From f6beece6406485ed98868824c86a5918b54f7001 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Mon, 5 Sep 2022 08:52:09 -0400 Subject: [PATCH] Fixes for 5.19 Signed-off-by: Sasha Levin --- ...hlt-correct-the-handling-of-fmt_conf.patch | 57 ++++ ...ent-fix-checking-conn-for-le_conn_co.patch | 41 +++ ...ent-fix-vendor-unknown-opcode-status.patch | 72 +++++ ...nc-fix-suspend-performance-regressio.patch | 58 ++++ ...nc-hold-hdev-lock-when-cleanup-hci_c.patch | 42 +++ ...s-to-accept-pointers-with-a-fixed-si.patch | 165 ++++++++++++ ...-kernel-bug-in-purge_effective_progs.patch | 107 ++++++++ ...n_precision-for-arg_const_alloc_size.patch | 102 ++++++++ ...fix-a-data-race-around-bpf_jit_limit.patch | 38 +++ ...-restrict-bpf_sys_bpf-to-cap_perfmon.patch | 41 +++ .../bpf-tidy-up-verifier-check_func_arg.patch | 185 +++++++++++++ ...rror-return-code-in-cachefiles_ondem.patch | 61 +++++ ...on-demand-request-distribution-faire.patch | 80 ++++++ ...-avoid-warnings-when-registering-dua.patch | 83 ++++++ ...rm-i915-fix-null-pointer-dereference.patch | 99 +++++++ queue-5.19/drm-i915-gvt-fix-comet-lake.patch | 42 +++ .../drm-i915-ttm-fix-ccs-handling.patch | 138 ++++++++++ ...e-dp_recovered_clock_out_en-to-fix-t.patch | 65 +++++ ...edp-panel-as-the-first-connected-con.patch | 57 ++++ ...late-wb-or-intf-before-reset_intf_cf.patch | 48 ++++ ...number-of-regulators-for-msm8996_dsi.patch | 39 +++ ...-fix-number-of-regulators-for-sdm660.patch | 41 +++ ...m-dsi-fix-the-inconsistent-indenting.patch | 43 +++ ...-qos-request-if-devm_devfreq_add_dev.patch | 44 ++++ ...fix-sleep-in-atomic-context-bug-in-n.patch | 57 ++++ ...adf7242-defer-destroy_workqueue-call.patch | 60 +++++ ...adc-mcp3911-make-use-of-the-sign-bit.patch | 37 +++ ...t-tunnel-key-s-flow_flags-in-ip-tunn.patch | 117 +++++++++ .../kcm-fix-strp_init-order-and-cleanup.patch | 74 ++++++ ...e-compute-mdio-period-based-on-i1clk.patch | 247 ++++++++++++++++++ ...eleting-kobject-in-kmem_cache_destro.patch | 159 +++++++++++ ...use-irqsave-variant-for-u64-stats-up.patch | 65 +++++ ...ove-error-handle-in-lan966x_fdma_rx_.patch | 47 ++++ ...el-make-the-gpio-to-be-non-exclusive.patch | 54 ++++ ...tdevice-reference-leaks-in-attach_de.patch | 111 ++++++++ ...n-t-call-qdisc_put-while-holding-tre.patch | 54 ++++ ...c-remove-redundant-refcount-increase.patch | 37 +++ ...p-and-start-phy-during-suspend-and-r.patch | 61 +++++ ...andling-uneven-length-packets-in-man.patch | 40 +++ ...ingress-police-using-matchall-filter.patch | 50 ++++ ...memory-leak-at-failed-datapath-creat.patch | 73 ++++++ ...error-check-return-value-of-platform.patch | 39 +++ ...lanox-mlxreg-lc-fix-coverity-warning.patch | 40 +++ ...mellanox-mlxreg-lc-fix-locking-issue.patch | 176 +++++++++++++ ...-pmc_atom-fix-slp_typx-bitfield-mask.patch | 67 +++++ ...-android-tablets-fix-broken-touchscr.patch | 71 +++++ ...return-__net_xmit_stolen-when-consum.patch | 54 ++++ ...xhci-turn-off-port-power-in-shutdown.patch | 94 +++++++ ...__net_xmit_stolen-when-consuming-enq.patch | 61 +++++ queue-5.19/series | 60 +++++ ...rong-last-sg-check-in-sk_msg_recvmsg.patch | 67 +++++ ...e-qcom-fix-device-status-array-range.patch | 59 +++++ ...data-race-around-challenge_timestamp.patch | 47 ++++ ...d-helper-functions-to-enable-disable.patch | 107 ++++++++ ...nfigure-wakeup-interrupts-during-sus.patch | 155 +++++++++++ ...-qcom-fix-peripheral-and-otg-suspend.patch | 78 ++++++ .../usb-dwc3-qcom-fix-runtime-pm-wakeup.patch | 110 ++++++++ ...x-use-after-free-on-runtime-pm-wakeu.patch | 82 ++++++ ...bugfs-fix-return-type-in-ht40allow_m.patch | 41 +++ ...inter-dereference-in-remove-if-xhc-h.patch | 55 ++++ ...orrupted-packets-for-xdp_shared_umem.patch | 70 +++++ 61 files changed, 4624 insertions(+) create mode 100644 queue-5.19/alsa-hda-intel-nhlt-correct-the-handling-of-fmt_conf.patch create mode 100644 queue-5.19/bluetooth-hci_event-fix-checking-conn-for-le_conn_co.patch create mode 100644 queue-5.19/bluetooth-hci_event-fix-vendor-unknown-opcode-status.patch create mode 100644 queue-5.19/bluetooth-hci_sync-fix-suspend-performance-regressio.patch create mode 100644 queue-5.19/bluetooth-hci_sync-hold-hdev-lock-when-cleanup-hci_c.patch create mode 100644 queue-5.19/bpf-allow-helpers-to-accept-pointers-with-a-fixed-si.patch create mode 100644 queue-5.19/bpf-cgroup-fix-kernel-bug-in-purge_effective_progs.patch create mode 100644 queue-5.19/bpf-do-mark_chain_precision-for-arg_const_alloc_size.patch create mode 100644 queue-5.19/bpf-fix-a-data-race-around-bpf_jit_limit.patch create mode 100644 queue-5.19/bpf-restrict-bpf_sys_bpf-to-cap_perfmon.patch create mode 100644 queue-5.19/bpf-tidy-up-verifier-check_func_arg.patch create mode 100644 queue-5.19/cachefiles-fix-error-return-code-in-cachefiles_ondem.patch create mode 100644 queue-5.19/cachefiles-make-on-demand-request-distribution-faire.patch create mode 100644 queue-5.19/drm-i915-display-avoid-warnings-when-registering-dua.patch create mode 100644 queue-5.19/drm-i915-fix-null-pointer-dereference.patch create mode 100644 queue-5.19/drm-i915-gvt-fix-comet-lake.patch create mode 100644 queue-5.19/drm-i915-ttm-fix-ccs-handling.patch create mode 100644 queue-5.19/drm-msm-dp-delete-dp_recovered_clock_out_en-to-fix-t.patch create mode 100644 queue-5.19/drm-msm-dp-make-edp-panel-as-the-first-connected-con.patch create mode 100644 queue-5.19/drm-msm-dpu-populate-wb-or-intf-before-reset_intf_cf.patch create mode 100644 queue-5.19/drm-msm-dsi-fix-number-of-regulators-for-msm8996_dsi.patch create mode 100644 queue-5.19/drm-msm-dsi-fix-number-of-regulators-for-sdm660.patch create mode 100644 queue-5.19/drm-msm-dsi-fix-the-inconsistent-indenting.patch create mode 100644 queue-5.19/drm-msm-gpu-drop-qos-request-if-devm_devfreq_add_dev.patch create mode 100644 queue-5.19/ethernet-rocker-fix-sleep-in-atomic-context-bug-in-n.patch create mode 100644 queue-5.19/ieee802154-adf7242-defer-destroy_workqueue-call.patch create mode 100644 queue-5.19/iio-adc-mcp3911-make-use-of-the-sign-bit.patch create mode 100644 queue-5.19/ip_tunnel-respect-tunnel-key-s-flow_flags-in-ip-tunn.patch create mode 100644 queue-5.19/kcm-fix-strp_init-order-and-cleanup.patch create mode 100644 queue-5.19/mlxbf_gige-compute-mdio-period-based-on-i1clk.patch create mode 100644 queue-5.19/mm-slab_common-deleting-kobject-in-kmem_cache_destro.patch create mode 100644 queue-5.19/net-dsa-xrs700x-use-irqsave-variant-for-u64-stats-up.patch create mode 100644 queue-5.19/net-lan966x-improve-error-handle-in-lan966x_fdma_rx_.patch create mode 100644 queue-5.19/net-phy-micrel-make-the-gpio-to-be-non-exclusive.patch create mode 100644 queue-5.19/net-sched-fix-netdevice-reference-leaks-in-attach_de.patch create mode 100644 queue-5.19/net-sched-tbf-don-t-call-qdisc_put-while-holding-tre.patch create mode 100644 queue-5.19/net-smc-remove-redundant-refcount-increase.patch create mode 100644 queue-5.19/net-smsc911x-stop-and-start-phy-during-suspend-and-r.patch create mode 100644 queue-5.19/net-sparx5-fix-handling-uneven-length-packets-in-man.patch create mode 100644 queue-5.19/nfp-flower-fix-ingress-police-using-matchall-filter.patch create mode 100644 queue-5.19/openvswitch-fix-memory-leak-at-failed-datapath-creat.patch create mode 100644 queue-5.19/peci-aspeed-fix-error-check-return-value-of-platform.patch create mode 100644 queue-5.19/platform-mellanox-mlxreg-lc-fix-coverity-warning.patch create mode 100644 queue-5.19/platform-mellanox-mlxreg-lc-fix-locking-issue.patch create mode 100644 queue-5.19/platform-x86-pmc_atom-fix-slp_typx-bitfield-mask.patch create mode 100644 queue-5.19/platform-x86-x86-android-tablets-fix-broken-touchscr.patch create mode 100644 queue-5.19/revert-sch_cake-return-__net_xmit_stolen-when-consum.patch create mode 100644 queue-5.19/revert-xhci-turn-off-port-power-in-shutdown.patch create mode 100644 queue-5.19/sch_cake-return-__net_xmit_stolen-when-consuming-enq.patch create mode 100644 queue-5.19/series create mode 100644 queue-5.19/skmsg-fix-wrong-last-sg-check-in-sk_msg_recvmsg.patch create mode 100644 queue-5.19/soundwire-qcom-fix-device-status-array-range.patch create mode 100644 queue-5.19/tcp-annotate-data-race-around-challenge_timestamp.patch create mode 100644 queue-5.19/usb-dwc3-qcom-add-helper-functions-to-enable-disable.patch create mode 100644 queue-5.19/usb-dwc3-qcom-configure-wakeup-interrupts-during-sus.patch create mode 100644 queue-5.19/usb-dwc3-qcom-fix-peripheral-and-otg-suspend.patch create mode 100644 queue-5.19/usb-dwc3-qcom-fix-runtime-pm-wakeup.patch create mode 100644 queue-5.19/usb-dwc3-qcom-fix-use-after-free-on-runtime-pm-wakeu.patch create mode 100644 queue-5.19/wifi-cfg80211-debugfs-fix-return-type-in-ht40allow_m.patch create mode 100644 queue-5.19/xhci-fix-null-pointer-dereference-in-remove-if-xhc-h.patch create mode 100644 queue-5.19/xsk-fix-corrupted-packets-for-xdp_shared_umem.patch diff --git a/queue-5.19/alsa-hda-intel-nhlt-correct-the-handling-of-fmt_conf.patch b/queue-5.19/alsa-hda-intel-nhlt-correct-the-handling-of-fmt_conf.patch new file mode 100644 index 00000000000..f826f371b41 --- /dev/null +++ b/queue-5.19/alsa-hda-intel-nhlt-correct-the-handling-of-fmt_conf.patch @@ -0,0 +1,57 @@ +From 26fb30cff9fc962bc4cf5192ed2c415a4c260532 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Aug 2022 15:24:05 +0300 +Subject: ALSA: hda: intel-nhlt: Correct the handling of fmt_config flexible + array + +From: Peter Ujfalusi + +[ Upstream commit 2e6481a3f3ee6234ce577454e1d88aca55f51d47 ] + +The struct nhlt_format's fmt_config is a flexible array, it must not be +used as normal array. +When moving to the next nhlt_fmt_cfg we need to take into account the data +behind the ->config.caps (indicated by ->config.size). + +Fixes: a864e8f159b13 ("ALSA: hda: intel-nhlt: verify config type") +Signed-off-by: Peter Ujfalusi +Reviewed-by: Pierre-Louis Bossart +Reviewed-by: Jaska Uimonen +Link: https://lore.kernel.org/r/20220823122405.18464-1-peter.ujfalusi@linux.intel.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/hda/intel-nhlt.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/sound/hda/intel-nhlt.c b/sound/hda/intel-nhlt.c +index 9db5ccd9aa2db..13bb0ccfb36c0 100644 +--- a/sound/hda/intel-nhlt.c ++++ b/sound/hda/intel-nhlt.c +@@ -55,16 +55,22 @@ int intel_nhlt_get_dmic_geo(struct device *dev, struct nhlt_acpi_table *nhlt) + + /* find max number of channels based on format_configuration */ + if (fmt_configs->fmt_count) { ++ struct nhlt_fmt_cfg *fmt_cfg = fmt_configs->fmt_config; ++ + dev_dbg(dev, "found %d format definitions\n", + fmt_configs->fmt_count); + + for (i = 0; i < fmt_configs->fmt_count; i++) { + struct wav_fmt_ext *fmt_ext; + +- fmt_ext = &fmt_configs->fmt_config[i].fmt_ext; ++ fmt_ext = &fmt_cfg->fmt_ext; + + if (fmt_ext->fmt.channels > max_ch) + max_ch = fmt_ext->fmt.channels; ++ ++ /* Move to the next nhlt_fmt_cfg */ ++ fmt_cfg = (struct nhlt_fmt_cfg *)(fmt_cfg->config.caps + ++ fmt_cfg->config.size); + } + dev_dbg(dev, "max channels found %d\n", max_ch); + } else { +-- +2.35.1 + diff --git a/queue-5.19/bluetooth-hci_event-fix-checking-conn-for-le_conn_co.patch b/queue-5.19/bluetooth-hci_event-fix-checking-conn-for-le_conn_co.patch new file mode 100644 index 00000000000..e138b1fc923 --- /dev/null +++ b/queue-5.19/bluetooth-hci_event-fix-checking-conn-for-le_conn_co.patch @@ -0,0 +1,41 @@ +From 970e90bfae2c7ba0abf9469f273ad22d3197d8b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Aug 2022 12:39:22 +0800 +Subject: Bluetooth: hci_event: Fix checking conn for le_conn_complete_evt + +From: Archie Pusaka + +[ Upstream commit f48735a9aaf8258f39918e13adf464ccd7dce33b ] + +To prevent multiple conn complete events, we shouldn't look up the +conn with hci_lookup_le_connect, since it requires the state to be +BT_CONNECT. By the time the duplicate event is processed, the state +might have changed, so we end up processing the new event anyway. + +Change the lookup function to hci_conn_hash_lookup_ba. + +Fixes: d5ebaa7c5f6f6 ("Bluetooth: hci_event: Ignore multiple conn complete events") +Signed-off-by: Archie Pusaka +Reviewed-by: Sonny Sasaka +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_event.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c +index 67c61f5240596..2c320a8fe70d7 100644 +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -5568,7 +5568,7 @@ static void le_conn_complete_evt(struct hci_dev *hdev, u8 status, + */ + hci_dev_clear_flag(hdev, HCI_LE_ADV); + +- conn = hci_lookup_le_connect(hdev); ++ conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, bdaddr); + if (!conn) { + /* In case of error status and there is no connection pending + * just unlock as there is nothing to cleanup. +-- +2.35.1 + diff --git a/queue-5.19/bluetooth-hci_event-fix-vendor-unknown-opcode-status.patch b/queue-5.19/bluetooth-hci_event-fix-vendor-unknown-opcode-status.patch new file mode 100644 index 00000000000..08217ce0aab --- /dev/null +++ b/queue-5.19/bluetooth-hci_event-fix-vendor-unknown-opcode-status.patch @@ -0,0 +1,72 @@ +From ffdbd7535888af8bf865b5db8d070057b7579aab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 7 Aug 2022 22:57:40 +0200 +Subject: Bluetooth: hci_event: Fix vendor (unknown) opcode status handling + +From: Hans de Goede + +[ Upstream commit b82a26d8633cc89367fac75beb3ec33061bea44a ] + +Commit c8992cffbe74 ("Bluetooth: hci_event: Use of a function table to +handle Command Complete") was (presumably) meant to only refactor things +without any functional changes. + +But it does have one undesirable side-effect, before *status would always +be set to skb->data[0] and it might be overridden by some of the opcode +specific handling. While now it always set by the opcode specific handlers. +This means that if the opcode is not known *status does not get set any +more at all! + +This behavior change has broken bluetooth support for BCM4343A0 HCIs, +the hci_bcm.c code tries to configure UART attached HCIs at a higher +baudraute using vendor specific opcodes. The BCM4343A0 does not +support this and this used to simply fail: + +[ 25.646442] Bluetooth: hci0: BCM: failed to write clock (-56) +[ 25.646481] Bluetooth: hci0: Failed to set baudrate + +After which things would continue with the initial baudraute. But now +that hci_cmd_complete_evt() no longer sets status for unknown opcodes +*status is left at 0. This causes the hci_bcm.c code to think the baudraute +has been changed on the HCI side and to also adjust the UART baudrate, +after which communication with the HCI is broken, leading to: + +[ 28.579042] Bluetooth: hci0: command 0x0c03 tx timeout +[ 36.961601] Bluetooth: hci0: BCM: Reset failed (-110) + +And non working bluetooth. Fix this by restoring the previous +default "*status = skb->data[0]" handling for unknown opcodes. + +Fixes: c8992cffbe74 ("Bluetooth: hci_event: Use of a function table to handle Command Complete") +Signed-off-by: Hans de Goede +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_event.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c +index 7cb956d3abb26..67c61f5240596 100644 +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -3998,6 +3998,17 @@ static void hci_cmd_complete_evt(struct hci_dev *hdev, void *data, + } + } + ++ if (i == ARRAY_SIZE(hci_cc_table)) { ++ /* Unknown opcode, assume byte 0 contains the status, so ++ * that e.g. __hci_cmd_sync() properly returns errors ++ * for vendor specific commands send by HCI drivers. ++ * If a vendor doesn't actually follow this convention we may ++ * need to introduce a vendor CC table in order to properly set ++ * the status. ++ */ ++ *status = skb->data[0]; ++ } ++ + handle_cmd_cnt_and_timer(hdev, ev->ncmd); + + hci_req_cmd_complete(hdev, *opcode, *status, req_complete, +-- +2.35.1 + diff --git a/queue-5.19/bluetooth-hci_sync-fix-suspend-performance-regressio.patch b/queue-5.19/bluetooth-hci_sync-fix-suspend-performance-regressio.patch new file mode 100644 index 00000000000..5dbf36b3fce --- /dev/null +++ b/queue-5.19/bluetooth-hci_sync-fix-suspend-performance-regressio.patch @@ -0,0 +1,58 @@ +From 211a156dbb5638ca8db3c06fc5103961d078ae41 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Aug 2022 14:20:46 -0700 +Subject: Bluetooth: hci_sync: Fix suspend performance regression + +From: Luiz Augusto von Dentz + +[ Upstream commit 1fd02d56dae35b08e4cba8e6bd2c2e7ccff68ecc ] + +This attempts to fix suspend performance when there is no connections by +not updating the event mask. + +Fixes: ef61b6ea1544 ("Bluetooth: Always set event mask on suspend") +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_sync.c | 24 ++++++++++++++---------- + 1 file changed, 14 insertions(+), 10 deletions(-) + +diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c +index b5e7d4b8ab24a..2012f23158839 100644 +--- a/net/bluetooth/hci_sync.c ++++ b/net/bluetooth/hci_sync.c +@@ -4967,17 +4967,21 @@ int hci_suspend_sync(struct hci_dev *hdev) + /* Prevent disconnects from causing scanning to be re-enabled */ + hci_pause_scan_sync(hdev); + +- /* Soft disconnect everything (power off) */ +- err = hci_disconnect_all_sync(hdev, HCI_ERROR_REMOTE_POWER_OFF); +- if (err) { +- /* Set state to BT_RUNNING so resume doesn't notify */ +- hdev->suspend_state = BT_RUNNING; +- hci_resume_sync(hdev); +- return err; +- } ++ if (hci_conn_count(hdev)) { ++ /* Soft disconnect everything (power off) */ ++ err = hci_disconnect_all_sync(hdev, HCI_ERROR_REMOTE_POWER_OFF); ++ if (err) { ++ /* Set state to BT_RUNNING so resume doesn't notify */ ++ hdev->suspend_state = BT_RUNNING; ++ hci_resume_sync(hdev); ++ return err; ++ } + +- /* Update event mask so only the allowed event can wakeup the host */ +- hci_set_event_mask_sync(hdev); ++ /* Update event mask so only the allowed event can wakeup the ++ * host. ++ */ ++ hci_set_event_mask_sync(hdev); ++ } + + /* Only configure accept list if disconnect succeeded and wake + * isn't being prevented. +-- +2.35.1 + diff --git a/queue-5.19/bluetooth-hci_sync-hold-hdev-lock-when-cleanup-hci_c.patch b/queue-5.19/bluetooth-hci_sync-hold-hdev-lock-when-cleanup-hci_c.patch new file mode 100644 index 00000000000..e213f780943 --- /dev/null +++ b/queue-5.19/bluetooth-hci_sync-hold-hdev-lock-when-cleanup-hci_c.patch @@ -0,0 +1,42 @@ +From e16abccdeaae95c011c8f0b071165e2a13f28250 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Aug 2022 10:28:08 -0700 +Subject: Bluetooth: hci_sync: hold hdev->lock when cleanup hci_conn + +From: Zhengping Jiang + +[ Upstream commit 2da8eb834b775a9d1acea6214d3e4a78ac841e6e ] + +When disconnecting all devices, hci_conn_failed is used to cleanup +hci_conn object when the hci_conn object cannot be aborted. +The function hci_conn_failed requires the caller holds hdev->lock. + +Fixes: 9b3628d79b46f ("Bluetooth: hci_sync: Cleanup hci_conn if it cannot be aborted") +Signed-off-by: Zhengping Jiang +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_sync.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c +index 2012f23158839..3b4cee67bbd60 100644 +--- a/net/bluetooth/hci_sync.c ++++ b/net/bluetooth/hci_sync.c +@@ -4452,9 +4452,11 @@ static int hci_abort_conn_sync(struct hci_dev *hdev, struct hci_conn *conn, + /* Cleanup hci_conn object if it cannot be cancelled as it + * likelly means the controller and host stack are out of sync. + */ +- if (err) ++ if (err) { ++ hci_dev_lock(hdev); + hci_conn_failed(conn, err); +- ++ hci_dev_unlock(hdev); ++ } + return err; + case BT_CONNECT2: + return hci_reject_conn_sync(hdev, conn, reason); +-- +2.35.1 + diff --git a/queue-5.19/bpf-allow-helpers-to-accept-pointers-with-a-fixed-si.patch b/queue-5.19/bpf-allow-helpers-to-accept-pointers-with-a-fixed-si.patch new file mode 100644 index 00000000000..4253d5679ce --- /dev/null +++ b/queue-5.19/bpf-allow-helpers-to-accept-pointers-with-a-fixed-si.patch @@ -0,0 +1,165 @@ +From 44da356255c120c508d056f23bd426fb95a92f13 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Jun 2022 16:48:43 +0300 +Subject: bpf: Allow helpers to accept pointers with a fixed size + +From: Maxim Mikityanskiy + +[ Upstream commit 508362ac66b0478affb4e52cb8da98478312d72d ] + +Before this commit, the BPF verifier required ARG_PTR_TO_MEM arguments +to be followed by ARG_CONST_SIZE holding the size of the memory region. +The helpers had to check that size in runtime. + +There are cases where the size expected by a helper is a compile-time +constant. Checking it in runtime is an unnecessary overhead and waste of +BPF registers. + +This commit allows helpers to accept pointers to memory without the +corresponding ARG_CONST_SIZE, given that they define the memory region +size in struct bpf_func_proto and use ARG_PTR_TO_FIXED_SIZE_MEM type. + +arg_size is unionized with arg_btf_id to reduce the kernel image size, +and it's valid because they are used by different argument types. + +Signed-off-by: Maxim Mikityanskiy +Reviewed-by: Tariq Toukan +Link: https://lore.kernel.org/r/20220615134847.3753567-3-maximmi@nvidia.