diff --git a/patches.kernel.org/6.3.4-001-drm-fbdev-generic-prohibit-potential-out-of-bou.patch b/patches.kernel.org/6.3.4-001-drm-fbdev-generic-prohibit-potential-out-of-bou.patch new file mode 100644 index 0000000..38c6773 --- /dev/null +++ b/patches.kernel.org/6.3.4-001-drm-fbdev-generic-prohibit-potential-out-of-bou.patch @@ -0,0 +1,136 @@ +From: Sui Jingfeng +Date: Thu, 20 Apr 2023 11:05:00 +0800 +Subject: [PATCH] drm/fbdev-generic: prohibit potential out-of-bounds access +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: c8687694bb1f5c48134f152f8c5c2e53483eb99d + +[ Upstream commit c8687694bb1f5c48134f152f8c5c2e53483eb99d ] + +The fbdev test of IGT may write after EOF, which lead to out-of-bound +access for drm drivers with fbdev-generic. For example, run fbdev test +on a x86+ast2400 platform, with 1680x1050 resolution, will cause the +linux kernel hang with the following call trace: + + Oops: 0000 [#1] PREEMPT SMP PTI + [IGT] fbdev: starting subtest eof + Workqueue: events drm_fb_helper_damage_work [drm_kms_helper] + [IGT] fbdev: starting subtest nullptr + + RIP: 0010:memcpy_erms+0xa/0x20 + RSP: 0018:ffffa17d40167d98 EFLAGS: 00010246 + RAX: ffffa17d4eb7fa80 RBX: ffffa17d40e0aa80 RCX: 00000000000014c0 + RDX: 0000000000001a40 RSI: ffffa17d40e0b000 RDI: ffffa17d4eb80000 + RBP: ffffa17d40167e20 R08: 0000000000000000 R09: ffff89522ecff8c0 + R10: ffffa17d4e4c5000 R11: 0000000000000000 R12: ffffa17d4eb7fa80 + R13: 0000000000001a40 R14: 000000000000041a R15: ffffa17d40167e30 + FS: 0000000000000000(0000) GS:ffff895257380000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: ffffa17d40e0b000 CR3: 00000001eaeca006 CR4: 00000000001706e0 + Call Trace: + + ? drm_fbdev_generic_helper_fb_dirty+0x207/0x330 [drm_kms_helper] + drm_fb_helper_damage_work+0x8f/0x170 [drm_kms_helper] + process_one_work+0x21f/0x430 + worker_thread+0x4e/0x3c0 + ? __pfx_worker_thread+0x10/0x10 + kthread+0xf4/0x120 + ? __pfx_kthread+0x10/0x10 + ret_from_fork+0x2c/0x50 + + CR2: ffffa17d40e0b000 + ---[ end trace 0000000000000000 ]--- + +The is because damage rectangles computed by +drm_fb_helper_memory_range_to_clip() function is not guaranteed to be +bound in the screen's active display area. Possible reasons are: + +1) Buffers are allocated in the granularity of page size, for mmap system + call support. The shadow screen buffer consumed by fbdev emulation may + also choosed be page size aligned. + +2) The DIV_ROUND_UP() used in drm_fb_helper_memory_range_to_clip() + will introduce off-by-one error. + +For example, on a 16KB page size system, in order to store a 1920x1080 +XRGB framebuffer, we need allocate 507 pages. Unfortunately, the size +1920*1080*4 can not be divided exactly by 16KB. + + 1920 * 1080 * 4 = 8294400 bytes + 506 * 16 * 1024 = 8290304 bytes + 507 * 16 * 1024 = 8306688 bytes + + line_length = 1920*4 = 7680 bytes + + 507 * 16 * 1024 / 7680 = 1081.6 + + off / line_length = 507 * 16 * 1024 / 7680 = 1081 + DIV_ROUND_UP(507 * 16 * 1024, 7680) will yeild 1082 + +memcpy_toio() typically issue the copy line by line, when copy the last +line, out-of-bound access will be happen. Because: + + 1082 * line_length = 1082 * 7680 = 8309760, and 8309760 > 8306688 + +Note that userspace may still write to the invisiable area if a larger +buffer than width x stride is exposed. But it is not a big issue as +long as there still have memory resolve the access if not drafting so +far. + + - Also limit the y1 (Daniel) + - keep fix patch it to minimal (Daniel) + - screen_size is page size aligned because of it need mmap (Thomas) + - Adding fixes tag (Thomas) + +Signed-off-by: Sui Jingfeng +Fixes: aa15c677cc34 ("drm/fb-helper: Fix vertical damage clipping") +Reviewed-by: Thomas Zimmermann +Tested-by: Geert Uytterhoeven +Link: https://lore.kernel.org/dri-devel/ad44df29-3241-0d9e-e708-b0338bf3c623@189.cn/ +Signed-off-by: Thomas Zimmermann +Link: https://patchwork.freedesktop.org/patch/msgid/20230420030500.1578756-1-suijingfeng@loongson.cn +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/gpu/drm/drm_fb_helper.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/drm_fb_helper.c b/drivers/gpu/drm/drm_fb_helper.c +index 2fe8349b..2a4e9fea 100644 +--- a/drivers/gpu/drm/drm_fb_helper.c ++++ b/drivers/gpu/drm/drm_fb_helper.c +@@ -625,19 +625,27 @@ static void drm_fb_helper_damage(struct drm_fb_helper *helper, u32 x, u32 y, + static void drm_fb_helper_memory_range_to_clip(struct fb_info *info, off_t off, size_t len, + struct drm_rect *clip) + { ++ u32 line_length = info->fix.line_length; ++ u32 fb_height = info->var.yres; + off_t end = off + len; + u32 x1 = 0; +- u32 y1 = off / info->fix.line_length; ++ u32 y1 = off / line_length; + u32 x2 = info->var.xres; +- u32 y2 = DIV_ROUND_UP(end, info->fix.line_length); ++ u32 y2 = DIV_ROUND_UP(end, line_length); ++ ++ /* Don't allow any of them beyond the bottom bound of display area */ ++ if (y1 > fb_height) ++ y1 = fb_height; ++ if (y2 > fb_height) ++ y2 = fb_height; + + if ((y2 - y1) == 1) { + /* + * We've only written to a single scanline. Try to reduce + * the number of horizontal pixels that need an update. + */ +- off_t bit_off = (off % info->fix.line_length) * 8; +- off_t bit_end = (end % info->fix.line_length) * 8; ++ off_t bit_off = (off % line_length) * 8; ++ off_t bit_end = (end % line_length) * 8; + + x1 = bit_off / info->var.bits_per_pixel; + x2 = DIV_ROUND_UP(bit_end, info->var.bits_per_pixel); +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-002-firmware-sysfb-Fix-VESA-format-selection.patch b/patches.kernel.org/6.3.4-002-firmware-sysfb-Fix-VESA-format-selection.patch new file mode 100644 index 0000000..b9bff24 --- /dev/null +++ b/patches.kernel.org/6.3.4-002-firmware-sysfb-Fix-VESA-format-selection.patch @@ -0,0 +1,62 @@ +From: Pierre Asselin +Date: Wed, 19 Apr 2023 00:48:34 -0400 +Subject: [PATCH] firmware/sysfb: Fix VESA format selection +Patch-mainline: 6.3.4 +References: bsc#1012628 bsc#1211119 +Git-commit: 1b617bc93178912fa36f87a957c15d1f1708c299 + +[ Upstream commit 1b617bc93178912fa36f87a957c15d1f1708c299 ] + +Some legacy BIOSes report no reserved bits in their 32-bit rgb mode, +breaking the calculation of bits_per_pixel in commit f35cd3fa7729 +("firmware/sysfb: Fix EFI/VESA format selection"). However they report +lfb_depth correctly for those modes. Keep the computation but +set bits_per_pixel to lfb_depth if the latter is larger. + +v2 fixes the warnings from a max3() macro with arguments of different +types; split the bits_per_pixel assignment to avoid uglyfing the code +with too many typecasts. + +v3 fixes space and formatting blips pointed out by Javier, and change +the bit_per_pixel assignment back to a single statement using two casts. + +v4 go back to v2 and use max_t() + +Signed-off-by: Pierre Asselin +Fixes: f35cd3fa7729 ("firmware/sysfb: Fix EFI/VESA format selection") +Link: https://lore.kernel.org/r/4Psm6B6Lqkz1QXM@panix3.panix.com +Link: https://lore.kernel.org/r/20230412150225.3757223-1-javierm@redhat.com +Tested-by: Thomas Zimmermann +Signed-off-by: Thomas Zimmermann +Link: https://patchwork.freedesktop.org/patch/msgid/20230419044834.10816-1-pa@panix.com +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/firmware/sysfb_simplefb.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/firmware/sysfb_simplefb.c b/drivers/firmware/sysfb_simplefb.c +index 82c64cb9..74363ed7 100644 +--- a/drivers/firmware/sysfb_simplefb.c ++++ b/drivers/firmware/sysfb_simplefb.c +@@ -51,7 +51,8 @@ __init bool sysfb_parse_mode(const struct screen_info *si, + * + * It's not easily possible to fix this in struct screen_info, + * as this could break UAPI. The best solution is to compute +- * bits_per_pixel here and ignore lfb_depth. In the loop below, ++ * bits_per_pixel from the color bits, reserved bits and ++ * reported lfb_depth, whichever is highest. In the loop below, + * ignore simplefb formats with alpha bits, as EFI and VESA + * don't specify alpha channels. + */ +@@ -60,6 +61,7 @@ __init bool sysfb_parse_mode(const struct screen_info *si, + si->green_size + si->green_pos, + si->blue_size + si->blue_pos), + si->rsvd_size + si->rsvd_pos); ++ bits_per_pixel = max_t(u32, bits_per_pixel, si->lfb_depth); + } else { + bits_per_pixel = si->lfb_depth; + } +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-003-drm-dsc-fix-DP_DSC_MAX_BPP_DELTA_-macro-values.patch b/patches.kernel.org/6.3.4-003-drm-dsc-fix-DP_DSC_MAX_BPP_DELTA_-macro-values.patch new file mode 100644 index 0000000..5c7d581 --- /dev/null +++ b/patches.kernel.org/6.3.4-003-drm-dsc-fix-DP_DSC_MAX_BPP_DELTA_-macro-values.patch @@ -0,0 +1,41 @@ +From: Jani Nikula +Date: Thu, 6 Apr 2023 16:46:15 +0300 +Subject: [PATCH] drm/dsc: fix DP_DSC_MAX_BPP_DELTA_* macro values +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 0d68683838f2850dd8ff31f1121e05bfb7a2def0 + +[ Upstream commit 0d68683838f2850dd8ff31f1121e05bfb7a2def0 ] + +The macro values just don't match the specs. Fix them. + +Fixes: 1482ec00be4a ("drm: Add missing DP DSC extended capability definitions.") +Cc: Vinod Govindapillai +Cc: Stanislav Lisovskiy +Signed-off-by: Jani Nikula +Reviewed-by: Ankit Nautiyal +Link: https://patchwork.freedesktop.org/patch/msgid/20230406134615.1422509-2-jani.nikula@intel.com +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + include/drm/display/drm_dp.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/include/drm/display/drm_dp.h b/include/drm/display/drm_dp.h +index 4545ed61..b8b7f990 100644 +--- a/include/drm/display/drm_dp.h ++++ b/include/drm/display/drm_dp.h +@@ -286,8 +286,8 @@ + + #define DP_DSC_MAX_BITS_PER_PIXEL_HI 0x068 /* eDP 1.4 */ + # define DP_DSC_MAX_BITS_PER_PIXEL_HI_MASK (0x3 << 0) +-# define DP_DSC_MAX_BPP_DELTA_VERSION_MASK 0x06 +-# define DP_DSC_MAX_BPP_DELTA_AVAILABILITY 0x08 ++# define DP_DSC_MAX_BPP_DELTA_VERSION_MASK (0x3 << 5) /* eDP 1.5 & DP 2.0 */ ++# define DP_DSC_MAX_BPP_DELTA_AVAILABILITY (1 << 7) /* eDP 1.5 & DP 2.0 */ + + #define DP_DSC_DEC_COLOR_FORMAT_CAP 0x069 + # define DP_DSC_RGB (1 << 0) +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-004-drm-nouveau-disp-More-DP_RECEIVER_CAP_SIZE-arra.patch b/patches.kernel.org/6.3.4-004-drm-nouveau-disp-More-DP_RECEIVER_CAP_SIZE-arra.patch new file mode 100644 index 0000000..4bfd2d0 --- /dev/null +++ b/patches.kernel.org/6.3.4-004-drm-nouveau-disp-More-DP_RECEIVER_CAP_SIZE-arra.patch @@ -0,0 +1,107 @@ +From: Kees Cook +Date: Sat, 4 Feb 2023 10:43:10 -0800 +Subject: [PATCH] drm/nouveau/disp: More DP_RECEIVER_CAP_SIZE array fixes +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 25feda6fbd0cfefcb69308fb20d4d4815a107c5e + +[ Upstream commit 25feda6fbd0cfefcb69308fb20d4d4815a107c5e ] + +More arrays (and arguments) for dcpd were set to 16, when it looks like +DP_RECEIVER_CAP_SIZE (15) should be used. Fix the remaining cases, seen +with GCC 13: + +../drivers/gpu/drm/nouveau/nvif/outp.c: In function 'nvif_outp_acquire_dp': +../include/linux/fortify-string.h:57:33: warning: array subscript 'unsigned char[16][0]' is partly outside array bounds of 'u8[15]' {aka 'unsigned char[15]'} [-Warray-bounds=] + 57 | #define __underlying_memcpy __builtin_memcpy + | ^ +... +../drivers/gpu/drm/nouveau/nvif/outp.c:140:9: note: in expansion of macro 'memcpy' + 140 | memcpy(args.dp.dpcd, dpcd, sizeof(args.dp.dpcd)); + | ^~~~~~ +../drivers/gpu/drm/nouveau/nvif/outp.c:130:49: note: object 'dpcd' of size [0, 15] + 130 | nvif_outp_acquire_dp(struct nvif_outp *outp, u8 dpcd[DP_RECEIVER_CAP_SIZE], + | ~~~^~~~~~~~~~~~~~~~~~~~~~~~~~ + +Fixes: 813443721331 ("drm/nouveau/disp: move DP link config into acquire") +Cc: Ben Skeggs +Cc: Lyude Paul +Cc: Karol Herbst +Cc: David Airlie +Cc: Daniel Vetter +Cc: Dave Airlie +Cc: "Gustavo A. R. Silva" +Cc: dri-devel@lists.freedesktop.org +Cc: nouveau@lists.freedesktop.org +Signed-off-by: Kees Cook +Reviewed-by: Gustavo A. R. Silva +Reviewed-by: Karol Herbst +Signed-off-by: Karol Herbst +Link: https://patchwork.freedesktop.org/patch/msgid/20230204184307.never.825-kees@kernel.org +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/gpu/drm/nouveau/include/nvif/if0012.h | 4 +++- + drivers/gpu/drm/nouveau/nvkm/engine/disp/outp.h | 3 ++- + drivers/gpu/drm/nouveau/nvkm/engine/disp/uoutp.c | 2 +- + 3 files changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/nouveau/include/nvif/if0012.h b/drivers/gpu/drm/nouveau/include/nvif/if0012.h +index eb99d84e..16d4ad50 100644 +--- a/drivers/gpu/drm/nouveau/include/nvif/if0012.h ++++ b/drivers/gpu/drm/nouveau/include/nvif/if0012.h +@@ -2,6 +2,8 @@ + #ifndef __NVIF_IF0012_H__ + #define __NVIF_IF0012_H__ + ++#include ++ + union nvif_outp_args { + struct nvif_outp_v0 { + __u8 version; +@@ -63,7 +65,7 @@ union nvif_outp_acquire_args { + __u8 hda; + __u8 mst; + __u8 pad04[4]; +- __u8 dpcd[16]; ++ __u8 dpcd[DP_RECEIVER_CAP_SIZE]; + } dp; + }; + } v0; +diff --git a/drivers/gpu/drm/nouveau/nvkm/engine/disp/outp.h b/drivers/gpu/drm/nouveau/nvkm/engine/disp/outp.h +index b7631c1a..4e7f873f 100644 +--- a/drivers/gpu/drm/nouveau/nvkm/engine/disp/outp.h ++++ b/drivers/gpu/drm/nouveau/nvkm/engine/disp/outp.h +@@ -3,6 +3,7 @@ + #define __NVKM_DISP_OUTP_H__ + #include "priv.h" + ++#include + #include + #include + #include +@@ -42,7 +43,7 @@ struct nvkm_outp { + bool aux_pwr_pu; + u8 lttpr[6]; + u8 lttprs; +- u8 dpcd[16]; ++ u8 dpcd[DP_RECEIVER_CAP_SIZE]; + + struct { + int dpcd; /* -1, or index into SUPPORTED_LINK_RATES table */ +diff --git a/drivers/gpu/drm/nouveau/nvkm/engine/disp/uoutp.c b/drivers/gpu/drm/nouveau/nvkm/engine/disp/uoutp.c +index 4f0ca709..fc283a4a 100644 +--- a/drivers/gpu/drm/nouveau/nvkm/engine/disp/uoutp.c ++++ b/drivers/gpu/drm/nouveau/nvkm/engine/disp/uoutp.c +@@ -146,7 +146,7 @@ nvkm_uoutp_mthd_release(struct nvkm_outp *outp, void *argv, u32 argc) + } + + static int +-nvkm_uoutp_mthd_acquire_dp(struct nvkm_outp *outp, u8 dpcd[16], ++nvkm_uoutp_mthd_acquire_dp(struct nvkm_outp *outp, u8 dpcd[DP_RECEIVER_CAP_SIZE], + u8 link_nr, u8 link_bw, bool hda, bool mst) + { + int ret; +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-005-drm-mipi-dsi-Set-the-fwnode-for-mipi_dsi_device.patch b/patches.kernel.org/6.3.4-005-drm-mipi-dsi-Set-the-fwnode-for-mipi_dsi_device.patch new file mode 100644 index 0000000..83738ac --- /dev/null +++ b/patches.kernel.org/6.3.4-005-drm-mipi-dsi-Set-the-fwnode-for-mipi_dsi_device.patch @@ -0,0 +1,49 @@ +From: Saravana Kannan +Date: Thu, 9 Mar 2023 22:39:09 -0800 +Subject: [PATCH] drm/mipi-dsi: Set the fwnode for mipi_dsi_device +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: a26cc2934331b57b5a7164bff344f0a2ec245fc0 + +[ Upstream commit a26cc2934331b57b5a7164bff344f0a2ec245fc0 ] + +After commit 3fb16866b51d ("driver core: fw_devlink: Make cycle +detection more robust"), fw_devlink prints an error when consumer +devices don't have their fwnode set. This used to be ignored silently. + +Set the fwnode mipi_dsi_device so fw_devlink can find them and properly +track their dependencies. + +This fixes errors like this: +[ 0.334054] nwl-dsi 30a00000.mipi-dsi: Failed to create device link with regulator-lcd-1v8 +[ 0.346964] nwl-dsi 30a00000.mipi-dsi: Failed to create device link with backlight-dsi + +Reported-by: Martin Kepplinger +Link: https://lore.kernel.org/lkml/2a8e407f4f18c9350f8629a2b5fa18673355b2ae.camel@puri.sm/ +Fixes: 068a00233969 ("drm: Add MIPI DSI bus support") +Signed-off-by: Saravana Kannan +Tested-by: Martin Kepplinger +Link: https://lore.kernel.org/r/20230310063910.2474472-1-saravanak@google.com +Signed-off-by: Maxime Ripard +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/gpu/drm/drm_mipi_dsi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/drm_mipi_dsi.c b/drivers/gpu/drm/drm_mipi_dsi.c +index b41aaf2b..7923cc21 100644 +--- a/drivers/gpu/drm/drm_mipi_dsi.c ++++ b/drivers/gpu/drm/drm_mipi_dsi.c +@@ -221,7 +221,7 @@ mipi_dsi_device_register_full(struct mipi_dsi_host *host, + return dsi; + } + +- dsi->dev.of_node = info->node; ++ device_set_node(&dsi->dev, of_fwnode_handle(info->node)); + dsi->channel = info->channel; + strlcpy(dsi->name, info->type, sizeof(dsi->name)); + +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-006-ARM-9296-1-HP-Jornada-7XX-fix-kernel-doc-warnin.patch b/patches.kernel.org/6.3.4-006-ARM-9296-1-HP-Jornada-7XX-fix-kernel-doc-warnin.patch new file mode 100644 index 0000000..c88eb54 --- /dev/null +++ b/patches.kernel.org/6.3.4-006-ARM-9296-1-HP-Jornada-7XX-fix-kernel-doc-warnin.patch @@ -0,0 +1,70 @@ +From: Randy Dunlap +Date: Sun, 23 Apr 2023 06:48:45 +0100 +Subject: [PATCH] ARM: 9296/1: HP Jornada 7XX: fix kernel-doc warnings +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 46dd6078dbc7e363a8bb01209da67015a1538929 + +[ Upstream commit 46dd6078dbc7e363a8bb01209da67015a1538929 ] + +Fix kernel-doc warnings from the kernel test robot: + +jornada720_ssp.c:24: warning: Function parameter or member 'jornada_ssp_lock' not described in 'DEFINE_SPINLOCK' +jornada720_ssp.c:24: warning: expecting prototype for arch/arm/mac(). Prototype was for DEFINE_SPINLOCK() instead +jornada720_ssp.c:34: warning: Function parameter or member 'byte' not described in 'jornada_ssp_reverse' +jornada720_ssp.c:57: warning: Function parameter or member 'byte' not described in 'jornada_ssp_byte' +jornada720_ssp.c:85: warning: Function parameter or member 'byte' not described in 'jornada_ssp_inout' + +Link: lore.kernel.org/r/202304210535.tWby3jWF-lkp@intel.com + +Fixes: 69ebb22277a5 ("[ARM] 4506/1: HP Jornada 7XX: Addition of SSP Platform Driver") +Signed-off-by: Randy Dunlap +Reported-by: kernel test robot +Cc: Arnd Bergmann +Cc: Kristoffer Ericson +Cc: patches@armlinux.org.uk +Signed-off-by: Russell King (Oracle) +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + arch/arm/mach-sa1100/jornada720_ssp.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/arch/arm/mach-sa1100/jornada720_ssp.c b/arch/arm/mach-sa1100/jornada720_ssp.c +index 1dbe9894..9627c4cf 100644 +--- a/arch/arm/mach-sa1100/jornada720_ssp.c ++++ b/arch/arm/mach-sa1100/jornada720_ssp.c +@@ -1,5 +1,5 @@ + // SPDX-License-Identifier: GPL-2.0-only +-/** ++/* + * arch/arm/mac-sa1100/jornada720_ssp.c + * + * Copyright (C) 2006/2007 Kristoffer Ericson +@@ -26,6 +26,7 @@ static unsigned long jornada_ssp_flags; + + /** + * jornada_ssp_reverse - reverses input byte ++ * @byte: input byte to reverse + * + * we need to reverse all data we receive from the mcu due to its physical location + * returns : 01110111 -> 11101110 +@@ -46,6 +47,7 @@ EXPORT_SYMBOL(jornada_ssp_reverse); + + /** + * jornada_ssp_byte - waits for ready ssp bus and sends byte ++ * @byte: input byte to transmit + * + * waits for fifo buffer to clear and then transmits, if it doesn't then we will + * timeout after rounds. Needs mcu running before its called. +@@ -77,6 +79,7 @@ EXPORT_SYMBOL(jornada_ssp_byte); + + /** + * jornada_ssp_inout - decide if input is command or trading byte ++ * @byte: input byte to send (may be %TXDUMMY) + * + * returns : (jornada_ssp_byte(byte)) on success + * : %-ETIMEDOUT on timeout failure +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-007-net-skb_partial_csum_set-fix-against-transport-.patch b/patches.kernel.org/6.3.4-007-net-skb_partial_csum_set-fix-against-transport-.patch new file mode 100644 index 0000000..da3673b --- /dev/null +++ b/patches.kernel.org/6.3.4-007-net-skb_partial_csum_set-fix-against-transport-.patch @@ -0,0 +1,97 @@ +From: Eric Dumazet +Date: Fri, 5 May 2023 17:06:18 +0000 +Subject: [PATCH] net: skb_partial_csum_set() fix against transport header + magic value +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 424f8416bb39936df6365442d651ee729b283460 + +[ Upstream commit 424f8416bb39936df6365442d651ee729b283460 ] + +skb->transport_header uses the special 0xFFFF value +to mark if the transport header was set or not. + +We must prevent callers to accidentaly set skb->transport_header +to 0xFFFF. Note that only fuzzers can possibly do this today. + +syzbot reported: + +WARNING: CPU: 0 PID: 2340 at include/linux/skbuff.h:2847 skb_transport_offset include/linux/skbuff.h:2956 [inline] +WARNING: CPU: 0 PID: 2340 at include/linux/skbuff.h:2847 virtio_net_hdr_to_skb+0xbcc/0x10c0 include/linux/virtio_net.h:103 +Modules linked in: +CPU: 0 PID: 2340 Comm: syz-executor.0 Not tainted 6.3.0-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 +RIP: 0010:skb_transport_header include/linux/skbuff.h:2847 [inline] +RIP: 0010:skb_transport_offset include/linux/skbuff.h:2956 [inline] +RIP: 0010:virtio_net_hdr_to_skb+0xbcc/0x10c0 include/linux/virtio_net.h:103 +Code: 41 39 df 0f 82 c3 04 00 00 48 8b 7c 24 10 44 89 e6 e8 08 6e 59 ff 48 85 c0 74 54 e8 ce 36 7e fc e9 37 f8 ff ff e8 c4 36 7e fc <0f> 0b e9 93 f8 ff ff 44 89 f7 44 89 e6 e8 32 38 7e fc 45 39 e6 0f +RSP: 0018:ffffc90004497880 EFLAGS: 00010293 +RAX: ffffffff84fea55c RBX: 000000000000ffff RCX: ffff888120be2100 +RDX: 0000000000000000 RSI: 000000000000ffff RDI: 000000000000ffff +RBP: ffffc90004497990 R08: ffffffff84fe9de5 R09: 0000000000000034 +R10: ffffea00048ebd80 R11: 0000000000000034 R12: ffff88811dc2d9c8 +R13: dffffc0000000000 R14: ffff88811dc2d9ae R15: 1ffff11023b85b35 +FS: 00007f9211a59700(0000) GS:ffff8881f6c00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00000000200002c0 CR3: 00000001215a5000 CR4: 00000000003506f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + +packet_snd net/packet/af_packet.c:3076 [inline] +packet_sendmsg+0x4590/0x61a0 net/packet/af_packet.c:3115 +sock_sendmsg_nosec net/socket.c:724 [inline] +sock_sendmsg net/socket.c:747 [inline] +__sys_sendto+0x472/0x630 net/socket.c:2144 +__do_sys_sendto net/socket.c:2156 [inline] +__se_sys_sendto net/socket.c:2152 [inline] +__x64_sys_sendto+0xe5/0x100 net/socket.c:2152 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x2f/0x50 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd +RIP: 0033:0x7f9210c8c169 +Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007f9211a59168 EFLAGS: 00000246 ORIG_RAX: 000000000000002c +RAX: ffffffffffffffda RBX: 00007f9210dabf80 RCX: 00007f9210c8c169 +RDX: 000000000000ffed RSI: 00000000200000c0 RDI: 0000000000000003 +RBP: 00007f9210ce7ca1 R08: 0000000020000540 R09: 0000000000000014 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: 00007ffe135d65cf R14: 00007f9211a59300 R15: 0000000000022000 + +Fixes: 66e4c8d95008 ("net: warn if transport header was not set") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Cc: Willem de Bruijn +Reviewed-by: Willem de Bruijn +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + net/core/skbuff.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/core/skbuff.c b/net/core/skbuff.c +index 14bb41aa..afec5e2c 100644 +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -5243,7 +5243,7 @@ bool skb_partial_csum_set(struct sk_buff *skb, u16 start, u16 off) + u32 csum_end = (u32)start + (u32)off + sizeof(__sum16); + u32 csum_start = skb_headroom(skb) + (u32)start; + +- if (unlikely(csum_start > U16_MAX || csum_end > skb_headlen(skb))) { ++ if (unlikely(csum_start >= U16_MAX || csum_end > skb_headlen(skb))) { + net_warn_ratelimited("bad partial csum: csum=%u/%u headroom=%u headlen=%u\n", + start, off, skb_headroom(skb), skb_headlen(skb)); + return false; +@@ -5251,7 +5251,7 @@ bool skb_partial_csum_set(struct sk_buff *skb, u16 start, u16 off) + skb->ip_summed = CHECKSUM_PARTIAL; + skb->csum_start = csum_start; + skb->csum_offset = off; +- skb_set_transport_header(skb, start); ++ skb->transport_header = csum_start; + return true; + } + EXPORT_SYMBOL_GPL(skb_partial_csum_set); +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-008-net-mdio-mvusb-Fix-an-error-handling-path-in-mv.patch b/patches.kernel.org/6.3.4-008-net-mdio-mvusb-Fix-an-error-handling-path-in-mv.patch new file mode 100644 index 0000000..1040c77 --- /dev/null +++ b/patches.kernel.org/6.3.4-008-net-mdio-mvusb-Fix-an-error-handling-path-in-mv.patch @@ -0,0 +1,56 @@ +From: Christophe JAILLET +Date: Fri, 5 May 2023 20:39:33 +0200 +Subject: [PATCH] net: mdio: mvusb: Fix an error handling path in + mvusb_mdio_probe() +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 27c1eaa07283b0c94becf8241f95368267cf558b + +[ Upstream commit 27c1eaa07283b0c94becf8241f95368267cf558b ] + +Should of_mdiobus_register() fail, a previous usb_get_dev() call should be +undone as in the .disconnect function. + +Fixes: 04e37d92fbed ("net: phy: add marvell usb to mdio controller") +Signed-off-by: Christophe JAILLET +Reviewed-by: Simon Horman +Reviewed-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/net/mdio/mdio-mvusb.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/mdio/mdio-mvusb.c b/drivers/net/mdio/mdio-mvusb.c +index 68fc5590..554837c2 100644 +--- a/drivers/net/mdio/mdio-mvusb.c ++++ b/drivers/net/mdio/mdio-mvusb.c +@@ -67,6 +67,7 @@ static int mvusb_mdio_probe(struct usb_interface *interface, + struct device *dev = &interface->dev; + struct mvusb_mdio *mvusb; + struct mii_bus *mdio; ++ int ret; + + mdio = devm_mdiobus_alloc_size(dev, sizeof(*mvusb)); + if (!mdio) +@@ -87,7 +88,15 @@ static int mvusb_mdio_probe(struct usb_interface *interface, + mdio->write = mvusb_mdio_write; + + usb_set_intfdata(interface, mvusb); +- return of_mdiobus_register(mdio, dev->of_node); ++ ret = of_mdiobus_register(mdio, dev->of_node); ++ if (ret) ++ goto put_dev; ++ ++ return 0; ++ ++put_dev: ++ usb_put_dev(mvusb->udev); ++ return ret; + } + + static void mvusb_mdio_disconnect(struct usb_interface *interface) +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-009-perf-core-Fix-perf_sample_data-not-properly-ini.patch b/patches.kernel.org/6.3.4-009-perf-core-Fix-perf_sample_data-not-properly-ini.patch new file mode 100644 index 0000000..61c93b9 --- /dev/null +++ b/patches.kernel.org/6.3.4-009-perf-core-Fix-perf_sample_data-not-properly-ini.patch @@ -0,0 +1,109 @@ +From: Yang Jihong +Date: Tue, 25 Apr 2023 10:32:17 +0000 +Subject: [PATCH] perf/core: Fix perf_sample_data not properly initialized for + different swevents in perf_tp_event() +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 1d1bfe30dad50d4bea83cd38d73c441972ea0173 + +[ Upstream commit 1d1bfe30dad50d4bea83cd38d73c441972ea0173 ] + +data->sample_flags may be modified in perf_prepare_sample(), +in perf_tp_event(), different swevents use the same on-stack +perf_sample_data, the previous swevent may change sample_flags in +perf_prepare_sample(), as a result, some members of perf_sample_data are +not correctly initialized when next swevent_event preparing sample +(for example data->id, the value varies according to swevent). + +A simple scenario triggers this problem is as follows: + + # perf record -e sched:sched_switch --switch-output-event sched:sched_switch -a sleep 1 + [ perf record: dump data: Woken up 0 times ] + [ perf record: Dump perf.data.2023041209014396 ] + [ perf record: dump data: Woken up 0 times ] + [ perf record: Dump perf.data.2023041209014662 ] + [ perf record: dump data: Woken up 0 times ] + [ perf record: Dump perf.data.2023041209014910 ] + [ perf record: Woken up 0 times to write data ] + [ perf record: Dump perf.data.2023041209015164 ] + [ perf record: Captured and wrote 0.069 MB perf.data. ] + # ls -l + total 860 + -rw------- 1 root root 95694 Apr 12 09:01 perf.data.2023041209014396 + -rw------- 1 root root 606430 Apr 12 09:01 perf.data.2023041209014662 + -rw------- 1 root root 82246 Apr 12 09:01 perf.data.2023041209014910 + -rw------- 1 root root 82342 Apr 12 09:01 perf.data.2023041209015164 + # perf script -i perf.data.2023041209014396 + 0x11d58 [0x80]: failed to process type: 9 [Bad address] + +Solution: Re-initialize perf_sample_data after each event is processed. +Note that data->raw->frag.data may be accessed in perf_tp_event_match(). +Therefore, need to init sample_data and then go through swevent hlist to prevent +reference of NULL pointer, reported by [1]. + +After fix: + + # perf record -e sched:sched_switch --switch-output-event sched:sched_switch -a sleep 1 + [ perf record: dump data: Woken up 0 times ] + [ perf record: Dump perf.data.2023041209442259 ] + [ perf record: dump data: Woken up 0 times ] + [ perf record: Dump perf.data.2023041209442514 ] + [ perf record: dump data: Woken up 0 times ] + [ perf record: Dump perf.data.2023041209442760 ] + [ perf record: Woken up 0 times to write data ] + [ perf record: Dump perf.data.2023041209443003 ] + [ perf record: Captured and wrote 0.069 MB perf.data. ] + # ls -l + total 864 + -rw------- 1 root root 100166 Apr 12 09:44 perf.data.2023041209442259 + -rw------- 1 root root 606438 Apr 12 09:44 perf.data.2023041209442514 + -rw------- 1 root root 82246 Apr 12 09:44 perf.data.2023041209442760 + -rw------- 1 root root 82342 Apr 12 09:44 perf.data.2023041209443003 + # perf script -i perf.data.2023041209442259 | head -n 5 + perf 232 [000] 66.846217: sched:sched_switch: prev_comm=perf prev_pid=232 prev_prio=120 prev_state=D ==> next_comm=perf next_pid=234 next_prio=120 + perf 234 [000] 66.846449: sched:sched_switch: prev_comm=perf prev_pid=234 prev_prio=120 prev_state=S ==> next_comm=perf next_pid=232 next_prio=120 + perf 232 [000] 66.846546: sched:sched_switch: prev_comm=perf prev_pid=232 prev_prio=120 prev_state=R ==> next_comm=perf next_pid=234 next_prio=120 + perf 234 [000] 66.846606: sched:sched_switch: prev_comm=perf prev_pid=234 prev_prio=120 prev_state=S ==> next_comm=perf next_pid=232 next_prio=120 + perf 232 [000] 66.846646: sched:sched_switch: prev_comm=perf prev_pid=232 prev_prio=120 prev_state=R ==> next_comm=perf next_pid=234 next_prio=120 + +[1] Link: https://lore.kernel.org/oe-lkp/202304250929.efef2caa-yujie.liu@intel.com + +Fixes: bb447c27a467 ("perf/core: Set data->sample_flags in perf_prepare_sample()") +Signed-off-by: Yang Jihong +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lkml.kernel.org/r/20230425103217.130600-1-yangjihong1@huawei.com +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + kernel/events/core.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/kernel/events/core.c b/kernel/events/core.c +index 68baa819..db016e41 100644 +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -10150,8 +10150,20 @@ void perf_tp_event(u16 event_type, u64 count, void *record, int entry_size, + perf_trace_buf_update(record, event_type); + + hlist_for_each_entry_rcu(event, head, hlist_entry) { +- if (perf_tp_event_match(event, &data, regs)) ++ if (perf_tp_event_match(event, &data, regs)) { + perf_swevent_event(event, count, &data, regs); ++ ++ /* ++ * Here use the same on-stack perf_sample_data, ++ * some members in data are event-specific and ++ * need to be re-computed for different sweveents. ++ * Re-initialize data->sample_flags safely to avoid ++ * the problem that next event skips preparing data ++ * because data->sample_flags is set. ++ */ ++ perf_sample_data_init(&data, 0, 0); ++ perf_sample_save_raw_data(&data, &raw); ++ } + } + + /* +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-010-scsi-ufs-core-Fix-I-O-hang-that-occurs-when-BKO.patch b/patches.kernel.org/6.3.4-010-scsi-ufs-core-Fix-I-O-hang-that-occurs-when-BKO.patch new file mode 100644 index 0000000..b9c5b09 --- /dev/null +++ b/patches.kernel.org/6.3.4-010-scsi-ufs-core-Fix-I-O-hang-that-occurs-when-BKO.patch @@ -0,0 +1,51 @@ +From: Keoseong Park +Date: Tue, 25 Apr 2023 12:17:21 +0900 +Subject: [PATCH] scsi: ufs: core: Fix I/O hang that occurs when BKOPS fails in + W-LUN suspend +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 1a7edd041f2d252f251523ba3f2eaead076a8f8d + +[ Upstream commit 1a7edd041f2d252f251523ba3f2eaead076a8f8d ] + +Even when urgent BKOPS fails, the consumer will get stuck in runtime +suspend status. Like commit 1a5665fc8d7a ("scsi: ufs: core: WLUN suspend +SSU/enter hibern8 fail recovery"), trigger the error handler and return +-EBUSY to break the suspend. + +Fixes: b294ff3e3449 ("scsi: ufs: core: Enable power management for wlun") +Signed-off-by: Keoseong Park +Link: https://lore.kernel.org/r/20230425031721epcms2p5d4de65616478c967d466626e20c42a3a@epcms2p5 +Reviewed-by: Avri Altman +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/ufs/core/ufshcd.