From f0eea37f6ea3dd0e4eeab38f46d709c5e330b96f Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Fri, 8 Sep 2023 17:36:57 -0400 Subject: [PATCH] Fixes for 5.10 
Signed-off-by: Sasha Levin --- ...97-fix-possible-error-value-of-rac97.patch | 52 ++ queue-5.10/amba-bus-fix-refcount-leak.patch | 39 + ...1x-harmonize-ehci-ohci-dt-nodes-name.patch | 73 ++ ...cm53573-add-cells-sizes-to-pcie-node.patch | 47 + ...-describe-on-soc-bcm53125-rev-4-swit.patch | 55 ++ ...-bcm53573-drop-nonexistent-usb-cells.patch | 42 + ...-fix-ethernet-info-for-luxul-devices.patch | 87 ++ ...-use-updated-spi-gpio-binding-proper.patch | 54 ++ ...-s3c64xx-align-pinctrl-with-dtschema.patch | 808 ++++++++++++++++++ ...add-dummy-5v-regulator-for-backlight.patch | 44 + ...s5pv210-adjust-node-names-to-dt-spec.patch | 232 +++++ ...s3c6410-mini6410-correct-ethernet-re.patch | 37 + ...s5pv210-smdkv210-correct-ethernet-re.patch | 37 + ...sm8996-add-missing-interrupt-to-the-.patch | 38 + ...dm845-add-missing-rpmh-power-domain-.patch | 39 + ...dm845-fix-the-min-frequency-of-ice_c.patch | 39 + ...66-fix-build-errors-with-regmap_ac97.patch | 42 + ...le-soft-lockup-in-__audit_inode_chil.patch | 80 ++ ...do-not-call-kfree_skb-under-spin_loc.patch | 38 + ...tential-use-after-free-when-clear-ke.patch | 76 ++ ...fix-value-check-in-nokia_bluetooth_s.patch | 41 + .../bpf-clear-the-probe_addr-for-uprobe.patch | 77 ++ ...ct-unhashed-sockets-in-bpf_sk_assign.patch | 96 +++ ...cal-bpf_perf_event_value-to-fix-acce.patch | 137 +++ ...c-fix-build-warning-for-64-bit-build.patch | 40 + ...bus-ti-sysc-fix-cast-to-enum-warning.patch | 38 + ...b_receive_bulk_callback-count-rx-ove.patch | 50 ++ ...-remove-unused-cgroup_namespaces_ini.patch | 37 + ...e-8m-fix-clock-pauses-when-set_rate-.patch | 78 ++ queue-5.10/clk-imx8mp-fix-sai4-clock.patch | 49 ++ ...sc7180-fix-up-gcc_sdcc2_apps_clk_src.patch | 37 + ...180-use-array_size-instead-of-specif.patch | 173 ++++ ...cc-sm8250-fix-gcc_sdcc2_apps_clk_src.patch | 40 + ...250-use-array_size-instead-of-specif.patch | 443 ++++++++++ ...se-the-correct-type-of-sleep-delay-b.patch | 40 + ...i-ng-modify-mismatched-function-name.patch | 39 + 
...plicit-type-conversions-to-prevent-i.patch | 89 ++ ...race-condition-while-updating-the-tr.patch | 81 ++ ...-k8-use-related_cpus-instead-of-cpus.patch | 39 + ...ork-queue-in-crypto_destroy_instance.patch | 95 ++ ...e2b-sync-with-blake2s-implementation.patch | 523 ++++++++++++ ...aam-fix-unchecked-return-value-error.patch | 44 + ...operly-handle-pm_runtime_get-failing.patch | 61 ++ .../dma-buf-sync_file-fix-docs-syntax.patch | 39 + ...a40-add-missing-irq-check-in-d40_pro.patch | 40 + ...er-core-test_async-fix-an-error-code.patch | 37 + ...tone-fix-parameter-judgment-in-_of_p.patch | 38 + ...sb-fix-error-handling-code-in-smsusb.patch | 80 ++ ...low-refresh-rate-register-for-adv753.patch | 49 ++ ...ariable-dereferenced-issue-in-amdgpu.patch | 53 ++ ...-integer-overflow-warning-in-amdgpu_.patch | 52 ++ ...te-min-to-min_t-in-amdgpu_info_ioctl.patch | 88 ++ ...se-rmw-accessors-for-changing-lnkctl.patch | 144 ++++ ...ff-by-one-error-in-armada_overlay_ge.patch | 52 ++ ...8764-fix-debug-print-parameter-order.patch | 40 + ...iv-fix-dumping-of-active-mmu-context.patch | 72 ++ ...x-potential-memory-leak-if-vmap-fail.patch | 45 + ...sm-a2xx-call-adreno_gpu_init-earlier.patch | 58 ++ ...msm-mdp5-don-t-leak-some-plane-state.patch | 55 ++ ...-add-missing-connector-type-and-pixe.patch | 41 + ...se-rmw-accessors-for-changing-lnkctl.patch | 145 ++++ ...fix-incorrect-return-value-of-platfo.patch | 37 + ...-superfluous-error-messages-around-p.patch | 41 + ...dpsub-add-missing-check-for-dma_set_.patch | 39 + .../eventfd-export-eventfd_ctx_do_read.patch | 75 ++ ...ent-underflow-for-eventfd-semaphores.patch | 76 ++ ...grp-validation-in-ext4_mb_good_group.patch | 38 + ...m-fix-to-avoid-potential-null-pointe.patch | 39 + ...error-checking-for-d_hash_and_lookup.patch | 38 + ...-avoid-possible-wrong-null-parameter.patch | 43 + ...heck-return-value-of-ocfs2_add_entry.patch | 50 ++ ...reset-master-errors-after-cfam-reset.patch | 38 + ...fix-error-handling-in-logi_dj_recv_s.patch | 55 ++ 
...orrect-devm-device-reference-for-hid.patch | 67 ++ ...-the-channel-number-in-tmp51x_is_vis.patch | 39 + ...00-implement-suspend-and-resume-call.patch | 75 ++ ...ep-clock-enabled-while-hwrng-is-regi.patch | 86 ++ ...-potential-error-pointer-dereference.patch | 42 + ..._events-fix-off-by-one-check-when-fi.patch | 60 ++ ...precated-ima_trusted_keyring-kconfig.patch | 45 + ...le-and-reset-context-bank-before-pro.patch | 47 + ...o-flush-cache-of-pasid-directory-tab.patch | 44 + .../ipmi-ssif-add-check-for-kstrdup.patch | 40 + ...memory-leak-when-scanning-for-an-ada.patch | 37 + ...x-amount-of-blocks-before-allocation.patch | 42 + ...check-for-led_color_id_multi-that-is.patch | 54 ++ ...heck-lwtunnel_xmit_continue-strictly.patch | 78 ++ ...wt-fix-return-values-of-bpf-xmit-ops.patch | 63 ++ ...set-max_write_behind-if-there-is-no-.patch | 59 ++ ...hold-reconfig_mutex-in-backlog_store.patch | 62 ++ ...e-r1bio-before-waiting-for-blocked-r.patch | 55 ++ ...e-barrier-until-handle_read_error-fi.patch | 53 ++ ...p-unsupported-ad5823-from-i2c_-and-o.patch | 66 ++ ...d-retval-check-for-cx24120_message_s.patch | 40 + ...7000p-fix-potential-division-by-zero.patch | 39 + ...20x-fix-a-potential-memory-leak-in-m.patch | 50 ++ ...go7007-remove-redundant-if-statement.patch | 43 + ...-set-v4l2_ctrl_flag_modify_layout-on.patch | 41 + ...0-check-return-value-of-devm_kasprin.patch | 41 + ...codec-return-null-if-no-vdec_fb-is-f.patch | 43 + .../media-ov2680-fix-ov2680_bayer_order.patch | 117 +++ ...-regulators-being-left-enabled-on-ov.patch | 64 ++ ...ov2680-fix-vflip-hflip-set-functions.patch | 118 +++ ...ove-auto-gain-and-auto-exposure-cont.patch | 331 +++++++ ...ble-mipi-interface-in-ov5640_set_pow.patch | 51 ++ ...rease-max-supported-height-for-h.264.patch | 37 + ...fix-a-potential-resource-leak-in-v4l.patch | 71 ++ ...unk-size-setting-in-output-mailbox-b.patch | 43 + ...limit-single-transaction-buffer-size.patch | 56 ++ ...mtd-rawnand-brcmnand-fix-mtd-oobsize.patch | 62 ++ 
...-handle-clk-prepare-error-in-fsmc_na.patch | 44 + ...check-bus-width-while-setting-qe-bit.patch | 63 ++ ...t-call-kfree_skb-under-local_irq_dis.patch | 38 + ...se-rmw-accessors-for-changing-lnkctl.patch | 57 ++ ...sc-ensure-inner-classes-have-fsc-cur.patch | 44 + ...xcepted-socket-die-when-snd_wnd-is-0.patch | 83 ++ .../netrom-deny-concurrent-connect.patch | 139 +++ ...cklayout-use-the-passed-in-gfp-flags.patch | 47 + ...t-readdir-loop-when-entry-names-exce.patch | 57 ++ ...y-field-missing-in-some-getdeviceinf.patch | 139 +++ ...-handling-of-copy-err_offload_no_req.patch | 40 + ...null-pointer-dereferencing-in-of_uni.patch | 74 ++ ...x-overlay-type-in-apply-revert-check.patch | 42 + ...ng-0-to-ptr_err-in-_opp_attach_genpd.patch | 41 + ...se-rmw-accessors-for-changing-lnkctl.patch | 105 +++ ...rk-nvidia-t4-gpus-to-avoid-bus-reset.patch | 38 + ...se-rmw-accessors-for-changing-lnkctl.patch | 54 ++ ...-t-enable-counter0-if-none-of-4-coun.patch | 90 ++ ...o-hdmi-do-not-power-on-rk3328-post-p.patch | 55 ++ ...o-hdmi-round-fractal-pixclock-in-rk3.patch | 50 ++ ...o-hdmi-use-correct-vco_div_5-macro-o.patch | 41 + ...-check-return-value-of-devm_kasprint.patch | 62 ++ ...rpc-don-t-include-lppaca.h-in-paca.h.patch | 134 +++ ...eset-dump-area-size-if-fadump-memory.patch | 42 + ...x-notifiers-being-shared-by-pci-and-.patch | 96 +++ ...vert-fsl_emb-notifier-to-state-machi.patch | 84 ++ ...rework-lppaca_shared_proc-to-avoid-d.patch | 160 ++++ .../quota-add-new-helper-dquot_active.patch | 119 +++ .../quota-factor-out-dquot_write_dquot.patch | 94 ++ ...to-follow-the-guarantees-dquot_srcu-.patch | 249 ++++++ ...e-dquot_active-to-inode_quota_active.patch | 121 +++ ...-the-reference-of-cep-kref-in-the-er.patch | 50 ++ ...rdma-siw-correct-wrong-debug-message.patch | 38 + ...ninitalized-use-of-wait_queue_head_t.patch | 83 ++ ...e-alloc_flags-for-memory-allocations.patch | 98 +++ ...check-the-return-value-from-__getblk.patch | 49 ++ ...fix-incorrect-release-of-isert-conne.patch | 124 
+++ .../rpmsg-glink-add-check-for-kstrdup.patch | 39 + ...ey_type_ep11_aes-handling-for-secure.patch | 40 + ...x-harmonize-internal-keyblob-headers.patch | 89 ++ ...ples-bpf-fix-broken-map-lookup-probe.patch | 71 ++ ...dd-length-check-when-parsing-nlattrs.patch | 46 + ...e-32-bit-hostnum-in-scsi_host_lookup.patch | 61 ++ ...-potential-deadlock-on-fip-ctlr_lock.patch | 156 ++++ ...x-normally-completed-i-o-analysed-as.patch | 90 ++ ..._sas-fix-warnings-detected-by-sparse.patch | 60 ++ ...dify-v3-hw-sata-completion-error-pro.patch | 61 ++ ...dify-v3-hw-ssp-underflow-error-proce.patch | 113 +++ ...int-sas-address-for-v3-hw-erroneous-.patch | 45 + ...-add-length-check-for-nlattr-payload.patch | 306 +++++++ ...trlen-check-in-iscsi_if_set-_host-_p.patch | 79 ++ ...e-iscsi_set_param-to-iscsi_if_set_pa.patch | 50 ++ ...oduce-more-sam-status-code-aliases-i.patch | 508 +++++++++++ ...-touch-__user-pointer-in-qedf_dbg_de.patch | 67 ++ ...-touch-__user-pointer-in-qedf_dbg_fp.patch | 112 +++ ...-touch-__user-pointer-in-qedf_dbg_st.patch | 70 ++ ...dd-length-check-when-parsing-nlattrs.patch | 80 ++ .../scsi-rdma-srp-fix-residual-handling.patch | 49 ++ ...ean-up-fmod_ret-in-bench_rename-test.patch | 52 ++ ...x-static-assert-compilation-issue-fo.patch | 82 ++ ...s-actually-report-skip-for-signal-te.patch | 56 ++ ...l-close-perf-value-read-fd-on-errors.patch | 85 ++ ...ctrl-don-t-leak-buffer-in-fill_cache.patch | 55 ++ ...l-unmount-resctrl-fs-if-child-fails-.patch | 44 + ...gn-sprd_port-after-initialized-to-av.patch | 118 +++ ...erial-sprd-fix-dma-buffer-leak-issue.patch | 54 ++ ...dle-clk-prepare-error-in-tegra_uart_.patch | 41 + queue-5.10/series | 205 +++++ ...s-prevent-underflow-in-smk_set_cipso.patch | 37 + ...mem-add-ocmem-hardware-version-print.patch | 53 ++ ...cmem-fix-num_ports-num_macros-macros.patch | 50 ++ ...sh-fix-to-check-return-value-of-plat.patch | 44 + ...enter_quickack_mode-should-be-static.patch | 60 ++ ...erify-g-u-id-mount-options-correctly.patch | 98 +++ 
...-issue-between-cpu-buffer-write-and-.patch | 141 +++ ...seport-groups-when-connected-sockets.patch | 114 +++ .../um-fix-hostaudio-build-errors.patch | 148 ++++ ...s_storage-fix-unused-variable-warnin.patch | 37 + ...getting-wrong-state-with-mxs_phy_is_.patch | 50 ++ ...1-fix-cap_migration-information-leak.patch | 93 ++ ...avail_wrap_counter-in-virtqueue_add_.patch | 80 ++ ...se-rmw-accessors-for-changing-lnkctl.patch | 61 ++ ...aces-between-ath9k_wmi_cmd-and-ath9k.patch | 129 +++ ...ct-wmi-command-response-buffer-repla.patch | 78 ++ ...k-use-is_err-with-debugfs_create_dir.patch | 44 + ...de-add-nla_policy-for-mt76_tm_attr_t.patch | 41 + ...id-possible-null-skb-pointer-derefer.patch | 50 ++ ...-error-recovery-in-pcie-buffer-descr.patch | 121 +++ ...-memory-leak-in-mwifiex_histogram_re.patch | 52 ++ ...-missed-return-in-oob-checks-failed-.patch | 51 ++ ...-oob-and-integer-underflow-when-rx-p.patch | 127 +++ ...op-the-duplicate-apm_minor_dev-macro.patch | 46 + ...-don-t-rely-on-upper-32-bits-of-gprs.patch | 113 +++ ...x-pci-rom-preservation-in-mixed-mode.patch | 38 + ...it-missing-from-page-protection-modi.patch | 107 +++ ...mark-all-skylake-cpus-as-vulnerable-.patch | 76 ++ 206 files changed, 16431 insertions(+) create mode 100644 queue-5.10/alsa-ac97-fix-possible-error-value-of-rac97.patch create mode 100644 queue-5.10/amba-bus-fix-refcount-leak.patch create mode 100644 queue-5.10/arm-dts-bcm5301x-harmonize-ehci-ohci-dt-nodes-name.patch create mode 100644 queue-5.10/arm-dts-bcm53573-add-cells-sizes-to-pcie-node.patch create mode 100644 queue-5.10/arm-dts-bcm53573-describe-on-soc-bcm53125-rev-4-swit.patch create mode 100644 queue-5.10/arm-dts-bcm53573-drop-nonexistent-usb-cells.patch create mode 100644 queue-5.10/arm-dts-bcm53573-fix-ethernet-info-for-luxul-devices.patch create mode 100644 queue-5.10/arm-dts-bcm53573-use-updated-spi-gpio-binding-proper.patch create mode 100644 queue-5.10/arm-dts-s3c64xx-align-pinctrl-with-dtschema.patch create mode 100644 
queue-5.10/arm-dts-s5pv210-add-dummy-5v-regulator-for-backlight.patch create mode 100644 queue-5.10/arm-dts-s5pv210-adjust-node-names-to-dt-spec.patch create mode 100644 queue-5.10/arm-dts-samsung-s3c6410-mini6410-correct-ethernet-re.patch create mode 100644 queue-5.10/arm-dts-samsung-s5pv210-smdkv210-correct-ethernet-re.patch create mode 100644 queue-5.10/arm64-dts-qcom-msm8996-add-missing-interrupt-to-the-.patch create mode 100644 queue-5.10/arm64-dts-qcom-sdm845-add-missing-rpmh-power-domain-.patch create mode 100644 queue-5.10/arm64-dts-qcom-sdm845-fix-the-min-frequency-of-ice_c.patch create mode 100644 queue-5.10/asoc-stac9766-fix-build-errors-with-regmap_ac97.patch create mode 100644 queue-5.10/audit-fix-possible-soft-lockup-in-__audit_inode_chil.patch create mode 100644 queue-5.10/bluetooth-btusb-do-not-call-kfree_skb-under-spin_loc.patch create mode 100644 queue-5.10/bluetooth-fix-potential-use-after-free-when-clear-ke.patch create mode 100644 queue-5.10/bluetooth-nokia-fix-value-check-in-nokia_bluetooth_s.patch create mode 100644 queue-5.10/bpf-clear-the-probe_addr-for-uprobe.patch create mode 100644 queue-5.10/bpf-reject-unhashed-sockets-in-bpf_sk_assign.patch create mode 100644 queue-5.10/bpftool-use-a-local-bpf_perf_event_value-to-fix-acce.patch create mode 100644 queue-5.10/bus-ti-sysc-fix-build-warning-for-64-bit-build.patch create mode 100644 queue-5.10/bus-ti-sysc-fix-cast-to-enum-warning.patch create mode 100644 queue-5.10/can-gs_usb-gs_usb_receive_bulk_callback-count-rx-ove.patch create mode 100644 queue-5.10/cgroup-namespace-remove-unused-cgroup_namespaces_ini.patch create mode 100644 queue-5.10/clk-imx-composite-8m-fix-clock-pauses-when-set_rate-.patch create mode 100644 queue-5.10/clk-imx8mp-fix-sai4-clock.patch create mode 100644 queue-5.10/clk-qcom-gcc-sc7180-fix-up-gcc_sdcc2_apps_clk_src.patch create mode 100644 queue-5.10/clk-qcom-gcc-sc7180-use-array_size-instead-of-specif.patch create mode 100644 
queue-5.10/clk-qcom-gcc-sm8250-fix-gcc_sdcc2_apps_clk_src.patch create mode 100644 queue-5.10/clk-qcom-gcc-sm8250-use-array_size-instead-of-specif.patch create mode 100644 queue-5.10/clk-qcom-reset-use-the-correct-type-of-sleep-delay-b.patch create mode 100644 queue-5.10/clk-sunxi-ng-modify-mismatched-function-name.patch create mode 100644 queue-5.10/coresight-tmc-explicit-type-conversions-to-prevent-i.patch create mode 100644 queue-5.10/cpufreq-fix-the-race-condition-while-updating-the-tr.patch create mode 100644 queue-5.10/cpufreq-powernow-k8-use-related_cpus-instead-of-cpus.patch create mode 100644 queue-5.10/crypto-api-use-work-queue-in-crypto_destroy_instance.patch create mode 100644 queue-5.10/crypto-blake2b-sync-with-blake2s-implementation.patch create mode 100644 queue-5.10/crypto-caam-fix-unchecked-return-value-error.patch create mode 100644 queue-5.10/crypto-stm32-properly-handle-pm_runtime_get-failing.patch create mode 100644 queue-5.10/dma-buf-sync_file-fix-docs-syntax.patch create mode 100644 queue-5.10/dmaengine-ste_dma40-add-missing-irq-check-in-d40_pro.patch create mode 100644 queue-5.10/driver-core-test_async-fix-an-error-code.patch create mode 100644 queue-5.10/drivers-clk-keystone-fix-parameter-judgment-in-_of_p.patch create mode 100644 queue-5.10/drivers-usb-smsusb-fix-error-handling-code-in-smsusb.patch create mode 100644 queue-5.10/drm-adv7511-fix-low-refresh-rate-register-for-adv753.patch create mode 100644 queue-5.10/drm-amd-pm-fix-variable-dereferenced-issue-in-amdgpu.patch create mode 100644 queue-5.10/drm-amdgpu-avoid-integer-overflow-warning-in-amdgpu_.patch create mode 100644 queue-5.10/drm-amdgpu-update-min-to-min_t-in-amdgpu_info_ioctl.patch create mode 100644 queue-5.10/drm-amdgpu-use-rmw-accessors-for-changing-lnkctl.patch create mode 100644 queue-5.10/drm-armada-fix-off-by-one-error-in-armada_overlay_ge.patch create mode 100644 queue-5.10/drm-bridge-tc358764-fix-debug-print-parameter-order.patch create mode 100644 
queue-5.10/drm-etnaviv-fix-dumping-of-active-mmu-context.patch create mode 100644 queue-5.10/drm-mediatek-fix-potential-memory-leak-if-vmap-fail.patch create mode 100644 queue-5.10/drm-msm-a2xx-call-adreno_gpu_init-earlier.patch create mode 100644 queue-5.10/drm-msm-mdp5-don-t-leak-some-plane-state.patch create mode 100644 queue-5.10/drm-panel-simple-add-missing-connector-type-and-pixe.patch create mode 100644 queue-5.10/drm-radeon-use-rmw-accessors-for-changing-lnkctl.patch create mode 100644 queue-5.10/drm-tegra-dpaux-fix-incorrect-return-value-of-platfo.patch create mode 100644 queue-5.10/drm-tegra-remove-superfluous-error-messages-around-p.patch create mode 100644 queue-5.10/drm-xlnx-zynqmp_dpsub-add-missing-check-for-dma_set_.patch create mode 100644 queue-5.10/eventfd-export-eventfd_ctx_do_read.patch create mode 100644 queue-5.10/eventfd-prevent-underflow-for-eventfd-semaphores.patch create mode 100644 queue-5.10/ext4-correct-grp-validation-in-ext4_mb_good_group.patch create mode 100644 queue-5.10/firmware-meson_sm-fix-to-avoid-potential-null-pointe.patch create mode 100644 queue-5.10/fs-fix-error-checking-for-d_hash_and_lookup.patch create mode 100644 queue-5.10/fs-lockd-avoid-possible-wrong-null-parameter.patch create mode 100644 queue-5.10/fs-ocfs2-namei-check-return-value-of-ocfs2_add_entry.patch create mode 100644 queue-5.10/fsi-aspeed-reset-master-errors-after-cfam-reset.patch create mode 100644 queue-5.10/hid-logitech-dj-fix-error-handling-in-logi_dj_recv_s.patch create mode 100644 queue-5.10/hid-multitouch-correct-devm-device-reference-for-hid.patch create mode 100644 queue-5.10/hwmon-tmp513-fix-the-channel-number-in-tmp51x_is_vis.patch create mode 100644 queue-5.10/hwrng-iproc-rng200-implement-suspend-and-resume-call.patch create mode 100644 queue-5.10/hwrng-nomadik-keep-clock-enabled-while-hwrng-is-regi.patch create mode 100644 queue-5.10/ib-uverbs-fix-an-potential-error-pointer-dereference.patch create mode 100644 
queue-5.10/ice-ice_aq_check_events-fix-off-by-one-check-when-fi.patch create mode 100644 queue-5.10/ima-remove-deprecated-ima_trusted_keyring-kconfig.patch create mode 100644 queue-5.10/iommu-qcom-disable-and-reset-context-bank-before-pro.patch create mode 100644 queue-5.10/iommu-vt-d-fix-to-flush-cache-of-pasid-directory-tab.patch create mode 100644 queue-5.10/ipmi-ssif-add-check-for-kstrdup.patch create mode 100644 queue-5.10/ipmi-ssif-fix-a-memory-leak-when-scanning-for-an-ada.patch create mode 100644 queue-5.10/jfs-validate-max-amount-of-blocks-before-allocation.patch create mode 100644 queue-5.10/leds-fix-bug_on-check-for-led_color_id_multi-that-is.patch create mode 100644 queue-5.10/lwt-check-lwtunnel_xmit_continue-strictly.patch create mode 100644 queue-5.10/lwt-fix-return-values-of-bpf-xmit-ops.patch create mode 100644 queue-5.10/md-bitmap-don-t-set-max_write_behind-if-there-is-no-.patch create mode 100644 queue-5.10/md-md-bitmap-hold-reconfig_mutex-in-backlog_store.patch create mode 100644 queue-5.10/md-raid1-free-the-r1bio-before-waiting-for-blocked-r.patch create mode 100644 queue-5.10/md-raid1-hold-the-barrier-until-handle_read_error-fi.patch create mode 100644 queue-5.10/media-ad5820-drop-unsupported-ad5823-from-i2c_-and-o.patch create mode 100644 queue-5.10/media-cx24120-add-retval-check-for-cx24120_message_s.patch create mode 100644 queue-5.10/media-dib7000p-fix-potential-division-by-zero.patch create mode 100644 queue-5.10/media-dvb-usb-m920x-fix-a-potential-memory-leak-in-m.patch create mode 100644 queue-5.10/media-go7007-remove-redundant-if-statement.patch create mode 100644 queue-5.10/media-i2c-ov2680-set-v4l2_ctrl_flag_modify_layout-on.patch create mode 100644 queue-5.10/media-i2c-tvp5150-check-return-value-of-devm_kasprin.patch create mode 100644 queue-5.10/media-mediatek-vcodec-return-null-if-no-vdec_fb-is-f.patch create mode 100644 queue-5.10/media-ov2680-fix-ov2680_bayer_order.patch create mode 100644 
queue-5.10/media-ov2680-fix-regulators-being-left-enabled-on-ov.patch create mode 100644 queue-5.10/media-ov2680-fix-vflip-hflip-set-functions.patch create mode 100644 queue-5.10/media-ov2680-remove-auto-gain-and-auto-exposure-cont.patch create mode 100644 queue-5.10/media-ov5640-enable-mipi-interface-in-ov5640_set_pow.patch create mode 100644 queue-5.10/media-rkvdec-increase-max-supported-height-for-h.264.patch create mode 100644 queue-5.10/media-v4l2-core-fix-a-potential-resource-leak-in-v4l.patch create mode 100644 queue-5.10/mlxsw-i2c-fix-chunk-size-setting-in-output-mailbox-b.patch create mode 100644 queue-5.10/mlxsw-i2c-limit-single-transaction-buffer-size.patch create mode 100644 queue-5.10/mtd-rawnand-brcmnand-fix-mtd-oobsize.patch create mode 100644 queue-5.10/mtd-rawnand-fsmc-handle-clk-prepare-error-in-fsmc_na.patch create mode 100644 queue-5.10/mtd-spi-nor-check-bus-width-while-setting-qe-bit.patch create mode 100644 queue-5.10/net-arcnet-do-not-call-kfree_skb-under-local_irq_dis.patch create mode 100644 queue-5.10/net-mlx5-use-rmw-accessors-for-changing-lnkctl.patch create mode 100644 queue-5.10/net-sched-sch_hfsc-ensure-inner-classes-have-fsc-cur.patch create mode 100644 queue-5.10/net-tcp-fix-unexcepted-socket-die-when-snd_wnd-is-0.patch create mode 100644 queue-5.10/netrom-deny-concurrent-connect.patch create mode 100644 queue-5.10/nfs-blocklayout-use-the-passed-in-gfp-flags.patch create mode 100644 queue-5.10/nfs-guard-against-readdir-loop-when-entry-names-exce.patch create mode 100644 queue-5.10/nfsd-da_addr_body-field-missing-in-some-getdeviceinf.patch create mode 100644 queue-5.10/nfsv4.2-fix-handling-of-copy-err_offload_no_req.patch create mode 100644 queue-5.10/of-unittest-fix-null-pointer-dereferencing-in-of_uni.patch create mode 100644 queue-5.10/of-unittest-fix-overlay-type-in-apply-revert-check.patch create mode 100644 queue-5.10/opp-fix-passing-0-to-ptr_err-in-_opp_attach_genpd.patch create mode 100644 
queue-5.10/pci-aspm-use-rmw-accessors-for-changing-lnkctl.patch create mode 100644 queue-5.10/pci-mark-nvidia-t4-gpus-to-avoid-bus-reset.patch create mode 100644 queue-5.10/pci-pciehp-use-rmw-accessors-for-changing-lnkctl.patch create mode 100644 queue-5.10/perf-imx_ddr-don-t-enable-counter0-if-none-of-4-coun.patch create mode 100644 queue-5.10/phy-rockchip-inno-hdmi-do-not-power-on-rk3328-post-p.patch create mode 100644 queue-5.10/phy-rockchip-inno-hdmi-round-fractal-pixclock-in-rk3.patch create mode 100644 queue-5.10/phy-rockchip-inno-hdmi-use-correct-vco_div_5-macro-o.patch create mode 100644 queue-5.10/pinctrl-mcp23s08-check-return-value-of-devm_kasprint.patch create mode 100644 queue-5.10/powerpc-don-t-include-lppaca.h-in-paca.h.patch create mode 100644 queue-5.10/powerpc-fadump-reset-dump-area-size-if-fadump-memory.patch create mode 100644 queue-5.10/powerpc-iommu-fix-notifiers-being-shared-by-pci-and-.patch create mode 100644 queue-5.10/powerpc-perf-convert-fsl_emb-notifier-to-state-machi.patch create mode 100644 queue-5.10/powerpc-pseries-rework-lppaca_shared_proc-to-avoid-d.patch create mode 100644 queue-5.10/quota-add-new-helper-dquot_active.patch create mode 100644 queue-5.10/quota-factor-out-dquot_write_dquot.patch create mode 100644 queue-5.10/quota-fix-dqput-to-follow-the-guarantees-dquot_srcu-.patch create mode 100644 queue-5.10/quota-rename-dquot_active-to-inode_quota_active.patch create mode 100644 queue-5.10/rdma-siw-balance-the-reference-of-cep-kref-in-the-er.patch create mode 100644 queue-5.10/rdma-siw-correct-wrong-debug-message.patch create mode 100644 queue-5.10/refscale-fix-uninitalized-use-of-wait_queue_head_t.patch create mode 100644 queue-5.10/regmap-rbtree-use-alloc_flags-for-memory-allocations.patch create mode 100644 queue-5.10/reiserfs-check-the-return-value-from-__getblk.patch create mode 100644 queue-5.10/revert-ib-isert-fix-incorrect-release-of-isert-conne.patch create mode 100644 queue-5.10/rpmsg-glink-add-check-for-kstrdup.patch 
create mode 100644 queue-5.10/s390-paes-fix-pkey_type_ep11_aes-handling-for-secure.patch create mode 100644 queue-5.10/s390-pkey-fix-harmonize-internal-keyblob-headers.patch create mode 100644 queue-5.10/samples-bpf-fix-broken-map-lookup-probe.patch create mode 100644 queue-5.10/scsi-be2iscsi-add-length-check-when-parsing-nlattrs.patch create mode 100644 queue-5.10/scsi-core-use-32-bit-hostnum-in-scsi_host_lookup.patch create mode 100644 queue-5.10/scsi-fcoe-fix-potential-deadlock-on-fip-ctlr_lock.patch create mode 100644 queue-5.10/scsi-hisi_sas-fix-normally-completed-i-o-analysed-as.patch create mode 100644 queue-5.10/scsi-hisi_sas-fix-warnings-detected-by-sparse.patch create mode 100644 queue-5.10/scsi-hisi_sas-modify-v3-hw-sata-completion-error-pro.patch create mode 100644 queue-5.10/scsi-hisi_sas-modify-v3-hw-ssp-underflow-error-proce.patch create mode 100644 queue-5.10/scsi-hisi_sas-print-sas-address-for-v3-hw-erroneous-.patch create mode 100644 queue-5.10/scsi-iscsi-add-length-check-for-nlattr-payload.patch create mode 100644 queue-5.10/scsi-iscsi-add-strlen-check-in-iscsi_if_set-_host-_p.patch create mode 100644 queue-5.10/scsi-iscsi-rename-iscsi_set_param-to-iscsi_if_set_pa.patch create mode 100644 queue-5.10/scsi-libsas-introduce-more-sam-status-code-aliases-i.patch create mode 100644 queue-5.10/scsi-qedf-do-not-touch-__user-pointer-in-qedf_dbg_de.patch create mode 100644 queue-5.10/scsi-qedf-do-not-touch-__user-pointer-in-qedf_dbg_fp.patch create mode 100644 queue-5.10/scsi-qedf-do-not-touch-__user-pointer-in-qedf_dbg_st.patch create mode 100644 queue-5.10/scsi-qla4xxx-add-length-check-when-parsing-nlattrs.patch create mode 100644 queue-5.10/scsi-rdma-srp-fix-residual-handling.patch create mode 100644 queue-5.10/selftests-bpf-clean-up-fmod_ret-in-bench_rename-test.patch create mode 100644 queue-5.10/selftests-bpf-fix-static-assert-compilation-issue-fo.patch create mode 100644 queue-5.10/selftests-harness-actually-report-skip-for-signal-te.patch create 
mode 100644 queue-5.10/selftests-resctrl-close-perf-value-read-fd-on-errors.patch create mode 100644 queue-5.10/selftests-resctrl-don-t-leak-buffer-in-fill_cache.patch create mode 100644 queue-5.10/selftests-resctrl-unmount-resctrl-fs-if-child-fails-.patch create mode 100644 queue-5.10/serial-sprd-assign-sprd_port-after-initialized-to-av.patch create mode 100644 queue-5.10/serial-sprd-fix-dma-buffer-leak-issue.patch create mode 100644 queue-5.10/serial-tegra-handle-clk-prepare-error-in-tegra_uart_.patch create mode 100644 queue-5.10/smackfs-prevent-underflow-in-smk_set_cipso.patch create mode 100644 queue-5.10/soc-qcom-ocmem-add-ocmem-hardware-version-print.patch create mode 100644 queue-5.10/soc-qcom-ocmem-fix-num_ports-num_macros-macros.patch create mode 100644 queue-5.10/spi-tegra20-sflash-fix-to-check-return-value-of-plat.patch create mode 100644 queue-5.10/tcp-tcp_enter_quickack_mode-should-be-static.patch create mode 100644 queue-5.10/tmpfs-verify-g-u-id-mount-options-correctly.patch create mode 100644 queue-5.10/tracing-fix-race-issue-between-cpu-buffer-write-and-.patch create mode 100644 queue-5.10/udp-re-score-reuseport-groups-when-connected-sockets.patch create mode 100644 queue-5.10/um-fix-hostaudio-build-errors.patch create mode 100644 queue-5.10/usb-gadget-f_mass_storage-fix-unused-variable-warnin.patch create mode 100644 queue-5.10/usb-phy-mxs-fix-getting-wrong-state-with-mxs_phy_is_.patch create mode 100644 queue-5.10/vfio-type1-fix-cap_migration-information-leak.patch create mode 100644 queue-5.10/virtio_ring-fix-avail_wrap_counter-in-virtqueue_add_.patch create mode 100644 queue-5.10/wifi-ath10k-use-rmw-accessors-for-changing-lnkctl.patch create mode 100644 queue-5.10/wifi-ath9k-fix-races-between-ath9k_wmi_cmd-and-ath9k.patch create mode 100644 queue-5.10/wifi-ath9k-protect-wmi-command-response-buffer-repla.patch create mode 100644 queue-5.10/wifi-ath9k-use-is_err-with-debugfs_create_dir.patch create mode 100644 
queue-5.10/wifi-mt76-testmode-add-nla_policy-for-mt76_tm_attr_t.patch create mode 100644 queue-5.10/wifi-mwifiex-avoid-possible-null-skb-pointer-derefer.patch create mode 100644 queue-5.10/wifi-mwifiex-fix-error-recovery-in-pcie-buffer-descr.patch create mode 100644 queue-5.10/wifi-mwifiex-fix-memory-leak-in-mwifiex_histogram_re.patch create mode 100644 queue-5.10/wifi-mwifiex-fix-missed-return-in-oob-checks-failed-.patch create mode 100644 queue-5.10/wifi-mwifiex-fix-oob-and-integer-underflow-when-rx-p.patch create mode 100644 queue-5.10/x86-apm-drop-the-duplicate-apm_minor_dev-macro.patch create mode 100644 queue-5.10/x86-decompressor-don-t-rely-on-upper-32-bits-of-gprs.patch create mode 100644 queue-5.10/x86-efistub-fix-pci-rom-preservation-in-mixed-mode.patch create mode 100644 queue-5.10/x86-mm-fix-pat-bit-missing-from-page-protection-modi.patch create mode 100644 queue-5.10/x86-speculation-mark-all-skylake-cpus-as-vulnerable-.patch diff --git a/queue-5.10/alsa-ac97-fix-possible-error-value-of-rac97.patch b/queue-5.10/alsa-ac97-fix-possible-error-value-of-rac97.patch new file mode 100644 index 00000000000..36a4eb8bc3a --- /dev/null +++ b/queue-5.10/alsa-ac97-fix-possible-error-value-of-rac97.patch 
@@ -0,0 +1,52 @@
+From a97101a8def4136c7d7893789b3c4b8d8f79bdb9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 23 Aug 2023 10:52:13 +0800
+Subject: ALSA: ac97: Fix possible error value of *rac97
+
+From: Su Hui
+
+[ Upstream commit 67de40c9df94037769967ba28c7d951afb45b7fb ]
+
+Before committing 79597c8bf64c, *rac97 always be NULL if there is
+an error. When error happens, make sure *rac97 is NULL is safer.
+
+For examble, in snd_vortex_mixer():
+ err = snd_ac97_mixer(pbus, &ac97, &vortex->codec);
+ vortex->isquad = ((vortex->codec == NULL) ?
+ 0 : (vortex->codec->ext_id&0x80));
+If error happened but vortex->codec isn't NULL, this may cause some
+problems.
+
+Move the judgement order to be clearer and better.
+
+Fixes: 79597c8bf64c ("ALSA: ac97: Fix possible NULL dereference in snd_ac97_mixer")
+Suggested-by: Christophe JAILLET
+Acked-by: Christophe JAILLET
+Signed-off-by: Su Hui
+Link: https://lore.kernel.org/r/20230823025212.1000961-1-suhui@nfschina.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Sasha Levin
+---
+ sound/pci/ac97/ac97_codec.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/sound/pci/ac97/ac97_codec.c b/sound/pci/ac97/ac97_codec.c
+index e18572eae5e01..d894dcdf38f4c 100644
+--- a/sound/pci/ac97/ac97_codec.c
++++ b/sound/pci/ac97/ac97_codec.c
+@@ -2007,10 +2007,9 @@ int snd_ac97_mixer(struct snd_ac97_bus *bus, struct snd_ac97_template *template,
+ .dev_disconnect = snd_ac97_dev_disconnect,
+ };
+
+- if (!rac97)
+- return -EINVAL;
+- if (snd_BUG_ON(!bus || !template))
++ if (snd_BUG_ON(!bus || !template || !rac97))
+ return -EINVAL;
++ *rac97 = NULL;
+ if (snd_BUG_ON(template->num >= 4))
+ return -EINVAL;
+ if (bus->codec[template->num])
+--
+2.40.1
+
diff --git a/queue-5.10/amba-bus-fix-refcount-leak.patch b/queue-5.10/amba-bus-fix-refcount-leak.patch
new file mode 100644
index 00000000000..44ac55b967c
--- /dev/null
+++ b/queue-5.10/amba-bus-fix-refcount-leak.patch
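Review bot: In the queued ac97_codec.c change, the `!rac97` test moves from a plain `if` into `snd_BUG_ON()`, and the new `*rac97 = NULL;` store follows it unconditionally. If snd_BUG_ON() compiles to a constant false when CONFIG_SND_DEBUG is off (its definition is in a header not shown here, so confirm against the 5.10 tree), a NULL `rac97` would no longer be rejected and would be dereferenced by that store. Keeping the explicit guard avoids depending on a debug-only assertion: `if (!rac97) return -EINVAL;` ahead of `*rac97 = NULL;`, with `snd_BUG_ON(!bus || !template)` left as it was. snd_ac97_mixer() starts and ends outside the hunk, so whether any caller can pass NULL is not visible here.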
@@ -0,0 +1,39 @@
+From 5abf631846fc74e14da75fbc7f144f790c0636d8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 21 Aug 2023 10:39:27 +0800
+Subject: amba: bus: fix refcount leak
+
+From: Peng Fan
+
+[ Upstream commit e312cbdc11305568554a9e18a2ea5c2492c183f3 ]
+
+commit 5de1540b7bc4 ("drivers/amba: create devices from device tree")
+increases the refcount of of_node, but not releases it in
+amba_device_release, so there is refcount leak. By using of_node_put
+to avoid refcount leak.
+
+Fixes: 5de1540b7bc4 ("drivers/amba: create devices from device tree")
+Signed-off-by: Peng Fan
+Reviewed-by: Andy Shevchenko
+Link: https://lore.kernel.org/r/20230821023928.3324283-1-peng.fan@oss.nxp.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/amba/bus.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/amba/bus.c b/drivers/amba/bus.c
+index 47c72447ccd59..52ab582930caa 100644
+--- a/drivers/amba/bus.c
++++ b/drivers/amba/bus.c
+@@ -363,6 +363,7 @@ static void amba_device_release(struct device *dev)
+ {
+ struct amba_device *d = to_amba_device(dev);
+
++ of_node_put(d->dev.of_node);
+ if (d->res.parent)
+ release_resource(&d->res);
+ kfree(d);
+--
+2.40.1
+
diff --git a/queue-5.10/arm-dts-bcm5301x-harmonize-ehci-ohci-dt-nodes-name.patch b/queue-5.10/arm-dts-bcm5301x-harmonize-ehci-ohci-dt-nodes-name.patch
new file mode 100644
index 00000000000..cf7c533c23a
--- /dev/null
+++ b/queue-5.10/arm-dts-bcm5301x-harmonize-ehci-ohci-dt-nodes-name.patch
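Review bot: The added `of_node_put(d->dev.of_node);` in amba_device_release() runs for every AMBA device, while the matching get is only described in the commit message and does not appear in the hunk. The release is balanced only if each path that assigns `dev.of_node` takes its own reference; a path that stores the pointer without a get would drop a reference it does not own. A comment on the line naming the pairing would make that checkable, e.g. `/* pairs with the of_node_get() taken when the device is created from DT */`.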
@@ -0,0 +1,73 @@
+From d950a1df9f87e771a628758be83487fa40e166cc Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 20 Oct 2020 14:59:37 +0300
+Subject: ARM: dts: BCM5301X: Harmonize EHCI/OHCI DT nodes name
+
+From: Serge Semin
+
+[ Upstream commit 74abbfe99f43eb7466d26d9e48fbeb46b8f3d804 ]
+
+In accordance with the Generic EHCI/OHCI bindings the corresponding node
+name is suppose to comply with the Generic USB HCD DT schema, which
+requires the USB nodes to have the name acceptable by the regexp:
+"^usb(@.*)?" . Make sure the "generic-ehci" and "generic-ohci"-compatible
+nodes are correctly named.
+
+Signed-off-by: Serge Semin
+Acked-by: Florian Fainelli
+Acked-by: Krzysztof Kozlowski
+Signed-off-by: Florian Fainelli
+Stable-dep-of: 05d2c3d552b8 ("ARM: dts: BCM53573: Drop nonexistent #usb-cells")
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/dts/bcm5301x.dtsi | 4 ++--
+ arch/arm/boot/dts/bcm53573.dtsi | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/arch/arm/boot/dts/bcm5301x.dtsi b/arch/arm/boot/dts/bcm5301x.dtsi
+index 4e9bb10f37d0f..9189a9489464b 100644
+--- a/arch/arm/boot/dts/bcm5301x.dtsi
++++ b/arch/arm/boot/dts/bcm5301x.dtsi
+@@ -267,7 +267,7 @@ usb2: usb2@21000 {
+
+ interrupt-parent = <&gic>;
+
+- ehci: ehci@21000 {
++ ehci: usb@21000 {
+ #usb-cells = <0>;
+
+ compatible = "generic-ehci";
+@@ -289,7 +289,7 @@ ehci_port2: port@2 {
+ };
+ };
+
+- ohci: ohci@22000 {
++ ohci: usb@22000 {
+ #usb-cells = <0>;
+
+ compatible = "generic-ohci";
+diff --git a/arch/arm/boot/dts/bcm53573.dtsi b/arch/arm/boot/dts/bcm53573.dtsi
+index 4af8e3293cff4..51546fccc6168 100644
+--- a/arch/arm/boot/dts/bcm53573.dtsi
++++ b/arch/arm/boot/dts/bcm53573.dtsi
+@@ -135,7 +135,7 @@ usb2: usb2@4000 {
+ #address-cells = <1>;
+ #size-cells = <1>;
+
+- ehci: ehci@4000 {
++ ehci: usb@4000 {
+ compatible = "generic-ehci";
+ reg = <0x4000 0x1000>;
+ interrupt-parent = <&gic>;
+@@ -155,7 +155,7 @@ ehci_port2: port@2 {
+ };
+ };
+
+- ohci: ohci@d000 {
++ ohci: usb@d000 {
+ #usb-cells = <0>;
+
+ compatible = "generic-ohci";
+--
+2.40.1
+
diff --git a/queue-5.10/arm-dts-bcm53573-add-cells-sizes-to-pcie-node.patch b/queue-5.10/arm-dts-bcm53573-add-cells-sizes-to-pcie-node.patch
new file mode 100644
index 00000000000..887780679cf
--- /dev/null
+++ b/queue-5.10/arm-dts-bcm53573-add-cells-sizes-to-pcie-node.patch
@@ -0,0 +1,47 @@
+From 0a64a2d00016845e3df376417d3d461b05d76c91 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 7 Jul 2023 13:40:03 +0200
+Subject: ARM: dts: BCM53573: Add cells sizes to PCIe node
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Rafał Miłecki
+
+[ Upstream commit 3392ef368d9b04622fe758b1079b512664b6110a ]
+
+This fixes:
+arch/arm/boot/dts/broadcom/bcm47189-luxul-xap-1440.dtb: pcie@2000: '#address-cells' is a required property
+ From schema: /lib/python3.10/site-packages/dtschema/schemas/pci/pci-bus.yaml
+arch/arm/boot/dts/broadcom/bcm47189-luxul-xap-1440.dtb: pcie@2000: '#size-cells' is a required property
+ From schema: /lib/python3.10/site-packages/dtschema/schemas/pci/pci-bus.yaml
+
+Two properties that need to be added later are "device_type" and
+"ranges". Adding "device_type" on its own causes a new warning and the
+value of "ranges" needs to be determined yet.
+
+Signed-off-by: Rafał Miłecki
+Link: https://lore.kernel.org/r/20230707114004.2740-3-zajec5@gmail.com
+Signed-off-by: Florian Fainelli
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/dts/bcm53573.dtsi | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/arch/arm/boot/dts/bcm53573.dtsi b/arch/arm/boot/dts/bcm53573.dtsi
+index 3cb71829e8597..eed1a6147f0bf 100644
+--- a/arch/arm/boot/dts/bcm53573.dtsi
++++ b/arch/arm/boot/dts/bcm53573.dtsi
+@@ -127,6 +127,9 @@ uart0: serial@300 {
+
+ pcie0: pcie@2000 {
+ reg = <0x00002000 0x1000>;
++
++ #address-cells = <3>;
++ #size-cells = <2>;
+ };
+
+ usb2: usb2@4000 {
+--
+2.40.1
+
diff --git a/queue-5.10/arm-dts-bcm53573-describe-on-soc-bcm53125-rev-4-swit.patch b/queue-5.10/arm-dts-bcm53573-describe-on-soc-bcm53125-rev-4-swit.patch
new file mode 100644
index 00000000000..9c57b86e3c0
--- /dev/null
+++ b/queue-5.10/arm-dts-bcm53573-describe-on-soc-bcm53125-rev-4-swit.patch
@@ -0,0 +1,55 @@
+From f4ed0ca3cba3ba791f488a9fd479c09407193b58 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 20 Sep 2021 16:10:23 +0200
+Subject: ARM: dts: BCM53573: Describe on-SoC BCM53125 rev 4 switch
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Rafał Miłecki
+
+[ Upstream commit 9fb90ae6cae7f8fe4fbf626945f32cd9da2c3892 ]
+
+BCM53573 family SoC have Ethernet switch connected to the first Ethernet
+controller (accessible over MDIO).
+
+Signed-off-by: Rafał Miłecki
+Signed-off-by: Florian Fainelli
+Stable-dep-of: 05d2c3d552b8 ("ARM: dts: BCM53573: Drop nonexistent #usb-cells")
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/dts/bcm53573.dtsi | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/arch/arm/boot/dts/bcm53573.dtsi b/arch/arm/boot/dts/bcm53573.dtsi
+index 51546fccc6168..3f03a381db0f2 100644
+--- a/arch/arm/boot/dts/bcm53573.dtsi
++++ b/arch/arm/boot/dts/bcm53573.dtsi
+@@ -180,6 +180,24 @@ ohci_port2: port@2 {
+
+ gmac0: ethernet@5000 {
+ reg = <0x5000 0x1000>;
++
++ mdio {
++ #address-cells = <1>;
++ #size-cells = <0>;
++
++ switch: switch@1e {
++ compatible = "brcm,bcm53125";
++ reg = <0x1e>;
++
++ status = "disabled";
++
++ /* ports are defined in board DTS */
++ ports {
++ #address-cells = <1>;
++ #size-cells = <0>;
++ };
++ };
++ };
+ };
+
+ gmac1: ethernet@b000 {
+--
+2.40.1
+
diff --git a/queue-5.10/arm-dts-bcm53573-drop-nonexistent-usb-cells.patch b/queue-5.10/arm-dts-bcm53573-drop-nonexistent-usb-cells.patch
new file mode 100644
index 00000000000..46265edf748
--- /dev/null
+++ b/queue-5.10/arm-dts-bcm53573-drop-nonexistent-usb-cells.patch
@@ -0,0 +1,42 @@
+From fa3969df07c5b77026fa03cea7cac8cbad2ad637 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 7 Jul 2023 13:40:02 +0200
+Subject: ARM: dts: BCM53573: Drop nonexistent #usb-cells
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Rafał Miłecki
+
+[ Upstream commit 05d2c3d552b8c92fc397377d9d1112fc58e2cd59 ]
+
+Such property simply doesn't exist (is not documented or used anywhere).
+
+This fixes:
+arch/arm/boot/dts/broadcom/bcm47189-luxul-xap-1440.dtb: usb@d000: Unevaluated properties are not allowed ('#usb-cells' was unexpected)
+ From schema: Documentation/devicetree/bindings/usb/generic-ohci.yaml
+
+Signed-off-by: Rafał Miłecki
+Link: https://lore.kernel.org/r/20230707114004.2740-2-zajec5@gmail.com
+Signed-off-by: Florian Fainelli
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/dts/bcm53573.dtsi | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/arch/arm/boot/dts/bcm53573.dtsi b/arch/arm/boot/dts/bcm53573.dtsi
+index 3f03a381db0f2..3cb71829e8597 100644
+--- a/arch/arm/boot/dts/bcm53573.dtsi
++++ b/arch/arm/boot/dts/bcm53573.dtsi
+@@ -156,8 +156,6 @@ ehci_port2: port@2 {
+ };
+
+ ohci: usb@d000 {
+- #usb-cells = <0>;
+-
+ compatible = "generic-ohci";
+ reg = <0xd000 0x1000>;
+ interrupt-parent = <&gic>;
+--
+2.40.1
+
diff --git a/queue-5.10/arm-dts-bcm53573-fix-ethernet-info-for-luxul-devices.patch b/queue-5.10/arm-dts-bcm53573-fix-ethernet-info-for-luxul-devices.patch
new file mode 100644
index 00000000000..cf91bba7615
--- /dev/null
+++ b/queue-5.10/arm-dts-bcm53573-fix-ethernet-info-for-luxul-devices.patch
@@ -0,0 +1,87 @@
+From dc331d1205a60be7cae4eba40f26a31a313611a3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 13 Jul 2023 13:11:45 +0200
+Subject: ARM: dts: BCM53573: Fix Ethernet info for Luxul devices
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Rafał Miłecki
+
+[ Upstream commit 44ad8207806973f4e4f7d870fff36cc01f494250 ]
+
+Both Luxul's XAP devices (XAP-810 and XAP-1440) are access points that
+use a non-default design. They don't include switch but have a single
+Ethernet port and BCM54210E PHY connected to the Ethernet controller's
+MDIO bus.
+
+Support for those devices regressed due to two changes:
+
+1. Describing MDIO bus with switch
+After commit 9fb90ae6cae7 ("ARM: dts: BCM53573: Describe on-SoC BCM53125
+rev 4 switch") Linux stopped probing for MDIO devices.
+
+2. Dropping hardcoded BCM54210E delays
+In commit fea7fda7f50a ("net: phy: broadcom: Fix RGMII delays
+configuration for BCM54210E") support for other PHY modes was added but
+that requires a proper "phy-mode" value in DT.
+
+Both above changes are correct (they don't need to be reverted or
+anything) but they need this fix for DT data to be correct and for Linux
+to work properly.
+
+Fixes: 9fb90ae6cae7 ("ARM: dts: BCM53573: Describe on-SoC BCM53125 rev 4 switch")
+Signed-off-by: Rafał Miłecki
+Link: https://lore.kernel.org/r/20230713111145.14864-1-zajec5@gmail.com
+Signed-off-by: Florian Fainelli
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/dts/bcm47189-luxul-xap-1440.dts | 13 +++++++++++++
+ arch/arm/boot/dts/bcm47189-luxul-xap-810.dts | 13 +++++++++++++
+ 2 files changed, 26 insertions(+)
+
+diff --git a/arch/arm/boot/dts/bcm47189-luxul-xap-1440.dts b/arch/arm/boot/dts/bcm47189-luxul-xap-1440.dts
+index 57ca1cfaecd8e..00e688b45d981 100644
+--- a/arch/arm/boot/dts/bcm47189-luxul-xap-1440.dts
++++ b/arch/arm/boot/dts/bcm47189-luxul-xap-1440.dts
+@@ -46,3 +46,16 @@ restart {
+ };
+ };
+ };
++
++&gmac0 {
++ phy-mode = "rgmii";
++ phy-handle = <&bcm54210e>;
++
++ mdio {
++ /delete-node/ switch@1e;
++
++ bcm54210e: ethernet-phy@0 {
++ reg = <0>;
++ };
++ };
++};
+diff --git a/arch/arm/boot/dts/bcm47189-luxul-xap-810.dts b/arch/arm/boot/dts/bcm47189-luxul-xap-810.dts
+index 2e1a7e382cb7a..78c80a5d3f4fa 100644
+--- a/arch/arm/boot/dts/bcm47189-luxul-xap-810.dts
++++ b/arch/arm/boot/dts/bcm47189-luxul-xap-810.dts
+@@ -83,3 +83,16 @@ pcie0_chipcommon: chipcommon@0 {
+ };
+ };
+ };
++
++&gmac0 {
++ phy-mode = "rgmii";
++ phy-handle = <&bcm54210e>;
++
++ mdio {
++ /delete-node/ switch@1e;
++
++ bcm54210e: ethernet-phy@0 {
++ reg = <0>;
++ };
++ };
++};
+--
+2.40.1
+
diff --git a/queue-5.10/arm-dts-bcm53573-use-updated-spi-gpio-binding-proper.patch b/queue-5.10/arm-dts-bcm53573-use-updated-spi-gpio-binding-proper.patch
new file mode 100644
index 00000000000..b1f910785c8
--- /dev/null
+++ b/queue-5.10/arm-dts-bcm53573-use-updated-spi-gpio-binding-proper.patch
@@ -0,0 +1,54 @@
+From df5ee0c65d96223c2a47820fba0acf33e19d9dfb Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 7 Jul 2023 13:40:04 +0200
+Subject: ARM: dts: BCM53573: Use updated "spi-gpio" binding properties
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Rafał Miłecki
+
+[ Upstream commit 2c0fd6b3d0778ceab40205315ccef74568490f17 ]
+
+Switch away from deprecated properties.
+
+This fixes:
+arch/arm/boot/dts/broadcom/bcm947189acdbmr.dtb: spi: gpio-sck: False schema does not allow [[3, 21, 0]]
+ From schema: Documentation/devicetree/bindings/spi/spi-gpio.yaml
+arch/arm/boot/dts/broadcom/bcm947189acdbmr.dtb: spi: gpio-miso: False schema does not allow [[3, 22, 0]]
+ From schema: Documentation/devicetree/bindings/spi/spi-gpio.yaml
+arch/arm/boot/dts/broadcom/bcm947189acdbmr.dtb: spi: gpio-mosi: False schema does not allow [[3, 23, 0]]
+ From schema: Documentation/devicetree/bindings/spi/spi-gpio.yaml
+arch/arm/boot/dts/broadcom/bcm947189acdbmr.dtb: spi: 'sck-gpios' is a required property
+ From schema: Documentation/devicetree/bindings/spi/spi-gpio.yaml
+arch/arm/boot/dts/broadcom/bcm947189acdbmr.dtb: spi: Unevaluated properties are not allowed ('gpio-miso', 'gpio-mosi', 'gpio-sck' were unexpected)
+ From schema: Documentation/devicetree/bindings/spi/spi-gpio.yaml
+
+Signed-off-by: Rafał Miłecki
+Link: https://lore.kernel.org/r/20230707114004.2740-4-zajec5@gmail.com
+Signed-off-by: Florian Fainelli
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/dts/bcm947189acdbmr.dts | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm/boot/dts/bcm947189acdbmr.dts b/arch/arm/boot/dts/bcm947189acdbmr.dts
+index b0b8c774a37f9..1f0be30e54435 100644
+--- a/arch/arm/boot/dts/bcm947189acdbmr.dts
++++ b/arch/arm/boot/dts/bcm947189acdbmr.dts
+@@ -60,9 +60,9 @@ wps {
+ spi {
+ compatible = "spi-gpio";
+ num-chipselects = <1>;
+- gpio-sck = <&chipcommon 21 0>;
+- gpio-miso = <&chipcommon 22 0>;
+- gpio-mosi = <&chipcommon 23 0>;
++ sck-gpios = <&chipcommon 21 0>;
++ miso-gpios = <&chipcommon 22 0>;
++ mosi-gpios = <&chipcommon 23 0>;
+ cs-gpios = <&chipcommon 24 0>;
+ #address-cells = <1>;
+ #size-cells = <0>;
+--
+2.40.1
+
diff --git a/queue-5.10/arm-dts-s3c64xx-align-pinctrl-with-dtschema.patch b/queue-5.10/arm-dts-s3c64xx-align-pinctrl-with-dtschema.patch
new file mode 100644
index 00000000000..7099117836b
--- /dev/null
+++ b/queue-5.10/arm-dts-s3c64xx-align-pinctrl-with-dtschema.patch
@@ -0,0 +1,808 @@
+From f07612b9a062c5852a7598628d94a7dbb671bc76 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 11 Jan 2022 21:17:16 +0100
+Subject: ARM: dts: s3c64xx: align pinctrl with dtschema
+
+From: Krzysztof Kozlowski
+
+[ Upstream commit 9e47ccc01284aba7fe5fbf6ee2a7abc29bf2a740 ]
+
+Align the pin controller related nodes with dtschema. No functional
+change expected.
+
+Signed-off-by: Krzysztof Kozlowski
+Link: https://lore.kernel.org/r/20220111201722.327219-16-krzysztof.kozlowski@canonical.com
+Stable-dep-of: cf0cb2af6a18 ("ARM: dts: samsung: s3c6410-mini6410: correct ethernet reg addresses (split)")
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/dts/s3c6410-mini6410.dts | 4 +-
+ arch/arm/boot/dts/s3c64xx-pinctrl.dtsi | 210 ++++++++++++-------------
+ 2 files changed, 107 insertions(+), 107 deletions(-)
+
+diff --git a/arch/arm/boot/dts/s3c6410-mini6410.dts b/arch/arm/boot/dts/s3c6410-mini6410.dts
+index 285555b9ed943..17097da36f5ed 100644
+--- a/arch/arm/boot/dts/s3c6410-mini6410.dts
++++ b/arch/arm/boot/dts/s3c6410-mini6410.dts
+@@ -193,12 +193,12 @@ &uart3 {
+ };
+
+ &pinctrl0 {
+- gpio_leds: gpio-leds {
++ gpio_leds: gpio-leds-pins {
+ samsung,pins = "gpk-4", "gpk-5", "gpk-6", "gpk-7";
+ samsung,pin-pud = ;
+ };
+
+- gpio_keys: gpio-keys {
++ gpio_keys: gpio-keys-pins {
+ samsung,pins = "gpn-0", "gpn-1", "gpn-2", "gpn-3",
+ "gpn-4", "gpn-5", "gpl-11", "gpl-12";
+ samsung,pin-pud = ;
+diff --git a/arch/arm/boot/dts/s3c64xx-pinctrl.dtsi b/arch/arm/boot/dts/s3c64xx-pinctrl.dtsi
+index 8e9594d64b579..0a3186d57cb56 100644
+--- a/arch/arm/boot/dts/s3c64xx-pinctrl.dtsi
++++ b/arch/arm/boot/dts/s3c64xx-pinctrl.dtsi
+@@ -16,111 +16,111 @@ &pinctrl0 {
+ * Pin banks
+ */
+
+- gpa: gpa {
++ gpa: gpa-gpio-bank {
+ gpio-controller;
+ #gpio-cells = <2>;
+ interrupt-controller;
+ #interrupt-cells = <2>;
+ };
+
+- gpb: gpb {
++ gpb: gpb-gpio-bank {
+ gpio-controller;
+ #gpio-cells = <2>;
+ interrupt-controller;
+ #interrupt-cells = <2>;
+ };
+
+- gpc: gpc {
++ gpc: gpc-gpio-bank {
+ gpio-controller;
+ #gpio-cells = <2>;
+ interrupt-controller;
+ #interrupt-cells = <2>;
+ };
+
+- gpd: gpd {
++ gpd: gpd-gpio-bank {
+ gpio-controller;
+ #gpio-cells = <2>;
+ interrupt-controller;
+ #interrupt-cells = <2>;
+ };
+
+- gpe: gpe {
++ gpe: gpe-gpio-bank {
+ gpio-controller;
+ #gpio-cells = <2>;
+ };
+
+- gpf: gpf {
++ gpf: gpf-gpio-bank {
+ gpio-controller;
+ #gpio-cells = <2>;
+ interrupt-controller;
+ #interrupt-cells = <2>;
+ };
+
+- gpg: gpg {
++ gpg: gpg-gpio-bank {
+ gpio-controller;
+ #gpio-cells = <2>;
+ interrupt-controller;
+ #interrupt-cells = <2>;
+ };
+
+- gph: gph {
++ gph: gph-gpio-bank {
+ gpio-controller;
+ #gpio-cells = <2>;
+ interrupt-controller;
+ #interrupt-cells = <2>;
+ };
+
+- gpi: gpi {
++ gpi: gpi-gpio-bank {
+ gpio-controller;
+ #gpio-cells = <2>;
+ };
+
+- gpj: gpj {
++ gpj: gpj-gpio-bank {
+ gpio-controller;
+ #gpio-cells = <2>;
+ };
+
+- gpk: gpk {
++ gpk: gpk-gpio-bank {
+ gpio-controller;
+ #gpio-cells = <2>;
+ };
+
+- gpl: gpl {
++ gpl: gpl-gpio-bank {
+ gpio-controller;
+ #gpio-cells = <2>;
+ interrupt-controller;
+ #interrupt-cells = <2>;
+ };
+
+- gpm: gpm {
++ gpm: gpm-gpio-bank {
+ gpio-controller;
+ #gpio-cells = <2>;
+ interrupt-controller;
+ #interrupt-cells = <2>;
+ };
+
+- gpn: gpn {
++ gpn: gpn-gpio-bank {
+ gpio-controller;
+ #gpio-cells = <2>;
+ interrupt-controller;
+ #interrupt-cells = <2>;
+ };
+
+- gpo: gpo {
++ gpo: gpo-gpio-bank {
+ gpio-controller;
+ #gpio-cells = <2>;
+ interrupt-controller;
+ #interrupt-cells = <2>;
+ };
+
+- gpp: gpp {
++ gpp: gpp-gpio-bank {
+ gpio-controller;
+ #gpio-cells = <2>;
+ interrupt-controller;
+ #interrupt-cells = <2>;
+ };
+
+- gpq: gpq {
++ gpq: gpq-gpio-bank {
+ gpio-controller;
+ #gpio-cells = <2>;
+ interrupt-controller;
+@@ -131,225 +131,225 @@ gpq: gpq {
+ * Pin groups
+ */
+
+- uart0_data: uart0-data {
++ uart0_data: uart0-data-pins {
+ samsung,pins = "gpa-0", "gpa-1";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- uart0_fctl: uart0-fctl {
++ uart0_fctl: uart0-fctl-pins {
+ samsung,pins = "gpa-2", "gpa-3";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- uart1_data: uart1-data {
++ uart1_data: uart1-data-pins {
+ samsung,pins = "gpa-4", "gpa-5";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- uart1_fctl: uart1-fctl {
++ uart1_fctl: uart1-fctl-pins {
+ samsung,pins = "gpa-6", "gpa-7";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- uart2_data: uart2-data {
++ uart2_data: uart2-data-pins {
+ samsung,pins = "gpb-0", "gpb-1";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- uart3_data: uart3-data {
++ uart3_data: uart3-data-pins {
+ samsung,pins = "gpb-2", "gpb-3";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- ext_dma_0: ext-dma-0 {
++ ext_dma_0: ext-dma-0-pins {
+ samsung,pins = "gpb-0", "gpb-1";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- ext_dma_1: ext-dma-1 {
++ ext_dma_1: ext-dma-1-pins {
+ samsung,pins = "gpb-2", "gpb-3";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- irda_data_0: irda-data-0 {
++ irda_data_0: irda-data-0-pins {
+ samsung,pins = "gpb-0", "gpb-1";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- irda_data_1: irda-data-1 {
++ irda_data_1: irda-data-1-pins {
+ samsung,pins = "gpb-2", "gpb-3";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- irda_sdbw: irda-sdbw {
++ irda_sdbw: irda-sdbw-pins {
+ samsung,pins = "gpb-4";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- i2c0_bus: i2c0-bus {
++ i2c0_bus: i2c0-bus-pins {
+ samsung,pins = "gpb-5", "gpb-6";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- i2c1_bus: i2c1-bus {
++ i2c1_bus: i2c1-bus-pins {
+ /* S3C6410-only */
+ samsung,pins = "gpb-2", "gpb-3";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- spi0_bus: spi0-bus {
++ spi0_bus: spi0-bus-pins {
+ samsung,pins = "gpc-0", "gpc-1", "gpc-2";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- spi0_cs: spi0-cs {
++ spi0_cs: spi0-cs-pins {
+ samsung,pins = "gpc-3";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- spi1_bus: spi1-bus {
++ spi1_bus: spi1-bus-pins {
+ samsung,pins = "gpc-4", "gpc-5", "gpc-6";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- spi1_cs: spi1-cs {
++ spi1_cs: spi1-cs-pins {
+ samsung,pins = "gpc-7";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- sd0_cmd: sd0-cmd {
++ sd0_cmd: sd0-cmd-pins {
+ samsung,pins = "gpg-1";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- sd0_clk: sd0-clk {
++ sd0_clk: sd0-clk-pins {
+ samsung,pins = "gpg-0";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- sd0_bus1: sd0-bus1 {
++ sd0_bus1: sd0-bus1-pins {
+ samsung,pins = "gpg-2";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- sd0_bus4: sd0-bus4 {
++ sd0_bus4: sd0-bus4-pins {
+ samsung,pins = "gpg-2", "gpg-3", "gpg-4", "gpg-5";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- sd0_cd: sd0-cd {
++ sd0_cd: sd0-cd-pins {
+ samsung,pins = "gpg-6";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- sd1_cmd: sd1-cmd {
++ sd1_cmd: sd1-cmd-pins {
+ samsung,pins = "gph-1";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- sd1_clk: sd1-clk {
++ sd1_clk: sd1-clk-pins {
+ samsung,pins = "gph-0";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- sd1_bus1: sd1-bus1 {
++ sd1_bus1: sd1-bus1-pins {
+ samsung,pins = "gph-2";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- sd1_bus4: sd1-bus4 {
++ sd1_bus4: sd1-bus4-pins {
+ samsung,pins = "gph-2", "gph-3", "gph-4", "gph-5";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- sd1_bus8: sd1-bus8 {
++ sd1_bus8: sd1-bus8-pins {
+ samsung,pins = "gph-2", "gph-3", "gph-4", "gph-5",
+ "gph-6", "gph-7", "gph-8", "gph-9";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- sd1_cd: sd1-cd {
++ sd1_cd: sd1-cd-pins {
+ samsung,pins = "gpg-6";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- sd2_cmd: sd2-cmd {
++ sd2_cmd: sd2-cmd-pins {
+ samsung,pins = "gpc-4";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- sd2_clk: sd2-clk {
++ sd2_clk: sd2-clk-pins {
+ samsung,pins = "gpc-5";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- sd2_bus1: sd2-bus1 {
++ sd2_bus1: sd2-bus1-pins {
+ samsung,pins = "gph-6";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- sd2_bus4: sd2-bus4 {
++ sd2_bus4: sd2-bus4-pins {
+ samsung,pins = "gph-6", "gph-7", "gph-8", "gph-9";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- i2s0_bus: i2s0-bus {
++ i2s0_bus: i2s0-bus-pins {
+ samsung,pins = "gpd-0", "gpd-2", "gpd-3", "gpd-4";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- i2s0_cdclk: i2s0-cdclk {
++ i2s0_cdclk: i2s0-cdclk-pins {
+ samsung,pins = "gpd-1";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- i2s1_bus: i2s1-bus {
++ i2s1_bus: i2s1-bus-pins {
+ samsung,pins = "gpe-0", "gpe-2", "gpe-3", "gpe-4";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- i2s1_cdclk: i2s1-cdclk {
++ i2s1_cdclk: i2s1-cdclk-pins {
+ samsung,pins = "gpe-1";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- i2s2_bus: i2s2-bus {
++ i2s2_bus: i2s2-bus-pins {
+ /* S3C6410-only */
+ samsung,pins = "gpc-4", "gpc-5", "gpc-6", "gph-6",
+ "gph-8", "gph-9";
+@@ -357,50 +357,50 @@ i2s2_bus: i2s2-bus {
+ samsung,pin-pud = ;
+ };
+
+- i2s2_cdclk: i2s2-cdclk {
++ i2s2_cdclk: i2s2-cdclk-pins {
+ /* S3C6410-only */
+ samsung,pins = "gph-7";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- pcm0_bus: pcm0-bus {
++ pcm0_bus: pcm0-bus-pins {
+ samsung,pins = "gpd-0", "gpd-2", "gpd-3", "gpd-4";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- pcm0_extclk: pcm0-extclk {
++ pcm0_extclk: pcm0-extclk-pins {
+ samsung,pins = "gpd-1";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- pcm1_bus: pcm1-bus {
++ pcm1_bus: pcm1-bus-pins {
+ samsung,pins = "gpe-0", "gpe-2", "gpe-3", "gpe-4";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- pcm1_extclk: pcm1-extclk {
++ pcm1_extclk: pcm1-extclk-pins {
+ samsung,pins = "gpe-1";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- ac97_bus_0: ac97-bus-0 {
++ ac97_bus_0: ac97-bus-0-pins {
+ samsung,pins = "gpd-0", "gpd-1", "gpd-2", "gpd-3", "gpd-4";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- ac97_bus_1: ac97-bus-1 {
++ ac97_bus_1: ac97-bus-1-pins {
+ samsung,pins = "gpe-0", "gpe-1", "gpe-2", "gpe-3", "gpe-4";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- cam_port: cam-port {
++ cam_port: cam-port-pins {
+ samsung,pins = "gpf-0", "gpf-1", "gpf-2", "gpf-4",
+ "gpf-5", "gpf-6", "gpf-7", "gpf-8",
+ "gpf-9", "gpf-10", "gpf-11", "gpf-12";
+@@ -408,242 +408,242 @@ cam_port: cam-port {
+ samsung,pin-pud = ;
+ };
+
+- cam_rst: cam-rst {
++ cam_rst: cam-rst-pins {
+ samsung,pins = "gpf-3";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- cam_field: cam-field {
++ cam_field: cam-field-pins {
+ /* S3C6410-only */
+ samsung,pins = "gpb-4";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- pwm_extclk: pwm-extclk {
++ pwm_extclk: pwm-extclk-pins {
+ samsung,pins = "gpf-13";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- pwm0_out: pwm0-out {
++ pwm0_out: pwm0-out-pins {
+ samsung,pins = "gpf-14";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- pwm1_out: pwm1-out {
++ pwm1_out: pwm1-out-pins {
+ samsung,pins = "gpf-15";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- clkout0: clkout-0 {
++ clkout0: clkout-0-pins {
+ samsung,pins = "gpf-14";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- keypad_col0_0: keypad-col0-0 {
++ keypad_col0_0: keypad-col0-0-pins {
+ samsung,pins = "gph-0";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- keypad_col1_0: keypad-col1-0 {
++ keypad_col1_0: keypad-col1-0-pins {
+ samsung,pins = "gph-1";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- keypad_col2_0: keypad-col2-0 {
++ keypad_col2_0: keypad-col2-0-pins {
+ samsung,pins = "gph-2";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- keypad_col3_0: keypad-col3-0 {
++ keypad_col3_0: keypad-col3-0-pins {
+ samsung,pins = "gph-3";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- keypad_col4_0: keypad-col4-0 {
++ keypad_col4_0: keypad-col4-0-pins {
+ samsung,pins = "gph-4";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- keypad_col5_0: keypad-col5-0 {
++ keypad_col5_0: keypad-col5-0-pins {
+ samsung,pins = "gph-5";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- keypad_col6_0: keypad-col6-0 {
++ keypad_col6_0: keypad-col6-0-pins {
+ samsung,pins = "gph-6";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- keypad_col7_0: keypad-col7-0 {
++ keypad_col7_0: keypad-col7-0-pins {
+ samsung,pins = "gph-7";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- keypad_col0_1: keypad-col0-1 {
++ keypad_col0_1: keypad-col0-1-pins {
+ samsung,pins = "gpl-0";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- keypad_col1_1: keypad-col1-1 {
++ keypad_col1_1: keypad-col1-1-pins {
+ samsung,pins = "gpl-1";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- keypad_col2_1: keypad-col2-1 {
++ keypad_col2_1: keypad-col2-1-pins {
+ samsung,pins = "gpl-2";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- keypad_col3_1: keypad-col3-1 {
++ keypad_col3_1: keypad-col3-1-pins {
+ samsung,pins = "gpl-3";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- keypad_col4_1: keypad-col4-1 {
++ keypad_col4_1: keypad-col4-1-pins {
+ samsung,pins = "gpl-4";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- keypad_col5_1: keypad-col5-1 {
++ keypad_col5_1: keypad-col5-1-pins {
+ samsung,pins = "gpl-5";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- keypad_col6_1: keypad-col6-1 {
++ keypad_col6_1: keypad-col6-1-pins {
+ samsung,pins = "gpl-6";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- keypad_col7_1: keypad-col7-1 {
++ keypad_col7_1: keypad-col7-1-pins {
+ samsung,pins = "gpl-7";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- keypad_row0_0: keypad-row0-0 {
++ keypad_row0_0: keypad-row0-0-pins {
+ samsung,pins = "gpk-8";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- keypad_row1_0: keypad-row1-0 {
++ keypad_row1_0: keypad-row1-0-pins {
+ samsung,pins = "gpk-9";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- keypad_row2_0: keypad-row2-0 {
++ keypad_row2_0: keypad-row2-0-pins {
+ samsung,pins = "gpk-10";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- keypad_row3_0: keypad-row3-0 {
++ keypad_row3_0: keypad-row3-0-pins {
+ samsung,pins = "gpk-11";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- keypad_row4_0: keypad-row4-0 {
++ keypad_row4_0: keypad-row4-0-pins {
+ samsung,pins = "gpk-12";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- keypad_row5_0: keypad-row5-0 {
++ keypad_row5_0: keypad-row5-0-pins {
+ samsung,pins = "gpk-13";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- keypad_row6_0: keypad-row6-0 {
++ keypad_row6_0: keypad-row6-0-pins {
+ samsung,pins = "gpk-14";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- keypad_row7_0: keypad-row7-0 {
++ keypad_row7_0: keypad-row7-0-pins {
+ samsung,pins = "gpk-15";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- keypad_row0_1: keypad-row0-1 {
++ keypad_row0_1: keypad-row0-1-pins {
+ samsung,pins = "gpn-0";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- keypad_row1_1: keypad-row1-1 {
++ keypad_row1_1: keypad-row1-1-pins {
+ samsung,pins = "gpn-1";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- keypad_row2_1: keypad-row2-1 {
++ keypad_row2_1: keypad-row2-1-pins {
+ samsung,pins = "gpn-2";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- keypad_row3_1: keypad-row3-1 {
++ keypad_row3_1: keypad-row3-1-pins {
+ samsung,pins = "gpn-3";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- keypad_row4_1: keypad-row4-1 {
++ keypad_row4_1: keypad-row4-1-pins {
+ samsung,pins = "gpn-4";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- keypad_row5_1: keypad-row5-1 {
++ keypad_row5_1: keypad-row5-1-pins {
+ samsung,pins = "gpn-5";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- keypad_row6_1: keypad-row6-1 {
++ keypad_row6_1: keypad-row6-1-pins {
+ samsung,pins = "gpn-6";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- keypad_row7_1: keypad-row7-1 {
++ keypad_row7_1: keypad-row7-1-pins {
+ samsung,pins = "gpn-7";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- lcd_ctrl: lcd-ctrl {
++ lcd_ctrl: lcd-ctrl-pins {
+ samsung,pins = "gpj-8", "gpj-9", "gpj-10", "gpj-11";
+ samsung,pin-function = ;
+ samsung,pin-pud = ;
+ };
+
+- lcd_data16: lcd-data-width16 {
++ lcd_data16: lcd-data-width16-pins {
+ samsung,pins = "gpi-3", "gpi-4", "gpi-5", "gpi-6",
+ "gpi-7", "gpi-10", "gpi-11", "gpi-12",
+ "gpi-13", "gpi-14", "gpi-15", "gpj-3",
+@@ -652,7 +652,7 @@ lcd_data16: lcd-data-width16 {
+ samsung,pin-pud = ;
+ };
+
+- lcd_data18: lcd-data-width18 {
++ lcd_data18: lcd-data-width18-pins {
+ samsung,pins = "gpi-2", "gpi-3", "gpi-4", "gpi-5",
+ "gpi-6", "gpi-7", "gpi-10", "gpi-11",
+ "gpi-12", "gpi-13", "gpi-14", "gpi-15",
+@@ -662,7 +662,7 @@ lcd_data18: lcd-data-width18 {
+ samsung,pin-pud = ;
+ };
+
+- lcd_data24: lcd-data-width24 {
++ lcd_data24: lcd-data-width24-pins {
+ samsung,pins = "gpi-0", "gpi-1", "gpi-2", "gpi-3",
+ "gpi-4", "gpi-5", "gpi-6", "gpi-7",
+ "gpi-8", "gpi-9", "gpi-10", "gpi-11",
+@@ -673,7 +673,7 @@ lcd_data24: lcd-data-width24 {
+ samsung,pin-pud = ;
+ };
+
+- hsi_bus: hsi-bus {
++ hsi_bus: hsi-bus-pins {
+ samsung,pins = "gpk-0", "gpk-1", "gpk-2", "gpk-3",
+ "gpk-4", "gpk-5", "gpk-6", "gpk-7";
+ samsung,pin-function = ;
+--
+2.40.1
+
diff --git a/queue-5.10/arm-dts-s5pv210-add-dummy-5v-regulator-for-backlight.patch b/queue-5.10/arm-dts-s5pv210-add-dummy-5v-regulator-for-backlight.patch
new file mode 100644
index 00000000000..0e9e647c53c
--- /dev/null
+++ b/queue-5.10/arm-dts-s5pv210-add-dummy-5v-regulator-for-backlight.patch
@@ -0,0 +1,44 @@
+From 88f591ad96360b0eb9a72c7f34795b211dbcffc4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 21 Apr 2023 11:57:21 +0200
+Subject: ARM: dts: s5pv210: add dummy 5V regulator for backlight on SMDKv210
+
+From: Krzysztof Kozlowski
+
+[ Upstream commit b77904ba177a9c67b6dbc3637fdf1faa22df6e5c ]
+
+Backlight is supplied by DC5V regulator. The DTS has no PMIC node, so
+just add a regulator-fixed to solve it and fix dtbs_check warning:
+
+ s5pv210-smdkv210.dtb: backlight: 'power-supply' is a required property
+
+Link: https://lore.kernel.org/r/20230421095721.31857-4-krzysztof.kozlowski@linaro.org
+Signed-off-by: Krzysztof Kozlowski
+Stable-dep-of: 982655cb0e7f ("ARM: dts: samsung: s5pv210-smdkv210: correct ethernet reg addresses (split)")
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/dts/s5pv210-smdkv210.dts | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/arch/arm/boot/dts/s5pv210-smdkv210.dts b/arch/arm/boot/dts/s5pv210-smdkv210.dts
+index fbae768d65e27..6e26c67e0a26e 100644
+--- a/arch/arm/boot/dts/s5pv210-smdkv210.dts
++++ b/arch/arm/boot/dts/s5pv210-smdkv210.dts
+@@ -55,6 +55,14 @@ backlight {
+ default-brightness-level = <6>;
+ pinctrl-names = "default";
+ pinctrl-0 = <&pwm3_out>;
++ power-supply = <&dc5v_reg>;
++ };
++
++ dc5v_reg: regulator-0 {
++ compatible = "regulator-fixed";
++ regulator-name = "DC5V";
++ regulator-min-microvolt = <5000000>;
++ regulator-max-microvolt = <5000000>;
+ };
+ };
+
+--
+2.40.1
+
diff --git a/queue-5.10/arm-dts-s5pv210-adjust-node-names-to-dt-spec.patch b/queue-5.10/arm-dts-s5pv210-adjust-node-names-to-dt-spec.patch
new file mode 100644
index 00000000000..db10eff217f
--- /dev/null
+++ b/queue-5.10/arm-dts-s5pv210-adjust-node-names-to-dt-spec.patch
@@ -0,0 +1,232 @@ +From 50d094babd1dc3928873925218331c869aeac1f0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Oct 2020 18:09:44 +0100 +Subject: ARM: dts: s5pv210: adjust node names to DT spec + +From: Krzysztof Kozlowski + +[ Upstream commit b04544ac0d1f2a51e0f3234045343aa741d64e7b ] + +The Devicetree specification expects device node names to have a generic +name, representing the class of a device. Also the convention for node +names is to use hyphens, not underscores. + +No functional changes. + +Signed-off-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20201027170947.132725-10-krzk@kernel.org +Stable-dep-of: 982655cb0e7f ("ARM: dts: samsung: s5pv210-smdkv210: correct ethernet reg addresses (split)") +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/s5pv210-aquila.dts | 12 ++++++------ + arch/arm/boot/dts/s5pv210-aries.dtsi | 4 ++-- + arch/arm/boot/dts/s5pv210-goni.dts | 14 +++++++------- + arch/arm/boot/dts/s5pv210-smdkv210.dts | 20 ++++++++++---------- + 4 files changed, 25 insertions(+), 25 deletions(-) + +diff --git a/arch/arm/boot/dts/s5pv210-aquila.dts b/arch/arm/boot/dts/s5pv210-aquila.dts +index 8e57e5a1f0c51..6423348034b68 100644 +--- a/arch/arm/boot/dts/s5pv210-aquila.dts ++++ b/arch/arm/boot/dts/s5pv210-aquila.dts +@@ -277,37 +277,37 @@ &keypad { + <&keypad_col0>, <&keypad_col1>, <&keypad_col2>; + status = "okay"; + +- key_1 { ++ key-1 { + keypad,row = <0>; + keypad,column = <1>; + linux,code = ; + }; + +- key_2 { ++ key-2 { + keypad,row = <0>; + keypad,column = <2>; + linux,code = ; + }; + +- key_3 { ++ key-3 { + keypad,row = <1>; + keypad,column = <1>; + linux,code = ; + }; + +- key_4 { ++ key-4 { + keypad,row = <1>; + keypad,column = <2>; + linux,code = ; + }; + +- key_5 { ++ key-5 { + keypad,row = <2>; + keypad,column = <1>; + linux,code = ; + }; + +- key_6 { ++ key-6 { + keypad,row = <2>; + keypad,column = <2>; + linux,code = ; +diff --git a/arch/arm/boot/dts/s5pv210-aries.dtsi b/arch/arm/boot/dts/s5pv210-aries.dtsi 
+index 984bc8dc5e4bd..8f7dcd7af0bc9 100644 +--- a/arch/arm/boot/dts/s5pv210-aries.dtsi ++++ b/arch/arm/boot/dts/s5pv210-aries.dtsi +@@ -54,7 +54,7 @@ pmic_ap_clk: clock-0 { + clock-frequency = <32768>; + }; + +- bt_codec: bt_sco { ++ bt_codec: bt-sco { + compatible = "linux,bt-sco"; + #sound-dai-cells = <0>; + }; +@@ -113,7 +113,7 @@ i2c_sound: i2c-gpio-0 { + pinctrl-names = "default"; + pinctrl-0 = <&sound_i2c_pins>; + +- wm8994: wm8994@1a { ++ wm8994: audio-codec@1a { + compatible = "wlf,wm8994"; + reg = <0x1a>; + +diff --git a/arch/arm/boot/dts/s5pv210-goni.dts b/arch/arm/boot/dts/s5pv210-goni.dts +index ad8d5d2fa32d7..5c1e12d39747b 100644 +--- a/arch/arm/boot/dts/s5pv210-goni.dts ++++ b/arch/arm/boot/dts/s5pv210-goni.dts +@@ -259,37 +259,37 @@ &keypad { + <&keypad_col0>, <&keypad_col1>, <&keypad_col2>; + status = "okay"; + +- key_1 { ++ key-1 { + keypad,row = <0>; + keypad,column = <1>; + linux,code = ; + }; + +- key_2 { ++ key-2 { + keypad,row = <0>; + keypad,column = <2>; + linux,code = ; + }; + +- key_3 { ++ key-3 { + keypad,row = <1>; + keypad,column = <1>; + linux,code = ; + }; + +- key_4 { ++ key-4 { + keypad,row = <1>; + keypad,column = <2>; + linux,code = ; + }; + +- key_5 { ++ key-5 { + keypad,row = <2>; + keypad,column = <1>; + linux,code = ; + }; + +- key_6 { ++ key-6 { + keypad,row = <2>; + keypad,column = <2>; + linux,code = ; +@@ -353,7 +353,7 @@ &i2c2 { + samsung,i2c-slave-addr = <0x10>; + status = "okay"; + +- tsp@4a { ++ touchscreen@4a { + compatible = "atmel,maxtouch"; + reg = <0x4a>; + interrupt-parent = <&gpj0>; +diff --git a/arch/arm/boot/dts/s5pv210-smdkv210.dts b/arch/arm/boot/dts/s5pv210-smdkv210.dts +index 7459e41e8ef13..fbae768d65e27 100644 +--- a/arch/arm/boot/dts/s5pv210-smdkv210.dts ++++ b/arch/arm/boot/dts/s5pv210-smdkv210.dts +@@ -76,61 +76,61 @@ &keypad { + <&keypad_col6>, <&keypad_col7>; + status = "okay"; + +- key_1 { ++ key-1 { + keypad,row = <0>; + keypad,column = <3>; + linux,code = ; + }; + +- key_2 { ++ key-2 { + 
keypad,row = <0>; + keypad,column = <4>; + linux,code = ; + }; + +- key_3 { ++ key-3 { + keypad,row = <0>; + keypad,column = <5>; + linux,code = ; + }; + +- key_4 { ++ key-4 { + keypad,row = <0>; + keypad,column = <6>; + linux,code = ; + }; + +- key_5 { ++ key-5 { + keypad,row = <0 + >; + keypad,column = <7>; + linux,code = ; + }; + +- key_6 { ++ key-6 { + keypad,row = <1>; + keypad,column = <3>; + linux,code = ; + }; +- key_7 { ++ key-7 { + keypad,row = <1>; + keypad,column = <4>; + linux,code = ; + }; + +- key_8 { ++ key-8 { + keypad,row = <1>; + keypad,column = <5>; + linux,code = ; + }; + +- key_9 { ++ key-9 { + keypad,row = <1>; + keypad,column = <6>; + linux,code = ; + }; + +- key_10 { ++ key-10 { + keypad,row = <1>; + keypad,column = <7>; + linux,code = ; +-- +2.40.1 + diff --git a/queue-5.10/arm-dts-samsung-s3c6410-mini6410-correct-ethernet-re.patch b/queue-5.10/arm-dts-samsung-s3c6410-mini6410-correct-ethernet-re.patch new file mode 100644 index 00000000000..26fc191b89a --- /dev/null +++ b/queue-5.10/arm-dts-samsung-s3c6410-mini6410-correct-ethernet-re.patch 
@@ -0,0 +1,37 @@
+From 239671e9e56b436695e47f7929c3b905b7545d26 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 13 Jul 2023 17:29:25 +0200
+Subject: ARM: dts: samsung: s3c6410-mini6410: correct ethernet reg addresses
+ (split)
+
+From: Krzysztof Kozlowski
+
+[ Upstream commit cf0cb2af6a18f28b84f9f1416bff50ca60d6e98a ]
+
+The davicom,dm9000 Ethernet Controller accepts two reg addresses.
+
+Fixes: a43736deb47d ("ARM: dts: Add dts file for S3C6410-based Mini6410 board")
+Reviewed-by: Alim Akhtar
+Link: https://lore.kernel.org/r/20230713152926.82884-1-krzysztof.kozlowski@linaro.org
+Signed-off-by: Krzysztof Kozlowski
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/dts/s3c6410-mini6410.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/s3c6410-mini6410.dts b/arch/arm/boot/dts/s3c6410-mini6410.dts
+index 17097da36f5ed..0b07b3c319604 100644
+--- a/arch/arm/boot/dts/s3c6410-mini6410.dts
++++ b/arch/arm/boot/dts/s3c6410-mini6410.dts
+@@ -51,7 +51,7 @@ srom-cs1-bus@18000000 {
+
+ ethernet@18000000 {
+ compatible = "davicom,dm9000";
+- reg = <0x18000000 0x2 0x18000004 0x2>;
++ reg = <0x18000000 0x2>, <0x18000004 0x2>;
+ interrupt-parent = <&gpn>;
+ interrupts = <7 IRQ_TYPE_LEVEL_HIGH>;
+ davicom,no-eeprom;
+-- 
+2.40.1
+
diff --git a/queue-5.10/arm-dts-samsung-s5pv210-smdkv210-correct-ethernet-re.patch b/queue-5.10/arm-dts-samsung-s5pv210-smdkv210-correct-ethernet-re.patch
new file mode 100644
index 00000000000..4947b4eb1ee
--- /dev/null
+++ b/queue-5.10/arm-dts-samsung-s5pv210-smdkv210-correct-ethernet-re.patch
@@ -0,0 +1,37 @@
+From 77bd61d0139d33e82bf94dab5b4e57d5e04fbbee Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 13 Jul 2023 17:29:26 +0200
+Subject: ARM: dts: samsung: s5pv210-smdkv210: correct ethernet reg addresses
+ (split)
+
+From: Krzysztof Kozlowski
+
+[ Upstream commit 982655cb0e7f18934d7532c32366e574ad61dbd7 ]
+
+The davicom,dm9000 Ethernet Controller accepts two reg addresses.
+
+Fixes: b672b27d232e ("ARM: dts: Add Device tree for s5pc110/s5pv210 boards")
+Reviewed-by: Alim Akhtar
+Link: https://lore.kernel.org/r/20230713152926.82884-2-krzysztof.kozlowski@linaro.org
+Signed-off-by: Krzysztof Kozlowski
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/dts/s5pv210-smdkv210.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/s5pv210-smdkv210.dts b/arch/arm/boot/dts/s5pv210-smdkv210.dts
+index 6e26c67e0a26e..901e7197b1368 100644
+--- a/arch/arm/boot/dts/s5pv210-smdkv210.dts
++++ b/arch/arm/boot/dts/s5pv210-smdkv210.dts
+@@ -41,7 +41,7 @@ pmic_ap_clk: clock-0 {
+
+ ethernet@a8000000 {
+ compatible = "davicom,dm9000";
+- reg = <0xA8000000 0x2 0xA8000002 0x2>;
++ reg = <0xa8000000 0x2>, <0xa8000002 0x2>;
+ interrupt-parent = <&gph1>;
+ interrupts = <1 IRQ_TYPE_LEVEL_HIGH>;
+ local-mac-address = [00 00 de ad be ef];
+-- 
+2.40.1
+
diff --git a/queue-5.10/arm64-dts-qcom-msm8996-add-missing-interrupt-to-the-.patch b/queue-5.10/arm64-dts-qcom-msm8996-add-missing-interrupt-to-the-.patch
new file mode 100644
index 00000000000..ffbc909bc68
--- /dev/null
+++ b/queue-5.10/arm64-dts-qcom-msm8996-add-missing-interrupt-to-the-.patch
@@ -0,0 +1,38 @@
+From a7d29dcdedf339f1788b62e45c38d3d6fbed00cb Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 27 Jun 2023 18:24:27 +0200
+Subject: arm64: dts: qcom: msm8996: Add missing interrupt to the USB2
+ controller
+
+From: Konrad Dybcio
+
+[ Upstream commit 36541089c4733355ed844c67eebd0c3936953454 ]
+
+The interrupt line was previously not described. Take care of that.
+
+Fixes: 1e39255ed29d ("arm64: dts: msm8996: Add device node for qcom,dwc3")
+Signed-off-by: Konrad Dybcio
+Link: https://lore.kernel.org/r/20230627-topic-more_bindings-v1-11-6b4b6cd081e5@linaro.org
+Signed-off-by: Bjorn Andersson
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/boot/dts/qcom/msm8996.dtsi | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/arch/arm64/boot/dts/qcom/msm8996.dtsi b/arch/arm64/boot/dts/qcom/msm8996.dtsi
+index 73f7490911c92..0bc5fefb7a49b 100644
+--- a/arch/arm64/boot/dts/qcom/msm8996.dtsi
++++ b/arch/arm64/boot/dts/qcom/msm8996.dtsi
+@@ -1966,6 +1966,9 @@ usb2: usb@76f8800 {
+ #size-cells = <1>;
+ ranges;
+
++ interrupts = ;
++ interrupt-names = "hs_phy_irq";
++
+ clocks = <&gcc GCC_PERIPH_NOC_USB20_AHB_CLK>,
+ <&gcc GCC_USB20_MASTER_CLK>,
+ <&gcc GCC_USB20_MOCK_UTMI_CLK>,
+-- 
+2.40.1
+
diff --git a/queue-5.10/arm64-dts-qcom-sdm845-add-missing-rpmh-power-domain-.patch b/queue-5.10/arm64-dts-qcom-sdm845-add-missing-rpmh-power-domain-.patch
new file mode 100644
index 00000000000..462f5f19c06
--- /dev/null
+++ b/queue-5.10/arm64-dts-qcom-sdm845-add-missing-rpmh-power-domain-.patch
@@ -0,0 +1,39 @@
+From 0c63a4165462c27113d71e25bfd4b86b7ce2e155 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 20 Jul 2023 11:10:48 +0530
+Subject: arm64: dts: qcom: sdm845: Add missing RPMh power domain to GCC
+
+From: Manivannan Sadhasivam
+
+[ Upstream commit 4b6ea15c0a1122422b44bf6c47a3c22fc8d46777 ]
+
+GCC and it's GDSCs are under the RPMh CX power domain. So let's add the
+missing RPMh power domain to the GCC node.
+
+Fixes: 6d4cf750d03a ("arm64: dts: sdm845: Add minimal dts/dtsi files for sdm845 SoC and MTP")
+Reviewed-by: Konrad Dybcio
+Co-developed-by: Krzysztof Kozlowski
+Signed-off-by: Krzysztof Kozlowski
+Signed-off-by: Manivannan Sadhasivam
+Link: https://lore.kernel.org/r/20230720054100.9940-4-manivannan.sadhasivam@linaro.org
+Signed-off-by: Bjorn Andersson
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/boot/dts/qcom/sdm845.dtsi | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm64/boot/dts/qcom/sdm845.dtsi b/arch/arm64/boot/dts/qcom/sdm845.dtsi
+index 71e5b9fdc9e16..418356c3f89fb 100644
+--- a/arch/arm64/boot/dts/qcom/sdm845.dtsi
++++ b/arch/arm64/boot/dts/qcom/sdm845.dtsi
+@@ -1064,6 +1064,7 @@ gcc: clock-controller@100000 {
+ #clock-cells = <1>;
+ #reset-cells = <1>;
+ #power-domain-cells = <1>;
++ power-domains = <&rpmhpd SDM845_CX>;
+ };
+
+ qfprom@784000 {
+-- 
+2.40.1
+
diff --git a/queue-5.10/arm64-dts-qcom-sdm845-fix-the-min-frequency-of-ice_c.patch b/queue-5.10/arm64-dts-qcom-sdm845-fix-the-min-frequency-of-ice_c.patch
new file mode 100644
index 00000000000..9b77693bd9c
--- /dev/null
+++ b/queue-5.10/arm64-dts-qcom-sdm845-fix-the-min-frequency-of-ice_c.patch
@@ -0,0 +1,39 @@
+From f55a30a95a3b82a5a5b97226c05b07e56a091295 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 20 Jul 2023 11:10:49 +0530
+Subject: arm64: dts: qcom: sdm845: Fix the min frequency of "ice_core_clk"
+
+From: Manivannan Sadhasivam
+
+[ Upstream commit bbbef6e24bc4493602df68b052f6f48d48e3184a ]
+
+Minimum frequency of the "ice_core_clk" should be 75MHz as specified in the
+downstream vendor devicetree. So fix it!
+
+https://git.codelinaro.org/clo/la/kernel/msm-4.9/-/blob/LA.UM.7.3.r1-09300-sdm845.0/arch/arm64/boot/dts/qcom/sdm845.dtsi
+
+Fixes: 433f9a57298f ("arm64: dts: sdm845: add Inline Crypto Engine registers and clock")
+Signed-off-by: Manivannan Sadhasivam
+Link: https://lore.kernel.org/r/20230720054100.9940-5-manivannan.sadhasivam@linaro.org
+Signed-off-by: Bjorn Andersson
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/boot/dts/qcom/sdm845.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/sdm845.dtsi b/arch/arm64/boot/dts/qcom/sdm845.dtsi
+index 418356c3f89fb..5c696ebf5c20c 100644
+--- a/arch/arm64/boot/dts/qcom/sdm845.dtsi
++++ b/arch/arm64/boot/dts/qcom/sdm845.dtsi
+@@ -2109,7 +2109,7 @@ ufs_mem_hc: ufshc@1d84000 {
+ <0 0>,
+ <0 0>,
+ <0 0>,
+- <0 300000000>;
++ <75000000 300000000>;
+
+ status = "disabled";
+ };
+-- 
+2.40.1
+
diff --git a/queue-5.10/asoc-stac9766-fix-build-errors-with-regmap_ac97.patch b/queue-5.10/asoc-stac9766-fix-build-errors-with-regmap_ac97.patch
new file mode 100644
index 00000000000..3d9e94c59aa
--- /dev/null
+++ b/queue-5.10/asoc-stac9766-fix-build-errors-with-regmap_ac97.patch
@@ -0,0 +1,42 @@
+From a586f191d05d42d48bacff958573ca42953fb279 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 30 Jun 2023 21:48:36 -0700
+Subject: ASoC: stac9766: fix build errors with REGMAP_AC97
+
+From: Randy Dunlap
+
+[ Upstream commit c70064b96f509daa78f57992aeabcf274fb2fed4 ]
+
+Select REGMAP_AC97 to fix these build errors:
+
+ERROR: modpost: "regmap_ac97_default_volatile" [sound/soc/codecs/snd-soc-stac9766.ko] undefined!
+ERROR: modpost: "__regmap_init_ac97" [sound/soc/codecs/snd-soc-stac9766.ko] undefined!
+
+Fixes: 6bbf787bb70c ("ASoC: stac9766: Convert to regmap")
+Signed-off-by: Randy Dunlap
+Cc: Lars-Peter Clausen
+Cc: Mark Brown
+Cc: Liam Girdwood
+Cc: alsa-devel@alsa-project.org
+Link: https://lore.kernel.org/r/20230701044836.18789-1-rdunlap@infradead.org
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/codecs/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/soc/codecs/Kconfig b/sound/soc/codecs/Kconfig
+index f1c9e563994b2..04a7070c78e28 100644
+--- a/sound/soc/codecs/Kconfig
++++ b/sound/soc/codecs/Kconfig
+@@ -1295,6 +1295,7 @@ config SND_SOC_STA529
+ config SND_SOC_STAC9766
+ tristate
+ depends on SND_SOC_AC97_BUS
++ select REGMAP_AC97
+
+ config SND_SOC_STI_SAS
+ tristate "codec Audio support for STI SAS codec"
+-- 
+2.40.1
+
diff --git a/queue-5.10/audit-fix-possible-soft-lockup-in-__audit_inode_chil.patch b/queue-5.10/audit-fix-possible-soft-lockup-in-__audit_inode_chil.patch
new file mode 100644
index 00000000000..b491ddc7de6
--- /dev/null
+++ b/queue-5.10/audit-fix-possible-soft-lockup-in-__audit_inode_chil.patch
@@ -0,0 +1,80 @@ +From 13cef274f9db8700598ffe6719ce7e6f23a1f0d9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Aug 2023 20:14:35 +0800 +Subject: audit: fix possible soft lockup in __audit_inode_child() + +From: Gaosheng Cui + +[ Upstream commit b59bc6e37237e37eadf50cd5de369e913f524463 ] + +Tracefs or debugfs maybe cause hundreds to thousands of PATH records, +too many PATH records maybe cause soft lockup. + +For example: + 1. CONFIG_KASAN=y && CONFIG_PREEMPTION=n + 2. auditctl -a exit,always -S open -k key + 3. sysctl -w kernel.watchdog_thresh=5 + 4. mkdir /sys/kernel/debug/tracing/instances/test + +There may be a soft lockup as follows: + watchdog: BUG: soft lockup - CPU#45 stuck for 7s! [mkdir:15498] + Kernel panic - not syncing: softlockup: hung tasks + Call trace: + dump_backtrace+0x0/0x30c + show_stack+0x20/0x30 + dump_stack+0x11c/0x174 + panic+0x27c/0x494 + watchdog_timer_fn+0x2bc/0x390 + __run_hrtimer+0x148/0x4fc + __hrtimer_run_queues+0x154/0x210 + hrtimer_interrupt+0x2c4/0x760 + arch_timer_handler_phys+0x48/0x60 + handle_percpu_devid_irq+0xe0/0x340 + __handle_domain_irq+0xbc/0x130 + gic_handle_irq+0x78/0x460 + el1_irq+0xb8/0x140 + __audit_inode_child+0x240/0x7bc + tracefs_create_file+0x1b8/0x2a0 + trace_create_file+0x18/0x50 + event_create_dir+0x204/0x30c + __trace_add_new_event+0xac/0x100 + event_trace_add_tracer+0xa0/0x130 + trace_array_create_dir+0x60/0x140 + trace_array_create+0x1e0/0x370 + instance_mkdir+0x90/0xd0 + tracefs_syscall_mkdir+0x68/0xa0 + vfs_mkdir+0x21c/0x34c + do_mkdirat+0x1b4/0x1d4 + __arm64_sys_mkdirat+0x4c/0x60 + el0_svc_common.constprop.0+0xa8/0x240 + do_el0_svc+0x8c/0xc0 + el0_svc+0x20/0x30 + el0_sync_handler+0xb0/0xb4 + el0_sync+0x160/0x180 + +Therefore, we add cond_resched() to __audit_inode_child() to fix it. 
+ +Fixes: 5195d8e217a7 ("audit: dynamically allocate audit_names when not enough space is in the names array") +Signed-off-by: Gaosheng Cui +Signed-off-by: Paul Moore +Signed-off-by: Sasha Levin +--- + kernel/auditsc.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/kernel/auditsc.c b/kernel/auditsc.c +index 07e2788bbbf12..57b982b44732e 100644 +--- a/kernel/auditsc.c ++++ b/kernel/auditsc.c +@@ -2203,6 +2203,8 @@ void __audit_inode_child(struct inode *parent, + } + } + ++ cond_resched(); ++ + /* is there a matching child entry? */ + list_for_each_entry(n, &context->names_list, list) { + /* can only match entries that have a name */ +-- +2.40.1 + diff --git a/queue-5.10/bluetooth-btusb-do-not-call-kfree_skb-under-spin_loc.patch b/queue-5.10/bluetooth-btusb-do-not-call-kfree_skb-under-spin_loc.patch new file mode 100644 index 00000000000..0618ae8cddb --- /dev/null +++ b/queue-5.10/bluetooth-btusb-do-not-call-kfree_skb-under-spin_loc.patch 
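Review bot: The added `cond_resched()` in `__audit_inode_child()` sits once before the child-entry walk, not inside either `list_for_each_entry` loop, so a single walk over `context->names_list` still runs without a scheduling point. With the thousands of PATH records the commit message describes, it is worth confirming that one yield per call is enough to keep the watchdog quiet on a non-preemptible kernel. A comment above the call, for example `/* names_list can hold thousands of entries (tracefs/debugfs); yield before walking it again */`, would also record why the call is there. The function body starts and ends outside the hunk.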
@@ -0,0 +1,38 @@
+From 3c3b039ffe61841052140d0005a8c6942e7b3a39 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 23 Aug 2023 11:46:37 +0800
+Subject: Bluetooth: btusb: Do not call kfree_skb() under spin_lock_irqsave()
+
+From: Jinjie Ruan
+
+[ Upstream commit 2a05334d7f91ff189692089c05fc48cc1d8204de ]
+
+It is not allowed to call kfree_skb() from hardware interrupt
+context or with hardware interrupts being disabled.
+So replace kfree_skb() with dev_kfree_skb_irq() under
+spin_lock_irqsave(). Compile tested only.
+
+Fixes: baac6276c0a9 ("Bluetooth: btusb: handle mSBC audio over USB Endpoints")
+Signed-off-by: Jinjie Ruan
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Sasha Levin
+---
+ drivers/bluetooth/btusb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
+index 49d5375b04f40..f99d190770204 100644
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -1689,7 +1689,7 @@ static int btusb_switch_alt_setting(struct hci_dev *hdev, int new_alts)
+ * alternate setting.
+ */
+ spin_lock_irqsave(&data->rxlock, flags);
+- kfree_skb(data->sco_skb);
++ dev_kfree_skb_irq(data->sco_skb);
+ data->sco_skb = NULL;
+ spin_unlock_irqrestore(&data->rxlock, flags);
+
+-- 
+2.40.1
+
diff --git a/queue-5.10/bluetooth-fix-potential-use-after-free-when-clear-ke.patch b/queue-5.10/bluetooth-fix-potential-use-after-free-when-clear-ke.patch
new file mode 100644
index 00000000000..05228bc889c
--- /dev/null
+++ b/queue-5.10/bluetooth-fix-potential-use-after-free-when-clear-ke.patch
@@ -0,0 +1,76 @@ +From 6a47d0c2c399396e1eea589eb0b335621f5d1255 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Aug 2023 19:07:41 +0800 +Subject: Bluetooth: Fix potential use-after-free when clear keys + +From: Min Li + +[ Upstream commit 3673952cf0c6cf81b06c66a0b788abeeb02ff3ae ] + +Similar to commit c5d2b6fa26b5 ("Bluetooth: Fix use-after-free in +hci_remove_ltk/hci_remove_irk"). We can not access k after kfree_rcu() +call. + +Fixes: d7d41682efc2 ("Bluetooth: Fix Suspicious RCU usage warnings") +Signed-off-by: Min Li +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_core.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c +index bd6f20ef13f35..46e1e51ff28e3 100644 +--- a/net/bluetooth/hci_core.c ++++ b/net/bluetooth/hci_core.c +@@ -2343,9 +2343,9 @@ void hci_uuids_clear(struct hci_dev *hdev) + + void hci_link_keys_clear(struct hci_dev *hdev) + { +- struct link_key *key; ++ struct link_key *key, *tmp; + +- list_for_each_entry(key, &hdev->link_keys, list) { ++ list_for_each_entry_safe(key, tmp, &hdev->link_keys, list) { + list_del_rcu(&key->list); + kfree_rcu(key, rcu); + } +@@ -2353,9 +2353,9 @@ void hci_link_keys_clear(struct hci_dev *hdev) + + void hci_smp_ltks_clear(struct hci_dev *hdev) + { +- struct smp_ltk *k; ++ struct smp_ltk *k, *tmp; + +- list_for_each_entry(k, &hdev->long_term_keys, list) { ++ list_for_each_entry_safe(k, tmp, &hdev->long_term_keys, list) { + list_del_rcu(&k->list); + kfree_rcu(k, rcu); + } +@@ -2363,9 +2363,9 @@ void hci_smp_ltks_clear(struct hci_dev *hdev) + + void hci_smp_irks_clear(struct hci_dev *hdev) + { +- struct smp_irk *k; ++ struct smp_irk *k, *tmp; + +- list_for_each_entry(k, &hdev->identity_resolving_keys, list) { ++ list_for_each_entry_safe(k, tmp, &hdev->identity_resolving_keys, list) { + list_del_rcu(&k->list); + kfree_rcu(k, rcu); + } +@@ -2373,9 +2373,9 @@ void 
hci_smp_irks_clear(struct hci_dev *hdev) + + void hci_blocked_keys_clear(struct hci_dev *hdev) + { +- struct blocked_key *b; ++ struct blocked_key *b, *tmp; + +- list_for_each_entry(b, &hdev->blocked_keys, list) { ++ list_for_each_entry_safe(b, tmp, &hdev->blocked_keys, list) { + list_del_rcu(&b->list); + kfree_rcu(b, rcu); + } +-- +2.40.1 + diff --git a/queue-5.10/bluetooth-nokia-fix-value-check-in-nokia_bluetooth_s.patch b/queue-5.10/bluetooth-nokia-fix-value-check-in-nokia_bluetooth_s.patch new file mode 100644 index 00000000000..6639511b43d --- /dev/null +++ b/queue-5.10/bluetooth-nokia-fix-value-check-in-nokia_bluetooth_s.patch @@ -0,0 +1,41 @@ +From f0edbd7c053c73074b261b8e4692933b53be9522 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Jul 2023 21:30:00 +0800 +Subject: Bluetooth: nokia: fix value check in nokia_bluetooth_serdev_probe() + +From: Yuanjun Gong + +[ Upstream commit e8b5aed31355072faac8092ead4938ddec3111fd ] + +in nokia_bluetooth_serdev_probe(), check the return value of +clk_prepare_enable() and return the error code if +clk_prepare_enable() returns an unexpected value. + +Fixes: 7bb318680e86 ("Bluetooth: add nokia driver") +Signed-off-by: Yuanjun Gong +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/hci_nokia.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/bluetooth/hci_nokia.c b/drivers/bluetooth/hci_nokia.c +index 05f7f6de6863d..97da0b2bfd17e 100644 +--- a/drivers/bluetooth/hci_nokia.c ++++ b/drivers/bluetooth/hci_nokia.c +@@ -734,7 +734,11 @@ static int nokia_bluetooth_serdev_probe(struct serdev_device *serdev) + return err; + } + +- clk_prepare_enable(sysclk); ++ err = clk_prepare_enable(sysclk); ++ if (err) { ++ dev_err(dev, "could not enable sysclk: %d", err); ++ return err; ++ } + btdev->sysclk_speed = clk_get_rate(sysclk); + clk_disable_unprepare(sysclk); + +-- +2.40.1 + 
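Review bot: Nothing in the new code of `hci_link_keys_clear()`, `hci_smp_ltks_clear()`, `hci_smp_irks_clear()` or `hci_blocked_keys_clear()` says why the `_safe` iterator is required, so a later cleanup could switch them back to `list_for_each_entry` and reintroduce the use-after-free the commit message describes. A one-line comment above the first loop, for example `/* entry is handed to kfree_rcu(); the iterator must not read it again */`, repeated or referenced in the other three helpers, would record the constraint. The four loops are otherwise identical apart from the list head and entry type.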
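Review bot: The `dev_err()` format string added after `clk_prepare_enable()` in `nokia_bluetooth_serdev_probe()` has no trailing newline, which kernel log messages conventionally carry. The line would read `dev_err(dev, "could not enable sysclk: %d\n", err);`. The probe function starts and ends outside the hunk, so whether its other messages follow the same convention cannot be checked from here.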
diff --git a/queue-5.10/bpf-clear-the-probe_addr-for-uprobe.patch b/queue-5.10/bpf-clear-the-probe_addr-for-uprobe.patch new file mode 100644 index 00000000000..34ea5ef7bbf --- /dev/null +++ b/queue-5.10/bpf-clear-the-probe_addr-for-uprobe.patch 
@@ -0,0 +1,77 @@ +From be65f63c86166f6e8698679ad15dd617d9a1f299 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 9 Jul 2023 02:56:25 +0000 +Subject: bpf: Clear the probe_addr for uprobe + +From: Yafang Shao + +[ Upstream commit 5125e757e62f6c1d5478db4c2b61a744060ddf3f ] + +To avoid returning uninitialized or random values when querying the file +descriptor (fd) and accessing probe_addr, it is necessary to clear the +variable prior to its use. + +Fixes: 41bdc4b40ed6 ("bpf: introduce bpf subcommand BPF_TASK_FD_QUERY") +Signed-off-by: Yafang Shao +Acked-by: Yonghong Song +Acked-by: Jiri Olsa +Link: https://lore.kernel.org/r/20230709025630.3735-6-laoar.shao@gmail.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + include/linux/trace_events.h | 3 ++- + kernel/trace/bpf_trace.c | 2 +- + kernel/trace/trace_uprobe.c | 3 ++- + 3 files changed, 5 insertions(+), 3 deletions(-) + +diff --git a/include/linux/trace_events.h b/include/linux/trace_events.h +index e418065c2c909..6fb20722f49b7 100644 +--- a/include/linux/trace_events.h ++++ b/include/linux/trace_events.h +@@ -745,7 +745,8 @@ extern int perf_uprobe_init(struct perf_event *event, + extern void perf_uprobe_destroy(struct perf_event *event); + extern int bpf_get_uprobe_info(const struct perf_event *event, + u32 *fd_type, const char **filename, +- u64 *probe_offset, bool perf_type_tracepoint); ++ u64 *probe_offset, u64 *probe_addr, ++ bool perf_type_tracepoint); + #endif + extern int ftrace_profile_set_filter(struct perf_event *event, int event_id, + char *filter_str); +diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c +index 1de9a6bf84711..71e0c1bc9759e 100644 +--- a/kernel/trace/bpf_trace.c ++++ b/kernel/trace/bpf_trace.c +@@ -2174,7 +2174,7 @@ int bpf_get_perf_event_info(const struct perf_event *event, u32 *prog_id, + #ifdef CONFIG_UPROBE_EVENTS + if (flags & TRACE_EVENT_FL_UPROBE) + err = bpf_get_uprobe_info(event, fd_type, buf, +- probe_offset, ++ probe_offset, 
probe_addr, + event->attr.type == PERF_TYPE_TRACEPOINT); + #endif + } +diff --git a/kernel/trace/trace_uprobe.c b/kernel/trace/trace_uprobe.c +index f6c47361c154e..60ff36f5d7f9e 100644 +--- a/kernel/trace/trace_uprobe.c ++++ b/kernel/trace/trace_uprobe.c +@@ -1422,7 +1422,7 @@ static void uretprobe_perf_func(struct trace_uprobe *tu, unsigned long func, + + int bpf_get_uprobe_info(const struct perf_event *event, u32 *fd_type, + const char **filename, u64 *probe_offset, +- bool perf_type_tracepoint) ++ u64 *probe_addr, bool perf_type_tracepoint) + { + const char *pevent = trace_event_name(event->tp_event); + const char *group = event->tp_event->class->system; +@@ -1439,6 +1439,7 @@ int bpf_get_uprobe_info(const struct perf_event *event, u32 *fd_type, + : BPF_FD_TYPE_UPROBE; + *filename = tu->filename; + *probe_offset = tu->offset; ++ *probe_addr = 0; + return 0; + } + #endif /* CONFIG_PERF_EVENTS */ +-- +2.40.1 + diff --git a/queue-5.10/bpf-reject-unhashed-sockets-in-bpf_sk_assign.patch b/queue-5.10/bpf-reject-unhashed-sockets-in-bpf_sk_assign.patch new file mode 100644 index 00000000000..cc57357a3d4 --- /dev/null +++ b/queue-5.10/bpf-reject-unhashed-sockets-in-bpf_sk_assign.patch 
@@ -0,0 +1,96 @@ +From 5116b7e9e700cf1a1fb97bd10556c88685a82912 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Jul 2023 17:30:06 +0200 +Subject: bpf: reject unhashed sockets in bpf_sk_assign + +From: Lorenz Bauer + +[ Upstream commit 67312adc96b5a585970d03b62412847afe2c6b01 ] + +The semantics for bpf_sk_assign are as follows: + + sk = some_lookup_func() + bpf_sk_assign(skb, sk) + bpf_sk_release(sk) + +That is, the sk is not consumed by bpf_sk_assign. The function +therefore needs to make sure that sk lives long enough to be +consumed from __inet_lookup_skb. The path through the stack for a +TCPv4 packet is roughly: + + netif_receive_skb_core: takes RCU read lock + __netif_receive_skb_core: + sch_handle_ingress: + tcf_classify: + bpf_sk_assign() + deliver_ptype_list_skb: + deliver_skb: + ip_packet_type->func == ip_rcv: + ip_rcv_core: + ip_rcv_finish_core: + dst_input: + ip_local_deliver: + ip_local_deliver_finish: + ip_protocol_deliver_rcu: + tcp_v4_rcv: + __inet_lookup_skb: + skb_steal_sock + +The existing helper takes advantage of the fact that everything +happens in the same RCU critical section: for sockets with +SOCK_RCU_FREE set bpf_sk_assign never takes a reference. +skb_steal_sock then checks SOCK_RCU_FREE again and does sock_put +if necessary. + +This approach assumes that SOCK_RCU_FREE is never set on a sk +between bpf_sk_assign and skb_steal_sock, but this invariant is +violated by unhashed UDP sockets. A new UDP socket is created +in TCP_CLOSE state but without SOCK_RCU_FREE set. That flag is only +added in udp_lib_get_port() which happens when a socket is bound. + +When bpf_sk_assign was added it wasn't possible to access unhashed +UDP sockets from BPF, so this wasn't a problem. This changed +in commit 0c48eefae712 ("sock_map: Lift socket state restriction +for datagram sockets"), but the helper wasn't adjusted accordingly. +The following sequence of events will therefore lead to a refcount +leak: + +1. 
Add socket(AF_INET, SOCK_DGRAM) to a sockmap. +2. Pull socket out of sockmap and bpf_sk_assign it. Since + SOCK_RCU_FREE is not set we increment the refcount. +3. bind() or connect() the socket, setting SOCK_RCU_FREE. +4. skb_steal_sock will now set refcounted = false due to + SOCK_RCU_FREE. +5. tcp_v4_rcv() skips sock_put(). + +Fix the problem by rejecting unhashed sockets in bpf_sk_assign(). +This matches the behaviour of __inet_lookup_skb which is ultimately +the goal of bpf_sk_assign(). + +Fixes: cf7fbe660f2d ("bpf: Add socket assign support") +Cc: Joe Stringer +Signed-off-by: Lorenz Bauer +Reviewed-by: Kuniyuki Iwashima +Link: https://lore.kernel.org/r/20230720-so-reuseport-v6-2-7021b683cdae@isovalent.com +Signed-off-by: Martin KaFai Lau +Signed-off-by: Sasha Levin +--- + net/core/filter.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/core/filter.c b/net/core/filter.c +index b9c954182b375..ea8ab9c704832 100644 +--- a/net/core/filter.c ++++ b/net/core/filter.c +@@ -6661,6 +6661,8 @@ BPF_CALL_3(bpf_sk_assign, struct sk_buff *, skb, struct sock *, sk, u64, flags) + return -ENETUNREACH; + if (unlikely(sk_fullsock(sk) && sk->sk_reuseport)) + return -ESOCKTNOSUPPORT; ++ if (sk_unhashed(sk)) ++ return -EOPNOTSUPP; + if (sk_is_refcounted(sk) && + unlikely(!refcount_inc_not_zero(&sk->sk_refcnt))) + return -ENOENT; +-- +2.40.1 + diff --git a/queue-5.10/bpftool-use-a-local-bpf_perf_event_value-to-fix-acce.patch b/queue-5.10/bpftool-use-a-local-bpf_perf_event_value-to-fix-acce.patch new file mode 100644 index 00000000000..b4b2bff321e --- /dev/null +++ b/queue-5.10/bpftool-use-a-local-bpf_perf_event_value-to-fix-acce.patch 
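Review bot: The new `sk_unhashed(sk)` rejection in `bpf_sk_assign` has no comment, and its reason is only in the commit message: a socket that gains SOCK_RCU_FREE after the helper took a reference never has that reference dropped. A short comment above the check, for example `/* unhashed sockets may get SOCK_RCU_FREE set later, leaving the reference taken below unbalanced */`, would keep it from being removed as redundant next to the `sk_is_refcounted()` test that follows. The added `-EOPNOTSUPP` return is also worth listing wherever the helper's return values are documented; that text is not part of this patch. The helper's body starts and ends outside the hunk.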
@@ -0,0 +1,137 @@ +From 141ee9347867588d27de4f631de741f7eb1cc307 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Jul 2023 10:54:25 +0100 +Subject: bpftool: Use a local bpf_perf_event_value to fix accessing its fields + +From: Alexander Lobakin + +[ Upstream commit 658ac06801315b739774a15796ff06913ef5cad5 ] + +Fix the following error when building bpftool: + + CLANG profiler.bpf.o + CLANG pid_iter.bpf.o +skeleton/profiler.bpf.c:18:21: error: invalid application of 'sizeof' to an incomplete type 'struct bpf_perf_event_value' + __uint(value_size, sizeof(struct bpf_perf_event_value)); + ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +tools/bpf/bpftool/bootstrap/libbpf/include/bpf/bpf_helpers.h:13:39: note: expanded from macro '__uint' +tools/bpf/bpftool/bootstrap/libbpf/include/bpf/bpf_helper_defs.h:7:8: note: forward declaration of 'struct bpf_perf_event_value' +struct bpf_perf_event_value; + ^ + +struct bpf_perf_event_value is being used in the kernel only when +CONFIG_BPF_EVENTS is enabled, so it misses a BTF entry then. +Define struct bpf_perf_event_value___local with the +`preserve_access_index` attribute inside the pid_iter BPF prog to +allow compiling on any configs. It is a full mirror of a UAPI +structure, so is compatible both with and w/o CO-RE. +bpf_perf_event_read_value() requires a pointer of the original type, +so a cast is needed. 
+ +Fixes: 47c09d6a9f67 ("bpftool: Introduce "prog profile" command") +Suggested-by: Andrii Nakryiko +Signed-off-by: Alexander Lobakin +Signed-off-by: Quentin Monnet +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20230707095425.168126-5-quentin@isovalent.com +Signed-off-by: Sasha Levin +--- + tools/bpf/bpftool/skeleton/profiler.bpf.c | 27 ++++++++++++++--------- + 1 file changed, 17 insertions(+), 10 deletions(-) + +diff --git a/tools/bpf/bpftool/skeleton/profiler.bpf.c b/tools/bpf/bpftool/skeleton/profiler.bpf.c +index ce5b65e07ab10..2f80edc682f11 100644 +--- a/tools/bpf/bpftool/skeleton/profiler.bpf.c ++++ b/tools/bpf/bpftool/skeleton/profiler.bpf.c +@@ -4,6 +4,12 @@ + #include + #include + ++struct bpf_perf_event_value___local { ++ __u64 counter; ++ __u64 enabled; ++ __u64 running; ++} __attribute__((preserve_access_index)); ++ + /* map of perf event fds, num_cpu * num_metric entries */ + struct { + __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY); +@@ -15,14 +21,14 @@ struct { + struct { + __uint(type, BPF_MAP_TYPE_PERCPU_ARRAY); + __uint(key_size, sizeof(u32)); +- __uint(value_size, sizeof(struct bpf_perf_event_value)); ++ __uint(value_size, sizeof(struct bpf_perf_event_value___local)); + } fentry_readings SEC(".maps"); + + /* accumulated readings */ + struct { + __uint(type, BPF_MAP_TYPE_PERCPU_ARRAY); + __uint(key_size, sizeof(u32)); +- __uint(value_size, sizeof(struct bpf_perf_event_value)); ++ __uint(value_size, sizeof(struct bpf_perf_event_value___local)); + } accum_readings SEC(".maps"); + + /* sample counts, one per cpu */ +@@ -39,7 +45,7 @@ const volatile __u32 num_metric = 1; + SEC("fentry/XXX") + int BPF_PROG(fentry_XXX) + { +- struct bpf_perf_event_value *ptrs[MAX_NUM_MATRICS]; ++ struct bpf_perf_event_value___local *ptrs[MAX_NUM_MATRICS]; + u32 key = bpf_get_smp_processor_id(); + u32 i; + +@@ -53,10 +59,10 @@ int BPF_PROG(fentry_XXX) + } + + for (i = 0; i < num_metric && i < MAX_NUM_MATRICS; i++) { +- struct bpf_perf_event_value 
reading; ++ struct bpf_perf_event_value___local reading; + int err; + +- err = bpf_perf_event_read_value(&events, key, &reading, ++ err = bpf_perf_event_read_value(&events, key, (void *)&reading, + sizeof(reading)); + if (err) + return 0; +@@ -68,14 +74,14 @@ int BPF_PROG(fentry_XXX) + } + + static inline void +-fexit_update_maps(u32 id, struct bpf_perf_event_value *after) ++fexit_update_maps(u32 id, struct bpf_perf_event_value___local *after) + { +- struct bpf_perf_event_value *before, diff; ++ struct bpf_perf_event_value___local *before, diff; + + before = bpf_map_lookup_elem(&fentry_readings, &id); + /* only account samples with a valid fentry_reading */ + if (before && before->counter) { +- struct bpf_perf_event_value *accum; ++ struct bpf_perf_event_value___local *accum; + + diff.counter = after->counter - before->counter; + diff.enabled = after->enabled - before->enabled; +@@ -93,7 +99,7 @@ fexit_update_maps(u32 id, struct bpf_perf_event_value *after) + SEC("fexit/XXX") + int BPF_PROG(fexit_XXX) + { +- struct bpf_perf_event_value readings[MAX_NUM_MATRICS]; ++ struct bpf_perf_event_value___local readings[MAX_NUM_MATRICS]; + u32 cpu = bpf_get_smp_processor_id(); + u32 i, zero = 0; + int err; +@@ -102,7 +108,8 @@ int BPF_PROG(fexit_XXX) + /* read all events before updating the maps, to reduce error */ + for (i = 0; i < num_metric && i < MAX_NUM_MATRICS; i++) { + err = bpf_perf_event_read_value(&events, cpu + i * num_cpu, +- readings + i, sizeof(*readings)); ++ (void *)(readings + i), ++ sizeof(*readings)); + if (err) + return 0; + } +-- +2.40.1 + diff --git a/queue-5.10/bus-ti-sysc-fix-build-warning-for-64-bit-build.patch b/queue-5.10/bus-ti-sysc-fix-build-warning-for-64-bit-build.patch new file mode 100644 index 00000000000..ae6e5337e5f --- /dev/null +++ b/queue-5.10/bus-ti-sysc-fix-build-warning-for-64-bit-build.patch 
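Review bot: `struct bpf_perf_event_value___local` is added to profiler.bpf.c without a comment, and the two `(void *)` casts passed to `bpf_perf_event_read_value()` hide the type mismatch without saying why the layouts agree. A comment on the struct, for example `/* local mirror of UAPI struct bpf_perf_event_value, which has no BTF entry when CONFIG_BPF_EVENTS is off; keep the fields in sync */`, would record the dependency stated in the commit message. Because the cast removes compiler checking, any future change to the UAPI structure has to be mirrored here by hand, which the comment should say.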
@@ -0,0 +1,40 @@
+From 1a97de8897e01764282fab2b2627148c6d1cedb8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 4 Aug 2023 13:38:01 +0300
+Subject: bus: ti-sysc: Fix build warning for 64-bit build
+
+From: Tony Lindgren
+
+[ Upstream commit e1e1e9bb9d943ec690670a609a5f660ca10eaf85 ]
+
+Fix "warning: cast from pointer to integer of different size" on 64-bit
+builds.
+
+Note that this is a cosmetic fix at this point as the driver is not yet
+used for 64-bit systems.
+
+Fixes: feaa8baee82a ("bus: ti-sysc: Implement SoC revision handling")
+Reviewed-by: Dhruva Gole
+Reviewed-by: Nishanth Menon
+Signed-off-by: Tony Lindgren
+Signed-off-by: Sasha Levin
+---
+ drivers/bus/ti-sysc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/bus/ti-sysc.c b/drivers/bus/ti-sysc.c
+index fcfe4d16cc149..fa7894cab2152 100644
+--- a/drivers/bus/ti-sysc.c
++++ b/drivers/bus/ti-sysc.c
+@@ -3041,7 +3041,7 @@ static int sysc_init_static_data(struct sysc *ddata)
+
+ match = soc_device_match(sysc_soc_match);
+ if (match && match->data)
+- sysc_soc->soc = (int)match->data;
++ sysc_soc->soc = (enum sysc_soc)match->data;
+
+ /* Ignore devices that are not available on HS and EMU SoCs */
+ if (!sysc_soc->general_purpose) {
+--
+2.40.1
+
diff --git a/queue-5.10/bus-ti-sysc-fix-cast-to-enum-warning.patch b/queue-5.10/bus-ti-sysc-fix-cast-to-enum-warning.patch
new file mode 100644
index 00000000000..d2f0171610c
--- /dev/null
+++ b/queue-5.10/bus-ti-sysc-fix-cast-to-enum-warning.patch
@@ -0,0 +1,38 @@
+From 893c41fde61d86f1f655d055f71d1e889719badf Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 15 Aug 2023 08:49:05 +0300
+Subject: bus: ti-sysc: Fix cast to enum warning
+
+From: Tony Lindgren
+
+[ Upstream commit de44bf2f7683347f75690ef6cf61a1d5ba8f0891 ]
+
+Fix warning for "cast to smaller integer type 'enum sysc_soc' from 'const
+void *'".
+
+Cc: Nishanth Menon
+Reported-by: kernel test robot
+Closes: https://lore.kernel.org/oe-kbuild-all/202308150723.ziuGCdM3-lkp@intel.com/
+Fixes: e1e1e9bb9d94 ("bus: ti-sysc: Fix build warning for 64-bit build")
+Signed-off-by: Tony Lindgren
+Signed-off-by: Sasha Levin
+---
+ drivers/bus/ti-sysc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/bus/ti-sysc.c b/drivers/bus/ti-sysc.c
+index fa7894cab2152..c8e0f8cb9aa32 100644
+--- a/drivers/bus/ti-sysc.c
++++ b/drivers/bus/ti-sysc.c
+@@ -3041,7 +3041,7 @@ static int sysc_init_static_data(struct sysc *ddata)
+
+ match = soc_device_match(sysc_soc_match);
+ if (match && match->data)
+- sysc_soc->soc = (enum sysc_soc)match->data;
++ sysc_soc->soc = (enum sysc_soc)(uintptr_t)match->data;
+
+ /* Ignore devices that are not available on HS and EMU SoCs */
+ if (!sysc_soc->general_purpose) {
+--
+2.40.1
+
diff --git a/queue-5.10/can-gs_usb-gs_usb_receive_bulk_callback-count-rx-ove.patch b/queue-5.10/can-gs_usb-gs_usb_receive_bulk_callback-count-rx-ove.patch
new file mode 100644
index 00000000000..8894f6da25f
--- /dev/null
+++ b/queue-5.10/can-gs_usb-gs_usb_receive_bulk_callback-count-rx-ove.patch
@@ -0,0 +1,50 @@
+From f883a8f55998fab9b03acaab6055c9dddbff09bb Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 4 Jul 2023 11:23:37 +0200
+Subject: can: gs_usb: gs_usb_receive_bulk_callback(): count RX overflow errors
+ also in case of OOM
+
+From: Marc Kleine-Budde
+
+[ Upstream commit 6c8bc15f02b85bc8f47074110d8fd8caf7a1e42d ]
+
+In case of an RX overflow error from the CAN controller and an OOM
+where no skb can be allocated, the error counters are not incremented.
+
+Fix this by first incrementing the error counters and then allocate
+the skb.
+
+Fixes: d08e973a77d1 ("can: gs_usb: Added support for the GS_USB CAN devices")
+Link: https://lore.kernel.org/all/20230718-gs_usb-cleanups-v1-7-c3b9154ec605@pengutronix.de
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Sasha Levin
+---
+ drivers/net/can/usb/gs_usb.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/can/usb/gs_usb.c b/drivers/net/can/usb/gs_usb.c
+index 1f81293f137c9..864db200f45e5 100644
+--- a/drivers/net/can/usb/gs_usb.c
++++ b/drivers/net/can/usb/gs_usb.c
+@@ -381,6 +381,9 @@ static void gs_usb_receive_bulk_callback(struct urb *urb)
+ }
+
+ if (hf->flags & GS_CAN_FLAG_OVERFLOW) {
++ stats->rx_over_errors++;
++ stats->rx_errors++;
++
+ skb = alloc_can_err_skb(netdev, &cf);
+ if (!skb)
+ goto resubmit_urb;
+@@ -388,8 +391,6 @@ static void gs_usb_receive_bulk_callback(struct urb *urb)
+ cf->can_id |= CAN_ERR_CRTL;
+ cf->can_dlc = CAN_ERR_DLC;
+ cf->data[1] = CAN_ERR_CRTL_RX_OVERFLOW;
+- stats->rx_over_errors++;
+- stats->rx_errors++;
+ netif_rx(skb);
+ }
+
+--
+2.40.1
+
diff --git a/queue-5.10/cgroup-namespace-remove-unused-cgroup_namespaces_ini.patch b/queue-5.10/cgroup-namespace-remove-unused-cgroup_namespaces_ini.patch
new file mode 100644
index 00000000000..a9f1c5e6e72
--- /dev/null
+++ b/queue-5.10/cgroup-namespace-remove-unused-cgroup_namespaces_ini.patch
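Review bot: The two counter increments moved above `alloc_can_err_skb()` in gs_usb.c have no comment tying them to the `if (!skb) goto resubmit_urb;` exit that follows, so a later cleanup could regroup them with the `cf->` assignments and lose overflow counts under memory pressure again. A one-line comment above `stats->rx_over_errors++;` would pin the ordering: `/* count before allocating: the error skb may not be available */`. When the allocation fails, these counters are the only trace of the overflow left in the interface statistics, which matters to anyone monitoring the bus for dropped traffic. gs_usb_receive_bulk_callback() starts and ends outside the hunk.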
@@ -0,0 +1,37 @@
+From d56be99729706eb5025c84a30505e5634ad6bee3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 10 Aug 2023 11:25:28 +0000
+Subject: cgroup:namespace: Remove unused cgroup_namespaces_init()
+
+From: Lu Jialin
+
+[ Upstream commit 82b90b6c5b38e457c7081d50dff11ecbafc1e61a ]
+
+cgroup_namspace_init() just return 0. Therefore, there is no need to
+call it during start_kernel. Just remove it.
+
+Fixes: a79a908fd2b0 ("cgroup: introduce cgroup namespaces")
+Signed-off-by: Lu Jialin
+Signed-off-by: Tejun Heo
+Signed-off-by: Sasha Levin
+---
+ kernel/cgroup/namespace.c | 6 ------
+ 1 file changed, 6 deletions(-)
+
+diff --git a/kernel/cgroup/namespace.c b/kernel/cgroup/namespace.c
+index 812a61afd538a..d2b4dd753234e 100644
+--- a/kernel/cgroup/namespace.c
++++ b/kernel/cgroup/namespace.c
+@@ -149,9 +149,3 @@ const struct proc_ns_operations cgroupns_operations = {
+ .install = cgroupns_install,
+ .owner = cgroupns_owner,
+ };
+-
+-static __init int cgroup_namespaces_init(void)
+-{
+- return 0;
+-}
+-subsys_initcall(cgroup_namespaces_init);
+--
+2.40.1
+
diff --git a/queue-5.10/clk-imx-composite-8m-fix-clock-pauses-when-set_rate-.patch b/queue-5.10/clk-imx-composite-8m-fix-clock-pauses-when-set_rate-.patch
new file mode 100644
index 00000000000..001dc28c756
--- /dev/null
+++ b/queue-5.10/clk-imx-composite-8m-fix-clock-pauses-when-set_rate-.patch
@@ -0,0 +1,78 @@
+From 12fce6d0d50c3da32735f3079ebf9a3763efb03f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 7 Aug 2023 10:22:00 +0200
+Subject: clk: imx: composite-8m: fix clock pauses when set_rate would be a
+ no-op
+
+From: Ahmad Fatoum
+
+[ Upstream commit 4dd432d985ef258e3bc436e568fba4b987b59171 ]
+
+Reconfiguring the clock divider to the exact same value is observed
+on an i.MX8MN to often cause a longer than usual clock pause, probably
+because the divider restarts counting whenever the register is rewritten.
+
+This issue doesn't show up normally, because the clock framework will
+take care to not call set_rate when the clock rate is the same.
+However, when we reconfigure an upstream clock, the common code will
+call set_rate with the newly calculated rate on all children, e.g.:
+
+ - sai5 is running normally and divides Audio PLL out by 16.
+ - Audio PLL rate is increased by 32Hz (glitch-free kdiv change)
+ - rates for children are recalculated and rates are set recursively
+ - imx8m_clk_composite_divider_set_rate(sai5) is called with
+ 32/16 = 2Hz more
+ - imx8m_clk_composite_divider_set_rate computes same divider as before
+ - divider register is written, so it restarts counting from zero and
+ MCLK is briefly paused, so instead of e.g. 40ns, MCLK is low for 120ns.
+
+Some external clock consumers can be upset by such unexpected clock pauses,
+so let's make sure we only rewrite the divider value when the value to be
+written is actually different.
+
+Fixes: d3ff9728134e ("clk: imx: Add imx composite clock")
+Signed-off-by: Ahmad Fatoum
+Reviewed-by: Peng Fan
+Link: https://lore.kernel.org/r/20230807082201.2332746-1-a.fatoum@pengutronix.de
+Signed-off-by: Abel Vesa
+Signed-off-by: Sasha Levin
+---
+ drivers/clk/imx/clk-composite-8m.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/clk/imx/clk-composite-8m.c b/drivers/clk/imx/clk-composite-8m.c
+index 04e728538cefe..75e05582cb24f 100644
+--- a/drivers/clk/imx/clk-composite-8m.c
++++ b/drivers/clk/imx/clk-composite-8m.c
+@@ -97,7 +97,7 @@ static int imx8m_clk_composite_divider_set_rate(struct clk_hw *hw,
+ int prediv_value;
+ int div_value;
+ int ret;
+- u32 val;
++ u32 orig, val;
+
+ ret = imx8m_clk_composite_compute_dividers(rate, parent_rate,
+ &prediv_value, &div_value);
+@@ -106,13 +106,15 @@ static int imx8m_clk_composite_divider_set_rate(struct clk_hw *hw,
+
+ spin_lock_irqsave(divider->lock, flags);
+
+- val = readl(divider->reg);
+- val &= ~((clk_div_mask(divider->width) << divider->shift) |
+- (clk_div_mask(PCG_DIV_WIDTH) << PCG_DIV_SHIFT));
++ orig = readl(divider->reg);
++ val = orig & ~((clk_div_mask(divider->width) << divider->shift) |
++ (clk_div_mask(PCG_DIV_WIDTH) << PCG_DIV_SHIFT));
+
+ val |= (u32)(prediv_value - 1) << divider->shift;
+ val |= (u32)(div_value - 1) << PCG_DIV_SHIFT;
+- writel(val, divider->reg);
++
++ if (val != orig)
++ writel(val, divider->reg);
+
+ spin_unlock_irqrestore(divider->lock, flags);
+
+--
+2.40.1
+
diff --git a/queue-5.10/clk-imx8mp-fix-sai4-clock.patch b/queue-5.10/clk-imx8mp-fix-sai4-clock.patch
new file mode 100644
index 00000000000..da1a7d31400
--- /dev/null
+++ b/queue-5.10/clk-imx8mp-fix-sai4-clock.patch
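Review bot: The `if (val != orig)` guard in front of `writel(val, divider->reg)` carries no comment, and without one it reads like a micro-optimisation that a later cleanup could remove. The reason lives only in the commit message (rewriting an unchanged divider restarts its counter and stretches the clock's low phase), so I would put it next to the guard: `/* rewriting the same value restarts the divider and pauses the clock */`. Separately, `prediv_value - 1` and `div_value - 1` are OR-ed into `val` without being masked to their field widths; that presumably relies on imx8m_clk_composite_compute_dividers() bounding both values, which is not visible here. imx8m_clk_composite_divider_set_rate() starts and ends outside the hunks.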
@@ -0,0 +1,49 @@
+From 2a1827fa5d32a2890975f032c79acac222688fb1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 31 Jul 2023 16:21:49 +0200
+Subject: clk: imx8mp: fix sai4 clock
+
+From: Marco Felsch
+
+[ Upstream commit c30f600f1f41dcf5ef0fb02e9a201f9b2e8f31bd ]
+
+The reference manual don't mention a SAI4 hardware block. This would be
+clock slice 78 which is skipped (TRM, page 237). Remove any reference to
+this clock to align the driver with the reality.
+
+Fixes: 9c140d992676 ("clk: imx: Add support for i.MX8MP clock driver")
+Acked-by: Stephen Boyd
+Signed-off-by: Marco Felsch
+Link: https://lore.kernel.org/r/20230731142150.3186650-1-m.felsch@pengutronix.de
+Signed-off-by: Abel Vesa
+Signed-off-by: Sasha Levin
+---
+ drivers/clk/imx/clk-imx8mp.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/drivers/clk/imx/clk-imx8mp.c b/drivers/clk/imx/clk-imx8mp.c
+index 98a4711ef38d0..148572852e70f 100644
+--- a/drivers/clk/imx/clk-imx8mp.c
++++ b/drivers/clk/imx/clk-imx8mp.c
+@@ -181,10 +181,6 @@ static const char * const imx8mp_sai3_sels[] = {"osc_24m", "audio_pll1_out", "au
+ "video_pll1_out", "sys_pll1_133m", "osc_hdmi",
+ "clk_ext3", "clk_ext4", };
+
+-static const char * const imx8mp_sai4_sels[] = {"osc_24m", "audio_pll1_out", "audio_pll2_out",
+- "video_pll1_out", "sys_pll1_133m", "osc_hdmi",
+- "clk_ext1", "clk_ext2", };
+-
+ static const char * const imx8mp_sai5_sels[] = {"osc_24m", "audio_pll1_out", "audio_pll2_out",
+ "video_pll1_out", "sys_pll1_133m", "osc_hdmi",
+ "clk_ext2", "clk_ext3", };
+@@ -596,7 +592,6 @@ static int imx8mp_clocks_probe(struct platform_device *pdev)
+ hws[IMX8MP_CLK_SAI1] = imx8m_clk_hw_composite("sai1", imx8mp_sai1_sels, ccm_base + 0xa580);
+ hws[IMX8MP_CLK_SAI2] = imx8m_clk_hw_composite("sai2", imx8mp_sai2_sels, ccm_base + 0xa600);
+ hws[IMX8MP_CLK_SAI3] = imx8m_clk_hw_composite("sai3", imx8mp_sai3_sels, ccm_base + 0xa680);
+- hws[IMX8MP_CLK_SAI4] = imx8m_clk_hw_composite("sai4", imx8mp_sai4_sels, ccm_base + 0xa700);
+ hws[IMX8MP_CLK_SAI5] = imx8m_clk_hw_composite("sai5", imx8mp_sai5_sels, ccm_base + 0xa780);
+ hws[IMX8MP_CLK_SAI6] = imx8m_clk_hw_composite("sai6", imx8mp_sai6_sels, ccm_base + 0xa800);
+ hws[IMX8MP_CLK_ENET_QOS] = imx8m_clk_hw_composite("enet_qos", imx8mp_enet_qos_sels, ccm_base + 0xa880);
+--
+2.40.1
+
diff --git a/queue-5.10/clk-qcom-gcc-sc7180-fix-up-gcc_sdcc2_apps_clk_src.patch b/queue-5.10/clk-qcom-gcc-sc7180-fix-up-gcc_sdcc2_apps_clk_src.patch
new file mode 100644
index 00000000000..c871a6ab250
--- /dev/null
+++ b/queue-5.10/clk-qcom-gcc-sc7180-fix-up-gcc_sdcc2_apps_clk_src.patch
@@ -0,0 +1,37 @@
+From 5d3932c9d4711f20bf4ada0d9f5f4efb02e93db2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 23 Jul 2023 21:05:02 +0200
+Subject: clk: qcom: gcc-sc7180: Fix up gcc_sdcc2_apps_clk_src
+
+From: David Wronek
+
+[ Upstream commit fd0b5ba87ad5709f0fd3d2bc4b7870494a75f96a ]
+
+Set .flags = CLK_OPS_PARENT_ENABLE to fix "gcc_sdcc2_apps_clk_src: rcg
+didn't update its configuration" error.
+
+Fixes: 17269568f726 ("clk: qcom: Add Global Clock controller (GCC) driver for SC7180")
+Signed-off-by: David Wronek
+Reviewed-by: Konrad Dybcio
+Link: https://lore.kernel.org/r/20230723190725.1619193-2-davidwronek@gmail.com
+Signed-off-by: Bjorn Andersson
+Signed-off-by: Sasha Levin
+---
+ drivers/clk/qcom/gcc-sc7180.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/clk/qcom/gcc-sc7180.c b/drivers/clk/qcom/gcc-sc7180.c
+index 16f65f74cb8fd..bebe317935238 100644
+--- a/drivers/clk/qcom/gcc-sc7180.c
++++ b/drivers/clk/qcom/gcc-sc7180.c
+@@ -666,6 +666,7 @@ static struct clk_rcg2 gcc_sdcc2_apps_clk_src = {
+ .name = "gcc_sdcc2_apps_clk_src",
+ .parent_data = gcc_parent_data_5,
+ .num_parents = ARRAY_SIZE(gcc_parent_data_5),
++ .flags = CLK_OPS_PARENT_ENABLE,
+ .ops = &clk_rcg2_floor_ops,
+ },
+ };
+--
+2.40.1
+
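Review bot: `.flags = CLK_OPS_PARENT_ENABLE` is added to `gcc_sdcc2_apps_clk_src` in gcc-sc7180.c with no comment saying why this RCG needs its parent enabled while it is reconfigured. The commit message names only the symptom ("rcg didn't update its configuration"), so the flag is easy to drop later as apparently redundant. A short comment on the line would keep the reason with the code, for example `/* parent may be off at set_rate time; the RCG update needs it running */`. The same applies to the matching one-line change in gcc-sm8250.c later in this queue, where the message attributes the failure to GPLL9 not being on by default. The initializer starts outside the hunk.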
diff --git a/queue-5.10/clk-qcom-gcc-sc7180-use-array_size-instead-of-specif.patch b/queue-5.10/clk-qcom-gcc-sc7180-use-array_size-instead-of-specif.patch
new file mode 100644
index 00000000000..06a0c5ecb60
--- /dev/null
+++ b/queue-5.10/clk-qcom-gcc-sc7180-use-array_size-instead-of-specif.patch
@@ -0,0 +1,173 @@ +From 19597b5a68b5ac52dd5acb3b1256079cf260b6dd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Apr 2021 01:47:39 +0300 +Subject: clk: qcom: gcc-sc7180: use ARRAY_SIZE instead of specifying + num_parents + +From: Dmitry Baryshkov + +[ Upstream commit e957ca2a930ad42e47bf5c9ea2a7afa0960ec1d8 ] + +Use ARRAY_SIZE() instead of manually specifying num_parents. This makes +adding/removing entries to/from parent_data easy and errorproof. + +Signed-off-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20210405224743.590029-30-dmitry.baryshkov@linaro.org +Signed-off-by: Stephen Boyd +Stable-dep-of: fd0b5ba87ad5 ("clk: qcom: gcc-sc7180: Fix up gcc_sdcc2_apps_clk_src") +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/gcc-sc7180.c | 32 ++++++++++++++++---------------- + 1 file changed, 16 insertions(+), 16 deletions(-) + +diff --git a/drivers/clk/qcom/gcc-sc7180.c b/drivers/clk/qcom/gcc-sc7180.c +index 7e80dbd4a3f9f..16f65f74cb8fd 100644 +--- a/drivers/clk/qcom/gcc-sc7180.c ++++ b/drivers/clk/qcom/gcc-sc7180.c +@@ -285,7 +285,7 @@ static struct clk_rcg2 gcc_cpuss_ahb_clk_src = { + .clkr.hw.init = &(struct clk_init_data){ + .name = "gcc_cpuss_ahb_clk_src", + .parent_data = gcc_parent_data_0_ao, +- .num_parents = 4, ++ .num_parents = ARRAY_SIZE(gcc_parent_data_0_ao), + .flags = CLK_SET_RATE_PARENT, + .ops = &clk_rcg2_ops, + }, +@@ -309,7 +309,7 @@ static struct clk_rcg2 gcc_gp1_clk_src = { + .clkr.hw.init = &(struct clk_init_data){ + .name = "gcc_gp1_clk_src", + .parent_data = gcc_parent_data_4, +- .num_parents = 5, ++ .num_parents = ARRAY_SIZE(gcc_parent_data_4), + .ops = &clk_rcg2_ops, + }, + }; +@@ -323,7 +323,7 @@ static struct clk_rcg2 gcc_gp2_clk_src = { + .clkr.hw.init = &(struct clk_init_data){ + .name = "gcc_gp2_clk_src", + .parent_data = gcc_parent_data_4, +- .num_parents = 5, ++ .num_parents = ARRAY_SIZE(gcc_parent_data_4), + .ops = &clk_rcg2_ops, + }, + }; +@@ -337,7 +337,7 @@ static struct clk_rcg2 gcc_gp3_clk_src = { + 
.clkr.hw.init = &(struct clk_init_data){ + .name = "gcc_gp3_clk_src", + .parent_data = gcc_parent_data_4, +- .num_parents = 5, ++ .num_parents = ARRAY_SIZE(gcc_parent_data_4), + .ops = &clk_rcg2_ops, + }, + }; +@@ -357,7 +357,7 @@ static struct clk_rcg2 gcc_pdm2_clk_src = { + .clkr.hw.init = &(struct clk_init_data){ + .name = "gcc_pdm2_clk_src", + .parent_data = gcc_parent_data_0, +- .num_parents = 4, ++ .num_parents = ARRAY_SIZE(gcc_parent_data_0), + .ops = &clk_rcg2_ops, + }, + }; +@@ -378,7 +378,7 @@ static struct clk_rcg2 gcc_qspi_core_clk_src = { + .clkr.hw.init = &(struct clk_init_data){ + .name = "gcc_qspi_core_clk_src", + .parent_data = gcc_parent_data_2, +- .num_parents = 6, ++ .num_parents = ARRAY_SIZE(gcc_parent_data_2), + .ops = &clk_rcg2_ops, + }, + }; +@@ -619,7 +619,7 @@ static struct clk_rcg2 gcc_sdcc1_apps_clk_src = { + .clkr.hw.init = &(struct clk_init_data){ + .name = "gcc_sdcc1_apps_clk_src", + .parent_data = gcc_parent_data_1, +- .num_parents = 5, ++ .num_parents = ARRAY_SIZE(gcc_parent_data_1), + .ops = &clk_rcg2_floor_ops, + }, + }; +@@ -641,7 +641,7 @@ static struct clk_rcg2 gcc_sdcc1_ice_core_clk_src = { + .clkr.hw.init = &(struct clk_init_data){ + .name = "gcc_sdcc1_ice_core_clk_src", + .parent_data = gcc_parent_data_0, +- .num_parents = 4, ++ .num_parents = ARRAY_SIZE(gcc_parent_data_0), + .ops = &clk_rcg2_ops, + }, + }; +@@ -665,7 +665,7 @@ static struct clk_rcg2 gcc_sdcc2_apps_clk_src = { + .clkr.hw.init = &(struct clk_init_data){ + .name = "gcc_sdcc2_apps_clk_src", + .parent_data = gcc_parent_data_5, +- .num_parents = 5, ++ .num_parents = ARRAY_SIZE(gcc_parent_data_5), + .ops = &clk_rcg2_floor_ops, + }, + }; +@@ -688,7 +688,7 @@ static struct clk_rcg2 gcc_ufs_phy_axi_clk_src = { + .clkr.hw.init = &(struct clk_init_data){ + .name = "gcc_ufs_phy_axi_clk_src", + .parent_data = gcc_parent_data_0, +- .num_parents = 4, ++ .num_parents = ARRAY_SIZE(gcc_parent_data_0), + .ops = &clk_rcg2_ops, + }, + }; +@@ -710,7 +710,7 @@ static struct 
clk_rcg2 gcc_ufs_phy_ice_core_clk_src = { + .clkr.hw.init = &(struct clk_init_data){ + .name = "gcc_ufs_phy_ice_core_clk_src", + .parent_data = gcc_parent_data_0, +- .num_parents = 4, ++ .num_parents = ARRAY_SIZE(gcc_parent_data_0), + .ops = &clk_rcg2_ops, + }, + }; +@@ -730,7 +730,7 @@ static struct clk_rcg2 gcc_ufs_phy_phy_aux_clk_src = { + .clkr.hw.init = &(struct clk_init_data){ + .name = "gcc_ufs_phy_phy_aux_clk_src", + .parent_data = gcc_parent_data_3, +- .num_parents = 3, ++ .num_parents = ARRAY_SIZE(gcc_parent_data_3), + .ops = &clk_rcg2_ops, + }, + }; +@@ -751,7 +751,7 @@ static struct clk_rcg2 gcc_ufs_phy_unipro_core_clk_src = { + .clkr.hw.init = &(struct clk_init_data){ + .name = "gcc_ufs_phy_unipro_core_clk_src", + .parent_data = gcc_parent_data_0, +- .num_parents = 4, ++ .num_parents = ARRAY_SIZE(gcc_parent_data_0), + .ops = &clk_rcg2_ops, + }, + }; +@@ -773,7 +773,7 @@ static struct clk_rcg2 gcc_usb30_prim_master_clk_src = { + .clkr.hw.init = &(struct clk_init_data){ + .name = "gcc_usb30_prim_master_clk_src", + .parent_data = gcc_parent_data_0, +- .num_parents = 4, ++ .num_parents = ARRAY_SIZE(gcc_parent_data_0), + .ops = &clk_rcg2_ops, + }, + }; +@@ -793,7 +793,7 @@ static struct clk_rcg2 gcc_usb30_prim_mock_utmi_clk_src = { + .clkr.hw.init = &(struct clk_init_data){ + .name = "gcc_usb30_prim_mock_utmi_clk_src", + .parent_data = gcc_parent_data_0, +- .num_parents = 4, ++ .num_parents = ARRAY_SIZE(gcc_parent_data_0), + .ops = &clk_rcg2_ops, + }, + }; +@@ -812,7 +812,7 @@ static struct clk_rcg2 gcc_usb3_prim_phy_aux_clk_src = { + .clkr.hw.init = &(struct clk_init_data){ + .name = "gcc_usb3_prim_phy_aux_clk_src", + .parent_data = gcc_parent_data_6, +- .num_parents = 4, ++ .num_parents = ARRAY_SIZE(gcc_parent_data_6), + .ops = &clk_rcg2_ops, + }, + }; +-- +2.40.1 + 
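Review bot: None of the `gcc_parent_data_*` arrays is visible in these gcc-sc7180.c hunks, so the diff alone does not show that every `ARRAY_SIZE(...)` equals the literal it replaces (4, 5, 6 and 3 here). If an array is longer than the old literal, the clock silently gains a selectable parent, so each length is worth confirming against the removed number before this is treated as a no-op dependency. The same applies to the gcc-sm8250.c conversion later in this queue, where the replaced literals range from 1 to 5. A build-time check next to each table would keep the data and map tables in step, for example `static_assert(ARRAY_SIZE(gcc_parent_data_5) == ARRAY_SIZE(gcc_parent_map_5));`, assuming the map tables follow the same numbering (they are not shown here).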
diff --git a/queue-5.10/clk-qcom-gcc-sm8250-fix-gcc_sdcc2_apps_clk_src.patch b/queue-5.10/clk-qcom-gcc-sm8250-fix-gcc_sdcc2_apps_clk_src.patch
new file mode 100644
index 00000000000..aa40b0bebf9
--- /dev/null
+++ b/queue-5.10/clk-qcom-gcc-sm8250-fix-gcc_sdcc2_apps_clk_src.patch
@@ -0,0 +1,40 @@
+From bddff65d1120387a3509ce7c0fb564c8dc35db14 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 2 Aug 2023 14:04:00 -0700
+Subject: clk: qcom: gcc-sm8250: Fix gcc_sdcc2_apps_clk_src
+
+From: Patrick Whewell
+
+[ Upstream commit 783cb693828ce487cf0bc6ad16cbcf2caae6f8d9 ]
+
+GPLL9 is not on by default, which causes a "gcc_sdcc2_apps_clk_src: rcg
+didn't update its configuration" error when booting. Set .flags =
+CLK_OPS_PARENT_ENABLE to fix the error.
+
+Fixes: 3e5770921a88 ("clk: qcom: gcc: Add global clock controller driver for SM8250")
+Reviewed-by: Konrad Dybcio
+Reviewed-by: Bryan O'Donoghue
+Signed-off-by: Patrick Whewell
+Reviewed-by: Vinod Koul
+Link: https://lore.kernel.org/r/20230802210359.408-1-patrick.whewell@sightlineapplications.com
+Signed-off-by: Bjorn Andersson
+Signed-off-by: Sasha Levin
+---
+ drivers/clk/qcom/gcc-sm8250.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/clk/qcom/gcc-sm8250.c b/drivers/clk/qcom/gcc-sm8250.c
+index 68a31f208d904..70723e4dab008 100644
+--- a/drivers/clk/qcom/gcc-sm8250.c
++++ b/drivers/clk/qcom/gcc-sm8250.c
+@@ -722,6 +722,7 @@ static struct clk_rcg2 gcc_sdcc2_apps_clk_src = {
+ .name = "gcc_sdcc2_apps_clk_src",
+ .parent_data = gcc_parent_data_4,
+ .num_parents = ARRAY_SIZE(gcc_parent_data_4),
++ .flags = CLK_OPS_PARENT_ENABLE,
+ .ops = &clk_rcg2_floor_ops,
+ },
+ };
+--
+2.40.1
+
diff --git a/queue-5.10/clk-qcom-gcc-sm8250-use-array_size-instead-of-specif.patch b/queue-5.10/clk-qcom-gcc-sm8250-use-array_size-instead-of-specif.patch
new file mode 100644
index 00000000000..afbf45ec89c
--- /dev/null
+++ b/queue-5.10/clk-qcom-gcc-sm8250-use-array_size-instead-of-specif.patch
@@ -0,0 +1,443 @@ +From 99e61bf38ba21a2fd6f1212c8fe7daee80d8bf8b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Apr 2021 01:47:42 +0300 +Subject: clk: qcom: gcc-sm8250: use ARRAY_SIZE instead of specifying + num_parents + +From: Dmitry Baryshkov + +[ Upstream commit c864cd5f506cf53b7f2290009fba6e933a34770d ] + +Use ARRAY_SIZE() instead of manually specifying num_parents. This makes +adding/removing entries to/from parent_data easy and errorproof. + +Signed-off-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20210405224743.590029-33-dmitry.baryshkov@linaro.org +Signed-off-by: Stephen Boyd +Stable-dep-of: 783cb693828c ("clk: qcom: gcc-sm8250: Fix gcc_sdcc2_apps_clk_src") +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/gcc-sm8250.c | 92 +++++++++++++++++------------------ + 1 file changed, 46 insertions(+), 46 deletions(-) + +diff --git a/drivers/clk/qcom/gcc-sm8250.c b/drivers/clk/qcom/gcc-sm8250.c +index 7ec11acc82984..68a31f208d904 100644 +--- a/drivers/clk/qcom/gcc-sm8250.c ++++ b/drivers/clk/qcom/gcc-sm8250.c +@@ -200,7 +200,7 @@ static struct clk_rcg2 gcc_cpuss_ahb_clk_src = { + .clkr.hw.init = &(struct clk_init_data){ + .name = "gcc_cpuss_ahb_clk_src", + .parent_data = gcc_parent_data_0_ao, +- .num_parents = 3, ++ .num_parents = ARRAY_SIZE(gcc_parent_data_0_ao), + .flags = CLK_SET_RATE_PARENT, + .ops = &clk_rcg2_ops, + }, +@@ -224,7 +224,7 @@ static struct clk_rcg2 gcc_gp1_clk_src = { + .clkr.hw.init = &(struct clk_init_data){ + .name = "gcc_gp1_clk_src", + .parent_data = gcc_parent_data_1, +- .num_parents = 4, ++ .num_parents = ARRAY_SIZE(gcc_parent_data_1), + .ops = &clk_rcg2_ops, + }, + }; +@@ -238,7 +238,7 @@ static struct clk_rcg2 gcc_gp2_clk_src = { + .clkr.hw.init = &(struct clk_init_data){ + .name = "gcc_gp2_clk_src", + .parent_data = gcc_parent_data_1, +- .num_parents = 4, ++ .num_parents = ARRAY_SIZE(gcc_parent_data_1), + .ops = &clk_rcg2_ops, + }, + }; +@@ -252,7 +252,7 @@ static struct clk_rcg2 gcc_gp3_clk_src = { + 
.clkr.hw.init = &(struct clk_init_data){ + .name = "gcc_gp3_clk_src", + .parent_data = gcc_parent_data_1, +- .num_parents = 4, ++ .num_parents = ARRAY_SIZE(gcc_parent_data_1), + .ops = &clk_rcg2_ops, + }, + }; +@@ -272,7 +272,7 @@ static struct clk_rcg2 gcc_pcie_0_aux_clk_src = { + .clkr.hw.init = &(struct clk_init_data){ + .name = "gcc_pcie_0_aux_clk_src", + .parent_data = gcc_parent_data_2, +- .num_parents = 2, ++ .num_parents = ARRAY_SIZE(gcc_parent_data_2), + .ops = &clk_rcg2_ops, + }, + }; +@@ -286,7 +286,7 @@ static struct clk_rcg2 gcc_pcie_1_aux_clk_src = { + .clkr.hw.init = &(struct clk_init_data){ + .name = "gcc_pcie_1_aux_clk_src", + .parent_data = gcc_parent_data_2, +- .num_parents = 2, ++ .num_parents = ARRAY_SIZE(gcc_parent_data_2), + .ops = &clk_rcg2_ops, + }, + }; +@@ -300,7 +300,7 @@ static struct clk_rcg2 gcc_pcie_2_aux_clk_src = { + .clkr.hw.init = &(struct clk_init_data){ + .name = "gcc_pcie_2_aux_clk_src", + .parent_data = gcc_parent_data_2, +- .num_parents = 2, ++ .num_parents = ARRAY_SIZE(gcc_parent_data_2), + .ops = &clk_rcg2_ops, + }, + }; +@@ -320,7 +320,7 @@ static struct clk_rcg2 gcc_pcie_phy_refgen_clk_src = { + .clkr.hw.init = &(struct clk_init_data){ + .name = "gcc_pcie_phy_refgen_clk_src", + .parent_data = gcc_parent_data_0_ao, +- .num_parents = 3, ++ .num_parents = ARRAY_SIZE(gcc_parent_data_0_ao), + .ops = &clk_rcg2_ops, + }, + }; +@@ -341,7 +341,7 @@ static struct clk_rcg2 gcc_pdm2_clk_src = { + .clkr.hw.init = &(struct clk_init_data){ + .name = "gcc_pdm2_clk_src", + .parent_data = gcc_parent_data_0, +- .num_parents = 3, ++ .num_parents = ARRAY_SIZE(gcc_parent_data_0), + .ops = &clk_rcg2_ops, + }, + }; +@@ -369,7 +369,7 @@ static const struct freq_tbl ftbl_gcc_qupv3_wrap0_s0_clk_src[] = { + static struct clk_init_data gcc_qupv3_wrap0_s0_clk_src_init = { + .name = "gcc_qupv3_wrap0_s0_clk_src", + .parent_data = gcc_parent_data_0, +- .num_parents = 3, ++ .num_parents = ARRAY_SIZE(gcc_parent_data_0), + .ops = &clk_rcg2_ops, + }; + +@@ 
-385,7 +385,7 @@ static struct clk_rcg2 gcc_qupv3_wrap0_s0_clk_src = { + static struct clk_init_data gcc_qupv3_wrap0_s1_clk_src_init = { + .name = "gcc_qupv3_wrap0_s1_clk_src", + .parent_data = gcc_parent_data_0, +- .num_parents = 3, ++ .num_parents = ARRAY_SIZE(gcc_parent_data_0), + .ops = &clk_rcg2_ops, + }; + +@@ -417,7 +417,7 @@ static const struct freq_tbl ftbl_gcc_qupv3_wrap0_s2_clk_src[] = { + static struct clk_init_data gcc_qupv3_wrap0_s2_clk_src_init = { + .name = "gcc_qupv3_wrap0_s2_clk_src", + .parent_data = gcc_parent_data_0, +- .num_parents = 3, ++ .num_parents = ARRAY_SIZE(gcc_parent_data_0), + .ops = &clk_rcg2_ops, + }; + +@@ -433,7 +433,7 @@ static struct clk_rcg2 gcc_qupv3_wrap0_s2_clk_src = { + static struct clk_init_data gcc_qupv3_wrap0_s3_clk_src_init = { + .name = "gcc_qupv3_wrap0_s3_clk_src", + .parent_data = gcc_parent_data_0, +- .num_parents = 3, ++ .num_parents = ARRAY_SIZE(gcc_parent_data_0), + .ops = &clk_rcg2_ops, + }; + +@@ -449,7 +449,7 @@ static struct clk_rcg2 gcc_qupv3_wrap0_s3_clk_src = { + static struct clk_init_data gcc_qupv3_wrap0_s4_clk_src_init = { + .name = "gcc_qupv3_wrap0_s4_clk_src", + .parent_data = gcc_parent_data_0, +- .num_parents = 3, ++ .num_parents = ARRAY_SIZE(gcc_parent_data_0), + .ops = &clk_rcg2_ops, + }; + +@@ -465,7 +465,7 @@ static struct clk_rcg2 gcc_qupv3_wrap0_s4_clk_src = { + static struct clk_init_data gcc_qupv3_wrap0_s5_clk_src_init = { + .name = "gcc_qupv3_wrap0_s5_clk_src", + .parent_data = gcc_parent_data_0, +- .num_parents = 3, ++ .num_parents = ARRAY_SIZE(gcc_parent_data_0), + .ops = &clk_rcg2_ops, + }; + +@@ -481,7 +481,7 @@ static struct clk_rcg2 gcc_qupv3_wrap0_s5_clk_src = { + static struct clk_init_data gcc_qupv3_wrap0_s6_clk_src_init = { + .name = "gcc_qupv3_wrap0_s6_clk_src", + .parent_data = gcc_parent_data_0, +- .num_parents = 3, ++ .num_parents = ARRAY_SIZE(gcc_parent_data_0), + .ops = &clk_rcg2_ops, + }; + +@@ -497,7 +497,7 @@ static struct clk_rcg2 gcc_qupv3_wrap0_s6_clk_src = { + 
static struct clk_init_data gcc_qupv3_wrap0_s7_clk_src_init = { + .name = "gcc_qupv3_wrap0_s7_clk_src", + .parent_data = gcc_parent_data_0, +- .num_parents = 3, ++ .num_parents = ARRAY_SIZE(gcc_parent_data_0), + .ops = &clk_rcg2_ops, + }; + +@@ -513,7 +513,7 @@ static struct clk_rcg2 gcc_qupv3_wrap0_s7_clk_src = { + static struct clk_init_data gcc_qupv3_wrap1_s0_clk_src_init = { + .name = "gcc_qupv3_wrap1_s0_clk_src", + .parent_data = gcc_parent_data_0, +- .num_parents = 3, ++ .num_parents = ARRAY_SIZE(gcc_parent_data_0), + .ops = &clk_rcg2_ops, + }; + +@@ -529,7 +529,7 @@ static struct clk_rcg2 gcc_qupv3_wrap1_s0_clk_src = { + static struct clk_init_data gcc_qupv3_wrap1_s1_clk_src_init = { + .name = "gcc_qupv3_wrap1_s1_clk_src", + .parent_data = gcc_parent_data_0, +- .num_parents = 3, ++ .num_parents = ARRAY_SIZE(gcc_parent_data_0), + .ops = &clk_rcg2_ops, + }; + +@@ -545,7 +545,7 @@ static struct clk_rcg2 gcc_qupv3_wrap1_s1_clk_src = { + static struct clk_init_data gcc_qupv3_wrap1_s2_clk_src_init = { + .name = "gcc_qupv3_wrap1_s2_clk_src", + .parent_data = gcc_parent_data_0, +- .num_parents = 3, ++ .num_parents = ARRAY_SIZE(gcc_parent_data_0), + .ops = &clk_rcg2_ops, + }; + +@@ -561,7 +561,7 @@ static struct clk_rcg2 gcc_qupv3_wrap1_s2_clk_src = { + static struct clk_init_data gcc_qupv3_wrap1_s3_clk_src_init = { + .name = "gcc_qupv3_wrap1_s3_clk_src", + .parent_data = gcc_parent_data_0, +- .num_parents = 3, ++ .num_parents = ARRAY_SIZE(gcc_parent_data_0), + .ops = &clk_rcg2_ops, + }; + +@@ -577,7 +577,7 @@ static struct clk_rcg2 gcc_qupv3_wrap1_s3_clk_src = { + static struct clk_init_data gcc_qupv3_wrap1_s4_clk_src_init = { + .name = "gcc_qupv3_wrap1_s4_clk_src", + .parent_data = gcc_parent_data_0, +- .num_parents = 3, ++ .num_parents = ARRAY_SIZE(gcc_parent_data_0), + .ops = &clk_rcg2_ops, + }; + +@@ -593,7 +593,7 @@ static struct clk_rcg2 gcc_qupv3_wrap1_s4_clk_src = { + static struct clk_init_data gcc_qupv3_wrap1_s5_clk_src_init = { + .name = 
"gcc_qupv3_wrap1_s5_clk_src", + .parent_data = gcc_parent_data_0, +- .num_parents = 3, ++ .num_parents = ARRAY_SIZE(gcc_parent_data_0), + .ops = &clk_rcg2_ops, + }; + +@@ -609,7 +609,7 @@ static struct clk_rcg2 gcc_qupv3_wrap1_s5_clk_src = { + static struct clk_init_data gcc_qupv3_wrap2_s0_clk_src_init = { + .name = "gcc_qupv3_wrap2_s0_clk_src", + .parent_data = gcc_parent_data_0, +- .num_parents = 3, ++ .num_parents = ARRAY_SIZE(gcc_parent_data_0), + .ops = &clk_rcg2_ops, + }; + +@@ -625,7 +625,7 @@ static struct clk_rcg2 gcc_qupv3_wrap2_s0_clk_src = { + static struct clk_init_data gcc_qupv3_wrap2_s1_clk_src_init = { + .name = "gcc_qupv3_wrap2_s1_clk_src", + .parent_data = gcc_parent_data_0, +- .num_parents = 3, ++ .num_parents = ARRAY_SIZE(gcc_parent_data_0), + .ops = &clk_rcg2_ops, + }; + +@@ -641,7 +641,7 @@ static struct clk_rcg2 gcc_qupv3_wrap2_s1_clk_src = { + static struct clk_init_data gcc_qupv3_wrap2_s2_clk_src_init = { + .name = "gcc_qupv3_wrap2_s2_clk_src", + .parent_data = gcc_parent_data_0, +- .num_parents = 3, ++ .num_parents = ARRAY_SIZE(gcc_parent_data_0), + .ops = &clk_rcg2_ops, + }; + +@@ -657,7 +657,7 @@ static struct clk_rcg2 gcc_qupv3_wrap2_s2_clk_src = { + static struct clk_init_data gcc_qupv3_wrap2_s3_clk_src_init = { + .name = "gcc_qupv3_wrap2_s3_clk_src", + .parent_data = gcc_parent_data_0, +- .num_parents = 3, ++ .num_parents = ARRAY_SIZE(gcc_parent_data_0), + .ops = &clk_rcg2_ops, + }; + +@@ -673,7 +673,7 @@ static struct clk_rcg2 gcc_qupv3_wrap2_s3_clk_src = { + static struct clk_init_data gcc_qupv3_wrap2_s4_clk_src_init = { + .name = "gcc_qupv3_wrap2_s4_clk_src", + .parent_data = gcc_parent_data_0, +- .num_parents = 3, ++ .num_parents = ARRAY_SIZE(gcc_parent_data_0), + .ops = &clk_rcg2_ops, + }; + +@@ -689,7 +689,7 @@ static struct clk_rcg2 gcc_qupv3_wrap2_s4_clk_src = { + static struct clk_init_data gcc_qupv3_wrap2_s5_clk_src_init = { + .name = "gcc_qupv3_wrap2_s5_clk_src", + .parent_data = gcc_parent_data_0, +- .num_parents = 3, ++ 
.num_parents = ARRAY_SIZE(gcc_parent_data_0), + .ops = &clk_rcg2_ops, + }; + +@@ -721,7 +721,7 @@ static struct clk_rcg2 gcc_sdcc2_apps_clk_src = { + .clkr.hw.init = &(struct clk_init_data){ + .name = "gcc_sdcc2_apps_clk_src", + .parent_data = gcc_parent_data_4, +- .num_parents = 5, ++ .num_parents = ARRAY_SIZE(gcc_parent_data_4), + .ops = &clk_rcg2_floor_ops, + }, + }; +@@ -744,7 +744,7 @@ static struct clk_rcg2 gcc_sdcc4_apps_clk_src = { + .clkr.hw.init = &(struct clk_init_data){ + .name = "gcc_sdcc4_apps_clk_src", + .parent_data = gcc_parent_data_0, +- .num_parents = 3, ++ .num_parents = ARRAY_SIZE(gcc_parent_data_0), + .ops = &clk_rcg2_floor_ops, + }, + }; +@@ -763,7 +763,7 @@ static struct clk_rcg2 gcc_tsif_ref_clk_src = { + .clkr.hw.init = &(struct clk_init_data){ + .name = "gcc_tsif_ref_clk_src", + .parent_data = gcc_parent_data_5, +- .num_parents = 4, ++ .num_parents = ARRAY_SIZE(gcc_parent_data_5), + .ops = &clk_rcg2_ops, + }, + }; +@@ -785,7 +785,7 @@ static struct clk_rcg2 gcc_ufs_card_axi_clk_src = { + .clkr.hw.init = &(struct clk_init_data){ + .name = "gcc_ufs_card_axi_clk_src", + .parent_data = gcc_parent_data_0, +- .num_parents = 3, ++ .num_parents = ARRAY_SIZE(gcc_parent_data_0), + .ops = &clk_rcg2_ops, + }, + }; +@@ -807,7 +807,7 @@ static struct clk_rcg2 gcc_ufs_card_ice_core_clk_src = { + .clkr.hw.init = &(struct clk_init_data){ + .name = "gcc_ufs_card_ice_core_clk_src", + .parent_data = gcc_parent_data_0, +- .num_parents = 3, ++ .num_parents = ARRAY_SIZE(gcc_parent_data_0), + .ops = &clk_rcg2_ops, + }, + }; +@@ -826,7 +826,7 @@ static struct clk_rcg2 gcc_ufs_card_phy_aux_clk_src = { + .clkr.hw.init = &(struct clk_init_data){ + .name = "gcc_ufs_card_phy_aux_clk_src", + .parent_data = gcc_parent_data_3, +- .num_parents = 1, ++ .num_parents = ARRAY_SIZE(gcc_parent_data_3), + .ops = &clk_rcg2_ops, + }, + }; +@@ -847,7 +847,7 @@ static struct clk_rcg2 gcc_ufs_card_unipro_core_clk_src = { + .clkr.hw.init = &(struct clk_init_data){ + .name = 
"gcc_ufs_card_unipro_core_clk_src", + .parent_data = gcc_parent_data_0, +- .num_parents = 3, ++ .num_parents = ARRAY_SIZE(gcc_parent_data_0), + .ops = &clk_rcg2_ops, + }, + }; +@@ -870,7 +870,7 @@ static struct clk_rcg2 gcc_ufs_phy_axi_clk_src = { + .clkr.hw.init = &(struct clk_init_data){ + .name = "gcc_ufs_phy_axi_clk_src", + .parent_data = gcc_parent_data_0, +- .num_parents = 3, ++ .num_parents = ARRAY_SIZE(gcc_parent_data_0), + .ops = &clk_rcg2_ops, + }, + }; +@@ -884,7 +884,7 @@ static struct clk_rcg2 gcc_ufs_phy_ice_core_clk_src = { + .clkr.hw.init = &(struct clk_init_data){ + .name = "gcc_ufs_phy_ice_core_clk_src", + .parent_data = gcc_parent_data_0, +- .num_parents = 3, ++ .num_parents = ARRAY_SIZE(gcc_parent_data_0), + .ops = &clk_rcg2_ops, + }, + }; +@@ -898,7 +898,7 @@ static struct clk_rcg2 gcc_ufs_phy_phy_aux_clk_src = { + .clkr.hw.init = &(struct clk_init_data){ + .name = "gcc_ufs_phy_phy_aux_clk_src", + .parent_data = gcc_parent_data_3, +- .num_parents = 1, ++ .num_parents = ARRAY_SIZE(gcc_parent_data_3), + .ops = &clk_rcg2_ops, + }, + }; +@@ -912,7 +912,7 @@ static struct clk_rcg2 gcc_ufs_phy_unipro_core_clk_src = { + .clkr.hw.init = &(struct clk_init_data){ + .name = "gcc_ufs_phy_unipro_core_clk_src", + .parent_data = gcc_parent_data_0, +- .num_parents = 3, ++ .num_parents = ARRAY_SIZE(gcc_parent_data_0), + .ops = &clk_rcg2_ops, + }, + }; +@@ -935,7 +935,7 @@ static struct clk_rcg2 gcc_usb30_prim_master_clk_src = { + .clkr.hw.init = &(struct clk_init_data){ + .name = "gcc_usb30_prim_master_clk_src", + .parent_data = gcc_parent_data_0, +- .num_parents = 3, ++ .num_parents = ARRAY_SIZE(gcc_parent_data_0), + .ops = &clk_rcg2_ops, + }, + }; +@@ -949,7 +949,7 @@ static struct clk_rcg2 gcc_usb30_prim_mock_utmi_clk_src = { + .clkr.hw.init = &(struct clk_init_data){ + .name = "gcc_usb30_prim_mock_utmi_clk_src", + .parent_data = gcc_parent_data_0, +- .num_parents = 3, ++ .num_parents = ARRAY_SIZE(gcc_parent_data_0), + .ops = &clk_rcg2_ops, + }, + }; +@@ 
-963,7 +963,7 @@ static struct clk_rcg2 gcc_usb30_sec_master_clk_src = { + .clkr.hw.init = &(struct clk_init_data){ + .name = "gcc_usb30_sec_master_clk_src", + .parent_data = gcc_parent_data_0, +- .num_parents = 3, ++ .num_parents = ARRAY_SIZE(gcc_parent_data_0), + .ops = &clk_rcg2_ops, + }, + }; +@@ -977,7 +977,7 @@ static struct clk_rcg2 gcc_usb30_sec_mock_utmi_clk_src = { + .clkr.hw.init = &(struct clk_init_data){ + .name = "gcc_usb30_sec_mock_utmi_clk_src", + .parent_data = gcc_parent_data_0, +- .num_parents = 3, ++ .num_parents = ARRAY_SIZE(gcc_parent_data_0), + .ops = &clk_rcg2_ops, + }, + }; +@@ -991,7 +991,7 @@ static struct clk_rcg2 gcc_usb3_prim_phy_aux_clk_src = { + .clkr.hw.init = &(struct clk_init_data){ + .name = "gcc_usb3_prim_phy_aux_clk_src", + .parent_data = gcc_parent_data_2, +- .num_parents = 2, ++ .num_parents = ARRAY_SIZE(gcc_parent_data_2), + .ops = &clk_rcg2_ops, + }, + }; +@@ -1005,7 +1005,7 @@ static struct clk_rcg2 gcc_usb3_sec_phy_aux_clk_src = { + .clkr.hw.init = &(struct clk_init_data){ + .name = "gcc_usb3_sec_phy_aux_clk_src", + .parent_data = gcc_parent_data_2, +- .num_parents = 2, ++ .num_parents = ARRAY_SIZE(gcc_parent_data_2), + .ops = &clk_rcg2_ops, + }, + }; +-- +2.40.1 + diff --git a/queue-5.10/clk-qcom-reset-use-the-correct-type-of-sleep-delay-b.patch b/queue-5.10/clk-qcom-reset-use-the-correct-type-of-sleep-delay-b.patch new file mode 100644 index 00000000000..073d6a48022 --- /dev/null +++ b/queue-5.10/clk-qcom-reset-use-the-correct-type-of-sleep-delay-b.patch 
@@ -0,0 +1,40 @@
+From a62cd2bf9d30e071ca8625172d40ed54f957ac4c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 28 Jul 2023 09:57:38 +0200
+Subject: clk: qcom: reset: Use the correct type of sleep/delay based on length
+
+From: Konrad Dybcio
+
+[ Upstream commit 181b66ee7cdd824797fc99b53bec29cf5630a04f ]
+
+Use the fsleep() helper that (based on the length of the delay, see: [1])
+chooses the correct sleep/delay functions.
+
+[1] https://www.kernel.org/doc/Documentation/timers/timers-howto.txt
+
+Fixes: 2cb8a39b6781 ("clk: qcom: reset: Allow specifying custom reset delay")
+Signed-off-by: Konrad Dybcio
+Link: https://lore.kernel.org/r/20230726-topic-qcom_reset-v3-1-5958facd5db2@linaro.org
+Signed-off-by: Bjorn Andersson
+Signed-off-by: Sasha Levin
+---
+ drivers/clk/qcom/reset.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/clk/qcom/reset.c b/drivers/clk/qcom/reset.c
+index 0e914ec7aeae1..e45e32804d2c7 100644
+--- a/drivers/clk/qcom/reset.c
++++ b/drivers/clk/qcom/reset.c
+@@ -16,7 +16,8 @@ static int qcom_reset(struct reset_controller_dev *rcdev, unsigned long id)
+ struct qcom_reset_controller *rst = to_qcom_reset_controller(rcdev);
+
+ rcdev->ops->assert(rcdev, id);
+- udelay(rst->reset_map[id].udelay ?: 1); /* use 1 us as default */
++ fsleep(rst->reset_map[id].udelay ?: 1); /* use 1 us as default */
++
+ rcdev->ops->deassert(rcdev, id);
+ return 0;
+ }
+--
+2.40.1
+
diff --git a/queue-5.10/clk-sunxi-ng-modify-mismatched-function-name.patch b/queue-5.10/clk-sunxi-ng-modify-mismatched-function-name.patch
new file mode 100644
index 00000000000..9da86f3e110
--- /dev/null
+++ b/queue-5.10/clk-sunxi-ng-modify-mismatched-function-name.patch
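Review bot: `qcom_reset()` in drivers/clk/qcom/reset.c can now sleep, and nothing at the call site says so: `fsleep()` switches to a sleeping primitive once the delay is long enough, whereas the `udelay()` it replaces always busy-waits. Whether any caller reaches this reset op from atomic context is not visible in the hunk, so I would document the new constraint above the call, e.g. `/* fsleep() may sleep for larger reset_map[id].udelay values; process context only */`. Adding `might_sleep();` at the top of the function would also catch a bad caller when the configured delay is small enough to stay on the busy-wait path. The function's first lines are outside the hunk.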
@@ -0,0 +1,39 @@
+From 45b7a81212208e80ea5051bf034285a2238a2cd5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 22 Jul 2023 15:31:07 +0000
+Subject: clk: sunxi-ng: Modify mismatched function name
+
+From: Zhang Jianhua
+
+[ Upstream commit 075d9ca5b4e17f84fd1c744a405e69ec743be7f0 ]
+
+No functional modification involved.
+
+drivers/clk/sunxi-ng/ccu_mmc_timing.c:54: warning: expecting prototype for sunxi_ccu_set_mmc_timing_mode(). Prototype was for sunxi_ccu_get_mmc_timing_mode() instead
+
+Fixes: f6f64ed868d3 ("clk: sunxi-ng: Add interface to query or configure MMC timing modes.")
+Signed-off-by: Zhang Jianhua
+Reviewed-by: Randy Dunlap
+Link: https://lore.kernel.org/r/20230722153107.2078179-1-chris.zjh@huawei.com
+Signed-off-by: Jernej Skrabec
+Signed-off-by: Sasha Levin
+---
+ drivers/clk/sunxi-ng/ccu_mmc_timing.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clk/sunxi-ng/ccu_mmc_timing.c b/drivers/clk/sunxi-ng/ccu_mmc_timing.c
+index de33414fc5c28..c6a6ce98ca03a 100644
+--- a/drivers/clk/sunxi-ng/ccu_mmc_timing.c
++++ b/drivers/clk/sunxi-ng/ccu_mmc_timing.c
+@@ -43,7 +43,7 @@ int sunxi_ccu_set_mmc_timing_mode(struct clk *clk, bool new_mode)
+ EXPORT_SYMBOL_GPL(sunxi_ccu_set_mmc_timing_mode);
+
+ /**
+- * sunxi_ccu_set_mmc_timing_mode: Get the current MMC clock timing mode
++ * sunxi_ccu_get_mmc_timing_mode: Get the current MMC clock timing mode
+ * @clk: clock to query
+ *
+ * Returns 0 if the clock is in old timing mode, > 0 if it is in
+--
+2.40.1
+
diff --git a/queue-5.10/coresight-tmc-explicit-type-conversions-to-prevent-i.patch b/queue-5.10/coresight-tmc-explicit-type-conversions-to-prevent-i.patch
new file mode 100644
index 00000000000..9313f4da6ef
--- /dev/null
+++ b/queue-5.10/coresight-tmc-explicit-type-conversions-to-prevent-i.patch
@@ -0,0 +1,89 @@ +From 36c14e0ffa06ea1f668da864c9db1846c1961da3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Aug 2023 16:15:14 +0800 +Subject: coresight: tmc: Explicit type conversions to prevent integer overflow + +From: Ruidong Tian + +[ Upstream commit fd380097cdb305582b7a1f9476391330299d2c59 ] + +Perf cs_etm session executed unexpectedly when AUX buffer > 1G. + + perf record -C 0 -m ,2G -e cs_etm// -- + [ perf record: Captured and wrote 2.615 MB perf.data ] + +Perf only collect about 2M perf data rather than 2G. This is becasuse +the operation, "nr_pages << PAGE_SHIFT", in coresight tmc driver, will +overflow when nr_pages >= 0x80000(correspond to 1G AUX buffer). The +overflow cause buffer allocation to fail, and TMC driver will alloc +minimal buffer size(1M). You can just get about 2M perf data(1M AUX +buffer + perf data header) at least. + +Explicit convert nr_pages to 64 bit to avoid overflow. + +Fixes: 22f429f19c41 ("coresight: etm-perf: Add support for ETR backend") +Fixes: 99443ea19e8b ("coresight: Add generic TMC sg table framework") +Fixes: 2e499bbc1a92 ("coresight: tmc: implementing TMC-ETF AUX space API") +Signed-off-by: Ruidong Tian +Reviewed-by: James Clark +Signed-off-by: Suzuki K Poulose +Link: https://lore.kernel.org/r/20230804081514.120171-2-tianruidong@linux.alibaba.com +Signed-off-by: Sasha Levin +--- + drivers/hwtracing/coresight/coresight-tmc-etf.c | 2 +- + drivers/hwtracing/coresight/coresight-tmc-etr.c | 5 +++-- + drivers/hwtracing/coresight/coresight-tmc.h | 2 +- + 3 files changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/hwtracing/coresight/coresight-tmc-etf.c b/drivers/hwtracing/coresight/coresight-tmc-etf.c +index 8978f3410bee5..eee069e95b9f6 100644 +--- a/drivers/hwtracing/coresight/coresight-tmc-etf.c ++++ b/drivers/hwtracing/coresight/coresight-tmc-etf.c +@@ -426,7 +426,7 @@ static int tmc_set_etf_buffer(struct coresight_device *csdev, + return -EINVAL; + + /* wrap head around to the amount of space we 
have */ +- head = handle->head & ((buf->nr_pages << PAGE_SHIFT) - 1); ++ head = handle->head & (((unsigned long)buf->nr_pages << PAGE_SHIFT) - 1); + + /* find the page to write to */ + buf->cur = head / PAGE_SIZE; +diff --git a/drivers/hwtracing/coresight/coresight-tmc-etr.c b/drivers/hwtracing/coresight/coresight-tmc-etr.c +index 3e74f5aed20d7..ae2dd0c88f4eb 100644 +--- a/drivers/hwtracing/coresight/coresight-tmc-etr.c ++++ b/drivers/hwtracing/coresight/coresight-tmc-etr.c +@@ -47,7 +47,8 @@ struct etr_perf_buffer { + }; + + /* Convert the perf index to an offset within the ETR buffer */ +-#define PERF_IDX2OFF(idx, buf) ((idx) % ((buf)->nr_pages << PAGE_SHIFT)) ++#define PERF_IDX2OFF(idx, buf) \ ++ ((idx) % ((unsigned long)(buf)->nr_pages << PAGE_SHIFT)) + + /* Lower limit for ETR hardware buffer */ + #define TMC_ETR_PERF_MIN_BUF_SIZE SZ_1M +@@ -1232,7 +1233,7 @@ alloc_etr_buf(struct tmc_drvdata *drvdata, struct perf_event *event, + * than the size requested via sysfs. + */ + if ((nr_pages << PAGE_SHIFT) > drvdata->size) { +- etr_buf = tmc_alloc_etr_buf(drvdata, (nr_pages << PAGE_SHIFT), ++ etr_buf = tmc_alloc_etr_buf(drvdata, ((ssize_t)nr_pages << PAGE_SHIFT), + 0, node, NULL); + if (!IS_ERR(etr_buf)) + goto done; +diff --git a/drivers/hwtracing/coresight/coresight-tmc.h b/drivers/hwtracing/coresight/coresight-tmc.h +index b91ec7dde7bc9..3655b3bfb2e32 100644 +--- a/drivers/hwtracing/coresight/coresight-tmc.h ++++ b/drivers/hwtracing/coresight/coresight-tmc.h +@@ -321,7 +321,7 @@ ssize_t tmc_sg_table_get_data(struct tmc_sg_table *sg_table, + static inline unsigned long + tmc_sg_table_buf_size(struct tmc_sg_table *sg_table) + { +- return sg_table->data_pages.nr_pages << PAGE_SHIFT; ++ return (unsigned long)sg_table->data_pages.nr_pages << PAGE_SHIFT; + } + + struct coresight_device *tmc_etr_get_catu_device(struct tmc_drvdata *drvdata); +-- +2.40.1 + 
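Review bot: In the `alloc_etr_buf()` hunk of coresight-tmc-etr.c only the argument to `tmc_alloc_etr_buf()` gets the cast; the guard just above it, `if ((nr_pages << PAGE_SHIFT) > drvdata->size)`, is an unchanged context line and still shifts in the original type of `nr_pages`. If that type is `int`, as the overflow described in the commit message implies, the comparison is still made on an overflowed value for buffers of 1G and above. Computing the size once, e.g. `unsigned long size = (unsigned long)nr_pages << PAGE_SHIFT;`, and using it in both the test and the call would also remove the `ssize_t` versus `unsigned long` inconsistency between the four casts. `unsigned long` is only wider than `int` on 64-bit builds, so the other three sites would not be protected on a 32-bit kernel. The function body starts and ends outside the hunk.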
diff --git a/queue-5.10/cpufreq-fix-the-race-condition-while-updating-the-tr.patch b/queue-5.10/cpufreq-fix-the-race-condition-while-updating-the-tr.patch new file mode 100644 index 00000000000..bdfa026cd8b --- /dev/null +++ b/queue-5.10/cpufreq-fix-the-race-condition-while-updating-the-tr.patch 
@@ -0,0 +1,81 @@ +From b6cc746189aafba95407144209991853ef22fdb8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Aug 2023 07:03:18 +0000 +Subject: cpufreq: Fix the race condition while updating the transition_task of + policy + +From: Liao Chang + +[ Upstream commit 61bfbf7951ba561dcbdd5357702d3cbc2d447812 ] + +The field 'transition_task' of policy structure is used to track the +task which is performing the frequency transition. Using this field to +print a warning once detect a case where the same task is calling +_begin() again before completing the preivous frequency transition via +the _end(). + +However, there is a potential race condition in _end() and _begin() APIs +while updating the field 'transition_task' of policy, the scenario is +depicted below: + + Task A Task B + + /* 1st freq transition */ + Invoke _begin() { + ... + ... + } + /* 2nd freq transition */ + Invoke _begin() { + ... //waiting for A to + ... //clear + ... //transition_ongoing + ... //in _end() for + ... //the 1st transition + | + Change the frequency | + | + Invoke _end() { | + ... | + ... | + transition_ongoing = false; V + transition_ongoing = true; + transition_task = current; + transition_task = NULL; + ... //A overwrites the task + ... //performing the transition + ... //result in error warning. + } + +To fix this race condition, the transition_lock of policy structure is +now acquired before updating policy structure in _end() API. Which ensure +that only one task can update the 'transition_task' field at a time. + +Link: https://lore.kernel.org/all/b3c61d8a-d52d-3136-fbf0-d1de9f1ba411@huawei.com/ +Fixes: ca654dc3a93d ("cpufreq: Catch double invocations of cpufreq_freq_transition_begin/end") +Signed-off-by: Liao Chang +Acked-by: Viresh Kumar +Signed-off-by: Rafael J. 
Wysocki +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/cpufreq.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c +index 58342390966b7..5b4bca71f201d 100644 +--- a/drivers/cpufreq/cpufreq.c ++++ b/drivers/cpufreq/cpufreq.c +@@ -450,8 +450,10 @@ void cpufreq_freq_transition_end(struct cpufreq_policy *policy, + policy->cur, + policy->cpuinfo.max_freq); + ++ spin_lock(&policy->transition_lock); + policy->transition_ongoing = false; + policy->transition_task = NULL; ++ spin_unlock(&policy->transition_lock); + + wake_up(&policy->transition_wait); + } +-- +2.40.1 + diff --git a/queue-5.10/cpufreq-powernow-k8-use-related_cpus-instead-of-cpus.patch b/queue-5.10/cpufreq-powernow-k8-use-related_cpus-instead-of-cpus.patch new file mode 100644 index 00000000000..c204a8fb59c --- /dev/null +++ b/queue-5.10/cpufreq-powernow-k8-use-related_cpus-instead-of-cpus.patch 
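Review bot: The two new lock calls in `cpufreq_freq_transition_end()` carry no comment, and the reason for them exists only in the commit message. Without it, a later cleanup could reasonably drop the lock around what look like two independent stores. I would add above `spin_lock(&policy->transition_lock);` something like `/* Serialise with _begin(): a waiter may set transition_task as soon as transition_ongoing is cleared */`. Whether this path can also run with interrupts disabled or from interrupt context is not visible here; if it can, the plain `spin_lock()` should be checked against how `_begin()` takes the same lock. The function starts outside the hunk.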
@@ -0,0 +1,39 @@
+From dfcf08962be93a136e400150051a2cd42263aad8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 26 Aug 2023 09:51:13 +0000
+Subject: cpufreq: powernow-k8: Use related_cpus instead of cpus in
+ driver.exit()
+
+From: Liao Chang
+
+[ Upstream commit 03997da042dac73c69e60d91942c727c76828b65 ]
+
+Since the 'cpus' field of policy structure will become empty in the
+cpufreq core API, it is better to use 'related_cpus' in the exit()
+callback of driver.
+
+Fixes: c3274763bfc3 ("cpufreq: powernow-k8: Initialize per-cpu data-structures properly")
+Signed-off-by: Liao Chang
+Signed-off-by: Viresh Kumar
+Signed-off-by: Sasha Levin
+---
+ drivers/cpufreq/powernow-k8.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/cpufreq/powernow-k8.c b/drivers/cpufreq/powernow-k8.c
+index b9ccb6a3dad98..22d4c639d71db 100644
+--- a/drivers/cpufreq/powernow-k8.c
++++ b/drivers/cpufreq/powernow-k8.c
+@@ -1101,7 +1101,8 @@ static int powernowk8_cpu_exit(struct cpufreq_policy *pol)
+
+ kfree(data->powernow_table);
+ kfree(data);
+- for_each_cpu(cpu, pol->cpus)
++ /* pol->cpus will be empty here, use related_cpus instead. */
++ for_each_cpu(cpu, pol->related_cpus)
+ per_cpu(powernow_data, cpu) = NULL;
+
+ return 0;
+--
+2.40.1
+
diff --git a/queue-5.10/crypto-api-use-work-queue-in-crypto_destroy_instance.patch b/queue-5.10/crypto-api-use-work-queue-in-crypto_destroy_instance.patch
new file mode 100644
index 00000000000..4101cbbb9e4
--- /dev/null
+++ b/queue-5.10/crypto-api-use-work-queue-in-crypto_destroy_instance.patch
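Review bot: `kfree(data)` in `powernowk8_cpu_exit()` runs before the loop that clears `per_cpu(powernow_data, cpu)`, so while the loop runs the per-CPU slots still point at freed memory. The patch corrects which mask is walked but keeps that order; whether any reader of `powernow_data` can run concurrently with the exit callback is not visible in the hunk, but clearing first costs nothing. I would move the `for_each_cpu(cpu, pol->related_cpus)` / `per_cpu(powernow_data, cpu) = NULL;` pair above `kfree(data->powernow_table);`. The start of the function is outside the hunk.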
@@ -0,0 +1,95 @@ +From f8d8a3d036aa0bf8dbfe0365ad469dae76f3b184 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Aug 2023 17:59:28 +0800 +Subject: crypto: api - Use work queue in crypto_destroy_instance + +From: Herbert Xu + +[ Upstream commit 9ae4577bc077a7e32c3c7d442c95bc76865c0f17 ] + +The function crypto_drop_spawn expects to be called in process +context. However, when an instance is unregistered while it still +has active users, the last user may cause the instance to be freed +in atomic context. + +Fix this by delaying the freeing to a work queue. + +Fixes: 6bfd48096ff8 ("[CRYPTO] api: Added spawns") +Reported-by: Florent Revest +Reported-by: syzbot+d769eed29cc42d75e2a3@syzkaller.appspotmail.com +Reported-by: syzbot+610ec0671f51e838436e@syzkaller.appspotmail.com +Signed-off-by: Herbert Xu +Tested-by: Florent Revest +Acked-by: Florent Revest +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/algapi.c | 16 ++++++++++++++-- + include/crypto/algapi.h | 3 +++ + 2 files changed, 17 insertions(+), 2 deletions(-) + +diff --git a/crypto/algapi.c b/crypto/algapi.c +index 42dca17dc2d97..5d422e725b267 100644 +--- a/crypto/algapi.c ++++ b/crypto/algapi.c +@@ -16,6 +16,7 @@ + #include + #include + #include ++#include + + #include "internal.h" + +@@ -68,15 +69,26 @@ static void crypto_free_instance(struct crypto_instance *inst) + inst->alg.cra_type->free(inst); + } + +-static void crypto_destroy_instance(struct crypto_alg *alg) ++static void crypto_destroy_instance_workfn(struct work_struct *w) + { +- struct crypto_instance *inst = (void *)alg; ++ struct crypto_instance *inst = container_of(w, struct crypto_instance, ++ free_work); + struct crypto_template *tmpl = inst->tmpl; + + crypto_free_instance(inst); + crypto_tmpl_put(tmpl); + } + ++static void crypto_destroy_instance(struct crypto_alg *alg) ++{ ++ struct crypto_instance *inst = container_of(alg, ++ struct crypto_instance, ++ alg); ++ ++ INIT_WORK(&inst->free_work, 
crypto_destroy_instance_workfn); ++ schedule_work(&inst->free_work); ++} ++ + /* + * This function adds a spawn to the list secondary_spawns which + * will be used at the end of crypto_remove_spawns to unregister +diff --git a/include/crypto/algapi.h b/include/crypto/algapi.h +index 18dd7a4aaf7da..96dbd438cc700 100644 +--- a/include/crypto/algapi.h ++++ b/include/crypto/algapi.h +@@ -10,6 +10,7 @@ + #include + #include + #include ++#include + + /* + * Maximum values for blocksize and alignmask, used to allocate +@@ -55,6 +56,8 @@ struct crypto_instance { + struct crypto_spawn *spawns; + }; + ++ struct work_struct free_work; ++ + void *__ctx[] CRYPTO_MINALIGN_ATTR; + }; + +-- +2.40.1 + diff --git a/queue-5.10/crypto-blake2b-sync-with-blake2s-implementation.patch b/queue-5.10/crypto-blake2b-sync-with-blake2s-implementation.patch new file mode 100644 index 00000000000..bf779c5c770 --- /dev/null +++ b/queue-5.10/crypto-blake2b-sync-with-blake2s-implementation.patch 
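Review bot: The new `free_work` member of `struct crypto_instance` in include/crypto/algapi.h is undocumented, and `crypto_destroy_instance()` in crypto/algapi.c now returns while the instance and its template reference stay live until the system workqueue runs `crypto_destroy_instance_workfn()`. No flush of that work is visible in these hunks, so any teardown path that assumes the instance is gone once the last reference is dropped should be checked; I cannot tell from here whether one exists. I would add `/* Deferred free: queued by crypto_destroy_instance(), runs in process context */` above the field and a short comment on `crypto_destroy_instance()` stating that the free is asynchronous.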
@@ -0,0 +1,523 @@ +From 16122c9dba081e884eb06a94fd63ef38f52b6fbd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Dec 2020 00:10:01 -0800 +Subject: crypto: blake2b - sync with blake2s implementation + +From: Eric Biggers + +[ Upstream commit 28dcca4cc0c01e2467549a36b1b0eacfdb01236c ] + +Sync the BLAKE2b code with the BLAKE2s code as much as possible: + +- Move a lot of code into new headers and + , and adjust it to be like the + corresponding BLAKE2s code, i.e. like and + . + +- Rename constants, e.g. BLAKE2B_*_DIGEST_SIZE => BLAKE2B_*_HASH_SIZE. + +- Use a macro BLAKE2B_ALG() to define the shash_alg structs. + +- Export blake2b_compress_generic() for use as a fallback. + +This makes it much easier to add optimized implementations of BLAKE2b, +as optimized implementations can use the helper functions +crypto_blake2b_{setkey,init,update,final}() and +blake2b_compress_generic(). The ARM implementation will use these. + +But this change is also helpful because it eliminates unnecessary +differences between the BLAKE2b and BLAKE2s code, so that the same +improvements can easily be made to both. (The two algorithms are +basically identical, except for the word size and constants.) It also +makes it straightforward to add a library API for BLAKE2b in the future +if/when it's needed. + +This change does make the BLAKE2b code slightly more complicated than it +needs to be, as it doesn't actually provide a library API yet. For +example, __blake2b_update() doesn't really need to exist yet; it could +just be inlined into crypto_blake2b_update(). But I believe this is +outweighed by the benefits of keeping the code in sync. 
+ +Signed-off-by: Eric Biggers +Acked-by: Ard Biesheuvel +Signed-off-by: Herbert Xu +Stable-dep-of: 9ae4577bc077 ("crypto: api - Use work queue in crypto_destroy_instance") +Signed-off-by: Sasha Levin +--- + crypto/blake2b_generic.c | 226 +++++++----------------------- + include/crypto/blake2b.h | 67 +++++++++ + include/crypto/internal/blake2b.h | 115 +++++++++++++++ + 3 files changed, 230 insertions(+), 178 deletions(-) + create mode 100644 include/crypto/blake2b.h + create mode 100644 include/crypto/internal/blake2b.h + +diff --git a/crypto/blake2b_generic.c b/crypto/blake2b_generic.c +index a2ffe60e06d34..963f7fe0e4ea8 100644 +--- a/crypto/blake2b_generic.c ++++ b/crypto/blake2b_generic.c +@@ -20,36 +20,11 @@ + + #include + #include +-#include + #include + #include ++#include + #include + +-#define BLAKE2B_160_DIGEST_SIZE (160 / 8) +-#define BLAKE2B_256_DIGEST_SIZE (256 / 8) +-#define BLAKE2B_384_DIGEST_SIZE (384 / 8) +-#define BLAKE2B_512_DIGEST_SIZE (512 / 8) +- +-enum blake2b_constant { +- BLAKE2B_BLOCKBYTES = 128, +- BLAKE2B_KEYBYTES = 64, +-}; +- +-struct blake2b_state { +- u64 h[8]; +- u64 t[2]; +- u64 f[2]; +- u8 buf[BLAKE2B_BLOCKBYTES]; +- size_t buflen; +-}; +- +-static const u64 blake2b_IV[8] = { +- 0x6a09e667f3bcc908ULL, 0xbb67ae8584caa73bULL, +- 0x3c6ef372fe94f82bULL, 0xa54ff53a5f1d36f1ULL, +- 0x510e527fade682d1ULL, 0x9b05688c2b3e6c1fULL, +- 0x1f83d9abfb41bd6bULL, 0x5be0cd19137e2179ULL +-}; +- + static const u8 blake2b_sigma[12][16] = { + { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 }, + { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 }, +@@ -95,8 +70,8 @@ static void blake2b_increment_counter(struct blake2b_state *S, const u64 inc) + G(r,7,v[ 3],v[ 4],v[ 9],v[14]); \ + } while (0) + +-static void blake2b_compress(struct blake2b_state *S, +- const u8 block[BLAKE2B_BLOCKBYTES]) ++static void blake2b_compress_one_generic(struct blake2b_state *S, ++ const u8 block[BLAKE2B_BLOCK_SIZE]) + { + u64 m[16]; + u64 v[16]; +@@ -108,14 +83,14 @@ 
static void blake2b_compress(struct blake2b_state *S, + for (i = 0; i < 8; ++i) + v[i] = S->h[i]; + +- v[ 8] = blake2b_IV[0]; +- v[ 9] = blake2b_IV[1]; +- v[10] = blake2b_IV[2]; +- v[11] = blake2b_IV[3]; +- v[12] = blake2b_IV[4] ^ S->t[0]; +- v[13] = blake2b_IV[5] ^ S->t[1]; +- v[14] = blake2b_IV[6] ^ S->f[0]; +- v[15] = blake2b_IV[7] ^ S->f[1]; ++ v[ 8] = BLAKE2B_IV0; ++ v[ 9] = BLAKE2B_IV1; ++ v[10] = BLAKE2B_IV2; ++ v[11] = BLAKE2B_IV3; ++ v[12] = BLAKE2B_IV4 ^ S->t[0]; ++ v[13] = BLAKE2B_IV5 ^ S->t[1]; ++ v[14] = BLAKE2B_IV6 ^ S->f[0]; ++ v[15] = BLAKE2B_IV7 ^ S->f[1]; + + ROUND(0); + ROUND(1); +@@ -139,159 +114,54 @@ static void blake2b_compress(struct blake2b_state *S, + #undef G + #undef ROUND + +-struct blake2b_tfm_ctx { +- u8 key[BLAKE2B_KEYBYTES]; +- unsigned int keylen; +-}; +- +-static int blake2b_setkey(struct crypto_shash *tfm, const u8 *key, +- unsigned int keylen) ++void blake2b_compress_generic(struct blake2b_state *state, ++ const u8 *block, size_t nblocks, u32 inc) + { +- struct blake2b_tfm_ctx *tctx = crypto_shash_ctx(tfm); +- +- if (keylen == 0 || keylen > BLAKE2B_KEYBYTES) +- return -EINVAL; +- +- memcpy(tctx->key, key, keylen); +- tctx->keylen = keylen; +- +- return 0; ++ do { ++ blake2b_increment_counter(state, inc); ++ blake2b_compress_one_generic(state, block); ++ block += BLAKE2B_BLOCK_SIZE; ++ } while (--nblocks); + } ++EXPORT_SYMBOL(blake2b_compress_generic); + +-static int blake2b_init(struct shash_desc *desc) ++static int crypto_blake2b_update_generic(struct shash_desc *desc, ++ const u8 *in, unsigned int inlen) + { +- struct blake2b_tfm_ctx *tctx = crypto_shash_ctx(desc->tfm); +- struct blake2b_state *state = shash_desc_ctx(desc); +- const int digestsize = crypto_shash_digestsize(desc->tfm); +- +- memset(state, 0, sizeof(*state)); +- memcpy(state->h, blake2b_IV, sizeof(state->h)); +- +- /* Parameter block is all zeros except index 0, no xor for 1..7 */ +- state->h[0] ^= 0x01010000 | tctx->keylen << 8 | digestsize; +- +- if 
(tctx->keylen) { +- /* +- * Prefill the buffer with the key, next call to _update or +- * _final will process it +- */ +- memcpy(state->buf, tctx->key, tctx->keylen); +- state->buflen = BLAKE2B_BLOCKBYTES; +- } +- return 0; ++ return crypto_blake2b_update(desc, in, inlen, blake2b_compress_generic); + } + +-static int blake2b_update(struct shash_desc *desc, const u8 *in, +- unsigned int inlen) ++static int crypto_blake2b_final_generic(struct shash_desc *desc, u8 *out) + { +- struct blake2b_state *state = shash_desc_ctx(desc); +- const size_t left = state->buflen; +- const size_t fill = BLAKE2B_BLOCKBYTES - left; +- +- if (!inlen) +- return 0; +- +- if (inlen > fill) { +- state->buflen = 0; +- /* Fill buffer */ +- memcpy(state->buf + left, in, fill); +- blake2b_increment_counter(state, BLAKE2B_BLOCKBYTES); +- /* Compress */ +- blake2b_compress(state, state->buf); +- in += fill; +- inlen -= fill; +- while (inlen > BLAKE2B_BLOCKBYTES) { +- blake2b_increment_counter(state, BLAKE2B_BLOCKBYTES); +- blake2b_compress(state, in); +- in += BLAKE2B_BLOCKBYTES; +- inlen -= BLAKE2B_BLOCKBYTES; +- } +- } +- memcpy(state->buf + state->buflen, in, inlen); +- state->buflen += inlen; +- +- return 0; ++ return crypto_blake2b_final(desc, out, blake2b_compress_generic); + } + +-static int blake2b_final(struct shash_desc *desc, u8 *out) +-{ +- struct blake2b_state *state = shash_desc_ctx(desc); +- const int digestsize = crypto_shash_digestsize(desc->tfm); +- size_t i; +- +- blake2b_increment_counter(state, state->buflen); +- /* Set last block */ +- state->f[0] = (u64)-1; +- /* Padding */ +- memset(state->buf + state->buflen, 0, BLAKE2B_BLOCKBYTES - state->buflen); +- blake2b_compress(state, state->buf); +- +- /* Avoid temporary buffer and switch the internal output to LE order */ +- for (i = 0; i < ARRAY_SIZE(state->h); i++) +- __cpu_to_le64s(&state->h[i]); +- +- memcpy(out, state->h, digestsize); +- return 0; +-} ++#define BLAKE2B_ALG(name, driver_name, digest_size) \ ++ { \ ++ 
.base.cra_name = name, \ ++ .base.cra_driver_name = driver_name, \ ++ .base.cra_priority = 100, \ ++ .base.cra_flags = CRYPTO_ALG_OPTIONAL_KEY, \ ++ .base.cra_blocksize = BLAKE2B_BLOCK_SIZE, \ ++ .base.cra_ctxsize = sizeof(struct blake2b_tfm_ctx), \ ++ .base.cra_module = THIS_MODULE, \ ++ .digestsize = digest_size, \ ++ .setkey = crypto_blake2b_setkey, \ ++ .init = crypto_blake2b_init, \ ++ .update = crypto_blake2b_update_generic, \ ++ .final = crypto_blake2b_final_generic, \ ++ .descsize = sizeof(struct blake2b_state), \ ++ } + + static struct shash_alg blake2b_algs[] = { +- { +- .base.cra_name = "blake2b-160", +- .base.cra_driver_name = "blake2b-160-generic", +- .base.cra_priority = 100, +- .base.cra_flags = CRYPTO_ALG_OPTIONAL_KEY, +- .base.cra_blocksize = BLAKE2B_BLOCKBYTES, +- .base.cra_ctxsize = sizeof(struct blake2b_tfm_ctx), +- .base.cra_module = THIS_MODULE, +- .digestsize = BLAKE2B_160_DIGEST_SIZE, +- .setkey = blake2b_setkey, +- .init = blake2b_init, +- .update = blake2b_update, +- .final = blake2b_final, +- .descsize = sizeof(struct blake2b_state), +- }, { +- .base.cra_name = "blake2b-256", +- .base.cra_driver_name = "blake2b-256-generic", +- .base.cra_priority = 100, +- .base.cra_flags = CRYPTO_ALG_OPTIONAL_KEY, +- .base.cra_blocksize = BLAKE2B_BLOCKBYTES, +- .base.cra_ctxsize = sizeof(struct blake2b_tfm_ctx), +- .base.cra_module = THIS_MODULE, +- .digestsize = BLAKE2B_256_DIGEST_SIZE, +- .setkey = blake2b_setkey, +- .init = blake2b_init, +- .update = blake2b_update, +- .final = blake2b_final, +- .descsize = sizeof(struct blake2b_state), +- }, { +- .base.cra_name = "blake2b-384", +- .base.cra_driver_name = "blake2b-384-generic", +- .base.cra_priority = 100, +- .base.cra_flags = CRYPTO_ALG_OPTIONAL_KEY, +- .base.cra_blocksize = BLAKE2B_BLOCKBYTES, +- .base.cra_ctxsize = sizeof(struct blake2b_tfm_ctx), +- .base.cra_module = THIS_MODULE, +- .digestsize = BLAKE2B_384_DIGEST_SIZE, +- .setkey = blake2b_setkey, +- .init = blake2b_init, +- .update = 
blake2b_update, +- .final = blake2b_final, +- .descsize = sizeof(struct blake2b_state), +- }, { +- .base.cra_name = "blake2b-512", +- .base.cra_driver_name = "blake2b-512-generic", +- .base.cra_priority = 100, +- .base.cra_flags = CRYPTO_ALG_OPTIONAL_KEY, +- .base.cra_blocksize = BLAKE2B_BLOCKBYTES, +- .base.cra_ctxsize = sizeof(struct blake2b_tfm_ctx), +- .base.cra_module = THIS_MODULE, +- .digestsize = BLAKE2B_512_DIGEST_SIZE, +- .setkey = blake2b_setkey, +- .init = blake2b_init, +- .update = blake2b_update, +- .final = blake2b_final, +- .descsize = sizeof(struct blake2b_state), +- } ++ BLAKE2B_ALG("blake2b-160", "blake2b-160-generic", ++ BLAKE2B_160_HASH_SIZE), ++ BLAKE2B_ALG("blake2b-256", "blake2b-256-generic", ++ BLAKE2B_256_HASH_SIZE), ++ BLAKE2B_ALG("blake2b-384", "blake2b-384-generic", ++ BLAKE2B_384_HASH_SIZE), ++ BLAKE2B_ALG("blake2b-512", "blake2b-512-generic", ++ BLAKE2B_512_HASH_SIZE), + }; + + static int __init blake2b_mod_init(void) +diff --git a/include/crypto/blake2b.h b/include/crypto/blake2b.h +new file mode 100644 +index 0000000000000..18875f16f8cad +--- /dev/null ++++ b/include/crypto/blake2b.h +@@ -0,0 +1,67 @@ ++/* SPDX-License-Identifier: GPL-2.0 OR MIT */ ++ ++#ifndef _CRYPTO_BLAKE2B_H ++#define _CRYPTO_BLAKE2B_H ++ ++#include ++#include ++#include ++#include ++ ++enum blake2b_lengths { ++ BLAKE2B_BLOCK_SIZE = 128, ++ BLAKE2B_HASH_SIZE = 64, ++ BLAKE2B_KEY_SIZE = 64, ++ ++ BLAKE2B_160_HASH_SIZE = 20, ++ BLAKE2B_256_HASH_SIZE = 32, ++ BLAKE2B_384_HASH_SIZE = 48, ++ BLAKE2B_512_HASH_SIZE = 64, ++}; ++ ++struct blake2b_state { ++ /* 'h', 't', and 'f' are used in assembly code, so keep them as-is. 
*/ ++ u64 h[8]; ++ u64 t[2]; ++ u64 f[2]; ++ u8 buf[BLAKE2B_BLOCK_SIZE]; ++ unsigned int buflen; ++ unsigned int outlen; ++}; ++ ++enum blake2b_iv { ++ BLAKE2B_IV0 = 0x6A09E667F3BCC908ULL, ++ BLAKE2B_IV1 = 0xBB67AE8584CAA73BULL, ++ BLAKE2B_IV2 = 0x3C6EF372FE94F82BULL, ++ BLAKE2B_IV3 = 0xA54FF53A5F1D36F1ULL, ++ BLAKE2B_IV4 = 0x510E527FADE682D1ULL, ++ BLAKE2B_IV5 = 0x9B05688C2B3E6C1FULL, ++ BLAKE2B_IV6 = 0x1F83D9ABFB41BD6BULL, ++ BLAKE2B_IV7 = 0x5BE0CD19137E2179ULL, ++}; ++ ++static inline void __blake2b_init(struct blake2b_state *state, size_t outlen, ++ const void *key, size_t keylen) ++{ ++ state->h[0] = BLAKE2B_IV0 ^ (0x01010000 | keylen << 8 | outlen); ++ state->h[1] = BLAKE2B_IV1; ++ state->h[2] = BLAKE2B_IV2; ++ state->h[3] = BLAKE2B_IV3; ++ state->h[4] = BLAKE2B_IV4; ++ state->h[5] = BLAKE2B_IV5; ++ state->h[6] = BLAKE2B_IV6; ++ state->h[7] = BLAKE2B_IV7; ++ state->t[0] = 0; ++ state->t[1] = 0; ++ state->f[0] = 0; ++ state->f[1] = 0; ++ state->buflen = 0; ++ state->outlen = outlen; ++ if (keylen) { ++ memcpy(state->buf, key, keylen); ++ memset(&state->buf[keylen], 0, BLAKE2B_BLOCK_SIZE - keylen); ++ state->buflen = BLAKE2B_BLOCK_SIZE; ++ } ++} ++ ++#endif /* _CRYPTO_BLAKE2B_H */ +diff --git a/include/crypto/internal/blake2b.h b/include/crypto/internal/blake2b.h +new file mode 100644 +index 0000000000000..982fe5e8471cd +--- /dev/null ++++ b/include/crypto/internal/blake2b.h +@@ -0,0 +1,115 @@ ++/* SPDX-License-Identifier: GPL-2.0 OR MIT */ ++/* ++ * Helper functions for BLAKE2b implementations. ++ * Keep this in sync with the corresponding BLAKE2s header. 
++ */ ++ ++#ifndef _CRYPTO_INTERNAL_BLAKE2B_H ++#define _CRYPTO_INTERNAL_BLAKE2B_H ++ ++#include ++#include ++#include ++ ++void blake2b_compress_generic(struct blake2b_state *state, ++ const u8 *block, size_t nblocks, u32 inc); ++ ++static inline void blake2b_set_lastblock(struct blake2b_state *state) ++{ ++ state->f[0] = -1; ++} ++ ++typedef void (*blake2b_compress_t)(struct blake2b_state *state, ++ const u8 *block, size_t nblocks, u32 inc); ++ ++static inline void __blake2b_update(struct blake2b_state *state, ++ const u8 *in, size_t inlen, ++ blake2b_compress_t compress) ++{ ++ const size_t fill = BLAKE2B_BLOCK_SIZE - state->buflen; ++ ++ if (unlikely(!inlen)) ++ return; ++ if (inlen > fill) { ++ memcpy(state->buf + state->buflen, in, fill); ++ (*compress)(state, state->buf, 1, BLAKE2B_BLOCK_SIZE); ++ state->buflen = 0; ++ in += fill; ++ inlen -= fill; ++ } ++ if (inlen > BLAKE2B_BLOCK_SIZE) { ++ const size_t nblocks = DIV_ROUND_UP(inlen, BLAKE2B_BLOCK_SIZE); ++ /* Hash one less (full) block than strictly possible */ ++ (*compress)(state, in, nblocks - 1, BLAKE2B_BLOCK_SIZE); ++ in += BLAKE2B_BLOCK_SIZE * (nblocks - 1); ++ inlen -= BLAKE2B_BLOCK_SIZE * (nblocks - 1); ++ } ++ memcpy(state->buf + state->buflen, in, inlen); ++ state->buflen += inlen; ++} ++ ++static inline void __blake2b_final(struct blake2b_state *state, u8 *out, ++ blake2b_compress_t compress) ++{ ++ int i; ++ ++ blake2b_set_lastblock(state); ++ memset(state->buf + state->buflen, 0, ++ BLAKE2B_BLOCK_SIZE - state->buflen); /* Padding */ ++ (*compress)(state, state->buf, 1, state->buflen); ++ for (i = 0; i < ARRAY_SIZE(state->h); i++) ++ __cpu_to_le64s(&state->h[i]); ++ memcpy(out, state->h, state->outlen); ++} ++ ++/* Helper functions for shash implementations of BLAKE2b */ ++ ++struct blake2b_tfm_ctx { ++ u8 key[BLAKE2B_KEY_SIZE]; ++ unsigned int keylen; ++}; ++ ++static inline int crypto_blake2b_setkey(struct crypto_shash *tfm, ++ const u8 *key, unsigned int keylen) ++{ ++ struct blake2b_tfm_ctx 
*tctx = crypto_shash_ctx(tfm); ++ ++ if (keylen == 0 || keylen > BLAKE2B_KEY_SIZE) ++ return -EINVAL; ++ ++ memcpy(tctx->key, key, keylen); ++ tctx->keylen = keylen; ++ ++ return 0; ++} ++ ++static inline int crypto_blake2b_init(struct shash_desc *desc) ++{ ++ const struct blake2b_tfm_ctx *tctx = crypto_shash_ctx(desc->tfm); ++ struct blake2b_state *state = shash_desc_ctx(desc); ++ unsigned int outlen = crypto_shash_digestsize(desc->tfm); ++ ++ __blake2b_init(state, outlen, tctx->key, tctx->keylen); ++ return 0; ++} ++ ++static inline int crypto_blake2b_update(struct shash_desc *desc, ++ const u8 *in, unsigned int inlen, ++ blake2b_compress_t compress) ++{ ++ struct blake2b_state *state = shash_desc_ctx(desc); ++ ++ __blake2b_update(state, in, inlen, compress); ++ return 0; ++} ++ ++static inline int crypto_blake2b_final(struct shash_desc *desc, u8 *out, ++ blake2b_compress_t compress) ++{ ++ struct blake2b_state *state = shash_desc_ctx(desc); ++ ++ __blake2b_final(state, out, compress); ++ return 0; ++} ++ ++#endif /* _CRYPTO_INTERNAL_BLAKE2B_H */ +-- +2.40.1 + diff --git a/queue-5.10/crypto-caam-fix-unchecked-return-value-error.patch b/queue-5.10/crypto-caam-fix-unchecked-return-value-error.patch new file mode 100644 index 00000000000..b0c8273d790 --- /dev/null +++ b/queue-5.10/crypto-caam-fix-unchecked-return-value-error.patch 
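Review bot: `blake2b_compress_generic()` in crypto/blake2b_generic.c is exported and loops with `do { ... } while (--nblocks);`, so a call with `nblocks == 0` wraps the `size_t` counter and keeps reading past `block`. The callers in this patch pass 1, or `nblocks - 1` under `inlen > BLAKE2B_BLOCK_SIZE`, so they are safe, but the precondition is neither stated nor enforced for the optimized implementations the commit message anticipates. I would add `if (WARN_ON_ONCE(!nblocks)) return;` at the top, or at least the comment `/* nblocks must be at least 1 */`. The same kind of unstated bound exists in `__blake2b_init()` in include/crypto/blake2b.h, where `BLAKE2B_BLOCK_SIZE - keylen` underflows if `keylen` exceeds the block size; in the visible code only `crypto_blake2b_setkey()` limits it.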
@@ -0,0 +1,44 @@ +From 55c13f0667f9deb751bd3b933fbaf7df8b550a71 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Aug 2023 12:55:25 +0200 +Subject: crypto: caam - fix unchecked return value error + +From: Gaurav Jain + +[ Upstream commit e30685204711a6be40dec2622606950ccd37dafe ] + +error: +Unchecked return value (CHECKED_RETURN) +check_return: Calling sg_miter_next without checking return value + +fix: +added check if(!sg_miter_next) + +Fixes: 8a2a0dd35f2e ("crypto: caam - strip input zeros from RSA input buffer") +Signed-off-by: Gaurav Jain +Signed-off-by: Meenakshi Aggarwal +Reviewed-by: Gaurav Jain +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/caam/caampkc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/crypto/caam/caampkc.c b/drivers/crypto/caam/caampkc.c +index 3acc825da4cca..5bd70a59f4ce2 100644 +--- a/drivers/crypto/caam/caampkc.c ++++ b/drivers/crypto/caam/caampkc.c +@@ -222,7 +222,9 @@ static int caam_rsa_count_leading_zeros(struct scatterlist *sgl, + if (len && *buff) + break; + +- sg_miter_next(&miter); ++ if (!sg_miter_next(&miter)) ++ break; ++ + buff = miter.addr; + len = miter.length; + +-- +2.40.1 + diff --git a/queue-5.10/crypto-stm32-properly-handle-pm_runtime_get-failing.patch b/queue-5.10/crypto-stm32-properly-handle-pm_runtime_get-failing.patch new file mode 100644 index 00000000000..ec264ddca34 --- /dev/null +++ b/queue-5.10/crypto-stm32-properly-handle-pm_runtime_get-failing.patch 
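Review bot: The new `break` on a failed `sg_miter_next()` in `caam_rsa_count_leading_zeros()` carries no comment, and it leaves the loop the same way as the "non-zero byte found" `break` just above it. A one-line comment above the check, such as `/* scatterlist exhausted: do not read stale miter.addr/miter.length */`, would record why the loop must stop here. The code that derives the returned count after the loop is outside this hunk, so confirm that the value returned for an exhausted list is the one the caller expects.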
@@ -0,0 +1,61 @@ +From 24a78a752b48f8d571b862738c29d6f9fe0452a8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Jul 2023 18:54:54 +0200 +Subject: crypto: stm32 - Properly handle pm_runtime_get failing +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit aec48805163338f8413118796c1dd035661b9140 ] + +If pm_runtime_get() (disguised as pm_runtime_resume_and_get()) fails, this +means the clk wasn't prepared and enabled. Returning early in this case +however is wrong as then the following resource frees are skipped and this +is never catched up. So do all the cleanups but clk_disable_unprepare(). + +Also don't emit a warning, as stm32_hash_runtime_resume() already emitted +one. + +Note that the return value of stm32_hash_remove() is mostly ignored by +the device core. The only effect of returning zero instead of an error +value is to suppress another warning in platform_remove(). So return 0 +even if pm_runtime_resume_and_get() failed. 
+ +Fixes: 8b4d566de6a5 ("crypto: stm32/hash - Add power management support") +Signed-off-by: Uwe Kleine-König +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/stm32/stm32-hash.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/drivers/crypto/stm32/stm32-hash.c b/drivers/crypto/stm32/stm32-hash.c +index 16bb52836b28d..2f2a426a6cd5c 100644 +--- a/drivers/crypto/stm32/stm32-hash.c ++++ b/drivers/crypto/stm32/stm32-hash.c +@@ -1565,9 +1565,7 @@ static int stm32_hash_remove(struct platform_device *pdev) + if (!hdev) + return -ENODEV; + +- ret = pm_runtime_resume_and_get(hdev->dev); +- if (ret < 0) +- return ret; ++ ret = pm_runtime_get_sync(hdev->dev); + + stm32_hash_unregister_algs(hdev); + +@@ -1583,7 +1581,8 @@ static int stm32_hash_remove(struct platform_device *pdev) + pm_runtime_disable(hdev->dev); + pm_runtime_put_noidle(hdev->dev); + +- clk_disable_unprepare(hdev->clk); ++ if (ret >= 0) ++ clk_disable_unprepare(hdev->clk); + + return 0; + } +-- +2.40.1 + diff --git a/queue-5.10/dma-buf-sync_file-fix-docs-syntax.patch b/queue-5.10/dma-buf-sync_file-fix-docs-syntax.patch new file mode 100644 index 00000000000..a0df9ffe04e --- /dev/null +++ b/queue-5.10/dma-buf-sync_file-fix-docs-syntax.patch 
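Review bot: In `stm32_hash_remove()`, `ret` from `pm_runtime_get_sync()` is no longer an error to return but a flag that the second hunk reads to decide whether `clk_disable_unprepare()` runs, and nothing in the code says so. `pm_runtime_get_sync()` raises the usage count even when it fails, which is what keeps the later `pm_runtime_put_noidle()` balanced. A comment at the call, such as `/* failure is not fatal: finish the teardown, only skip the clk disable below */`, would stop a later cleanup from reintroducing the early return. A purpose-named local (for example `clk_on = ret >= 0`) would also read more clearly than reusing `ret`. The function begins and continues outside both hunks.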
@@ -0,0 +1,39 @@ +From c9a062543789d947c4deecd8e71ae3d7dcd57e60 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Jul 2023 07:49:41 -0700 +Subject: dma-buf/sync_file: Fix docs syntax + +From: Rob Clark + +[ Upstream commit 05d56d8079d510a2994039470f65bea85f0075ee ] + +Fixes the warning: + + include/uapi/linux/sync_file.h:77: warning: Function parameter or member 'num_fences' not described in 'sync_file_info' + +Fixes: 2d75c88fefb2 ("staging/android: refactor SYNC IOCTLs") +Signed-off-by: Rob Clark +Reviewed-by: Randy Dunlap +Link: https://lore.kernel.org/r/20230724145000.125880-1-robdclark@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + include/uapi/linux/sync_file.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/uapi/linux/sync_file.h b/include/uapi/linux/sync_file.h +index ee2dcfb3d6602..d7f7c04a6e0c1 100644 +--- a/include/uapi/linux/sync_file.h ++++ b/include/uapi/linux/sync_file.h +@@ -52,7 +52,7 @@ struct sync_fence_info { + * @name: name of fence + * @status: status of fence. 1: signaled 0:active <0:error + * @flags: sync_file_info flags +- * @num_fences number of fences in the sync_file ++ * @num_fences: number of fences in the sync_file + * @pad: padding for 64-bit alignment, should always be zero + * @sync_fence_info: pointer to array of structs sync_fence_info with all + * fences in the sync_file +-- +2.40.1 + diff --git a/queue-5.10/dmaengine-ste_dma40-add-missing-irq-check-in-d40_pro.patch b/queue-5.10/dmaengine-ste_dma40-add-missing-irq-check-in-d40_pro.patch new file mode 100644 index 00000000000..3f426781000 --- /dev/null +++ b/queue-5.10/dmaengine-ste_dma40-add-missing-irq-check-in-d40_pro.patch 
@@ -0,0 +1,40 @@ +From 81abeb505c0a710f724be3deaabf4a675dd1c8e0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Jul 2023 14:41:08 +0000 +Subject: dmaengine: ste_dma40: Add missing IRQ check in d40_probe + +From: ruanjinjie + +[ Upstream commit c05ce6907b3d6e148b70f0bb5eafd61dcef1ddc1 ] + +Check for the return value of platform_get_irq(): if no interrupt +is specified, it wouldn't make sense to call request_irq(). + +Fixes: 8d318a50b3d7 ("DMAENGINE: Support for ST-Ericssons DMA40 block v3") +Signed-off-by: Ruan Jinjie +Reviewed-by: Linus Walleij +Link: https://lore.kernel.org/r/20230724144108.2582917-1-ruanjinjie@huawei.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/ste_dma40.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/dma/ste_dma40.c b/drivers/dma/ste_dma40.c +index b35b97cb8fd25..d99fec8215083 100644 +--- a/drivers/dma/ste_dma40.c ++++ b/drivers/dma/ste_dma40.c +@@ -3598,6 +3598,10 @@ static int __init d40_probe(struct platform_device *pdev) + spin_lock_init(&base->lcla_pool.lock); + + base->irq = platform_get_irq(pdev, 0); ++ if (base->irq < 0) { ++ ret = base->irq; ++ goto destroy_cache; ++ } + + ret = request_irq(base->irq, d40_handle_interrupt, 0, D40_NAME, base); + if (ret) { +-- +2.40.1 + diff --git a/queue-5.10/driver-core-test_async-fix-an-error-code.patch b/queue-5.10/driver-core-test_async-fix-an-error-code.patch new file mode 100644 index 00000000000..52a7f535913 --- /dev/null +++ b/queue-5.10/driver-core-test_async-fix-an-error-code.patch 
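Review bot: The new error path in `d40_probe()` jumps to `destroy_cache`, a label that is not visible in this hunk. For a backport, check that the label exists in the 5.10 tree and unwinds exactly what has been set up before `platform_get_irq()`. A wrong target would either leak the earlier allocations or release something not yet acquired. A short comment at the label listing what it undoes would make that check repeatable.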
@@ -0,0 +1,37 @@ +From 6bbeb213bba90c18521e575eef306502db91fe3e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Jul 2023 10:03:49 +0300 +Subject: driver core: test_async: fix an error code + +From: Dan Carpenter + +[ Upstream commit 22d2381bbd70a5853c2ee77522f4965139672db9 ] + +The test_platform_device_register_node() function should return error +pointers instead of NULL. That is what the callers are expecting. + +Fixes: 57ea974fb871 ("driver core: Rewrite test_async_driver_probe to cover serialization and NUMA affinity") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/1e11ed19-e1f6-43d8-b352-474134b7c008@moroto.mountain +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/base/test/test_async_driver_probe.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/base/test/test_async_driver_probe.c b/drivers/base/test/test_async_driver_probe.c +index c157a912d6739..88336f093decd 100644 +--- a/drivers/base/test/test_async_driver_probe.c ++++ b/drivers/base/test/test_async_driver_probe.c +@@ -84,7 +84,7 @@ test_platform_device_register_node(char *name, int id, int nid) + + pdev = platform_device_alloc(name, id); + if (!pdev) +- return NULL; ++ return ERR_PTR(-ENOMEM); + + if (nid != NUMA_NO_NODE) + set_dev_node(&pdev->dev, nid); +-- +2.40.1 + diff --git a/queue-5.10/drivers-clk-keystone-fix-parameter-judgment-in-_of_p.patch b/queue-5.10/drivers-clk-keystone-fix-parameter-judgment-in-_of_p.patch new file mode 100644 index 00000000000..b93fffe45d3 --- /dev/null +++ b/queue-5.10/drivers-clk-keystone-fix-parameter-judgment-in-_of_p.patch 
@@ -0,0 +1,38 @@ +From 1d2a18997ba3619127585bcc1737a4f25d4c3012 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Jul 2023 18:22:46 +0800 +Subject: drivers: clk: keystone: Fix parameter judgment in _of_pll_clk_init() + +From: Minjie Du + +[ Upstream commit a995c50db887ef97f3160775aef7d772635a6f6e ] + +The function clk_register_pll() may return NULL or an ERR_PTR. Don't +treat an ERR_PTR as valid. + +Signed-off-by: Minjie Du +Link: https://lore.kernel.org/r/20230712102246.10348-1-duminjie@vivo.com +Fixes: b9e0d40c0d83 ("clk: keystone: add Keystone PLL clock driver") +[sboyd@kernel.org: Reword commit text] +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/keystone/pll.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/keystone/pll.c b/drivers/clk/keystone/pll.c +index d59a7621bb204..ee5c72369334f 100644 +--- a/drivers/clk/keystone/pll.c ++++ b/drivers/clk/keystone/pll.c +@@ -209,7 +209,7 @@ static void __init _of_pll_clk_init(struct device_node *node, bool pllctrl) + } + + clk = clk_register_pll(NULL, node->name, parent_name, pll_data); +- if (clk) { ++ if (!IS_ERR_OR_NULL(clk)) { + of_clk_add_provider(node, of_clk_src_simple_get, clk); + return; + } +-- +2.40.1 + diff --git a/queue-5.10/drivers-usb-smsusb-fix-error-handling-code-in-smsusb.patch b/queue-5.10/drivers-usb-smsusb-fix-error-handling-code-in-smsusb.patch new file mode 100644 index 00000000000..b6bdb096f48 --- /dev/null +++ b/queue-5.10/drivers-usb-smsusb-fix-error-handling-code-in-smsusb.patch 
@@ -0,0 +1,80 @@ +From f1e9a957b466993df4335666a78bc19619a8fcc0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Feb 2023 18:24:08 +0800 +Subject: drivers: usb: smsusb: fix error handling code in smsusb_init_device + +From: Dongliang Mu + +[ Upstream commit b9c7141f384097fa4fa67d2f72e5731d628aef7c ] + +The previous commit 4b208f8b561f ("[media] siano: register media controller +earlier")moves siano_media_device_register before smscore_register_device, +and adds corresponding error handling code if smscore_register_device +fails. However, it misses the following error handling code of +smsusb_init_device. + +Fix this by moving error handling code at the end of smsusb_init_device +and adding a goto statement in the following error handling parts. + +Fixes: 4b208f8b561f ("[media] siano: register media controller earlier") +Signed-off-by: Dongliang Mu +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/usb/siano/smsusb.c | 21 +++++++++++---------- + 1 file changed, 11 insertions(+), 10 deletions(-) + +diff --git a/drivers/media/usb/siano/smsusb.c b/drivers/media/usb/siano/smsusb.c +index 5c223b5498b4b..6036ad3b15681 100644 +--- a/drivers/media/usb/siano/smsusb.c ++++ b/drivers/media/usb/siano/smsusb.c +@@ -455,12 +455,7 @@ static int smsusb_init_device(struct usb_interface *intf, int board_id) + rc = smscore_register_device(¶ms, &dev->coredev, 0, mdev); + if (rc < 0) { + pr_err("smscore_register_device(...) failed, rc %d\n", rc); +- smsusb_term_device(intf); +-#ifdef CONFIG_MEDIA_CONTROLLER_DVB +- media_device_unregister(mdev); +-#endif +- kfree(mdev); +- return rc; ++ goto err_unregister_device; + } + + smscore_set_board_id(dev->coredev, board_id); +@@ -477,8 +472,7 @@ static int smsusb_init_device(struct usb_interface *intf, int board_id) + rc = smsusb_start_streaming(dev); + if (rc < 0) { + pr_err("smsusb_start_streaming(...) 
failed\n"); +- smsusb_term_device(intf); +- return rc; ++ goto err_unregister_device; + } + + dev->state = SMSUSB_ACTIVE; +@@ -486,13 +480,20 @@ static int smsusb_init_device(struct usb_interface *intf, int board_id) + rc = smscore_start_device(dev->coredev); + if (rc < 0) { + pr_err("smscore_start_device(...) failed\n"); +- smsusb_term_device(intf); +- return rc; ++ goto err_unregister_device; + } + + pr_debug("device 0x%p created\n", dev); + + return rc; ++ ++err_unregister_device: ++ smsusb_term_device(intf); ++#ifdef CONFIG_MEDIA_CONTROLLER_DVB ++ media_device_unregister(mdev); ++#endif ++ kfree(mdev); ++ return rc; + } + + static int smsusb_probe(struct usb_interface *intf, +-- +2.40.1 + diff --git a/queue-5.10/drm-adv7511-fix-low-refresh-rate-register-for-adv753.patch b/queue-5.10/drm-adv7511-fix-low-refresh-rate-register-for-adv753.patch new file mode 100644 index 00000000000..08e304d5c23 --- /dev/null +++ b/queue-5.10/drm-adv7511-fix-low-refresh-rate-register-for-adv753.patch 
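Review bot: The shared `err_unregister_device` label now runs `media_device_unregister(mdev)` and `kfree(mdev)` for the `smsusb_start_streaming()` and `smscore_start_device()` failures too, which previously only called `smsusb_term_device(intf)`. By then `mdev` has already been passed to `smscore_register_device()`. If `smsusb_term_device()`, which is outside this hunk, tears down the core device and the media device with it, the label releases `mdev` a second time, so that ownership should be confirmed before relying on the common path. If the core device does own `mdev` after registration, a second label for the post-registration failures that only calls `smsusb_term_device(intf)` would be safer. A comment at the label stating who owns `mdev` at each jump site would help either way.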
@@ -0,0 +1,49 @@ +From 1724e4bce39655bc2ebdf0f7f9b97d70a62d162e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Jul 2023 09:01:43 +0300 +Subject: drm: adv7511: Fix low refresh rate register for ADV7533/5 + +From: Bogdan Togorean + +[ Upstream commit d281eeaa4de2636ff0c8e6ae387bb07b50e5fcbb ] + +For ADV7533 and ADV7535 low refresh rate is selected using +bits [3:2] of 0x4a main register. +So depending on ADV model write 0xfb or 0x4a register. + +Fixes: 2437e7cd88e8 ("drm/bridge: adv7533: Initial support for ADV7533") +Reviewed-by: Robert Foss +Reviewed-by: Nuno Sa +Signed-off-by: Bogdan Togorean +Signed-off-by: Alexandru Ardelean +Reviewed-by: Frieder Schrempf +Signed-off-by: Robert Foss +Link: https://patchwork.freedesktop.org/patch/msgid/20230719060143.63649-1-alex@shruggie.ro +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/adv7511/adv7511_drv.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c b/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c +index 6ba860a16e96c..e50c741cbfe72 100644 +--- a/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c ++++ b/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c +@@ -786,8 +786,13 @@ static void adv7511_mode_set(struct adv7511 *adv7511, + else + low_refresh_rate = ADV7511_LOW_REFRESH_RATE_NONE; + +- regmap_update_bits(adv7511->regmap, 0xfb, +- 0x6, low_refresh_rate << 1); ++ if (adv7511->type == ADV7511) ++ regmap_update_bits(adv7511->regmap, 0xfb, ++ 0x6, low_refresh_rate << 1); ++ else ++ regmap_update_bits(adv7511->regmap, 0x4a, ++ 0xc, low_refresh_rate << 2); ++ + regmap_update_bits(adv7511->regmap, 0x17, + 0x60, (vsync_polarity << 6) | (hsync_polarity << 5)); + +-- +2.40.1 + diff --git a/queue-5.10/drm-amd-pm-fix-variable-dereferenced-issue-in-amdgpu.patch b/queue-5.10/drm-amd-pm-fix-variable-dereferenced-issue-in-amdgpu.patch new file mode 100644 index 00000000000..261bd232d1f --- /dev/null 
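Review bot: The two `regmap_update_bits()` calls in `adv7511_mode_set()` use bare register addresses and masks (`0xfb`/`0x6` and `0x4a`/`0xc`) whose shifts have to be matched to them by hand. Named constants for the register and field, or at least a comment such as `/* ADV7533/5: low refresh rate is bits [3:2] of main register 0x4a */`, would make the mask and shift pairing checkable. The `else` branch also applies to every type other than `ADV7511`, so a future variant would silently get the 0x4a layout; a comment should record whether that is intended. The function extends beyond the hunk.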
+++ b/queue-5.10/drm-amd-pm-fix-variable-dereferenced-issue-in-amdgpu.patch @@ -0,0 +1,53 @@ +From 492d243a7803f97dabbfa538955b793a17697a80 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Aug 2023 16:53:23 +0800 +Subject: drm/amd/pm: fix variable dereferenced issue in + amdgpu_device_attr_create() + +From: Yang Wang + +[ Upstream commit 25e6373a5b8efc623443f2699d2b929bf3067d76 ] + +- fix variable ('attr') dereferenced issue. +- using condition check instead of BUG_ON(). + +Fixes: 4e01847c38f7 ("drm/amdgpu: optimize amdgpu device attribute code") +Cc: Dan Carpenter +Signed-off-by: Yang Wang +Reviewed-by: Kenneth Feng +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/pm/amdgpu_pm.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/amd/pm/amdgpu_pm.c b/drivers/gpu/drm/amd/pm/amdgpu_pm.c +index 5abb68017f6ed..d58a59cf4f853 100644 +--- a/drivers/gpu/drm/amd/pm/amdgpu_pm.c ++++ b/drivers/gpu/drm/amd/pm/amdgpu_pm.c +@@ -2115,15 +2115,19 @@ static int amdgpu_device_attr_create(struct amdgpu_device *adev, + uint32_t mask, struct list_head *attr_list) + { + int ret = 0; +- struct device_attribute *dev_attr = &attr->dev_attr; +- const char *name = dev_attr->attr.name; + enum amdgpu_device_attr_states attr_states = ATTR_STATE_SUPPORTED; + struct amdgpu_device_attr_entry *attr_entry; ++ struct device_attribute *dev_attr; ++ const char *name; + + int (*attr_update)(struct amdgpu_device *adev, struct amdgpu_device_attr *attr, + uint32_t mask, enum amdgpu_device_attr_states *states) = default_attr_update; + +- BUG_ON(!attr); ++ if (!attr) ++ return -EINVAL; ++ ++ dev_attr = &attr->dev_attr; ++ name = dev_attr->attr.name; + + attr_update = attr->attr_update ? attr_update : default_attr_update; + +-- +2.40.1 + 
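Review bot: The context line `attr_update = attr->attr_update ? attr_update : default_attr_update;` in `amdgpu_device_attr_create()` selects `default_attr_update` in both arms, because the local `attr_update` was initialised to `default_attr_update` in its declaration above. A callback supplied through `attr->attr_update` is therefore never used. The line was presumably meant to read `attr_update = attr->attr_update ? attr->attr_update : default_attr_update;`. The rest of the function is outside the hunk.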
diff --git a/queue-5.10/drm-amdgpu-avoid-integer-overflow-warning-in-amdgpu_.patch b/queue-5.10/drm-amdgpu-avoid-integer-overflow-warning-in-amdgpu_.patch new file mode 100644 index 00000000000..af5bffd1a16 --- /dev/null +++ b/queue-5.10/drm-amdgpu-avoid-integer-overflow-warning-in-amdgpu_.patch 
@@ -0,0 +1,52 @@ +From 2bceb2ddbd7a534f7a05973d78c04cfada1eb39c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Jul 2023 13:11:51 +0200 +Subject: drm/amdgpu: avoid integer overflow warning in + amdgpu_device_resize_fb_bar() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Arnd Bergmann + +[ Upstream commit 822130b5e8834ab30ad410cf19a582e5014b9a85 ] + +On 32-bit architectures comparing a resource against a value larger than +U32_MAX can cause a warning: + +drivers/gpu/drm/amd/amdgpu/amdgpu_device.c:1344:18: error: result of comparison of constant 4294967296 with expression of type 'resource_size_t' (aka 'unsigned int') is always false [-Werror,-Wtautological-constant-out-of-range-compare] + res->start > 0x100000000ull) + ~~~~~~~~~~ ^ ~~~~~~~~~~~~~~ + +As gcc does not warn about this in dead code, add an IS_ENABLED() check at +the start of the function. This will always return success but not actually resize +the BAR on 32-bit architectures without high memory, which is exactly what +we want here, as the driver can fall back to bank switching the VRAM +access. + +Fixes: 31b8adab3247 ("drm/amdgpu: require a root bus window above 4GB for BAR resize") +Reviewed-by: Christian König +Signed-off-by: Arnd Bergmann +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +index 8bd887fb6e631..f0db9724ca85e 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +@@ -1091,6 +1091,9 @@ int amdgpu_device_resize_fb_bar(struct amdgpu_device *adev) + u16 cmd; + int r; + ++ if (!IS_ENABLED(CONFIG_PHYS_ADDR_T_64BIT)) ++ return 0; ++ + /* Bypass for VF */ + if (amdgpu_sriov_vf(adev)) + return 0; +-- +2.40.1 + 
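Review bot: The early `return 0` added at the top of `amdgpu_device_resize_fb_bar()` has no comment, and it reports success while skipping the resize, which looks like a mistake to anyone who has not read the commit message. A comment above the check, such as `/* no 64-bit physical addresses: nothing above 4GB to resize into, so report success and leave the BAR as is */`, would keep the reasoning next to the code. The function body continues outside the hunk.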
diff --git a/queue-5.10/drm-amdgpu-update-min-to-min_t-in-amdgpu_info_ioctl.patch b/queue-5.10/drm-amdgpu-update-min-to-min_t-in-amdgpu_info_ioctl.patch new file mode 100644 index 00000000000..48a42cd7e33 --- /dev/null +++ b/queue-5.10/drm-amdgpu-update-min-to-min_t-in-amdgpu_info_ioctl.patch 
@@ -0,0 +1,88 @@ +From d63b215b2d84b07d633e9bc372dcc7edfb4fe727 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 23 Jul 2023 12:29:14 +0530 +Subject: drm/amdgpu: Update min() to min_t() in 'amdgpu_info_ioctl' +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Srinivasan Shanmugam + +[ Upstream commit a0cc8e1512ad72c9f97cdcb76d42715730adaf62 ] + +Fixes the following: + +WARNING: min() should probably be min_t(size_t, size, sizeof(ip)) ++ ret = copy_to_user(out, &ip, min((size_t)size, sizeof(ip))); + +And other style fixes: + +WARNING: Prefer 'unsigned int' to bare use of 'unsigned' +WARNING: Missing a blank line after declarations + +Cc: Christian König +Cc: Alex Deucher +Signed-off-by: Srinivasan Shanmugam +Reviewed-by: Alex Deucher +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c +index 917b94002f4b7..93a4b52f4a73b 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c +@@ -505,6 +505,7 @@ static int amdgpu_info_ioctl(struct drm_device *dev, void *data, struct drm_file + crtc = (struct drm_crtc *)minfo->crtcs[i]; + if (crtc && crtc->base.id == info->mode_crtc.id) { + struct amdgpu_crtc *amdgpu_crtc = to_amdgpu_crtc(crtc); ++ + ui32 = amdgpu_crtc->crtc_id; + found = 1; + break; +@@ -523,7 +524,7 @@ static int amdgpu_info_ioctl(struct drm_device *dev, void *data, struct drm_file + if (ret) + return ret; + +- ret = copy_to_user(out, &ip, min((size_t)size, sizeof(ip))); ++ ret = copy_to_user(out, &ip, min_t(size_t, size, sizeof(ip))); + return ret ? -EFAULT : 0; + } + case AMDGPU_INFO_HW_IP_COUNT: { +@@ -671,17 +672,18 @@ static int amdgpu_info_ioctl(struct drm_device *dev, void *data, struct drm_file + ? 
-EFAULT : 0; + } + case AMDGPU_INFO_READ_MMR_REG: { +- unsigned n, alloc_size; ++ unsigned int n, alloc_size; + uint32_t *regs; +- unsigned se_num = (info->read_mmr_reg.instance >> ++ unsigned int se_num = (info->read_mmr_reg.instance >> + AMDGPU_INFO_MMR_SE_INDEX_SHIFT) & + AMDGPU_INFO_MMR_SE_INDEX_MASK; +- unsigned sh_num = (info->read_mmr_reg.instance >> ++ unsigned int sh_num = (info->read_mmr_reg.instance >> + AMDGPU_INFO_MMR_SH_INDEX_SHIFT) & + AMDGPU_INFO_MMR_SH_INDEX_MASK; + + /* set full masks if the userspace set all bits +- * in the bitfields */ ++ * in the bitfields ++ */ + if (se_num == AMDGPU_INFO_MMR_SE_INDEX_MASK) + se_num = 0xffffffff; + else if (se_num >= AMDGPU_GFX_MAX_SE) +@@ -799,7 +801,7 @@ static int amdgpu_info_ioctl(struct drm_device *dev, void *data, struct drm_file + min((size_t)size, sizeof(dev_info))) ? -EFAULT : 0; + } + case AMDGPU_INFO_VCE_CLOCK_TABLE: { +- unsigned i; ++ unsigned int i; + struct drm_amdgpu_info_vce_clock_table vce_clk_table = {}; + struct amd_vce_state *vce_state; + +-- +2.40.1 + diff --git a/queue-5.10/drm-amdgpu-use-rmw-accessors-for-changing-lnkctl.patch b/queue-5.10/drm-amdgpu-use-rmw-accessors-for-changing-lnkctl.patch new file mode 100644 index 00000000000..8a947c7dc04 --- /dev/null +++ b/queue-5.10/drm-amdgpu-use-rmw-accessors-for-changing-lnkctl.patch 
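Review bot: The `dev_info` copy in the context of the last hunk is still written as `min((size_t)size, sizeof(dev_info))`, while the hardware-IP case was converted to `min_t(size_t, size, sizeof(ip))`. Both expressions clamp `size` before `copy_to_user()` copies a kernel structure out, so they should use the same form: `min_t(size_t, size, sizeof(dev_info))`. Any other `min((size_t)size, ...)` calls in `amdgpu_info_ioctl()` outside these hunks deserve the same conversion, so that the length clamp reads identically on every path.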
@@ -0,0 +1,144 @@ +From ca0e153aff745fd147b72933460237c248545bef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jul 2023 15:04:57 +0300 +Subject: drm/amdgpu: Use RMW accessors for changing LNKCTL +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ilpo Järvinen + +[ Upstream commit ce7d88110b9ed5f33fe79ea6d4ed049fb0e57bce ] + +Don't assume that only the driver would be accessing LNKCTL. ASPM policy +changes can trigger write to LNKCTL outside of driver's control. And in +the case of upstream bridge, the driver does not even own the device it's +changing the registers for. + +Use RMW capability accessors which do proper locking to avoid losing +concurrent updates to the register value. + +Suggested-by: Lukas Wunner +Fixes: a2e73f56fa62 ("drm/amdgpu: Add support for CIK parts") +Fixes: 62a37553414a ("drm/amdgpu: add si implementation v10") +Link: https://lore.kernel.org/r/20230717120503.15276-6-ilpo.jarvinen@linux.intel.com +Signed-off-by: Ilpo Järvinen +Signed-off-by: Bjorn Helgaas +Acked-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/cik.c | 36 +++++++++----------------------- + drivers/gpu/drm/amd/amdgpu/si.c | 36 +++++++++----------------------- + 2 files changed, 20 insertions(+), 52 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/cik.c b/drivers/gpu/drm/amd/amdgpu/cik.c +index 5442df0941024..453464914f353 100644 +--- a/drivers/gpu/drm/amd/amdgpu/cik.c ++++ b/drivers/gpu/drm/amd/amdgpu/cik.c +@@ -1509,17 +1509,8 @@ static void cik_pcie_gen3_enable(struct amdgpu_device *adev) + u16 bridge_cfg2, gpu_cfg2; + u32 max_lw, current_lw, tmp; + +- pcie_capability_read_word(root, PCI_EXP_LNKCTL, +- &bridge_cfg); +- pcie_capability_read_word(adev->pdev, PCI_EXP_LNKCTL, +- &gpu_cfg); +- +- tmp16 = bridge_cfg | PCI_EXP_LNKCTL_HAWD; +- pcie_capability_write_word(root, PCI_EXP_LNKCTL, tmp16); +- +- tmp16 = gpu_cfg | PCI_EXP_LNKCTL_HAWD; +- 
pcie_capability_write_word(adev->pdev, PCI_EXP_LNKCTL, +- tmp16); ++ pcie_capability_set_word(root, PCI_EXP_LNKCTL, PCI_EXP_LNKCTL_HAWD); ++ pcie_capability_set_word(adev->pdev, PCI_EXP_LNKCTL, PCI_EXP_LNKCTL_HAWD); + + tmp = RREG32_PCIE(ixPCIE_LC_STATUS1); + max_lw = (tmp & PCIE_LC_STATUS1__LC_DETECTED_LINK_WIDTH_MASK) >> +@@ -1572,21 +1563,14 @@ static void cik_pcie_gen3_enable(struct amdgpu_device *adev) + msleep(100); + + /* linkctl */ +- pcie_capability_read_word(root, PCI_EXP_LNKCTL, +- &tmp16); +- tmp16 &= ~PCI_EXP_LNKCTL_HAWD; +- tmp16 |= (bridge_cfg & PCI_EXP_LNKCTL_HAWD); +- pcie_capability_write_word(root, PCI_EXP_LNKCTL, +- tmp16); +- +- pcie_capability_read_word(adev->pdev, +- PCI_EXP_LNKCTL, +- &tmp16); +- tmp16 &= ~PCI_EXP_LNKCTL_HAWD; +- tmp16 |= (gpu_cfg & PCI_EXP_LNKCTL_HAWD); +- pcie_capability_write_word(adev->pdev, +- PCI_EXP_LNKCTL, +- tmp16); ++ pcie_capability_clear_and_set_word(root, PCI_EXP_LNKCTL, ++ PCI_EXP_LNKCTL_HAWD, ++ bridge_cfg & ++ PCI_EXP_LNKCTL_HAWD); ++ pcie_capability_clear_and_set_word(adev->pdev, PCI_EXP_LNKCTL, ++ PCI_EXP_LNKCTL_HAWD, ++ gpu_cfg & ++ PCI_EXP_LNKCTL_HAWD); + + /* linkctl2 */ + pcie_capability_read_word(root, PCI_EXP_LNKCTL2, +diff --git a/drivers/gpu/drm/amd/amdgpu/si.c b/drivers/gpu/drm/amd/amdgpu/si.c +index e5e336fd9e941..b7e1201d46f97 100644 +--- a/drivers/gpu/drm/amd/amdgpu/si.c ++++ b/drivers/gpu/drm/amd/amdgpu/si.c +@@ -2159,17 +2159,8 @@ static void si_pcie_gen3_enable(struct amdgpu_device *adev) + u16 bridge_cfg2, gpu_cfg2; + u32 max_lw, current_lw, tmp; + +- pcie_capability_read_word(root, PCI_EXP_LNKCTL, +- &bridge_cfg); +- pcie_capability_read_word(adev->pdev, PCI_EXP_LNKCTL, +- &gpu_cfg); +- +- tmp16 = bridge_cfg | PCI_EXP_LNKCTL_HAWD; +- pcie_capability_write_word(root, PCI_EXP_LNKCTL, tmp16); +- +- tmp16 = gpu_cfg | PCI_EXP_LNKCTL_HAWD; +- pcie_capability_write_word(adev->pdev, PCI_EXP_LNKCTL, +- tmp16); ++ pcie_capability_set_word(root, PCI_EXP_LNKCTL, PCI_EXP_LNKCTL_HAWD); ++ 
pcie_capability_set_word(adev->pdev, PCI_EXP_LNKCTL, PCI_EXP_LNKCTL_HAWD); + + tmp = RREG32_PCIE(PCIE_LC_STATUS1); + max_lw = (tmp & LC_DETECTED_LINK_WIDTH_MASK) >> LC_DETECTED_LINK_WIDTH_SHIFT; +@@ -2214,21 +2205,14 @@ static void si_pcie_gen3_enable(struct amdgpu_device *adev) + + mdelay(100); + +- pcie_capability_read_word(root, PCI_EXP_LNKCTL, +- &tmp16); +- tmp16 &= ~PCI_EXP_LNKCTL_HAWD; +- tmp16 |= (bridge_cfg & PCI_EXP_LNKCTL_HAWD); +- pcie_capability_write_word(root, PCI_EXP_LNKCTL, +- tmp16); +- +- pcie_capability_read_word(adev->pdev, +- PCI_EXP_LNKCTL, +- &tmp16); +- tmp16 &= ~PCI_EXP_LNKCTL_HAWD; +- tmp16 |= (gpu_cfg & PCI_EXP_LNKCTL_HAWD); +- pcie_capability_write_word(adev->pdev, +- PCI_EXP_LNKCTL, +- tmp16); ++ pcie_capability_clear_and_set_word(root, PCI_EXP_LNKCTL, ++ PCI_EXP_LNKCTL_HAWD, ++ bridge_cfg & ++ PCI_EXP_LNKCTL_HAWD); ++ pcie_capability_clear_and_set_word(adev->pdev, PCI_EXP_LNKCTL, ++ PCI_EXP_LNKCTL_HAWD, ++ gpu_cfg & ++ PCI_EXP_LNKCTL_HAWD); + + pcie_capability_read_word(root, PCI_EXP_LNKCTL2, + &tmp16); +-- +2.40.1 + diff --git a/queue-5.10/drm-armada-fix-off-by-one-error-in-armada_overlay_ge.patch b/queue-5.10/drm-armada-fix-off-by-one-error-in-armada_overlay_ge.patch new file mode 100644 index 00000000000..143b6f77474 --- /dev/null +++ b/queue-5.10/drm-armada-fix-off-by-one-error-in-armada_overlay_ge.patch 
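Review bot: In `cik_pcie_gen3_enable()` and `si_pcie_gen3_enable()` the first hunk drops the `pcie_capability_read_word()` calls that filled `bridge_cfg` and `gpu_cfg`, yet the second hunk of each file still restores from `bridge_cfg & PCI_EXP_LNKCTL_HAWD` and `gpu_cfg & PCI_EXP_LNKCTL_HAWD`. Unless both variables are assigned in the code between the hunks, which is not visible here, they are read uninitialised. If they are re-read there, that read now follows `pcie_capability_set_word()`, so check that the saved value is still the state before HAWD was forced on. Saving the original bit once before the `set_word` calls, for example `pcie_capability_read_word(root, PCI_EXP_LNKCTL, &bridge_cfg);`, would make the restore unambiguous.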
@@ -0,0 +1,52 @@ +From dc4a89d64fdde66346bbdcd47ac4ef861ef20621 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jul 2023 15:25:40 +0200 +Subject: drm/armada: Fix off-by-one error in armada_overlay_get_property() + +From: Geert Uytterhoeven + +[ Upstream commit 5f0d984053f74983a287100a9519b2fabb785fb5 ] + +As ffs() returns one more than the index of the first bit set (zero +means no bits set), the color key mode value is shifted one position too +much. + +Fix this by using FIELD_GET() instead. + +Fixes: c96103b6c49ff9a8 ("drm/armada: move colorkey properties into overlay plane state") +Signed-off-by: Geert Uytterhoeven +Reviewed-by: Russell King (Oracle) +Signed-off-by: Javier Martinez Canillas +Link: https://patchwork.freedesktop.org/patch/msgid/a4d779d954a7515ddbbf31cb0f0d8184c0e7c879.1689600265.git.geert+renesas@glider.be +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/armada/armada_overlay.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/armada/armada_overlay.c b/drivers/gpu/drm/armada/armada_overlay.c +index 30e01101f59ed..7ee4c90d4a2df 100644 +--- a/drivers/gpu/drm/armada/armada_overlay.c ++++ b/drivers/gpu/drm/armada/armada_overlay.c +@@ -4,6 +4,8 @@ + * Rewritten from the dovefb driver, and Armada510 manuals. + */ + ++#include ++ + #include + #include + #include +@@ -446,8 +448,8 @@ static int armada_overlay_get_property(struct drm_plane *plane, + drm_to_overlay_state(state)->colorkey_ug, + drm_to_overlay_state(state)->colorkey_vb, 0); + } else if (property == priv->colorkey_mode_prop) { +- *val = (drm_to_overlay_state(state)->colorkey_mode & +- CFG_CKMODE_MASK) >> ffs(CFG_CKMODE_MASK); ++ *val = FIELD_GET(CFG_CKMODE_MASK, ++ drm_to_overlay_state(state)->colorkey_mode); + } else if (property == priv->brightness_prop) { + *val = drm_to_overlay_state(state)->brightness + 256; + } else if (property == priv->contrast_prop) { +-- +2.40.1 + 
diff --git a/queue-5.10/drm-bridge-tc358764-fix-debug-print-parameter-order.patch b/queue-5.10/drm-bridge-tc358764-fix-debug-print-parameter-order.patch new file mode 100644 index 00000000000..5d2780e70aa --- /dev/null +++ b/queue-5.10/drm-bridge-tc358764-fix-debug-print-parameter-order.patch @@ -0,0 +1,40 @@ +From d2f2538ff99ae53cabf3c6ddfa3ede4a1b5c9d65 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jun 2023 17:28:17 +0200 +Subject: drm/bridge: tc358764: Fix debug print parameter order + +From: Marek Vasut + +[ Upstream commit 7f947be02aab5b154427cb5b0fffe858fc387b02 ] + +The debug print parameters were swapped in the output and they were +printed as decimal values, both the hardware address and the value. +Update the debug print to print the parameters in correct order, and +use hexadecimal print for both address and value. + +Fixes: f38b7cca6d0e ("drm/bridge: tc358764: Add DSI to LVDS bridge driver") +Signed-off-by: Marek Vasut +Reviewed-by: Robert Foss +Signed-off-by: Robert Foss +Link: https://patchwork.freedesktop.org/patch/msgid/20230615152817.359420-1-marex@denx.de +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/tc358764.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/bridge/tc358764.c b/drivers/gpu/drm/bridge/tc358764.c +index d89394bc5aa4d..ea1445e09e6f1 100644 +--- a/drivers/gpu/drm/bridge/tc358764.c ++++ b/drivers/gpu/drm/bridge/tc358764.c +@@ -180,7 +180,7 @@ static void tc358764_read(struct tc358764 *ctx, u16 addr, u32 *val) + if (ret >= 0) + le32_to_cpus(val); + +- dev_dbg(ctx->dev, "read: %d, addr: %d\n", addr, *val); ++ dev_dbg(ctx->dev, "read: addr=0x%04x data=0x%08x\n", addr, *val); + } + + static void tc358764_write(struct tc358764 *ctx, u16 addr, u32 val) +-- +2.40.1 + diff --git a/queue-5.10/drm-etnaviv-fix-dumping-of-active-mmu-context.patch b/queue-5.10/drm-etnaviv-fix-dumping-of-active-mmu-context.patch new file mode 100644 index 00000000000..c549a49b083 --- /dev/null 
+++ b/queue-5.10/drm-etnaviv-fix-dumping-of-active-mmu-context.patch 
@@ -0,0 +1,72 @@ +From 9b300ecd3ceac5f04e5048c025a30b200fcc99b4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Apr 2023 16:38:10 +0200 +Subject: drm/etnaviv: fix dumping of active MMU context + +From: Lucas Stach + +[ Upstream commit 20faf2005ec85fa1a6acc9a74ff27de667f90576 ] + +gpu->mmu_context is the MMU context of the last job in the HW queue, which +isn't necessarily the same as the context from the bad job. Dump the MMU +context from the scheduler determined bad submit to make it work as intended. + +Fixes: 17e4660ae3d7 ("drm/etnaviv: implement per-process address spaces on MMUv2") +Signed-off-by: Lucas Stach +Reviewed-by: Christian Gmeiner +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/etnaviv/etnaviv_dump.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/drivers/gpu/drm/etnaviv/etnaviv_dump.c b/drivers/gpu/drm/etnaviv/etnaviv_dump.c +index 706af0304ca4c..7b57d01ba865b 100644 +--- a/drivers/gpu/drm/etnaviv/etnaviv_dump.c ++++ b/drivers/gpu/drm/etnaviv/etnaviv_dump.c +@@ -125,9 +125,9 @@ void etnaviv_core_dump(struct etnaviv_gem_submit *submit) + return; + etnaviv_dump_core = false; + +- mutex_lock(&gpu->mmu_context->lock); ++ mutex_lock(&submit->mmu_context->lock); + +- mmu_size = etnaviv_iommu_dump_size(gpu->mmu_context); ++ mmu_size = etnaviv_iommu_dump_size(submit->mmu_context); + + /* We always dump registers, mmu, ring, hanging cmdbuf and end marker */ + n_obj = 5; +@@ -157,7 +157,7 @@ void etnaviv_core_dump(struct etnaviv_gem_submit *submit) + iter.start = __vmalloc(file_size, GFP_KERNEL | __GFP_NOWARN | + __GFP_NORETRY); + if (!iter.start) { +- mutex_unlock(&gpu->mmu_context->lock); ++ mutex_unlock(&submit->mmu_context->lock); + dev_warn(gpu->dev, "failed to allocate devcoredump file\n"); + return; + } +@@ -169,18 +169,18 @@ void etnaviv_core_dump(struct etnaviv_gem_submit *submit) + memset(iter.hdr, 0, iter.data - iter.start); + + etnaviv_core_dump_registers(&iter, gpu); +- 
etnaviv_core_dump_mmu(&iter, gpu->mmu_context, mmu_size); ++ etnaviv_core_dump_mmu(&iter, submit->mmu_context, mmu_size); + etnaviv_core_dump_mem(&iter, ETDUMP_BUF_RING, gpu->buffer.vaddr, + gpu->buffer.size, + etnaviv_cmdbuf_get_va(&gpu->buffer, +- &gpu->mmu_context->cmdbuf_mapping)); ++ &submit->mmu_context->cmdbuf_mapping)); + + etnaviv_core_dump_mem(&iter, ETDUMP_BUF_CMD, + submit->cmdbuf.vaddr, submit->cmdbuf.size, + etnaviv_cmdbuf_get_va(&submit->cmdbuf, +- &gpu->mmu_context->cmdbuf_mapping)); ++ &submit->mmu_context->cmdbuf_mapping)); + +- mutex_unlock(&gpu->mmu_context->lock); ++ mutex_unlock(&submit->mmu_context->lock); + + /* Reserve space for the bomap */ + if (n_bomap_pages) { +-- +2.40.1 + diff --git a/queue-5.10/drm-mediatek-fix-potential-memory-leak-if-vmap-fail.patch b/queue-5.10/drm-mediatek-fix-potential-memory-leak-if-vmap-fail.patch new file mode 100644 index 00000000000..52693ec0dc2 --- /dev/null +++ b/queue-5.10/drm-mediatek-fix-potential-memory-leak-if-vmap-fail.patch 
@@ -0,0 +1,45 @@
+From 1608f264eafb1a3a3cc5af3d03d3ff161667a93c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 6 Jul 2023 21:40:00 +0800
+Subject: drm/mediatek: Fix potential memory leak if vmap() fail
+
+From: Sui Jingfeng
+
+[ Upstream commit 379091e0f6d179d1a084c65de90fa44583b14a70 ]
+
+Also return -ENOMEM if such a failure happens, the implement should take
+responsibility for the error handling.
+
+Fixes: 3df64d7b0a4f ("drm/mediatek: Implement gem prime vmap/vunmap function")
+Reviewed-by: Matthias Brugger
+Reviewed-by: Alexandre Mergnat
+Signed-off-by: Sui Jingfeng
+Reviewed-by: CK Hu
+Reviewed-by: AngeloGioacchino Del Regno
+Link: https://patchwork.kernel.org/project/dri-devel/patch/20230706134000.130098-1-suijingfeng@loongson.cn/
+Signed-off-by: Chun-Kuang Hu
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/mediatek/mtk_drm_gem.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/mediatek/mtk_drm_gem.c b/drivers/gpu/drm/mediatek/mtk_drm_gem.c
+index 29702dd8631d4..fe64bf2176f30 100644
+--- a/drivers/gpu/drm/mediatek/mtk_drm_gem.c
++++ b/drivers/gpu/drm/mediatek/mtk_drm_gem.c
+@@ -249,7 +249,11 @@ void *mtk_drm_gem_prime_vmap(struct drm_gem_object *obj)
+
+ mtk_gem->kvaddr = vmap(mtk_gem->pages, npages, VM_MAP,
+ pgprot_writecombine(PAGE_KERNEL));
+-
++ if (!mtk_gem->kvaddr) {
++ kfree(sgt);
++ kfree(mtk_gem->pages);
++ return -ENOMEM;
++ }
+ out:
+ kfree(sgt);
+
+--
+2.40.1
+
diff --git a/queue-5.10/drm-msm-a2xx-call-adreno_gpu_init-earlier.patch b/queue-5.10/drm-msm-a2xx-call-adreno_gpu_init-earlier.patch
new file mode 100644
index 00000000000..044a300e405
--- /dev/null
+++ b/queue-5.10/drm-msm-a2xx-call-adreno_gpu_init-earlier.patch
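Review bot: The new failure branch does `return -ENOMEM;` in a function the hunk header shows as `void *mtk_drm_gem_prime_vmap(struct drm_gem_object *obj)`, so the errno is converted to a non-NULL pointer value that a caller testing for NULL would accept as a valid kernel mapping. Returning `NULL` keeps the failure visible (or `ERR_PTR(-ENOMEM)` if the callers in this tree test with IS_ERR(); they are outside the hunk). The branch also frees `mtk_gem->pages` without clearing it, which leaves a dangling pointer in the object for any later path that frees or reuses it; add `mtk_gem->pages = NULL;` after the `kfree()`. The function body starts and ends outside the hunk.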
@@ -0,0 +1,58 @@ +From bc7103feeccba33a4aab34b201ee0e091188bc20 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jun 2023 20:23:19 -0300 +Subject: drm/msm/a2xx: Call adreno_gpu_init() earlier + +From: Fabio Estevam + +[ Upstream commit db07ce5da8b26bfeaf437a676ae49bd3bb1eace6 ] + +The adreno_is_a20x() and adreno_is_a225() functions rely on the +GPU revision, but such information is retrieved inside adreno_gpu_init(), +which is called afterwards. + +Fix this problem by caling adreno_gpu_init() earlier, so that +the GPU information revision is available when adreno_is_a20x() +and adreno_is_a225() run. + +Tested on a imx53-qsb board. + +Fixes: 21af872cd8c6 ("drm/msm/adreno: add a2xx") +Signed-off-by: Fabio Estevam +Reviewed-by: Dmitry Baryshkov +Patchwork: https://patchwork.freedesktop.org/patch/543456/ +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/adreno/a2xx_gpu.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/msm/adreno/a2xx_gpu.c b/drivers/gpu/drm/msm/adreno/a2xx_gpu.c +index 7e82c41a85f1a..64ee63dcdb7c9 100644 +--- a/drivers/gpu/drm/msm/adreno/a2xx_gpu.c ++++ b/drivers/gpu/drm/msm/adreno/a2xx_gpu.c +@@ -521,6 +521,10 @@ struct msm_gpu *a2xx_gpu_init(struct drm_device *dev) + gpu->perfcntrs = perfcntrs; + gpu->num_perfcntrs = ARRAY_SIZE(perfcntrs); + ++ ret = adreno_gpu_init(dev, pdev, adreno_gpu, &funcs, 1); ++ if (ret) ++ goto fail; ++ + if (adreno_is_a20x(adreno_gpu)) + adreno_gpu->registers = a200_registers; + else if (adreno_is_a225(adreno_gpu)) +@@ -528,10 +532,6 @@ struct msm_gpu *a2xx_gpu_init(struct drm_device *dev) + else + adreno_gpu->registers = a220_registers; + +- ret = adreno_gpu_init(dev, pdev, adreno_gpu, &funcs, 1); +- if (ret) +- goto fail; +- + if (!gpu->aspace) { + dev_err(dev->dev, "No memory protection without MMU\n"); + ret = -ENXIO; +-- +2.40.1 + 
diff --git a/queue-5.10/drm-msm-mdp5-don-t-leak-some-plane-state.patch b/queue-5.10/drm-msm-mdp5-don-t-leak-some-plane-state.patch new file mode 100644 index 00000000000..65f35c4e055 --- /dev/null +++ b/queue-5.10/drm-msm-mdp5-don-t-leak-some-plane-state.patch 
@@ -0,0 +1,55 @@ +From 1bb6e01992677c0a458e18bf2b82cccbc0edda2a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Aug 2023 22:45:21 +0200 +Subject: drm/msm/mdp5: Don't leak some plane state + +From: Daniel Vetter + +[ Upstream commit fd0ad3b2365c1c58aa5a761c18efc4817193beb6 ] + +Apparently no one noticed that mdp5 plane states leak like a sieve +ever since we introduced plane_state->commit refcount a few years ago +in 21a01abbe32a ("drm/atomic: Fix freeing connector/plane state too +early by tracking commits, v3.") + +Fix it by using the right helpers. + +Fixes: 21a01abbe32a ("drm/atomic: Fix freeing connector/plane state too early by tracking commits, v3.") +Cc: Maarten Lankhorst +Cc: Daniel Vetter +Cc: Rob Clark +Cc: Abhinav Kumar +Cc: Dmitry Baryshkov +Cc: linux-arm-msm@vger.kernel.org +Cc: freedreno@lists.freedesktop.org +Reported-and-tested-by: dorum@noisolation.com +Cc: dorum@noisolation.com +Signed-off-by: Daniel Vetter +Reviewed-by: Rob Clark +Reviewed-by: Dmitry Baryshkov +Reviewed-by: Abhinav Kumar +Patchwork: https://patchwork.freedesktop.org/patch/551236/ +Link: https://lore.kernel.org/r/20230803204521.928582-1-daniel.vetter@ffwll.ch +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/disp/mdp5/mdp5_plane.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/msm/disp/mdp5/mdp5_plane.c b/drivers/gpu/drm/msm/disp/mdp5/mdp5_plane.c +index 0dc23c86747e8..e1c1b4ad5ed04 100644 +--- a/drivers/gpu/drm/msm/disp/mdp5/mdp5_plane.c ++++ b/drivers/gpu/drm/msm/disp/mdp5/mdp5_plane.c +@@ -221,8 +221,7 @@ static void mdp5_plane_destroy_state(struct drm_plane *plane, + { + struct mdp5_plane_state *pstate = to_mdp5_plane_state(state); + +- if (state->fb) +- drm_framebuffer_put(state->fb); ++ __drm_atomic_helper_plane_destroy_state(state); + + kfree(pstate); + } +-- +2.40.1 + 
diff --git a/queue-5.10/drm-panel-simple-add-missing-connector-type-and-pixe.patch b/queue-5.10/drm-panel-simple-add-missing-connector-type-and-pixe.patch new file mode 100644 index 00000000000..3ec111b2d5a --- /dev/null +++ b/queue-5.10/drm-panel-simple-add-missing-connector-type-and-pixe.patch @@ -0,0 +1,41 @@ +From 329b307396648f3c1766662b1b83826bc4ab8e91 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 9 Jul 2023 15:49:14 +0200 +Subject: drm/panel: simple: Add missing connector type and pixel format for + AUO T215HVN01 + +From: Marek Vasut + +[ Upstream commit 7a675a8fa598edb29a664a91adb80f0340649f6f ] + +The connector type and pixel format are missing for this panel, +add them to prevent various drivers from failing to determine +either of those parameters. + +Fixes: 7ee933a1d5c4 ("drm/panel: simple: Add support for AUO T215HVN01") +Signed-off-by: Marek Vasut +Reviewed-by: Sam Ravnborg +Link: https://patchwork.freedesktop.org/patch/msgid/20230709134914.449328-1-marex@denx.de +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/panel/panel-simple.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/panel/panel-simple.c b/drivers/gpu/drm/panel/panel-simple.c +index e40321d798981..e90b518118881 100644 +--- a/drivers/gpu/drm/panel/panel-simple.c ++++ b/drivers/gpu/drm/panel/panel-simple.c +@@ -1200,7 +1200,9 @@ static const struct panel_desc auo_t215hvn01 = { + .delay = { + .disable = 5, + .unprepare = 1000, +- } ++ }, ++ .bus_format = MEDIA_BUS_FMT_RGB888_1X7X4_SPWG, ++ .connector_type = DRM_MODE_CONNECTOR_LVDS, + }; + + static const struct drm_display_mode avic_tm070ddh03_mode = { +-- +2.40.1 + diff --git a/queue-5.10/drm-radeon-use-rmw-accessors-for-changing-lnkctl.patch b/queue-5.10/drm-radeon-use-rmw-accessors-for-changing-lnkctl.patch new file mode 100644 index 00000000000..fde144891ee --- /dev/null +++ b/queue-5.10/drm-radeon-use-rmw-accessors-for-changing-lnkctl.patch 
@@ -0,0 +1,145 @@ +From b4c427ecbe70c0b49c1556b2f228a6f734a6a343 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jul 2023 15:04:58 +0300 +Subject: drm/radeon: Use RMW accessors for changing LNKCTL +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ilpo Järvinen + +[ Upstream commit 7189576e8a829130192b33c5b64e8a475369c776 ] + +Don't assume that only the driver would be accessing LNKCTL. ASPM policy +changes can trigger write to LNKCTL outside of driver's control. And in +the case of upstream bridge, the driver does not even own the device it's +changing the registers for. + +Use RMW capability accessors which do proper locking to avoid losing +concurrent updates to the register value. + +Suggested-by: Lukas Wunner +Fixes: 8a7cd27679d0 ("drm/radeon/cik: add support for pcie gen1/2/3 switching") +Fixes: b9d305dfb66c ("drm/radeon: implement pcie gen2/3 support for SI") +Link: https://lore.kernel.org/r/20230717120503.15276-7-ilpo.jarvinen@linux.intel.com +Signed-off-by: Ilpo Järvinen +Signed-off-by: Bjorn Helgaas +Acked-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/radeon/cik.c | 36 ++++++++++------------------------- + drivers/gpu/drm/radeon/si.c | 37 ++++++++++-------------------------- + 2 files changed, 20 insertions(+), 53 deletions(-) + +diff --git a/drivers/gpu/drm/radeon/cik.c b/drivers/gpu/drm/radeon/cik.c +index 5c42877fd6fbf..13f25ec1fe25c 100644 +--- a/drivers/gpu/drm/radeon/cik.c ++++ b/drivers/gpu/drm/radeon/cik.c +@@ -9551,17 +9551,8 @@ static void cik_pcie_gen3_enable(struct radeon_device *rdev) + u16 bridge_cfg2, gpu_cfg2; + u32 max_lw, current_lw, tmp; + +- pcie_capability_read_word(root, PCI_EXP_LNKCTL, +- &bridge_cfg); +- pcie_capability_read_word(rdev->pdev, PCI_EXP_LNKCTL, +- &gpu_cfg); +- +- tmp16 = bridge_cfg | PCI_EXP_LNKCTL_HAWD; +- pcie_capability_write_word(root, PCI_EXP_LNKCTL, tmp16); +- +- tmp16 = gpu_cfg | PCI_EXP_LNKCTL_HAWD; +- 
pcie_capability_write_word(rdev->pdev, PCI_EXP_LNKCTL, +- tmp16); ++ pcie_capability_set_word(root, PCI_EXP_LNKCTL, PCI_EXP_LNKCTL_HAWD); ++ pcie_capability_set_word(rdev->pdev, PCI_EXP_LNKCTL, PCI_EXP_LNKCTL_HAWD); + + tmp = RREG32_PCIE_PORT(PCIE_LC_STATUS1); + max_lw = (tmp & LC_DETECTED_LINK_WIDTH_MASK) >> LC_DETECTED_LINK_WIDTH_SHIFT; +@@ -9608,21 +9599,14 @@ static void cik_pcie_gen3_enable(struct radeon_device *rdev) + msleep(100); + + /* linkctl */ +- pcie_capability_read_word(root, PCI_EXP_LNKCTL, +- &tmp16); +- tmp16 &= ~PCI_EXP_LNKCTL_HAWD; +- tmp16 |= (bridge_cfg & PCI_EXP_LNKCTL_HAWD); +- pcie_capability_write_word(root, PCI_EXP_LNKCTL, +- tmp16); +- +- pcie_capability_read_word(rdev->pdev, +- PCI_EXP_LNKCTL, +- &tmp16); +- tmp16 &= ~PCI_EXP_LNKCTL_HAWD; +- tmp16 |= (gpu_cfg & PCI_EXP_LNKCTL_HAWD); +- pcie_capability_write_word(rdev->pdev, +- PCI_EXP_LNKCTL, +- tmp16); ++ pcie_capability_clear_and_set_word(root, PCI_EXP_LNKCTL, ++ PCI_EXP_LNKCTL_HAWD, ++ bridge_cfg & ++ PCI_EXP_LNKCTL_HAWD); ++ pcie_capability_clear_and_set_word(rdev->pdev, PCI_EXP_LNKCTL, ++ PCI_EXP_LNKCTL_HAWD, ++ gpu_cfg & ++ PCI_EXP_LNKCTL_HAWD); + + /* linkctl2 */ + pcie_capability_read_word(root, PCI_EXP_LNKCTL2, +diff --git a/drivers/gpu/drm/radeon/si.c b/drivers/gpu/drm/radeon/si.c +index 93dcab548a835..31e2c1083b089 100644 +--- a/drivers/gpu/drm/radeon/si.c ++++ b/drivers/gpu/drm/radeon/si.c +@@ -7138,17 +7138,8 @@ static void si_pcie_gen3_enable(struct radeon_device *rdev) + u16 bridge_cfg2, gpu_cfg2; + u32 max_lw, current_lw, tmp; + +- pcie_capability_read_word(root, PCI_EXP_LNKCTL, +- &bridge_cfg); +- pcie_capability_read_word(rdev->pdev, PCI_EXP_LNKCTL, +- &gpu_cfg); +- +- tmp16 = bridge_cfg | PCI_EXP_LNKCTL_HAWD; +- pcie_capability_write_word(root, PCI_EXP_LNKCTL, tmp16); +- +- tmp16 = gpu_cfg | PCI_EXP_LNKCTL_HAWD; +- pcie_capability_write_word(rdev->pdev, PCI_EXP_LNKCTL, +- tmp16); ++ pcie_capability_set_word(root, PCI_EXP_LNKCTL, PCI_EXP_LNKCTL_HAWD); ++ 
pcie_capability_set_word(rdev->pdev, PCI_EXP_LNKCTL, PCI_EXP_LNKCTL_HAWD); + + tmp = RREG32_PCIE(PCIE_LC_STATUS1); + max_lw = (tmp & LC_DETECTED_LINK_WIDTH_MASK) >> LC_DETECTED_LINK_WIDTH_SHIFT; +@@ -7195,22 +7186,14 @@ static void si_pcie_gen3_enable(struct radeon_device *rdev) + msleep(100); + + /* linkctl */ +- pcie_capability_read_word(root, PCI_EXP_LNKCTL, +- &tmp16); +- tmp16 &= ~PCI_EXP_LNKCTL_HAWD; +- tmp16 |= (bridge_cfg & PCI_EXP_LNKCTL_HAWD); +- pcie_capability_write_word(root, +- PCI_EXP_LNKCTL, +- tmp16); +- +- pcie_capability_read_word(rdev->pdev, +- PCI_EXP_LNKCTL, +- &tmp16); +- tmp16 &= ~PCI_EXP_LNKCTL_HAWD; +- tmp16 |= (gpu_cfg & PCI_EXP_LNKCTL_HAWD); +- pcie_capability_write_word(rdev->pdev, +- PCI_EXP_LNKCTL, +- tmp16); ++ pcie_capability_clear_and_set_word(root, PCI_EXP_LNKCTL, ++ PCI_EXP_LNKCTL_HAWD, ++ bridge_cfg & ++ PCI_EXP_LNKCTL_HAWD); ++ pcie_capability_clear_and_set_word(rdev->pdev, PCI_EXP_LNKCTL, ++ PCI_EXP_LNKCTL_HAWD, ++ gpu_cfg & ++ PCI_EXP_LNKCTL_HAWD); + + /* linkctl2 */ + pcie_capability_read_word(root, PCI_EXP_LNKCTL2, +-- +2.40.1 + diff --git a/queue-5.10/drm-tegra-dpaux-fix-incorrect-return-value-of-platfo.patch b/queue-5.10/drm-tegra-dpaux-fix-incorrect-return-value-of-platfo.patch new file mode 100644 index 00000000000..a945656c6bf --- /dev/null +++ b/queue-5.10/drm-tegra-dpaux-fix-incorrect-return-value-of-platfo.patch 
@@ -0,0 +1,37 @@ +From 1afb86ce0fa457bad63a16fe1ad94606b15eedd0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Jul 2023 11:23:49 +0800 +Subject: drm/tegra: dpaux: Fix incorrect return value of platform_get_irq + +From: Yangtao Li + +[ Upstream commit 2a1ca44b654346cadfc538c4fb32eecd8daf3140 ] + +When platform_get_irq fails, we should return dpaux->irq +instead of -ENXIO. + +Fixes: 6b6b604215c6 ("drm/tegra: Add eDP support") +Signed-off-by: Yangtao Li +Signed-off-by: Thierry Reding +Link: https://patchwork.freedesktop.org/patch/msgid/20230710032355.72914-13-frank.li@vivo.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/tegra/dpaux.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/tegra/dpaux.c b/drivers/gpu/drm/tegra/dpaux.c +index 044e5eeea86f3..f8b8107368a02 100644 +--- a/drivers/gpu/drm/tegra/dpaux.c ++++ b/drivers/gpu/drm/tegra/dpaux.c +@@ -468,7 +468,7 @@ static int tegra_dpaux_probe(struct platform_device *pdev) + + dpaux->irq = platform_get_irq(pdev, 0); + if (dpaux->irq < 0) +- return -ENXIO; ++ return dpaux->irq; + + if (!pdev->dev.pm_domain) { + dpaux->rst = devm_reset_control_get(&pdev->dev, "dpaux"); +-- +2.40.1 + diff --git a/queue-5.10/drm-tegra-remove-superfluous-error-messages-around-p.patch b/queue-5.10/drm-tegra-remove-superfluous-error-messages-around-p.patch new file mode 100644 index 00000000000..aeaee9dccd8 --- /dev/null +++ b/queue-5.10/drm-tegra-remove-superfluous-error-messages-around-p.patch 
@@ -0,0 +1,41 @@ +From b6f84a048a205f302b4f6473b6e26d3a2d48d286 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Jun 2021 14:39:55 +0800 +Subject: drm/tegra: Remove superfluous error messages around + platform_get_irq() + +From: Tan Zhongjun + +[ Upstream commit d12919bb5da571ec50588ef97683d37e36dc2de5 ] + +The platform_get_irq() prints error message telling that interrupt is +missing,hence there is no need to duplicated that message in the +drivers. + +Signed-off-by: Tan Zhongjun +Signed-off-by: Thierry Reding +Stable-dep-of: 2a1ca44b6543 ("drm/tegra: dpaux: Fix incorrect return value of platform_get_irq") +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/tegra/dpaux.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/tegra/dpaux.c b/drivers/gpu/drm/tegra/dpaux.c +index 105fb9cdbb3bd..044e5eeea86f3 100644 +--- a/drivers/gpu/drm/tegra/dpaux.c ++++ b/drivers/gpu/drm/tegra/dpaux.c +@@ -467,10 +467,8 @@ static int tegra_dpaux_probe(struct platform_device *pdev) + return PTR_ERR(dpaux->regs); + + dpaux->irq = platform_get_irq(pdev, 0); +- if (dpaux->irq < 0) { +- dev_err(&pdev->dev, "failed to get IRQ\n"); ++ if (dpaux->irq < 0) + return -ENXIO; +- } + + if (!pdev->dev.pm_domain) { + dpaux->rst = devm_reset_control_get(&pdev->dev, "dpaux"); +-- +2.40.1 + diff --git a/queue-5.10/drm-xlnx-zynqmp_dpsub-add-missing-check-for-dma_set_.patch b/queue-5.10/drm-xlnx-zynqmp_dpsub-add-missing-check-for-dma_set_.patch new file mode 100644 index 00000000000..81cba1eb377 --- /dev/null +++ b/queue-5.10/drm-xlnx-zynqmp_dpsub-add-missing-check-for-dma_set_.patch 
@@ -0,0 +1,39 @@ +From dee5d70ba29c2ff79b46b6d0ae7af6a85c291b94 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Jun 2023 10:05:29 +0800 +Subject: drm: xlnx: zynqmp_dpsub: Add missing check for dma_set_mask + +From: Jiasheng Jiang + +[ Upstream commit 1832fba7f9780aff67c96ad30f397c2d76141833 ] + +Add check for dma_set_mask() and return the error if it fails. + +Fixes: d76271d22694 ("drm: xlnx: DRM/KMS driver for Xilinx ZynqMP DisplayPort Subsystem") +Signed-off-by: Jiasheng Jiang +Reviewed-by: Laurent Pinchart +Reviewed-by: Tomi Valkeinen +Signed-off-by: Laurent Pinchart +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/xlnx/zynqmp_dpsub.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/xlnx/zynqmp_dpsub.c b/drivers/gpu/drm/xlnx/zynqmp_dpsub.c +index 8e69303aad3f7..5f6eea81f3cc8 100644 +--- a/drivers/gpu/drm/xlnx/zynqmp_dpsub.c ++++ b/drivers/gpu/drm/xlnx/zynqmp_dpsub.c +@@ -214,7 +214,9 @@ static int zynqmp_dpsub_probe(struct platform_device *pdev) + dpsub->dev = &pdev->dev; + platform_set_drvdata(pdev, dpsub); + +- dma_set_mask(dpsub->dev, DMA_BIT_MASK(ZYNQMP_DISP_MAX_DMA_BIT)); ++ ret = dma_set_mask(dpsub->dev, DMA_BIT_MASK(ZYNQMP_DISP_MAX_DMA_BIT)); ++ if (ret) ++ return ret; + + /* Try the reserved memory. Proceed if there's none. */ + of_reserved_mem_device_init(&pdev->dev); +-- +2.40.1 + diff --git a/queue-5.10/eventfd-export-eventfd_ctx_do_read.patch b/queue-5.10/eventfd-export-eventfd_ctx_do_read.patch new file mode 100644 index 00000000000..3cd7f861c89 --- /dev/null +++ b/queue-5.10/eventfd-export-eventfd_ctx_do_read.patch 
@@ -0,0 +1,75 @@
+From 59b0415f3c489bb01421abaf49041b53388b995f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 27 Oct 2020 13:55:21 +0000
+Subject: eventfd: Export eventfd_ctx_do_read()
+
+From: David Woodhouse
+
+[ Upstream commit 28f1326710555bbe666f64452d08f2d7dd657cae ]
+
+Where events are consumed in the kernel, for example by KVM's
+irqfd_wakeup() and VFIO's virqfd_wakeup(), they currently lack a
+mechanism to drain the eventfd's counter.
+
+Since the wait queue is already locked while the wakeup functions are
+invoked, all they really need to do is call eventfd_ctx_do_read().
+
+Add a check for the lock, and export it for them.
+
+Signed-off-by: David Woodhouse
+Message-Id: <20201027135523.646811-2-dwmw2@infradead.org>
+Signed-off-by: Paolo Bonzini
+Stable-dep-of: 758b49204781 ("eventfd: prevent underflow for eventfd semaphores")
+Signed-off-by: Sasha Levin
+---
+ fs/eventfd.c | 5 ++++-
+ include/linux/eventfd.h | 6 ++++++
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/fs/eventfd.c b/fs/eventfd.c
+index 4a14295cffe0d..b8d38b970ce7f 100644
+--- a/fs/eventfd.c
++++ b/fs/eventfd.c
+@@ -187,11 +187,14 @@ static __poll_t eventfd_poll(struct file *file, poll_table *wait)
+ return events;
+ }
+
+-static void eventfd_ctx_do_read(struct eventfd_ctx *ctx, __u64 *cnt)
++void eventfd_ctx_do_read(struct eventfd_ctx *ctx, __u64 *cnt)
+ {
++ lockdep_assert_held(&ctx->wqh.lock);
++
+ *cnt = (ctx->flags & EFD_SEMAPHORE) ? 1 : ctx->count;
+ ctx->count -= *cnt;
+ }
++EXPORT_SYMBOL_GPL(eventfd_ctx_do_read);
+
+ /**
+ * eventfd_ctx_remove_wait_queue - Read the current counter and removes wait queue.
+diff --git a/include/linux/eventfd.h b/include/linux/eventfd.h
+index 6cd2a92daf205..c1bd4883e2faf 100644
+--- a/include/linux/eventfd.h
++++ b/include/linux/eventfd.h
+@@ -42,6 +42,7 @@ __u64 eventfd_signal(struct eventfd_ctx *ctx, __u64 n);
+ __u64 eventfd_signal_mask(struct eventfd_ctx *ctx, __u64 n, unsigned mask);
+ int eventfd_ctx_remove_wait_queue(struct eventfd_ctx *ctx, wait_queue_entry_t *wait,
+ __u64 *cnt);
++void eventfd_ctx_do_read(struct eventfd_ctx *ctx, __u64 *cnt);
+
+ DECLARE_PER_CPU(int, eventfd_wake_count);
+
+@@ -89,6 +90,11 @@ static inline bool eventfd_signal_count(void)
+ return false;
+ }
+
++static inline void eventfd_ctx_do_read(struct eventfd_ctx *ctx, __u64 *cnt)
++{
++
++}
++
+ #endif
+
+ #endif /* _LINUX_EVENTFD_H */
+--
+2.40.1
+
diff --git a/queue-5.10/eventfd-prevent-underflow-for-eventfd-semaphores.patch b/queue-5.10/eventfd-prevent-underflow-for-eventfd-semaphores.patch
new file mode 100644
index 00000000000..bbc26e4a6ea
--- /dev/null
+++ b/queue-5.10/eventfd-prevent-underflow-for-eventfd-semaphores.patch
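Review bot: The `static inline` stub of `eventfd_ctx_do_read()` added to include/linux/eventfd.h for the configuration without eventfd support has an empty body, so `*cnt` is never written and a caller that reads it afterwards would see an indeterminate value. Giving the stub the body `*cnt = 0;` would make the result defined; whether any caller is actually built in that configuration is not visible here. Now that the function is exported, a kernel-doc comment above the definition in fs/eventfd.c stating that the caller must hold `ctx->wqh.lock` would document the contract that `lockdep_assert_held()` checks only on lockdep-enabled builds.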
@@ -0,0 +1,76 @@
+From 8d53d6c909f0cf816ff475bfe91308016ea444c8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 9 Jul 2023 14:54:51 +0800
+Subject: eventfd: prevent underflow for eventfd semaphores
+
+From: Wen Yang
+
+[ Upstream commit 758b492047816a3158d027e9fca660bc5bcf20bf ]
+
+For eventfd with flag EFD_SEMAPHORE, when its ctx->count is 0, calling
+eventfd_ctx_do_read will cause ctx->count to overflow to ULLONG_MAX.
+
+An underflow can happen with EFD_SEMAPHORE eventfds in at least the
+following three subsystems:
+
+(1) virt/kvm/eventfd.c
+(2) drivers/vfio/virqfd.c
+(3) drivers/virt/acrn/irqfd.c
+
+where (2) and (3) are just modeled after (1). An eventfd must be
+specified for use with the KVM_IRQFD ioctl(). This can also be an
+EFD_SEMAPHORE eventfd. When the eventfd count is zero or has been
+decremented to zero an underflow can be triggered when the irqfd is shut
+down by raising the KVM_IRQFD_FLAG_DEASSIGN flag in the KVM_IRQFD
+ioctl():
+
+ // ctx->count == 0
+ kvm_vm_ioctl()
+ -> kvm_irqfd()
+ -> kvm_irqfd_deassign()
+ -> irqfd_deactivate()
+ -> irqfd_shutdown()
+ -> eventfd_ctx_remove_wait_queue(&cnt)
+ -> eventfd_ctx_do_read(&cnt)
+
+Userspace polling on the eventfd wouldn't notice the underflow because 1
+is always returned as the value from eventfd_read() while ctx->count
+would've underflowed. It's not a huge deal because this should only be
+happening when the irqfd is shutdown but we should still fix it and
+avoid the spurious wakeup.
+
+Fixes: cb289d6244a3 ("eventfd - allow atomic read and waitqueue remove")
+Signed-off-by: Wen Yang
+Cc: Alexander Viro
+Cc: Jens Axboe
+Cc: Christian Brauner
+Cc: Christoph Hellwig
+Cc: Dylan Yudaken
+Cc: David Woodhouse
+Cc: Matthew Wilcox
+Cc: linux-fsdevel@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Message-Id:
+[brauner: rewrite commit message and add explanation how this underflow can happen]
+Signed-off-by: Christian Brauner
+Signed-off-by: Sasha Levin
+---
+ fs/eventfd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/eventfd.c b/fs/eventfd.c
+index b8d38b970ce7f..3673eb8de0356 100644
+--- a/fs/eventfd.c
++++ b/fs/eventfd.c
+@@ -191,7 +191,7 @@ void eventfd_ctx_do_read(struct eventfd_ctx *ctx, __u64 *cnt)
+ {
+ lockdep_assert_held(&ctx->wqh.lock);
+
+- *cnt = (ctx->flags & EFD_SEMAPHORE) ? 1 : ctx->count;
++ *cnt = ((ctx->flags & EFD_SEMAPHORE) && ctx->count) ? 1 : ctx->count;
+ ctx->count -= *cnt;
+ }
+ EXPORT_SYMBOL_GPL(eventfd_ctx_do_read);
+--
+2.40.1
+
diff --git a/queue-5.10/ext4-correct-grp-validation-in-ext4_mb_good_group.patch b/queue-5.10/ext4-correct-grp-validation-in-ext4_mb_good_group.patch
new file mode 100644
index 00000000000..ae441044eb2
--- /dev/null
+++ b/queue-5.10/ext4-correct-grp-validation-in-ext4_mb_good_group.patch
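Review bot: The rewritten ternary in `eventfd_ctx_do_read()` is missing a comment explaining that its else branch now covers two cases: a non-semaphore eventfd, and a semaphore whose count is already 0. A reader has to work out that the second case yields `*cnt == 0`, so the following `ctx->count -= *cnt` cannot wrap. A one-line comment above the assignment would record that, for example `/* semaphore mode takes 1 only while count is non-zero, so count never wraps below 0 */`.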
@@ -0,0 +1,38 @@ +From 29861a7364329bae72ddf758ef85ee3aa3f9ac43 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Aug 2023 22:31:55 +0800 +Subject: ext4: correct grp validation in ext4_mb_good_group + +From: Kemeng Shi + +[ Upstream commit a9ce5993a0f5c0887c8a1b4ffa3b8046fbcfdc93 ] + +Group corruption check will access memory of grp and will trigger kernel +crash if grp is NULL. So do NULL check before corruption check. + +Fixes: 5354b2af3406 ("ext4: allow ext4_get_group_info() to fail") +Signed-off-by: Kemeng Shi +Reviewed-by: Ritesh Harjani (IBM) +Link: https://lore.kernel.org/r/20230801143204.2284343-2-shikemeng@huaweicloud.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/mballoc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c +index 3a71928846712..2f6ed59d81f02 100644 +--- a/fs/ext4/mballoc.c ++++ b/fs/ext4/mballoc.c +@@ -2103,7 +2103,7 @@ static bool ext4_mb_good_group(struct ext4_allocation_context *ac, + + BUG_ON(cr < 0 || cr >= 4); + +- if (unlikely(EXT4_MB_GRP_BBITMAP_CORRUPT(grp) || !grp)) ++ if (unlikely(!grp || EXT4_MB_GRP_BBITMAP_CORRUPT(grp))) + return false; + + free = grp->bb_free; +-- +2.40.1 + diff --git a/queue-5.10/firmware-meson_sm-fix-to-avoid-potential-null-pointe.patch b/queue-5.10/firmware-meson_sm-fix-to-avoid-potential-null-pointe.patch new file mode 100644 index 00000000000..54a62069eec --- /dev/null +++ b/queue-5.10/firmware-meson_sm-fix-to-avoid-potential-null-pointe.patch 
@@ -0,0 +1,39 @@
+From 1fd7977d358e4bffea6fd86c5901d861f83e8244 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 15 Jul 2023 22:13:38 +0800
+Subject: firmware: meson_sm: fix to avoid potential NULL pointer dereference
+
+From: Zhang Shurong
+
+[ Upstream commit f2ed165619c16577c02b703a114a1f6b52026df4 ]
+
+of_match_device() may fail and returns a NULL pointer.
+
+Fix this by checking the return value of of_match_device.
+
+Fixes: 8cde3c2153e8 ("firmware: meson_sm: Rework driver as a proper platform driver")
+Signed-off-by: Zhang Shurong
+Reviewed-by: Neil Armstrong
+Link: https://lore.kernel.org/r/tencent_AA08AAA6C4F34D53ADCE962E188A879B8206@qq.com
+Signed-off-by: Neil Armstrong
+Signed-off-by: Sasha Levin
+---
+ drivers/firmware/meson/meson_sm.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/firmware/meson/meson_sm.c b/drivers/firmware/meson/meson_sm.c
+index 2854b56f6e0bd..ed27ff2e503ef 100644
+--- a/drivers/firmware/meson/meson_sm.c
++++ b/drivers/firmware/meson/meson_sm.c
+@@ -292,6 +292,8 @@ static int __init meson_sm_probe(struct platform_device *pdev)
+ return -ENOMEM;
+
+ chip = of_match_device(meson_sm_ids, dev)->data;
++ if (!chip)
++ return -EINVAL;
+
+ if (chip->cmd_shmem_in_base) {
+ fw->sm_shmem_in_base = meson_sm_map_shmem(chip->cmd_shmem_in_base,
+--
+2.40.1
+
diff --git a/queue-5.10/fs-fix-error-checking-for-d_hash_and_lookup.patch b/queue-5.10/fs-fix-error-checking-for-d_hash_and_lookup.patch
new file mode 100644
index 00000000000..47456cd60c8
--- /dev/null
+++ b/queue-5.10/fs-fix-error-checking-for-d_hash_and_lookup.patch
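Review bot: The added `if (!chip)` test runs only after the context line `chip = of_match_device(meson_sm_ids, dev)->data;` has already dereferenced the return value, so the NULL return described in the commit message still faults before the check is reached; only a NULL `data` member is caught. Test the match itself first, using a local `const struct of_device_id *match`: `match = of_match_device(meson_sm_ids, dev);` `if (!match) return -EINVAL;` `chip = match->data;`. Alternatively `chip = of_device_get_match_data(dev);` returns NULL when there is no match and lets the existing check stand. meson_sm_probe() starts and ends outside the hunk.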
@@ -0,0 +1,38 @@
+From abba6fb0ec36b63ec06290997d160b207dfc2cc1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 13 Jul 2023 20:05:42 +0800
+Subject: fs: Fix error checking for d_hash_and_lookup()
+
+From: Wang Ming
+
+[ Upstream commit 0d5a4f8f775ff990142cdc810a84eae078589d27 ]
+
+The d_hash_and_lookup() function returns error pointers or NULL.
+Most incorrect error checks were fixed, but the one in int path_pts()
+was forgotten.
+
+Fixes: eedf265aa003 ("devpts: Make each mount of devpts an independent filesystem.")
+Signed-off-by: Wang Ming
+Message-Id: <20230713120555.7025-1-machel@vivo.com>
+Signed-off-by: Christian Brauner
+Signed-off-by: Sasha Levin
+---
+ fs/namei.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/namei.c b/fs/namei.c
+index bc5e633a5954e..3ff954a2bbd1d 100644
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -2640,7 +2640,7 @@ int path_pts(struct path *path)
+ dput(path->dentry);
+ path->dentry = parent;
+ child = d_hash_and_lookup(parent, &this);
+- if (!child)
++ if (IS_ERR_OR_NULL(child))
+ return -ENOENT;
+
+ path->dentry = child;
+--
+2.40.1
+
diff --git a/queue-5.10/fs-lockd-avoid-possible-wrong-null-parameter.patch b/queue-5.10/fs-lockd-avoid-possible-wrong-null-parameter.patch
new file mode 100644
index 00000000000..04018b4335f
--- /dev/null
+++ b/queue-5.10/fs-lockd-avoid-possible-wrong-null-parameter.patch
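Review bot: With `IS_ERR_OR_NULL(child)` an error pointer from `d_hash_and_lookup()` is now reported as `-ENOENT`, so the real errno is discarded and the caller cannot tell a missing entry from a lookup failure. If callers of path_pts() can act on that difference, split the test: `if (IS_ERR(child)) return PTR_ERR(child);` followed by the original `if (!child) return -ENOENT;`. path_pts() starts and ends outside the hunk, so how its callers treat the return value is not visible here.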
@@ -0,0 +1,43 @@ +From 3dd2ff4a136a7eca6c41973ba833f250a72e8f6c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Aug 2023 09:26:57 +0800 +Subject: fs: lockd: avoid possible wrong NULL parameter + +From: Su Hui + +[ Upstream commit de8d38cf44bac43e83bad28357ba84784c412752 ] + +clang's static analysis warning: fs/lockd/mon.c: line 293, column 2: +Null pointer passed as 2nd argument to memory copy function. + +Assuming 'hostname' is NULL and calling 'nsm_create_handle()', this will +pass NULL as 2nd argument to memory copy function 'memcpy()'. So return +NULL if 'hostname' is invalid. + +Fixes: 77a3ef33e2de ("NSM: More clean up of nsm_get_handle()") +Signed-off-by: Su Hui +Reviewed-by: Nick Desaulniers +Reviewed-by: Jeff Layton +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +--- + fs/lockd/mon.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/lockd/mon.c b/fs/lockd/mon.c +index 1d9488cf05348..87a0f207df0b9 100644 +--- a/fs/lockd/mon.c ++++ b/fs/lockd/mon.c +@@ -276,6 +276,9 @@ static struct nsm_handle *nsm_create_handle(const struct sockaddr *sap, + { + struct nsm_handle *new; + ++ if (!hostname) ++ return NULL; ++ + new = kzalloc(sizeof(*new) + hostname_len + 1, GFP_KERNEL); + if (unlikely(new == NULL)) + return NULL; +-- +2.40.1 + diff --git a/queue-5.10/fs-ocfs2-namei-check-return-value-of-ocfs2_add_entry.patch b/queue-5.10/fs-ocfs2-namei-check-return-value-of-ocfs2_add_entry.patch new file mode 100644 index 00000000000..83256265aa7 --- /dev/null +++ b/queue-5.10/fs-ocfs2-namei-check-return-value-of-ocfs2_add_entry.patch 
@@ -0,0 +1,50 @@
+From 8413ab98238d33292ae63f4876aa96ef15450006 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 3 Aug 2023 17:54:17 +0300
+Subject: fs: ocfs2: namei: check return value of ocfs2_add_entry()
+
+From: Artem Chernyshev
+
+[ Upstream commit 6b72e5f9e79360fce4f2be7fe81159fbdf4256a5 ]
+
+Process result of ocfs2_add_entry() in case we have an error
+value.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Link: https://lkml.kernel.org/r/20230803145417.177649-1-artem.chernyshev@red-soft.ru
+Fixes: ccd979bdbce9 ("[PATCH] OCFS2: The Second Oracle Cluster Filesystem")
+Signed-off-by: Artem Chernyshev
+Reviewed-by: Joseph Qi
+Cc: Artem Chernyshev
+Cc: Joel Becker
+Cc: Kurt Hackel
+Cc: Mark Fasheh
+Cc: Junxiao Bi
+Cc: Changwei Ge
+Cc: Gang He
+Cc: Jun Piao
+Signed-off-by: Andrew Morton
+Signed-off-by: Sasha Levin
+---
+ fs/ocfs2/namei.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/fs/ocfs2/namei.c b/fs/ocfs2/namei.c
+index d6a0e719b1ad9..5c98813b3dcaf 100644
+--- a/fs/ocfs2/namei.c
++++ b/fs/ocfs2/namei.c
+@@ -1532,6 +1532,10 @@ static int ocfs2_rename(struct inode *old_dir,
+ status = ocfs2_add_entry(handle, new_dentry, old_inode,
+ OCFS2_I(old_inode)->ip_blkno,
+ new_dir_bh, &target_insert);
++ if (status < 0) {
++ mlog_errno(status);
++ goto bail;
++ }
+ }
+
+ old_inode->i_ctime = current_time(old_inode);
+--
+2.40.1
+
diff --git a/queue-5.10/fsi-aspeed-reset-master-errors-after-cfam-reset.patch b/queue-5.10/fsi-aspeed-reset-master-errors-after-cfam-reset.patch
new file mode 100644
index 00000000000..f5d52f00e6f
--- /dev/null
+++ b/queue-5.10/fsi-aspeed-reset-master-errors-after-cfam-reset.patch
@@ -0,0 +1,38 @@
+From 9e0f671f863b17e7df648024b65538f992412eba Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 12 Jun 2023 14:56:50 -0500
+Subject: fsi: aspeed: Reset master errors after CFAM reset
+
+From: Eddie James
+
+[ Upstream commit 52300909f4670ac552bfeb33c1355b896eac8c06 ]
+
+It has been observed that sometimes the FSI master will return all 0xffs
+after a CFAM has been taken out of reset, without presenting any error.
+Resetting the FSI master errors resolves the issue.
+
+Fixes: 4a851d714ead ("fsi: aspeed: Support CFAM reset GPIO")
+Signed-off-by: Eddie James
+Link: https://lore.kernel.org/r/20230612195657.245125-8-eajames@linux.ibm.com
+Signed-off-by: Joel Stanley
+Signed-off-by: Sasha Levin
+---
+ drivers/fsi/fsi-master-aspeed.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/fsi/fsi-master-aspeed.c b/drivers/fsi/fsi-master-aspeed.c
+index 87edc77260d20..db0519da0f892 100644
+--- a/drivers/fsi/fsi-master-aspeed.c
++++ b/drivers/fsi/fsi-master-aspeed.c
+@@ -445,6 +445,8 @@ static ssize_t cfam_reset_store(struct device *dev, struct device_attribute *att
+ gpiod_set_value(aspeed->cfam_reset_gpio, 1);
+ usleep_range(900, 1000);
+ gpiod_set_value(aspeed->cfam_reset_gpio, 0);
++ usleep_range(900, 1000);
++ opb_writel(aspeed, ctrl_base + FSI_MRESP0, cpu_to_be32(FSI_MRESP_RST_ALL_MASTER));
+ mutex_unlock(&aspeed->lock);
+
+ return count;
+--
+2.40.1
+
diff --git a/queue-5.10/hid-logitech-dj-fix-error-handling-in-logi_dj_recv_s.patch b/queue-5.10/hid-logitech-dj-fix-error-handling-in-logi_dj_recv_s.patch
new file mode 100644
index 00000000000..a6cf8c3baaf
--- /dev/null
+++ b/queue-5.10/hid-logitech-dj-fix-error-handling-in-logi_dj_recv_s.patch
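Review bot: In cfam_reset_store() (fsi-master-aspeed.c) the result of the new `opb_writel(aspeed, ctrl_base + FSI_MRESP0, ...)` call is discarded, so the sysfs write still returns `count` when the error reset never reached the master. If opb_writel() reports a status (its definition is outside the hunk), capture it with `ret = opb_writel(...);` and return it after `mutex_unlock(&aspeed->lock)` when it is non-zero. The added line also runs well past the width of the surrounding code; breaking it after `FSI_MRESP0,` keeps it readable. The function begins outside the hunk.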
@@ -0,0 +1,55 @@
+From 254355638364f9c4d3968e9d53c9a0a8c5b390d7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 13 Jun 2023 03:16:35 -0700
+Subject: HID: logitech-dj: Fix error handling in
+ logi_dj_recv_switch_to_dj_mode()
+
+From: Nikita Zhandarovich
+
+[ Upstream commit 6f20d3261265885f6a6be4cda49d7019728760e0 ]
+
+Presently, if a call to logi_dj_recv_send_report() fails, we do
+not learn about the error until after sending short
+HID_OUTPUT_REPORT with hid_hw_raw_request().
+To handle this somewhat unlikely issue, return on error in
+logi_dj_recv_send_report() (minding ugly sleep workaround) and
+take into account the result of hid_hw_raw_request().
+
+Found by Linux Verification Center (linuxtesting.org) with static
+analysis tool SVACE.
+
+Fixes: 6a9ddc897883 ("HID: logitech-dj: enable notifications on connect/disconnect")
+Signed-off-by: Nikita Zhandarovich
+Link: https://lore.kernel.org/r/20230613101635.77820-1-n.zhandarovich@fintech.ru
+Signed-off-by: Benjamin Tissoires
+Signed-off-by: Sasha Levin
+---
+ drivers/hid/hid-logitech-dj.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/hid/hid-logitech-dj.c b/drivers/hid/hid-logitech-dj.c
+index 587259b3db97c..f4d79ec826797 100644
+--- a/drivers/hid/hid-logitech-dj.c
++++ b/drivers/hid/hid-logitech-dj.c
+@@ -1217,6 +1217,9 @@ static int logi_dj_recv_switch_to_dj_mode(struct dj_receiver_dev *djrcv_dev,
+ * 50 msec should gives enough time to the receiver to be ready.
+ */
+ msleep(50);
++
++ if (retval)
++ return retval;
+ }
+
+ /*
+@@ -1238,7 +1241,7 @@ static int logi_dj_recv_switch_to_dj_mode(struct dj_receiver_dev *djrcv_dev,
+ buf[5] = 0x09;
+ buf[6] = 0x00;
+
+- hid_hw_raw_request(hdev, REPORT_ID_HIDPP_SHORT, buf,
++ retval = hid_hw_raw_request(hdev, REPORT_ID_HIDPP_SHORT, buf,
+ HIDPP_REPORT_SHORT_LENGTH, HID_OUTPUT_REPORT,
+ HID_REQ_SET_REPORT);
+
+--
+2.40.1
+
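Review bot: The early `return retval;` added after `msleep(50)` in logi_dj_recv_switch_to_dj_mode() (hid-logitech-dj.c) leaves the function without reaching whatever cleanup follows the final request. The second hunk still fills `buf`, so a report buffer is live at that point; if it was heap-allocated earlier in the function (outside both hunks), this path leaks it and the buffer should be freed inside the `if (retval)` block before returning. Separately, `retval = hid_hw_raw_request(...)` holds a positive byte count on success, so the value now returned is only safe if every caller tests `< 0`; normalising with `if (retval > 0) retval = 0;` removes that dependency.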
diff --git a/queue-5.10/hid-multitouch-correct-devm-device-reference-for-hid.patch b/queue-5.10/hid-multitouch-correct-devm-device-reference-for-hid.patch
new file mode 100644
index 00000000000..2a4e1966d74
--- /dev/null
+++ b/queue-5.10/hid-multitouch-correct-devm-device-reference-for-hid.patch
@@ -0,0 +1,67 @@
+From e205cae6d63985066304ef6c20d22c067ed1c2e1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 24 Aug 2023 06:14:33 +0000
+Subject: HID: multitouch: Correct devm device reference for hidinput input_dev
+ name
+
+From: Rahul Rameshbabu
+
+[ Upstream commit 4794394635293a3e74591351fff469cea7ad15a2 ]
+
+Reference the HID device rather than the input device for the devm
+allocation of the input_dev name. Referencing the input_dev would lead to a
+use-after-free when the input_dev was unregistered and subsequently fires a
+uevent that depends on the name. At the point of firing the uevent, the
+name would be freed by devres management.
+
+Use devm_kasprintf to simplify the logic for allocating memory and
+formatting the input_dev name string.
+
+Reported-by: Maxime Ripard
+Closes: https://lore.kernel.org/linux-input/ZOZIZCND+L0P1wJc@penguin/T/#m443f3dce92520f74b6cf6ffa8653f9c92643d4ae
+Fixes: c08d46aa805b ("HID: multitouch: devm conversion")
+Suggested-by: Maxime Ripard
+Suggested-by: Dmitry Torokhov
+Signed-off-by: Rahul Rameshbabu
+Reviewed-by: Maxime Ripard
+Link: https://lore.kernel.org/r/20230824061308.222021-3-sergeantsagara@protonmail.com
+Signed-off-by: Benjamin Tissoires
+Signed-off-by: Sasha Levin
+---
+ drivers/hid/hid-multitouch.c | 13 +++----------
+ 1 file changed, 3 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c
+index ea8c52f0aa783..dc7c33f6b2c4e 100644
+--- a/drivers/hid/hid-multitouch.c
++++ b/drivers/hid/hid-multitouch.c
+@@ -1541,7 +1541,6 @@ static void mt_post_parse(struct mt_device *td, struct mt_application *app)
+ static int mt_input_configured(struct hid_device *hdev, struct hid_input *hi)
+ {
+ struct mt_device *td = hid_get_drvdata(hdev);
+- char *name;
+ const char *suffix = NULL;
+ struct mt_report_data *rdata;
+ struct mt_application *mt_application = NULL;
+@@ -1595,15 +1594,9 @@ static int mt_input_configured(struct hid_device *hdev, struct hid_input *hi)
+ break;
+ }
+
+- if (suffix) {
+- name = devm_kzalloc(&hi->input->dev,
+- strlen(hdev->name) + strlen(suffix) + 2,
+- GFP_KERNEL);
+- if (name) {
+- sprintf(name, "%s %s", hdev->name, suffix);
+- hi->input->name = name;
+- }
+- }
++ if (suffix)
++ hi->input->name = devm_kasprintf(&hdev->dev, GFP_KERNEL,
++ "%s %s", hdev->name, suffix);
+
+ return 0;
+ }
+--
+2.40.1
+
diff --git a/queue-5.10/hwmon-tmp513-fix-the-channel-number-in-tmp51x_is_vis.patch b/queue-5.10/hwmon-tmp513-fix-the-channel-number-in-tmp51x_is_vis.patch
new file mode 100644
index 00000000000..4a6aa3cec28
--- /dev/null
+++ b/queue-5.10/hwmon-tmp513-fix-the-channel-number-in-tmp51x_is_vis.patch
@@ -0,0 +1,39 @@
+From 5c499bedfab4e37e5c916a748fbcfd4d047f9e50 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 24 Aug 2023 21:44:54 +0100
+Subject: hwmon: (tmp513) Fix the channel number in tmp51x_is_visible()
+
+From: Biju Das
+
+[ Upstream commit d103337e38e7e64c3d915029e947b1cb0b512737 ]
+
+The supported channels for this driver are {0..3}. Fix the incorrect
+channel in tmp51x_is_visible().
+
+Reported-by: Guenter Roeck
+Closes: https://lore.kernel.org/all/ea0eccc0-a29f-41e4-9049-a1a13f8b16f1@roeck-us.net/
+Fixes: 59dfa75e5d82 ("hwmon: Add driver for Texas Instruments TMP512/513 sensor chips.")
+Signed-off-by: Biju Das
+Link: https://lore.kernel.org/r/20230824204456.401580-2-biju.das.jz@bp.renesas.com
+Signed-off-by: Guenter Roeck
+Signed-off-by: Sasha Levin
+---
+ drivers/hwmon/tmp513.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/hwmon/tmp513.c b/drivers/hwmon/tmp513.c
+index 7d5f7441aceb1..b9a93ee9c2364 100644
+--- a/drivers/hwmon/tmp513.c
++++ b/drivers/hwmon/tmp513.c
+@@ -434,7 +434,7 @@ static umode_t tmp51x_is_visible(const void *_data,
+
+ switch (type) {
+ case hwmon_temp:
+- if (data->id == tmp512 && channel == 4)
++ if (data->id == tmp512 && channel == 3)
+ return 0;
+ switch (attr) {
+ case hwmon_temp_input:
+--
+2.40.1
+
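Review bot: In mt_input_configured() (hid-multitouch.c) the result of `devm_kasprintf()` is stored straight into `hi->input->name`, so an allocation failure now replaces the existing name with NULL; the removed code assigned the field only when the allocation had succeeded. The commit message notes that the name is read later when a uevent fires, which makes a NULL name a plausible fault. Put the statement in braces and add `if (!hi->input->name) return -ENOMEM;` after the assignment, or keep the previous name by assigning through a local only when it is non-NULL.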
diff --git a/queue-5.10/hwrng-iproc-rng200-implement-suspend-and-resume-call.patch b/queue-5.10/hwrng-iproc-rng200-implement-suspend-and-resume-call.patch
new file mode 100644
index 00000000000..806c9fcc88a
--- /dev/null
+++ b/queue-5.10/hwrng-iproc-rng200-implement-suspend-and-resume-call.patch
@@ -0,0 +1,75 @@
+From fd6d2b344ee437979a47c7795b2e8eb86e4e9a12 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 10 Aug 2023 12:22:08 -0700
+Subject: hwrng: iproc-rng200 - Implement suspend and resume calls
+
+From: Florian Fainelli
+
+[ Upstream commit 8e03dd62e5be811efbf0cbeba47e79e793519105 ]
+
+Chips such as BCM7278 support system wide suspend/resume which will
+cause the HWRNG block to lose its state and reset to its power on reset
+register values. We need to cleanup and re-initialize the HWRNG for it
+to be functional coming out of a system suspend cycle.
+
+Fixes: c3577f6100ca ("hwrng: iproc-rng200 - Add support for BCM7278")
+Signed-off-by: Florian Fainelli
+Signed-off-by: Herbert Xu
+Signed-off-by: Sasha Levin
+---
+ drivers/char/hw_random/iproc-rng200.c | 25 +++++++++++++++++++++++++
+ 1 file changed, 25 insertions(+)
+
+diff --git a/drivers/char/hw_random/iproc-rng200.c b/drivers/char/hw_random/iproc-rng200.c
+index 01583faf9893e..52c4aa66d8379 100644
+--- a/drivers/char/hw_random/iproc-rng200.c
++++ b/drivers/char/hw_random/iproc-rng200.c
+@@ -195,6 +195,8 @@ static int iproc_rng200_probe(struct platform_device *pdev)
+ return PTR_ERR(priv->base);
+ }
+
++ dev_set_drvdata(dev, priv);
++
+ priv->rng.name = "iproc-rng200";
+ priv->rng.read = iproc_rng200_read;
+ priv->rng.init = iproc_rng200_init;
+@@ -212,6 +214,28 @@ static int iproc_rng200_probe(struct platform_device *pdev)
+ return 0;
+ }
+
++static int __maybe_unused iproc_rng200_suspend(struct device *dev)
++{
++ struct iproc_rng200_dev *priv = dev_get_drvdata(dev);
++
++ iproc_rng200_cleanup(&priv->rng);
++
++ return 0;
++}
++
++static int __maybe_unused iproc_rng200_resume(struct device *dev)
++{
++ struct iproc_rng200_dev *priv = dev_get_drvdata(dev);
++
++ iproc_rng200_init(&priv->rng);
++
++ return 0;
++}
++
++static const struct dev_pm_ops iproc_rng200_pm_ops = {
++ SET_SYSTEM_SLEEP_PM_OPS(iproc_rng200_suspend, iproc_rng200_resume)
++};
++
+ static const struct of_device_id iproc_rng200_of_match[] = {
+ { .compatible = "brcm,bcm2711-rng200", },
+ { .compatible = "brcm,bcm7211-rng200", },
+@@ -225,6 +249,7 @@ static struct platform_driver iproc_rng200_driver = {
+ .driver = {
+ .name = "iproc-rng200",
+ .of_match_table = iproc_rng200_of_match,
++ .pm = &iproc_rng200_pm_ops,
+ },
+ .probe = iproc_rng200_probe,
+ };
+--
+2.40.1
+
diff --git a/queue-5.10/hwrng-nomadik-keep-clock-enabled-while-hwrng-is-regi.patch b/queue-5.10/hwrng-nomadik-keep-clock-enabled-while-hwrng-is-regi.patch
new file mode 100644
index 00000000000..ee12b943b7a
--- /dev/null
+++ b/queue-5.10/hwrng-nomadik-keep-clock-enabled-while-hwrng-is-regi.patch
@@ -0,0 +1,86 @@
+From 1fea7dded7ba25abd6f0132b7c0909ed1ce1e5c8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 2 Jul 2023 19:35:02 +0200
+Subject: hwrng: nomadik - keep clock enabled while hwrng is registered
+
+From: Martin Kaiser
+
+[ Upstream commit 039980de89dc9dd757418d6f296e4126cc3f86c3 ]
+
+The nomadik driver uses devres to register itself with the hwrng core,
+the driver will be unregistered from hwrng when its device goes out of
+scope. This happens after the driver's remove function is called.
+
+However, nomadik's clock is disabled in the remove function. There's a
+short timeframe where nomadik is still registered with the hwrng core
+although its clock is disabled. I suppose the clock must be active to
+access the hardware and serve requests from the hwrng core.
+
+Switch to devm_clk_get_enabled and let devres disable the clock and
+unregister the hwrng. This avoids the race condition.
+
+Fixes: 3e75241be808 ("hwrng: drivers - Use device-managed registration API")
+Signed-off-by: Martin Kaiser
+Signed-off-by: Herbert Xu
+Signed-off-by: Sasha Levin
+---
+ drivers/char/hw_random/nomadik-rng.c | 12 +++---------
+ 1 file changed, 3 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/char/hw_random/nomadik-rng.c b/drivers/char/hw_random/nomadik-rng.c
+index e8f9621e79541..3774adf903a83 100644
+--- a/drivers/char/hw_random/nomadik-rng.c
++++ b/drivers/char/hw_random/nomadik-rng.c
+@@ -13,8 +13,6 @@
+ #include
+ #include
+
+-static struct clk *rng_clk;
+-
+ static int nmk_rng_read(struct hwrng *rng, void *data, size_t max, bool wait)
+ {
+ void __iomem *base = (void __iomem *)rng->priv;
+@@ -36,21 +34,20 @@ static struct hwrng nmk_rng = {
+
+ static int nmk_rng_probe(struct amba_device *dev, const struct amba_id *id)
+ {
++ struct clk *rng_clk;
+ void __iomem *base;
+ int ret;
+
+- rng_clk = devm_clk_get(&dev->dev, NULL);
++ rng_clk = devm_clk_get_enabled(&dev->dev, NULL);
+ if (IS_ERR(rng_clk)) {
+ dev_err(&dev->dev, "could not get rng clock\n");
+ ret = PTR_ERR(rng_clk);
+ return ret;
+ }
+
+- clk_prepare_enable(rng_clk);
+-
+ ret = amba_request_regions(dev, dev->dev.init_name);
+ if (ret)
+- goto out_clk;
++ return ret;
+ ret = -ENOMEM;
+ base = devm_ioremap(&dev->dev, dev->res.start,
+ resource_size(&dev->res));
+@@ -64,15 +61,12 @@ static int nmk_rng_probe(struct amba_device *dev, const struct amba_id *id)
+
+ out_release:
+ amba_release_regions(dev);
+-out_clk:
+- clk_disable_unprepare(rng_clk);
+ return ret;
+ }
+
+ static void nmk_rng_remove(struct amba_device *dev)
+ {
+ amba_release_regions(dev);
+- clk_disable_unprepare(rng_clk);
+ }
+
+ static const struct amba_id nmk_rng_ids[] = {
+--
+2.40.1
+
diff --git a/queue-5.10/ib-uverbs-fix-an-potential-error-pointer-dereference.patch b/queue-5.10/ib-uverbs-fix-an-potential-error-pointer-dereference.patch
new file mode 100644
index 00000000000..ef19caf9fd8
--- /dev/null
+++ b/queue-5.10/ib-uverbs-fix-an-potential-error-pointer-dereference.patch
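Review bot: After this change nmk_rng_remove() (nomadik-rng.c) releases only the AMBA regions, and nothing in the code says that the clock, the `devm_ioremap()` mapping and, per the commit message, the hwrng registration are torn down by devres after the callback returns. A comment in the function such as `/* clock, mapping and hwrng are devres-managed and are released after this returns */` would stop a later change from re-adding a manual clock disable and reopening the window the patch closes. For the 5.10 queue it is also worth confirming that `devm_clk_get_enabled()` is available in that tree, since this patch uses the helper but does not introduce it.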
@@ -0,0 +1,42 @@
+From 55bd03e7c42b8d52138e549f48bcdde94d3fb981 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 4 Aug 2023 10:25:25 +0800
+Subject: IB/uverbs: Fix an potential error pointer dereference
+
+From: Xiang Yang
+
+[ Upstream commit 26b7d1a27167e7adf75b150755e05d2bc123ce55 ]
+
+smatch reports the warning below:
+drivers/infiniband/core/uverbs_std_types_counters.c:110
+ib_uverbs_handler_UVERBS_METHOD_COUNTERS_READ() error: 'uattr'
+dereferencing possible ERR_PTR()
+
+The return value of uattr maybe ERR_PTR(-ENOENT), fix this by checking
+the value of uattr before using it.
+
+Fixes: ebb6796bd397 ("IB/uverbs: Add read counters support")
+Signed-off-by: Xiang Yang
+Link: https://lore.kernel.org/r/20230804022525.1916766-1-xiangyang3@huawei.com
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Sasha Levin
+---
+ drivers/infiniband/core/uverbs_std_types_counters.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/infiniband/core/uverbs_std_types_counters.c b/drivers/infiniband/core/uverbs_std_types_counters.c
+index b3c6c066b6010..c61b10fbf90a9 100644
+--- a/drivers/infiniband/core/uverbs_std_types_counters.c
++++ b/drivers/infiniband/core/uverbs_std_types_counters.c
+@@ -108,6 +108,8 @@ static int UVERBS_HANDLER(UVERBS_METHOD_COUNTERS_READ)(
+ return ret;
+
+ uattr = uverbs_attr_get(attrs, UVERBS_ATTR_READ_COUNTERS_BUFF);
++ if (IS_ERR(uattr))
++ return PTR_ERR(uattr);
+ read_attr.ncounters = uattr->ptr_attr.len / sizeof(u64);
+ read_attr.counters_buff = uverbs_zalloc(
+ attrs, array_size(read_attr.ncounters, sizeof(u64)));
+--
+2.40.1
+
diff --git a/queue-5.10/ice-ice_aq_check_events-fix-off-by-one-check-when-fi.patch b/queue-5.10/ice-ice_aq_check_events-fix-off-by-one-check-when-fi.patch
new file mode 100644
index 00000000000..d029cd3bc32
--- /dev/null
+++ b/queue-5.10/ice-ice_aq_check_events-fix-off-by-one-check-when-fi.patch
@@ -0,0 +1,60 @@
+From 144956d6c2f9cc872e5755240ba43763f2a7d446 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 8 Aug 2023 17:54:15 -0400
+Subject: ice: ice_aq_check_events: fix off-by-one check when filling buffer
+
+From: Przemek Kitszel
+
+[ Upstream commit e1e8a142c43336e3d25bfa1cb3a4ae7d00875c48 ]
+
+Allow task's event buffer to be filled also in the case that it's size
+is exactly the size of the message.
+
+Fixes: d69ea414c9b4 ("ice: implement device flash update via devlink")
+Reviewed-by: Jacob Keller
+Signed-off-by: Przemek Kitszel
+Reviewed-by: Simon Horman
+Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/ice/ice_main.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c
+index 4f0d63fa5709b..d2ee760f92942 100644
+--- a/drivers/net/ethernet/intel/ice/ice_main.c
++++ b/drivers/net/ethernet/intel/ice/ice_main.c
+@@ -1137,6 +1137,7 @@ int ice_aq_wait_for_event(struct ice_pf *pf, u16 opcode, unsigned long timeout,
+ static void ice_aq_check_events(struct ice_pf *pf, u16 opcode,
+ struct ice_rq_event_info *event)
+ {
++ struct ice_rq_event_info *task_ev;
+ struct ice_aq_task *task;
+ bool found = false;
+
+@@ -1145,15 +1146,15 @@ static void ice_aq_check_events(struct ice_pf *pf, u16 opcode,
+ if (task->state || task->opcode != opcode)
+ continue;
+
+- memcpy(&task->event->desc, &event->desc, sizeof(event->desc));
+- task->event->msg_len = event->msg_len;
++ task_ev = task->event;
++ memcpy(&task_ev->desc, &event->desc, sizeof(event->desc));
++ task_ev->msg_len = event->msg_len;
+
+ /* Only copy the data buffer if a destination was set */
+- if (task->event->msg_buf &&
+- task->event->buf_len > event->buf_len) {
+- memcpy(task->event->msg_buf, event->msg_buf,
++ if (task_ev->msg_buf && task_ev->buf_len >= event->buf_len) {
++ memcpy(task_ev->msg_buf, event->msg_buf,
+ event->buf_len);
+- task->event->buf_len = event->buf_len;
++ task_ev->buf_len = event->buf_len;
+ }
+
+ task->state = ICE_AQ_TASK_COMPLETE;
+--
+2.40.1
+
diff --git a/queue-5.10/ima-remove-deprecated-ima_trusted_keyring-kconfig.patch b/queue-5.10/ima-remove-deprecated-ima_trusted_keyring-kconfig.patch
new file mode 100644
index 00000000000..80538ad7b98
--- /dev/null
+++ b/queue-5.10/ima-remove-deprecated-ima_trusted_keyring-kconfig.patch
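Review bot: In ice_aq_check_events() (ice_main.c) `task_ev->msg_len = event->msg_len;` is assigned ahead of, and independently of, the size test, so when the waiter supplied a `msg_buf` that is smaller than `event->buf_len` the copy is skipped yet the task is still marked `ICE_AQ_TASK_COMPLETE` with a length describing data that never reached its buffer. A waiter that trusts `msg_len` would then read stale or uninitialised bytes. Handle that case explicitly, for example with an `else if (task_ev->msg_buf)` branch that zeroes `task_ev->msg_len` and logs the truncation; how waiters consume the event is outside the hunk and should be checked against whichever behaviour is chosen.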
@@ -0,0 +1,45 @@
+From fd6e7b80b5d50ed65ed1f4cd6e7b646af73b2dd6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 11 Jul 2023 12:44:47 -0400
+Subject: ima: Remove deprecated IMA_TRUSTED_KEYRING Kconfig
+
+From: Nayna Jain
+
+[ Upstream commit 5087fd9e80e539d2163accd045b73da64de7de95 ]
+
+Time to remove "IMA_TRUSTED_KEYRING".
+
+Fixes: f4dc37785e9b ("integrity: define '.evm' as a builtin 'trusted' keyring") # v4.5+
+Signed-off-by: Nayna Jain
+Signed-off-by: Mimi Zohar
+Signed-off-by: Sasha Levin
+---
+ security/integrity/ima/Kconfig | 12 ------------
+ 1 file changed, 12 deletions(-)
+
+diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
+index 0a5ae1e8da47a..05b8f5bcc37ac 100644
+--- a/security/integrity/ima/Kconfig
++++ b/security/integrity/ima/Kconfig
+@@ -248,18 +248,6 @@ config IMA_APPRAISE_MODSIG
+ The modsig keyword can be used in the IMA policy to allow a hook
+ to accept such signatures.
+
+-config IMA_TRUSTED_KEYRING
+- bool "Require all keys on the .ima keyring be signed (deprecated)"
+- depends on IMA_APPRAISE && SYSTEM_TRUSTED_KEYRING
+- depends on INTEGRITY_ASYMMETRIC_KEYS
+- select INTEGRITY_TRUSTED_KEYRING
+- default y
+- help
+- This option requires that all keys added to the .ima
+- keyring be signed by a key on the system trusted keyring.
+-
+- This option is deprecated in favor of INTEGRITY_TRUSTED_KEYRING
+-
+ config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
+ bool "Permit keys validly signed by a built-in or secondary CA cert (EXPERIMENTAL)"
+ depends on SYSTEM_TRUSTED_KEYRING
+--
+2.40.1
+
diff --git a/queue-5.10/iommu-qcom-disable-and-reset-context-bank-before-pro.patch b/queue-5.10/iommu-qcom-disable-and-reset-context-bank-before-pro.patch
new file mode 100644
index 00000000000..0d336801ff5
--- /dev/null
+++ b/queue-5.10/iommu-qcom-disable-and-reset-context-bank-before-pro.patch
@@ -0,0 +1,47 @@
+From 4da8f3e276823205dd0703e273f3631757697945 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 22 Jun 2023 11:27:39 +0200
+Subject: iommu/qcom: Disable and reset context bank before programming
+
+From: AngeloGioacchino Del Regno
+
+[ Upstream commit 9f3fef23d9b5a858a6e6d5f478bb1b6b76265e76 ]
+
+Writing the new TTBRs, TCRs and MAIRs on a previously enabled
+context bank may trigger a context fault, resulting in firmware
+driven AP resets: change the domain initialization programming
+sequence to disable the context bank(s) and to also clear the
+related fault address (CB_FAR) and fault status (CB_FSR)
+registers before writing new values to TTBR0/1, TCR/TCR2, MAIR0/1.
+
+Fixes: 0ae349a0f33f ("iommu/qcom: Add qcom_iommu")
+Signed-off-by: AngeloGioacchino Del Regno
+Reviewed-by: Konrad Dybcio
+Link: https://lore.kernel.org/r/20230622092742.74819-4-angelogioacchino.delregno@collabora.com
+Signed-off-by: Will Deacon
+Signed-off-by: Sasha Levin
+---
+ drivers/iommu/arm/arm-smmu/qcom_iommu.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/iommu/arm/arm-smmu/qcom_iommu.c b/drivers/iommu/arm/arm-smmu/qcom_iommu.c
+index a24390c548a91..37c8f75a35801 100644
+--- a/drivers/iommu/arm/arm-smmu/qcom_iommu.c
++++ b/drivers/iommu/arm/arm-smmu/qcom_iommu.c
+@@ -283,6 +283,13 @@ static int qcom_iommu_init_domain(struct iommu_domain *domain,
+ ctx->secure_init = true;
+ }
+
++ /* Disable context bank before programming */
++ iommu_writel(ctx, ARM_SMMU_CB_SCTLR, 0);
++
++ /* Clear context bank fault address fault status registers */
++ iommu_writel(ctx, ARM_SMMU_CB_FAR, 0);
++ iommu_writel(ctx, ARM_SMMU_CB_FSR, ARM_SMMU_FSR_FAULT);
++
+ /* TTBRs */
+ iommu_writeq(ctx, ARM_SMMU_CB_TTBR0,
+ pgtbl_cfg.arm_lpae_s1_cfg.ttbr |
+--
+2.40.1
+
diff --git a/queue-5.10/iommu-vt-d-fix-to-flush-cache-of-pasid-directory-tab.patch b/queue-5.10/iommu-vt-d-fix-to-flush-cache-of-pasid-directory-tab.patch
new file mode 100644
index 00000000000..19d12eacc1f
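Review bot: In qcom_iommu_init_domain() (qcom_iommu.c) `ARM_SMMU_CB_FAR` is cleared with the 32-bit `iommu_writel()`, while the TTBR programming a few lines below uses `iommu_writeq()`. If the fault address register is 64 bits wide on these context banks (worth confirming against how the fault handler, outside the hunk, reads it), the upper word keeps its stale value and a later fault report could mix old and new address bits; `iommu_writeq(ctx, ARM_SMMU_CB_FAR, 0);` clears both halves. The new comment also drops a word and would read better as `/* Clear context bank fault address and fault status registers */`.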
--- /dev/null
+++ b/queue-5.10/iommu-vt-d-fix-to-flush-cache-of-pasid-directory-tab.patch
@@ -0,0 +1,44 @@
+From b74a0fa172f8598559e4665146012c3f7b09c284 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 9 Aug 2023 20:48:04 +0800
+Subject: iommu/vt-d: Fix to flush cache of PASID directory table
+
+From: Yanfei Xu
+
+[ Upstream commit 8a3b8e63f8371c1247b7aa24ff9c5312f1a6948b ]
+
+Even the PCI devices don't support pasid capability, PASID table is
+mandatory for a PCI device in scalable mode. However flushing cache
+of pasid directory table for these devices are not taken after pasid
+table is allocated as the "size" of table is zero. Fix it by
+calculating the size by page order.
+
+Found this when reading the code, no real problem encountered for now.
+
+Fixes: 194b3348bdbb ("iommu/vt-d: Fix PASID directory pointer coherency")
+Suggested-by: Lu Baolu
+Signed-off-by: Yanfei Xu
+Link: https://lore.kernel.org/r/20230616081045.721873-1-yanfei.xu@intel.com
+Signed-off-by: Lu Baolu
+Signed-off-by: Joerg Roedel
+Signed-off-by: Sasha Levin
+---
+ drivers/iommu/intel/pasid.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/iommu/intel/pasid.c b/drivers/iommu/intel/pasid.c
+index 80d6412e2c546..9b24e8224379e 100644
+--- a/drivers/iommu/intel/pasid.c
++++ b/drivers/iommu/intel/pasid.c
+@@ -187,7 +187,7 @@ int intel_pasid_alloc_table(struct device *dev)
+ device_attach_pasid_table(info, pasid_table);
+
+ if (!ecap_coherent(info->iommu->ecap))
+- clflush_cache_range(pasid_table->table, size);
++ clflush_cache_range(pasid_table->table, (1 << order) * PAGE_SIZE);
+
+ return 0;
+ }
+--
+2.40.1
+
diff --git a/queue-5.10/ipmi-ssif-add-check-for-kstrdup.patch b/queue-5.10/ipmi-ssif-add-check-for-kstrdup.patch
new file mode 100644
index 00000000000..8ac6f57bb7c
--- /dev/null
+++ b/queue-5.10/ipmi-ssif-add-check-for-kstrdup.patch
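Review bot: `(1 << order) * PAGE_SIZE` in intel_pasid_alloc_table() (intel/pasid.c) recomputes the table size at the flush site with an `int` shift; `PAGE_SIZE << order` is the usual kernel spelling and keeps the arithmetic in `unsigned long`, giving `clflush_cache_range(pasid_table->table, PAGE_SIZE << order);`. Because the flushed length is now derived separately from wherever the allocation size is computed (outside the hunk), a short comment tying the two together would keep them from drifting apart. The commit message says the local `size` is zero for these devices, so it is worth checking whether `size` still has any reader after this change.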
@@ -0,0 +1,40 @@
+From d62ed1f1cfe268ba582549791e40b1b151ce2c98 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 19 Jun 2023 17:28:02 +0800
+Subject: ipmi:ssif: Add check for kstrdup
+
+From: Jiasheng Jiang
+
+[ Upstream commit c5586d0f711e9744d0cade39b0c4a2d116a333ca ]
+
+Add check for the return value of kstrdup() and return the error
+if it fails in order to avoid NULL pointer dereference.
+
+Fixes: c4436c9149c5 ("ipmi_ssif: avoid registering duplicate ssif interface")
+Signed-off-by: Jiasheng Jiang
+Message-Id: <20230619092802.35384-1-jiasheng@iscas.ac.cn>
+Signed-off-by: Corey Minyard
+Signed-off-by: Sasha Levin
+---
+ drivers/char/ipmi/ipmi_ssif.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/char/ipmi/ipmi_ssif.c b/drivers/char/ipmi/ipmi_ssif.c
+index a3745fa643f3b..87aa12ab8c66f 100644
+--- a/drivers/char/ipmi/ipmi_ssif.c
++++ b/drivers/char/ipmi/ipmi_ssif.c
+@@ -1614,6 +1614,11 @@ static int ssif_add_infos(struct i2c_client *client)
+ info->addr_src = SI_ACPI;
+ info->client = client;
+ info->adapter_name = kstrdup(client->adapter->name, GFP_KERNEL);
++ if (!info->adapter_name) {
++ kfree(info);
++ return -ENOMEM;
++ }
++
+ info->binfo.addr = client->addr;
+ list_add_tail(&info->link, &ssif_infos);
+ return 0;
+--
+2.40.1
+
diff --git a/queue-5.10/ipmi-ssif-fix-a-memory-leak-when-scanning-for-an-ada.patch b/queue-5.10/ipmi-ssif-fix-a-memory-leak-when-scanning-for-an-ada.patch
new file mode 100644
index 00000000000..585c07ffae8
--- /dev/null
+++ b/queue-5.10/ipmi-ssif-fix-a-memory-leak-when-scanning-for-an-ada.patch
@@ -0,0 +1,37 @@
+From d904735a7579b9be0893a1bdeff2043f796710c4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 19 Jun 2023 11:43:33 -0500
+Subject: ipmi:ssif: Fix a memory leak when scanning for an adapter
+
+From: Corey Minyard
+
+[ Upstream commit b8d72e32e1453d37ee5c8a219f24e7eeadc471ef ]
+
+The adapter scan ssif_info_find() sets info->adapter_name if the adapter
+info came from SMBIOS, as it's not set in that case. However, this
+function can be called more than once, and it will leak the adapter name
+if it had already been set. So check for NULL before setting it.
+
+Fixes: c4436c9149c5 ("ipmi_ssif: avoid registering duplicate ssif interface")
+Signed-off-by: Corey Minyard
+Signed-off-by: Sasha Levin
+---
+ drivers/char/ipmi/ipmi_ssif.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/char/ipmi/ipmi_ssif.c b/drivers/char/ipmi/ipmi_ssif.c
+index 87aa12ab8c66f..30f757249c5c0 100644
+--- a/drivers/char/ipmi/ipmi_ssif.c
++++ b/drivers/char/ipmi/ipmi_ssif.c
+@@ -1414,7 +1414,7 @@ static struct ssif_addr_info *ssif_info_find(unsigned short addr,
+ restart:
+ list_for_each_entry(info, &ssif_infos, link) {
+ if (info->binfo.addr == addr) {
+- if (info->addr_src == SI_SMBIOS)
++ if (info->addr_src == SI_SMBIOS && !info->adapter_name)
+ info->adapter_name = kstrdup(adapter_name,
+ GFP_KERNEL);
+
+--
+2.40.1
+
diff --git a/queue-5.10/jfs-validate-max-amount-of-blocks-before-allocation.patch b/queue-5.10/jfs-validate-max-amount-of-blocks-before-allocation.patch
new file mode 100644
index 00000000000..e820aac14ae
--- /dev/null
+++ b/queue-5.10/jfs-validate-max-amount-of-blocks-before-allocation.patch
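Review bot: In ssif_info_find() (ipmi_ssif.c) the `kstrdup(adapter_name, GFP_KERNEL)` result is still stored unchecked, whereas the companion patch in this queue adds a NULL check for the same field in ssif_add_infos(). With the new `!info->adapter_name` condition a failed allocation is simply retried on the next call, which is reasonable, but it means the code after the hunk must cope with `info->adapter_name == NULL`. Once that is confirmed, a comment such as `/* may stay NULL on allocation failure; handled by the comparison below */` would make the asymmetry with ssif_add_infos() deliberate rather than accidental. The loop body continues outside the hunk.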
@@ -0,0 +1,42 @@
+From a58eba0fd27dd78be615698768f30f1161193ebf Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 19 Aug 2023 20:32:16 +0300
+Subject: jfs: validate max amount of blocks before allocation.
+
+From: Alexei Filippov
+
+[ Upstream commit 0225e10972fa809728b8d4c1bd2772b3ec3fdb57 ]
+
+The lack of checking bmp->db_max_freebud in extBalloc() can lead to
+shift out of bounds, so this patch prevents undefined behavior, because
+bmp->db_max_freebud == -1 only if there is no free space.
+
+Signed-off-by: Aleksei Filippov
+Signed-off-by: Dave Kleikamp
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-and-tested-by: syzbot+5f088f29593e6b4c8db8@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?id=01abadbd6ae6a08b1f1987aa61554c6b3ac19ff2
+Signed-off-by: Sasha Levin
+---
+ fs/jfs/jfs_extent.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/fs/jfs/jfs_extent.c b/fs/jfs/jfs_extent.c
+index f65bd6b35412b..d4e063dbb9a0b 100644
+--- a/fs/jfs/jfs_extent.c
++++ b/fs/jfs/jfs_extent.c
+@@ -508,6 +508,11 @@ extBalloc(struct inode *ip, s64 hint, s64 * nblocks, s64 * blkno)
+ * blocks in the map. in that case, we'll start off with the
+ * maximum free.
+ */
++
++ /* give up if no space left */
++ if (bmp->db_maxfreebud == -1)
++ return -ENOSPC;
++
+ max = (s64) 1 << bmp->db_maxfreebud;
+ if (*nblocks >= max && *nblocks > nbperpage)
+ nb = nblks = (max > nbperpage) ? max : nbperpage;
+--
+2.40.1
+
diff --git a/queue-5.10/leds-fix-bug_on-check-for-led_color_id_multi-that-is.patch b/queue-5.10/leds-fix-bug_on-check-for-led_color_id_multi-that-is.patch
new file mode 100644
index 00000000000..8cff9de24fa
--- /dev/null
+++ b/queue-5.10/leds-fix-bug_on-check-for-led_color_id_multi-that-is.patch
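Review bot: The new guard in extBalloc() (jfs_extent.c) rejects only `bmp->db_maxfreebud == -1`; any other value outside the valid shift range for an `s64` still reaches `max = (s64) 1 << bmp->db_maxfreebud;` on the next line. The commit cites a syzbot report, so if this field can be influenced by a crafted on-disk image (where `bmp` is loaded is outside the hunk), a range test is the safer form: `if (bmp->db_maxfreebud < 0 || bmp->db_maxfreebud > MAX_BUD_PLACEHOLDER) return -ENOSPC;`, where `MAX_BUD_PLACEHOLDER` stands for the map's real upper limit, which is not visible here. Returning an I/O or corruption error for the out-of-range case, rather than -ENOSPC, would also keep "disk full" distinguishable from "bad metadata".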
@@ -0,0 +1,54 @@
+From 1d448bf34bcca7f771dc8a0aac7ad81fd85207f7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 1 Aug 2023 17:16:23 +0200
+Subject: leds: Fix BUG_ON check for LED_COLOR_ID_MULTI that is always false
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Marek Behún
+
+[ Upstream commit c3f853184bed04105682383c2971798c572226b5 ]
+
+At the time we call
+ BUG_ON(props.color == LED_COLOR_ID_MULTI);
+the props variable is still initialized to zero.
+
+Call the BUG_ON only after we parse fwnode into props.
+
+Fixes: 77dce3a22e89 ("leds: disallow /sys/class/leds/*:multi:* for now")
+Signed-off-by: Marek Behún
+Link: https://lore.kernel.org/r/20230801151623.30387-1-kabel@kernel.org
+Signed-off-by: Lee Jones
+Signed-off-by: Sasha Levin
+---
+ drivers/leds/led-core.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/leds/led-core.c b/drivers/leds/led-core.c
+index c4e780bdb3852..2cf5897339ac1 100644
+--- a/drivers/leds/led-core.c
++++ b/drivers/leds/led-core.c
+@@ -425,15 +425,15 @@ int led_compose_name(struct device *dev, struct led_init_data *init_data,
+ struct fwnode_handle *fwnode = init_data->fwnode;
+ const char *devicename = init_data->devicename;
+
+- /* We want to label LEDs that can produce full range of colors
+- * as RGB, not multicolor */
+- BUG_ON(props.color == LED_COLOR_ID_MULTI);
+-
+ if (!led_classdev_name)
+ return -EINVAL;
+
+ led_parse_fwnode_props(dev, fwnode, &props);
+
++ /* We want to label LEDs that can produce full range of colors
++ * as RGB, not multicolor */
++ BUG_ON(props.color == LED_COLOR_ID_MULTI);
++
+ if (props.label) {
+ /*
+ * If init_data.devicename is NULL, then it indicates that
+--
+2.40.1
+
diff --git a/queue-5.10/lwt-check-lwtunnel_xmit_continue-strictly.patch b/queue-5.10/lwt-check-lwtunnel_xmit_continue-strictly.patch
new file mode 100644
index 00000000000..b84dd98b965
--- /dev/null
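Review bot: Now that `BUG_ON(props.color == LED_COLOR_ID_MULTI)` in led_compose_name() runs after `led_parse_fwnode_props()`, the condition depends on properties that are presumably read from the firmware node, so it can actually fire and halt the kernel over the naming of a single LED. The function already returns `-EINVAL` for a bad argument a few lines up, so rejecting the node is less disruptive: `if (WARN_ON(props.color == LED_COLOR_ID_MULTI)) return -EINVAL;`. The moved comment would also read better in the usual multi-line form, with the closing `*/` on its own line. The function body continues past the hunk.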
+++ b/queue-5.10/lwt-check-lwtunnel_xmit_continue-strictly.patch 
@@ -0,0 +1,78 @@
+From be0fc84ebbc27f5074493bcfbc8d70d2718feb12 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 17 Aug 2023 19:58:14 -0700
+Subject: lwt: Check LWTUNNEL_XMIT_CONTINUE strictly
+
+From: Yan Zhai
+
+[ Upstream commit a171fbec88a2c730b108c7147ac5e7b2f5a02b47 ]
+
+LWTUNNEL_XMIT_CONTINUE is implicitly assumed in ip(6)_finish_output2,
+such that any positive return value from a xmit hook could cause
+unexpected continue behavior, despite that related skb may have been
+freed. This could be error-prone for future xmit hook ops. One of the
+possible errors is to return statuses of dst_output directly.
+
+To make the code safer, redefine LWTUNNEL_XMIT_CONTINUE value to
+distinguish from dst_output statuses and check the continue
+condition explicitly.
+
+Fixes: 3a0af8fd61f9 ("bpf: BPF for lightweight tunnel infrastructure")
+Suggested-by: Dan Carpenter
+Signed-off-by: Yan Zhai
+Signed-off-by: Daniel Borkmann
+Link: https://lore.kernel.org/bpf/96b939b85eda00e8df4f7c080f770970a4c5f698.1692326837.git.yan@cloudflare.com
+Signed-off-by: Sasha Levin
+---
+ include/net/lwtunnel.h | 5 ++++-
+ net/ipv4/ip_output.c | 2 +-
+ net/ipv6/ip6_output.c | 2 +-
+ 3 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/include/net/lwtunnel.h b/include/net/lwtunnel.h
+index 05cfd6ff65287..d4a90eca1921a 100644
+--- a/include/net/lwtunnel.h
++++ b/include/net/lwtunnel.h
+@@ -16,9 +16,12 @@
+ #define LWTUNNEL_STATE_INPUT_REDIRECT BIT(1)
+ #define LWTUNNEL_STATE_XMIT_REDIRECT BIT(2)
+
++/* LWTUNNEL_XMIT_CONTINUE should be distinguishable from dst_output return
++ * values (NET_XMIT_xxx and NETDEV_TX_xxx in linux/netdevice.h) for safety.
++ */
+ enum {
+ LWTUNNEL_XMIT_DONE,
+- LWTUNNEL_XMIT_CONTINUE,
++ LWTUNNEL_XMIT_CONTINUE = 0x100,
+ };
+
+
+diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
+index 6fd04f2f8b40c..a99c374101fc5 100644
+--- a/net/ipv4/ip_output.c
++++ b/net/ipv4/ip_output.c
+@@ -223,7 +223,7 @@ static int ip_finish_output2(struct net *net, struct sock *sk, struct sk_buff *s
+ if (lwtunnel_xmit_redirect(dst->lwtstate)) {
+ int res = lwtunnel_xmit(skb);
+
+- if (res < 0 || res == LWTUNNEL_XMIT_DONE)
++ if (res != LWTUNNEL_XMIT_CONTINUE)
+ return res;
+ }
+
+diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
+index c62e44224bf84..58b5ab5fcdbf1 100644
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -131,7 +131,7 @@ static int ip6_finish_output2(struct net *net, struct sock *sk, struct sk_buff *
+ if (lwtunnel_xmit_redirect(dst->lwtstate)) {
+ int res = lwtunnel_xmit(skb);
+
+- if (res < 0 || res == LWTUNNEL_XMIT_DONE)
++ if (res != LWTUNNEL_XMIT_CONTINUE)
+ return res;
+ }
+
+--
+2.40.1
+
diff --git a/queue-5.10/lwt-fix-return-values-of-bpf-xmit-ops.patch b/queue-5.10/lwt-fix-return-values-of-bpf-xmit-ops.patch
new file mode 100644
index 00000000000..15411f3f87b
--- /dev/null
+++ b/queue-5.10/lwt-fix-return-values-of-bpf-xmit-ops.patch
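Review bot: The value `LWTUNNEL_XMIT_CONTINUE = 0x100` in include/net/lwtunnel.h is safe only while no dst_output status can equal it, and that invariant is recorded in the new comment but not enforced. A compile-time check next to one of the two `res != LWTUNNEL_XMIT_CONTINUE` tests would fail the build if the status constants ever grow into that range, e.g. `BUILD_BUG_ON(LWTUNNEL_XMIT_CONTINUE <= NETDEV_TX_BUSY);`, assuming NETDEV_TX_BUSY is the largest positive status involved. Both ip_finish_output2() and ip6_finish_output2() continue outside their hunks.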
@@ -0,0 +1,63 @@
+From 39ed4c6554b2f1598d673b3eab6d50836270ef34 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 17 Aug 2023 19:58:11 -0700
+Subject: lwt: Fix return values of BPF xmit ops
+
+From: Yan Zhai
+
+[ Upstream commit 29b22badb7a84b783e3a4fffca16f7768fb31205 ]
+
+BPF encap ops can return different types of positive values, such like
+NET_RX_DROP, NET_XMIT_CN, NETDEV_TX_BUSY, and so on, from function
+skb_do_redirect and bpf_lwt_xmit_reroute. At the xmit hook, such return
+values would be treated implicitly as LWTUNNEL_XMIT_CONTINUE in
+ip(6)_finish_output2. When this happens, skbs that have been freed would
+continue to the neighbor subsystem, causing use-after-free bug and
+kernel crashes.
+
+To fix the incorrect behavior, skb_do_redirect return values can be
+simply discarded, the same as tc-egress behavior. On the other hand,
+bpf_lwt_xmit_reroute returns useful errors to local senders, e.g. PMTU
+information. Thus convert its return values to avoid the conflict with
+LWTUNNEL_XMIT_CONTINUE.
+
+Fixes: 3a0af8fd61f9 ("bpf: BPF for lightweight tunnel infrastructure")
+Reported-by: Jordan Griege
+Suggested-by: Martin KaFai Lau
+Suggested-by: Stanislav Fomichev
+Signed-off-by: Yan Zhai
+Signed-off-by: Daniel Borkmann
+Link: https://lore.kernel.org/bpf/0d2b878186cfe215fec6b45769c1cd0591d3628d.1692326837.git.yan@cloudflare.com
+Signed-off-by: Sasha Levin
+---
+ net/core/lwt_bpf.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/net/core/lwt_bpf.c b/net/core/lwt_bpf.c
+index 3fd207fe1284a..f6c327c7badb4 100644
+--- a/net/core/lwt_bpf.c
++++ b/net/core/lwt_bpf.c
+@@ -59,9 +59,8 @@ static int run_lwt_bpf(struct sk_buff *skb, struct bpf_lwt_prog *lwt,
+ ret = BPF_OK;
+ } else {
+ skb_reset_mac_header(skb);
+- ret = skb_do_redirect(skb);
+- if (ret == 0)
+- ret = BPF_REDIRECT;
++ skb_do_redirect(skb);
++ ret = BPF_REDIRECT;
+ }
+ break;
+
+@@ -254,7 +253,7 @@ static int bpf_lwt_xmit_reroute(struct sk_buff *skb)
+
+ err = dst_output(dev_net(skb_dst(skb)->dev), skb->sk, skb);
+ if (unlikely(err))
+- return err;
++ return net_xmit_errno(err);
+
+ /* ip[6]_finish_output2 understand LWTUNNEL_XMIT_DONE */
+ return LWTUNNEL_XMIT_DONE;
+--
+2.40.1
+
diff --git a/queue-5.10/md-bitmap-don-t-set-max_write_behind-if-there-is-no-.patch b/queue-5.10/md-bitmap-don-t-set-max_write_behind-if-there-is-no-.patch
new file mode 100644
index 00000000000..f41749245a2
--- /dev/null
+++ b/queue-5.10/md-bitmap-don-t-set-max_write_behind-if-there-is-no-.patch
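Review bot: In bpf_lwt_xmit_reroute() the new `return net_xmit_errno(err);` may flatten negative errno values. If `net_xmit_errno()` is the usual netdevice.h macro that yields 0 for NET_XMIT_CN and -ENOBUFS for everything else, an error such as the PMTU one the description wants to keep would reach the sender as -ENOBUFS. Converting only the positive statuses preserves it: `return err < 0 ? err : net_xmit_errno(err);`. In run_lwt_bpf() the result of `skb_do_redirect(skb)` is now dropped on purpose, and a comment such as `/* return value intentionally ignored, same as tc egress */` would stop a later reader from restoring the check. Both functions continue outside their hunks.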
@@ -0,0 +1,59 @@
+From 1131ab140e75a6e45362e1bbbe548bcd7b044e7c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 17 Oct 2021 21:50:17 +0800
+Subject: md/bitmap: don't set max_write_behind if there is no write mostly
+ device
+
+From: Guoqing Jiang
+
+[ Upstream commit 8c13ab115b577bd09097b9d77916732e97e31b7b ]
+
+We shouldn't set it since write behind IO should only happen to write
+mostly device.
+
+Signed-off-by: Guoqing Jiang
+Signed-off-by: Song Liu
+Stable-dep-of: 44abfa6a95df ("md/md-bitmap: hold 'reconfig_mutex' in backlog_store()")
+Signed-off-by: Sasha Levin
+---
+ drivers/md/md-bitmap.c | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+diff --git a/drivers/md/md-bitmap.c b/drivers/md/md-bitmap.c
+index f843ade442dec..eb8a2d5ba83f4 100644
+--- a/drivers/md/md-bitmap.c
++++ b/drivers/md/md-bitmap.c
+@@ -2476,11 +2476,30 @@ backlog_store(struct mddev *mddev, const char *buf, size_t len)
+ {
+ unsigned long backlog;
+ unsigned long old_mwb = mddev->bitmap_info.max_write_behind;
++ struct md_rdev *rdev;
++ bool has_write_mostly = false;
+ int rv = kstrtoul(buf, 10, &backlog);
+ if (rv)
+ return rv;
+ if (backlog > COUNTER_MAX)
+ return -EINVAL;
++
++ /*
++ * Without write mostly device, it doesn't make sense to set
++ * backlog for max_write_behind.
++ */
++ rdev_for_each(rdev, mddev) {
++ if (test_bit(WriteMostly, &rdev->flags)) {
++ has_write_mostly = true;
++ break;
++ }
++ }
++ if (!has_write_mostly) {
++ pr_warn_ratelimited("%s: can't set backlog, no write mostly device available\n",
++ mdname(mddev));
++ return -EINVAL;
++ }
++
+ mddev->bitmap_info.max_write_behind = backlog;
+ if (!backlog && mddev->serial_info_pool) {
+ /* serial_info_pool is not needed if backlog is zero */
+--
+2.40.1
+
diff --git a/queue-5.10/md-md-bitmap-hold-reconfig_mutex-in-backlog_store.patch b/queue-5.10/md-md-bitmap-hold-reconfig_mutex-in-backlog_store.patch
new file mode 100644
index 00000000000..9bb06d2c2b5
--- /dev/null
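Review bot: The new `if (!has_write_mostly)` rejection in backlog_store() applies to every value, including 0. On an array without a write-mostly device, a non-zero `max_write_behind` that is already set could then no longer be cleared through this attribute. Letting zero through keeps the reset path, e.g. `if (backlog && !has_write_mostly) {`. The function body continues outside the hunk.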
+++ b/queue-5.10/md-md-bitmap-hold-reconfig_mutex-in-backlog_store.patch
@@ -0,0 +1,62 @@
+From 32c93eadaa0f3e7f3dcc71d3adac6e2385266217 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 6 Jul 2023 16:37:27 +0800
+Subject: md/md-bitmap: hold 'reconfig_mutex' in backlog_store()
+
+From: Yu Kuai
+
+[ Upstream commit 44abfa6a95df425c0660d56043020b67e6d93ab8 ]
+
+Several reasons why 'reconfig_mutex' should be held:
+
+1) rdev_for_each() is not safe to be called without the lock, because
+ rdev can be removed concurrently.
+2) mddev_destroy_serial_pool() and mddev_create_serial_pool() should not
+ be called concurrently.
+3) mddev_suspend() from mddev_destroy/create_serial_pool() should be
+ protected by the lock.
+
+Fixes: 10c92fca636e ("md-bitmap: create and destroy wb_info_pool with the change of backlog")
+Signed-off-by: Yu Kuai
+Link: https://lore.kernel.org/r/20230706083727.608914-3-yukuai1@huaweicloud.com
+Signed-off-by: Song Liu
+Signed-off-by: Sasha Levin
+---
+ drivers/md/md-bitmap.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/md/md-bitmap.c b/drivers/md/md-bitmap.c
+index eb8a2d5ba83f4..d18ca119929e1 100644
+--- a/drivers/md/md-bitmap.c
++++ b/drivers/md/md-bitmap.c
+@@ -2484,6 +2484,10 @@ backlog_store(struct mddev *mddev, const char *buf, size_t len)
+ if (backlog > COUNTER_MAX)
+ return -EINVAL;
+
++ rv = mddev_lock(mddev);
++ if (rv)
++ return rv;
++
+ /*
+ * Without write mostly device, it doesn't make sense to set
+ * backlog for max_write_behind.
+@@ -2497,6 +2501,7 @@ backlog_store(struct mddev *mddev, const char *buf, size_t len)
+ if (!has_write_mostly) {
+ pr_warn_ratelimited("%s: can't set backlog, no write mostly device available\n",
+ mdname(mddev));
++ mddev_unlock(mddev);
+ return -EINVAL;
+ }
+
+@@ -2514,6 +2519,8 @@ backlog_store(struct mddev *mddev, const char *buf, size_t len)
+ }
+ if (old_mwb != backlog)
+ md_bitmap_update_sb(mddev->bitmap);
++
++ mddev_unlock(mddev);
+ return len;
+ }
+
+--
+2.40.1
+
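Review bot: `old_mwb` is still initialised from `mddev->bitmap_info.max_write_behind` in its declaration, which sits before the new `mddev_lock()`, so the `old_mwb != backlog` comparison near the end uses a value sampled outside the lock. The declaration is visible as context in the previous patch of this queue. Assigning it once the lock is held closes that window: `old_mwb = mddev->bitmap_info.max_write_behind;`. The lines between the second and third hunk are not shown; any early return there would also need `mddev_unlock(mddev)`, and a single `out:` label that unlocks would make that harder to miss.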
diff --git a/queue-5.10/md-raid1-free-the-r1bio-before-waiting-for-blocked-r.patch b/queue-5.10/md-raid1-free-the-r1bio-before-waiting-for-blocked-r.patch
new file mode 100644
index 00000000000..3931f3e3059
--- /dev/null
+++ b/queue-5.10/md-raid1-free-the-r1bio-before-waiting-for-blocked-r.patch
@@ -0,0 +1,55 @@
+From b76e91380c3bef29f4b3cf2a34717ffbb169cd6a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 14 Aug 2023 21:53:55 +0800
+Subject: md/raid1: free the r1bio before waiting for blocked rdev
+
+From: Xueshi Hu
+
+[ Upstream commit 992db13a4aee766c8bfbf046ad15c2db5fa7cab8 ]
+
+Raid1 reshape will change mempool and r1conf::raid_disks which are
+needed to free r1bio. allow_barrier() make a concurrent raid1_reshape()
+possible. So, free the in-flight r1bio before waiting blocked rdev.
+
+Fixes: 6bfe0b499082 ("md: support blocking writes to an array on device failure")
+Reviewed-by: Yu Kuai
+Signed-off-by: Xueshi Hu
+Link: https://lore.kernel.org/r/20230814135356.1113639-3-xueshi.hu@smartx.com
+Signed-off-by: Song Liu
+Signed-off-by: Sasha Levin
+---
+ drivers/md/raid1.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c
+index 6b5cc3f59fb39..84499c1385d11 100644
+--- a/drivers/md/raid1.c
++++ b/drivers/md/raid1.c
+@@ -1349,6 +1349,7 @@ static void raid1_write_request(struct mddev *mddev, struct bio *bio,
+ */
+ wait_barrier(conf, bio->bi_iter.bi_sector);
+
++ retry_write:
+ r1_bio = alloc_r1bio(mddev, bio);
+ r1_bio->sectors = max_write_sectors;
+
+@@ -1370,7 +1371,6 @@ static void raid1_write_request(struct mddev *mddev, struct bio *bio,
+ */
+
+ disks = conf->raid_disks * 2;
+- retry_write:
+ blocked_rdev = NULL;
+ rcu_read_lock();
+ max_sectors = r1_bio->sectors;
+@@ -1441,7 +1441,7 @@ static void raid1_write_request(struct mddev *mddev, struct bio *bio,
+ for (j = 0; j < i; j++)
+ if (r1_bio->bios[j])
+ rdev_dec_pending(conf->mirrors[j].rdev, mddev);
+- r1_bio->state = 0;
++ free_r1bio(r1_bio);
+ allow_barrier(conf, bio->bi_iter.bi_sector);
+ raid1_log(mddev, "wait rdev %d blocked", blocked_rdev->raid_disk);
+ md_wait_for_blocked_rdev(blocked_rdev, mddev);
+--
+2.40.1
+
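Review bot: Replacing `r1_bio->state = 0` with `free_r1bio(r1_bio)` in raid1_write_request() is safe only if every non-NULL `r1_bio->bios[j]` at that point is a bio the r1bio owns. The loop just above tests `r1_bio->bios[j]` only to drop the rdev reference and leaves the slots populated. If the earlier part of the function, outside the hunk, stores the caller's `bio` in those slots as a placeholder and free_r1bio() releases whatever the slots hold, the original bio could be put while the retry still uses it. Clearing each slot in that loop with `r1_bio->bios[j] = NULL;` after `rdev_dec_pending()` would avoid this; please confirm against free_r1bio().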
diff --git a/queue-5.10/md-raid1-hold-the-barrier-until-handle_read_error-fi.patch b/queue-5.10/md-raid1-hold-the-barrier-until-handle_read_error-fi.patch
new file mode 100644
index 00000000000..8998e7b8cb0
--- /dev/null
+++ b/queue-5.10/md-raid1-hold-the-barrier-until-handle_read_error-fi.patch
@@ -0,0 +1,53 @@
+From d5d3a37b342c80aa27183df78baa30a04b82e549 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 14 Aug 2023 21:53:56 +0800
+Subject: md/raid1: hold the barrier until handle_read_error() finishes
+
+From: Xueshi Hu
+
+[ Upstream commit c069da449a13669ffa754fd971747e7e17e7d691 ]
+
+handle_read_error() will call allow_barrier() to match the former barrier
+raising. However, it should put the allow_barrier() at the end to avoid a
+concurrent raid reshape.
+
+Fixes: 689389a06ce7 ("md/raid1: simplify handle_read_error().")
+Reviewed-by: Yu Kuai
+Signed-off-by: Xueshi Hu
+Link: https://lore.kernel.org/r/20230814135356.1113639-4-xueshi.hu@smartx.com
+Signed-off-by: Song Liu
+Signed-off-by: Sasha Levin
+---
+ drivers/md/raid1.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c
+index 84499c1385d11..021155617c803 100644
+--- a/drivers/md/raid1.c
++++ b/drivers/md/raid1.c
+@@ -2464,6 +2464,7 @@ static void handle_read_error(struct r1conf *conf, struct r1bio *r1_bio)
+ struct mddev *mddev = conf->mddev;
+ struct bio *bio;
+ struct md_rdev *rdev;
++ sector_t sector;
+
+ clear_bit(R1BIO_ReadError, &r1_bio->state);
+ /* we got a read error. Maybe the drive is bad. Maybe just
+@@ -2493,12 +2494,13 @@ static void handle_read_error(struct r1conf *conf, struct r1bio *r1_bio)
+ }
+
+ rdev_dec_pending(rdev, conf->mddev);
+- allow_barrier(conf, r1_bio->sector);
++ sector = r1_bio->sector;
+ bio = r1_bio->master_bio;
+
+ /* Reuse the old r1_bio so that the IO_BLOCKED settings are preserved */
+ r1_bio->state = 0;
+ raid1_read_request(mddev, bio, r1_bio->sectors, r1_bio);
++ allow_barrier(conf, sector);
+ }
+
+ static void raid1d(struct md_thread *thread)
+--
+2.40.1
+
diff --git a/queue-5.10/media-ad5820-drop-unsupported-ad5823-from-i2c_-and-o.patch b/queue-5.10/media-ad5820-drop-unsupported-ad5823-from-i2c_-and-o.patch
new file mode 100644
index 00000000000..19e7648eb9d
--- /dev/null
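Review bot: The reason `r1_bio->sector` is copied into the new local in handle_read_error() is not stated in the code, and without it the extra variable looks removable. Presumably `r1_bio` can no longer be relied on once `raid1_read_request()` has been handed it. If that is the reason, a comment at the assignment would record it: `/* r1_bio must not be touched after raid1_read_request(); keep the sector for allow_barrier() */`.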
+++ b/queue-5.10/media-ad5820-drop-unsupported-ad5823-from-i2c_-and-o.patch 
@@ -0,0 +1,66 @@
+From adcc3a4050391876be306b879f73d2406779c10a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 18 Jun 2023 20:17:40 +0200
+Subject: media: ad5820: Drop unsupported ad5823 from i2c_ and of_device_id
+ tables
+
+From: Hans de Goede
+
+[ Upstream commit f126ff7e4024f6704e6ec0d4137037568708a3c7 ]
+
+The supported ad5820 and ad5821 VCMs both use a single 16 bit register
+which is written by sending 2 bytes with the data directly after sending
+the i2c-client address.
+
+The ad5823 OTOH has a more typical i2c / smbus device setup with multiple
+8 bit registers where the first byte send after the i2c-client address is
+the register address and the actual data only starts from the second byte
+after the i2c-client address.
+
+The ad5823 i2c_ and of_device_id-s was added at the same time as
+the ad5821 ids with as rationale:
+
+"""
+Some camera modules also refer that AD5823 is a replacement of AD5820:
+https://download.kamami.com/p564094-OV8865_DS.pdf
+"""
+
+The AD5823 may be an electrical and functional replacement of the AD5820,
+but from a software pov it is not compatible at all and it is going to
+need its own driver, drop its id from the ad5820 driver.
+
+Fixes: b8bf73136bae ("media: ad5820: Add support for ad5821 and ad5823")
+Cc: Pavel Machek
+Cc: Ricardo Ribalda Delgado
+Signed-off-by: Hans de Goede
+Reviewed-by: Ricardo Ribalda
+Signed-off-by: Sakari Ailus
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/media/i2c/ad5820.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/media/i2c/ad5820.c b/drivers/media/i2c/ad5820.c
+index f55322eebf6d0..d2c69ee27f008 100644
+--- a/drivers/media/i2c/ad5820.c
++++ b/drivers/media/i2c/ad5820.c
+@@ -359,7 +359,6 @@ static int ad5820_remove(struct i2c_client *client)
+ static const struct i2c_device_id ad5820_id_table[] = {
+ { "ad5820", 0 },
+ { "ad5821", 0 },
+- { "ad5823", 0 },
+ { }
+ };
+ MODULE_DEVICE_TABLE(i2c, ad5820_id_table);
+@@ -367,7 +366,6 @@ MODULE_DEVICE_TABLE(i2c, ad5820_id_table);
+ static const struct of_device_id ad5820_of_table[] = {
+ { .compatible = "adi,ad5820" },
+ { .compatible = "adi,ad5821" },
+- { .compatible = "adi,ad5823" },
+ { }
+ };
+ MODULE_DEVICE_TABLE(of, ad5820_of_table);
+--
+2.40.1
+
diff --git a/queue-5.10/media-cx24120-add-retval-check-for-cx24120_message_s.patch b/queue-5.10/media-cx24120-add-retval-check-for-cx24120_message_s.patch
new file mode 100644
index 00000000000..b6ff925667a
--- /dev/null
+++ b/queue-5.10/media-cx24120-add-retval-check-for-cx24120_message_s.patch
@@ -0,0 +1,40 @@
+From cc391fbc0de866ce88e965e1dff5ad0ec5cce747 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 2 Jun 2023 01:55:01 -0700
+Subject: media: cx24120: Add retval check for cx24120_message_send()
+
+From: Daniil Dulov
+
+[ Upstream commit 96002c0ac824e1773d3f706b1f92e2a9f2988047 ]
+
+If cx24120_message_send() returns error, we should keep local struct
+unchanged.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 5afc9a25be8d ("[media] Add support for TechniSat Skystar S2")
+Signed-off-by: Daniil Dulov
+Signed-off-by: Hans Verkuil
+Signed-off-by: Sasha Levin
+---
+ drivers/media/dvb-frontends/cx24120.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/dvb-frontends/cx24120.c b/drivers/media/dvb-frontends/cx24120.c
+index 2464b63fe0cf4..307efef263f27 100644
+--- a/drivers/media/dvb-frontends/cx24120.c
++++ b/drivers/media/dvb-frontends/cx24120.c
+@@ -972,7 +972,9 @@ static void cx24120_set_clock_ratios(struct dvb_frontend *fe)
+ cmd.arg[8] = (clock_ratios_table[idx].rate >> 8) & 0xff;
+ cmd.arg[9] = (clock_ratios_table[idx].rate >> 0) & 0xff;
+
+- cx24120_message_send(state, &cmd);
++ ret = cx24120_message_send(state, &cmd);
++ if (ret != 0)
++ return;
+
+ /* Calculate ber window rates for stat work */
+ cx24120_calculate_ber_window(state, clock_ratios_table[idx].rate);
+--
+2.40.1
+
diff --git a/queue-5.10/media-dib7000p-fix-potential-division-by-zero.patch b/queue-5.10/media-dib7000p-fix-potential-division-by-zero.patch
new file mode 100644
index 00000000000..c26220ea8e5
--- /dev/null
+++ b/queue-5.10/media-dib7000p-fix-potential-division-by-zero.patch
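Review bot: The early `return` added to cx24120_set_clock_ratios() drops the error from `cx24120_message_send()` without a trace, and because the function is `void` the caller cannot learn that the clock ratios were not programmed. A log line before the return makes the failure diagnosable, e.g. `pr_err("cx24120: setting clock ratios failed (%d)\n", ret);`. The test itself would follow kernel style as `if (ret)`. `ret` is assumed to be declared earlier in the function, outside the hunk.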
@@ -0,0 +1,39 @@
+From d77c9a80ab0cb4886ef97b51d1de07f95ac0fca7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 24 Mar 2023 06:38:32 -0700
+Subject: media: dib7000p: Fix potential division by zero
+
+From: Daniil Dulov
+
+[ Upstream commit a1db7b2c5533fc67e2681eb5efc921a67bc7d5b8 ]
+
+Variable loopdiv can be assigned 0, then it is used as a denominator,
+without checking it for 0.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 713d54a8bd81 ("[media] DiB7090: add support for the dib7090 based")
+Signed-off-by: Daniil Dulov
+Signed-off-by: Hans Verkuil
+[hverkuil: (bw != NULL) -> bw]
+Signed-off-by: Sasha Levin
+---
+ drivers/media/dvb-frontends/dib7000p.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/dvb-frontends/dib7000p.c b/drivers/media/dvb-frontends/dib7000p.c
+index 55bee50aa8716..1f0b0690198ef 100644
+--- a/drivers/media/dvb-frontends/dib7000p.c
++++ b/drivers/media/dvb-frontends/dib7000p.c
+@@ -497,7 +497,7 @@ static int dib7000p_update_pll(struct dvb_frontend *fe, struct dibx000_bandwidth
+ prediv = reg_1856 & 0x3f;
+ loopdiv = (reg_1856 >> 6) & 0x3f;
+
+- if ((bw != NULL) && (bw->pll_prediv != prediv || bw->pll_ratio != loopdiv)) {
++ if (loopdiv && bw && (bw->pll_prediv != prediv || bw->pll_ratio != loopdiv)) {
+ dprintk("Updating pll (prediv: old = %d new = %d ; loopdiv : old = %d new = %d)\n", prediv, bw->pll_prediv, loopdiv, bw->pll_ratio);
+ reg_1856 &= 0xf000;
+ reg_1857 = dib7000p_read_word(state, 1857);
+--
+2.40.1
+
diff --git a/queue-5.10/media-dvb-usb-m920x-fix-a-potential-memory-leak-in-m.patch b/queue-5.10/media-dvb-usb-m920x-fix-a-potential-memory-leak-in-m.patch
new file mode 100644
index 00000000000..bc46a59958f
--- /dev/null
+++ b/queue-5.10/media-dvb-usb-m920x-fix-a-potential-memory-leak-in-m.patch
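Review bot: Folding `loopdiv &&` into the update condition in dib7000p_update_pll() makes a zero `loopdiv` field read back from `reg_1856` indistinguishable from "the PLL already matches `bw`": the whole block is skipped and nothing is logged. A separate test ahead of the condition would keep the two cases apart, e.g. `if (!loopdiv) { dprintk("invalid loopdiv read from PLL register\n"); return -EIO; }`, using whatever failure value the function already returns. The division that motivated the check is outside the hunk, so only the guard is visible here.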
@@ -0,0 +1,50 @@
+From 04dac8f89929a8e787e2c9fea16830af417c229c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 29 May 2023 07:58:36 +0200
+Subject: media: dvb-usb: m920x: Fix a potential memory leak in
+ m920x_i2c_xfer()
+
+From: Christophe JAILLET
+
+[ Upstream commit ea9ef6c2e001c5dc94bee35ebd1c8a98621cf7b8 ]
+
+'read' is freed when it is known to be NULL, but not when a read error
+occurs.
+
+Revert the logic to avoid a small leak, should a m920x_read() call fail.
+
+Fixes: a2ab06d7c4d6 ("media: m920x: don't use stack on USB reads")
+Signed-off-by: Christophe JAILLET
+Signed-off-by: Hans Verkuil
+Signed-off-by: Sasha Levin
+---
+ drivers/media/usb/dvb-usb/m920x.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/usb/dvb-usb/m920x.c b/drivers/media/usb/dvb-usb/m920x.c
+index 691e05833db19..da81fa189b5d5 100644
+--- a/drivers/media/usb/dvb-usb/m920x.c
++++ b/drivers/media/usb/dvb-usb/m920x.c
+@@ -277,7 +277,6 @@ static int m920x_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[], int nu
+ char *read = kmalloc(1, GFP_KERNEL);
+ if (!read) {
+ ret = -ENOMEM;
+- kfree(read);
+ goto unlock;
+ }
+
+@@ -288,8 +287,10 @@ static int m920x_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[], int nu
+
+ if ((ret = m920x_read(d->udev, M9206_I2C, 0x0,
+ 0x20 | stop,
+- read, 1)) != 0)
++ read, 1)) != 0) {
++ kfree(read);
+ goto unlock;
++ }
+ msg[i].buf[j] = read[0];
+ }
+
+--
+2.40.1
+
diff --git a/queue-5.10/media-go7007-remove-redundant-if-statement.patch b/queue-5.10/media-go7007-remove-redundant-if-statement.patch
new file mode 100644
index 00000000000..5a7f5e45bc4
--- /dev/null
+++ b/queue-5.10/media-go7007-remove-redundant-if-statement.patch
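Review bot: The fix in m920x_i2c_xfer() adds a second exit that has to remember `kfree(read)` before `goto unlock`, which is the pattern that produced the leak in the first place. Declaring the buffer outside the inner block and freeing it at a single label would remove the duplication; `kfree(NULL)` is a no-op, so that label can free unconditionally. Separating the call from the test, `ret = m920x_read(...);` followed by `if (ret) {`, would also drop the assignment inside the condition. The surrounding loop and the `unlock` label are outside the hunk.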
@@ -0,0 +1,43 @@
+From 236e9a5ea4464f97a588fc3b5beef2729ff9df99 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 27 Jul 2023 19:40:07 +0200
+Subject: media: go7007: Remove redundant if statement
+
+From: Colin Ian King
+
+[ Upstream commit f33cb49081da0ec5af0888f8ecbd566bd326eed1 ]
+
+The if statement that compares msgs[i].len != 3 is always false because
+it is in a code block where msg[i].len is equal to 3. The check is
+redundant and can be removed.
+
+As detected by cppcheck static analysis:
+drivers/media/usb/go7007/go7007-i2c.c:168:20: warning: Opposite inner
+'if' condition leads to a dead code block. [oppositeInnerCondition]
+
+Link: https://lore.kernel.org/linux-media/20230727174007.635572-1-colin.i.king@gmail.com
+
+Fixes: 866b8695d67e ("Staging: add the go7007 video driver")
+Signed-off-by: Colin Ian King
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/media/usb/go7007/go7007-i2c.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/media/usb/go7007/go7007-i2c.c b/drivers/media/usb/go7007/go7007-i2c.c
+index 38339dd2f83f7..2880370e45c8b 100644
+--- a/drivers/media/usb/go7007/go7007-i2c.c
++++ b/drivers/media/usb/go7007/go7007-i2c.c
+@@ -165,8 +165,6 @@ static int go7007_i2c_master_xfer(struct i2c_adapter *adapter,
+ } else if (msgs[i].len == 3) {
+ if (msgs[i].flags & I2C_M_RD)
+ return -EIO;
+- if (msgs[i].len != 3)
+- return -EIO;
+ if (go7007_i2c_xfer(go, msgs[i].addr, 0,
+ (msgs[i].buf[0] << 8) | msgs[i].buf[1],
+ 0x01, &msgs[i].buf[2]) < 0)
+--
+2.40.1
+
diff --git a/queue-5.10/media-i2c-ov2680-set-v4l2_ctrl_flag_modify_layout-on.patch b/queue-5.10/media-i2c-ov2680-set-v4l2_ctrl_flag_modify_layout-on.patch
new file mode 100644
index 00000000000..a71b27eda6e
--- /dev/null
+++ b/queue-5.10/media-i2c-ov2680-set-v4l2_ctrl_flag_modify_layout-on.patch
@@ -0,0 +1,41 @@
+From e9832e801ce8a0b8e613b531f5ee1693991668b3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 5 Dec 2022 15:21:45 +0000
+Subject: media: i2c: ov2680: Set V4L2_CTRL_FLAG_MODIFY_LAYOUT on flips
+
+From: Dave Stevenson
+
+[ Upstream commit 66274280b2c745d380508dc27b9a4dfd736e5eda ]
+
+The driver changes the Bayer order based on the flips, but
+does not define the control correctly with the
+V4L2_CTRL_FLAG_MODIFY_LAYOUT flag.
+
+Add the V4L2_CTRL_FLAG_MODIFY_LAYOUT flag.
+
+Signed-off-by: Dave Stevenson
+Acked-by: Rui Miguel Silva
+Signed-off-by: Sakari Ailus
+Signed-off-by: Mauro Carvalho Chehab
+Stable-dep-of: 7b5a42e6ae71 ("media: ov2680: Remove auto-gain and auto-exposure controls")
+Signed-off-by: Sasha Levin
+---
+ drivers/media/i2c/ov2680.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/media/i2c/ov2680.c b/drivers/media/i2c/ov2680.c
+index 59cdbc33658ce..cd0c083a4768a 100644
+--- a/drivers/media/i2c/ov2680.c
++++ b/drivers/media/i2c/ov2680.c
+@@ -966,6 +966,8 @@ static int ov2680_v4l2_register(struct ov2680_dev *sensor)
+
+ ctrls->gain->flags |= V4L2_CTRL_FLAG_VOLATILE;
+ ctrls->exposure->flags |= V4L2_CTRL_FLAG_VOLATILE;
++ ctrls->vflip->flags |= V4L2_CTRL_FLAG_MODIFY_LAYOUT;
++ ctrls->hflip->flags |= V4L2_CTRL_FLAG_MODIFY_LAYOUT;
+
+ v4l2_ctrl_auto_cluster(2, &ctrls->auto_gain, 0, true);
+ v4l2_ctrl_auto_cluster(2, &ctrls->auto_exp, 1, true);
+--
+2.40.1
+
diff --git a/queue-5.10/media-i2c-tvp5150-check-return-value-of-devm_kasprin.patch b/queue-5.10/media-i2c-tvp5150-check-return-value-of-devm_kasprin.patch
new file mode 100644
index 00000000000..49daad18cfc
--- /dev/null
+++ b/queue-5.10/media-i2c-tvp5150-check-return-value-of-devm_kasprin.patch
@@ -0,0 +1,41 @@
+From f05bc2160a7d84a7ba4c5a83d2be5ca8eba5c3cf Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 15 Jun 2023 12:30:30 +0200
+Subject: media: i2c: tvp5150: check return value of devm_kasprintf()
+
+From: Claudiu Beznea
+
+[ Upstream commit 26ce7054d804be73935b9268d6e0ecf2fbbc8aef ]
+
+devm_kasprintf() returns a pointer to dynamically allocated memory.
+Pointer could be NULL in case allocation fails. Check pointer validity.
+Identified with coccinelle (kmerr.cocci script).
+
+Fixes: 0556f1d580d4 ("media: tvp5150: add input source selection of_graph support")
+Signed-off-by: Claudiu Beznea
+Reviewed-by: Marco Felsch
+Signed-off-by: Sakari Ailus
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/media/i2c/tvp5150.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/media/i2c/tvp5150.c b/drivers/media/i2c/tvp5150.c
+index 3b3221fd3fe8f..cf0570a6760ca 100644
+--- a/drivers/media/i2c/tvp5150.c
++++ b/drivers/media/i2c/tvp5150.c
+@@ -2078,6 +2078,10 @@ static int tvp5150_parse_dt(struct tvp5150 *decoder, struct device_node *np)
+ tvpc->ent.name = devm_kasprintf(dev, GFP_KERNEL, "%s %s",
+ v4l2c->name, v4l2c->label ?
+ v4l2c->label : "");
++ if (!tvpc->ent.name) {
++ ret = -ENOMEM;
++ goto err_free;
++ }
+ }
+
+ ep_np = of_graph_get_endpoint_by_regs(np, TVP5150_PAD_VID_OUT, 0);
+--
+2.40.1
+
diff --git a/queue-5.10/media-mediatek-vcodec-return-null-if-no-vdec_fb-is-f.patch b/queue-5.10/media-mediatek-vcodec-return-null-if-no-vdec_fb-is-f.patch
new file mode 100644
index 00000000000..37fc87c1d65
--- /dev/null
+++ b/queue-5.10/media-mediatek-vcodec-return-null-if-no-vdec_fb-is-f.patch
@@ -0,0 +1,43 @@
+From 59a6f3dab555819f62615a5ca25081b70403a0ca Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 5 Jul 2023 17:14:41 +0800
+Subject: media: mediatek: vcodec: Return NULL if no vdec_fb is found
+
+From: Irui Wang
+
+[ Upstream commit dfa2d6e07432270330ae191f50a0e70636a4cd2b ]
+
+"fb_use_list" is used to store used or referenced frame buffers for
+vp9 stateful decoder. "NULL" should be returned when getting target
+frame buffer failed from "fb_use_list", not a random unexpected one.
+
+Fixes: f77e89854b3e ("[media] vcodec: mediatek: Add Mediatek VP9 Video Decoder Driver")
+Signed-off-by: Irui Wang
+Reviewed-by: AngeloGioacchino Del Regno
+Signed-off-by: Hans Verkuil
+Signed-off-by: Sasha Levin
+---
+ drivers/media/platform/mtk-vcodec/vdec/vdec_vp9_if.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/platform/mtk-vcodec/vdec/vdec_vp9_if.c b/drivers/media/platform/mtk-vcodec/vdec/vdec_vp9_if.c
+index d9880210b2ab6..43c108b68d0a0 100644
+--- a/drivers/media/platform/mtk-vcodec/vdec/vdec_vp9_if.c
++++ b/drivers/media/platform/mtk-vcodec/vdec/vdec_vp9_if.c
+@@ -226,10 +226,11 @@ static struct vdec_fb *vp9_rm_from_fb_use_list(struct vdec_vp9_inst
+ if (fb->base_y.va == addr) {
+ list_move_tail(&node->list,
+ &inst->available_fb_node_list);
+- break;
++ return fb;
+ }
+ }
+- return fb;
++
++ return NULL;
+ }
+
+ static void vp9_add_to_fb_free_list(struct vdec_vp9_inst *inst,
+--
+2.40.1
+
diff --git a/queue-5.10/media-ov2680-fix-ov2680_bayer_order.patch b/queue-5.10/media-ov2680-fix-ov2680_bayer_order.patch
new file mode 100644
index 00000000000..436d5b52bf9
--- /dev/null
+++ b/queue-5.10/media-ov2680-fix-ov2680_bayer_order.patch
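Review bot: vp9_rm_from_fb_use_list() can now return NULL where it previously returned whatever `fb` last pointed to, so every caller has to check the result before dereferencing it. The callers are not part of this patch and need to be confirmed. A short comment above the function would document the new contract: `/* Returns the vdec_fb whose base_y.va equals addr, or NULL if it is not on fb_use_list. */`. The start of the function is outside the hunk.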
@@ -0,0 +1,117 @@ +From c924ca736a57343e31ade2e6da1070cc2571ace1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Aug 2023 11:33:17 +0200 +Subject: media: ov2680: Fix ov2680_bayer_order() + +From: Hans de Goede + +[ Upstream commit 50a7bad4e0a37d7018ab6fe843dd84bc6b2ecf72 ] + +The index into ov2680_hv_flip_bayer_order[] should be 0-3, but +ov2680_bayer_order() was using 0 + BIT(2) + (BIT(2) << 1) as +max index, while the intention was to use: 0 + 1 + 2 as max index. + +Fix the index calculation in ov2680_bayer_order(), while at it +also just use the ctrl values rather then reading them back using +a slow i2c-read transaction. + +This also allows making the function void, since there now are +no more i2c-reads to error check. + +Note the check for the ctrls being NULL is there to allow +adding an ov2680_fill_format() helper later, which will call +ov2680_set_bayer_order() during probe() before the ctrls are created. + +[Sakari Ailus: Change all users of ov2680_set_bayer_order() here] + +Fixes: 3ee47cad3e69 ("media: ov2680: Add Omnivision OV2680 sensor driver") +Reviewed-by: Daniel Scally +Acked-by: Rui Miguel Silva +Signed-off-by: Hans de Goede +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/ov2680.c | 33 ++++++++++++++------------------- + 1 file changed, 14 insertions(+), 19 deletions(-) + +diff --git a/drivers/media/i2c/ov2680.c b/drivers/media/i2c/ov2680.c +index f143e2af0b5fc..a4baf440b9505 100644 +--- a/drivers/media/i2c/ov2680.c ++++ b/drivers/media/i2c/ov2680.c +@@ -315,26 +315,17 @@ static void ov2680_power_down(struct ov2680_dev *sensor) + usleep_range(5000, 10000); + } + +-static int ov2680_bayer_order(struct ov2680_dev *sensor) ++static void ov2680_set_bayer_order(struct ov2680_dev *sensor) + { +- u32 format1; +- u32 format2; +- u32 hv_flip; +- int ret; +- +- ret = ov2680_read_reg(sensor, OV2680_REG_FORMAT1, &format1); +- if (ret < 0) +- return ret; ++ int hv_flip = 0; + +- 
ret = ov2680_read_reg(sensor, OV2680_REG_FORMAT2, &format2); +- if (ret < 0) +- return ret; ++ if (sensor->ctrls.vflip && sensor->ctrls.vflip->val) ++ hv_flip += 1; + +- hv_flip = (format2 & BIT(2) << 1) | (format1 & BIT(2)); ++ if (sensor->ctrls.hflip && sensor->ctrls.hflip->val) ++ hv_flip += 2; + + sensor->fmt.code = ov2680_hv_flip_bayer_order[hv_flip]; +- +- return 0; + } + + static int ov2680_vflip_enable(struct ov2680_dev *sensor) +@@ -345,7 +336,8 @@ static int ov2680_vflip_enable(struct ov2680_dev *sensor) + if (ret < 0) + return ret; + +- return ov2680_bayer_order(sensor); ++ ov2680_set_bayer_order(sensor); ++ return 0; + } + + static int ov2680_vflip_disable(struct ov2680_dev *sensor) +@@ -356,7 +348,8 @@ static int ov2680_vflip_disable(struct ov2680_dev *sensor) + if (ret < 0) + return ret; + +- return ov2680_bayer_order(sensor); ++ ov2680_set_bayer_order(sensor); ++ return 0; + } + + static int ov2680_hflip_enable(struct ov2680_dev *sensor) +@@ -367,7 +360,8 @@ static int ov2680_hflip_enable(struct ov2680_dev *sensor) + if (ret < 0) + return ret; + +- return ov2680_bayer_order(sensor); ++ ov2680_set_bayer_order(sensor); ++ return 0; + } + + static int ov2680_hflip_disable(struct ov2680_dev *sensor) +@@ -378,7 +372,8 @@ static int ov2680_hflip_disable(struct ov2680_dev *sensor) + if (ret < 0) + return ret; + +- return ov2680_bayer_order(sensor); ++ ov2680_set_bayer_order(sensor); ++ return 0; + } + + static int ov2680_test_pattern_set(struct ov2680_dev *sensor, int value) +-- +2.40.1 + diff --git a/queue-5.10/media-ov2680-fix-regulators-being-left-enabled-on-ov.patch b/queue-5.10/media-ov2680-fix-regulators-being-left-enabled-on-ov.patch new file mode 100644 index 00000000000..a16751cd8ed --- /dev/null +++ b/queue-5.10/media-ov2680-fix-regulators-being-left-enabled-on-ov.patch 
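Review bot: `hv_flip += 1` and `hv_flip += 2` in `ov2680_set_bayer_order()` encode the index into `ov2680_hv_flip_bayer_order[]` with bare numbers, and nothing at the lookup ties that encoding to the table's size, which is the relationship the original code got wrong. A comment on the lookup such as `/* index: bit 0 = vflip, bit 1 = hflip, so 0..3 */` would document it. The table definition is outside this hunk, so its entry order should be checked against that encoding.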
@@ -0,0 +1,64 @@
+From d64b223a9e40f851b65eac577edae9ab18cab2bb Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 3 Aug 2023 11:33:23 +0200
+Subject: media: ov2680: Fix regulators being left enabled on ov2680_power_on()
+ errors
+
+From: Hans de Goede
+
+[ Upstream commit 84b4bd7e0d98166aa32fd470e672721190492eae ]
+
+When the ov2680_power_on() "sensor soft reset failed" path is hit during
+probe() the WARN() about putting an enabled regulator at
+drivers/regulator/core.c:2398 triggers 3 times (once for each regulator),
+filling dmesg with backtraces.
+
+Fix this by properly disabling the regulators on ov2680_power_on() errors.
+
+Fixes: 3ee47cad3e69 ("media: ov2680: Add Omnivision OV2680 sensor driver")
+Reviewed-by: Daniel Scally
+Acked-by: Rui Miguel Silva
+Signed-off-by: Hans de Goede
+Signed-off-by: Sakari Ailus
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/media/i2c/ov2680.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/i2c/ov2680.c b/drivers/media/i2c/ov2680.c
+index 5249a9eb7c81a..731a60f6a59af 100644
+--- a/drivers/media/i2c/ov2680.c
++++ b/drivers/media/i2c/ov2680.c
+@@ -459,7 +459,7 @@ static int ov2680_power_on(struct ov2680_dev *sensor)
+ ret = ov2680_write_reg(sensor, OV2680_REG_SOFT_RESET, 0x01);
+ if (ret != 0) {
+ dev_err(dev, "sensor soft reset failed\n");
+- return ret;
++ goto err_disable_regulators;
+ }
+ usleep_range(1000, 2000);
+ } else {
+@@ -469,7 +469,7 @@ static int ov2680_power_on(struct ov2680_dev *sensor)
+
+ ret = clk_prepare_enable(sensor->xvclk);
+ if (ret < 0)
+- return ret;
++ goto err_disable_regulators;
+
+ sensor->is_enabled = true;
+
+@@ -479,6 +479,10 @@ static int ov2680_power_on(struct ov2680_dev *sensor)
+ ov2680_stream_disable(sensor);
+
+ return 0;
++
++err_disable_regulators:
++ regulator_bulk_disable(OV2680_NUM_SUPPLIES, sensor->supplies);
++ return ret;
+ }
+
+ static int ov2680_s_power(struct v4l2_subdev *sd, int on)
+--
+2.40.1
+
diff --git a/queue-5.10/media-ov2680-fix-vflip-hflip-set-functions.patch b/queue-5.10/media-ov2680-fix-vflip-hflip-set-functions.patch
new file mode 100644
index 00000000000..844a804f294
--- /dev/null
+++ b/queue-5.10/media-ov2680-fix-vflip-hflip-set-functions.patch
@@ -0,0 +1,118 @@ +From f90b4548b330d091ed64eed2213c83876ebb970e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Aug 2023 11:33:18 +0200 +Subject: media: ov2680: Fix vflip / hflip set functions + +From: Hans de Goede + +[ Upstream commit d5d08ad330c9ccebc5e066fda815423a290f48b0 ] + +ov2680_vflip_disable() / ov2680_hflip_disable() pass BIT(0) instead of +0 as value to ov2680_mod_reg(). + +While fixing this also: + +1. Stop having separate enable/disable functions for hflip / vflip +2. Move the is_streaming check, which is unique to hflip / vflip + into the ov2680_set_?flip() functions. + +for a nice code cleanup. + +Fixes: 3ee47cad3e69 ("media: ov2680: Add Omnivision OV2680 sensor driver") +Reviewed-by: Daniel Scally +Acked-by: Rui Miguel Silva +Signed-off-by: Hans de Goede +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/ov2680.c | 50 +++++++++----------------------------- + 1 file changed, 12 insertions(+), 38 deletions(-) + +diff --git a/drivers/media/i2c/ov2680.c b/drivers/media/i2c/ov2680.c +index a4baf440b9505..5249a9eb7c81a 100644 +--- a/drivers/media/i2c/ov2680.c ++++ b/drivers/media/i2c/ov2680.c +@@ -328,23 +328,15 @@ static void ov2680_set_bayer_order(struct ov2680_dev *sensor) + sensor->fmt.code = ov2680_hv_flip_bayer_order[hv_flip]; + } + +-static int ov2680_vflip_enable(struct ov2680_dev *sensor) ++static int ov2680_set_vflip(struct ov2680_dev *sensor, s32 val) + { + int ret; + +- ret = ov2680_mod_reg(sensor, OV2680_REG_FORMAT1, BIT(2), BIT(2)); +- if (ret < 0) +- return ret; +- +- ov2680_set_bayer_order(sensor); +- return 0; +-} +- +-static int ov2680_vflip_disable(struct ov2680_dev *sensor) +-{ +- int ret; ++ if (sensor->is_streaming) ++ return -EBUSY; + +- ret = ov2680_mod_reg(sensor, OV2680_REG_FORMAT1, BIT(2), BIT(0)); ++ ret = ov2680_mod_reg(sensor, OV2680_REG_FORMAT1, ++ BIT(2), val ? 
BIT(2) : 0); + if (ret < 0) + return ret; + +@@ -352,23 +344,15 @@ static int ov2680_vflip_disable(struct ov2680_dev *sensor) + return 0; + } + +-static int ov2680_hflip_enable(struct ov2680_dev *sensor) ++static int ov2680_set_hflip(struct ov2680_dev *sensor, s32 val) + { + int ret; + +- ret = ov2680_mod_reg(sensor, OV2680_REG_FORMAT2, BIT(2), BIT(2)); +- if (ret < 0) +- return ret; +- +- ov2680_set_bayer_order(sensor); +- return 0; +-} +- +-static int ov2680_hflip_disable(struct ov2680_dev *sensor) +-{ +- int ret; ++ if (sensor->is_streaming) ++ return -EBUSY; + +- ret = ov2680_mod_reg(sensor, OV2680_REG_FORMAT2, BIT(2), BIT(0)); ++ ret = ov2680_mod_reg(sensor, OV2680_REG_FORMAT2, ++ BIT(2), val ? BIT(2) : 0); + if (ret < 0) + return ret; + +@@ -721,19 +705,9 @@ static int ov2680_s_ctrl(struct v4l2_ctrl *ctrl) + case V4L2_CID_EXPOSURE: + return ov2680_exposure_set(sensor, ctrl->val); + case V4L2_CID_VFLIP: +- if (sensor->is_streaming) +- return -EBUSY; +- if (ctrl->val) +- return ov2680_vflip_enable(sensor); +- else +- return ov2680_vflip_disable(sensor); ++ return ov2680_set_vflip(sensor, ctrl->val); + case V4L2_CID_HFLIP: +- if (sensor->is_streaming) +- return -EBUSY; +- if (ctrl->val) +- return ov2680_hflip_enable(sensor); +- else +- return ov2680_hflip_disable(sensor); ++ return ov2680_set_hflip(sensor, ctrl->val); + case V4L2_CID_TEST_PATTERN: + return ov2680_test_pattern_set(sensor, ctrl->val); + default: +-- +2.40.1 + diff --git a/queue-5.10/media-ov2680-remove-auto-gain-and-auto-exposure-cont.patch b/queue-5.10/media-ov2680-remove-auto-gain-and-auto-exposure-cont.patch new file mode 100644 index 00000000000..ea0ff1e3c10 --- /dev/null +++ b/queue-5.10/media-ov2680-remove-auto-gain-and-auto-exposure-cont.patch 
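Review bot: `ov2680_set_vflip()` and `ov2680_set_hflip()` program the register from their `val` argument, but the `ov2680_set_bayer_order()` call that follows derives `sensor->fmt.code` from `sensor->ctrls.vflip->val` and `sensor->ctrls.hflip->val` (as defined by the previous patch in this queue), so the two only agree when `val` is the control's own value, as in the `ov2680_s_ctrl()` call sites shown here. A comment on both helpers, e.g. `/* val must equal the control's ->val; the bayer order is recomputed from the controls */`, would keep a later direct caller from letting the reported format and the hardware diverge. The two helpers differ only in the register they touch, so they could share one function that takes the register as a parameter.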
@@ -0,0 +1,331 @@ +From 54e69279615bac516b2cde5bb121be8c4ca6a0b2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Aug 2023 11:33:16 +0200 +Subject: media: ov2680: Remove auto-gain and auto-exposure controls + +From: Hans de Goede + +[ Upstream commit 7b5a42e6ae71927359ea67a2c22570ba97fa4059 ] + +Quoting the OV2680 datasheet: + +"3.2 exposure and gain control + +In the OV2680, the exposure time and gain are set manually from an external +controller. The OV2680 supports manual gain and exposure control only for +normal applications, no auto mode." + +And indeed testing with the atomisp_ov2680 fork of ov2680.c has shown that +auto-exposure and auto-gain do not work. + +Note that the code setting the auto-exposure flag was broken, callers +of ov2680_exposure_set() were directly passing !!ctrls->auto_exp->val as +"bool auto_exp" value, but ctrls->auto_exp is a menu control with: + +enum v4l2_exposure_auto_type { + V4L2_EXPOSURE_AUTO = 0, + V4L2_EXPOSURE_MANUAL = 1, + ... + +So instead of passing !!ctrls->auto_exp->val they should have been passing +ctrls->auto_exp->val == V4L2_EXPOSURE_AUTO, iow the passed value was +inverted of what it should have been. + +Also remove ov2680_g_volatile_ctrl() since without auto support the gain +and exposure controls are not volatile. + +This also fixes the control values not being properly applied in +ov2680_mode_set(). The 800x600 mode register-list also sets gain, +exposure and vflip overriding the last set ctrl values. + +ov2680_mode_set() does call ov2680_gain_set() and ov2680_exposure_set() +but did this before writing the mode register-list, so these values +would still be overridden by the mode register-list. + +Add a v4l2_ctrl_handler_setup() call after writing the mode register-list +to restore all ctrl values. Also remove the ctrls->gain->is_new check from +ov2680_gain_set() so that the gain always gets restored properly. 
+ +Last since ov2680_mode_set() now calls v4l2_ctrl_handler_setup(), remove +the v4l2_ctrl_handler_setup() call after ov2680_mode_restore() since +ov2680_mode_restore() calls ov2680_mode_set(). + +Fixes: 3ee47cad3e69 ("media: ov2680: Add Omnivision OV2680 sensor driver") +Reviewed-by: Daniel Scally +Acked-by: Rui Miguel Silva +Signed-off-by: Hans de Goede +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/ov2680.c | 161 ++++--------------------------------- + 1 file changed, 17 insertions(+), 144 deletions(-) + +diff --git a/drivers/media/i2c/ov2680.c b/drivers/media/i2c/ov2680.c +index cd0c083a4768a..f143e2af0b5fc 100644 +--- a/drivers/media/i2c/ov2680.c ++++ b/drivers/media/i2c/ov2680.c +@@ -85,15 +85,8 @@ struct ov2680_mode_info { + + struct ov2680_ctrls { + struct v4l2_ctrl_handler handler; +- struct { +- struct v4l2_ctrl *auto_exp; +- struct v4l2_ctrl *exposure; +- }; +- struct { +- struct v4l2_ctrl *auto_gain; +- struct v4l2_ctrl *gain; +- }; +- ++ struct v4l2_ctrl *exposure; ++ struct v4l2_ctrl *gain; + struct v4l2_ctrl *hflip; + struct v4l2_ctrl *vflip; + struct v4l2_ctrl *test_pattern; +@@ -143,6 +136,7 @@ static const struct reg_value ov2680_setting_30fps_QUXGA_800_600[] = { + {0x380e, 0x02}, {0x380f, 0x84}, {0x3811, 0x04}, {0x3813, 0x04}, + {0x3814, 0x31}, {0x3815, 0x31}, {0x3820, 0xc0}, {0x4008, 0x00}, + {0x4009, 0x03}, {0x4837, 0x1e}, {0x3501, 0x4e}, {0x3502, 0xe0}, ++ {0x3503, 0x03}, + }; + + static const struct reg_value ov2680_setting_30fps_720P_1280_720[] = { +@@ -405,69 +399,15 @@ static int ov2680_test_pattern_set(struct ov2680_dev *sensor, int value) + return 0; + } + +-static int ov2680_gain_set(struct ov2680_dev *sensor, bool auto_gain) +-{ +- struct ov2680_ctrls *ctrls = &sensor->ctrls; +- u32 gain; +- int ret; +- +- ret = ov2680_mod_reg(sensor, OV2680_REG_R_MANUAL, BIT(1), +- auto_gain ? 
0 : BIT(1)); +- if (ret < 0) +- return ret; +- +- if (auto_gain || !ctrls->gain->is_new) +- return 0; +- +- gain = ctrls->gain->val; +- +- ret = ov2680_write_reg16(sensor, OV2680_REG_GAIN_PK, gain); +- +- return 0; +-} +- +-static int ov2680_gain_get(struct ov2680_dev *sensor) +-{ +- u32 gain; +- int ret; +- +- ret = ov2680_read_reg16(sensor, OV2680_REG_GAIN_PK, &gain); +- if (ret) +- return ret; +- +- return gain; +-} +- +-static int ov2680_exposure_set(struct ov2680_dev *sensor, bool auto_exp) ++static int ov2680_gain_set(struct ov2680_dev *sensor, u32 gain) + { +- struct ov2680_ctrls *ctrls = &sensor->ctrls; +- u32 exp; +- int ret; +- +- ret = ov2680_mod_reg(sensor, OV2680_REG_R_MANUAL, BIT(0), +- auto_exp ? 0 : BIT(0)); +- if (ret < 0) +- return ret; +- +- if (auto_exp || !ctrls->exposure->is_new) +- return 0; +- +- exp = (u32)ctrls->exposure->val; +- exp <<= 4; +- +- return ov2680_write_reg24(sensor, OV2680_REG_EXPOSURE_PK_HIGH, exp); ++ return ov2680_write_reg16(sensor, OV2680_REG_GAIN_PK, gain); + } + +-static int ov2680_exposure_get(struct ov2680_dev *sensor) ++static int ov2680_exposure_set(struct ov2680_dev *sensor, u32 exp) + { +- int ret; +- u32 exp; +- +- ret = ov2680_read_reg24(sensor, OV2680_REG_EXPOSURE_PK_HIGH, &exp); +- if (ret) +- return ret; +- +- return exp >> 4; ++ return ov2680_write_reg24(sensor, OV2680_REG_EXPOSURE_PK_HIGH, ++ exp << 4); + } + + static int ov2680_stream_enable(struct ov2680_dev *sensor) +@@ -482,33 +422,17 @@ static int ov2680_stream_disable(struct ov2680_dev *sensor) + + static int ov2680_mode_set(struct ov2680_dev *sensor) + { +- struct ov2680_ctrls *ctrls = &sensor->ctrls; + int ret; + +- ret = ov2680_gain_set(sensor, false); +- if (ret < 0) +- return ret; +- +- ret = ov2680_exposure_set(sensor, false); ++ ret = ov2680_load_regs(sensor, sensor->current_mode); + if (ret < 0) + return ret; + +- ret = ov2680_load_regs(sensor, sensor->current_mode); ++ /* Restore value of all ctrls */ ++ ret = 
__v4l2_ctrl_handler_setup(&sensor->ctrls.handler); + if (ret < 0) + return ret; + +- if (ctrls->auto_gain->val) { +- ret = ov2680_gain_set(sensor, true); +- if (ret < 0) +- return ret; +- } +- +- if (ctrls->auto_exp->val == V4L2_EXPOSURE_AUTO) { +- ret = ov2680_exposure_set(sensor, true); +- if (ret < 0) +- return ret; +- } +- + sensor->mode_pending_changes = false; + + return 0; +@@ -590,15 +514,10 @@ static int ov2680_s_power(struct v4l2_subdev *sd, int on) + else + ret = ov2680_power_off(sensor); + +- mutex_unlock(&sensor->lock); +- +- if (on && ret == 0) { +- ret = v4l2_ctrl_handler_setup(&sensor->ctrls.handler); +- if (ret < 0) +- return ret; +- ++ if (on && ret == 0) + ret = ov2680_mode_restore(sensor); +- } ++ ++ mutex_unlock(&sensor->lock); + + return ret; + } +@@ -793,52 +712,19 @@ static int ov2680_enum_frame_interval(struct v4l2_subdev *sd, + return 0; + } + +-static int ov2680_g_volatile_ctrl(struct v4l2_ctrl *ctrl) +-{ +- struct v4l2_subdev *sd = ctrl_to_sd(ctrl); +- struct ov2680_dev *sensor = to_ov2680_dev(sd); +- struct ov2680_ctrls *ctrls = &sensor->ctrls; +- int val; +- +- if (!sensor->is_enabled) +- return 0; +- +- switch (ctrl->id) { +- case V4L2_CID_GAIN: +- val = ov2680_gain_get(sensor); +- if (val < 0) +- return val; +- ctrls->gain->val = val; +- break; +- case V4L2_CID_EXPOSURE: +- val = ov2680_exposure_get(sensor); +- if (val < 0) +- return val; +- ctrls->exposure->val = val; +- break; +- } +- +- return 0; +-} +- + static int ov2680_s_ctrl(struct v4l2_ctrl *ctrl) + { + struct v4l2_subdev *sd = ctrl_to_sd(ctrl); + struct ov2680_dev *sensor = to_ov2680_dev(sd); +- struct ov2680_ctrls *ctrls = &sensor->ctrls; + + if (!sensor->is_enabled) + return 0; + + switch (ctrl->id) { +- case V4L2_CID_AUTOGAIN: +- return ov2680_gain_set(sensor, !!ctrl->val); + case V4L2_CID_GAIN: +- return ov2680_gain_set(sensor, !!ctrls->auto_gain->val); +- case V4L2_CID_EXPOSURE_AUTO: +- return ov2680_exposure_set(sensor, !!ctrl->val); ++ return ov2680_gain_set(sensor, 
ctrl->val); + case V4L2_CID_EXPOSURE: +- return ov2680_exposure_set(sensor, !!ctrls->auto_exp->val); ++ return ov2680_exposure_set(sensor, ctrl->val); + case V4L2_CID_VFLIP: + if (sensor->is_streaming) + return -EBUSY; +@@ -863,7 +749,6 @@ static int ov2680_s_ctrl(struct v4l2_ctrl *ctrl) + } + + static const struct v4l2_ctrl_ops ov2680_ctrl_ops = { +- .g_volatile_ctrl = ov2680_g_volatile_ctrl, + .s_ctrl = ov2680_s_ctrl, + }; + +@@ -935,7 +820,7 @@ static int ov2680_v4l2_register(struct ov2680_dev *sensor) + if (ret < 0) + return ret; + +- v4l2_ctrl_handler_init(hdl, 7); ++ v4l2_ctrl_handler_init(hdl, 5); + + hdl->lock = &sensor->lock; + +@@ -947,16 +832,9 @@ static int ov2680_v4l2_register(struct ov2680_dev *sensor) + ARRAY_SIZE(test_pattern_menu) - 1, + 0, 0, test_pattern_menu); + +- ctrls->auto_exp = v4l2_ctrl_new_std_menu(hdl, ops, +- V4L2_CID_EXPOSURE_AUTO, +- V4L2_EXPOSURE_MANUAL, 0, +- V4L2_EXPOSURE_AUTO); +- + ctrls->exposure = v4l2_ctrl_new_std(hdl, ops, V4L2_CID_EXPOSURE, + 0, 32767, 1, 0); + +- ctrls->auto_gain = v4l2_ctrl_new_std(hdl, ops, V4L2_CID_AUTOGAIN, +- 0, 1, 1, 1); + ctrls->gain = v4l2_ctrl_new_std(hdl, ops, V4L2_CID_GAIN, 0, 2047, 1, 0); + + if (hdl->error) { +@@ -964,14 +842,9 @@ static int ov2680_v4l2_register(struct ov2680_dev *sensor) + goto cleanup_entity; + } + +- ctrls->gain->flags |= V4L2_CTRL_FLAG_VOLATILE; +- ctrls->exposure->flags |= V4L2_CTRL_FLAG_VOLATILE; + ctrls->vflip->flags |= V4L2_CTRL_FLAG_MODIFY_LAYOUT; + ctrls->hflip->flags |= V4L2_CTRL_FLAG_MODIFY_LAYOUT; + +- v4l2_ctrl_auto_cluster(2, &ctrls->auto_gain, 0, true); +- v4l2_ctrl_auto_cluster(2, &ctrls->auto_exp, 1, true); +- + sensor->sd.ctrl_handler = hdl; + + ret = v4l2_async_register_subdev(&sensor->sd); +-- +2.40.1 + diff --git a/queue-5.10/media-ov5640-enable-mipi-interface-in-ov5640_set_pow.patch b/queue-5.10/media-ov5640-enable-mipi-interface-in-ov5640_set_pow.patch new file mode 100644 index 00000000000..5e598932b79 --- /dev/null 
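Review bot: `ov2680_mode_set()` now calls `__v4l2_ctrl_handler_setup()`, the variant that expects the caller to already hold the handler lock, which `ov2680_v4l2_register()` sets to `sensor->lock` (`hdl->lock = &sensor->lock`). The `ov2680_s_power()` hunk moves `mutex_unlock()` below `ov2680_mode_restore()` for that reason, but any other caller of `ov2680_mode_set()` is outside these hunks and needs the same guarantee. Stating the requirement in the function, e.g. `lockdep_assert_held(&sensor->lock);` as its first statement, would catch a path that misses it.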
+++ b/queue-5.10/media-ov5640-enable-mipi-interface-in-ov5640_set_pow.patch
@@ -0,0 +1,51 @@
+From 89897be081f09c2779841aa31da88218dcb7f81e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 2 Aug 2023 16:47:25 +0200
+Subject: media: ov5640: Enable MIPI interface in ov5640_set_power_mipi()
+
+From: Marek Vasut
+
+[ Upstream commit 98cb72d3b9c5e03b10fa993752ecfcbd9c572d8c ]
+
+Set OV5640_REG_IO_MIPI_CTRL00 bit 2 to 1 instead of 0, since 1 means
+MIPI CSI2 interface, while 0 means CPI parallel interface.
+
+In the ov5640_set_power_mipi() the interface should obviously be set
+to MIPI CSI2 since this functions is used to power up the sensor when
+operated in MIPI CSI2 mode. The sensor should not be in CPI mode in
+that case.
+
+This fixes a corner case where capturing the first frame on i.MX8MN
+with CSI/ISI resulted in corrupted frame.
+
+Fixes: aa4bb8b8838f ("media: ov5640: Re-work MIPI startup sequence")
+Reviewed-by: Jacopo Mondi
+Tested-by: Jacopo Mondi # [Test on imx6q]
+Signed-off-by: Marek Vasut
+Tested-by: Jai Luthra # [Test on bplay, sk-am62]
+Signed-off-by: Sakari Ailus
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/media/i2c/ov5640.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/i2c/ov5640.c b/drivers/media/i2c/ov5640.c
+index 92a5f9aff9b53..db4b6095f4f4c 100644
+--- a/drivers/media/i2c/ov5640.c
++++ b/drivers/media/i2c/ov5640.c
+@@ -1942,9 +1942,9 @@ static int ov5640_set_power_mipi(struct ov5640_dev *sensor, bool on)
+ * "ov5640_set_stream_mipi()")
+ * [4] = 0 : Power up MIPI HS Tx
+ * [3] = 0 : Power up MIPI LS Rx
+- * [2] = 0 : MIPI interface disabled
++ * [2] = 1 : MIPI interface enabled
+ */
+- ret = ov5640_write_reg(sensor, OV5640_REG_IO_MIPI_CTRL00, 0x40);
++ ret = ov5640_write_reg(sensor, OV5640_REG_IO_MIPI_CTRL00, 0x44);
+ if (ret)
+ return ret;
+
+--
+2.40.1
+
diff --git a/queue-5.10/media-rkvdec-increase-max-supported-height-for-h.264.patch b/queue-5.10/media-rkvdec-increase-max-supported-height-for-h.264.patch
new file mode 100644
index 00000000000..8bc031d0ddd
--- /dev/null
+++ b/queue-5.10/media-rkvdec-increase-max-supported-height-for-h.264.patch
@@ -0,0 +1,37 @@
+From 78a1d5e31ef831c59b8df70f957037ade2b63528 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 17 Jul 2023 17:06:11 +0200
+Subject: media: rkvdec: increase max supported height for H.264
+
+From: Benjamin Gaignard
+
+[ Upstream commit f000e6ca2d60fefd02a180a57df2c4162fa0c1b7 ]
+
+After testing it is possible for the hardware to decode H264
+bistream with a height up to 2560.
+
+Signed-off-by: Benjamin Gaignard
+Fixes: cd33c830448ba ("media: rkvdec: Add the rkvdec driver")
+Reviewed-by: Nicolas Dufresne
+Signed-off-by: Hans Verkuil
+Signed-off-by: Sasha Levin
+---
+ drivers/staging/media/rkvdec/rkvdec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/staging/media/rkvdec/rkvdec.c b/drivers/staging/media/rkvdec/rkvdec.c
+index f6a29a7078625..86483f1c070b9 100644
+--- a/drivers/staging/media/rkvdec/rkvdec.c
++++ b/drivers/staging/media/rkvdec/rkvdec.c
+@@ -101,7 +101,7 @@ static const struct rkvdec_coded_fmt_desc rkvdec_coded_fmts[] = {
+ .max_width = 4096,
+ .step_width = 16,
+ .min_height = 48,
+- .max_height = 2304,
++ .max_height = 2560,
+ .step_height = 16,
+ },
+ .ctrls = &rkvdec_h264_ctrls,
+--
+2.40.1
+
diff --git a/queue-5.10/media-v4l2-core-fix-a-potential-resource-leak-in-v4l.patch b/queue-5.10/media-v4l2-core-fix-a-potential-resource-leak-in-v4l.patch
new file mode 100644
index 00000000000..bc39576b297
--- /dev/null
+++ b/queue-5.10/media-v4l2-core-fix-a-potential-resource-leak-in-v4l.patch
@@ -0,0 +1,71 @@ +From 53895ea7de2a36b29e4a1dbca520a37c549e3183 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Jun 2023 20:31:05 +0200 +Subject: media: v4l2-core: Fix a potential resource leak in + v4l2_fwnode_parse_link() + +From: Christophe JAILLET + +[ Upstream commit d7b13edd4cb4bfa335b6008ab867ac28582d3e5c ] + +If fwnode_graph_get_remote_endpoint() fails, 'fwnode' is known to be NULL, +so fwnode_handle_put() is a no-op. + +Release the reference taken from a previous fwnode_graph_get_port_parent() +call instead. + +Also handle fwnode_graph_get_port_parent() failures. + +In order to fix these issues, add an error handling path to the function +and the needed gotos. + +Fixes: ca50c197bd96 ("[media] v4l: fwnode: Support generic fwnode for parsing standardised properties") +Signed-off-by: Christophe JAILLET +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/v4l2-core/v4l2-fwnode.c | 18 ++++++++++++++---- + 1 file changed, 14 insertions(+), 4 deletions(-) + +diff --git a/drivers/media/v4l2-core/v4l2-fwnode.c b/drivers/media/v4l2-core/v4l2-fwnode.c +index dfc53d11053fc..1977ce0195fee 100644 +--- a/drivers/media/v4l2-core/v4l2-fwnode.c ++++ b/drivers/media/v4l2-core/v4l2-fwnode.c +@@ -572,19 +572,29 @@ int v4l2_fwnode_parse_link(struct fwnode_handle *fwnode, + link->local_id = fwep.id; + link->local_port = fwep.port; + link->local_node = fwnode_graph_get_port_parent(fwnode); ++ if (!link->local_node) ++ return -ENOLINK; + + fwnode = fwnode_graph_get_remote_endpoint(fwnode); +- if (!fwnode) { +- fwnode_handle_put(fwnode); +- return -ENOLINK; +- } ++ if (!fwnode) ++ goto err_put_local_node; + + fwnode_graph_parse_endpoint(fwnode, &fwep); + link->remote_id = fwep.id; + link->remote_port = fwep.port; + link->remote_node = fwnode_graph_get_port_parent(fwnode); ++ if (!link->remote_node) ++ goto err_put_remote_endpoint; + + return 0; ++ ++err_put_remote_endpoint: ++ fwnode_handle_put(fwnode); ++ 
++err_put_local_node: ++ fwnode_handle_put(link->local_node); ++ ++ return -ENOLINK; + } + EXPORT_SYMBOL_GPL(v4l2_fwnode_parse_link); + +-- +2.40.1 + diff --git a/queue-5.10/mlxsw-i2c-fix-chunk-size-setting-in-output-mailbox-b.patch b/queue-5.10/mlxsw-i2c-fix-chunk-size-setting-in-output-mailbox-b.patch new file mode 100644 index 00000000000..53203b80ceb --- /dev/null +++ b/queue-5.10/mlxsw-i2c-fix-chunk-size-setting-in-output-mailbox-b.patch 
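Review bot: The new `err_put_local_node` path in `v4l2_fwnode_parse_link()` drops the reference with `fwnode_handle_put(link->local_node)` but leaves the stale pointer in `link`, so a caller that runs its usual link cleanup after a failed parse would put the same node a second time; whether any caller does that is not visible here. Clearing it after the put, `link->local_node = NULL;`, makes the failure path safe either way. Separately, the success path returns 0 without putting the remote endpoint reference held in `fwnode`, which looks like it is still leaked unless something outside this hunk releases it.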
@@ -0,0 +1,43 @@
+From 91b72a1a4fcf30eb41560a1f41273f43168443df Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 24 Aug 2023 15:43:08 +0200
+Subject: mlxsw: i2c: Fix chunk size setting in output mailbox buffer
+
+From: Vadim Pasternak
+
+[ Upstream commit 146c7c330507c0384bf29d567186632bfe975927 ]
+
+The driver reads commands output from the output mailbox. If the size
+of the output mailbox is not a multiple of the transaction /
+block size, then the driver will not issue enough read transactions
+to read the entire output, which can result in driver initialization
+errors.
+
+Fix by determining the number of transactions using DIV_ROUND_UP().
+
+Fixes: 3029a693beda ("mlxsw: i2c: Allow flexible setting of I2C transactions size")
+Signed-off-by: Vadim Pasternak
+Reviewed-by: Ido Schimmel
+Signed-off-by: Petr Machata
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/mellanox/mlxsw/i2c.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlxsw/i2c.c b/drivers/net/ethernet/mellanox/mlxsw/i2c.c
+index ce843ea914646..f20dca41424c9 100644
+--- a/drivers/net/ethernet/mellanox/mlxsw/i2c.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/i2c.c
+@@ -428,7 +428,7 @@ mlxsw_i2c_cmd(struct device *dev, u16 opcode, u32 in_mod, size_t in_mbox_size,
+ } else {
+ /* No input mailbox is case of initialization query command. */
+ reg_size = MLXSW_I2C_MAX_DATA_SIZE;
+- num = reg_size / mlxsw_i2c->block_size;
++ num = DIV_ROUND_UP(reg_size, mlxsw_i2c->block_size);
+
+ if (mutex_lock_interruptible(&mlxsw_i2c->cmd.lock) < 0) {
+ dev_err(&client->dev, "Could not acquire lock");
+--
+2.40.1
+
diff --git a/queue-5.10/mlxsw-i2c-limit-single-transaction-buffer-size.patch b/queue-5.10/mlxsw-i2c-limit-single-transaction-buffer-size.patch
new file mode 100644
index 00000000000..866f937cd10
--- /dev/null
+++ b/queue-5.10/mlxsw-i2c-limit-single-transaction-buffer-size.patch
@@ -0,0 +1,56 @@
+From ad9d6da84e938be50ce34ab6fa3de8e5dba96c1b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 24 Aug 2023 15:43:09 +0200
+Subject: mlxsw: i2c: Limit single transaction buffer size
+
+From: Vadim Pasternak
+
+[ Upstream commit d7248f1cc835bd80e936dc5b2d94b149bdd0077d ]
+
+Maximum size of buffer is obtained from underlying I2C adapter and in
+case adapter allows I2C transaction buffer size greater than 100 bytes,
+transaction will fail due to firmware limitation.
+
+As a result driver will fail initialization.
+
+Limit the maximum size of transaction buffer by 100 bytes to fit to
+firmware.
+
+Remove unnecessary calculation:
+max_t(u16, MLXSW_I2C_BLK_DEF, quirk_size).
+This condition can not happened.
+
+Fixes: 3029a693beda ("mlxsw: i2c: Allow flexible setting of I2C transactions size")
+Signed-off-by: Vadim Pasternak
+Reviewed-by: Petr Machata
+Signed-off-by: Petr Machata
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/mellanox/mlxsw/i2c.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlxsw/i2c.c b/drivers/net/ethernet/mellanox/mlxsw/i2c.c
+index f20dca41424c9..61d2f621d65fc 100644
+--- a/drivers/net/ethernet/mellanox/mlxsw/i2c.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/i2c.c
+@@ -47,6 +47,7 @@
+ #define MLXSW_I2C_MBOX_SIZE_BITS 12
+ #define MLXSW_I2C_ADDR_BUF_SIZE 4
+ #define MLXSW_I2C_BLK_DEF 32
++#define MLXSW_I2C_BLK_MAX 100
+ #define MLXSW_I2C_RETRY 5
+ #define MLXSW_I2C_TIMEOUT_MSECS 5000
+ #define MLXSW_I2C_MAX_DATA_SIZE 256
+@@ -576,7 +577,7 @@ static int mlxsw_i2c_probe(struct i2c_client *client,
+ return -EOPNOTSUPP;
+ }
+
+- mlxsw_i2c->block_size = max_t(u16, MLXSW_I2C_BLK_DEF,
++ mlxsw_i2c->block_size = min_t(u16, MLXSW_I2C_BLK_MAX,
+ min_t(u16, quirks->max_read_len,
+ quirks->max_write_len));
+ } else {
+--
+2.40.1
+
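Review bot: Replacing `max_t()` with `min_t()` in `mlxsw_i2c_probe()` removes the lower bound on `block_size`, so if either `quirks->max_read_len` or `quirks->max_write_len` is 0, which I2C adapter quirks conventionally use for "no limit", `block_size` becomes 0 and the `DIV_ROUND_UP(reg_size, mlxsw_i2c->block_size)` added by the previous patch in `mlxsw_i2c_cmd()` divides by zero. The check above this assignment is outside the hunk, so it may already exclude that case. If it does not, ignore zero lengths when taking the minimum, e.g. `len = min_not_zero(quirks->max_read_len, quirks->max_write_len);` followed by `mlxsw_i2c->block_size = len ? min_t(u16, MLXSW_I2C_BLK_MAX, len) : MLXSW_I2C_BLK_DEF;`.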
diff --git a/queue-5.10/mtd-rawnand-brcmnand-fix-mtd-oobsize.patch b/queue-5.10/mtd-rawnand-brcmnand-fix-mtd-oobsize.patch
new file mode 100644
index 00000000000..f5f8cee96ba
--- /dev/null
+++ b/queue-5.10/mtd-rawnand-brcmnand-fix-mtd-oobsize.patch
@@ -0,0 +1,62 @@
+From 005c182961e4be466790d2b7494951d3a98ff810 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 6 Jul 2023 11:29:09 -0700
+Subject: mtd: rawnand: brcmnand: Fix mtd oobsize
+
+From: William Zhang
+
+[ Upstream commit 60177390fa061c62d156f4a546e3efd90df3c183 ]
+
+brcmnand controller can only access the flash spare area up to certain
+bytes based on the ECC level. It can be less than the actual flash spare
+area size. For example, for many NAND chip supporting ECC BCH-8, it has
+226 bytes spare area. But controller can only uses 218 bytes. So brcmand
+driver overrides the mtd oobsize with the controller's accessible spare
+area size. When the nand base driver utilizes the nand_device object, it
+resets the oobsize back to the actual flash spare aprea size from
+nand_memory_organization structure and controller may not able to access
+all the oob area as mtd advises.
+
+This change fixes the issue by overriding the oobsize in the
+nand_memory_organization structure to the controller's accessible spare
+area size.
+
+Fixes: a7ab085d7c16 ("mtd: rawnand: Initialize the nand_device object")
+Signed-off-by: William Zhang
+Signed-off-by: Miquel Raynal
+Link: https://lore.kernel.org/linux-mtd/20230706182909.79151-6-william.zhang@broadcom.com
+Signed-off-by: Sasha Levin
+---
+ drivers/mtd/nand/raw/brcmnand/brcmnand.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/mtd/nand/raw/brcmnand/brcmnand.c b/drivers/mtd/nand/raw/brcmnand/brcmnand.c
+index 580b91cbd18de..64c8c177d0082 100644
+--- a/drivers/mtd/nand/raw/brcmnand/brcmnand.c
++++ b/drivers/mtd/nand/raw/brcmnand/brcmnand.c
+@@ -2534,6 +2534,8 @@ static int brcmnand_setup_dev(struct brcmnand_host *host)
+ struct nand_chip *chip = &host->chip;
+ const struct nand_ecc_props *requirements =
+ nanddev_get_ecc_requirements(&chip->base);
++ struct nand_memory_organization *memorg =
++ nanddev_get_memorg(&chip->base);
+ struct brcmnand_controller *ctrl = host->ctrl;
+ struct brcmnand_cfg *cfg = &host->hwcfg;
+ char msg[128];
+@@ -2555,10 +2557,11 @@ static int brcmnand_setup_dev(struct brcmnand_host *host)
+ if (cfg->spare_area_size > ctrl->max_oob)
+ cfg->spare_area_size = ctrl->max_oob;
+ /*
+- * Set oobsize to be consistent with controller's spare_area_size, as
+- * the rest is inaccessible.
++ * Set mtd and memorg oobsize to be consistent with controller's
++ * spare_area_size, as the rest is inaccessible.
+ */
+ mtd->oobsize = cfg->spare_area_size * (mtd->writesize >> FC_SHIFT);
++ memorg->oobsize = mtd->oobsize;
+
+ cfg->device_size = mtd->size;
+ cfg->block_size = mtd->erasesize;
+--
+2.40.1
+
diff --git a/queue-5.10/mtd-rawnand-fsmc-handle-clk-prepare-error-in-fsmc_na.patch b/queue-5.10/mtd-rawnand-fsmc-handle-clk-prepare-error-in-fsmc_na.patch
new file mode 100644
index 00000000000..940345bf3ae
--- /dev/null
+++ b/queue-5.10/mtd-rawnand-fsmc-handle-clk-prepare-error-in-fsmc_na.patch
@@ -0,0 +1,44 @@
+From 46d9b8692f85b3438d3dd05aace0819ee70cc030 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 17 Aug 2023 19:58:39 +0800
+Subject: mtd: rawnand: fsmc: handle clk prepare error in fsmc_nand_resume()
+
+From: Yi Yang
+
+[ Upstream commit a5a88125d00612586e941ae13e7fcf36ba8f18a7 ]
+
+In fsmc_nand_resume(), the return value of clk_prepare_enable() should be
+checked since it might fail.
+
+Fixes: e25da1c07dfb ("mtd: fsmc_nand: Add clk_{un}prepare() support")
+Signed-off-by: Yi Yang
+Signed-off-by: Miquel Raynal
+Link: https://lore.kernel.org/linux-mtd/20230817115839.10192-1-yiyang13@huawei.com
+Signed-off-by: Sasha Levin
+---
+ drivers/mtd/nand/raw/fsmc_nand.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mtd/nand/raw/fsmc_nand.c b/drivers/mtd/nand/raw/fsmc_nand.c
+index 663ff5300ad99..3da66e95e5b7e 100644
+--- a/drivers/mtd/nand/raw/fsmc_nand.c
++++ b/drivers/mtd/nand/raw/fsmc_nand.c
+@@ -1190,9 +1190,14 @@ static int fsmc_nand_suspend(struct device *dev)
+ static int fsmc_nand_resume(struct device *dev)
+ {
+ struct fsmc_nand_data *host = dev_get_drvdata(dev);
++ int ret;
+
+ if (host) {
+- clk_prepare_enable(host->clk);
++ ret = clk_prepare_enable(host->clk);
++ if (ret) {
++ dev_err(dev, "failed to enable clk\n");
++ return ret;
++ }
+ if (host->dev_timings)
+ fsmc_nand_setup(host, host->dev_timings);
+ nand_reset(&host->nand, 0);
+--
+2.40.1
+
diff --git a/queue-5.10/mtd-spi-nor-check-bus-width-while-setting-qe-bit.patch b/queue-5.10/mtd-spi-nor-check-bus-width-while-setting-qe-bit.patch
new file mode 100644
index 00000000000..aea82abf80d
--- /dev/null
+++ b/queue-5.10/mtd-spi-nor-check-bus-width-while-setting-qe-bit.patch
@@ -0,0 +1,63 @@ +From 778940fa35a4e982e99676fe87a16bc69fefe665 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Aug 2023 14:42:23 +0800 +Subject: mtd: spi-nor: Check bus width while setting QE bit + +From: Hsin-Yi Wang + +[ Upstream commit f01d8155a92e33cdaa85d20bfbe6c441907b3c1f ] + +spi_nor_write_16bit_sr_and_check() should also check if bus width is +4 before setting QE bit. + +Fixes: 39d1e3340c73 ("mtd: spi-nor: Fix clearing of QE bit on lock()/unlock()") +Suggested-by: Michael Walle +Suggested-by: Tudor Ambarus +Signed-off-by: Hsin-Yi Wang +Reviewed-by: Michael Walle +Link: https://lore.kernel.org/r/20230818064524.1229100-2-hsinyi@chromium.org +Signed-off-by: Tudor Ambarus +Signed-off-by: Sasha Levin +--- + drivers/mtd/spi-nor/core.c | 19 ++++++++++--------- + 1 file changed, 10 insertions(+), 9 deletions(-) + +diff --git a/drivers/mtd/spi-nor/core.c b/drivers/mtd/spi-nor/core.c +index 3422152319321..09e112f376918 100644 +--- a/drivers/mtd/spi-nor/core.c ++++ b/drivers/mtd/spi-nor/core.c +@@ -800,21 +800,22 @@ static int spi_nor_write_16bit_sr_and_check(struct spi_nor *nor, u8 sr1) + ret = spi_nor_read_cr(nor, &sr_cr[1]); + if (ret) + return ret; +- } else if (nor->params->quad_enable) { ++ } else if (spi_nor_get_protocol_width(nor->read_proto) == 4 && ++ spi_nor_get_protocol_width(nor->write_proto) == 4 && ++ nor->params->quad_enable) { + /* + * If the Status Register 2 Read command (35h) is not + * supported, we should at least be sure we don't + * change the value of the SR2 Quad Enable bit. + * +- * We can safely assume that when the Quad Enable method is +- * set, the value of the QE bit is one, as a consequence of the +- * nor->params->quad_enable() call. ++ * When the Quad Enable method is set and the buswidth is 4, we ++ * can safely assume that the value of the QE bit is one, as a ++ * consequence of the nor->params->quad_enable() call. 
+ * +- * We can safely assume that the Quad Enable bit is present in +- * the Status Register 2 at BIT(1). According to the JESD216 +- * revB standard, BFPT DWORDS[15], bits 22:20, the 16-bit +- * Write Status (01h) command is available just for the cases +- * in which the QE bit is described in SR2 at BIT(1). ++ * According to the JESD216 revB standard, BFPT DWORDS[15], ++ * bits 22:20, the 16-bit Write Status (01h) command is ++ * available just for the cases in which the QE bit is ++ * described in SR2 at BIT(1). + */ + sr_cr[1] = SR2_QUAD_EN_BIT1; + } else { +-- +2.40.1 + diff --git a/queue-5.10/net-arcnet-do-not-call-kfree_skb-under-local_irq_dis.patch b/queue-5.10/net-arcnet-do-not-call-kfree_skb-under-local_irq_dis.patch new file mode 100644 index 00000000000..e5c5dfa559c --- /dev/null +++ b/queue-5.10/net-arcnet-do-not-call-kfree_skb-under-local_irq_dis.patch 
@@ -0,0 +1,38 @@
+From dc14b92ec55a7705cc646b7c4b9467ab751573ef Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 24 Aug 2023 14:43:36 +0800
+Subject: net: arcnet: Do not call kfree_skb() under local_irq_disable()
+
+From: Jinjie Ruan
+
+[ Upstream commit 786c96e92fb9e854cb8b0cb7399bb2fb28e15c4b ]
+
+It is not allowed to call kfree_skb() from hardware interrupt
+context or with hardware interrupts being disabled.
+So replace kfree_skb() with dev_kfree_skb_irq() under
+local_irq_disable(). Compile tested only.
+
+Fixes: 05fcd31cc472 ("arcnet: add err_skb package for package status feedback")
+Signed-off-by: Jinjie Ruan
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/arcnet/arcnet.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/arcnet/arcnet.c b/drivers/net/arcnet/arcnet.c
+index d76dd7d14299e..a7899405a51a5 100644
+--- a/drivers/net/arcnet/arcnet.c
++++ b/drivers/net/arcnet/arcnet.c
+@@ -468,7 +468,7 @@ static void arcnet_reply_tasklet(unsigned long data)
+
+ ret = sock_queue_err_skb(sk, ackskb);
+ if (ret)
+- kfree_skb(ackskb);
++ dev_kfree_skb_irq(ackskb);
+
+ local_irq_enable();
+ };
+--
+2.40.1
+
diff --git a/queue-5.10/net-mlx5-use-rmw-accessors-for-changing-lnkctl.patch b/queue-5.10/net-mlx5-use-rmw-accessors-for-changing-lnkctl.patch
new file mode 100644
index 00000000000..f5441fdf0f7
--- /dev/null
+++ b/queue-5.10/net-mlx5-use-rmw-accessors-for-changing-lnkctl.patch
@@ -0,0 +1,57 @@ +From 908ed54542fdfada689baa1d124cf6de6cdc50c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jul 2023 15:04:59 +0300 +Subject: net/mlx5: Use RMW accessors for changing LNKCTL +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ilpo Järvinen + +[ Upstream commit 30de872537bda526664d7a20b646adfb3e7ce6e6 ] + +Don't assume that only the driver would be accessing LNKCTL of the upstream +bridge. ASPM policy changes can trigger write to LNKCTL outside of driver's +control. + +Use RMW capability accessors which do proper locking to avoid losing +concurrent updates to the register value. + +Suggested-by: Lukas Wunner +Fixes: eabe8e5e88f5 ("net/mlx5: Handle sync reset now event") +Link: https://lore.kernel.org/r/20230717120503.15276-8-ilpo.jarvinen@linux.intel.com +Signed-off-by: Ilpo Järvinen +Signed-off-by: Bjorn Helgaas +Reviewed-by: Moshe Shemesh +Reviewed-by: Simon Horman +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c | 9 ++------- + 1 file changed, 2 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c b/drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c +index e29db4c39b37f..a2d9904e10492 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c +@@ -279,16 +279,11 @@ static int mlx5_pci_link_toggle(struct mlx5_core_dev *dev) + pci_cfg_access_lock(sdev); + } + /* PCI link toggle */ +- err = pci_read_config_word(bridge, cap + PCI_EXP_LNKCTL, ®16); +- if (err) +- return err; +- reg16 |= PCI_EXP_LNKCTL_LD; +- err = pci_write_config_word(bridge, cap + PCI_EXP_LNKCTL, reg16); ++ err = pcie_capability_set_word(bridge, PCI_EXP_LNKCTL, PCI_EXP_LNKCTL_LD); + if (err) + return err; + msleep(500); +- reg16 &= ~PCI_EXP_LNKCTL_LD; +- err = pci_write_config_word(bridge, cap + PCI_EXP_LNKCTL, reg16); ++ err = pcie_capability_clear_word(bridge, PCI_EXP_LNKCTL, 
PCI_EXP_LNKCTL_LD); + if (err) + return err; + +-- +2.40.1 + diff --git a/queue-5.10/net-sched-sch_hfsc-ensure-inner-classes-have-fsc-cur.patch b/queue-5.10/net-sched-sch_hfsc-ensure-inner-classes-have-fsc-cur.patch new file mode 100644 index 00000000000..760207269f8 --- /dev/null +++ b/queue-5.10/net-sched-sch_hfsc-ensure-inner-classes-have-fsc-cur.patch @@ -0,0 +1,44 @@ +From ee2a64cc1b4d834d46005ece07e9857482ec7b8e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Aug 2023 01:49:05 -0700 +Subject: net/sched: sch_hfsc: Ensure inner classes have fsc curve + +From: Budimir Markovic + +[ Upstream commit b3d26c5702c7d6c45456326e56d2ccf3f103e60f ] + +HFSC assumes that inner classes have an fsc curve, but it is currently +possible for classes without an fsc curve to become parents. This leads +to bugs including a use-after-free. + +Don't allow non-root classes without HFSC_FSC to become parents. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: Budimir Markovic +Signed-off-by: Budimir Markovic +Acked-by: Jamal Hadi Salim +Link: https://lore.kernel.org/r/20230824084905.422-1-markovicbudimir@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/sch_hfsc.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/sched/sch_hfsc.c b/net/sched/sch_hfsc.c +index cdc43a06aa9bc..6076294a632c5 100644 +--- a/net/sched/sch_hfsc.c ++++ b/net/sched/sch_hfsc.c +@@ -1012,6 +1012,10 @@ hfsc_change_class(struct Qdisc *sch, u32 classid, u32 parentid, + if (parent == NULL) + return -ENOENT; + } ++ if (!(parent->cl_flags & HFSC_FSC) && parent != &q->root) { ++ NL_SET_ERR_MSG(extack, "Invalid parent - parent class must have FSC"); ++ return -EINVAL; ++ } + + if (classid == 0 || TC_H_MAJ(classid ^ sch->handle) != 0) + return -EINVAL; +-- +2.40.1 + 
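Review bot: In mlx5_pci_link_toggle() the two `if (err) return err;` exits after the new pcie_capability_set_word() and pcie_capability_clear_word() calls leave the function right after the loop that calls `pci_cfg_access_lock(sdev)`, and no unlock is visible before them; the matching unlock is presumably further down, outside the hunk. A failure of the clear call additionally leaves PCI_EXP_LNKCTL_LD set on the bridge. Routing both errors to a cleanup label placed before the unlock code (for example `if (err) goto unlock;`, with `unlock` being a new label, not one on this page) would keep config access from staying locked on the error path.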
diff --git a/queue-5.10/net-tcp-fix-unexcepted-socket-die-when-snd_wnd-is-0.patch b/queue-5.10/net-tcp-fix-unexcepted-socket-die-when-snd_wnd-is-0.patch new file mode 100644 index 00000000000..c4d7eeb5fe1 --- /dev/null +++ b/queue-5.10/net-tcp-fix-unexcepted-socket-die-when-snd_wnd-is-0.patch 
@@ -0,0 +1,83 @@ +From 92bf41bc2c43d2b48f12b5c01cb6d6b275575c0f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Aug 2023 10:55:29 +0800 +Subject: net: tcp: fix unexcepted socket die when snd_wnd is 0 + +From: Menglong Dong + +[ Upstream commit e89688e3e97868451a5d05b38a9d2633d6785cd4 ] + +In tcp_retransmit_timer(), a window shrunk connection will be regarded +as timeout if 'tcp_jiffies32 - tp->rcv_tstamp > TCP_RTO_MAX'. This is not +right all the time. + +The retransmits will become zero-window probes in tcp_retransmit_timer() +if the 'snd_wnd==0'. Therefore, the icsk->icsk_rto will come up to +TCP_RTO_MAX sooner or later. + +However, the timer can be delayed and be triggered after 122877ms, not +TCP_RTO_MAX, as I tested. + +Therefore, 'tcp_jiffies32 - tp->rcv_tstamp > TCP_RTO_MAX' is always true +once the RTO come up to TCP_RTO_MAX, and the socket will die. + +Fix this by replacing the 'tcp_jiffies32' with '(u32)icsk->icsk_timeout', +which is exact the timestamp of the timeout. + +However, "tp->rcv_tstamp" can restart from idle, then tp->rcv_tstamp +could already be a long time (minutes or hours) in the past even on the +first RTO. So we double check the timeout with the duration of the +retransmission. + +Meanwhile, making "2 * TCP_RTO_MAX" as the timeout to avoid the socket +dying too soon. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Link: https://lore.kernel.org/netdev/CADxym3YyMiO+zMD4zj03YPM3FBi-1LHi6gSD2XT8pyAMM096pg@mail.gmail.com/ +Signed-off-by: Menglong Dong +Reviewed-by: Eric Dumazet +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_timer.c | 18 +++++++++++++++++- + 1 file changed, 17 insertions(+), 1 deletion(-) + +diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c +index d2e07bb30164c..5c7e10939dd90 100644 +--- a/net/ipv4/tcp_timer.c ++++ b/net/ipv4/tcp_timer.c +@@ -437,6 +437,22 @@ static void tcp_fastopen_synack_timer(struct sock *sk, struct request_sock *req) + TCP_TIMEOUT_INIT << req->num_timeout, TCP_RTO_MAX); + } + ++static bool tcp_rtx_probe0_timed_out(const struct sock *sk, ++ const struct sk_buff *skb) ++{ ++ const struct tcp_sock *tp = tcp_sk(sk); ++ const int timeout = TCP_RTO_MAX * 2; ++ u32 rcv_delta, rtx_delta; ++ ++ rcv_delta = inet_csk(sk)->icsk_timeout - tp->rcv_tstamp; ++ if (rcv_delta <= timeout) ++ return false; ++ ++ rtx_delta = (u32)msecs_to_jiffies(tcp_time_stamp(tp) - ++ (tp->retrans_stamp ?: tcp_skb_timestamp(skb))); ++ ++ return rtx_delta > timeout; ++} + + /** + * tcp_retransmit_timer() - The TCP retransmit timeout handler +@@ -502,7 +518,7 @@ void tcp_retransmit_timer(struct sock *sk) + tp->snd_una, tp->snd_nxt); + } + #endif +- if (tcp_jiffies32 - tp->rcv_tstamp > TCP_RTO_MAX) { ++ if (tcp_rtx_probe0_timed_out(sk, skb)) { + tcp_write_err(sk); + goto out; + } +-- +2.40.1 + diff --git a/queue-5.10/netrom-deny-concurrent-connect.patch b/queue-5.10/netrom-deny-concurrent-connect.patch new file mode 100644 index 00000000000..dd8d793927c --- /dev/null +++ b/queue-5.10/netrom-deny-concurrent-connect.patch 
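Review bot: In tcp_rtx_probe0_timed_out() `rcv_delta` is declared `u32`, so if `tp->rcv_tstamp` is ever later than `icsk_timeout` the subtraction wraps to a very large value and the `rcv_delta <= timeout` early return is skipped, leaving the verdict to `rtx_delta` alone. Whether that ordering can occur depends on where rcv_tstamp is updated, which is outside this hunk, but a signed difference makes the comparison with the `int timeout` behave in that case: declare `s32 rcv_delta;` separately from `u32 rtx_delta;`. The helper also has no comment; one sentence saying that the socket is only written off when both the age of `tp->rcv_tstamp` and the time spent retransmitting exceed `2 * TCP_RTO_MAX` would record the intent that is currently only in the commit message.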
@@ -0,0 +1,139 @@ +From cfb24c3b1f8b0d155aced752d34cf4da4be818d2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Aug 2023 09:50:59 -0700 +Subject: netrom: Deny concurrent connect(). + +From: Kuniyuki Iwashima + +[ Upstream commit c2f8fd7949603efb03908e05abbf7726748c8de3 ] + +syzkaller reported null-ptr-deref [0] related to AF_NETROM. +This is another self-accept issue from the strace log. [1] + +syz-executor creates an AF_NETROM socket and calls connect(), which +is blocked at that time. Then, sk->sk_state is TCP_SYN_SENT and +sock->state is SS_CONNECTING. + + [pid 5059] socket(AF_NETROM, SOCK_SEQPACKET, 0) = 4 + [pid 5059] connect(4, {sa_family=AF_NETROM, sa_data="..." + +Another thread calls connect() concurrently, which finally fails +with -EINVAL. However, the problem here is the socket state is +reset even while the first connect() is blocked. + + [pid 5060] connect(4, NULL, 0 + [pid 5060] <... connect resumed>) = -1 EINVAL (Invalid argument) + +As sk->state is TCP_CLOSE and sock->state is SS_UNCONNECTED, the +following listen() succeeds. Then, the first connect() looks up +itself as a listener and puts skb into the queue with skb->sk itself. +As a result, the next accept() gets another FD of itself as 3, and +the first connect() finishes. + + [pid 5060] listen(4, 0 + [pid 5060] <... listen resumed>) = 0 + [pid 5060] accept(4, NULL, NULL + [pid 5060] <... accept resumed>) = 3 + [pid 5059] <... connect resumed>) = 0 + +Then, accept4() is called but blocked, which causes the general protection +fault later. + + [pid 5059] accept4(4, NULL, 0x20000400, SOCK_NONBLOCK + +After that, another self-accept occurs by accept() and writev(). + + [pid 5060] accept(4, NULL, NULL + [pid 5061] writev(3, [{iov_base=...}] + [pid 5061] <... writev resumed>) = 99 + [pid 5060] <... accept resumed>) = 6 + +Finally, the leader thread close()s all FDs. 
Since the three FDs +reference the same socket, nr_release() does the cleanup for it +three times, and the remaining accept4() causes the following fault. + + [pid 5058] close(3) = 0 + [pid 5058] close(4) = 0 + [pid 5058] close(5) = -1 EBADF (Bad file descriptor) + [pid 5058] close(6) = 0 + [pid 5058] <... exit_group resumed>) = ? + [ 83.456055][ T5059] general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN + +To avoid the issue, we need to return an error for connect() if +another connect() is in progress, as done in __inet_stream_connect(). + +[0]: +general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN +KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f] +CPU: 0 PID: 5059 Comm: syz-executor.0 Not tainted 6.5.0-rc5-syzkaller-00194-gace0ab3a4b54 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 +RIP: 0010:__lock_acquire+0x109/0x5de0 kernel/locking/lockdep.c:5012 +Code: 45 85 c9 0f 84 cc 0e 00 00 44 8b 05 11 6e 23 0b 45 85 c0 0f 84 be 0d 00 00 48 ba 00 00 00 00 00 fc ff df 4c 89 d1 48 c1 e9 03 <80> 3c 11 00 0f 85 e8 40 00 00 49 81 3a a0 69 48 90 0f 84 96 0d 00 +RSP: 0018:ffffc90003d6f9e0 EFLAGS: 00010006 +RAX: ffff8880244c8000 RBX: 1ffff920007adf6c RCX: 0000000000000003 +RDX: dffffc0000000000 RSI: 0000000000000000 RDI: 0000000000000018 +RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000001 +R10: 0000000000000018 R11: 0000000000000000 R12: 0000000000000000 +R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 +FS: 00007f51d519a6c0(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f51d5158d58 CR3: 000000002943f000 CR4: 00000000003506f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + lock_acquire 
kernel/locking/lockdep.c:5761 [inline] + lock_acquire+0x1ae/0x510 kernel/locking/lockdep.c:5726 + __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] + _raw_spin_lock_irqsave+0x3a/0x50 kernel/locking/spinlock.c:162 + prepare_to_wait+0x47/0x380 kernel/sched/wait.c:269 + nr_accept+0x20d/0x650 net/netrom/af_netrom.c:798 + do_accept+0x3a6/0x570 net/socket.c:1872 + __sys_accept4_file net/socket.c:1913 [inline] + __sys_accept4+0x99/0x120 net/socket.c:1943 + __do_sys_accept4 net/socket.c:1954 [inline] + __se_sys_accept4 net/socket.c:1951 [inline] + __x64_sys_accept4+0x96/0x100 net/socket.c:1951 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd +RIP: 0033:0x7f51d447cae9 +Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007f51d519a0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000120 +RAX: ffffffffffffffda RBX: 00007f51d459bf80 RCX: 00007f51d447cae9 +RDX: 0000000020000400 RSI: 0000000000000000 RDI: 0000000000000004 +RBP: 00007f51d44c847a R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000800 R11: 0000000000000246 R12: 0000000000000000 +R13: 000000000000000b R14: 00007f51d459bf80 R15: 00007ffc25c34e48 + + +Link: https://syzkaller.appspot.com/text?tag=CrashLog&x=152cdb63a80000 [1] +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: syzbot+666c97e4686410e79649@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=666c97e4686410e79649 +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + net/netrom/af_netrom.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c +index 5c04da4cfbad0..24747163122bb 100644 +--- a/net/netrom/af_netrom.c ++++ b/net/netrom/af_netrom.c +@@ -660,6 +660,11 @@ static int nr_connect(struct socket *sock, struct sockaddr *uaddr, + goto out_release; + } + ++ if (sock->state == SS_CONNECTING) { ++ err = -EALREADY; ++ goto out_release; ++ } ++ + sk->sk_state = TCP_CLOSE; + sock->state = SS_UNCONNECTED; + +-- +2.40.1 + diff --git a/queue-5.10/nfs-blocklayout-use-the-passed-in-gfp-flags.patch b/queue-5.10/nfs-blocklayout-use-the-passed-in-gfp-flags.patch new file mode 100644 index 00000000000..ab860aa0ef1 --- /dev/null +++ b/queue-5.10/nfs-blocklayout-use-the-passed-in-gfp-flags.patch 
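Review bot: The new `sock->state == SS_CONNECTING` check in nr_connect() is only effective because it sits above `sk->sk_state = TCP_CLOSE;` and `sock->state = SS_UNCONNECTED;`, and nothing in the code says so. A one-line comment above it, e.g. `/* A connect() is already in flight; do not reset the socket state under it. */`, would keep a later reordering from reopening the self-accept sequence described in the commit message. nr_connect() starts and ends outside the hunk, so the earlier state checks it falls through from are not visible here.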
@@ -0,0 +1,47 @@
+From 9e7c48c5dbc8bda8b8eee0d15caf4d2a3a686a29 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 24 Jul 2023 11:08:46 +0300
+Subject: nfs/blocklayout: Use the passed in gfp flags
+
+From: Dan Carpenter
+
+[ Upstream commit 08b45fcb2d4675f6182fe0edc0d8b1fe604051fa ]
+
+This allocation should use the passed in GFP_ flags instead of
+GFP_KERNEL. One places where this matters is in filelayout_pg_init_write()
+which uses GFP_NOFS as the allocation flags.
+
+Fixes: 5c83746a0cf2 ("pnfs/blocklayout: in-kernel GETDEVICEINFO XDR parsing")
+Signed-off-by: Dan Carpenter
+Reviewed-by: Christoph Hellwig
+Signed-off-by: Anna Schumaker
+Signed-off-by: Sasha Levin
+---
+ fs/nfs/blocklayout/dev.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/nfs/blocklayout/dev.c b/fs/nfs/blocklayout/dev.c
+index dec5880ac6de2..6e3a14fdff9c8 100644
+--- a/fs/nfs/blocklayout/dev.c
++++ b/fs/nfs/blocklayout/dev.c
+@@ -422,7 +422,7 @@ bl_parse_concat(struct nfs_server *server, struct pnfs_block_dev *d,
+ int ret, i;
+
+ d->children = kcalloc(v->concat.volumes_count,
+- sizeof(struct pnfs_block_dev), GFP_KERNEL);
++ sizeof(struct pnfs_block_dev), gfp_mask);
+ if (!d->children)
+ return -ENOMEM;
+
+@@ -451,7 +451,7 @@ bl_parse_stripe(struct nfs_server *server, struct pnfs_block_dev *d,
+ int ret, i;
+
+ d->children = kcalloc(v->stripe.volumes_count,
+- sizeof(struct pnfs_block_dev), GFP_KERNEL);
++ sizeof(struct pnfs_block_dev), gfp_mask);
+ if (!d->children)
+ return -ENOMEM;
+
+--
+2.40.1
+
diff --git a/queue-5.10/nfs-guard-against-readdir-loop-when-entry-names-exce.patch b/queue-5.10/nfs-guard-against-readdir-loop-when-entry-names-exce.patch
new file mode 100644
index 00000000000..8cc24452bfb
--- /dev/null
+++ b/queue-5.10/nfs-guard-against-readdir-loop-when-entry-names-exce.patch
@@ -0,0 +1,57 @@ +From 3de7175ad84843c5c3976e3ea428f5b458792e9f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Aug 2023 14:22:38 -0400 +Subject: NFS: Guard against READDIR loop when entry names exceed MAXNAMELEN + +From: Benjamin Coddington + +[ Upstream commit f67b55b6588bcf9316a1e6e8d529100a5aa3ebe6 ] + +Commit 64cfca85bacd asserts the only valid return values for +nfs2/3_decode_dirent should not include -ENAMETOOLONG, but for a server +that sends a filename3 which exceeds MAXNAMELEN in a READDIR response the +client's behavior will be to endlessly retry the operation. + +We could map -ENAMETOOLONG into -EBADCOOKIE, but that would produce +truncated listings without any error. The client should return an error +for this case to clearly assert that the server implementation must be +corrected. + +Fixes: 64cfca85bacd ("NFS: Return valid errors from nfs2/3_decode_dirent()") +Signed-off-by: Benjamin Coddington +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + fs/nfs/nfs2xdr.c | 2 +- + fs/nfs/nfs3xdr.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/nfs/nfs2xdr.c b/fs/nfs/nfs2xdr.c +index 5e6453e9b3079..b34196da1f945 100644 +--- a/fs/nfs/nfs2xdr.c ++++ b/fs/nfs/nfs2xdr.c +@@ -948,7 +948,7 @@ int nfs2_decode_dirent(struct xdr_stream *xdr, struct nfs_entry *entry, + + error = decode_filename_inline(xdr, &entry->name, &entry->len); + if (unlikely(error)) +- return -EAGAIN; ++ return error == -ENAMETOOLONG ? -ENAMETOOLONG : -EAGAIN; + + /* + * The type (size and byte order) of nfscookie isn't defined in +diff --git a/fs/nfs/nfs3xdr.c b/fs/nfs/nfs3xdr.c +index b5a9379b14504..509f32845d7b2 100644 +--- a/fs/nfs/nfs3xdr.c ++++ b/fs/nfs/nfs3xdr.c +@@ -1987,7 +1987,7 @@ int nfs3_decode_dirent(struct xdr_stream *xdr, struct nfs_entry *entry, + + error = decode_inline_filename3(xdr, &entry->name, &entry->len); + if (unlikely(error)) +- return -EAGAIN; ++ return error == -ENAMETOOLONG ? 
-ENAMETOOLONG : -EAGAIN; + + error = decode_cookie3(xdr, &new_cookie); + if (unlikely(error)) +-- +2.40.1 + diff --git a/queue-5.10/nfsd-da_addr_body-field-missing-in-some-getdeviceinf.patch b/queue-5.10/nfsd-da_addr_body-field-missing-in-some-getdeviceinf.patch new file mode 100644 index 00000000000..49f5326ad31 --- /dev/null +++ b/queue-5.10/nfsd-da_addr_body-field-missing-in-some-getdeviceinf.patch 
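Review bot: `return error == -ENAMETOOLONG ? -ENAMETOOLONG : -EAGAIN;` in nfs2_decode_dirent() and nfs3_decode_dirent() has no comment explaining why this one error is passed through while every other filename decode failure still becomes -EAGAIN. The reason lives only in the commit message: an over-long name sent by the server would otherwise make the client retry READDIR endlessly. A comment at both sites, e.g. `/* Name exceeds the protocol limit: fail READDIR instead of retrying forever. */`, would record it. How the caller treats the new return value is outside these hunks and is worth confirming in the backport, since the commit named in Fixes: restricted the set of values these functions may return.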
@@ -0,0 +1,139 @@ +From 9c62529afc481ee5edbb44a76f2d27da8acb1d05 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Aug 2023 10:20:52 -0400 +Subject: NFSD: da_addr_body field missing in some GETDEVICEINFO replies + +From: Chuck Lever + +[ Upstream commit 6372e2ee629894433fe6107d7048536a3280a284 ] + +The XDR specification in RFC 8881 looks like this: + +struct device_addr4 { + layouttype4 da_layout_type; + opaque da_addr_body<>; +}; + +struct GETDEVICEINFO4resok { + device_addr4 gdir_device_addr; + bitmap4 gdir_notification; +}; + +union GETDEVICEINFO4res switch (nfsstat4 gdir_status) { +case NFS4_OK: + GETDEVICEINFO4resok gdir_resok4; +case NFS4ERR_TOOSMALL: + count4 gdir_mincount; +default: + void; +}; + +Looking at nfsd4_encode_getdeviceinfo() .... + +When the client provides a zero gd_maxcount, then the Linux NFS +server implementation encodes the da_layout_type field and then +skips the da_addr_body field completely, proceeding directly to +encode gdir_notification field. + +There does not appear to be an option in the specification to skip +encoding da_addr_body. Moreover, Section 18.40.3 says: + +> If the client wants to just update or turn off notifications, it +> MAY send a GETDEVICEINFO operation with gdia_maxcount set to zero. +> In that event, if the device ID is valid, the reply's da_addr_body +> field of the gdir_device_addr field will be of zero length. + +Since the layout drivers are responsible for encoding the +da_addr_body field, put this fix inside the ->encode_getdeviceinfo +methods. 
+ +Fixes: 9cf514ccfacb ("nfsd: implement pNFS operations") +Reviewed-by: Christoph Hellwig +Cc: Tom Haynes +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +--- + fs/nfsd/blocklayoutxdr.c | 9 +++++++++ + fs/nfsd/flexfilelayoutxdr.c | 9 +++++++++ + fs/nfsd/nfs4xdr.c | 25 +++++++++++-------------- + 3 files changed, 29 insertions(+), 14 deletions(-) + +diff --git a/fs/nfsd/blocklayoutxdr.c b/fs/nfsd/blocklayoutxdr.c +index 442543304930b..2455dc8be18a8 100644 +--- a/fs/nfsd/blocklayoutxdr.c ++++ b/fs/nfsd/blocklayoutxdr.c +@@ -82,6 +82,15 @@ nfsd4_block_encode_getdeviceinfo(struct xdr_stream *xdr, + int len = sizeof(__be32), ret, i; + __be32 *p; + ++ /* ++ * See paragraph 5 of RFC 8881 S18.40.3. ++ */ ++ if (!gdp->gd_maxcount) { ++ if (xdr_stream_encode_u32(xdr, 0) != XDR_UNIT) ++ return nfserr_resource; ++ return nfs_ok; ++ } ++ + p = xdr_reserve_space(xdr, len + sizeof(__be32)); + if (!p) + return nfserr_resource; +diff --git a/fs/nfsd/flexfilelayoutxdr.c b/fs/nfsd/flexfilelayoutxdr.c +index e81d2a5cf381e..bb205328e043d 100644 +--- a/fs/nfsd/flexfilelayoutxdr.c ++++ b/fs/nfsd/flexfilelayoutxdr.c +@@ -85,6 +85,15 @@ nfsd4_ff_encode_getdeviceinfo(struct xdr_stream *xdr, + int addr_len; + __be32 *p; + ++ /* ++ * See paragraph 5 of RFC 8881 S18.40.3. 
++ */ ++ if (!gdp->gd_maxcount) { ++ if (xdr_stream_encode_u32(xdr, 0) != XDR_UNIT) ++ return nfserr_resource; ++ return nfs_ok; ++ } ++ + /* len + padding for two strings */ + addr_len = 16 + da->netaddr.netid_len + da->netaddr.addr_len; + ver_len = 20; +diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c +index c7e8e641d3e5f..dbfa24cf33906 100644 +--- a/fs/nfsd/nfs4xdr.c ++++ b/fs/nfsd/nfs4xdr.c +@@ -4407,20 +4407,17 @@ nfsd4_encode_getdeviceinfo(struct nfsd4_compoundres *resp, __be32 nfserr, + + *p++ = cpu_to_be32(gdev->gd_layout_type); + +- /* If maxcount is 0 then just update notifications */ +- if (gdev->gd_maxcount != 0) { +- ops = nfsd4_layout_ops[gdev->gd_layout_type]; +- nfserr = ops->encode_getdeviceinfo(xdr, gdev); +- if (nfserr) { +- /* +- * We don't bother to burden the layout drivers with +- * enforcing gd_maxcount, just tell the client to +- * come back with a bigger buffer if it's not enough. +- */ +- if (xdr->buf->len + 4 > gdev->gd_maxcount) +- goto toosmall; +- return nfserr; +- } ++ ops = nfsd4_layout_ops[gdev->gd_layout_type]; ++ nfserr = ops->encode_getdeviceinfo(xdr, gdev); ++ if (nfserr) { ++ /* ++ * We don't bother to burden the layout drivers with ++ * enforcing gd_maxcount, just tell the client to ++ * come back with a bigger buffer if it's not enough. ++ */ ++ if (xdr->buf->len + 4 > gdev->gd_maxcount) ++ goto toosmall; ++ return nfserr; + } + + if (gdev->gd_notify_types) { +-- +2.40.1 + diff --git a/queue-5.10/nfsv4.2-fix-handling-of-copy-err_offload_no_req.patch b/queue-5.10/nfsv4.2-fix-handling-of-copy-err_offload_no_req.patch new file mode 100644 index 00000000000..6306636f02b --- /dev/null +++ b/queue-5.10/nfsv4.2-fix-handling-of-copy-err_offload_no_req.patch 
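Review bot: With the `gd_maxcount != 0` guard removed from nfsd4_encode_getdeviceinfo(), a failure in the new zero-maxcount branch of the layout encoders (`return nfserr_resource;`) reaches `if (xdr->buf->len + 4 > gdev->gd_maxcount) goto toosmall;`, which is always true when gd_maxcount is 0. A client that sent zero only to update notifications would then presumably be answered as if its buffer were too small (the toosmall label is outside the hunk) instead of seeing the resource error. Consider `if (gdev->gd_maxcount && xdr->buf->len + 4 > gdev->gd_maxcount)`. The identical zero-length block added to nfsd4_block_encode_getdeviceinfo() and nfsd4_ff_encode_getdeviceinfo() could also be one shared static helper, so the two layout drivers cannot drift apart.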
@@ -0,0 +1,40 @@
+From 48aed7f4a3ca471a89c84d90541d1bacd2ef546f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 24 Aug 2023 16:43:53 -0400
+Subject: NFSv4.2: fix handling of COPY ERR_OFFLOAD_NO_REQ
+
+From: Olga Kornievskaia
+
+[ Upstream commit 5690eed941ab7e33c3c3d6b850100cabf740f075 ]
+
+If the client sent a synchronous copy and the server replied with
+ERR_OFFLOAD_NO_REQ indicating that it wants an asynchronous
+copy instead, the client should retry with asynchronous copy.
+
+Fixes: 539f57b3e0fd ("NFS handle COPY ERR_OFFLOAD_NO_REQS")
+Signed-off-by: Olga Kornievskaia
+Signed-off-by: Anna Schumaker
+Signed-off-by: Sasha Levin
+---
+ fs/nfs/nfs42proc.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/fs/nfs/nfs42proc.c b/fs/nfs/nfs42proc.c
+index dad32b171e677..dfeea712014b7 100644
+--- a/fs/nfs/nfs42proc.c
++++ b/fs/nfs/nfs42proc.c
+@@ -443,8 +443,9 @@ ssize_t nfs42_proc_copy(struct file *src, loff_t pos_src,
+ continue;
+ }
+ break;
+- } else if (err == -NFS4ERR_OFFLOAD_NO_REQS && !args.sync) {
+- args.sync = true;
++ } else if (err == -NFS4ERR_OFFLOAD_NO_REQS &&
++ args.sync != res.synchronous) {
++ args.sync = res.synchronous;
+ dst_exception.retry = 1;
+ continue;
+ } else if ((err == -ESTALE ||
+--
+2.40.1
+
diff --git a/queue-5.10/of-unittest-fix-null-pointer-dereferencing-in-of_uni.patch b/queue-5.10/of-unittest-fix-null-pointer-dereferencing-in-of_uni.patch
new file mode 100644
index 00000000000..b29729f00f9
--- /dev/null
+++ b/queue-5.10/of-unittest-fix-null-pointer-dereferencing-in-of_uni.patch
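Review bot: The retry condition in nfs42_proc_copy() now depends on `res.synchronous`, a value that comes from the server's reply, on an error path, and nothing in the hunk shows that the field is filled in when `err == -NFS4ERR_OFFLOAD_NO_REQS`; if it is not, `args.sync != res.synchronous` compares against whatever `res` held before the call. The branch also ends in `dst_exception.retry = 1; continue;`, so a server that answers each attempt by asking for the opposite mode would, as far as the visible lines show, be retried every time (the loop itself is outside the hunk, so this is inferred). A comment such as `/* res.synchronous is the mode the server asked for; retry in that mode */` plus a note on where the field is decoded for this status would make the dependency explicit, and a one-shot flag would bound the retries.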
@@ -0,0 +1,74 @@ +From 059ac2149f1c3fbaea2f68d57c527b526bcfc9b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Jul 2023 16:02:46 +0800 +Subject: of: unittest: fix null pointer dereferencing in + of_unittest_find_node_by_name() + +From: Ruan Jinjie + +[ Upstream commit d6ce4f0ea19c32f10867ed93d8386924326ab474 ] + +when kmalloc() fail to allocate memory in kasprintf(), name +or full_name will be NULL, strcmp() will cause +null pointer dereference. + +Fixes: 0d638a07d3a1 ("of: Convert to using %pOF instead of full_name") +Signed-off-by: Ruan Jinjie +Link: https://lore.kernel.org/r/20230727080246.519539-1-ruanjinjie@huawei.com +Signed-off-by: Rob Herring +Signed-off-by: Sasha Levin +--- + drivers/of/unittest.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/of/unittest.c b/drivers/of/unittest.c +index 5407bbdb64395..1058e23eca7d2 100644 +--- a/drivers/of/unittest.c ++++ b/drivers/of/unittest.c +@@ -69,7 +69,7 @@ static void __init of_unittest_find_node_by_name(void) + + np = of_find_node_by_path("/testcase-data"); + name = kasprintf(GFP_KERNEL, "%pOF", np); +- unittest(np && !strcmp("/testcase-data", name), ++ unittest(np && name && !strcmp("/testcase-data", name), + "find /testcase-data failed\n"); + of_node_put(np); + kfree(name); +@@ -80,14 +80,14 @@ static void __init of_unittest_find_node_by_name(void) + + np = of_find_node_by_path("/testcase-data/phandle-tests/consumer-a"); + name = kasprintf(GFP_KERNEL, "%pOF", np); +- unittest(np && !strcmp("/testcase-data/phandle-tests/consumer-a", name), ++ unittest(np && name && !strcmp("/testcase-data/phandle-tests/consumer-a", name), + "find /testcase-data/phandle-tests/consumer-a failed\n"); + of_node_put(np); + kfree(name); + + np = of_find_node_by_path("testcase-alias"); + name = kasprintf(GFP_KERNEL, "%pOF", np); +- unittest(np && !strcmp("/testcase-data", name), ++ unittest(np && name && !strcmp("/testcase-data", name), + "find testcase-alias failed\n"); + 
of_node_put(np); + kfree(name); +@@ -98,7 +98,7 @@ static void __init of_unittest_find_node_by_name(void) + + np = of_find_node_by_path("testcase-alias/phandle-tests/consumer-a"); + name = kasprintf(GFP_KERNEL, "%pOF", np); +- unittest(np && !strcmp("/testcase-data/phandle-tests/consumer-a", name), ++ unittest(np && name && !strcmp("/testcase-data/phandle-tests/consumer-a", name), + "find testcase-alias/phandle-tests/consumer-a failed\n"); + of_node_put(np); + kfree(name); +@@ -1376,6 +1376,8 @@ static void attach_node_and_children(struct device_node *np) + const char *full_name; + + full_name = kasprintf(GFP_KERNEL, "%pOF", np); ++ if (!full_name) ++ return; + + if (!strcmp(full_name, "/__local_fixups__") || + !strcmp(full_name, "/__fixups__")) { +-- +2.40.1 + diff --git a/queue-5.10/of-unittest-fix-overlay-type-in-apply-revert-check.patch b/queue-5.10/of-unittest-fix-overlay-type-in-apply-revert-check.patch new file mode 100644 index 00000000000..a81ccb58e2a --- /dev/null +++ b/queue-5.10/of-unittest-fix-overlay-type-in-apply-revert-check.patch 
@@ -0,0 +1,42 @@
+From 412369cb4f15d5fca83cb054698ab40726afddc4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 28 Jul 2023 10:50:29 +0200
+Subject: of: unittest: Fix overlay type in apply/revert check
+
+From: Geert Uytterhoeven
+
+[ Upstream commit 6becf8f845ae1f0b1cfed395bbeccbd23654162d ]
+
+The removal check in of_unittest_apply_revert_overlay_check()
+always uses the platform device overlay type, while it should use the
+actual overlay type, as passed as a parameter to the function.
+
+This has no impact on any current test, as all tests calling
+of_unittest_apply_revert_overlay_check() use the platform device overlay
+type.
+
+Fixes: d5e75500ca401d31 ("of: unitest: Add I2C overlay unit tests.")
+Signed-off-by: Geert Uytterhoeven
+Link: https://lore.kernel.org/r/ba0234c41ba808f10112094f88792beeb6dbaedf.1690533838.git.geert+renesas@glider.be
+Signed-off-by: Rob Herring
+Signed-off-by: Sasha Levin
+---
+ drivers/of/unittest.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/of/unittest.c b/drivers/of/unittest.c
+index 1058e23eca7d2..412d7ddb3b8b2 100644
+--- a/drivers/of/unittest.c
++++ b/drivers/of/unittest.c
+@@ -2067,7 +2067,7 @@ static int __init of_unittest_apply_revert_overlay_check(int overlay_nr,
+ of_unittest_untrack_overlay(save_id);
+
+ /* unittest device must be again in before state */
+- if (of_unittest_device_exists(unittest_nr, PDEV_OVERLAY) != before) {
++ if (of_unittest_device_exists(unittest_nr, ovtype) != before) {
+ unittest(0, "%s with device @\"%s\" %s\n",
+ overlay_name_from_nr(overlay_nr),
+ unittest_path(unittest_nr, ovtype),
+--
+2.40.1
+
diff --git a/queue-5.10/opp-fix-passing-0-to-ptr_err-in-_opp_attach_genpd.patch b/queue-5.10/opp-fix-passing-0-to-ptr_err-in-_opp_attach_genpd.patch
new file mode 100644
index 00000000000..13ab68befc4
--- /dev/null
+++ b/queue-5.10/opp-fix-passing-0-to-ptr_err-in-_opp_attach_genpd.patch
@@ -0,0 +1,41 @@
+From e7c2b1b6ff956227c0d84c6122f47310bdc3bf83 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 21 Jul 2023 18:16:34 +0530
+Subject: OPP: Fix passing 0 to PTR_ERR in _opp_attach_genpd()
+
+From: Manivannan Sadhasivam
+
+[ Upstream commit d920920f85a82c1c806a4143871a0e8f534732f2 ]
+
+If dev_pm_domain_attach_by_name() returns NULL, then 0 will be passed to
+PTR_ERR() as reported by the smatch warning below:
+
+drivers/opp/core.c:2456 _opp_attach_genpd() warn: passing zero to 'PTR_ERR'
+
+Fix it by checking for the non-NULL virt_dev pointer before passing it to
+PTR_ERR. Otherwise return -ENODEV.
+
+Fixes: 4ea9496cbc95 ("opp: Fix error check in dev_pm_opp_attach_genpd()")
+Signed-off-by: Manivannan Sadhasivam
+Signed-off-by: Viresh Kumar
+Signed-off-by: Sasha Levin
+---
+ drivers/opp/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/opp/core.c b/drivers/opp/core.c
+index 7ed605ffb7171..7999baa075b0e 100644
+--- a/drivers/opp/core.c
++++ b/drivers/opp/core.c
+@@ -2053,7 +2053,7 @@ struct opp_table *dev_pm_opp_attach_genpd(struct device *dev,
+
+ virt_dev = dev_pm_domain_attach_by_name(dev, *name);
+ if (IS_ERR_OR_NULL(virt_dev)) {
+- ret = PTR_ERR(virt_dev) ? : -ENODEV;
++ ret = virt_dev ? PTR_ERR(virt_dev) : -ENODEV;
+ dev_err(dev, "Couldn't attach to pm_domain: %d\n", ret);
+ goto err;
+ }
+--
+2.40.1
+
diff --git a/queue-5.10/pci-aspm-use-rmw-accessors-for-changing-lnkctl.patch b/queue-5.10/pci-aspm-use-rmw-accessors-for-changing-lnkctl.patch
new file mode 100644
index 00000000000..f7c1366153a
--- /dev/null
+++ b/queue-5.10/pci-aspm-use-rmw-accessors-for-changing-lnkctl.patch
@@ -0,0 +1,105 @@ +From 807f355a4fe76a621f07721e8d318f94bb985137 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jul 2023 15:04:56 +0300 +Subject: PCI/ASPM: Use RMW accessors for changing LNKCTL +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ilpo Järvinen + +[ Upstream commit e09060b3b6b4661278ff8e1b7b81a37d5ea86eae ] + +Don't assume that the device is fully under the control of ASPM and use RMW +capability accessors which do proper locking to avoid losing concurrent +updates to the register values. + +If configuration fails in pcie_aspm_configure_common_clock(), the +function attempts to restore the old PCI_EXP_LNKCTL_CCC settings. Store +only the old PCI_EXP_LNKCTL_CCC bit for the relevant devices rather +than the content of the whole LNKCTL registers. It aligns better with +how pcie_lnkctl_clear_and_set() expects its parameter and makes the +code more obvious to understand. + +Suggested-by: Lukas Wunner +Fixes: 2a42d9dba784 ("PCIe: ASPM: Break out of endless loop waiting for PCI config bits to switch") +Fixes: 7d715a6c1ae5 ("PCI: add PCI Express ASPM support") +Link: https://lore.kernel.org/r/20230717120503.15276-5-ilpo.jarvinen@linux.intel.com +Signed-off-by: Ilpo Järvinen +Signed-off-by: Bjorn Helgaas +Acked-by: "Rafael J. 
Wysocki" +Signed-off-by: Sasha Levin +--- + drivers/pci/pcie/aspm.c | 30 +++++++++++++----------------- + 1 file changed, 13 insertions(+), 17 deletions(-) + +diff --git a/drivers/pci/pcie/aspm.c b/drivers/pci/pcie/aspm.c +index 7a3cf8aaec256..ef6f0ceb92f9f 100644 +--- a/drivers/pci/pcie/aspm.c ++++ b/drivers/pci/pcie/aspm.c +@@ -249,7 +249,7 @@ static int pcie_retrain_link(struct pcie_link_state *link) + static void pcie_aspm_configure_common_clock(struct pcie_link_state *link) + { + int same_clock = 1; +- u16 reg16, parent_reg, child_reg[8]; ++ u16 reg16, ccc, parent_old_ccc, child_old_ccc[8]; + struct pci_dev *child, *parent = link->pdev; + struct pci_bus *linkbus = parent->subordinate; + /* +@@ -271,6 +271,7 @@ static void pcie_aspm_configure_common_clock(struct pcie_link_state *link) + + /* Port might be already in common clock mode */ + pcie_capability_read_word(parent, PCI_EXP_LNKCTL, ®16); ++ parent_old_ccc = reg16 & PCI_EXP_LNKCTL_CCC; + if (same_clock && (reg16 & PCI_EXP_LNKCTL_CCC)) { + bool consistent = true; + +@@ -287,34 +288,29 @@ static void pcie_aspm_configure_common_clock(struct pcie_link_state *link) + pci_info(parent, "ASPM: current common clock configuration is inconsistent, reconfiguring\n"); + } + ++ ccc = same_clock ? 
PCI_EXP_LNKCTL_CCC : 0; + /* Configure downstream component, all functions */ + list_for_each_entry(child, &linkbus->devices, bus_list) { + pcie_capability_read_word(child, PCI_EXP_LNKCTL, ®16); +- child_reg[PCI_FUNC(child->devfn)] = reg16; +- if (same_clock) +- reg16 |= PCI_EXP_LNKCTL_CCC; +- else +- reg16 &= ~PCI_EXP_LNKCTL_CCC; +- pcie_capability_write_word(child, PCI_EXP_LNKCTL, reg16); ++ child_old_ccc[PCI_FUNC(child->devfn)] = reg16 & PCI_EXP_LNKCTL_CCC; ++ pcie_capability_clear_and_set_word(child, PCI_EXP_LNKCTL, ++ PCI_EXP_LNKCTL_CCC, ccc); + } + + /* Configure upstream component */ +- pcie_capability_read_word(parent, PCI_EXP_LNKCTL, ®16); +- parent_reg = reg16; +- if (same_clock) +- reg16 |= PCI_EXP_LNKCTL_CCC; +- else +- reg16 &= ~PCI_EXP_LNKCTL_CCC; +- pcie_capability_write_word(parent, PCI_EXP_LNKCTL, reg16); ++ pcie_capability_clear_and_set_word(parent, PCI_EXP_LNKCTL, ++ PCI_EXP_LNKCTL_CCC, ccc); + + if (pcie_retrain_link(link)) { + + /* Training failed. Restore common clock configurations */ + pci_err(parent, "ASPM: Could not configure common clock\n"); + list_for_each_entry(child, &linkbus->devices, bus_list) +- pcie_capability_write_word(child, PCI_EXP_LNKCTL, +- child_reg[PCI_FUNC(child->devfn)]); +- pcie_capability_write_word(parent, PCI_EXP_LNKCTL, parent_reg); ++ pcie_capability_clear_and_set_word(child, PCI_EXP_LNKCTL, ++ PCI_EXP_LNKCTL_CCC, ++ child_old_ccc[PCI_FUNC(child->devfn)]); ++ pcie_capability_clear_and_set_word(parent, PCI_EXP_LNKCTL, ++ PCI_EXP_LNKCTL_CCC, parent_old_ccc); + } + } + +-- +2.40.1 + diff --git a/queue-5.10/pci-mark-nvidia-t4-gpus-to-avoid-bus-reset.patch b/queue-5.10/pci-mark-nvidia-t4-gpus-to-avoid-bus-reset.patch new file mode 100644 index 00000000000..fb6d19973eb --- /dev/null +++ b/queue-5.10/pci-mark-nvidia-t4-gpus-to-avoid-bus-reset.patch 
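Review bot: The concurrency guarantee this backport claims is not provided by anything in the hunk: the new `pcie_capability_clear_and_set_word()` calls in pcie_aspm_configure_common_clock() avoid lost LNKCTL updates only if the accessor itself serialises the read-modify-write. The Link trailer suggests this is patch 5 of a series, so that locking presumably comes from an earlier patch; whether that prerequisite is queued for 5.10 cannot be told from this part of the page and should be confirmed, for this patch and for the pciehp change that follows, which has the same dependency. Without it the change is a refactor and the Fixes: tags overstate what is fixed. Separately, `child_old_ccc[8]` is written only for the functions present on the bus and read back through the same `PCI_FUNC(child->devfn)` index; a one-line comment at the declaration saying so would make the restore path easier to audit.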
@@ -0,0 +1,38 @@
+From df3d45fbd01db563b3bab40659c4b6f8aacedac4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 10 Apr 2023 20:34:11 +0800
+Subject: PCI: Mark NVIDIA T4 GPUs to avoid bus reset
+
+From: Wu Zongyong
+
+[ Upstream commit d5af729dc2071273f14cbb94abbc60608142fd83 ]
+
+NVIDIA T4 GPUs do not work with SBR. This problem is found when the T4 card
+is direct attached to a Root Port only. Avoid bus reset by marking T4 GPUs
+PCI_DEV_FLAGS_NO_BUS_RESET.
+
+Fixes: 4c207e7121fa ("PCI: Mark some NVIDIA GPUs to avoid bus reset")
+Link: https://lore.kernel.org/r/2dcebea53a6eb9bd212ec6d8974af2e5e0333ef6.1681129861.git.wuzongyong@linux.alibaba.com
+Signed-off-by: Wu Zongyong
+Signed-off-by: Bjorn Helgaas
+Signed-off-by: Sasha Levin
+---
+ drivers/pci/quirks.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c
+index c0d1134811915..1193c81f88964 100644
+--- a/drivers/pci/quirks.c
++++ b/drivers/pci/quirks.c
+@@ -3578,7 +3578,7 @@ static void quirk_no_bus_reset(struct pci_dev *dev)
+ */
+ static void quirk_nvidia_no_bus_reset(struct pci_dev *dev)
+ {
+- if ((dev->device & 0xffc0) == 0x2340)
++ if ((dev->device & 0xffc0) == 0x2340 || dev->device == 0x1eb8)
+ quirk_no_bus_reset(dev);
+ }
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_NVIDIA, PCI_ANY_ID,
+--
+2.40.1
+
diff --git a/queue-5.10/pci-pciehp-use-rmw-accessors-for-changing-lnkctl.patch b/queue-5.10/pci-pciehp-use-rmw-accessors-for-changing-lnkctl.patch
new file mode 100644
index 00000000000..36b80bd90e3
--- /dev/null
+++ b/queue-5.10/pci-pciehp-use-rmw-accessors-for-changing-lnkctl.patch
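Review bot: The new `dev->device == 0x1eb8` test in quirk_nvidia_no_bus_reset() is a bare device ID, and nothing in the visible code says which part it matches; only the commit message names the T4. A trailing `/* 0x1eb8: T4 */`, or an added line in the comment block above the function (which starts outside the hunk), would let a reader check the quirk list without going back to the log.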
@@ -0,0 +1,54 @@
+From 03a7c03f85077485e1621654aaab4e756391e5af Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 17 Jul 2023 15:04:55 +0300
+Subject: PCI: pciehp: Use RMW accessors for changing LNKCTL
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ilpo Järvinen
+
+[ Upstream commit 5f75f96c61039151c193775d776fde42477eace1 ]
+
+As hotplug is not the only driver touching LNKCTL, use the RMW capability
+accessor which handles concurrent changes correctly.
+
+Suggested-by: Lukas Wunner
+Fixes: 7f822999e12a ("PCI: pciehp: Add Disable/enable link functions")
+Link: https://lore.kernel.org/r/20230717120503.15276-4-ilpo.jarvinen@linux.intel.com
+Signed-off-by: Ilpo Järvinen
+Signed-off-by: Bjorn Helgaas
+Acked-by: "Rafael J. Wysocki"
+Signed-off-by: Sasha Levin
+---
+ drivers/pci/hotplug/pciehp_hpc.c | 12 +++---------
+ 1 file changed, 3 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/pci/hotplug/pciehp_hpc.c b/drivers/pci/hotplug/pciehp_hpc.c
+index dda9523577472..75c6c72ec32ac 100644
+--- a/drivers/pci/hotplug/pciehp_hpc.c
++++ b/drivers/pci/hotplug/pciehp_hpc.c
+@@ -332,17 +332,11 @@ int pciehp_check_link_status(struct controller *ctrl)
+ static int __pciehp_link_set(struct controller *ctrl, bool enable)
+ {
+ struct pci_dev *pdev = ctrl_dev(ctrl);
+- u16 lnk_ctrl;
+
+- pcie_capability_read_word(pdev, PCI_EXP_LNKCTL, &lnk_ctrl);
++ pcie_capability_clear_and_set_word(pdev, PCI_EXP_LNKCTL,
++ PCI_EXP_LNKCTL_LD,
++ enable ? 0 : PCI_EXP_LNKCTL_LD);
+
+- if (enable)
+- lnk_ctrl &= ~PCI_EXP_LNKCTL_LD;
+- else
+- lnk_ctrl |= PCI_EXP_LNKCTL_LD;
+-
+- pcie_capability_write_word(pdev, PCI_EXP_LNKCTL, lnk_ctrl);
+- ctrl_dbg(ctrl, "%s: lnk_ctrl = %x\n", __func__, lnk_ctrl);
+ return 0;
+ }
+
+--
+2.40.1
+
diff --git a/queue-5.10/perf-imx_ddr-don-t-enable-counter0-if-none-of-4-coun.patch b/queue-5.10/perf-imx_ddr-don-t-enable-counter0-if-none-of-4-coun.patch
new file mode 100644
index 00000000000..b6c28f688d7
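Review bot: `__pciehp_link_set()` still returns 0 unconditionally while discarding the result of `pcie_capability_clear_and_set_word()`, and the `ctrl_dbg()` line that printed the resulting LNKCTL value is removed, so a failed config access on the Link Disable bit now leaves no trace at all. Keeping a debug line that records the outcome, for example `ctrl_dbg(ctrl, "%s: LNKCTL LD %s\n", __func__, enable ? "cleared" : "set");`, or logging when the accessor returns non-zero, would preserve what the old trace gave an operator diagnosing a link that never comes up.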
--- /dev/null
+++ b/queue-5.10/perf-imx_ddr-don-t-enable-counter0-if-none-of-4-coun.patch
@@ -0,0 +1,90 @@ +From 10d72ed6a79442626499d75e403a01dc52a5d166 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Aug 2023 09:54:38 +0800 +Subject: perf/imx_ddr: don't enable counter0 if none of 4 counters are used + +From: Xu Yang + +[ Upstream commit f4e2bd91ddf5e8543cbe7ad80b3fba3d2dc63fa3 ] + +In current driver, counter0 will be enabled after ddr_perf_pmu_enable() +is called even though none of the 4 counters are used. This will cause +counter0 continue to count until ddr_perf_pmu_disabled() is called. If +pmu is not disabled all the time, the pmu interrupt will be asserted +from time to time due to counter0 will overflow and irq handler will +clear it. It's not an expected behavior. This patch will not enable +counter0 if none of 4 counters are used. + +Fixes: 9a66d36cc7ac ("drivers/perf: imx_ddr: Add DDR performance counter support to perf") +Signed-off-by: Xu Yang +Reviewed-by: Frank Li +Link: https://lore.kernel.org/r/20230811015438.1999307-2-xu.yang_2@nxp.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + drivers/perf/fsl_imx8_ddr_perf.c | 24 +++++++++--------------- + 1 file changed, 9 insertions(+), 15 deletions(-) + +diff --git a/drivers/perf/fsl_imx8_ddr_perf.c b/drivers/perf/fsl_imx8_ddr_perf.c +index e09bbf3890c49..8dfb67530d6bc 100644 +--- a/drivers/perf/fsl_imx8_ddr_perf.c ++++ b/drivers/perf/fsl_imx8_ddr_perf.c +@@ -82,6 +82,7 @@ struct ddr_pmu { + const struct fsl_ddr_devtype_data *devtype_data; + int irq; + int id; ++ int active_counter; + }; + + enum ddr_perf_filter_capabilities { +@@ -414,6 +415,10 @@ static void ddr_perf_event_start(struct perf_event *event, int flags) + + ddr_perf_counter_enable(pmu, event->attr.config, counter, true); + ++ if (!pmu->active_counter++) ++ ddr_perf_counter_enable(pmu, EVENT_CYCLES_ID, ++ EVENT_CYCLES_COUNTER, true); ++ + hwc->state = 0; + } + +@@ -468,6 +473,10 @@ static void ddr_perf_event_stop(struct perf_event *event, int flags) + ddr_perf_counter_enable(pmu, event->attr.config, 
counter, false); + ddr_perf_event_update(event); + ++ if (!--pmu->active_counter) ++ ddr_perf_counter_enable(pmu, EVENT_CYCLES_ID, ++ EVENT_CYCLES_COUNTER, false); ++ + hwc->state |= PERF_HES_STOPPED; + } + +@@ -486,25 +495,10 @@ static void ddr_perf_event_del(struct perf_event *event, int flags) + + static void ddr_perf_pmu_enable(struct pmu *pmu) + { +- struct ddr_pmu *ddr_pmu = to_ddr_pmu(pmu); +- +- /* enable cycle counter if cycle is not active event list */ +- if (ddr_pmu->events[EVENT_CYCLES_COUNTER] == NULL) +- ddr_perf_counter_enable(ddr_pmu, +- EVENT_CYCLES_ID, +- EVENT_CYCLES_COUNTER, +- true); + } + + static void ddr_perf_pmu_disable(struct pmu *pmu) + { +- struct ddr_pmu *ddr_pmu = to_ddr_pmu(pmu); +- +- if (ddr_pmu->events[EVENT_CYCLES_COUNTER] == NULL) +- ddr_perf_counter_enable(ddr_pmu, +- EVENT_CYCLES_ID, +- EVENT_CYCLES_COUNTER, +- false); + } + + static int ddr_perf_init(struct ddr_pmu *pmu, void __iomem *base, +-- +2.40.1 + diff --git a/queue-5.10/phy-rockchip-inno-hdmi-do-not-power-on-rk3328-post-p.patch b/queue-5.10/phy-rockchip-inno-hdmi-do-not-power-on-rk3328-post-p.patch new file mode 100644 index 00000000000..3f3511ba7d0 --- /dev/null +++ b/queue-5.10/phy-rockchip-inno-hdmi-do-not-power-on-rk3328-post-p.patch 
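Review bot: `active_counter` is decremented unconditionally in ddr_perf_event_stop(), so the count stays correct only if every stop is paired with exactly one earlier start. The visible lines set `PERF_HES_STOPPED` after the decrement but never test it, so a stop on an event that is already stopped, or that was added without being started, would take the counter negative; the next `if (!pmu->active_counter++)` in ddr_perf_event_start() would then be false and the cycle counter would stay disabled. Whether the perf core can reach that path for this PMU depends on ddr_perf_event_add() and ddr_perf_event_del(), which are outside the hunks, so this needs checking rather than assuming. A guard such as `if (hwc->state & PERF_HES_STOPPED) return;` at the top of the stop path, or a `WARN_ON_ONCE(pmu->active_counter < 0)` after the decrement, would make an imbalance visible instead of silently breaking later measurements.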
@@ -0,0 +1,55 @@ +From 780467553cb6b58a48313c1d51204f3031ebb0b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jun 2023 17:10:21 +0000 +Subject: phy/rockchip: inno-hdmi: do not power on rk3328 post pll on reg write + +From: Jonas Karlman + +[ Upstream commit 19a1d46bd699940a496d3b0d4e142ef99834988c ] + +inno_write is used to configure 0xaa reg, that also hold the +POST_PLL_POWER_DOWN bit. +When POST_PLL_REFCLK_SEL_TMDS is configured the power down bit is not +taken into consideration. + +Fix this by keeping the power down bit until configuration is complete. +Also reorder the reg write order for consistency. + +Fixes: 53706a116863 ("phy: add Rockchip Innosilicon hdmi phy") +Signed-off-by: Jonas Karlman +Link: https://lore.kernel.org/r/20230615171005.2251032-5-jonas@kwiboo.se +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/phy/rockchip/phy-rockchip-inno-hdmi.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/phy/rockchip/phy-rockchip-inno-hdmi.c b/drivers/phy/rockchip/phy-rockchip-inno-hdmi.c +index 093d2334e8cdc..2b0f5f2b4f339 100644 +--- a/drivers/phy/rockchip/phy-rockchip-inno-hdmi.c ++++ b/drivers/phy/rockchip/phy-rockchip-inno-hdmi.c +@@ -1023,9 +1023,10 @@ inno_hdmi_phy_rk3328_power_on(struct inno_hdmi_phy *inno, + + inno_write(inno, 0xac, RK3328_POST_PLL_FB_DIV_7_0(cfg->fbdiv)); + if (cfg->postdiv == 1) { +- inno_write(inno, 0xaa, RK3328_POST_PLL_REFCLK_SEL_TMDS); + inno_write(inno, 0xab, RK3328_POST_PLL_FB_DIV_8(cfg->fbdiv) | + RK3328_POST_PLL_PRE_DIV(cfg->prediv)); ++ inno_write(inno, 0xaa, RK3328_POST_PLL_REFCLK_SEL_TMDS | ++ RK3328_POST_PLL_POWER_DOWN); + } else { + v = (cfg->postdiv / 2) - 1; + v &= RK3328_POST_PLL_POST_DIV_MASK; +@@ -1033,7 +1034,8 @@ inno_hdmi_phy_rk3328_power_on(struct inno_hdmi_phy *inno, + inno_write(inno, 0xab, RK3328_POST_PLL_FB_DIV_8(cfg->fbdiv) | + RK3328_POST_PLL_PRE_DIV(cfg->prediv)); + inno_write(inno, 0xaa, RK3328_POST_PLL_POST_DIV_ENABLE | +- 
RK3328_POST_PLL_REFCLK_SEL_TMDS); ++ RK3328_POST_PLL_REFCLK_SEL_TMDS | ++ RK3328_POST_PLL_POWER_DOWN); + } + + for (v = 0; v < 14; v++) +-- +2.40.1 + diff --git a/queue-5.10/phy-rockchip-inno-hdmi-round-fractal-pixclock-in-rk3.patch b/queue-5.10/phy-rockchip-inno-hdmi-round-fractal-pixclock-in-rk3.patch new file mode 100644 index 00000000000..df0e39c60c6 --- /dev/null +++ b/queue-5.10/phy-rockchip-inno-hdmi-round-fractal-pixclock-in-rk3.patch 
@@ -0,0 +1,50 @@
+From 8f6649540a8780976584385db841f12887c76151 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 15 Jun 2023 17:10:19 +0000
+Subject: phy/rockchip: inno-hdmi: round fractal pixclock in rk3328 recalc_rate
+
+From: Zheng Yang
+
+[ Upstream commit d5ef343c1d62bc4c4c2c393af654a41cb34b449f ]
+
+inno_hdmi_phy_rk3328_clk_recalc_rate() is returning a rate not found
+in the pre pll config table when the fractal divider is used.
+This can prevent proper power_on because a tmdsclock for the new rate
+is not found in the pre pll config table.
+
+Fix this by saving and returning a rounded pixel rate that exist
+in the pre pll config table.
+
+Fixes: 53706a116863 ("phy: add Rockchip Innosilicon hdmi phy")
+Signed-off-by: Zheng Yang
+Signed-off-by: Jonas Karlman
+Link: https://lore.kernel.org/r/20230615171005.2251032-3-jonas@kwiboo.se
+Signed-off-by: Vinod Koul
+Signed-off-by: Sasha Levin
+---
+ drivers/phy/rockchip/phy-rockchip-inno-hdmi.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/phy/rockchip/phy-rockchip-inno-hdmi.c b/drivers/phy/rockchip/phy-rockchip-inno-hdmi.c
+index b0ac1d3ee3905..093d2334e8cdc 100644
+--- a/drivers/phy/rockchip/phy-rockchip-inno-hdmi.c
++++ b/drivers/phy/rockchip/phy-rockchip-inno-hdmi.c
+@@ -745,10 +745,12 @@ unsigned long inno_hdmi_phy_rk3328_clk_recalc_rate(struct clk_hw *hw,
+ do_div(vco, (nd * (no_a == 1 ? no_b : no_a) * no_d * 2));
+ }
+
+- inno->pixclock = vco;
+- dev_dbg(inno->dev, "%s rate %lu\n", __func__, inno->pixclock);
++ inno->pixclock = DIV_ROUND_CLOSEST((unsigned long)vco, 1000) * 1000;
+
+- return vco;
++ dev_dbg(inno->dev, "%s rate %lu vco %llu\n",
++ __func__, inno->pixclock, vco);
++
++ return inno->pixclock;
+ }
+
+ static long inno_hdmi_phy_rk3328_clk_round_rate(struct clk_hw *hw,
+--
+2.40.1
+
diff --git a/queue-5.10/phy-rockchip-inno-hdmi-use-correct-vco_div_5-macro-o.patch b/queue-5.10/phy-rockchip-inno-hdmi-use-correct-vco_div_5-macro-o.patch
new file mode 100644
index 00000000000..86fa24e5d29
--- /dev/null
+++ b/queue-5.10/phy-rockchip-inno-hdmi-use-correct-vco_div_5-macro-o.patch
@@ -0,0 +1,41 @@
+From beb1d0ca13ad959b30717d9eba9603925d1bdb16 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 15 Jun 2023 17:10:17 +0000
+Subject: phy/rockchip: inno-hdmi: use correct vco_div_5 macro on rk3328
+
+From: Jonas Karlman
+
+[ Upstream commit 644c06dfbd0da713f772abf0a8f8581ac78e6264 ]
+
+inno_hdmi_phy_rk3328_clk_set_rate() is using the RK3228 macro
+when configuring vco_div_5 on RK3328.
+
+Fix this by using correct vco_div_5 macro for RK3328.
+
+Fixes: 53706a116863 ("phy: add Rockchip Innosilicon hdmi phy")
+Signed-off-by: Jonas Karlman
+Link: https://lore.kernel.org/r/20230615171005.2251032-2-jonas@kwiboo.se
+Signed-off-by: Vinod Koul
+Signed-off-by: Sasha Levin
+---
+ drivers/phy/rockchip/phy-rockchip-inno-hdmi.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/phy/rockchip/phy-rockchip-inno-hdmi.c b/drivers/phy/rockchip/phy-rockchip-inno-hdmi.c
+index 9ca20c947283d..b0ac1d3ee3905 100644
+--- a/drivers/phy/rockchip/phy-rockchip-inno-hdmi.c
++++ b/drivers/phy/rockchip/phy-rockchip-inno-hdmi.c
+@@ -790,8 +790,8 @@ static int inno_hdmi_phy_rk3328_clk_set_rate(struct clk_hw *hw,
+ RK3328_PRE_PLL_POWER_DOWN);
+
+ /* Configure pre-pll */
+- inno_update_bits(inno, 0xa0, RK3228_PCLK_VCO_DIV_5_MASK,
+- RK3228_PCLK_VCO_DIV_5(cfg->vco_div_5_en));
++ inno_update_bits(inno, 0xa0, RK3328_PCLK_VCO_DIV_5_MASK,
++ RK3328_PCLK_VCO_DIV_5(cfg->vco_div_5_en));
+ inno_write(inno, 0xa1, RK3328_PRE_PLL_PRE_DIV(cfg->prediv));
+
+ val = RK3328_SPREAD_SPECTRUM_MOD_DISABLE;
+--
+2.40.1
+
diff --git a/queue-5.10/pinctrl-mcp23s08-check-return-value-of-devm_kasprint.patch b/queue-5.10/pinctrl-mcp23s08-check-return-value-of-devm_kasprint.patch
new file mode 100644
index 00000000000..91c86314acf
--- /dev/null
+++ b/queue-5.10/pinctrl-mcp23s08-check-return-value-of-devm_kasprint.patch
@@ -0,0 +1,62 @@
+From 7971a99d4dc7ce5ea119d5e960896a3ff94ff3a0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 21 Jun 2023 13:04:09 +0300
+Subject: pinctrl: mcp23s08: check return value of devm_kasprintf()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Claudiu Beznea
+
+[ Upstream commit f941714a7c7698eadb59bc27d34d6d6f38982705 ]
+
+devm_kasprintf() returns a pointer to dynamically allocated memory.
+Pointer could be NULL in case allocation fails. Check pointer validity.
+Identified with coccinelle (kmerr.cocci script).
+
+Fixes: 0f04a81784fe ("pinctrl: mcp23s08: Split to three parts: core, I²C, SPI")
+Signed-off-by: Claudiu Beznea
+Reviewed-by: Andy Shevchenko
+Link: https://lore.kernel.org/r/20230621100409.1608395-1-claudiu.beznea@microchip.com
+Signed-off-by: Linus Walleij
+Signed-off-by: Sasha Levin
+---
+ drivers/pinctrl/pinctrl-mcp23s08_spi.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/drivers/pinctrl/pinctrl-mcp23s08_spi.c b/drivers/pinctrl/pinctrl-mcp23s08_spi.c
+index 9ae10318f6f35..ea059b9c5542e 100644
+--- a/drivers/pinctrl/pinctrl-mcp23s08_spi.c
++++ b/drivers/pinctrl/pinctrl-mcp23s08_spi.c
+@@ -91,18 +91,28 @@ static int mcp23s08_spi_regmap_init(struct mcp23s08 *mcp, struct device *dev,
+ mcp->reg_shift = 0;
+ mcp->chip.ngpio = 8;
+ mcp->chip.label = devm_kasprintf(dev, GFP_KERNEL, "mcp23s08.%d", addr);
++ if (!mcp->chip.label)
++ return -ENOMEM;
+
+ config = &mcp23x08_regmap;
+ name = devm_kasprintf(dev, GFP_KERNEL, "%d", addr);
++ if (!name)
++ return -ENOMEM;
++
+ break;
+
+ case MCP_TYPE_S17:
+ mcp->reg_shift = 1;
+ mcp->chip.ngpio = 16;
+ mcp->chip.label = devm_kasprintf(dev, GFP_KERNEL, "mcp23s17.%d", addr);
++ if (!mcp->chip.label)
++ return -ENOMEM;
+
+ config = &mcp23x17_regmap;
+ name = devm_kasprintf(dev, GFP_KERNEL, "%d", addr);
++ if (!name)
++ return -ENOMEM;
++
+ break;
+
+ case MCP_TYPE_S18:
+--
+2.40.1
+
diff --git a/queue-5.10/powerpc-don-t-include-lppaca.h-in-paca.h.patch b/queue-5.10/powerpc-don-t-include-lppaca.h-in-paca.h.patch
new file mode 100644
index 00000000000..2dd48cc817e
--- /dev/null
+++ b/queue-5.10/powerpc-don-t-include-lppaca.h-in-paca.h.patch
@@ -0,0 +1,134 @@ +From a7abe7c08a7faff731f74f9e2092bfcc7fb17a12 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Aug 2023 15:53:16 +1000 +Subject: powerpc: Don't include lppaca.h in paca.h + +From: Michael Ellerman + +[ Upstream commit 1aa000667669fa855853decbb1c69e974d8ff716 ] + +By adding a forward declaration for struct lppaca we can untangle paca.h +and lppaca.h. Also move get_lppaca() into lppaca.h for consistency. + +Add includes of lppaca.h to some files that need it. + +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20230823055317.751786-3-mpe@ellerman.id.au +Stable-dep-of: eac030b22ea1 ("powerpc/pseries: Rework lppaca_shared_proc() to avoid DEBUG_PREEMPT") +Signed-off-by: Sasha Levin +--- + arch/powerpc/include/asm/lppaca.h | 4 ++++ + arch/powerpc/include/asm/paca.h | 6 +----- + arch/powerpc/include/asm/paravirt.h | 1 + + arch/powerpc/include/asm/plpar_wrappers.h | 1 + + arch/powerpc/kvm/book3s_hv_ras.c | 1 + + arch/powerpc/mm/book3s64/slb.c | 1 + + arch/powerpc/xmon/xmon.c | 1 + + 7 files changed, 10 insertions(+), 5 deletions(-) + +diff --git a/arch/powerpc/include/asm/lppaca.h b/arch/powerpc/include/asm/lppaca.h +index c390ec377baed..5d509ba0550b5 100644 +--- a/arch/powerpc/include/asm/lppaca.h ++++ b/arch/powerpc/include/asm/lppaca.h +@@ -130,6 +130,10 @@ static inline bool lppaca_shared_proc(struct lppaca *l) + return !!(l->__old_status & LPPACA_OLD_SHARED_PROC); + } + ++#ifdef CONFIG_PPC_PSERIES ++#define get_lppaca() (get_paca()->lppaca_ptr) ++#endif ++ + /* + * SLB shadow buffer structure as defined in the PAPR. The save_area + * contains adjacent ESID and VSID pairs for each shadowed SLB. 
The +diff --git a/arch/powerpc/include/asm/paca.h b/arch/powerpc/include/asm/paca.h +index 9454d29ff4b47..555aa3580e160 100644 +--- a/arch/powerpc/include/asm/paca.h ++++ b/arch/powerpc/include/asm/paca.h +@@ -14,7 +14,6 @@ + + #include + #include +-#include + #include + #include + #ifdef CONFIG_PPC_BOOK3E +@@ -45,14 +44,11 @@ extern unsigned int debug_smp_processor_id(void); /* from linux/smp.h */ + #define get_paca() local_paca + #endif + +-#ifdef CONFIG_PPC_PSERIES +-#define get_lppaca() (get_paca()->lppaca_ptr) +-#endif +- + #define get_slb_shadow() (get_paca()->slb_shadow_ptr) + + struct task_struct; + struct rtas_args; ++struct lppaca; + + /* + * Defines the layout of the paca. +diff --git a/arch/powerpc/include/asm/paravirt.h b/arch/powerpc/include/asm/paravirt.h +index 588bfb9a0579c..546c725013789 100644 +--- a/arch/powerpc/include/asm/paravirt.h ++++ b/arch/powerpc/include/asm/paravirt.h +@@ -6,6 +6,7 @@ + #include + #ifdef CONFIG_PPC64 + #include ++#include + #include + #endif + +diff --git a/arch/powerpc/include/asm/plpar_wrappers.h b/arch/powerpc/include/asm/plpar_wrappers.h +index ece84a430701f..7796cc05e2c8d 100644 +--- a/arch/powerpc/include/asm/plpar_wrappers.h ++++ b/arch/powerpc/include/asm/plpar_wrappers.h +@@ -9,6 +9,7 @@ + + #include + #include ++#include + #include + + static inline long poll_pending(void) +diff --git a/arch/powerpc/kvm/book3s_hv_ras.c b/arch/powerpc/kvm/book3s_hv_ras.c +index 6028628ea3acf..7c693b3ee34b9 100644 +--- a/arch/powerpc/kvm/book3s_hv_ras.c ++++ b/arch/powerpc/kvm/book3s_hv_ras.c +@@ -9,6 +9,7 @@ + #include + #include + #include ++#include + #include + #include + #include +diff --git a/arch/powerpc/mm/book3s64/slb.c b/arch/powerpc/mm/book3s64/slb.c +index c30fcbfa0e326..ccf0a876a7bd0 100644 +--- a/arch/powerpc/mm/book3s64/slb.c ++++ b/arch/powerpc/mm/book3s64/slb.c +@@ -13,6 +13,7 @@ + #include + #include + #include ++#include + #include + #include + #include +diff --git a/arch/powerpc/xmon/xmon.c 
b/arch/powerpc/xmon/xmon.c +index 2872b66d9fec7..3de2adc0a8074 100644 +--- a/arch/powerpc/xmon/xmon.c ++++ b/arch/powerpc/xmon/xmon.c +@@ -58,6 +58,7 @@ + #ifdef CONFIG_PPC64 + #include + #include ++#include + #endif + + #include "nonstdio.h" +-- +2.40.1 + diff --git a/queue-5.10/powerpc-fadump-reset-dump-area-size-if-fadump-memory.patch b/queue-5.10/powerpc-fadump-reset-dump-area-size-if-fadump-memory.patch new file mode 100644 index 00000000000..d32a7e4f04d --- /dev/null +++ b/queue-5.10/powerpc-fadump-reset-dump-area-size-if-fadump-memory.patch @@ -0,0 +1,42 @@ +From 51397080991695e688ea0a1e91c77a3cb60542d7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Jul 2023 10:37:15 +0530 +Subject: powerpc/fadump: reset dump area size if fadump memory reserve fails + +From: Sourabh Jain + +[ Upstream commit d1eb75e0dfed80d2d85b664e28a39f65b290ab55 ] + +In case fadump_reserve_mem() fails to reserve memory, the +reserve_dump_area_size variable will retain the reserve area size. This +will lead to /sys/kernel/fadump/mem_reserved node displaying an incorrect +memory reserved by fadump. + +To fix this problem, reserve dump area size variable is set to 0 if fadump +failed to reserve memory. + +Fixes: 8255da95e545 ("powerpc/fadump: release all the memory above boot memory size") +Signed-off-by: Sourabh Jain +Acked-by: Mahesh Salgaonkar +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20230704050715.203581-1-sourabhjain@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/fadump.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/powerpc/kernel/fadump.c b/arch/powerpc/kernel/fadump.c +index 1a5ba26aab156..935ce1bec43fa 100644 +--- a/arch/powerpc/kernel/fadump.c ++++ b/arch/powerpc/kernel/fadump.c +@@ -642,6 +642,7 @@ int __init fadump_reserve_mem(void) + return ret; + error_out: + fw_dump.fadump_enabled = 0; ++ fw_dump.reserve_dump_area_size = 0; + return 0; + } + +-- +2.40.1 + 
diff --git a/queue-5.10/powerpc-iommu-fix-notifiers-being-shared-by-pci-and-.patch b/queue-5.10/powerpc-iommu-fix-notifiers-being-shared-by-pci-and-.patch
new file mode 100644
index 00000000000..f467abe15a9
--- /dev/null
+++ b/queue-5.10/powerpc-iommu-fix-notifiers-being-shared-by-pci-and-.patch
@@ -0,0 +1,96 @@ +From 844204a289e514e5a95811b168b55ca24a03c46c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Mar 2023 14:53:22 +1100 +Subject: powerpc/iommu: Fix notifiers being shared by PCI and VIO buses + +From: Russell Currey + +[ Upstream commit c37b6908f7b2bd24dcaaf14a180e28c9132b9c58 ] + +fail_iommu_setup() registers the fail_iommu_bus_notifier struct to both +PCI and VIO buses. struct notifier_block is a linked list node, so this +causes any notifiers later registered to either bus type to also be +registered to the other since they share the same node. + +This causes issues in (at least) the vgaarb code, which registers a +notifier for PCI buses. pci_notify() ends up being called on a vio +device, converted with to_pci_dev() even though it's not a PCI device, +and finally makes a bad access in vga_arbiter_add_pci_device() as +discovered with KASAN: + + BUG: KASAN: slab-out-of-bounds in vga_arbiter_add_pci_device+0x60/0xe00 + Read of size 4 at addr c000000264c26fdc by task swapper/0/1 + + Call Trace: + dump_stack_lvl+0x1bc/0x2b8 (unreliable) + print_report+0x3f4/0xc60 + kasan_report+0x244/0x698 + __asan_load4+0xe8/0x250 + vga_arbiter_add_pci_device+0x60/0xe00 + pci_notify+0x88/0x444 + notifier_call_chain+0x104/0x320 + blocking_notifier_call_chain+0xa0/0x140 + device_add+0xac8/0x1d30 + device_register+0x58/0x80 + vio_register_device_node+0x9ac/0xce0 + vio_bus_scan_register_devices+0xc4/0x13c + __machine_initcall_pseries_vio_device_init+0x94/0xf0 + do_one_initcall+0x12c/0xaa8 + kernel_init_freeable+0xa48/0xba8 + kernel_init+0x64/0x400 + ret_from_kernel_thread+0x5c/0x64 + +Fix this by creating separate notifier_block structs for each bus type. 
+ +Fixes: d6b9a81b2a45 ("powerpc: IOMMU fault injection") +Reported-by: Nageswara R Sastry +Signed-off-by: Russell Currey +Tested-by: Nageswara R Sastry +Reviewed-by: Andrew Donnellan +[mpe: Add #ifdef to fix CONFIG_IBMVIO=n build] +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20230322035322.328709-1-ruscur@russell.cc +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/iommu.c | 17 ++++++++++++++--- + 1 file changed, 14 insertions(+), 3 deletions(-) + +diff --git a/arch/powerpc/kernel/iommu.c b/arch/powerpc/kernel/iommu.c +index 6806eefa52ceb..370635107f1c6 100644 +--- a/arch/powerpc/kernel/iommu.c ++++ b/arch/powerpc/kernel/iommu.c +@@ -133,17 +133,28 @@ static int fail_iommu_bus_notify(struct notifier_block *nb, + return 0; + } + +-static struct notifier_block fail_iommu_bus_notifier = { ++/* ++ * PCI and VIO buses need separate notifier_block structs, since they're linked ++ * list nodes. Sharing a notifier_block would mean that any notifiers later ++ * registered for PCI buses would also get called by VIO buses and vice versa. ++ */ ++static struct notifier_block fail_iommu_pci_bus_notifier = { + .notifier_call = fail_iommu_bus_notify + }; + ++#ifdef CONFIG_IBMVIO ++static struct notifier_block fail_iommu_vio_bus_notifier = { ++ .notifier_call = fail_iommu_bus_notify ++}; ++#endif ++ + static int __init fail_iommu_setup(void) + { + #ifdef CONFIG_PCI +- bus_register_notifier(&pci_bus_type, &fail_iommu_bus_notifier); ++ bus_register_notifier(&pci_bus_type, &fail_iommu_pci_bus_notifier); + #endif + #ifdef CONFIG_IBMVIO +- bus_register_notifier(&vio_bus_type, &fail_iommu_bus_notifier); ++ bus_register_notifier(&vio_bus_type, &fail_iommu_vio_bus_notifier); + #endif + + return 0; +-- +2.40.1 + diff --git a/queue-5.10/powerpc-perf-convert-fsl_emb-notifier-to-state-machi.patch b/queue-5.10/powerpc-perf-convert-fsl_emb-notifier-to-state-machi.patch new file mode 100644 index 00000000000..926ea7c2397 --- /dev/null 
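Review bot: `fail_iommu_pci_bus_notifier` is defined unconditionally although its only use in fail_iommu_setup() sits under `#ifdef CONFIG_PCI`, while its VIO twin is wrapped in `#ifdef CONFIG_IBMVIO` for exactly that reason, as the bracketed note in the trailers says. If this file can be built with CONFIG_PCI=n, which is not visible from here, the PCI struct becomes a defined-but-unused static; wrapping it in `#ifdef CONFIG_PCI` / `#endif` would make the two definitions symmetric. The return values of both `bus_register_notifier()` calls are also dropped, so a failed registration leaves fault injection off for that bus without any message; a `pr_warn()` on non-zero would be enough.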
+++ b/queue-5.10/powerpc-perf-convert-fsl_emb-notifier-to-state-machi.patch 
@@ -0,0 +1,84 @@ +From 2d6c7076001e7bc8bfdd8c08e49a04e017979ee1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Aug 2023 10:59:44 +0200 +Subject: powerpc/perf: Convert fsl_emb notifier to state machine callbacks + +From: Christophe Leroy + +[ Upstream commit 34daf445f82bd3a4df852bb5f1dffd792ac830a0 ] + + CC arch/powerpc/perf/core-fsl-emb.o +arch/powerpc/perf/core-fsl-emb.c:675:6: error: no previous prototype for 'hw_perf_event_setup' [-Werror=missing-prototypes] + 675 | void hw_perf_event_setup(int cpu) + | ^~~~~~~~~~~~~~~~~~~ + +Looks like fsl_emb was completely missed by commit 3f6da3905398 ("perf: +Rework and fix the arch CPU-hotplug hooks") + +So, apply same changes as commit 3f6da3905398 ("perf: Rework and fix +the arch CPU-hotplug hooks") then commit 57ecde42cc74 ("powerpc/perf: +Convert book3s notifier to state machine callbacks") + +While at it, also fix following error: + +arch/powerpc/perf/core-fsl-emb.c: In function 'perf_event_interrupt': +arch/powerpc/perf/core-fsl-emb.c:648:13: error: variable 'found' set but not used [-Werror=unused-but-set-variable] + 648 | int found = 0; + | ^~~~~ + +Fixes: 3f6da3905398 ("perf: Rework and fix the arch CPU-hotplug hooks") +Signed-off-by: Christophe Leroy +Signed-off-by: Michael Ellerman +Link: https://msgid.link/603e1facb32608f88f40b7d7b9094adc50e7b2dc.1692349125.git.christophe.leroy@csgroup.eu +Signed-off-by: Sasha Levin +--- + arch/powerpc/perf/core-fsl-emb.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/arch/powerpc/perf/core-fsl-emb.c b/arch/powerpc/perf/core-fsl-emb.c +index ee721f420a7ba..1a53ab08447cb 100644 +--- a/arch/powerpc/perf/core-fsl-emb.c ++++ b/arch/powerpc/perf/core-fsl-emb.c +@@ -645,7 +645,6 @@ static void perf_event_interrupt(struct pt_regs *regs) + struct cpu_hw_events *cpuhw = this_cpu_ptr(&cpu_hw_events); + struct perf_event *event; + unsigned long val; +- int found = 0; + + for (i = 0; i < ppmu->n_counter; ++i) { + event = cpuhw->event[i]; +@@ 
-654,7 +653,6 @@ static void perf_event_interrupt(struct pt_regs *regs) + if ((int)val < 0) { + if (event) { + /* event has overflowed */ +- found = 1; + record_and_restart(event, val, regs); + } else { + /* +@@ -672,11 +670,13 @@ static void perf_event_interrupt(struct pt_regs *regs) + isync(); + } + +-void hw_perf_event_setup(int cpu) ++static int fsl_emb_pmu_prepare_cpu(unsigned int cpu) + { + struct cpu_hw_events *cpuhw = &per_cpu(cpu_hw_events, cpu); + + memset(cpuhw, 0, sizeof(*cpuhw)); ++ ++ return 0; + } + + int register_fsl_emb_pmu(struct fsl_emb_pmu *pmu) +@@ -689,6 +689,8 @@ int register_fsl_emb_pmu(struct fsl_emb_pmu *pmu) + pmu->name); + + perf_pmu_register(&fsl_emb_pmu, "cpu", PERF_TYPE_RAW); ++ cpuhp_setup_state(CPUHP_PERF_POWER, "perf/powerpc:prepare", ++ fsl_emb_pmu_prepare_cpu, NULL); + + return 0; + } +-- +2.40.1 + diff --git a/queue-5.10/powerpc-pseries-rework-lppaca_shared_proc-to-avoid-d.patch b/queue-5.10/powerpc-pseries-rework-lppaca_shared_proc-to-avoid-d.patch new file mode 100644 index 00000000000..d756931cbdf --- /dev/null +++ b/queue-5.10/powerpc-pseries-rework-lppaca_shared_proc-to-avoid-d.patch 
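Review bot: The result of `cpuhp_setup_state()` is discarded in `register_fsl_emb_pmu()`, as is that of `perf_pmu_register()` on the line above it, so the function returns 0 even when the prepare callback was never installed. In that case `fsl_emb_pmu_prepare_cpu()` does not run and nothing in this hunk zeroes the per-CPU `cpu_hw_events` for a CPU being brought up, which is the job the old `hw_perf_event_setup()` hook had. Capturing the value and reporting a negative result, e.g. `rc = cpuhp_setup_state(...); if (rc < 0) pr_warn("fsl_emb PMU: hotplug setup failed: %d\n", rc);`, would make that failure visible. The body of `register_fsl_emb_pmu()` starts outside the hunk, so whether a hard error return is safe after `ppmu` has been set cannot be judged from here.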
@@ -0,0 +1,160 @@ +From 417cbb27dd9680dea4d7249d494a6588e6bb8344 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Aug 2023 15:53:17 +1000 +Subject: powerpc/pseries: Rework lppaca_shared_proc() to avoid DEBUG_PREEMPT + +From: Russell Currey + +[ Upstream commit eac030b22ea12cdfcbb2e941c21c03964403c63f ] + +lppaca_shared_proc() takes a pointer to the lppaca which is typically +accessed through get_lppaca(). With DEBUG_PREEMPT enabled, this leads +to checking if preemption is enabled, for example: + + BUG: using smp_processor_id() in preemptible [00000000] code: grep/10693 + caller is lparcfg_data+0x408/0x19a0 + CPU: 4 PID: 10693 Comm: grep Not tainted 6.5.0-rc3 #2 + Call Trace: + dump_stack_lvl+0x154/0x200 (unreliable) + check_preemption_disabled+0x214/0x220 + lparcfg_data+0x408/0x19a0 + ... + +This isn't actually a problem however, as it does not matter which +lppaca is accessed, the shared proc state will be the same. +vcpudispatch_stats_procfs_init() already works around this by disabling +preemption, but the lparcfg code does not, erroring any time +/proc/powerpc/lparcfg is accessed with DEBUG_PREEMPT enabled. + +Instead of disabling preemption on the caller side, rework +lppaca_shared_proc() to not take a pointer and instead directly access +the lppaca, bypassing any potential preemption checks. 
+ +Fixes: f13c13a00512 ("powerpc: Stop using non-architected shared_proc field in lppaca") +Signed-off-by: Russell Currey +[mpe: Rework to avoid needing a definition in paca.h and lppaca.h] +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20230823055317.751786-4-mpe@ellerman.id.au +Signed-off-by: Sasha Levin +--- + arch/powerpc/include/asm/lppaca.h | 11 +++++++++-- + arch/powerpc/platforms/pseries/lpar.c | 10 +--------- + arch/powerpc/platforms/pseries/lparcfg.c | 4 ++-- + arch/powerpc/platforms/pseries/setup.c | 2 +- + drivers/cpuidle/cpuidle-pseries.c | 8 +------- + 5 files changed, 14 insertions(+), 21 deletions(-) + +diff --git a/arch/powerpc/include/asm/lppaca.h b/arch/powerpc/include/asm/lppaca.h +index 5d509ba0550b5..1412e643122e4 100644 +--- a/arch/powerpc/include/asm/lppaca.h ++++ b/arch/powerpc/include/asm/lppaca.h +@@ -45,6 +45,7 @@ + #include + #include + #include ++#include + + /* + * The lppaca is the "virtual processor area" registered with the hypervisor, +@@ -123,14 +124,20 @@ struct lppaca { + */ + #define LPPACA_OLD_SHARED_PROC 2 + +-static inline bool lppaca_shared_proc(struct lppaca *l) ++#ifdef CONFIG_PPC_PSERIES ++/* ++ * All CPUs should have the same shared proc value, so directly access the PACA ++ * to avoid false positives from DEBUG_PREEMPT. 
++ */ ++static inline bool lppaca_shared_proc(void) + { ++ struct lppaca *l = local_paca->lppaca_ptr; ++ + if (!firmware_has_feature(FW_FEATURE_SPLPAR)) + return false; + return !!(l->__old_status & LPPACA_OLD_SHARED_PROC); + } + +-#ifdef CONFIG_PPC_PSERIES + #define get_lppaca() (get_paca()->lppaca_ptr) + #endif + +diff --git a/arch/powerpc/platforms/pseries/lpar.c b/arch/powerpc/platforms/pseries/lpar.c +index 28396a7e77d6f..68f3b082245e0 100644 +--- a/arch/powerpc/platforms/pseries/lpar.c ++++ b/arch/powerpc/platforms/pseries/lpar.c +@@ -637,16 +637,8 @@ static const struct proc_ops vcpudispatch_stats_freq_proc_ops = { + + static int __init vcpudispatch_stats_procfs_init(void) + { +- /* +- * Avoid smp_processor_id while preemptible. All CPUs should have +- * the same value for lppaca_shared_proc. +- */ +- preempt_disable(); +- if (!lppaca_shared_proc(get_lppaca())) { +- preempt_enable(); ++ if (!lppaca_shared_proc()) + return 0; +- } +- preempt_enable(); + + if (!proc_create("powerpc/vcpudispatch_stats", 0600, NULL, + &vcpudispatch_stats_proc_ops)) +diff --git a/arch/powerpc/platforms/pseries/lparcfg.c b/arch/powerpc/platforms/pseries/lparcfg.c +index d3517e498512f..a7d4e25ae82a1 100644 +--- a/arch/powerpc/platforms/pseries/lparcfg.c ++++ b/arch/powerpc/platforms/pseries/lparcfg.c +@@ -205,7 +205,7 @@ static void parse_ppp_data(struct seq_file *m) + ppp_data.active_system_procs); + + /* pool related entries are appropriate for shared configs */ +- if (lppaca_shared_proc(get_lppaca())) { ++ if (lppaca_shared_proc()) { + unsigned long pool_idle_time, pool_procs; + + seq_printf(m, "pool=%d\n", ppp_data.pool_num); +@@ -529,7 +529,7 @@ static int pseries_lparcfg_data(struct seq_file *m, void *v) + partition_potential_processors); + + seq_printf(m, "shared_processor_mode=%d\n", +- lppaca_shared_proc(get_lppaca())); ++ lppaca_shared_proc()); + + #ifdef CONFIG_PPC_BOOK3S_64 + seq_printf(m, "slb_size=%d\n", mmu_slb_size); +diff --git 
a/arch/powerpc/platforms/pseries/setup.c b/arch/powerpc/platforms/pseries/setup.c +index 0eac9ca782c21..822be2680b792 100644 +--- a/arch/powerpc/platforms/pseries/setup.c ++++ b/arch/powerpc/platforms/pseries/setup.c +@@ -800,7 +800,7 @@ static void __init pSeries_setup_arch(void) + if (firmware_has_feature(FW_FEATURE_LPAR)) { + vpa_init(boot_cpuid); + +- if (lppaca_shared_proc(get_lppaca())) { ++ if (lppaca_shared_proc()) { + static_branch_enable(&shared_processor); + pv_spinlocks_init(); + } +diff --git a/drivers/cpuidle/cpuidle-pseries.c b/drivers/cpuidle/cpuidle-pseries.c +index ff164dec8422e..f4cf3ade03db8 100644 +--- a/drivers/cpuidle/cpuidle-pseries.c ++++ b/drivers/cpuidle/cpuidle-pseries.c +@@ -409,13 +409,7 @@ static int __init pseries_idle_probe(void) + return -ENODEV; + + if (firmware_has_feature(FW_FEATURE_SPLPAR)) { +- /* +- * Use local_paca instead of get_lppaca() since +- * preemption is not disabled, and it is not required in +- * fact, since lppaca_ptr does not need to be the value +- * associated to the current CPU, it can be from any CPU. +- */ +- if (lppaca_shared_proc(local_paca->lppaca_ptr)) { ++ if (lppaca_shared_proc()) { + cpuidle_state_table = shared_states; + max_idle_state = ARRAY_SIZE(shared_states); + } else { +-- +2.40.1 + diff --git a/queue-5.10/quota-add-new-helper-dquot_active.patch b/queue-5.10/quota-add-new-helper-dquot_active.patch new file mode 100644 index 00000000000..cdc16ae08e8 --- /dev/null +++ b/queue-5.10/quota-add-new-helper-dquot_active.patch 
@@ -0,0 +1,119 @@ +From c99b7c8f51228e6abdd9c876a183565d1c6b290f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Jun 2023 19:08:20 +0800 +Subject: quota: add new helper dquot_active() + +From: Baokun Li + +[ Upstream commit 33bcfafc48cb186bc4bbcea247feaa396594229e ] + +Add new helper function dquot_active() to make the code more concise. + +Signed-off-by: Baokun Li +Signed-off-by: Jan Kara +Message-Id: <20230630110822.3881712-4-libaokun1@huawei.com> +Stable-dep-of: dabc8b207566 ("quota: fix dqput() to follow the guarantees dquot_srcu should provide") +Signed-off-by: Sasha Levin +--- + fs/quota/dquot.c | 23 ++++++++++++++--------- + 1 file changed, 14 insertions(+), 9 deletions(-) + +diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c +index bbe748bb9a0d5..202d97c2c5cb2 100644 +--- a/fs/quota/dquot.c ++++ b/fs/quota/dquot.c +@@ -338,6 +338,11 @@ static void wait_on_dquot(struct dquot *dquot) + mutex_unlock(&dquot->dq_lock); + } + ++static inline int dquot_active(struct dquot *dquot) ++{ ++ return test_bit(DQ_ACTIVE_B, &dquot->dq_flags); ++} ++ + static inline int dquot_dirty(struct dquot *dquot) + { + return test_bit(DQ_MOD_B, &dquot->dq_flags); +@@ -353,14 +358,14 @@ int dquot_mark_dquot_dirty(struct dquot *dquot) + { + int ret = 1; + +- if (!test_bit(DQ_ACTIVE_B, &dquot->dq_flags)) ++ if (!dquot_active(dquot)) + return 0; + + if (sb_dqopt(dquot->dq_sb)->flags & DQUOT_NOLIST_DIRTY) + return test_and_set_bit(DQ_MOD_B, &dquot->dq_flags); + + /* If quota is dirty already, we don't have to acquire dq_list_lock */ +- if (test_bit(DQ_MOD_B, &dquot->dq_flags)) ++ if (dquot_dirty(dquot)) + return 1; + + spin_lock(&dq_list_lock); +@@ -442,7 +447,7 @@ int dquot_acquire(struct dquot *dquot) + smp_mb__before_atomic(); + set_bit(DQ_READ_B, &dquot->dq_flags); + /* Instantiate dquot if needed */ +- if (!test_bit(DQ_ACTIVE_B, &dquot->dq_flags) && !dquot->dq_off) { ++ if (!dquot_active(dquot) && !dquot->dq_off) { + ret = dqopt->ops[dquot->dq_id.type]->commit_dqblk(dquot); + 
/* Write the info if needed */ + if (info_dirty(&dqopt->info[dquot->dq_id.type])) { +@@ -484,7 +489,7 @@ int dquot_commit(struct dquot *dquot) + goto out_lock; + /* Inactive dquot can be only if there was error during read/init + * => we have better not writing it */ +- if (test_bit(DQ_ACTIVE_B, &dquot->dq_flags)) ++ if (dquot_active(dquot)) + ret = dqopt->ops[dquot->dq_id.type]->commit_dqblk(dquot); + else + ret = -EIO; +@@ -599,7 +604,7 @@ int dquot_scan_active(struct super_block *sb, + + spin_lock(&dq_list_lock); + list_for_each_entry(dquot, &inuse_list, dq_inuse) { +- if (!test_bit(DQ_ACTIVE_B, &dquot->dq_flags)) ++ if (!dquot_active(dquot)) + continue; + if (dquot->dq_sb != sb) + continue; +@@ -614,7 +619,7 @@ int dquot_scan_active(struct super_block *sb, + * outstanding call and recheck the DQ_ACTIVE_B after that. + */ + wait_on_dquot(dquot); +- if (test_bit(DQ_ACTIVE_B, &dquot->dq_flags)) { ++ if (dquot_active(dquot)) { + ret = fn(dquot, priv); + if (ret < 0) + goto out; +@@ -665,7 +670,7 @@ int dquot_writeback_dquots(struct super_block *sb, int type) + dquot = list_first_entry(&dirty, struct dquot, + dq_dirty); + +- WARN_ON(!test_bit(DQ_ACTIVE_B, &dquot->dq_flags)); ++ WARN_ON(!dquot_active(dquot)); + + /* Now we have active dquot from which someone is + * holding reference so we can safely just increase +@@ -802,7 +807,7 @@ void dqput(struct dquot *dquot) + dquot_write_dquot(dquot); + goto we_slept; + } +- if (test_bit(DQ_ACTIVE_B, &dquot->dq_flags)) { ++ if (dquot_active(dquot)) { + spin_unlock(&dq_list_lock); + dquot->dq_sb->dq_op->release_dquot(dquot); + goto we_slept; +@@ -903,7 +908,7 @@ struct dquot *dqget(struct super_block *sb, struct kqid qid) + * already finished or it will be canceled due to dq_count > 1 test */ + wait_on_dquot(dquot); + /* Read the dquot / allocate space in quota file */ +- if (!test_bit(DQ_ACTIVE_B, &dquot->dq_flags)) { ++ if (!dquot_active(dquot)) { + int err; + + err = sb->dq_op->acquire_dquot(dquot); +-- +2.40.1 + 
diff --git a/queue-5.10/quota-factor-out-dquot_write_dquot.patch b/queue-5.10/quota-factor-out-dquot_write_dquot.patch
new file mode 100644
index 00000000000..d22602a0b71
--- /dev/null
+++ b/queue-5.10/quota-factor-out-dquot_write_dquot.patch
@@ -0,0 +1,94 @@
+From 4229c1a2bbfc75c1abcf9541d898c18bddc42036 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 30 Jun 2023 19:08:18 +0800
+Subject: quota: factor out dquot_write_dquot()
+
+From: Baokun Li
+
+[ Upstream commit 024128477809f8073d870307c8157b8826ebfd08 ]
+
+Refactor out dquot_write_dquot() to reduce duplicate code.
+
+Signed-off-by: Baokun Li
+Signed-off-by: Jan Kara
+Message-Id: <20230630110822.3881712-2-libaokun1@huawei.com>
+Stable-dep-of: dabc8b207566 ("quota: fix dqput() to follow the guarantees dquot_srcu should provide")
+Signed-off-by: Sasha Levin
+---
+ fs/quota/dquot.c | 39 ++++++++++++++++-----------------------
+ 1 file changed, 16 insertions(+), 23 deletions(-)
+
+diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c
+index 8d0cd68fc90a4..de4bebdc6e773 100644
+--- a/fs/quota/dquot.c
++++ b/fs/quota/dquot.c
+@@ -630,6 +630,18 @@ int dquot_scan_active(struct super_block *sb,
+ }
+ EXPORT_SYMBOL(dquot_scan_active);
+
++static inline int dquot_write_dquot(struct dquot *dquot)
++{
++ int ret = dquot->dq_sb->dq_op->write_dquot(dquot);
++ if (ret < 0) {
++ quota_error(dquot->dq_sb, "Can't write quota structure "
++ "(error %d). Quota may get out of sync!", ret);
++ /* Clear dirty bit anyway to avoid infinite loop. */
++ clear_dquot_dirty(dquot);
++ }
++ return ret;
++}
++
+ /* Write all dquot structures to quota files */
+ int dquot_writeback_dquots(struct super_block *sb, int type)
+ {
+@@ -660,16 +672,9 @@ int dquot_writeback_dquots(struct super_block *sb, int type)
+ * use count */
+ dqgrab(dquot);
+ spin_unlock(&dq_list_lock);
+- err = sb->dq_op->write_dquot(dquot);
+- if (err) {
+- /*
+- * Clear dirty bit anyway to avoid infinite
+- * loop here.
+- */
+- clear_dquot_dirty(dquot);
+- if (!ret)
+- ret = err;
+- }
++ err = dquot_write_dquot(dquot);
++ if (err && !ret)
++ ret = err;
+ dqput(dquot);
+ spin_lock(&dq_list_lock);
+ }
+@@ -767,8 +772,6 @@ static struct shrinker dqcache_shrinker = {
+ */
+ void dqput(struct dquot *dquot)
+ {
+- int ret;
+-
+ if (!dquot)
+ return;
+ #ifdef CONFIG_QUOTA_DEBUG
+@@ -796,17 +799,7 @@ void dqput(struct dquot *dquot)
+ if (dquot_dirty(dquot)) {
+ spin_unlock(&dq_list_lock);
+ /* Commit dquot before releasing */
+- ret = dquot->dq_sb->dq_op->write_dquot(dquot);
+- if (ret < 0) {
+- quota_error(dquot->dq_sb, "Can't write quota structure"
+- " (error %d). Quota may get out of sync!",
+- ret);
+- /*
+- * We clear dirty bit anyway, so that we avoid
+- * infinite loop here
+- */
+- clear_dquot_dirty(dquot);
+- }
++ dquot_write_dquot(dquot);
+ goto we_slept;
+ }
+ if (test_bit(DQ_ACTIVE_B, &dquot->dq_flags)) {
+--
+2.40.1
+
diff --git a/queue-5.10/quota-fix-dqput-to-follow-the-guarantees-dquot_srcu-.patch b/queue-5.10/quota-fix-dqput-to-follow-the-guarantees-dquot_srcu-.patch
new file mode 100644
index 00000000000..07d24a67598
--- /dev/null
+++ b/queue-5.10/quota-fix-dqput-to-follow-the-guarantees-dquot_srcu-.patch
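Review bot: `dquot_write_dquot()` clears the dirty bit only when `ret < 0`, whereas the code it replaces in `dquot_writeback_dquots()` cleared it on `if (err)`, and that caller still treats any non-zero `err` as a failure. If a `->write_dquot()` implementation ever returned a positive value, the dquot would keep its dirty bit and the infinite loop the removed comment warned about could come back; presumably every implementation returns 0 or a negative errno, but nothing visible here states that. Either test `if (ret)` in the helper or record the contract with a comment such as `/* ->write_dquot() returns 0 or -errno */`. The writeback path also now prints the `quota_error()` message it did not print before, which is a behaviour change rather than a pure refactor. Both callers' bodies extend outside their hunks.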
@@ -0,0 +1,249 @@ +From dce8c22d4d3491ac8e2ce339eac54d55b667cef0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Jun 2023 19:08:21 +0800 +Subject: quota: fix dqput() to follow the guarantees dquot_srcu should provide + +From: Baokun Li + +[ Upstream commit dabc8b20756601b9e1cc85a81d47d3f98ed4d13a ] + +The dquot_mark_dquot_dirty() using dquot references from the inode +should be protected by dquot_srcu. quota_off code takes care to call +synchronize_srcu(&dquot_srcu) to not drop dquot references while they +are used by other users. But dquot_transfer() breaks this assumption. +We call dquot_transfer() to drop the last reference of dquot and add +it to free_dquots, but there may still be other users using the dquot +at this time, as shown in the function graph below: + + cpu1 cpu2 +_________________|_________________ +wb_do_writeback CHOWN(1) + ... + ext4_da_update_reserve_space + dquot_claim_block + ... + dquot_mark_dquot_dirty // try to dirty old quota + test_bit(DQ_ACTIVE_B, &dquot->dq_flags) // still ACTIVE + if (test_bit(DQ_MOD_B, &dquot->dq_flags)) + // test no dirty, wait dq_list_lock + ... + dquot_transfer + __dquot_transfer + dqput_all(transfer_from) // rls old dquot + dqput // last dqput + dquot_release + clear_bit(DQ_ACTIVE_B, &dquot->dq_flags) + atomic_dec(&dquot->dq_count) + put_dquot_last(dquot) + list_add_tail(&dquot->dq_free, &free_dquots) + // add the dquot to free_dquots + if (!test_and_set_bit(DQ_MOD_B, &dquot->dq_flags)) + add dqi_dirty_list // add released dquot to dirty_list + +This can cause various issues, such as dquot being destroyed by +dqcache_shrink_scan() after being added to free_dquots, which can trigger +a UAF in dquot_mark_dquot_dirty(); or after dquot is added to free_dquots +and then to dirty_list, it is added to free_dquots again after +dquot_writeback_dquots() is executed, which causes the free_dquots list to +be corrupted and triggers a UAF when dqcache_shrink_scan() is called for +freeing dquot twice. 
+ +As Honza said, we need to fix dquot_transfer() to follow the guarantees +dquot_srcu should provide. But calling synchronize_srcu() directly from +dquot_transfer() is too expensive (and mostly unnecessary). So we add +dquot whose last reference should be dropped to the new global dquot +list releasing_dquots, and then queue work item which would call +synchronize_srcu() and after that perform the final cleanup of all the +dquots on releasing_dquots. + +Fixes: 4580b30ea887 ("quota: Do not dirty bad dquots") +Suggested-by: Jan Kara +Signed-off-by: Baokun Li +Signed-off-by: Jan Kara +Message-Id: <20230630110822.3881712-5-libaokun1@huawei.com> +Signed-off-by: Sasha Levin +--- + fs/quota/dquot.c | 96 +++++++++++++++++++++++++++++++++++++++--------- + 1 file changed, 78 insertions(+), 18 deletions(-) + +diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c +index 202d97c2c5cb2..13a9a17d6a13b 100644 +--- a/fs/quota/dquot.c ++++ b/fs/quota/dquot.c +@@ -225,13 +225,22 @@ static void put_quota_format(struct quota_format_type *fmt) + + /* + * Dquot List Management: +- * The quota code uses four lists for dquot management: the inuse_list, +- * free_dquots, dqi_dirty_list, and dquot_hash[] array. A single dquot +- * structure may be on some of those lists, depending on its current state. ++ * The quota code uses five lists for dquot management: the inuse_list, ++ * releasing_dquots, free_dquots, dqi_dirty_list, and dquot_hash[] array. ++ * A single dquot structure may be on some of those lists, depending on ++ * its current state. + * + * All dquots are placed to the end of inuse_list when first created, and this + * list is used for invalidate operation, which must look at every dquot. + * ++ * When the last reference of a dquot will be dropped, the dquot will be ++ * added to releasing_dquots. We'd then queue work item which would call ++ * synchronize_srcu() and after that perform the final cleanup of all the ++ * dquots on the list. 
Both releasing_dquots and free_dquots use the ++ * dq_free list_head in the dquot struct. When a dquot is removed from ++ * releasing_dquots, a reference count is always subtracted, and if ++ * dq_count == 0 at that point, the dquot will be added to the free_dquots. ++ * + * Unused dquots (dq_count == 0) are added to the free_dquots list when freed, + * and this list is searched whenever we need an available dquot. Dquots are + * removed from the list as soon as they are used again, and +@@ -250,6 +259,7 @@ static void put_quota_format(struct quota_format_type *fmt) + + static LIST_HEAD(inuse_list); + static LIST_HEAD(free_dquots); ++static LIST_HEAD(releasing_dquots); + static unsigned int dq_hash_bits, dq_hash_mask; + static struct hlist_head *dquot_hash; + +@@ -260,6 +270,9 @@ static qsize_t inode_get_rsv_space(struct inode *inode); + static qsize_t __inode_get_rsv_space(struct inode *inode); + static int __dquot_initialize(struct inode *inode, int type); + ++static void quota_release_workfn(struct work_struct *work); ++static DECLARE_DELAYED_WORK(quota_release_work, quota_release_workfn); ++ + static inline unsigned int + hashfn(const struct super_block *sb, struct kqid qid) + { +@@ -307,12 +320,18 @@ static inline void put_dquot_last(struct dquot *dquot) + dqstats_inc(DQST_FREE_DQUOTS); + } + ++static inline void put_releasing_dquots(struct dquot *dquot) ++{ ++ list_add_tail(&dquot->dq_free, &releasing_dquots); ++} ++ + static inline void remove_free_dquot(struct dquot *dquot) + { + if (list_empty(&dquot->dq_free)) + return; + list_del_init(&dquot->dq_free); +- dqstats_dec(DQST_FREE_DQUOTS); ++ if (!atomic_read(&dquot->dq_count)) ++ dqstats_dec(DQST_FREE_DQUOTS); + } + + static inline void put_inuse(struct dquot *dquot) +@@ -554,6 +573,8 @@ static void invalidate_dquots(struct super_block *sb, int type) + struct dquot *dquot, *tmp; + + restart: ++ flush_delayed_work("a_release_work); ++ + spin_lock(&dq_list_lock); + list_for_each_entry_safe(dquot, tmp, 
&inuse_list, dq_inuse) { + if (dquot->dq_sb != sb) +@@ -562,6 +583,12 @@ static void invalidate_dquots(struct super_block *sb, int type) + continue; + /* Wait for dquot users */ + if (atomic_read(&dquot->dq_count)) { ++ /* dquot in releasing_dquots, flush and retry */ ++ if (!list_empty(&dquot->dq_free)) { ++ spin_unlock(&dq_list_lock); ++ goto restart; ++ } ++ + atomic_inc(&dquot->dq_count); + spin_unlock(&dq_list_lock); + /* +@@ -772,6 +799,49 @@ static struct shrinker dqcache_shrinker = { + .seeks = DEFAULT_SEEKS, + }; + ++/* ++ * Safely release dquot and put reference to dquot. ++ */ ++static void quota_release_workfn(struct work_struct *work) ++{ ++ struct dquot *dquot; ++ struct list_head rls_head; ++ ++ spin_lock(&dq_list_lock); ++ /* Exchange the list head to avoid livelock. */ ++ list_replace_init(&releasing_dquots, &rls_head); ++ spin_unlock(&dq_list_lock); ++ ++restart: ++ synchronize_srcu(&dquot_srcu); ++ spin_lock(&dq_list_lock); ++ while (!list_empty(&rls_head)) { ++ dquot = list_first_entry(&rls_head, struct dquot, dq_free); ++ /* Dquot got used again? */ ++ if (atomic_read(&dquot->dq_count) > 1) { ++ remove_free_dquot(dquot); ++ atomic_dec(&dquot->dq_count); ++ continue; ++ } ++ if (dquot_dirty(dquot)) { ++ spin_unlock(&dq_list_lock); ++ /* Commit dquot before releasing */ ++ dquot_write_dquot(dquot); ++ goto restart; ++ } ++ if (dquot_active(dquot)) { ++ spin_unlock(&dq_list_lock); ++ dquot->dq_sb->dq_op->release_dquot(dquot); ++ goto restart; ++ } ++ /* Dquot is inactive and clean, now move it to free list */ ++ remove_free_dquot(dquot); ++ atomic_dec(&dquot->dq_count); ++ put_dquot_last(dquot); ++ } ++ spin_unlock(&dq_list_lock); ++} ++ + /* + * Put reference to dquot + */ +@@ -788,7 +858,7 @@ void dqput(struct dquot *dquot) + } + #endif + dqstats_inc(DQST_DROPS); +-we_slept: ++ + spin_lock(&dq_list_lock); + if (atomic_read(&dquot->dq_count) > 1) { + /* We have more than one user... 
nothing to do */ +@@ -800,25 +870,15 @@ void dqput(struct dquot *dquot) + spin_unlock(&dq_list_lock); + return; + } ++ + /* Need to release dquot? */ +- if (dquot_dirty(dquot)) { +- spin_unlock(&dq_list_lock); +- /* Commit dquot before releasing */ +- dquot_write_dquot(dquot); +- goto we_slept; +- } +- if (dquot_active(dquot)) { +- spin_unlock(&dq_list_lock); +- dquot->dq_sb->dq_op->release_dquot(dquot); +- goto we_slept; +- } +- atomic_dec(&dquot->dq_count); + #ifdef CONFIG_QUOTA_DEBUG + /* sanity check */ + BUG_ON(!list_empty(&dquot->dq_free)); + #endif +- put_dquot_last(dquot); ++ put_releasing_dquots(dquot); + spin_unlock(&dq_list_lock); ++ queue_delayed_work(system_unbound_wq, "a_release_work, 1); + } + EXPORT_SYMBOL(dqput); + +-- +2.40.1 + diff --git a/queue-5.10/quota-rename-dquot_active-to-inode_quota_active.patch b/queue-5.10/quota-rename-dquot_active-to-inode_quota_active.patch new file mode 100644 index 00000000000..39a23de5936 --- /dev/null +++ b/queue-5.10/quota-rename-dquot_active-to-inode_quota_active.patch 
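Review bot: `remove_free_dquot()` now uses `dq_count` to tell apart the two lists that share `dq_free`, so the `remove_free_dquot(dquot); atomic_dec(&dquot->dq_count);` order in `quota_release_workfn()` is load-bearing, and neither site says so. Swapping the two calls in the final branch would decrement `DQST_FREE_DQUOTS` for a dquot that was never counted there, and the statistic would drift. A comment above the new test would pin this down, e.g. `/* dq_count != 0: dquot is on releasing_dquots, which DQST_FREE_DQUOTS does not count */`. The new block comment on list management describes the shared `dq_free` head but not this accounting rule.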
@@ -0,0 +1,121 @@ +From eedd546c21cd8cef334d81c1737fd72bfac11232 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Jun 2023 19:08:19 +0800 +Subject: quota: rename dquot_active() to inode_quota_active() + +From: Baokun Li + +[ Upstream commit 4b9bdfa16535de8f49bf954aeed0f525ee2fc322 ] + +Now we have a helper function dquot_dirty() to determine if dquot has +DQ_MOD_B bit. dquot_active() can easily be misunderstood as a helper +function to determine if dquot has DQ_ACTIVE_B bit. So we avoid this by +renaming it to inode_quota_active() and later on we will add the helper +function dquot_active() to determine if dquot has DQ_ACTIVE_B bit. + +Signed-off-by: Baokun Li +Signed-off-by: Jan Kara +Message-Id: <20230630110822.3881712-3-libaokun1@huawei.com> +Stable-dep-of: dabc8b207566 ("quota: fix dqput() to follow the guarantees dquot_srcu should provide") +Signed-off-by: Sasha Levin +--- + fs/quota/dquot.c | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c +index de4bebdc6e773..bbe748bb9a0d5 100644 +--- a/fs/quota/dquot.c ++++ b/fs/quota/dquot.c +@@ -1420,7 +1420,7 @@ static int info_bdq_free(struct dquot *dquot, qsize_t space) + return QUOTA_NL_NOWARN; + } + +-static int dquot_active(const struct inode *inode) ++static int inode_quota_active(const struct inode *inode) + { + struct super_block *sb = inode->i_sb; + +@@ -1443,7 +1443,7 @@ static int __dquot_initialize(struct inode *inode, int type) + qsize_t rsv; + int ret = 0; + +- if (!dquot_active(inode)) ++ if (!inode_quota_active(inode)) + return 0; + + dquots = i_dquot(inode); +@@ -1551,7 +1551,7 @@ bool dquot_initialize_needed(struct inode *inode) + struct dquot **dquots; + int i; + +- if (!dquot_active(inode)) ++ if (!inode_quota_active(inode)) + return false; + + dquots = i_dquot(inode); +@@ -1662,7 +1662,7 @@ int __dquot_alloc_space(struct inode *inode, qsize_t number, int flags) + int reserve = flags & DQUOT_SPACE_RESERVE; + 
struct dquot **dquots; + +- if (!dquot_active(inode)) { ++ if (!inode_quota_active(inode)) { + if (reserve) { + spin_lock(&inode->i_lock); + *inode_reserved_space(inode) += number; +@@ -1732,7 +1732,7 @@ int dquot_alloc_inode(struct inode *inode) + struct dquot_warn warn[MAXQUOTAS]; + struct dquot * const *dquots; + +- if (!dquot_active(inode)) ++ if (!inode_quota_active(inode)) + return 0; + for (cnt = 0; cnt < MAXQUOTAS; cnt++) + warn[cnt].w_type = QUOTA_NL_NOWARN; +@@ -1775,7 +1775,7 @@ int dquot_claim_space_nodirty(struct inode *inode, qsize_t number) + struct dquot **dquots; + int cnt, index; + +- if (!dquot_active(inode)) { ++ if (!inode_quota_active(inode)) { + spin_lock(&inode->i_lock); + *inode_reserved_space(inode) -= number; + __inode_add_bytes(inode, number); +@@ -1817,7 +1817,7 @@ void dquot_reclaim_space_nodirty(struct inode *inode, qsize_t number) + struct dquot **dquots; + int cnt, index; + +- if (!dquot_active(inode)) { ++ if (!inode_quota_active(inode)) { + spin_lock(&inode->i_lock); + *inode_reserved_space(inode) += number; + __inode_sub_bytes(inode, number); +@@ -1861,7 +1861,7 @@ void __dquot_free_space(struct inode *inode, qsize_t number, int flags) + struct dquot **dquots; + int reserve = flags & DQUOT_SPACE_RESERVE, index; + +- if (!dquot_active(inode)) { ++ if (!inode_quota_active(inode)) { + if (reserve) { + spin_lock(&inode->i_lock); + *inode_reserved_space(inode) -= number; +@@ -1916,7 +1916,7 @@ void dquot_free_inode(struct inode *inode) + struct dquot * const *dquots; + int index; + +- if (!dquot_active(inode)) ++ if (!inode_quota_active(inode)) + return; + + dquots = i_dquot(inode); +@@ -2087,7 +2087,7 @@ int dquot_transfer(struct inode *inode, struct iattr *iattr) + struct super_block *sb = inode->i_sb; + int ret; + +- if (!dquot_active(inode)) ++ if (!inode_quota_active(inode)) + return 0; + + if (iattr->ia_valid & ATTR_UID && !uid_eq(iattr->ia_uid, inode->i_uid)){ +-- +2.40.1 + 
diff --git a/queue-5.10/rdma-siw-balance-the-reference-of-cep-kref-in-the-er.patch b/queue-5.10/rdma-siw-balance-the-reference-of-cep-kref-in-the-er.patch
new file mode 100644
index 00000000000..c822926b03f
--- /dev/null
+++ b/queue-5.10/rdma-siw-balance-the-reference-of-cep-kref-in-the-er.patch
@@ -0,0 +1,50 @@
+From 8368e26d4c9334ae52c7fe1302c7ff1717cdc11c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 21 Aug 2023 21:32:53 +0800
+Subject: RDMA/siw: Balance the reference of cep->kref in the error path
+
+From: Guoqing Jiang
+
+[ Upstream commit b056327bee09e6b86683d3f709a438ccd6031d72 ]
+
+The siw_connect can go to err in below after cep is allocated successfully:
+
+1. If siw_cm_alloc_work returns failure. In this case socket is not
+assoicated with cep so siw_cep_put can't be called by siw_socket_disassoc.
+We need to call siw_cep_put twice since cep->kref is increased once after
+it was initialized.
+
+2. If siw_cm_queue_work can't find a work, which means siw_cep_get is not
+called in siw_cm_queue_work, so cep->kref is increased twice by siw_cep_get
+and when associate socket with cep after it was initialized. So we need to
+call siw_cep_put three times (one in siw_socket_disassoc).
+
+3. siw_send_mpareqrep returns error, this scenario is similar as 2.
+
+So we need to remove one siw_cep_put in the error path.
+
+Fixes: 6c52fdc244b5 ("rdma/siw: connection management")
+Signed-off-by: Guoqing Jiang
+Link: https://lore.kernel.org/r/20230821133255.31111-2-guoqing.jiang@linux.dev
+Acked-by: Bernard Metzler
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Sasha Levin
+---
+ drivers/infiniband/sw/siw/siw_cm.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/infiniband/sw/siw/siw_cm.c b/drivers/infiniband/sw/siw/siw_cm.c
+index b87ba4c9fccf1..de5ab282ac748 100644
+--- a/drivers/infiniband/sw/siw/siw_cm.c
++++ b/drivers/infiniband/sw/siw/siw_cm.c
+@@ -1490,7 +1490,6 @@ int siw_connect(struct iw_cm_id *id, struct iw_cm_conn_param *params)
+
+ cep->cm_id = NULL;
+ id->rem_ref(id);
+- siw_cep_put(cep);
+
+ qp->cep = NULL;
+ siw_cep_put(cep);
+--
+2.40.1
+
diff --git a/queue-5.10/rdma-siw-correct-wrong-debug-message.patch b/queue-5.10/rdma-siw-correct-wrong-debug-message.patch
new file mode 100644
index 00000000000..81f539bf777
--- /dev/null
+++ b/queue-5.10/rdma-siw-correct-wrong-debug-message.patch
@@ -0,0 +1,38 @@
+From 73e6ee4de3c44f7f4b95a0470e409d1c282a869a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 21 Aug 2023 21:32:54 +0800
+Subject: RDMA/siw: Correct wrong debug message
+
+From: Guoqing Jiang
+
+[ Upstream commit bee024d20451e4ce04ea30099cad09f7f75d288b ]
+
+We need to print num_sle first then pbl->max_buf per the condition.
+Also replace mem->pbl with pbl while at it.
+
+Fixes: 303ae1cdfdf7 ("rdma/siw: application interface")
+Signed-off-by: Guoqing Jiang
+Link: https://lore.kernel.org/r/20230821133255.31111-3-guoqing.jiang@linux.dev
+Acked-by: Bernard Metzler
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Sasha Levin
+---
+ drivers/infiniband/sw/siw/siw_verbs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/sw/siw/siw_verbs.c b/drivers/infiniband/sw/siw/siw_verbs.c
+index d043793ff0f53..1d4e0dc550e42 100644
+--- a/drivers/infiniband/sw/siw/siw_verbs.c
++++ b/drivers/infiniband/sw/siw/siw_verbs.c
+@@ -1487,7 +1487,7 @@ int siw_map_mr_sg(struct ib_mr *base_mr, struct scatterlist *sl, int num_sle,
+
+ if (pbl->max_buf < num_sle) {
+ siw_dbg_mem(mem, "too many SGE's: %d > %d\n",
+- mem->pbl->max_buf, num_sle);
++ num_sle, pbl->max_buf);
+ return -ENOMEM;
+ }
+ for_each_sg(sl, slp, num_sle, i) {
+--
+2.40.1
+
diff --git a/queue-5.10/refscale-fix-uninitalized-use-of-wait_queue_head_t.patch b/queue-5.10/refscale-fix-uninitalized-use-of-wait_queue_head_t.patch
new file mode 100644
index 00000000000..3db4eed2841
--- /dev/null
+++ b/queue-5.10/refscale-fix-uninitalized-use-of-wait_queue_head_t.patch
@@ -0,0 +1,83 @@ +From 41c5fca3bc9bcf654e9409ee8099bc19986a3d9d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Jul 2023 13:53:55 -0400 +Subject: refscale: Fix uninitalized use of wait_queue_head_t + +From: Waiman Long + +[ Upstream commit f5063e8948dad7f31adb007284a5d5038ae31bb8 ] + +Running the refscale test occasionally crashes the kernel with the +following error: + +[ 8569.952896] BUG: unable to handle page fault for address: ffffffffffffffe8 +[ 8569.952900] #PF: supervisor read access in kernel mode +[ 8569.952902] #PF: error_code(0x0000) - not-present page +[ 8569.952904] PGD c4b048067 P4D c4b049067 PUD c4b04b067 PMD 0 +[ 8569.952910] Oops: 0000 [#1] PREEMPT_RT SMP NOPTI +[ 8569.952916] Hardware name: Dell Inc. PowerEdge R750/0WMWCR, BIOS 1.2.4 05/28/2021 +[ 8569.952917] RIP: 0010:prepare_to_wait_event+0x101/0x190 + : +[ 8569.952940] Call Trace: +[ 8569.952941] +[ 8569.952944] ref_scale_reader+0x380/0x4a0 [refscale] +[ 8569.952959] kthread+0x10e/0x130 +[ 8569.952966] ret_from_fork+0x1f/0x30 +[ 8569.952973] + +The likely cause is that init_waitqueue_head() is called after the call to +the torture_create_kthread() function that creates the ref_scale_reader +kthread. Although this init_waitqueue_head() call will very likely +complete before this kthread is created and starts running, it is +possible that the calling kthread will be delayed between the calls to +torture_create_kthread() and init_waitqueue_head(). In this case, the +new kthread will use the waitqueue head before it is properly initialized, +which is not good for the kernel's health and well-being. + +The above crash happened here: + + static inline void __add_wait_queue(...) + { + : + if (!(wq->flags & WQ_FLAG_PRIORITY)) <=== Crash here + +The offset of flags from list_head entry in wait_queue_entry is +-0x18. 
If reader_tasks[i].wq.head.next is NULL as allocated reader_task +structure is zero initialized, the instruction will try to access address +0xffffffffffffffe8, which is exactly the fault address listed above. + +This commit therefore invokes init_waitqueue_head() before creating +the kthread. + +Fixes: 653ed64b01dc ("refperf: Add a test to measure performance of read-side synchronization") +Signed-off-by: Waiman Long +Reviewed-by: Qiuxu Zhuo +Reviewed-by: Davidlohr Bueso +Acked-by: Joel Fernandes (Google) +Signed-off-by: Paul E. McKenney +Signed-off-by: Sasha Levin +--- + kernel/rcu/refscale.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/kernel/rcu/refscale.c b/kernel/rcu/refscale.c +index 4e419ca6d6114..dbd670376c42e 100644 +--- a/kernel/rcu/refscale.c ++++ b/kernel/rcu/refscale.c +@@ -692,12 +692,11 @@ ref_scale_init(void) + VERBOSE_SCALEOUT("Starting %d reader threads\n", nreaders); + + for (i = 0; i < nreaders; i++) { ++ init_waitqueue_head(&reader_tasks[i].wq); + firsterr = torture_create_kthread(ref_scale_reader, (void *)i, + reader_tasks[i].task); + if (firsterr) + goto unwind; +- +- init_waitqueue_head(&(reader_tasks[i].wq)); + } + + // Main Task +-- +2.40.1 + diff --git a/queue-5.10/regmap-rbtree-use-alloc_flags-for-memory-allocations.patch b/queue-5.10/regmap-rbtree-use-alloc_flags-for-memory-allocations.patch new file mode 100644 index 00000000000..80a1f34c525 --- /dev/null +++ b/queue-5.10/regmap-rbtree-use-alloc_flags-for-memory-allocations.patch 
@@ -0,0 +1,98 @@ +From e3e1dd3e651d11ac3881a96e3855b3baef667e9e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Jul 2023 17:55:33 +0300 +Subject: regmap: rbtree: Use alloc_flags for memory allocations + +From: Dan Carpenter + +[ Upstream commit 0c8b0bf42c8cef56f7cd9cd876fbb7ece9217064 ] + +The kunit tests discovered a sleeping in atomic bug. The allocations +in the regcache-rbtree code should use the map->alloc_flags instead of +GFP_KERNEL. + +[ 5.005510] BUG: sleeping function called from invalid context at include/linux/sched/mm.h:306 +[ 5.005960] in_atomic(): 1, irqs_disabled(): 128, non_block: 0, pid: 117, name: kunit_try_catch +[ 5.006219] preempt_count: 1, expected: 0 +[ 5.006414] 1 lock held by kunit_try_catch/117: +[ 5.006590] #0: 833b9010 (regmap_kunit:86:(config)->lock){....}-{2:2}, at: regmap_lock_spinlock+0x14/0x1c +[ 5.007493] irq event stamp: 162 +[ 5.007627] hardirqs last enabled at (161): [<80786738>] crng_make_state+0x1a0/0x294 +[ 5.007871] hardirqs last disabled at (162): [<80c531ec>] _raw_spin_lock_irqsave+0x7c/0x80 +[ 5.008119] softirqs last enabled at (0): [<801110ac>] copy_process+0x810/0x2138 +[ 5.008356] softirqs last disabled at (0): [<00000000>] 0x0 +[ 5.008688] CPU: 0 PID: 117 Comm: kunit_try_catch Tainted: G N 6.4.4-rc3-g0e8d2fdfb188 #1 +[ 5.009011] Hardware name: Generic DT based system +[ 5.009277] unwind_backtrace from show_stack+0x18/0x1c +[ 5.009497] show_stack from dump_stack_lvl+0x38/0x5c +[ 5.009676] dump_stack_lvl from __might_resched+0x188/0x2d0 +[ 5.009860] __might_resched from __kmem_cache_alloc_node+0x1dc/0x25c +[ 5.010061] __kmem_cache_alloc_node from kmalloc_trace+0x30/0xc8 +[ 5.010254] kmalloc_trace from regcache_rbtree_write+0x26c/0x468 +[ 5.010446] regcache_rbtree_write from _regmap_write+0x88/0x140 +[ 5.010634] _regmap_write from regmap_write+0x44/0x68 +[ 5.010803] regmap_write from basic_read_write+0x8c/0x270 +[ 5.010980] basic_read_write from kunit_try_run_case+0x48/0xa0 + +Fixes: 28644c809f44 ("regmap: 
Add the rbtree cache support") +Reported-by: Guenter Roeck +Closes: https://lore.kernel.org/all/ee59d128-413c-48ad-a3aa-d9d350c80042@roeck-us.net/ +Signed-off-by: Dan Carpenter +Tested-by: Guenter Roeck +Link: https://lore.kernel.org/r/58f12a07-5f4b-4a8f-ab84-0a42d1908cb9@moroto.mountain +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/base/regmap/regcache-rbtree.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/base/regmap/regcache-rbtree.c b/drivers/base/regmap/regcache-rbtree.c +index fabf87058d80b..ae6b8788d5f3f 100644 +--- a/drivers/base/regmap/regcache-rbtree.c ++++ b/drivers/base/regmap/regcache-rbtree.c +@@ -277,7 +277,7 @@ static int regcache_rbtree_insert_to_block(struct regmap *map, + + blk = krealloc(rbnode->block, + blklen * map->cache_word_size, +- GFP_KERNEL); ++ map->alloc_flags); + if (!blk) + return -ENOMEM; + +@@ -286,7 +286,7 @@ static int regcache_rbtree_insert_to_block(struct regmap *map, + if (BITS_TO_LONGS(blklen) > BITS_TO_LONGS(rbnode->blklen)) { + present = krealloc(rbnode->cache_present, + BITS_TO_LONGS(blklen) * sizeof(*present), +- GFP_KERNEL); ++ map->alloc_flags); + if (!present) + return -ENOMEM; + +@@ -320,7 +320,7 @@ regcache_rbtree_node_alloc(struct regmap *map, unsigned int reg) + const struct regmap_range *range; + int i; + +- rbnode = kzalloc(sizeof(*rbnode), GFP_KERNEL); ++ rbnode = kzalloc(sizeof(*rbnode), map->alloc_flags); + if (!rbnode) + return NULL; + +@@ -346,13 +346,13 @@ regcache_rbtree_node_alloc(struct regmap *map, unsigned int reg) + } + + rbnode->block = kmalloc_array(rbnode->blklen, map->cache_word_size, +- GFP_KERNEL); ++ map->alloc_flags); + if (!rbnode->block) + goto err_free; + + rbnode->cache_present = kcalloc(BITS_TO_LONGS(rbnode->blklen), + sizeof(*rbnode->cache_present), +- GFP_KERNEL); ++ map->alloc_flags); + if (!rbnode->cache_present) + goto err_free_block; + +-- +2.40.1 + 
diff --git a/queue-5.10/reiserfs-check-the-return-value-from-__getblk.patch b/queue-5.10/reiserfs-check-the-return-value-from-__getblk.patch
new file mode 100644
index 00000000000..a55d0e26e16
--- /dev/null
+++ b/queue-5.10/reiserfs-check-the-return-value-from-__getblk.patch
@@ -0,0 +1,49 @@
+From 06ee8d7afa2f296d21ebb950785c56458c07d0a1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 4 Jun 2023 12:16:06 +0100
+Subject: reiserfs: Check the return value from __getblk()
+
+From: Matthew Wilcox
+
+[ Upstream commit ba38980add7ffc9e674ada5b4ded4e7d14e76581 ]
+
+__getblk() can return a NULL pointer if we run out of memory or if we
+try to access beyond the end of the device; check it and handle it
+appropriately.
+
+Signed-off-by: Matthew Wilcox (Oracle)
+Link: https://lore.kernel.org/lkml/CAFcO6XOacq3hscbXevPQP7sXRoYFz34ZdKPYjmd6k5sZuhGFDw@mail.gmail.com/
+Tested-by: butt3rflyh4ck
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") # probably introduced in 2002
+Acked-by: Edward Shishkin
+Signed-off-by: Christian Brauner
+Signed-off-by: Sasha Levin
+---
+ fs/reiserfs/journal.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/fs/reiserfs/journal.c b/fs/reiserfs/journal.c
+index df5fc12a6ceed..cfa4defbd0401 100644
+--- a/fs/reiserfs/journal.c
++++ b/fs/reiserfs/journal.c
+@@ -2325,7 +2325,7 @@ static struct buffer_head *reiserfs_breada(struct block_device *dev,
+ int i, j;
+
+ bh = __getblk(dev, block, bufsize);
+- if (buffer_uptodate(bh))
++ if (!bh || buffer_uptodate(bh))
+ return (bh);
+
+ if (block + BUFNR > max_block) {
+@@ -2335,6 +2335,8 @@ static struct buffer_head *reiserfs_breada(struct block_device *dev,
+ j = 1;
+ for (i = 1; i < blocks; i++) {
+ bh = __getblk(dev, block + i, bufsize);
++ if (!bh)
++ break;
+ if (buffer_uptodate(bh)) {
+ brelse(bh);
+ break;
+--
+2.40.1
+
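Review bot: reiserfs_breada can now hand NULL back to its caller, because `if (!bh || buffer_uptodate(bh)) return (bh);` returns the failed `__getblk()` result unchanged, and nothing in the hunk documents that new contract. The callers are outside this hunk, so each one should be confirmed to test the pointer before use; a line in the function's header comment such as `/* Returns NULL if the first block cannot be obtained. */` would make the requirement visible. In the read-ahead loop the added `if (!bh) break;` shortens the batch silently, and a comment like `/* read-ahead is best effort: stop at the first block we cannot get */` would record that this is intended. The function body continues past both inner hunks.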
diff --git a/queue-5.10/revert-ib-isert-fix-incorrect-release-of-isert-conne.patch b/queue-5.10/revert-ib-isert-fix-incorrect-release-of-isert-conne.patch
new file mode 100644
index 00000000000..f3ef9aea761
--- /dev/null
+++ b/queue-5.10/revert-ib-isert-fix-incorrect-release-of-isert-conne.patch
@@ -0,0 +1,124 @@ +From 92773e8abb61d14b50bf8b8f66a116dbbb006e46 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Aug 2023 10:57:14 +0300 +Subject: Revert "IB/isert: Fix incorrect release of isert connection" + +From: Leon Romanovsky + +[ Upstream commit dfe261107c080709459c32695847eec96238852b ] + +Commit: 699826f4e30a ("IB/isert: Fix incorrect release of isert connection") is +causing problems on OPA when DEVICE_REMOVAL is happening. + + ------------[ cut here ]------------ + WARNING: CPU: 52 PID: 2117247 at drivers/infiniband/core/cq.c:359 +ib_cq_pool_cleanup+0xac/0xb0 [ib_core] + Modules linked in: nfsd nfs_acl target_core_user uio tcm_fc libfc +scsi_transport_fc tcm_loop target_core_pscsi target_core_iblock target_core_file +rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs +rfkill rpcrdma rdma_ucm ib_srpt sunrpc ib_isert iscsi_target_mod target_core_mod +opa_vnic ib_iser libiscsi ib_umad scsi_transport_iscsi rdma_cm ib_ipoib iw_cm +ib_cm hfi1(-) rdmavt ib_uverbs intel_rapl_msr intel_rapl_common sb_edac ib_core +x86_pkg_temp_thermal intel_powerclamp coretemp i2c_i801 mxm_wmi rapl iTCO_wdt +ipmi_si iTCO_vendor_support mei_me ipmi_devintf mei intel_cstate ioatdma +intel_uncore i2c_smbus joydev pcspkr lpc_ich ipmi_msghandler acpi_power_meter +acpi_pad xfs libcrc32c sr_mod sd_mod cdrom t10_pi sg crct10dif_pclmul +crc32_pclmul crc32c_intel drm_kms_helper drm_shmem_helper ahci libahci +ghash_clmulni_intel igb drm libata dca i2c_algo_bit wmi fuse + CPU: 52 PID: 2117247 Comm: modprobe Not tainted 6.5.0-rc1+ #1 + Hardware name: Intel Corporation S2600CWR/S2600CW, BIOS +SE5C610.86B.01.01.0014.121820151719 12/18/2015 + RIP: 0010:ib_cq_pool_cleanup+0xac/0xb0 [ib_core] + Code: ff 48 8b 43 40 48 8d 7b 40 48 83 e8 40 4c 39 e7 75 b3 49 83 +c4 10 4d 39 fc 75 94 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc <0f> 0b eb a1 +90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f + RSP: 0018:ffffc10bea13fc80 EFLAGS: 00010206 + RAX: 
000000000000010c RBX: ffff9bf5c7e66c00 RCX: 000000008020001d + RDX: 000000008020001e RSI: fffff175221f9900 RDI: ffff9bf5c7e67640 + RBP: ffff9bf5c7e67600 R08: ffff9bf5c7e64400 R09: 000000008020001d + R10: 0000000040000000 R11: 0000000000000000 R12: ffff9bee4b1e8a18 + R13: dead000000000122 R14: dead000000000100 R15: ffff9bee4b1e8a38 + FS: 00007ff1e6d38740(0000) GS:ffff9bfd9fb00000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 00005652044ecc68 CR3: 0000000889b5c005 CR4: 00000000001706e0 + Call Trace: + + ? __warn+0x80/0x130 + ? ib_cq_pool_cleanup+0xac/0xb0 [ib_core] + ? report_bug+0x195/0x1a0 + ? handle_bug+0x3c/0x70 + ? exc_invalid_op+0x14/0x70 + ? asm_exc_invalid_op+0x16/0x20 + ? ib_cq_pool_cleanup+0xac/0xb0 [ib_core] + disable_device+0x9d/0x160 [ib_core] + __ib_unregister_device+0x42/0xb0 [ib_core] + ib_unregister_device+0x22/0x30 [ib_core] + rvt_unregister_device+0x20/0x90 [rdmavt] + hfi1_unregister_ib_device+0x16/0xf0 [hfi1] + remove_one+0x55/0x1a0 [hfi1] + pci_device_remove+0x36/0xa0 + device_release_driver_internal+0x193/0x200 + driver_detach+0x44/0x90 + bus_remove_driver+0x69/0xf0 + pci_unregister_driver+0x2a/0xb0 + hfi1_mod_cleanup+0xc/0x3c [hfi1] + __do_sys_delete_module.constprop.0+0x17a/0x2f0 + ? exit_to_user_mode_prepare+0xc4/0xd0 + ? syscall_trace_enter.constprop.0+0x126/0x1a0 + do_syscall_64+0x5c/0x90 + ? syscall_exit_to_user_mode+0x12/0x30 + ? do_syscall_64+0x69/0x90 + ? syscall_exit_work+0x103/0x130 + ? syscall_exit_to_user_mode+0x12/0x30 + ? do_syscall_64+0x69/0x90 + ? 
exc_page_fault+0x65/0x150 + entry_SYSCALL_64_after_hwframe+0x6e/0xd8 + RIP: 0033:0x7ff1e643f5ab + Code: 73 01 c3 48 8b 0d 75 a8 1b 00 f7 d8 64 89 01 48 83 c8 ff c3 +66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 b0 00 00 00 0f 05 <48> 3d 01 f0 +ff ff 73 01 c3 48 8b 0d 45 a8 1b 00 f7 d8 64 89 01 48 + RSP: 002b:00007ffec9103cc8 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0 + RAX: ffffffffffffffda RBX: 00005615267fdc50 RCX: 00007ff1e643f5ab + RDX: 0000000000000000 RSI: 0000000000000800 RDI: 00005615267fdcb8 + RBP: 00005615267fdc50 R08: 0000000000000000 R09: 0000000000000000 + R10: 00007ff1e659eac0 R11: 0000000000000206 R12: 00005615267fdcb8 + R13: 0000000000000000 R14: 00005615267fdcb8 R15: 00007ffec9105ff8 + + ---[ end trace 0000000000000000 ]--- + +And... + + restrack: ------------[ cut here ]------------ + infiniband hfi1_0: BUG: RESTRACK detected leak of resources + restrack: Kernel PD object allocated by ib_isert is not freed + restrack: Kernel CQ object allocated by ib_core is not freed + restrack: Kernel QP object allocated by rdma_cm is not freed + restrack: ------------[ cut here ]------------ + +Fixes: 699826f4e30a ("IB/isert: Fix incorrect release of isert connection") +Reported-by: Dennis Dalessandro +Closes: https://lore.kernel.org/all/921cd1d9-2879-f455-1f50-0053fe6a6655@cornelisnetworks.com +Link: https://lore.kernel.org/r/a27982d3235005c58f6d321f3fad5eb6e1beaf9e.1692604607.git.leonro@nvidia.com +Tested-by: Dennis Dalessandro +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/ulp/isert/ib_isert.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/infiniband/ulp/isert/ib_isert.c b/drivers/infiniband/ulp/isert/ib_isert.c +index 7cd90604502ec..ed375f517e8ac 100644 +--- a/drivers/infiniband/ulp/isert/ib_isert.c ++++ b/drivers/infiniband/ulp/isert/ib_isert.c +@@ -2560,6 +2560,8 @@ static void isert_wait_conn(struct iscsi_conn *conn) + isert_put_unsol_pending_cmds(conn); + isert_wait4cmds(conn); + 
isert_wait4logout(isert_conn); ++ ++ queue_work(isert_release_wq, &isert_conn->release_work); + } + + static void isert_free_conn(struct iscsi_conn *conn) +-- +2.40.1 + diff --git a/queue-5.10/rpmsg-glink-add-check-for-kstrdup.patch b/queue-5.10/rpmsg-glink-add-check-for-kstrdup.patch new file mode 100644 index 00000000000..74f68edacad --- /dev/null +++ b/queue-5.10/rpmsg-glink-add-check-for-kstrdup.patch @@ -0,0 +1,39 @@ +From 85cec60df26312e184f66a41e97ad168938a2b36 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jun 2023 11:06:31 +0800 +Subject: rpmsg: glink: Add check for kstrdup + +From: Jiasheng Jiang + +[ Upstream commit b5c9ee8296a3760760c7b5d2e305f91412adc795 ] + +Add check for the return value of kstrdup() and return the error +if it fails in order to avoid NULL pointer dereference. + +Fixes: b4f8e52b89f6 ("rpmsg: Introduce Qualcomm RPM glink driver") +Signed-off-by: Jiasheng Jiang +Link: https://lore.kernel.org/r/20230619030631.12361-1-jiasheng@iscas.ac.cn +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/rpmsg/qcom_glink_native.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/rpmsg/qcom_glink_native.c b/drivers/rpmsg/qcom_glink_native.c +index 98b6d4c09c82c..e776d1bfc9767 100644 +--- a/drivers/rpmsg/qcom_glink_native.c ++++ b/drivers/rpmsg/qcom_glink_native.c +@@ -222,6 +222,10 @@ static struct glink_channel *qcom_glink_alloc_channel(struct qcom_glink *glink, + + channel->glink = glink; + channel->name = kstrdup(name, GFP_KERNEL); ++ if (!channel->name) { ++ kfree(channel); ++ return ERR_PTR(-ENOMEM); ++ } + + init_completion(&channel->open_req); + init_completion(&channel->open_ack); +-- +2.40.1 + diff --git a/queue-5.10/s390-paes-fix-pkey_type_ep11_aes-handling-for-secure.patch b/queue-5.10/s390-paes-fix-pkey_type_ep11_aes-handling-for-secure.patch new file mode 100644 index 00000000000..b7870de529d --- /dev/null +++ b/queue-5.10/s390-paes-fix-pkey_type_ep11_aes-handling-for-secure.patch 
@@ -0,0 +1,40 @@
+From 0d711c1de63bedaca4bef31a63a86f7fc1a9ae17 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 9 Aug 2023 14:23:45 +0200
+Subject: s390/paes: fix PKEY_TYPE_EP11_AES handling for secure keyblobs
+
+From: Holger Dengler
+
+[ Upstream commit cba33db3fc4dbf2e54294b0e499d2335a3a00d78 ]
+
+Commit 'fa6999e326fe ("s390/pkey: support CCA and EP11 secure ECC
+private keys")' introduced PKEY_TYPE_EP11_AES securekey blobs as a
+supplement to the PKEY_TYPE_EP11 (which won't work in environments
+with session-bound keys). This new keyblobs has a different maximum
+size, so fix paes crypto module to accept also these larger keyblobs.
+
+Fixes: fa6999e326fe ("s390/pkey: support CCA and EP11 secure ECC private keys")
+Signed-off-by: Holger Dengler
+Reviewed-by: Ingo Franzki
+Signed-off-by: Heiko Carstens
+Signed-off-by: Sasha Levin
+---
+ arch/s390/crypto/paes_s390.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/s390/crypto/paes_s390.c b/arch/s390/crypto/paes_s390.c
+index f3caeb17c85b9..a6727ad58d65a 100644
+--- a/arch/s390/crypto/paes_s390.c
++++ b/arch/s390/crypto/paes_s390.c
+@@ -34,7 +34,7 @@
+ * and padding is also possible, the limits need to be generous.
+ */
+ #define PAES_MIN_KEYSIZE 16
+-#define PAES_MAX_KEYSIZE 320
++#define PAES_MAX_KEYSIZE MAXEP11AESKEYBLOBSIZE
+
+ static u8 *ctrblk;
+ static DEFINE_MUTEX(ctrblk_lock);
+--
+2.40.1
+
diff --git a/queue-5.10/s390-pkey-fix-harmonize-internal-keyblob-headers.patch b/queue-5.10/s390-pkey-fix-harmonize-internal-keyblob-headers.patch
new file mode 100644
index 00000000000..c334c820516
--- /dev/null
+++ b/queue-5.10/s390-pkey-fix-harmonize-internal-keyblob-headers.patch
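Review bot: `#define PAES_MAX_KEYSIZE MAXEP11AESKEYBLOBSIZE` makes the upper bound for every key blob the paes module accepts depend on the size of one blob type, while the comment just above says the limits need to be generous because several formats and padding are possible. The constant is defined outside this hunk, so its value in this tree cannot be checked from here; if it is not larger than the old 320, the change does nothing or rejects keys that were accepted before. A compile-time guard next to the define, for instance `static_assert(PAES_MAX_KEYSIZE >= 320);`, together with a comment naming the largest blob type the limit must cover, would pin the intent. Any buffer sized with PAES_MAX_KEYSIZE elsewhere in the file changes with it and should be reviewed in the same pass.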
@@ -0,0 +1,89 @@ +From ca5be8e543b48eaacfc63f612c92e630fa4df422 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Jul 2023 11:33:45 +0200 +Subject: s390/pkey: fix/harmonize internal keyblob headers + +From: Holger Dengler + +[ Upstream commit 37a08f010b7c423b5e4c9ed3b187d21166553007 ] + +Commit 'fa6999e326fe ("s390/pkey: support CCA and EP11 secure ECC +private keys")' introduced PKEY_TYPE_EP11_AES as a supplement to +PKEY_TYPE_EP11. All pkeys have an internal header/payload structure, +which is opaque to the userspace. The header structures for +PKEY_TYPE_EP11 and PKEY_TYPE_EP11_AES are nearly identical and there +is no reason, why different structures are used. In preparation to fix +the keyversion handling in the broken PKEY IOCTLs, the same header +structure is used for PKEY_TYPE_EP11 and PKEY_TYPE_EP11_AES. This +reduces the number of different code paths and increases the +readability. + +Fixes: fa6999e326fe ("s390/pkey: support CCA and EP11 secure ECC private keys") +Signed-off-by: Holger Dengler +Reviewed-by: Ingo Franzki +Signed-off-by: Heiko Carstens +Signed-off-by: Sasha Levin +--- + drivers/s390/crypto/pkey_api.c | 2 +- + drivers/s390/crypto/zcrypt_ep11misc.c | 4 ++-- + drivers/s390/crypto/zcrypt_ep11misc.h | 9 +-------- + 3 files changed, 4 insertions(+), 11 deletions(-) + +diff --git a/drivers/s390/crypto/pkey_api.c b/drivers/s390/crypto/pkey_api.c +index 870e00effe439..69882ff4db107 100644 +--- a/drivers/s390/crypto/pkey_api.c ++++ b/drivers/s390/crypto/pkey_api.c +@@ -735,7 +735,7 @@ static int pkey_verifykey2(const u8 *key, size_t keylen, + if (ktype) + *ktype = PKEY_TYPE_EP11; + if (ksize) +- *ksize = kb->head.keybitlen; ++ *ksize = kb->head.bitlen; + + rc = ep11_findcard2(&_apqns, &_nr_apqns, *cardnr, *domain, + ZCRYPT_CEX7, EP11_API_V, kb->wkvp); +diff --git a/drivers/s390/crypto/zcrypt_ep11misc.c b/drivers/s390/crypto/zcrypt_ep11misc.c +index 9ce5a71da69b8..3daf259ba10e7 100644 +--- a/drivers/s390/crypto/zcrypt_ep11misc.c ++++ 
b/drivers/s390/crypto/zcrypt_ep11misc.c +@@ -788,7 +788,7 @@ int ep11_genaeskey(u16 card, u16 domain, u32 keybitsize, u32 keygenflags, + kb->head.type = TOKTYPE_NON_CCA; + kb->head.len = rep_pl->data_len; + kb->head.version = TOKVER_EP11_AES; +- kb->head.keybitlen = keybitsize; ++ kb->head.bitlen = keybitsize; + + out: + kfree(req); +@@ -1056,7 +1056,7 @@ static int ep11_unwrapkey(u16 card, u16 domain, + kb->head.type = TOKTYPE_NON_CCA; + kb->head.len = rep_pl->data_len; + kb->head.version = TOKVER_EP11_AES; +- kb->head.keybitlen = keybitsize; ++ kb->head.bitlen = keybitsize; + + out: + kfree(req); +diff --git a/drivers/s390/crypto/zcrypt_ep11misc.h b/drivers/s390/crypto/zcrypt_ep11misc.h +index 1e02b197c0035..d424fa901f1b0 100644 +--- a/drivers/s390/crypto/zcrypt_ep11misc.h ++++ b/drivers/s390/crypto/zcrypt_ep11misc.h +@@ -29,14 +29,7 @@ struct ep11keyblob { + union { + u8 session[32]; + /* only used for PKEY_TYPE_EP11: */ +- struct { +- u8 type; /* 0x00 (TOKTYPE_NON_CCA) */ +- u8 res0; /* unused */ +- u16 len; /* total length in bytes of this blob */ +- u8 version; /* 0x03 (TOKVER_EP11_AES) */ +- u8 res1; /* unused */ +- u16 keybitlen; /* clear key bit len, 0 for unknown */ +- } head; ++ struct ep11kblob_header head; + }; + u8 wkvp[16]; /* wrapping key verification pattern */ + u64 attr; /* boolean key attributes */ +-- +2.40.1 + diff --git a/queue-5.10/samples-bpf-fix-broken-map-lookup-probe.patch b/queue-5.10/samples-bpf-fix-broken-map-lookup-probe.patch new file mode 100644 index 00000000000..dc65aa2c8c5 --- /dev/null +++ b/queue-5.10/samples-bpf-fix-broken-map-lookup-probe.patch 
@@ -0,0 +1,71 @@
+From c05307f2137d148ac0c7d65abe196ffa3173a3fc Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 18 Aug 2023 18:01:17 +0900
+Subject: samples/bpf: fix broken map lookup probe
+
+From: Daniel T. Lee
+
+[ Upstream commit d93a7cf6ca2cfcd7de5d06f753ce8d5e863316ac ]
+
+In the commit 7c4cd051add3 ("bpf: Fix syscall's stackmap lookup
+potential deadlock"), a potential deadlock issue was addressed, which
+resulted in *_map_lookup_elem not triggering BPF programs.
+(prior to lookup, bpf_disable_instrumentation() is used)
+
+To resolve the broken map lookup probe using "htab_map_lookup_elem",
+this commit introduces an alternative approach. Instead, it utilize
+"bpf_map_copy_value" and apply a filter specifically for the hash table
+with map_type.
+
+Signed-off-by: Daniel T. Lee
+Fixes: 7c4cd051add3 ("bpf: Fix syscall's stackmap lookup potential deadlock")
+Link: https://lore.kernel.org/r/20230818090119.477441-8-danieltimlee@gmail.com
+Signed-off-by: Alexei Starovoitov
+Signed-off-by: Sasha Levin
+---
+ samples/bpf/tracex6_kern.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/samples/bpf/tracex6_kern.c b/samples/bpf/tracex6_kern.c
+index acad5712d8b4f..fd602c2774b8b 100644
+--- a/samples/bpf/tracex6_kern.c
++++ b/samples/bpf/tracex6_kern.c
+@@ -2,6 +2,8 @@
+ #include
+ #include
+ #include
++#include
++#include
+
+ struct {
+ __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
+@@ -45,13 +47,24 @@ int bpf_prog1(struct pt_regs *ctx)
+ return 0;
+ }
+
+-SEC("kprobe/htab_map_lookup_elem")
+-int bpf_prog2(struct pt_regs *ctx)
++/*
++ * Since *_map_lookup_elem can't be expected to trigger bpf programs
++ * due to potential deadlocks (bpf_disable_instrumentation), this bpf
++ * program will be attached to bpf_map_copy_value (which is called
++ * from map_lookup_elem) and will only filter the hashtable type.
++ */
++SEC("kprobe/bpf_map_copy_value")
++int BPF_KPROBE(bpf_prog2, struct bpf_map *map)
+ {
+ u32 key = bpf_get_smp_processor_id();
+ struct bpf_perf_event_value *val, buf;
++ enum bpf_map_type type;
+ int error;
+
++ type = BPF_CORE_READ(map, map_type);
++ if (type != BPF_MAP_TYPE_HASH)
++ return 0;
++
+ error = bpf_perf_event_read_value(&counters, key, &buf, sizeof(buf));
+ if (error)
+ return 0;
+--
+2.40.1
+
diff --git a/queue-5.10/scsi-be2iscsi-add-length-check-when-parsing-nlattrs.patch b/queue-5.10/scsi-be2iscsi-add-length-check-when-parsing-nlattrs.patch
new file mode 100644
index 00000000000..e6c6e989c2d
--- /dev/null
+++ b/queue-5.10/scsi-be2iscsi-add-length-check-when-parsing-nlattrs.patch
@@ -0,0 +1,46 @@
+From f653442fa7d8ae8727819f7108734025aa751dd2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 23 Jul 2023 15:59:38 +0800
+Subject: scsi: be2iscsi: Add length check when parsing nlattrs
+
+From: Lin Ma
+
+[ Upstream commit ee0268f230f66cb472df3424f380ea668da2749a ]
+
+beiscsi_iface_set_param() parses nlattr with nla_for_each_attr and assumes
+every attributes can be viewed as struct iscsi_iface_param_info.
+
+This is not true because there is no any nla_policy to validate the
+attributes passed from the upper function iscsi_set_iface_params().
+
+Add the nla_len check before accessing the nlattr data and return EINVAL if
+the length check fails.
+
+Fixes: 0e43895ec1f4 ("[SCSI] be2iscsi: adding functionality to change network settings using iscsiadm")
+Signed-off-by: Lin Ma
+Link: https://lore.kernel.org/r/20230723075938.3713864-1-linma@zju.edu.cn
+Reviewed-by: Chris Leech
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/be2iscsi/be_iscsi.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/scsi/be2iscsi/be_iscsi.c b/drivers/scsi/be2iscsi/be_iscsi.c
+index c4881657a807b..e07052fb0ec32 100644
+--- a/drivers/scsi/be2iscsi/be_iscsi.c
++++ b/drivers/scsi/be2iscsi/be_iscsi.c
+@@ -450,6 +450,10 @@ int beiscsi_iface_set_param(struct Scsi_Host *shost,
+ }
+
+ nla_for_each_attr(attrib, data, dt_len, rm_len) {
++ /* ignore nla_type as it is never used */
++ if (nla_len(attrib) < sizeof(*iface_param))
++ return -EINVAL;
++
+ iface_param = nla_data(attrib);
+
+ if (iface_param->param_type != ISCSI_NET_PARAM)
+--
+2.40.1
+
diff --git a/queue-5.10/scsi-core-use-32-bit-hostnum-in-scsi_host_lookup.patch b/queue-5.10/scsi-core-use-32-bit-hostnum-in-scsi_host_lookup.patch
new file mode 100644
index 00000000000..4d0c1492504
--- /dev/null
+++ b/queue-5.10/scsi-core-use-32-bit-hostnum-in-scsi_host_lookup.patch
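Review bot: The added check `nla_len(attrib) < sizeof(*iface_param)` bounds only the fixed part of struct iscsi_iface_param_info, so any value bytes that follow the header are still read without a length check. The code that consumes the value is outside this hunk, so this is inferred, but the guard should also cover the payload, along the lines of `if (nla_len(attrib) < sizeof(*iface_param) + iface_param->len) return -EINVAL;` placed after `iface_param = nla_data(attrib);` (assuming the struct's len field carries the value length; confirm against the header). The comment `/* ignore nla_type as it is never used */` describes the attribute type, not the check below it; a second sentence saying that the attribute comes from user space with no nla_policy and must be at least one header long would explain why the test exists. The loop body continues outside the hunk.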
@@ -0,0 +1,61 @@
+From f45e2b4f98566ca980a2913ea4d35c0e10d98acf Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 14 Aug 2023 10:03:25 -0400
+Subject: scsi: core: Use 32-bit hostnum in scsi_host_lookup()
+
+From: Tony Battersby
+
+[ Upstream commit 62ec2092095b678ff89ce4ba51c2938cd1e8e630 ]
+
+Change scsi_host_lookup() hostnum argument type from unsigned short to
+unsigned int to match the type used everywhere else.
+
+Fixes: 6d49f63b415c ("[SCSI] Make host_no an unsigned int")
+Signed-off-by: Tony Battersby
+Link: https://lore.kernel.org/r/a02497e7-c12b-ef15-47fc-3f0a0b00ffce@cybernetics.com
+Reviewed-by: Bart Van Assche
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/hosts.c | 4 ++--
+ include/scsi/scsi_host.h | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c
+index 18321cf9db5d6..59eb6c2969860 100644
+--- a/drivers/scsi/hosts.c
++++ b/drivers/scsi/hosts.c
+@@ -522,7 +522,7 @@ EXPORT_SYMBOL(scsi_host_alloc);
+ static int __scsi_host_match(struct device *dev, const void *data)
+ {
+ struct Scsi_Host *p;
+- const unsigned short *hostnum = data;
++ const unsigned int *hostnum = data;
+
+ p = class_to_shost(dev);
+ return p->host_no == *hostnum;
+@@ -539,7 +539,7 @@ static int __scsi_host_match(struct device *dev, const void *data)
+ * that scsi_host_get() took. The put_device() below dropped
+ * the reference from class_find_device().
+ **/
+-struct Scsi_Host *scsi_host_lookup(unsigned short hostnum)
++struct Scsi_Host *scsi_host_lookup(unsigned int hostnum)
+ {
+ struct device *cdev;
+ struct Scsi_Host *shost = NULL;
+diff --git a/include/scsi/scsi_host.h b/include/scsi/scsi_host.h
+index 701f178b20aee..4a9f1e6e3aaca 100644
+--- a/include/scsi/scsi_host.h
++++ b/include/scsi/scsi_host.h
+@@ -745,7 +745,7 @@ extern void scsi_remove_host(struct Scsi_Host *);
+ extern struct Scsi_Host *scsi_host_get(struct Scsi_Host *);
+ extern int scsi_host_busy(struct Scsi_Host *shost);
+ extern void scsi_host_put(struct Scsi_Host *t);
+-extern struct Scsi_Host *scsi_host_lookup(unsigned short);
++extern struct Scsi_Host *scsi_host_lookup(unsigned int hostnum);
+ extern const char *scsi_host_state_name(enum scsi_host_state);
+ extern void scsi_host_complete_all_commands(struct Scsi_Host *shost,
+ int status);
+--
+2.40.1
+
diff --git a/queue-5.10/scsi-fcoe-fix-potential-deadlock-on-fip-ctlr_lock.patch b/queue-5.10/scsi-fcoe-fix-potential-deadlock-on-fip-ctlr_lock.patch
new file mode 100644
index 00000000000..4dafc717161
--- /dev/null
+++ b/queue-5.10/scsi-fcoe-fix-potential-deadlock-on-fip-ctlr_lock.patch
@@ -0,0 +1,156 @@ +From d46062ee758ddfcc0668b8470159bd90bea476d1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Aug 2023 07:47:08 +0000 +Subject: scsi: fcoe: Fix potential deadlock on &fip->ctlr_lock + +From: Chengfeng Ye + +[ Upstream commit 1a1975551943f681772720f639ff42fbaa746212 ] + +There is a long call chain that &fip->ctlr_lock is acquired by isr +fnic_isr_msix_wq_copy() under hard IRQ context. Thus other process context +code acquiring the lock should disable IRQ, otherwise deadlock could happen +if the IRQ preempts the execution while the lock is held in process context +on the same CPU. + +[ISR] +fnic_isr_msix_wq_copy() + -> fnic_wq_copy_cmpl_handler() + -> fnic_fcpio_cmpl_handler() + -> fnic_fcpio_flogi_reg_cmpl_handler() + -> fnic_flush_tx() + -> fnic_send_frame() + -> fcoe_ctlr_els_send() + -> spin_lock_bh(&fip->ctlr_lock) + +[Process Context] +1. fcoe_ctlr_timer_work() + -> fcoe_ctlr_flogi_send() + -> spin_lock_bh(&fip->ctlr_lock) + +2. fcoe_ctlr_recv_work() + -> fcoe_ctlr_recv_handler() + -> fcoe_ctlr_recv_els() + -> fcoe_ctlr_announce() + -> spin_lock_bh(&fip->ctlr_lock) + +3. fcoe_ctlr_recv_work() + -> fcoe_ctlr_recv_handler() + -> fcoe_ctlr_recv_els() + -> fcoe_ctlr_flogi_retry() + -> spin_lock_bh(&fip->ctlr_lock) + +4. -> fcoe_xmit() + -> fcoe_ctlr_els_send() + -> spin_lock_bh(&fip->ctlr_lock) + +spin_lock_bh() is not enough since fnic_isr_msix_wq_copy() is a +hardirq. + +These flaws were found by an experimental static analysis tool I am +developing for irq-related deadlock. + +The patch fix the potential deadlocks by spin_lock_irqsave() to disable +hard irq. + +Fixes: 794d98e77f59 ("[SCSI] libfcoe: retry rejected FLOGI to another FCF if possible") +Signed-off-by: Chengfeng Ye +Link: https://lore.kernel.org/r/20230817074708.7509-1-dg573847474@gmail.com +Reviewed-by: Davidlohr Bueso +Signed-off-by: Martin K. 
Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/fcoe/fcoe_ctlr.c | 20 ++++++++++++-------- + 1 file changed, 12 insertions(+), 8 deletions(-) + +diff --git a/drivers/scsi/fcoe/fcoe_ctlr.c b/drivers/scsi/fcoe/fcoe_ctlr.c +index bbc5d6b9be737..a2d60ad2a6835 100644 +--- a/drivers/scsi/fcoe/fcoe_ctlr.c ++++ b/drivers/scsi/fcoe/fcoe_ctlr.c +@@ -319,16 +319,17 @@ static void fcoe_ctlr_announce(struct fcoe_ctlr *fip) + { + struct fcoe_fcf *sel; + struct fcoe_fcf *fcf; ++ unsigned long flags; + + mutex_lock(&fip->ctlr_mutex); +- spin_lock_bh(&fip->ctlr_lock); ++ spin_lock_irqsave(&fip->ctlr_lock, flags); + + kfree_skb(fip->flogi_req); + fip->flogi_req = NULL; + list_for_each_entry(fcf, &fip->fcfs, list) + fcf->flogi_sent = 0; + +- spin_unlock_bh(&fip->ctlr_lock); ++ spin_unlock_irqrestore(&fip->ctlr_lock, flags); + sel = fip->sel_fcf; + + if (sel && ether_addr_equal(sel->fcf_mac, fip->dest_addr)) +@@ -699,6 +700,7 @@ int fcoe_ctlr_els_send(struct fcoe_ctlr *fip, struct fc_lport *lport, + { + struct fc_frame *fp; + struct fc_frame_header *fh; ++ unsigned long flags; + u16 old_xid; + u8 op; + u8 mac[ETH_ALEN]; +@@ -732,11 +734,11 @@ int fcoe_ctlr_els_send(struct fcoe_ctlr *fip, struct fc_lport *lport, + op = FIP_DT_FLOGI; + if (fip->mode == FIP_MODE_VN2VN) + break; +- spin_lock_bh(&fip->ctlr_lock); ++ spin_lock_irqsave(&fip->ctlr_lock, flags); + kfree_skb(fip->flogi_req); + fip->flogi_req = skb; + fip->flogi_req_send = 1; +- spin_unlock_bh(&fip->ctlr_lock); ++ spin_unlock_irqrestore(&fip->ctlr_lock, flags); + schedule_work(&fip->timer_work); + return -EINPROGRESS; + case ELS_FDISC: +@@ -1713,10 +1715,11 @@ static int fcoe_ctlr_flogi_send_locked(struct fcoe_ctlr *fip) + static int fcoe_ctlr_flogi_retry(struct fcoe_ctlr *fip) + { + struct fcoe_fcf *fcf; ++ unsigned long flags; + int error; + + mutex_lock(&fip->ctlr_mutex); +- spin_lock_bh(&fip->ctlr_lock); ++ spin_lock_irqsave(&fip->ctlr_lock, flags); + LIBFCOE_FIP_DBG(fip, "re-sending FLOGI - reselect\n"); + fcf = 
fcoe_ctlr_select(fip); + if (!fcf || fcf->flogi_sent) { +@@ -1727,7 +1730,7 @@ static int fcoe_ctlr_flogi_retry(struct fcoe_ctlr *fip) + fcoe_ctlr_solicit(fip, NULL); + error = fcoe_ctlr_flogi_send_locked(fip); + } +- spin_unlock_bh(&fip->ctlr_lock); ++ spin_unlock_irqrestore(&fip->ctlr_lock, flags); + mutex_unlock(&fip->ctlr_mutex); + return error; + } +@@ -1744,8 +1747,9 @@ static int fcoe_ctlr_flogi_retry(struct fcoe_ctlr *fip) + static void fcoe_ctlr_flogi_send(struct fcoe_ctlr *fip) + { + struct fcoe_fcf *fcf; ++ unsigned long flags; + +- spin_lock_bh(&fip->ctlr_lock); ++ spin_lock_irqsave(&fip->ctlr_lock, flags); + fcf = fip->sel_fcf; + if (!fcf || !fip->flogi_req_send) + goto unlock; +@@ -1772,7 +1776,7 @@ static void fcoe_ctlr_flogi_send(struct fcoe_ctlr *fip) + } else /* XXX */ + LIBFCOE_FIP_DBG(fip, "No FCF selected - defer send\n"); + unlock: +- spin_unlock_bh(&fip->ctlr_lock); ++ spin_unlock_irqrestore(&fip->ctlr_lock, flags); + } + + /** +-- +2.40.1 + diff --git a/queue-5.10/scsi-hisi_sas-fix-normally-completed-i-o-analysed-as.patch b/queue-5.10/scsi-hisi_sas-fix-normally-completed-i-o-analysed-as.patch new file mode 100644 index 00000000000..39a88b2f5fb --- /dev/null +++ b/queue-5.10/scsi-hisi_sas-fix-normally-completed-i-o-analysed-as.patch 
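Review bot: `kfree_skb(fip->flogi_req)` now runs with hard interrupts disabled in fcoe_ctlr_announce and fcoe_ctlr_els_send, because both take `spin_lock_irqsave(&fip->ctlr_lock, flags)` on the line before it, and kfree_skb() is not meant to be called in that state. Detaching the buffer under the lock and freeing it afterwards keeps the IRQ-safe locking this patch introduces: `old = fip->flogi_req;` before the pointer is overwritten inside the critical section, then `kfree_skb(old);` after `spin_unlock_irqrestore(&fip->ctlr_lock, flags);`; `dev_kfree_skb_irq()` in place is the alternative. fcoe_ctlr_flogi_retry and fcoe_ctlr_flogi_send call helpers under the same lock whose bodies are outside these hunks, so they should be checked for the same pattern.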
@@ -0,0 +1,90 @@
+From a068e5f3ebf44e8c22ffd9c6e724ef6a4b9b74bf Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 11 Jul 2023 11:14:58 +0800
+Subject: scsi: hisi_sas: Fix normally completed I/O analysed as failed
+
+From: Xingui Yang
+
+[ Upstream commit f5393a5602cacfda2014e0ff8220e5a7564e7cd1 ]
+
+The PIO read command has no response frame and the struct iu[1024] won't be
+filled. I/Os which are normally completed will be treated as failed in
+sas_ata_task_done() when iu contains abnormal dirty data.
+
+Consequently ending_fis should not be filled by iu when the response frame
+hasn't been written to memory.
+
+Fixes: d380f55503ed ("scsi: hisi_sas: Don't bother clearing status buffer IU in task prep")
+Signed-off-by: Xingui Yang
+Signed-off-by: Xiang Chen
+Link: https://lore.kernel.org/r/1689045300-44318-2-git-send-email-chenxiang66@hisilicon.com
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/hisi_sas/hisi_sas_v2_hw.c | 11 +++++++++--
+ drivers/scsi/hisi_sas/hisi_sas_v3_hw.c | 6 ++++--
+ 2 files changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/scsi/hisi_sas/hisi_sas_v2_hw.c b/drivers/scsi/hisi_sas/hisi_sas_v2_hw.c
+index 4bd26c7946328..f6e9114debd4d 100644
+--- a/drivers/scsi/hisi_sas/hisi_sas_v2_hw.c
++++ b/drivers/scsi/hisi_sas/hisi_sas_v2_hw.c
+@@ -2026,6 +2026,11 @@ static void slot_err_v2_hw(struct hisi_hba *hisi_hba,
+ u16 dma_tx_err_type = le16_to_cpu(err_record->dma_tx_err_type);
+ u16 sipc_rx_err_type = le16_to_cpu(err_record->sipc_rx_err_type);
+ u32 dma_rx_err_type = le32_to_cpu(err_record->dma_rx_err_type);
++ struct hisi_sas_complete_v2_hdr *complete_queue =
++ hisi_hba->complete_hdr[slot->cmplt_queue];
++ struct hisi_sas_complete_v2_hdr *complete_hdr =
++ &complete_queue[slot->cmplt_queue_slot];
++ u32 dw0 = le32_to_cpu(complete_hdr->dw0);
+ int error = -1;
+
+ if (err_phase == 1) {
+@@ -2310,7 +2315,8 @@ static void slot_err_v2_hw(struct hisi_hba *hisi_hba,
+ break;
+ }
+ }
+- hisi_sas_sata_done(task, slot);
++ if (dw0 & CMPLT_HDR_RSPNS_XFRD_MSK)
++ hisi_sas_sata_done(task, slot);
+ }
+ break;
+ default:
+@@ -2442,7 +2448,8 @@ static void slot_complete_v2_hw(struct hisi_hba *hisi_hba,
+ case SAS_PROTOCOL_SATA | SAS_PROTOCOL_STP:
+ {
+ ts->stat = SAS_SAM_STAT_GOOD;
+- hisi_sas_sata_done(task, slot);
++ if (dw0 & CMPLT_HDR_RSPNS_XFRD_MSK)
++ hisi_sas_sata_done(task, slot);
+ break;
+ }
+ default:
+diff --git a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
+index 0aea82a1205bd..0d21c64efa817 100644
+--- a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
++++ b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
+@@ -2175,7 +2175,8 @@ slot_err_v3_hw(struct hisi_hba *hisi_hba, struct sas_task *task,
+ ts->stat = SAS_OPEN_REJECT;
+ ts->open_rej_reason = SAS_OREJ_RSVD_RETRY;
+ }
+- hisi_sas_sata_done(task, slot);
++ if (dw0 & CMPLT_HDR_RSPNS_XFRD_MSK)
++ hisi_sas_sata_done(task, slot);
+ break;
+ case SAS_PROTOCOL_SMP:
+ ts->stat = SAS_SAM_STAT_CHECK_CONDITION;
+@@ -2301,7 +2302,8 @@ static void slot_complete_v3_hw(struct hisi_hba *hisi_hba,
+ case SAS_PROTOCOL_STP:
+ case SAS_PROTOCOL_SATA | SAS_PROTOCOL_STP:
+ ts->stat = SAS_SAM_STAT_GOOD;
+- hisi_sas_sata_done(task, slot);
++ if (dw0 & CMPLT_HDR_RSPNS_XFRD_MSK)
++ hisi_sas_sata_done(task, slot);
+ break;
+ default:
+ ts->stat = SAS_SAM_STAT_CHECK_CONDITION;
+--
+2.40.1
+
diff --git a/queue-5.10/scsi-hisi_sas-fix-warnings-detected-by-sparse.patch b/queue-5.10/scsi-hisi_sas-fix-warnings-detected-by-sparse.patch
new file mode 100644
index 00000000000..b80fee03952
--- /dev/null
+++ b/queue-5.10/scsi-hisi_sas-fix-warnings-detected-by-sparse.patch
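Review bot: The four guarded call sites (slot_err_v2_hw, slot_complete_v2_hw, slot_err_v3_hw, slot_complete_v3_hw) now skip hisi_sas_sata_done() when CMPLT_HDR_RSPNS_XFRD_MSK is clear, but nothing at those sites says what the task status buffer holds in that case. In the two slot_complete paths ts->stat is still set to SAS_SAM_STAT_GOOD, so a consumer that reads ending_fis on a good status would see whatever was there before; whether ts is zeroed earlier in these functions is outside the hunks and worth confirming. A short comment at each site would carry the reasoning over from the commit message, e.g. `/* no response frame (e.g. PIO read): iu is not written, leave ending_fis alone */`. In slot_complete_v2_hw the guard relies on a `dw0` local that is not declared in the hunk, so it presumably already exists in the function.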
@@ -0,0 +1,60 @@
+From 085e5497c9884dd9a1064a77ebd475c202f75307 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 15 May 2023 10:41:21 +0800
+Subject: scsi: hisi_sas: Fix warnings detected by sparse
+
+From: Xingui Yang
+
+[ Upstream commit c0328cc595124579328462fc45d7a29a084cf357 ]
+
+This patch fixes the following warning:
+
+drivers/scsi/hisi_sas/hisi_sas_v3_hw.c:2168:43: sparse: sparse: restricted __le32 degrades to integer
+
+Reported-by: kernel test robot
+Link: https://lore.kernel.org/oe-kbuild-all/202304161254.NztCVZIO-lkp@intel.com/
+Signed-off-by: Xingui Yang
+Signed-off-by: Xiang Chen
+Link: https://lore.kernel.org/r/1684118481-95908-4-git-send-email-chenxiang66@hisilicon.com
+Signed-off-by: Martin K. Petersen
+Stable-dep-of: f5393a5602ca ("scsi: hisi_sas: Fix normally completed I/O analysed as failed")
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/hisi_sas/hisi_sas_v3_hw.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
+index f3b53eb2cbefe..0aea82a1205bd 100644
+--- a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
++++ b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
+@@ -2135,6 +2135,7 @@ slot_err_v3_hw(struct hisi_hba *hisi_hba, struct sas_task *task,
+ u32 trans_tx_fail_type = le32_to_cpu(record->trans_tx_fail_type);
+ u16 sipc_rx_err_type = le16_to_cpu(record->sipc_rx_err_type);
+ u32 dw3 = le32_to_cpu(complete_hdr->dw3);
++ u32 dw0 = le32_to_cpu(complete_hdr->dw0);
+
+ switch (task->task_proto) {
+ case SAS_PROTOCOL_SSP:
+@@ -2144,8 +2145,8 @@ slot_err_v3_hw(struct hisi_hba *hisi_hba, struct sas_task *task,
+ * but I/O information has been written to the host memory, we examine
+ * response IU.
+ */
+- if (!(complete_hdr->dw0 & CMPLT_HDR_RSPNS_GOOD_MSK) &&
+- (complete_hdr->dw0 & CMPLT_HDR_RSPNS_XFRD_MSK))
++ if (!(dw0 & CMPLT_HDR_RSPNS_GOOD_MSK) &&
++ (dw0 & CMPLT_HDR_RSPNS_XFRD_MSK))
+ return false;
+
+ ts->residual = trans_tx_fail_type;
+@@ -2161,7 +2162,7 @@ slot_err_v3_hw(struct hisi_hba *hisi_hba, struct sas_task *task,
+ case SAS_PROTOCOL_SATA:
+ case SAS_PROTOCOL_STP:
+ case SAS_PROTOCOL_SATA | SAS_PROTOCOL_STP:
+- if ((complete_hdr->dw0 & CMPLT_HDR_RSPNS_XFRD_MSK) &&
++ if ((dw0 & CMPLT_HDR_RSPNS_XFRD_MSK) &&
+ (sipc_rx_err_type & RX_FIS_STATUS_ERR_MSK)) {
+ ts->stat = SAS_PROTO_RESPONSE;
+ } else if (dma_rx_err_type & RX_DATA_LEN_UNDERFLOW_MSK) {
+--
+2.40.1
+
diff --git a/queue-5.10/scsi-hisi_sas-modify-v3-hw-sata-completion-error-pro.patch b/queue-5.10/scsi-hisi_sas-modify-v3-hw-sata-completion-error-pro.patch
new file mode 100644
index 00000000000..0de26115097
--- /dev/null
+++ b/queue-5.10/scsi-hisi_sas-modify-v3-hw-sata-completion-error-pro.patch
@@ -0,0 +1,61 @@
+From e81c26b83854e2b0c278a22a61d5d5c674582de2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 15 Jul 2022 02:23:21 +0800
+Subject: scsi: hisi_sas: Modify v3 HW SATA completion error processing
+
+From: Xingui Yang
+
+[ Upstream commit 7e15334f5d256367fb4c77f4ee0003e1e3d9bf9d ]
+
+If the I/O completion response frame returned by the target device has been
+written to the host memory and the err bit in the status field of the
+received fis is 1, ts->stat should set to SAS_PROTO_RESPONSE, and this will
+let EH analyze and further determine cause of failure.
+
+Link: https://lore.kernel.org/r/1657823002-139010-5-git-send-email-john.garry@huawei.com
+Signed-off-by: Xingui Yang
+Signed-off-by: John Garry
+Signed-off-by: Martin K. Petersen
+Stable-dep-of: f5393a5602ca ("scsi: hisi_sas: Fix normally completed I/O analysed as failed")
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/hisi_sas/hisi_sas_v3_hw.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
+index 937e4ba46134e..f3b53eb2cbefe 100644
+--- a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
++++ b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
+@@ -467,6 +467,9 @@ struct hisi_sas_err_record_v3 {
+ #define RX_DATA_LEN_UNDERFLOW_OFF 6
+ #define RX_DATA_LEN_UNDERFLOW_MSK (1 << RX_DATA_LEN_UNDERFLOW_OFF)
+
++#define RX_FIS_STATUS_ERR_OFF 0
++#define RX_FIS_STATUS_ERR_MSK (1 << RX_FIS_STATUS_ERR_OFF)
++
+ #define HISI_SAS_COMMAND_ENTRIES_V3_HW 4096
+ #define HISI_SAS_MSI_COUNT_V3_HW 32
+
+@@ -2130,6 +2133,7 @@ slot_err_v3_hw(struct hisi_hba *hisi_hba, struct sas_task *task,
+ hisi_sas_status_buf_addr_mem(slot);
+ u32 dma_rx_err_type = le32_to_cpu(record->dma_rx_err_type);
+ u32 trans_tx_fail_type = le32_to_cpu(record->trans_tx_fail_type);
++ u16 sipc_rx_err_type = le16_to_cpu(record->sipc_rx_err_type);
+ u32 dw3 = le32_to_cpu(complete_hdr->dw3);
+
+ switch (task->task_proto) {
+@@ -2157,7 +2161,10 @@ slot_err_v3_hw(struct hisi_hba *hisi_hba, struct sas_task *task,
+ case SAS_PROTOCOL_SATA:
+ case SAS_PROTOCOL_STP:
+ case SAS_PROTOCOL_SATA | SAS_PROTOCOL_STP:
+- if (dma_rx_err_type & RX_DATA_LEN_UNDERFLOW_MSK) {
++ if ((complete_hdr->dw0 & CMPLT_HDR_RSPNS_XFRD_MSK) &&
++ (sipc_rx_err_type & RX_FIS_STATUS_ERR_MSK)) {
++ ts->stat = SAS_PROTO_RESPONSE;
++ } else if (dma_rx_err_type & RX_DATA_LEN_UNDERFLOW_MSK) {
+ ts->residual = trans_tx_fail_type;
+ ts->stat = SAS_DATA_UNDERRUN;
+ } else if (dw3 & CMPLT_HDR_IO_IN_TARGET_MSK) {
+--
+2.40.1
+
diff --git a/queue-5.10/scsi-hisi_sas-modify-v3-hw-ssp-underflow-error-proce.patch b/queue-5.10/scsi-hisi_sas-modify-v3-hw-ssp-underflow-error-proce.patch
new file mode 100644
index 00000000000..f93ad876dac
--- /dev/null
+++ b/queue-5.10/scsi-hisi_sas-modify-v3-hw-ssp-underflow-error-proce.patch
@@ -0,0 +1,113 @@
+From ed6544705a61c76b7fc56bddab806360d7f36a0c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 24 Feb 2022 19:51:29 +0800
+Subject: scsi: hisi_sas: Modify v3 HW SSP underflow error processing
+
+From: Xingui Yang
+
+[ Upstream commit 62413199cd6d2906c121c2dfa3d7b82fd05f08db ]
+
+In case of SSP underflow allow the response frame IU to be examined for
+setting the response stat value rather than always setting
+SAS_DATA_UNDERRUN.
+
+This will mean that we call sas_ssp_task_response() in those scenarios and
+may send sense data to upper layer.
+
+Such a condition would be for bad blocks were we just reporting an
+underflow error to upper layer, but now the sense data will tell
+immediately that the media is faulty.
+
+Link: https://lore.kernel.org/r/1645703489-87194-7-git-send-email-john.garry@huawei.com
+Signed-off-by: Xingui Yang
+Signed-off-by: Qi Liu
+Signed-off-by: John Garry
+Signed-off-by: Martin K. Petersen
+Stable-dep-of: f5393a5602ca ("scsi: hisi_sas: Fix normally completed I/O analysed as failed")
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/hisi_sas/hisi_sas_v3_hw.c | 39 +++++++++++++++++---------
+ 1 file changed, 26 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
+index 59ac0f8e6d5c3..937e4ba46134e 100644
+--- a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
++++ b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
+@@ -392,6 +392,8 @@
+ #define CMPLT_HDR_ERROR_PHASE_MSK (0xff << CMPLT_HDR_ERROR_PHASE_OFF)
+ #define CMPLT_HDR_RSPNS_XFRD_OFF 10
+ #define CMPLT_HDR_RSPNS_XFRD_MSK (0x1 << CMPLT_HDR_RSPNS_XFRD_OFF)
++#define CMPLT_HDR_RSPNS_GOOD_OFF 11
++#define CMPLT_HDR_RSPNS_GOOD_MSK (0x1 << CMPLT_HDR_RSPNS_GOOD_OFF)
+ #define CMPLT_HDR_ERX_OFF 12
+ #define CMPLT_HDR_ERX_MSK (0x1 << CMPLT_HDR_ERX_OFF)
+ #define CMPLT_HDR_ABORT_STAT_OFF 13
+@@ -2115,7 +2117,7 @@ static irqreturn_t fatal_axi_int_v3_hw(int irq_no, void *p)
+ return IRQ_HANDLED;
+ }
+
+-static void
++static bool
+ slot_err_v3_hw(struct hisi_hba *hisi_hba, struct sas_task *task,
+ struct hisi_sas_slot *slot)
+ {
+@@ -2133,6 +2135,15 @@ slot_err_v3_hw(struct hisi_hba *hisi_hba, struct sas_task *task,
+ switch (task->task_proto) {
+ case SAS_PROTOCOL_SSP:
+ if (dma_rx_err_type & RX_DATA_LEN_UNDERFLOW_MSK) {
++ /*
++ * If returned response frame is incorrect because of data underflow,
++ * but I/O information has been written to the host memory, we examine
++ * response IU.
++ */
++ if (!(complete_hdr->dw0 & CMPLT_HDR_RSPNS_GOOD_MSK) &&
++ (complete_hdr->dw0 & CMPLT_HDR_RSPNS_XFRD_MSK))
++ return false;
++
+ ts->residual = trans_tx_fail_type;
+ ts->stat = SAS_DATA_UNDERRUN;
+ } else if (dw3 & CMPLT_HDR_IO_IN_TARGET_MSK) {
+@@ -2164,6 +2175,7 @@ slot_err_v3_hw(struct hisi_hba *hisi_hba, struct sas_task *task,
+ default:
+ break;
+ }
++ return true;
+ }
+
+ static void slot_complete_v3_hw(struct hisi_hba *hisi_hba,
+@@ -2238,19 +2250,20 @@ static void slot_complete_v3_hw(struct hisi_hba *hisi_hba,
+ if ((dw0 & CMPLT_HDR_CMPLT_MSK) == 0x3) {
+ u32 *error_info = hisi_sas_status_buf_addr_mem(slot);
+
+- slot_err_v3_hw(hisi_hba, task, slot);
+- if (ts->stat != SAS_DATA_UNDERRUN)
+- dev_info(dev, "erroneous completion iptt=%d task=%pK dev id=%d addr=%016llx CQ hdr: 0x%x 0x%x 0x%x 0x%x Error info: 0x%x 0x%x 0x%x 0x%x\n",
+- slot->idx, task, sas_dev->device_id,
+- SAS_ADDR(device->sas_addr),
+- dw0, dw1, complete_hdr->act, dw3,
+- error_info[0], error_info[1],
+- error_info[2], error_info[3]);
+- if (unlikely(slot->abort)) {
+- sas_task_abort(task);
+- return;
++ if (slot_err_v3_hw(hisi_hba, task, slot)) {
++ if (ts->stat != SAS_DATA_UNDERRUN)
++ dev_info(dev, "erroneous completion iptt=%d task=%pK dev id=%d addr=%016llx CQ hdr: 0x%x 0x%x 0x%x 0x%x Error info: 0x%x 0x%x 0x%x 0x%x\n",
++ slot->idx, task, sas_dev->device_id,
++ SAS_ADDR(device->sas_addr),
++ dw0, dw1, complete_hdr->act, dw3,
++ error_info[0], error_info[1],
++ error_info[2], error_info[3]);
++ if (unlikely(slot->abort)) {
++ sas_task_abort(task);
++ return;
++ }
++ goto out;
+ }
+- goto out;
+ }
+
+ switch (task->task_proto) {
+--
+2.40.1
+
diff --git a/queue-5.10/scsi-hisi_sas-print-sas-address-for-v3-hw-erroneous-.patch b/queue-5.10/scsi-hisi_sas-print-sas-address-for-v3-hw-erroneous-.patch
new file mode 100644
index 00000000000..208378773ce
--- /dev/null
+++ b/queue-5.10/scsi-hisi_sas-print-sas-address-for-v3-hw-erroneous-.patch
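Review bot: In slot_complete_v3_hw the `if (unlikely(slot->abort))` check now sits inside `if (slot_err_v3_hw(hisi_hba, task, slot))`, so when slot_err_v3_hw() returns false for an SSP underflow with a transferred response frame, both the abort check and the `goto out` are skipped and execution falls through to the protocol switch. Whether slot->abort is tested again later in the function is outside the hunk; if it is not, an aborted slot would be completed as a normal response on this path. The new bool return is also undocumented and reads inverted at first glance, so a comment above slot_err_v3_hw such as `/* Returns true if ts->stat was set from the error record, false if the caller should parse the response IU */` would help the next reader.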
@@ -0,0 +1,45 @@
+From 53c4c5d77d54cad0d779e2adc9feeeb74534f7c7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 6 Apr 2021 19:48:27 +0800
+Subject: scsi: hisi_sas: Print SAS address for v3 hw erroneous completion
+ print
+
+From: Luo Jiaxing
+
+[ Upstream commit 4da0b7f6fac331f2d2336df3ca88a335f545b4dc ]
+
+To help debugging efforts, print the device SAS address for v3 hw erroneous
+completion log.
+
+Here is an example print:
+
+hisi_sas_v3_hw 0000:b4:02.0: erroneous completion iptt=2193 task=000000002b0c13f8 dev id=17 addr=570fd45f9d17b001
+
+Link: https://lore.kernel.org/r/1617709711-195853-3-git-send-email-john.garry@huawei.com
+Signed-off-by: Luo Jiaxing
+Signed-off-by: John Garry
+Signed-off-by: Martin K. Petersen
+Stable-dep-of: f5393a5602ca ("scsi: hisi_sas: Fix normally completed I/O analysed as failed")
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/hisi_sas/hisi_sas_v3_hw.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
+index 65971bd80186b..e025855609336 100644
+--- a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
++++ b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
+@@ -2240,8 +2240,9 @@ static void slot_complete_v3_hw(struct hisi_hba *hisi_hba,
+
+ slot_err_v3_hw(hisi_hba, task, slot);
+ if (ts->stat != SAS_DATA_UNDERRUN)
+- dev_info(dev, "erroneous completion iptt=%d task=%pK dev id=%d CQ hdr: 0x%x 0x%x 0x%x 0x%x Error info: 0x%x 0x%x 0x%x 0x%x\n",
++ dev_info(dev, "erroneous completion iptt=%d task=%pK dev id=%d addr=%016llx CQ hdr: 0x%x 0x%x 0x%x 0x%x Error info: 0x%x 0x%x 0x%x 0x%x\n",
+ slot->idx, task, sas_dev->device_id,
++ SAS_ADDR(device->sas_addr),
+ dw0, dw1, complete_hdr->act, dw3,
+ error_info[0], error_info[1],
+ error_info[2], error_info[3]);
+--
+2.40.1
+
diff --git a/queue-5.10/scsi-iscsi-add-length-check-for-nlattr-payload.patch b/queue-5.10/scsi-iscsi-add-length-check-for-nlattr-payload.patch
new file mode 100644
index 00000000000..f7e99c50a7a
--- /dev/null
+++ b/queue-5.10/scsi-iscsi-add-length-check-for-nlattr-payload.patch
@@ -0,0 +1,306 @@ +From 641bcee880deb9d3684cd18318fcab9b2a003e09 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Jul 2023 10:45:29 +0800 +Subject: scsi: iscsi: Add length check for nlattr payload + +From: Lin Ma + +[ Upstream commit 971dfcb74a800047952f5288512b9c7ddedb050a ] + +The current NETLINK_ISCSI netlink parsing loop checks every nlmsg to make +sure the length is bigger than sizeof(struct iscsi_uevent) and then calls +iscsi_if_recv_msg(). + + nlh = nlmsg_hdr(skb); + if (nlh->nlmsg_len < sizeof(*nlh) + sizeof(*ev) || + skb->len < nlh->nlmsg_len) { + break; + } + ... + err = iscsi_if_recv_msg(skb, nlh, &group); + +Hence, in iscsi_if_recv_msg() the nlmsg_data can be safely converted to +iscsi_uevent as the length is already checked. + +However, in other cases the length of nlattr payload is not checked before +the payload is converted to other data structures. One example is +iscsi_set_path() which converts the payload to type iscsi_path without any +checks: + + params = (struct iscsi_path *)((char *)ev + sizeof(*ev)); + +Whereas iscsi_if_transport_conn() correctly checks the pdu_len: + + pdu_len = nlh->nlmsg_len - sizeof(*nlh) - sizeof(*ev); + if ((ev->u.send_pdu.hdr_size > pdu_len) .. + err = -EINVAL; + +To sum up, some code paths called in iscsi_if_recv_msg() do not check the +length of the data (see below picture) and directly convert the data to +another data structure. This could result in an out-of-bound reads and heap +dirty data leakage. + + _________ nlmsg_len(nlh) _______________ + / \ ++----------+--------------+---------------------------+ +| nlmsghdr | iscsi_uevent | data | ++----------+--------------+---------------------------+ + \ / + iscsi_uevent->u.set_param.len + +Fix the issue by adding the length check before accessing it. To clean up +the code, an additional parameter named rlen is added. The rlen is +calculated at the beginning of iscsi_if_recv_msg() which avoids duplicated +calculation. 
+ +Fixes: ac20c7bf070d ("[SCSI] iscsi_transport: Added Ping support") +Fixes: 43514774ff40 ("[SCSI] iscsi class: Add new NETLINK_ISCSI messages for cnic/bnx2i driver.") +Fixes: 1d9bf13a9cf9 ("[SCSI] iscsi class: add iscsi host set param event") +Fixes: 01cb225dad8d ("[SCSI] iscsi: add target discvery event to transport class") +Fixes: 264faaaa1254 ("[SCSI] iscsi: add transport end point callbacks") +Fixes: fd7255f51a13 ("[SCSI] iscsi: add sysfs attrs for uspace sync up") +Signed-off-by: Lin Ma +Link: https://lore.kernel.org/r/20230725024529.428311-1-linma@zju.edu.cn +Reviewed-by: Chris Leech +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/scsi_transport_iscsi.c | 72 +++++++++++++++++------------ + 1 file changed, 43 insertions(+), 29 deletions(-) + +diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c +index a22bc594b2d4a..64bc403a4c285 100644 +--- a/drivers/scsi/scsi_transport_iscsi.c ++++ b/drivers/scsi/scsi_transport_iscsi.c +@@ -2991,14 +2991,15 @@ iscsi_if_destroy_conn(struct iscsi_transport *transport, struct iscsi_uevent *ev + } + + static int +-iscsi_if_set_param(struct iscsi_transport *transport, struct iscsi_uevent *ev) ++iscsi_if_set_param(struct iscsi_transport *transport, struct iscsi_uevent *ev, u32 rlen) + { + char *data = (char*)ev + sizeof(*ev); + struct iscsi_cls_conn *conn; + struct iscsi_cls_session *session; + int err = 0, value = 0, state; + +- if (ev->u.set_param.len > PAGE_SIZE) ++ if (ev->u.set_param.len > rlen || ++ ev->u.set_param.len > PAGE_SIZE) + return -EINVAL; + + session = iscsi_session_lookup(ev->u.set_param.sid); +@@ -3095,7 +3096,7 @@ static int iscsi_if_ep_disconnect(struct iscsi_transport *transport, + + static int + iscsi_if_transport_ep(struct iscsi_transport *transport, +- struct iscsi_uevent *ev, int msg_type) ++ struct iscsi_uevent *ev, int msg_type, u32 rlen) + { + struct iscsi_endpoint *ep; + int rc = 0; +@@ -3103,7 +3104,10 @@ 
iscsi_if_transport_ep(struct iscsi_transport *transport, + switch (msg_type) { + case ISCSI_UEVENT_TRANSPORT_EP_CONNECT_THROUGH_HOST: + case ISCSI_UEVENT_TRANSPORT_EP_CONNECT: +- rc = iscsi_if_ep_connect(transport, ev, msg_type); ++ if (rlen < sizeof(struct sockaddr)) ++ rc = -EINVAL; ++ else ++ rc = iscsi_if_ep_connect(transport, ev, msg_type); + break; + case ISCSI_UEVENT_TRANSPORT_EP_POLL: + if (!transport->ep_poll) +@@ -3127,12 +3131,15 @@ iscsi_if_transport_ep(struct iscsi_transport *transport, + + static int + iscsi_tgt_dscvr(struct iscsi_transport *transport, +- struct iscsi_uevent *ev) ++ struct iscsi_uevent *ev, u32 rlen) + { + struct Scsi_Host *shost; + struct sockaddr *dst_addr; + int err; + ++ if (rlen < sizeof(*dst_addr)) ++ return -EINVAL; ++ + if (!transport->tgt_dscvr) + return -EINVAL; + +@@ -3153,7 +3160,7 @@ iscsi_tgt_dscvr(struct iscsi_transport *transport, + + static int + iscsi_set_host_param(struct iscsi_transport *transport, +- struct iscsi_uevent *ev) ++ struct iscsi_uevent *ev, u32 rlen) + { + char *data = (char*)ev + sizeof(*ev); + struct Scsi_Host *shost; +@@ -3162,7 +3169,8 @@ iscsi_set_host_param(struct iscsi_transport *transport, + if (!transport->set_host_param) + return -ENOSYS; + +- if (ev->u.set_host_param.len > PAGE_SIZE) ++ if (ev->u.set_host_param.len > rlen || ++ ev->u.set_host_param.len > PAGE_SIZE) + return -EINVAL; + + shost = scsi_host_lookup(ev->u.set_host_param.host_no); +@@ -3179,12 +3187,15 @@ iscsi_set_host_param(struct iscsi_transport *transport, + } + + static int +-iscsi_set_path(struct iscsi_transport *transport, struct iscsi_uevent *ev) ++iscsi_set_path(struct iscsi_transport *transport, struct iscsi_uevent *ev, u32 rlen) + { + struct Scsi_Host *shost; + struct iscsi_path *params; + int err; + ++ if (rlen < sizeof(*params)) ++ return -EINVAL; ++ + if (!transport->set_path) + return -ENOSYS; + +@@ -3244,12 +3255,15 @@ iscsi_set_iface_params(struct iscsi_transport *transport, + } + + static int 
+-iscsi_send_ping(struct iscsi_transport *transport, struct iscsi_uevent *ev) ++iscsi_send_ping(struct iscsi_transport *transport, struct iscsi_uevent *ev, u32 rlen) + { + struct Scsi_Host *shost; + struct sockaddr *dst_addr; + int err; + ++ if (rlen < sizeof(*dst_addr)) ++ return -EINVAL; ++ + if (!transport->send_ping) + return -ENOSYS; + +@@ -3747,13 +3761,12 @@ iscsi_get_host_stats(struct iscsi_transport *transport, struct nlmsghdr *nlh) + } + + static int iscsi_if_transport_conn(struct iscsi_transport *transport, +- struct nlmsghdr *nlh) ++ struct nlmsghdr *nlh, u32 pdu_len) + { + struct iscsi_uevent *ev = nlmsg_data(nlh); + struct iscsi_cls_session *session; + struct iscsi_cls_conn *conn = NULL; + struct iscsi_endpoint *ep; +- uint32_t pdu_len; + int err = 0; + + switch (nlh->nlmsg_type) { +@@ -3833,8 +3846,6 @@ static int iscsi_if_transport_conn(struct iscsi_transport *transport, + + break; + case ISCSI_UEVENT_SEND_PDU: +- pdu_len = nlh->nlmsg_len - sizeof(*nlh) - sizeof(*ev); +- + if ((ev->u.send_pdu.hdr_size > pdu_len) || + (ev->u.send_pdu.data_size > (pdu_len - ev->u.send_pdu.hdr_size))) { + err = -EINVAL; +@@ -3864,6 +3875,7 @@ iscsi_if_recv_msg(struct sk_buff *skb, struct nlmsghdr *nlh, uint32_t *group) + struct iscsi_internal *priv; + struct iscsi_cls_session *session; + struct iscsi_endpoint *ep = NULL; ++ u32 rlen; + + if (!netlink_capable(skb, CAP_SYS_ADMIN)) + return -EPERM; +@@ -3883,6 +3895,13 @@ iscsi_if_recv_msg(struct sk_buff *skb, struct nlmsghdr *nlh, uint32_t *group) + + portid = NETLINK_CB(skb).portid; + ++ /* ++ * Even though the remaining payload may not be regarded as nlattr, ++ * (like address or something else), calculate the remaining length ++ * here to ease following length checks. 
++ */ ++ rlen = nlmsg_attrlen(nlh, sizeof(*ev)); ++ + switch (nlh->nlmsg_type) { + case ISCSI_UEVENT_CREATE_SESSION: + err = iscsi_if_create_session(priv, ep, ev, +@@ -3940,7 +3959,7 @@ iscsi_if_recv_msg(struct sk_buff *skb, struct nlmsghdr *nlh, uint32_t *group) + err = -EINVAL; + break; + case ISCSI_UEVENT_SET_PARAM: +- err = iscsi_if_set_param(transport, ev); ++ err = iscsi_if_set_param(transport, ev, rlen); + break; + case ISCSI_UEVENT_CREATE_CONN: + case ISCSI_UEVENT_DESTROY_CONN: +@@ -3948,7 +3967,7 @@ iscsi_if_recv_msg(struct sk_buff *skb, struct nlmsghdr *nlh, uint32_t *group) + case ISCSI_UEVENT_START_CONN: + case ISCSI_UEVENT_BIND_CONN: + case ISCSI_UEVENT_SEND_PDU: +- err = iscsi_if_transport_conn(transport, nlh); ++ err = iscsi_if_transport_conn(transport, nlh, rlen); + break; + case ISCSI_UEVENT_GET_STATS: + err = iscsi_if_get_stats(transport, nlh); +@@ -3957,23 +3976,22 @@ iscsi_if_recv_msg(struct sk_buff *skb, struct nlmsghdr *nlh, uint32_t *group) + case ISCSI_UEVENT_TRANSPORT_EP_POLL: + case ISCSI_UEVENT_TRANSPORT_EP_DISCONNECT: + case ISCSI_UEVENT_TRANSPORT_EP_CONNECT_THROUGH_HOST: +- err = iscsi_if_transport_ep(transport, ev, nlh->nlmsg_type); ++ err = iscsi_if_transport_ep(transport, ev, nlh->nlmsg_type, rlen); + break; + case ISCSI_UEVENT_TGT_DSCVR: +- err = iscsi_tgt_dscvr(transport, ev); ++ err = iscsi_tgt_dscvr(transport, ev, rlen); + break; + case ISCSI_UEVENT_SET_HOST_PARAM: +- err = iscsi_set_host_param(transport, ev); ++ err = iscsi_set_host_param(transport, ev, rlen); + break; + case ISCSI_UEVENT_PATH_UPDATE: +- err = iscsi_set_path(transport, ev); ++ err = iscsi_set_path(transport, ev, rlen); + break; + case ISCSI_UEVENT_SET_IFACE_PARAMS: +- err = iscsi_set_iface_params(transport, ev, +- nlmsg_attrlen(nlh, sizeof(*ev))); ++ err = iscsi_set_iface_params(transport, ev, rlen); + break; + case ISCSI_UEVENT_PING: +- err = iscsi_send_ping(transport, ev); ++ err = iscsi_send_ping(transport, ev, rlen); + break; + case ISCSI_UEVENT_GET_CHAP: + 
err = iscsi_get_chap(transport, nlh); +@@ -3982,13 +4000,10 @@ iscsi_if_recv_msg(struct sk_buff *skb, struct nlmsghdr *nlh, uint32_t *group) + err = iscsi_delete_chap(transport, ev); + break; + case ISCSI_UEVENT_SET_FLASHNODE_PARAMS: +- err = iscsi_set_flashnode_param(transport, ev, +- nlmsg_attrlen(nlh, +- sizeof(*ev))); ++ err = iscsi_set_flashnode_param(transport, ev, rlen); + break; + case ISCSI_UEVENT_NEW_FLASHNODE: +- err = iscsi_new_flashnode(transport, ev, +- nlmsg_attrlen(nlh, sizeof(*ev))); ++ err = iscsi_new_flashnode(transport, ev, rlen); + break; + case ISCSI_UEVENT_DEL_FLASHNODE: + err = iscsi_del_flashnode(transport, ev); +@@ -4003,8 +4018,7 @@ iscsi_if_recv_msg(struct sk_buff *skb, struct nlmsghdr *nlh, uint32_t *group) + err = iscsi_logout_flashnode_sid(transport, ev); + break; + case ISCSI_UEVENT_SET_CHAP: +- err = iscsi_set_chap(transport, ev, +- nlmsg_attrlen(nlh, sizeof(*ev))); ++ err = iscsi_set_chap(transport, ev, rlen); + break; + case ISCSI_UEVENT_GET_HOST_STATS: + err = iscsi_get_host_stats(transport, nlh); +-- +2.40.1 + diff --git a/queue-5.10/scsi-iscsi-add-strlen-check-in-iscsi_if_set-_host-_p.patch b/queue-5.10/scsi-iscsi-add-strlen-check-in-iscsi_if_set-_host-_p.patch new file mode 100644 index 00000000000..1cf0b904da1 --- /dev/null +++ b/queue-5.10/scsi-iscsi-add-strlen-check-in-iscsi_if_set-_host-_p.patch 
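Review bot: The new minimum in iscsi_if_transport_ep(), iscsi_tgt_dscvr() and iscsi_send_ping() only guarantees `sizeof(struct sockaddr)` bytes of payload, which is smaller than an IPv6 address structure. If a transport's ep_connect, tgt_dscvr or send_ping callback interprets dst_addr by sa_family as a `struct sockaddr_in6` (not visible in these hunks), the read past the message that this patch targets is not fully closed for short payloads. Either require the family-specific size after reading sa_family, or pass rlen down so the callback can check; at minimum a comment such as `/* rlen covers only struct sockaddr; callbacks must not read past it */` would record the limit. Separately, `rlen` is a u32 assigned from nlmsg_attrlen(), which returns int, so a negative result would wrap to a large value and pass every `> rlen` and `rlen <` test; the caller's length check quoted in the commit message appears to prevent that, but only while sizeof(*ev) needs no netlink alignment padding.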
@@ -0,0 +1,79 @@
+From f4871a5867b3268951960c9756c62f86edf2c854 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 23 Jul 2023 15:58:20 +0800
+Subject: scsi: iscsi: Add strlen() check in iscsi_if_set{_host}_param()
+
+From: Lin Ma
+
+[ Upstream commit ce51c817008450ef4188471db31639d42d37a5e1 ]
+
+The functions iscsi_if_set_param() and iscsi_if_set_host_param() convert an
+nlattr payload to type char* and then call C string handling functions like
+sscanf and kstrdup:
+
+ char *data = (char*)ev + sizeof(*ev);
+ ...
+ sscanf(data, "%d", &value);
+
+However, since the nlattr is provided by the user-space program and the
+nlmsg skb is allocated with GFP_KERNEL instead of GFP_ZERO flag (see
+netlink_alloc_large_skb() in netlink_sendmsg()), dirty data on the heap can
+lead to an OOB access for those string handling functions.
+
+By investigating how the bug is introduced, we find it is really
+interesting as the old version parsing code starting from commit
+fd7255f51a13 ("[SCSI] iscsi: add sysfs attrs for uspace sync up") treated
+the nlattr as integer bytes instead of string and had length check in
+iscsi_copy_param():
+
+ if (ev->u.set_param.len != sizeof(uint32_t))
+ BUG();
+
+But, since the commit a54a52caad4b ("[SCSI] iscsi: fixup set/get param
+functions"), the code treated the nlattr as C string while forgetting to
+add any strlen checks(), opening the possibility of an OOB access.
+
+Fix the potential OOB by adding the strlen() check before accessing the
+buf. If the data passes this check, all low-level set_param handlers can
+safely treat this buf as legal C string.
+
+Fixes: fd7255f51a13 ("[SCSI] iscsi: add sysfs attrs for uspace sync up")
+Fixes: 1d9bf13a9cf9 ("[SCSI] iscsi class: add iscsi host set param event")
+Signed-off-by: Lin Ma
+Link: https://lore.kernel.org/r/20230723075820.3713119-1-linma@zju.edu.cn
+Reviewed-by: Chris Leech
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/scsi_transport_iscsi.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c
+index 64bc403a4c285..074cbd64aa253 100644
+--- a/drivers/scsi/scsi_transport_iscsi.c
++++ b/drivers/scsi/scsi_transport_iscsi.c
+@@ -3007,6 +3007,10 @@ iscsi_if_set_param(struct iscsi_transport *transport, struct iscsi_uevent *ev, u
+ if (!conn || !session)
+ return -EINVAL;
+
++ /* data will be regarded as NULL-ended string, do length check */
++ if (strlen(data) > ev->u.set_param.len)
++ return -EINVAL;
++
+ switch (ev->u.set_param.param) {
+ case ISCSI_PARAM_SESS_RECOVERY_TMO:
+ sscanf(data, "%d", &value);
+@@ -3180,6 +3184,10 @@ iscsi_set_host_param(struct iscsi_transport *transport,
+ return -ENODEV;
+ }
+
++ /* see similar check in iscsi_if_set_param() */
++ if (strlen(data) > ev->u.set_host_param.len)
++ return -EINVAL;
++
+ err = transport->set_host_param(shost, ev->u.set_host_param.param,
+ data, ev->u.set_host_param.len);
+ scsi_host_put(shost);
+--
+2.40.1
+
diff --git a/queue-5.10/scsi-iscsi-rename-iscsi_set_param-to-iscsi_if_set_pa.patch b/queue-5.10/scsi-iscsi-rename-iscsi_set_param-to-iscsi_if_set_pa.patch
new file mode 100644
index 00000000000..dc7923d5e4e
--- /dev/null
+++ b/queue-5.10/scsi-iscsi-rename-iscsi_set_param-to-iscsi_if_set_pa.patch
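Review bot: The early `return -EINVAL` added to iscsi_set_host_param() comes after the host lookup has succeeded and before `scsi_host_put(shost)`, so a rejected string leaks the host reference; the lookup itself is above this hunk and is visible as context in the length-check patch. Either drop the reference on that path, `if (strlen(data) > ev->u.set_host_param.len) { scsi_host_put(shost); return -EINVAL; }`, or move the check ahead of the lookup. In both functions `strlen(data)` is itself unbounded, so on a payload with no terminator it scans past the message before the comparison can reject it, and `>` accepts a string whose NUL sits at `data[len]`, one byte beyond the declared length. `strnlen(data, ev->u.set_param.len) >= ev->u.set_param.len` would bound the scan and require the terminator inside the payload, provided user space always counts the NUL in len, which should be confirmed before tightening.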
@@ -0,0 +1,50 @@
+From 0b5da1baa257ea2355dfc6163bccf9538beccf50 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 22 Nov 2022 18:11:05 +0000
+Subject: scsi: iscsi: Rename iscsi_set_param() to iscsi_if_set_param()
+
+From: Wenchao Hao
+
+[ Upstream commit 0c26a2d7c98039e913e63f9250fde738a3f88a60 ]
+
+There are two iscsi_set_param() functions defined in libiscsi.c and
+scsi_transport_iscsi.c respectively which is confusing.
+
+Rename the one in scsi_transport_iscsi.c to iscsi_if_set_param().
+
+Signed-off-by: Wenchao Hao
+Link: https://lore.kernel.org/r/20221122181105.4123935-1-haowenchao@huawei.com
+Reviewed-by: Mike Christie
+Reviewed-by: Lee Duncan
+Signed-off-by: Martin K. Petersen
+Stable-dep-of: 971dfcb74a80 ("scsi: iscsi: Add length check for nlattr payload")
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/scsi_transport_iscsi.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c
+index 092bd6a3d64a1..a22bc594b2d4a 100644
+--- a/drivers/scsi/scsi_transport_iscsi.c
++++ b/drivers/scsi/scsi_transport_iscsi.c
+@@ -2991,7 +2991,7 @@ iscsi_if_destroy_conn(struct iscsi_transport *transport, struct iscsi_uevent *ev
+ }
+
+ static int
+-iscsi_set_param(struct iscsi_transport *transport, struct iscsi_uevent *ev)
++iscsi_if_set_param(struct iscsi_transport *transport, struct iscsi_uevent *ev)
+ {
+ char *data = (char*)ev + sizeof(*ev);
+ struct iscsi_cls_conn *conn;
+@@ -3940,7 +3940,7 @@ iscsi_if_recv_msg(struct sk_buff *skb, struct nlmsghdr *nlh, uint32_t *group)
+ err = -EINVAL;
+ break;
+ case ISCSI_UEVENT_SET_PARAM:
+- err = iscsi_set_param(transport, ev);
++ err = iscsi_if_set_param(transport, ev);
+ break;
+ case ISCSI_UEVENT_CREATE_CONN:
+ case ISCSI_UEVENT_DESTROY_CONN:
+--
+2.40.1
+
diff --git a/queue-5.10/scsi-libsas-introduce-more-sam-status-code-aliases-i.patch b/queue-5.10/scsi-libsas-introduce-more-sam-status-code-aliases-i.patch
new file mode 100644
index 00000000000..129ebede565
--- /dev/null
+++ b/queue-5.10/scsi-libsas-introduce-more-sam-status-code-aliases-i.patch
@@ -0,0 +1,508 @@ +From d7045c3dbd7ec6d53196c04561dd0491eb701e3c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 23 May 2021 19:54:55 -0700 +Subject: scsi: libsas: Introduce more SAM status code aliases in enum + exec_status + +From: Bart Van Assche + +[ Upstream commit d377f415dddc18b33c88dcd41cfe4fe6d9db82fb ] + +This patch prepares for converting SAM status codes into an enum. Without +this patch converting SAM status codes into an enumeration type would +trigger complaints about enum type mismatches for the SAS code. + +Link: https://lore.kernel.org/r/20210524025457.11299-2-bvanassche@acm.org +Cc: Hannes Reinecke +Cc: Artur Paszkiewicz +Cc: Jason Yan +Reviewed-by: John Garry +Reviewed-by: Himanshu Madhani +Acked-by: Jack Wang +Signed-off-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Stable-dep-of: f5393a5602ca ("scsi: hisi_sas: Fix normally completed I/O analysed as failed") +Signed-off-by: Sasha Levin +--- + drivers/scsi/aic94xx/aic94xx_task.c | 2 +- + drivers/scsi/hisi_sas/hisi_sas_v1_hw.c | 8 ++++---- + drivers/scsi/hisi_sas/hisi_sas_v2_hw.c | 8 ++++---- + drivers/scsi/hisi_sas/hisi_sas_v3_hw.c | 8 ++++---- + drivers/scsi/isci/request.c | 10 +++++----- + drivers/scsi/isci/task.c | 2 +- + drivers/scsi/libsas/sas_ata.c | 7 ++++--- + drivers/scsi/libsas/sas_expander.c | 2 +- + drivers/scsi/libsas/sas_task.c | 4 ++-- + drivers/scsi/mvsas/mv_sas.c | 10 +++++----- + drivers/scsi/pm8001/pm8001_hwi.c | 16 ++++++++-------- + drivers/scsi/pm8001/pm8001_sas.c | 4 ++-- + drivers/scsi/pm8001/pm80xx_hwi.c | 14 +++++++------- + include/scsi/libsas.h | 12 +++++++++--- + 14 files changed, 57 insertions(+), 50 deletions(-) + +diff --git a/drivers/scsi/aic94xx/aic94xx_task.c b/drivers/scsi/aic94xx/aic94xx_task.c +index 593b167ceefee..2eb2885ee6e2f 100644 +--- a/drivers/scsi/aic94xx/aic94xx_task.c ++++ b/drivers/scsi/aic94xx/aic94xx_task.c +@@ -208,7 +208,7 @@ static void asd_task_tasklet_complete(struct asd_ascb *ascb, + switch (opcode) { + case TC_NO_ERROR: 
+ ts->resp = SAS_TASK_COMPLETE; +- ts->stat = SAM_STAT_GOOD; ++ ts->stat = SAS_SAM_STAT_GOOD; + break; + case TC_UNDERRUN: + ts->resp = SAS_TASK_COMPLETE; +diff --git a/drivers/scsi/hisi_sas/hisi_sas_v1_hw.c b/drivers/scsi/hisi_sas/hisi_sas_v1_hw.c +index 2c1028183b242..5b54cdd6b9767 100644 +--- a/drivers/scsi/hisi_sas/hisi_sas_v1_hw.c ++++ b/drivers/scsi/hisi_sas/hisi_sas_v1_hw.c +@@ -1152,14 +1152,14 @@ static void slot_err_v1_hw(struct hisi_hba *hisi_hba, + } + default: + { +- ts->stat = SAM_STAT_CHECK_CONDITION; ++ ts->stat = SAS_SAM_STAT_CHECK_CONDITION; + break; + } + } + } + break; + case SAS_PROTOCOL_SMP: +- ts->stat = SAM_STAT_CHECK_CONDITION; ++ ts->stat = SAS_SAM_STAT_CHECK_CONDITION; + break; + + case SAS_PROTOCOL_SATA: +@@ -1281,7 +1281,7 @@ static void slot_complete_v1_hw(struct hisi_hba *hisi_hba, + struct scatterlist *sg_resp = &task->smp_task.smp_resp; + void *to = page_address(sg_page(sg_resp)); + +- ts->stat = SAM_STAT_GOOD; ++ ts->stat = SAS_SAM_STAT_GOOD; + + dma_unmap_sg(dev, &task->smp_task.smp_req, 1, + DMA_TO_DEVICE); +@@ -1298,7 +1298,7 @@ static void slot_complete_v1_hw(struct hisi_hba *hisi_hba, + break; + + default: +- ts->stat = SAM_STAT_CHECK_CONDITION; ++ ts->stat = SAS_SAM_STAT_CHECK_CONDITION; + break; + } + +diff --git a/drivers/scsi/hisi_sas/hisi_sas_v2_hw.c b/drivers/scsi/hisi_sas/hisi_sas_v2_hw.c +index b75d54339e40c..4bd26c7946328 100644 +--- a/drivers/scsi/hisi_sas/hisi_sas_v2_hw.c ++++ b/drivers/scsi/hisi_sas/hisi_sas_v2_hw.c +@@ -2168,7 +2168,7 @@ static void slot_err_v2_hw(struct hisi_hba *hisi_hba, + } + break; + case SAS_PROTOCOL_SMP: +- ts->stat = SAM_STAT_CHECK_CONDITION; ++ ts->stat = SAS_SAM_STAT_CHECK_CONDITION; + break; + + case SAS_PROTOCOL_SATA: +@@ -2427,7 +2427,7 @@ static void slot_complete_v2_hw(struct hisi_hba *hisi_hba, + struct scatterlist *sg_resp = &task->smp_task.smp_resp; + void *to = page_address(sg_page(sg_resp)); + +- ts->stat = SAM_STAT_GOOD; ++ ts->stat = SAS_SAM_STAT_GOOD; + + dma_unmap_sg(dev, 
&task->smp_task.smp_req, 1, + DMA_TO_DEVICE); +@@ -2441,12 +2441,12 @@ static void slot_complete_v2_hw(struct hisi_hba *hisi_hba, + case SAS_PROTOCOL_STP: + case SAS_PROTOCOL_SATA | SAS_PROTOCOL_STP: + { +- ts->stat = SAM_STAT_GOOD; ++ ts->stat = SAS_SAM_STAT_GOOD; + hisi_sas_sata_done(task, slot); + break; + } + default: +- ts->stat = SAM_STAT_CHECK_CONDITION; ++ ts->stat = SAS_SAM_STAT_CHECK_CONDITION; + break; + } + +diff --git a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c +index e025855609336..59ac0f8e6d5c3 100644 +--- a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c ++++ b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c +@@ -2159,7 +2159,7 @@ slot_err_v3_hw(struct hisi_hba *hisi_hba, struct sas_task *task, + hisi_sas_sata_done(task, slot); + break; + case SAS_PROTOCOL_SMP: +- ts->stat = SAM_STAT_CHECK_CONDITION; ++ ts->stat = SAS_SAM_STAT_CHECK_CONDITION; + break; + default: + break; +@@ -2266,7 +2266,7 @@ static void slot_complete_v3_hw(struct hisi_hba *hisi_hba, + struct scatterlist *sg_resp = &task->smp_task.smp_resp; + void *to = page_address(sg_page(sg_resp)); + +- ts->stat = SAM_STAT_GOOD; ++ ts->stat = SAS_SAM_STAT_GOOD; + + dma_unmap_sg(dev, &task->smp_task.smp_req, 1, + DMA_TO_DEVICE); +@@ -2279,11 +2279,11 @@ static void slot_complete_v3_hw(struct hisi_hba *hisi_hba, + case SAS_PROTOCOL_SATA: + case SAS_PROTOCOL_STP: + case SAS_PROTOCOL_SATA | SAS_PROTOCOL_STP: +- ts->stat = SAM_STAT_GOOD; ++ ts->stat = SAS_SAM_STAT_GOOD; + hisi_sas_sata_done(task, slot); + break; + default: +- ts->stat = SAM_STAT_CHECK_CONDITION; ++ ts->stat = SAS_SAM_STAT_CHECK_CONDITION; + break; + } + +diff --git a/drivers/scsi/isci/request.c b/drivers/scsi/isci/request.c +index 6e0817941fa74..b6d68d871b6cb 100644 +--- a/drivers/scsi/isci/request.c ++++ b/drivers/scsi/isci/request.c +@@ -2574,7 +2574,7 @@ static void isci_request_handle_controller_specific_errors( + if (!idev) + *status_ptr = SAS_DEVICE_UNKNOWN; + else +- *status_ptr = SAM_STAT_TASK_ABORTED; ++ 
*status_ptr = SAS_SAM_STAT_TASK_ABORTED; + + clear_bit(IREQ_COMPLETE_IN_TARGET, &request->flags); + } +@@ -2704,7 +2704,7 @@ static void isci_request_handle_controller_specific_errors( + default: + /* Task in the target is not done. */ + *response_ptr = SAS_TASK_UNDELIVERED; +- *status_ptr = SAM_STAT_TASK_ABORTED; ++ *status_ptr = SAS_SAM_STAT_TASK_ABORTED; + + if (task->task_proto == SAS_PROTOCOL_SMP) + set_bit(IREQ_COMPLETE_IN_TARGET, &request->flags); +@@ -2727,7 +2727,7 @@ static void isci_process_stp_response(struct sas_task *task, struct dev_to_host_ + if (ac_err_mask(fis->status)) + ts->stat = SAS_PROTO_RESPONSE; + else +- ts->stat = SAM_STAT_GOOD; ++ ts->stat = SAS_SAM_STAT_GOOD; + + ts->resp = SAS_TASK_COMPLETE; + } +@@ -2790,7 +2790,7 @@ static void isci_request_io_request_complete(struct isci_host *ihost, + case SCI_IO_SUCCESS_IO_DONE_EARLY: + + response = SAS_TASK_COMPLETE; +- status = SAM_STAT_GOOD; ++ status = SAS_SAM_STAT_GOOD; + set_bit(IREQ_COMPLETE_IN_TARGET, &request->flags); + + if (completion_status == SCI_IO_SUCCESS_IO_DONE_EARLY) { +@@ -2860,7 +2860,7 @@ static void isci_request_io_request_complete(struct isci_host *ihost, + + /* Fail the I/O. 
*/ + response = SAS_TASK_UNDELIVERED; +- status = SAM_STAT_TASK_ABORTED; ++ status = SAS_SAM_STAT_TASK_ABORTED; + + clear_bit(IREQ_COMPLETE_IN_TARGET, &request->flags); + break; +diff --git a/drivers/scsi/isci/task.c b/drivers/scsi/isci/task.c +index 26fa1a4d1e6bf..1d1db40a1572c 100644 +--- a/drivers/scsi/isci/task.c ++++ b/drivers/scsi/isci/task.c +@@ -160,7 +160,7 @@ int isci_task_execute_task(struct sas_task *task, gfp_t gfp_flags) + + isci_task_refuse(ihost, task, + SAS_TASK_UNDELIVERED, +- SAM_STAT_TASK_ABORTED); ++ SAS_SAM_STAT_TASK_ABORTED); + } else { + task->task_state_flags |= SAS_TASK_AT_INITIATOR; + spin_unlock_irqrestore(&task->task_state_lock, flags); +diff --git a/drivers/scsi/libsas/sas_ata.c b/drivers/scsi/libsas/sas_ata.c +index a1a06a832d866..f92b889369c39 100644 +--- a/drivers/scsi/libsas/sas_ata.c ++++ b/drivers/scsi/libsas/sas_ata.c +@@ -122,9 +122,10 @@ static void sas_ata_task_done(struct sas_task *task) + } + } + +- if (stat->stat == SAS_PROTO_RESPONSE || stat->stat == SAM_STAT_GOOD || +- ((stat->stat == SAM_STAT_CHECK_CONDITION && +- dev->sata_dev.class == ATA_DEV_ATAPI))) { ++ if (stat->stat == SAS_PROTO_RESPONSE || ++ stat->stat == SAS_SAM_STAT_GOOD || ++ (stat->stat == SAS_SAM_STAT_CHECK_CONDITION && ++ dev->sata_dev.class == ATA_DEV_ATAPI)) { + memcpy(dev->sata_dev.fis, resp->ending_fis, ATA_RESP_FIS_SIZE); + + if (!link->sactive) { +diff --git a/drivers/scsi/libsas/sas_expander.c b/drivers/scsi/libsas/sas_expander.c +index 51485d0251f2d..8444a4287ac1c 100644 +--- a/drivers/scsi/libsas/sas_expander.c ++++ b/drivers/scsi/libsas/sas_expander.c +@@ -101,7 +101,7 @@ static int smp_execute_task_sg(struct domain_device *dev, + } + } + if (task->task_status.resp == SAS_TASK_COMPLETE && +- task->task_status.stat == SAM_STAT_GOOD) { ++ task->task_status.stat == SAS_SAM_STAT_GOOD) { + res = 0; + break; + } +diff --git a/drivers/scsi/libsas/sas_task.c b/drivers/scsi/libsas/sas_task.c +index e2d42593ce529..2966ead1d4217 100644 +--- 
a/drivers/scsi/libsas/sas_task.c ++++ b/drivers/scsi/libsas/sas_task.c +@@ -20,7 +20,7 @@ void sas_ssp_task_response(struct device *dev, struct sas_task *task, + else if (iu->datapres == 1) + tstat->stat = iu->resp_data[3]; + else if (iu->datapres == 2) { +- tstat->stat = SAM_STAT_CHECK_CONDITION; ++ tstat->stat = SAS_SAM_STAT_CHECK_CONDITION; + tstat->buf_valid_size = + min_t(int, SAS_STATUS_BUF_SIZE, + be32_to_cpu(iu->sense_data_len)); +@@ -32,7 +32,7 @@ void sas_ssp_task_response(struct device *dev, struct sas_task *task, + } + else + /* when datapres contains corrupt/unknown value... */ +- tstat->stat = SAM_STAT_CHECK_CONDITION; ++ tstat->stat = SAS_SAM_STAT_CHECK_CONDITION; + } + EXPORT_SYMBOL_GPL(sas_ssp_task_response); + +diff --git a/drivers/scsi/mvsas/mv_sas.c b/drivers/scsi/mvsas/mv_sas.c +index 484e01428da28..a2a13969c686e 100644 +--- a/drivers/scsi/mvsas/mv_sas.c ++++ b/drivers/scsi/mvsas/mv_sas.c +@@ -1314,7 +1314,7 @@ static int mvs_exec_internal_tmf_task(struct domain_device *dev, + } + + if (task->task_status.resp == SAS_TASK_COMPLETE && +- task->task_status.stat == SAM_STAT_GOOD) { ++ task->task_status.stat == SAS_SAM_STAT_GOOD) { + res = TMF_RESP_FUNC_COMPLETE; + break; + } +@@ -1764,7 +1764,7 @@ int mvs_slot_complete(struct mvs_info *mvi, u32 rx_desc, u32 flags) + case SAS_PROTOCOL_SSP: + /* hw says status == 0, datapres == 0 */ + if (rx_desc & RXQ_GOOD) { +- tstat->stat = SAM_STAT_GOOD; ++ tstat->stat = SAS_SAM_STAT_GOOD; + tstat->resp = SAS_TASK_COMPLETE; + } + /* response frame present */ +@@ -1773,12 +1773,12 @@ int mvs_slot_complete(struct mvs_info *mvi, u32 rx_desc, u32 flags) + sizeof(struct mvs_err_info); + sas_ssp_task_response(mvi->dev, task, iu); + } else +- tstat->stat = SAM_STAT_CHECK_CONDITION; ++ tstat->stat = SAS_SAM_STAT_CHECK_CONDITION; + break; + + case SAS_PROTOCOL_SMP: { + struct scatterlist *sg_resp = &task->smp_task.smp_resp; +- tstat->stat = SAM_STAT_GOOD; ++ tstat->stat = SAS_SAM_STAT_GOOD; + to = 
kmap_atomic(sg_page(sg_resp)); + memcpy(to + sg_resp->offset, + slot->response + sizeof(struct mvs_err_info), +@@ -1795,7 +1795,7 @@ int mvs_slot_complete(struct mvs_info *mvi, u32 rx_desc, u32 flags) + } + + default: +- tstat->stat = SAM_STAT_CHECK_CONDITION; ++ tstat->stat = SAS_SAM_STAT_CHECK_CONDITION; + break; + } + if (!slot->port->port_attached) { +diff --git a/drivers/scsi/pm8001/pm8001_hwi.c b/drivers/scsi/pm8001/pm8001_hwi.c +index da9fbe62a34d1..e9b3485baee01 100644 +--- a/drivers/scsi/pm8001/pm8001_hwi.c ++++ b/drivers/scsi/pm8001/pm8001_hwi.c +@@ -1881,7 +1881,7 @@ mpi_ssp_completion(struct pm8001_hba_info *pm8001_ha , void *piomb) + param); + if (param == 0) { + ts->resp = SAS_TASK_COMPLETE; +- ts->stat = SAM_STAT_GOOD; ++ ts->stat = SAS_SAM_STAT_GOOD; + } else { + ts->resp = SAS_TASK_COMPLETE; + ts->stat = SAS_PROTO_RESPONSE; +@@ -2341,7 +2341,7 @@ mpi_sata_completion(struct pm8001_hba_info *pm8001_ha, void *piomb) + pm8001_dbg(pm8001_ha, IO, "IO_SUCCESS\n"); + if (param == 0) { + ts->resp = SAS_TASK_COMPLETE; +- ts->stat = SAM_STAT_GOOD; ++ ts->stat = SAS_SAM_STAT_GOOD; + /* check if response is for SEND READ LOG */ + if (pm8001_dev && + (pm8001_dev->id & NCQ_READ_LOG_FLAG)) { +@@ -2864,7 +2864,7 @@ mpi_smp_completion(struct pm8001_hba_info *pm8001_ha, void *piomb) + case IO_SUCCESS: + pm8001_dbg(pm8001_ha, IO, "IO_SUCCESS\n"); + ts->resp = SAS_TASK_COMPLETE; +- ts->stat = SAM_STAT_GOOD; ++ ts->stat = SAS_SAM_STAT_GOOD; + if (pm8001_dev) + atomic_dec(&pm8001_dev->running_req); + break; +@@ -2891,17 +2891,17 @@ mpi_smp_completion(struct pm8001_hba_info *pm8001_ha, void *piomb) + case IO_ERROR_HW_TIMEOUT: + pm8001_dbg(pm8001_ha, IO, "IO_ERROR_HW_TIMEOUT\n"); + ts->resp = SAS_TASK_COMPLETE; +- ts->stat = SAM_STAT_BUSY; ++ ts->stat = SAS_SAM_STAT_BUSY; + break; + case IO_XFER_ERROR_BREAK: + pm8001_dbg(pm8001_ha, IO, "IO_XFER_ERROR_BREAK\n"); + ts->resp = SAS_TASK_COMPLETE; +- ts->stat = SAM_STAT_BUSY; ++ ts->stat = SAS_SAM_STAT_BUSY; + break; + case 
IO_XFER_ERROR_PHY_NOT_READY: + pm8001_dbg(pm8001_ha, IO, "IO_XFER_ERROR_PHY_NOT_READY\n"); + ts->resp = SAS_TASK_COMPLETE; +- ts->stat = SAM_STAT_BUSY; ++ ts->stat = SAS_SAM_STAT_BUSY; + break; + case IO_OPEN_CNX_ERROR_PROTOCOL_NOT_SUPPORTED: + pm8001_dbg(pm8001_ha, IO, +@@ -3656,7 +3656,7 @@ int pm8001_mpi_task_abort_resp(struct pm8001_hba_info *pm8001_ha, void *piomb) + case IO_SUCCESS: + pm8001_dbg(pm8001_ha, EH, "IO_SUCCESS\n"); + ts->resp = SAS_TASK_COMPLETE; +- ts->stat = SAM_STAT_GOOD; ++ ts->stat = SAS_SAM_STAT_GOOD; + break; + case IO_NOT_VALID: + pm8001_dbg(pm8001_ha, EH, "IO_NOT_VALID\n"); +@@ -4288,7 +4288,7 @@ static int pm8001_chip_sata_req(struct pm8001_hba_info *pm8001_ha, + + spin_lock_irqsave(&task->task_state_lock, flags); + ts->resp = SAS_TASK_COMPLETE; +- ts->stat = SAM_STAT_GOOD; ++ ts->stat = SAS_SAM_STAT_GOOD; + task->task_state_flags &= ~SAS_TASK_STATE_PENDING; + task->task_state_flags &= ~SAS_TASK_AT_INITIATOR; + task->task_state_flags |= SAS_TASK_STATE_DONE; +diff --git a/drivers/scsi/pm8001/pm8001_sas.c b/drivers/scsi/pm8001/pm8001_sas.c +index ba5852548bee3..a16ed0695f1ae 100644 +--- a/drivers/scsi/pm8001/pm8001_sas.c ++++ b/drivers/scsi/pm8001/pm8001_sas.c +@@ -764,7 +764,7 @@ static int pm8001_exec_internal_tmf_task(struct domain_device *dev, + } + + if (task->task_status.resp == SAS_TASK_COMPLETE && +- task->task_status.stat == SAM_STAT_GOOD) { ++ task->task_status.stat == SAS_SAM_STAT_GOOD) { + res = TMF_RESP_FUNC_COMPLETE; + break; + } +@@ -846,7 +846,7 @@ pm8001_exec_internal_task_abort(struct pm8001_hba_info *pm8001_ha, + } + + if (task->task_status.resp == SAS_TASK_COMPLETE && +- task->task_status.stat == SAM_STAT_GOOD) { ++ task->task_status.stat == SAS_SAM_STAT_GOOD) { + res = TMF_RESP_FUNC_COMPLETE; + break; + +diff --git a/drivers/scsi/pm8001/pm80xx_hwi.c b/drivers/scsi/pm8001/pm80xx_hwi.c +index 0305c8999ba5d..c98c0a53a018c 100644 +--- a/drivers/scsi/pm8001/pm80xx_hwi.c ++++ b/drivers/scsi/pm8001/pm80xx_hwi.c +@@ -1916,7 
+1916,7 @@ mpi_ssp_completion(struct pm8001_hba_info *pm8001_ha , void *piomb) + param); + if (param == 0) { + ts->resp = SAS_TASK_COMPLETE; +- ts->stat = SAM_STAT_GOOD; ++ ts->stat = SAS_SAM_STAT_GOOD; + } else { + ts->resp = SAS_TASK_COMPLETE; + ts->stat = SAS_PROTO_RESPONSE; +@@ -2450,7 +2450,7 @@ mpi_sata_completion(struct pm8001_hba_info *pm8001_ha, void *piomb) + pm8001_dbg(pm8001_ha, IO, "IO_SUCCESS\n"); + if (param == 0) { + ts->resp = SAS_TASK_COMPLETE; +- ts->stat = SAM_STAT_GOOD; ++ ts->stat = SAS_SAM_STAT_GOOD; + /* check if response is for SEND READ LOG */ + if (pm8001_dev && + (pm8001_dev->id & NCQ_READ_LOG_FLAG)) { +@@ -3004,7 +3004,7 @@ mpi_smp_completion(struct pm8001_hba_info *pm8001_ha, void *piomb) + case IO_SUCCESS: + pm8001_dbg(pm8001_ha, IO, "IO_SUCCESS\n"); + ts->resp = SAS_TASK_COMPLETE; +- ts->stat = SAM_STAT_GOOD; ++ ts->stat = SAS_SAM_STAT_GOOD; + if (pm8001_dev) + atomic_dec(&pm8001_dev->running_req); + if (pm8001_ha->smp_exp_mode == SMP_DIRECT) { +@@ -3046,17 +3046,17 @@ mpi_smp_completion(struct pm8001_hba_info *pm8001_ha, void *piomb) + case IO_ERROR_HW_TIMEOUT: + pm8001_dbg(pm8001_ha, IO, "IO_ERROR_HW_TIMEOUT\n"); + ts->resp = SAS_TASK_COMPLETE; +- ts->stat = SAM_STAT_BUSY; ++ ts->stat = SAS_SAM_STAT_BUSY; + break; + case IO_XFER_ERROR_BREAK: + pm8001_dbg(pm8001_ha, IO, "IO_XFER_ERROR_BREAK\n"); + ts->resp = SAS_TASK_COMPLETE; +- ts->stat = SAM_STAT_BUSY; ++ ts->stat = SAS_SAM_STAT_BUSY; + break; + case IO_XFER_ERROR_PHY_NOT_READY: + pm8001_dbg(pm8001_ha, IO, "IO_XFER_ERROR_PHY_NOT_READY\n"); + ts->resp = SAS_TASK_COMPLETE; +- ts->stat = SAM_STAT_BUSY; ++ ts->stat = SAS_SAM_STAT_BUSY; + break; + case IO_OPEN_CNX_ERROR_PROTOCOL_NOT_SUPPORTED: + pm8001_dbg(pm8001_ha, IO, +@@ -4679,7 +4679,7 @@ static int pm80xx_chip_sata_req(struct pm8001_hba_info *pm8001_ha, + + spin_lock_irqsave(&task->task_state_lock, flags); + ts->resp = SAS_TASK_COMPLETE; +- ts->stat = SAM_STAT_GOOD; ++ ts->stat = SAS_SAM_STAT_GOOD; + task->task_state_flags &= 
~SAS_TASK_STATE_PENDING; + task->task_state_flags &= ~SAS_TASK_AT_INITIATOR; + task->task_state_flags |= SAS_TASK_STATE_DONE; +diff --git a/include/scsi/libsas.h b/include/scsi/libsas.h +index e6a43163ab5b7..daf9b07956abf 100644 +--- a/include/scsi/libsas.h ++++ b/include/scsi/libsas.h +@@ -474,10 +474,16 @@ enum service_response { + }; + + enum exec_status { +- /* The SAM_STAT_.. codes fit in the lower 6 bits, alias some of +- * them here to silence 'case value not in enumerated type' warnings ++ /* ++ * Values 0..0x7f are used to return the SAM_STAT_* codes. To avoid ++ * 'case value not in enumerated type' compiler warnings every value ++ * returned through the exec_status enum needs an alias with the SAS_ ++ * prefix here. + */ +- __SAM_STAT_CHECK_CONDITION = SAM_STAT_CHECK_CONDITION, ++ SAS_SAM_STAT_GOOD = SAM_STAT_GOOD, ++ SAS_SAM_STAT_BUSY = SAM_STAT_BUSY, ++ SAS_SAM_STAT_TASK_ABORTED = SAM_STAT_TASK_ABORTED, ++ SAS_SAM_STAT_CHECK_CONDITION = SAM_STAT_CHECK_CONDITION, + + SAS_DEV_NO_RESPONSE = 0x80, + SAS_DATA_UNDERRUN, +-- +2.40.1 + diff --git a/queue-5.10/scsi-qedf-do-not-touch-__user-pointer-in-qedf_dbg_de.patch b/queue-5.10/scsi-qedf-do-not-touch-__user-pointer-in-qedf_dbg_de.patch new file mode 100644 index 00000000000..31dff0d2412 --- /dev/null +++ b/queue-5.10/scsi-qedf-do-not-touch-__user-pointer-in-qedf_dbg_de.patch 
@@ -0,0 +1,67 @@ +From aaa78ae1d3bbc4eb19ba5e49abf7c81611208057 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Jul 2023 10:40:33 +0200 +Subject: scsi: qedf: Do not touch __user pointer in qedf_dbg_debug_cmd_read() + directly + +From: Oleksandr Natalenko + +[ Upstream commit 31b5991a9a91ba97237ac9da509d78eec453ff72 ] + +The qedf_dbg_debug_cmd_read() function invokes sprintf() directly on a +__user pointer, which may crash the kernel. + +Avoid doing that by using a small on-stack buffer for scnprintf() and then +calling simple_read_from_buffer() which does a proper copy_to_user() call. + +Fixes: 61d8658b4a43 ("scsi: qedf: Add QLogic FastLinQ offload FCoE driver framework.") +Link: https://lore.kernel.org/lkml/20230724120241.40495-1-oleksandr@redhat.com/ +Link: https://lore.kernel.org/linux-scsi/20230726101236.11922-1-skashyap@marvell.com/ +Cc: Saurav Kashyap +Cc: Rob Evers +Cc: Johannes Thumshirn +Cc: David Laight +Cc: Jozef Bacik +Cc: Laurence Oberman +Cc: "James E.J. Bottomley" +Cc: "Martin K. Petersen" +Cc: GR-QLogic-Storage-Upstream@marvell.com +Cc: linux-scsi@vger.kernel.org +Reviewed-by: Laurence Oberman +Reviewed-by: Johannes Thumshirn +Tested-by: Laurence Oberman +Acked-by: Saurav Kashyap +Signed-off-by: Oleksandr Natalenko +Link: https://lore.kernel.org/r/20230731084034.37021-3-oleksandr@redhat.com +Signed-off-by: Martin K. 
Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qedf/qedf_debugfs.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/drivers/scsi/qedf/qedf_debugfs.c b/drivers/scsi/qedf/qedf_debugfs.c +index 3eb4334ac6a32..1c5716540e465 100644 +--- a/drivers/scsi/qedf/qedf_debugfs.c ++++ b/drivers/scsi/qedf/qedf_debugfs.c +@@ -138,15 +138,14 @@ qedf_dbg_debug_cmd_read(struct file *filp, char __user *buffer, size_t count, + loff_t *ppos) + { + int cnt; ++ char cbuf[32]; + struct qedf_dbg_ctx *qedf_dbg = + (struct qedf_dbg_ctx *)filp->private_data; + + QEDF_INFO(qedf_dbg, QEDF_LOG_DEBUGFS, "debug mask=0x%x\n", qedf_debug); +- cnt = sprintf(buffer, "debug mask = 0x%x\n", qedf_debug); ++ cnt = scnprintf(cbuf, sizeof(cbuf), "debug mask = 0x%x\n", qedf_debug); + +- cnt = min_t(int, count, cnt - *ppos); +- *ppos += cnt; +- return cnt; ++ return simple_read_from_buffer(buffer, count, ppos, cbuf, cnt); + } + + static ssize_t +-- +2.40.1 + diff --git a/queue-5.10/scsi-qedf-do-not-touch-__user-pointer-in-qedf_dbg_fp.patch b/queue-5.10/scsi-qedf-do-not-touch-__user-pointer-in-qedf_dbg_fp.patch new file mode 100644 index 00000000000..01fa553986e --- /dev/null +++ b/queue-5.10/scsi-qedf-do-not-touch-__user-pointer-in-qedf_dbg_fp.patch 
@@ -0,0 +1,112 @@ +From fc9da68035d73a9969ca4559ae1f1ddbd41851c3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Jul 2023 10:40:34 +0200 +Subject: scsi: qedf: Do not touch __user pointer in qedf_dbg_fp_int_cmd_read() + directly + +From: Oleksandr Natalenko + +[ Upstream commit 25dbc20deab5165f847b4eb42f376f725a986ee8 ] + +The qedf_dbg_fp_int_cmd_read() function invokes sprintf() directly on a +__user pointer, which may crash the kernel. + +Avoid doing that by vmalloc()'ating a buffer for scnprintf() and then +calling simple_read_from_buffer() which does a proper copy_to_user() call. + +Fixes: 61d8658b4a43 ("scsi: qedf: Add QLogic FastLinQ offload FCoE driver framework.") +Link: https://lore.kernel.org/lkml/20230724120241.40495-1-oleksandr@redhat.com/ +Link: https://lore.kernel.org/linux-scsi/20230726101236.11922-1-skashyap@marvell.com/ +Cc: Saurav Kashyap +Cc: Rob Evers +Cc: Johannes Thumshirn +Cc: David Laight +Cc: Jozef Bacik +Cc: Laurence Oberman +Cc: "James E.J. Bottomley" +Cc: "Martin K. Petersen" +Cc: GR-QLogic-Storage-Upstream@marvell.com +Cc: linux-scsi@vger.kernel.org +Reviewed-by: Laurence Oberman +Reviewed-by: Johannes Thumshirn +Tested-by: Laurence Oberman +Acked-by: Saurav Kashyap +Signed-off-by: Oleksandr Natalenko +Link: https://lore.kernel.org/r/20230731084034.37021-4-oleksandr@redhat.com +Signed-off-by: Martin K. 
Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qedf/qedf_dbg.h | 2 ++ + drivers/scsi/qedf/qedf_debugfs.c | 21 +++++++++++++++------ + 2 files changed, 17 insertions(+), 6 deletions(-) + +diff --git a/drivers/scsi/qedf/qedf_dbg.h b/drivers/scsi/qedf/qedf_dbg.h +index 2386bfb73c461..4a536c8377081 100644 +--- a/drivers/scsi/qedf/qedf_dbg.h ++++ b/drivers/scsi/qedf/qedf_dbg.h +@@ -60,6 +60,8 @@ extern uint qedf_debug; + #define QEDF_LOG_NOTICE 0x40000000 /* Notice logs */ + #define QEDF_LOG_WARN 0x80000000 /* Warning logs */ + ++#define QEDF_DEBUGFS_LOG_LEN (2 * PAGE_SIZE) ++ + /* Debug context structure */ + struct qedf_dbg_ctx { + unsigned int host_no; +diff --git a/drivers/scsi/qedf/qedf_debugfs.c b/drivers/scsi/qedf/qedf_debugfs.c +index 1c5716540e465..451fd236bfd05 100644 +--- a/drivers/scsi/qedf/qedf_debugfs.c ++++ b/drivers/scsi/qedf/qedf_debugfs.c +@@ -8,6 +8,7 @@ + #include + #include + #include ++#include + + #include "qedf.h" + #include "qedf_dbg.h" +@@ -98,7 +99,9 @@ static ssize_t + qedf_dbg_fp_int_cmd_read(struct file *filp, char __user *buffer, size_t count, + loff_t *ppos) + { ++ ssize_t ret; + size_t cnt = 0; ++ char *cbuf; + int id; + struct qedf_fastpath *fp = NULL; + struct qedf_dbg_ctx *qedf_dbg = +@@ -108,19 +111,25 @@ qedf_dbg_fp_int_cmd_read(struct file *filp, char __user *buffer, size_t count, + + QEDF_INFO(qedf_dbg, QEDF_LOG_DEBUGFS, "entered\n"); + +- cnt = sprintf(buffer, "\nFastpath I/O completions\n\n"); ++ cbuf = vmalloc(QEDF_DEBUGFS_LOG_LEN); ++ if (!cbuf) ++ return 0; ++ ++ cnt += scnprintf(cbuf + cnt, QEDF_DEBUGFS_LOG_LEN - cnt, "\nFastpath I/O completions\n\n"); + + for (id = 0; id < qedf->num_queues; id++) { + fp = &(qedf->fp_array[id]); + if (fp->sb_id == QEDF_SB_ID_NULL) + continue; +- cnt += sprintf((buffer + cnt), "#%d: %lu\n", id, +- fp->completions); ++ cnt += scnprintf(cbuf + cnt, QEDF_DEBUGFS_LOG_LEN - cnt, ++ "#%d: %lu\n", id, fp->completions); + } + +- cnt = min_t(int, count, cnt - *ppos); +- *ppos += cnt; +- 
return cnt; ++ ret = simple_read_from_buffer(buffer, count, ppos, cbuf, cnt); ++ ++ vfree(cbuf); ++ ++ return ret; + } + + static ssize_t +-- +2.40.1 + diff --git a/queue-5.10/scsi-qedf-do-not-touch-__user-pointer-in-qedf_dbg_st.patch b/queue-5.10/scsi-qedf-do-not-touch-__user-pointer-in-qedf_dbg_st.patch new file mode 100644 index 00000000000..35f3ed1481c --- /dev/null +++ b/queue-5.10/scsi-qedf-do-not-touch-__user-pointer-in-qedf_dbg_st.patch 
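Review bot: The allocation-failure path added to qedf_dbg_fp_int_cmd_read() returns 0, which a reader of the debugfs file sees as end-of-file rather than as an error; `if (!cbuf) return -ENOMEM;` would report the failure. The QEDF_DEBUGFS_LOG_LEN buffer is also allocated and formatted on every read call, whatever `*ppos` is, and scnprintf() silently truncates output beyond that length. A one-line comment at the vmalloc() saying that the size is a fixed cap would record that. Part of the function body lies between the two inner hunks and is not shown.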
@@ -0,0 +1,70 @@ +From d3f96c09334d9da329fe1d6067d2d2f9e6d80cdd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Jul 2023 10:40:32 +0200 +Subject: scsi: qedf: Do not touch __user pointer in + qedf_dbg_stop_io_on_error_cmd_read() directly + +From: Oleksandr Natalenko + +[ Upstream commit 7d3d20dee4f648ec44e9717d5f647d594d184433 ] + +The qedf_dbg_stop_io_on_error_cmd_read() function invokes sprintf() +directly on a __user pointer, which may crash the kernel. + +Avoid doing that by using a small on-stack buffer for scnprintf() and then +calling simple_read_from_buffer() which does a proper copy_to_user() call. + +Fixes: 61d8658b4a43 ("scsi: qedf: Add QLogic FastLinQ offload FCoE driver framework.") +Link: https://lore.kernel.org/lkml/20230724120241.40495-1-oleksandr@redhat.com/ +Link: https://lore.kernel.org/linux-scsi/20230726101236.11922-1-skashyap@marvell.com/ +Cc: Saurav Kashyap +Cc: Rob Evers +Cc: Johannes Thumshirn +Cc: David Laight +Cc: Jozef Bacik +Cc: Laurence Oberman +Cc: "James E.J. Bottomley" +Cc: "Martin K. Petersen" +Cc: GR-QLogic-Storage-Upstream@marvell.com +Cc: linux-scsi@vger.kernel.org +Reviewed-by: Laurence Oberman +Reviewed-by: Johannes Thumshirn +Tested-by: Laurence Oberman +Acked-by: Saurav Kashyap +Signed-off-by: Oleksandr Natalenko +Link: https://lore.kernel.org/r/20230731084034.37021-2-oleksandr@redhat.com +Signed-off-by: Martin K. 
Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qedf/qedf_debugfs.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/drivers/scsi/qedf/qedf_debugfs.c b/drivers/scsi/qedf/qedf_debugfs.c +index a3ed681c8ce3f..3eb4334ac6a32 100644 +--- a/drivers/scsi/qedf/qedf_debugfs.c ++++ b/drivers/scsi/qedf/qedf_debugfs.c +@@ -185,18 +185,17 @@ qedf_dbg_stop_io_on_error_cmd_read(struct file *filp, char __user *buffer, + size_t count, loff_t *ppos) + { + int cnt; ++ char cbuf[7]; + struct qedf_dbg_ctx *qedf_dbg = + (struct qedf_dbg_ctx *)filp->private_data; + struct qedf_ctx *qedf = container_of(qedf_dbg, + struct qedf_ctx, dbg_ctx); + + QEDF_INFO(qedf_dbg, QEDF_LOG_DEBUGFS, "entered\n"); +- cnt = sprintf(buffer, "%s\n", ++ cnt = scnprintf(cbuf, sizeof(cbuf), "%s\n", + qedf->stop_io_on_error ? "true" : "false"); + +- cnt = min_t(int, count, cnt - *ppos); +- *ppos += cnt; +- return cnt; ++ return simple_read_from_buffer(buffer, count, ppos, cbuf, cnt); + } + + static ssize_t +-- +2.40.1 + diff --git a/queue-5.10/scsi-qla4xxx-add-length-check-when-parsing-nlattrs.patch b/queue-5.10/scsi-qla4xxx-add-length-check-when-parsing-nlattrs.patch new file mode 100644 index 00000000000..e318cf71924 --- /dev/null +++ b/queue-5.10/scsi-qla4xxx-add-length-check-when-parsing-nlattrs.patch 
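Review bot: `char cbuf[7]` in qedf_dbg_stop_io_on_error_cmd_read() holds exactly "false\n" plus the terminator, so the bound is correct today but leaves no slack, and scnprintf() would silently truncate if either string were ever lengthened. Deriving the size from the longest string, `char cbuf[sizeof("false\n")];`, or adding a short comment on the declaration, would keep the size tied to its reason. The hunk shows the whole function body, so nothing else depends on the literal 7.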
@@ -0,0 +1,80 @@ +From 8c59c2ba1e26e02eda327a98c7c252a20301afd0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 23 Jul 2023 16:00:53 +0800 +Subject: scsi: qla4xxx: Add length check when parsing nlattrs + +From: Lin Ma + +[ Upstream commit 47cd3770e31df942e2bb925a9a855c79ed0662eb ] + +There are three places that qla4xxx parses nlattrs: + + - qla4xxx_set_chap_entry() + + - qla4xxx_iface_set_param() + + - qla4xxx_sysfs_ddb_set_param() + +and each of them directly converts the nlattr to specific pointer of +structure without length checking. This could be dangerous as those +attributes are not validated and a malformed nlattr (e.g., length 0) could +result in an OOB read that leaks heap dirty data. + +Add the nla_len check before accessing the nlattr data and return EINVAL if +the length check fails. + +Fixes: 26ffd7b45fe9 ("[SCSI] qla4xxx: Add support to set CHAP entries") +Fixes: 1e9e2be3ee03 ("[SCSI] qla4xxx: Add flash node mgmt support") +Fixes: 00c31889f751 ("[SCSI] qla4xxx: fix data alignment and use nl helpers") +Signed-off-by: Lin Ma +Link: https://lore.kernel.org/r/20230723080053.3714534-1-linma@zju.edu.cn +Reviewed-by: Chris Leech +Signed-off-by: Martin K. 
Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla4xxx/ql4_os.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/drivers/scsi/qla4xxx/ql4_os.c b/drivers/scsi/qla4xxx/ql4_os.c +index 8d82d2a83059d..05ae9b1157096 100644 +--- a/drivers/scsi/qla4xxx/ql4_os.c ++++ b/drivers/scsi/qla4xxx/ql4_os.c +@@ -973,6 +973,11 @@ static int qla4xxx_set_chap_entry(struct Scsi_Host *shost, void *data, int len) + memset(&chap_rec, 0, sizeof(chap_rec)); + + nla_for_each_attr(attr, data, len, rem) { ++ if (nla_len(attr) < sizeof(*param_info)) { ++ rc = -EINVAL; ++ goto exit_set_chap; ++ } ++ + param_info = nla_data(attr); + + switch (param_info->param) { +@@ -2755,6 +2760,11 @@ qla4xxx_iface_set_param(struct Scsi_Host *shost, void *data, uint32_t len) + } + + nla_for_each_attr(attr, data, len, rem) { ++ if (nla_len(attr) < sizeof(*iface_param)) { ++ rval = -EINVAL; ++ goto exit_init_fw_cb; ++ } ++ + iface_param = nla_data(attr); + + if (iface_param->param_type == ISCSI_NET_PARAM) { +@@ -8119,6 +8129,11 @@ qla4xxx_sysfs_ddb_set_param(struct iscsi_bus_flash_session *fnode_sess, + + memset((void *)&chap_tbl, 0, sizeof(chap_tbl)); + nla_for_each_attr(attr, data, len, rem) { ++ if (nla_len(attr) < sizeof(*fnode_param)) { ++ rc = -EINVAL; ++ goto exit_set_param; ++ } ++ + fnode_param = nla_data(attr); + + switch (fnode_param->param) { +-- +2.40.1 + diff --git a/queue-5.10/scsi-rdma-srp-fix-residual-handling.patch b/queue-5.10/scsi-rdma-srp-fix-residual-handling.patch new file mode 100644 index 00000000000..b5f58386ef1 --- /dev/null +++ b/queue-5.10/scsi-rdma-srp-fix-residual-handling.patch 
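Review bot: The added `nla_len(attr) < sizeof(*param_info)` check in qla4xxx_set_chap_entry(), and the matching checks on `iface_param` and `fnode_param` in the other two loops, only guarantee that the fixed-size part of each structure lies inside the attribute. If these structures carry their own length field followed by a variable-length value, which the hunks do not show, the switch bodies presumably still need to compare that length with `nla_len(attr) - sizeof(*param_info)` before reading the value. The comparison also mixes the int returned by nla_len() with a size_t, which is safe only as long as the iterator rejects attributes shorter than their header. A short comment saying so at the first check would help. All three loops continue outside the hunks.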
@@ -0,0 +1,49 @@ +From e3a8253b2ffc21975fa47101fa017f29f1ec3f52 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Jul 2023 13:08:30 -0700 +Subject: scsi: RDMA/srp: Fix residual handling + +From: Bart Van Assche + +[ Upstream commit 89e637c19b2441aabc8dbf22a8745b932fd6996e ] + +Although the code for residual handling in the SRP initiator follows the +SCSI documentation, that documentation has never been correct. Because +scsi_finish_command() starts from the data buffer length and subtracts the +residual, scsi_set_resid() must not be called if a residual overflow +occurs. Hence remove the scsi_set_resid() calls from the SRP initiator if a +residual overflow occurrs. + +Cc: Leon Romanovsky +Cc: Jason Gunthorpe +Fixes: 9237f04e12cc ("scsi: core: Fix scsi_get/set_resid() interface") +Fixes: e714531a349f ("IB/srp: Fix residual handling") +Signed-off-by: Bart Van Assche +Link: https://lore.kernel.org/r/20230724200843.3376570-3-bvanassche@acm.org +Acked-by: Leon Romanovsky +Signed-off-by: Martin K. 
Petersen +Signed-off-by: Sasha Levin +--- + drivers/infiniband/ulp/srp/ib_srp.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/drivers/infiniband/ulp/srp/ib_srp.c b/drivers/infiniband/ulp/srp/ib_srp.c +index adbd56af379ff..9b9b9557ae746 100644 +--- a/drivers/infiniband/ulp/srp/ib_srp.c ++++ b/drivers/infiniband/ulp/srp/ib_srp.c +@@ -1990,12 +1990,8 @@ static void srp_process_rsp(struct srp_rdma_ch *ch, struct srp_rsp *rsp) + + if (unlikely(rsp->flags & SRP_RSP_FLAG_DIUNDER)) + scsi_set_resid(scmnd, be32_to_cpu(rsp->data_in_res_cnt)); +- else if (unlikely(rsp->flags & SRP_RSP_FLAG_DIOVER)) +- scsi_set_resid(scmnd, -be32_to_cpu(rsp->data_in_res_cnt)); + else if (unlikely(rsp->flags & SRP_RSP_FLAG_DOUNDER)) + scsi_set_resid(scmnd, be32_to_cpu(rsp->data_out_res_cnt)); +- else if (unlikely(rsp->flags & SRP_RSP_FLAG_DOOVER)) +- scsi_set_resid(scmnd, -be32_to_cpu(rsp->data_out_res_cnt)); + + srp_free_req(ch, req, scmnd, + be32_to_cpu(rsp->req_lim_delta)); +-- +2.40.1 + diff --git a/queue-5.10/selftests-bpf-clean-up-fmod_ret-in-bench_rename-test.patch b/queue-5.10/selftests-bpf-clean-up-fmod_ret-in-bench_rename-test.patch new file mode 100644 index 00000000000..0a553c5621e --- /dev/null +++ b/queue-5.10/selftests-bpf-clean-up-fmod_ret-in-bench_rename-test.patch 
@@ -0,0 +1,52 @@
+From bef7f92afb378a5086dea353f3d9b33eba00bfb8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 14 Aug 2023 11:07:27 +0800
+Subject: selftests/bpf: Clean up fmod_ret in bench_rename test script
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Yipeng Zou
+
+[ Upstream commit 83a89c4b6ae93481d3f618aba6a29d89208d26ed ]
+
+Running the bench_rename test script, the following error occurs:
+
+ # ./benchs/run_bench_rename.sh
+ base : 0.819 ± 0.012M/s
+ kprobe : 0.538 ± 0.009M/s
+ kretprobe : 0.503 ± 0.004M/s
+ rawtp : 0.779 ± 0.020M/s
+ fentry : 0.726 ± 0.007M/s
+ fexit : 0.691 ± 0.007M/s
+ benchmark 'rename-fmodret' not found
+
+The bench_rename_fmodret has been removed in commit b000def2e052
+("selftests: Remove fmod_ret from test_overhead"), thus remove it
+from the runners in the test script.
+
+Fixes: b000def2e052 ("selftests: Remove fmod_ret from test_overhead")
+Signed-off-by: Yipeng Zou
+Signed-off-by: Daniel Borkmann
+Link: https://lore.kernel.org/bpf/20230814030727.3010390-1-zouyipeng@huawei.com
+Signed-off-by: Sasha Levin
+---
+ tools/testing/selftests/bpf/benchs/run_bench_rename.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/bpf/benchs/run_bench_rename.sh b/tools/testing/selftests/bpf/benchs/run_bench_rename.sh
+index 16f774b1cdbed..7b281dbe41656 100755
+--- a/tools/testing/selftests/bpf/benchs/run_bench_rename.sh
++++ b/tools/testing/selftests/bpf/benchs/run_bench_rename.sh
+@@ -2,7 +2,7 @@
+
+ set -eufo pipefail
+
+-for i in base kprobe kretprobe rawtp fentry fexit fmodret
++for i in base kprobe kretprobe rawtp fentry fexit
+ do
+ summary=$(sudo ./bench -w2 -d5 -a rename-$i | tail -n1 | cut -d'(' -f1 | cut -d' ' -f3-)
+ printf "%-10s: %s\n" $i "$summary"
+--
+2.40.1
+
diff --git a/queue-5.10/selftests-bpf-fix-static-assert-compilation-issue-fo.patch b/queue-5.10/selftests-bpf-fix-static-assert-compilation-issue-fo.patch
new file mode 100644
index 00000000000..62c6bcd639a
--- /dev/null
+++ b/queue-5.10/selftests-bpf-fix-static-assert-compilation-issue-fo.patch
@@ -0,0 +1,82 @@
+From 168901c33f6b2a5039958dc101cfe0b2a64f8ddf Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 2 Aug 2023 08:39:06 +0100
+Subject: selftests/bpf: fix static assert compilation issue for test_cls_*.c
+
+From: Alan Maguire
+
+[ Upstream commit 416c6d01244ecbf0abfdb898fd091b50ef951b48 ]
+
+commit bdeeed3498c7 ("libbpf: fix offsetof() and container_of() to work with CO-RE")
+
+...was backported to stable trees such as 5.15. The problem is that with older
+LLVM/clang (14/15) - which is often used for older kernels - we see compilation
+failures in BPF selftests now:
+
+In file included from progs/test_cls_redirect_subprogs.c:2:
+progs/test_cls_redirect.c:90:2: error: static assertion expression is not an integral constant expression
+ sizeof(flow_ports_t) !=
+ ^~~~~~~~~~~~~~~~~~~~~~~
+progs/test_cls_redirect.c:91:3: note: cast that performs the conversions of a reinterpret_cast is not allowed in a constant expression
+ offsetofend(struct bpf_sock_tuple, ipv4.dport) -
+ ^
+progs/test_cls_redirect.c:32:3: note: expanded from macro 'offsetofend'
+ (offsetof(TYPE, MEMBER) + sizeof((((TYPE *)0)->MEMBER)))
+ ^
+tools/testing/selftests/bpf/tools/include/bpf/bpf_helpers.h:86:33: note: expanded from macro 'offsetof'
+ ^
+In file included from progs/test_cls_redirect_subprogs.c:2:
+progs/test_cls_redirect.c:95:2: error: static assertion expression is not an integral constant expression
+ sizeof(flow_ports_t) !=
+ ^~~~~~~~~~~~~~~~~~~~~~~
+progs/test_cls_redirect.c:96:3: note: cast that performs the conversions of a reinterpret_cast is not allowed in a constant expression
+ offsetofend(struct bpf_sock_tuple, ipv6.dport) -
+ ^
+progs/test_cls_redirect.c:32:3: note: expanded from macro 'offsetofend'
+ (offsetof(TYPE, MEMBER) + sizeof((((TYPE *)0)->MEMBER)))
+ ^
+tools/testing/selftests/bpf/tools/include/bpf/bpf_helpers.h:86:33: note: expanded from macro 'offsetof'
+ ^
+2 errors generated.
+make: *** [Makefile:594: tools/testing/selftests/bpf/test_cls_redirect_subprogs.bpf.o] Error 1
+
+The problem is the new offsetof() does not play nice with static asserts.
+Given that the context is a static assert (and CO-RE relocation is not
+needed at compile time), offsetof() usage can be replaced by restoring
+the original offsetof() definition as __builtin_offsetof().
+
+Fixes: bdeeed3498c7 ("libbpf: fix offsetof() and container_of() to work with CO-RE")
+Reported-by: Colm Harrington
+Signed-off-by: Alan Maguire
+Tested-by: Yipeng Zou
+Acked-by: Yonghong Song
+Link: https://lore.kernel.org/r/20230802073906.3197480-1-alan.maguire@oracle.com
+Signed-off-by: Alexei Starovoitov
+Signed-off-by: Sasha Levin
+---
+ tools/testing/selftests/bpf/progs/test_cls_redirect.h | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/tools/testing/selftests/bpf/progs/test_cls_redirect.h b/tools/testing/selftests/bpf/progs/test_cls_redirect.h
+index 76eab0aacba0c..233b089d1fbac 100644
+--- a/tools/testing/selftests/bpf/progs/test_cls_redirect.h
++++ b/tools/testing/selftests/bpf/progs/test_cls_redirect.h
+@@ -12,6 +12,15 @@
+ #include
+ #include
+
++/* offsetof() is used in static asserts, and the libbpf-redefined CO-RE
++ * friendly version breaks compilation for older clang versions <= 15
++ * when invoked in a static assert. Restore original here.
++ */
++#ifdef offsetof
++#undef offsetof
++#define offsetof(type, member) __builtin_offsetof(type, member)
++#endif
++
+ struct gre_base_hdr {
+ uint16_t flags;
+ uint16_t protocol;
+--
+2.40.1
+
diff --git a/queue-5.10/selftests-harness-actually-report-skip-for-signal-te.patch b/queue-5.10/selftests-harness-actually-report-skip-for-signal-te.patch
new file mode 100644
index 00000000000..903d32b94f2
--- /dev/null
+++ b/queue-5.10/selftests-harness-actually-report-skip-for-signal-te.patch
@@ -0,0 +1,56 @@
+From ba492f7f605640653814b4cb934eaec91b6f6834 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 7 Aug 2023 10:43:58 -0700
+Subject: selftests/harness: Actually report SKIP for signal tests
+
+From: Kees Cook
+
+[ Upstream commit b3d46e11fec0c5a8972e5061bb1462119ae5736d ]
+
+Tests that were expecting a signal were not correctly checking for a
+SKIP condition. Move the check before the signal checking when
+processing test result.
+
+Cc: Shuah Khan
+Cc: Andy Lutomirski
+Cc: Will Drewry
+Cc: linux-kselftest@vger.kernel.org
+Fixes: 9847d24af95c ("selftests/harness: Refactor XFAIL into SKIP")
+Signed-off-by: Kees Cook
+Signed-off-by: Sasha Levin
+---
+ tools/testing/selftests/kselftest_harness.h | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/tools/testing/selftests/kselftest_harness.h b/tools/testing/selftests/kselftest_harness.h
+index 3e7b2e521cde4..2fadc99d93619 100644
+--- a/tools/testing/selftests/kselftest_harness.h
++++ b/tools/testing/selftests/kselftest_harness.h
+@@ -910,7 +910,11 @@ void __wait_for_test(struct __test_metadata *t)
+ fprintf(TH_LOG_STREAM,
+ "# %s: Test terminated by timeout\n", t->name);
+ } else if (WIFEXITED(status)) {
+- if (t->termsig != -1) {
++ if (WEXITSTATUS(status) == 255) {
++ /* SKIP */
++ t->passed = 1;
++ t->skip = 1;
++ } else if (t->termsig != -1) {
+ t->passed = 0;
+ fprintf(TH_LOG_STREAM,
+ "# %s: Test exited normally instead of by signal (code: %d)\n",
+@@ -922,11 +926,6 @@ void __wait_for_test(struct __test_metadata *t)
+ case 0:
+ t->passed = 1;
+ break;
+- /* SKIP */
+- case 255:
+- t->passed = 1;
+- t->skip = 1;
+- break;
+ /* Other failure, assume step report. */
+ default:
+ t->passed = 0;
+--
+2.40.1
+
diff --git a/queue-5.10/selftests-resctrl-close-perf-value-read-fd-on-errors.patch b/queue-5.10/selftests-resctrl-close-perf-value-read-fd-on-errors.patch
new file mode 100644
index 00000000000..f7eb78b26b0
--- /dev/null
+++ b/queue-5.10/selftests-resctrl-close-perf-value-read-fd-on-errors.patch 
@@ -0,0 +1,85 @@
+From 7c478f73628f2c31f4ab322c3c2d4427fea8df68 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 17 Jul 2023 16:14:52 +0300
+Subject: selftests/resctrl: Close perf value read fd on errors
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ilpo Järvinen
+
+[ Upstream commit 51a0c3b7f028169e40db930575dd01fe81c3e765 ]
+
+Perf event fd (fd_lm) is not closed when run_fill_buf() returns error.
+
+Close fd_lm only in cat_val() to make it easier to track it is always
+closed.
+
+Fixes: 790bf585b0ee ("selftests/resctrl: Add Cache Allocation Technology (CAT) selftest")
+Signed-off-by: Ilpo Järvinen
+Tested-by: Babu Moger
+Tested-by: Shaopeng Tan (Fujitsu)
+Signed-off-by: Shuah Khan
+Signed-off-by: Sasha Levin
+---
+ tools/testing/selftests/resctrl/cache.c | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/tools/testing/selftests/resctrl/cache.c b/tools/testing/selftests/resctrl/cache.c
+index 5922cc1b03867..b3c0e858c4e07 100644
+--- a/tools/testing/selftests/resctrl/cache.c
++++ b/tools/testing/selftests/resctrl/cache.c
+@@ -89,21 +89,19 @@ static int reset_enable_llc_perf(pid_t pid, int cpu_no)
+ static int get_llc_perf(unsigned long *llc_perf_miss)
+ {
+ __u64 total_misses;
++ int ret;
+
+ /* Stop counters after one span to get miss rate */
+
+ ioctl(fd_lm, PERF_EVENT_IOC_DISABLE, 0);
+
+- if (read(fd_lm, &rf_cqm, sizeof(struct read_format)) == -1) {
++ ret = read(fd_lm, &rf_cqm, sizeof(struct read_format));
++ if (ret == -1) {
+ perror("Could not get llc misses through perf");
+-
+ return -1;
+ }
+
+ total_misses = rf_cqm.values[0].value;
+-
+- close(fd_lm);
+-
+ *llc_perf_miss = total_misses;
+
+ return 0;
+@@ -256,17 +254,23 @@ int cat_val(struct resctrl_val_param *param)
+ memflush, operation, resctrl_val)) {
+ fprintf(stderr, "Error-running fill buffer\n");
+ ret = -1;
+- break;
++ goto pe_close;
+ }
+
+ sleep(1);
+ ret = measure_cache_vals(param, bm_pid);
+ if (ret)
+- break;
++ goto pe_close;
++
++ close(fd_lm);
+ } else {
+ break;
+ }
+ }
+
+ return ret;
++
++pe_close:
++ close(fd_lm);
++ return ret;
+ }
+--
+2.40.1
+
diff --git a/queue-5.10/selftests-resctrl-don-t-leak-buffer-in-fill_cache.patch b/queue-5.10/selftests-resctrl-don-t-leak-buffer-in-fill_cache.patch
new file mode 100644
index 00000000000..0a6b847a1a2
--- /dev/null
+++ b/queue-5.10/selftests-resctrl-don-t-leak-buffer-in-fill_cache.patch
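Review bot: In `get_llc_perf()` the new `int ret` narrows the `ssize_t` returned by `read()` and is compared only with -1, so a short read is not rejected and `rf_cqm.values[0].value` is still taken as the miss count from a partly filled structure. Declaring `ssize_t ret;` and testing the full length covers both the error and the short-read case: `if (ret != (ssize_t)sizeof(struct read_format)) {`. On a short read `perror()` would print an unrelated errno, so that branch may want its own message. The second inner hunk shows only the tail of `cat_val()`, so where `fd_lm` is opened relative to the new `pe_close` label cannot be checked from here.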
@@ -0,0 +1,55 @@
+From 75190c108d317f120b48dd3b283afa0f311a717b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 17 Jul 2023 16:14:50 +0300
+Subject: selftests/resctrl: Don't leak buffer in fill_cache()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ilpo Järvinen
+
+[ Upstream commit 2d320b1029ee7329ee0638181be967789775b962 ]
+
+The error path in fill_cache() does return before the allocated buffer
+is freed leaking the buffer.
+
+The leak was introduced when fill_cache_read() started to return errors
+in commit c7b607fa9325 ("selftests/resctrl: Fix null pointer
+dereference on open failed"), before that both fill functions always
+returned 0.
+
+Move free() earlier to prevent the mem leak.
+
+Fixes: c7b607fa9325 ("selftests/resctrl: Fix null pointer dereference on open failed")
+Signed-off-by: Ilpo Järvinen
+Reviewed-by: Reinette Chatre
+Tested-by: Babu Moger
+Tested-by: Shaopeng Tan (Fujitsu)
+Signed-off-by: Shuah Khan
+Signed-off-by: Sasha Levin
+---
+ tools/testing/selftests/resctrl/fill_buf.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/resctrl/fill_buf.c b/tools/testing/selftests/resctrl/fill_buf.c
+index c20d0a7ecbe63..ab1d91328d67b 100644
+--- a/tools/testing/selftests/resctrl/fill_buf.c
++++ b/tools/testing/selftests/resctrl/fill_buf.c
+@@ -184,12 +184,13 @@ fill_cache(unsigned long long buf_size, int malloc_and_init, int memflush,
+ else
+ ret = fill_cache_write(start_ptr, end_ptr, resctrl_val);
+
++ free(startptr);
++
+ if (ret) {
+ printf("\n Error in fill cache read/write...\n");
+ return -1;
+ }
+
+- free(startptr);
+
+ return 0;
+ }
+--
+2.40.1
+
diff --git a/queue-5.10/selftests-resctrl-unmount-resctrl-fs-if-child-fails-.patch b/queue-5.10/selftests-resctrl-unmount-resctrl-fs-if-child-fails-.patch
new file mode 100644
index 00000000000..585857b6a99
--- /dev/null
+++ b/queue-5.10/selftests-resctrl-unmount-resctrl-fs-if-child-fails-.patch
@@ -0,0 +1,44 @@
+From 0283ca377b9ee1258c4c628f17091176cf99399d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 17 Jul 2023 16:14:51 +0300
+Subject: selftests/resctrl: Unmount resctrl FS if child fails to run benchmark
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ilpo Järvinen
+
+[ Upstream commit f99e413eb54652e2436cc56d081176bc9a34cd8d ]
+
+A child calls PARENT_EXIT() when it fails to run a benchmark to kill
+the parent process. PARENT_EXIT() lacks unmount for the resctrl FS and
+the parent won't be there to unmount it either after it gets killed.
+
+Add the resctrl FS unmount also to PARENT_EXIT().
+
+Fixes: 591a6e8588fc ("selftests/resctrl: Add basic resctrl file system operations and data")
+Signed-off-by: Ilpo Järvinen
+Reviewed-by: Reinette Chatre
+Tested-by: Babu Moger
+Tested-by: Shaopeng Tan (Fujitsu)
+Signed-off-by: Shuah Khan
+Signed-off-by: Sasha Levin
+---
+ tools/testing/selftests/resctrl/resctrl.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/testing/selftests/resctrl/resctrl.h b/tools/testing/selftests/resctrl/resctrl.h
+index 36da6136af968..c38f2d58df927 100644
+--- a/tools/testing/selftests/resctrl/resctrl.h
++++ b/tools/testing/selftests/resctrl/resctrl.h
+@@ -33,6 +33,7 @@
+ do { \
+ perror(err_msg); \
+ kill(ppid, SIGKILL); \
++ umount_resctrlfs(); \
+ exit(EXIT_FAILURE); \
+ } while (0)
+
+--
+2.40.1
+
diff --git a/queue-5.10/serial-sprd-assign-sprd_port-after-initialized-to-av.patch b/queue-5.10/serial-sprd-assign-sprd_port-after-initialized-to-av.patch
new file mode 100644
index 00000000000..948da3fa121
--- /dev/null
+++ b/queue-5.10/serial-sprd-assign-sprd_port-after-initialized-to-av.patch
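Review bot: The added `umount_resctrlfs();` in `PARENT_EXIT()` discards its result, so a failed unmount goes unreported and the resctrl filesystem stays mounted, which is the situation the change is meant to prevent. It also runs immediately after `kill(ppid, SIGKILL)`, which only queues the signal; if the parent still holds anything open under the mount at that instant the unmount may fail as busy, though whether it does is not visible in this hunk. Assuming `umount_resctrlfs()` returns a status (its prototype is outside the hunk), report the failure before exiting, e.g. `if (umount_resctrlfs()) perror("umount resctrl FS"); \`. The macro's opening `#define` line is outside the hunk.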
@@ -0,0 +1,118 @@
+From 8abcaeae462fc40487c7332664738f9330f9d261 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 25 Jul 2023 14:40:52 +0800
+Subject: serial: sprd: Assign sprd_port after initialized to avoid wrong
+ access
+
+From: Chunyan Zhang
+
+[ Upstream commit f9608f1887568b728839d006024585ab02ef29e5 ]
+
+The global pointer 'sprd_port' may not zero when sprd_probe returns
+failure, that is a risk for sprd_port to be accessed afterward, and
+may lead to unexpected errors.
+
+For example:
+
+There are two UART ports, UART1 is used for console and configured in
+kernel command line, i.e. "console=";
+
+The UART1 probe failed and the memory allocated to sprd_port[1] was
+released, but sprd_port[1] was not set to NULL;
+
+In UART2 probe, the same virtual address was allocated to sprd_port[2],
+and UART2 probe process finally will go into sprd_console_setup() to
+register UART1 as console since it is configured as preferred console
+(filled to console_cmdline[]), but the console parameters (sprd_port[1])
+belong to UART2.
+
+So move the sprd_port[] assignment to where the port already initialized
+can avoid the above issue.
+
+Fixes: b7396a38fb28 ("tty/serial: Add Spreadtrum sc9836-uart driver support")
+Signed-off-by: Chunyan Zhang
+Link: https://lore.kernel.org/r/20230725064053.235448-1-chunyan.zhang@unisoc.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/tty/serial/sprd_serial.c | 25 +++++++++++++++++--------
+ 1 file changed, 17 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/tty/serial/sprd_serial.c b/drivers/tty/serial/sprd_serial.c
+index 9a7ae6384edfa..144c03ca3366a 100644
+--- a/drivers/tty/serial/sprd_serial.c
++++ b/drivers/tty/serial/sprd_serial.c
+@@ -1133,7 +1133,7 @@ static bool sprd_uart_is_console(struct uart_port *uport)
+ static int sprd_clk_init(struct uart_port *uport)
+ {
+ struct clk *clk_uart, *clk_parent;
+- struct sprd_uart_port *u = sprd_port[uport->line];
++ struct sprd_uart_port *u = container_of(uport, struct sprd_uart_port, port);
+
+ clk_uart = devm_clk_get(uport->dev, "uart");
+ if (IS_ERR(clk_uart)) {
+@@ -1176,22 +1176,22 @@ static int sprd_probe(struct platform_device *pdev)
+ {
+ struct resource *res;
+ struct uart_port *up;
++ struct sprd_uart_port *sport;
+ int irq;
+ int index;
+ int ret;
+
+ index = of_alias_get_id(pdev->dev.of_node, "serial");
+- if (index < 0 || index >= ARRAY_SIZE(sprd_port)) {
++ if (index < 0 || index >= UART_NR_MAX) {
+ dev_err(&pdev->dev, "got a wrong serial alias id %d\n", index);
+ return -EINVAL;
+ }
+
+- sprd_port[index] = devm_kzalloc(&pdev->dev, sizeof(*sprd_port[index]),
+- GFP_KERNEL);
+- if (!sprd_port[index])
++ sport = devm_kzalloc(&pdev->dev, sizeof(*sport), GFP_KERNEL);
++ if (!sport)
+ return -ENOMEM;
+
+- up = &sprd_port[index]->port;
++ up = &sport->port;
+ up->dev = &pdev->dev;
+ up->line = index;
+ up->type = PORT_SPRD;
+@@ -1222,7 +1222,7 @@ static int sprd_probe(struct platform_device *pdev)
+ * Allocate one dma buffer to prepare for receive transfer, in case
+ * memory allocation failure at runtime.
+ */
+- ret = sprd_rx_alloc_buf(sprd_port[index]);
++ ret = sprd_rx_alloc_buf(sport);
+ if (ret)
+ return ret;
+
+@@ -1233,14 +1233,23 @@ static int sprd_probe(struct platform_device *pdev)
+ return ret;
+ }
+ }
++
+ sprd_ports_num++;
++ sprd_port[index] = sport;
+
+ ret = uart_add_one_port(&sprd_uart_driver, up);
+ if (ret)
+- sprd_remove(pdev);
++ goto clean_port;
+
+ platform_set_drvdata(pdev, up);
+
++ return 0;
++
++clean_port:
++ sprd_port[index] = NULL;
++ if (--sprd_ports_num == 0)
++ uart_unregister_driver(&sprd_uart_driver);
++ sprd_rx_free_buf(sport);
+ return ret;
+ }
+
+--
+2.40.1
+
diff --git a/queue-5.10/serial-sprd-fix-dma-buffer-leak-issue.patch b/queue-5.10/serial-sprd-fix-dma-buffer-leak-issue.patch
new file mode 100644
index 00000000000..68f25e75498
--- /dev/null
+++ b/queue-5.10/serial-sprd-fix-dma-buffer-leak-issue.patch
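Review bot: The alias check in `sprd_probe()` now bounds `index` by `UART_NR_MAX` instead of `ARRAY_SIZE(sprd_port)`, although `index` still selects the slot written by `sprd_port[index] = sport;` and `sprd_port[index] = NULL;`. The declaration of `sprd_port` is outside these hunks, so it cannot be confirmed here that the array has exactly `UART_NR_MAX` elements; keeping the guard tied to the array itself, `if (index < 0 || index >= ARRAY_SIZE(sprd_port)) {`, keeps both writes in range even if the constant and the declaration ever diverge. `sprd_probe()` continues outside every inner hunk shown.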
@@ -0,0 +1,54 @@
+From 038de665429c8b3804faaccc723de89f657e7088 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 25 Jul 2023 14:40:53 +0800
+Subject: serial: sprd: Fix DMA buffer leak issue
+
+From: Chunyan Zhang
+
+[ Upstream commit cd119fdc3ee1450fbf7f78862b5de44c42b6e47f ]
+
+Release DMA buffer when _probe() returns failure to avoid memory leak.
+
+Fixes: f4487db58eb7 ("serial: sprd: Add DMA mode support")
+Signed-off-by: Chunyan Zhang
+Reviewed-by: Baolin Wang
+Link: https://lore.kernel.org/r/20230725064053.235448-2-chunyan.zhang@unisoc.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/tty/serial/sprd_serial.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/tty/serial/sprd_serial.c b/drivers/tty/serial/sprd_serial.c
+index 144c03ca3366a..a1952e4f1fcbb 100644
+--- a/drivers/tty/serial/sprd_serial.c
++++ b/drivers/tty/serial/sprd_serial.c
+@@ -367,7 +367,7 @@ static void sprd_rx_free_buf(struct sprd_uart_port *sp)
+ if (sp->rx_dma.virt)
+ dma_free_coherent(sp->port.dev, SPRD_UART_RX_SIZE,
+ sp->rx_dma.virt, sp->rx_dma.phys_addr);
+-
++ sp->rx_dma.virt = NULL;
+ }
+
+ static int sprd_rx_dma_config(struct uart_port *port, u32 burst)
+@@ -1230,7 +1230,7 @@ static int sprd_probe(struct platform_device *pdev)
+ ret = uart_register_driver(&sprd_uart_driver);
+ if (ret < 0) {
+ pr_err("Failed to register SPRD-UART driver\n");
+- return ret;
++ goto free_rx_buf;
+ }
+ }
+
+@@ -1249,6 +1249,7 @@ static int sprd_probe(struct platform_device *pdev)
+ sprd_port[index] = NULL;
+ if (--sprd_ports_num == 0)
+ uart_unregister_driver(&sprd_uart_driver);
++free_rx_buf:
+ sprd_rx_free_buf(sport);
+ return ret;
+ }
+--
+2.40.1
+
diff --git a/queue-5.10/serial-tegra-handle-clk-prepare-error-in-tegra_uart_.patch b/queue-5.10/serial-tegra-handle-clk-prepare-error-in-tegra_uart_.patch
new file mode 100644
index 00000000000..2e8d266c25f
--- /dev/null
+++ b/queue-5.10/serial-tegra-handle-clk-prepare-error-in-tegra_uart_.patch
@@ -0,0 +1,41 @@
+From edb7950e42dc9091a764acf1c78a310b0d9f30f5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 17 Aug 2023 18:54:06 +0800
+Subject: serial: tegra: handle clk prepare error in tegra_uart_hw_init()
+
+From: Yi Yang
+
+[ Upstream commit 5abd01145d0cc6cd1b7c2fe6ee0b9ea0fa13671e ]
+
+In tegra_uart_hw_init(), the return value of clk_prepare_enable() should
+be checked since it might fail.
+
+Fixes: e9ea096dd225 ("serial: tegra: add serial driver")
+Signed-off-by: Yi Yang
+Link: https://lore.kernel.org/r/20230817105406.228674-1-yiyang13@huawei.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/tty/serial/serial-tegra.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/tty/serial/serial-tegra.c b/drivers/tty/serial/serial-tegra.c
+index 62377c831894d..fac4d90047b03 100644
+--- a/drivers/tty/serial/serial-tegra.c
++++ b/drivers/tty/serial/serial-tegra.c
+@@ -994,7 +994,11 @@ static int tegra_uart_hw_init(struct tegra_uart_port *tup)
+ tup->ier_shadow = 0;
+ tup->current_baud = 0;
+
+- clk_prepare_enable(tup->uart_clk);
++ ret = clk_prepare_enable(tup->uart_clk);
++ if (ret) {
++ dev_err(tup->uport.dev, "could not enable clk\n");
++ return ret;
++ }
+
+ /* Reset the UART controller to clear all previous status.*/
+ reset_control_assert(tup->rst);
+--
+2.40.1
+
diff --git a/queue-5.10/series b/queue-5.10/series
index c1c19d316d1..309e3303874 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
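Review bot: The new `dev_err()` in `tegra_uart_hw_init()` drops the error code, so the log cannot show why the clock failed to enable; `dev_err(tup->uport.dev, "could not enable clk: %d\n", ret);` keeps it. The declaration of `ret` and the remainder of the function lie outside the hunk, so it cannot be checked from here whether failure paths after this point disable the clock again once it has been enabled.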
@@ -62,3 +62,208 @@ net-avoid-address-overwrite-in-kernel_connect.patch
 udf-check-consistency-of-space-bitmap-descriptor.patch
 udf-handle-error-when-adding-extent-to-a-file.patch
 revert-net-macsec-preserve-ingress-frame-ordering.patch
+reiserfs-check-the-return-value-from-__getblk.patch
+eventfd-export-eventfd_ctx_do_read.patch
+eventfd-prevent-underflow-for-eventfd-semaphores.patch
+fs-fix-error-checking-for-d_hash_and_lookup.patch
+tmpfs-verify-g-u-id-mount-options-correctly.patch
+selftests-harness-actually-report-skip-for-signal-te.patch
+refscale-fix-uninitalized-use-of-wait_queue_head_t.patch
+opp-fix-passing-0-to-ptr_err-in-_opp_attach_genpd.patch
+selftests-resctrl-don-t-leak-buffer-in-fill_cache.patch
+selftests-resctrl-unmount-resctrl-fs-if-child-fails-.patch
+selftests-resctrl-close-perf-value-read-fd-on-errors.patch
+x86-decompressor-don-t-rely-on-upper-32-bits-of-gprs.patch
+perf-imx_ddr-don-t-enable-counter0-if-none-of-4-coun.patch
+s390-pkey-fix-harmonize-internal-keyblob-headers.patch
+s390-paes-fix-pkey_type_ep11_aes-handling-for-secure.patch
+x86-efistub-fix-pci-rom-preservation-in-mixed-mode.patch
+cpufreq-powernow-k8-use-related_cpus-instead-of-cpus.patch
+bpftool-use-a-local-bpf_perf_event_value-to-fix-acce.patch
+bpf-clear-the-probe_addr-for-uprobe.patch
+tcp-tcp_enter_quickack_mode-should-be-static.patch
+hwrng-nomadik-keep-clock-enabled-while-hwrng-is-regi.patch
+regmap-rbtree-use-alloc_flags-for-memory-allocations.patch
+udp-re-score-reuseport-groups-when-connected-sockets.patch
+bpf-reject-unhashed-sockets-in-bpf_sk_assign.patch
+wifi-mt76-testmode-add-nla_policy-for-mt76_tm_attr_t.patch
+spi-tegra20-sflash-fix-to-check-return-value-of-plat.patch
+can-gs_usb-gs_usb_receive_bulk_callback-count-rx-ove.patch
+wifi-mwifiex-fix-oob-and-integer-underflow-when-rx-p.patch
+wifi-mwifiex-fix-error-recovery-in-pcie-buffer-descr.patch
+selftests-bpf-fix-static-assert-compilation-issue-fo.patch
+crypto-stm32-properly-handle-pm_runtime_get-failing.patch
+crypto-blake2b-sync-with-blake2s-implementation.patch
+crypto-api-use-work-queue-in-crypto_destroy_instance.patch
+bluetooth-nokia-fix-value-check-in-nokia_bluetooth_s.patch
+bluetooth-fix-potential-use-after-free-when-clear-ke.patch
+net-tcp-fix-unexcepted-socket-die-when-snd_wnd-is-0.patch
+selftests-bpf-clean-up-fmod_ret-in-bench_rename-test.patch
+ice-ice_aq_check_events-fix-off-by-one-check-when-fi.patch
+crypto-caam-fix-unchecked-return-value-error.patch
+hwrng-iproc-rng200-implement-suspend-and-resume-call.patch
+lwt-fix-return-values-of-bpf-xmit-ops.patch
+lwt-check-lwtunnel_xmit_continue-strictly.patch
+fs-ocfs2-namei-check-return-value-of-ocfs2_add_entry.patch
+wifi-mwifiex-fix-memory-leak-in-mwifiex_histogram_re.patch
+wifi-mwifiex-fix-missed-return-in-oob-checks-failed-.patch
+samples-bpf-fix-broken-map-lookup-probe.patch
+wifi-ath9k-fix-races-between-ath9k_wmi_cmd-and-ath9k.patch
+wifi-ath9k-protect-wmi-command-response-buffer-repla.patch
+wifi-mwifiex-avoid-possible-null-skb-pointer-derefer.patch
+bluetooth-btusb-do-not-call-kfree_skb-under-spin_loc.patch
+wifi-ath9k-use-is_err-with-debugfs_create_dir.patch
+net-arcnet-do-not-call-kfree_skb-under-local_irq_dis.patch
+mlxsw-i2c-fix-chunk-size-setting-in-output-mailbox-b.patch
+mlxsw-i2c-limit-single-transaction-buffer-size.patch
+hwmon-tmp513-fix-the-channel-number-in-tmp51x_is_vis.patch
+net-sched-sch_hfsc-ensure-inner-classes-have-fsc-cur.patch
+netrom-deny-concurrent-connect.patch
+drm-bridge-tc358764-fix-debug-print-parameter-order.patch
+quota-factor-out-dquot_write_dquot.patch
+quota-rename-dquot_active-to-inode_quota_active.patch
+quota-add-new-helper-dquot_active.patch
+quota-fix-dqput-to-follow-the-guarantees-dquot_srcu-.patch
+asoc-stac9766-fix-build-errors-with-regmap_ac97.patch
+soc-qcom-ocmem-add-ocmem-hardware-version-print.patch
+soc-qcom-ocmem-fix-num_ports-num_macros-macros.patch
+arm64-dts-qcom-msm8996-add-missing-interrupt-to-the-.patch
+drm-amdgpu-avoid-integer-overflow-warning-in-amdgpu_.patch
+arm-dts-bcm5301x-harmonize-ehci-ohci-dt-nodes-name.patch
+arm-dts-bcm53573-describe-on-soc-bcm53125-rev-4-swit.patch
+arm-dts-bcm53573-drop-nonexistent-usb-cells.patch
+arm-dts-bcm53573-add-cells-sizes-to-pcie-node.patch
+arm-dts-bcm53573-use-updated-spi-gpio-binding-proper.patch
+drm-etnaviv-fix-dumping-of-active-mmu-context.patch
+x86-mm-fix-pat-bit-missing-from-page-protection-modi.patch
+arm-dts-s3c64xx-align-pinctrl-with-dtschema.patch
+arm-dts-samsung-s3c6410-mini6410-correct-ethernet-re.patch
+arm-dts-s5pv210-adjust-node-names-to-dt-spec.patch
+arm-dts-s5pv210-add-dummy-5v-regulator-for-backlight.patch
+arm-dts-samsung-s5pv210-smdkv210-correct-ethernet-re.patch
+drm-adv7511-fix-low-refresh-rate-register-for-adv753.patch
+arm-dts-bcm53573-fix-ethernet-info-for-luxul-devices.patch
+arm64-dts-qcom-sdm845-add-missing-rpmh-power-domain-.patch
+arm64-dts-qcom-sdm845-fix-the-min-frequency-of-ice_c.patch
+drm-amdgpu-update-min-to-min_t-in-amdgpu_info_ioctl.patch
+md-bitmap-don-t-set-max_write_behind-if-there-is-no-.patch
+md-md-bitmap-hold-reconfig_mutex-in-backlog_store.patch
+drm-tegra-remove-superfluous-error-messages-around-p.patch
+drm-tegra-dpaux-fix-incorrect-return-value-of-platfo.patch
+of-unittest-fix-null-pointer-dereferencing-in-of_uni.patch
+drm-armada-fix-off-by-one-error-in-armada_overlay_ge.patch
+drm-panel-simple-add-missing-connector-type-and-pixe.patch
+ima-remove-deprecated-ima_trusted_keyring-kconfig.patch
+drm-xlnx-zynqmp_dpsub-add-missing-check-for-dma_set_.patch
+drm-msm-mdp5-don-t-leak-some-plane-state.patch
+firmware-meson_sm-fix-to-avoid-potential-null-pointe.patch
+smackfs-prevent-underflow-in-smk_set_cipso.patch
+drm-amd-pm-fix-variable-dereferenced-issue-in-amdgpu.patch
+drm-msm-a2xx-call-adreno_gpu_init-earlier.patch
+audit-fix-possible-soft-lockup-in-__audit_inode_chil.patch
+bus-ti-sysc-fix-build-warning-for-64-bit-build.patch
+drm-mediatek-fix-potential-memory-leak-if-vmap-fail.patch
+bus-ti-sysc-fix-cast-to-enum-warning.patch
+md-raid1-free-the-r1bio-before-waiting-for-blocked-r.patch
+md-raid1-hold-the-barrier-until-handle_read_error-fi.patch
+of-unittest-fix-overlay-type-in-apply-revert-check.patch
+alsa-ac97-fix-possible-error-value-of-rac97.patch
+ipmi-ssif-add-check-for-kstrdup.patch
+ipmi-ssif-fix-a-memory-leak-when-scanning-for-an-ada.patch
+drivers-clk-keystone-fix-parameter-judgment-in-_of_p.patch
+clk-sunxi-ng-modify-mismatched-function-name.patch
+clk-qcom-gcc-sc7180-use-array_size-instead-of-specif.patch
+clk-qcom-gcc-sc7180-fix-up-gcc_sdcc2_apps_clk_src.patch
+ext4-correct-grp-validation-in-ext4_mb_good_group.patch
+clk-qcom-gcc-sm8250-use-array_size-instead-of-specif.patch
+clk-qcom-gcc-sm8250-fix-gcc_sdcc2_apps_clk_src.patch
+clk-qcom-reset-use-the-correct-type-of-sleep-delay-b.patch
+pci-mark-nvidia-t4-gpus-to-avoid-bus-reset.patch
+pinctrl-mcp23s08-check-return-value-of-devm_kasprint.patch
+pci-pciehp-use-rmw-accessors-for-changing-lnkctl.patch
+pci-aspm-use-rmw-accessors-for-changing-lnkctl.patch
+clk-imx8mp-fix-sai4-clock.patch
+clk-imx-composite-8m-fix-clock-pauses-when-set_rate-.patch
+vfio-type1-fix-cap_migration-information-leak.patch
+powerpc-fadump-reset-dump-area-size-if-fadump-memory.patch
+powerpc-perf-convert-fsl_emb-notifier-to-state-machi.patch
+drm-amdgpu-use-rmw-accessors-for-changing-lnkctl.patch
+drm-radeon-use-rmw-accessors-for-changing-lnkctl.patch
+net-mlx5-use-rmw-accessors-for-changing-lnkctl.patch
+wifi-ath10k-use-rmw-accessors-for-changing-lnkctl.patch
+powerpc-don-t-include-lppaca.h-in-paca.h.patch
+powerpc-pseries-rework-lppaca_shared_proc-to-avoid-d.patch
+nfs-blocklayout-use-the-passed-in-gfp-flags.patch
+powerpc-iommu-fix-notifiers-being-shared-by-pci-and-.patch
+jfs-validate-max-amount-of-blocks-before-allocation.patch
+fs-lockd-avoid-possible-wrong-null-parameter.patch
+nfsd-da_addr_body-field-missing-in-some-getdeviceinf.patch
+nfs-guard-against-readdir-loop-when-entry-names-exce.patch
+nfsv4.2-fix-handling-of-copy-err_offload_no_req.patch
+media-ad5820-drop-unsupported-ad5823-from-i2c_-and-o.patch
+media-i2c-tvp5150-check-return-value-of-devm_kasprin.patch
+media-v4l2-core-fix-a-potential-resource-leak-in-v4l.patch
+drivers-usb-smsusb-fix-error-handling-code-in-smsusb.patch
+media-dib7000p-fix-potential-division-by-zero.patch
+media-dvb-usb-m920x-fix-a-potential-memory-leak-in-m.patch
+media-cx24120-add-retval-check-for-cx24120_message_s.patch
+scsi-hisi_sas-print-sas-address-for-v3-hw-erroneous-.patch
+scsi-libsas-introduce-more-sam-status-code-aliases-i.patch
+scsi-hisi_sas-modify-v3-hw-ssp-underflow-error-proce.patch
+scsi-hisi_sas-modify-v3-hw-sata-completion-error-pro.patch
+scsi-hisi_sas-fix-warnings-detected-by-sparse.patch
+scsi-hisi_sas-fix-normally-completed-i-o-analysed-as.patch
+media-rkvdec-increase-max-supported-height-for-h.264.patch
+media-mediatek-vcodec-return-null-if-no-vdec_fb-is-f.patch
+usb-phy-mxs-fix-getting-wrong-state-with-mxs_phy_is_.patch
+scsi-rdma-srp-fix-residual-handling.patch
+scsi-iscsi-rename-iscsi_set_param-to-iscsi_if_set_pa.patch
+scsi-iscsi-add-length-check-for-nlattr-payload.patch
+scsi-iscsi-add-strlen-check-in-iscsi_if_set-_host-_p.patch
+scsi-be2iscsi-add-length-check-when-parsing-nlattrs.patch
+scsi-qla4xxx-add-length-check-when-parsing-nlattrs.patch
+serial-sprd-assign-sprd_port-after-initialized-to-av.patch
+serial-sprd-fix-dma-buffer-leak-issue.patch
+x86-apm-drop-the-duplicate-apm_minor_dev-macro.patch
+scsi-qedf-do-not-touch-__user-pointer-in-qedf_dbg_st.patch
+scsi-qedf-do-not-touch-__user-pointer-in-qedf_dbg_de.patch
+scsi-qedf-do-not-touch-__user-pointer-in-qedf_dbg_fp.patch
+coresight-tmc-explicit-type-conversions-to-prevent-i.patch
+dma-buf-sync_file-fix-docs-syntax.patch
+driver-core-test_async-fix-an-error-code.patch
+ib-uverbs-fix-an-potential-error-pointer-dereference.patch
+fsi-aspeed-reset-master-errors-after-cfam-reset.patch
+iommu-qcom-disable-and-reset-context-bank-before-pro.patch
+iommu-vt-d-fix-to-flush-cache-of-pasid-directory-tab.patch
+media-go7007-remove-redundant-if-statement.patch
+usb-gadget-f_mass_storage-fix-unused-variable-warnin.patch
+media-ov5640-enable-mipi-interface-in-ov5640_set_pow.patch
+media-i2c-ov2680-set-v4l2_ctrl_flag_modify_layout-on.patch
+media-ov2680-remove-auto-gain-and-auto-exposure-cont.patch
+media-ov2680-fix-ov2680_bayer_order.patch
+media-ov2680-fix-vflip-hflip-set-functions.patch
+media-ov2680-fix-regulators-being-left-enabled-on-ov.patch
+cgroup-namespace-remove-unused-cgroup_namespaces_ini.patch
+scsi-core-use-32-bit-hostnum-in-scsi_host_lookup.patch
+scsi-fcoe-fix-potential-deadlock-on-fip-ctlr_lock.patch
+serial-tegra-handle-clk-prepare-error-in-tegra_uart_.patch
+amba-bus-fix-refcount-leak.patch
+revert-ib-isert-fix-incorrect-release-of-isert-conne.patch
+rdma-siw-balance-the-reference-of-cep-kref-in-the-er.patch
+rdma-siw-correct-wrong-debug-message.patch
+hid-logitech-dj-fix-error-handling-in-logi_dj_recv_s.patch
+hid-multitouch-correct-devm-device-reference-for-hid.patch
+x86-speculation-mark-all-skylake-cpus-as-vulnerable-.patch
+tracing-fix-race-issue-between-cpu-buffer-write-and-.patch
+mtd-rawnand-brcmnand-fix-mtd-oobsize.patch
+phy-rockchip-inno-hdmi-use-correct-vco_div_5-macro-o.patch
+phy-rockchip-inno-hdmi-round-fractal-pixclock-in-rk3.patch
+phy-rockchip-inno-hdmi-do-not-power-on-rk3328-post-p.patch
+rpmsg-glink-add-check-for-kstrdup.patch
+leds-fix-bug_on-check-for-led_color_id_multi-that-is.patch
+mtd-spi-nor-check-bus-width-while-setting-qe-bit.patch
+mtd-rawnand-fsmc-handle-clk-prepare-error-in-fsmc_na.patch
+um-fix-hostaudio-build-errors.patch
+dmaengine-ste_dma40-add-missing-irq-check-in-d40_pro.patch
+cpufreq-fix-the-race-condition-while-updating-the-tr.patch
+virtio_ring-fix-avail_wrap_counter-in-virtqueue_add_.patch
diff --git a/queue-5.10/smackfs-prevent-underflow-in-smk_set_cipso.patch b/queue-5.10/smackfs-prevent-underflow-in-smk_set_cipso.patch
new file mode 100644
index 00000000000..686cd91b4de
--- /dev/null
+++ b/queue-5.10/smackfs-prevent-underflow-in-smk_set_cipso.patch
@@ -0,0 +1,37 @@
+From 75b597d810440691f724a277b30df85072b52e18 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 6 Jul 2023 08:52:39 +0300
+Subject: smackfs: Prevent underflow in smk_set_cipso()
+
+From: Dan Carpenter
+
+[ Upstream commit 3ad49d37cf5759c3b8b68d02e3563f633d9c1aee ]
+
+There is a upper bound to "catlen" but no lower bound to prevent
+negatives. I don't see that this necessarily causes a problem but we
+may as well be safe.
+
+Fixes: e114e473771c ("Smack: Simplified Mandatory Access Control Kernel")
+Signed-off-by: Dan Carpenter
+Signed-off-by: Casey Schaufler
+Signed-off-by: Sasha Levin
+---
+ security/smack/smackfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
+index 3eabcc469669e..8403c91a6b297 100644
+--- a/security/smack/smackfs.c
++++ b/security/smack/smackfs.c
+@@ -895,7 +895,7 @@ static ssize_t smk_set_cipso(struct file *file, const char __user *buf,
+ }
+
+ ret = sscanf(rule, "%d", &catlen);
+- if (ret != 1 || catlen > SMACK_CIPSO_MAXCATNUM)
++ if (ret != 1 || catlen < 0 || catlen > SMACK_CIPSO_MAXCATNUM)
+ goto out;
+
+ if (format == SMK_FIXED24_FMT &&
+--
+2.40.1
+
diff --git a/queue-5.10/soc-qcom-ocmem-add-ocmem-hardware-version-print.patch b/queue-5.10/soc-qcom-ocmem-add-ocmem-hardware-version-print.patch
new file mode 100644
index 00000000000..5afee9db469
--- /dev/null
+++ b/queue-5.10/soc-qcom-ocmem-add-ocmem-hardware-version-print.patch
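Review bot: Nothing at the range test in `smk_set_cipso()` records why both bounds are needed, while `catlen` stays a signed `int` parsed with `%d` from `rule`, which is presumably derived from the `__user` buffer in the signature. A one-line comment above the test would keep the lower bound from being dropped again, e.g. `/* catlen is parsed from the written rule: reject negative and oversized counts before it is used */`. The code that consumes `catlen` after this check lies outside the hunk, so how a negative value would have been used cannot be confirmed here, and the commit message itself does not claim a concrete failure.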
@@ -0,0 +1,53 @@
+From 2fcdef35d2bb4cebe810fa90c1c8d103cedfd84d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 29 May 2023 10:41:15 +0200
+Subject: soc: qcom: ocmem: Add OCMEM hardware version print
+
+From: Luca Weiss
+
+[ Upstream commit e81a16e77259294cd4ff0a9c1fbe5aa0e311a47d ]
+
+It might be useful to know what hardware version of the OCMEM block the
+SoC contains. Add a debug print for that.
+
+Signed-off-by: Luca Weiss
+Reviewed-by: Konrad Dybcio
+Signed-off-by: Bjorn Andersson
+Link: https://lore.kernel.org/r/20230509-ocmem-hwver-v3-1-e51f3488e0f4@z3ntu.xyz
+Stable-dep-of: a7b484b1c933 ("soc: qcom: ocmem: Fix NUM_PORTS & NUM_MACROS macros")
+Signed-off-by: Sasha Levin
+---
+ drivers/soc/qcom/ocmem.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/drivers/soc/qcom/ocmem.c b/drivers/soc/qcom/ocmem.c
+index 1dfdd0b9ba24d..ae023bef81b6f 100644
+--- a/drivers/soc/qcom/ocmem.c
++++ b/drivers/soc/qcom/ocmem.c
+@@ -76,6 +76,10 @@ struct ocmem {
+ #define OCMEM_REG_GFX_MPU_START 0x00001004
+ #define OCMEM_REG_GFX_MPU_END 0x00001008
+
++#define OCMEM_HW_VERSION_MAJOR(val) FIELD_GET(GENMASK(31, 28), val)
++#define OCMEM_HW_VERSION_MINOR(val) FIELD_GET(GENMASK(27, 16), val)
++#define OCMEM_HW_VERSION_STEP(val) FIELD_GET(GENMASK(15, 0), val)
++
+ #define OCMEM_HW_PROFILE_NUM_PORTS(val) FIELD_PREP(0x0000000f, (val))
+ #define OCMEM_HW_PROFILE_NUM_MACROS(val) FIELD_PREP(0x00003f00, (val))
+
+@@ -357,6 +361,12 @@ static int ocmem_dev_probe(struct platform_device *pdev)
+ }
+ }
+
++ reg = ocmem_read(ocmem, OCMEM_REG_HW_VERSION);
++ dev_dbg(dev, "OCMEM hardware version: %lu.%lu.%lu\n",
++ OCMEM_HW_VERSION_MAJOR(reg),
++ OCMEM_HW_VERSION_MINOR(reg),
++ OCMEM_HW_VERSION_STEP(reg));
++
+ reg = ocmem_read(ocmem, OCMEM_REG_HW_PROFILE);
+ ocmem->num_ports = OCMEM_HW_PROFILE_NUM_PORTS(reg);
+ ocmem->num_macros = OCMEM_HW_PROFILE_NUM_MACROS(reg);
+--
+2.40.1
+
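Review bot: The three new OCMEM_HW_VERSION_* macros pass `val` to FIELD_GET() without parentheses, while the OCMEM_HW_PROFILE_* macros shown as context directly below write `(val)`. For consistency with the file I would write `#define OCMEM_HW_VERSION_MAJOR(val) FIELD_GET(GENMASK(31, 28), (val))` and the same for MINOR and STEP. This is a style point only.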
diff --git a/queue-5.10/soc-qcom-ocmem-fix-num_ports-num_macros-macros.patch b/queue-5.10/soc-qcom-ocmem-fix-num_ports-num_macros-macros.patch
new file mode 100644
index 00000000000..cc123ce5386
--- /dev/null
+++ b/queue-5.10/soc-qcom-ocmem-fix-num_ports-num_macros-macros.patch
@@ -0,0 +1,50 @@
+From d92499057e77be739b220221485ae330e8ec30d0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 14 Jun 2023 18:35:47 +0200
+Subject: soc: qcom: ocmem: Fix NUM_PORTS & NUM_MACROS macros
+
+From: Luca Weiss
+
+[ Upstream commit a7b484b1c9332a1ee12e8799d62a11ee3f8e0801 ]
+
+Since we're using these two macros to read a value from a register, we
+need to use the FIELD_GET instead of the FIELD_PREP macro, otherwise
+we're getting wrong values.
+
+So instead of:
+
+ [ 3.111779] ocmem fdd00000.sram: 2 ports, 1 regions, 512 macros, not interleaved
+
+we now get the correct value of:
+
+ [ 3.129672] ocmem fdd00000.sram: 2 ports, 1 regions, 2 macros, not interleaved
+
+Fixes: 88c1e9404f1d ("soc: qcom: add OCMEM driver")
+Reviewed-by: Caleb Connolly
+Reviewed-by: Konrad Dybcio
+Signed-off-by: Luca Weiss
+Link: https://lore.kernel.org/r/20230506-msm8226-ocmem-v3-1-79da95a2581f@z3ntu.xyz
+Signed-off-by: Bjorn Andersson
+Signed-off-by: Sasha Levin
+---
+ drivers/soc/qcom/ocmem.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/soc/qcom/ocmem.c b/drivers/soc/qcom/ocmem.c
+index ae023bef81b6f..8b80c8e94c77a 100644
+--- a/drivers/soc/qcom/ocmem.c
++++ b/drivers/soc/qcom/ocmem.c
+@@ -80,8 +80,8 @@ struct ocmem {
+ #define OCMEM_HW_VERSION_MINOR(val) FIELD_GET(GENMASK(27, 16), val)
+ #define OCMEM_HW_VERSION_STEP(val) FIELD_GET(GENMASK(15, 0), val)
+
+-#define OCMEM_HW_PROFILE_NUM_PORTS(val) FIELD_PREP(0x0000000f, (val))
+-#define OCMEM_HW_PROFILE_NUM_MACROS(val) FIELD_PREP(0x00003f00, (val))
++#define OCMEM_HW_PROFILE_NUM_PORTS(val) FIELD_GET(0x0000000f, (val))
++#define OCMEM_HW_PROFILE_NUM_MACROS(val) FIELD_GET(0x00003f00, (val))
+
+ #define OCMEM_HW_PROFILE_LAST_REGN_HALFSIZE 0x00010000
+ #define OCMEM_HW_PROFILE_INTERLEAVING 0x00020000
+--
+2.40.1
+
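Review bot: The two corrected macros still spell their fields as raw hex masks (`0x0000000f`, `0x00003f00`), while the OCMEM_HW_VERSION_* macros shown as context directly above use GENMASK(). Writing them as `FIELD_GET(GENMASK(3, 0), (val))` and `FIELD_GET(GENMASK(13, 8), (val))` would make the bit ranges readable at a glance and match the neighbouring definitions. A short comment that these macros decode a value read from OCMEM_REG_HW_PROFILE would also make a FIELD_PREP/FIELD_GET mix-up less likely to return.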
diff --git a/queue-5.10/spi-tegra20-sflash-fix-to-check-return-value-of-plat.patch b/queue-5.10/spi-tegra20-sflash-fix-to-check-return-value-of-plat.patch
new file mode 100644
index 00000000000..31952b186de
--- /dev/null
+++ b/queue-5.10/spi-tegra20-sflash-fix-to-check-return-value-of-plat.patch
@@ -0,0 +1,44 @@
+From 90f76bb372c160ae1e6a7995865c5afa54f5261a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 22 Jul 2023 23:49:09 +0800
+Subject: spi: tegra20-sflash: fix to check return value of platform_get_irq()
+ in tegra_sflash_probe()
+
+From: Zhang Shurong
+
+[ Upstream commit 29a449e765ff70a5bd533be94babb6d36985d096 ]
+
+The platform_get_irq might be failed and return a negative result. So
+there should have an error handling code.
+
+Fixed this by adding an error handling code.
+
+Fixes: 8528547bcc33 ("spi: tegra: add spi driver for sflash controller")
+Signed-off-by: Zhang Shurong
+Link: https://lore.kernel.org/r/tencent_71FC162D589E4788C2152AAC84CD8D5C6D06@qq.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ drivers/spi/spi-tegra20-sflash.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/spi/spi-tegra20-sflash.c b/drivers/spi/spi-tegra20-sflash.c
+index cfb7de7379376..62e50830b7f95 100644
+--- a/drivers/spi/spi-tegra20-sflash.c
++++ b/drivers/spi/spi-tegra20-sflash.c
+@@ -456,7 +456,11 @@ static int tegra_sflash_probe(struct platform_device *pdev)
+ goto exit_free_master;
+ }
+
+- tsd->irq = platform_get_irq(pdev, 0);
++ ret = platform_get_irq(pdev, 0);
++ if (ret < 0)
++ goto exit_free_master;
++ tsd->irq = ret;
++
+ ret = request_irq(tsd->irq, tegra_sflash_isr, 0,
+ dev_name(&pdev->dev), tsd);
+ if (ret < 0) {
+--
+2.40.1
+
diff --git a/queue-5.10/tcp-tcp_enter_quickack_mode-should-be-static.patch b/queue-5.10/tcp-tcp_enter_quickack_mode-should-be-static.patch
new file mode 100644
index 00000000000..70d6bfb8d1a
--- /dev/null
+++ b/queue-5.10/tcp-tcp_enter_quickack_mode-should-be-static.patch
@@ -0,0 +1,60 @@
+From fad468ffce9754a86d4102b0d3dcdec9ef38002a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 18 Jul 2023 16:20:49 +0000
+Subject: tcp: tcp_enter_quickack_mode() should be static
+
+From: Eric Dumazet
+
+[ Upstream commit 03b123debcbc8db987bda17ed8412cc011064c22 ]
+
+After commit d2ccd7bc8acd ("tcp: avoid resetting ACK timer in DCTCP"),
+tcp_enter_quickack_mode() is only used from net/ipv4/tcp_input.c.
+
+Fixes: d2ccd7bc8acd ("tcp: avoid resetting ACK timer in DCTCP")
+Signed-off-by: Eric Dumazet
+Cc: Yuchung Cheng
+Cc: Neal Cardwell
+Link: https://lore.kernel.org/r/20230718162049.1444938-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ include/net/tcp.h | 1 -
+ net/ipv4/tcp_input.c | 3 +--
+ 2 files changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/include/net/tcp.h b/include/net/tcp.h
+index dcca41f3a2240..b56f346020351 100644
+--- a/include/net/tcp.h
++++ b/include/net/tcp.h
+@@ -337,7 +337,6 @@ ssize_t tcp_splice_read(struct socket *sk, loff_t *ppos,
+ struct pipe_inode_info *pipe, size_t len,
+ unsigned int flags);
+
+-void tcp_enter_quickack_mode(struct sock *sk, unsigned int max_quickacks);
+ static inline void tcp_dec_quickack_mode(struct sock *sk,
+ const unsigned int pkts)
+ {
+diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
+index d6dfbb88dcf5b..b8d2c45edbe02 100644
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -286,7 +286,7 @@ static void tcp_incr_quickack(struct sock *sk, unsigned int max_quickacks)
+ icsk->icsk_ack.quick = quickacks;
+ }
+
+-void tcp_enter_quickack_mode(struct sock *sk, unsigned int max_quickacks)
++static void tcp_enter_quickack_mode(struct sock *sk, unsigned int max_quickacks)
+ {
+ struct inet_connection_sock *icsk = inet_csk(sk);
+
+@@ -294,7 +294,6 @@ void tcp_enter_quickack_mode(struct sock *sk, unsigned int max_quickacks)
+ inet_csk_exit_pingpong_mode(sk);
+ icsk->icsk_ack.ato = TCP_ATO_MIN;
+ }
+-EXPORT_SYMBOL(tcp_enter_quickack_mode);
+
+ /* Send ACKs quickly, if "quick" count is not exhausted
+ * and the session is not interactive.
+--
+2.40.1
+
diff --git a/queue-5.10/tmpfs-verify-g-u-id-mount-options-correctly.patch b/queue-5.10/tmpfs-verify-g-u-id-mount-options-correctly.patch
new file mode 100644
index 00000000000..3fa156ce3d0
--- /dev/null
+++ b/queue-5.10/tmpfs-verify-g-u-id-mount-options-correctly.patch
@@ -0,0 +1,98 @@
+From 6adc49f459656f3ed26d7f94be1cb7d6dcd24d5f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 1 Aug 2023 18:17:04 +0200
+Subject: tmpfs: verify {g,u}id mount options correctly
+
+From: Christian Brauner
+
+[ Upstream commit 0200679fc7953177941e41c2a4241d0b6c2c5de8 ]
+
+A while ago we received the following report:
+
+"The other outstanding issue I noticed comes from the fact that
+fsconfig syscalls may occur in a different userns than that which
+called fsopen. That means that resolving the uid/gid via
+current_user_ns() can save a kuid that isn't mapped in the associated
+namespace when the filesystem is finally mounted. This means that it
+is possible for an unprivileged user to create files owned by any
+group in a tmpfs mount (since we can set the SUID bit on the tmpfs
+directory), or a tmpfs that is owned by any user, including the root
+group/user."
+
+The contract for {g,u}id mount options and {g,u}id values in general set
+from userspace has always been that they are translated according to the
+caller's idmapping. In so far, tmpfs has been doing the correct thing.
+But since tmpfs is mountable in unprivileged contexts it is also
+necessary to verify that the resulting {k,g}uid is representable in the
+namespace of the superblock to avoid such bugs as above.
+
+The new mount api's cross-namespace delegation abilities are already
+widely used. After having talked to a bunch of userspace this is the
+most faithful solution with minimal regression risks. I know of one
+users - systemd - that makes use of the new mount api in this way and
+they don't set unresolable {g,u}ids. So the regression risk is minimal.
+
+Link: https://lore.kernel.org/lkml/CALxfFW4BXhEwxR0Q5LSkg-8Vb4r2MONKCcUCVioehXQKr35eHg@mail.gmail.com
+Fixes: f32356261d44 ("vfs: Convert ramfs, shmem, tmpfs, devtmpfs, rootfs to use the new mount API")
+Reviewed-by: "Seth Forshee (DigitalOcean)"
+Reported-by: Seth Jenkins
+Message-Id: <20230801-vfs-fs_context-uidgid-v1-1-daf46a050bbf@kernel.org>
+Signed-off-by: Christian Brauner
+Signed-off-by: Sasha Levin
+---
+ mm/shmem.c | 28 ++++++++++++++++++++++++----
+ 1 file changed, 24 insertions(+), 4 deletions(-)
+
+diff --git a/mm/shmem.c b/mm/shmem.c
+index cfa8f43cb3a62..e173d83b44481 100644
+--- a/mm/shmem.c
++++ b/mm/shmem.c
+@@ -3455,6 +3455,8 @@ static int shmem_parse_one(struct fs_context *fc, struct fs_parameter *param)
+ unsigned long long size;
+ char *rest;
+ int opt;
++ kuid_t kuid;
++ kgid_t kgid;
+
+ opt = fs_parse(fc, shmem_fs_parameters, param, &result);
+ if (opt < 0)
+@@ -3490,14 +3492,32 @@ static int shmem_parse_one(struct fs_context *fc, struct fs_parameter *param)
+ ctx->mode = result.uint_32 & 07777;
+ break;
+ case Opt_uid:
+- ctx->uid = make_kuid(current_user_ns(), result.uint_32);
+- if (!uid_valid(ctx->uid))
++ kuid = make_kuid(current_user_ns(), result.uint_32);
++ if (!uid_valid(kuid))
+ goto bad_value;
++
++ /*
++ * The requested uid must be representable in the
++ * filesystem's idmapping.
++ */
++ if (!kuid_has_mapping(fc->user_ns, kuid))
++ goto bad_value;
++
++ ctx->uid = kuid;
+ break;
+ case Opt_gid:
+- ctx->gid = make_kgid(current_user_ns(), result.uint_32);
+- if (!gid_valid(ctx->gid))
++ kgid = make_kgid(current_user_ns(), result.uint_32);
++ if (!gid_valid(kgid))
+ goto bad_value;
++
++ /*
++ * The requested gid must be representable in the
++ * filesystem's idmapping.
++ */
++ if (!kgid_has_mapping(fc->user_ns, kgid))
++ goto bad_value;
++
++ ctx->gid = kgid;
+ break;
+ case Opt_huge:
+ ctx->huge = result.uint_32;
+--
+2.40.1
+
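Review bot: The comment added in the Opt_uid and Opt_gid branches of shmem_parse_one() says the id must be representable in the filesystem's idmapping, but not why that can still fail after make_kuid()/make_kgid() succeeded. I would spell out the cross-namespace case that the commit message describes, for example `/* fsconfig() may be called from a different userns than fsopen(); reject ids that have no mapping in fc->user_ns */`. Without that, the second check reads as redundant and is an easy target for a later cleanup. The same wording applies to both branches; shmem_parse_one() starts and ends outside the hunks.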
diff --git a/queue-5.10/tracing-fix-race-issue-between-cpu-buffer-write-and-.patch b/queue-5.10/tracing-fix-race-issue-between-cpu-buffer-write-and-.patch
new file mode 100644
index 00000000000..49fac50e1a2
--- /dev/null
+++ b/queue-5.10/tracing-fix-race-issue-between-cpu-buffer-write-and-.patch
@@ -0,0 +1,141 @@ +From 58296e6970da560c93b56eea4b6b5c572def05fe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 31 Aug 2023 21:27:39 +0800 +Subject: tracing: Fix race issue between cpu buffer write and swap + +From: Zheng Yejian + +[ Upstream commit 3163f635b20e9e1fb4659e74f47918c9dddfe64e ] + +Warning happened in rb_end_commit() at code: + if (RB_WARN_ON(cpu_buffer, !local_read(&cpu_buffer->committing))) + + WARNING: CPU: 0 PID: 139 at kernel/trace/ring_buffer.c:3142 + rb_commit+0x402/0x4a0 + Call Trace: + ring_buffer_unlock_commit+0x42/0x250 + trace_buffer_unlock_commit_regs+0x3b/0x250 + trace_event_buffer_commit+0xe5/0x440 + trace_event_buffer_reserve+0x11c/0x150 + trace_event_raw_event_sched_switch+0x23c/0x2c0 + __traceiter_sched_switch+0x59/0x80 + __schedule+0x72b/0x1580 + schedule+0x92/0x120 + worker_thread+0xa0/0x6f0 + +It is because the race between writing event into cpu buffer and swapping +cpu buffer through file per_cpu/cpu0/snapshot: + + Write on CPU 0 Swap buffer by per_cpu/cpu0/snapshot on CPU 1 + -------- -------- + tracing_snapshot_write() + [...] + + ring_buffer_lock_reserve() + cpu_buffer = buffer->buffers[cpu]; // 1. Suppose find 'cpu_buffer_a'; + [...] + rb_reserve_next_event() + [...] + + ring_buffer_swap_cpu() + if (local_read(&cpu_buffer_a->committing)) + goto out_dec; + if (local_read(&cpu_buffer_b->committing)) + goto out_dec; + buffer_a->buffers[cpu] = cpu_buffer_b; + buffer_b->buffers[cpu] = cpu_buffer_a; + // 2. cpu_buffer has swapped here. + + rb_start_commit(cpu_buffer); + if (unlikely(READ_ONCE(cpu_buffer->buffer) + != buffer)) { // 3. This check passed due to 'cpu_buffer->buffer' + [...] // has not changed here. + return NULL; + } + cpu_buffer_b->buffer = buffer_a; + cpu_buffer_a->buffer = buffer_b; + [...] + + // 4. Reserve event from 'cpu_buffer_a'. + + ring_buffer_unlock_commit() + [...] + cpu_buffer = buffer->buffers[cpu]; // 5. Now find 'cpu_buffer_b' !!! + rb_commit(cpu_buffer) + rb_end_commit() // 6. 
WARN for the wrong 'committing' state !!! + +Based on above analysis, we can easily reproduce by following testcase: + ``` bash + #!/bin/bash + + dmesg -n 7 + sysctl -w kernel.panic_on_warn=1 + TR=/sys/kernel/tracing + echo 7 > ${TR}/buffer_size_kb + echo "sched:sched_switch" > ${TR}/set_event + while [ true ]; do + echo 1 > ${TR}/per_cpu/cpu0/snapshot + done & + while [ true ]; do + echo 1 > ${TR}/per_cpu/cpu0/snapshot + done & + while [ true ]; do + echo 1 > ${TR}/per_cpu/cpu0/snapshot + done & + ``` + +To fix it, IIUC, we can use smp_call_function_single() to do the swap on +the target cpu where the buffer is located, so that above race would be +avoided. + +Link: https://lore.kernel.org/linux-trace-kernel/20230831132739.4070878-1-zhengyejian1@huawei.com + +Cc: +Fixes: f1affcaaa861 ("tracing: Add snapshot in the per_cpu trace directories") +Signed-off-by: Zheng Yejian +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace.c | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c +index 2ded5012543bf..fbe13cfdb85b0 100644 +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -7164,6 +7164,11 @@ static int tracing_snapshot_open(struct inode *inode, struct file *file) + return ret; + } + ++static void tracing_swap_cpu_buffer(void *tr) ++{ ++ update_max_tr_single((struct trace_array *)tr, current, smp_processor_id()); ++} ++ + static ssize_t + tracing_snapshot_write(struct file *filp, const char __user *ubuf, size_t cnt, + loff_t *ppos) +@@ -7222,13 +7227,15 @@ tracing_snapshot_write(struct file *filp, const char __user *ubuf, size_t cnt, + ret = tracing_alloc_snapshot_instance(tr); + if (ret < 0) + break; +- local_irq_disable(); + /* Now, we're going to swap */ +- if (iter->cpu_file == RING_BUFFER_ALL_CPUS) ++ if (iter->cpu_file == RING_BUFFER_ALL_CPUS) { ++ local_irq_disable(); + update_max_tr(tr, current, smp_processor_id(), NULL); +- else +- 
update_max_tr_single(tr, current, iter->cpu_file); +- local_irq_enable(); ++ local_irq_enable(); ++ } else { ++ smp_call_function_single(iter->cpu_file, tracing_swap_cpu_buffer, ++ (void *)tr, 1); ++ } + break; + default: + if (tr->allocated_snapshot) { +-- +2.40.1 + diff --git a/queue-5.10/udp-re-score-reuseport-groups-when-connected-sockets.patch b/queue-5.10/udp-re-score-reuseport-groups-when-connected-sockets.patch new file mode 100644 index 00000000000..a714e5193f3 --- /dev/null +++ b/queue-5.10/udp-re-score-reuseport-groups-when-connected-sockets.patch 
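Review bot: The return value of `smp_call_function_single()` in the per-CPU branch of tracing_snapshot_write() is discarded, so a failed cross-call (for instance when the CPU named by `iter->cpu_file` is not online) would leave the buffers unswapped without the writer being told. `ret` is already in scope in this case block, so `ret = smp_call_function_single(iter->cpu_file, tracing_swap_cpu_buffer, (void *)tr, 1);` would carry the error out of the switch. How `ret` becomes the return value of the write is outside the hunk and should be checked before making that change. The `(void *)` and `(struct trace_array *)` casts on `tr` are also unnecessary in C.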
@@ -0,0 +1,114 @@ +From 8234d4f1a5e875afc11d0adab062729b3f4188be Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Jul 2023 17:30:05 +0200 +Subject: udp: re-score reuseport groups when connected sockets are present + +From: Lorenz Bauer + +[ Upstream commit f0ea27e7bfe1c34e1f451a63eb68faa1d4c3a86d ] + +Contrary to TCP, UDP reuseport groups can contain TCP_ESTABLISHED +sockets. To support these properly we remember whether a group has +a connected socket and skip the fast reuseport early-return. In +effect we continue scoring all reuseport sockets and then choose the +one with the highest score. + +The current code fails to re-calculate the score for the result of +lookup_reuseport. According to Kuniyuki Iwashima: + + 1) SO_INCOMING_CPU is set + -> selected sk might have +1 score + + 2) BPF prog returns ESTABLISHED and/or SO_INCOMING_CPU sk + -> selected sk will have more than 8 + + Using the old score could trigger more lookups depending on the + order that sockets are created. 
+ + sk -> sk (SO_INCOMING_CPU) -> sk (ESTABLISHED) + | | + `-> select the next SO_INCOMING_CPU sk + | + `-> select itself (We should save this lookup) + +Fixes: efc6b6f6c311 ("udp: Improve load balancing for SO_REUSEPORT.") +Reviewed-by: Kuniyuki Iwashima +Signed-off-by: Lorenz Bauer +Link: https://lore.kernel.org/r/20230720-so-reuseport-v6-1-7021b683cdae@isovalent.com +Signed-off-by: Martin KaFai Lau +Signed-off-by: Sasha Levin +--- + net/ipv4/udp.c | 20 +++++++++++++++----- + net/ipv6/udp.c | 19 ++++++++++++++----- + 2 files changed, 29 insertions(+), 10 deletions(-) + +diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c +index f0db66e415bd6..913966e7703fc 100644 +--- a/net/ipv4/udp.c ++++ b/net/ipv4/udp.c +@@ -443,14 +443,24 @@ static struct sock *udp4_lib_lookup2(struct net *net, + score = compute_score(sk, net, saddr, sport, + daddr, hnum, dif, sdif); + if (score > badness) { +- result = lookup_reuseport(net, sk, skb, +- saddr, sport, daddr, hnum); ++ badness = score; ++ result = lookup_reuseport(net, sk, skb, saddr, sport, daddr, hnum); ++ if (!result) { ++ result = sk; ++ continue; ++ } ++ + /* Fall back to scoring if group has connections */ +- if (result && !reuseport_has_conns(sk)) ++ if (!reuseport_has_conns(sk)) + return result; + +- result = result ? : sk; +- badness = score; ++ /* Reuseport logic returned an error, keep original score. 
*/ ++ if (IS_ERR(result)) ++ continue; ++ ++ badness = compute_score(result, net, saddr, sport, ++ daddr, hnum, dif, sdif); ++ + } + } + return result; +diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c +index 788bb19f32e99..5385037209a6b 100644 +--- a/net/ipv6/udp.c ++++ b/net/ipv6/udp.c +@@ -189,14 +189,23 @@ static struct sock *udp6_lib_lookup2(struct net *net, + score = compute_score(sk, net, saddr, sport, + daddr, hnum, dif, sdif); + if (score > badness) { +- result = lookup_reuseport(net, sk, skb, +- saddr, sport, daddr, hnum); ++ badness = score; ++ result = lookup_reuseport(net, sk, skb, saddr, sport, daddr, hnum); ++ if (!result) { ++ result = sk; ++ continue; ++ } ++ + /* Fall back to scoring if group has connections */ +- if (result && !reuseport_has_conns(sk)) ++ if (!reuseport_has_conns(sk)) + return result; + +- result = result ? : sk; +- badness = score; ++ /* Reuseport logic returned an error, keep original score. */ ++ if (IS_ERR(result)) ++ continue; ++ ++ badness = compute_score(sk, net, saddr, sport, ++ daddr, hnum, dif, sdif); + } + } + return result; +-- +2.40.1 + diff --git a/queue-5.10/um-fix-hostaudio-build-errors.patch b/queue-5.10/um-fix-hostaudio-build-errors.patch new file mode 100644 index 00000000000..1dcec54a753 --- /dev/null +++ b/queue-5.10/um-fix-hostaudio-build-errors.patch 
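Review bot: The IPv6 hunk re-scores `sk` where the IPv4 hunk re-scores `result`: the last added statement in udp6_lib_lookup2() is `badness = compute_score(sk, net, saddr, sport,`, which only recomputes the value already stored in `badness` a few lines earlier. The commit message says the score must be recalculated for the socket returned by lookup_reuseport(), and udp4_lib_lookup2() does that, so the IPv6 line should read `badness = compute_score(result, net, saddr, sport,` with its continuation line unchanged. As written, the IPv6 path keeps the old score for the selected socket, which is the behaviour the change sets out to remove. Both functions start outside their hunks.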
@@ -0,0 +1,148 @@ +From 8f60cbf9f38c9c72987b99a35ff5a51d3f41d310 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Aug 2023 22:15:00 -0700 +Subject: um: Fix hostaudio build errors + +From: Randy Dunlap + +[ Upstream commit db4bfcba7bb8d10f00bba2a3da6b9a9c2a1d7b71 ] + +Use "select" to ensure that the required kconfig symbols are set +as expected. +Drop HOSTAUDIO since it is now equivalent to UML_SOUND. + +Set CONFIG_SOUND=m in ARCH=um defconfig files to maintain the +status quo of the default configs. + +Allow SOUND with UML regardless of HAS_IOMEM. Otherwise there is a +kconfig warning for unmet dependencies. (This was not an issue when +SOUND was defined in arch/um/drivers/Kconfig. I have done 50 randconfig +builds and didn't find any issues.) + +This fixes build errors when CONFIG_SOUND is not set: + +ld: arch/um/drivers/hostaudio_kern.o: in function `hostaudio_cleanup_module': +hostaudio_kern.c:(.exit.text+0xa): undefined reference to `unregister_sound_mixer' +ld: hostaudio_kern.c:(.exit.text+0x15): undefined reference to `unregister_sound_dsp' +ld: arch/um/drivers/hostaudio_kern.o: in function `hostaudio_init_module': +hostaudio_kern.c:(.init.text+0x19): undefined reference to `register_sound_dsp' +ld: hostaudio_kern.c:(.init.text+0x31): undefined reference to `register_sound_mixer' +ld: hostaudio_kern.c:(.init.text+0x49): undefined reference to `unregister_sound_dsp' + +and this kconfig warning: +WARNING: unmet direct dependencies detected for SOUND + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Fixes: d886e87cb82b ("sound: make OSS sound core optional") +Signed-off-by: Randy Dunlap +Reported-by: kernel test robot +Closes: lore.kernel.org/r/202307141416.vxuRVpFv-lkp@intel.com +Cc: Richard Weinberger +Cc: Anton Ivanov +Cc: Johannes Berg +Cc: linux-um@lists.infradead.org +Cc: Tejun Heo +Cc: Takashi Iwai +Cc: Jaroslav Kysela +Cc: Masahiro Yamada +Cc: Nathan Chancellor +Cc: Nick Desaulniers +Cc: Nicolas Schier +Cc: linux-kbuild@vger.kernel.org +Cc: 
alsa-devel@alsa-project.org +Reviewed-by: Masahiro Yamada +Signed-off-by: Richard Weinberger +Signed-off-by: Sasha Levin +--- + arch/um/configs/i386_defconfig | 1 + + arch/um/configs/x86_64_defconfig | 1 + + arch/um/drivers/Kconfig | 16 +++------------- + arch/um/drivers/Makefile | 2 +- + sound/Kconfig | 2 +- + 5 files changed, 7 insertions(+), 15 deletions(-) + +diff --git a/arch/um/configs/i386_defconfig b/arch/um/configs/i386_defconfig +index fb51bd206dbed..4d7f99a02c1eb 100644 +--- a/arch/um/configs/i386_defconfig ++++ b/arch/um/configs/i386_defconfig +@@ -35,6 +35,7 @@ CONFIG_TTY_CHAN=y + CONFIG_XTERM_CHAN=y + CONFIG_CON_CHAN="pts" + CONFIG_SSL_CHAN="pts" ++CONFIG_SOUND=m + CONFIG_UML_SOUND=m + CONFIG_DEVTMPFS=y + CONFIG_DEVTMPFS_MOUNT=y +diff --git a/arch/um/configs/x86_64_defconfig b/arch/um/configs/x86_64_defconfig +index 477b873174243..4bdd83008f623 100644 +--- a/arch/um/configs/x86_64_defconfig ++++ b/arch/um/configs/x86_64_defconfig +@@ -33,6 +33,7 @@ CONFIG_TTY_CHAN=y + CONFIG_XTERM_CHAN=y + CONFIG_CON_CHAN="pts" + CONFIG_SSL_CHAN="pts" ++CONFIG_SOUND=m + CONFIG_UML_SOUND=m + CONFIG_DEVTMPFS=y + CONFIG_DEVTMPFS_MOUNT=y +diff --git a/arch/um/drivers/Kconfig b/arch/um/drivers/Kconfig +index 2e7b8e0e7194b..01dfbd57e29d7 100644 +--- a/arch/um/drivers/Kconfig ++++ b/arch/um/drivers/Kconfig +@@ -104,24 +104,14 @@ config SSL_CHAN + + config UML_SOUND + tristate "Sound support" ++ depends on SOUND ++ select SOUND_OSS_CORE + help + This option enables UML sound support. If enabled, it will pull in +- soundcore and the UML hostaudio relay, which acts as a intermediary ++ the UML hostaudio relay, which acts as a intermediary + between the host's dsp and mixer devices and the UML sound system. + It is safe to say 'Y' here. 
+ +-config SOUND +- tristate +- default UML_SOUND +- +-config SOUND_OSS_CORE +- bool +- default UML_SOUND +- +-config HOSTAUDIO +- tristate +- default UML_SOUND +- + endmenu + + menu "UML Network Devices" +diff --git a/arch/um/drivers/Makefile b/arch/um/drivers/Makefile +index 2a249f6194671..207d62ab519df 100644 +--- a/arch/um/drivers/Makefile ++++ b/arch/um/drivers/Makefile +@@ -52,7 +52,7 @@ obj-$(CONFIG_UML_NET) += net.o + obj-$(CONFIG_MCONSOLE) += mconsole.o + obj-$(CONFIG_MMAPPER) += mmapper_kern.o + obj-$(CONFIG_BLK_DEV_UBD) += ubd.o +-obj-$(CONFIG_HOSTAUDIO) += hostaudio.o ++obj-$(CONFIG_UML_SOUND) += hostaudio.o + obj-$(CONFIG_NULL_CHAN) += null.o + obj-$(CONFIG_PORT_CHAN) += port.o + obj-$(CONFIG_PTY_CHAN) += pty.o +diff --git a/sound/Kconfig b/sound/Kconfig +index 36785410fbe15..aaf2022ffc57d 100644 +--- a/sound/Kconfig ++++ b/sound/Kconfig +@@ -1,7 +1,7 @@ + # SPDX-License-Identifier: GPL-2.0-only + menuconfig SOUND + tristate "Sound card support" +- depends on HAS_IOMEM ++ depends on HAS_IOMEM || UML + help + If you have a sound card in your computer, i.e. if it can say more + than an occasional beep, say Y. +-- +2.40.1 + diff --git a/queue-5.10/usb-gadget-f_mass_storage-fix-unused-variable-warnin.patch b/queue-5.10/usb-gadget-f_mass_storage-fix-unused-variable-warnin.patch new file mode 100644 index 00000000000..9c2a883fec2 --- /dev/null +++ b/queue-5.10/usb-gadget-f_mass_storage-fix-unused-variable-warnin.patch 
@@ -0,0 +1,37 @@
+From d4f37d4d455563f2a14197122a07fc5bb126d905 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 11 Aug 2023 13:47:04 -0400
+Subject: USB: gadget: f_mass_storage: Fix unused variable warning
+
+From: Alan Stern
+
+[ Upstream commit 55c3e571d2a0aabef4f1354604443f1c415d2e85 ]
+
+Fix a "variable set but not used" warning in f_mass_storage.c. rc is
+used if verbose debugging is enabled but not otherwise.
+
+Signed-off-by: Alan Stern
+Fixes: d5e2b67aae79 ("USB: g_mass_storage: template f_mass_storage.c file created")
+Link: https://lore.kernel.org/r/cfed16c7-aa46-494b-ba84-b0e0dc99be3a@rowland.harvard.edu
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/usb/gadget/function/f_mass_storage.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/gadget/function/f_mass_storage.c b/drivers/usb/gadget/function/f_mass_storage.c
+index 950c9435beec3..553547f12fd20 100644
+--- a/drivers/usb/gadget/function/f_mass_storage.c
++++ b/drivers/usb/gadget/function/f_mass_storage.c
+@@ -951,7 +951,7 @@ static void invalidate_sub(struct fsg_lun *curlun)
+ {
+ struct file *filp = curlun->filp;
+ struct inode *inode = file_inode(filp);
+- unsigned long rc;
++ unsigned long __maybe_unused rc;
+
+ rc = invalidate_mapping_pages(inode->i_mapping, 0, -1);
+ VLDBG(curlun, "invalidate_mapping_pages -> %ld\n", rc);
+--
+2.40.1
+
diff --git a/queue-5.10/usb-phy-mxs-fix-getting-wrong-state-with-mxs_phy_is_.patch b/queue-5.10/usb-phy-mxs-fix-getting-wrong-state-with-mxs_phy_is_.patch
new file mode 100644
index 00000000000..2bf4816a3c0
--- /dev/null
+++ b/queue-5.10/usb-phy-mxs-fix-getting-wrong-state-with-mxs_phy_is_.patch
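Review bot: In invalidate_sub() `rc` is declared `unsigned long`, but the VLDBG() line shown as context prints it with `%ld`. Since the change already touches the declaration, the format could be corrected in the same place: `VLDBG(curlun, "invalidate_mapping_pages -> %lu\n", rc);`. This is a specifier/type mismatch in a debug message rather than a functional problem.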
@@ -0,0 +1,50 @@
+From c87c4e6ba92c8cb8e0dd71e546804d015367e2f0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 27 Jun 2023 19:03:52 +0800
+Subject: usb: phy: mxs: fix getting wrong state with mxs_phy_is_otg_host()
+
+From: Xu Yang
+
+[ Upstream commit 5eda42aebb7668b4dcff025cd3ccb0d3d7c53da6 ]
+
+The function mxs_phy_is_otg_host() will return true if OTG_ID_VALUE is
+0 at USBPHY_CTRL register. However, OTG_ID_VALUE will not reflect the real
+state if the ID pin is float, such as Host-only or Type-C cases. The value
+of OTG_ID_VALUE is always 1 which means device mode.
+This patch will fix the issue by judging the current mode based on
+last_event. The controller will update last_event in time.
+
+Fixes: 7b09e67639d6 ("usb: phy: mxs: refine mxs_phy_disconnect_line")
+Signed-off-by: Xu Yang
+Acked-by: Peter Chen
+Link: https://lore.kernel.org/r/20230627110353.1879477-2-xu.yang_2@nxp.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/usb/phy/phy-mxs-usb.c | 10 ++--------
+ 1 file changed, 2 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/usb/phy/phy-mxs-usb.c b/drivers/usb/phy/phy-mxs-usb.c
+index 67b39dc62b373..70e23334b27f9 100644
+--- a/drivers/usb/phy/phy-mxs-usb.c
++++ b/drivers/usb/phy/phy-mxs-usb.c
+@@ -388,14 +388,8 @@ static void __mxs_phy_disconnect_line(struct mxs_phy *mxs_phy, bool disconnect)
+
+ static bool mxs_phy_is_otg_host(struct mxs_phy *mxs_phy)
+ {
+- void __iomem *base = mxs_phy->phy.io_priv;
+- u32 phyctrl = readl(base + HW_USBPHY_CTRL);
+-
+- if (IS_ENABLED(CONFIG_USB_OTG) &&
+- !(phyctrl & BM_USBPHY_CTRL_OTG_ID_VALUE))
+- return true;
+-
+- return false;
++ return IS_ENABLED(CONFIG_USB_OTG) &&
++ mxs_phy->phy.last_event == USB_EVENT_ID;
+ }
+
+ static void mxs_phy_disconnect_line(struct mxs_phy *mxs_phy, bool on)
+--
+2.40.1
+
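Review bot: mxs_phy_is_otg_host() now decides from `mxs_phy->phy.last_event` instead of the PHY register, and nothing in the function records why the register is no longer trusted. A comment such as `/* OTG_ID_VALUE is unreliable when the ID pin floats (host-only, Type-C); use the last event reported by the controller */` would keep a later cleanup from restoring the register read. The hunk shows no locking or READ_ONCE() around `last_event`; whether the callers need either depends on code outside the hunk.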
diff --git a/queue-5.10/vfio-type1-fix-cap_migration-information-leak.patch b/queue-5.10/vfio-type1-fix-cap_migration-information-leak.patch
new file mode 100644
index 00000000000..3d0c01ad795
--- /dev/null
+++ b/queue-5.10/vfio-type1-fix-cap_migration-information-leak.patch
@@ -0,0 +1,93 @@ +From 08976dbcbf532f6d72b13eca0fa5f3924a5bbaca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Aug 2023 11:53:52 -0400 +Subject: vfio/type1: fix cap_migration information leak + +From: Stefan Hajnoczi + +[ Upstream commit cd24e2a60af633f157d7e59c0a6dba64f131c0b1 ] + +Fix an information leak where an uninitialized hole in struct +vfio_iommu_type1_info_cap_migration on the stack is exposed to userspace. + +The definition of struct vfio_iommu_type1_info_cap_migration contains a hole as +shown in this pahole(1) output: + + struct vfio_iommu_type1_info_cap_migration { + struct vfio_info_cap_header header; /* 0 8 */ + __u32 flags; /* 8 4 */ + + /* XXX 4 bytes hole, try to pack */ + + __u64 pgsize_bitmap; /* 16 8 */ + __u64 max_dirty_bitmap_size; /* 24 8 */ + + /* size: 32, cachelines: 1, members: 4 */ + /* sum members: 28, holes: 1, sum holes: 4 */ + /* last cacheline: 32 bytes */ + }; + +The cap_mig variable is filled in without initializing the hole: + + static int vfio_iommu_migration_build_caps(struct vfio_iommu *iommu, + struct vfio_info_cap *caps) + { + struct vfio_iommu_type1_info_cap_migration cap_mig; + + cap_mig.header.id = VFIO_IOMMU_TYPE1_INFO_CAP_MIGRATION; + cap_mig.header.version = 1; + + cap_mig.flags = 0; + /* support minimum pgsize */ + cap_mig.pgsize_bitmap = (size_t)1 << __ffs(iommu->pgsize_bitmap); + cap_mig.max_dirty_bitmap_size = DIRTY_BITMAP_SIZE_MAX; + + return vfio_info_add_capability(caps, &cap_mig.header, sizeof(cap_mig)); + } + +The structure is then copied to a temporary location on the heap. 
At this point +it's already too late and ioctl(VFIO_IOMMU_GET_INFO) copies it to userspace +later: + + int vfio_info_add_capability(struct vfio_info_cap *caps, + struct vfio_info_cap_header *cap, size_t size) + { + struct vfio_info_cap_header *header; + + header = vfio_info_cap_add(caps, size, cap->id, cap->version); + if (IS_ERR(header)) + return PTR_ERR(header); + + memcpy(header + 1, cap + 1, size - sizeof(*header)); + + return 0; + } + +This issue was found by code inspection. + +Signed-off-by: Stefan Hajnoczi +Reviewed-by: Kevin Tian +Fixes: ad721705d09c ("vfio iommu: Add migration capability to report supported features") +Link: https://lore.kernel.org/r/20230801155352.1391945-1-stefanha@redhat.com +Signed-off-by: Alex Williamson +Signed-off-by: Sasha Levin +--- + drivers/vfio/vfio_iommu_type1.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c +index ec1428dbdf9d9..9b01f88ae4762 100644 +--- a/drivers/vfio/vfio_iommu_type1.c ++++ b/drivers/vfio/vfio_iommu_type1.c +@@ -2659,7 +2659,7 @@ static int vfio_iommu_iova_build_caps(struct vfio_iommu *iommu, + static int vfio_iommu_migration_build_caps(struct vfio_iommu *iommu, + struct vfio_info_cap *caps) + { +- struct vfio_iommu_type1_info_cap_migration cap_mig; ++ struct vfio_iommu_type1_info_cap_migration cap_mig = {}; + + cap_mig.header.id = VFIO_IOMMU_TYPE1_INFO_CAP_MIGRATION; + cap_mig.header.version = 1; +-- +2.40.1 + diff --git a/queue-5.10/virtio_ring-fix-avail_wrap_counter-in-virtqueue_add_.patch b/queue-5.10/virtio_ring-fix-avail_wrap_counter-in-virtqueue_add_.patch new file mode 100644 index 00000000000..c95b16b6f88 --- /dev/null +++ b/queue-5.10/virtio_ring-fix-avail_wrap_counter-in-virtqueue_add_.patch 
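Review bot: The fix in vfio_iommu_migration_build_caps() relies on `= {}` clearing the 4-byte hole after `flags`, but as far as I know the C dialects before C23 do not promise that an initializer zeroes padding; that it does is compiler behaviour. For a structure that ends up copied to userspace, an explicit `memset(&cap_mig, 0, sizeof(cap_mig));` ahead of the field assignments states the intent and does not depend on the compiler. A comment naming the hole would also help the next reader, for example `/* clear the padding after flags; the whole struct is copied to userspace */`. The function body continues outside the hunk.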
@@ -0,0 +1,80 @@ +From 70eddefc07ce96a95bb8cd9b7ac760fb6353bea3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Aug 2023 05:10:59 +0000 +Subject: virtio_ring: fix avail_wrap_counter in virtqueue_add_packed +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Yuan Yao + +[ Upstream commit 1acfe2c1225899eab5ab724c91b7e1eb2881b9ab ] + +In current packed virtqueue implementation, the avail_wrap_counter won't +flip, in the case when the driver supplies a descriptor chain with a +length equals to the queue size; total_sg == vq->packed.vring.num. + +Let’s assume the following situation: +vq->packed.vring.num=4 +vq->packed.next_avail_idx: 1 +vq->packed.avail_wrap_counter: 0 + +Then the driver adds a descriptor chain containing 4 descriptors. + +We expect the following result with avail_wrap_counter flipped: +vq->packed.next_avail_idx: 1 +vq->packed.avail_wrap_counter: 1 + +But, the current implementation gives the following result: +vq->packed.next_avail_idx: 1 +vq->packed.avail_wrap_counter: 0 + +To reproduce the bug, you can set a packed queue size as small as +possible, so that the driver is more likely to provide a descriptor +chain with a length equal to the packed queue size. For example, in +qemu run following commands: +sudo qemu-system-x86_64 \ +-enable-kvm \ +-nographic \ +-kernel "path/to/kernel_image" \ +-m 1G \ +-drive file="path/to/rootfs",if=none,id=disk \ +-device virtio-blk,drive=disk \ +-drive file="path/to/disk_image",if=none,id=rwdisk \ +-device virtio-blk,drive=rwdisk,packed=on,queue-size=4,\ +indirect_desc=off \ +-append "console=ttyS0 root=/dev/vda rw init=/bin/bash" + +Inside the VM, create a directory and mount the rwdisk device on it. The +rwdisk will hang and mount operation will not complete. + +This commit fixes the wrap counter error by flipping the +packed.avail_wrap_counter, when start of descriptor chain equals to the +end of descriptor chain (head == i). 
+ +Fixes: 1ce9e6055fa0 ("virtio_ring: introduce packed ring support") +Signed-off-by: Yuan Yao +Message-Id: <20230808051110.3492693-1-yuanyaogoog@chromium.org> +Acked-by: Jason Wang +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Sasha Levin +--- + drivers/virtio/virtio_ring.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/virtio/virtio_ring.c b/drivers/virtio/virtio_ring.c +index 3cc2a4ee7152c..cf0e8e1893ee6 100644 +--- a/drivers/virtio/virtio_ring.c ++++ b/drivers/virtio/virtio_ring.c +@@ -1190,7 +1190,7 @@ static inline int virtqueue_add_packed(struct virtqueue *_vq, + } + } + +- if (i < head) ++ if (i <= head) + vq->packed.avail_wrap_counter ^= 1; + + /* We're using some buffers from the free list. */ +-- +2.40.1 + diff --git a/queue-5.10/wifi-ath10k-use-rmw-accessors-for-changing-lnkctl.patch b/queue-5.10/wifi-ath10k-use-rmw-accessors-for-changing-lnkctl.patch new file mode 100644 index 00000000000..e6223530343 --- /dev/null +++ b/queue-5.10/wifi-ath10k-use-rmw-accessors-for-changing-lnkctl.patch 
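Review bot: The changed test `if (i <= head)` in virtqueue_add_packed() has no comment saying why equality counts as a wrap, and that is not obvious from the code alone. When the chain uses every descriptor (total_sg == vq->packed.vring.num, per the commit message), the index returns to `head`, which looks the same as no advance at all. I would add `/* i == head: the chain filled the whole ring, so the index wrapped exactly once */` above the test. The function starts and ends outside the hunk.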
@@ -0,0 +1,61 @@ +From 2bf22dd790d2393232ee3634964b7b42cce117b4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jul 2023 15:05:02 +0300 +Subject: wifi: ath10k: Use RMW accessors for changing LNKCTL +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ilpo Järvinen + +[ Upstream commit f139492a09f15254fa261245cdbd65555cdf39e3 ] + +Don't assume that only the driver would be accessing LNKCTL. ASPM policy +changes can trigger write to LNKCTL outside of driver's control. + +Use RMW capability accessors which does proper locking to avoid losing +concurrent updates to the register value. On restore, clear the ASPMC field +properly. + +Suggested-by: Lukas Wunner +Fixes: 76d870ed09ab ("ath10k: enable ASPM") +Link: https://lore.kernel.org/r/20230717120503.15276-11-ilpo.jarvinen@linux.intel.com +Signed-off-by: Ilpo Järvinen +Signed-off-by: Bjorn Helgaas +Reviewed-by: Simon Horman +Acked-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath10k/pci.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath10k/pci.c b/drivers/net/wireless/ath/ath10k/pci.c +index 67e240327fb31..2c8f04b415c71 100644 +--- a/drivers/net/wireless/ath/ath10k/pci.c ++++ b/drivers/net/wireless/ath/ath10k/pci.c +@@ -1963,8 +1963,9 @@ static int ath10k_pci_hif_start(struct ath10k *ar) + ath10k_pci_irq_enable(ar); + ath10k_pci_rx_post(ar); + +- pcie_capability_write_word(ar_pci->pdev, PCI_EXP_LNKCTL, +- ar_pci->link_ctl); ++ pcie_capability_clear_and_set_word(ar_pci->pdev, PCI_EXP_LNKCTL, ++ PCI_EXP_LNKCTL_ASPMC, ++ ar_pci->link_ctl & PCI_EXP_LNKCTL_ASPMC); + + return 0; + } +@@ -2820,8 +2821,8 @@ static int ath10k_pci_hif_power_up(struct ath10k *ar, + + pcie_capability_read_word(ar_pci->pdev, PCI_EXP_LNKCTL, + &ar_pci->link_ctl); +- pcie_capability_write_word(ar_pci->pdev, PCI_EXP_LNKCTL, +- ar_pci->link_ctl & ~PCI_EXP_LNKCTL_ASPMC); ++ 
pcie_capability_clear_word(ar_pci->pdev, PCI_EXP_LNKCTL, ++ PCI_EXP_LNKCTL_ASPMC); + + /* + * Bring the target up cleanly. +-- +2.40.1 + diff --git a/queue-5.10/wifi-ath9k-fix-races-between-ath9k_wmi_cmd-and-ath9k.patch b/queue-5.10/wifi-ath9k-fix-races-between-ath9k_wmi_cmd-and-ath9k.patch new file mode 100644 index 00000000000..05355017ada --- /dev/null +++ b/queue-5.10/wifi-ath9k-fix-races-between-ath9k_wmi_cmd-and-ath9k.patch 
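Review bot: The restore in ath10k_pci_hif_start() writes back the ASPMC bits saved in `ar_pci->link_ctl` by ath10k_pci_hif_power_up(), so an ASPM policy change made between the two calls would be overwritten by the older saved value. The commit message names such outside writes as the reason for the change, and the RMW accessor only protects the other LNKCTL bits, not the ASPMC field itself. Whether that window matters in practice cannot be judged from the hunk. A comment at the restore such as `/* restores the ASPM setting sampled in hif_power_up; later policy changes are lost */` would record the limitation. Both functions continue outside the hunks.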
@@ -0,0 +1,129 @@ +From d57e12d1f1409457b454c1089020f30a36170304 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Apr 2023 22:26:06 +0300 +Subject: wifi: ath9k: fix races between ath9k_wmi_cmd and ath9k_wmi_ctrl_rx +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Fedor Pchelkin + +[ Upstream commit b674fb513e2e7a514fcde287c0f73915d393fdb6 ] + +Currently, the synchronization between ath9k_wmi_cmd() and +ath9k_wmi_ctrl_rx() is exposed to a race condition which, although being +rather unlikely, can lead to invalid behaviour of ath9k_wmi_cmd(). + +Consider the following scenario: + +CPU0 CPU1 + +ath9k_wmi_cmd(...) + mutex_lock(&wmi->op_mutex) + ath9k_wmi_cmd_issue(...) + wait_for_completion_timeout(...) + --- + timeout + --- + /* the callback is being processed + * before last_seq_id became zero + */ + ath9k_wmi_ctrl_rx(...) + spin_lock_irqsave(...) + /* wmi->last_seq_id check here + * doesn't detect timeout yet + */ + spin_unlock_irqrestore(...) + /* last_seq_id is zeroed to + * indicate there was a timeout + */ + wmi->last_seq_id = 0 + mutex_unlock(&wmi->op_mutex) + return -ETIMEDOUT + +ath9k_wmi_cmd(...) + mutex_lock(&wmi->op_mutex) + /* the buffer is replaced with + * another one + */ + wmi->cmd_rsp_buf = rsp_buf + wmi->cmd_rsp_len = rsp_len + ath9k_wmi_cmd_issue(...) + spin_lock_irqsave(...) + spin_unlock_irqrestore(...) + wait_for_completion_timeout(...) + /* the continuation of the + * callback left after the first + * ath9k_wmi_cmd call + */ + ath9k_wmi_rsp_callback(...) + /* copying data designated + * to already timeouted + * WMI command into an + * inappropriate wmi_cmd_buf + */ + memcpy(...) + complete(&wmi->cmd_wait) + /* awakened by the bogus callback + * => invalid return result + */ + mutex_unlock(&wmi->op_mutex) + return 0 + +To fix this, update last_seq_id on timeout path inside ath9k_wmi_cmd() +under the wmi_lock. 
Move ath9k_wmi_rsp_callback() under wmi_lock inside +ath9k_wmi_ctrl_rx() so that the wmi->cmd_wait can be completed only for +initially designated wmi_cmd call, otherwise the path would be rejected +with last_seq_id check. + +Found by Linux Verification Center (linuxtesting.org) with Syzkaller. + +Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.") +Signed-off-by: Fedor Pchelkin +Acked-by: Toke Høiland-Jørgensen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230425192607.18015-1-pchelkin@ispras.ru +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/wmi.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath9k/wmi.c b/drivers/net/wireless/ath/ath9k/wmi.c +index d652c647d56b5..04f363cb90fe5 100644 +--- a/drivers/net/wireless/ath/ath9k/wmi.c ++++ b/drivers/net/wireless/ath/ath9k/wmi.c +@@ -242,10 +242,10 @@ static void ath9k_wmi_ctrl_rx(void *priv, struct sk_buff *skb, + spin_unlock_irqrestore(&wmi->wmi_lock, flags); + goto free_skb; + } +- spin_unlock_irqrestore(&wmi->wmi_lock, flags); + + /* WMI command response */ + ath9k_wmi_rsp_callback(wmi, skb); ++ spin_unlock_irqrestore(&wmi->wmi_lock, flags); + + free_skb: + kfree_skb(skb); +@@ -308,8 +308,8 @@ int ath9k_wmi_cmd(struct wmi *wmi, enum wmi_cmd_id cmd_id, + struct ath_common *common = ath9k_hw_common(ah); + u16 headroom = sizeof(struct htc_frame_hdr) + + sizeof(struct wmi_cmd_hdr); ++ unsigned long time_left, flags; + struct sk_buff *skb; +- unsigned long time_left; + int ret = 0; + + if (ah->ah_flags & AH_UNPLUGGED) +@@ -345,7 +345,9 @@ int ath9k_wmi_cmd(struct wmi *wmi, enum wmi_cmd_id cmd_id, + if (!time_left) { + ath_dbg(common, WMI, "Timeout waiting for WMI command: %s\n", + wmi_cmd_to_name(cmd_id)); ++ spin_lock_irqsave(&wmi->wmi_lock, flags); + wmi->last_seq_id = 0; ++ spin_unlock_irqrestore(&wmi->wmi_lock, flags); + mutex_unlock(&wmi->op_mutex); + return -ETIMEDOUT; + } +-- +2.40.1 + 
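Review bot: ath9k_wmi_rsp_callback() now runs with wmi_lock held and interrupts disabled in ath9k_wmi_ctrl_rx(), and nothing at the call site records that constraint. Its body is not in this hunk; the commit message shows it doing a memcpy() and a complete(), so it presumably does not sleep today, but a later change could add something that does. A comment at the call, `/* called under wmi_lock: must not sleep; last_seq_id was checked above */`, would document the invariant the fix relies on.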
diff --git a/queue-5.10/wifi-ath9k-protect-wmi-command-response-buffer-repla.patch b/queue-5.10/wifi-ath9k-protect-wmi-command-response-buffer-repla.patch
new file mode 100644
index 00000000000..05f61df4d98
--- /dev/null
+++ b/queue-5.10/wifi-ath9k-protect-wmi-command-response-buffer-repla.patch
@@ -0,0 +1,78 @@ +From 5db389f87a2d1a7e49a95df031c56ba06c945324 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Apr 2023 22:26:07 +0300 +Subject: wifi: ath9k: protect WMI command response buffer replacement with a + lock +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Fedor Pchelkin + +[ Upstream commit 454994cfa9e4c18b6df9f78b60db8eadc20a6c25 ] + +If ath9k_wmi_cmd() has exited with a timeout, it is possible that during +next ath9k_wmi_cmd() call the wmi_rsp callback for previous wmi command +writes to new wmi->cmd_rsp_buf and makes a completion. This results in an +invalid ath9k_wmi_cmd() return value. + +Move the replacement of WMI command response buffer and length under +wmi_lock. Note that last_seq_id value is updated there, too. + +Thus, the buffer cannot be written to by a belated wmi_rsp callback +because that path is properly rejected by the last_seq_id check. + +Found by Linux Verification Center (linuxtesting.org) with Syzkaller. 
+ +Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.") +Signed-off-by: Fedor Pchelkin +Acked-by: Toke Høiland-Jørgensen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230425192607.18015-2-pchelkin@ispras.ru +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/wmi.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath9k/wmi.c b/drivers/net/wireless/ath/ath9k/wmi.c +index 04f363cb90fe5..1476b42b52a91 100644 +--- a/drivers/net/wireless/ath/ath9k/wmi.c ++++ b/drivers/net/wireless/ath/ath9k/wmi.c +@@ -283,7 +283,8 @@ int ath9k_wmi_connect(struct htc_target *htc, struct wmi *wmi, + + static int ath9k_wmi_cmd_issue(struct wmi *wmi, + struct sk_buff *skb, +- enum wmi_cmd_id cmd, u16 len) ++ enum wmi_cmd_id cmd, u16 len, ++ u8 *rsp_buf, u32 rsp_len) + { + struct wmi_cmd_hdr *hdr; + unsigned long flags; +@@ -293,6 +294,11 @@ static int ath9k_wmi_cmd_issue(struct wmi *wmi, + hdr->seq_no = cpu_to_be16(++wmi->tx_seq_id); + + spin_lock_irqsave(&wmi->wmi_lock, flags); ++ ++ /* record the rsp buffer and length */ ++ wmi->cmd_rsp_buf = rsp_buf; ++ wmi->cmd_rsp_len = rsp_len; ++ + wmi->last_seq_id = wmi->tx_seq_id; + spin_unlock_irqrestore(&wmi->wmi_lock, flags); + +@@ -333,11 +339,7 @@ int ath9k_wmi_cmd(struct wmi *wmi, enum wmi_cmd_id cmd_id, + goto out; + } + +- /* record the rsp buffer and length */ +- wmi->cmd_rsp_buf = rsp_buf; +- wmi->cmd_rsp_len = rsp_len; +- +- ret = ath9k_wmi_cmd_issue(wmi, skb, cmd_id, cmd_len); ++ ret = ath9k_wmi_cmd_issue(wmi, skb, cmd_id, cmd_len, rsp_buf, rsp_len); + if (ret) + goto out; + +-- +2.40.1 + diff --git a/queue-5.10/wifi-ath9k-use-is_err-with-debugfs_create_dir.patch b/queue-5.10/wifi-ath9k-use-is_err-with-debugfs_create_dir.patch new file mode 100644 index 00000000000..78a63391e54 --- /dev/null +++ b/queue-5.10/wifi-ath9k-use-is_err-with-debugfs_create_dir.patch 
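Review bot: `hdr->seq_no = cpu_to_be16(++wmi->tx_seq_id);` in ath9k_wmi_cmd_issue() still increments tx_seq_id before wmi_lock is taken, while the response buffer, its length and last_seq_id are now all set inside the lock. That is safe only if every caller holds op_mutex, which this hunk does not show. I would either move the increment below `spin_lock_irqsave()` or add `/* tx_seq_id is serialised by op_mutex, held by ath9k_wmi_cmd() */` above it. The two new parameters `rsp_buf` and `rsp_len` also deserve a line in the function comment saying they are published together with last_seq_id.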
@@ -0,0 +1,44 @@ +From 9a696b331092986146efd5f26449194a81245640 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Jul 2023 11:03:44 +0800 +Subject: wifi: ath9k: use IS_ERR() with debugfs_create_dir() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Wang Ming + +[ Upstream commit 1e4134610d93271535ecf900a676e1f094e9944c ] + +The debugfs_create_dir() function returns error pointers, +it never returns NULL. Most incorrect error checks were fixed, +but the one in ath9k_htc_init_debug() was forgotten. + +Fix the remaining error check. + +Fixes: e5facc75fa91 ("ath9k_htc: Cleanup HTC debugfs") +Signed-off-by: Wang Ming +Acked-by: Toke Høiland-Jørgensen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230713030358.12379-1-machel@vivo.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/htc_drv_debug.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_debug.c b/drivers/net/wireless/ath/ath9k/htc_drv_debug.c +index b3ed65e5c4da8..c55aab01fff5d 100644 +--- a/drivers/net/wireless/ath/ath9k/htc_drv_debug.c ++++ b/drivers/net/wireless/ath/ath9k/htc_drv_debug.c +@@ -491,7 +491,7 @@ int ath9k_htc_init_debug(struct ath_hw *ah) + + priv->debug.debugfs_phy = debugfs_create_dir(KBUILD_MODNAME, + priv->hw->wiphy->debugfsdir); +- if (!priv->debug.debugfs_phy) ++ if (IS_ERR(priv->debug.debugfs_phy)) + return -ENOMEM; + + ath9k_cmn_spectral_init_debug(&priv->spec_priv, priv->debug.debugfs_phy); +-- +2.40.1 + diff --git a/queue-5.10/wifi-mt76-testmode-add-nla_policy-for-mt76_tm_attr_t.patch b/queue-5.10/wifi-mt76-testmode-add-nla_policy-for-mt76_tm_attr_t.patch new file mode 100644 index 00000000000..3f4faa6fe54 --- /dev/null +++ b/queue-5.10/wifi-mt76-testmode-add-nla_policy-for-mt76_tm_attr_t.patch 
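Review bot: The corrected check in ath9k_htc_init_debug() still returns a fixed `-ENOMEM`, which discards the error encoded in the pointer that IS_ERR() has just tested. `return PTR_ERR(priv->debug.debugfs_phy);` would report the actual cause. Whether any caller depends on the -ENOMEM value is not visible here, since the function continues outside the hunk.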
@@ -0,0 +1,41 @@ +From 194d5a87c7713f83d28bbbd4234795a900a282bf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 23 Jul 2023 16:03:50 +0800 +Subject: wifi: mt76: testmode: add nla_policy for MT76_TM_ATTR_TX_LENGTH + +From: Lin Ma + +[ Upstream commit 74f12d511625e603fac8c0c2b6872e687e56dd61 ] + +It seems that the nla_policy in mt76_tm_policy is missed for attribute +MT76_TM_ATTR_TX_LENGTH. This patch adds the correct description to make +sure the + + u32 val = nla_get_u32(tb[MT76_TM_ATTR_TX_LENGTH]); + +in function mt76_testmode_cmd() is safe and will not result in +out-of-attribute read. + +Fixes: f0efa8621550 ("mt76: add API for testmode support") +Signed-off-by: Lin Ma +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/testmode.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wireless/mediatek/mt76/testmode.c b/drivers/net/wireless/mediatek/mt76/testmode.c +index 883f59c7a7e4a..7ab99efb7f9b0 100644 +--- a/drivers/net/wireless/mediatek/mt76/testmode.c ++++ b/drivers/net/wireless/mediatek/mt76/testmode.c +@@ -6,6 +6,7 @@ static const struct nla_policy mt76_tm_policy[NUM_MT76_TM_ATTRS] = { + [MT76_TM_ATTR_RESET] = { .type = NLA_FLAG }, + [MT76_TM_ATTR_STATE] = { .type = NLA_U8 }, + [MT76_TM_ATTR_TX_COUNT] = { .type = NLA_U32 }, ++ [MT76_TM_ATTR_TX_LENGTH] = { .type = NLA_U32 }, + [MT76_TM_ATTR_TX_RATE_MODE] = { .type = NLA_U8 }, + [MT76_TM_ATTR_TX_RATE_NSS] = { .type = NLA_U8 }, + [MT76_TM_ATTR_TX_RATE_IDX] = { .type = NLA_U8 }, +-- +2.40.1 + diff --git a/queue-5.10/wifi-mwifiex-avoid-possible-null-skb-pointer-derefer.patch b/queue-5.10/wifi-mwifiex-avoid-possible-null-skb-pointer-derefer.patch new file mode 100644 index 00000000000..6fe2f1f4ced --- /dev/null +++ b/queue-5.10/wifi-mwifiex-avoid-possible-null-skb-pointer-derefer.patch 
@@ -0,0 +1,50 @@ +From 7ca47cb7380ba1c78c2451bcce88c12e877904b3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Aug 2023 12:49:57 +0300 +Subject: wifi: mwifiex: avoid possible NULL skb pointer dereference + +From: Dmitry Antipov + +[ Upstream commit 35a7a1ce7c7d61664ee54f5239a1f120ab95a87e ] + +In 'mwifiex_handle_uap_rx_forward()', always check the value +returned by 'skb_copy()' to avoid potential NULL pointer +dereference in 'mwifiex_uap_queue_bridged_pkt()', and drop +original skb in case of copying failure. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 838e4f449297 ("mwifiex: improve uAP RX handling") +Acked-by: Brian Norris +Signed-off-by: Dmitry Antipov +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230814095041.16416-1-dmantipov@yandex.ru +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/mwifiex/uap_txrx.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/marvell/mwifiex/uap_txrx.c b/drivers/net/wireless/marvell/mwifiex/uap_txrx.c +index 5c5beedd6aa7b..780ea467471f6 100644 +--- a/drivers/net/wireless/marvell/mwifiex/uap_txrx.c ++++ b/drivers/net/wireless/marvell/mwifiex/uap_txrx.c +@@ -265,7 +265,15 @@ int mwifiex_handle_uap_rx_forward(struct mwifiex_private *priv, + + if (is_multicast_ether_addr(ra)) { + skb_uap = skb_copy(skb, GFP_ATOMIC); +- mwifiex_uap_queue_bridged_pkt(priv, skb_uap); ++ if (likely(skb_uap)) { ++ mwifiex_uap_queue_bridged_pkt(priv, skb_uap); ++ } else { ++ mwifiex_dbg(adapter, ERROR, ++ "failed to copy skb for uAP\n"); ++ priv->stats.rx_dropped++; ++ dev_kfree_skb_any(skb); ++ return -1; ++ } + } else { + if (mwifiex_get_sta_entry(priv, ra)) { + /* Requeue Intra-BSS packet */ +-- +2.40.1 + diff --git a/queue-5.10/wifi-mwifiex-fix-error-recovery-in-pcie-buffer-descr.patch b/queue-5.10/wifi-mwifiex-fix-error-recovery-in-pcie-buffer-descr.patch new file mode 100644 index 00000000000..8bc48f71c63 --- /dev/null 
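Review bot: The new failure branch in mwifiex_handle_uap_rx_forward() logs at ERROR level for every multicast frame whose skb_copy() fails, so under memory pressure the log can fill at the rate frames arrive from the air. Whether mwifiex_dbg() rate-limits is not visible in this hunk. If it does not, I would guard the message with `if (net_ratelimit())` and rely on `priv->stats.rx_dropped++` for accounting. The function continues outside the hunk.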
+++ b/queue-5.10/wifi-mwifiex-fix-error-recovery-in-pcie-buffer-descr.patch 
@@ -0,0 +1,121 @@ +From 264a371cbd81afb724c79978a4135afcdfe393f9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Jul 2023 10:43:07 +0300 +Subject: wifi: mwifiex: fix error recovery in PCIE buffer descriptor + management + +From: Dmitry Antipov + +[ Upstream commit 288c63d5cb4667a51a04668b3e2bb0ea499bc5f4 ] + +Add missing 'kfree_skb()' in 'mwifiex_init_rxq_ring()' and never do +'kfree(card->rxbd_ring_vbase)' because this area is DMAed and should +be released with 'dma_free_coherent()'. The latter is performed in +'mwifiex_pcie_delete_rxbd_ring()', which is now called to recover +from possible errors in 'mwifiex_pcie_create_rxbd_ring()'. Likewise +for 'mwifiex_pcie_init_evt_ring()', 'kfree(card->evtbd_ring_vbase)' +'mwifiex_pcie_delete_evtbd_ring()' and 'mwifiex_pcie_create_rxbd_ring()'. + +Fixes: d930faee141b ("mwifiex: add support for Marvell pcie8766 chipset") +Signed-off-by: Dmitry Antipov +Acked-by: Brian Norris +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230731074334.56463-1-dmantipov@yandex.ru +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/mwifiex/pcie.c | 25 ++++++++++++++------- + 1 file changed, 17 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/wireless/marvell/mwifiex/pcie.c b/drivers/net/wireless/marvell/mwifiex/pcie.c +index 50c34630ca302..7cec6398da71c 100644 +--- a/drivers/net/wireless/marvell/mwifiex/pcie.c ++++ b/drivers/net/wireless/marvell/mwifiex/pcie.c +@@ -200,6 +200,8 @@ static int mwifiex_pcie_probe_of(struct device *dev) + } + + static void mwifiex_pcie_work(struct work_struct *work); ++static int mwifiex_pcie_delete_rxbd_ring(struct mwifiex_adapter *adapter); ++static int mwifiex_pcie_delete_evtbd_ring(struct mwifiex_adapter *adapter); + + static int + mwifiex_map_pci_memory(struct mwifiex_adapter *adapter, struct sk_buff *skb, +@@ -794,14 +796,15 @@ static int mwifiex_init_rxq_ring(struct mwifiex_adapter *adapter) + if (!skb) { + mwifiex_dbg(adapter, ERROR, + "Unable to allocate skb 
for RX ring.\n"); +- kfree(card->rxbd_ring_vbase); + return -ENOMEM; + } + + if (mwifiex_map_pci_memory(adapter, skb, + MWIFIEX_RX_DATA_BUF_SIZE, +- DMA_FROM_DEVICE)) +- return -1; ++ DMA_FROM_DEVICE)) { ++ kfree_skb(skb); ++ return -ENOMEM; ++ } + + buf_pa = MWIFIEX_SKB_DMA_ADDR(skb); + +@@ -851,7 +854,6 @@ static int mwifiex_pcie_init_evt_ring(struct mwifiex_adapter *adapter) + if (!skb) { + mwifiex_dbg(adapter, ERROR, + "Unable to allocate skb for EVENT buf.\n"); +- kfree(card->evtbd_ring_vbase); + return -ENOMEM; + } + skb_put(skb, MAX_EVENT_SIZE); +@@ -859,8 +861,7 @@ static int mwifiex_pcie_init_evt_ring(struct mwifiex_adapter *adapter) + if (mwifiex_map_pci_memory(adapter, skb, MAX_EVENT_SIZE, + DMA_FROM_DEVICE)) { + kfree_skb(skb); +- kfree(card->evtbd_ring_vbase); +- return -1; ++ return -ENOMEM; + } + + buf_pa = MWIFIEX_SKB_DMA_ADDR(skb); +@@ -1060,6 +1061,7 @@ static int mwifiex_pcie_delete_txbd_ring(struct mwifiex_adapter *adapter) + */ + static int mwifiex_pcie_create_rxbd_ring(struct mwifiex_adapter *adapter) + { ++ int ret; + struct pcie_service_card *card = adapter->card; + const struct mwifiex_pcie_card_reg *reg = card->pcie.reg; + +@@ -1098,7 +1100,10 @@ static int mwifiex_pcie_create_rxbd_ring(struct mwifiex_adapter *adapter) + (u32)((u64)card->rxbd_ring_pbase >> 32), + card->rxbd_ring_size); + +- return mwifiex_init_rxq_ring(adapter); ++ ret = mwifiex_init_rxq_ring(adapter); ++ if (ret) ++ mwifiex_pcie_delete_rxbd_ring(adapter); ++ return ret; + } + + /* +@@ -1129,6 +1134,7 @@ static int mwifiex_pcie_delete_rxbd_ring(struct mwifiex_adapter *adapter) + */ + static int mwifiex_pcie_create_evtbd_ring(struct mwifiex_adapter *adapter) + { ++ int ret; + struct pcie_service_card *card = adapter->card; + const struct mwifiex_pcie_card_reg *reg = card->pcie.reg; + +@@ -1163,7 +1169,10 @@ static int mwifiex_pcie_create_evtbd_ring(struct mwifiex_adapter *adapter) + (u32)((u64)card->evtbd_ring_pbase >> 32), + card->evtbd_ring_size); + +- return 
mwifiex_pcie_init_evt_ring(adapter); ++ ret = mwifiex_pcie_init_evt_ring(adapter); ++ if (ret) ++ mwifiex_pcie_delete_evtbd_ring(adapter); ++ return ret; + } + + /* +-- +2.40.1 + diff --git a/queue-5.10/wifi-mwifiex-fix-memory-leak-in-mwifiex_histogram_re.patch b/queue-5.10/wifi-mwifiex-fix-memory-leak-in-mwifiex_histogram_re.patch new file mode 100644 index 00000000000..3e79ad4721f --- /dev/null +++ b/queue-5.10/wifi-mwifiex-fix-memory-leak-in-mwifiex_histogram_re.patch 
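Review bot: The error paths in mwifiex_init_rxq_ring() and mwifiex_pcie_init_evt_ring() now free only the skb of the failing iteration and leave the buffers mapped by earlier iterations in place. They depend on mwifiex_pcie_delete_rxbd_ring() and mwifiex_pcie_delete_evtbd_ring(), called from the create functions, to unmap and free those. Neither delete function's body is in these hunks, so that should be confirmed. A comment on the early returns, for example `/* earlier ring entries are released by mwifiex_pcie_delete_rxbd_ring() in the caller */`, would make the ownership explicit. Mapping failures are also now reported as `-ENOMEM`, although a DMA mapping error is not necessarily an allocation failure.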
@@ -0,0 +1,52 @@ +From d25d6b2feab0b4e6a087f37c119b42cfc08d3a4b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Aug 2023 19:07:15 +0300 +Subject: wifi: mwifiex: fix memory leak in mwifiex_histogram_read() + +From: Dmitry Antipov + +[ Upstream commit 9c8fd72a5c2a031cbc680a2990107ecd958ffcdb ] + +Always free the zeroed page on return from 'mwifiex_histogram_read()'. + +Fixes: cbf6e05527a7 ("mwifiex: add rx histogram statistics support") + +Acked-by: Brian Norris +Signed-off-by: Dmitry Antipov +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230802160726.85545-1-dmantipov@yandex.ru +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/mwifiex/debugfs.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/marvell/mwifiex/debugfs.c b/drivers/net/wireless/marvell/mwifiex/debugfs.c +index dded92db1f373..1e7dc724c6a94 100644 +--- a/drivers/net/wireless/marvell/mwifiex/debugfs.c ++++ b/drivers/net/wireless/marvell/mwifiex/debugfs.c +@@ -265,8 +265,11 @@ mwifiex_histogram_read(struct file *file, char __user *ubuf, + if (!p) + return -ENOMEM; + +- if (!priv || !priv->hist_data) +- return -EFAULT; ++ if (!priv || !priv->hist_data) { ++ ret = -EFAULT; ++ goto free_and_exit; ++ } ++ + phist_data = priv->hist_data; + + p += sprintf(p, "\n" +@@ -321,6 +324,8 @@ mwifiex_histogram_read(struct file *file, char __user *ubuf, + ret = simple_read_from_buffer(ubuf, count, ppos, (char *)page, + (unsigned long)p - page); + ++free_and_exit: ++ free_page(page); + return ret; + } + +-- +2.40.1 + diff --git a/queue-5.10/wifi-mwifiex-fix-missed-return-in-oob-checks-failed-.patch b/queue-5.10/wifi-mwifiex-fix-missed-return-in-oob-checks-failed-.patch new file mode 100644 index 00000000000..333bc844d05 --- /dev/null +++ b/queue-5.10/wifi-mwifiex-fix-missed-return-in-oob-checks-failed-.patch 
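Review bot: The buffer filled through `p += sprintf(p, ...)` in mwifiex_histogram_read() is a single page and the writes are unbounded; the patch fixes the leak but keeps that pattern. How much the elided middle of the function can emit is not visible here, so I cannot say the page can actually overflow. Writing `p += scnprintf(p, PAGE_SIZE - ((unsigned long)p - page), ...)` would make the bound explicit. Separately, moving the `!priv || !priv->hist_data` test above the page allocation would remove the need for the early `goto free_and_exit`.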
@@ -0,0 +1,51 @@ +From 329ae3084ff14e5999a660597986c9f047a1aea2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Aug 2023 08:39:11 +0000 +Subject: wifi: mwifiex: Fix missed return in oob checks failed path + +From: Polaris Pi + +[ Upstream commit 2785851c627f2db05f9271f7f63661b5dbd95c4c ] + +Add missed return in mwifiex_uap_queue_bridged_pkt() and +mwifiex_process_rx_packet(). + +Fixes: 119585281617 ("wifi: mwifiex: Fix OOB and integer underflow when rx packets") +Signed-off-by: Polaris Pi +Reported-by: Dmitry Antipov +Acked-by: Brian Norris +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230810083911.3725248-1-pinkperfect2021@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/mwifiex/sta_rx.c | 1 + + drivers/net/wireless/marvell/mwifiex/uap_txrx.c | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/drivers/net/wireless/marvell/mwifiex/sta_rx.c b/drivers/net/wireless/marvell/mwifiex/sta_rx.c +index 685a5b6697046..3c555946cb2cc 100644 +--- a/drivers/net/wireless/marvell/mwifiex/sta_rx.c ++++ b/drivers/net/wireless/marvell/mwifiex/sta_rx.c +@@ -104,6 +104,7 @@ int mwifiex_process_rx_packet(struct mwifiex_private *priv, + skb->len, rx_pkt_off); + priv->stats.rx_dropped++; + dev_kfree_skb_any(skb); ++ return -1; + } + + if ((!memcmp(&rx_pkt_hdr->rfc1042_hdr, bridge_tunnel_header, +diff --git a/drivers/net/wireless/marvell/mwifiex/uap_txrx.c b/drivers/net/wireless/marvell/mwifiex/uap_txrx.c +index f46afd7f1b6a4..5c5beedd6aa7b 100644 +--- a/drivers/net/wireless/marvell/mwifiex/uap_txrx.c ++++ b/drivers/net/wireless/marvell/mwifiex/uap_txrx.c +@@ -122,6 +122,7 @@ static void mwifiex_uap_queue_bridged_pkt(struct mwifiex_private *priv, + skb->len, le16_to_cpu(uap_rx_pd->rx_pkt_offset)); + priv->stats.rx_dropped++; + dev_kfree_skb_any(skb); ++ return; + } + + if ((!memcmp(&rx_pkt_hdr->rfc1042_hdr, bridge_tunnel_header, +-- +2.40.1 + 
diff --git a/queue-5.10/wifi-mwifiex-fix-oob-and-integer-underflow-when-rx-p.patch b/queue-5.10/wifi-mwifiex-fix-oob-and-integer-underflow-when-rx-p.patch
new file mode 100644
index 00000000000..b7f2e2142e9
--- /dev/null
+++ b/queue-5.10/wifi-mwifiex-fix-oob-and-integer-underflow-when-rx-p.patch
@@ -0,0 +1,127 @@ +From a9a6537fb5400ff59de7903040472971b268f245 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 23 Jul 2023 07:07:41 +0000 +Subject: wifi: mwifiex: Fix OOB and integer underflow when rx packets + +From: Polaris Pi + +[ Upstream commit 11958528161731c58e105b501ed60b83a91ea941 ] + +Make sure mwifiex_process_mgmt_packet, +mwifiex_process_sta_rx_packet and mwifiex_process_uap_rx_packet, +mwifiex_uap_queue_bridged_pkt and mwifiex_process_rx_packet +not out-of-bounds access the skb->data buffer. + +Fixes: 2dbaf751b1de ("mwifiex: report received management frames to cfg80211") +Signed-off-by: Polaris Pi +Reviewed-by: Matthew Wang +Reviewed-by: Brian Norris +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230723070741.1544662-1-pinkperfect2021@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/mwifiex/sta_rx.c | 11 ++++++++++- + .../net/wireless/marvell/mwifiex/uap_txrx.c | 19 +++++++++++++++++++ + drivers/net/wireless/marvell/mwifiex/util.c | 10 +++++++--- + 3 files changed, 36 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/wireless/marvell/mwifiex/sta_rx.c b/drivers/net/wireless/marvell/mwifiex/sta_rx.c +index 0d2adf8879005..685a5b6697046 100644 +--- a/drivers/net/wireless/marvell/mwifiex/sta_rx.c ++++ b/drivers/net/wireless/marvell/mwifiex/sta_rx.c +@@ -98,6 +98,14 @@ int mwifiex_process_rx_packet(struct mwifiex_private *priv, + rx_pkt_len = le16_to_cpu(local_rx_pd->rx_pkt_length); + rx_pkt_hdr = (void *)local_rx_pd + rx_pkt_off; + ++ if (sizeof(*rx_pkt_hdr) + rx_pkt_off > skb->len) { ++ mwifiex_dbg(priv->adapter, ERROR, ++ "wrong rx packet offset: len=%d, rx_pkt_off=%d\n", ++ skb->len, rx_pkt_off); ++ priv->stats.rx_dropped++; ++ dev_kfree_skb_any(skb); ++ } ++ + if ((!memcmp(&rx_pkt_hdr->rfc1042_hdr, bridge_tunnel_header, + sizeof(bridge_tunnel_header))) || + (!memcmp(&rx_pkt_hdr->rfc1042_hdr, rfc1042_header, +@@ -206,7 +214,8 @@ int mwifiex_process_sta_rx_packet(struct mwifiex_private *priv, + + 
rx_pkt_hdr = (void *)local_rx_pd + rx_pkt_offset; + +- if ((rx_pkt_offset + rx_pkt_length) > (u16) skb->len) { ++ if ((rx_pkt_offset + rx_pkt_length) > skb->len || ++ sizeof(rx_pkt_hdr->eth803_hdr) + rx_pkt_offset > skb->len) { + mwifiex_dbg(adapter, ERROR, + "wrong rx packet: len=%d, rx_pkt_offset=%d, rx_pkt_length=%d\n", + skb->len, rx_pkt_offset, rx_pkt_length); +diff --git a/drivers/net/wireless/marvell/mwifiex/uap_txrx.c b/drivers/net/wireless/marvell/mwifiex/uap_txrx.c +index 9bbdb8dfce62a..f46afd7f1b6a4 100644 +--- a/drivers/net/wireless/marvell/mwifiex/uap_txrx.c ++++ b/drivers/net/wireless/marvell/mwifiex/uap_txrx.c +@@ -115,6 +115,15 @@ static void mwifiex_uap_queue_bridged_pkt(struct mwifiex_private *priv, + return; + } + ++ if (sizeof(*rx_pkt_hdr) + ++ le16_to_cpu(uap_rx_pd->rx_pkt_offset) > skb->len) { ++ mwifiex_dbg(adapter, ERROR, ++ "wrong rx packet offset: len=%d,rx_pkt_offset=%d\n", ++ skb->len, le16_to_cpu(uap_rx_pd->rx_pkt_offset)); ++ priv->stats.rx_dropped++; ++ dev_kfree_skb_any(skb); ++ } ++ + if ((!memcmp(&rx_pkt_hdr->rfc1042_hdr, bridge_tunnel_header, + sizeof(bridge_tunnel_header))) || + (!memcmp(&rx_pkt_hdr->rfc1042_hdr, rfc1042_header, +@@ -379,6 +388,16 @@ int mwifiex_process_uap_rx_packet(struct mwifiex_private *priv, + rx_pkt_type = le16_to_cpu(uap_rx_pd->rx_pkt_type); + rx_pkt_hdr = (void *)uap_rx_pd + le16_to_cpu(uap_rx_pd->rx_pkt_offset); + ++ if (le16_to_cpu(uap_rx_pd->rx_pkt_offset) + ++ sizeof(rx_pkt_hdr->eth803_hdr) > skb->len) { ++ mwifiex_dbg(adapter, ERROR, ++ "wrong rx packet for struct ethhdr: len=%d, offset=%d\n", ++ skb->len, le16_to_cpu(uap_rx_pd->rx_pkt_offset)); ++ priv->stats.rx_dropped++; ++ dev_kfree_skb_any(skb); ++ return 0; ++ } ++ + ether_addr_copy(ta, rx_pkt_hdr->eth803_hdr.h_source); + + if ((le16_to_cpu(uap_rx_pd->rx_pkt_offset) + +diff --git a/drivers/net/wireless/marvell/mwifiex/util.c b/drivers/net/wireless/marvell/mwifiex/util.c +index d583fa600a296..1f5a6dab9ce55 100644 +--- 
a/drivers/net/wireless/marvell/mwifiex/util.c ++++ b/drivers/net/wireless/marvell/mwifiex/util.c +@@ -405,11 +405,15 @@ mwifiex_process_mgmt_packet(struct mwifiex_private *priv, + } + + rx_pd = (struct rxpd *)skb->data; ++ pkt_len = le16_to_cpu(rx_pd->rx_pkt_length); ++ if (pkt_len < sizeof(struct ieee80211_hdr) + sizeof(pkt_len)) { ++ mwifiex_dbg(priv->adapter, ERROR, "invalid rx_pkt_length"); ++ return -1; ++ } + + skb_pull(skb, le16_to_cpu(rx_pd->rx_pkt_offset)); + skb_pull(skb, sizeof(pkt_len)); +- +- pkt_len = le16_to_cpu(rx_pd->rx_pkt_length); ++ pkt_len -= sizeof(pkt_len); + + ieee_hdr = (void *)skb->data; + if (ieee80211_is_mgmt(ieee_hdr->frame_control)) { +@@ -422,7 +426,7 @@ mwifiex_process_mgmt_packet(struct mwifiex_private *priv, + skb->data + sizeof(struct ieee80211_hdr), + pkt_len - sizeof(struct ieee80211_hdr)); + +- pkt_len -= ETH_ALEN + sizeof(pkt_len); ++ pkt_len -= ETH_ALEN; + rx_pd->rx_pkt_length = cpu_to_le16(pkt_len); + + cfg80211_rx_mgmt(&priv->wdev, priv->roc_cfg.chan.center_freq, +-- +2.40.1 + diff --git a/queue-5.10/x86-apm-drop-the-duplicate-apm_minor_dev-macro.patch b/queue-5.10/x86-apm-drop-the-duplicate-apm_minor_dev-macro.patch new file mode 100644 index 00000000000..d117442417a --- /dev/null +++ b/queue-5.10/x86-apm-drop-the-duplicate-apm_minor_dev-macro.patch 
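Review bot: The two added length checks in mwifiex_process_rx_packet() (sta_rx.c) and mwifiex_uap_queue_bridged_pkt() (uap_txrx.c) call `dev_kfree_skb_any(skb)` and then fall through to the memcmp() on rx_pkt_hdr, so a short packet is read after it has been freed. The missing `return -1;` and `return;` come from the separate "Fix missed return in oob checks failed path" patch in this same queue, so the two must always be applied together and never backported singly. In mwifiex_process_mgmt_packet() the new check bounds rx_pkt_length from below only. Neither it nor rx_pkt_offset is compared with skb->len in the visible lines, and the result of `skb_pull()` is not checked.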
@@ -0,0 +1,46 @@
+From 99ec4844a61f79f4c898d96bea12b1d89d9ebf39 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 27 Jul 2023 18:11:20 -0700
+Subject: x86/APM: drop the duplicate APM_MINOR_DEV macro
+
+From: Randy Dunlap
+
+[ Upstream commit 4ba2909638a29630a346d6c4907a3105409bee7d ]
+
+This source file already includes , which contains
+the same macro. It doesn't need to be defined here again.
+
+Fixes: 874bcd00f520 ("apm-emulation: move APM_MINOR_DEV to include/linux/miscdevice.h")
+Signed-off-by: Randy Dunlap
+Cc: Jiri Kosina
+Cc: x86@kernel.org
+Cc: Sohil Mehta
+Cc: Corentin Labbe
+Reviewed-by: Sohil Mehta
+Link: https://lore.kernel.org/r/20230728011120.759-1-rdunlap@infradead.org
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ arch/x86/kernel/apm_32.c | 6 ------
+ 1 file changed, 6 deletions(-)
+
+diff --git a/arch/x86/kernel/apm_32.c b/arch/x86/kernel/apm_32.c
+index 660270359d393..166d9991e7111 100644
+--- a/arch/x86/kernel/apm_32.c
++++ b/arch/x86/kernel/apm_32.c
+@@ -237,12 +237,6 @@
+ extern int (*console_blank_hook)(int);
+ #endif
+
+-/*
+- * The apm_bios device is one of the misc char devices.
+- * This is its minor number.
+- */
+-#define APM_MINOR_DEV 134
+-
+ /*
+ * Various options can be changed at boot time as follows:
+ * (We allow underscores for compatibility with the modules code)
+--
+2.40.1
+
diff --git a/queue-5.10/x86-decompressor-don-t-rely-on-upper-32-bits-of-gprs.patch b/queue-5.10/x86-decompressor-don-t-rely-on-upper-32-bits-of-gprs.patch
new file mode 100644
index 00000000000..0afef7afe68
--- /dev/null
+++ b/queue-5.10/x86-decompressor-don-t-rely-on-upper-32-bits-of-gprs.patch
@@ -0,0 +1,113 @@
+From f05a49a613ba12099b93e61717d3d12f0739e371 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 7 Aug 2023 18:26:58 +0200
+Subject: x86/decompressor: Don't rely on upper 32 bits of GPRs being preserved
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ard Biesheuvel
+
+[ Upstream commit 264b82fdb4989cf6a44a2bcd0c6ea05e8026b2ac ]
+
+The 4-to-5 level mode switch trampoline disables long mode and paging in
+order to be able to flick the LA57 bit. According to section 3.4.1.1 of
+the x86 architecture manual [0], 64-bit GPRs might not retain the upper
+32 bits of their contents across such a mode switch.
+
+Given that RBP, RBX and RSI are live at this point, preserve them on the
+stack, along with the return address that might be above 4G as well.
+
+[0] Intel® 64 and IA-32 Architectures Software Developer’s Manual, Volume 1: Basic Architecture
+
+ "Because the upper 32 bits of 64-bit general-purpose registers are
+ undefined in 32-bit modes, the upper 32 bits of any general-purpose
+ register are not preserved when switching from 64-bit mode to a 32-bit
+ mode (to protected mode or compatibility mode). Software must not
+ depend on these bits to maintain a value after a 64-bit to 32-bit
+ mode switch."
+
+Fixes: 194a9749c73d650c ("x86/boot/compressed/64: Handle 5-level paging boot if kernel is above 4G")
+Signed-off-by: Ard Biesheuvel
+Signed-off-by: Borislav Petkov (AMD)
+Link: https://lore.kernel.org/r/20230807162720.545787-2-ardb@kernel.org
+Signed-off-by: Sasha Levin
+---
+ arch/x86/boot/compressed/head_64.S | 30 +++++++++++++++++++++++-------
+ 1 file changed, 23 insertions(+), 7 deletions(-)
+
+diff --git a/arch/x86/boot/compressed/head_64.S b/arch/x86/boot/compressed/head_64.S
+index b55e2007b30c6..473d84eb5dda9 100644
+--- a/arch/x86/boot/compressed/head_64.S
++++ b/arch/x86/boot/compressed/head_64.S
+@@ -454,11 +454,25 @@ SYM_CODE_START(startup_64)
+ /* Save the trampoline address in RCX */
+ movq %rax, %rcx
+
++ /* Set up 32-bit addressable stack */
++ leaq TRAMPOLINE_32BIT_STACK_END(%rcx), %rsp
++
++ /*
++ * Preserve live 64-bit registers on the stack: this is necessary
++ * because the architecture does not guarantee that GPRs will retain
++ * their full 64-bit values across a 32-bit mode switch.
++ */
++ pushq %rbp
++ pushq %rbx
++ pushq %rsi
++
+ /*
+- * Load the address of trampoline_return() into RDI.
+- * It will be used by the trampoline to return to the main code.
++ * Push the 64-bit address of trampoline_return() onto the new stack.
++ * It will be used by the trampoline to return to the main code. Due to
++ * the 32-bit mode switch, it cannot be kept it in a register either.
+ */
+ leaq trampoline_return(%rip), %rdi
++ pushq %rdi
+
+ /* Switch to compatibility mode (CS.L = 0 CS.D = 1) via far return */
+ pushq $__KERNEL32_CS
+@@ -466,6 +480,11 @@ SYM_CODE_START(startup_64)
+ pushq %rax
+ lretq
+ trampoline_return:
++ /* Restore live 64-bit registers */
++ popq %rsi
++ popq %rbx
++ popq %rbp
++
+ /* Restore the stack, the 32-bit trampoline uses its own stack */
+ leaq rva(boot_stack_end)(%rbx), %rsp
+
+@@ -586,7 +605,7 @@ SYM_FUNC_END(.Lrelocated)
+ /*
+ * This is the 32-bit trampoline that will be copied over to low memory.
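Review bot: The rewritten comment above `leaq trampoline_return(%rip), %rdi` in the first head_64.S hunk has a stray word, "it cannot be kept it in a register either"; it should read `* the 32-bit mode switch, it cannot be kept in a register either.`. The comment could also state that the return address is pushed after the saved RBP/RBX/RSI, since the `retq` in `.Lpaging_enabled` consumes it first and the `popq` sequence at `trampoline_return` then restores the registers in reverse order. `startup_64` continues outside the hunk.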
+ *
+- * RDI contains the return address (might be above 4G).
++ * Return address is at the top of the stack (might be above 4G).
+ * ECX contains the base address of the trampoline memory.
+ * Non zero RDX means trampoline needs to enable 5-level paging.
+ */
+@@ -596,9 +615,6 @@ SYM_CODE_START(trampoline_32bit_src)
+ movl %eax, %ds
+ movl %eax, %ss
+
+- /* Set up new stack */
+- leal TRAMPOLINE_32BIT_STACK_END(%ecx), %esp
+-
+ /* Disable paging */
+ movl %cr0, %eax
+ btrl $X86_CR0_PG_BIT, %eax
+@@ -658,7 +674,7 @@ SYM_CODE_END(trampoline_32bit_src)
+ .code64
+ SYM_FUNC_START_LOCAL_NOALIGN(.Lpaging_enabled)
+ /* Return from the trampoline */
+- jmp *%rdi
++ retq
+ SYM_FUNC_END(.Lpaging_enabled)
+
+ /*
+--
+2.40.1
+
diff --git a/queue-5.10/x86-efistub-fix-pci-rom-preservation-in-mixed-mode.patch b/queue-5.10/x86-efistub-fix-pci-rom-preservation-in-mixed-mode.patch
new file mode 100644
index 00000000000..08d0d07c400
--- /dev/null
+++ b/queue-5.10/x86-efistub-fix-pci-rom-preservation-in-mixed-mode.patch
@@ -0,0 +1,38 @@
+From b700848ab4d9b9d63c0fc2346ac1ccbfe0647892 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 23 Aug 2023 17:51:58 -0400
+Subject: x86/efistub: Fix PCI ROM preservation in mixed mode
+
+From: Mikel Rychliski
+
+[ Upstream commit 8b94da92559f7e403dc7ab81937cc50f949ee2fd ]
+
+preserve_pci_rom_image() was accessing the romsize field in
+efi_pci_io_protocol_t directly instead of using the efi_table_attr()
+helper. This prevents the ROM image from being saved correctly during a
+mixed mode boot.
+
+Fixes: 2c3625cb9fa2 ("efi/x86: Fold __setup_efi_pci32() and __setup_efi_pci64() into one function")
+Signed-off-by: Mikel Rychliski
+Signed-off-by: Ard Biesheuvel
+Signed-off-by: Sasha Levin
+---
+ drivers/firmware/efi/libstub/x86-stub.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/firmware/efi/libstub/x86-stub.c b/drivers/firmware/efi/libstub/x86-stub.c
+index 5d0f1b1966fc6..9f998e6bff957 100644
+--- a/drivers/firmware/efi/libstub/x86-stub.c
++++ b/drivers/firmware/efi/libstub/x86-stub.c
+@@ -60,7 +60,7 @@ preserve_pci_rom_image(efi_pci_io_protocol_t *pci, struct pci_setup_rom **__rom)
+ rom->data.type = SETUP_PCI;
+ rom->data.len = size - sizeof(struct setup_data);
+ rom->data.next = 0;
+- rom->pcilen = pci->romsize;
++ rom->pcilen = romsize;
+ *__rom = rom;
+
+ status = efi_call_proto(pci, pci.read, EfiPciIoWidthUint16,
+--
+2.40.1
+
diff --git a/queue-5.10/x86-mm-fix-pat-bit-missing-from-page-protection-modi.patch b/queue-5.10/x86-mm-fix-pat-bit-missing-from-page-protection-modi.patch
new file mode 100644
index 00000000000..eba8d33075c
--- /dev/null
+++ b/queue-5.10/x86-mm-fix-pat-bit-missing-from-page-protection-modi.patch
@@ -0,0 +1,107 @@
+From dbc5331ff6678002a15ac5adaea67fa4429cccfa Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 10 Jul 2023 09:36:14 +0200
+Subject: x86/mm: Fix PAT bit missing from page protection modify mask
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Janusz Krzysztofik
+
+[ Upstream commit 548cb932051fb6232ac983ed6673dae7bdf3cf4c ]
+
+Visible glitches have been observed when running graphics applications on
+Linux under Xen hypervisor. Those observations have been confirmed with
+failures from kms_pwrite_crc Intel GPU test that verifies data coherency
+of DRM frame buffer objects using hardware CRC checksums calculated by
+display controllers, exposed to userspace via debugfs. Affected
+processing paths have then been identified with new IGT test variants that
+mmap the objects using different methods and caching modes [1].
+
+When running as a Xen PV guest, Linux uses Xen provided PAT configuration
+which is different from its native one. In particular, Xen specific PTE
+encoding of write-combining caching, likely used by graphics applications,
+differs from the Linux default one found among statically defined minimal
+set of supported modes. Since Xen defines PTE encoding of the WC mode as
+_PAGE_PAT, it no longer belongs to the minimal set, depends on correct
+handling of _PAGE_PAT bit, and can be mismatched with write-back caching.
+
+When a user calls mmap() for a DRM buffer object, DRM device specific
+.mmap file operation, called from mmap_region(), takes care of setting PTE
+encoding bits in a vm_page_prot field of an associated virtual memory area
+structure. Unfortunately, _PAGE_PAT bit is not preserved when the vma's
+.vm_flags are then applied to .vm_page_prot via vm_set_page_prot(). Bits
+to be preserved are determined with _PAGE_CHG_MASK symbol that doesn't
+cover _PAGE_PAT.
As a consequence, WB caching is requested instead of WC
+when running under Xen (also, WP is silently changed to WT, and UC
+downgraded to UC_MINUS). When running on bare metal, WC is not affected,
+but WP and WT extra modes are unintentionally replaced with WC and UC,
+respectively.
+
+WP and WT modes, encoded with _PAGE_PAT bit set, were introduced by commit
+281d4078bec3 ("x86: Make page cache mode a real type"). Care was taken
+to extend _PAGE_CACHE_MASK symbol with that additional bit, but that
+symbol has never been used for identification of bits preserved when
+applying page protection flags. Support for all cache modes under Xen,
+including the problematic WC mode, was then introduced by commit
+47591df50512 ("xen: Support Xen pv-domains using PAT").
+
+The issue needs to be fixed by including _PAGE_PAT bit into a bitmask used
+by pgprot_modify() for selecting bits to be preserved. We can do that
+either internally to pgprot_modify() (as initially proposed), or by making
+_PAGE_PAT a part of _PAGE_CHG_MASK. If we go for the latter then, since
+_PAGE_PAT is the same as _PAGE_PSE, we need to note that _HPAGE_CHG_MASK
+-- a huge pmds' counterpart of _PAGE_CHG_MASK, introduced by commit
+c489f1257b8c ("thp: add pmd_modify"), defined as (_PAGE_CHG_MASK |
+_PAGE_PSE) -- will no longer differ from _PAGE_CHG_MASK. If such
+modification of _PAGE_CHG_MASK was irrelevant to its users then one might
+wonder why that new _HPAGE_CHG_MASK symbol was introduced instead of
+reusing the existing one with that otherwise irrelevant bit (_PAGE_PSE in
+that case) added.
+
+Add _PAGE_PAT to _PAGE_CHG_MASK and _PAGE_PAT_LARGE to _HPAGE_CHG_MASK for
+symmetry. Split out common bits from both symbols to a common symbol for
+clarity.
+
+[ dhansen: tweak the solution changelog description ]
+
+[1] https://gitlab.freedesktop.org/drm/igt-gpu-tools/-/commit/0f0754413f14
+
+Fixes: 281d4078bec3 ("x86: Make page cache mode a real type")
+Signed-off-by: Janusz Krzysztofik
+Signed-off-by: Dave Hansen
+Reviewed-by: Andi Shyti
+Reviewed-by: Juergen Gross
+Tested-by: Marek Marczykowski-Górecki
+Link: https://gitlab.freedesktop.org/drm/intel/-/issues/7648
+Link: https://lore.kernel.org/all/20230710073613.8006-2-janusz.krzysztofik%40linux.intel.com
+Signed-off-by: Sasha Levin
+---
+ arch/x86/include/asm/pgtable_types.h | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/arch/x86/include/asm/pgtable_types.h b/arch/x86/include/asm/pgtable_types.h
+index 394757ee030a6..85baa72cb8947 100644
+--- a/arch/x86/include/asm/pgtable_types.h
++++ b/arch/x86/include/asm/pgtable_types.h
+@@ -125,11 +125,12 @@
+ * instance, and is *not* included in this mask since
+ * pte_modify() does modify it.
+ */
+-#define _PAGE_CHG_MASK (PTE_PFN_MASK | _PAGE_PCD | _PAGE_PWT | \
+- _PAGE_SPECIAL | _PAGE_ACCESSED | _PAGE_DIRTY | \
+- _PAGE_SOFT_DIRTY | _PAGE_DEVMAP | _PAGE_ENC | \
+- _PAGE_UFFD_WP)
+-#define _HPAGE_CHG_MASK (_PAGE_CHG_MASK | _PAGE_PSE)
++#define _COMMON_PAGE_CHG_MASK (PTE_PFN_MASK | _PAGE_PCD | _PAGE_PWT | \
++ _PAGE_SPECIAL | _PAGE_ACCESSED | _PAGE_DIRTY |\
++ _PAGE_SOFT_DIRTY | _PAGE_DEVMAP | _PAGE_ENC | \
++ _PAGE_UFFD_WP)
++#define _PAGE_CHG_MASK (_COMMON_PAGE_CHG_MASK | _PAGE_PAT)
++#define _HPAGE_CHG_MASK (_COMMON_PAGE_CHG_MASK | _PAGE_PSE | _PAGE_PAT_LARGE)
+
+ /*
+ * The cache modes defined here are used to translate between pure SW usage
+--
+2.40.1
+
diff --git a/queue-5.10/x86-speculation-mark-all-skylake-cpus-as-vulnerable-.patch b/queue-5.10/x86-speculation-mark-all-skylake-cpus-as-vulnerable-.patch
new file mode 100644
index 00000000000..4181a0602bf
--- /dev/null
+++ b/queue-5.10/x86-speculation-mark-all-skylake-cpus-as-vulnerable-.patch
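Review bot: The three masks in the pgtable_types.h hunk are defined without a comment saying why `_PAGE_CHG_MASK` carries `_PAGE_PAT` while `_HPAGE_CHG_MASK` carries `_PAGE_PSE | _PAGE_PAT_LARGE`; the reason (per the commit message, `_PAGE_PAT` is the same bit as `_PAGE_PSE`) lives only in the changelog. A short comment above `_COMMON_PAGE_CHG_MASK` would keep it with the code, e.g. `/* _PAGE_PAT aliases _PAGE_PSE, so huge entries preserve _PAGE_PAT_LARGE instead */`. The second continuation line of `_COMMON_PAGE_CHG_MASK` also ends in `|\` without the space used on the other lines. The comment block above the macros starts outside the hunk.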
@@ -0,0 +1,76 @@
+From 6a2510c3b484da954882e3d1096a5c27fd858d73 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 29 Aug 2023 08:07:25 -0700
+Subject: x86/speculation: Mark all Skylake CPUs as vulnerable to GDS
+
+From: Dave Hansen
+
+[ Upstream commit c9f4c45c8ec3f07f4f083f9750032a1ec3eab6b2 ]
+
+The Gather Data Sampling (GDS) vulnerability is common to all Skylake
+processors. However, the "client" Skylakes* are now in this list:
+
+ https://www.intel.com/content/www/us/en/support/articles/000022396/processors.html
+
+which means they are no longer included for new vulnerabilities here:
+
+ https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/processors-affected-consolidated-product-cpu-model.html
+
+or in other GDS documentation. Thus, they were not included in the
+original GDS mitigation patches.
+
+Mark SKYLAKE and SKYLAKE_L as vulnerable to GDS to match all the
+other Skylake CPUs (which include Kaby Lake). Also group the CPUs
+so that the ones that share the exact same vulnerabilities are next
+to each other.
+
+Last, move SRBDS to the end of each line. This makes it clear at a
+glance that SKYLAKE_X is unique. Of the five Skylakes, it is the
+only "server" CPU and has a different implementation from the
+clients of the "special register" hardware, making it immune to SRBDS.
+
+This makes the diff much harder to read, but the resulting table is
+worth it.
+
+I very much appreciate the report from Michael Zhivich about this
+issue. Despite what level of support a hardware vendor is providing,
+the kernel very much needs an accurate and up-to-date list of
+vulnerable CPUs. More reports like this are very welcome.
+
+* Client Skylakes are CPUID 406E3/506E3 which is family 6, models
+ 0x4E and 0x5E, aka INTEL_FAM6_SKYLAKE and INTEL_FAM6_SKYLAKE_L.
+
+Reported-by: Michael Zhivich
+Fixes: 8974eb588283 ("x86/speculation: Add Gather Data Sampling mitigation")
+Signed-off-by: Dave Hansen
+Signed-off-by: Ingo Molnar
+Reviewed-by: Daniel Sneddon
+Cc: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ arch/x86/kernel/cpu/common.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
+index c1ff75ad11358..4ecc6072e9a48 100644
+--- a/arch/x86/kernel/cpu/common.c
++++ b/arch/x86/kernel/cpu/common.c
+@@ -1145,11 +1145,11 @@ static const struct x86_cpu_id cpu_vuln_blacklist[] __initconst = {
+ VULNBL_INTEL_STEPPINGS(BROADWELL_G, X86_STEPPING_ANY, SRBDS),
+ VULNBL_INTEL_STEPPINGS(BROADWELL_X, X86_STEPPING_ANY, MMIO),
+ VULNBL_INTEL_STEPPINGS(BROADWELL, X86_STEPPING_ANY, SRBDS),
+- VULNBL_INTEL_STEPPINGS(SKYLAKE_L, X86_STEPPING_ANY, SRBDS | MMIO | RETBLEED),
+ VULNBL_INTEL_STEPPINGS(SKYLAKE_X, X86_STEPPING_ANY, MMIO | RETBLEED | GDS),
+- VULNBL_INTEL_STEPPINGS(SKYLAKE, X86_STEPPING_ANY, SRBDS | MMIO | RETBLEED),
+- VULNBL_INTEL_STEPPINGS(KABYLAKE_L, X86_STEPPING_ANY, SRBDS | MMIO | RETBLEED | GDS),
+- VULNBL_INTEL_STEPPINGS(KABYLAKE, X86_STEPPING_ANY, SRBDS | MMIO | RETBLEED | GDS),
++ VULNBL_INTEL_STEPPINGS(SKYLAKE_L, X86_STEPPING_ANY, MMIO | RETBLEED | GDS | SRBDS),
++ VULNBL_INTEL_STEPPINGS(SKYLAKE, X86_STEPPING_ANY, MMIO | RETBLEED | GDS | SRBDS),
++ VULNBL_INTEL_STEPPINGS(KABYLAKE_L, X86_STEPPING_ANY, MMIO | RETBLEED | GDS | SRBDS),
++ VULNBL_INTEL_STEPPINGS(KABYLAKE, X86_STEPPING_ANY, MMIO | RETBLEED | GDS | SRBDS),
+ VULNBL_INTEL_STEPPINGS(CANNONLAKE_L, X86_STEPPING_ANY, RETBLEED),
+ VULNBL_INTEL_STEPPINGS(ICELAKE_L, X86_STEPPING_ANY, MMIO | MMIO_SBDS | RETBLEED | GDS),
+ VULNBL_INTEL_STEPPINGS(ICELAKE_D, X86_STEPPING_ANY, MMIO | GDS),
+--
+2.40.1
+
--
2.47.3