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + include/linux/bpf.h | 13 +++++++++++++ + kernel/bpf/verifier.c | 43 ++++++++++++++++++++++++++++++++----------- + 2 files changed, 45 insertions(+), 11 deletions(-) + +diff --git a/include/linux/bpf.h b/include/linux/bpf.h +index 7424cf234ae03..ed352c00330cd 100644 +--- a/include/linux/bpf.h ++++ b/include/linux/bpf.h +@@ -398,6 +398,9 @@ enum bpf_type_flag { + /* DYNPTR points to a ringbuf record. */ + DYNPTR_TYPE_RINGBUF = BIT(9 + BPF_BASE_TYPE_BITS), + ++ /* Size is known at compile time. */ ++ MEM_FIXED_SIZE = BIT(10 + BPF_BASE_TYPE_BITS), ++ + __BPF_TYPE_FLAG_MAX, + __BPF_TYPE_LAST_FLAG = __BPF_TYPE_FLAG_MAX - 1, + }; +@@ -461,6 +464,8 @@ enum bpf_arg_type { + * all bytes or clear them in error case. + */ + ARG_PTR_TO_UNINIT_MEM = MEM_UNINIT | ARG_PTR_TO_MEM, ++ /* Pointer to valid memory of size known at compile time. */ ++ ARG_PTR_TO_FIXED_SIZE_MEM = MEM_FIXED_SIZE | ARG_PTR_TO_MEM, + + /* This must be the last entry. Its purpose is to ensure the enum is + * wide enough to hold the higher bits reserved for bpf_type_flag. +@@ -526,6 +531,14 @@ struct bpf_func_proto { + u32 *arg5_btf_id; + }; + u32 *arg_btf_id[5]; ++ struct { ++ size_t arg1_size; ++ size_t arg2_size; ++ size_t arg3_size; ++ size_t arg4_size; ++ size_t arg5_size; ++ }; ++ size_t arg_size[5]; + }; + int *ret_btf_id; /* return value btf_id */ + bool (*allowed)(const struct bpf_prog *prog); +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index 0e45d405f151c..f0dd73bf69ddf 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -5847,6 +5847,7 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg, + struct bpf_reg_state *regs = cur_regs(env), *reg = ®s[regno]; + enum bpf_arg_type arg_type = fn->arg_type[arg]; + enum bpf_reg_type type = reg->type; ++ u32 *arg_btf_id = NULL; + int err = 0; + + if (arg_type == ARG_DONTCARE) +@@ -5883,7 +5884,11 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg, + */ + goto skip_type_check; + +- err = check_reg_type(env, regno, arg_type, fn->arg_btf_id[arg], meta); ++ /* arg_btf_id and arg_size are in a union. */ ++ if (base_type(arg_type) == ARG_PTR_TO_BTF_ID) ++ arg_btf_id = fn->arg_btf_id[arg]; ++ ++ err = check_reg_type(env, regno, arg_type, arg_btf_id, meta); + if (err) + return err; + +@@ -6010,6 +6015,11 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg, + * next is_mem_size argument below. + */ + meta->raw_mode = arg_type & MEM_UNINIT; ++ if (arg_type & MEM_FIXED_SIZE) { ++ err = check_helper_mem_access(env, regno, ++ fn->arg_size[arg], false, ++ meta); ++ } + } else if (arg_type_is_mem_size(arg_type)) { + bool zero_size_allowed = (arg_type == ARG_CONST_SIZE_OR_ZERO); + +@@ -6400,11 +6410,19 @@ static bool check_raw_mode_ok(const struct bpf_func_proto *fn) + return count <= 1; + } + +-static bool check_args_pair_invalid(enum bpf_arg_type arg_curr, +- enum bpf_arg_type arg_next) ++static bool check_args_pair_invalid(const struct bpf_func_proto *fn, int arg) + { +- return (base_type(arg_curr) == ARG_PTR_TO_MEM) != +- arg_type_is_mem_size(arg_next); ++ bool is_fixed = fn->arg_type[arg] & MEM_FIXED_SIZE; ++ bool has_size = fn->arg_size[arg] != 0; ++ bool is_next_size = false; ++ ++ if (arg + 1 < ARRAY_SIZE(fn->arg_type)) ++ is_next_size = arg_type_is_mem_size(fn->arg_type[arg + 1]); ++ ++ if (base_type(fn->arg_type[arg]) != ARG_PTR_TO_MEM) ++ return is_next_size; ++ ++ return has_size == is_next_size || is_next_size == is_fixed; + } + + static bool check_arg_pair_ok(const struct bpf_func_proto *fn) +@@ -6415,11 +6433,11 @@ static bool check_arg_pair_ok(const struct bpf_func_proto *fn) + * helper function specification. + */ + if (arg_type_is_mem_size(fn->arg1_type) || +- base_type(fn->arg5_type) == ARG_PTR_TO_MEM || +- check_args_pair_invalid(fn->arg1_type, fn->arg2_type) || +- check_args_pair_invalid(fn->arg2_type, fn->arg3_type) || +- check_args_pair_invalid(fn->arg3_type, fn->arg4_type) || +- check_args_pair_invalid(fn->arg4_type, fn->arg5_type)) ++ check_args_pair_invalid(fn, 0) || ++ check_args_pair_invalid(fn, 1) || ++ check_args_pair_invalid(fn, 2) || ++ check_args_pair_invalid(fn, 3) || ++ check_args_pair_invalid(fn, 4)) + return false; + + return true; +@@ -6460,7 +6478,10 @@ static bool check_btf_id_ok(const struct bpf_func_proto *fn) + if (base_type(fn->arg_type[i]) == ARG_PTR_TO_BTF_ID && !fn->arg_btf_id[i]) + return false; + +- if (base_type(fn->arg_type[i]) != ARG_PTR_TO_BTF_ID && fn->arg_btf_id[i]) ++ if (base_type(fn->arg_type[i]) != ARG_PTR_TO_BTF_ID && fn->arg_btf_id[i] && ++ /* arg_btf_id and arg_size are in a union. */ ++ (base_type(fn->arg_type[i]) != ARG_PTR_TO_MEM || ++ !(fn->arg_type[i] & MEM_FIXED_SIZE))) + return false; + } + +-- +2.35.1 + diff --git a/queue-5.19/bpf-cgroup-fix-kernel-bug-in-purge_effective_progs.patch b/queue-5.19/bpf-cgroup-fix-kernel-bug-in-purge_effective_progs.patch new file mode 100644 index 00000000000..67e212be290 --- /dev/null +++ b/queue-5.19/bpf-cgroup-fix-kernel-bug-in-purge_effective_progs.patch @@ -0,0 +1,107 @@ +From d8cfa5e63a8533b53d4e5baf4c4c9e701a5e619b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 13 Aug 2022 21:40:30 +0800 +Subject: bpf, cgroup: Fix kernel BUG in purge_effective_progs + +From: Pu Lehui + +[ Upstream commit 7d6620f107bae6ed687ff07668e8e8f855487aa9 ] + +Syzkaller reported a triggered kernel BUG as follows: + + ------------[ cut here ]------------ + kernel BUG at kernel/bpf/cgroup.c:925! + invalid opcode: 0000 [#1] PREEMPT SMP NOPTI + CPU: 1 PID: 194 Comm: detach Not tainted 5.19.0-14184-g69dac8e431af #8 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS + rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 + RIP: 0010:__cgroup_bpf_detach+0x1f2/0x2a0 + Code: 00 e8 92 60 30 00 84 c0 75 d8 4c 89 e0 31 f6 85 f6 74 19 42 f6 84 + 28 48 05 00 00 02 75 0e 48 8b 80 c0 00 00 00 48 85 c0 75 e5 <0f> 0b 48 + 8b 0c5 + RSP: 0018:ffffc9000055bdb0 EFLAGS: 00000246 + RAX: 0000000000000000 RBX: ffff888100ec0800 RCX: ffffc900000f1000 + RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff888100ec4578 + RBP: 0000000000000000 R08: ffff888100ec0800 R09: 0000000000000040 + R10: 0000000000000000 R11: 0000000000000000 R12: ffff888100ec4000 + R13: 000000000000000d R14: ffffc90000199000 R15: ffff888100effb00 + FS: 00007f68213d2b80(0000) GS:ffff88813bc80000(0000) + knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 000055f74a0e5850 CR3: 0000000102836000 CR4: 00000000000006e0 + Call Trace: + + cgroup_bpf_prog_detach+0xcc/0x100 + __sys_bpf+0x2273/0x2a00 + __x64_sys_bpf+0x17/0x20 + do_syscall_64+0x3b/0x90 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + RIP: 0033:0x7f68214dbcb9 + Code: 08 44 89 e0 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 + f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 + f0 ff8 + RSP: 002b:00007ffeb487db68 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 + RAX: ffffffffffffffda RBX: 000000000000000b RCX: 00007f68214dbcb9 + RDX: 0000000000000090 RSI: 00007ffeb487db70 RDI: 0000000000000009 + RBP: 0000000000000003 R08: 0000000000000012 R09: 0000000b00000003 + R10: 00007ffeb487db70 R11: 0000000000000246 R12: 00007ffeb487dc20 + R13: 0000000000000004 R14: 0000000000000001 R15: 000055f74a1011b0 + + Modules linked in: + ---[ end trace 0000000000000000 ]--- + +Repetition steps: + +For the following cgroup tree, + + root + | + cg1 + | + cg2 + + 1. attach prog2 to cg2, and then attach prog1 to cg1, both bpf progs + attach type is NONE or OVERRIDE. + 2. write 1 to /proc/thread-self/fail-nth for failslab. + 3. detach prog1 for cg1, and then kernel BUG occur. + +Failslab injection will cause kmalloc fail and fall back to +purge_effective_progs. The problem is that cg2 have attached another prog, +so when go through cg2 layer, iteration will add pos to 1, and subsequent +operations will be skipped by the following condition, and cg will meet +NULL in the end. + + `if (pos && !(cg->bpf.flags[atype] & BPF_F_ALLOW_MULTI))` + +The NULL cg means no link or prog match, this is as expected, and it's not +a bug. So here just skip the no match situation. + +Fixes: 4c46091ee985 ("bpf: Fix KASAN use-after-free Read in compute_effective_progs") +Signed-off-by: Pu Lehui +Signed-off-by: Daniel Borkmann +Acked-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20220813134030.1972696-1-pulehui@huawei.com +Signed-off-by: Sasha Levin +--- + kernel/bpf/cgroup.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c +index 7a394f7c205c4..34dfa45ef4f3b 100644 +--- a/kernel/bpf/cgroup.c ++++ b/kernel/bpf/cgroup.c +@@ -762,8 +762,10 @@ static void purge_effective_progs(struct cgroup *cgrp, struct bpf_prog *prog, + pos++; + } + } ++ ++ /* no link or prog match, skip the cgroup of this layer */ ++ continue; + found: +- BUG_ON(!cg); + progs = rcu_dereference_protected( + desc->bpf.effective[atype], + lockdep_is_held(&cgroup_mutex)); +-- +2.35.1 + diff --git a/queue-5.19/bpf-do-mark_chain_precision-for-arg_const_alloc_size.patch b/queue-5.19/bpf-do-mark_chain_precision-for-arg_const_alloc_size.patch new file mode 100644 index 00000000000..08c1768cfb4 --- /dev/null +++ b/queue-5.19/bpf-do-mark_chain_precision-for-arg_const_alloc_size.patch @@ -0,0 +1,102 @@ +From 242382d8f9a13324889ac2d1d347cff58fa295c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Aug 2022 20:52:59 +0200 +Subject: bpf: Do mark_chain_precision for ARG_CONST_ALLOC_SIZE_OR_ZERO + +From: Kumar Kartikeya Dwivedi + +[ Upstream commit 2fc31465c5373b5ca4edf2e5238558cb62902311 ] + +Precision markers need to be propagated whenever we have an ARG_CONST_* +style argument, as the verifier cannot consider imprecise scalars to be +equivalent for the purposes of states_equal check when such arguments +refine the return value (in this case, set mem_size for PTR_TO_MEM). The +resultant mem_size for the R0 is derived from the constant value, and if +the verifier incorrectly prunes states considering them equivalent where +such arguments exist (by seeing that both registers have reg->precise as +false in regsafe), we can end up with invalid programs passing the +verifier which can do access beyond what should have been the correct +mem_size in that explored state. + +To show a concrete example of the problem: + +0000000000000000 : + 0: r2 = *(u32 *)(r1 + 80) + 1: r1 = *(u32 *)(r1 + 76) + 2: r3 = r1 + 3: r3 += 4 + 4: if r3 > r2 goto +18 + 5: w2 = 0 + 6: *(u32 *)(r1 + 0) = r2 + 7: r1 = *(u32 *)(r1 + 0) + 8: r2 = 1 + 9: if w1 == 0 goto +1 + 10: r2 = -1 + +0000000000000058 : + 11: r1 = 0 ll + 13: r3 = 0 + 14: call bpf_ringbuf_reserve + 15: if r0 == 0 goto +7 + 16: r1 = r0 + 17: r1 += 16777215 + 18: w2 = 0 + 19: *(u8 *)(r1 + 0) = r2 + 20: r1 = r0 + 21: r2 = 0 + 22: call bpf_ringbuf_submit + +00000000000000b8 : + 23: w0 = 0 + 24: exit + +For the first case, the single line execution's exploration will prune +the search at insn 14 for the branch insn 9's second leg as it will be +verified first using r2 = -1 (UINT_MAX), while as w1 at insn 9 will +always be 0 so at runtime we don't get error for being greater than +UINT_MAX/4 from bpf_ringbuf_reserve. The verifier during regsafe just +sees reg->precise as false for both r2 registers in both states, hence +considers them equal for purposes of states_equal. + +If we propagated precise markers using the backtracking support, we +would use the precise marking to then ensure that old r2 (UINT_MAX) was +within the new r2 (1) and this would never be true, so the verification +would rightfully fail. + +The end result is that the out of bounds access at instruction 19 would +be permitted without this fix. + +Note that reg->precise is always set to true when user does not have +CAP_BPF (or when subprog count is greater than 1 (i.e. use of any static +or global functions)), hence this is only a problem when precision marks +need to be explicitly propagated (i.e. privileged users with CAP_BPF). + +A simplified test case has been included in the next patch to prevent +future regressions. + +Fixes: 457f44363a88 ("bpf: Implement BPF ring buffer and verifier support for it") +Signed-off-by: Kumar Kartikeya Dwivedi +Link: https://lore.kernel.org/r/20220823185300.406-2-memxor@gmail.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/verifier.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index 20df58c351abf..339147061127a 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -6066,6 +6066,9 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg, + return -EACCES; + } + meta->mem_size = reg->var_off.value; ++ err = mark_chain_precision(env, regno); ++ if (err) ++ return err; + break; + case ARG_PTR_TO_INT: + case ARG_PTR_TO_LONG: +-- +2.35.1 + diff --git a/queue-5.19/bpf-fix-a-data-race-around-bpf_jit_limit.patch b/queue-5.19/bpf-fix-a-data-race-around-bpf_jit_limit.patch new file mode 100644 index 00000000000..14196ff76dd --- /dev/null +++ b/queue-5.19/bpf-fix-a-data-race-around-bpf_jit_limit.patch @@ -0,0 +1,38 @@ +From 1dfa4958fb37ffa974b5e15238d6a934fcb59c8e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Aug 2022 14:58:04 -0700 +Subject: bpf: Fix a data-race around bpf_jit_limit. + +From: Kuniyuki Iwashima + +[ Upstream commit 0947ae1121083d363d522ff7518ee72b55bd8d29 ] + +While reading bpf_jit_limit, it can be changed concurrently via sysctl, +WRITE_ONCE() in __do_proc_doulongvec_minmax(). The size of bpf_jit_limit +is long, so we need to add a paired READ_ONCE() to avoid load-tearing. + +Fixes: ede95a63b5e8 ("bpf: add bpf_jit_limit knob to restrict unpriv allocations") +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: Daniel Borkmann +Link: https://lore.kernel.org/bpf/20220823215804.2177-1-kuniyu@amazon.com +Signed-off-by: Sasha Levin +--- + kernel/bpf/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c +index fb6bd57228a84..cf44ff50b1f23 100644 +--- a/kernel/bpf/core.c ++++ b/kernel/bpf/core.c +@@ -1005,7 +1005,7 @@ pure_initcall(bpf_jit_charge_init); + + int bpf_jit_charge_modmem(u32 size) + { +- if (atomic_long_add_return(size, &bpf_jit_current) > bpf_jit_limit) { ++ if (atomic_long_add_return(size, &bpf_jit_current) > READ_ONCE(bpf_jit_limit)) { + if (!bpf_capable()) { + atomic_long_sub(size, &bpf_jit_current); + return -EPERM; +-- +2.35.1 + diff --git a/queue-5.19/bpf-restrict-bpf_sys_bpf-to-cap_perfmon.patch b/queue-5.19/bpf-restrict-bpf_sys_bpf-to-cap_perfmon.patch new file mode 100644 index 00000000000..5e3ac57e02e --- /dev/null +++ b/queue-5.19/bpf-restrict-bpf_sys_bpf-to-cap_perfmon.patch @@ -0,0 +1,41 @@ +From 702b62a2eead72e41d0ea01a15165d756708d4cf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Aug 2022 20:55:16 +0000 +Subject: bpf: Restrict bpf_sys_bpf to CAP_PERFMON + +From: YiFei Zhu + +[ Upstream commit 14b20b784f59bdd95f6f1cfb112c9818bcec4d84 ] + +The verifier cannot perform sufficient validation of any pointers passed +into bpf_attr and treats them as integers rather than pointers. The helper +will then read from arbitrary pointers passed into it. Restrict the helper +to CAP_PERFMON since the security model in BPF of arbitrary kernel read is +CAP_BPF + CAP_PERFMON. + +Fixes: af2ac3e13e45 ("bpf: Prepare bpf syscall to be used from kernel and user space.") +Signed-off-by: YiFei Zhu +Signed-off-by: Daniel Borkmann +Acked-by: Alexei Starovoitov +Link: https://lore.kernel.org/bpf/20220816205517.682470-1-zhuyifei@google.com +Signed-off-by: Sasha Levin +--- + kernel/bpf/syscall.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c +index 82e83cfb4114a..dd0fc2a86ce17 100644 +--- a/kernel/bpf/syscall.c ++++ b/kernel/bpf/syscall.c +@@ -5153,7 +5153,7 @@ syscall_prog_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog) + { + switch (func_id) { + case BPF_FUNC_sys_bpf: +- return &bpf_sys_bpf_proto; ++ return !perfmon_capable() ? NULL : &bpf_sys_bpf_proto; + case BPF_FUNC_btf_find_by_name_kind: + return &bpf_btf_find_by_name_kind_proto; + case BPF_FUNC_sys_close: +-- +2.35.1 + diff --git a/queue-5.19/bpf-tidy-up-verifier-check_func_arg.patch b/queue-5.19/bpf-tidy-up-verifier-check_func_arg.patch new file mode 100644 index 00000000000..989199ba2f1 --- /dev/null +++ b/queue-5.19/bpf-tidy-up-verifier-check_func_arg.patch @@ -0,0 +1,185 @@ +From 6e6a8741bc31447cde10a75a1e3e9b2d40a15aa0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Jul 2022 14:06:03 -0700 +Subject: bpf: Tidy up verifier check_func_arg() + +From: Joanne Koong + +[ Upstream commit 8ab4cdcf03d0b060fbf73f76460f199bbd759ff7 ] + +This patch does two things: + +1. For matching against the arg type, the match should be against the +base type of the arg type, since the arg type can have different +bpf_type_flags set on it. + +2. Uses switch casing to improve readability + efficiency. + +Signed-off-by: Joanne Koong +Acked-by: Hao Luo +Link: https://lore.kernel.org/r/20220712210603.123791-1-joannelkoong@gmail.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/verifier.c | 66 +++++++++++++++++++++++++------------------ + 1 file changed, 38 insertions(+), 28 deletions(-) + +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index f0dd73bf69ddf..20df58c351abf 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -5533,17 +5533,6 @@ static bool arg_type_is_mem_size(enum bpf_arg_type type) + type == ARG_CONST_SIZE_OR_ZERO; + } + +-static bool arg_type_is_alloc_size(enum bpf_arg_type type) +-{ +- return type == ARG_CONST_ALLOC_SIZE_OR_ZERO; +-} +- +-static bool arg_type_is_int_ptr(enum bpf_arg_type type) +-{ +- return type == ARG_PTR_TO_INT || +- type == ARG_PTR_TO_LONG; +-} +- + static bool arg_type_is_release(enum bpf_arg_type type) + { + return type & OBJ_RELEASE; +@@ -5929,7 +5918,8 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg, + meta->ref_obj_id = reg->ref_obj_id; + } + +- if (arg_type == ARG_CONST_MAP_PTR) { ++ switch (base_type(arg_type)) { ++ case ARG_CONST_MAP_PTR: + /* bpf_map_xxx(map_ptr) call: remember that map_ptr */ + if (meta->map_ptr) { + /* Use map_uid (which is unique id of inner map) to reject: +@@ -5954,7 +5944,8 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg, + } + meta->map_ptr = reg->map_ptr; + meta->map_uid = reg->map_uid; +- } else if (arg_type == ARG_PTR_TO_MAP_KEY) { ++ break; ++ case ARG_PTR_TO_MAP_KEY: + /* bpf_map_xxx(..., map_ptr, ..., key) call: + * check that [key, key + map->key_size) are within + * stack limits and initialized +@@ -5971,7 +5962,8 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg, + err = check_helper_mem_access(env, regno, + meta->map_ptr->key_size, false, + NULL); +- } else if (base_type(arg_type) == ARG_PTR_TO_MAP_VALUE) { ++ break; ++ case ARG_PTR_TO_MAP_VALUE: + if (type_may_be_null(arg_type) && register_is_null(reg)) + return 0; + +@@ -5987,14 +5979,16 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg, + err = check_helper_mem_access(env, regno, + meta->map_ptr->value_size, false, + meta); +- } else if (arg_type == ARG_PTR_TO_PERCPU_BTF_ID) { ++ break; ++ case ARG_PTR_TO_PERCPU_BTF_ID: + if (!reg->btf_id) { + verbose(env, "Helper has invalid btf_id in R%d\n", regno); + return -EACCES; + } + meta->ret_btf = reg->btf; + meta->ret_btf_id = reg->btf_id; +- } else if (arg_type == ARG_PTR_TO_SPIN_LOCK) { ++ break; ++ case ARG_PTR_TO_SPIN_LOCK: + if (meta->func_id == BPF_FUNC_spin_lock) { + if (process_spin_lock(env, regno, true)) + return -EACCES; +@@ -6005,12 +5999,15 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg, + verbose(env, "verifier internal error\n"); + return -EFAULT; + } +- } else if (arg_type == ARG_PTR_TO_TIMER) { ++ break; ++ case ARG_PTR_TO_TIMER: + if (process_timer_func(env, regno, meta)) + return -EACCES; +- } else if (arg_type == ARG_PTR_TO_FUNC) { ++ break; ++ case ARG_PTR_TO_FUNC: + meta->subprogno = reg->subprogno; +- } else if (base_type(arg_type) == ARG_PTR_TO_MEM) { ++ break; ++ case ARG_PTR_TO_MEM: + /* The access to this pointer is only checked when we hit the + * next is_mem_size argument below. + */ +@@ -6020,11 +6017,14 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg, + fn->arg_size[arg], false, + meta); + } +- } else if (arg_type_is_mem_size(arg_type)) { +- bool zero_size_allowed = (arg_type == ARG_CONST_SIZE_OR_ZERO); +- +- err = check_mem_size_reg(env, reg, regno, zero_size_allowed, meta); +- } else if (arg_type_is_dynptr(arg_type)) { ++ break; ++ case ARG_CONST_SIZE: ++ err = check_mem_size_reg(env, reg, regno, false, meta); ++ break; ++ case ARG_CONST_SIZE_OR_ZERO: ++ err = check_mem_size_reg(env, reg, regno, true, meta); ++ break; ++ case ARG_PTR_TO_DYNPTR: + if (arg_type & MEM_UNINIT) { + if (!is_dynptr_reg_valid_uninit(env, reg)) { + verbose(env, "Dynptr has to be an uninitialized dynptr\n"); +@@ -6058,21 +6058,28 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg, + err_extra, arg + 1); + return -EINVAL; + } +- } else if (arg_type_is_alloc_size(arg_type)) { ++ break; ++ case ARG_CONST_ALLOC_SIZE_OR_ZERO: + if (!tnum_is_const(reg->var_off)) { + verbose(env, "R%d is not a known constant'\n", + regno); + return -EACCES; + } + meta->mem_size = reg->var_off.value; +- } else if (arg_type_is_int_ptr(arg_type)) { ++ break; ++ case ARG_PTR_TO_INT: ++ case ARG_PTR_TO_LONG: ++ { + int size = int_ptr_type_to_size(arg_type); + + err = check_helper_mem_access(env, regno, size, false, meta); + if (err) + return err; + err = check_ptr_alignment(env, reg, 0, size, true); +- } else if (arg_type == ARG_PTR_TO_CONST_STR) { ++ break; ++ } ++ case ARG_PTR_TO_CONST_STR: ++ { + struct bpf_map *map = reg->map_ptr; + int map_off; + u64 map_addr; +@@ -6111,9 +6118,12 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg, + verbose(env, "string is not zero-terminated\n"); + return -EINVAL; + } +- } else if (arg_type == ARG_PTR_TO_KPTR) { ++ break; ++ } ++ case ARG_PTR_TO_KPTR: + if (process_kptr_func(env, regno, meta)) + return -EACCES; ++ break; + } + + return err; +-- +2.35.1 + diff --git a/queue-5.19/cachefiles-fix-error-return-code-in-cachefiles_ondem.patch b/queue-5.19/cachefiles-fix-error-return-code-in-cachefiles_ondem.patch new file mode 100644 index 00000000000..7e2e1758743 --- /dev/null +++ b/queue-5.19/cachefiles-fix-error-return-code-in-cachefiles_ondem.patch @@ -0,0 +1,61 @@ +From 11a0751b8641543b5ba684097ed53fc4a36f9b23 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Aug 2022 10:35:15 +0800 +Subject: cachefiles: fix error return code in cachefiles_ondemand_copen() + +From: Sun Ke + +[ Upstream commit c93ccd63b18c8d108c57b2bb0e5f3b058b9d2029 ] + +The cache_size field of copen is specified by the user daemon. +If cache_size < 0, then the OPEN request is expected to fail, +while copen itself shall succeed. However, returning 0 is indeed +unexpected when cache_size is an invalid error code. + +Fix this by returning error when cache_size is an invalid error code. + +Changes +======= +v4: update the code suggested by Dan +v3: update the commit log suggested by Jingbo. + +Fixes: c8383054506c ("cachefiles: notify the user daemon when looking up cookie") +Signed-off-by: Sun Ke +Suggested-by: Jeffle Xu +Suggested-by: Dan Carpenter +Signed-off-by: David Howells +Reviewed-by: Gao Xiang +Reviewed-by: Jingbo Xu +Reviewed-by: Dan Carpenter +Link: https://lore.kernel.org/r/20220818111935.1683062-1-sunke32@huawei.com/ # v2 +Link: https://lore.kernel.org/r/20220818125038.2247720-1-sunke32@huawei.com/ # v3 +Link: https://lore.kernel.org/r/20220826023515.3437469-1-sunke32@huawei.com/ # v4 +Signed-off-by: Sasha Levin +--- + fs/cachefiles/ondemand.