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c +index 70b11203..8ac2945e 100644 +--- a/drivers/ufs/core/ufshcd.c ++++ b/drivers/ufs/core/ufshcd.c +@@ -9428,8 +9428,16 @@ static int __ufshcd_wl_suspend(struct ufs_hba *hba, enum ufs_pm_op pm_op) + * that performance might be impacted. + */ + ret = ufshcd_urgent_bkops(hba); +- if (ret) ++ if (ret) { ++ /* ++ * If return err in suspend flow, IO will hang. ++ * Trigger error handler and break suspend for ++ * error recovery. ++ */ ++ ufshcd_force_error_recovery(hba); ++ ret = -EBUSY; + goto enable_scaling; ++ } + } else { + /* make sure that auto bkops is disabled */ + ufshcd_disable_auto_bkops(hba); +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-011-tick-broadcast-Make-broadcast-device-replacemen.patch b/patches.kernel.org/6.3.4-011-tick-broadcast-Make-broadcast-device-replacemen.patch new file mode 100644 index 0000000..ffcb73f --- /dev/null +++ b/patches.kernel.org/6.3.4-011-tick-broadcast-Make-broadcast-device-replacemen.patch @@ -0,0 +1,276 @@ +From: Thomas Gleixner +Date: Sat, 6 May 2023 18:40:57 +0200 +Subject: [PATCH] tick/broadcast: Make broadcast device replacement work + correctly +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: f9d36cf445ffff0b913ba187a3eff78028f9b1fb + +[ Upstream commit f9d36cf445ffff0b913ba187a3eff78028f9b1fb ] + +When a tick broadcast clockevent device is initialized for one shot mode +then tick_broadcast_setup_oneshot() OR's the periodic broadcast mode +cpumask into the oneshot broadcast cpumask. + +This is required when switching from periodic broadcast mode to oneshot +broadcast mode to ensure that CPUs which are waiting for periodic +broadcast are woken up on the next tick. + +But it is subtly broken, when an active broadcast device is replaced and +the system is already in oneshot (NOHZ/HIGHRES) mode. Victor observed +this and debugged the issue. + +Then the OR of the periodic broadcast CPU mask is wrong as the periodic +cpumask bits are sticky after tick_broadcast_enable() set it for a CPU +unless explicitly cleared via tick_broadcast_disable(). + +That means that this sets all other CPUs which have tick broadcasting +enabled at that point unconditionally in the oneshot broadcast mask. + +If the affected CPUs were already idle and had their bits set in the +oneshot broadcast mask then this does no harm. But for non idle CPUs +which were not set this corrupts their state. + +On their next invocation of tick_broadcast_enable() they observe the bit +set, which indicates that the broadcast for the CPU is already set up. +As a consequence they fail to update the broadcast event even if their +earliest expiring timer is before the actually programmed broadcast +event. + +If the programmed broadcast event is far in the future, then this can +cause stalls or trigger the hung task detector. + +Avoid this by telling tick_broadcast_setup_oneshot() explicitly whether +this is the initial switch over from periodic to oneshot broadcast which +must take the periodic broadcast mask into account. In the case of +initialization of a replacement device this prevents that the broadcast +oneshot mask is modified. + +There is a second problem with broadcast device replacement in this +function. The broadcast device is only armed when the previous state of +the device was periodic. + +That is correct for the switch from periodic broadcast mode to oneshot +broadcast mode as the underlying broadcast device could operate in +oneshot state already due to lack of periodic state in hardware. In that +case it is already armed to expire at the next tick. + +For the replacement case this is wrong as the device is in shutdown +state. That means that any already pending broadcast event will not be +armed. + +This went unnoticed because any CPU which goes idle will observe that +the broadcast device has an expiry time of KTIME_MAX and therefore any +CPUs next timer event will be earlier and cause a reprogramming of the +broadcast device. But that does not guarantee that the events of the +CPUs which were already in idle are delivered on time. + +Fix this by arming the newly installed device for an immediate event +which will reevaluate the per CPU expiry times and reprogram the +broadcast device accordingly. This is simpler than caching the last +expiry time in yet another place or saving it before the device exchange +and handing it down to the setup function. Replacement of broadcast +devices is not a frequent operation and usually happens once somewhere +late in the boot process. + +Fixes: 9c336c9935cf ("tick/broadcast: Allow late registered device to enter oneshot mode") +Reported-by: Victor Hassan +Signed-off-by: Thomas Gleixner +Reviewed-by: Frederic Weisbecker +Link: https://lore.kernel.org/r/87pm7d2z1i.ffs@tglx +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + kernel/time/tick-broadcast.c | 120 +++++++++++++++++++++++++---------- + 1 file changed, 88 insertions(+), 32 deletions(-) + +diff --git a/kernel/time/tick-broadcast.c b/kernel/time/tick-broadcast.c +index 93bf2b4e..771d1e04 100644 +--- a/kernel/time/tick-broadcast.c ++++ b/kernel/time/tick-broadcast.c +@@ -35,14 +35,15 @@ static __cacheline_aligned_in_smp DEFINE_RAW_SPINLOCK(tick_broadcast_lock); + #ifdef CONFIG_TICK_ONESHOT + static DEFINE_PER_CPU(struct clock_event_device *, tick_oneshot_wakeup_device); + +-static void tick_broadcast_setup_oneshot(struct clock_event_device *bc); ++static void tick_broadcast_setup_oneshot(struct clock_event_device *bc, bool from_periodic); + static void tick_broadcast_clear_oneshot(int cpu); + static void tick_resume_broadcast_oneshot(struct clock_event_device *bc); + # ifdef CONFIG_HOTPLUG_CPU + static void tick_broadcast_oneshot_offline(unsigned int cpu); + # endif + #else +-static inline void tick_broadcast_setup_oneshot(struct clock_event_device *bc) { BUG(); } ++static inline void ++tick_broadcast_setup_oneshot(struct clock_event_device *bc, bool from_periodic) { BUG(); } + static inline void tick_broadcast_clear_oneshot(int cpu) { } + static inline void tick_resume_broadcast_oneshot(struct clock_event_device *bc) { } + # ifdef CONFIG_HOTPLUG_CPU +@@ -264,7 +265,7 @@ int tick_device_uses_broadcast(struct clock_event_device *dev, int cpu) + if (tick_broadcast_device.mode == TICKDEV_MODE_PERIODIC) + tick_broadcast_start_periodic(bc); + else +- tick_broadcast_setup_oneshot(bc); ++ tick_broadcast_setup_oneshot(bc, false); + ret = 1; + } else { + /* +@@ -500,7 +501,7 @@ void tick_broadcast_control(enum tick_broadcast_mode mode) + if (tick_broadcast_device.mode == TICKDEV_MODE_PERIODIC) + tick_broadcast_start_periodic(bc); + else +- tick_broadcast_setup_oneshot(bc); ++ tick_broadcast_setup_oneshot(bc, false); + } + } + out: +@@ -1020,48 +1021,101 @@ static inline ktime_t tick_get_next_period(void) + /** + * tick_broadcast_setup_oneshot - setup the broadcast device + */ +-static void tick_broadcast_setup_oneshot(struct clock_event_device *bc) ++static void tick_broadcast_setup_oneshot(struct clock_event_device *bc, ++ bool from_periodic) + { + int cpu = smp_processor_id(); ++ ktime_t nexttick = 0; + + if (!bc) + return; + +- /* Set it up only once ! */ +- if (bc->event_handler != tick_handle_oneshot_broadcast) { +- int was_periodic = clockevent_state_periodic(bc); +- +- bc->event_handler = tick_handle_oneshot_broadcast; +- ++ /* ++ * When the broadcast device was switched to oneshot by the first ++ * CPU handling the NOHZ change, the other CPUs will reach this ++ * code via hrtimer_run_queues() -> tick_check_oneshot_change() ++ * too. Set up the broadcast device only once! ++ */ ++ if (bc->event_handler == tick_handle_oneshot_broadcast) { + /* +- * We must be careful here. There might be other CPUs +- * waiting for periodic broadcast. We need to set the +- * oneshot_mask bits for those and program the +- * broadcast device to fire. ++ * The CPU which switched from periodic to oneshot mode ++ * set the broadcast oneshot bit for all other CPUs which ++ * are in the general (periodic) broadcast mask to ensure ++ * that CPUs which wait for the periodic broadcast are ++ * woken up. ++ * ++ * Clear the bit for the local CPU as the set bit would ++ * prevent the first tick_broadcast_enter() after this CPU ++ * switched to oneshot state to program the broadcast ++ * device. ++ * ++ * This code can also be reached via tick_broadcast_control(), ++ * but this cannot avoid the tick_broadcast_clear_oneshot() ++ * as that would break the periodic to oneshot transition of ++ * secondary CPUs. But that's harmless as the below only ++ * clears already cleared bits. + */ ++ tick_broadcast_clear_oneshot(cpu); ++ return; ++ } ++ ++ ++ bc->event_handler = tick_handle_oneshot_broadcast; ++ bc->next_event = KTIME_MAX; ++ ++ /* ++ * When the tick mode is switched from periodic to oneshot it must ++ * be ensured that CPUs which are waiting for periodic broadcast ++ * get their wake-up at the next tick. This is achieved by ORing ++ * tick_broadcast_mask into tick_broadcast_oneshot_mask. ++ * ++ * For other callers, e.g. broadcast device replacement, ++ * tick_broadcast_oneshot_mask must not be touched as this would ++ * set bits for CPUs which are already NOHZ, but not idle. Their ++ * next tick_broadcast_enter() would observe the bit set and fail ++ * to update the expiry time and the broadcast event device. ++ */ ++ if (from_periodic) { + cpumask_copy(tmpmask, tick_broadcast_mask); ++ /* Remove the local CPU as it is obviously not idle */ + cpumask_clear_cpu(cpu, tmpmask); +- cpumask_or(tick_broadcast_oneshot_mask, +- tick_broadcast_oneshot_mask, tmpmask); ++ cpumask_or(tick_broadcast_oneshot_mask, tick_broadcast_oneshot_mask, tmpmask); + +- if (was_periodic && !cpumask_empty(tmpmask)) { +- ktime_t nextevt = tick_get_next_period(); ++ /* ++ * Ensure that the oneshot broadcast handler will wake the ++ * CPUs which are still waiting for periodic broadcast. ++ */ ++ nexttick = tick_get_next_period(); ++ tick_broadcast_init_next_event(tmpmask, nexttick); + +- clockevents_switch_state(bc, CLOCK_EVT_STATE_ONESHOT); +- tick_broadcast_init_next_event(tmpmask, nextevt); +- tick_broadcast_set_event(bc, cpu, nextevt); +- } else +- bc->next_event = KTIME_MAX; +- } else { + /* +- * The first cpu which switches to oneshot mode sets +- * the bit for all other cpus which are in the general +- * (periodic) broadcast mask. So the bit is set and +- * would prevent the first broadcast enter after this +- * to program the bc device. ++ * If the underlying broadcast clock event device is ++ * already in oneshot state, then there is nothing to do. ++ * The device was already armed for the next tick ++ * in tick_handle_broadcast_periodic() + */ +- tick_broadcast_clear_oneshot(cpu); ++ if (clockevent_state_oneshot(bc)) ++ return; + } ++ ++ /* ++ * When switching from periodic to oneshot mode arm the broadcast ++ * device for the next tick. ++ * ++ * If the broadcast device has been replaced in oneshot mode and ++ * the oneshot broadcast mask is not empty, then arm it to expire ++ * immediately in order to reevaluate the next expiring timer. ++ * @nexttick is 0 and therefore in the past which will cause the ++ * clockevent code to force an event. ++ * ++ * For both cases the programming can be avoided when the oneshot ++ * broadcast mask is empty. ++ * ++ * tick_broadcast_set_event() implicitly switches the broadcast ++ * device to oneshot state. ++ */ ++ if (!cpumask_empty(tick_broadcast_oneshot_mask)) ++ tick_broadcast_set_event(bc, cpu, nexttick); + } + + /* +@@ -1070,14 +1124,16 @@ static void tick_broadcast_setup_oneshot(struct clock_event_device *bc) + void tick_broadcast_switch_to_oneshot(void) + { + struct clock_event_device *bc; ++ enum tick_device_mode oldmode; + unsigned long flags; + + raw_spin_lock_irqsave(&tick_broadcast_lock, flags); + ++ oldmode = tick_broadcast_device.mode; + tick_broadcast_device.mode = TICKDEV_MODE_ONESHOT; + bc = tick_broadcast_device.evtdev; + if (bc) +- tick_broadcast_setup_oneshot(bc); ++ tick_broadcast_setup_oneshot(bc, oldmode == TICKDEV_MODE_PERIODIC); + + raw_spin_unlock_irqrestore(&tick_broadcast_lock, flags); + } +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-012-linux-dim-Do-nothing-if-no-time-delta-between-s.patch b/patches.kernel.org/6.3.4-012-linux-dim-Do-nothing-if-no-time-delta-between-s.patch new file mode 100644 index 0000000..0c7581b --- /dev/null +++ b/patches.kernel.org/6.3.4-012-linux-dim-Do-nothing-if-no-time-delta-between-s.patch @@ -0,0 +1,109 @@ +From: Roy Novich +Date: Sun, 7 May 2023 16:57:43 +0300 +Subject: [PATCH] linux/dim: Do nothing if no time delta between samples +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 162bd18eb55adf464a0fa2b4144b8d61c75ff7c2 + +[ Upstream commit 162bd18eb55adf464a0fa2b4144b8d61c75ff7c2 ] + +Add return value for dim_calc_stats. This is an indication for the +caller if curr_stats was assigned by the function. Avoid using +curr_stats uninitialized over {rdma/net}_dim, when no time delta between +samples. Coverity reported this potential use of an uninitialized +variable. + +Fixes: 4c4dbb4a7363 ("net/mlx5e: Move dynamic interrupt coalescing code to include/linux") +Fixes: cb3c7fd4f839 ("net/mlx5e: Support adaptive RX coalescing") +Signed-off-by: Roy Novich +Reviewed-by: Aya Levin +Reviewed-by: Saeed Mahameed +Signed-off-by: Tariq Toukan +Reviewed-by: Leon Romanovsky +Reviewed-by: Michal Kubiak +Link: https://lore.kernel.org/r/20230507135743.138993-1-tariqt@nvidia.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + include/linux/dim.h | 3 ++- + lib/dim/dim.c | 5 +++-- + lib/dim/net_dim.c | 3 ++- + lib/dim/rdma_dim.c | 3 ++- + 4 files changed, 9 insertions(+), 5 deletions(-) + +diff --git a/include/linux/dim.h b/include/linux/dim.h +index 6c573398..f343bc9a 100644 +--- a/include/linux/dim.h ++++ b/include/linux/dim.h +@@ -236,8 +236,9 @@ void dim_park_tired(struct dim *dim); + * + * Calculate the delta between two samples (in data rates). + * Takes into consideration counter wrap-around. ++ * Returned boolean indicates whether curr_stats are reliable. + */ +-void dim_calc_stats(struct dim_sample *start, struct dim_sample *end, ++bool dim_calc_stats(struct dim_sample *start, struct dim_sample *end, + struct dim_stats *curr_stats); + + /** +diff --git a/lib/dim/dim.c b/lib/dim/dim.c +index 38045d6d..e89aaf07 100644 +--- a/lib/dim/dim.c ++++ b/lib/dim/dim.c +@@ -54,7 +54,7 @@ void dim_park_tired(struct dim *dim) + } + EXPORT_SYMBOL(dim_park_tired); + +-void dim_calc_stats(struct dim_sample *start, struct dim_sample *end, ++bool dim_calc_stats(struct dim_sample *start, struct dim_sample *end, + struct dim_stats *curr_stats) + { + /* u32 holds up to 71 minutes, should be enough */ +@@ -66,7 +66,7 @@ void dim_calc_stats(struct dim_sample *start, struct dim_sample *end, + start->comp_ctr); + + if (!delta_us) +- return; ++ return false; + + curr_stats->ppms = DIV_ROUND_UP(npkts * USEC_PER_MSEC, delta_us); + curr_stats->bpms = DIV_ROUND_UP(nbytes * USEC_PER_MSEC, delta_us); +@@ -79,5 +79,6 @@ void dim_calc_stats(struct dim_sample *start, struct dim_sample *end, + else + curr_stats->cpe_ratio = 0; + ++ return true; + } + EXPORT_SYMBOL(dim_calc_stats); +diff --git a/lib/dim/net_dim.c b/lib/dim/net_dim.c +index 53f6b9c6..4e32f7aa 100644 +--- a/lib/dim/net_dim.c ++++ b/lib/dim/net_dim.c +@@ -227,7 +227,8 @@ void net_dim(struct dim *dim, struct dim_sample end_sample) + dim->start_sample.event_ctr); + if (nevents < DIM_NEVENTS) + break; +- dim_calc_stats(&dim->start_sample, &end_sample, &curr_stats); ++ if (!dim_calc_stats(&dim->start_sample, &end_sample, &curr_stats)) ++ break; + if (net_dim_decision(&curr_stats, dim)) { + dim->state = DIM_APPLY_NEW_PROFILE; + schedule_work(&dim->work); +diff --git a/lib/dim/rdma_dim.c b/lib/dim/rdma_dim.c +index 15462d54..88f77948 100644 +--- a/lib/dim/rdma_dim.c ++++ b/lib/dim/rdma_dim.c +@@ -88,7 +88,8 @@ void rdma_dim(struct dim *dim, u64 completions) + nevents = curr_sample->event_ctr - dim->start_sample.event_ctr; + if (nevents < DIM_NEVENTS) + break; +- dim_calc_stats(&dim->start_sample, curr_sample, &curr_stats); ++ if (!dim_calc_stats(&dim->start_sample, curr_sample, &curr_stats)) ++ break; + if (rdma_dim_decision(&curr_stats, dim)) { + dim->state = DIM_APPLY_NEW_PROFILE; + schedule_work(&dim->work); +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-013-net-stmmac-Initialize-MAC_ONEUS_TIC_COUNTER-reg.patch b/patches.kernel.org/6.3.4-013-net-stmmac-Initialize-MAC_ONEUS_TIC_COUNTER-reg.patch new file mode 100644 index 0000000..65517c0 --- /dev/null +++ b/patches.kernel.org/6.3.4-013-net-stmmac-Initialize-MAC_ONEUS_TIC_COUNTER-reg.patch @@ -0,0 +1,97 @@ +From: Marek Vasut +Date: Sun, 7 May 2023 01:58:45 +0200 +Subject: [PATCH] net: stmmac: Initialize MAC_ONEUS_TIC_COUNTER register +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 8efbdbfa99381a017dd2c0f6375a7d80a8118b74 + +[ Upstream commit 8efbdbfa99381a017dd2c0f6375a7d80a8118b74 ] + +Initialize MAC_ONEUS_TIC_COUNTER register with correct value derived +from CSR clock, otherwise EEE is unstable on at least NXP i.MX8M Plus +and Micrel KSZ9131RNX PHY, to the point where not even ARP request can +be sent out. + +i.MX 8M Plus Applications Processor Reference Manual, Rev. 1, 06/2021 +11.7.6.1.34 One-microsecond Reference Timer (MAC_ONEUS_TIC_COUNTER) +defines this register as: +" +This register controls the generation of the Reference time (1 microsecond +tic) for all the LPI timers. This timer has to be programmed by the software +initially. +... +The application must program this counter so that the number of clock cycles +of CSR clock is 1us. (Subtract 1 from the value before programming). +For example if the CSR clock is 100MHz then this field needs to be programmed +to value 100 - 1 = 99 (which is 0x63). +This is required to generate the 1US events that are used to update some of +the EEE related counters. +" + +The reset value is 0x63 on i.MX8M Plus, which means expected CSR clock are +100 MHz. However, the i.MX8M Plus "enet_qos_root_clk" are 266 MHz instead, +which means the LPI timers reach their count much sooner on this platform. + +This is visible using a scope by monitoring e.g. exit from LPI mode on TX_CTL +line from MAC to PHY. This should take 30us per STMMAC_DEFAULT_TWT_LS setting, +during which the TX_CTL line transitions from tristate to low, and 30 us later +from low to high. On i.MX8M Plus, this transition takes 11 us, which matches +the 30us * 100/266 formula for misconfigured MAC_ONEUS_TIC_COUNTER register. + +Configure MAC_ONEUS_TIC_COUNTER based on CSR clock, so that the LPI timers +have correct 1us reference. This then fixes EEE on i.MX8M Plus with Micrel +KSZ9131RNX PHY. + +Fixes: 477286b53f55 ("stmmac: add GMAC4 core support") +Signed-off-by: Marek Vasut +Tested-by: Harald Seiler +Reviewed-by: Francesco Dolcini +Tested-by: Francesco Dolcini # Toradex Verdin iMX8MP +Reviewed-by: Jesse Brandeburg +Link: https://lore.kernel.org/r/20230506235845.246105-1-marex@denx.de +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/net/ethernet/stmicro/stmmac/dwmac4.h | 1 + + drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c | 5 +++++ + 2 files changed, 6 insertions(+) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac4.h b/drivers/net/ethernet/stmicro/stmmac/dwmac4.h +index ccd49346..a70b0d8a 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac4.h ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac4.h +@@ -181,6 +181,7 @@ enum power_event { + #define GMAC4_LPI_CTRL_STATUS 0xd0 + #define GMAC4_LPI_TIMER_CTRL 0xd4 + #define GMAC4_LPI_ENTRY_TIMER 0xd8 ++#define GMAC4_MAC_ONEUS_TIC_COUNTER 0xdc + + /* LPI control and status defines */ + #define GMAC4_LPI_CTRL_STATUS_LPITCSE BIT(21) /* LPI Tx Clock Stop Enable */ +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c +index 36251ec2..24d6ec06 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c +@@ -25,6 +25,7 @@ static void dwmac4_core_init(struct mac_device_info *hw, + struct stmmac_priv *priv = netdev_priv(dev); + void __iomem *ioaddr = hw->pcsr; + u32 value = readl(ioaddr + GMAC_CONFIG); ++ u32 clk_rate; + + value |= GMAC_CORE_INIT; + +@@ -47,6 +48,10 @@ static void dwmac4_core_init(struct mac_device_info *hw, + + writel(value, ioaddr + GMAC_CONFIG); + ++ /* Configure LPI 1us counter to number of CSR clock ticks in 1us - 1 */ ++ clk_rate = clk_get_rate(priv->plat->stmmac_clk); ++ writel((clk_rate / 1000000) - 1, ioaddr + GMAC4_MAC_ONEUS_TIC_COUNTER); ++ + /* Enable GMAC interrupts */ + value = GMAC_INT_DEFAULT_ENABLE; + +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-014-net-Fix-load-tearing-on-sk-sk_stamp-in-sock_rec.patch b/patches.kernel.org/6.3.4-014-net-Fix-load-tearing-on-sk-sk_stamp-in-sock_rec.patch new file mode 100644 index 0000000..af18b0e --- /dev/null +++ b/patches.kernel.org/6.3.4-014-net-Fix-load-tearing-on-sk-sk_stamp-in-sock_rec.patch @@ -0,0 +1,83 @@ +From: Kuniyuki Iwashima +Date: Mon, 8 May 2023 10:55:43 -0700 +Subject: [PATCH] net: Fix load-tearing on sk->sk_stamp in sock_recv_cmsgs(). +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: dfd9248c071a3710c24365897459538551cb7167 + +[ Upstream commit dfd9248c071a3710c24365897459538551cb7167 ] + +KCSAN found a data race in sock_recv_cmsgs() where the read access +to sk->sk_stamp needs READ_ONCE(). + +BUG: KCSAN: data-race in packet_recvmsg / packet_recvmsg + +write (marked) to 0xffff88803c81f258 of 8 bytes by task 19171 on cpu 0: + sock_write_timestamp include/net/sock.h:2670 [inline] + sock_recv_cmsgs include/net/sock.h:2722 [inline] + packet_recvmsg+0xb97/0xd00 net/packet/af_packet.c:3489 + sock_recvmsg_nosec net/socket.c:1019 [inline] + sock_recvmsg+0x11a/0x130 net/socket.c:1040 + sock_read_iter+0x176/0x220 net/socket.c:1118 + call_read_iter include/linux/fs.h:1845 [inline] + new_sync_read fs/read_write.c:389 [inline] + vfs_read+0x5e0/0x630 fs/read_write.c:470 + ksys_read+0x163/0x1a0 fs/read_write.c:613 + __do_sys_read fs/read_write.c:623 [inline] + __se_sys_read fs/read_write.c:621 [inline] + __x64_sys_read+0x41/0x50 fs/read_write.c:621 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x72/0xdc + +read to 0xffff88803c81f258 of 8 bytes by task 19183 on cpu 1: + sock_recv_cmsgs include/net/sock.h:2721 [inline] + packet_recvmsg+0xb64/0xd00 net/packet/af_packet.c:3489 + sock_recvmsg_nosec net/socket.c:1019 [inline] + sock_recvmsg+0x11a/0x130 net/socket.c:1040 + sock_read_iter+0x176/0x220 net/socket.c:1118 + call_read_iter include/linux/fs.h:1845 [inline] + new_sync_read fs/read_write.c:389 [inline] + vfs_read+0x5e0/0x630 fs/read_write.c:470 + ksys_read+0x163/0x1a0 fs/read_write.c:613 + __do_sys_read fs/read_write.c:623 [inline] + __se_sys_read fs/read_write.c:621 [inline] + __x64_sys_read+0x41/0x50 fs/read_write.c:621 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x72/0xdc + +value changed: 0xffffffffc4653600 -> 0x0000000000000000 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 1 PID: 19183 Comm: syz-executor.5 Not tainted 6.3.0-rc7-02330-gca6270c12e20 #2 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 + +Fixes: 6c7c98bad488 ("sock: avoid dirtying sk_stamp, if possible") +Reported-by: syzbot +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Eric Dumazet +Link: https://lore.kernel.org/r/20230508175543.55756-1-kuniyu@amazon.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + include/net/sock.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/net/sock.h b/include/net/sock.h +index 573f2bf7..9cd03542 100644 +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -2718,7 +2718,7 @@ static inline void sock_recv_cmsgs(struct msghdr *msg, struct sock *sk, + __sock_recv_cmsgs(msg, sk, skb); + else if (unlikely(sock_flag(sk, SOCK_TIMESTAMP))) + sock_write_timestamp(sk, skb->tstamp); +- else if (unlikely(sk->sk_stamp == SK_DEFAULT_STAMP)) ++ else if (unlikely(sock_read_timestamp(sk) == SK_DEFAULT_STAMP)) + sock_write_timestamp(sk, 0); + } + +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-015-net-phy-bcm7xx-Correct-read-from-expansion-regi.patch b/patches.kernel.org/6.3.4-015-net-phy-bcm7xx-Correct-read-from-expansion-regi.patch new file mode 100644 index 0000000..962046d --- /dev/null +++ b/patches.kernel.org/6.3.4-015-net-phy-bcm7xx-Correct-read-from-expansion-regi.patch @@ -0,0 +1,57 @@ +From: Florian Fainelli +Date: Mon, 8 May 2023 16:17:49 -0700 +Subject: [PATCH] net: phy: bcm7xx: Correct read from expansion register +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 582dbb2cc1a0a7427840f5b1e3c65608e511b061 + +[ Upstream commit 582dbb2cc1a0a7427840f5b1e3c65608e511b061 ] + +Since the driver works in the "legacy" addressing mode, we need to write +to the expansion register (0x17) with bits 11:8 set to 0xf to properly +select the expansion register passed as argument. + +Fixes: f68d08c437f9 ("net: phy: bcm7xxx: Add EPHY entry for 72165") +Signed-off-by: Florian Fainelli +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20230508231749.1681169-1-f.fainelli@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/net/phy/bcm-phy-lib.h | 5 +++++ + drivers/net/phy/bcm7xxx.c | 2 +- + 2 files changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/phy/bcm-phy-lib.h b/drivers/net/phy/bcm-phy-lib.h +index 9902fb18..729db441 100644 +--- a/drivers/net/phy/bcm-phy-lib.h ++++ b/drivers/net/phy/bcm-phy-lib.h +@@ -40,6 +40,11 @@ static inline int bcm_phy_write_exp_sel(struct phy_device *phydev, + return bcm_phy_write_exp(phydev, reg | MII_BCM54XX_EXP_SEL_ER, val); + } + ++static inline int bcm_phy_read_exp_sel(struct phy_device *phydev, u16 reg) ++{ ++ return bcm_phy_read_exp(phydev, reg | MII_BCM54XX_EXP_SEL_ER); ++} ++ + int bcm54xx_auxctl_write(struct phy_device *phydev, u16 regnum, u16 val); + int bcm54xx_auxctl_read(struct phy_device *phydev, u16 regnum); + +diff --git a/drivers/net/phy/bcm7xxx.c b/drivers/net/phy/bcm7xxx.c +index 75593e7d..6cebf3aa 100644 +--- a/drivers/net/phy/bcm7xxx.c ++++ b/drivers/net/phy/bcm7xxx.c +@@ -487,7 +487,7 @@ static int bcm7xxx_16nm_ephy_afe_config(struct phy_device *phydev) + bcm_phy_write_misc(phydev, 0x0038, 0x0002, 0xede0); + + /* Read CORE_EXPA9 */ +- tmp = bcm_phy_read_exp(phydev, 0x00a9); ++ tmp = bcm_phy_read_exp_sel(phydev, 0x00a9); + /* CORE_EXPA9[6:1] is rcalcode[5:0] */ + rcalcode = (tmp & 0x7e) / 2; + /* Correct RCAL code + 1 is -1% rprogr, LP: +16 */ +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-016-netfilter-nf_tables-always-release-netdev-hooks.patch b/patches.kernel.org/6.3.4-016-netfilter-nf_tables-always-release-netdev-hooks.patch new file mode 100644 index 0000000..392dbb9 --- /dev/null +++ b/patches.kernel.org/6.3.4-016-netfilter-nf_tables-always-release-netdev-hooks.patch @@ -0,0 +1,78 @@ +From: Florian Westphal +Date: Thu, 4 May 2023 14:20:21 +0200 +Subject: [PATCH] netfilter: nf_tables: always release netdev hooks from + notifier +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: dc1c9fd4a8bbe1e06add9053010b652449bfe411 + +[ Upstream commit dc1c9fd4a8bbe1e06add9053010b652449bfe411 ] + +This reverts "netfilter: nf_tables: skip netdev events generated on netns removal". + +The problem is that when a veth device is released, the veth release +callback will also queue the peer netns device for removal. + +Its possible that the peer netns is also slated for removal. In this +case, the device memory is already released before the pre_exit hook of +the peer netns runs: + +BUG: KASAN: slab-use-after-free in nf_hook_entry_head+0x1b8/0x1d0 +Read of size 8 at addr ffff88812c0124f0 by task kworker/u8:1/45 +Workqueue: netns cleanup_net +Call Trace: + nf_hook_entry_head+0x1b8/0x1d0 + __nf_unregister_net_hook+0x76/0x510 + nft_netdev_unregister_hooks+0xa0/0x220 + __nft_release_hook+0x184/0x490 + nf_tables_pre_exit_net+0x12f/0x1b0 + .. + +Order is: +1. First netns is released, veth_dellink() queues peer netns device + for removal +2. peer netns is queued for removal +3. peer netns device is released, unreg event is triggered +4. unreg event is ignored because netns is going down +5. pre_exit hook calls nft_netdev_unregister_hooks but device memory + might be free'd already. + +Fixes: 68a3765c659f ("netfilter: nf_tables: skip netdev events generated on netns removal") +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + net/netfilter/nft_chain_filter.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/net/netfilter/nft_chain_filter.c b/net/netfilter/nft_chain_filter.c +index c3563f0b..680fe557 100644 +--- a/net/netfilter/nft_chain_filter.c ++++ b/net/netfilter/nft_chain_filter.c +@@ -344,6 +344,12 @@ static void nft_netdev_event(unsigned long event, struct net_device *dev, + return; + } + ++ /* UNREGISTER events are also happening on netns exit. ++ * ++ * Although nf_tables core releases all tables/chains, only this event ++ * handler provides guarantee that hook->ops.dev is still accessible, ++ * so we cannot skip exiting net namespaces. ++ */ + __nft_release_basechain(ctx); + } + +@@ -362,9 +368,6 @@ static int nf_tables_netdev_event(struct notifier_block *this, + event != NETDEV_CHANGENAME) + return NOTIFY_DONE; + +- if (!check_net(ctx.net)) +- return NOTIFY_DONE; +- + nft_net = nft_pernet(ctx.net); + mutex_lock(&nft_net->commit_mutex); + list_for_each_entry(table, &nft_net->tables, list) { +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-017-netfilter-conntrack-fix-possible-bug_on-with-en.patch b/patches.kernel.org/6.3.4-017-netfilter-conntrack-fix-possible-bug_on-with-en.patch new file mode 100644 index 0000000..6be9eec --- /dev/null +++ b/patches.kernel.org/6.3.4-017-netfilter-conntrack-fix-possible-bug_on-with-en.patch @@ -0,0 +1,78 @@ +From: Florian Westphal +Date: Thu, 4 May 2023 14:55:02 +0200 +Subject: [PATCH] netfilter: conntrack: fix possible bug_on with enable_hooks=1 +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: e72eeab542dbf4f544e389e64fa13b82a1b6d003 + +[ Upstream commit e72eeab542dbf4f544e389e64fa13b82a1b6d003 ] + +I received a bug report (no reproducer so far) where we trip over + +712 rcu_read_lock(); +713 ct_hook = rcu_dereference(nf_ct_hook); +714 BUG_ON(ct_hook == NULL); // here + +In nf_conntrack_destroy(). + +First turn this BUG_ON into a WARN. I think it was triggered +via enable_hooks=1 flag. + +When this flag is turned on, the conntrack hooks are registered +before nf_ct_hook pointer gets assigned. +This opens a short window where packets enter the conntrack machinery, +can have skb->_nfct set up and a subsequent kfree_skb might occur +before nf_ct_hook is set. + +Call nf_conntrack_init_end() to set nf_ct_hook before we register the +pernet ops. + +Fixes: ba3fbe663635 ("netfilter: nf_conntrack: provide modparam to always register conntrack hooks") +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + net/netfilter/core.c | 6 ++++-- + net/netfilter/nf_conntrack_standalone.c | 3 ++- + 2 files changed, 6 insertions(+), 3 deletions(-) + +diff --git a/net/netfilter/core.c b/net/netfilter/core.c +index 358220b5..edf92074 100644 +--- a/net/netfilter/core.c ++++ b/net/netfilter/core.c +@@ -699,9 +699,11 @@ void nf_conntrack_destroy(struct nf_conntrack *nfct) + + rcu_read_lock(); + ct_hook = rcu_dereference(nf_ct_hook); +- BUG_ON(ct_hook == NULL); +- ct_hook->destroy(nfct); ++ if (ct_hook) ++ ct_hook->destroy(nfct); + rcu_read_unlock(); ++ ++ WARN_ON(!ct_hook); + } + EXPORT_SYMBOL(nf_conntrack_destroy); + +diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c +index 57f6724c..169e16fc 100644 +--- a/net/netfilter/nf_conntrack_standalone.c ++++ b/net/netfilter/nf_conntrack_standalone.c +@@ -1218,11 +1218,12 @@ static int __init nf_conntrack_standalone_init(void) + nf_conntrack_htable_size_user = nf_conntrack_htable_size; + #endif + ++ nf_conntrack_init_end(); ++ + ret = register_pernet_subsys(&nf_conntrack_net_ops); + if (ret < 0) + goto out_pernet; + +- nf_conntrack_init_end(); + return 0; + + out_pernet: +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-018-bonding-fix-send_peer_notif-overflow.patch b/patches.kernel.org/6.3.4-018-bonding-fix-send_peer_notif-overflow.patch new file mode 100644 index 0000000..a815635 --- /dev/null +++ b/patches.kernel.org/6.3.4-018-bonding-fix-send_peer_notif-overflow.patch @@ -0,0 +1,100 @@ +From: Hangbin Liu +Date: Tue, 9 May 2023 11:11:57 +0800 +Subject: [PATCH] bonding: fix send_peer_notif overflow +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 9949e2efb54eb3001cb2f6512ff3166dddbfb75d + +[ Upstream commit 9949e2efb54eb3001cb2f6512ff3166dddbfb75d ] + +Bonding send_peer_notif was defined as u8. Since commit 07a4ddec3ce9 +("bonding: add an option to specify a delay between peer notifications"). +the bond->send_peer_notif will be num_peer_notif multiplied by +peer_notif_delay, which is u8 * u32. This would cause the send_peer_notif +overflow easily. e.g. + + ip link add bond0 type bond mode 1 miimon 100 num_grat_arp 30 peer_notify_delay 1000 + +To fix the overflow, let's set the send_peer_notif to u32 and limit +peer_notif_delay to 300s. + +Reported-by: Liang Li +Closes: https://bugzilla.redhat.com/show_bug.cgi?id=2090053 +Fixes: 07a4ddec3ce9 ("bonding: add an option to specify a delay between peer notifications") +Signed-off-by: Hangbin Liu +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/net/bonding/bond_netlink.c | 7 ++++++- + drivers/net/bonding/bond_options.c | 8 +++++++- + include/net/bonding.h | 2 +- + 3 files changed, 14 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/bonding/bond_netlink.c b/drivers/net/bonding/bond_netlink.c +index c2d080fc..27cbe148 100644 +--- a/drivers/net/bonding/bond_netlink.c ++++ b/drivers/net/bonding/bond_netlink.c +@@ -84,6 +84,11 @@ static int bond_fill_slave_info(struct sk_buff *skb, + return -EMSGSIZE; + } + ++/* Limit the max delay range to 300s */ ++static struct netlink_range_validation delay_range = { ++ .max = 300000, ++}; ++ + static const struct nla_policy bond_policy[IFLA_BOND_MAX + 1] = { + [IFLA_BOND_MODE] = { .type = NLA_U8 }, + [IFLA_BOND_ACTIVE_SLAVE] = { .type = NLA_U32 }, +@@ -114,7 +119,7 @@ static const struct nla_policy bond_policy[IFLA_BOND_MAX + 1] = { + [IFLA_BOND_AD_ACTOR_SYSTEM] = { .type = NLA_BINARY, + .len = ETH_ALEN }, + [IFLA_BOND_TLB_DYNAMIC_LB] = { .type = NLA_U8 }, +- [IFLA_BOND_PEER_NOTIF_DELAY] = { .type = NLA_U32 }, ++ [IFLA_BOND_PEER_NOTIF_DELAY] = NLA_POLICY_FULL_RANGE(NLA_U32, &delay_range), + [IFLA_BOND_MISSED_MAX] = { .type = NLA_U8 }, + [IFLA_BOND_NS_IP6_TARGET] = { .type = NLA_NESTED }, + }; +diff --git a/drivers/net/bonding/bond_options.c b/drivers/net/bonding/bond_options.c +index f71d5517..5310cb48 100644 +--- a/drivers/net/bonding/bond_options.c ++++ b/drivers/net/bonding/bond_options.c +@@ -169,6 +169,12 @@ static const struct bond_opt_value bond_num_peer_notif_tbl[] = { + { NULL, -1, 0} + }; + ++static const struct bond_opt_value bond_peer_notif_delay_tbl[] = { ++ { "off", 0, 0}, ++ { "maxval", 300000, BOND_VALFLAG_MAX}, ++ { NULL, -1, 0} ++}; ++ + static const struct bond_opt_value bond_primary_reselect_tbl[] = { + { "always", BOND_PRI_RESELECT_ALWAYS, BOND_VALFLAG_DEFAULT}, + { "better", BOND_PRI_RESELECT_BETTER, 0}, +@@ -488,7 +494,7 @@ static const struct bond_option bond_opts[BOND_OPT_LAST] = { + .id = BOND_OPT_PEER_NOTIF_DELAY, + .name = "peer_notif_delay", + .desc = "Delay between each peer notification on failover event, in milliseconds", +- .values = bond_intmax_tbl, ++ .values = bond_peer_notif_delay_tbl, + .set = bond_option_peer_notif_delay_set + } + }; +diff --git a/include/net/bonding.h b/include/net/bonding.h +index c3843239..2d034e07 100644 +--- a/include/net/bonding.h ++++ b/include/net/bonding.h +@@ -233,7 +233,7 @@ struct bonding { + */ + spinlock_t mode_lock; + spinlock_t stats_lock; +- u8 send_peer_notif; ++ u32 send_peer_notif; + u8 igmp_retrans; + #ifdef CONFIG_PROC_FS + struct proc_dir_entry *proc_entry; +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-019-netlink-annotate-accesses-to-nlk-cb_running.patch b/patches.kernel.org/6.3.4-019-netlink-annotate-accesses-to-nlk-cb_running.patch new file mode 100644 index 0000000..fd74775 --- /dev/null +++ b/patches.kernel.org/6.3.4-019-netlink-annotate-accesses-to-nlk-cb_running.patch @@ -0,0 +1,110 @@ +From: Eric Dumazet +Date: Tue, 9 May 2023 16:56:34 +0000 +Subject: [PATCH] netlink: annotate accesses to nlk->cb_running +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: a939d14919b799e6fff8a9c80296ca229ba2f8a4 + +[ Upstream commit a939d14919b799e6fff8a9c80296ca229ba2f8a4 ] + +Both netlink_recvmsg() and netlink_native_seq_show() read +nlk->cb_running locklessly. Use READ_ONCE() there. + +Add corresponding WRITE_ONCE() to netlink_dump() and +__netlink_dump_start() + +syzbot reported: +BUG: KCSAN: data-race in __netlink_dump_start / netlink_recvmsg + +write to 0xffff88813ea4db59 of 1 bytes by task 28219 on cpu 0: +__netlink_dump_start+0x3af/0x4d0 net/netlink/af_netlink.c:2399 +netlink_dump_start include/linux/netlink.h:308 [inline] +rtnetlink_rcv_msg+0x70f/0x8c0 net/core/rtnetlink.c:6130 +netlink_rcv_skb+0x126/0x220 net/netlink/af_netlink.c:2577 +rtnetlink_rcv+0x1c/0x20 net/core/rtnetlink.c:6192 +netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline] +netlink_unicast+0x56f/0x640 net/netlink/af_netlink.c:1365 +netlink_sendmsg+0x665/0x770 net/netlink/af_netlink.c:1942 +sock_sendmsg_nosec net/socket.c:724 [inline] +sock_sendmsg net/socket.c:747 [inline] +sock_write_iter+0x1aa/0x230 net/socket.c:1138 +call_write_iter include/linux/fs.h:1851 [inline] +new_sync_write fs/read_write.c:491 [inline] +vfs_write+0x463/0x760 fs/read_write.c:584 +ksys_write+0xeb/0x1a0 fs/read_write.c:637 +__do_sys_write fs/read_write.c:649 [inline] +__se_sys_write fs/read_write.c:646 [inline] +__x64_sys_write+0x42/0x50 fs/read_write.c:646 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +read to 0xffff88813ea4db59 of 1 bytes by task 28222 on cpu 1: +netlink_recvmsg+0x3b4/0x730 net/netlink/af_netlink.c:2022 +sock_recvmsg_nosec+0x4c/0x80 net/socket.c:1017 +____sys_recvmsg+0x2db/0x310 net/socket.c:2718 +___sys_recvmsg net/socket.c:2762 [inline] +do_recvmmsg+0x2e5/0x710 net/socket.c:2856 +__sys_recvmmsg net/socket.c:2935 [inline] +__do_sys_recvmmsg net/socket.c:2958 [inline] +__se_sys_recvmmsg net/socket.c:2951 [inline] +__x64_sys_recvmmsg+0xe2/0x160 net/socket.c:2951 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +value changed: 0x00 -> 0x01 + +Fixes: 16b304f3404f ("netlink: Eliminate kmalloc in netlink dump operation.") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + net/netlink/af_netlink.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c +index 9b6eb28e..45d47b39 100644 +--- a/net/netlink/af_netlink.c ++++ b/net/netlink/af_netlink.c +@@ -1990,7 +1990,7 @@ static int netlink_recvmsg(struct socket *sock, struct msghdr *msg, size_t len, + + skb_free_datagram(sk, skb); + +- if (nlk->cb_running && ++ if (READ_ONCE(nlk->cb_running) && + atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf / 2) { + ret = netlink_dump(sk); + if (ret) { +@@ -2304,7 +2304,7 @@ static int netlink_dump(struct sock *sk) + if (cb->done) + cb->done(cb); + +- nlk->cb_running = false; ++ WRITE_ONCE(nlk->cb_running, false); + module = cb->module; + skb = cb->skb; + mutex_unlock(nlk->cb_mutex); +@@ -2367,7 +2367,7 @@ int __netlink_dump_start(struct sock *ssk, struct sk_buff *skb, + goto error_put; + } + +- nlk->cb_running = true; ++ WRITE_ONCE(nlk->cb_running, true); + nlk->dump_done_errno = INT_MAX; + + mutex_unlock(nlk->cb_mutex); +@@ -2705,7 +2705,7 @@ static int netlink_native_seq_show(struct seq_file *seq, void *v) + nlk->groups ? (u32)nlk->groups[0] : 0, + sk_rmem_alloc_get(s), + sk_wmem_alloc_get(s), +- nlk->cb_running, ++ READ_ONCE(nlk->cb_running), + refcount_read(&s->sk_refcnt), + atomic_read(&s->sk_drops), + sock_i_ino(s) +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-020-net-annotate-sk-sk_err-write-from-do_recvmmsg.patch b/patches.kernel.org/6.3.4-020-net-annotate-sk-sk_err-write-from-do_recvmmsg.patch new file mode 100644 index 0000000..c60258b --- /dev/null +++ b/patches.kernel.org/6.3.4-020-net-annotate-sk-sk_err-write-from-do_recvmmsg.patch @@ -0,0 +1,41 @@ +From: Eric Dumazet +Date: Tue, 9 May 2023 16:35:53 +0000 +Subject: [PATCH] net: annotate sk->sk_err write from do_recvmmsg() +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: e05a5f510f26607616fecdd4ac136310c8bea56b + +[ Upstream commit e05a5f510f26607616fecdd4ac136310c8bea56b ] + +do_recvmmsg() can write to sk->sk_err from multiple threads. + +As said before, many other points reading or writing sk_err +need annotations. + +Fixes: 34b88a68f26a ("net: Fix use after free in the recvmmsg exit path") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Reviewed-by: Kuniyuki Iwashima +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + net/socket.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/socket.c b/net/socket.c +index 9c92c0e6..263fab8e 100644 +--- a/net/socket.c ++++ b/net/socket.c +@@ -2909,7 +2909,7 @@ static int do_recvmmsg(int fd, struct mmsghdr __user *mmsg, + * error to return on the next call or if the + * app asks about it using getsockopt(SO_ERROR). + */ +- sock->sk->sk_err = -err; ++ WRITE_ONCE(sock->sk->sk_err, -err); + } + out_put: + fput_light(sock->file, fput_needed); +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-021-net-deal-with-most-data-races-in-sk_wait_event.patch b/patches.kernel.org/6.3.4-021-net-deal-with-most-data-races-in-sk_wait_event.patch new file mode 100644 index 0000000..8c89c9a --- /dev/null +++ b/patches.kernel.org/6.3.4-021-net-deal-with-most-data-races-in-sk_wait_event.patch @@ -0,0 +1,225 @@ +From: Eric Dumazet +Date: Tue, 9 May 2023 18:29:48 +0000 +Subject: [PATCH] net: deal with most data-races in sk_wait_event() +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: d0ac89f6f9879fae316c155de77b5173b3e2c9c9 + +[ Upstream commit d0ac89f6f9879fae316c155de77b5173b3e2c9c9 ] + +__condition is evaluated twice in sk_wait_event() macro. + +First invocation is lockless, and reads can race with writes, +as spotted by syzbot. + +BUG: KCSAN: data-race in sk_stream_wait_connect / tcp_disconnect + +write to 0xffff88812d83d6a0 of 4 bytes by task 9065 on cpu 1: +tcp_disconnect+0x2cd/0xdb0 +inet_shutdown+0x19e/0x1f0 net/ipv4/af_inet.c:911 +__sys_shutdown_sock net/socket.c:2343 [inline] +__sys_shutdown net/socket.c:2355 [inline] +__do_sys_shutdown net/socket.c:2363 [inline] +__se_sys_shutdown+0xf8/0x140 net/socket.c:2361 +__x64_sys_shutdown+0x31/0x40 net/socket.c:2361 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +read to 0xffff88812d83d6a0 of 4 bytes by task 9040 on cpu 0: +sk_stream_wait_connect+0x1de/0x3a0 net/core/stream.c:75 +tcp_sendmsg_locked+0x2e4/0x2120 net/ipv4/tcp.c:1266 +tcp_sendmsg+0x30/0x50 net/ipv4/tcp.c:1484 +inet6_sendmsg+0x63/0x80 net/ipv6/af_inet6.c:651 +sock_sendmsg_nosec net/socket.c:724 [inline] +sock_sendmsg net/socket.c:747 [inline] +__sys_sendto+0x246/0x300 net/socket.c:2142 +__do_sys_sendto net/socket.c:2154 [inline] +__se_sys_sendto net/socket.c:2150 [inline] +__x64_sys_sendto+0x78/0x90 net/socket.c:2150 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +value changed: 0x00000000 -> 0x00000068 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + net/core/stream.c | 12 ++++++------ + net/ipv4/tcp_bpf.c | 2 +- + net/llc/af_llc.c | 8 +++++--- + net/smc/smc_close.c | 4 ++-- + net/smc/smc_rx.c | 4 ++-- + net/smc/smc_tx.c | 4 ++-- + net/tipc/socket.c | 4 ++-- + net/tls/tls_main.c | 3 ++- + 8 files changed, 22 insertions(+), 19 deletions(-) + +diff --git a/net/core/stream.c b/net/core/stream.c +index 434446ab..f5c4e47d 100644 +--- a/net/core/stream.c ++++ b/net/core/stream.c +@@ -73,8 +73,8 @@ int sk_stream_wait_connect(struct sock *sk, long *timeo_p) + add_wait_queue(sk_sleep(sk), &wait); + sk->sk_write_pending++; + done = sk_wait_event(sk, timeo_p, +- !sk->sk_err && +- !((1 << sk->sk_state) & ++ !READ_ONCE(sk->sk_err) && ++ !((1 << READ_ONCE(sk->sk_state)) & + ~(TCPF_ESTABLISHED | TCPF_CLOSE_WAIT)), &wait); + remove_wait_queue(sk_sleep(sk), &wait); + sk->sk_write_pending--; +@@ -87,9 +87,9 @@ EXPORT_SYMBOL(sk_stream_wait_connect); + * sk_stream_closing - Return 1 if we still have things to send in our buffers. + * @sk: socket to verify + */ +-static inline int sk_stream_closing(struct sock *sk) ++static int sk_stream_closing(const struct sock *sk) + { +- return (1 << sk->sk_state) & ++ return (1 << READ_ONCE(sk->sk_state)) & + (TCPF_FIN_WAIT1 | TCPF_CLOSING | TCPF_LAST_ACK); + } + +@@ -142,8 +142,8 @@ int sk_stream_wait_memory(struct sock *sk, long *timeo_p) + + set_bit(SOCK_NOSPACE, &sk->sk_socket->flags); + sk->sk_write_pending++; +- sk_wait_event(sk, ¤t_timeo, sk->sk_err || +- (sk->sk_shutdown & SEND_SHUTDOWN) || ++ sk_wait_event(sk, ¤t_timeo, READ_ONCE(sk->sk_err) || ++ (READ_ONCE(sk->sk_shutdown) & SEND_SHUTDOWN) || + (sk_stream_memory_free(sk) && + !vm_wait), &wait); + sk->sk_write_pending--; +diff --git a/net/ipv4/tcp_bpf.c b/net/ipv4/tcp_bpf.c +index ebf91751..2e954746 100644 +--- a/net/ipv4/tcp_bpf.c ++++ b/net/ipv4/tcp_bpf.c +@@ -168,7 +168,7 @@ static int tcp_msg_wait_data(struct sock *sk, struct sk_psock *psock, + sk_set_bit(SOCKWQ_ASYNC_WAITDATA, sk); + ret = sk_wait_event(sk, &timeo, + !list_empty(&psock->ingress_msg) || +- !skb_queue_empty(&sk->sk_receive_queue), &wait); ++ !skb_queue_empty_lockless(&sk->sk_receive_queue), &wait); + sk_clear_bit(SOCKWQ_ASYNC_WAITDATA, sk); + remove_wait_queue(sk_sleep(sk), &wait); + return ret; +diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c +index da7fe94b..9ffbc667 100644 +--- a/net/llc/af_llc.c ++++ b/net/llc/af_llc.c +@@ -583,7 +583,8 @@ static int llc_ui_wait_for_disc(struct sock *sk, long timeout) + + add_wait_queue(sk_sleep(sk), &wait); + while (1) { +- if (sk_wait_event(sk, &timeout, sk->sk_state == TCP_CLOSE, &wait)) ++ if (sk_wait_event(sk, &timeout, ++ READ_ONCE(sk->sk_state) == TCP_CLOSE, &wait)) + break; + rc = -ERESTARTSYS; + if (signal_pending(current)) +@@ -603,7 +604,8 @@ static bool llc_ui_wait_for_conn(struct sock *sk, long timeout) + + add_wait_queue(sk_sleep(sk), &wait); + while (1) { +- if (sk_wait_event(sk, &timeout, sk->sk_state != TCP_SYN_SENT, &wait)) ++ if (sk_wait_event(sk, &timeout, ++ READ_ONCE(sk->sk_state) != TCP_SYN_SENT, &wait)) + break; + if (signal_pending(current) || !timeout) + break; +@@ -622,7 +624,7 @@ static int llc_ui_wait_for_busy_core(struct sock *sk, long timeout) + while (1) { + rc = 0; + if (sk_wait_event(sk, &timeout, +- (sk->sk_shutdown & RCV_SHUTDOWN) || ++ (READ_ONCE(sk->sk_shutdown) & RCV_SHUTDOWN) || + (!llc_data_accept_state(llc->state) && + !llc->remote_busy_flag && + !llc->p_flag), &wait)) +diff --git a/net/smc/smc_close.c b/net/smc/smc_close.c +index 31db7438..dbdf03e8 100644 +--- a/net/smc/smc_close.c ++++ b/net/smc/smc_close.c +@@ -67,8 +67,8 @@ static void smc_close_stream_wait(struct smc_sock *smc, long timeout) + + rc = sk_wait_event(sk, &timeout, + !smc_tx_prepared_sends(&smc->conn) || +- sk->sk_err == ECONNABORTED || +- sk->sk_err == ECONNRESET || ++ READ_ONCE(sk->sk_err) == ECONNABORTED || ++ READ_ONCE(sk->sk_err) == ECONNRESET || + smc->conn.killed, + &wait); + if (rc) +diff --git a/net/smc/smc_rx.c b/net/smc/smc_rx.c +index 4380d32f..9a2f3638 100644 +--- a/net/smc/smc_rx.c ++++ b/net/smc/smc_rx.c +@@ -267,9 +267,9 @@ int smc_rx_wait(struct smc_sock *smc, long *timeo, + sk_set_bit(SOCKWQ_ASYNC_WAITDATA, sk); + add_wait_queue(sk_sleep(sk), &wait); + rc = sk_wait_event(sk, timeo, +- sk->sk_err || ++ READ_ONCE(sk->sk_err) || + cflags->peer_conn_abort || +- sk->sk_shutdown & RCV_SHUTDOWN || ++ READ_ONCE(sk->sk_shutdown) & RCV_SHUTDOWN || + conn->killed || + fcrit(conn), + &wait); +diff --git a/net/smc/smc_tx.c b/net/smc/smc_tx.c +index f4b6a71a..45128443 100644 +--- a/net/smc/smc_tx.c ++++ b/net/smc/smc_tx.c +@@ -113,8 +113,8 @@ static int smc_tx_wait(struct smc_sock *smc, int flags) + break; /* at least 1 byte of free & no urgent data */ + set_bit(SOCK_NOSPACE, &sk->sk_socket->flags); + sk_wait_event(sk, &timeo, +- sk->sk_err || +- (sk->sk_shutdown & SEND_SHUTDOWN) || ++ READ_ONCE(sk->sk_err) || ++ (READ_ONCE(sk->sk_shutdown) & SEND_SHUTDOWN) || + smc_cdc_rxed_any_close(conn) || + (atomic_read(&conn->sndbuf_space) && + !conn->urg_tx_pend), +diff --git a/net/tipc/socket.c b/net/tipc/socket.c +index 37edfe10..dd73d71c 100644 +--- a/net/tipc/socket.c ++++ b/net/tipc/socket.c +@@ -314,9 +314,9 @@ static void tsk_rej_rx_queue(struct sock *sk, int error) + tipc_sk_respond(sk, skb, error); + } + +-static bool tipc_sk_connected(struct sock *sk) ++static bool tipc_sk_connected(const struct sock *sk) + { +- return sk->sk_state == TIPC_ESTABLISHED; ++ return READ_ONCE(sk->sk_state) == TIPC_ESTABLISHED; + } + + /* tipc_sk_type_connectionless - check if the socket is datagram socket +diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c +index b32c1129..f2e7302a 100644 +--- a/net/tls/tls_main.c ++++ b/net/tls/tls_main.c +@@ -111,7 +111,8 @@ int wait_on_pending_writer(struct sock *sk, long *timeo) + break; + } + +- if (sk_wait_event(sk, timeo, !sk->sk_write_pending, &wait)) ++ if (sk_wait_event(sk, timeo, ++ !READ_ONCE(sk->sk_write_pending), &wait)) + break; + } + remove_wait_queue(sk_sleep(sk), &wait); +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-022-net-add-vlan_get_protocol_and_depth-helper.patch b/patches.kernel.org/6.3.4-022-net-add-vlan_get_protocol_and_depth-helper.patch new file mode 100644 index 0000000..b908b89 --- /dev/null +++ b/patches.kernel.org/6.3.4-022-net-add-vlan_get_protocol_and_depth-helper.patch @@ -0,0 +1,175 @@ +From: Eric Dumazet +Date: Tue, 9 May 2023 13:18:57 +0000 +Subject: [PATCH] net: add vlan_get_protocol_and_depth() helper +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 4063384ef762cc5946fc7a3f89879e76c6ec51e2 + +[ Upstream commit 4063384ef762cc5946fc7a3f89879e76c6ec51e2 ] + +Before blamed commit, pskb_may_pull() was used instead +of skb_header_pointer() in __vlan_get_protocol() and friends. + +Few callers depended on skb->head being populated with MAC header, +syzbot caught one of them (skb_mac_gso_segment()) + +Add vlan_get_protocol_and_depth() to make the intent clearer +and use it where sensible. + +This is a more generic fix than commit e9d3f80935b6 +("net/af_packet: make sure to pull mac header") which was +dealing with a similar issue. + +kernel BUG at include/linux/skbuff.h:2655 ! +invalid opcode: 0000 [#1] SMP KASAN +CPU: 0 PID: 1441 Comm: syz-executor199 Not tainted 6.1.24-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 +RIP: 0010:__skb_pull include/linux/skbuff.h:2655 [inline] +RIP: 0010:skb_mac_gso_segment+0x68f/0x6a0 net/core/gro.c:136 +Code: fd 48 8b 5c 24 10 44 89 6b 70 48 c7 c7 c0 ae 0d 86 44 89 e6 e8 a1 91 d0 00 48 c7 c7 00 af 0d 86 48 89 de 31 d2 e8 d1 4a e9 ff <0f> 0b 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48 89 e5 41 +RSP: 0018:ffffc90001bd7520 EFLAGS: 00010286 +RAX: ffffffff8469736a RBX: ffff88810f31dac0 RCX: ffff888115a18b00 +RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 +RBP: ffffc90001bd75e8 R08: ffffffff84697183 R09: fffff5200037adf9 +R10: 0000000000000000 R11: dffffc0000000001 R12: 0000000000000012 +R13: 000000000000fee5 R14: 0000000000005865 R15: 000000000000fed7 +FS: 000055555633f300(0000) GS:ffff8881f6a00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000020000000 CR3: 0000000116fea000 CR4: 00000000003506f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + +[] __skb_gso_segment+0x32d/0x4c0 net/core/dev.c:3419 +[] skb_gso_segment include/linux/netdevice.h:4819 [inline] +[] validate_xmit_skb+0x3aa/0xee0 net/core/dev.c:3725 +[] __dev_queue_xmit+0x1332/0x3300 net/core/dev.c:4313 +[] dev_queue_xmit+0x17/0x20 include/linux/netdevice.h:3029 +[] packet_snd net/packet/af_packet.c:3111 [inline] +[] packet_sendmsg+0x49d2/0x6470 net/packet/af_packet.c:3142 +[] sock_sendmsg_nosec net/socket.c:716 [inline] +[] sock_sendmsg net/socket.c:736 [inline] +[] __sys_sendto+0x472/0x5f0 net/socket.c:2139 +[] __do_sys_sendto net/socket.c:2151 [inline] +[] __se_sys_sendto net/socket.c:2147 [inline] +[] __x64_sys_sendto+0xe5/0x100 net/socket.c:2147 +[] do_syscall_x64 arch/x86/entry/common.c:50 [inline] +[] do_syscall_64+0x2f/0x50 arch/x86/entry/common.c:80 +[] entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Fixes: 469aceddfa3e ("vlan: consolidate VLAN parsing code and limit max parsing depth") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Cc: Toke Høiland-Jørgensen +Cc: Willem de Bruijn +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/net/tap.c | 4 ++-- + include/linux/if_vlan.h | 17 +++++++++++++++++ + net/bridge/br_forward.c | 2 +- + net/core/dev.c | 2 +- + net/packet/af_packet.c | 6 ++---- + 5 files changed, 23 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/tap.c b/drivers/net/tap.c +index 8941aa19..456de9c3 100644 +--- a/drivers/net/tap.c ++++ b/drivers/net/tap.c +@@ -739,7 +739,7 @@ static ssize_t tap_get_user(struct tap_queue *q, void *msg_control, + + /* Move network header to the right position for VLAN tagged packets */ + if (eth_type_vlan(skb->protocol) && +- __vlan_get_protocol(skb, skb->protocol, &depth) != 0) ++ vlan_get_protocol_and_depth(skb, skb->protocol, &depth) != 0) + skb_set_network_header(skb, depth); + + /* copy skb_ubuf_info for callback when skb has no error */ +@@ -1186,7 +1186,7 @@ static int tap_get_user_xdp(struct tap_queue *q, struct xdp_buff *xdp) + + /* Move network header to the right position for VLAN tagged packets */ + if (eth_type_vlan(skb->protocol) && +- __vlan_get_protocol(skb, skb->protocol, &depth) != 0) ++ vlan_get_protocol_and_depth(skb, skb->protocol, &depth) != 0) + skb_set_network_header(skb, depth); + + rcu_read_lock(); +diff --git a/include/linux/if_vlan.h b/include/linux/if_vlan.h +index 6864b89e..7ad09082 100644 +--- a/include/linux/if_vlan.h ++++ b/include/linux/if_vlan.h +@@ -628,6 +628,23 @@ static inline __be16 vlan_get_protocol(const struct sk_buff *skb) + return __vlan_get_protocol(skb, skb->protocol, NULL); + } + ++/* This version of __vlan_get_protocol() also pulls mac header in skb->head */ ++static inline __be16 vlan_get_protocol_and_depth(struct sk_buff *skb, ++ __be16 type, int *depth) ++{ ++ int maclen; ++ ++ type = __vlan_get_protocol(skb, type, &maclen); ++ ++ if (type) { ++ if (!pskb_may_pull(skb, maclen)) ++ type = 0; ++ else if (depth) ++ *depth = maclen; ++ } ++ return type; ++} ++ + /* A getter for the SKB protocol field which will handle VLAN tags consistently + * whether VLAN acceleration is enabled or not. + */ +diff --git a/net/bridge/br_forward.c b/net/bridge/br_forward.c +index 02bb620d..bd54f17e 100644 +--- a/net/bridge/br_forward.c ++++ b/net/bridge/br_forward.c +@@ -42,7 +42,7 @@ int br_dev_queue_push_xmit(struct net *net, struct sock *sk, struct sk_buff *skb + eth_type_vlan(skb->protocol)) { + int depth; + +- if (!__vlan_get_protocol(skb, skb->protocol, &depth)) ++ if (!vlan_get_protocol_and_depth(skb, skb->protocol, &depth)) + goto drop; + + skb_set_network_header(skb, depth); +diff --git a/net/core/dev.c b/net/core/dev.c +index 1488f700..8fbd2418 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -3338,7 +3338,7 @@ __be16 skb_network_protocol(struct sk_buff *skb, int *depth) + type = eth->h_proto; + } + +- return __vlan_get_protocol(skb, type, depth); ++ return vlan_get_protocol_and_depth(skb, type, depth); + } + + /* openvswitch calls this on rx path, so we need a different check. +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index b8c62d88..db9c2fa7 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -1935,10 +1935,8 @@ static void packet_parse_headers(struct sk_buff *skb, struct socket *sock) + /* Move network header to the right position for VLAN tagged packets */ + if (likely(skb->dev->type == ARPHRD_ETHER) && + eth_type_vlan(skb->protocol) && +- __vlan_get_protocol(skb, skb->protocol, &depth) != 0) { +- if (pskb_may_pull(skb, depth)) +- skb_set_network_header(skb, depth); +- } ++ vlan_get_protocol_and_depth(skb, skb->protocol, &depth) != 0) ++ skb_set_network_header(skb, depth); + + skb_probe_transport_header(skb); + } +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-023-tcp-add-annotations-around-sk-sk_shutdown-acces.patch b/patches.kernel.org/6.3.4-023-tcp-add-annotations-around-sk-sk_shutdown-acces.patch new file mode 100644 index 0000000..78bd58c --- /dev/null +++ b/patches.kernel.org/6.3.4-023-tcp-add-annotations-around-sk-sk_shutdown-acces.patch @@ -0,0 +1,159 @@ +From: Eric Dumazet +Date: Tue, 9 May 2023 20:36:56 +0000 +Subject: [PATCH] tcp: add annotations around sk->sk_shutdown accesses +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: e14cadfd80d76f01bfaa1a8d745b1db19b57d6be + +[ Upstream commit e14cadfd80d76f01bfaa1a8d745b1db19b57d6be ] + +Now sk->sk_shutdown is no longer a bitfield, we can add +standard READ_ONCE()/WRITE_ONCE() annotations to silence +KCSAN reports like the following: + +BUG: KCSAN: data-race in tcp_disconnect / tcp_poll + +write to 0xffff88814588582c of 1 bytes by task 3404 on cpu 1: +tcp_disconnect+0x4d6/0xdb0 net/ipv4/tcp.c:3121 +__inet_stream_connect+0x5dd/0x6e0 net/ipv4/af_inet.c:715 +inet_stream_connect+0x48/0x70 net/ipv4/af_inet.c:727 +__sys_connect_file net/socket.c:2001 [inline] +__sys_connect+0x19b/0x1b0 net/socket.c:2018 +__do_sys_connect net/socket.c:2028 [inline] +__se_sys_connect net/socket.c:2025 [inline] +__x64_sys_connect+0x41/0x50 net/socket.c:2025 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +read to 0xffff88814588582c of 1 bytes by task 3374 on cpu 0: +tcp_poll+0x2e6/0x7d0 net/ipv4/tcp.c:562 +sock_poll+0x253/0x270 net/socket.c:1383 +vfs_poll include/linux/poll.h:88 [inline] +io_poll_check_events io_uring/poll.c:281 [inline] +io_poll_task_func+0x15a/0x820 io_uring/poll.c:333 +handle_tw_list io_uring/io_uring.c:1184 [inline] +tctx_task_work+0x1fe/0x4d0 io_uring/io_uring.c:1246 +task_work_run+0x123/0x160 kernel/task_work.c:179 +get_signal+0xe64/0xff0 kernel/signal.c:2635 +arch_do_signal_or_restart+0x89/0x2a0 arch/x86/kernel/signal.c:306 +exit_to_user_mode_loop+0x6f/0xe0 kernel/entry/common.c:168 +exit_to_user_mode_prepare+0x6c/0xb0 kernel/entry/common.c:204 +__syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline] +syscall_exit_to_user_mode+0x26/0x140 kernel/entry/common.c:297 +do_syscall_64+0x4d/0xc0 arch/x86/entry/common.c:86 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +value changed: 0x03 -> 0x00 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + net/ipv4/af_inet.c | 2 +- + net/ipv4/tcp.c | 14 ++++++++------ + net/ipv4/tcp_input.c | 4 ++-- + 3 files changed, 11 insertions(+), 9 deletions(-) + +diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c +index 8db6747f..70fd769f 100644 +--- a/net/ipv4/af_inet.c ++++ b/net/ipv4/af_inet.c +@@ -894,7 +894,7 @@ int inet_shutdown(struct socket *sock, int how) + EPOLLHUP, even on eg. unconnected UDP sockets -- RR */ + fallthrough; + default: +- sk->sk_shutdown |= how; ++ WRITE_ONCE(sk->sk_shutdown, sk->sk_shutdown | how); + if (sk->sk_prot->shutdown) + sk->sk_prot->shutdown(sk, how); + break; +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index 28869398..6c7c6665 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -498,6 +498,7 @@ __poll_t tcp_poll(struct file *file, struct socket *sock, poll_table *wait) + __poll_t mask; + struct sock *sk = sock->sk; + const struct tcp_sock *tp = tcp_sk(sk); ++ u8 shutdown; + int state; + + sock_poll_wait(file, sock, wait); +@@ -540,9 +541,10 @@ __poll_t tcp_poll(struct file *file, struct socket *sock, poll_table *wait) + * NOTE. Check for TCP_CLOSE is added. The goal is to prevent + * blocking on fresh not-connected or disconnected socket. --ANK + */ +- if (sk->sk_shutdown == SHUTDOWN_MASK || state == TCP_CLOSE) ++ shutdown = READ_ONCE(sk->sk_shutdown); ++ if (shutdown == SHUTDOWN_MASK || state == TCP_CLOSE) + mask |= EPOLLHUP; +- if (sk->sk_shutdown & RCV_SHUTDOWN) ++ if (shutdown & RCV_SHUTDOWN) + mask |= EPOLLIN | EPOLLRDNORM | EPOLLRDHUP; + + /* Connected or passive Fast Open socket? */ +@@ -559,7 +561,7 @@ __poll_t tcp_poll(struct file *file, struct socket *sock, poll_table *wait) + if (tcp_stream_is_readable(sk, target)) + mask |= EPOLLIN | EPOLLRDNORM; + +- if (!(sk->sk_shutdown & SEND_SHUTDOWN)) { ++ if (!(shutdown & SEND_SHUTDOWN)) { + if (__sk_stream_is_writeable(sk, 1)) { + mask |= EPOLLOUT | EPOLLWRNORM; + } else { /* send SIGIO later */ +@@ -2866,7 +2868,7 @@ void __tcp_close(struct sock *sk, long timeout) + int data_was_unread = 0; + int state; + +- sk->sk_shutdown = SHUTDOWN_MASK; ++ WRITE_ONCE(sk->sk_shutdown, SHUTDOWN_MASK); + + if (sk->sk_state == TCP_LISTEN) { + tcp_set_state(sk, TCP_CLOSE); +@@ -3118,7 +3120,7 @@ int tcp_disconnect(struct sock *sk, int flags) + + inet_bhash2_reset_saddr(sk); + +- sk->sk_shutdown = 0; ++ WRITE_ONCE(sk->sk_shutdown, 0); + sock_reset_flag(sk, SOCK_DONE); + tp->srtt_us = 0; + tp->mdev_us = jiffies_to_usecs(TCP_TIMEOUT_INIT); +@@ -4648,7 +4650,7 @@ void tcp_done(struct sock *sk) + if (req) + reqsk_fastopen_remove(sk, req, false); + +- sk->sk_shutdown = SHUTDOWN_MASK; ++ WRITE_ONCE(sk->sk_shutdown, SHUTDOWN_MASK); + + if (!sock_flag(sk, SOCK_DEAD)) + sk->sk_state_change(sk); +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c +index cc072d2c..10776c54 100644 +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -4362,7 +4362,7 @@ void tcp_fin(struct sock *sk) + + inet_csk_schedule_ack(sk); + +- sk->sk_shutdown |= RCV_SHUTDOWN; ++ WRITE_ONCE(sk->sk_shutdown, sk->sk_shutdown | RCV_SHUTDOWN); + sock_set_flag(sk, SOCK_DONE); + + switch (sk->sk_state) { +@@ -6597,7 +6597,7 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb) + break; + + tcp_set_state(sk, TCP_FIN_WAIT2); +- sk->sk_shutdown |= SEND_SHUTDOWN; ++ WRITE_ONCE(sk->sk_shutdown, sk->sk_shutdown | SEND_SHUTDOWN); + + sk_dst_confirm(sk); + +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-024-gve-Remove-the-code-of-clearing-PBA-bit.patch b/patches.kernel.org/6.3.4-024-gve-Remove-the-code-of-clearing-PBA-bit.patch new file mode 100644 index 0000000..c352d31 --- /dev/null +++ b/patches.kernel.org/6.3.4-024-gve-Remove-the-code-of-clearing-PBA-bit.patch @@ -0,0 +1,51 @@ +From: Ziwei Xiao +Date: Tue, 9 May 2023 15:51:23 -0700 +Subject: [PATCH] gve: Remove the code of clearing PBA bit +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: f4c2e67c1773d2a2632381ee30e9139c1e744c16 + +[ Upstream commit f4c2e67c1773d2a2632381ee30e9139c1e744c16 ] + +Clearing the PBA bit from the driver is race prone and it may lead to +dropped interrupt events. This could potentially lead to the traffic +being completely halted. + +Fixes: 5e8c5adf95f8 ("gve: DQO: Add core netdev features") +Signed-off-by: Ziwei Xiao +Signed-off-by: Bailey Forrest +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/net/ethernet/google/gve/gve_main.c | 13 ------------- + 1 file changed, 13 deletions(-) + +diff --git a/drivers/net/ethernet/google/gve/gve_main.c b/drivers/net/ethernet/google/gve/gve_main.c +index 07111c24..60bf0e3f 100644 +--- a/drivers/net/ethernet/google/gve/gve_main.c ++++ b/drivers/net/ethernet/google/gve/gve_main.c +@@ -284,19 +284,6 @@ static int gve_napi_poll_dqo(struct napi_struct *napi, int budget) + bool reschedule = false; + int work_done = 0; + +- /* Clear PCI MSI-X Pending Bit Array (PBA) +- * +- * This bit is set if an interrupt event occurs while the vector is +- * masked. If this bit is set and we reenable the interrupt, it will +- * fire again. Since we're just about to poll the queue state, we don't +- * need it to fire again. +- * +- * Under high softirq load, it's possible that the interrupt condition +- * is triggered twice before we got the chance to process it. +- */ +- gve_write_irq_doorbell_dqo(priv, block, +- GVE_ITR_NO_UPDATE_DQO | GVE_ITR_CLEAR_PBA_BIT_DQO); +- + if (block->tx) + reschedule |= gve_tx_poll_dqo(block, /*do_clean=*/true); + +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-025-ipvlan-Fix-out-of-bounds-caused-by-unclear-skb-.patch b/patches.kernel.org/6.3.4-025-ipvlan-Fix-out-of-bounds-caused-by-unclear-skb-.patch new file mode 100644 index 0000000..4ba768a --- /dev/null +++ b/patches.kernel.org/6.3.4-025-ipvlan-Fix-out-of-bounds-caused-by-unclear-skb-.patch @@ -0,0 +1,173 @@ +From: "t.feng" +Date: Wed, 10 May 2023 11:50:44 +0800 +Subject: [PATCH] ipvlan:Fix out-of-bounds caused by unclear skb->cb +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 90cbed5247439a966b645b34eb0a2e037836ea8e + +[ Upstream commit 90cbed5247439a966b645b34eb0a2e037836ea8e ] + +If skb enqueue the qdisc, fq_skb_cb(skb)->time_to_send is changed which +is actually skb->cb, and IPCB(skb_in)->opt will be used in +__ip_options_echo. It is possible that memcpy is out of bounds and lead +to stack overflow. +We should clear skb->cb before ip_local_out or ip6_local_out. + +v2: +1. clean the stack info +2. use IPCB/IP6CB instead of skb->cb + +crash on stable-5.10(reproduce in kasan kernel). +Stack info: +[ 2203.651571] BUG: KASAN: stack-out-of-bounds in +__ip_options_echo+0x589/0x800 +[ 2203.653327] Write of size 4 at addr ffff88811a388f27 by task +swapper/3/0 +[ 2203.655460] CPU: 3 PID: 0 Comm: swapper/3 Kdump: loaded Not tainted +5.10.0-60.18.0.50.h856.kasan.eulerosv2r11.x86_64 #1 +[ 2203.655466] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), +BIOS rel-1.10.2-0-g5f4c7b1-20181220_000000-szxrtosci10000 04/01/2014 +[ 2203.655475] Call Trace: +[ 2203.655481] +[ 2203.655501] dump_stack+0x9c/0xd3 +[ 2203.655514] print_address_description.constprop.0+0x19/0x170 +[ 2203.655530] __kasan_report.cold+0x6c/0x84 +[ 2203.655586] kasan_report+0x3a/0x50 +[ 2203.655594] check_memory_region+0xfd/0x1f0 +[ 2203.655601] memcpy+0x39/0x60 +[ 2203.655608] __ip_options_echo+0x589/0x800 +[ 2203.655654] __icmp_send+0x59a/0x960 +[ 2203.655755] nf_send_unreach+0x129/0x3d0 [nf_reject_ipv4] +[ 2203.655763] reject_tg+0x77/0x1bf [ipt_REJECT] +[ 2203.655772] ipt_do_table+0x691/0xa40 [ip_tables] +[ 2203.655821] nf_hook_slow+0x69/0x100 +[ 2203.655828] __ip_local_out+0x21e/0x2b0 +[ 2203.655857] ip_local_out+0x28/0x90 +[ 2203.655868] ipvlan_process_v4_outbound+0x21e/0x260 [ipvlan] +[ 2203.655931] ipvlan_xmit_mode_l3+0x3bd/0x400 [ipvlan] +[ 2203.655967] ipvlan_queue_xmit+0xb3/0x190 [ipvlan] +[ 2203.655977] ipvlan_start_xmit+0x2e/0xb0 [ipvlan] +[ 2203.655984] xmit_one.constprop.0+0xe1/0x280 +[ 2203.655992] dev_hard_start_xmit+0x62/0x100 +[ 2203.656000] sch_direct_xmit+0x215/0x640 +[ 2203.656028] __qdisc_run+0x153/0x1f0 +[ 2203.656069] __dev_queue_xmit+0x77f/0x1030 +[ 2203.656173] ip_finish_output2+0x59b/0xc20 +[ 2203.656244] __ip_finish_output.part.0+0x318/0x3d0 +[ 2203.656312] ip_finish_output+0x168/0x190 +[ 2203.656320] ip_output+0x12d/0x220 +[ 2203.656357] __ip_queue_xmit+0x392/0x880 +[ 2203.656380] __tcp_transmit_skb+0x1088/0x11c0 +[ 2203.656436] __tcp_retransmit_skb+0x475/0xa30 +[ 2203.656505] tcp_retransmit_skb+0x2d/0x190 +[ 2203.656512] tcp_retransmit_timer+0x3af/0x9a0 +[ 2203.656519] tcp_write_timer_handler+0x3ba/0x510 +[ 2203.656529] tcp_write_timer+0x55/0x180 +[ 2203.656542] call_timer_fn+0x3f/0x1d0 +[ 2203.656555] expire_timers+0x160/0x200 +[ 2203.656562] run_timer_softirq+0x1f4/0x480 +[ 2203.656606] __do_softirq+0xfd/0x402 +[ 2203.656613] asm_call_irq_on_stack+0x12/0x20 +[ 2203.656617] +[ 2203.656623] do_softirq_own_stack+0x37/0x50 +[ 2203.656631] irq_exit_rcu+0x134/0x1a0 +[ 2203.656639] sysvec_apic_timer_interrupt+0x36/0x80 +[ 2203.656646] asm_sysvec_apic_timer_interrupt+0x12/0x20 +[ 2203.656654] RIP: 0010:default_idle+0x13/0x20 +[ 2203.656663] Code: 89 f0 5d 41 5c 41 5d 41 5e c3 cc cc cc cc cc cc cc +cc cc cc cc cc cc 0f 1f 44 00 00 0f 1f 44 00 00 0f 00 2d 9f 32 57 00 fb +f4 cc cc cc cc 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 41 54 be 08 +[ 2203.656668] RSP: 0018:ffff88810036fe78 EFLAGS: 00000256 +[ 2203.656676] RAX: ffffffffaf2a87f0 RBX: ffff888100360000 RCX: +ffffffffaf290191 +[ 2203.656681] RDX: 0000000000098b5e RSI: 0000000000000004 RDI: +ffff88811a3c4f60 +[ 2203.656686] RBP: 0000000000000000 R08: 0000000000000001 R09: +ffff88811a3c4f63 +[ 2203.656690] R10: ffffed10234789ec R11: 0000000000000001 R12: +0000000000000003 +[ 2203.656695] R13: ffff888100360000 R14: 0000000000000000 R15: +0000000000000000 +[ 2203.656729] default_idle_call+0x5a/0x150 +[ 2203.656735] cpuidle_idle_call+0x1c6/0x220 +[ 2203.656780] do_idle+0xab/0x100 +[ 2203.656786] cpu_startup_entry+0x19/0x20 +[ 2203.656793] secondary_startup_64_no_verify+0xc2/0xcb + +[ 2203.657409] The buggy address belongs to the page: +[ 2203.658648] page:0000000027a9842f refcount:1 mapcount:0 +mapping:0000000000000000 index:0x0 pfn:0x11a388 +[ 2203.658665] flags: +0x17ffffc0001000(reserved|node=0|zone=2|lastcpupid=0x1fffff) +[ 2203.658675] raw: 0017ffffc0001000 ffffea000468e208 ffffea000468e208 +0000000000000000 +[ 2203.658682] raw: 0000000000000000 0000000000000000 00000001ffffffff +0000000000000000 +[ 2203.658686] page dumped because: kasan: bad access detected + +To reproduce(ipvlan with IPVLAN_MODE_L3): +Env setting: +======================================================= +modprobe ipvlan ipvlan_default_mode=1 +sysctl net.ipv4.conf.eth0.forwarding=1 +iptables -t nat -A POSTROUTING -s 20.0.0.0/255.255.255.0 -o eth0 -j +MASQUERADE +ip link add gw link eth0 type ipvlan +ip -4 addr add 20.0.0.254/24 dev gw +ip netns add net1 +ip link add ipv1 link eth0 type ipvlan +ip link set ipv1 netns net1 +ip netns exec net1 ip link set ipv1 up +ip netns exec net1 ip -4 addr add 20.0.0.4/24 dev ipv1 +ip netns exec net1 route add default gw 20.0.0.254 +ip netns exec net1 tc qdisc add dev ipv1 root netem loss 10% +ifconfig gw up +iptables -t filter -A OUTPUT -p tcp --dport 8888 -j REJECT --reject-with +icmp-port-unreachable +======================================================= +And then excute the shell(curl any address of eth0 can reach): + +for((i=1;i<=100000;i++)) +do + ip netns exec net1 curl x.x.x.x:8888 +done +======================================================= + +Fixes: 2ad7bf363841 ("ipvlan: Initial check-in of the IPVLAN driver.") +Signed-off-by: "t.feng" +Suggested-by: Florian Westphal +Reviewed-by: Paolo Abeni +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/net/ipvlan/ipvlan_core.