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/fs/cachefiles/ondemand.c b/fs/cachefiles/ondemand.c +index 1fee702d55293..7e1586bd5cf34 100644 +--- a/fs/cachefiles/ondemand.c ++++ b/fs/cachefiles/ondemand.c +@@ -158,9 +158,13 @@ int cachefiles_ondemand_copen(struct cachefiles_cache *cache, char *args) + + /* fail OPEN request if daemon reports an error */ + if (size < 0) { +- if (!IS_ERR_VALUE(size)) +- size = -EINVAL; +- req->error = size; ++ if (!IS_ERR_VALUE(size)) { ++ req->error = -EINVAL; ++ ret = -EINVAL; ++ } else { ++ req->error = size; ++ ret = 0; ++ } + goto out; + } + +-- +2.35.1 + diff --git a/queue-5.19/cachefiles-make-on-demand-request-distribution-faire.patch b/queue-5.19/cachefiles-make-on-demand-request-distribution-faire.patch new file mode 100644 index 00000000000..93db302127f --- /dev/null +++ b/queue-5.19/cachefiles-make-on-demand-request-distribution-faire.patch @@ -0,0 +1,80 @@ +From 6a7381482185c73c6b27ffc2838fbfa24ad9ca94 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Aug 2022 10:09:45 +0800 +Subject: cachefiles: make on-demand request distribution fairer + +From: Xin Yin + +[ Upstream commit 1122f40072731525c06b1371cfa30112b9b54d27 ] + +For now, enqueuing and dequeuing on-demand requests all start from +idx 0, this makes request distribution unfair. In the weighty +concurrent I/O scenario, the request stored in higher idx will starve. + +Searching requests cyclically in cachefiles_ondemand_daemon_read, +makes distribution fairer. + +Fixes: c8383054506c ("cachefiles: notify the user daemon when looking up cookie") +Reported-by: Yongqing Li +Signed-off-by: Xin Yin +Signed-off-by: David Howells +Reviewed-by: Jeffle Xu +Reviewed-by: Gao Xiang +Link: https://lore.kernel.org/r/20220817065200.11543-1-yinxin.x@bytedance.com/ # v1 +Link: https://lore.kernel.org/r/20220825020945.2293-1-yinxin.x@bytedance.com/ # v2 +Signed-off-by: Sasha Levin +--- + fs/cachefiles/internal.h | 1 + + fs/cachefiles/ondemand.c | 12 +++++++++--- + 2 files changed, 10 insertions(+), 3 deletions(-) + +diff --git a/fs/cachefiles/internal.h b/fs/cachefiles/internal.h +index 6cba2c6de2f96..2ad58c4652084 100644 +--- a/fs/cachefiles/internal.h ++++ b/fs/cachefiles/internal.h +@@ -111,6 +111,7 @@ struct cachefiles_cache { + char *tag; /* cache binding tag */ + refcount_t unbind_pincount;/* refcount to do daemon unbind */ + struct xarray reqs; /* xarray of pending on-demand requests */ ++ unsigned long req_id_next; + struct xarray ondemand_ids; /* xarray for ondemand_id allocation */ + u32 ondemand_id_next; + }; +diff --git a/fs/cachefiles/ondemand.c b/fs/cachefiles/ondemand.c +index 7e1586bd5cf34..0254ed39f68ce 100644 +--- a/fs/cachefiles/ondemand.c ++++ b/fs/cachefiles/ondemand.c +@@ -242,14 +242,19 @@ ssize_t cachefiles_ondemand_daemon_read(struct cachefiles_cache *cache, + unsigned long id = 0; + size_t n; + int ret = 0; +- XA_STATE(xas, &cache->reqs, 0); ++ XA_STATE(xas, &cache->reqs, cache->req_id_next); + + /* +- * Search for a request that has not ever been processed, to prevent +- * requests from being processed repeatedly. ++ * Cyclically search for a request that has not ever been processed, ++ * to prevent requests from being processed repeatedly, and make ++ * request distribution fair. + */ + xa_lock(&cache->reqs); + req = xas_find_marked(&xas, UINT_MAX, CACHEFILES_REQ_NEW); ++ if (!req && cache->req_id_next > 0) { ++ xas_set(&xas, 0); ++ req = xas_find_marked(&xas, cache->req_id_next - 1, CACHEFILES_REQ_NEW); ++ } + if (!req) { + xa_unlock(&cache->reqs); + return 0; +@@ -264,6 +269,7 @@ ssize_t cachefiles_ondemand_daemon_read(struct cachefiles_cache *cache, + } + + xas_clear_mark(&xas, CACHEFILES_REQ_NEW); ++ cache->req_id_next = xas.xa_index + 1; + xa_unlock(&cache->reqs); + + id = xas.xa_index; +-- +2.35.1 + diff --git a/queue-5.19/drm-i915-display-avoid-warnings-when-registering-dua.patch b/queue-5.19/drm-i915-display-avoid-warnings-when-registering-dua.patch new file mode 100644 index 00000000000..82d6374d2e1 --- /dev/null +++ b/queue-5.19/drm-i915-display-avoid-warnings-when-registering-dua.patch @@ -0,0 +1,83 @@ +From 835b1daea701753c6df9f273d532e6ea949e5f56 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Aug 2022 09:27:50 +0530 +Subject: drm/i915/display: avoid warnings when registering dual panel + backlight + +From: Arun R Murthy + +[ Upstream commit 868e8e5156a1f8d92ca83fdbac6fd52798650792 ] + +Commit 20f85ef89d94 ("drm/i915/backlight: use unique backlight device +names") added support for multiple backlight devices on dual panel +systems, but did so with error handling on -EEXIST from +backlight_device_register(). Unfortunately, that triggered a warning in +dmesg all the way down from sysfs_add_file_mode_ns() and +sysfs_warn_dup(). + +Instead of optimistically always attempting to register with the default +name ("intel_backlight", which we have to retain for backward +compatibility), check if a backlight device with the name exists first, +and, if so, use the card and connector based name. + +v2: reworked on top of the patch commit 20f85ef89d94 +("drm/i915/backlight: use unique backlight device names") +v3: fixed the ref count leak(Jani N) + +Fixes: 20f85ef89d94 ("drm/i915/backlight: use unique backlight device names") +Signed-off-by: Arun R Murthy +Signed-off-by: Jani Nikula +Link: https://patchwork.freedesktop.org/patch/msgid/20220808035750.3111046-1-arun.r.murthy@intel.com +(cherry picked from commit 4234ea30051200fc6016de10e4d58369e60b38f1) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Sasha Levin +--- + .../gpu/drm/i915/display/intel_backlight.c | 26 +++++++++---------- + 1 file changed, 12 insertions(+), 14 deletions(-) + +diff --git a/drivers/gpu/drm/i915/display/intel_backlight.c b/drivers/gpu/drm/i915/display/intel_backlight.c +index c8e1fc53a881f..79f8a586623dc 100644 +--- a/drivers/gpu/drm/i915/display/intel_backlight.c ++++ b/drivers/gpu/drm/i915/display/intel_backlight.c +@@ -970,26 +970,24 @@ int intel_backlight_device_register(struct intel_connector *connector) + if (!name) + return -ENOMEM; + +- bd = backlight_device_register(name, connector->base.kdev, connector, +- &intel_backlight_device_ops, &props); +- +- /* +- * Using the same name independent of the drm device or connector +- * prevents registration of multiple backlight devices in the +- * driver. However, we need to use the default name for backward +- * compatibility. Use unique names for subsequent backlight devices as a +- * fallback when the default name already exists. +- */ +- if (IS_ERR(bd) && PTR_ERR(bd) == -EEXIST) { ++ bd = backlight_device_get_by_name(name); ++ if (bd) { ++ put_device(&bd->dev); ++ /* ++ * Using the same name independent of the drm device or connector ++ * prevents registration of multiple backlight devices in the ++ * driver. However, we need to use the default name for backward ++ * compatibility. Use unique names for subsequent backlight devices as a ++ * fallback when the default name already exists. ++ */ + kfree(name); + name = kasprintf(GFP_KERNEL, "card%d-%s-backlight", + i915->drm.primary->index, connector->base.name); + if (!name) + return -ENOMEM; +- +- bd = backlight_device_register(name, connector->base.kdev, connector, +- &intel_backlight_device_ops, &props); + } ++ bd = backlight_device_register(name, connector->base.kdev, connector, ++ &intel_backlight_device_ops, &props); + + if (IS_ERR(bd)) { + drm_err(&i915->drm, +-- +2.35.1 + diff --git a/queue-5.19/drm-i915-fix-null-pointer-dereference.patch b/queue-5.19/drm-i915-fix-null-pointer-dereference.patch new file mode 100644 index 00000000000..2f2ce722ea6 --- /dev/null +++ b/queue-5.19/drm-i915-fix-null-pointer-dereference.patch @@ -0,0 +1,99 @@ +From 356bf27ff53cf4d590d593f6e0442875daa77b32 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Feb 2022 16:33:54 +0100 +Subject: drm/i915: fix null pointer dereference +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Łukasz Bartosik + +[ Upstream commit 458ec0c8f35963626ccd51c3d50b752de5f1b9d4 ] + +Asus chromebook CX550 crashes during boot on v5.17-rc1 kernel. +The root cause is null pointer defeference of bi_next +in tgl_get_bw_info() in drivers/gpu/drm/i915/display/intel_bw.c. + +BUG: kernel NULL pointer dereference, address: 000000000000002e +PGD 0 P4D 0 +Oops: 0002 [#1] PREEMPT SMP NOPTI +CPU: 0 PID: 1 Comm: swapper/0 Tainted: G U 5.17.0-rc1 +Hardware name: Google Delbin/Delbin, BIOS Google_Delbin.13672.156.3 05/14/2021 +RIP: 0010:tgl_get_bw_info+0x2de/0x510 +... +[ 2.554467] Call Trace: +[ 2.554467] +[ 2.554467] intel_bw_init_hw+0x14a/0x434 +[ 2.554467] ? _printk+0x59/0x73 +[ 2.554467] ? _dev_err+0x77/0x91 +[ 2.554467] i915_driver_hw_probe+0x329/0x33e +[ 2.554467] i915_driver_probe+0x4c8/0x638 +[ 2.554467] i915_pci_probe+0xf8/0x14e +[ 2.554467] ? _raw_spin_unlock_irqrestore+0x12/0x2c +[ 2.554467] pci_device_probe+0xaa/0x142 +[ 2.554467] really_probe+0x13f/0x2f4 +[ 2.554467] __driver_probe_device+0x9e/0xd3 +[ 2.554467] driver_probe_device+0x24/0x7c +[ 2.554467] __driver_attach+0xba/0xcf +[ 2.554467] ? driver_attach+0x1f/0x1f +[ 2.554467] bus_for_each_dev+0x8c/0xc0 +[ 2.554467] bus_add_driver+0x11b/0x1f7 +[ 2.554467] driver_register+0x60/0xea +[ 2.554467] ? mipi_dsi_bus_init+0x16/0x16 +[ 2.554467] i915_init+0x2c/0xb9 +[ 2.554467] ? mipi_dsi_bus_init+0x16/0x16 +[ 2.554467] do_one_initcall+0x12e/0x2b3 +[ 2.554467] do_initcall_level+0xd6/0xf3 +[ 2.554467] do_initcalls+0x4e/0x79 +[ 2.554467] kernel_init_freeable+0xed/0x14d +[ 2.554467] ? rest_init+0xc1/0xc1 +[ 2.554467] kernel_init+0x1a/0x120 +[ 2.554467] ret_from_fork+0x1f/0x30 +[ 2.554467] +... +Kernel panic - not syncing: Fatal exception + +Fixes: c64a9a7c05be ("drm/i915: Update memory bandwidth formulae") +Signed-off-by: Łukasz Bartosik +Reviewed-by: Radhakrishna Sripada +Signed-off-by: Jani Nikula +Link: https://patchwork.freedesktop.org/patch/msgid/20220201153354.11971-1-lukasz.bartosik@semihalf.com +(cherry picked from commit c247cd03898c4c43c3bce6d4014730403bc13032) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/display/intel_bw.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +diff --git a/drivers/gpu/drm/i915/display/intel_bw.c b/drivers/gpu/drm/i915/display/intel_bw.c +index 37bd7b17f3d0b..f2fad199e2e0b 100644 +--- a/drivers/gpu/drm/i915/display/intel_bw.c ++++ b/drivers/gpu/drm/i915/display/intel_bw.c +@@ -404,15 +404,17 @@ static int tgl_get_bw_info(struct drm_i915_private *dev_priv, const struct intel + int clpchgroup; + int j; + +- if (i < num_groups - 1) +- bi_next = &dev_priv->max_bw[i + 1]; +- + clpchgroup = (sa->deburst * qi.deinterleave / num_channels) << i; + +- if (i < num_groups - 1 && clpchgroup < clperchgroup) +- bi_next->num_planes = (ipqdepth - clpchgroup) / clpchgroup + 1; +- else +- bi_next->num_planes = 0; ++ if (i < num_groups - 1) { ++ bi_next = &dev_priv->max_bw[i + 1]; ++ ++ if (clpchgroup < clperchgroup) ++ bi_next->num_planes = (ipqdepth - clpchgroup) / ++ clpchgroup + 1; ++ else ++ bi_next->num_planes = 0; ++ } + + bi->num_qgv_points = qi.num_points; + bi->num_psf_gv_points = qi.num_psf_points; +-- +2.35.1 + diff --git a/queue-5.19/drm-i915-gvt-fix-comet-lake.patch b/queue-5.19/drm-i915-gvt-fix-comet-lake.patch new file mode 100644 index 00000000000..8bf406a0ec1 --- /dev/null +++ b/queue-5.19/drm-i915-gvt-fix-comet-lake.patch @@ -0,0 +1,42 @@ +From 0c148529f08cb98f1d4677664667f8ae42e55bc0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Aug 2022 15:55:48 -0600 +Subject: drm/i915/gvt: Fix Comet Lake + +From: Alex Williamson + +[ Upstream commit b75ef35bb57791a5d675699ed4a40c870d1da12f ] + +Prior to the commit below the GAMT_CHKN_BIT_REG address was setup for +devices matching (D_KBL | D_CFL), where intel_gvt_get_device_type() +returns D_CFL for either Coffee Lake or Comet Lake. Include the missed +platform.` + +Link: https://lore.kernel.org/all/20220808142711.02d16782.alex.williamson@redhat.com +Fixes: e0f74ed4634d ("i915/gvt: Separate the MMIO tracking table from GVT-g") +Signed-off-by: Alex Williamson +Signed-off-by: Zhenyu Wang +Link: http://patchwork.freedesktop.org/patch/msgid/166016852965.780835.10366587502693016900.stgit@omen +Reviewed-by: Zhenyu Wang +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/intel_gvt_mmio_table.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/i915/intel_gvt_mmio_table.c b/drivers/gpu/drm/i915/intel_gvt_mmio_table.c +index 72dac1718f3e7..6163aeaee9b98 100644 +--- a/drivers/gpu/drm/i915/intel_gvt_mmio_table.c ++++ b/drivers/gpu/drm/i915/intel_gvt_mmio_table.c +@@ -1074,7 +1074,8 @@ static int iterate_skl_plus_mmio(struct intel_gvt_mmio_table_iter *iter) + MMIO_D(GEN8_HDC_CHICKEN1); + MMIO_D(GEN9_WM_CHICKEN3); + +- if (IS_KABYLAKE(dev_priv) || IS_COFFEELAKE(dev_priv)) ++ if (IS_KABYLAKE(dev_priv) || ++ IS_COFFEELAKE(dev_priv) || IS_COMETLAKE(dev_priv)) + MMIO_D(GAMT_CHKN_BIT_REG); + if (!IS_BROXTON(dev_priv)) + MMIO_D(GEN9_CTX_PREEMPT_REG); +-- +2.35.1 + diff --git a/queue-5.19/drm-i915-ttm-fix-ccs-handling.patch b/queue-5.19/drm-i915-ttm-fix-ccs-handling.patch new file mode 100644 index 00000000000..5afd7217ee6 --- /dev/null +++ b/queue-5.19/drm-i915-ttm-fix-ccs-handling.patch @@ -0,0 +1,138 @@ +From b7379f1f635ab0e8422782fdd5ec43826f040945 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Aug 2022 14:22:40 +0100 +Subject: drm/i915/ttm: fix CCS handling +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Matthew Auld + +[ Upstream commit 8d905254162965c8e6be697d82c7dbf5d08f574d ] + +Crucible + recent Mesa seems to sometimes hit: + +GEM_BUG_ON(num_ccs_blks > NUM_CCS_BLKS_PER_XFER) + +And it looks like we can also trigger this with gem_lmem_swapping, if we +modify the test to use slightly larger object sizes. + +Looking closer it looks like we have the following issues in +migrate_copy(): + + - We are using plain integer in various places, which we can easily + overflow with a large object. + + - We pass the entire object size (when the src is lmem) into + emit_pte() and then try to copy it, which doesn't work, since we + only have a few fixed sized windows in which to map the pages and + perform the copy. With an object > 8M we therefore aren't properly + copying the pages. And then with an object > 64M we trigger the + GEM_BUG_ON(num_ccs_blks > NUM_CCS_BLKS_PER_XFER). + +So it looks like our copy handling for any object > 8M (which is our +CHUNK_SZ) is currently broken on DG2. + +Fixes: da0595ae91da ("drm/i915/migrate: Evict and restore the flatccs capable lmem obj") +Testcase: igt@gem_lmem_swapping +Signed-off-by: Matthew Auld +Cc: Thomas Hellström +Cc: Ramalingam C +Reviewed-by: Ramalingam C +Link: https://patchwork.freedesktop.org/patch/msgid/20220805132240.442747-2-matthew.auld@intel.com +(cherry picked from commit 8676145eb2f53a9940ff70910caf0125bd8a4bc2) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/gt/intel_migrate.c | 44 ++++++++++++------------- + 1 file changed, 21 insertions(+), 23 deletions(-) + +diff --git a/drivers/gpu/drm/i915/gt/intel_migrate.c b/drivers/gpu/drm/i915/gt/intel_migrate.c +index 2b10b96b17b5b..933648cc90ff9 100644 +--- a/drivers/gpu/drm/i915/gt/intel_migrate.c ++++ b/drivers/gpu/drm/i915/gt/intel_migrate.c +@@ -638,9 +638,9 @@ static int emit_copy(struct i915_request *rq, + return 0; + } + +-static int scatter_list_length(struct scatterlist *sg) ++static u64 scatter_list_length(struct scatterlist *sg) + { +- int len = 0; ++ u64 len = 0; + + while (sg && sg_dma_len(sg)) { + len += sg_dma_len(sg); +@@ -650,28 +650,26 @@ static int scatter_list_length(struct scatterlist *sg) + return len; + } + +-static void ++static int + calculate_chunk_sz(struct drm_i915_private *i915, bool src_is_lmem, +- int *src_sz, u32 bytes_to_cpy, u32 ccs_bytes_to_cpy) ++ u64 bytes_to_cpy, u64 ccs_bytes_to_cpy) + { +- if (ccs_bytes_to_cpy) { +- if (!src_is_lmem) +- /* +- * When CHUNK_SZ is passed all the pages upto CHUNK_SZ +- * will be taken for the blt. in Flat-ccs supported +- * platform Smem obj will have more pages than required +- * for main meory hence limit it to the required size +- * for main memory +- */ +- *src_sz = min_t(int, bytes_to_cpy, CHUNK_SZ); +- } else { /* ccs handling is not required */ +- *src_sz = CHUNK_SZ; +- } ++ if (ccs_bytes_to_cpy && !src_is_lmem) ++ /* ++ * When CHUNK_SZ is passed all the pages upto CHUNK_SZ ++ * will be taken for the blt. in Flat-ccs supported ++ * platform Smem obj will have more pages than required ++ * for main meory hence limit it to the required size ++ * for main memory ++ */ ++ return min_t(u64, bytes_to_cpy, CHUNK_SZ); ++ else ++ return CHUNK_SZ; + } + +-static void get_ccs_sg_sgt(struct sgt_dma *it, u32 bytes_to_cpy) ++static void get_ccs_sg_sgt(struct sgt_dma *it, u64 bytes_to_cpy) + { +- u32 len; ++ u64 len; + + do { + GEM_BUG_ON(!it->sg || !sg_dma_len(it->sg)); +@@ -702,12 +700,12 @@ intel_context_migrate_copy(struct intel_context *ce, + { + struct sgt_dma it_src = sg_sgt(src), it_dst = sg_sgt(dst), it_ccs; + struct drm_i915_private *i915 = ce->engine->i915; +- u32 ccs_bytes_to_cpy = 0, bytes_to_cpy; ++ u64 ccs_bytes_to_cpy = 0, bytes_to_cpy; + enum i915_cache_level ccs_cache_level; + u32 src_offset, dst_offset; + u8 src_access, dst_access; + struct i915_request *rq; +- int src_sz, dst_sz; ++ u64 src_sz, dst_sz; + bool ccs_is_src, overwrite_ccs; + int err; + +@@ -790,8 +788,8 @@ intel_context_migrate_copy(struct intel_context *ce, + if (err) + goto out_rq; + +- calculate_chunk_sz(i915, src_is_lmem, &src_sz, +- bytes_to_cpy, ccs_bytes_to_cpy); ++ src_sz = calculate_chunk_sz(i915, src_is_lmem, ++ bytes_to_cpy, ccs_bytes_to_cpy); + + len = emit_pte(rq, &it_src, src_cache_level, src_is_lmem, + src_offset, src_sz); +-- +2.35.1 + diff --git a/queue-5.19/drm-msm-dp-delete-dp_recovered_clock_out_en-to-fix-t.patch b/queue-5.19/drm-msm-dp-delete-dp_recovered_clock_out_en-to-fix-t.patch new file mode 100644 index 00000000000..048f0b9f079 --- /dev/null +++ b/queue-5.19/drm-msm-dp-delete-dp_recovered_clock_out_en-to-fix-t.patch @@ -0,0 +1,65 @@ +From 0d393f579bf6986ee27cb815bc7ca082f4492309 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Aug 2022 15:57:50 -0700 +Subject: drm/msm/dp: delete DP_RECOVERED_CLOCK_OUT_EN to fix tps4 + +From: Kuogee Hsieh + +[ Upstream commit 032d57960176ac01cc5adff5bcc5eb51317f8781 ] + +Data Symbols scrambled is required for tps4 at link training 2. +Therefore SCRAMBLING_DISABLE bit should not be set for tps4 to +work. + +RECOVERED_CLOCK_OUT_EN is for enable simple EYE test for jitter +measurement with minimal equipment for embedded applications purpose +and is not required to be set during normal operation. Current +implementation always have RECOVERED_CLOCK_OUT_EN bit set which +cause SCRAMBLING_DISABLE bit wrongly set at tps4 which prevent +tps4 from working. + +This patch delete setting RECOVERED_CLOCK_OUT_EN to fix +SCRAMBLING_DISABLE be wrongly set at tps4. + +Changes in v2: +-- fix Fixes tag + +Changes in v3: +-- revise commit text + +Changes in v4: +-- fix commit text newline + +Changes in v5: +-- fix commit text line over 75 chars + +Fixes: c943b4948b58 ("drm/msm/dp: add displayPort driver support") +Signed-off-by: Kuogee Hsieh + +Reviewed-by: Abhinav Kumar +Reviewed-by: Stephen Boyd +Reviewed-by: Dmitry Baryshkov +Patchwork: https://patchwork.freedesktop.org/patch/497194/ +Link: https://lore.kernel.org/r/1660258670-4200-1-git-send-email-quic_khsieh@quicinc.com +Signed-off-by: Abhinav Kumar +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/dp/dp_ctrl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/msm/dp/dp_ctrl.c b/drivers/gpu/drm/msm/dp/dp_ctrl.c +index 703249384e7c7..45aa06a31a9fd 100644 +--- a/drivers/gpu/drm/msm/dp/dp_ctrl.c ++++ b/drivers/gpu/drm/msm/dp/dp_ctrl.c +@@ -1214,7 +1214,7 @@ static int dp_ctrl_link_train_2(struct dp_ctrl_private *ctrl, + if (ret) + return ret; + +- dp_ctrl_train_pattern_set(ctrl, pattern | DP_RECOVERED_CLOCK_OUT_EN); ++ dp_ctrl_train_pattern_set(ctrl, pattern); + + for (tries = 0; tries <= maximum_retries; tries++) { + drm_dp_link_train_channel_eq_delay(ctrl->aux, ctrl->panel->dpcd); +-- +2.35.1 + diff --git a/queue-5.19/drm-msm-dp-make-edp-panel-as-the-first-connected-con.patch b/queue-5.19/drm-msm-dp-make-edp-panel-as-the-first-connected-con.patch new file mode 100644 index 00000000000..b2d1369d94e --- /dev/null +++ b/queue-5.19/drm-msm-dp-make-edp-panel-as-the-first-connected-con.patch @@ -0,0 +1,57 @@ +From dac8d04f6b390bed8b8cd0301fbc5df7c332b3b3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Jul 2022 12:32:08 -0700 +Subject: drm/msm/dp: make eDP panel as the first connected connector + +From: Kuogee Hsieh + +[ Upstream commit deffa2d75db7e7a9a1fe3dad4f99310bff7b6449 ] + +Some userspace presumes that the first connected connector is the main +display, where it's supposed to display e.g. the login screen. For +laptops, this should be the main panel. + +This patch call drm_helper_move_panel_connectors_to_head() after +drm_bridge_connector_init() to make sure eDP stay at head of +connected connector list. This fixes unexpected corruption happen +at eDP panel if eDP is not placed at head of connected connector +list. + +Changes in v2: +-- move drm_helper_move_panel_connectors_to_head() to + dpu_kms_drm_obj_init() + +Changes in v4: +-- move drm_helper_move_panel_connectors_to_head() to msm_drm_init() + +Signed-off-by: Kuogee Hsieh +Reviewed-by: Abhinav Kumar +Reviewed-by: Douglas Anderson +Tested-by: Douglas Anderson +Reviewed-by: Dmitry Baryshkov +Reviewed-by: Stephen Boyd +Fixes: ef7837ff091c ("drm/msm/dp: Add DP controllers for sc7280") +Patchwork: https://patchwork.freedesktop.org/patch/492581/ +Link: https://lore.kernel.org/r/1657135928-31195-1-git-send-email-quic_khsieh@quicinc.com +Signed-off-by: Abhinav Kumar +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/msm_drv.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/gpu/drm/msm/msm_drv.c b/drivers/gpu/drm/msm/msm_drv.c +index 14ab9a627d8b0..7c0314d6566af 100644 +--- a/drivers/gpu/drm/msm/msm_drv.c ++++ b/drivers/gpu/drm/msm/msm_drv.c +@@ -424,6 +424,8 @@ static int msm_drm_init(struct device *dev, const struct drm_driver *drv) + } + } + ++ drm_helper_move_panel_connectors_to_head(ddev); ++ + ddev->mode_config.funcs = &mode_config_funcs; + ddev->mode_config.helper_private = &mode_config_helper_funcs; + +-- +2.35.1 + diff --git a/queue-5.19/drm-msm-dpu-populate-wb-or-intf-before-reset_intf_cf.patch b/queue-5.19/drm-msm-dpu-populate-wb-or-intf-before-reset_intf_cf.patch new file mode 100644 index 00000000000..c45a3792e6a --- /dev/null +++ b/queue-5.19/drm-msm-dpu-populate-wb-or-intf-before-reset_intf_cf.patch @@ -0,0 +1,48 @@ +From 7678eecfd938dc3a4387ebf8dec73a4e93cec14b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Jul 2022 12:14:28 -0700 +Subject: drm/msm/dpu: populate wb or intf before reset_intf_cfg + +From: Abhinav Kumar + +[ Upstream commit ef3ac3ae147c6ab370875727791e9b3eaf176cea ] + +dpu_encoder_helper_phys_cleanup() was not populating neither +wb or intf to the intf_cfg before calling the reset_intf_cfg(). + +This causes the reset of the active bits of wb/intf to be +skipped which is incorrect. + +Fix this by populating the relevant wb or intf indices correctly. + +Fixes: ae4d721ce100 ("drm/msm/dpu: add an API to reset the encoder related hw blocks") +Signed-off-by: Abhinav Kumar +Reviewed-by: Jessica Zhang +Tested-by: Jessica Zhang # Trogdor (SC8170) +Patchwork: https://patchwork.freedesktop.org/patch/494298/ +Link: https://lore.kernel.org/r/1657912468-17254-1-git-send-email-quic_abhinavk@quicinc.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c +index 9b4df3084366b..d98c7f7da7c08 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c +@@ -1998,6 +1998,12 @@ void dpu_encoder_helper_phys_cleanup(struct dpu_encoder_phys *phys_enc) + + intf_cfg.stream_sel = 0; /* Don't care value for video mode */ + intf_cfg.mode_3d = dpu_encoder_helper_get_3d_blend_mode(phys_enc); ++ ++ if (phys_enc->hw_intf) ++ intf_cfg.intf = phys_enc->hw_intf->idx; ++ if (phys_enc->hw_wb) ++ intf_cfg.wb = phys_enc->hw_wb->idx; ++ + if (phys_enc->hw_pp->merge_3d) + intf_cfg.merge_3d = phys_enc->hw_pp->merge_3d->idx; + +-- +2.35.1 + diff --git a/queue-5.19/drm-msm-dsi-fix-number-of-regulators-for-msm8996_dsi.patch b/queue-5.19/drm-msm-dsi-fix-number-of-regulators-for-msm8996_dsi.patch new file mode 100644 index 00000000000..43883ac3288 --- /dev/null +++ b/queue-5.19/drm-msm-dsi-fix-number-of-regulators-for-msm8996_dsi.patch @@ -0,0 +1,39 @@ +From 5f9ba8d318eb5c62c414d7ff13b55c1572e8b870 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Aug 2022 07:38:48 -0700 +Subject: drm/msm/dsi: Fix number of regulators for msm8996_dsi_cfg + +From: Douglas Anderson + +[ Upstream commit 1e00d6ac8a3422765bae37aeac2002dfd3c0bda6 ] + +3 regulators are listed but the number 2 is specified. Fix it. + +Fixes: 3a3ff88a0fc1 ("drm/msm/dsi: Add 8x96 info in dsi_cfg") +Signed-off-by: Douglas Anderson +Reviewed-by: Dmitry Baryshkov +Reviewed-by: Abhinav Kumar +Patchwork: https://patchwork.freedesktop.org/patch/496318/ +Link: https://lore.kernel.org/r/20220804073608.v4.1.I1056ee3f77f71287f333279efe4c85f88d403f65@changeid +Signed-off-by: Abhinav Kumar +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/dsi/dsi_cfg.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/msm/dsi/dsi_cfg.c b/drivers/gpu/drm/msm/dsi/dsi_cfg.c +index 2c23324a2296b..02000a7b7a18c 100644 +--- a/drivers/gpu/drm/msm/dsi/dsi_cfg.c ++++ b/drivers/gpu/drm/msm/dsi/dsi_cfg.c +@@ -109,7 +109,7 @@ static const char * const dsi_8996_bus_clk_names[] = { + static const struct msm_dsi_config msm8996_dsi_cfg = { + .io_offset = DSI_6G_REG_SHIFT, + .reg_cfg = { +- .num = 2, ++ .num = 3, + .regs = { + {"vdda", 18160, 1 }, /* 1.25 V */ + {"vcca", 17000, 32 }, /* 0.925 V */ +-- +2.35.1 + diff --git a/queue-5.19/drm-msm-dsi-fix-number-of-regulators-for-sdm660.patch b/queue-5.19/drm-msm-dsi-fix-number-of-regulators-for-sdm660.patch new file mode 100644 index 00000000000..596f4898365 --- /dev/null +++ b/queue-5.19/drm-msm-dsi-fix-number-of-regulators-for-sdm660.patch @@ -0,0 +1,41 @@ +From 1226df9d344879aca775d3bf313c51eb7b4f4075 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Aug 2022 07:38:49 -0700 +Subject: drm/msm/dsi: Fix number of regulators for SDM660 + +From: Douglas Anderson + +[ Upstream commit a1653a75987749ba6dba94fa2e62f0f36b387d1a ] + +1 regulator is listed but the number 2 is specified. This presumably +means we try to get a regulator with no name. Fix it. + +Fixes: 462f7017a691 ("drm/msm/dsi: Fix DSI and DSI PHY regulator config from SDM660") +Signed-off-by: Douglas Anderson +Reviewed-by: Dmitry Baryshkov +Reviewed-by: Marijn Suijten +Reviewed-by: Abhinav Kumar +Patchwork: https://patchwork.freedesktop.org/patch/496323/ +Link: https://lore.kernel.org/r/20220804073608.v4.2.I94b3c3e412b7c208061349f05659e126483171b1@changeid +Signed-off-by: Abhinav Kumar +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/dsi/dsi_cfg.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/msm/dsi/dsi_cfg.c b/drivers/gpu/drm/msm/dsi/dsi_cfg.c +index 02000a7b7a18c..72c018e26f47f 100644 +--- a/drivers/gpu/drm/msm/dsi/dsi_cfg.c ++++ b/drivers/gpu/drm/msm/dsi/dsi_cfg.c +@@ -148,7 +148,7 @@ static const char * const dsi_sdm660_bus_clk_names[] = { + static const struct msm_dsi_config sdm660_dsi_cfg = { + .io_offset = DSI_6G_REG_SHIFT, + .reg_cfg = { +- .num = 2, ++ .num = 1, + .regs = { + {"vdda", 12560, 4 }, /* 1.2 V */ + }, +-- +2.35.1 + diff --git a/queue-5.19/drm-msm-dsi-fix-the-inconsistent-indenting.patch b/queue-5.19/drm-msm-dsi-fix-the-inconsistent-indenting.patch new file mode 100644 index 00000000000..852195d0ed3 --- /dev/null +++ b/queue-5.19/drm-msm-dsi-fix-the-inconsistent-indenting.patch @@ -0,0 +1,43 @@ +From 859073e0c8fbe478fef96fbd26a0d1aa1d67ab50 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Jul 2022 09:56:22 +0800 +Subject: drm/msm/dsi: fix the inconsistent indenting + +From: sunliming + +[ Upstream commit 2f25a1fb4ec516c5ad67afd754334b491b9f09a5 ] + +Fix the inconsistent indenting in function msm_dsi_dphy_timing_calc_v3(). + +Fix the following smatch warnings: + +drivers/gpu/drm/msm/dsi/phy/dsi_phy.c:350 msm_dsi_dphy_timing_calc_v3() warn: inconsistent indenting + +Fixes: f1fa7ff44056 ("drm/msm/dsi: implement auto PHY timing calculator for 10nm PHY") +Reported-by: kernel test robot +Signed-off-by: sunliming +Reviewed-by: Abhinav Kumar +Patchwork: https://patchwork.freedesktop.org/patch/494662/ +Link: https://lore.kernel.org/r/20220719015622.646718-1-sunliming@kylinos.cn +Signed-off-by: Abhinav Kumar +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/dsi/phy/dsi_phy.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/msm/dsi/phy/dsi_phy.c b/drivers/gpu/drm/msm/dsi/phy/dsi_phy.c +index a39de3bdc7faf..56dfa2d24be1f 100644 +--- a/drivers/gpu/drm/msm/dsi/phy/dsi_phy.c ++++ b/drivers/gpu/drm/msm/dsi/phy/dsi_phy.c +@@ -347,7 +347,7 @@ int msm_dsi_dphy_timing_calc_v3(struct msm_dsi_dphy_timing *timing, + } else { + timing->shared_timings.clk_pre = + linear_inter(tmax, tmin, pcnt2, 0, false); +- timing->shared_timings.clk_pre_inc_by_2 = 0; ++ timing->shared_timings.clk_pre_inc_by_2 = 0; + } + + timing->ta_go = 3; +-- +2.35.1 + diff --git a/queue-5.19/drm-msm-gpu-drop-qos-request-if-devm_devfreq_add_dev.patch b/queue-5.19/drm-msm-gpu-drop-qos-request-if-devm_devfreq_add_dev.patch new file mode 100644 index 00000000000..736c04721dc --- /dev/null +++ b/queue-5.19/drm-msm-gpu-drop-qos-request-if-devm_devfreq_add_dev.patch @@ -0,0 +1,44 @@ +From 77d318b2082a0b67ab3e776842227f0f62698995 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Jul 2022 09:26:32 -0700 +Subject: drm/msm/gpu: Drop qos request if devm_devfreq_add_device() fails + +From: Bjorn Andersson + +[ Upstream commit 02b9f2636209beb843ca501d47f7fddc8792b2d7 ] + +In the event that devm_devfreq_add_device() fails the device's qos freq +list is left referencing df->idle_freq and df->boost_freq. Attempting to +initialize devfreq again after a probe deferral will then cause invalid +memory accesses in dev_pm_qos_add_request(). + +Fix this by dropping the requests in the error path. + +Fixes: 7c0ffcd40b16 ("drm/msm/gpu: Respect PM QoS constraints") +Signed-off-by: Bjorn Andersson +Reviewed-by: Rob Clark +Reviewed-by: Dmitry Baryshkov +Patchwork: https://patchwork.freedesktop.org/patch/493001/ +Link: https://lore.kernel.org/r/20220708162632.3529864-1-bjorn.andersson@linaro.org +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/msm_gpu_devfreq.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/gpu/drm/msm/msm_gpu_devfreq.c b/drivers/gpu/drm/msm/msm_gpu_devfreq.c +index ea94bc18e72eb..89cc93eb67557 100644 +--- a/drivers/gpu/drm/msm/msm_gpu_devfreq.c ++++ b/drivers/gpu/drm/msm/msm_gpu_devfreq.c +@@ -213,6 +213,8 @@ void msm_devfreq_init(struct msm_gpu *gpu) + + if (IS_ERR(df->devfreq)) { + DRM_DEV_ERROR(&gpu->pdev->dev, "Couldn't initialize GPU devfreq\n"); ++ dev_pm_qos_remove_request(&df->idle_freq); ++ dev_pm_qos_remove_request(&df->boost_freq); + df->devfreq = NULL; + return; + } +-- +2.35.1 + diff --git a/queue-5.19/ethernet-rocker-fix-sleep-in-atomic-context-bug-in-n.patch b/queue-5.19/ethernet-rocker-fix-sleep-in-atomic-context-bug-in-n.patch new file mode 100644 index 00000000000..ee58281a739 --- /dev/null +++ b/queue-5.19/ethernet-rocker-fix-sleep-in-atomic-context-bug-in-n.patch @@ -0,0 +1,57 @@ +From 28ca108b75cabf1d40dc76ab2f7751ac75961e0e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 27 Aug 2022 23:38:15 +0800 +Subject: ethernet: rocker: fix sleep in atomic context bug in + neigh_timer_handler + +From: Duoming Zhou + +[ Upstream commit c0955bf957be4bead01fae1d791476260da7325d ] + +The function neigh_timer_handler() is a timer handler that runs in an +atomic context. When used by rocker, neigh_timer_handler() calls +"kzalloc(.., GFP_KERNEL)" that may sleep. As a result, the sleep in +atomic context bug will happen. One of the processes is shown below: + +ofdpa_fib4_add() + ... + neigh_add_timer() + +(wait a timer) + +neigh_timer_handler() + neigh_release() + neigh_destroy() + rocker_port_neigh_destroy() + rocker_world_port_neigh_destroy() + ofdpa_port_neigh_destroy() + ofdpa_port_ipv4_neigh() + kzalloc(sizeof(.., GFP_KERNEL) //may sleep + +This patch changes the gfp_t parameter of kzalloc() from GFP_KERNEL to +GFP_ATOMIC in order to mitigate the bug. + +Fixes: 00fc0c51e35b ("rocker: Change world_ops API and implementation to be switchdev independant") +Signed-off-by: Duoming Zhou +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/rocker/rocker_ofdpa.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/rocker/rocker_ofdpa.c b/drivers/net/ethernet/rocker/rocker_ofdpa.c +index bc70c6abd6a5b..58cf7cc54f408 100644 +--- a/drivers/net/ethernet/rocker/rocker_ofdpa.c ++++ b/drivers/net/ethernet/rocker/rocker_ofdpa.c +@@ -1273,7 +1273,7 @@ static int ofdpa_port_ipv4_neigh(struct ofdpa_port *ofdpa_port, + bool removing; + int err = 0; + +- entry = kzalloc(sizeof(*entry), GFP_KERNEL); ++ entry = kzalloc(sizeof(*entry), GFP_ATOMIC); + if (!entry) + return -ENOMEM; + +-- +2.35.1 + diff --git a/queue-5.19/ieee802154-adf7242-defer-destroy_workqueue-call.patch b/queue-5.19/ieee802154-adf7242-defer-destroy_workqueue-call.patch new file mode 100644 index 00000000000..5904db503bf --- /dev/null +++ b/queue-5.19/ieee802154-adf7242-defer-destroy_workqueue-call.patch @@ -0,0 +1,60 @@ +From 66071bfe9243c2077bb27e412c90babea827fcbe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Aug 2022 11:42:24 +0800 +Subject: ieee802154/adf7242: defer destroy_workqueue call + +From: Lin Ma + +[ Upstream commit afe7116f6d3b888778ed6d95e3cf724767b9aedf ] + +There is a possible race condition (use-after-free) like below + + (FREE) | (USE) + adf7242_remove | adf7242_channel + cancel_delayed_work_sync | + destroy_workqueue (1) | adf7242_cmd_rx + | mod_delayed_work (2) + | + +The root cause for this race is that the upper layer (ieee802154) is +unaware of this detaching event and the function adf7242_channel can +be called without any checks. + +To fix this, we can add a flag write at the beginning of adf7242_remove +and add flag check in adf7242_channel. Or we can just defer the +destructive operation like other commit 3e0588c291d6 ("hamradio: defer +ax25 kfree after unregister_netdev") which let the +ieee802154_unregister_hw() to handle the synchronization. This patch +takes the second option. + +Fixes: 58e9683d1475 ("net: ieee802154: adf7242: Fix OCL calibration +runs") +Signed-off-by: Lin Ma +Acked-by: Michael Hennerich +Link: https://lore.kernel.org/r/20220808034224.12642-1-linma@zju.edu.cn +Signed-off-by: Stefan Schmidt +Signed-off-by: Sasha Levin +--- + drivers/net/ieee802154/adf7242.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ieee802154/adf7242.c b/drivers/net/ieee802154/adf7242.c +index 6afdf1622944e..5cf218c674a5a 100644 +--- a/drivers/net/ieee802154/adf7242.c ++++ b/drivers/net/ieee802154/adf7242.c +@@ -1310,10 +1310,11 @@ static void adf7242_remove(struct spi_device *spi) + + debugfs_remove_recursive(lp->debugfs_root); + ++ ieee802154_unregister_hw(lp->hw); ++ + cancel_delayed_work_sync(&lp->work); + destroy_workqueue(lp->wqueue); + +- ieee802154_unregister_hw(lp->hw); + mutex_destroy(&lp->bmux); + ieee802154_free_hw(lp->hw); + } +-- +2.35.1 + diff --git a/queue-5.19/iio-adc-mcp3911-make-use-of-the-sign-bit.patch b/queue-5.19/iio-adc-mcp3911-make-use-of-the-sign-bit.patch new file mode 100644 index 00000000000..dbc80e3b00e --- /dev/null +++ b/queue-5.19/iio-adc-mcp3911-make-use-of-the-sign-bit.patch @@ -0,0 +1,37 @@ +From 2eadc1f283728b6f4068aadccd95709404fa621c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Jul 2022 15:07:18 +0200 +Subject: iio: adc: mcp3911: make use of the sign bit + +From: Marcus Folkesson + +[ Upstream commit 8f89e33bf040bbef66386c426198622180233178 ] + +The device supports negative values as well. + +Fixes: 3a89b289df5d ("iio: adc: add support for mcp3911") +Signed-off-by: Marcus Folkesson +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20220722130726.7627-2-marcus.folkesson@gmail.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/adc/mcp3911.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/iio/adc/mcp3911.c b/drivers/iio/adc/mcp3911.c +index 1cb4590fe4125..f581cefb67195 100644 +--- a/drivers/iio/adc/mcp3911.c ++++ b/drivers/iio/adc/mcp3911.c +@@ -113,6 +113,8 @@ static int mcp3911_read_raw(struct iio_dev *indio_dev, + if (ret) + goto out; + ++ *val = sign_extend32(*val, 23); ++ + ret = IIO_VAL_INT; + break; + +-- +2.35.1 + diff --git a/queue-5.19/ip_tunnel-respect-tunnel-key-s-flow_flags-in-ip-tunn.patch b/queue-5.19/ip_tunnel-respect-tunnel-key-s-flow_flags-in-ip-tunn.patch new file mode 100644 index 00000000000..8e58954ee9b --- /dev/null +++ b/queue-5.19/ip_tunnel-respect-tunnel-key-s-flow_flags-in-ip-tunn.patch @@ -0,0 +1,117 @@ +From 6862afd1ad0f919e26e88a46213e49e0c2c91db0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Aug 2022 10:41:18 +0300 +Subject: ip_tunnel: Respect tunnel key's "flow_flags" in IP tunnels + +From: Eyal Birger + +[ Upstream commit 7ec9fce4b31604f8415136a4c07f7dc8ad431aec ] + +Commit 451ef36bd229 ("ip_tunnels: Add new flow flags field to ip_tunnel_key") +added a "flow_flags" member to struct ip_tunnel_key which was later used by +the commit in the fixes tag to avoid dropping packets with sources that +aren't locally configured when set in bpf_set_tunnel_key(). + +VXLAN and GENEVE were made to respect this flag, ip tunnels like IPIP and GRE +were not. + +This commit fixes this omission by making ip_tunnel_init_flow() receive +the flow flags from the tunnel key in the relevant collect_md paths. + +Fixes: b8fff748521c ("bpf: Set flow flag to allow any source IP in bpf_tunnel_key") +Signed-off-by: Eyal Birger +Signed-off-by: Daniel Borkmann +Reviewed-by: Paul Chaignon +Link: https://lore.kernel.org/bpf/20220818074118.726639-1-eyal.birger@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlxsw/spectrum_span.c | 3 ++- + include/net/ip_tunnels.h | 4 +++- + net/ipv4/ip_gre.c | 2 +- + net/ipv4/ip_tunnel.c | 7 ++++--- + 4 files changed, 10 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_span.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_span.c +index fe663b0ab7086..68d87e61bdc05 100644 +--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_span.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_span.c +@@ -423,7 +423,8 @@ mlxsw_sp_span_gretap4_route(const struct net_device *to_dev, + + parms = mlxsw_sp_ipip_netdev_parms4(to_dev); + ip_tunnel_init_flow(&fl4, parms.iph.protocol, *daddrp, *saddrp, +- 0, 0, dev_net(to_dev), parms.link, tun->fwmark, 0); ++ 0, 0, dev_net(to_dev), parms.link, tun->fwmark, 0, ++ 0); + + rt = ip_route_output_key(tun->net, &fl4); + if (IS_ERR(rt)) +diff --git a/include/net/ip_tunnels.h b/include/net/ip_tunnels.h +index 20f60d9da7418..cf1f22c01ed3d 100644 +--- a/include/net/ip_tunnels.h ++++ b/include/net/ip_tunnels.h +@@ -246,7 +246,8 @@ static inline void ip_tunnel_init_flow(struct flowi4 *fl4, + __be32 daddr, __be32 saddr, + __be32 key, __u8 tos, + struct net *net, int oif, +- __u32 mark, __u32 tun_inner_hash) ++ __u32 mark, __u32 tun_inner_hash, ++ __u8 flow_flags) + { + memset(fl4, 0, sizeof(*fl4)); + +@@ -263,6 +264,7 @@ static inline void ip_tunnel_init_flow(struct flowi4 *fl4, + fl4->fl4_gre_key = key; + fl4->flowi4_mark = mark; + fl4->flowi4_multipath_hash = tun_inner_hash; ++ fl4->flowi4_flags = flow_flags; + } + + int ip_tunnel_init(struct net_device *dev); +diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c +index 5c58e21f724e9..f866d6282b2b3 100644 +--- a/net/ipv4/ip_gre.c ++++ b/net/ipv4/ip_gre.c +@@ -609,7 +609,7 @@ static int gre_fill_metadata_dst(struct net_device *dev, struct sk_buff *skb) + ip_tunnel_init_flow(&fl4, IPPROTO_GRE, key->u.ipv4.dst, key->u.ipv4.src, + tunnel_id_to_key32(key->tun_id), + key->tos & ~INET_ECN_MASK, dev_net(dev), 0, +- skb->mark, skb_get_hash(skb)); ++ skb->mark, skb_get_hash(skb), key->flow_flags); + rt = ip_route_output_key(dev_net(dev), &fl4); + if (IS_ERR(rt)) + return PTR_ERR(rt); +diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c +index 94017a8c39945..1ad8809fc2e3b 100644 +--- a/net/ipv4/ip_tunnel.c ++++ b/net/ipv4/ip_tunnel.c +@@ -295,7 +295,7 @@ static int ip_tunnel_bind_dev(struct net_device *dev) + ip_tunnel_init_flow(&fl4, iph->protocol, iph->daddr, + iph->saddr, tunnel->parms.o_key, + RT_TOS(iph->tos), dev_net(dev), +- tunnel->parms.link, tunnel->fwmark, 0); ++ tunnel->parms.link, tunnel->fwmark, 0, 0); + rt = ip_route_output_key(tunnel->net, &fl4); + + if (!IS_ERR(rt)) { +@@ -570,7 +570,8 @@ void ip_md_tunnel_xmit(struct sk_buff *skb, struct net_device *dev, + } + ip_tunnel_init_flow(&fl4, proto, key->u.ipv4.dst, key->u.ipv4.src, + tunnel_id_to_key32(key->tun_id), RT_TOS(tos), +- dev_net(dev), 0, skb->mark, skb_get_hash(skb)); ++ dev_net(dev), 0, skb->mark, skb_get_hash(skb), ++ key->flow_flags); + if (tunnel->encap.type != TUNNEL_ENCAP_NONE) + goto tx_error; + +@@ -728,7 +729,7 @@ void ip_tunnel_xmit(struct sk_buff *skb, struct net_device *dev, + ip_tunnel_init_flow(&fl4, protocol, dst, tnl_params->saddr, + tunnel->parms.o_key, RT_TOS(tos), + dev_net(dev), tunnel->parms.link, +- tunnel->fwmark, skb_get_hash(skb)); ++ tunnel->fwmark, skb_get_hash(skb), 0); + + if (ip_tunnel_encap(skb, tunnel, &protocol, &fl4) < 0) + goto tx_error; +-- +2.35.1 + diff --git a/queue-5.19/kcm-fix-strp_init-order-and-cleanup.patch b/queue-5.19/kcm-fix-strp_init-order-and-cleanup.patch new file mode 100644 index 00000000000..59504e9d8f7 --- /dev/null +++ b/queue-5.19/kcm-fix-strp_init-order-and-cleanup.patch @@ -0,0 +1,74 @@ +From 24f0a9d904818a2c912d3ce6a9e6bc73f620af7c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 27 Aug 2022 11:13:14 -0700 +Subject: kcm: fix strp_init() order and cleanup + +From: Cong Wang + +[ Upstream commit 8fc29ff3910f3af08a7c40a75d436b5720efe2bf ] + +strp_init() is called just a few lines above this csk->sk_user_data +check, it also initializes strp->work etc., therefore, it is +unnecessary to call strp_done() to cancel the freshly initialized +work. + +And if sk_user_data is already used by KCM, psock->strp should not be +touched, particularly strp->work state, so we need to move strp_init() +after the csk->sk_user_data check. + +This also makes a lockdep warning reported by syzbot go away. + +Reported-and-tested-by: syzbot+9fc084a4348493ef65d2@syzkaller.appspotmail.com +Reported-by: syzbot+e696806ef96cdd2d87cd@syzkaller.appspotmail.com +Fixes: e5571240236c ("kcm: Check if sk_user_data already set in kcm_attach") +Fixes: dff8baa26117 ("kcm: Call strp_stop before strp_done in kcm_attach") +Cc: Tom Herbert +Signed-off-by: Cong Wang +Link: https://lore.kernel.org/r/20220827181314.193710-1-xiyou.wangcong@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/kcm/kcmsock.c | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +diff --git a/net/kcm/kcmsock.c b/net/kcm/kcmsock.c +index 71899e5a5a111..1215c863e1c41 100644 +--- a/net/kcm/kcmsock.c ++++ b/net/kcm/kcmsock.c +@@ -1412,12 +1412,6 @@ static int kcm_attach(struct socket *sock, struct socket *csock, + psock->sk = csk; + psock->bpf_prog = prog; + +- err = strp_init(&psock->strp, csk, &cb); +- if (err) { +- kmem_cache_free(kcm_psockp, psock); +- goto out; +- } +- + write_lock_bh(&csk->sk_callback_lock); + + /* Check if sk_user_data is already by KCM or someone else. +@@ -1425,13 +1419,18 @@ static int kcm_attach(struct socket *sock, struct socket *csock, + */ + if (csk->sk_user_data) { + write_unlock_bh(&csk->sk_callback_lock); +- strp_stop(&psock->strp); +- strp_done(&psock->strp); + kmem_cache_free(kcm_psockp, psock); + err = -EALREADY; + goto out; + } + ++ err = strp_init(&psock->strp, csk, &cb); ++ if (err) { ++ write_unlock_bh(&csk->sk_callback_lock); ++ kmem_cache_free(kcm_psockp, psock); ++ goto out; ++ } ++ + psock->save_data_ready = csk->sk_data_ready; + psock->save_write_space = csk->sk_write_space; + psock->save_state_change = csk->sk_state_change; +-- +2.35.1 + diff --git a/queue-5.19/mlxbf_gige-compute-mdio-period-based-on-i1clk.patch b/queue-5.19/mlxbf_gige-compute-mdio-period-based-on-i1clk.patch new file mode 100644 index 00000000000..e0686e7e6a7 --- /dev/null +++ b/queue-5.19/mlxbf_gige-compute-mdio-period-based-on-i1clk.patch @@ -0,0 +1,247 @@ +From d75b1364ed90cec79ce3d0278beb58e0f2379168 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Aug 2022 11:59:16 -0400 +Subject: mlxbf_gige: compute MDIO period based on i1clk + +From: David Thompson + +[ Upstream commit 3a1a274e933fca73fdc960cb1f60636cd285a265 ] + +This patch adds logic to compute the MDIO period based on +the i1clk, and thereafter write the MDIO period into the YU +MDIO config register. The i1clk resource from the ACPI table +is used to provide addressing to YU bootrecord PLL registers. +The values in these registers are used to compute MDIO period. +If the i1clk resource is not present in the ACPI table, then +the current default hardcorded value of 430Mhz is used. +The i1clk clock value of 430MHz is only accurate for boards +with BF2 mid bin and main bin SoCs. The BF2 high bin SoCs +have i1clk = 500MHz, but can support a slower MDIO period. + +Fixes: f92e1869d74e ("Add Mellanox BlueField Gigabit Ethernet driver") +Reviewed-by: Asmaa Mnebhi +Signed-off-by: David Thompson +Link: https://lore.kernel.org/r/20220826155916.12491-1-davthompson@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../ethernet/mellanox/mlxbf_gige/mlxbf_gige.h | 4 +- + .../mellanox/mlxbf_gige/mlxbf_gige_mdio.c | 122 +++++++++++++++--- + .../mellanox/mlxbf_gige/mlxbf_gige_regs.h | 2 + + 3 files changed, 110 insertions(+), 18 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlxbf_gige/mlxbf_gige.h b/drivers/net/ethernet/mellanox/mlxbf_gige/mlxbf_gige.h +index 5fdf9b7179f55..5a1027b072155 100644 +--- a/drivers/net/ethernet/mellanox/mlxbf_gige/mlxbf_gige.h ++++ b/drivers/net/ethernet/mellanox/mlxbf_gige/mlxbf_gige.h +@@ -75,6 +75,7 @@ struct mlxbf_gige { + struct net_device *netdev; + struct platform_device *pdev; + void __iomem *mdio_io; ++ void __iomem *clk_io; + struct mii_bus *mdiobus; + spinlock_t lock; /* for packet processing indices */ + u16 rx_q_entries; +@@ -137,7 +138,8 @@ enum mlxbf_gige_res { + MLXBF_GIGE_RES_MDIO9, + MLXBF_GIGE_RES_GPIO0, + MLXBF_GIGE_RES_LLU, +- MLXBF_GIGE_RES_PLU ++ MLXBF_GIGE_RES_PLU, ++ MLXBF_GIGE_RES_CLK + }; + + /* Version of register data returned by mlxbf_gige_get_regs() */ +diff --git a/drivers/net/ethernet/mellanox/mlxbf_gige/mlxbf_gige_mdio.c b/drivers/net/ethernet/mellanox/mlxbf_gige/mlxbf_gige_mdio.c +index 2e6c1b7af0964..85155cd9405c5 100644 +--- a/drivers/net/ethernet/mellanox/mlxbf_gige/mlxbf_gige_mdio.c ++++ b/drivers/net/ethernet/mellanox/mlxbf_gige/mlxbf_gige_mdio.c +@@ -22,10 +22,23 @@ + #include + + #include "mlxbf_gige.h" ++#include "mlxbf_gige_regs.h" + + #define MLXBF_GIGE_MDIO_GW_OFFSET 0x0 + #define MLXBF_GIGE_MDIO_CFG_OFFSET 0x4 + ++#define MLXBF_GIGE_MDIO_FREQ_REFERENCE 156250000ULL ++#define MLXBF_GIGE_MDIO_COREPLL_CONST 16384ULL ++#define MLXBF_GIGE_MDC_CLK_NS 400 ++#define MLXBF_GIGE_MDIO_PLL_I1CLK_REG1 0x4 ++#define MLXBF_GIGE_MDIO_PLL_I1CLK_REG2 0x8 ++#define MLXBF_GIGE_MDIO_CORE_F_SHIFT 0 ++#define MLXBF_GIGE_MDIO_CORE_F_MASK GENMASK(25, 0) ++#define MLXBF_GIGE_MDIO_CORE_R_SHIFT 26 ++#define MLXBF_GIGE_MDIO_CORE_R_MASK GENMASK(31, 26) ++#define MLXBF_GIGE_MDIO_CORE_OD_SHIFT 0 ++#define MLXBF_GIGE_MDIO_CORE_OD_MASK GENMASK(3, 0) ++ + /* Support clause 22 */ + #define MLXBF_GIGE_MDIO_CL22_ST1 0x1 + #define MLXBF_GIGE_MDIO_CL22_WRITE 0x1 +@@ -50,27 +63,76 @@ + #define