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/net/ipvlan/ipvlan_core.c b/drivers/net/ipvlan/ipvlan_core.c +index 460b3d4f..ab5133eb 100644 +--- a/drivers/net/ipvlan/ipvlan_core.c ++++ b/drivers/net/ipvlan/ipvlan_core.c +@@ -436,6 +436,9 @@ static int ipvlan_process_v4_outbound(struct sk_buff *skb) + goto err; + } + skb_dst_set(skb, &rt->dst); ++ ++ memset(IPCB(skb), 0, sizeof(*IPCB(skb))); ++ + err = ip_local_out(net, skb->sk, skb); + if (unlikely(net_xmit_eval(err))) + dev->stats.tx_errors++; +@@ -474,6 +477,9 @@ static int ipvlan_process_v6_outbound(struct sk_buff *skb) + goto err; + } + skb_dst_set(skb, dst); ++ ++ memset(IP6CB(skb), 0, sizeof(*IP6CB(skb))); ++ + err = ip6_local_out(net, skb->sk, skb); + if (unlikely(net_xmit_eval(err))) + dev->stats.tx_errors++; +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-026-net-mscc-ocelot-fix-stat-counter-register-value.patch b/patches.kernel.org/6.3.4-026-net-mscc-ocelot-fix-stat-counter-register-value.patch new file mode 100644 index 0000000..12125a8 --- /dev/null +++ b/patches.kernel.org/6.3.4-026-net-mscc-ocelot-fix-stat-counter-register-value.patch @@ -0,0 +1,63 @@ +From: Colin Foster +Date: Tue, 9 May 2023 21:48:51 -0700 +Subject: [PATCH] net: mscc: ocelot: fix stat counter register values +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: cdc2e28e214fe9315cdd7e069c1c8e2428f93427 + +[ Upstream commit cdc2e28e214fe9315cdd7e069c1c8e2428f93427 ] + +Commit d4c367650704 ("net: mscc: ocelot: keep ocelot_stat_layout by reg +address, not offset") organized the stats counters for Ocelot chips, namely +the VSC7512 and VSC7514. A few of the counter offsets were incorrect, and +were caught by this warning: + +WARNING: CPU: 0 PID: 24 at drivers/net/ethernet/mscc/ocelot_stats.c:909 +ocelot_stats_init+0x1fc/0x2d8 +reg 0x5000078 had address 0x220 but reg 0x5000079 has address 0x214, +bulking broken! + +Fix these register offsets. + +Fixes: d4c367650704 ("net: mscc: ocelot: keep ocelot_stat_layout by reg address, not offset") +Signed-off-by: Colin Foster +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/net/ethernet/mscc/vsc7514_regs.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/ethernet/mscc/vsc7514_regs.c b/drivers/net/ethernet/mscc/vsc7514_regs.c +index ef6fd3f6..5595bfe8 100644 +--- a/drivers/net/ethernet/mscc/vsc7514_regs.c ++++ b/drivers/net/ethernet/mscc/vsc7514_regs.c +@@ -307,15 +307,15 @@ static const u32 vsc7514_sys_regmap[] = { + REG(SYS_COUNT_DROP_YELLOW_PRIO_4, 0x000218), + REG(SYS_COUNT_DROP_YELLOW_PRIO_5, 0x00021c), + REG(SYS_COUNT_DROP_YELLOW_PRIO_6, 0x000220), +- REG(SYS_COUNT_DROP_YELLOW_PRIO_7, 0x000214), +- REG(SYS_COUNT_DROP_GREEN_PRIO_0, 0x000218), +- REG(SYS_COUNT_DROP_GREEN_PRIO_1, 0x00021c), +- REG(SYS_COUNT_DROP_GREEN_PRIO_2, 0x000220), +- REG(SYS_COUNT_DROP_GREEN_PRIO_3, 0x000224), +- REG(SYS_COUNT_DROP_GREEN_PRIO_4, 0x000228), +- REG(SYS_COUNT_DROP_GREEN_PRIO_5, 0x00022c), +- REG(SYS_COUNT_DROP_GREEN_PRIO_6, 0x000230), +- REG(SYS_COUNT_DROP_GREEN_PRIO_7, 0x000234), ++ REG(SYS_COUNT_DROP_YELLOW_PRIO_7, 0x000224), ++ REG(SYS_COUNT_DROP_GREEN_PRIO_0, 0x000228), ++ REG(SYS_COUNT_DROP_GREEN_PRIO_1, 0x00022c), ++ REG(SYS_COUNT_DROP_GREEN_PRIO_2, 0x000230), ++ REG(SYS_COUNT_DROP_GREEN_PRIO_3, 0x000234), ++ REG(SYS_COUNT_DROP_GREEN_PRIO_4, 0x000238), ++ REG(SYS_COUNT_DROP_GREEN_PRIO_5, 0x00023c), ++ REG(SYS_COUNT_DROP_GREEN_PRIO_6, 0x000240), ++ REG(SYS_COUNT_DROP_GREEN_PRIO_7, 0x000244), + REG(SYS_RESET_CFG, 0x000508), + REG(SYS_CMID, 0x00050c), + REG(SYS_VLAN_ETYPE_CFG, 0x000510), +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-027-drm-sched-Check-scheduler-work-queue-before-cal.patch b/patches.kernel.org/6.3.4-027-drm-sched-Check-scheduler-work-queue-before-cal.patch new file mode 100644 index 0000000..9fb7a01 --- /dev/null +++ b/patches.kernel.org/6.3.4-027-drm-sched-Check-scheduler-work-queue-before-cal.patch @@ -0,0 +1,74 @@ +From: Vitaly Prosyak +Date: Wed, 10 May 2023 09:51:11 -0400 +Subject: [PATCH] drm/sched: Check scheduler work queue before calling timeout + handling +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 2da5bffe9eaa5819a868e8eaaa11b3fd0f16a691 + +[ Upstream commit 2da5bffe9eaa5819a868e8eaaa11b3fd0f16a691 ] + +During an IGT GPU reset test we see again oops despite of +commit 0c8c901aaaebc9 (drm/sched: Check scheduler ready before calling +timeout handling). + +It uses ready condition whether to call drm_sched_fault which unwind +the TDR leads to GPU reset. +However it looks the ready condition is overloaded with other meanings, +for example, for the following stack is related GPU reset : + +0 gfx_v9_0_cp_gfx_start +1 gfx_v9_0_cp_gfx_resume +2 gfx_v9_0_cp_resume +3 gfx_v9_0_hw_init +4 gfx_v9_0_resume +5 amdgpu_device_ip_resume_phase2 + +does the following: + /* start the ring */ + gfx_v9_0_cp_gfx_start(adev); + ring->sched.ready = true; + +The same approach is for other ASICs as well : +gfx_v8_0_cp_gfx_resume +gfx_v10_0_kiq_resume, etc... + +As a result, our GPU reset test causes GPU fault which calls unconditionally gfx_v9_0_fault +and then drm_sched_fault. However now it depends on whether the interrupt service routine +drm_sched_fault is executed after gfx_v9_0_cp_gfx_start is completed which sets the ready +field of the scheduler to true even for uninitialized schedulers and causes oops vs +no fault or when ISR drm_sched_fault is completed prior gfx_v9_0_cp_gfx_start and +NULL pointer dereference does not occur. + +Use the field timeout_wq to prevent oops for uninitialized schedulers. +The field could be initialized by the work queue of resetting the domain. + +v1: Corrections to commit message (Luben) + +Fixes: 11b3b9f461c5c4 ("drm/sched: Check scheduler ready before calling timeout handling") +Signed-off-by: Vitaly Prosyak +Link: https://lore.kernel.org/r/20230510135111.58631-1-vitaly.prosyak@amd.com +Reviewed-by: Luben Tuikov +Signed-off-by: Luben Tuikov +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/gpu/drm/scheduler/sched_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/scheduler/sched_main.c b/drivers/gpu/drm/scheduler/sched_main.c +index 1e08cc5a..78c959ea 100644 +--- a/drivers/gpu/drm/scheduler/sched_main.c ++++ b/drivers/gpu/drm/scheduler/sched_main.c +@@ -308,7 +308,7 @@ static void drm_sched_start_timeout(struct drm_gpu_scheduler *sched) + */ + void drm_sched_fault(struct drm_gpu_scheduler *sched) + { +- if (sched->ready) ++ if (sched->timeout_wq) + mod_delayed_work(sched->timeout_wq, &sched->work_tdr, 0); + } + EXPORT_SYMBOL(drm_sched_fault); +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-028-net-datagram-fix-data-races-in-datagram_poll.patch b/patches.kernel.org/6.3.4-028-net-datagram-fix-data-races-in-datagram_poll.patch new file mode 100644 index 0000000..e5fa080 --- /dev/null +++ b/patches.kernel.org/6.3.4-028-net-datagram-fix-data-races-in-datagram_poll.patch @@ -0,0 +1,70 @@ +From: Eric Dumazet +Date: Tue, 9 May 2023 17:31:31 +0000 +Subject: [PATCH] net: datagram: fix data-races in datagram_poll() +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 5bca1d081f44c9443e61841842ce4e9179d327b6 + +[ Upstream commit 5bca1d081f44c9443e61841842ce4e9179d327b6 ] + +datagram_poll() runs locklessly, we should add READ_ONCE() +annotations while reading sk->sk_err, sk->sk_shutdown and sk->sk_state. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Reviewed-by: Kuniyuki Iwashima +Link: https://lore.kernel.org/r/20230509173131.3263780-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + net/core/datagram.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +diff --git a/net/core/datagram.c b/net/core/datagram.c +index e4ff2db4..8dabb9a7 100644 +--- a/net/core/datagram.c ++++ b/net/core/datagram.c +@@ -799,18 +799,21 @@ __poll_t datagram_poll(struct file *file, struct socket *sock, + { + struct sock *sk = sock->sk; + __poll_t mask; ++ u8 shutdown; + + sock_poll_wait(file, sock, wait); + mask = 0; + + /* exceptional events? */ +- if (sk->sk_err || !skb_queue_empty_lockless(&sk->sk_error_queue)) ++ if (READ_ONCE(sk->sk_err) || ++ !skb_queue_empty_lockless(&sk->sk_error_queue)) + mask |= EPOLLERR | + (sock_flag(sk, SOCK_SELECT_ERR_QUEUE) ? EPOLLPRI : 0); + +- if (sk->sk_shutdown & RCV_SHUTDOWN) ++ shutdown = READ_ONCE(sk->sk_shutdown); ++ if (shutdown & RCV_SHUTDOWN) + mask |= EPOLLRDHUP | EPOLLIN | EPOLLRDNORM; +- if (sk->sk_shutdown == SHUTDOWN_MASK) ++ if (shutdown == SHUTDOWN_MASK) + mask |= EPOLLHUP; + + /* readable? */ +@@ -819,10 +822,12 @@ __poll_t datagram_poll(struct file *file, struct socket *sock, + + /* Connection-based need to check for termination and startup */ + if (connection_based(sk)) { +- if (sk->sk_state == TCP_CLOSE) ++ int state = READ_ONCE(sk->sk_state); ++ ++ if (state == TCP_CLOSE) + mask |= EPOLLHUP; + /* connection hasn't started yet? */ +- if (sk->sk_state == TCP_SYN_SENT) ++ if (state == TCP_SYN_SENT) + return mask; + } + +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-029-af_unix-Fix-a-data-race-of-sk-sk_receive_queue-.patch b/patches.kernel.org/6.3.4-029-af_unix-Fix-a-data-race-of-sk-sk_receive_queue-.patch new file mode 100644 index 0000000..8adf730 --- /dev/null +++ b/patches.kernel.org/6.3.4-029-af_unix-Fix-a-data-race-of-sk-sk_receive_queue-.patch @@ -0,0 +1,85 @@ +From: Kuniyuki Iwashima +Date: Tue, 9 May 2023 17:34:55 -0700 +Subject: [PATCH] af_unix: Fix a data race of sk->sk_receive_queue->qlen. +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 679ed006d416ea0cecfe24a99d365d1dea69c683 + +[ Upstream commit 679ed006d416ea0cecfe24a99d365d1dea69c683 ] + +KCSAN found a data race of sk->sk_receive_queue->qlen where recvmsg() +updates qlen under the queue lock and sendmsg() checks qlen under +unix_state_sock(), not the queue lock, so the reader side needs +READ_ONCE(). + +BUG: KCSAN: data-race in __skb_try_recv_from_queue / unix_wait_for_peer + +write (marked) to 0xffff888019fe7c68 of 4 bytes by task 49792 on cpu 0: + __skb_unlink include/linux/skbuff.h:2347 [inline] + __skb_try_recv_from_queue+0x3de/0x470 net/core/datagram.c:197 + __skb_try_recv_datagram+0xf7/0x390 net/core/datagram.c:263 + __unix_dgram_recvmsg+0x109/0x8a0 net/unix/af_unix.c:2452 + unix_dgram_recvmsg+0x94/0xa0 net/unix/af_unix.c:2549 + sock_recvmsg_nosec net/socket.c:1019 [inline] + ____sys_recvmsg+0x3a3/0x3b0 net/socket.c:2720 + ___sys_recvmsg+0xc8/0x150 net/socket.c:2764 + do_recvmmsg+0x182/0x560 net/socket.c:2858 + __sys_recvmmsg net/socket.c:2937 [inline] + __do_sys_recvmmsg net/socket.c:2960 [inline] + __se_sys_recvmmsg net/socket.c:2953 [inline] + __x64_sys_recvmmsg+0x153/0x170 net/socket.c:2953 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x72/0xdc + +read to 0xffff888019fe7c68 of 4 bytes by task 49793 on cpu 1: + skb_queue_len include/linux/skbuff.h:2127 [inline] + unix_recvq_full net/unix/af_unix.c:229 [inline] + unix_wait_for_peer+0x154/0x1a0 net/unix/af_unix.c:1445 + unix_dgram_sendmsg+0x13bc/0x14b0 net/unix/af_unix.c:2048 + sock_sendmsg_nosec net/socket.c:724 [inline] + sock_sendmsg+0x148/0x160 net/socket.c:747 + ____sys_sendmsg+0x20e/0x620 net/socket.c:2503 + ___sys_sendmsg+0xc6/0x140 net/socket.c:2557 + __sys_sendmmsg+0x11d/0x370 net/socket.c:2643 + __do_sys_sendmmsg net/socket.c:2672 [inline] + __se_sys_sendmmsg net/socket.c:2669 [inline] + __x64_sys_sendmmsg+0x58/0x70 net/socket.c:2669 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x72/0xdc + +value changed: 0x0000000b -> 0x00000001 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 1 PID: 49793 Comm: syz-executor.0 Not tainted 6.3.0-rc7-02330-gca6270c12e20 #2 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: syzbot +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Eric Dumazet +Reviewed-by: Michal Kubiak +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + net/unix/af_unix.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index 0b0f18ec..0a54959e 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -1442,7 +1442,7 @@ static long unix_wait_for_peer(struct sock *other, long timeo) + + sched = !sock_flag(other, SOCK_DEAD) && + !(other->sk_shutdown & RCV_SHUTDOWN) && +- unix_recvq_full(other); ++ unix_recvq_full_lockless(other); + + unix_state_unlock(other); + +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-030-af_unix-Fix-data-races-around-sk-sk_shutdown.patch b/patches.kernel.org/6.3.4-030-af_unix-Fix-data-races-around-sk-sk_shutdown.patch new file mode 100644 index 0000000..120abfa --- /dev/null +++ b/patches.kernel.org/6.3.4-030-af_unix-Fix-data-races-around-sk-sk_shutdown.patch @@ -0,0 +1,154 @@ +From: Kuniyuki Iwashima +Date: Tue, 9 May 2023 17:34:56 -0700 +Subject: [PATCH] af_unix: Fix data races around sk->sk_shutdown. +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: e1d09c2c2f5793474556b60f83900e088d0d366d + +[ Upstream commit e1d09c2c2f5793474556b60f83900e088d0d366d ] + +KCSAN found a data race around sk->sk_shutdown where unix_release_sock() +and unix_shutdown() update it under unix_state_lock(), OTOH unix_poll() +and unix_dgram_poll() read it locklessly. + +We need to annotate the writes and reads with WRITE_ONCE() and READ_ONCE(). + +BUG: KCSAN: data-race in unix_poll / unix_release_sock + +write to 0xffff88800d0f8aec of 1 bytes by task 264 on cpu 0: + unix_release_sock+0x75c/0x910 net/unix/af_unix.c:631 + unix_release+0x59/0x80 net/unix/af_unix.c:1042 + __sock_release+0x7d/0x170 net/socket.c:653 + sock_close+0x19/0x30 net/socket.c:1397 + __fput+0x179/0x5e0 fs/file_table.c:321 + ____fput+0x15/0x20 fs/file_table.c:349 + task_work_run+0x116/0x1a0 kernel/task_work.c:179 + resume_user_mode_work include/linux/resume_user_mode.h:49 [inline] + exit_to_user_mode_loop kernel/entry/common.c:171 [inline] + exit_to_user_mode_prepare+0x174/0x180 kernel/entry/common.c:204 + __syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline] + syscall_exit_to_user_mode+0x1a/0x30 kernel/entry/common.c:297 + do_syscall_64+0x4b/0x90 arch/x86/entry/common.c:86 + entry_SYSCALL_64_after_hwframe+0x72/0xdc + +read to 0xffff88800d0f8aec of 1 bytes by task 222 on cpu 1: + unix_poll+0xa3/0x2a0 net/unix/af_unix.c:3170 + sock_poll+0xcf/0x2b0 net/socket.c:1385 + vfs_poll include/linux/poll.h:88 [inline] + ep_item_poll.isra.0+0x78/0xc0 fs/eventpoll.c:855 + ep_send_events fs/eventpoll.c:1694 [inline] + ep_poll fs/eventpoll.c:1823 [inline] + do_epoll_wait+0x6c4/0xea0 fs/eventpoll.c:2258 + __do_sys_epoll_wait fs/eventpoll.c:2270 [inline] + __se_sys_epoll_wait fs/eventpoll.c:2265 [inline] + __x64_sys_epoll_wait+0xcc/0x190 fs/eventpoll.c:2265 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x72/0xdc + +value changed: 0x00 -> 0x03 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 1 PID: 222 Comm: dbus-broker Not tainted 6.3.0-rc7-02330-gca6270c12e20 #2 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 + +Fixes: 3c73419c09a5 ("af_unix: fix 'poll for write'/ connected DGRAM sockets") +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: syzbot +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Eric Dumazet +Reviewed-by: Michal Kubiak +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + net/unix/af_unix.c | 20 ++++++++++++-------- + 1 file changed, 12 insertions(+), 8 deletions(-) + +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index 0a54959e..29c6083a 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -603,7 +603,7 @@ static void unix_release_sock(struct sock *sk, int embrion) + /* Clear state */ + unix_state_lock(sk); + sock_orphan(sk); +- sk->sk_shutdown = SHUTDOWN_MASK; ++ WRITE_ONCE(sk->sk_shutdown, SHUTDOWN_MASK); + path = u->path; + u->path.dentry = NULL; + u->path.mnt = NULL; +@@ -628,7 +628,7 @@ static void unix_release_sock(struct sock *sk, int embrion) + if (sk->sk_type == SOCK_STREAM || sk->sk_type == SOCK_SEQPACKET) { + unix_state_lock(skpair); + /* No more writes */ +- skpair->sk_shutdown = SHUTDOWN_MASK; ++ WRITE_ONCE(skpair->sk_shutdown, SHUTDOWN_MASK); + if (!skb_queue_empty(&sk->sk_receive_queue) || embrion) + skpair->sk_err = ECONNRESET; + unix_state_unlock(skpair); +@@ -3008,7 +3008,7 @@ static int unix_shutdown(struct socket *sock, int mode) + ++mode; + + unix_state_lock(sk); +- sk->sk_shutdown |= mode; ++ WRITE_ONCE(sk->sk_shutdown, sk->sk_shutdown | mode); + other = unix_peer(sk); + if (other) + sock_hold(other); +@@ -3028,7 +3028,7 @@ static int unix_shutdown(struct socket *sock, int mode) + if (mode&SEND_SHUTDOWN) + peer_mode |= RCV_SHUTDOWN; + unix_state_lock(other); +- other->sk_shutdown |= peer_mode; ++ WRITE_ONCE(other->sk_shutdown, other->sk_shutdown | peer_mode); + unix_state_unlock(other); + other->sk_state_change(other); + if (peer_mode == SHUTDOWN_MASK) +@@ -3160,16 +3160,18 @@ static __poll_t unix_poll(struct file *file, struct socket *sock, poll_table *wa + { + struct sock *sk = sock->sk; + __poll_t mask; ++ u8 shutdown; + + sock_poll_wait(file, sock, wait); + mask = 0; ++ shutdown = READ_ONCE(sk->sk_shutdown); + + /* exceptional events? */ + if (sk->sk_err) + mask |= EPOLLERR; +- if (sk->sk_shutdown == SHUTDOWN_MASK) ++ if (shutdown == SHUTDOWN_MASK) + mask |= EPOLLHUP; +- if (sk->sk_shutdown & RCV_SHUTDOWN) ++ if (shutdown & RCV_SHUTDOWN) + mask |= EPOLLRDHUP | EPOLLIN | EPOLLRDNORM; + + /* readable? */ +@@ -3203,18 +3205,20 @@ static __poll_t unix_dgram_poll(struct file *file, struct socket *sock, + struct sock *sk = sock->sk, *other; + unsigned int writable; + __poll_t mask; ++ u8 shutdown; + + sock_poll_wait(file, sock, wait); + mask = 0; ++ shutdown = READ_ONCE(sk->sk_shutdown); + + /* exceptional events? */ + if (sk->sk_err || !skb_queue_empty_lockless(&sk->sk_error_queue)) + mask |= EPOLLERR | + (sock_flag(sk, SOCK_SELECT_ERR_QUEUE) ? EPOLLPRI : 0); + +- if (sk->sk_shutdown & RCV_SHUTDOWN) ++ if (shutdown & RCV_SHUTDOWN) + mask |= EPOLLRDHUP | EPOLLIN | EPOLLRDNORM; +- if (sk->sk_shutdown == SHUTDOWN_MASK) ++ if (shutdown == SHUTDOWN_MASK) + mask |= EPOLLHUP; + + /* readable? */ +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-031-drm-i915-guc-Don-t-capture-Gen8-regs-on-Xe-devi.patch b/patches.kernel.org/6.3.4-031-drm-i915-guc-Don-t-capture-Gen8-regs-on-Xe-devi.patch new file mode 100644 index 0000000..e45d75c --- /dev/null +++ b/patches.kernel.org/6.3.4-031-drm-i915-guc-Don-t-capture-Gen8-regs-on-Xe-devi.patch @@ -0,0 +1,65 @@ +From: John Harrison +Date: Fri, 28 Apr 2023 11:56:33 -0700 +Subject: [PATCH] drm/i915/guc: Don't capture Gen8 regs on Xe devices +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 275dac1f7f5e9c2a2e806b34d3b10804eec0ac3c + +[ Upstream commit 275dac1f7f5e9c2a2e806b34d3b10804eec0ac3c ] + +A pair of pre-Xe registers were being included in the Xe capture list. +GuC was rejecting those as being invalid and logging errors about +them. So, stop doing it. + +Signed-off-by: John Harrison +Reviewed-by: Alan Previn +Fixes: dce2bd542337 ("drm/i915/guc: Add Gen9 registers for GuC error state capture.") +Cc: Alan Previn +Cc: Umesh Nerlige Ramappa +Cc: Lucas De Marchi +Cc: John Harrison +Cc: Jani Nikula +Cc: Matt Roper +Cc: Balasubramani Vivekanandan +Cc: Daniele Ceraolo Spurio +Link: https://patchwork.freedesktop.org/patch/msgid/20230428185636.457407-2-John.C.Harrison@Intel.com +(cherry picked from commit b049132d61336f643d8faf2f6574b063667088cf) +Signed-off-by: Joonas Lahtinen +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/gpu/drm/i915/gt/uc/intel_guc_capture.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/i915/gt/uc/intel_guc_capture.c b/drivers/gpu/drm/i915/gt/uc/intel_guc_capture.c +index 710999d7..8c08899a 100644 +--- a/drivers/gpu/drm/i915/gt/uc/intel_guc_capture.c ++++ b/drivers/gpu/drm/i915/gt/uc/intel_guc_capture.c +@@ -30,12 +30,14 @@ + { FORCEWAKE_MT, 0, 0, "FORCEWAKE" } + + #define COMMON_GEN9BASE_GLOBAL \ +- { GEN8_FAULT_TLB_DATA0, 0, 0, "GEN8_FAULT_TLB_DATA0" }, \ +- { GEN8_FAULT_TLB_DATA1, 0, 0, "GEN8_FAULT_TLB_DATA1" }, \ + { ERROR_GEN6, 0, 0, "ERROR_GEN6" }, \ + { DONE_REG, 0, 0, "DONE_REG" }, \ + { HSW_GTT_CACHE_EN, 0, 0, "HSW_GTT_CACHE_EN" } + ++#define GEN9_GLOBAL \ ++ { GEN8_FAULT_TLB_DATA0, 0, 0, "GEN8_FAULT_TLB_DATA0" }, \ ++ { GEN8_FAULT_TLB_DATA1, 0, 0, "GEN8_FAULT_TLB_DATA1" } ++ + #define COMMON_GEN12BASE_GLOBAL \ + { GEN12_FAULT_TLB_DATA0, 0, 0, "GEN12_FAULT_TLB_DATA0" }, \ + { GEN12_FAULT_TLB_DATA1, 0, 0, "GEN12_FAULT_TLB_DATA1" }, \ +@@ -141,6 +143,7 @@ static const struct __guc_mmio_reg_descr xe_lpd_gsc_inst_regs[] = { + static const struct __guc_mmio_reg_descr default_global_regs[] = { + COMMON_BASE_GLOBAL, + COMMON_GEN9BASE_GLOBAL, ++ GEN9_GLOBAL, + }; + + static const struct __guc_mmio_reg_descr default_rc_class_regs[] = { +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-032-drm-i915-Fix-NULL-ptr-deref-by-checking-new_crt.patch b/patches.kernel.org/6.3.4-032-drm-i915-Fix-NULL-ptr-deref-by-checking-new_crt.patch new file mode 100644 index 0000000..29c015c --- /dev/null +++ b/patches.kernel.org/6.3.4-032-drm-i915-Fix-NULL-ptr-deref-by-checking-new_crt.patch @@ -0,0 +1,53 @@ +From: Stanislav Lisovskiy +Date: Fri, 5 May 2023 11:22:12 +0300 +Subject: [PATCH] drm/i915: Fix NULL ptr deref by checking new_crtc_state +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: a41d985902c153c31c616fe183cf2ee331e95ecb + +[ Upstream commit a41d985902c153c31c616fe183cf2ee331e95ecb ] + +intel_atomic_get_new_crtc_state can return NULL, unless crtc state wasn't +obtained previously with intel_atomic_get_crtc_state, so we must check it +for NULLness here, just as in many other places, where we can't guarantee +that intel_atomic_get_crtc_state was called. +We are currently getting NULL ptr deref because of that, so this fix was +confirmed to help. + +Fixes: 74a75dc90869 ("drm/i915/display: move plane prepare/cleanup to intel_atomic_plane.c") +Signed-off-by: Stanislav Lisovskiy +Reviewed-by: Andrzej Hajda +Link: https://patchwork.freedesktop.org/patch/msgid/20230505082212.27089-1-stanislav.lisovskiy@intel.com +(cherry picked from commit 1d5b09f8daf859247a1ea65b0d732a24d88980d8) +Signed-off-by: Joonas Lahtinen +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/gpu/drm/i915/display/intel_atomic_plane.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/i915/display/intel_atomic_plane.c b/drivers/gpu/drm/i915/display/intel_atomic_plane.c +index 1409bcfb..9afba396 100644 +--- a/drivers/gpu/drm/i915/display/intel_atomic_plane.c ++++ b/drivers/gpu/drm/i915/display/intel_atomic_plane.c +@@ -1026,7 +1026,7 @@ intel_prepare_plane_fb(struct drm_plane *_plane, + int ret; + + if (old_obj) { +- const struct intel_crtc_state *crtc_state = ++ const struct intel_crtc_state *new_crtc_state = + intel_atomic_get_new_crtc_state(state, + to_intel_crtc(old_plane_state->hw.crtc)); + +@@ -1041,7 +1041,7 @@ intel_prepare_plane_fb(struct drm_plane *_plane, + * This should only fail upon a hung GPU, in which case we + * can safely continue. + */ +- if (intel_crtc_needs_modeset(crtc_state)) { ++ if (new_crtc_state && intel_crtc_needs_modeset(new_crtc_state)) { + ret = i915_sw_fence_await_reservation(&state->commit_ready, + old_obj->base.resv, + false, 0, +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-033-drm-i915-dp-prevent-potential-div-by-zero.patch b/patches.kernel.org/6.3.4-033-drm-i915-dp-prevent-potential-div-by-zero.patch new file mode 100644 index 0000000..f97717b --- /dev/null +++ b/patches.kernel.org/6.3.4-033-drm-i915-dp-prevent-potential-div-by-zero.patch @@ -0,0 +1,51 @@ +From: Nikita Zhandarovich +Date: Tue, 18 Apr 2023 07:04:30 -0700 +Subject: [PATCH] drm/i915/dp: prevent potential div-by-zero +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 0ff80028e2702c7c3d78b69705dc47c1ccba8c39 + +[ Upstream commit 0ff80028e2702c7c3d78b69705dc47c1ccba8c39 ] + +drm_dp_dsc_sink_max_slice_count() may return 0 if something goes +wrong on the part of the DSC sink and its DPCD register. This null +value may be later used as a divisor in intel_dsc_compute_params(), +which will lead to an error. +In the unlikely event that this issue occurs, fix it by testing the +return value of drm_dp_dsc_sink_max_slice_count() against zero. + +Found by Linux Verification Center (linuxtesting.org) with static +analysis tool SVACE. + +Fixes: a4a157777c80 ("drm/i915/dp: Compute DSC pipe config in atomic check") +Signed-off-by: Nikita Zhandarovich +Reviewed-by: Rodrigo Vivi +Signed-off-by: Rodrigo Vivi +Link: https://patchwork.freedesktop.org/patch/msgid/20230418140430.69902-1-n.zhandarovich@fintech.ru +(cherry picked from commit 51f7008239de011370c5067bbba07f0207f06b72) +Signed-off-by: Joonas Lahtinen +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/gpu/drm/i915/display/intel_dp.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/gpu/drm/i915/display/intel_dp.c b/drivers/gpu/drm/i915/display/intel_dp.c +index 62cbab74..c1825f8f 100644 +--- a/drivers/gpu/drm/i915/display/intel_dp.c ++++ b/drivers/gpu/drm/i915/display/intel_dp.c +@@ -1533,6 +1533,11 @@ int intel_dp_dsc_compute_config(struct intel_dp *intel_dp, + pipe_config->dsc.slice_count = + drm_dp_dsc_sink_max_slice_count(intel_dp->dsc_dpcd, + true); ++ if (!pipe_config->dsc.slice_count) { ++ drm_dbg_kms(&dev_priv->drm, "Unsupported Slice Count %d\n", ++ pipe_config->dsc.slice_count); ++ return -EINVAL; ++ } + } else { + u16 dsc_max_output_bpp = 0; + u8 dsc_dp_slice_count; +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-034-drm-i915-taint-kernel-when-force-probing-unsupp.patch b/patches.kernel.org/6.3.4-034-drm-i915-taint-kernel-when-force-probing-unsupp.patch new file mode 100644 index 0000000..1e05863 --- /dev/null +++ b/patches.kernel.org/6.3.4-034-drm-i915-taint-kernel-when-force-probing-unsupp.patch @@ -0,0 +1,90 @@ +From: Jani Nikula +Date: Thu, 4 May 2023 13:35:08 +0300 +Subject: [PATCH] drm/i915: taint kernel when force probing unsupported devices +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 79c901c93562bdf1c84ce6c1b744fbbe4389a6eb + +[ Upstream commit 79c901c93562bdf1c84ce6c1b744fbbe4389a6eb ] + +For development and testing purposes, the i915.force_probe module +parameter and DRM_I915_FORCE_PROBE kconfig option allow probing of +devices that aren't supported by the driver. + +The i915.force_probe module parameter is "unsafe" and setting it taints +the kernel. However, using the kconfig option does not. + +Always taint the kernel when force probing a device that is not +supported. + +v2: Drop "depends on EXPERT" to avoid build breakage (kernel test robot) + +Fixes: 7ef5ef5cdead ("drm/i915: add force_probe module parameter to replace alpha_support") +Cc: Joonas Lahtinen +Cc: Rodrigo Vivi +Cc: Tvrtko Ursulin +Cc: Daniel Vetter +Cc: Dave Airlie +Acked-by: Daniel Vetter +Reviewed-by: Rodrigo Vivi +Signed-off-by: Jani Nikula +Link: https://patchwork.freedesktop.org/patch/msgid/20230504103508.1818540-1-jani.nikula@intel.com +(cherry picked from commit 3312bb4ad09ca6423bd4a5b15a94588a8962fb8e) +Signed-off-by: Joonas Lahtinen +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/gpu/drm/i915/Kconfig | 12 +++++++----- + drivers/gpu/drm/i915/i915_pci.c | 6 ++++++ + 2 files changed, 13 insertions(+), 5 deletions(-) + +diff --git a/drivers/gpu/drm/i915/Kconfig b/drivers/gpu/drm/i915/Kconfig +index 98f4e449..9c9bb0a0 100644 +--- a/drivers/gpu/drm/i915/Kconfig ++++ b/drivers/gpu/drm/i915/Kconfig +@@ -62,10 +62,11 @@ config DRM_I915_FORCE_PROBE + This is the default value for the i915.force_probe module + parameter. Using the module parameter overrides this option. + +- Force probe the i915 for Intel graphics devices that are +- recognized but not properly supported by this kernel version. It is +- recommended to upgrade to a kernel version with proper support as soon +- as it is available. ++ Force probe the i915 driver for Intel graphics devices that are ++ recognized but not properly supported by this kernel version. Force ++ probing an unsupported device taints the kernel. It is recommended to ++ upgrade to a kernel version with proper support as soon as it is ++ available. + + It can also be used to block the probe of recognized and fully + supported devices. +@@ -75,7 +76,8 @@ config DRM_I915_FORCE_PROBE + Use "[,,...]" to force probe the i915 for listed + devices. For example, "4500" or "4500,4571". + +- Use "*" to force probe the driver for all known devices. ++ Use "*" to force probe the driver for all known devices. Not ++ recommended. + + Use "!" right before the ID to block the probe of the device. For + example, "4500,!4571" forces the probe of 4500 and blocks the probe of +diff --git a/drivers/gpu/drm/i915/i915_pci.c b/drivers/gpu/drm/i915/i915_pci.c +index 125f7ef1..2b5aaea4 100644 +--- a/drivers/gpu/drm/i915/i915_pci.c ++++ b/drivers/gpu/drm/i915/i915_pci.c +@@ -1346,6 +1346,12 @@ static int i915_pci_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + return -ENODEV; + } + ++ if (intel_info->require_force_probe) { ++ dev_info(&pdev->dev, "Force probing unsupported Device ID %04x, tainting kernel\n", ++ pdev->device); ++ add_taint(TAINT_USER, LOCKDEP_STILL_OK); ++ } ++ + /* Only bind to function 0 of the device. Early generations + * used function 1 as a placeholder for multi-head. This causes + * us confusion instead, especially on the systems where both +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-035-fbdev-arcfb-Fix-error-handling-in-arcfb_probe.patch b/patches.kernel.org/6.3.4-035-fbdev-arcfb-Fix-error-handling-in-arcfb_probe.patch new file mode 100644 index 0000000..d84fde9 --- /dev/null +++ b/patches.kernel.org/6.3.4-035-fbdev-arcfb-Fix-error-handling-in-arcfb_probe.patch @@ -0,0 +1,82 @@ +From: Zongjie Li +Date: Tue, 9 May 2023 19:27:26 +0800 +Subject: [PATCH] fbdev: arcfb: Fix error handling in arcfb_probe() +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 5a6bef734247c7a8c19511664ff77634ab86f45b + +[ Upstream commit 5a6bef734247c7a8c19511664ff77634ab86f45b ] + +Smatch complains that: +arcfb_probe() warn: 'irq' from request_irq() not released on lines: 587. + +Fix error handling in the arcfb_probe() function. If IO addresses are +not provided or framebuffer registration fails, the code will jump to +the err_addr or err_register_fb label to release resources. +If IRQ request fails, previously allocated resources will be freed. + +Fixes: 1154ea7dcd8e ("[PATCH] Framebuffer driver for Arc LCD board") +Signed-off-by: Zongjie Li +Reviewed-by: Dongliang Mu +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/video/fbdev/arcfb.