MLXBF_GIGE_MDIO_CFG_MDIO_IN_SAMP_MASK GENMASK(23, 16) + #define MLXBF_GIGE_MDIO_CFG_MDIO_OUT_SAMP_MASK GENMASK(31, 24) + ++#define MLXBF_GIGE_MDIO_CFG_VAL (FIELD_PREP(MLXBF_GIGE_MDIO_CFG_MDIO_MODE_MASK, 1) | \ ++ FIELD_PREP(MLXBF_GIGE_MDIO_CFG_MDIO3_3_MASK, 1) | \ ++ FIELD_PREP(MLXBF_GIGE_MDIO_CFG_MDIO_FULL_DRIVE_MASK, 1) | \ ++ FIELD_PREP(MLXBF_GIGE_MDIO_CFG_MDIO_IN_SAMP_MASK, 6) | \ ++ FIELD_PREP(MLXBF_GIGE_MDIO_CFG_MDIO_OUT_SAMP_MASK, 13)) ++ ++#define MLXBF_GIGE_BF2_COREPLL_ADDR 0x02800c30 ++#define MLXBF_GIGE_BF2_COREPLL_SIZE 0x0000000c ++ ++static struct resource corepll_params[] = { ++ [MLXBF_GIGE_VERSION_BF2] = { ++ .start = MLXBF_GIGE_BF2_COREPLL_ADDR, ++ .end = MLXBF_GIGE_BF2_COREPLL_ADDR + MLXBF_GIGE_BF2_COREPLL_SIZE - 1, ++ .name = "COREPLL_RES" ++ }, ++}; ++ ++/* Returns core clock i1clk in Hz */ ++static u64 calculate_i1clk(struct mlxbf_gige *priv) ++{ ++ u8 core_od, core_r; ++ u64 freq_output; ++ u32 reg1, reg2; ++ u32 core_f; ++ ++ reg1 = readl(priv->clk_io + MLXBF_GIGE_MDIO_PLL_I1CLK_REG1); ++ reg2 = readl(priv->clk_io + MLXBF_GIGE_MDIO_PLL_I1CLK_REG2); ++ ++ core_f = (reg1 & MLXBF_GIGE_MDIO_CORE_F_MASK) >> ++ MLXBF_GIGE_MDIO_CORE_F_SHIFT; ++ core_r = (reg1 & MLXBF_GIGE_MDIO_CORE_R_MASK) >> ++ MLXBF_GIGE_MDIO_CORE_R_SHIFT; ++ core_od = (reg2 & MLXBF_GIGE_MDIO_CORE_OD_MASK) >> ++ MLXBF_GIGE_MDIO_CORE_OD_SHIFT; ++ ++ /* Compute PLL output frequency as follow: ++ * ++ * CORE_F / 16384 ++ * freq_output = freq_reference * ---------------------------- ++ * (CORE_R + 1) * (CORE_OD + 1) ++ */ ++ freq_output = div_u64((MLXBF_GIGE_MDIO_FREQ_REFERENCE * core_f), ++ MLXBF_GIGE_MDIO_COREPLL_CONST); ++ freq_output = div_u64(freq_output, (core_r + 1) * (core_od + 1)); ++ ++ return freq_output; ++} ++ + /* Formula for encoding the MDIO period. The encoded value is + * passed to the MDIO config register. + * +- * mdc_clk = 2*(val + 1)*i1clk ++ * mdc_clk = 2*(val + 1)*(core clock in sec) + * +- * 400 ns = 2*(val + 1)*(((1/430)*1000) ns) ++ * i1clk is in Hz: ++ * 400 ns = 2*(val + 1)*(1/i1clk) + * +- * val = (((400 * 430 / 1000) / 2) - 1) ++ * val = (((400/10^9) / (1/i1clk) / 2) - 1) ++ * val = (400/2 * i1clk)/10^9 - 1 + */ +-#define MLXBF_GIGE_I1CLK_MHZ 430 +-#define MLXBF_GIGE_MDC_CLK_NS 400 ++static u8 mdio_period_map(struct mlxbf_gige *priv) ++{ ++ u8 mdio_period; ++ u64 i1clk; + +-#define MLXBF_GIGE_MDIO_PERIOD (((MLXBF_GIGE_MDC_CLK_NS * MLXBF_GIGE_I1CLK_MHZ / 1000) / 2) - 1) ++ i1clk = calculate_i1clk(priv); + +-#define MLXBF_GIGE_MDIO_CFG_VAL (FIELD_PREP(MLXBF_GIGE_MDIO_CFG_MDIO_MODE_MASK, 1) | \ +- FIELD_PREP(MLXBF_GIGE_MDIO_CFG_MDIO3_3_MASK, 1) | \ +- FIELD_PREP(MLXBF_GIGE_MDIO_CFG_MDIO_FULL_DRIVE_MASK, 1) | \ +- FIELD_PREP(MLXBF_GIGE_MDIO_CFG_MDC_PERIOD_MASK, \ +- MLXBF_GIGE_MDIO_PERIOD) | \ +- FIELD_PREP(MLXBF_GIGE_MDIO_CFG_MDIO_IN_SAMP_MASK, 6) | \ +- FIELD_PREP(MLXBF_GIGE_MDIO_CFG_MDIO_OUT_SAMP_MASK, 13)) ++ mdio_period = div_u64((MLXBF_GIGE_MDC_CLK_NS >> 1) * i1clk, 1000000000) - 1; ++ ++ return mdio_period; ++} + + static u32 mlxbf_gige_mdio_create_cmd(u16 data, int phy_add, + int phy_reg, u32 opcode) +@@ -124,9 +186,9 @@ static int mlxbf_gige_mdio_write(struct mii_bus *bus, int phy_add, + int phy_reg, u16 val) + { + struct mlxbf_gige *priv = bus->priv; ++ u32 temp; + u32 cmd; + int ret; +- u32 temp; + + if (phy_reg & MII_ADDR_C45) + return -EOPNOTSUPP; +@@ -144,18 +206,44 @@ static int mlxbf_gige_mdio_write(struct mii_bus *bus, int phy_add, + return ret; + } + ++static void mlxbf_gige_mdio_cfg(struct mlxbf_gige *priv) ++{ ++ u8 mdio_period; ++ u32 val; ++ ++ mdio_period = mdio_period_map(priv); ++ ++ val = MLXBF_GIGE_MDIO_CFG_VAL; ++ val |= FIELD_PREP(MLXBF_GIGE_MDIO_CFG_MDC_PERIOD_MASK, mdio_period); ++ writel(val, priv->mdio_io + MLXBF_GIGE_MDIO_CFG_OFFSET); ++} ++ + int mlxbf_gige_mdio_probe(struct platform_device *pdev, struct mlxbf_gige *priv) + { + struct device *dev = &pdev->dev; ++ struct resource *res; + int ret; + + priv->mdio_io = devm_platform_ioremap_resource(pdev, MLXBF_GIGE_RES_MDIO9); + if (IS_ERR(priv->mdio_io)) + return PTR_ERR(priv->mdio_io); + +- /* Configure mdio parameters */ +- writel(MLXBF_GIGE_MDIO_CFG_VAL, +- priv->mdio_io + MLXBF_GIGE_MDIO_CFG_OFFSET); ++ /* clk resource shared with other drivers so cannot use ++ * devm_platform_ioremap_resource ++ */ ++ res = platform_get_resource(pdev, IORESOURCE_MEM, MLXBF_GIGE_RES_CLK); ++ if (!res) { ++ /* For backward compatibility with older ACPI tables, also keep ++ * CLK resource internal to the driver. ++ */ ++ res = &corepll_params[MLXBF_GIGE_VERSION_BF2]; ++ } ++ ++ priv->clk_io = devm_ioremap(dev, res->start, resource_size(res)); ++ if (IS_ERR(priv->clk_io)) ++ return PTR_ERR(priv->clk_io); ++ ++ mlxbf_gige_mdio_cfg(priv); + + priv->mdiobus = devm_mdiobus_alloc(dev); + if (!priv->mdiobus) { +diff --git a/drivers/net/ethernet/mellanox/mlxbf_gige/mlxbf_gige_regs.h b/drivers/net/ethernet/mellanox/mlxbf_gige/mlxbf_gige_regs.h +index 5fb33c9294bf9..7be3a793984d5 100644 +--- a/drivers/net/ethernet/mellanox/mlxbf_gige/mlxbf_gige_regs.h ++++ b/drivers/net/ethernet/mellanox/mlxbf_gige/mlxbf_gige_regs.h +@@ -8,6 +8,8 @@ + #ifndef __MLXBF_GIGE_REGS_H__ + #define __MLXBF_GIGE_REGS_H__ + ++#define MLXBF_GIGE_VERSION 0x0000 ++#define MLXBF_GIGE_VERSION_BF2 0x0 + #define MLXBF_GIGE_STATUS 0x0010 + #define MLXBF_GIGE_STATUS_READY BIT(0) + #define MLXBF_GIGE_INT_STATUS 0x0028 +-- +2.35.1 + diff --git a/queue-5.19/mm-slab_common-deleting-kobject-in-kmem_cache_destro.patch b/queue-5.19/mm-slab_common-deleting-kobject-in-kmem_cache_destro.patch new file mode 100644 index 00000000000..f5d25a423eb --- /dev/null +++ b/queue-5.19/mm-slab_common-deleting-kobject-in-kmem_cache_destro.patch @@ -0,0 +1,159 @@ +From b3c4b534f017194df30f9fa3a993d134f54f5119 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Aug 2022 14:30:33 -0400 +Subject: mm/slab_common: Deleting kobject in kmem_cache_destroy() without + holding slab_mutex/cpu_hotplug_lock + +From: Waiman Long + +[ Upstream commit 0495e337b7039191dfce6e03f5f830454b1fae6b ] + +A circular locking problem is reported by lockdep due to the following +circular locking dependency. + + +--> cpu_hotplug_lock --> slab_mutex --> kn->active --+ + | | + +-----------------------------------------------------+ + +The forward cpu_hotplug_lock ==> slab_mutex ==> kn->active dependency +happens in + + kmem_cache_destroy(): cpus_read_lock(); mutex_lock(&slab_mutex); + ==> sysfs_slab_unlink() + ==> kobject_del() + ==> kernfs_remove() + ==> __kernfs_remove() + ==> kernfs_drain(): rwsem_acquire(&kn->dep_map, ...); + +The backward kn->active ==> cpu_hotplug_lock dependency happens in + + kernfs_fop_write_iter(): kernfs_get_active(); + ==> slab_attr_store() + ==> cpu_partial_store() + ==> flush_all(): cpus_read_lock() + +One way to break this circular locking chain is to avoid holding +cpu_hotplug_lock and slab_mutex while deleting the kobject in +sysfs_slab_unlink() which should be equivalent to doing a write_lock +and write_unlock pair of the kn->active virtual lock. + +Since the kobject structures are not protected by slab_mutex or the +cpu_hotplug_lock, we can certainly release those locks before doing +the delete operation. + +Move sysfs_slab_unlink() and sysfs_slab_release() to the newly +created kmem_cache_release() and call it outside the slab_mutex & +cpu_hotplug_lock critical sections. There will be a slight delay +in the deletion of sysfs files if kmem_cache_release() is called +indirectly from a work function. + +Fixes: 5a836bf6b09f ("mm: slub: move flush_cpu_slab() invocations __free_slab() invocations out of IRQ context") +Signed-off-by: Waiman Long +Reviewed-by: Hyeonggon Yoo <42.hyeyoo@gmail.com> +Reviewed-by: Roman Gushchin +Acked-by: David Rientjes +Link: https://lore.kernel.org/all/YwOImVd+nRUsSAga@hyeyoo/ +Signed-off-by: Vlastimil Babka +Signed-off-by: Sasha Levin +--- + mm/slab_common.c | 45 +++++++++++++++++++++++++++++---------------- + 1 file changed, 29 insertions(+), 16 deletions(-) + +diff --git a/mm/slab_common.c b/mm/slab_common.c +index 77c3adf40e504..dbd4b6f9b0e79 100644 +--- a/mm/slab_common.c ++++ b/mm/slab_common.c +@@ -420,6 +420,28 @@ kmem_cache_create(const char *name, unsigned int size, unsigned int align, + } + EXPORT_SYMBOL(kmem_cache_create); + ++#ifdef SLAB_SUPPORTS_SYSFS ++/* ++ * For a given kmem_cache, kmem_cache_destroy() should only be called ++ * once or there will be a use-after-free problem. The actual deletion ++ * and release of the kobject does not need slab_mutex or cpu_hotplug_lock ++ * protection. So they are now done without holding those locks. ++ * ++ * Note that there will be a slight delay in the deletion of sysfs files ++ * if kmem_cache_release() is called indrectly from a work function. ++ */ ++static void kmem_cache_release(struct kmem_cache *s) ++{ ++ sysfs_slab_unlink(s); ++ sysfs_slab_release(s); ++} ++#else ++static void kmem_cache_release(struct kmem_cache *s) ++{ ++ slab_kmem_cache_release(s); ++} ++#endif ++ + static void slab_caches_to_rcu_destroy_workfn(struct work_struct *work) + { + LIST_HEAD(to_destroy); +@@ -446,11 +468,7 @@ static void slab_caches_to_rcu_destroy_workfn(struct work_struct *work) + list_for_each_entry_safe(s, s2, &to_destroy, list) { + debugfs_slab_release(s); + kfence_shutdown_cache(s); +-#ifdef SLAB_SUPPORTS_SYSFS +- sysfs_slab_release(s); +-#else +- slab_kmem_cache_release(s); +-#endif ++ kmem_cache_release(s); + } + } + +@@ -465,20 +483,11 @@ static int shutdown_cache(struct kmem_cache *s) + list_del(&s->list); + + if (s->flags & SLAB_TYPESAFE_BY_RCU) { +-#ifdef SLAB_SUPPORTS_SYSFS +- sysfs_slab_unlink(s); +-#endif + list_add_tail(&s->list, &slab_caches_to_rcu_destroy); + schedule_work(&slab_caches_to_rcu_destroy_work); + } else { + kfence_shutdown_cache(s); + debugfs_slab_release(s); +-#ifdef SLAB_SUPPORTS_SYSFS +- sysfs_slab_unlink(s); +- sysfs_slab_release(s); +-#else +- slab_kmem_cache_release(s); +-#endif + } + + return 0; +@@ -493,14 +502,16 @@ void slab_kmem_cache_release(struct kmem_cache *s) + + void kmem_cache_destroy(struct kmem_cache *s) + { ++ int refcnt; ++ + if (unlikely(!s) || !kasan_check_byte(s)) + return; + + cpus_read_lock(); + mutex_lock(&slab_mutex); + +- s->refcount--; +- if (s->refcount) ++ refcnt = --s->refcount; ++ if (refcnt) + goto out_unlock; + + WARN(shutdown_cache(s), +@@ -509,6 +520,8 @@ void kmem_cache_destroy(struct kmem_cache *s) + out_unlock: + mutex_unlock(&slab_mutex); + cpus_read_unlock(); ++ if (!refcnt && !(s->flags & SLAB_TYPESAFE_BY_RCU)) ++ kmem_cache_release(s); + } + EXPORT_SYMBOL(kmem_cache_destroy); + +-- +2.35.1 + diff --git a/queue-5.19/net-dsa-xrs700x-use-irqsave-variant-for-u64-stats-up.patch b/queue-5.19/net-dsa-xrs700x-use-irqsave-variant-for-u64-stats-up.patch new file mode 100644 index 00000000000..5a986c043de --- /dev/null +++ b/queue-5.19/net-dsa-xrs700x-use-irqsave-variant-for-u64-stats-up.patch @@ -0,0 +1,65 @@ +From b86d51b3e5e922801c30e5193c424aef95815fc6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Aug 2022 13:36:44 +0200 +Subject: net: dsa: xrs700x: Use irqsave variant for u64 stats update + +From: Sebastian Andrzej Siewior + +[ Upstream commit 3f8ae9fe0409698799e173f698b714f34570b64b ] + +xrs700x_read_port_counters() updates the stats from a worker using the +u64_stats_update_begin() version. This is okay on 32-UP since on the +reader side preemption is disabled. +On 32bit-SMP the writer can be preempted by the reader at which point +the reader will spin on the seqcount until writer continues and +completes the update. + +Assigning the mib_mutex mutex to the underlying seqcount would ensure +proper synchronisation. The API for that on the u64_stats_init() side +isn't available. Since it is the only user, just use disable interrupts +during the update. + +Use u64_stats_update_begin_irqsave() on the writer side to ensure an +uninterrupted update. + +Fixes: ee00b24f32eb8 ("net: dsa: add Arrow SpeedChips XRS700x driver") +Cc: Andrew Lunn +Cc: Florian Fainelli +Cc: George McCollister +Cc: Vivien Didelot +Cc: Vladimir Oltean +Signed-off-by: Sebastian Andrzej Siewior +Acked-by: George McCollister +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/xrs700x/xrs700x.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/dsa/xrs700x/xrs700x.c b/drivers/net/dsa/xrs700x/xrs700x.c +index 3887ed33c5fe2..fa622639d6401 100644 +--- a/drivers/net/dsa/xrs700x/xrs700x.c ++++ b/drivers/net/dsa/xrs700x/xrs700x.c +@@ -109,6 +109,7 @@ static void xrs700x_read_port_counters(struct xrs700x *priv, int port) + { + struct xrs700x_port *p = &priv->ports[port]; + struct rtnl_link_stats64 stats; ++ unsigned long flags; + int i; + + memset(&stats, 0, sizeof(stats)); +@@ -138,9 +139,9 @@ static void xrs700x_read_port_counters(struct xrs700x *priv, int port) + */ + stats.rx_packets += stats.multicast; + +- u64_stats_update_begin(&p->syncp); ++ flags = u64_stats_update_begin_irqsave(&p->syncp); + p->stats64 = stats; +- u64_stats_update_end(&p->syncp); ++ u64_stats_update_end_irqrestore(&p->syncp, flags); + + mutex_unlock(&p->mib_mutex); + } +-- +2.35.1 + diff --git a/queue-5.19/net-lan966x-improve-error-handle-in-lan966x_fdma_rx_.patch b/queue-5.19/net-lan966x-improve-error-handle-in-lan966x_fdma_rx_.patch new file mode 100644 index 00000000000..4599d1440c1 --- /dev/null +++ b/queue-5.19/net-lan966x-improve-error-handle-in-lan966x_fdma_rx_.patch @@ -0,0 +1,47 @@ +From 5ababbafdb2e63a951d9880e9ac7d7135cf7b14a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Aug 2022 18:00:30 +0300 +Subject: net: lan966x: improve error handle in lan966x_fdma_rx_get_frame() + +From: Dan Carpenter + +[ Upstream commit 13a9d08c296228d18289de60b83792c586e1d073 ] + +Don't just print a warning. Clean up and return an error as well. + +Fixes: c8349639324a ("net: lan966x: Add FDMA functionality") +Signed-off-by: Dan Carpenter +Reviewed-by: Horatiu Vultur +Link: https://lore.kernel.org/r/YwjgDm/SVd5c1tQU@kili +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/microchip/lan966x/lan966x_fdma.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/microchip/lan966x/lan966x_fdma.c b/drivers/net/ethernet/microchip/lan966x/lan966x_fdma.c +index 6dea7f8c14814..51f8a08163777 100644 +--- a/drivers/net/ethernet/microchip/lan966x/lan966x_fdma.c ++++ b/drivers/net/ethernet/microchip/lan966x/lan966x_fdma.c +@@ -425,7 +425,8 @@ static struct sk_buff *lan966x_fdma_rx_get_frame(struct lan966x_rx *rx) + lan966x_ifh_get_src_port(skb->data, &src_port); + lan966x_ifh_get_timestamp(skb->data, ×tamp); + +- WARN_ON(src_port >= lan966x->num_phys_ports); ++ if (WARN_ON(src_port >= lan966x->num_phys_ports)) ++ goto free_skb; + + skb->dev = lan966x->ports[src_port]->dev; + skb_pull(skb, IFH_LEN * sizeof(u32)); +@@ -449,6 +450,8 @@ static struct sk_buff *lan966x_fdma_rx_get_frame(struct lan966x_rx *rx) + + return skb; + ++free_skb: ++ kfree_skb(skb); + unmap_page: + dma_unmap_page(lan966x->dev, (dma_addr_t)db->dataptr, + FDMA_DCB_STATUS_BLOCKL(db->status), +-- +2.35.1 + diff --git a/queue-5.19/net-phy-micrel-make-the-gpio-to-be-non-exclusive.patch b/queue-5.19/net-phy-micrel-make-the-gpio-to-be-non-exclusive.patch new file mode 100644 index 00000000000..66e4d0c7e2c --- /dev/null +++ b/queue-5.19/net-phy-micrel-make-the-gpio-to-be-non-exclusive.patch @@ -0,0 +1,54 @@ +From 7de532302be7d476c6f8a0ca69cb2f4765ea65b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Aug 2022 08:40:55 +0200 +Subject: net: phy: micrel: Make the GPIO to be non-exclusive + +From: Horatiu Vultur + +[ Upstream commit 4a4ce82212ef014d70f486a427005b2b5bab8e34 ] + +The same GPIO line can be shared by multiple phys for the coma mode pin. +If that is the case then, all the other phys that share the same line +will failed to be probed because the access to the gpio line is not +non-exclusive. +Fix this by making access to the gpio line to be nonexclusive using flag +GPIOD_FLAGS_BIT_NONEXCLUSIVE. This allows all the other PHYs to be +probed. + +Fixes: 738871b09250ee ("net: phy: micrel: add coma mode GPIO") +Reviewed-by: Andrew Lunn +Signed-off-by: Horatiu Vultur +Link: https://lore.kernel.org/r/20220830064055.2340403-1-horatiu.vultur@microchip.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/micrel.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/phy/micrel.c b/drivers/net/phy/micrel.c +index 22139901f01c7..34483a4bd688a 100644 +--- a/drivers/net/phy/micrel.c ++++ b/drivers/net/phy/micrel.c +@@ -2838,12 +2838,18 @@ static int lan8814_config_init(struct phy_device *phydev) + return 0; + } + ++/* It is expected that there will not be any 'lan8814_take_coma_mode' ++ * function called in suspend. Because the GPIO line can be shared, so if one of ++ * the phys goes back in coma mode, then all the other PHYs will go, which is ++ * wrong. ++ */ + static int lan8814_release_coma_mode(struct phy_device *phydev) + { + struct gpio_desc *gpiod; + + gpiod = devm_gpiod_get_optional(&phydev->mdio.dev, "coma-mode", +- GPIOD_OUT_HIGH_OPEN_DRAIN); ++ GPIOD_OUT_HIGH_OPEN_DRAIN | ++ GPIOD_FLAGS_BIT_NONEXCLUSIVE); + if (IS_ERR(gpiod)) + return PTR_ERR(gpiod); + +-- +2.35.1 + diff --git a/queue-5.19/net-sched-fix-netdevice-reference-leaks-in-attach_de.patch b/queue-5.19/net-sched-fix-netdevice-reference-leaks-in-attach_de.patch new file mode 100644 index 00000000000..756cfd3474d --- /dev/null +++ b/queue-5.19/net-sched-fix-netdevice-reference-leaks-in-attach_de.patch @@ -0,0 +1,111 @@ +From 1d3faf28cd4308ab222cea752f10fb2449308c1d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Aug 2022 17:00:55 +0800 +Subject: net/sched: fix netdevice reference leaks in attach_default_qdiscs() + +From: Wang Hai + +[ Upstream commit f612466ebecb12a00d9152344ddda6f6345f04dc ] + +In attach_default_qdiscs(), if a dev has multiple queues and queue 0 fails +to attach qdisc because there is no memory in attach_one_default_qdisc(). +Then dev->qdisc will be noop_qdisc by default. But the other queues may be +able to successfully attach to default qdisc. + +In this case, the fallback to noqueue process will be triggered. If the +original attached qdisc is not released and a new one is directly +attached, this will cause netdevice reference leaks. + +The following is the bug log: + +veth0: default qdisc (fq_codel) fail, fallback to noqueue +unregister_netdevice: waiting for veth0 to become free. Usage count = 32 +leaked reference. + qdisc_alloc+0x12e/0x210 + qdisc_create_dflt+0x62/0x140 + attach_one_default_qdisc.constprop.41+0x44/0x70 + dev_activate+0x128/0x290 + __dev_open+0x12a/0x190 + __dev_change_flags+0x1a2/0x1f0 + dev_change_flags+0x23/0x60 + do_setlink+0x332/0x1150 + __rtnl_newlink+0x52f/0x8e0 + rtnl_newlink+0x43/0x70 + rtnetlink_rcv_msg+0x140/0x3b0 + netlink_rcv_skb+0x50/0x100 + netlink_unicast+0x1bb/0x290 + netlink_sendmsg+0x37c/0x4e0 + sock_sendmsg+0x5f/0x70 + ____sys_sendmsg+0x208/0x280 + +Fix this bug by clearing any non-noop qdiscs that may have been assigned +before trying to re-attach. + +Fixes: bf6dba76d278 ("net: sched: fallback to qdisc noqueue if default qdisc setup fail") +Signed-off-by: Wang Hai +Link: https://lore.kernel.org/r/20220826090055.24424-1-wanghai38@huawei.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/sched/sch_generic.c | 31 ++++++++++++++++--------------- + 1 file changed, 16 insertions(+), 15 deletions(-) + +diff --git a/net/sched/sch_generic.c b/net/sched/sch_generic.c +index a64c3c1541118..b3596d4bd14a2 100644 +--- a/net/sched/sch_generic.c ++++ b/net/sched/sch_generic.c +@@ -1125,6 +1125,21 @@ struct Qdisc *dev_graft_qdisc(struct netdev_queue *dev_queue, + } + EXPORT_SYMBOL(dev_graft_qdisc); + ++static void shutdown_scheduler_queue(struct net_device *dev, ++ struct netdev_queue *dev_queue, ++ void *_qdisc_default) ++{ ++ struct Qdisc *qdisc = dev_queue->qdisc_sleeping; ++ struct Qdisc *qdisc_default = _qdisc_default; ++ ++ if (qdisc) { ++ rcu_assign_pointer(dev_queue->qdisc, qdisc_default); ++ dev_queue->qdisc_sleeping = qdisc_default; ++ ++ qdisc_put(qdisc); ++ } ++} ++ + static void attach_one_default_qdisc(struct net_device *dev, + struct netdev_queue *dev_queue, + void *_unused) +@@ -1172,6 +1187,7 @@ static void attach_default_qdiscs(struct net_device *dev) + if (qdisc == &noop_qdisc) { + netdev_warn(dev, "default qdisc (%s) fail, fallback to %s\n", + default_qdisc_ops->id, noqueue_qdisc_ops.id); ++ netdev_for_each_tx_queue(dev, shutdown_scheduler_queue, &noop_qdisc); + dev->priv_flags |= IFF_NO_QUEUE; + netdev_for_each_tx_queue(dev, attach_one_default_qdisc, NULL); + qdisc = txq->qdisc_sleeping; +@@ -1450,21 +1466,6 @@ void dev_init_scheduler(struct net_device *dev) + timer_setup(&dev->watchdog_timer, dev_watchdog, 0); + } + +-static void shutdown_scheduler_queue(struct net_device *dev, +- struct netdev_queue *dev_queue, +- void *_qdisc_default) +-{ +- struct Qdisc *qdisc = dev_queue->qdisc_sleeping; +- struct Qdisc *qdisc_default = _qdisc_default; +- +- if (qdisc) { +- rcu_assign_pointer(dev_queue->qdisc, qdisc_default); +- dev_queue->qdisc_sleeping = qdisc_default; +- +- qdisc_put(qdisc); +- } +-} +- + void dev_shutdown(struct net_device *dev) + { + netdev_for_each_tx_queue(dev, shutdown_scheduler_queue, &noop_qdisc); +-- +2.35.1 + diff --git a/queue-5.19/net-sched-tbf-don-t-call-qdisc_put-while-holding-tre.patch b/queue-5.19/net-sched-tbf-don-t-call-qdisc_put-while-holding-tre.patch new file mode 100644 index 00000000000..76235308920 --- /dev/null +++ b/queue-5.19/net-sched-tbf-don-t-call-qdisc_put-while-holding-tre.patch @@ -0,0 +1,54 @@ +From 7cba19da54c3420bf850b7d7ba098d2a63bdae85 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Aug 2022 09:39:30 +0800 +Subject: net: sched: tbf: don't call qdisc_put() while holding tree lock + +From: Zhengchao Shao + +[ Upstream commit b05972f01e7d30419987a1f221b5593668fd6448 ] + +The issue is the same to commit c2999f7fb05b ("net: sched: multiq: don't +call qdisc_put() while holding tree lock"). Qdiscs call qdisc_put() while +holding sch tree spinlock, which results sleeping-while-atomic BUG. + +Fixes: c266f64dbfa2 ("net: sched: protect block state with mutex") +Signed-off-by: Zhengchao Shao +Link: https://lore.kernel.org/r/20220826013930.340121-1-shaozhengchao@huawei.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/sched/sch_tbf.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/sched/sch_tbf.c b/net/sched/sch_tbf.c +index 72102277449e1..36079fdde2cb5 100644 +--- a/net/sched/sch_tbf.c ++++ b/net/sched/sch_tbf.c +@@ -356,6 +356,7 @@ static int tbf_change(struct Qdisc *sch, struct nlattr *opt, + struct nlattr *tb[TCA_TBF_MAX + 1]; + struct tc_tbf_qopt *qopt; + struct Qdisc *child = NULL; ++ struct Qdisc *old = NULL; + struct psched_ratecfg rate; + struct psched_ratecfg peak; + u64 max_size; +@@ -447,7 +448,7 @@ static int tbf_change(struct Qdisc *sch, struct nlattr *opt, + sch_tree_lock(sch); + if (child) { + qdisc_tree_flush_backlog(q->qdisc); +- qdisc_put(q->qdisc); ++ old = q->qdisc; + q->qdisc = child; + } + q->limit = qopt->limit; +@@ -467,6 +468,7 @@ static int tbf_change(struct Qdisc *sch, struct nlattr *opt, + memcpy(&q->peak, &peak, sizeof(struct psched_ratecfg)); + + sch_tree_unlock(sch); ++ qdisc_put(old); + err = 0; + + tbf_offload_change(sch); +-- +2.35.1 + diff --git a/queue-5.19/net-smc-remove-redundant-refcount-increase.patch b/queue-5.19/net-smc-remove-redundant-refcount-increase.patch new file mode 100644 index 00000000000..87d487a1ee1 --- /dev/null +++ b/queue-5.19/net-smc-remove-redundant-refcount-increase.patch @@ -0,0 +1,37 @@ +From 2c41abd07e52b8f318e623d371c09bb6f1e35b22 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Aug 2022 23:23:14 +0800 +Subject: net/smc: Remove redundant refcount increase + +From: Yacan Liu + +[ Upstream commit a8424a9b4522a3ab9f32175ad6d848739079071f ] + +For passive connections, the refcount increment has been done in +smc_clcsock_accept()-->smc_sock_alloc(). + +Fixes: 3b2dec2603d5 ("net/smc: restructure client and server code in af_smc") +Signed-off-by: Yacan Liu +Reviewed-by: Tony Lu +Link: https://lore.kernel.org/r/20220830152314.838736-1-liuyacan@corp.netease.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/smc/af_smc.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c +index 433bb5a7df31e..a51d5ed2ad764 100644 +--- a/net/smc/af_smc.c ++++ b/net/smc/af_smc.c +@@ -1812,7 +1812,6 @@ static void smc_listen_out_connected(struct smc_sock *new_smc) + { + struct sock *newsmcsk = &new_smc->sk; + +- sk_refcnt_debug_inc(newsmcsk); + if (newsmcsk->sk_state == SMC_INIT) + newsmcsk->sk_state = SMC_ACTIVE; + +-- +2.35.1 + diff --git a/queue-5.19/net-smsc911x-stop-and-start-phy-during-suspend-and-r.patch b/queue-5.19/net-smsc911x-stop-and-start-phy-during-suspend-and-r.patch new file mode 100644 index 00000000000..1b2e2f00ca6 --- /dev/null +++ b/queue-5.19/net-smsc911x-stop-and-start-phy-during-suspend-and-r.patch @@ -0,0 +1,61 @@ +From 6e908586368a0f577c18244e32b6d1a0a94261b5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Aug 2022 19:39:51 -0700 +Subject: net: smsc911x: Stop and start PHY during suspend and resume + +From: Florian Fainelli + +[ Upstream commit 3ce9f2bef75528936c78a7053301f5725f622f3a ] + +Commit 744d23c71af3 ("net: phy: Warn about incorrect +mdio_bus_phy_resume() state") unveiled that the smsc911x driver was not +properly stopping and restarting the PHY during suspend/resume. Correct +that by indicating that the MAC is in charge of PHY PM operations and +ensure that all MDIO bus activity is quiescent during suspend. + +Tested-by: Geert Uytterhoeven +Tested-by: Marek Szyprowski +Fixes: fba863b81604 ("net: phy: make PHY PM ops a no-op if MAC driver manages PHY PM") +Fixes: 2aa70f864955 ("net: smsc911x: Quieten netif during suspend") +Signed-off-by: Florian Fainelli +Link: https://lore.kernel.org/r/20220825023951.3220-1-f.fainelli@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/smsc/smsc911x.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/net/ethernet/smsc/smsc911x.c b/drivers/net/ethernet/smsc/smsc911x.c +index 3bf20211cceb4..3829c2805b16c 100644 +--- a/drivers/net/ethernet/smsc/smsc911x.c ++++ b/drivers/net/ethernet/smsc/smsc911x.c +@@ -1037,6 +1037,8 @@ static int smsc911x_mii_probe(struct net_device *dev) + return ret; + } + ++ /* Indicate that the MAC is responsible for managing PHY PM */ ++ phydev->mac_managed_pm = true; + phy_attached_info(phydev); + + phy_set_max_speed(phydev, SPEED_100); +@@ -2587,6 +2589,8 @@ static int smsc911x_suspend(struct device *dev) + if (netif_running(ndev)) { + netif_stop_queue(ndev); + netif_device_detach(ndev); ++ if (!device_may_wakeup(dev)) ++ phy_stop(ndev->phydev); + } + + /* enable wake on LAN, energy detection and the external PME +@@ -2628,6 +2632,8 @@ static int smsc911x_resume(struct device *dev) + if (netif_running(ndev)) { + netif_device_attach(ndev); + netif_start_queue(ndev); ++ if (!device_may_wakeup(dev)) ++ phy_start(ndev->phydev); + } + + return 0; +-- +2.35.1 + diff --git a/queue-5.19/net-sparx5-fix-handling-uneven-length-packets-in-man.patch b/queue-5.19/net-sparx5-fix-handling-uneven-length-packets-in-man.patch new file mode 100644 index 00000000000..fdcc6fc1162 --- /dev/null +++ b/queue-5.19/net-sparx5-fix-handling-uneven-length-packets-in-man.patch @@ -0,0 +1,40 @@ +From fd2d872a5cf920792caf3dc47cd808b0c8918a67 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Aug 2022 10:49:55 +0200 +Subject: net: sparx5: fix handling uneven length packets in manual extraction + +From: Casper Andersson + +[ Upstream commit 7498a457ecf7ff2c4d379360aa8f24566bb1543e ] + +Packets that are not of length divisible by 4 (e.g. 77, 78, 79) would +have the checksum included up to next multiple of 4 (a 77 bytes packet +would have 3 bytes of ethernet checksum included). The check for the +value expects it in host (Little) endian. + +Fixes: f3cad2611a77 ("net: sparx5: add hostmode with phylink support") +Signed-off-by: Casper Andersson +Reviewed-by: Steen Hegelund +Link: https://lore.kernel.org/r/20220825084955.684637-1-casper.casan@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/microchip/sparx5/sparx5_packet.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/microchip/sparx5/sparx5_packet.c b/drivers/net/ethernet/microchip/sparx5/sparx5_packet.c +index 304f84aadc36b..21844beba72df 100644 +--- a/drivers/net/ethernet/microchip/sparx5/sparx5_packet.c ++++ b/drivers/net/ethernet/microchip/sparx5/sparx5_packet.c +@@ -113,6 +113,8 @@ static void sparx5_xtr_grp(struct sparx5 *sparx5, u8 grp, bool byte_swap) + /* This assumes STATUS_WORD_POS == 1, Status + * just after last data + */ ++ if (!byte_swap) ++ val = ntohl((__force __be32)val); + byte_cnt -= (4 - XTR_VALID_BYTES(val)); + eof_flag = true; + break; +-- +2.35.1 + diff --git a/queue-5.19/nfp-flower-fix-ingress-police-using-matchall-filter.patch b/queue-5.19/nfp-flower-fix-ingress-police-using-matchall-filter.patch new file mode 100644 index 00000000000..0b7ef9715a7 --- /dev/null +++ b/queue-5.19/nfp-flower-fix-ingress-police-using-matchall-filter.patch @@ -0,0 +1,50 @@ +From 75448971929345be70297d426835b997db7200e7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Aug 2022 10:08:45 +0200 +Subject: nfp: flower: fix ingress police using matchall filter + +From: Tianyu Yuan + +[ Upstream commit ebe5555c2f34505cdb1ae5c3de8b24e33740b3e0 ] + +Referenced commit introduced nfp_policer_validate in the progress +installing rate limiter. This validate check the action id and will +reject police with CONTINUE, which is required to support ingress +police offload. + +Fix this issue by allowing FLOW_ACTION_CONTINUE as notexceed action +id in nfp_policer_validate + +Fixes: d97b4b105ce7 ("flow_offload: reject offload for all drivers with invalid police parameters") +Signed-off-by: Tianyu Yuan +Reviewed-by: Baowen Zheng +Reviewed-by: Louis Peens +Signed-off-by: Simon Horman +Link: https://lore.kernel.org/r/20220825080845.507534-1-simon.horman@corigine.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/netronome/nfp/flower/qos_conf.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/netronome/nfp/flower/qos_conf.c b/drivers/net/ethernet/netronome/nfp/flower/qos_conf.c +index 3206ba83b1aaa..de2ef5bf8c694 100644 +--- a/drivers/net/ethernet/netronome/nfp/flower/qos_conf.c ++++ b/drivers/net/ethernet/netronome/nfp/flower/qos_conf.c +@@ -127,10 +127,11 @@ static int nfp_policer_validate(const struct flow_action *action, + return -EOPNOTSUPP; + } + +- if (act->police.notexceed.act_id != FLOW_ACTION_PIPE && ++ if (act->police.notexceed.act_id != FLOW_ACTION_CONTINUE && ++ act->police.notexceed.act_id != FLOW_ACTION_PIPE && + act->police.notexceed.act_id != FLOW_ACTION_ACCEPT) { + NL_SET_ERR_MSG_MOD(extack, +- "Offload not supported when conform action is not pipe or ok"); ++ "Offload not supported when conform action is not continue, pipe or ok"); + return -EOPNOTSUPP; + } + +-- +2.35.1 + diff --git a/queue-5.19/openvswitch-fix-memory-leak-at-failed-datapath-creat.patch b/queue-5.19/openvswitch-fix-memory-leak-at-failed-datapath-creat.patch new file mode 100644 index 00000000000..3861e3fb5f1 --- /dev/null +++ b/queue-5.19/openvswitch-fix-memory-leak-at-failed-datapath-creat.patch @@ -0,0 +1,73 @@ +From e758f887f41680d299c71fe47e77a7f1dbf65ea7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Aug 2022 05:03:26 +0300 +Subject: openvswitch: fix memory leak at failed datapath creation + +From: Andrey Zhadchenko + +[ Upstream commit a87406f4adee9c53b311d8a1ba2849c69e29a6d0 ] + +ovs_dp_cmd_new()->ovs_dp_change()->ovs_dp_set_upcall_portids() +allocates array via kmalloc. +If for some reason new_vport() fails during ovs_dp_cmd_new() +dp->upcall_portids must be freed. +Add missing kfree. + +Kmemleak example: +unreferenced object 0xffff88800c382500 (size 64): + comm "dump_state", pid 323, jiffies 4294955418 (age 104.347s) + hex dump (first 32 bytes): + 5e c2 79 e4 1f 7a 38 c7 09 21 38 0c 80 88 ff ff ^.y..z8..!8..... + 03 00 00 00 0a 00 00 00 14 00 00 00 28 00 00 00 ............(... + backtrace: + [<0000000071bebc9f>] ovs_dp_set_upcall_portids+0x38/0xa0 + [<000000000187d8bd>] ovs_dp_change+0x63/0xe0 + [<000000002397e446>] ovs_dp_cmd_new+0x1f0/0x380 + [<00000000aa06f36e>] genl_family_rcv_msg_doit+0xea/0x150 + [<000000008f583bc4>] genl_rcv_msg+0xdc/0x1e0 + [<00000000fa10e377>] netlink_rcv_skb+0x50/0x100 + [<000000004959cece>] genl_rcv+0x24/0x40 + [<000000004699ac7f>] netlink_unicast+0x23e/0x360 + [<00000000c153573e>] netlink_sendmsg+0x24e/0x4b0 + [<000000006f4aa380>] sock_sendmsg+0x62/0x70 + [<00000000d0068654>] ____sys_sendmsg+0x230/0x270 + [<0000000012dacf7d>] ___sys_sendmsg+0x88/0xd0 + [<0000000011776020>] __sys_sendmsg+0x59/0xa0 + [<000000002e8f2dc1>] do_syscall_64+0x3b/0x90 + [<000000003243e7cb>] entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Fixes: b83d23a2a38b ("openvswitch: Introduce per-cpu upcall dispatch") +Acked-by: Aaron Conole +Signed-off-by: Andrey Zhadchenko +Link: https://lore.kernel.org/r/20220825020326.664073-1-andrey.zhadchenko@virtuozzo.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/openvswitch/datapath.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c +index 7e8a39a356271..6c9d153afbeee 100644 +--- a/net/openvswitch/datapath.c ++++ b/net/openvswitch/datapath.c +@@ -1802,7 +1802,7 @@ static int ovs_dp_cmd_new(struct sk_buff *skb, struct genl_info *info) + ovs_dp_reset_user_features(skb, info); + } + +- goto err_unlock_and_destroy_meters; ++ goto err_destroy_portids; + } + + err = ovs_dp_cmd_fill_info(dp, reply, info->snd_portid, +@@ -1817,6 +1817,8 @@ static int ovs_dp_cmd_new(struct sk_buff *skb, struct genl_info *info) + ovs_notify(&dp_datapath_genl_family, reply, info); + return 0; + ++err_destroy_portids: ++ kfree(rcu_dereference_raw(dp->upcall_portids)); + err_unlock_and_destroy_meters: + ovs_unlock(); + ovs_meters_exit(dp); +-- +2.35.1 + diff --git a/queue-5.19/peci-aspeed-fix-error-check-return-value-of-platform.patch b/queue-5.19/peci-aspeed-fix-error-check-return-value-of-platform.patch new file mode 100644 index 00000000000..727fce3e5fa --- /dev/null +++ b/queue-5.19/peci-aspeed-fix-error-check-return-value-of-platform.patch @@ -0,0 +1,39 @@ +From 2b6962f6d466c0165cf5fb904a88d36af2900806 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Apr 2022 01:04:25 +0000 +Subject: peci: aspeed: fix error check return value of platform_get_irq() + +From: Lv Ruyi + +[ Upstream commit e79b548b7202bb3accdfe64f113129a4340bc2f9 ] + +platform_get_irq() return negative value on failure, so null check of +priv->irq is incorrect. Fix it by comparing whether it is less than zero. + +Fixes: a85e4c52086c ("peci: Add peci-aspeed controller driver") +Reported-by: Zeal Robot +Signed-off-by: Lv Ruyi +Link: https://lore.kernel.org/r/20220413010425.2534887-1-lv.ruyi@zte.com.cn +Reviewed-by: Iwona Winiarska +Signed-off-by: Iwona Winiarska +Signed-off-by: Sasha Levin +--- + drivers/peci/controller/peci-aspeed.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/peci/controller/peci-aspeed.c b/drivers/peci/controller/peci-aspeed.c +index 1925ddc13f002..731c5d8f75c66 100644 +--- a/drivers/peci/controller/peci-aspeed.c ++++ b/drivers/peci/controller/peci-aspeed.c +@@ -523,7 +523,7 @@ static int aspeed_peci_probe(struct platform_device *pdev) + return PTR_ERR(priv->base); + + priv->irq = platform_get_irq(pdev, 0); +- if (!priv->irq) ++ if (priv->irq < 0) + return priv->irq; + + ret = devm_request_irq(&pdev->dev, priv->irq, aspeed_peci_irq_handler, +-- +2.35.1 + diff --git a/queue-5.19/platform-mellanox-mlxreg-lc-fix-coverity-warning.patch b/queue-5.19/platform-mellanox-mlxreg-lc-fix-coverity-warning.patch new file mode 100644 index 00000000000..1c742cd62c1 --- /dev/null +++ b/queue-5.19/platform-mellanox-mlxreg-lc-fix-coverity-warning.patch @@ -0,0 +1,40 @@ +From ee877ecd8389a7e22893ccfda2be995b4b30849a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Aug 2022 23:19:34 +0300 +Subject: platform/mellanox: mlxreg-lc: Fix coverity warning + +From: Vadim Pasternak + +[ Upstream commit 17c2bd6bea4c32fe691c1f9ebcc20fd48d77454a ] + +Fix smatch warning: +drivers/platform/mellanox/mlxreg-lc.c:866 mlxreg_lc_probe() warn: passing zero to 'PTR_ERR' +by removing 'err = PTR_ERR(regmap)'. + +Fixes: b4b830a34d80 ("platform/mellanox: mlxreg-lc: Fix error flow and extend verbosity") +Reported-by: kernel test robot +Reported-by: Dan Carpenter +Signed-off-by: Vadim Pasternak +Link: https://lore.kernel.org/r/20220823201937.46855-2-vadimp@nvidia.com +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/mellanox/mlxreg-lc.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/platform/mellanox/mlxreg-lc.c b/drivers/platform/mellanox/mlxreg-lc.c +index 55834ccb4ac7c..9a1bfcd24317d 100644 +--- a/drivers/platform/mellanox/mlxreg-lc.c ++++ b/drivers/platform/mellanox/mlxreg-lc.c +@@ -863,7 +863,6 @@ static int mlxreg_lc_probe(struct platform_device *pdev) + if (err) { + dev_err(&pdev->dev, "Failed to sync regmap for client %s at bus %d at addr 0x%02x\n", + data->hpdev.brdinfo->type, data->hpdev.nr, data->hpdev.brdinfo->addr); +- err = PTR_ERR(regmap); + goto regcache_sync_fail; + } + +-- +2.35.1 + diff --git a/queue-5.19/platform-mellanox-mlxreg-lc-fix-locking-issue.patch b/queue-5.19/platform-mellanox-mlxreg-lc-fix-locking-issue.patch new file mode 100644 index 00000000000..499ab4d1550 --- /dev/null +++ b/queue-5.19/platform-mellanox-mlxreg-lc-fix-locking-issue.patch @@ -0,0 +1,176 @@ +From fbc47b523eb83cbfc706ecc59f7eac899754d28d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Aug 2022 23:19:35 +0300 +Subject: platform/mellanox: mlxreg-lc: Fix locking issue + +From: Vadim Pasternak + +[ Upstream commit 1e092b7faa6b507125b69c92a51bb22c2d549d37 ] + +Fix locking issues: +- mlxreg_lc_state_update() takes a lock when set or clear + "MLXREG_LC_POWERED". +- All the devices can be deleted before MLXREG_LC_POWERED flag is cleared. + +To fix it: +- Add lock() / unlock() at the beginning / end of + mlxreg_lc_event_handler() and remove locking from + mlxreg_lc_power_on_off() and mlxreg_lc_enable_disable() +- Add locked version of mlxreg_lc_state_update() - + mlxreg_lc_state_update_locked() for using outside + mlxreg_lc_event_handler(). + +(2) Remove redundant NULL check for of if 'data->notifier'. + +Fixes: 62f9529b8d5c87b ("platform/mellanox: mlxreg-lc: Add initial support for Nvidia line card devices") +Reported-by: Dan Carpenter +Signed-off-by: Vadim Pasternak +Link: https://lore.kernel.org/r/20220823201937.46855-3-vadimp@nvidia.com +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/mellanox/mlxreg-lc.c | 37 ++++++++++++++++++--------- + 1 file changed, 25 insertions(+), 12 deletions(-) + +diff --git a/drivers/platform/mellanox/mlxreg-lc.c b/drivers/platform/mellanox/mlxreg-lc.c +index 9a1bfcd24317d..e578c7bc060bb 100644 +--- a/drivers/platform/mellanox/mlxreg-lc.c ++++ b/drivers/platform/mellanox/mlxreg-lc.c +@@ -460,8 +460,6 @@ static int mlxreg_lc_power_on_off(struct mlxreg_lc *mlxreg_lc, u8 action) + u32 regval; + int err; + +- mutex_lock(&mlxreg_lc->lock); +- + err = regmap_read(mlxreg_lc->par_regmap, mlxreg_lc->data->reg_pwr, ®val); + if (err) + goto regmap_read_fail; +@@ -474,7 +472,6 @@ static int mlxreg_lc_power_on_off(struct mlxreg_lc *mlxreg_lc, u8 action) + err = regmap_write(mlxreg_lc->par_regmap, mlxreg_lc->data->reg_pwr, regval); + + regmap_read_fail: +- mutex_unlock(&mlxreg_lc->lock); + return err; + } + +@@ -491,8 +488,6 @@ static int mlxreg_lc_enable_disable(struct mlxreg_lc *mlxreg_lc, bool action) + * line card which is already has been enabled. Disabling does not affect the disabled line + * card. + */ +- mutex_lock(&mlxreg_lc->lock); +- + err = regmap_read(mlxreg_lc->par_regmap, mlxreg_lc->data->reg_ena, ®val); + if (err) + goto regmap_read_fail; +@@ -505,7 +500,6 @@ static int mlxreg_lc_enable_disable(struct mlxreg_lc *mlxreg_lc, bool action) + err = regmap_write(mlxreg_lc->par_regmap, mlxreg_lc->data->reg_ena, regval); + + regmap_read_fail: +- mutex_unlock(&mlxreg_lc->lock); + return err; + } + +@@ -537,6 +531,15 @@ mlxreg_lc_sn4800_c16_config_init(struct mlxreg_lc *mlxreg_lc, void *regmap, + + static void + mlxreg_lc_state_update(struct mlxreg_lc *mlxreg_lc, enum mlxreg_lc_state state, u8 action) ++{ ++ if (action) ++ mlxreg_lc->state |= state; ++ else ++ mlxreg_lc->state &= ~state; ++} ++ ++static void ++mlxreg_lc_state_update_locked(struct mlxreg_lc *mlxreg_lc, enum mlxreg_lc_state state, u8 action) + { + mutex_lock(&mlxreg_lc->lock); + +@@ -560,8 +563,11 @@ static int mlxreg_lc_event_handler(void *handle, enum mlxreg_hotplug_kind kind, + dev_info(mlxreg_lc->dev, "linecard#%d state %d event kind %d action %d\n", + mlxreg_lc->data->slot, mlxreg_lc->state, kind, action); + +- if (!(mlxreg_lc->state & MLXREG_LC_INITIALIZED)) ++ mutex_lock(&mlxreg_lc->lock); ++ if (!(mlxreg_lc->state & MLXREG_LC_INITIALIZED)) { ++ mutex_unlock(&mlxreg_lc->lock); + return 0; ++ } + + switch (kind) { + case MLXREG_HOTPLUG_LC_SYNCED: +@@ -574,7 +580,7 @@ static int mlxreg_lc_event_handler(void *handle, enum mlxreg_hotplug_kind kind, + if (!(mlxreg_lc->state & MLXREG_LC_POWERED) && action) { + err = mlxreg_lc_power_on_off(mlxreg_lc, 1); + if (err) +- return err; ++ goto mlxreg_lc_power_on_off_fail; + } + /* In case line card is configured - enable it. */ + if (mlxreg_lc->state & MLXREG_LC_CONFIGURED && action) +@@ -588,12 +594,13 @@ static int mlxreg_lc_event_handler(void *handle, enum mlxreg_hotplug_kind kind, + /* In case line card is configured - enable it. */ + if (mlxreg_lc->state & MLXREG_LC_CONFIGURED) + err = mlxreg_lc_enable_disable(mlxreg_lc, 1); ++ mutex_unlock(&mlxreg_lc->lock); + return err; + } + err = mlxreg_lc_create_static_devices(mlxreg_lc, mlxreg_lc->main_devs, + mlxreg_lc->main_devs_num); + if (err) +- return err; ++ goto mlxreg_lc_create_static_devices_fail; + + /* In case line card is already in ready state - enable it. */ + if (mlxreg_lc->state & MLXREG_LC_CONFIGURED) +@@ -620,6 +627,10 @@ static int mlxreg_lc_event_handler(void *handle, enum mlxreg_hotplug_kind kind, + break; + } + ++mlxreg_lc_power_on_off_fail: ++mlxreg_lc_create_static_devices_fail: ++ mutex_unlock(&mlxreg_lc->lock); ++ + return err; + } + +@@ -665,7 +676,7 @@ static int mlxreg_lc_completion_notify(void *handle, struct i2c_adapter *parent, + if (err) + goto mlxreg_lc_create_static_devices_failed; + +- mlxreg_lc_state_update(mlxreg_lc, MLXREG_LC_POWERED, 1); ++ mlxreg_lc_state_update_locked(mlxreg_lc, MLXREG_LC_POWERED, 1); + } + + /* Verify if line card is synchronized. */ +@@ -676,7 +687,7 @@ static int mlxreg_lc_completion_notify(void *handle, struct i2c_adapter *parent, + /* Power on line card if necessary. */ + if (regval & mlxreg_lc->data->mask) { + mlxreg_lc->state |= MLXREG_LC_SYNCED; +- mlxreg_lc_state_update(mlxreg_lc, MLXREG_LC_SYNCED, 1); ++ mlxreg_lc_state_update_locked(mlxreg_lc, MLXREG_LC_SYNCED, 1); + if (mlxreg_lc->state & ~MLXREG_LC_POWERED) { + err = mlxreg_lc_power_on_off(mlxreg_lc, 1); + if (err) +@@ -684,7 +695,7 @@ static int mlxreg_lc_completion_notify(void *handle, struct i2c_adapter *parent, + } + } + +- mlxreg_lc_state_update(mlxreg_lc, MLXREG_LC_INITIALIZED, 1); ++ mlxreg_lc_state_update_locked(mlxreg_lc, MLXREG_LC_INITIALIZED, 1); + + return 0; + +@@ -904,6 +915,8 @@ static int mlxreg_lc_remove(struct platform_device *pdev) + struct mlxreg_core_data *data = dev_get_platdata(&pdev->dev); + struct mlxreg_lc *mlxreg_lc = platform_get_drvdata(pdev); + ++ mlxreg_lc_state_update_locked(mlxreg_lc, MLXREG_LC_INITIALIZED, 0); ++ + /* + * Probing and removing are invoked by hotplug events raised upon line card insertion and + * removing. If probing procedure fails all data is cleared. However, hotplug event still +-- +2.35.1 + diff --git a/queue-5.19/platform-x86-pmc_atom-fix-slp_typx-bitfield-mask.patch b/queue-5.19/platform-x86-pmc_atom-fix-slp_typx-bitfield-mask.patch new file mode 100644 index 00000000000..5c6ea82b58d --- /dev/null +++ b/queue-5.19/platform-x86-pmc_atom-fix-slp_typx-bitfield-mask.patch @@ -0,0 +1,67 @@ +From b2a4cb004e3ba752a0efd40f58608946d87c2edb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Aug 2022 14:37:31 +0300 +Subject: platform/x86: pmc_atom: Fix SLP_TYPx bitfield mask + +From: Andy Shevchenko + +[ Upstream commit 0a90ed8d0cfa29735a221eba14d9cb6c735d35b6 ] + +On Intel hardware the SLP_TYPx bitfield occupies bits 10-12 as per ACPI +specification (see Table 4.13 "PM1 Control Registers Fixed Hardware +Feature Control Bits" for the details). + +Fix the mask and other related definitions accordingly. + +Fixes: 93e5eadd1f6e ("x86/platform: New Intel Atom SOC power management controller driver") +Signed-off-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20220801113734.36131-1-andriy.shevchenko@linux.intel.com +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/pmc_atom.c | 2 +- + include/linux/platform_data/x86/pmc_atom.h | 6 ++++-- + 2 files changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/platform/x86/pmc_atom.c b/drivers/platform/x86/pmc_atom.c +index 154317e9910d2..5c757c7f64dee 100644 +--- a/drivers/platform/x86/pmc_atom.c ++++ b/drivers/platform/x86/pmc_atom.c +@@ -232,7 +232,7 @@ static void pmc_power_off(void) + pm1_cnt_port = acpi_base_addr + PM1_CNT; + + pm1_cnt_value = inl(pm1_cnt_port); +- pm1_cnt_value &= SLEEP_TYPE_MASK; ++ pm1_cnt_value &= ~SLEEP_TYPE_MASK; + pm1_cnt_value |= SLEEP_TYPE_S5; + pm1_cnt_value |= SLEEP_ENABLE; + +diff --git a/include/linux/platform_data/x86/pmc_atom.h b/include/linux/platform_data/x86/pmc_atom.h +index 6807839c718bd..ea01dd80153b3 100644 +--- a/include/linux/platform_data/x86/pmc_atom.h ++++ b/include/linux/platform_data/x86/pmc_atom.h +@@ -7,6 +7,8 @@ + #ifndef PMC_ATOM_H + #define PMC_ATOM_H + ++#include ++ + /* ValleyView Power Control Unit PCI Device ID */ + #define PCI_DEVICE_ID_VLV_PMC 0x0F1C + /* CherryTrail Power Control Unit PCI Device ID */ +@@ -139,9 +141,9 @@ + #define ACPI_MMIO_REG_LEN 0x100 + + #define PM1_CNT 0x4 +-#define SLEEP_TYPE_MASK 0xFFFFECFF ++#define SLEEP_TYPE_MASK GENMASK(12, 10) + #define SLEEP_TYPE_S5 0x1C00 +-#define SLEEP_ENABLE 0x2000 ++#define SLEEP_ENABLE BIT(13) + + extern int pmc_atom_read(int offset, u32 *value); + +-- +2.35.1 + diff --git a/queue-5.19/platform-x86-x86-android-tablets-fix-broken-touchscr.patch b/queue-5.19/platform-x86-x86-android-tablets-fix-broken-touchscr.patch new file mode 100644 index 00000000000..5d09144bece --- /dev/null +++ b/queue-5.19/platform-x86-x86-android-tablets-fix-broken-touchscr.patch @@ -0,0 +1,71 @@ +From 09be5c25e94275e818474e1eb2e158ec84434750 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Aug 2022 16:19:34 +0200 +Subject: platform/x86: x86-android-tablets: Fix broken touchscreen on Chuwi + Hi8 with Windows BIOS + +From: Hans de Goede + +[ Upstream commit 2986c51540ed50ac654ffb5a772e546c02628c91 ] + +The x86-android-tablets handling for the Chuwi Hi8 is only necessary with +the Android BIOS and it is causing problems with the Windows BIOS version. + +Specifically when trying to register the already present touchscreen +x86_acpi_irq_helper_get() calls acpi_unregister_gsi(), this breaks +the working of the touchscreen and also leads to an oops: + +[ 14.248946] ------------[ cut here ]------------ +[ 14.248954] remove_proc_entry: removing non-empty directory 'irq/75', leaking at least 'MSSL0001:00' +[ 14.248983] WARNING: CPU: 3 PID: 440 at fs/proc/generic.c:718 remove_proc_entry +... +[ 14.249293] unregister_irq_proc+0xe0/0x100 +[ 14.249305] free_desc+0x29/0x70 +[ 14.249312] irq_free_descs+0x4b/0x80 +[ 14.249320] mp_unmap_irq+0x5c/0x60 +[ 14.249329] acpi_unregister_gsi_ioapic+0x2a/0x40 +[ 14.249338] x86_acpi_irq_helper_get+0x4b/0x190 [x86_android_tablets] +[ 14.249355] x86_android_tablet_init+0x178/0xe34 [x86_android_tablets] + +Add an init callback for the Chuwi Hi8, which detects when the Windows BIOS +is in use and exits with -ENODEV in that case, fixing this. + +Fixes: 84c2dcdd475f ("platform/x86: x86-android-tablets: Add an init() callback to struct x86_dev_info") +Signed-off-by: Hans de Goede +Link: https://lore.kernel.org/r/20220810141934.140771-1-hdegoede@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/x86-android-tablets.