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +diff --git a/drivers/video/fbdev/arcfb.c b/drivers/video/fbdev/arcfb.c +index 45e64016..024d0ee4 100644 +--- a/drivers/video/fbdev/arcfb.c ++++ b/drivers/video/fbdev/arcfb.c +@@ -523,7 +523,7 @@ static int arcfb_probe(struct platform_device *dev) + + info = framebuffer_alloc(sizeof(struct arcfb_par), &dev->dev); + if (!info) +- goto err; ++ goto err_fb_alloc; + + info->screen_base = (char __iomem *)videomemory; + info->fbops = &arcfb_ops; +@@ -535,7 +535,7 @@ static int arcfb_probe(struct platform_device *dev) + + if (!dio_addr || !cio_addr || !c2io_addr) { + printk(KERN_WARNING "no IO addresses supplied\n"); +- goto err1; ++ goto err_addr; + } + par->dio_addr = dio_addr; + par->cio_addr = cio_addr; +@@ -551,12 +551,12 @@ static int arcfb_probe(struct platform_device *dev) + printk(KERN_INFO + "arcfb: Failed req IRQ %d\n", par->irq); + retval = -EBUSY; +- goto err1; ++ goto err_addr; + } + } + retval = register_framebuffer(info); + if (retval < 0) +- goto err1; ++ goto err_register_fb; + platform_set_drvdata(dev, info); + fb_info(info, "Arc frame buffer device, using %dK of video memory\n", + videomemorysize >> 10); +@@ -580,9 +580,12 @@ static int arcfb_probe(struct platform_device *dev) + } + + return 0; +-err1: ++ ++err_register_fb: ++ free_irq(par->irq, info); ++err_addr: + framebuffer_release(info); +-err: ++err_fb_alloc: + vfree(videomemory); + return retval; + } +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-036-ext4-reflect-error-codes-from-ext4_multi_mount_.patch b/patches.kernel.org/6.3.4-036-ext4-reflect-error-codes-from-ext4_multi_mount_.patch new file mode 100644 index 0000000..5682313 --- /dev/null +++ b/patches.kernel.org/6.3.4-036-ext4-reflect-error-codes-from-ext4_multi_mount_.patch @@ -0,0 +1,129 @@ +From: Theodore Ts'o +Date: Thu, 27 Apr 2023 22:49:34 -0400 +Subject: [PATCH] ext4: reflect error codes from ext4_multi_mount_protect() to + its callers +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 3b50d5018ed06a647bb26c44bb5ae74e59c903c7 + +[ Upstream commit 3b50d5018ed06a647bb26c44bb5ae74e59c903c7 ] + +This will allow more fine-grained errno codes to be returned by the +mount system call. + +Cc: Andreas Dilger +Signed-off-by: Theodore Ts'o +Stable-dep-of: a44be64bbecb ("ext4: don't clear SB_RDONLY when remounting r/w until quota is re-enabled") +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + fs/ext4/mmp.c | 9 ++++++++- + fs/ext4/super.c | 16 +++++++++------- + 2 files changed, 17 insertions(+), 8 deletions(-) + +diff --git a/fs/ext4/mmp.c b/fs/ext4/mmp.c +index 46735ce3..0aaf38ff 100644 +--- a/fs/ext4/mmp.c ++++ b/fs/ext4/mmp.c +@@ -290,6 +290,7 @@ int ext4_multi_mount_protect(struct super_block *sb, + if (mmp_block < le32_to_cpu(es->s_first_data_block) || + mmp_block >= ext4_blocks_count(es)) { + ext4_warning(sb, "Invalid MMP block in superblock"); ++ retval = -EINVAL; + goto failed; + } + +@@ -315,6 +316,7 @@ int ext4_multi_mount_protect(struct super_block *sb, + + if (seq == EXT4_MMP_SEQ_FSCK) { + dump_mmp_msg(sb, mmp, "fsck is running on the filesystem"); ++ retval = -EBUSY; + goto failed; + } + +@@ -328,6 +330,7 @@ int ext4_multi_mount_protect(struct super_block *sb, + + if (schedule_timeout_interruptible(HZ * wait_time) != 0) { + ext4_warning(sb, "MMP startup interrupted, failing mount\n"); ++ retval = -ETIMEDOUT; + goto failed; + } + +@@ -338,6 +341,7 @@ int ext4_multi_mount_protect(struct super_block *sb, + if (seq != le32_to_cpu(mmp->mmp_seq)) { + dump_mmp_msg(sb, mmp, + "Device is already active on another node."); ++ retval = -EBUSY; + goto failed; + } + +@@ -361,6 +365,7 @@ int ext4_multi_mount_protect(struct super_block *sb, + */ + if (schedule_timeout_interruptible(HZ * wait_time) != 0) { + ext4_warning(sb, "MMP startup interrupted, failing mount"); ++ retval = -ETIMEDOUT; + goto failed; + } + +@@ -371,6 +376,7 @@ int ext4_multi_mount_protect(struct super_block *sb, + if (seq != le32_to_cpu(mmp->mmp_seq)) { + dump_mmp_msg(sb, mmp, + "Device is already active on another node."); ++ retval = -EBUSY; + goto failed; + } + +@@ -390,6 +396,7 @@ int ext4_multi_mount_protect(struct super_block *sb, + EXT4_SB(sb)->s_mmp_tsk = NULL; + ext4_warning(sb, "Unable to create kmmpd thread for %s.", + sb->s_id); ++ retval = -ENOMEM; + goto failed; + } + +@@ -397,5 +404,5 @@ int ext4_multi_mount_protect(struct super_block *sb, + + failed: + brelse(bh); +- return 1; ++ return retval; + } +diff --git a/fs/ext4/super.c b/fs/ext4/super.c +index d6ac61f4..7b360893 100644 +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -5264,9 +5264,11 @@ static int __ext4_fill_super(struct fs_context *fc, struct super_block *sb) + ext4_has_feature_orphan_present(sb) || + ext4_has_feature_journal_needs_recovery(sb)); + +- if (ext4_has_feature_mmp(sb) && !sb_rdonly(sb)) +- if (ext4_multi_mount_protect(sb, le64_to_cpu(es->s_mmp_block))) ++ if (ext4_has_feature_mmp(sb) && !sb_rdonly(sb)) { ++ err = ext4_multi_mount_protect(sb, le64_to_cpu(es->s_mmp_block)); ++ if (err) + goto failed_mount3a; ++ } + + /* + * The first inode we look at is the journal inode. Don't try +@@ -6537,12 +6539,12 @@ static int __ext4_remount(struct fs_context *fc, struct super_block *sb) + goto restore_opts; + + sb->s_flags &= ~SB_RDONLY; +- if (ext4_has_feature_mmp(sb)) +- if (ext4_multi_mount_protect(sb, +- le64_to_cpu(es->s_mmp_block))) { +- err = -EROFS; ++ if (ext4_has_feature_mmp(sb)) { ++ err = ext4_multi_mount_protect(sb, ++ le64_to_cpu(es->s_mmp_block)); ++ if (err) + goto restore_opts; +- } ++ } + #ifdef CONFIG_QUOTA + enable_quota = 1; + #endif +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-037-ext4-don-t-clear-SB_RDONLY-when-remounting-r-w-.patch b/patches.kernel.org/6.3.4-037-ext4-don-t-clear-SB_RDONLY-when-remounting-r-w-.patch new file mode 100644 index 0000000..c78178c --- /dev/null +++ b/patches.kernel.org/6.3.4-037-ext4-don-t-clear-SB_RDONLY-when-remounting-r-w-.patch @@ -0,0 +1,78 @@ +From: Theodore Ts'o +Date: Fri, 5 May 2023 21:02:30 -0400 +Subject: [PATCH] ext4: don't clear SB_RDONLY when remounting r/w until quota + is re-enabled +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: a44be64bbecb15a452496f60db6eacfee2b59c79 + +[ Upstream commit a44be64bbecb15a452496f60db6eacfee2b59c79 ] + +When a file system currently mounted read/only is remounted +read/write, if we clear the SB_RDONLY flag too early, before the quota +is initialized, and there is another process/thread constantly +attempting to create a directory, it's possible to trigger the + + WARN_ON_ONCE(dquot_initialize_needed(inode)); + +in ext4_xattr_block_set(), with the following stack trace: + + WARNING: CPU: 0 PID: 5338 at fs/ext4/xattr.c:2141 ext4_xattr_block_set+0x2ef2/0x3680 + RIP: 0010:ext4_xattr_block_set+0x2ef2/0x3680 fs/ext4/xattr.c:2141 + Call Trace: + ext4_xattr_set_handle+0xcd4/0x15c0 fs/ext4/xattr.c:2458 + ext4_initxattrs+0xa3/0x110 fs/ext4/xattr_security.c:44 + security_inode_init_security+0x2df/0x3f0 security/security.c:1147 + __ext4_new_inode+0x347e/0x43d0 fs/ext4/ialloc.c:1324 + ext4_mkdir+0x425/0xce0 fs/ext4/namei.c:2992 + vfs_mkdir+0x29d/0x450 fs/namei.c:4038 + do_mkdirat+0x264/0x520 fs/namei.c:4061 + __do_sys_mkdirat fs/namei.c:4076 [inline] + __se_sys_mkdirat fs/namei.c:4074 [inline] + __x64_sys_mkdirat+0x89/0xa0 fs/namei.c:4074 + +Cc: stable@kernel.org +Link: https://lore.kernel.org/r/20230506142419.984260-1-tytso@mit.edu +Reported-by: syzbot+6385d7d3065524c5ca6d@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?id=6513f6cb5cd6b5fc9f37e3bb70d273b94be9c34c +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + fs/ext4/super.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/fs/ext4/super.c b/fs/ext4/super.c +index 7b360893..7c45ab1d 100644 +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -6352,6 +6352,7 @@ static int __ext4_remount(struct fs_context *fc, struct super_block *sb) + struct ext4_mount_options old_opts; + ext4_group_t g; + int err = 0; ++ int enable_rw = 0; + #ifdef CONFIG_QUOTA + int enable_quota = 0; + int i, j; +@@ -6538,7 +6539,7 @@ static int __ext4_remount(struct fs_context *fc, struct super_block *sb) + if (err) + goto restore_opts; + +- sb->s_flags &= ~SB_RDONLY; ++ enable_rw = 1; + if (ext4_has_feature_mmp(sb)) { + err = ext4_multi_mount_protect(sb, + le64_to_cpu(es->s_mmp_block)); +@@ -6597,6 +6598,9 @@ static int __ext4_remount(struct fs_context *fc, struct super_block *sb) + if (!test_opt(sb, BLOCK_VALIDITY) && sbi->s_system_blks) + ext4_release_system_zone(sb); + ++ if (enable_rw) ++ sb->s_flags &= ~SB_RDONLY; ++ + if (!ext4_has_feature_mmp(sb) || sb_rdonly(sb)) + ext4_stop_mmpd(sbi); + +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-038-ext4-allow-to-find-by-goal-if-EXT4_MB_HINT_GOAL.patch b/patches.kernel.org/6.3.4-038-ext4-allow-to-find-by-goal-if-EXT4_MB_HINT_GOAL.patch new file mode 100644 index 0000000..6290521 --- /dev/null +++ b/patches.kernel.org/6.3.4-038-ext4-allow-to-find-by-goal-if-EXT4_MB_HINT_GOAL.patch @@ -0,0 +1,44 @@ +From: Kemeng Shi +Date: Sat, 4 Mar 2023 01:21:02 +0800 +Subject: [PATCH] ext4: allow to find by goal if EXT4_MB_HINT_GOAL_ONLY is set +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 01e4ca29451760b9ac10b4cdc231c52150842643 + +[ Upstream commit 01e4ca29451760b9ac10b4cdc231c52150842643 ] + +If EXT4_MB_HINT_GOAL_ONLY is set, ext4_mb_regular_allocator will only +allocate blocks from ext4_mb_find_by_goal. Allow to find by goal in +ext4_mb_find_by_goal if EXT4_MB_HINT_GOAL_ONLY is set or allocation +with EXT4_MB_HINT_GOAL_ONLY set will always fail. + +EXT4_MB_HINT_GOAL_ONLY is not used at all, so the problem is not +found for now. + +Signed-off-by: Kemeng Shi +Reviewed-by: Ojaswin Mujoo +Link: https://lore.kernel.org/r/20230303172120.3800725-3-shikemeng@huaweicloud.com +Signed-off-by: Theodore Ts'o +Stable-dep-of: 5354b2af3406 ("ext4: allow ext4_get_group_info() to fail") +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + fs/ext4/mballoc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c +index 5639a4cf..343cb38e 100644 +--- a/fs/ext4/mballoc.c ++++ b/fs/ext4/mballoc.c +@@ -2162,7 +2162,7 @@ int ext4_mb_find_by_goal(struct ext4_allocation_context *ac, + struct ext4_group_info *grp = ext4_get_group_info(ac->ac_sb, group); + struct ext4_free_extent ex; + +- if (!(ac->ac_flags & EXT4_MB_HINT_TRY_GOAL)) ++ if (!(ac->ac_flags & (EXT4_MB_HINT_TRY_GOAL | EXT4_MB_HINT_GOAL_ONLY))) + return 0; + if (grp->bb_free == 0) + return 0; +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-039-ext4-allow-ext4_get_group_info-to-fail.patch b/patches.kernel.org/6.3.4-039-ext4-allow-ext4_get_group_info-to-fail.patch new file mode 100644 index 0000000..553e80c --- /dev/null +++ b/patches.kernel.org/6.3.4-039-ext4-allow-ext4_get_group_info-to-fail.patch @@ -0,0 +1,427 @@ +From: Theodore Ts'o +Date: Sat, 29 Apr 2023 00:06:28 -0400 +Subject: [PATCH] ext4: allow ext4_get_group_info() to fail +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 5354b2af34064a4579be8bc0e2f15a7b70f14b5f + +[ Upstream commit 5354b2af34064a4579be8bc0e2f15a7b70f14b5f ] + +Previously, ext4_get_group_info() would treat an invalid group number +as BUG(), since in theory it should never happen. However, if a +malicious attaker (or fuzzer) modifies the superblock via the block +device while it is the file system is mounted, it is possible for +s_first_data_block to get set to a very large number. In that case, +when calculating the block group of some block number (such as the +starting block of a preallocation region), could result in an +underflow and very large block group number. Then the BUG_ON check in +ext4_get_group_info() would fire, resutling in a denial of service +attack that can be triggered by root or someone with write access to +the block device. + +For a quality of implementation perspective, it's best that even if +the system administrator does something that they shouldn't, that it +will not trigger a BUG. So instead of BUG'ing, ext4_get_group_info() +will call ext4_error and return NULL. We also add fallback code in +all of the callers of ext4_get_group_info() that it might NULL. + +Also, since ext4_get_group_info() was already borderline to be an +inline function, un-inline it. The results in a next reduction of the +compiled text size of ext4 by roughly 2k. + +Cc: stable@kernel.org +Link: https://lore.kernel.org/r/20230430154311.579720-2-tytso@mit.edu +Reported-by: syzbot+e2efa3efc15a1c9e95c3@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?id=69b28112e098b070f639efb356393af3ffec4220 +Signed-off-by: Theodore Ts'o +Reviewed-by: Jan Kara +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + fs/ext4/balloc.c | 18 ++++++++++++- + fs/ext4/ext4.h | 15 ++--------- + fs/ext4/ialloc.c | 12 ++++++--- + fs/ext4/mballoc.c | 64 +++++++++++++++++++++++++++++++++++++++-------- + fs/ext4/super.c | 2 ++ + 5 files changed, 82 insertions(+), 29 deletions(-) + +diff --git a/fs/ext4/balloc.c b/fs/ext4/balloc.c +index f2c415f3..a38aa33a 100644 +--- a/fs/ext4/balloc.c ++++ b/fs/ext4/balloc.c +@@ -319,6 +319,22 @@ static ext4_fsblk_t ext4_valid_block_bitmap_padding(struct super_block *sb, + return (next_zero_bit < bitmap_size ? next_zero_bit : 0); + } + ++struct ext4_group_info *ext4_get_group_info(struct super_block *sb, ++ ext4_group_t group) ++{ ++ struct ext4_group_info **grp_info; ++ long indexv, indexh; ++ ++ if (unlikely(group >= EXT4_SB(sb)->s_groups_count)) { ++ ext4_error(sb, "invalid group %u", group); ++ return NULL; ++ } ++ indexv = group >> (EXT4_DESC_PER_BLOCK_BITS(sb)); ++ indexh = group & ((EXT4_DESC_PER_BLOCK(sb)) - 1); ++ grp_info = sbi_array_rcu_deref(EXT4_SB(sb), s_group_info, indexv); ++ return grp_info[indexh]; ++} ++ + /* + * Return the block number which was discovered to be invalid, or 0 if + * the block bitmap is valid. +@@ -393,7 +409,7 @@ static int ext4_validate_block_bitmap(struct super_block *sb, + + if (buffer_verified(bh)) + return 0; +- if (EXT4_MB_GRP_BBITMAP_CORRUPT(grp)) ++ if (!grp || EXT4_MB_GRP_BBITMAP_CORRUPT(grp)) + return -EFSCORRUPTED; + + ext4_lock_group(sb, block_group); +diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h +index df0255b7..68228bd6 100644 +--- a/fs/ext4/ext4.h ++++ b/fs/ext4/ext4.h +@@ -2740,6 +2740,8 @@ extern void ext4_check_blocks_bitmap(struct super_block *); + extern struct ext4_group_desc * ext4_get_group_desc(struct super_block * sb, + ext4_group_t block_group, + struct buffer_head ** bh); ++extern struct ext4_group_info *ext4_get_group_info(struct super_block *sb, ++ ext4_group_t group); + extern int ext4_should_retry_alloc(struct super_block *sb, int *retries); + + extern struct buffer_head *ext4_read_block_bitmap_nowait(struct super_block *sb, +@@ -3347,19 +3349,6 @@ static inline void ext4_isize_set(struct ext4_inode *raw_inode, loff_t i_size) + raw_inode->i_size_high = cpu_to_le32(i_size >> 32); + } + +-static inline +-struct ext4_group_info *ext4_get_group_info(struct super_block *sb, +- ext4_group_t group) +-{ +- struct ext4_group_info **grp_info; +- long indexv, indexh; +- BUG_ON(group >= EXT4_SB(sb)->s_groups_count); +- indexv = group >> (EXT4_DESC_PER_BLOCK_BITS(sb)); +- indexh = group & ((EXT4_DESC_PER_BLOCK(sb)) - 1); +- grp_info = sbi_array_rcu_deref(EXT4_SB(sb), s_group_info, indexv); +- return grp_info[indexh]; +-} +- + /* + * Reading s_groups_count requires using smp_rmb() afterwards. See + * the locking protocol documented in the comments of ext4_group_add() +diff --git a/fs/ext4/ialloc.c b/fs/ext4/ialloc.c +index 15766303..2354538a 100644 +--- a/fs/ext4/ialloc.c ++++ b/fs/ext4/ialloc.c +@@ -91,7 +91,7 @@ static int ext4_validate_inode_bitmap(struct super_block *sb, + + if (buffer_verified(bh)) + return 0; +- if (EXT4_MB_GRP_IBITMAP_CORRUPT(grp)) ++ if (!grp || EXT4_MB_GRP_IBITMAP_CORRUPT(grp)) + return -EFSCORRUPTED; + + ext4_lock_group(sb, block_group); +@@ -293,7 +293,7 @@ void ext4_free_inode(handle_t *handle, struct inode *inode) + } + if (!(sbi->s_mount_state & EXT4_FC_REPLAY)) { + grp = ext4_get_group_info(sb, block_group); +- if (unlikely(EXT4_MB_GRP_IBITMAP_CORRUPT(grp))) { ++ if (!grp || unlikely(EXT4_MB_GRP_IBITMAP_CORRUPT(grp))) { + fatal = -EFSCORRUPTED; + goto error_return; + } +@@ -1047,7 +1047,7 @@ struct inode *__ext4_new_inode(struct mnt_idmap *idmap, + * Skip groups with already-known suspicious inode + * tables + */ +- if (EXT4_MB_GRP_IBITMAP_CORRUPT(grp)) ++ if (!grp || EXT4_MB_GRP_IBITMAP_CORRUPT(grp)) + goto next_group; + } + +@@ -1185,6 +1185,10 @@ struct inode *__ext4_new_inode(struct mnt_idmap *idmap, + + if (!(sbi->s_mount_state & EXT4_FC_REPLAY)) { + grp = ext4_get_group_info(sb, group); ++ if (!grp) { ++ err = -EFSCORRUPTED; ++ goto out; ++ } + down_read(&grp->alloc_sem); /* + * protect vs itable + * lazyinit +@@ -1528,7 +1532,7 @@ int ext4_init_inode_table(struct super_block *sb, ext4_group_t group, + } + + gdp = ext4_get_group_desc(sb, group, &group_desc_bh); +- if (!gdp) ++ if (!gdp || !grp) + goto out; + + /* +diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c +index 343cb38e..2a1df157 100644 +--- a/fs/ext4/mballoc.c ++++ b/fs/ext4/mballoc.c +@@ -745,6 +745,8 @@ static int __mb_check_buddy(struct ext4_buddy *e4b, char *file, + MB_CHECK_ASSERT(e4b->bd_info->bb_fragments == fragments); + + grp = ext4_get_group_info(sb, e4b->bd_group); ++ if (!grp) ++ return NULL; + list_for_each(cur, &grp->bb_prealloc_list) { + ext4_group_t groupnr; + struct ext4_prealloc_space *pa; +@@ -1060,9 +1062,9 @@ mb_set_largest_free_order(struct super_block *sb, struct ext4_group_info *grp) + + static noinline_for_stack + void ext4_mb_generate_buddy(struct super_block *sb, +- void *buddy, void *bitmap, ext4_group_t group) ++ void *buddy, void *bitmap, ext4_group_t group, ++ struct ext4_group_info *grp) + { +- struct ext4_group_info *grp = ext4_get_group_info(sb, group); + struct ext4_sb_info *sbi = EXT4_SB(sb); + ext4_grpblk_t max = EXT4_CLUSTERS_PER_GROUP(sb); + ext4_grpblk_t i = 0; +@@ -1183,6 +1185,8 @@ static int ext4_mb_init_cache(struct page *page, char *incore, gfp_t gfp) + break; + + grinfo = ext4_get_group_info(sb, group); ++ if (!grinfo) ++ continue; + /* + * If page is uptodate then we came here after online resize + * which added some new uninitialized group info structs, so +@@ -1248,6 +1252,10 @@ static int ext4_mb_init_cache(struct page *page, char *incore, gfp_t gfp) + group, page->index, i * blocksize); + trace_ext4_mb_buddy_bitmap_load(sb, group); + grinfo = ext4_get_group_info(sb, group); ++ if (!grinfo) { ++ err = -EFSCORRUPTED; ++ goto out; ++ } + grinfo->bb_fragments = 0; + memset(grinfo->bb_counters, 0, + sizeof(*grinfo->bb_counters) * +@@ -1258,7 +1266,7 @@ static int ext4_mb_init_cache(struct page *page, char *incore, gfp_t gfp) + ext4_lock_group(sb, group); + /* init the buddy */ + memset(data, 0xff, blocksize); +- ext4_mb_generate_buddy(sb, data, incore, group); ++ ext4_mb_generate_buddy(sb, data, incore, group, grinfo); + ext4_unlock_group(sb, group); + incore = NULL; + } else { +@@ -1372,6 +1380,9 @@ int ext4_mb_init_group(struct super_block *sb, ext4_group_t group, gfp_t gfp) + might_sleep(); + mb_debug(sb, "init group %u\n", group); + this_grp = ext4_get_group_info(sb, group); ++ if (!this_grp) ++ return -EFSCORRUPTED; ++ + /* + * This ensures that we don't reinit the buddy cache + * page which map to the group from which we are already +@@ -1446,6 +1457,8 @@ ext4_mb_load_buddy_gfp(struct super_block *sb, ext4_group_t group, + + blocks_per_page = PAGE_SIZE / sb->s_blocksize; + grp = ext4_get_group_info(sb, group); ++ if (!grp) ++ return -EFSCORRUPTED; + + e4b->bd_blkbits = sb->s_blocksize_bits; + e4b->bd_info = grp; +@@ -2162,6 +2175,8 @@ int ext4_mb_find_by_goal(struct ext4_allocation_context *ac, + struct ext4_group_info *grp = ext4_get_group_info(ac->ac_sb, group); + struct ext4_free_extent ex; + ++ if (!grp) ++ return -EFSCORRUPTED; + if (!(ac->ac_flags & (EXT4_MB_HINT_TRY_GOAL | EXT4_MB_HINT_GOAL_ONLY))) + return 0; + if (grp->bb_free == 0) +@@ -2386,7 +2401,7 @@ static bool ext4_mb_good_group(struct ext4_allocation_context *ac, + + BUG_ON(cr < 0 || cr >= 4); + +- if (unlikely(EXT4_MB_GRP_BBITMAP_CORRUPT(grp))) ++ if (unlikely(EXT4_MB_GRP_BBITMAP_CORRUPT(grp) || !grp)) + return false; + + free = grp->bb_free; +@@ -2455,6 +2470,8 @@ static int ext4_mb_good_group_nolock(struct ext4_allocation_context *ac, + ext4_grpblk_t free; + int ret = 0; + ++ if (!grp) ++ return -EFSCORRUPTED; + if (sbi->s_mb_stats) + atomic64_inc(&sbi->s_bal_cX_groups_considered[ac->ac_criteria]); + if (should_lock) { +@@ -2535,7 +2552,7 @@ ext4_group_t ext4_mb_prefetch(struct super_block *sb, ext4_group_t group, + * prefetch once, so we avoid getblk() call, which can + * be expensive. + */ +- if (!EXT4_MB_GRP_TEST_AND_SET_READ(grp) && ++ if (gdp && grp && !EXT4_MB_GRP_TEST_AND_SET_READ(grp) && + EXT4_MB_GRP_NEED_INIT(grp) && + ext4_free_group_clusters(sb, gdp) > 0 && + !(ext4_has_group_desc_csum(sb) && +@@ -2579,7 +2596,7 @@ void ext4_mb_prefetch_fini(struct super_block *sb, ext4_group_t group, + group--; + grp = ext4_get_group_info(sb, group); + +- if (EXT4_MB_GRP_NEED_INIT(grp) && ++ if (grp && gdp && EXT4_MB_GRP_NEED_INIT(grp) && + ext4_free_group_clusters(sb, gdp) > 0 && + !(ext4_has_group_desc_csum(sb) && + (gdp->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT)))) { +@@ -2838,6 +2855,8 @@ static int ext4_mb_seq_groups_show(struct seq_file *seq, void *v) + sizeof(struct ext4_group_info); + + grinfo = ext4_get_group_info(sb, group); ++ if (!grinfo) ++ return 0; + /* Load the group info in memory only if not already loaded. */ + if (unlikely(EXT4_MB_GRP_NEED_INIT(grinfo))) { + err = ext4_mb_load_buddy(sb, group, &e4b); +@@ -2848,7 +2867,7 @@ static int ext4_mb_seq_groups_show(struct seq_file *seq, void *v) + buddy_loaded = 1; + } + +- memcpy(&sg, ext4_get_group_info(sb, group), i); ++ memcpy(&sg, grinfo, i); + + if (buddy_loaded) + ext4_mb_unload_buddy(&e4b); +@@ -3210,8 +3229,12 @@ static int ext4_mb_init_backend(struct super_block *sb) + + err_freebuddy: + cachep = get_groupinfo_cache(sb->s_blocksize_bits); +- while (i-- > 0) +- kmem_cache_free(cachep, ext4_get_group_info(sb, i)); ++ while (i-- > 0) { ++ struct ext4_group_info *grp = ext4_get_group_info(sb, i); ++ ++ if (grp) ++ kmem_cache_free(cachep, grp); ++ } + i = sbi->s_group_info_size; + rcu_read_lock(); + group_info = rcu_dereference(sbi->s_group_info); +@@ -3525,6 +3548,8 @@ int ext4_mb_release(struct super_block *sb) + for (i = 0; i < ngroups; i++) { + cond_resched(); + grinfo = ext4_get_group_info(sb, i); ++ if (!grinfo) ++ continue; + mb_group_bb_bitmap_free(grinfo); + ext4_lock_group(sb, i); + count = ext4_mb_cleanup_pa(grinfo); +@@ -4454,6 +4479,8 @@ static void ext4_mb_generate_from_freelist(struct super_block *sb, void *bitmap, + struct ext4_free_data *entry; + + grp = ext4_get_group_info(sb, group); ++ if (!grp) ++ return; + n = rb_first(&(grp->bb_free_root)); + + while (n) { +@@ -4481,6 +4508,9 @@ void ext4_mb_generate_from_pa(struct super_block *sb, void *bitmap, + int preallocated = 0; + int len; + ++ if (!grp) ++ return; ++ + /* all form of preallocation discards first load group, + * so the only competing code is preallocation use. + * we don't need any locking here +@@ -4672,6 +4702,8 @@ ext4_mb_new_inode_pa(struct ext4_allocation_context *ac) + + ei = EXT4_I(ac->ac_inode); + grp = ext4_get_group_info(sb, ac->ac_b_ex.fe_group); ++ if (!grp) ++ return; + + pa->pa_obj_lock = &ei->i_prealloc_lock; + pa->pa_inode = ac->ac_inode; +@@ -4725,6 +4757,8 @@ ext4_mb_new_group_pa(struct ext4_allocation_context *ac) + atomic_add(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated); + + grp = ext4_get_group_info(sb, ac->ac_b_ex.fe_group); ++ if (!grp) ++ return; + lg = ac->ac_lg; + BUG_ON(lg == NULL); + +@@ -4853,6 +4887,8 @@ ext4_mb_discard_group_preallocations(struct super_block *sb, + int err; + int free = 0; + ++ if (!grp) ++ return 0; + mb_debug(sb, "discard preallocation for group %u\n", group); + if (list_empty(&grp->bb_prealloc_list)) + goto out_dbg; +@@ -5090,6 +5126,9 @@ static inline void ext4_mb_show_pa(struct super_block *sb) + struct ext4_prealloc_space *pa; + ext4_grpblk_t start; + struct list_head *cur; ++ ++ if (!grp) ++ continue; + ext4_lock_group(sb, i); + list_for_each(cur, &grp->bb_prealloc_list) { + pa = list_entry(cur, struct ext4_prealloc_space, +@@ -5889,6 +5928,7 @@ static void ext4_mb_clear_bb(handle_t *handle, struct inode *inode, + struct buffer_head *bitmap_bh = NULL; + struct super_block *sb = inode->i_sb; + struct ext4_group_desc *gdp; ++ struct ext4_group_info *grp; + unsigned int overflow; + ext4_grpblk_t bit; + struct buffer_head *gd_bh; +@@ -5914,8 +5954,8 @@ static void ext4_mb_clear_bb(handle_t *handle, struct inode *inode, + overflow = 0; + ext4_get_group_no_and_offset(sb, block, &block_group, &bit); + +- if (unlikely(EXT4_MB_GRP_BBITMAP_CORRUPT( +- ext4_get_group_info(sb, block_group)))) ++ grp = ext4_get_group_info(sb, block_group); ++ if (unlikely(!grp || EXT4_MB_GRP_BBITMAP_CORRUPT(grp))) + return; + + /* +@@ -6517,6 +6557,8 @@ int ext4_trim_fs(struct super_block *sb, struct fstrim_range *range) + + for (group = first_group; group <= last_group; group++) { + grp = ext4_get_group_info(sb, group); ++ if (!grp) ++ continue; + /* We only do this if the grp has never been initialized */ + if (unlikely(EXT4_MB_GRP_NEED_INIT(grp))) { + ret = ext4_mb_init_group(sb, group, GFP_NOFS); +diff --git a/fs/ext4/super.c b/fs/ext4/super.c +index 7c45ab1d..d34afa8e 100644 +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -1048,6 +1048,8 @@ void ext4_mark_group_bitmap_corrupted(struct super_block *sb, + struct ext4_group_desc *gdp = ext4_get_group_desc(sb, group, NULL); + int ret; + ++ if (!grp || !gdp) ++ return; + if (flags & EXT4_GROUP_INFO_BBITMAP_CORRUPT) { + ret = ext4_test_and_set_bit(EXT4_GROUP_INFO_BBITMAP_CORRUPT_BIT, + &grp->bb_state); +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-040-refscale-Move-shutdown-from-wait_event-to-wait_.patch b/patches.kernel.org/6.3.4-040-refscale-Move-shutdown-from-wait_event-to-wait_.patch new file mode 100644 index 0000000..7bf7751 --- /dev/null +++ b/patches.kernel.org/6.3.4-040-refscale-Move-shutdown-from-wait_event-to-wait_.patch @@ -0,0 +1,44 @@ +From: "Paul E. McKenney" +Date: Tue, 31 Jan 2023 16:12:18 -0800 +Subject: [PATCH] refscale: Move shutdown from wait_event() to + wait_event_idle() +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 6bc6e6b27524304aadb9c04611ddb1c84dd7617a + +[ Upstream commit 6bc6e6b27524304aadb9c04611ddb1c84dd7617a ] + +The ref_scale_shutdown() kthread/function uses wait_event() to wait for +the refscale test to complete. However, although the read-side tests +are normally extremely fast, there is no law against specifying a very +large value for the refscale.loops module parameter or against having +a slow read-side primitive. Either way, this might well trigger the +hung-task timeout. + +This commit therefore replaces those wait_event() calls with calls to +wait_event_idle(), which do not trigger the hung-task timeout. + +Signed-off-by: Paul E. McKenney +Signed-off-by: Boqun Feng +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + kernel/rcu/refscale.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/rcu/refscale.c b/kernel/rcu/refscale.c +index afa3e1a2..1970ce5f 100644 +--- a/kernel/rcu/refscale.c ++++ b/kernel/rcu/refscale.c +@@ -1031,7 +1031,7 @@ ref_scale_cleanup(void) + static int + ref_scale_shutdown(void *arg) + { +- wait_event(shutdown_wq, shutdown_start); ++ wait_event_idle(shutdown_wq, shutdown_start); + + smp_mb(); // Wake before output. + ref_scale_cleanup(); +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-041-selftests-cgroup-Add-malloc-failures-checks-in-.patch b/patches.kernel.org/6.3.4-041-selftests-cgroup-Add-malloc-failures-checks-in-.patch new file mode 100644 index 0000000..2305ea1 --- /dev/null +++ b/patches.kernel.org/6.3.4-041-selftests-cgroup-Add-malloc-failures-checks-in-.patch @@ -0,0 +1,70 @@ +From: Ivan Orlov +Date: Sun, 26 Feb 2023 16:16:33 +0300 +Subject: [PATCH] selftests: cgroup: Add 'malloc' failures checks in + test_memcontrol +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: c83f320e55a49abd90629f42a72897afd579e0de + +[ Upstream commit c83f320e55a49abd90629f42a72897afd579e0de ] + +There are several 'malloc' calls in test_memcontrol, which can be +unsuccessful. This patch will add 'malloc' failures checking to +give more details about test's fail reasons and avoid possible +undefined behavior during the future null dereference (like the +one in alloc_anon_50M_check_swap function). + +Signed-off-by: Ivan Orlov +Reviewed-by: Muchun Song +Acked-by: Shakeel Butt +Acked-by: Roman Gushchin +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + tools/testing/selftests/cgroup/test_memcontrol.