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/drivers/platform/x86/x86-android-tablets.c b/drivers/platform/x86/x86-android-tablets.c +index 4803759774358..4acd6fa8d43b8 100644 +--- a/drivers/platform/x86/x86-android-tablets.c ++++ b/drivers/platform/x86/x86-android-tablets.c +@@ -663,9 +663,23 @@ static const struct x86_i2c_client_info chuwi_hi8_i2c_clients[] __initconst = { + }, + }; + ++static int __init chuwi_hi8_init(void) ++{ ++ /* ++ * Avoid the acpi_unregister_gsi() call in x86_acpi_irq_helper_get() ++ * breaking the touchscreen + logging various errors when the Windows ++ * BIOS is used. ++ */ ++ if (acpi_dev_present("MSSL0001", NULL, 1)) ++ return -ENODEV; ++ ++ return 0; ++} ++ + static const struct x86_dev_info chuwi_hi8_info __initconst = { + .i2c_client_info = chuwi_hi8_i2c_clients, + .i2c_client_count = ARRAY_SIZE(chuwi_hi8_i2c_clients), ++ .init = chuwi_hi8_init, + }; + + #define CZC_EC_EXTRA_PORT 0x68 +-- +2.35.1 + diff --git a/queue-5.19/revert-sch_cake-return-__net_xmit_stolen-when-consum.patch b/queue-5.19/revert-sch_cake-return-__net_xmit_stolen-when-consum.patch new file mode 100644 index 00000000000..b3f0e2fbd24 --- /dev/null +++ b/queue-5.19/revert-sch_cake-return-__net_xmit_stolen-when-consum.patch @@ -0,0 +1,54 @@ +From 9811c1d1b3fd897ef4d6adc328031bf8457eff30 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Aug 2022 20:01:32 -0700 +Subject: Revert "sch_cake: Return __NET_XMIT_STOLEN when consuming enqueued + skb" + +From: Jakub Kicinski + +[ Upstream commit 0b4f688d53fdc2a731b9d9cdf0c96255bc024ea6 ] + +This reverts commit 90fabae8a2c225c4e4936723c38857887edde5cc. + +Patch was applied hastily, revert and let the v2 be reviewed. + +Fixes: 90fabae8a2c2 ("sch_cake: Return __NET_XMIT_STOLEN when consuming enqueued skb") +Link: https://lore.kernel.org/all/87wnao2ha3.fsf@toke.dk/ +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/sch_cake.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/net/sched/sch_cake.c b/net/sched/sch_cake.c +index a04928082e4ab..a43a58a73d096 100644 +--- a/net/sched/sch_cake.c ++++ b/net/sched/sch_cake.c +@@ -1713,7 +1713,6 @@ static s32 cake_enqueue(struct sk_buff *skb, struct Qdisc *sch, + } + idx--; + flow = &b->flows[idx]; +- ret = NET_XMIT_SUCCESS; + + /* ensure shaper state isn't stale */ + if (!b->tin_backlog) { +@@ -1772,7 +1771,6 @@ static s32 cake_enqueue(struct sk_buff *skb, struct Qdisc *sch, + + qdisc_tree_reduce_backlog(sch, 1-numsegs, len-slen); + consume_skb(skb); +- ret |= __NET_XMIT_STOLEN; + } else { + /* not splitting */ + cobalt_set_enqueue_time(skb, now); +@@ -1906,7 +1904,7 @@ static s32 cake_enqueue(struct sk_buff *skb, struct Qdisc *sch, + } + b->drop_overlimit += dropped; + } +- return ret; ++ return NET_XMIT_SUCCESS; + } + + static struct sk_buff *cake_dequeue_one(struct Qdisc *sch) +-- +2.35.1 + diff --git a/queue-5.19/revert-xhci-turn-off-port-power-in-shutdown.patch b/queue-5.19/revert-xhci-turn-off-port-power-in-shutdown.patch new file mode 100644 index 00000000000..9693d86c582 --- /dev/null +++ b/queue-5.19/revert-xhci-turn-off-port-power-in-shutdown.patch @@ -0,0 +1,94 @@ +From 671b9674313e10f01ce9ab509c41f6e5a855a699 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Aug 2022 18:08:40 +0300 +Subject: Revert "xhci: turn off port power in shutdown" + +From: Mathias Nyman + +[ Upstream commit 8531aa1659f7278d4f2ec7408cc000eaa8d85217 ] + +This reverts commit 83810f84ecf11dfc5a9414a8b762c3501b328185. + +Turning off port power in shutdown did cause issues such as a laptop not +proprly powering off, and some specific usb devies failing to enumerate the +subsequent boot after a warm reset. + +So revert this. + +Fixes: 83810f84ecf1 ("xhci: turn off port power in shutdown") +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20220825150840.132216-4-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/xhci-hub.c | 2 +- + drivers/usb/host/xhci.c | 15 ++------------- + drivers/usb/host/xhci.h | 2 -- + 3 files changed, 3 insertions(+), 16 deletions(-) + +diff --git a/drivers/usb/host/xhci-hub.c b/drivers/usb/host/xhci-hub.c +index 0fdc014c94011..c54f2bc23d3f8 100644 +--- a/drivers/usb/host/xhci-hub.c ++++ b/drivers/usb/host/xhci-hub.c +@@ -652,7 +652,7 @@ struct xhci_hub *xhci_get_rhub(struct usb_hcd *hcd) + * It will release and re-aquire the lock while calling ACPI + * method. + */ +-void xhci_set_port_power(struct xhci_hcd *xhci, struct usb_hcd *hcd, ++static void xhci_set_port_power(struct xhci_hcd *xhci, struct usb_hcd *hcd, + u16 index, bool on, unsigned long *flags) + __must_hold(&xhci->lock) + { +diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c +index 65858f6074377..cb99bed5f755e 100644 +--- a/drivers/usb/host/xhci.c ++++ b/drivers/usb/host/xhci.c +@@ -791,8 +791,6 @@ static void xhci_stop(struct usb_hcd *hcd) + void xhci_shutdown(struct usb_hcd *hcd) + { + struct xhci_hcd *xhci = hcd_to_xhci(hcd); +- unsigned long flags; +- int i; + + if (xhci->quirks & XHCI_SPURIOUS_REBOOT) + usb_disable_xhci_ports(to_pci_dev(hcd->self.sysdev)); +@@ -808,21 +806,12 @@ void xhci_shutdown(struct usb_hcd *hcd) + del_timer_sync(&xhci->shared_hcd->rh_timer); + } + +- spin_lock_irqsave(&xhci->lock, flags); ++ spin_lock_irq(&xhci->lock); + xhci_halt(xhci); +- +- /* Power off USB2 ports*/ +- for (i = 0; i < xhci->usb2_rhub.num_ports; i++) +- xhci_set_port_power(xhci, xhci->main_hcd, i, false, &flags); +- +- /* Power off USB3 ports*/ +- for (i = 0; i < xhci->usb3_rhub.num_ports; i++) +- xhci_set_port_power(xhci, xhci->shared_hcd, i, false, &flags); +- + /* Workaround for spurious wakeups at shutdown with HSW */ + if (xhci->quirks & XHCI_SPURIOUS_WAKEUP) + xhci_reset(xhci, XHCI_RESET_SHORT_USEC); +- spin_unlock_irqrestore(&xhci->lock, flags); ++ spin_unlock_irq(&xhci->lock); + + xhci_cleanup_msix(xhci); + +diff --git a/drivers/usb/host/xhci.h b/drivers/usb/host/xhci.h +index 1960b47acfb28..da51ad90a7006 100644 +--- a/drivers/usb/host/xhci.h ++++ b/drivers/usb/host/xhci.h +@@ -2196,8 +2196,6 @@ int xhci_hub_control(struct usb_hcd *hcd, u16 typeReq, u16 wValue, u16 wIndex, + int xhci_hub_status_data(struct usb_hcd *hcd, char *buf); + int xhci_find_raw_port_number(struct usb_hcd *hcd, int port1); + struct xhci_hub *xhci_get_rhub(struct usb_hcd *hcd); +-void xhci_set_port_power(struct xhci_hcd *xhci, struct usb_hcd *hcd, u16 index, +- bool on, unsigned long *flags); + + void xhci_hc_died(struct xhci_hcd *xhci); + +-- +2.35.1 + diff --git a/queue-5.19/sch_cake-return-__net_xmit_stolen-when-consuming-enq.patch b/queue-5.19/sch_cake-return-__net_xmit_stolen-when-consuming-enq.patch new file mode 100644 index 00000000000..e3aa54d069d --- /dev/null +++ b/queue-5.19/sch_cake-return-__net_xmit_stolen-when-consuming-enq.patch @@ -0,0 +1,61 @@ +From 899c0746fedad2362139b35099d19001f8a1cc4c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Aug 2022 11:21:03 +0200 +Subject: sch_cake: Return __NET_XMIT_STOLEN when consuming enqueued skb +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Toke Høiland-Jørgensen + +[ Upstream commit 90fabae8a2c225c4e4936723c38857887edde5cc ] + +When the GSO splitting feature of sch_cake is enabled, GSO superpackets +will be broken up and the resulting segments enqueued in place of the +original skb. In this case, CAKE calls consume_skb() on the original skb, +but still returns NET_XMIT_SUCCESS. This can confuse parent qdiscs into +assuming the original skb still exists, when it really has been freed. Fix +this by adding the __NET_XMIT_STOLEN flag to the return value in this case. + +Fixes: 0c850344d388 ("sch_cake: Conditionally split GSO segments") +Signed-off-by: Toke Høiland-Jørgensen +Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-18231 +Link: https://lore.kernel.org/r/20220831092103.442868-1-toke@toke.dk +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/sch_cake.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/sched/sch_cake.c b/net/sched/sch_cake.c +index a43a58a73d096..a04928082e4ab 100644 +--- a/net/sched/sch_cake.c ++++ b/net/sched/sch_cake.c +@@ -1713,6 +1713,7 @@ static s32 cake_enqueue(struct sk_buff *skb, struct Qdisc *sch, + } + idx--; + flow = &b->flows[idx]; ++ ret = NET_XMIT_SUCCESS; + + /* ensure shaper state isn't stale */ + if (!b->tin_backlog) { +@@ -1771,6 +1772,7 @@ static s32 cake_enqueue(struct sk_buff *skb, struct Qdisc *sch, + + qdisc_tree_reduce_backlog(sch, 1-numsegs, len-slen); + consume_skb(skb); ++ ret |= __NET_XMIT_STOLEN; + } else { + /* not splitting */ + cobalt_set_enqueue_time(skb, now); +@@ -1904,7 +1906,7 @@ static s32 cake_enqueue(struct sk_buff *skb, struct Qdisc *sch, + } + b->drop_overlimit += dropped; + } +- return NET_XMIT_SUCCESS; ++ return ret; + } + + static struct sk_buff *cake_dequeue_one(struct Qdisc *sch) +-- +2.35.1 + diff --git a/queue-5.19/series b/queue-5.19/series new file mode 100644 index 00000000000..3287f61c600 --- /dev/null +++ b/queue-5.19/series @@ -0,0 +1,60 @@ +drm-msm-dp-make-edp-panel-as-the-first-connected-con.patch +drm-msm-dsi-fix-the-inconsistent-indenting.patch +drm-msm-dpu-populate-wb-or-intf-before-reset_intf_cf.patch +drm-msm-dp-delete-dp_recovered_clock_out_en-to-fix-t.patch +drm-msm-dsi-fix-number-of-regulators-for-msm8996_dsi.patch +drm-msm-dsi-fix-number-of-regulators-for-sdm660.patch +platform-x86-pmc_atom-fix-slp_typx-bitfield-mask.patch +platform-x86-x86-android-tablets-fix-broken-touchscr.patch +xsk-fix-corrupted-packets-for-xdp_shared_umem.patch +drm-msm-gpu-drop-qos-request-if-devm_devfreq_add_dev.patch +peci-aspeed-fix-error-check-return-value-of-platform.patch +iio-adc-mcp3911-make-use-of-the-sign-bit.patch +skmsg-fix-wrong-last-sg-check-in-sk_msg_recvmsg.patch +bpf-restrict-bpf_sys_bpf-to-cap_perfmon.patch +usb-dwc3-qcom-add-helper-functions-to-enable-disable.patch +usb-dwc3-qcom-configure-wakeup-interrupts-during-sus.patch +usb-dwc3-qcom-fix-runtime-pm-wakeup.patch +usb-dwc3-qcom-fix-use-after-free-on-runtime-pm-wakeu.patch +usb-dwc3-qcom-fix-peripheral-and-otg-suspend.patch +ip_tunnel-respect-tunnel-key-s-flow_flags-in-ip-tunn.patch +bpf-cgroup-fix-kernel-bug-in-purge_effective_progs.patch +drm-i915-gvt-fix-comet-lake.patch +ieee802154-adf7242-defer-destroy_workqueue-call.patch +bpf-fix-a-data-race-around-bpf_jit_limit.patch +drm-i915-ttm-fix-ccs-handling.patch +drm-i915-display-avoid-warnings-when-registering-dua.patch +alsa-hda-intel-nhlt-correct-the-handling-of-fmt_conf.patch +wifi-cfg80211-debugfs-fix-return-type-in-ht40allow_m.patch +xhci-fix-null-pointer-dereference-in-remove-if-xhc-h.patch +revert-xhci-turn-off-port-power-in-shutdown.patch +bpf-allow-helpers-to-accept-pointers-with-a-fixed-si.patch +bpf-tidy-up-verifier-check_func_arg.patch +bpf-do-mark_chain_precision-for-arg_const_alloc_size.patch +bluetooth-hci_event-fix-vendor-unknown-opcode-status.patch +bluetooth-hci_sync-fix-suspend-performance-regressio.patch +bluetooth-hci_event-fix-checking-conn-for-le_conn_co.patch +bluetooth-hci_sync-hold-hdev-lock-when-cleanup-hci_c.patch +net-sparx5-fix-handling-uneven-length-packets-in-man.patch +net-smsc911x-stop-and-start-phy-during-suspend-and-r.patch +openvswitch-fix-memory-leak-at-failed-datapath-creat.patch +nfp-flower-fix-ingress-police-using-matchall-filter.patch +net-dsa-xrs700x-use-irqsave-variant-for-u64-stats-up.patch +drm-i915-fix-null-pointer-dereference.patch +net-sched-tbf-don-t-call-qdisc_put-while-holding-tre.patch +net-sched-fix-netdevice-reference-leaks-in-attach_de.patch +net-phy-micrel-make-the-gpio-to-be-non-exclusive.patch +net-lan966x-improve-error-handle-in-lan966x_fdma_rx_.patch +ethernet-rocker-fix-sleep-in-atomic-context-bug-in-n.patch +cachefiles-fix-error-return-code-in-cachefiles_ondem.patch +cachefiles-make-on-demand-request-distribution-faire.patch +mlxbf_gige-compute-mdio-period-based-on-i1clk.patch +kcm-fix-strp_init-order-and-cleanup.patch +sch_cake-return-__net_xmit_stolen-when-consuming-enq.patch +tcp-annotate-data-race-around-challenge_timestamp.patch +revert-sch_cake-return-__net_xmit_stolen-when-consum.patch +net-smc-remove-redundant-refcount-increase.patch +soundwire-qcom-fix-device-status-array-range.patch +mm-slab_common-deleting-kobject-in-kmem_cache_destro.patch +platform-mellanox-mlxreg-lc-fix-coverity-warning.patch +platform-mellanox-mlxreg-lc-fix-locking-issue.patch diff --git a/queue-5.19/skmsg-fix-wrong-last-sg-check-in-sk_msg_recvmsg.patch b/queue-5.19/skmsg-fix-wrong-last-sg-check-in-sk_msg_recvmsg.patch new file mode 100644 index 00000000000..ad48ad17912 --- /dev/null +++ b/queue-5.19/skmsg-fix-wrong-last-sg-check-in-sk_msg_recvmsg.patch @@ -0,0 +1,67 @@ +From fe2c12806707683b535e77a60a4f9237950b2c45 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Aug 2022 17:49:15 +0800 +Subject: skmsg: Fix wrong last sg check in sk_msg_recvmsg() + +From: Liu Jian + +[ Upstream commit 583585e48d965338e73e1eb383768d16e0922d73 ] + +Fix one kernel NULL pointer dereference as below: + +[ 224.462334] Call Trace: +[ 224.462394] __tcp_bpf_recvmsg+0xd3/0x380 +[ 224.462441] ? sock_has_perm+0x78/0xa0 +[ 224.462463] tcp_bpf_recvmsg+0x12e/0x220 +[ 224.462494] inet_recvmsg+0x5b/0xd0 +[ 224.462534] __sys_recvfrom+0xc8/0x130 +[ 224.462574] ? syscall_trace_enter+0x1df/0x2e0 +[ 224.462606] ? __do_page_fault+0x2de/0x500 +[ 224.462635] __x64_sys_recvfrom+0x24/0x30 +[ 224.462660] do_syscall_64+0x5d/0x1d0 +[ 224.462709] entry_SYSCALL_64_after_hwframe+0x65/0xca + +In commit 9974d37ea75f ("skmsg: Fix invalid last sg check in +sk_msg_recvmsg()"), we change last sg check to sg_is_last(), +but in sockmap redirection case (without stream_parser/stream_verdict/ +skb_verdict), we did not mark the end of the scatterlist. Check the +sk_msg_alloc, sk_msg_page_add, and bpf_msg_push_data functions, they all +do not mark the end of sg. They are expected to use sg.end for end +judgment. So the judgment of '(i != msg_rx->sg.end)' is added back here. + +Fixes: 9974d37ea75f ("skmsg: Fix invalid last sg check in sk_msg_recvmsg()") +Signed-off-by: Liu Jian +Signed-off-by: Daniel Borkmann +Acked-by: John Fastabend +Acked-by: Jakub Sitnicki +Link: https://lore.kernel.org/bpf/20220809094915.150391-1-liujian56@huawei.com +Signed-off-by: Sasha Levin +--- + net/core/skmsg.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/core/skmsg.c b/net/core/skmsg.c +index 84209e661171e..69ac686c7cae3 100644 +--- a/net/core/skmsg.c ++++ b/net/core/skmsg.c +@@ -462,7 +462,7 @@ int sk_msg_recvmsg(struct sock *sk, struct sk_psock *psock, struct msghdr *msg, + + if (copied == len) + break; +- } while (!sg_is_last(sge)); ++ } while ((i != msg_rx->sg.end) && !sg_is_last(sge)); + + if (unlikely(peek)) { + msg_rx = sk_psock_next_msg(psock, msg_rx); +@@ -472,7 +472,7 @@ int sk_msg_recvmsg(struct sock *sk, struct sk_psock *psock, struct msghdr *msg, + } + + msg_rx->sg.start = i; +- if (!sge->length && sg_is_last(sge)) { ++ if (!sge->length && (i == msg_rx->sg.end || sg_is_last(sge))) { + msg_rx = sk_psock_dequeue_msg(psock); + kfree_sk_msg(msg_rx); + } +-- +2.35.1 + diff --git a/queue-5.19/soundwire-qcom-fix-device-status-array-range.patch b/queue-5.19/soundwire-qcom-fix-device-status-array-range.patch new file mode 100644 index 00000000000..9ac37c9c720 --- /dev/null +++ b/queue-5.19/soundwire-qcom-fix-device-status-array-range.patch @@ -0,0 +1,59 @@ +From b099e44e7c2b0d7114414b9d47fde3ce3a8fb1cb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Jul 2022 11:47:47 +0100 +Subject: soundwire: qcom: fix device status array range + +From: Srinivas Kandagatla + +[ Upstream commit 4ef3f2aff1267bfa6d5a90c42a30b927b8aa239b ] + +This patch updates device status array range from 11 to 12 as we will +be reading status from device number 0 to device number 11 inclusive. + +Without this patch we can potentially access status array out of range +during auto-enumeration. + +Fixes: aa1262ca6695 ("soundwire: qcom: Check device status before reading devid") +Reported-by: Dan Carpenter +Signed-off-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20220708104747.8722-1-srinivas.kandagatla@linaro.org +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/soundwire/qcom.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/soundwire/qcom.c b/drivers/soundwire/qcom.c +index b5ec7726592c8..71d2931cb885c 100644 +--- a/drivers/soundwire/qcom.c ++++ b/drivers/soundwire/qcom.c +@@ -167,7 +167,7 @@ struct qcom_swrm_ctrl { + u8 wcmd_id; + struct qcom_swrm_port_config pconfig[QCOM_SDW_MAX_PORTS]; + struct sdw_stream_runtime *sruntime[SWRM_MAX_DAIS]; +- enum sdw_slave_status status[SDW_MAX_DEVICES]; ++ enum sdw_slave_status status[SDW_MAX_DEVICES + 1]; + int (*reg_read)(struct qcom_swrm_ctrl *ctrl, int reg, u32 *val); + int (*reg_write)(struct qcom_swrm_ctrl *ctrl, int reg, int val); + u32 slave_status; +@@ -411,7 +411,7 @@ static int qcom_swrm_get_alert_slave_dev_num(struct qcom_swrm_ctrl *ctrl) + + ctrl->reg_read(ctrl, SWRM_MCP_SLV_STATUS, &val); + +- for (dev_num = 0; dev_num < SDW_MAX_DEVICES; dev_num++) { ++ for (dev_num = 0; dev_num <= SDW_MAX_DEVICES; dev_num++) { + status = (val >> (dev_num * SWRM_MCP_SLV_STATUS_SZ)); + + if ((status & SWRM_MCP_SLV_STATUS_MASK) == SDW_SLAVE_ALERT) { +@@ -431,7 +431,7 @@ static void qcom_swrm_get_device_status(struct qcom_swrm_ctrl *ctrl) + ctrl->reg_read(ctrl, SWRM_MCP_SLV_STATUS, &val); + ctrl->slave_status = val; + +- for (i = 0; i < SDW_MAX_DEVICES; i++) { ++ for (i = 0; i <= SDW_MAX_DEVICES; i++) { + u32 s; + + s = (val >> (i * 2)); +-- +2.35.1 + diff --git a/queue-5.19/tcp-annotate-data-race-around-challenge_timestamp.patch b/queue-5.19/tcp-annotate-data-race-around-challenge_timestamp.patch new file mode 100644 index 00000000000..9b818ed84e8 --- /dev/null +++ b/queue-5.19/tcp-annotate-data-race-around-challenge_timestamp.patch @@ -0,0 +1,47 @@ +From 837f367e4465cbe98c61781c1a6d31f26ef4b3a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Aug 2022 11:56:55 -0700 +Subject: tcp: annotate data-race around challenge_timestamp + +From: Eric Dumazet + +[ Upstream commit 8c70521238b7863c2af607e20bcba20f974c969b ] + +challenge_timestamp can be read an written by concurrent threads. + +This was expected, but we need to annotate the race to avoid potential issues. + +Following patch moves challenge_timestamp and challenge_count +to per-netns storage to provide better isolation. + +Fixes: 354e4aa391ed ("tcp: RFC 5961 5.2 Blind Data Injection Attack Mitigation") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Acked-by: Neal Cardwell +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_input.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c +index b1637990d5708..e5435156e545d 100644 +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -3630,11 +3630,11 @@ static void tcp_send_challenge_ack(struct sock *sk) + + /* Then check host-wide RFC 5961 rate limit. */ + now = jiffies / HZ; +- if (now != challenge_timestamp) { ++ if (now != READ_ONCE(challenge_timestamp)) { + u32 ack_limit = READ_ONCE(net->ipv4.sysctl_tcp_challenge_ack_limit); + u32 half = (ack_limit + 1) >> 1; + +- challenge_timestamp = now; ++ WRITE_ONCE(challenge_timestamp, now); + WRITE_ONCE(challenge_count, half + prandom_u32_max(ack_limit)); + } + count = READ_ONCE(challenge_count); +-- +2.35.1 + diff --git a/queue-5.19/usb-dwc3-qcom-add-helper-functions-to-enable-disable.patch b/queue-5.19/usb-dwc3-qcom-add-helper-functions-to-enable-disable.patch new file mode 100644 index 00000000000..874ec961001 --- /dev/null +++ b/queue-5.19/usb-dwc3-qcom-add-helper-functions-to-enable-disable.patch @@ -0,0 +1,107 @@ +From 47eede1934128173679d2079830cb4187e7ea525 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Jun 2022 10:00:52 +0530 +Subject: usb: dwc3: qcom: Add helper functions to enable,disable wake irqs + +From: Sandeep Maheswaram + +[ Upstream commit 360e8230516de94d74d30c64f0cdcf228b8e8b67 ] + +Adding helper functions to enable,disable wake irqs to make +the code simple and readable. + +Reviewed-by: Matthias Kaehlcke +Reviewed-by: Pavankumar Kondeti +Signed-off-by: Sandeep Maheswaram +Signed-off-by: Krishna Kurapati +Link: https://lore.kernel.org/r/1655094654-24052-4-git-send-email-quic_kriskura@quicinc.