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/tools/testing/selftests/cgroup/test_memcontrol.c b/tools/testing/selftests/cgroup/test_memcontrol.c +index 1e616a8c..f4f7c0ae 100644 +--- a/tools/testing/selftests/cgroup/test_memcontrol.c ++++ b/tools/testing/selftests/cgroup/test_memcontrol.c +@@ -98,6 +98,11 @@ static int alloc_anon_50M_check(const char *cgroup, void *arg) + int ret = -1; + + buf = malloc(size); ++ if (buf == NULL) { ++ fprintf(stderr, "malloc() failed\n"); ++ return -1; ++ } ++ + for (ptr = buf; ptr < buf + size; ptr += PAGE_SIZE) + *ptr = 0; + +@@ -211,6 +216,11 @@ static int alloc_anon_noexit(const char *cgroup, void *arg) + char *buf, *ptr; + + buf = malloc(size); ++ if (buf == NULL) { ++ fprintf(stderr, "malloc() failed\n"); ++ return -1; ++ } ++ + for (ptr = buf; ptr < buf + size; ptr += PAGE_SIZE) + *ptr = 0; + +@@ -778,6 +788,11 @@ static int alloc_anon_50M_check_swap(const char *cgroup, void *arg) + int ret = -1; + + buf = malloc(size); ++ if (buf == NULL) { ++ fprintf(stderr, "malloc() failed\n"); ++ return -1; ++ } ++ + for (ptr = buf; ptr < buf + size; ptr += PAGE_SIZE) + *ptr = 0; + +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-042-rcu-Protect-rcu_print_task_exp_stall-exp_tasks-.patch b/patches.kernel.org/6.3.4-042-rcu-Protect-rcu_print_task_exp_stall-exp_tasks-.patch new file mode 100644 index 0000000..5127753 --- /dev/null +++ b/patches.kernel.org/6.3.4-042-rcu-Protect-rcu_print_task_exp_stall-exp_tasks-.patch @@ -0,0 +1,69 @@ +From: Zqiang +Date: Sat, 24 Dec 2022 13:25:53 +0800 +Subject: [PATCH] rcu: Protect rcu_print_task_exp_stall() ->exp_tasks access +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 3c1566bca3f8349f12b75d0a2d5e4a20ad6262ec + +[ Upstream commit 3c1566bca3f8349f12b75d0a2d5e4a20ad6262ec ] + +For kernels built with CONFIG_PREEMPT_RCU=y, the following scenario can +result in a NULL-pointer dereference: + + CPU1 CPU2 +rcu_preempt_deferred_qs_irqrestore rcu_print_task_exp_stall + if (special.b.blocked) READ_ONCE(rnp->exp_tasks) != NULL + raw_spin_lock_rcu_node + np = rcu_next_node_entry(t, rnp) + if (&t->rcu_node_entry == rnp->exp_tasks) + WRITE_ONCE(rnp->exp_tasks, np) + .... + raw_spin_unlock_irqrestore_rcu_node + raw_spin_lock_irqsave_rcu_node + t = list_entry(rnp->exp_tasks->prev, + struct task_struct, rcu_node_entry) + (if rnp->exp_tasks is NULL, this + will dereference a NULL pointer) + +The problem is that CPU2 accesses the rcu_node structure's->exp_tasks +field without holding the rcu_node structure's ->lock and CPU2 did +not observe CPU1's change to rcu_node structure's ->exp_tasks in time. +Therefore, if CPU1 sets rcu_node structure's->exp_tasks pointer to NULL, +then CPU2 might dereference that NULL pointer. + +This commit therefore holds the rcu_node structure's ->lock while +accessing that structure's->exp_tasks field. + +[ paulmck: Apply Frederic Weisbecker feedback. ] + +Acked-by: Joel Fernandes (Google) +Signed-off-by: Zqiang +Signed-off-by: Paul E. McKenney +Signed-off-by: Joel Fernandes (Google) +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + kernel/rcu/tree_exp.h | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/kernel/rcu/tree_exp.h b/kernel/rcu/tree_exp.h +index 249c2967..54e8fb25 100644 +--- a/kernel/rcu/tree_exp.h ++++ b/kernel/rcu/tree_exp.h +@@ -802,9 +802,11 @@ static int rcu_print_task_exp_stall(struct rcu_node *rnp) + int ndetected = 0; + struct task_struct *t; + +- if (!READ_ONCE(rnp->exp_tasks)) +- return 0; + raw_spin_lock_irqsave_rcu_node(rnp, flags); ++ if (!rnp->exp_tasks) { ++ raw_spin_unlock_irqrestore_rcu_node(rnp, flags); ++ return 0; ++ } + t = list_entry(rnp->exp_tasks->prev, + struct task_struct, rcu_node_entry); + list_for_each_entry_continue(t, &rnp->blkd_tasks, rcu_node_entry) { +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-043-open-return-EINVAL-for-O_DIRECTORY-O_CREAT.patch b/patches.kernel.org/6.3.4-043-open-return-EINVAL-for-O_DIRECTORY-O_CREAT.patch new file mode 100644 index 0000000..fd300b2 --- /dev/null +++ b/patches.kernel.org/6.3.4-043-open-return-EINVAL-for-O_DIRECTORY-O_CREAT.patch @@ -0,0 +1,197 @@ +From: Christian Brauner +Date: Tue, 21 Mar 2023 09:18:07 +0100 +Subject: [PATCH] open: return EINVAL for O_DIRECTORY | O_CREAT +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 43b450632676fb60e9faeddff285d9fac94a4f58 + +[ Upstream commit 43b450632676fb60e9faeddff285d9fac94a4f58 ] + +After a couple of years and multiple LTS releases we received a report +that the behavior of O_DIRECTORY | O_CREAT changed starting with v5.7. + +On kernels prior to v5.7 combinations of O_DIRECTORY, O_CREAT, O_EXCL +had the following semantics: + +(1) open("/tmp/d", O_DIRECTORY | O_CREAT) + * d doesn't exist: create regular file + * d exists and is a regular file: ENOTDIR + * d exists and is a directory: EISDIR + +(2) open("/tmp/d", O_DIRECTORY | O_CREAT | O_EXCL) + * d doesn't exist: create regular file + * d exists and is a regular file: EEXIST + * d exists and is a directory: EEXIST + +(3) open("/tmp/d", O_DIRECTORY | O_EXCL) + * d doesn't exist: ENOENT + * d exists and is a regular file: ENOTDIR + * d exists and is a directory: open directory + +On kernels since to v5.7 combinations of O_DIRECTORY, O_CREAT, O_EXCL +have the following semantics: + +(1) open("/tmp/d", O_DIRECTORY | O_CREAT) + * d doesn't exist: ENOTDIR (create regular file) + * d exists and is a regular file: ENOTDIR + * d exists and is a directory: EISDIR + +(2) open("/tmp/d", O_DIRECTORY | O_CREAT | O_EXCL) + * d doesn't exist: ENOTDIR (create regular file) + * d exists and is a regular file: EEXIST + * d exists and is a directory: EEXIST + +(3) open("/tmp/d", O_DIRECTORY | O_EXCL) + * d doesn't exist: ENOENT + * d exists and is a regular file: ENOTDIR + * d exists and is a directory: open directory + +This is a fairly substantial semantic change that userspace didn't +notice until Pedro took the time to deliberately figure out corner +cases. Since no one noticed this breakage we can somewhat safely assume +that O_DIRECTORY | O_CREAT combinations are likely unused. + +The v5.7 breakage is especially weird because while ENOTDIR is returned +indicating failure a regular file is actually created. This doesn't make +a lot of sense. + +Time was spent finding potential users of this combination. Searching on +codesearch.debian.net showed that codebases often express semantical +expectations about O_DIRECTORY | O_CREAT which are completely contrary +to what our code has done and currently does. + +The expectation often is that this particular combination would create +and open a directory. This suggests users who tried to use that +combination would stumble upon the counterintuitive behavior no matter +if pre-v5.7 or post v5.7 and quickly realize neither semantics give them +what they want. For some examples see the code examples in [1] to [3] +and the discussion in [4]. + +There are various ways to address this issue. The lazy/simple option +would be to restore the pre-v5.7 behavior and to just live with that bug +forever. But since there's a real chance that the O_DIRECTORY | O_CREAT +quirk isn't relied upon we should try to get away with murder(ing bad +semantics) first. If we need to Frankenstein pre-v5.7 behavior later so +be it. + +So let's simply return EINVAL categorically for O_DIRECTORY | O_CREAT +combinations. In addition to cleaning up the old bug this also opens up +the possiblity to make that flag combination do something more intuitive +in the future. + +Starting with this commit the following semantics apply: + +(1) open("/tmp/d", O_DIRECTORY | O_CREAT) + * d doesn't exist: EINVAL + * d exists and is a regular file: EINVAL + * d exists and is a directory: EINVAL + +(2) open("/tmp/d", O_DIRECTORY | O_CREAT | O_EXCL) + * d doesn't exist: EINVAL + * d exists and is a regular file: EINVAL + * d exists and is a directory: EINVAL + +(3) open("/tmp/d", O_DIRECTORY | O_EXCL) + * d doesn't exist: ENOENT + * d exists and is a regular file: ENOTDIR + * d exists and is a directory: open directory + +One additional note, O_TMPFILE is implemented as: + + #define __O_TMPFILE 020000000 + #define O_TMPFILE (__O_TMPFILE | O_DIRECTORY) + #define O_TMPFILE_MASK (__O_TMPFILE | O_DIRECTORY | O_CREAT) + +For older kernels it was important to return an explicit error when +O_TMPFILE wasn't supported. So O_TMPFILE requires that O_DIRECTORY is +raised alongside __O_TMPFILE. It also enforced that O_CREAT wasn't +specified. Since O_DIRECTORY | O_CREAT could be used to create a regular +allowing that combination together with __O_TMPFILE would've meant that +false positives were possible, i.e., that a regular file was created +instead of a O_TMPFILE. This could've been used to trick userspace into +thinking it operated on a O_TMPFILE when it wasn't. + +Now that we block O_DIRECTORY | O_CREAT completely the check for O_CREAT +in the __O_TMPFILE branch via if ((flags & O_TMPFILE_MASK) != O_TMPFILE) +can be dropped. Instead we can simply check verify that O_DIRECTORY is +raised via if (!(flags & O_DIRECTORY)) and explain this in two comments. + +As Aleksa pointed out O_PATH is unaffected by this change since it +always returned EINVAL if O_CREAT was specified - with or without +O_DIRECTORY. + +Link: https://lore.kernel.org/lkml/20230320071442.172228-1-pedro.falcato@gmail.com +Link: https://sources.debian.org/src/flatpak/1.14.4-1/subprojects/libglnx/glnx-dirfd.c/?hl=324#L324 [1] +Link: https://sources.debian.org/src/flatpak-builder/1.2.3-1/subprojects/libglnx/glnx-shutil.c/?hl=251#L251 [2] +Link: https://sources.debian.org/src/ostree/2022.7-2/libglnx/glnx-dirfd.c/?hl=324#L324 [3] +Link: https://www.openwall.com/lists/oss-security/2014/11/26/14 [4] +Reported-by: Pedro Falcato +Cc: Aleksa Sarai +Signed-off-by: Linus Torvalds +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + fs/open.c | 18 +++++++++++++----- + include/uapi/asm-generic/fcntl.h | 1 - + tools/include/uapi/asm-generic/fcntl.h | 1 - + 3 files changed, 13 insertions(+), 7 deletions(-) + +diff --git a/fs/open.c b/fs/open.c +index 4401a73d..4478adcc4 100644 +--- a/fs/open.c ++++ b/fs/open.c +@@ -1196,13 +1196,21 @@ inline int build_open_flags(const struct open_how *how, struct open_flags *op) + } + + /* +- * In order to ensure programs get explicit errors when trying to use +- * O_TMPFILE on old kernels, O_TMPFILE is implemented such that it +- * looks like (O_DIRECTORY|O_RDWR & ~O_CREAT) to old kernels. But we +- * have to require userspace to explicitly set it. ++ * Block bugs where O_DIRECTORY | O_CREAT created regular files. ++ * Note, that blocking O_DIRECTORY | O_CREAT here also protects ++ * O_TMPFILE below which requires O_DIRECTORY being raised. + */ ++ if ((flags & (O_DIRECTORY | O_CREAT)) == (O_DIRECTORY | O_CREAT)) ++ return -EINVAL; ++ ++ /* Now handle the creative implementation of O_TMPFILE. */ + if (flags & __O_TMPFILE) { +- if ((flags & O_TMPFILE_MASK) != O_TMPFILE) ++ /* ++ * In order to ensure programs get explicit errors when trying ++ * to use O_TMPFILE on old kernels we enforce that O_DIRECTORY ++ * is raised alongside __O_TMPFILE. ++ */ ++ if (!(flags & O_DIRECTORY)) + return -EINVAL; + if (!(acc_mode & MAY_WRITE)) + return -EINVAL; +diff --git a/include/uapi/asm-generic/fcntl.h b/include/uapi/asm-generic/fcntl.h +index 1ecdb911..80f37a0d 100644 +--- a/include/uapi/asm-generic/fcntl.h ++++ b/include/uapi/asm-generic/fcntl.h +@@ -91,7 +91,6 @@ + + /* a horrid kludge trying to make sure that this will fail on old kernels */ + #define O_TMPFILE (__O_TMPFILE | O_DIRECTORY) +-#define O_TMPFILE_MASK (__O_TMPFILE | O_DIRECTORY | O_CREAT) + + #ifndef O_NDELAY + #define O_NDELAY O_NONBLOCK +diff --git a/tools/include/uapi/asm-generic/fcntl.h b/tools/include/uapi/asm-generic/fcntl.h +index b02c8e0f..1c7a0f66 100644 +--- a/tools/include/uapi/asm-generic/fcntl.h ++++ b/tools/include/uapi/asm-generic/fcntl.h +@@ -91,7 +91,6 @@ + + /* a horrid kludge trying to make sure that this will fail on old kernels */ + #define O_TMPFILE (__O_TMPFILE | O_DIRECTORY) +-#define O_TMPFILE_MASK (__O_TMPFILE | O_DIRECTORY | O_CREAT) + + #ifndef O_NDELAY + #define O_NDELAY O_NONBLOCK +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-044-fs-hfsplus-remove-WARN_ON-from-hfsplus_cat_-rea.patch b/patches.kernel.org/6.3.4-044-fs-hfsplus-remove-WARN_ON-from-hfsplus_cat_-rea.patch new file mode 100644 index 0000000..fdd1921 --- /dev/null +++ b/patches.kernel.org/6.3.4-044-fs-hfsplus-remove-WARN_ON-from-hfsplus_cat_-rea.patch @@ -0,0 +1,112 @@ +From: Tetsuo Handa +Date: Tue, 11 Apr 2023 19:57:33 +0900 +Subject: [PATCH] fs: hfsplus: remove WARN_ON() from + hfsplus_cat_{read,write}_inode() +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 81b21c0f0138ff5a499eafc3eb0578ad2a99622c + +[ Upstream commit 81b21c0f0138ff5a499eafc3eb0578ad2a99622c ] + +syzbot is hitting WARN_ON() in hfsplus_cat_{read,write}_inode(), for +crafted filesystem image can contain bogus length. There conditions are +not kernel bugs that can justify kernel to panic. + +Reported-by: syzbot +Link: https://syzkaller.appspot.com/bug?extid=e2787430e752a92b8750 +Reported-by: syzbot +Link: https://syzkaller.appspot.com/bug?extid=4913dca2ea6e4d43f3f1 +Signed-off-by: Tetsuo Handa +Reviewed-by: Viacheslav Dubeyko +Message-Id: <15308173-5252-d6a3-ae3b-e96d46cb6f41@I-love.SAKURA.ne.jp> +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + fs/hfsplus/inode.c | 28 +++++++++++++++++++++++----- + 1 file changed, 23 insertions(+), 5 deletions(-) + +diff --git a/fs/hfsplus/inode.c b/fs/hfsplus/inode.c +index abb91f5f..b2166047 100644 +--- a/fs/hfsplus/inode.c ++++ b/fs/hfsplus/inode.c +@@ -511,7 +511,11 @@ int hfsplus_cat_read_inode(struct inode *inode, struct hfs_find_data *fd) + if (type == HFSPLUS_FOLDER) { + struct hfsplus_cat_folder *folder = &entry.folder; + +- WARN_ON(fd->entrylength < sizeof(struct hfsplus_cat_folder)); ++ if (fd->entrylength < sizeof(struct hfsplus_cat_folder)) { ++ pr_err("bad catalog folder entry\n"); ++ res = -EIO; ++ goto out; ++ } + hfs_bnode_read(fd->bnode, &entry, fd->entryoffset, + sizeof(struct hfsplus_cat_folder)); + hfsplus_get_perms(inode, &folder->permissions, 1); +@@ -531,7 +535,11 @@ int hfsplus_cat_read_inode(struct inode *inode, struct hfs_find_data *fd) + } else if (type == HFSPLUS_FILE) { + struct hfsplus_cat_file *file = &entry.file; + +- WARN_ON(fd->entrylength < sizeof(struct hfsplus_cat_file)); ++ if (fd->entrylength < sizeof(struct hfsplus_cat_file)) { ++ pr_err("bad catalog file entry\n"); ++ res = -EIO; ++ goto out; ++ } + hfs_bnode_read(fd->bnode, &entry, fd->entryoffset, + sizeof(struct hfsplus_cat_file)); + +@@ -562,6 +570,7 @@ int hfsplus_cat_read_inode(struct inode *inode, struct hfs_find_data *fd) + pr_err("bad catalog entry used to create inode\n"); + res = -EIO; + } ++out: + return res; + } + +@@ -570,6 +579,7 @@ int hfsplus_cat_write_inode(struct inode *inode) + struct inode *main_inode = inode; + struct hfs_find_data fd; + hfsplus_cat_entry entry; ++ int res = 0; + + if (HFSPLUS_IS_RSRC(inode)) + main_inode = HFSPLUS_I(inode)->rsrc_inode; +@@ -588,7 +598,11 @@ int hfsplus_cat_write_inode(struct inode *inode) + if (S_ISDIR(main_inode->i_mode)) { + struct hfsplus_cat_folder *folder = &entry.folder; + +- WARN_ON(fd.entrylength < sizeof(struct hfsplus_cat_folder)); ++ if (fd.entrylength < sizeof(struct hfsplus_cat_folder)) { ++ pr_err("bad catalog folder entry\n"); ++ res = -EIO; ++ goto out; ++ } + hfs_bnode_read(fd.bnode, &entry, fd.entryoffset, + sizeof(struct hfsplus_cat_folder)); + /* simple node checks? */ +@@ -613,7 +627,11 @@ int hfsplus_cat_write_inode(struct inode *inode) + } else { + struct hfsplus_cat_file *file = &entry.file; + +- WARN_ON(fd.entrylength < sizeof(struct hfsplus_cat_file)); ++ if (fd.entrylength < sizeof(struct hfsplus_cat_file)) { ++ pr_err("bad catalog file entry\n"); ++ res = -EIO; ++ goto out; ++ } + hfs_bnode_read(fd.bnode, &entry, fd.entryoffset, + sizeof(struct hfsplus_cat_file)); + hfsplus_inode_write_fork(inode, &file->data_fork); +@@ -634,7 +652,7 @@ int hfsplus_cat_write_inode(struct inode *inode) + set_bit(HFSPLUS_I_CAT_DIRTY, &HFSPLUS_I(inode)->flags); + out: + hfs_find_exit(&fd); +- return 0; ++ return res; + } + + int hfsplus_fileattr_get(struct dentry *dentry, struct fileattr *fa) +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-045-drm-displayid-add-displayid_get_header-and-chec.patch b/patches.kernel.org/6.3.4-045-drm-displayid-add-displayid_get_header-and-chec.patch new file mode 100644 index 0000000..67b275f --- /dev/null +++ b/patches.kernel.org/6.3.4-045-drm-displayid-add-displayid_get_header-and-chec.patch @@ -0,0 +1,64 @@ +From: Jani Nikula +Date: Thu, 16 Feb 2023 22:44:58 +0200 +Subject: [PATCH] drm/displayid: add displayid_get_header() and check bounds + better +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 5bacecc3c56131c31f18b23d366f2184328fd9cf + +[ Upstream commit 5bacecc3c56131c31f18b23d366f2184328fd9cf ] + +Add a helper to get a pointer to struct displayid_header. To be +pedantic, add buffer overflow checks to not touch the base if that +itself would overflow. + +Cc: Iaroslav Boliukin +Cc: Dmitry Osipenko +Signed-off-by: Jani Nikula +Tested-by: Dmitry Osipenko +Reviewed-by: Dmitry Osipenko +Signed-off-by: Dmitry Osipenko +Link: https://patchwork.freedesktop.org/patch/msgid/4a03b3a5132642d3cdb6d4c2641422955a917292.1676580180.git.jani.nikula@intel.com +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/gpu/drm/drm_displayid.c | 17 ++++++++++++++++- + 1 file changed, 16 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/drm_displayid.c b/drivers/gpu/drm/drm_displayid.c +index 38ea8203..7d03159d 100644 +--- a/drivers/gpu/drm/drm_displayid.c ++++ b/drivers/gpu/drm/drm_displayid.c +@@ -7,13 +7,28 @@ + #include + #include + ++static const struct displayid_header * ++displayid_get_header(const u8 *displayid, int length, int index) ++{ ++ const struct displayid_header *base; ++ ++ if (sizeof(*base) > length - index) ++ return ERR_PTR(-EINVAL); ++ ++ base = (const struct displayid_header *)&displayid[index]; ++ ++ return base; ++} ++ + static int validate_displayid(const u8 *displayid, int length, int idx) + { + int i, dispid_length; + u8 csum = 0; + const struct displayid_header *base; + +- base = (const struct displayid_header *)&displayid[idx]; ++ base = displayid_get_header(displayid, length, idx); ++ if (IS_ERR(base)) ++ return PTR_ERR(base); + + DRM_DEBUG_KMS("base revision 0x%x, length %d, %d %d\n", + base->rev, base->bytes, base->prod_id, base->ext_count); +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-046-drm-amd-display-populate-subvp-cmd-info-only-fo.patch b/patches.kernel.org/6.3.4-046-drm-amd-display-populate-subvp-cmd-info-only-fo.patch new file mode 100644 index 0000000..b904560 --- /dev/null +++ b/patches.kernel.org/6.3.4-046-drm-amd-display-populate-subvp-cmd-info-only-fo.patch @@ -0,0 +1,48 @@ +From: Ayush Gupta +Date: Fri, 10 Feb 2023 13:02:09 -0500 +Subject: [PATCH] drm/amd/display: populate subvp cmd info only for the top + pipe +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 9bb10b7aaec3b6278f9cc410c17dcaa129bbbbf0 + +[ Upstream commit 9bb10b7aaec3b6278f9cc410c17dcaa129bbbbf0 ] + +[Why] +System restart observed while changing the display resolution +to 8k with extended mode. Sytem restart was caused by a page fault. + +[How] +When the driver populates subvp info it did it for both the pipes using +vblank which caused an outof bounds array access causing the page fault. +added checks to allow the top pipe only to fix this issue. + +Co-authored-by: Ayush Gupta +Reviewed-by: Alvin Lee +Acked-by: Qingqing Zhuo +Signed-off-by: Ayush Gupta +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/gpu/drm/amd/display/dc/dc_dmub_srv.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/dc_dmub_srv.c b/drivers/gpu/drm/amd/display/dc/dc_dmub_srv.c +index c2092775..7f27e29f 100644 +--- a/drivers/gpu/drm/amd/display/dc/dc_dmub_srv.c ++++ b/drivers/gpu/drm/amd/display/dc/dc_dmub_srv.c +@@ -750,7 +750,8 @@ void dc_dmub_setup_subvp_dmub_command(struct dc *dc, + !pipe->top_pipe && !pipe->prev_odm_pipe && + pipe->stream->mall_stream_config.type == SUBVP_MAIN) { + populate_subvp_cmd_pipe_info(dc, context, &cmd, pipe, cmd_pipe_index++); +- } else if (pipe->plane_state && pipe->stream->mall_stream_config.type == SUBVP_NONE) { ++ } else if (pipe->plane_state && pipe->stream->mall_stream_config.type == SUBVP_NONE && ++ !pipe->top_pipe && !pipe->prev_odm_pipe) { + // Don't need to check for ActiveDRAMClockChangeMargin < 0, not valid in cases where + // we run through DML without calculating "natural" P-state support + populate_subvp_cmd_vblank_pipe_info(dc, context, &cmd, pipe, cmd_pipe_index++); +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-047-drm-amd-display-Correct-DML-calculation-to-alig.patch b/patches.kernel.org/6.3.4-047-drm-amd-display-Correct-DML-calculation-to-alig.patch new file mode 100644 index 0000000..5666cbd --- /dev/null +++ b/patches.kernel.org/6.3.4-047-drm-amd-display-Correct-DML-calculation-to-alig.patch @@ -0,0 +1,676 @@ +From: Paul Hsieh +Date: Fri, 10 Feb 2023 12:00:16 +0800 +Subject: [PATCH] drm/amd/display: Correct DML calculation to align HW formula +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 26a9f53198c955b15161da48cdb51041a38d5325 + +[ Upstream commit 26a9f53198c955b15161da48cdb51041a38d5325 ] + +[Why] +In 2560x1440@240p eDP panel, some use cases will enable MPC +combine with RGB MPO then underflow happened. This case is +not allowed from HW formula.  + +[How] +Correct eDP, DP and DP2 output bpp calculation to align HW +formula. + +Reviewed-by: Nicholas Kazlauskas +Acked-by: Qingqing Zhuo +Signed-off-by: Paul Hsieh +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + .../dc/dml/dcn31/display_mode_vba_31.c | 298 ++++++++++++------ + .../dc/dml/dcn314/display_mode_vba_314.c | 298 ++++++++++++------ + 2 files changed, 392 insertions(+), 204 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/dml/dcn31/display_mode_vba_31.c b/drivers/gpu/drm/amd/display/dc/dml/dcn31/display_mode_vba_31.c +index 2b57f5b2..536a6362 100644 +--- a/drivers/gpu/drm/amd/display/dc/dml/dcn31/display_mode_vba_31.c ++++ b/drivers/gpu/drm/amd/display/dc/dml/dcn31/display_mode_vba_31.c +@@ -4307,11 +4307,11 @@ void dml31_ModeSupportAndSystemConfigurationFull(struct display_mode_lib *mode_l + v->AudioSampleRate[k], + v->AudioSampleLayout[k], + v->ODMCombineEnablePerState[i][k]); +- } else if (v->Output[k] == dm_dp || v->Output[k] == dm_edp) { ++ } else if (v->Output[k] == dm_dp || v->Output[k] == dm_edp || v->Output[k] == dm_dp2p0) { + if (v->DSCEnable[k] == true) { + v->RequiresDSC[i][k] = true; + v->LinkDSCEnable = true; +- if (v->Output[k] == dm_dp) { ++ if (v->Output[k] == dm_dp || v->Output[k] == dm_dp2p0) { + v->RequiresFEC[i][k] = true; + } else { + v->RequiresFEC[i][k] = false; +@@ -4319,107 +4319,201 @@ void dml31_ModeSupportAndSystemConfigurationFull(struct display_mode_lib *mode_l + } else { + v->RequiresDSC[i][k] = false; + v->LinkDSCEnable = false; +- v->RequiresFEC[i][k] = false; +- } +- +- v->Outbpp = BPP_INVALID; +- if (v->PHYCLKPerState[i] >= 270.0) { +- v->Outbpp = TruncToValidBPP( +- (1.0 - v->Downspreading / 100.0) * 2700, +- v->OutputLinkDPLanes[k], +- v->HTotal[k], +- v->HActive[k], +- v->PixelClockBackEnd[k], +- v->ForcedOutputLinkBPP[k], +- v->LinkDSCEnable, +- v->Output[k], +- v->OutputFormat[k], +- v->DSCInputBitPerComponent[k], +- v->NumberOfDSCSlices[k], +- v->AudioSampleRate[k], +- v->AudioSampleLayout[k], +- v->ODMCombineEnablePerState[i][k]); +- v->OutputBppPerState[i][k] = v->Outbpp; +- // TODO: Need some other way to handle this nonsense +- // v->OutputTypeAndRatePerState[i][k] = v->Output[k] & " HBR" +- } +- if (v->Outbpp == BPP_INVALID && v->PHYCLKPerState[i] >= 540.0) { +- v->Outbpp = TruncToValidBPP( +- (1.0 - v->Downspreading / 100.0) * 5400, +- v->OutputLinkDPLanes[k], +- v->HTotal[k], +- v->HActive[k], +- v->PixelClockBackEnd[k], +- v->ForcedOutputLinkBPP[k], +- v->LinkDSCEnable, +- v->Output[k], +- v->OutputFormat[k], +- v->DSCInputBitPerComponent[k], +- v->NumberOfDSCSlices[k], +- v->AudioSampleRate[k], +- v->AudioSampleLayout[k], +- v->ODMCombineEnablePerState[i][k]); +- v->OutputBppPerState[i][k] = v->Outbpp; +- // TODO: Need some other way to handle this nonsense +- // v->OutputTypeAndRatePerState[i][k] = v->Output[k] & " HBR2" +- } +- if (v->Outbpp == BPP_INVALID && v->PHYCLKPerState[i] >= 810.0) { +- v->Outbpp = TruncToValidBPP( +- (1.0 - v->Downspreading / 100.0) * 8100, +- v->OutputLinkDPLanes[k], +- v->HTotal[k], +- v->HActive[k], +- v->PixelClockBackEnd[k], +- v->ForcedOutputLinkBPP[k], +- v->LinkDSCEnable, +- v->Output[k], +- v->OutputFormat[k], +- v->DSCInputBitPerComponent[k], +- v->NumberOfDSCSlices[k], +- v->AudioSampleRate[k], +- v->AudioSampleLayout[k], +- v->ODMCombineEnablePerState[i][k]); +- v->OutputBppPerState[i][k] = v->Outbpp; +- // TODO: Need some other way to handle this nonsense +- // v->OutputTypeAndRatePerState[i][k] = v->Output[k] & " HBR3" +- } +- if (v->Outbpp == BPP_INVALID && v->PHYCLKD18PerState[i] >= 10000.0 / 18) { +- v->Outbpp = TruncToValidBPP( +- (1.0 - v->Downspreading / 100.0) * 10000, +- 4, +- v->HTotal[k], +- v->HActive[k], +- v->PixelClockBackEnd[k], +- v->ForcedOutputLinkBPP[k], +- v->LinkDSCEnable, +- v->Output[k], +- v->OutputFormat[k], +- v->DSCInputBitPerComponent[k], +- v->NumberOfDSCSlices[k], +- v->AudioSampleRate[k], +- v->AudioSampleLayout[k], +- v->ODMCombineEnablePerState[i][k]); +- v->OutputBppPerState[i][k] = v->Outbpp; +- //v->OutputTypeAndRatePerState[i][k] = v->Output[k] & "10x4"; ++ if (v->Output[k] == dm_dp2p0) { ++ v->RequiresFEC[i][k] = true; ++ } else { ++ v->RequiresFEC[i][k] = false; ++ } + } +- if (v->Outbpp == BPP_INVALID && v->PHYCLKD18PerState[i] >= 12000.0 / 18) { +- v->Outbpp = TruncToValidBPP( +- 12000, +- 4, +- v->HTotal[k], +- v->HActive[k], +- v->PixelClockBackEnd[k], +- v->ForcedOutputLinkBPP[k], +- v->LinkDSCEnable, +- v->Output[k], +- v->OutputFormat[k], +- v->DSCInputBitPerComponent[k], +- v->NumberOfDSCSlices[k], +- v->AudioSampleRate[k], +- v->AudioSampleLayout[k], +- v->ODMCombineEnablePerState[i][k]); +- v->OutputBppPerState[i][k] = v->Outbpp; +- //v->OutputTypeAndRatePerState[i][k] = v->Output[k] & "12x4"; ++ if (v->Output[k] == dm_dp2p0) { ++ v->Outbpp = BPP_INVALID; ++ if ((v->OutputLinkDPRate[k] == dm_dp_rate_na || v->OutputLinkDPRate[k] == dm_dp_rate_uhbr10) && ++ v->PHYCLKD18PerState[k] >= 10000.0 / 18.0) { ++ v->Outbpp = TruncToValidBPP( ++ (1.0 - v->Downspreading / 100.0) * 10000, ++ v->OutputLinkDPLanes[k], ++ v->HTotal[k], ++ v->HActive[k], ++ v->PixelClockBackEnd[k], ++ v->ForcedOutputLinkBPP[k], ++ v->LinkDSCEnable, ++ v->Output[k], ++ v->OutputFormat[k], ++ v->DSCInputBitPerComponent[k], ++ v->NumberOfDSCSlices[k], ++ v->AudioSampleRate[k], ++ v->AudioSampleLayout[k], ++ v->ODMCombineEnablePerState[i][k]); ++ if (v->Outbpp == BPP_INVALID && v->PHYCLKD18PerState[k] < 13500.0 / 18.0 && ++ v->DSCEnable[k] == true && v->ForcedOutputLinkBPP[k] == 0) { ++ v->RequiresDSC[i][k] = true; ++ v->LinkDSCEnable = true; ++ v->Outbpp = TruncToValidBPP( ++ (1.0 - v->Downspreading / 100.0) * 10000, ++ v->OutputLinkDPLanes[k], ++ v->HTotal[k], ++ v->HActive[k], ++ v->PixelClockBackEnd[k], ++ v->ForcedOutputLinkBPP[k], ++ v->LinkDSCEnable, ++ v->Output[k], ++ v->OutputFormat[k], ++ v->DSCInputBitPerComponent[k], ++ v->NumberOfDSCSlices[k], ++ v->AudioSampleRate[k], ++ v->AudioSampleLayout[k], ++ v->ODMCombineEnablePerState[i][k]); ++ } ++ v->OutputBppPerState[i][k] = v->Outbpp; ++ // TODO: Need some other way to handle this nonsense ++ // v->OutputTypeAndRatePerState[i][k] = v->Output[k] & " UHBR10" ++ } ++ if (v->Outbpp == BPP_INVALID && ++ (v->OutputLinkDPRate[k] == dm_dp_rate_na || v->OutputLinkDPRate[k] == dm_dp_rate_uhbr13p5) && ++ v->PHYCLKD18PerState[k] >= 13500.0 / 18.0) { ++ v->Outbpp = TruncToValidBPP( ++ (1.0 - v->Downspreading / 100.0) * 13500, ++ v->OutputLinkDPLanes[k], ++ v->HTotal[k], ++ v->HActive[k], ++ v->PixelClockBackEnd[k], ++ v->ForcedOutputLinkBPP[k], ++ v->LinkDSCEnable, ++ v->Output[k], ++ v->OutputFormat[k], ++ v->DSCInputBitPerComponent[k], ++ v->NumberOfDSCSlices[k], ++ v->AudioSampleRate[k], ++ v->AudioSampleLayout[k], ++ v->ODMCombineEnablePerState[i][k]); ++ if (v->Outbpp == BPP_INVALID && v->PHYCLKD18PerState[k] < 20000.0 / 18.0 && ++ v->DSCEnable[k] == true && v->ForcedOutputLinkBPP[k] == 0) { ++ v->RequiresDSC[i][k] = true; ++ v->LinkDSCEnable = true; ++ v->Outbpp = TruncToValidBPP( ++ (1.0 - v->Downspreading / 100.0) * 13500, ++ v->OutputLinkDPLanes[k], ++ v->HTotal[k], ++ v->HActive[k], ++ v->PixelClockBackEnd[k], ++ v->ForcedOutputLinkBPP[k], ++ v->LinkDSCEnable, ++ v->Output[k], ++ v->OutputFormat[k], ++ v->DSCInputBitPerComponent[k], ++ v->NumberOfDSCSlices[k], ++ v->AudioSampleRate[k], ++ v->AudioSampleLayout[k], ++ v->ODMCombineEnablePerState[i][k]); ++ } ++ v->OutputBppPerState[i][k] = v->Outbpp; ++ // TODO: Need some other way to handle this nonsense ++ // v->OutputTypeAndRatePerState[i][k] = v->Output[k] & " UHBR13p5" ++ } ++ if (v->Outbpp == BPP_INVALID && ++ (v->OutputLinkDPRate[k] == dm_dp_rate_na || v->OutputLinkDPRate[k] == dm_dp_rate_uhbr20) && ++ v->PHYCLKD18PerState[k] >= 20000.0 / 18.0) { ++ v->Outbpp = TruncToValidBPP( ++ (1.0 - v->Downspreading / 100.0) * 20000, ++ v->OutputLinkDPLanes[k], ++ v->HTotal[k], ++ v->HActive[k], ++ v->PixelClockBackEnd[k], ++ v->ForcedOutputLinkBPP[k], ++ v->LinkDSCEnable, ++ v->Output[k], ++ v->OutputFormat[k], ++ v->DSCInputBitPerComponent[k], ++ v->NumberOfDSCSlices[k], ++ v->AudioSampleRate[k], ++ v->AudioSampleLayout[k], ++ v->ODMCombineEnablePerState[i][k]); ++ if (v->Outbpp == BPP_INVALID && v->DSCEnable[k] == true && ++ v->ForcedOutputLinkBPP[k] == 0) { ++ v->RequiresDSC[i][k] = true; ++ v->LinkDSCEnable = true; ++ v->Outbpp = TruncToValidBPP( ++ (1.0 - v->Downspreading / 100.0) * 20000, ++ v->OutputLinkDPLanes[k], ++ v->HTotal[k], ++ v->HActive[k], ++ v->PixelClockBackEnd[k], ++ v->ForcedOutputLinkBPP[k], ++ v->LinkDSCEnable, ++ v->Output[k], ++ v->OutputFormat[k], ++ v->DSCInputBitPerComponent[k], ++ v->NumberOfDSCSlices[k], ++ v->AudioSampleRate[k], ++ v->AudioSampleLayout[k], ++ v->ODMCombineEnablePerState[i][k]); ++ } ++ v->OutputBppPerState[i][k] = v->Outbpp; ++ // TODO: Need some other way to handle this nonsense ++ // v->OutputTypeAndRatePerState[i][k] = v->Output[k] & " UHBR20" ++ } ++ } else { ++ v->Outbpp = BPP_INVALID; ++ if (v->PHYCLKPerState[i] >= 270.0) { ++ v->Outbpp = TruncToValidBPP( ++ (1.0 - v->Downspreading / 100.0) * 2700, ++ v->OutputLinkDPLanes[k], ++ v->HTotal[k], ++ v->HActive[k], ++ v->PixelClockBackEnd[k], ++ v->ForcedOutputLinkBPP[k], ++ v->LinkDSCEnable, ++ v->Output[k], ++ v->OutputFormat[k], ++ v->DSCInputBitPerComponent[k], ++ v->NumberOfDSCSlices[k], ++ v->AudioSampleRate[k], ++ v->AudioSampleLayout[k], ++ v->ODMCombineEnablePerState[i][k]); ++ v->OutputBppPerState[i][k] = v->Outbpp; ++ // TODO: Need some other way to handle this nonsense ++ // v->OutputTypeAndRatePerState[i][k] = v->Output[k] & " HBR" ++ } ++ if (v->Outbpp == BPP_INVALID && v->PHYCLKPerState[i] >= 540.0) { ++ v->Outbpp = TruncToValidBPP( ++ (1.0 - v->Downspreading / 100.0) * 5400, ++ v->OutputLinkDPLanes[k], ++ v->HTotal[k], ++ v->HActive[k], ++ v->PixelClockBackEnd[k], ++ v->ForcedOutputLinkBPP[k], ++ v->LinkDSCEnable, ++ v->Output[k], ++ v->OutputFormat[k], ++ v->DSCInputBitPerComponent[k], ++ v->NumberOfDSCSlices[k], ++ v->AudioSampleRate[k], ++ v->AudioSampleLayout[k], ++ v->ODMCombineEnablePerState[i][k]); ++ v->OutputBppPerState[i][k] = v->Outbpp; ++ // TODO: Need some other way to handle this nonsense ++ // v->OutputTypeAndRatePerState[i][k] = v->Output[k] & " HBR2" ++ } ++ if (v->Outbpp == BPP_INVALID && v->PHYCLKPerState[i] >= 810.0) { ++ v->Outbpp = TruncToValidBPP( ++ (1.0 - v->Downspreading / 100.0) * 8100, ++ v->OutputLinkDPLanes[k], ++ v->HTotal[k], ++ v->HActive[k], ++ v->PixelClockBackEnd[k], ++ v->ForcedOutputLinkBPP[k], ++ v->LinkDSCEnable, ++ v->Output[k], ++ v->OutputFormat[k], ++ v->DSCInputBitPerComponent[k], ++ v->NumberOfDSCSlices[k], ++ v->AudioSampleRate[k], ++ v->AudioSampleLayout[k], ++ v->ODMCombineEnablePerState[i][k]); ++ v->OutputBppPerState[i][k] = v->Outbpp; ++ // TODO: Need some other way to handle this nonsense ++ // v->OutputTypeAndRatePerState[i][k] = v->Output[k] & " HBR3" ++ } + } + } + } else { +diff --git a/drivers/gpu/drm/amd/display/dc/dml/dcn314/display_mode_vba_314.c b/drivers/gpu/drm/amd/display/dc/dml/dcn314/display_mode_vba_314.c +index 461ab6d2..daf31937 100644 +--- a/drivers/gpu/drm/amd/display/dc/dml/dcn314/display_mode_vba_314.c ++++ b/drivers/gpu/drm/amd/display/dc/dml/dcn314/display_mode_vba_314.c +@@ -4405,11 +4405,11 @@ void dml314_ModeSupportAndSystemConfigurationFull(struct display_mode_lib *mode_ + v->AudioSampleRate[k], + v->AudioSampleLayout[k], + v->ODMCombineEnablePerState[i][k]); +- } else if (v->Output[k] == dm_dp || v->Output[k] == dm_edp) { ++ } else if (v->Output[k] == dm_dp || v->Output[k] == dm_edp || v->Output[k] == dm_dp2p0) { + if (v->DSCEnable[k] == true) { + v->RequiresDSC[i][k] = true; + v->LinkDSCEnable = true; +- if (v->Output[k] == dm_dp) { ++ if (v->Output[k] == dm_dp || v->Output[k] == dm_dp2p0) { + v->RequiresFEC[i][k] = true; + } else { + v->RequiresFEC[i][k] = false; +@@ -4417,107 +4417,201 @@ void dml314_ModeSupportAndSystemConfigurationFull(struct display_mode_lib *mode_ + } else { + v->RequiresDSC[i][k] = false; + v->LinkDSCEnable = false; +- v->RequiresFEC[i][k] = false; +- } +- +- v->Outbpp = BPP_INVALID; +- if (v->PHYCLKPerState[i] >= 270.0) { +- v->Outbpp = TruncToValidBPP( +- (1.0 - v->Downspreading / 100.0) * 2700, +- v->OutputLinkDPLanes[k], +- v->HTotal[k], +- v->HActive[k], +- v->PixelClockBackEnd[k], +- v->ForcedOutputLinkBPP[k], +- v->LinkDSCEnable, +- v->Output[k], +- v->OutputFormat[k], +- v->DSCInputBitPerComponent[k], +- v->NumberOfDSCSlices[k], +- v->AudioSampleRate[k], +- v->AudioSampleLayout[k], +- v->ODMCombineEnablePerState[i][k]); +- v->OutputBppPerState[i][k] = v->Outbpp; +- // TODO: Need some other way to handle this nonsense +- // v->OutputTypeAndRatePerState[i][k] = v->Output[k] & " HBR" +- } +- if (v->Outbpp == BPP_INVALID && v->PHYCLKPerState[i] >= 540.0) { +- v->Outbpp = TruncToValidBPP( +- (1.0 - v->Downspreading / 100.0) * 5400, +- v->OutputLinkDPLanes[k], +- v->HTotal[k], +- v->HActive[k], +- v->PixelClockBackEnd[k], +- v->ForcedOutputLinkBPP[k], +- v->LinkDSCEnable, +- v->Output[k], +- v->OutputFormat[k], +- v->DSCInputBitPerComponent[k], +- v->NumberOfDSCSlices[k], +- v->AudioSampleRate[k], +- v->AudioSampleLayout[k], +- v->ODMCombineEnablePerState[i][k]); +- v->OutputBppPerState[i][k] = v->Outbpp; +- // TODO: Need some other way to handle this nonsense +- // v->OutputTypeAndRatePerState[i][k] = v->Output[k] & " HBR2" +- } +- if (v->Outbpp == BPP_INVALID && v->PHYCLKPerState[i] >= 810.0) { +- v->Outbpp = TruncToValidBPP( +- (1.0 - v->Downspreading / 100.0) * 8100, +- v->OutputLinkDPLanes[k], +- v->HTotal[k], +- v->HActive[k], +- v->PixelClockBackEnd[k], +- v->ForcedOutputLinkBPP[k], +- v->LinkDSCEnable, +- v->Output[k], +- v->OutputFormat[k], +- v->DSCInputBitPerComponent[k], +- v->NumberOfDSCSlices[k], +- v->AudioSampleRate[k], +- v->AudioSampleLayout[k], +- v->ODMCombineEnablePerState[i][k]); +- v->OutputBppPerState[i][k] = v->Outbpp; +- // TODO: Need some other way to handle this nonsense +- // v->OutputTypeAndRatePerState[i][k] = v->Output[k] & " HBR3" +- } +- if (v->Outbpp == BPP_INVALID && v->PHYCLKD18PerState[i] >= 10000.0 / 18) { +- v->Outbpp = TruncToValidBPP( +- (1.0 - v->Downspreading / 100.0) * 10000, +- 4, +- v->HTotal[k], +- v->HActive[k], +- v->PixelClockBackEnd[k], +- v->ForcedOutputLinkBPP[k], +- v->LinkDSCEnable, +- v->Output[k], +- v->OutputFormat[k], +- v->DSCInputBitPerComponent[k], +- v->NumberOfDSCSlices[k], +- v->AudioSampleRate[k], +- v->AudioSampleLayout[k], +- v->ODMCombineEnablePerState[i][k]); +- v->OutputBppPerState[i][k] = v->Outbpp; +- //v->OutputTypeAndRatePerState[i][k] = v->Output[k] & "10x4"; ++ if (v->Output[k] == dm_dp2p0) { ++ v->RequiresFEC[i][k] = true; ++ } else { ++ v->RequiresFEC[i][k] = false; ++ } + } +- if (v->Outbpp == BPP_INVALID && v->PHYCLKD18PerState[i] >= 12000.0 / 18) { +- v->Outbpp = TruncToValidBPP( +- 12000, +- 4, +- v->HTotal[k], +- v->HActive[k], +- v->PixelClockBackEnd[k], +- v->ForcedOutputLinkBPP[k], +- v->LinkDSCEnable, +- v->Output[k], +- v->OutputFormat[k], +- v->DSCInputBitPerComponent[k], +- v->NumberOfDSCSlices[k], +- v->AudioSampleRate[k], +- v->AudioSampleLayout[k], +- v->ODMCombineEnablePerState[i][k]); +- v->OutputBppPerState[i][k] = v->Outbpp; +- //v->OutputTypeAndRatePerState[i][k] = v->Output[k] & "12x4"; ++ if (v->Output[k] == dm_dp2p0) { ++ v->Outbpp = BPP_INVALID; ++ if ((v->OutputLinkDPRate[k] == dm_dp_rate_na || v->OutputLinkDPRate[k] == dm_dp_rate_uhbr10) && ++ v->PHYCLKD18PerState[k] >= 10000.0 / 18.0) { ++ v->Outbpp = TruncToValidBPP( ++ (1.0 - v->Downspreading / 100.0) * 10000, ++ v->OutputLinkDPLanes[k], ++ v->HTotal[k], ++ v->HActive[k], ++ v->PixelClockBackEnd[k], ++ v->ForcedOutputLinkBPP[k], ++ v->LinkDSCEnable, ++ v->Output[k], ++ v->OutputFormat[k], ++ v->DSCInputBitPerComponent[k], ++ v->NumberOfDSCSlices[k], ++ v->AudioSampleRate[k], ++ v->AudioSampleLayout[k], ++ v->ODMCombineEnablePerState[i][k]); ++ if (v->Outbpp == BPP_INVALID && v->PHYCLKD18PerState[k] < 13500.0 / 18.0 && ++ v->DSCEnable[k] == true && v->ForcedOutputLinkBPP[k] == 0) { ++ v->RequiresDSC[i][k] = true; ++ v->LinkDSCEnable = true; ++ v->Outbpp = TruncToValidBPP( ++ (1.0 - v->Downspreading / 100.0) * 10000, ++ v->OutputLinkDPLanes[k], ++ v->HTotal[k], ++ v->HActive[k], ++ v->PixelClockBackEnd[k], ++ v->ForcedOutputLinkBPP[k], ++ v->LinkDSCEnable, ++ v->Output[k], ++ v->OutputFormat[k], ++ v->DSCInputBitPerComponent[k], ++ v->NumberOfDSCSlices[k], ++ v->AudioSampleRate[k], ++ v->AudioSampleLayout[k], ++ v->ODMCombineEnablePerState[i][k]); ++ } ++ v->OutputBppPerState[i][k] = v->Outbpp; ++ // TODO: Need some other way to handle this nonsense ++ // v->OutputTypeAndRatePerState[i][k] = v->Output[k] & " UHBR10" ++ } ++ if (v->Outbpp == BPP_INVALID && ++ (v->OutputLinkDPRate[k] == dm_dp_rate_na || v->OutputLinkDPRate[k] == dm_dp_rate_uhbr13p5) && ++ v->PHYCLKD18PerState[k] >= 13500.0 / 18.0) { ++ v->Outbpp = TruncToValidBPP( ++ (1.0 - v->Downspreading / 100.0) * 13500, ++ v->OutputLinkDPLanes[k], ++ v->HTotal[k], ++ v->HActive[k], ++ v->PixelClockBackEnd[k], ++ v->ForcedOutputLinkBPP[k], ++ v->LinkDSCEnable, ++ v->Output[k], ++ v->OutputFormat[k], ++ v->DSCInputBitPerComponent[k], ++ v->NumberOfDSCSlices[k], ++ v->AudioSampleRate[k], ++ v->AudioSampleLayout[k], ++ v->ODMCombineEnablePerState[i][k]); ++ if (v->Outbpp == BPP_INVALID && v->PHYCLKD18PerState[k] < 20000.0 / 18.0 && ++ v->DSCEnable[k] == true && v->ForcedOutputLinkBPP[k] == 0) { ++ v->RequiresDSC[i][k] = true; ++ v->LinkDSCEnable = true; ++ v->Outbpp = TruncToValidBPP( ++ (1.0 - v->Downspreading / 100.0) * 13500, ++ v->OutputLinkDPLanes[k], ++ v->HTotal[k], ++ v->HActive[k], ++ v->PixelClockBackEnd[k], ++ v->ForcedOutputLinkBPP[k], ++ v->LinkDSCEnable, ++ v->Output[k], ++ v->OutputFormat[k], ++ v->DSCInputBitPerComponent[k], ++ v->NumberOfDSCSlices[k], ++ v->AudioSampleRate[k], ++ v->AudioSampleLayout[k], ++ v->ODMCombineEnablePerState[i][k]); ++ } ++ v->OutputBppPerState[i][k] = v->Outbpp; ++ // TODO: Need some other way to handle this nonsense ++ // v->OutputTypeAndRatePerState[i][k] = v->Output[k] & " UHBR13p5" ++ } ++ if (v->Outbpp == BPP_INVALID && ++ (v->OutputLinkDPRate[k] == dm_dp_rate_na || v->OutputLinkDPRate[k] == dm_dp_rate_uhbr20) && ++ v->PHYCLKD18PerState[k] >= 20000.0 / 18.0) { ++ v->Outbpp = TruncToValidBPP( ++ (1.0 - v->Downspreading / 100.0) * 20000, ++ v->OutputLinkDPLanes[k], ++ v->HTotal[k], ++ v->HActive[k], ++ v->PixelClockBackEnd[k], ++ v->ForcedOutputLinkBPP[k], ++ v->LinkDSCEnable, ++ v->Output[k], ++ v->OutputFormat[k], ++ v->DSCInputBitPerComponent[k], ++ v->NumberOfDSCSlices[k], ++ v->AudioSampleRate[k], ++ v->AudioSampleLayout[k], ++ v->ODMCombineEnablePerState[i][k]); ++ if (v->Outbpp == BPP_INVALID && v->DSCEnable[k] == true && ++ v->ForcedOutputLinkBPP[k] == 0) { ++ v->RequiresDSC[i][k] = true; ++ v->LinkDSCEnable = true; ++ v->Outbpp = TruncToValidBPP( ++ (1.0 - v->Downspreading / 100.0) * 20000, ++ v->OutputLinkDPLanes[k], ++ v->HTotal[k], ++ v->HActive[k], ++ v->PixelClockBackEnd[k], ++ v->ForcedOutputLinkBPP[k], ++ v->LinkDSCEnable, ++ v->Output[k], ++ v->OutputFormat[k], ++ v->DSCInputBitPerComponent[k], ++ v->NumberOfDSCSlices[k], ++ v->AudioSampleRate[k], ++ v->AudioSampleLayout[k], ++ v->ODMCombineEnablePerState[i][k]); ++ } ++ v->OutputBppPerState[i][k] = v->Outbpp; ++ // TODO: Need some other way to handle this nonsense ++ // v->OutputTypeAndRatePerState[i][k] = v->Output[k] & " UHBR20" ++ } ++ } else { ++ v->Outbpp = BPP_INVALID; ++ if (v->PHYCLKPerState[i] >= 270.0) { ++ v->Outbpp = TruncToValidBPP( ++ (1.0 - v->Downspreading / 100.0) * 2700, ++ v->OutputLinkDPLanes[k], ++ v->HTotal[k], ++ v->HActive[k], ++ v->PixelClockBackEnd[k], ++ v->ForcedOutputLinkBPP[k], ++ v->LinkDSCEnable, ++ v->Output[k], ++ v->OutputFormat[k], ++ v->DSCInputBitPerComponent[k], ++ v->NumberOfDSCSlices[k], ++ v->AudioSampleRate[k], ++ v->AudioSampleLayout[k], ++ v->ODMCombineEnablePerState[i][k]); ++ v->OutputBppPerState[i][k] = v->Outbpp; ++ // TODO: Need some other way to handle this nonsense ++ // v->OutputTypeAndRatePerState[i][k] = v->Output[k] & " HBR" ++ } ++ if (v->Outbpp == BPP_INVALID && v->PHYCLKPerState[i] >= 540.0) { ++ v->Outbpp = TruncToValidBPP( ++ (1.0 - v->Downspreading / 100.0) * 5400, ++ v->OutputLinkDPLanes[k], ++ v->HTotal[k], ++ v->HActive[k], ++ v->PixelClockBackEnd[k], ++ v->ForcedOutputLinkBPP[k], ++ v->LinkDSCEnable, ++ v->Output[k], ++ v->OutputFormat[k], ++ v->DSCInputBitPerComponent[k], ++ v->NumberOfDSCSlices[k], ++ v->AudioSampleRate[k], ++ v->AudioSampleLayout[k], ++ v->ODMCombineEnablePerState[i][k]); ++ v->OutputBppPerState[i][k] = v->Outbpp; ++ // TODO: Need some other way to handle this nonsense ++ // v->OutputTypeAndRatePerState[i][k] = v->Output[k] & " HBR2" ++ } ++ if (v->Outbpp == BPP_INVALID && v->PHYCLKPerState[i] >= 810.0) { ++ v->Outbpp = TruncToValidBPP( ++ (1.0 - v->Downspreading / 100.0) * 8100, ++ v->OutputLinkDPLanes[k], ++ v->HTotal[k], ++ v->HActive[k], ++ v->PixelClockBackEnd[k], ++ v->ForcedOutputLinkBPP[k], ++ v->LinkDSCEnable, ++ v->Output[k], ++ v->OutputFormat[k], ++ v->DSCInputBitPerComponent[k], ++ v->NumberOfDSCSlices[k], ++ v->AudioSampleRate[k], ++ v->AudioSampleLayout[k], ++ v->ODMCombineEnablePerState[i][k]); ++ v->OutputBppPerState[i][k] = v->Outbpp; ++ // TODO: Need some other way to handle this nonsense ++ // v->OutputTypeAndRatePerState[i][k] = v->Output[k] & " HBR3" ++ } + } + } + } else { +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-048-drm-amd-display-enable-DPG-when-disabling-plane.patch b/patches.kernel.org/6.3.4-048-drm-amd-display-enable-DPG-when-disabling-plane.patch new file mode 100644 index 0000000..da4f63d --- /dev/null +++ b/patches.kernel.org/6.3.4-048-drm-amd-display-enable-DPG-when-disabling-plane.patch @@ -0,0 +1,105 @@ +From: Samson Tam +Date: Fri, 27 Jan 2023 18:30:08 -0500 +Subject: [PATCH] drm/amd/display: enable DPG when disabling plane for phantom + pipe +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: f3f8f16b10f8258f1836e1110099097490a1d6c1 + +[ Upstream commit f3f8f16b10f8258f1836e1110099097490a1d6c1 ] + +[Why] +In disable_dangling_plane, for phantom pipes, we enable OTG so +disable programming gets the double buffer update. But this +causes an underflow to occur. + +[How] +Enable DPG prior to enabling OTG. + +Reviewed-by: Alvin Lee +Acked-by: Qingqing Zhuo +Signed-off-by: Samson Tam +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/gpu/drm/amd/display/dc/core/dc.c | 47 +++++++++++++++++++++++- + 1 file changed, 46 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/core/dc.c b/drivers/gpu/drm/amd/display/dc/core/dc.c +index d406d7b7..d4a1670a 100644 +--- a/drivers/gpu/drm/amd/display/dc/core/dc.c ++++ b/drivers/gpu/drm/amd/display/dc/core/dc.c +@@ -73,6 +73,8 @@ + + #include "dc_trace.h" + ++#include "hw_sequencer_private.h" ++ + #include "dce/dmub_outbox.h" + + #define CTX \ +@@ -1056,6 +1058,44 @@ static void apply_ctx_interdependent_lock(struct dc *dc, struct dc_state *contex + } + } + ++static void phantom_pipe_blank( ++ struct dc *dc, ++ struct timing_generator *tg, ++ int width, ++ int height) ++{ ++ struct dce_hwseq *hws = dc->hwseq; ++ enum dc_color_space color_space; ++ struct tg_color black_color = {0}; ++ struct output_pixel_processor *opp = NULL; ++ uint32_t num_opps, opp_id_src0, opp_id_src1; ++ uint32_t otg_active_width, otg_active_height; ++ ++ /* program opp dpg blank color */ ++ color_space = COLOR_SPACE_SRGB; ++ color_space_to_black_color(dc, color_space, &black_color); ++ ++ otg_active_width = width; ++ otg_active_height = height; ++ ++ /* get the OPTC source */ ++ tg->funcs->get_optc_source(tg, &num_opps, &opp_id_src0, &opp_id_src1); ++ ASSERT(opp_id_src0 < dc->res_pool->res_cap->num_opp); ++ opp = dc->res_pool->opps[opp_id_src0]; ++ ++ opp->funcs->opp_set_disp_pattern_generator( ++ opp, ++ CONTROLLER_DP_TEST_PATTERN_SOLID_COLOR, ++ CONTROLLER_DP_COLOR_SPACE_UDEFINED, ++ COLOR_DEPTH_UNDEFINED, ++ &black_color, ++ otg_active_width, ++ otg_active_height, ++ 0); ++ ++ hws->funcs.wait_for_blank_complete(opp); ++} ++ + static void disable_dangling_plane(struct dc *dc, struct dc_state *context) + { + int i, j; +@@ -1114,8 +1154,13 @@ static void disable_dangling_plane(struct dc *dc, struct dc_state *context) + * again for different use. + */ + if (old_stream->mall_stream_config.type == SUBVP_PHANTOM) { +- if (tg->funcs->enable_crtc) ++ if (tg->funcs->enable_crtc) { ++ int main_pipe_width, main_pipe_height; ++ main_pipe_width = old_stream->mall_stream_config.paired_stream->dst.width; ++ main_pipe_height = old_stream->mall_stream_config.paired_stream->dst.height; ++ phantom_pipe_blank(dc, tg, main_pipe_width, main_pipe_height); + tg->funcs->enable_crtc(tg); ++ } + } + dc_rem_all_planes_for_stream(dc, old_stream, dangling_context); + disable_all_writeback_pipes_for_stream(dc, old_stream, dangling_context); +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-049-platform-x86-x86-android-tablets-Add-Acer-Iconi.patch b/patches.kernel.org/6.3.4-049-platform-x86-x86-android-tablets-Add-Acer-Iconi.patch new file mode 100644 index 0000000..7d30da8 --- /dev/null +++ b/patches.kernel.org/6.3.4-049-platform-x86-x86-android-tablets-Add-Acer-Iconi.patch @@ -0,0 +1,158 @@ +From: Hans de Goede +Date: Mon, 13 Feb 2023 21:35:53 +0100 +Subject: [PATCH] platform/x86: x86-android-tablets: Add Acer Iconia One 7 + B1-750 data +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 2f0cf1e85ddb5ae17284050dc1adafb89e4f1d8f + +[ Upstream commit 2f0cf1e85ddb5ae17284050dc1adafb89e4f1d8f ] + +The Acer Iconia One 7 B1-750 is a x86 ACPI tablet which ships with Android +x86 as factory OS. Its DSDT contains a bunch of I2C devices which are not +actually there, causing various resource conflicts. Enumeration of these +is skipped through the acpi_quirk_skip_i2c_client_enumeration(). + +Add support for manually instantiating the I2C + other devices which are +actually present on this tablet by adding the necessary device info to +the x86-android-tablets module. + +Signed-off-by: Hans de Goede +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20230301092331.7038-2-hdegoede@redhat.com +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/platform/x86/x86-android-tablets.c | 101 +++++++++++++++++++-- + 1 file changed, 91 insertions(+), 10 deletions(-) + +diff --git a/drivers/platform/x86/x86-android-tablets.c b/drivers/platform/x86/x86-android-tablets.c +index 111b0076..8405e1c5 100644 +--- a/drivers/platform/x86/x86-android-tablets.c ++++ b/drivers/platform/x86/x86-android-tablets.c +@@ -265,6 +265,88 @@ static struct gpiod_lookup_table int3496_gpo2_pin22_gpios = { + }, + }; + ++static struct gpiod_lookup_table int3496_reference_gpios = { ++ .dev_id = "intel-int3496", ++ .table = { ++ GPIO_LOOKUP("INT33FC:01", 15, "vbus", GPIO_ACTIVE_HIGH), ++ GPIO_LOOKUP("INT33FC:02", 1, "mux", GPIO_ACTIVE_HIGH), ++ GPIO_LOOKUP("INT33FC:02", 18, "id", GPIO_ACTIVE_HIGH), ++ { } ++ }, ++}; ++ ++/* Acer Iconia One 7 B1-750 has an Android factory img with everything hardcoded */ ++static const char * const acer_b1_750_mount_matrix[] = { ++ "-1", "0", "0", ++ "0", "1", "0", ++ "0", "0", "1" ++}; ++ ++static const struct property_entry acer_b1_750_bma250e_props[] = { ++ PROPERTY_ENTRY_STRING_ARRAY("mount-matrix", acer_b1_750_mount_matrix), ++ { } ++}; ++ ++static const struct software_node acer_b1_750_bma250e_node = { ++ .properties = acer_b1_750_bma250e_props, ++}; ++ ++static const struct x86_i2c_client_info acer_b1_750_i2c_clients[] __initconst = { ++ { ++ /* Novatek NVT-ts touchscreen */ ++ .board_info = { ++ .type = "NVT-ts", ++ .addr = 0x34, ++ .dev_name = "NVT-ts", ++ }, ++ .adapter_path = "\\_SB_.I2C4", ++ .irq_data = { ++ .type = X86_ACPI_IRQ_TYPE_GPIOINT, ++ .chip = "INT33FC:02", ++ .index = 3, ++ .trigger = ACPI_EDGE_SENSITIVE, ++ .polarity = ACPI_ACTIVE_LOW, ++ }, ++ }, { ++ /* BMA250E accelerometer */ ++ .board_info = { ++ .type = "bma250e", ++ .addr = 0x18, ++ .swnode = &acer_b1_750_bma250e_node, ++ }, ++ .adapter_path = "\\_SB_.I2C3", ++ .irq_data = { ++ .type = X86_ACPI_IRQ_TYPE_GPIOINT, ++ .chip = "INT33FC:02", ++ .index = 25, ++ .trigger = ACPI_LEVEL_SENSITIVE, ++ .polarity = ACPI_ACTIVE_HIGH, ++ }, ++ }, ++}; ++ ++static struct gpiod_lookup_table acer_b1_750_goodix_gpios = { ++ .dev_id = "i2c-NVT-ts", ++ .table = { ++ GPIO_LOOKUP("INT33FC:01", 26, "reset", GPIO_ACTIVE_LOW), ++ { } ++ }, ++}; ++ ++static struct gpiod_lookup_table * const acer_b1_750_gpios[] = { ++ &acer_b1_750_goodix_gpios, ++ &int3496_reference_gpios, ++ NULL ++}; ++ ++static const struct x86_dev_info acer_b1_750_info __initconst = { ++ .i2c_client_info = acer_b1_750_i2c_clients, ++ .i2c_client_count = ARRAY_SIZE(acer_b1_750_i2c_clients), ++ .pdev_info = int3496_pdevs, ++ .pdev_count = ARRAY_SIZE(int3496_pdevs), ++ .gpiod_lookup_tables = acer_b1_750_gpios, ++}; ++ + /* + * Advantech MICA-071 + * This is a standard Windows tablet, but it has an extra "quick launch" button +@@ -1298,17 +1380,8 @@ static const struct x86_i2c_client_info nextbook_ares8_i2c_clients[] __initconst + }, + }; + +-static struct gpiod_lookup_table nextbook_ares8_int3496_gpios = { +- .dev_id = "intel-int3496", +- .table = { +- GPIO_LOOKUP("INT33FC:02", 1, "mux", GPIO_ACTIVE_HIGH), +- GPIO_LOOKUP("INT33FC:02", 18, "id", GPIO_ACTIVE_HIGH), +- { } +- }, +-}; +- + static struct gpiod_lookup_table * const nextbook_ares8_gpios[] = { +- &nextbook_ares8_int3496_gpios, ++ &int3496_reference_gpios, + NULL + }; + +@@ -1435,6 +1508,14 @@ static const struct x86_dev_info xiaomi_mipad2_info __initconst = { + }; + + static const struct dmi_system_id x86_android_tablet_ids[] __initconst = { ++ { ++ /* Acer Iconia One 7 B1-750 */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Insyde"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "VESPA2"), ++ }, ++ .driver_data = (void *)&acer_b1_750_info, ++ }, + { + /* Advantech MICA-071 */ + .matches = { +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-050-drm-amd-display-Enable-HostVM-based-on-rIOMMU-a.patch b/patches.kernel.org/6.3.4-050-drm-amd-display-Enable-HostVM-based-on-rIOMMU-a.patch new file mode 100644 index 0000000..5aee906 --- /dev/null +++ b/patches.kernel.org/6.3.4-050-drm-amd-display-Enable-HostVM-based-on-rIOMMU-a.patch @@ -0,0 +1,48 @@ +From: Gabe Teeger +Date: Thu, 23 Feb 2023 11:30:31 -0500 +Subject: [PATCH] drm/amd/display: Enable HostVM based on rIOMMU active +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 97fa4dfa66fdd52ad3d0c9fadeaaa1e87605bac7 + +[ Upstream commit 97fa4dfa66fdd52ad3d0c9fadeaaa1e87605bac7 ] + +[Why] +There is underflow and flickering occuring. The +underflow stops when hostvm is forced to active. +According to policy, hostvm should be enabled if riommu +is active, but this is not taken into account when +deciding whether to enable hostvm. + +[What] +For DCN314, set hostvm to true if riommu is active. + +Reviewed-by: Nicholas Kazlauskas +Acked-by: Qingqing Zhuo +Signed-off-by: Gabe Teeger +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/gpu/drm/amd/display/dc/dml/dcn314/dcn314_fpu.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/gpu/drm/amd/display/dc/dml/dcn314/dcn314_fpu.c b/drivers/gpu/drm/amd/display/dc/dml/dcn314/dcn314_fpu.c +index 3bbc46a6..28163f7a 100644 +--- a/drivers/gpu/drm/amd/display/dc/dml/dcn314/dcn314_fpu.c ++++ b/drivers/gpu/drm/amd/display/dc/dml/dcn314/dcn314_fpu.c +@@ -308,6 +308,10 @@ int dcn314_populate_dml_pipes_from_context_fpu(struct dc *dc, struct dc_state *c + pipe->plane_state->src_rect.width < pipe->plane_state->dst_rect.width)) + upscaled = true; + ++ /* Apply HostVM policy - either based on hypervisor globally enabled, or rIOMMU active */ ++ if (dc->debug.dml_hostvm_override == DML_HOSTVM_NO_OVERRIDE) ++ pipes[i].pipe.src.hostvm = dc->vm_pa_config.is_hvm_enabled || dc->res_pool->hubbub->riommu_active; ++ + /* + * Immediate flip can be set dynamically after enabling the plane. + * We need to require support for immediate flip or underflow can be +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-051-drm-amd-display-Use-DC_LOG_DC-in-the-trasform-p.patch b/patches.kernel.org/6.3.4-051-drm-amd-display-Use-DC_LOG_DC-in-the-trasform-p.patch new file mode 100644 index 0000000..0a8ab72 --- /dev/null +++ b/patches.kernel.org/6.3.4-051-drm-amd-display-Use-DC_LOG_DC-in-the-trasform-p.patch @@ -0,0 +1,110 @@ +From: Rodrigo Siqueira +Date: Tue, 1 Nov 2022 10:20:09 -0400 +Subject: [PATCH] drm/amd/display: Use DC_LOG_DC in the trasform pixel function +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 7222f5841ff49709ca666b05ff336776e0664a20 + +[ Upstream commit 7222f5841ff49709ca666b05ff336776e0664a20 ] + +[Why & How] +DC now uses a new commit sequence which is more robust since it +addresses cases where we need to reorganize pipes based on planes and +other parameters. As a result, this new commit sequence reset the DC +state by cleaning plane states and re-creating them accordingly with the +need. For this reason, the dce_transform_set_pixel_storage_depth can be +invoked after a plane state is destroyed and before its re-creation. In +this situation and on DCE devices, DC will hit a condition that will +trigger a dmesg log that looks like this: + +Console: switching to colour frame buffer device 240x67 +------------[ cut here ]------------ +[..] +Hardware name: System manufacturer System Product Name/PRIME X370-PRO, BIOS 5603 07/28/2020 +RIP: 0010:dce_transform_set_pixel_storage_depth+0x3f8/0x480 [amdgpu] +[..] +RSP: 0018:ffffc9000202b850 EFLAGS: 00010293 +RAX: ffffffffa081d100 RBX: ffff888110790000 RCX: 000000000000000c +RDX: ffff888100bedbf8 RSI: 0000000000001a50 RDI: ffff88810463c900 +RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000007 +R10: 0000000000000001 R11: 0000000000000f00 R12: ffff88810f500010 +R13: ffff888100bedbf8 R14: ffff88810f515688 R15: 0000000000000000 +FS: 00007ff0159249c0(0000) GS:ffff88840e940000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007ff01528e550 CR3: 0000000002a10000 CR4: 00000000003506e0 +Call Trace: + + ? dm_write_reg_func+0x21/0x80 [amdgpu 340dadd3f7c8cf4be11cf0bdc850245e99abe0e8] + dc_stream_set_dither_option+0xfb/0x130 [amdgpu 340dadd3f7c8cf4be11cf0bdc850245e99abe0e8] + amdgpu_dm_crtc_configure_crc_source+0x10b/0x190 [amdgpu 340dadd3f7c8cf4be11cf0bdc850245e99abe0e8] + amdgpu_dm_atomic_commit_tail+0x20a8/0x2a90 [amdgpu 340dadd3f7c8cf4be11cf0bdc850245e99abe0e8] + ? free_unref_page_commit+0x98/0x170 + ? free_unref_page+0xcc/0x150 + commit_tail+0x94/0x120 + drm_atomic_helper_commit+0x10f/0x140 + drm_atomic_commit+0x94/0xc0 + ? drm_plane_get_damage_clips.cold+0x1c/0x1c + drm_client_modeset_commit_atomic+0x203/0x250 + drm_client_modeset_commit_locked+0x56/0x150 + drm_client_modeset_commit+0x21/0x40 + drm_fb_helper_lastclose+0x42/0x70 + amdgpu_driver_lastclose_kms+0xa/0x10 [amdgpu 340dadd3f7c8cf4be11cf0bdc850245e99abe0e8] + drm_release+0xda/0x110 + __fput+0x89/0x240 + task_work_run+0x5c/0x90 + do_exit+0x333/0xae0 + do_group_exit+0x2d/0x90 + __x64_sys_exit_group+0x14/0x20 + do_syscall_64+0x5b/0x80 + ? exit_to_user_mode_prepare+0x1e/0x140 + entry_SYSCALL_64_after_hwframe+0x44/0xae +RIP: 0033:0x7ff016ceaca1 +Code: Unable to access opcode bytes at RIP 0x7ff016ceac77. +RSP: 002b:00007ffe7a2357e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 +RAX: ffffffffffffffda RBX: 00007ff016e15a00 RCX: 00007ff016ceaca1 +RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000 +RBP: 0000000000000000 R08: ffffffffffffff78 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 00007ff016e15a00 +R13: 0000000000000000 R14: 00007ff016e1aee8 R15: 00007ff016e1af00 + + +Since this issue only happens in a transition state on DC, this commit +replace BREAK_TO_DEBUGGER with DC_LOG_DC. + +Reviewed-by: Harry Wentland +Acked-by: Qingqing Zhuo +Signed-off-by: Rodrigo Siqueira +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/gpu/drm/amd/display/dc/dce/dce_transform.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/dce/dce_transform.c b/drivers/gpu/drm/amd/display/dc/dce/dce_transform.c +index d9fd4ec6..670d5ab9 100644 +--- a/drivers/gpu/drm/amd/display/dc/dce/dce_transform.c ++++ b/drivers/gpu/drm/amd/display/dc/dce/dce_transform.c +@@ -1009,7 +1009,7 @@ static void dce_transform_set_pixel_storage_depth( + color_depth = COLOR_DEPTH_101010; + pixel_depth = 0; + expan_mode = 1; +- BREAK_TO_DEBUGGER(); ++ DC_LOG_DC("The pixel depth %d is not valid, set COLOR_DEPTH_101010 instead.", depth); + break; + } + +@@ -1023,8 +1023,7 @@ static void dce_transform_set_pixel_storage_depth( + if (!(xfm_dce->lb_pixel_depth_supported & depth)) { + /*we should use unsupported capabilities + * unless it is required by w/a*/ +- DC_LOG_WARNING("%s: Capability not supported", +- __func__); ++ DC_LOG_DC("%s: Capability not supported", __func__); + } + } + +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-052-regmap-cache-Return-error-in-cache-sync-operati.patch b/patches.kernel.org/6.3.4-052-regmap-cache-Return-error-in-cache-sync-operati.patch new file mode 100644 index 0000000..6e1ff25 --- /dev/null +++ b/patches.kernel.org/6.3.4-052-regmap-cache-Return-error-in-cache-sync-operati.patch @@ -0,0 +1,50 @@ +From: Alexander Stein +Date: Mon, 13 Mar 2023 08:18:11 +0100 +Subject: [PATCH] regmap: cache: Return error in cache sync operations for + REGCACHE_NONE +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: fd883d79e4dcd2417c2b80756f22a2ff03b0f6e0 + +[ Upstream commit fd883d79e4dcd2417c2b80756f22a2ff03b0f6e0 ] + +There is no sense in doing a cache sync on REGCACHE_NONE regmaps. +Instead of panicking the kernel due to missing cache_ops, return an error +to client driver. + +Signed-off-by: Alexander Stein +Link: https://lore.kernel.org/r/20230313071812.13577-1-alexander.stein@ew.tq-group.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/base/regmap/regcache.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/base/regmap/regcache.c b/drivers/base/regmap/regcache.c +index 362e043e..8031007b 100644 +--- a/drivers/base/regmap/regcache.c ++++ b/drivers/base/regmap/regcache.c +@@ -349,6 +349,9 @@ int regcache_sync(struct regmap *map) + const char *name; + bool bypass; + ++ if (WARN_ON(map->cache_type == REGCACHE_NONE)) ++ return -EINVAL; ++ + BUG_ON(!map->cache_ops); + + map->lock(map->lock_arg); +@@ -418,6 +421,9 @@ int regcache_sync_region(struct regmap *map, unsigned int min, + const char *name; + bool bypass; + ++ if (WARN_ON(map->cache_type == REGCACHE_NONE)) ++ return -EINVAL; ++ + BUG_ON(!map->cache_ops); + + map->lock(map->lock_arg); +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-053-remoteproc-imx_dsp_rproc-Add-custom-memory-copy.patch b/patches.kernel.org/6.3.4-053-remoteproc-imx_dsp_rproc-Add-custom-memory-copy.patch new file mode 100644 index 0000000..5248a77 --- /dev/null +++ b/patches.kernel.org/6.3.4-053-remoteproc-imx_dsp_rproc-Add-custom-memory-copy.patch @@ -0,0 +1,234 @@ +From: Iuliana Prodan +Date: Tue, 21 Feb 2023 19:03:56 +0200 +Subject: [PATCH] remoteproc: imx_dsp_rproc: Add custom memory copy + implementation for i.MX DSP Cores +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 408ec1ff0caa340c57eecf4cbd14ef0132036a50 + +[ Upstream commit 408ec1ff0caa340c57eecf4cbd14ef0132036a50 ] + +The IRAM is part of the HiFi DSP. +According to hardware specification only 32-bits write are allowed +otherwise we get a Kernel panic. + +Therefore add a custom memory copy and memset functions to deal with +the above restriction. + +Signed-off-by: Iuliana Prodan +Link: https://lore.kernel.org/r/20230221170356.27923-1-iuliana.prodan@oss.nxp.com +Signed-off-by: Mathieu Poirier +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/remoteproc/imx_dsp_rproc.c | 187 ++++++++++++++++++++++++++++- + 1 file changed, 186 insertions(+), 1 deletion(-) + +diff --git a/drivers/remoteproc/imx_dsp_rproc.c b/drivers/remoteproc/imx_dsp_rproc.c +index 506ec956..e8e23f6b 100644 +--- a/drivers/remoteproc/imx_dsp_rproc.c ++++ b/drivers/remoteproc/imx_dsp_rproc.c +@@ -721,6 +721,191 @@ static void imx_dsp_rproc_kick(struct rproc *rproc, int vqid) + dev_err(dev, "%s: failed (%d, err:%d)\n", __func__, vqid, err); + } + ++/* ++ * Custom memory copy implementation for i.MX DSP Cores ++ * ++ * The IRAM is part of the HiFi DSP. ++ * According to hw specs only 32-bits writes are allowed. ++ */ ++static int imx_dsp_rproc_memcpy(void *dest, const void *src, size_t size) ++{ ++ const u8 *src_byte = src; ++ const u32 *source = src; ++ u32 affected_mask; ++ u32 *dst = dest; ++ int i, q, r; ++ u32 tmp; ++ ++ /* destination must be 32bit aligned */ ++ if (!IS_ALIGNED((uintptr_t)dest, 4)) ++ return -EINVAL; ++ ++ q = size / 4; ++ r = size % 4; ++ ++ /* copy data in units of 32 bits at a time */ ++ for (i = 0; i < q; i++) ++ writel(source[i], &dst[i]); ++ ++ if (r) { ++ affected_mask = GENMASK(8 * r, 0); ++ ++ /* ++ * first read the 32bit data of dest, then change affected ++ * bytes, and write back to dest. ++ * For unaffected bytes, it should not be changed ++ */ ++ tmp = readl(dest + q * 4); ++ tmp &= ~affected_mask; ++ ++ /* avoid reading after end of source */ ++ for (i = 0; i < r; i++) ++ tmp |= (src_byte[q * 4 + i] << (8 * i)); ++ ++ writel(tmp, dest + q * 4); ++ } ++ ++ return 0; ++} ++ ++/* ++ * Custom memset implementation for i.MX DSP Cores ++ * ++ * The IRAM is part of the HiFi DSP. ++ * According to hw specs only 32-bits writes are allowed. ++ */ ++static int imx_dsp_rproc_memset(void *addr, u8 value, size_t size) ++{ ++ u32 tmp_val = value; ++ u32 *tmp_dst = addr; ++ u32 affected_mask; ++ int q, r; ++ u32 tmp; ++ ++ /* destination must be 32bit aligned */ ++ if (!IS_ALIGNED((uintptr_t)addr, 4)) ++ return -EINVAL; ++ ++ tmp_val |= tmp_val << 8; ++ tmp_val |= tmp_val << 16; ++ ++ q = size / 4; ++ r = size % 4; ++ ++ while (q--) ++ writel(tmp_val, tmp_dst++); ++ ++ if (r) { ++ affected_mask = GENMASK(8 * r, 0); ++ ++ /* ++ * first read the 32bit data of addr, then change affected ++ * bytes, and write back to addr. ++ * For unaffected bytes, it should not be changed ++ */ ++ tmp = readl(tmp_dst); ++ tmp &= ~affected_mask; ++ ++ tmp |= (tmp_val & affected_mask); ++ writel(tmp, tmp_dst); ++ } ++ ++ return 0; ++} ++ ++/* ++ * imx_dsp_rproc_elf_load_segments() - load firmware segments to memory ++ * @rproc: remote processor which will be booted using these fw segments ++ * @fw: the ELF firmware image ++ * ++ * This function loads the firmware segments to memory, where the remote ++ * processor expects them. ++ * ++ * Return: 0 on success and an appropriate error code otherwise ++ */ ++static int imx_dsp_rproc_elf_load_segments(struct rproc *rproc, const struct firmware *fw) ++{ ++ struct device *dev = &rproc->dev; ++ const void *ehdr, *phdr; ++ int i, ret = 0; ++ u16 phnum; ++ const u8 *elf_data = fw->data; ++ u8 class = fw_elf_get_class(fw); ++ u32 elf_phdr_get_size = elf_size_of_phdr(class); ++ ++ ehdr = elf_data; ++ phnum = elf_hdr_get_e_phnum(class, ehdr); ++ phdr = elf_data + elf_hdr_get_e_phoff(class, ehdr); ++ ++ /* go through the available ELF segments */ ++ for (i = 0; i < phnum; i++, phdr += elf_phdr_get_size) { ++ u64 da = elf_phdr_get_p_paddr(class, phdr); ++ u64 memsz = elf_phdr_get_p_memsz(class, phdr); ++ u64 filesz = elf_phdr_get_p_filesz(class, phdr); ++ u64 offset = elf_phdr_get_p_offset(class, phdr); ++ u32 type = elf_phdr_get_p_type(class, phdr); ++ void *ptr; ++ ++ if (type != PT_LOAD || !memsz) ++ continue; ++ ++ dev_dbg(dev, "phdr: type %d da 0x%llx memsz 0x%llx filesz 0x%llx\n", ++ type, da, memsz, filesz); ++ ++ if (filesz > memsz) { ++ dev_err(dev, "bad phdr filesz 0x%llx memsz 0x%llx\n", ++ filesz, memsz); ++ ret = -EINVAL; ++ break; ++ } ++ ++ if (offset + filesz > fw->size) { ++ dev_err(dev, "truncated fw: need 0x%llx avail 0x%zx\n", ++ offset + filesz, fw->size); ++ ret = -EINVAL; ++ break; ++ } ++ ++ if (!rproc_u64_fit_in_size_t(memsz)) { ++ dev_err(dev, "size (%llx) does not fit in size_t type\n", ++ memsz); ++ ret = -EOVERFLOW; ++ break; ++ } ++ ++ /* grab the kernel address for this device address */ ++ ptr = rproc_da_to_va(rproc, da, memsz, NULL); ++ if (!ptr) { ++ dev_err(dev, "bad phdr da 0x%llx mem 0x%llx\n", da, ++ memsz); ++ ret = -EINVAL; ++ break; ++ } ++ ++ /* put the segment where the remote processor expects it */ ++ if (filesz) { ++ ret = imx_dsp_rproc_memcpy(ptr, elf_data + offset, filesz); ++ if (ret) { ++ dev_err(dev, "memory copy failed for da 0x%llx memsz 0x%llx\n", ++ da, memsz); ++ break; ++ } ++ } ++ ++ /* zero out remaining memory for this segment */ ++ if (memsz > filesz) { ++ ret = imx_dsp_rproc_memset(ptr + filesz, 0, memsz - filesz); ++ if (ret) { ++ dev_err(dev, "memset failed for da 0x%llx memsz 0x%llx\n", ++ da, memsz); ++ break; ++ } ++ } ++ } ++ ++ return ret; ++} ++ + static int imx_dsp_rproc_parse_fw(struct rproc *rproc, const struct firmware *fw) + { + if (rproc_elf_load_rsc_table(rproc, fw)) +@@ -735,7 +920,7 @@ static const struct rproc_ops imx_dsp_rproc_ops = { + .start = imx_dsp_rproc_start, + .stop = imx_dsp_rproc_stop, + .kick = imx_dsp_rproc_kick, +- .load = rproc_elf_load_segments, ++ .load = imx_dsp_rproc_elf_load_segments, + .parse_fw = imx_dsp_rproc_parse_fw, + .sanity_check = rproc_elf_sanity_check, + .get_boot_addr = rproc_elf_get_boot_addr, +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-054-arm64-dts-qcom-msm8996-Add-missing-DWC3-quirks.patch b/patches.kernel.org/6.3.4-054-arm64-dts-qcom-msm8996-Add-missing-DWC3-quirks.patch new file mode 100644 index 0000000..8207af5 --- /dev/null +++ b/patches.kernel.org/6.3.4-054-arm64-dts-qcom-msm8996-Add-missing-DWC3-quirks.patch @@ -0,0 +1,40 @@ +From: Konrad Dybcio +Date: Thu, 2 Mar 2023 02:18:49 +0100 +Subject: [PATCH] arm64: dts: qcom: msm8996: Add missing DWC3 quirks +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: d0af0537e28f6eace02deed63b585396de939213 + +[ Upstream commit d0af0537e28f6eace02deed63b585396de939213 ] + +Add missing dwc3 quirks from msm-3.18. Unfortunately, none of them +make `dwc3-qcom 6af8800.usb: HS-PHY not in L2` go away. + +Signed-off-by: Konrad Dybcio +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20230302011849.1873056-1-konrad.dybcio@linaro.org +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + arch/arm64/boot/dts/qcom/msm8996.dtsi | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/arch/arm64/boot/dts/qcom/msm8996.dtsi b/arch/arm64/boot/dts/qcom/msm8996.dtsi +index 66af9526..73da1a4d 100644 +--- a/arch/arm64/boot/dts/qcom/msm8996.dtsi ++++ b/arch/arm64/boot/dts/qcom/msm8996.dtsi +@@ -3006,8 +3006,11 @@ usb3_dwc3: usb@6a00000 { + interrupts = <0 131 IRQ_TYPE_LEVEL_HIGH>; + phys = <&hsusb_phy1>, <&ssusb_phy_0>; + phy-names = "usb2-phy", "usb3-phy"; ++ snps,hird-threshold = /bits/ 8 <0>; + snps,dis_u2_susphy_quirk; + snps,dis_enblslpm_quirk; ++ snps,is-utmi-l1-suspend; ++ tx-fifo-resize; + }; + }; + +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-055-accel-habanalabs-postpone-mem_mgr-IDR-destructi.patch b/patches.kernel.org/6.3.4-055-accel-habanalabs-postpone-mem_mgr-IDR-destructi.patch new file mode 100644 index 0000000..dcb1e81 --- /dev/null +++ b/patches.kernel.org/6.3.4-055-accel-habanalabs-postpone-mem_mgr-IDR-destructi.patch @@ -0,0 +1,125 @@ +From: Tomer Tayar +Date: Wed, 1 Mar 2023 17:45:58 +0200 +Subject: [PATCH] accel/habanalabs: postpone mem_mgr IDR destruction to + hpriv_release() +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 2e8e9a895c4589f124a37fc84d123b5114406e94 + +[ Upstream commit 2e8e9a895c4589f124a37fc84d123b5114406e94 ] + +The memory manager IDR is currently destroyed when user releases the +file descriptor. +However, at this point the user context might be still held, and memory +buffers might be still in use. +Later on, calls to release those buffers will fail due to not finding +their handles in the IDR, leading to a memory leak. +To avoid this leak, split the IDR destruction from the memory manager +fini, and postpone it to hpriv_release() when there is no user context +and no buffers are used. + +Signed-off-by: Tomer Tayar +Reviewed-by: Oded Gabbay +Signed-off-by: Oded Gabbay +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/accel/habanalabs/common/device.c | 9 +++++++++ + drivers/accel/habanalabs/common/habanalabs.h | 1 + + drivers/accel/habanalabs/common/habanalabs_drv.c | 1 + + drivers/accel/habanalabs/common/memory_mgr.c | 13 ++++++++++++- + 4 files changed, 23 insertions(+), 1 deletion(-) + +diff --git a/drivers/accel/habanalabs/common/device.c b/drivers/accel/habanalabs/common/device.c +index 9933e585..c9143660 100644 +--- a/drivers/accel/habanalabs/common/device.c ++++ b/drivers/accel/habanalabs/common/device.c +@@ -423,6 +423,9 @@ static void hpriv_release(struct kref *ref) + mutex_destroy(&hpriv->ctx_lock); + mutex_destroy(&hpriv->restore_phase_mutex); + ++ /* There should be no memory buffers at this point and handles IDR can be destroyed */ ++ hl_mem_mgr_idr_destroy(&hpriv->mem_mgr); ++ + /* Device should be reset if reset-upon-device-release is enabled, or if there is a pending + * reset that waits for device release. + */ +@@ -514,6 +517,10 @@ static int hl_device_release(struct inode *inode, struct file *filp) + } + + hl_ctx_mgr_fini(hdev, &hpriv->ctx_mgr); ++ ++ /* Memory buffers might be still in use at this point and thus the handles IDR destruction ++ * is postponed to hpriv_release(). ++ */ + hl_mem_mgr_fini(&hpriv->mem_mgr); + + hdev->compute_ctx_in_release = 1; +@@ -887,6 +894,7 @@ static int device_early_init(struct hl_device *hdev) + + free_cb_mgr: + hl_mem_mgr_fini(&hdev->kernel_mem_mgr); ++ hl_mem_mgr_idr_destroy(&hdev->kernel_mem_mgr); + free_chip_info: + kfree(hdev->hl_chip_info); + free_prefetch_wq: +@@ -930,6 +938,7 @@ static void device_early_fini(struct hl_device *hdev) + mutex_destroy(&hdev->clk_throttling.lock); + + hl_mem_mgr_fini(&hdev->kernel_mem_mgr); ++ hl_mem_mgr_idr_destroy(&hdev->kernel_mem_mgr); + + kfree(hdev->hl_chip_info); + +diff --git a/drivers/accel/habanalabs/common/habanalabs.h b/drivers/accel/habanalabs/common/habanalabs.h +index fa05e76d..829b30ab 100644 +--- a/drivers/accel/habanalabs/common/habanalabs.h ++++ b/drivers/accel/habanalabs/common/habanalabs.h +@@ -3861,6 +3861,7 @@ const char *hl_sync_engine_to_string(enum hl_sync_engine_type engine_type); + + void hl_mem_mgr_init(struct device *dev, struct hl_mem_mgr *mmg); + void hl_mem_mgr_fini(struct hl_mem_mgr *mmg); ++void hl_mem_mgr_idr_destroy(struct hl_mem_mgr *mmg); + int hl_mem_mgr_mmap(struct hl_mem_mgr *mmg, struct vm_area_struct *vma, + void *args); + struct hl_mmap_mem_buf *hl_mmap_mem_buf_get(struct hl_mem_mgr *mmg, +diff --git a/drivers/accel/habanalabs/common/habanalabs_drv.c b/drivers/accel/habanalabs/common/habanalabs_drv.c +index 03dae57d..e3781cfe 100644 +--- a/drivers/accel/habanalabs/common/habanalabs_drv.c ++++ b/drivers/accel/habanalabs/common/habanalabs_drv.c +@@ -237,6 +237,7 @@ int hl_device_open(struct inode *inode, struct file *filp) + out_err: + mutex_unlock(&hdev->fpriv_list_lock); + hl_mem_mgr_fini(&hpriv->mem_mgr); ++ hl_mem_mgr_idr_destroy(&hpriv->mem_mgr); + hl_ctx_mgr_fini(hpriv->hdev, &hpriv->ctx_mgr); + filp->private_data = NULL; + mutex_destroy(&hpriv->ctx_lock); +diff --git a/drivers/accel/habanalabs/common/memory_mgr.c b/drivers/accel/habanalabs/common/memory_mgr.c +index 0f2759e2..f8e8261c 100644 +--- a/drivers/accel/habanalabs/common/memory_mgr.c ++++ b/drivers/accel/habanalabs/common/memory_mgr.c +@@ -341,8 +341,19 @@ void hl_mem_mgr_fini(struct hl_mem_mgr *mmg) + "%s: Buff handle %u for CTX is still alive\n", + topic, id); + } ++} + +- /* TODO: can it happen that some buffer is still in use at this point? */ ++/** ++ * hl_mem_mgr_idr_destroy() - destroy memory manager IDR. ++ * @mmg: parent unified memory manager ++ * ++ * Destroy the memory manager IDR. ++ * Shall be called when IDR is empty and no memory buffers are in use. ++ */ ++void hl_mem_mgr_idr_destroy(struct hl_mem_mgr *mmg) ++{ ++ if (!idr_is_empty(&mmg->handles)) ++ dev_crit(mmg->dev, "memory manager IDR is destroyed while it is not empty!