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc3/dwc3-qcom.c | 58 ++++++++++++++++-------------------- + 1 file changed, 26 insertions(+), 32 deletions(-) + +diff --git a/drivers/usb/dwc3/dwc3-qcom.c b/drivers/usb/dwc3/dwc3-qcom.c +index 3582fd6dfa141..27ff18aeea266 100644 +--- a/drivers/usb/dwc3/dwc3-qcom.c ++++ b/drivers/usb/dwc3/dwc3-qcom.c +@@ -296,50 +296,44 @@ static void dwc3_qcom_interconnect_exit(struct dwc3_qcom *qcom) + icc_put(qcom->icc_path_apps); + } + ++static void dwc3_qcom_enable_wakeup_irq(int irq) ++{ ++ if (!irq) ++ return; ++ ++ enable_irq(irq); ++ enable_irq_wake(irq); ++} ++ ++static void dwc3_qcom_disable_wakeup_irq(int irq) ++{ ++ if (!irq) ++ return; ++ ++ disable_irq_wake(irq); ++ disable_irq_nosync(irq); ++} ++ + static void dwc3_qcom_disable_interrupts(struct dwc3_qcom *qcom) + { +- if (qcom->hs_phy_irq) { +- disable_irq_wake(qcom->hs_phy_irq); +- disable_irq_nosync(qcom->hs_phy_irq); +- } ++ dwc3_qcom_disable_wakeup_irq(qcom->hs_phy_irq); + +- if (qcom->dp_hs_phy_irq) { +- disable_irq_wake(qcom->dp_hs_phy_irq); +- disable_irq_nosync(qcom->dp_hs_phy_irq); +- } ++ dwc3_qcom_disable_wakeup_irq(qcom->dp_hs_phy_irq); + +- if (qcom->dm_hs_phy_irq) { +- disable_irq_wake(qcom->dm_hs_phy_irq); +- disable_irq_nosync(qcom->dm_hs_phy_irq); +- } ++ dwc3_qcom_disable_wakeup_irq(qcom->dm_hs_phy_irq); + +- if (qcom->ss_phy_irq) { +- disable_irq_wake(qcom->ss_phy_irq); +- disable_irq_nosync(qcom->ss_phy_irq); +- } ++ dwc3_qcom_disable_wakeup_irq(qcom->ss_phy_irq); + } + + static void dwc3_qcom_enable_interrupts(struct dwc3_qcom *qcom) + { +- if (qcom->hs_phy_irq) { +- enable_irq(qcom->hs_phy_irq); +- enable_irq_wake(qcom->hs_phy_irq); +- } ++ dwc3_qcom_enable_wakeup_irq(qcom->hs_phy_irq); + +- if (qcom->dp_hs_phy_irq) { +- enable_irq(qcom->dp_hs_phy_irq); +- enable_irq_wake(qcom->dp_hs_phy_irq); +- } ++ dwc3_qcom_enable_wakeup_irq(qcom->dp_hs_phy_irq); + +- if (qcom->dm_hs_phy_irq) { +- enable_irq(qcom->dm_hs_phy_irq); +- enable_irq_wake(qcom->dm_hs_phy_irq); +- } ++ dwc3_qcom_enable_wakeup_irq(qcom->dm_hs_phy_irq); + +- if (qcom->ss_phy_irq) { +- enable_irq(qcom->ss_phy_irq); +- enable_irq_wake(qcom->ss_phy_irq); +- } ++ dwc3_qcom_enable_wakeup_irq(qcom->ss_phy_irq); + } + + static int dwc3_qcom_suspend(struct dwc3_qcom *qcom) +-- +2.35.1 + diff --git a/queue-5.19/usb-dwc3-qcom-configure-wakeup-interrupts-during-sus.patch b/queue-5.19/usb-dwc3-qcom-configure-wakeup-interrupts-during-sus.patch new file mode 100644 index 00000000000..5a9e3a6d617 --- /dev/null +++ b/queue-5.19/usb-dwc3-qcom-configure-wakeup-interrupts-during-sus.patch @@ -0,0 +1,155 @@ +From 49a0d326a917eb97f00db955cc50118bac59be96 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Jun 2022 10:00:53 +0530 +Subject: usb: dwc3: qcom: Configure wakeup interrupts during suspend + +From: Sandeep Maheswaram + +[ Upstream commit 6895ea55c385c9afdd2aec1eef27ec24917a112f ] + +Configure DP/DM line interrupts based on the USB2 device attached to +the root hub port. When HS/FS device is connected, configure the DP line +as falling edge to detect both disconnect and remote wakeup scenarios. When +LS device is connected, configure DM line as falling edge to detect both +disconnect and remote wakeup. When no device is connected, configure both +DP and DM lines as rising edge to detect HS/HS/LS device connect scenario. + +Reviewed-by: Pavankumar Kondeti +Reviewed-by: Matthias Kaehlcke +Signed-off-by: Sandeep Maheswaram +Signed-off-by: Krishna Kurapati +Link: https://lore.kernel.org/r/1655094654-24052-5-git-send-email-quic_kriskura@quicinc.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc3/dwc3-qcom.c | 72 +++++++++++++++++++++++++++++++----- + 1 file changed, 62 insertions(+), 10 deletions(-) + +diff --git a/drivers/usb/dwc3/dwc3-qcom.c b/drivers/usb/dwc3/dwc3-qcom.c +index 27ff18aeea266..be2e3dd364408 100644 +--- a/drivers/usb/dwc3/dwc3-qcom.c ++++ b/drivers/usb/dwc3/dwc3-qcom.c +@@ -20,7 +20,8 @@ + #include + #include + #include +- ++#include ++#include + #include "core.h" + + /* USB QSCRATCH Hardware registers */ +@@ -76,6 +77,7 @@ struct dwc3_qcom { + int dp_hs_phy_irq; + int dm_hs_phy_irq; + int ss_phy_irq; ++ enum usb_device_speed usb2_speed; + + struct extcon_dev *edev; + struct extcon_dev *host_edev; +@@ -296,11 +298,34 @@ static void dwc3_qcom_interconnect_exit(struct dwc3_qcom *qcom) + icc_put(qcom->icc_path_apps); + } + +-static void dwc3_qcom_enable_wakeup_irq(int irq) ++static enum usb_device_speed dwc3_qcom_read_usb2_speed(struct dwc3_qcom *qcom) ++{ ++ struct dwc3 *dwc = platform_get_drvdata(qcom->dwc3); ++ struct usb_hcd *hcd = platform_get_drvdata(dwc->xhci); ++ struct usb_device *udev; ++ ++ /* ++ * It is possible to query the speed of all children of ++ * USB2.0 root hub via usb_hub_for_each_child(). DWC3 code ++ * currently supports only 1 port per controller. So ++ * this is sufficient. ++ */ ++ udev = usb_hub_find_child(hcd->self.root_hub, 1); ++ ++ if (!udev) ++ return USB_SPEED_UNKNOWN; ++ ++ return udev->speed; ++} ++ ++static void dwc3_qcom_enable_wakeup_irq(int irq, unsigned int polarity) + { + if (!irq) + return; + ++ if (polarity) ++ irq_set_irq_type(irq, polarity); ++ + enable_irq(irq); + enable_irq_wake(irq); + } +@@ -318,22 +343,47 @@ static void dwc3_qcom_disable_interrupts(struct dwc3_qcom *qcom) + { + dwc3_qcom_disable_wakeup_irq(qcom->hs_phy_irq); + +- dwc3_qcom_disable_wakeup_irq(qcom->dp_hs_phy_irq); +- +- dwc3_qcom_disable_wakeup_irq(qcom->dm_hs_phy_irq); ++ if (qcom->usb2_speed == USB_SPEED_LOW) { ++ dwc3_qcom_disable_wakeup_irq(qcom->dm_hs_phy_irq); ++ } else if ((qcom->usb2_speed == USB_SPEED_HIGH) || ++ (qcom->usb2_speed == USB_SPEED_FULL)) { ++ dwc3_qcom_disable_wakeup_irq(qcom->dp_hs_phy_irq); ++ } else { ++ dwc3_qcom_disable_wakeup_irq(qcom->dp_hs_phy_irq); ++ dwc3_qcom_disable_wakeup_irq(qcom->dm_hs_phy_irq); ++ } + + dwc3_qcom_disable_wakeup_irq(qcom->ss_phy_irq); + } + + static void dwc3_qcom_enable_interrupts(struct dwc3_qcom *qcom) + { +- dwc3_qcom_enable_wakeup_irq(qcom->hs_phy_irq); ++ dwc3_qcom_enable_wakeup_irq(qcom->hs_phy_irq, 0); + +- dwc3_qcom_enable_wakeup_irq(qcom->dp_hs_phy_irq); ++ /* ++ * Configure DP/DM line interrupts based on the USB2 device attached to ++ * the root hub port. When HS/FS device is connected, configure the DP line ++ * as falling edge to detect both disconnect and remote wakeup scenarios. When ++ * LS device is connected, configure DM line as falling edge to detect both ++ * disconnect and remote wakeup. When no device is connected, configure both ++ * DP and DM lines as rising edge to detect HS/HS/LS device connect scenario. ++ */ + +- dwc3_qcom_enable_wakeup_irq(qcom->dm_hs_phy_irq); ++ if (qcom->usb2_speed == USB_SPEED_LOW) { ++ dwc3_qcom_enable_wakeup_irq(qcom->dm_hs_phy_irq, ++ IRQ_TYPE_EDGE_FALLING); ++ } else if ((qcom->usb2_speed == USB_SPEED_HIGH) || ++ (qcom->usb2_speed == USB_SPEED_FULL)) { ++ dwc3_qcom_enable_wakeup_irq(qcom->dp_hs_phy_irq, ++ IRQ_TYPE_EDGE_FALLING); ++ } else { ++ dwc3_qcom_enable_wakeup_irq(qcom->dp_hs_phy_irq, ++ IRQ_TYPE_EDGE_RISING); ++ dwc3_qcom_enable_wakeup_irq(qcom->dm_hs_phy_irq, ++ IRQ_TYPE_EDGE_RISING); ++ } + +- dwc3_qcom_enable_wakeup_irq(qcom->ss_phy_irq); ++ dwc3_qcom_enable_wakeup_irq(qcom->ss_phy_irq, 0); + } + + static int dwc3_qcom_suspend(struct dwc3_qcom *qcom) +@@ -355,8 +405,10 @@ static int dwc3_qcom_suspend(struct dwc3_qcom *qcom) + if (ret) + dev_warn(qcom->dev, "failed to disable interconnect: %d\n", ret); + +- if (device_may_wakeup(qcom->dev)) ++ if (device_may_wakeup(qcom->dev)) { ++ qcom->usb2_speed = dwc3_qcom_read_usb2_speed(qcom); + dwc3_qcom_enable_interrupts(qcom); ++ } + + qcom->is_suspended = true; + +-- +2.35.1 + diff --git a/queue-5.19/usb-dwc3-qcom-fix-peripheral-and-otg-suspend.patch b/queue-5.19/usb-dwc3-qcom-fix-peripheral-and-otg-suspend.patch new file mode 100644 index 00000000000..f617b62a1eb --- /dev/null +++ b/queue-5.19/usb-dwc3-qcom-fix-peripheral-and-otg-suspend.patch @@ -0,0 +1,78 @@ +From 24c8db3a3963ef8c711e4309701faea9223c090a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Aug 2022 17:09:58 +0200 +Subject: usb: dwc3: qcom: fix peripheral and OTG suspend + +From: Johan Hovold + +[ Upstream commit c5f14abeb52b0177b940fd734133d383da3521d8 ] + +A recent commit implementing wakeup support in host mode instead broke +suspend for peripheral and OTG mode. + +The hack that was added in the suspend path to determine the speed of +any device connected to the USB2 bus not only accesses internal driver +data for a child device, but also dereferences a NULL pointer or +accesses freed data when the controller is not acting as host. + +There's no quick fix to the layering violation, but since reverting +would leave us with broken suspend in host mode with wakeup triggering +immediately, let's keep the hack for now. + +Fix the immediate issues by only checking the host bus speed and +enabling wakeup interrupts when acting as host. + +Fixes: 6895ea55c385 ("usb: dwc3: qcom: Configure wakeup interrupts during suspend") +Reported-by: kernel test robot +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20220804151001.23612-7-johan+linaro@kernel.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc3/dwc3-qcom.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +diff --git a/drivers/usb/dwc3/dwc3-qcom.c b/drivers/usb/dwc3/dwc3-qcom.c +index 25ae37b1a39df..436264db6afe9 100644 +--- a/drivers/usb/dwc3/dwc3-qcom.c ++++ b/drivers/usb/dwc3/dwc3-qcom.c +@@ -309,8 +309,13 @@ static bool dwc3_qcom_is_host(struct dwc3_qcom *qcom) + static enum usb_device_speed dwc3_qcom_read_usb2_speed(struct dwc3_qcom *qcom) + { + struct dwc3 *dwc = platform_get_drvdata(qcom->dwc3); +- struct usb_hcd *hcd = platform_get_drvdata(dwc->xhci); + struct usb_device *udev; ++ struct usb_hcd *hcd; ++ ++ /* ++ * FIXME: Fix this layering violation. ++ */ ++ hcd = platform_get_drvdata(dwc->xhci); + + /* + * It is possible to query the speed of all children of +@@ -413,7 +418,11 @@ static int dwc3_qcom_suspend(struct dwc3_qcom *qcom, bool wakeup) + if (ret) + dev_warn(qcom->dev, "failed to disable interconnect: %d\n", ret); + +- if (wakeup) { ++ /* ++ * The role is stable during suspend as role switching is done from a ++ * freezable workqueue. ++ */ ++ if (dwc3_qcom_is_host(qcom) && wakeup) { + qcom->usb2_speed = dwc3_qcom_read_usb2_speed(qcom); + dwc3_qcom_enable_interrupts(qcom); + } +@@ -431,7 +440,7 @@ static int dwc3_qcom_resume(struct dwc3_qcom *qcom, bool wakeup) + if (!qcom->is_suspended) + return 0; + +- if (wakeup) ++ if (dwc3_qcom_is_host(qcom) && wakeup) + dwc3_qcom_disable_interrupts(qcom); + + for (i = 0; i < qcom->num_clocks; i++) { +-- +2.35.1 + diff --git a/queue-5.19/usb-dwc3-qcom-fix-runtime-pm-wakeup.patch b/queue-5.19/usb-dwc3-qcom-fix-runtime-pm-wakeup.patch new file mode 100644 index 00000000000..631a706864b --- /dev/null +++ b/queue-5.19/usb-dwc3-qcom-fix-runtime-pm-wakeup.patch @@ -0,0 +1,110 @@ +From 456ac35d57d38f91c559bcac202e6676455ca38a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Aug 2022 17:09:57 +0200 +Subject: usb: dwc3: qcom: fix runtime PM wakeup + +From: Johan Hovold + +[ Upstream commit 6498a96c8c9ce8ae4078e586a607851491e29a33 ] + +A device must enable wakeups during runtime suspend regardless of +whether it is capable and allowed to wake the system up from system +suspend. + +Fixes: 2664deb09306 ("usb: dwc3: qcom: Honor wakeup enabled/disabled state") +Tested-by: Matthias Kaehlcke +Reviewed-by: Matthias Kaehlcke +Reviewed-by: Manivannan Sadhasivam +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20220804151001.23612-6-johan+linaro@kernel.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc3/dwc3-qcom.c | 19 +++++++++++-------- + 1 file changed, 11 insertions(+), 8 deletions(-) + +diff --git a/drivers/usb/dwc3/dwc3-qcom.c b/drivers/usb/dwc3/dwc3-qcom.c +index be2e3dd364408..19642d0df419c 100644 +--- a/drivers/usb/dwc3/dwc3-qcom.c ++++ b/drivers/usb/dwc3/dwc3-qcom.c +@@ -386,7 +386,7 @@ static void dwc3_qcom_enable_interrupts(struct dwc3_qcom *qcom) + dwc3_qcom_enable_wakeup_irq(qcom->ss_phy_irq, 0); + } + +-static int dwc3_qcom_suspend(struct dwc3_qcom *qcom) ++static int dwc3_qcom_suspend(struct dwc3_qcom *qcom, bool wakeup) + { + u32 val; + int i, ret; +@@ -405,7 +405,7 @@ static int dwc3_qcom_suspend(struct dwc3_qcom *qcom) + if (ret) + dev_warn(qcom->dev, "failed to disable interconnect: %d\n", ret); + +- if (device_may_wakeup(qcom->dev)) { ++ if (wakeup) { + qcom->usb2_speed = dwc3_qcom_read_usb2_speed(qcom); + dwc3_qcom_enable_interrupts(qcom); + } +@@ -415,7 +415,7 @@ static int dwc3_qcom_suspend(struct dwc3_qcom *qcom) + return 0; + } + +-static int dwc3_qcom_resume(struct dwc3_qcom *qcom) ++static int dwc3_qcom_resume(struct dwc3_qcom *qcom, bool wakeup) + { + int ret; + int i; +@@ -423,7 +423,7 @@ static int dwc3_qcom_resume(struct dwc3_qcom *qcom) + if (!qcom->is_suspended) + return 0; + +- if (device_may_wakeup(qcom->dev)) ++ if (wakeup) + dwc3_qcom_disable_interrupts(qcom); + + for (i = 0; i < qcom->num_clocks; i++) { +@@ -930,9 +930,11 @@ static int dwc3_qcom_remove(struct platform_device *pdev) + static int __maybe_unused dwc3_qcom_pm_suspend(struct device *dev) + { + struct dwc3_qcom *qcom = dev_get_drvdata(dev); ++ bool wakeup = device_may_wakeup(dev); + int ret = 0; + +- ret = dwc3_qcom_suspend(qcom); ++ ++ ret = dwc3_qcom_suspend(qcom, wakeup); + if (!ret) + qcom->pm_suspended = true; + +@@ -942,9 +944,10 @@ static int __maybe_unused dwc3_qcom_pm_suspend(struct device *dev) + static int __maybe_unused dwc3_qcom_pm_resume(struct device *dev) + { + struct dwc3_qcom *qcom = dev_get_drvdata(dev); ++ bool wakeup = device_may_wakeup(dev); + int ret; + +- ret = dwc3_qcom_resume(qcom); ++ ret = dwc3_qcom_resume(qcom, wakeup); + if (!ret) + qcom->pm_suspended = false; + +@@ -955,14 +958,14 @@ static int __maybe_unused dwc3_qcom_runtime_suspend(struct device *dev) + { + struct dwc3_qcom *qcom = dev_get_drvdata(dev); + +- return dwc3_qcom_suspend(qcom); ++ return dwc3_qcom_suspend(qcom, true); + } + + static int __maybe_unused dwc3_qcom_runtime_resume(struct device *dev) + { + struct dwc3_qcom *qcom = dev_get_drvdata(dev); + +- return dwc3_qcom_resume(qcom); ++ return dwc3_qcom_resume(qcom, true); + } + + static const struct dev_pm_ops dwc3_qcom_dev_pm_ops = { +-- +2.35.1 + diff --git a/queue-5.19/usb-dwc3-qcom-fix-use-after-free-on-runtime-pm-wakeu.patch b/queue-5.19/usb-dwc3-qcom-fix-use-after-free-on-runtime-pm-wakeu.patch new file mode 100644 index 00000000000..cac382d464b --- /dev/null +++ b/queue-5.19/usb-dwc3-qcom-fix-use-after-free-on-runtime-pm-wakeu.patch @@ -0,0 +1,82 @@ +From f2bcee907ea77917cf12fd034566f10318ce72c0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Aug 2022 17:09:56 +0200 +Subject: usb: dwc3: qcom: fix use-after-free on runtime-PM wakeup + +From: Johan Hovold + +[ Upstream commit a872ab303d5ddd4c965f9cd868677781a33ce35a ] + +The Qualcomm dwc3 runtime-PM implementation checks the xhci +platform-device pointer in the wakeup-interrupt handler to determine +whether the controller is in host mode and if so triggers a resume. + +After a role switch in OTG mode the xhci platform-device would have been +freed and the next wakeup from runtime suspend would access the freed +memory. + +Note that role switching is executed from a freezable workqueue, which +guarantees that the pointer is stable during suspend. + +Also note that runtime PM has been broken since commit 2664deb09306 +("usb: dwc3: qcom: Honor wakeup enabled/disabled state"), which +incidentally also prevents this issue from being triggered. + +Fixes: a4333c3a6ba9 ("usb: dwc3: Add Qualcomm DWC3 glue driver") +Cc: stable@vger.kernel.org # 4.18 +Reviewed-by: Matthias Kaehlcke +Reviewed-by: Manivannan Sadhasivam +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20220804151001.23612-5-johan+linaro@kernel.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc3/dwc3-qcom.c | 14 +++++++++++++- + drivers/usb/dwc3/host.c | 1 + + 2 files changed, 14 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/dwc3/dwc3-qcom.c b/drivers/usb/dwc3/dwc3-qcom.c +index 19642d0df419c..25ae37b1a39df 100644 +--- a/drivers/usb/dwc3/dwc3-qcom.c ++++ b/drivers/usb/dwc3/dwc3-qcom.c +@@ -298,6 +298,14 @@ static void dwc3_qcom_interconnect_exit(struct dwc3_qcom *qcom) + icc_put(qcom->icc_path_apps); + } + ++/* Only usable in contexts where the role can not change. */ ++static bool dwc3_qcom_is_host(struct dwc3_qcom *qcom) ++{ ++ struct dwc3 *dwc = platform_get_drvdata(qcom->dwc3); ++ ++ return dwc->xhci; ++} ++ + static enum usb_device_speed dwc3_qcom_read_usb2_speed(struct dwc3_qcom *qcom) + { + struct dwc3 *dwc = platform_get_drvdata(qcom->dwc3); +@@ -457,7 +465,11 @@ static irqreturn_t qcom_dwc3_resume_irq(int irq, void *data) + if (qcom->pm_suspended) + return IRQ_HANDLED; + +- if (dwc->xhci) ++ /* ++ * This is safe as role switching is done from a freezable workqueue ++ * and the wakeup interrupts are disabled as part of resume. ++ */ ++ if (dwc3_qcom_is_host(qcom)) + pm_runtime_resume(&dwc->xhci->dev); + + return IRQ_HANDLED; +diff --git a/drivers/usb/dwc3/host.c b/drivers/usb/dwc3/host.c +index f56c30cf151e4..f6f13e7f1ba14 100644 +--- a/drivers/usb/dwc3/host.c ++++ b/drivers/usb/dwc3/host.c +@@ -135,4 +135,5 @@ int dwc3_host_init(struct dwc3 *dwc) + void dwc3_host_exit(struct dwc3 *dwc) + { + platform_device_unregister(dwc->xhci); ++ dwc->xhci = NULL; + } +-- +2.35.1 + diff --git a/queue-5.19/wifi-cfg80211-debugfs-fix-return-type-in-ht40allow_m.patch b/queue-5.19/wifi-cfg80211-debugfs-fix-return-type-in-ht40allow_m.patch new file mode 100644 index 00000000000..5ea1f10a251 --- /dev/null +++ b/queue-5.19/wifi-cfg80211-debugfs-fix-return-type-in-ht40allow_m.patch @@ -0,0 +1,41 @@ +From 767c744722e6cd8d49d356c14c0ab8821a90e4ec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Aug 2022 10:03:21 +0300 +Subject: wifi: cfg80211: debugfs: fix return type in ht40allow_map_read() + +From: Dan Carpenter + +[ Upstream commit d776763f48084926b5d9e25507a3ddb7c9243d5e ] + +The return type is supposed to be ssize_t, which is signed long, +but "r" was declared as unsigned int. This means that on 64 bit systems +we return positive values instead of negative error codes. + +Fixes: 80a3511d70e8 ("cfg80211: add debugfs HT40 allow map") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/YutvOQeJm0UjLhwU@kili +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/debugfs.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/wireless/debugfs.c b/net/wireless/debugfs.c +index aab43469a2f04..0878b162890af 100644 +--- a/net/wireless/debugfs.c ++++ b/net/wireless/debugfs.c +@@ -65,9 +65,10 @@ static ssize_t ht40allow_map_read(struct file *file, + { + struct wiphy *wiphy = file->private_data; + char *buf; +- unsigned int offset = 0, buf_size = PAGE_SIZE, i, r; ++ unsigned int offset = 0, buf_size = PAGE_SIZE, i; + enum nl80211_band band; + struct ieee80211_supported_band *sband; ++ ssize_t r; + + buf = kzalloc(buf_size, GFP_KERNEL); + if (!buf) +-- +2.35.1 + diff --git a/queue-5.19/xhci-fix-null-pointer-dereference-in-remove-if-xhc-h.patch b/queue-5.19/xhci-fix-null-pointer-dereference-in-remove-if-xhc-h.patch new file mode 100644 index 00000000000..551ffb046be --- /dev/null +++ b/queue-5.19/xhci-fix-null-pointer-dereference-in-remove-if-xhc-h.patch @@ -0,0 +1,55 @@ +From d2d457e0df90659f0ae37945abfeb80a078971cf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Aug 2022 18:08:38 +0300 +Subject: xhci: Fix null pointer dereference in remove if xHC has only one + roothub + +From: Mathias Nyman + +[ Upstream commit 4a593a62a9e3a25ab4bc37f612e4edec144f7f43 ] + +The remove path in xhci platform driver tries to remove and put both main +and shared hcds even if only a main hcd exists (one roothub) + +This causes a null pointer dereference in reboot for those controllers. + +Check that the shared_hcd exists before trying to remove it. + +Fixes: e0fe986972f5 ("usb: host: xhci-plat: prepare operation w/o shared hcd") +Reported-by: Alexey Sheplyakov +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20220825150840.132216-2-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/xhci-plat.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/drivers/usb/host/xhci-plat.c b/drivers/usb/host/xhci-plat.c +index 044855818cb11..a8641b6536eea 100644 +--- a/drivers/usb/host/xhci-plat.c ++++ b/drivers/usb/host/xhci-plat.c +@@ -398,12 +398,17 @@ static int xhci_plat_remove(struct platform_device *dev) + pm_runtime_get_sync(&dev->dev); + xhci->xhc_state |= XHCI_STATE_REMOVING; + +- usb_remove_hcd(shared_hcd); +- xhci->shared_hcd = NULL; ++ if (shared_hcd) { ++ usb_remove_hcd(shared_hcd); ++ xhci->shared_hcd = NULL; ++ } ++ + usb_phy_shutdown(hcd->usb_phy); + + usb_remove_hcd(hcd); +- usb_put_hcd(shared_hcd); ++ ++ if (shared_hcd) ++ usb_put_hcd(shared_hcd); + + clk_disable_unprepare(clk); + clk_disable_unprepare(reg_clk); +-- +2.35.1 + diff --git a/queue-5.19/xsk-fix-corrupted-packets-for-xdp_shared_umem.patch b/queue-5.19/xsk-fix-corrupted-packets-for-xdp_shared_umem.patch new file mode 100644 index 00000000000..f2c87e2652b --- /dev/null +++ b/queue-5.19/xsk-fix-corrupted-packets-for-xdp_shared_umem.patch @@ -0,0 +1,70 @@ +From 9b1e85488975d6a7905ca6b7e9c1fbf91bdeabd4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Aug 2022 13:32:59 +0200 +Subject: xsk: Fix corrupted packets for XDP_SHARED_UMEM + +From: Magnus Karlsson + +[ Upstream commit 58ca14ed98c87cfe0d1408cc65a9745d9e9b7a56 ] + +Fix an issue in XDP_SHARED_UMEM mode together with aligned mode where +packets are corrupted for the second and any further sockets bound to +the same umem. In other words, this does not affect the first socket +bound to the umem. The culprit for this bug is that the initialization +of the DMA addresses for the pre-populated xsk buffer pool entries was +not performed for any socket but the first one bound to the umem. Only +the linear array of DMA addresses was populated. Fix this by populating +the DMA addresses in the xsk buffer pool for every socket bound to the +same umem. + +Fixes: 94033cd8e73b8 ("xsk: Optimize for aligned case") +Reported-by: Alasdair McWilliam +Reported-by: Intrusion Shield Team +Signed-off-by: Magnus Karlsson +Signed-off-by: Daniel Borkmann +Tested-by: Alasdair McWilliam +Acked-by: Maciej Fijalkowski +Link: https://lore.kernel.org/xdp-newbies/6205E10C-292E-4995-9D10-409649354226@outlook.com/ +Link: https://lore.kernel.org/bpf/20220812113259.531-1-magnus.karlsson@gmail.com +Signed-off-by: Sasha Levin +--- + net/xdp/xsk_buff_pool.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +diff --git a/net/xdp/xsk_buff_pool.c b/net/xdp/xsk_buff_pool.c +index f70112176b7c1..a71a8c6edf553 100644 +--- a/net/xdp/xsk_buff_pool.c ++++ b/net/xdp/xsk_buff_pool.c +@@ -379,6 +379,16 @@ static void xp_check_dma_contiguity(struct xsk_dma_map *dma_map) + + static int xp_init_dma_info(struct xsk_buff_pool *pool, struct xsk_dma_map *dma_map) + { ++ if (!pool->unaligned) { ++ u32 i; ++ ++ for (i = 0; i < pool->heads_cnt; i++) { ++ struct xdp_buff_xsk *xskb = &pool->heads[i]; ++ ++ xp_init_xskb_dma(xskb, pool, dma_map->dma_pages, xskb->orig_addr); ++ } ++ } ++ + pool->dma_pages = kvcalloc(dma_map->dma_pages_cnt, sizeof(*pool->dma_pages), GFP_KERNEL); + if (!pool->dma_pages) + return -ENOMEM; +@@ -428,12 +438,6 @@ int xp_dma_map(struct xsk_buff_pool *pool, struct device *dev, + + if (pool->unaligned) + xp_check_dma_contiguity(dma_map); +- else +- for (i = 0; i < pool->heads_cnt; i++) { +- struct xdp_buff_xsk *xskb = &pool->heads[i]; +- +- xp_init_xskb_dma(xskb, pool, dma_map->dma_pages, xskb->orig_addr); +- } + + err = xp_init_dma_info(pool, dma_map); + if (err) { +-- +2.35.1 + -- 2.47.3