\n"); + + idr_destroy(&mmg->handles); + } +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-056-drm-amd-display-reallocate-DET-for-dual-display.patch b/patches.kernel.org/6.3.4-056-drm-amd-display-reallocate-DET-for-dual-display.patch new file mode 100644 index 0000000..58166aa --- /dev/null +++ b/patches.kernel.org/6.3.4-056-drm-amd-display-reallocate-DET-for-dual-display.patch @@ -0,0 +1,119 @@ +From: Samson Tam +Date: Tue, 28 Feb 2023 14:33:00 -0500 +Subject: [PATCH] drm/amd/display: reallocate DET for dual displays with high + pixel rate ratio +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 5f3401eeb064fab5ce50728cce46532cce7a85c5 + +[ Upstream commit 5f3401eeb064fab5ce50728cce46532cce7a85c5 ] + +[Why] +For dual displays where pixel rate is much higher on one display, +we may get underflow when DET is evenly allocated. + +[How] +Allocate less DET segments for the lower pixel rate display and +more DET segments for the higher pixel rate display + +Reviewed-by: Alvin Lee +Acked-by: Qingqing Zhuo +Signed-off-by: Samson Tam +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + .../display/dc/dcn32/dcn32_resource_helpers.c | 43 ++++++++++++++++++- + 1 file changed, 42 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/dcn32/dcn32_resource_helpers.c b/drivers/gpu/drm/amd/display/dc/dcn32/dcn32_resource_helpers.c +index 3a2d7bcc..8310bcf6 100644 +--- a/drivers/gpu/drm/amd/display/dc/dcn32/dcn32_resource_helpers.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn32/dcn32_resource_helpers.c +@@ -261,6 +261,8 @@ bool dcn32_is_psr_capable(struct pipe_ctx *pipe) + return psr_capable; + } + ++#define DCN3_2_NEW_DET_OVERRIDE_MIN_MULTIPLIER 7 ++ + /** + * ******************************************************************************************* + * dcn32_determine_det_override: Determine DET allocation for each pipe +@@ -272,7 +274,6 @@ bool dcn32_is_psr_capable(struct pipe_ctx *pipe) + * If there is a plane that's driven by more than 1 pipe (i.e. pipe split), then the + * number of DET for that given plane will be split among the pipes driving that plane. + * +- * + * High level algorithm: + * 1. Split total DET among number of streams + * 2. For each stream, split DET among the planes +@@ -280,6 +281,18 @@ bool dcn32_is_psr_capable(struct pipe_ctx *pipe) + * among those pipes. + * 4. Assign the DET override to the DML pipes. + * ++ * Special cases: ++ * ++ * For two displays that have a large difference in pixel rate, we may experience ++ * underflow on the larger display when we divide the DET equally. For this, we ++ * will implement a modified algorithm to assign more DET to larger display. ++ * ++ * 1. Calculate difference in pixel rates ( multiplier ) between two displays ++ * 2. If the multiplier exceeds DCN3_2_NEW_DET_OVERRIDE_MIN_MULTIPLIER, then ++ * implement the modified DET override algorithm. ++ * 3. Assign smaller DET size for lower pixel display and higher DET size for ++ * higher pixel display ++ * + * @param [in]: dc: Current DC state + * @param [in]: context: New DC state to be programmed + * @param [in]: pipes: Array of DML pipes +@@ -299,18 +312,46 @@ void dcn32_determine_det_override(struct dc *dc, + struct dc_plane_state *current_plane = NULL; + uint8_t stream_count = 0; + ++ int phy_pix_clk_mult, lower_mode_stream_index; ++ int phy_pix_clk[MAX_PIPES] = {0}; ++ bool use_new_det_override_algorithm = false; ++ + for (i = 0; i < context->stream_count; i++) { + /* Don't count SubVP streams for DET allocation */ + if (context->streams[i]->mall_stream_config.type != SUBVP_PHANTOM) { ++ phy_pix_clk[i] = context->streams[i]->phy_pix_clk; + stream_count++; + } + } + ++ /* Check for special case with two displays, one with much higher pixel rate */ ++ if (stream_count == 2) { ++ ASSERT(!phy_pix_clk[0] || !phy_pix_clk[1]); ++ if (phy_pix_clk[0] < phy_pix_clk[1]) { ++ lower_mode_stream_index = 0; ++ phy_pix_clk_mult = phy_pix_clk[1] / phy_pix_clk[0]; ++ } else { ++ lower_mode_stream_index = 1; ++ phy_pix_clk_mult = phy_pix_clk[0] / phy_pix_clk[1]; ++ } ++ ++ if (phy_pix_clk_mult >= DCN3_2_NEW_DET_OVERRIDE_MIN_MULTIPLIER) ++ use_new_det_override_algorithm = true; ++ } ++ + if (stream_count > 0) { + stream_segments = 18 / stream_count; + for (i = 0; i < context->stream_count; i++) { + if (context->streams[i]->mall_stream_config.type == SUBVP_PHANTOM) + continue; ++ ++ if (use_new_det_override_algorithm) { ++ if (i == lower_mode_stream_index) ++ stream_segments = 4; ++ else ++ stream_segments = 14; ++ } ++ + if (context->stream_status[i].plane_count > 0) + plane_segments = stream_segments / context->stream_status[i].plane_count; + else +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-057-media-imx-jpeg-Bounds-check-sizeimage-access.patch b/patches.kernel.org/6.3.4-057-media-imx-jpeg-Bounds-check-sizeimage-access.patch new file mode 100644 index 0000000..698fd4b --- /dev/null +++ b/patches.kernel.org/6.3.4-057-media-imx-jpeg-Bounds-check-sizeimage-access.patch @@ -0,0 +1,77 @@ +From: Kees Cook +Date: Sat, 4 Feb 2023 19:38:05 +0100 +Subject: [PATCH] media: imx-jpeg: Bounds check sizeimage access +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 474acc639fc8671fa4c1919d9e03253c82b6d321 + +[ Upstream commit 474acc639fc8671fa4c1919d9e03253c82b6d321 ] + +The call of mxc_jpeg_get_plane_size() from mxc_jpeg_dec_irq() sets +plane_no argument to 1. The compiler sees that it's possible to end up +with an access beyond the bounds of sizeimage, if mem_planes was too +large: + + if (plane_no >= fmt->mem_planes) // mem_planes = 2+ + return 0; + + if (fmt->mem_planes == fmt->comp_planes) // comp_planes != mem_planes + return q_data->sizeimage[plane_no]; + + if (plane_no < fmt->mem_planes - 1) // mem_planes = 2 + return q_data->sizeimage[plane_no]; + +comp_planes == 0 or 1 is safe. comp_planes > 2 would be out of bounds. + +(This isn't currently possible given the contents of mxc_formats, though.) + +Silence the warning by bounds checking comp_planes for future +robustness. Seen with GCC 13: + +In function 'mxc_jpeg_get_plane_size', + inlined from 'mxc_jpeg_dec_irq' at ../drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c:729:14: +../drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c:641:42: warning: array subscript 2 is above array bounds of 'u32[2]' {aka 'unsigned int[2]'} [-Warray-bounds=] + 641 | size += q_data->sizeimage[i]; + | ~~~~~~~~~~~~~~~~~^~~ +In file included from ../drivers/media/platform/nxp/imx-jpeg/mxc-jpeg-hw.h:112, + from ../drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c:63: +../drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.h: In function 'mxc_jpeg_dec_irq': +../drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.h:84:41: note: while referencing 'sizeimage' + 84 | u32 sizeimage[MXC_JPEG_MAX_PLANES]; + | ^~~~~~~~~ + +Cc: Mirela Rabulea +Cc: NXP Linux Team +Cc: Shawn Guo +Cc: Sascha Hauer +Cc: Pengutronix Kernel Team +Cc: Fabio Estevam +Cc: linux-arm-kernel@lists.infradead.org +Signed-off-by: Kees Cook +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c b/drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c +index f085f14d..c898116b 100644 +--- a/drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c ++++ b/drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c +@@ -637,6 +637,11 @@ static u32 mxc_jpeg_get_plane_size(struct mxc_jpeg_q_data *q_data, u32 plane_no) + return q_data->sizeimage[plane_no]; + + size = q_data->sizeimage[fmt->mem_planes - 1]; ++ ++ /* Should be impossible given mxc_formats. */ ++ if (WARN_ON_ONCE(fmt->comp_planes > ARRAY_SIZE(q_data->sizeimage))) ++ return size; ++ + for (i = fmt->mem_planes; i < fmt->comp_planes; i++) + size += q_data->sizeimage[i]; + +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-058-media-cx23885-Fix-a-null-ptr-deref-bug-in-buffe.patch b/patches.kernel.org/6.3.4-058-media-cx23885-Fix-a-null-ptr-deref-bug-in-buffe.patch new file mode 100644 index 0000000..fc60611 --- /dev/null +++ b/patches.kernel.org/6.3.4-058-media-cx23885-Fix-a-null-ptr-deref-bug-in-buffe.patch @@ -0,0 +1,111 @@ +From: harperchen +Date: Thu, 2 Mar 2023 13:39:05 +0100 +Subject: [PATCH] media: cx23885: Fix a null-ptr-deref bug in buffer_prepare() + and buffer_finish() +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 47e8b73bc35d7c54642f78e498697692f6358996 + +[ Upstream commit 47e8b73bc35d7c54642f78e498697692f6358996 ] + +When the driver calls cx23885_risc_buffer() to prepare the buffer, the +function call dma_alloc_coherent may fail, resulting in a empty buffer +risc->cpu. Later when we free the buffer or access the buffer, null ptr +deref is triggered. + +This bug is similar to the following one: +https://git.linuxtv.org/media_stage.git/commit/?id=2b064d91440b33fba5b452f2d1b31f13ae911d71. + +We believe the bug can be also dynamically triggered from user side. +Similarly, we fix this by checking the return value of cx23885_risc_buffer() +and the value of risc->cpu before buffer free. + +Signed-off-by: harperchen +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/media/pci/cx23885/cx23885-core.c | 4 +++- + drivers/media/pci/cx23885/cx23885-video.c | 13 +++++++------ + 2 files changed, 10 insertions(+), 7 deletions(-) + +diff --git a/drivers/media/pci/cx23885/cx23885-core.c b/drivers/media/pci/cx23885/cx23885-core.c +index 9232a966..2ce29145 100644 +--- a/drivers/media/pci/cx23885/cx23885-core.c ++++ b/drivers/media/pci/cx23885/cx23885-core.c +@@ -1325,7 +1325,9 @@ void cx23885_free_buffer(struct cx23885_dev *dev, struct cx23885_buffer *buf) + { + struct cx23885_riscmem *risc = &buf->risc; + +- dma_free_coherent(&dev->pci->dev, risc->size, risc->cpu, risc->dma); ++ if (risc->cpu) ++ dma_free_coherent(&dev->pci->dev, risc->size, risc->cpu, risc->dma); ++ memset(risc, 0, sizeof(*risc)); + } + + static void cx23885_tsport_reg_dump(struct cx23885_tsport *port) +diff --git a/drivers/media/pci/cx23885/cx23885-video.c b/drivers/media/pci/cx23885/cx23885-video.c +index 3d03f5e9..671fc058 100644 +--- a/drivers/media/pci/cx23885/cx23885-video.c ++++ b/drivers/media/pci/cx23885/cx23885-video.c +@@ -342,6 +342,7 @@ static int queue_setup(struct vb2_queue *q, + + static int buffer_prepare(struct vb2_buffer *vb) + { ++ int ret; + struct vb2_v4l2_buffer *vbuf = to_vb2_v4l2_buffer(vb); + struct cx23885_dev *dev = vb->vb2_queue->drv_priv; + struct cx23885_buffer *buf = +@@ -358,12 +359,12 @@ static int buffer_prepare(struct vb2_buffer *vb) + + switch (dev->field) { + case V4L2_FIELD_TOP: +- cx23885_risc_buffer(dev->pci, &buf->risc, ++ ret = cx23885_risc_buffer(dev->pci, &buf->risc, + sgt->sgl, 0, UNSET, + buf->bpl, 0, dev->height); + break; + case V4L2_FIELD_BOTTOM: +- cx23885_risc_buffer(dev->pci, &buf->risc, ++ ret = cx23885_risc_buffer(dev->pci, &buf->risc, + sgt->sgl, UNSET, 0, + buf->bpl, 0, dev->height); + break; +@@ -391,21 +392,21 @@ static int buffer_prepare(struct vb2_buffer *vb) + line0_offset = 0; + line1_offset = buf->bpl; + } +- cx23885_risc_buffer(dev->pci, &buf->risc, ++ ret = cx23885_risc_buffer(dev->pci, &buf->risc, + sgt->sgl, line0_offset, + line1_offset, + buf->bpl, buf->bpl, + dev->height >> 1); + break; + case V4L2_FIELD_SEQ_TB: +- cx23885_risc_buffer(dev->pci, &buf->risc, ++ ret = cx23885_risc_buffer(dev->pci, &buf->risc, + sgt->sgl, + 0, buf->bpl * (dev->height >> 1), + buf->bpl, 0, + dev->height >> 1); + break; + case V4L2_FIELD_SEQ_BT: +- cx23885_risc_buffer(dev->pci, &buf->risc, ++ ret = cx23885_risc_buffer(dev->pci, &buf->risc, + sgt->sgl, + buf->bpl * (dev->height >> 1), 0, + buf->bpl, 0, +@@ -418,7 +419,7 @@ static int buffer_prepare(struct vb2_buffer *vb) + buf, buf->vb.vb2_buf.index, + dev->width, dev->height, dev->fmt->depth, dev->fmt->fourcc, + (unsigned long)buf->risc.dma); +- return 0; ++ return ret; + } + + static void buffer_finish(struct vb2_buffer *vb) +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-059-media-pci-tw68-Fix-null-ptr-deref-bug-in-buf-pr.patch b/patches.kernel.org/6.3.4-059-media-pci-tw68-Fix-null-ptr-deref-bug-in-buf-pr.patch new file mode 100644 index 0000000..20ef167 --- /dev/null +++ b/patches.kernel.org/6.3.4-059-media-pci-tw68-Fix-null-ptr-deref-bug-in-buf-pr.patch @@ -0,0 +1,93 @@ +From: harperchen +Date: Fri, 3 Mar 2023 16:30:11 +0100 +Subject: [PATCH] media: pci: tw68: Fix null-ptr-deref bug in buf prepare and + finish +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 1634b7adcc5bef645b3666fdd564e5952a9e24e0 + +[ Upstream commit 1634b7adcc5bef645b3666fdd564e5952a9e24e0 ] + +When the driver calls tw68_risc_buffer() to prepare the buffer, the +function call dma_alloc_coherent may fail, resulting in a empty buffer +buf->cpu. Later when we free the buffer or access the buffer, null ptr +deref is triggered. + +This bug is similar to the following one: +https://git.linuxtv.org/media_stage.git/commit/?id=2b064d91440b33fba5b452f2d1b31f13ae911d71. + +We believe the bug can be also dynamically triggered from user side. +Similarly, we fix this by checking the return value of tw68_risc_buffer() +and the value of buf->cpu before buffer free. + +Signed-off-by: harperchen +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/media/pci/tw68/tw68-video.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +diff --git a/drivers/media/pci/tw68/tw68-video.c b/drivers/media/pci/tw68/tw68-video.c +index 0cbc5b03..773a1870 100644 +--- a/drivers/media/pci/tw68/tw68-video.c ++++ b/drivers/media/pci/tw68/tw68-video.c +@@ -437,6 +437,7 @@ static void tw68_buf_queue(struct vb2_buffer *vb) + */ + static int tw68_buf_prepare(struct vb2_buffer *vb) + { ++ int ret; + struct vb2_v4l2_buffer *vbuf = to_vb2_v4l2_buffer(vb); + struct vb2_queue *vq = vb->vb2_queue; + struct tw68_dev *dev = vb2_get_drv_priv(vq); +@@ -452,30 +453,30 @@ static int tw68_buf_prepare(struct vb2_buffer *vb) + bpl = (dev->width * dev->fmt->depth) >> 3; + switch (dev->field) { + case V4L2_FIELD_TOP: +- tw68_risc_buffer(dev->pci, buf, dma->sgl, ++ ret = tw68_risc_buffer(dev->pci, buf, dma->sgl, + 0, UNSET, bpl, 0, dev->height); + break; + case V4L2_FIELD_BOTTOM: +- tw68_risc_buffer(dev->pci, buf, dma->sgl, ++ ret = tw68_risc_buffer(dev->pci, buf, dma->sgl, + UNSET, 0, bpl, 0, dev->height); + break; + case V4L2_FIELD_SEQ_TB: +- tw68_risc_buffer(dev->pci, buf, dma->sgl, ++ ret = tw68_risc_buffer(dev->pci, buf, dma->sgl, + 0, bpl * (dev->height >> 1), + bpl, 0, dev->height >> 1); + break; + case V4L2_FIELD_SEQ_BT: +- tw68_risc_buffer(dev->pci, buf, dma->sgl, ++ ret = tw68_risc_buffer(dev->pci, buf, dma->sgl, + bpl * (dev->height >> 1), 0, + bpl, 0, dev->height >> 1); + break; + case V4L2_FIELD_INTERLACED: + default: +- tw68_risc_buffer(dev->pci, buf, dma->sgl, ++ ret = tw68_risc_buffer(dev->pci, buf, dma->sgl, + 0, bpl, bpl, bpl, dev->height >> 1); + break; + } +- return 0; ++ return ret; + } + + static void tw68_buf_finish(struct vb2_buffer *vb) +@@ -485,7 +486,8 @@ static void tw68_buf_finish(struct vb2_buffer *vb) + struct tw68_dev *dev = vb2_get_drv_priv(vq); + struct tw68_buf *buf = container_of(vbuf, struct tw68_buf, vb); + +- dma_free_coherent(&dev->pci->dev, buf->size, buf->cpu, buf->dma); ++ if (buf->cpu) ++ dma_free_coherent(&dev->pci->dev, buf->size, buf->cpu, buf->dma); + } + + static int tw68_start_streaming(struct vb2_queue *q, unsigned int count) +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-060-media-pvrusb2-VIDEO_PVRUSB2-depends-on-DVB_CORE.patch b/patches.kernel.org/6.3.4-060-media-pvrusb2-VIDEO_PVRUSB2-depends-on-DVB_CORE.patch new file mode 100644 index 0000000..826c27f --- /dev/null +++ b/patches.kernel.org/6.3.4-060-media-pvrusb2-VIDEO_PVRUSB2-depends-on-DVB_CORE.patch @@ -0,0 +1,46 @@ +From: Tom Rix +Date: Sat, 11 Mar 2023 14:48:47 +0100 +Subject: [PATCH] media: pvrusb2: VIDEO_PVRUSB2 depends on DVB_CORE to use + dvb_* symbols +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 1107283b3351bef138cd12dbda1f999891cab7db + +[ Upstream commit 1107283b3351bef138cd12dbda1f999891cab7db ] + +A rand config causes this link error +vmlinux.o: In function `pvr2_dvb_create': +(.text+0x8af1d2): undefined reference to `dvb_register_adapter' + +The rand config has +CONFIG_VIDEO_PVRUSB2=y +CONFIG_VIDEO_DEV=y +CONFIG_DVB_CORE=m + +VIDEO_PVRUSB2 should also depend on DVB_CORE. + +Signed-off-by: Tom Rix +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/media/usb/pvrusb2/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/usb/pvrusb2/Kconfig b/drivers/media/usb/pvrusb2/Kconfig +index f2b64e49..9501b10b 100644 +--- a/drivers/media/usb/pvrusb2/Kconfig ++++ b/drivers/media/usb/pvrusb2/Kconfig +@@ -1,7 +1,7 @@ + # SPDX-License-Identifier: GPL-2.0-only + config VIDEO_PVRUSB2 + tristate "Hauppauge WinTV-PVR USB2 support" +- depends on VIDEO_DEV && I2C ++ depends on VIDEO_DEV && I2C && DVB_CORE + select VIDEO_TUNER + select VIDEO_TVEEPROM + select VIDEO_CX2341X +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-061-platform-x86-intel-vsec-Explicitly-enable-capab.patch b/patches.kernel.org/6.3.4-061-platform-x86-intel-vsec-Explicitly-enable-capab.patch new file mode 100644 index 0000000..c8117db --- /dev/null +++ b/patches.kernel.org/6.3.4-061-platform-x86-intel-vsec-Explicitly-enable-capab.patch @@ -0,0 +1,198 @@ +From: "David E. Box" +Date: Thu, 16 Mar 2023 15:46:28 -0700 +Subject: [PATCH] platform/x86/intel: vsec: Explicitly enable capabilities +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 3f95ecf2a3e4db09e58d307932037e8f1210d6e7 + +[ Upstream commit 3f95ecf2a3e4db09e58d307932037e8f1210d6e7 ] + +Discovered Intel VSEC/DVSEC capabilities are enabled by default and only +get disabled by quirk. Instead, remove such quirks and only enable support +for capabilities that have been explicitly added to a new capabilities +field. While here, also reorder the device info structures alphabetically. + +Signed-off-by: David E. Box +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20230316224628.2855884-1-david.e.box@linux.intel.com +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/platform/x86/intel/vsec.c | 69 ++++++++++++++----------------- + drivers/platform/x86/intel/vsec.h | 9 +++- + 2 files changed, 38 insertions(+), 40 deletions(-) + +diff --git a/drivers/platform/x86/intel/vsec.c b/drivers/platform/x86/intel/vsec.c +index 2311c16c..91be391b 100644 +--- a/drivers/platform/x86/intel/vsec.c ++++ b/drivers/platform/x86/intel/vsec.c +@@ -67,14 +67,6 @@ enum intel_vsec_id { + VSEC_ID_TPMI = 66, + }; + +-static enum intel_vsec_id intel_vsec_allow_list[] = { +- VSEC_ID_TELEMETRY, +- VSEC_ID_WATCHER, +- VSEC_ID_CRASHLOG, +- VSEC_ID_SDSI, +- VSEC_ID_TPMI, +-}; +- + static const char *intel_vsec_name(enum intel_vsec_id id) + { + switch (id) { +@@ -98,26 +90,19 @@ static const char *intel_vsec_name(enum intel_vsec_id id) + } + } + +-static bool intel_vsec_allowed(u16 id) +-{ +- int i; +- +- for (i = 0; i < ARRAY_SIZE(intel_vsec_allow_list); i++) +- if (intel_vsec_allow_list[i] == id) +- return true; +- +- return false; +-} +- +-static bool intel_vsec_disabled(u16 id, unsigned long quirks) ++static bool intel_vsec_supported(u16 id, unsigned long caps) + { + switch (id) { ++ case VSEC_ID_TELEMETRY: ++ return !!(caps & VSEC_CAP_TELEMETRY); + case VSEC_ID_WATCHER: +- return !!(quirks & VSEC_QUIRK_NO_WATCHER); +- ++ return !!(caps & VSEC_CAP_WATCHER); + case VSEC_ID_CRASHLOG: +- return !!(quirks & VSEC_QUIRK_NO_CRASHLOG); +- ++ return !!(caps & VSEC_CAP_CRASHLOG); ++ case VSEC_ID_SDSI: ++ return !!(caps & VSEC_CAP_SDSI); ++ case VSEC_ID_TPMI: ++ return !!(caps & VSEC_CAP_TPMI); + default: + return false; + } +@@ -206,7 +191,7 @@ static int intel_vsec_add_dev(struct pci_dev *pdev, struct intel_vsec_header *he + unsigned long quirks = info->quirks; + int i; + +- if (!intel_vsec_allowed(header->id) || intel_vsec_disabled(header->id, quirks)) ++ if (!intel_vsec_supported(header->id, info->caps)) + return -EINVAL; + + if (!header->num_entries) { +@@ -261,14 +246,14 @@ static int intel_vsec_add_dev(struct pci_dev *pdev, struct intel_vsec_header *he + static bool intel_vsec_walk_header(struct pci_dev *pdev, + struct intel_vsec_platform_info *info) + { +- struct intel_vsec_header **header = info->capabilities; ++ struct intel_vsec_header **header = info->headers; + bool have_devices = false; + int ret; + + for ( ; *header; header++) { + ret = intel_vsec_add_dev(pdev, *header, info); + if (ret) +- dev_info(&pdev->dev, "Could not add device for DVSEC id %d\n", ++ dev_info(&pdev->dev, "Could not add device for VSEC id %d\n", + (*header)->id); + else + have_devices = true; +@@ -403,14 +388,8 @@ static int intel_vsec_pci_probe(struct pci_dev *pdev, const struct pci_device_id + return 0; + } + +-/* TGL info */ +-static const struct intel_vsec_platform_info tgl_info = { +- .quirks = VSEC_QUIRK_NO_WATCHER | VSEC_QUIRK_NO_CRASHLOG | +- VSEC_QUIRK_TABLE_SHIFT | VSEC_QUIRK_EARLY_HW, +-}; +- + /* DG1 info */ +-static struct intel_vsec_header dg1_telemetry = { ++static struct intel_vsec_header dg1_header = { + .length = 0x10, + .id = 2, + .num_entries = 1, +@@ -419,19 +398,31 @@ static struct intel_vsec_header dg1_telemetry = { + .offset = 0x466000, + }; + +-static struct intel_vsec_header *dg1_capabilities[] = { +- &dg1_telemetry, ++static struct intel_vsec_header *dg1_headers[] = { ++ &dg1_header, + NULL + }; + + static const struct intel_vsec_platform_info dg1_info = { +- .capabilities = dg1_capabilities, ++ .caps = VSEC_CAP_TELEMETRY, ++ .headers = dg1_headers, + .quirks = VSEC_QUIRK_NO_DVSEC | VSEC_QUIRK_EARLY_HW, + }; + + /* MTL info */ + static const struct intel_vsec_platform_info mtl_info = { +- .quirks = VSEC_QUIRK_NO_WATCHER | VSEC_QUIRK_NO_CRASHLOG, ++ .caps = VSEC_CAP_TELEMETRY, ++}; ++ ++/* OOBMSM info */ ++static const struct intel_vsec_platform_info oobmsm_info = { ++ .caps = VSEC_CAP_TELEMETRY | VSEC_CAP_SDSI | VSEC_CAP_TPMI, ++}; ++ ++/* TGL info */ ++static const struct intel_vsec_platform_info tgl_info = { ++ .caps = VSEC_CAP_TELEMETRY, ++ .quirks = VSEC_QUIRK_TABLE_SHIFT | VSEC_QUIRK_EARLY_HW, + }; + + #define PCI_DEVICE_ID_INTEL_VSEC_ADL 0x467d +@@ -446,7 +437,7 @@ static const struct pci_device_id intel_vsec_pci_ids[] = { + { PCI_DEVICE_DATA(INTEL, VSEC_DG1, &dg1_info) }, + { PCI_DEVICE_DATA(INTEL, VSEC_MTL_M, &mtl_info) }, + { PCI_DEVICE_DATA(INTEL, VSEC_MTL_S, &mtl_info) }, +- { PCI_DEVICE_DATA(INTEL, VSEC_OOBMSM, &(struct intel_vsec_platform_info) {}) }, ++ { PCI_DEVICE_DATA(INTEL, VSEC_OOBMSM, &oobmsm_info) }, + { PCI_DEVICE_DATA(INTEL, VSEC_RPL, &tgl_info) }, + { PCI_DEVICE_DATA(INTEL, VSEC_TGL, &tgl_info) }, + { } +diff --git a/drivers/platform/x86/intel/vsec.h b/drivers/platform/x86/intel/vsec.h +index ae8fe92c..0fd042c1 100644 +--- a/drivers/platform/x86/intel/vsec.h ++++ b/drivers/platform/x86/intel/vsec.h +@@ -5,6 +5,12 @@ + #include + #include + ++#define VSEC_CAP_TELEMETRY BIT(0) ++#define VSEC_CAP_WATCHER BIT(1) ++#define VSEC_CAP_CRASHLOG BIT(2) ++#define VSEC_CAP_SDSI BIT(3) ++#define VSEC_CAP_TPMI BIT(4) ++ + struct pci_dev; + struct resource; + +@@ -27,7 +33,8 @@ enum intel_vsec_quirks { + + /* Platform specific data */ + struct intel_vsec_platform_info { +- struct intel_vsec_header **capabilities; ++ struct intel_vsec_header **headers; ++ unsigned long caps; + unsigned long quirks; + }; + +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-062-ACPI-processor-Check-for-null-return-of-devm_kz.patch b/patches.kernel.org/6.3.4-062-ACPI-processor-Check-for-null-return-of-devm_kz.patch new file mode 100644 index 0000000..905b0d2 --- /dev/null +++ b/patches.kernel.org/6.3.4-062-ACPI-processor-Check-for-null-return-of-devm_kz.patch @@ -0,0 +1,38 @@ +From: Kang Chen +Date: Sun, 26 Feb 2023 13:54:27 +0800 +Subject: [PATCH] ACPI: processor: Check for null return of devm_kzalloc() in + fch_misc_setup() +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 4dea41775d951ff1f7b472a346a8ca3ae7e74455 + +[ Upstream commit 4dea41775d951ff1f7b472a346a8ca3ae7e74455 ] + +devm_kzalloc() may fail, clk_data->name might be NULL and will +cause a NULL pointer dereference later. + +Signed-off-by: Kang Chen +[ rjw: Subject and changelog edits ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/acpi/acpi_apd.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/acpi/acpi_apd.c b/drivers/acpi/acpi_apd.c +index 3bbe2276..80f945cb 100644 +--- a/drivers/acpi/acpi_apd.c ++++ b/drivers/acpi/acpi_apd.c +@@ -83,6 +83,8 @@ static int fch_misc_setup(struct apd_private_data *pdata) + if (!acpi_dev_get_property(adev, "clk-name", ACPI_TYPE_STRING, &obj)) { + clk_data->name = devm_kzalloc(&adev->dev, obj->string.length, + GFP_KERNEL); ++ if (!clk_data->name) ++ return -ENOMEM; + + strcpy(clk_data->name, obj->string.pointer); + } else { +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-063-drm-rockchip-dw_hdmi-cleanup-drm-encoder-during.patch b/patches.kernel.org/6.3.4-063-drm-rockchip-dw_hdmi-cleanup-drm-encoder-during.patch new file mode 100644 index 0000000..99933cd --- /dev/null +++ b/patches.kernel.org/6.3.4-063-drm-rockchip-dw_hdmi-cleanup-drm-encoder-during.patch @@ -0,0 +1,41 @@ +From: Toby Chen +Date: Thu, 16 Mar 2023 17:51:26 -0700 +Subject: [PATCH] drm/rockchip: dw_hdmi: cleanup drm encoder during unbind +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: b5af48eedcb53491c02ded55d5991e03d6da6dbf + +[ Upstream commit b5af48eedcb53491c02ded55d5991e03d6da6dbf ] + +This fixes a use-after-free crash during rmmod. + +The DRM encoder is embedded inside the larger rockchip_hdmi, +which is allocated with the component. The component memory +gets freed before the main drm device is destroyed. Fix it +by running encoder cleanup before tearing down its container. + +Signed-off-by: Toby Chen +[moved encoder cleanup above clk_disable, similar to bind-error-path] +Signed-off-by: Heiko Stuebner +Link: https://patchwork.freedesktop.org/patch/msgid/20230317005126.496-1-tobyc@nvidia.com +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/gpu/drm/rockchip/dw_hdmi-rockchip.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/rockchip/dw_hdmi-rockchip.c b/drivers/gpu/drm/rockchip/dw_hdmi-rockchip.c +index 2f4b8f64..ae857bf8 100644 +--- a/drivers/gpu/drm/rockchip/dw_hdmi-rockchip.c ++++ b/drivers/gpu/drm/rockchip/dw_hdmi-rockchip.c +@@ -640,6 +640,7 @@ static void dw_hdmi_rockchip_unbind(struct device *dev, struct device *master, + struct rockchip_hdmi *hdmi = dev_get_drvdata(dev); + + dw_hdmi_unbind(hdmi->hdmi); ++ drm_encoder_cleanup(&hdmi->encoder.encoder); + clk_disable_unprepare(hdmi->ref_clk); + + regulator_disable(hdmi->avdd_1v8); +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-064-memstick-r592-Fix-UAF-bug-in-r592_remove-due-to.patch b/patches.kernel.org/6.3.4-064-memstick-r592-Fix-UAF-bug-in-r592_remove-due-to.patch new file mode 100644 index 0000000..f4fddd1 --- /dev/null +++ b/patches.kernel.org/6.3.4-064-memstick-r592-Fix-UAF-bug-in-r592_remove-due-to.patch @@ -0,0 +1,55 @@ +From: Zheng Wang +Date: Wed, 8 Mar 2023 00:43:38 +0800 +Subject: [PATCH] memstick: r592: Fix UAF bug in r592_remove due to race + condition +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 63264422785021704c39b38f65a78ab9e4a186d7 + +[ Upstream commit 63264422785021704c39b38f65a78ab9e4a186d7 ] + +In r592_probe, dev->detect_timer was bound with r592_detect_timer. +In r592_irq function, the timer function will be invoked by mod_timer. + +If we remove the module which will call hantro_release to make cleanup, +there may be a unfinished work. The possible sequence is as follows, +which will cause a typical UAF bug. + +Fix it by canceling the work before cleanup in r592_remove. + +CPU0 CPU1 + + |r592_detect_timer +r592_remove | + memstick_free_host| + put_device; | + kfree(host); | + | + | queue_work + | &host->media_checker //use + +Signed-off-by: Zheng Wang +Link: https://lore.kernel.org/r/20230307164338.1246287-1-zyytlz.wz@163.com +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/memstick/host/r592.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/memstick/host/r592.c b/drivers/memstick/host/r592.c +index 1d35d147..42bfc468 100644 +--- a/drivers/memstick/host/r592.c ++++ b/drivers/memstick/host/r592.c +@@ -829,7 +829,7 @@ static void r592_remove(struct pci_dev *pdev) + /* Stop the processing thread. + That ensures that we won't take any more requests */ + kthread_stop(dev->io_thread); +- ++ del_timer_sync(&dev->detect_timer); + r592_enable_device(dev, false); + + while (!error && dev->req) { +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-065-arm64-dts-imx8mq-librem5-Remove-dis_u3_susphy_q.patch b/patches.kernel.org/6.3.4-065-arm64-dts-imx8mq-librem5-Remove-dis_u3_susphy_q.patch new file mode 100644 index 0000000..470d6e5 --- /dev/null +++ b/patches.kernel.org/6.3.4-065-arm64-dts-imx8mq-librem5-Remove-dis_u3_susphy_q.patch @@ -0,0 +1,36 @@ +From: Sebastian Krzyszkowiak +Date: Thu, 9 Mar 2023 21:46:05 +0100 +Subject: [PATCH] arm64: dts: imx8mq-librem5: Remove dis_u3_susphy_quirk from + usb_dwc3_0 +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: cfe9de291bd2bbce18c5cd79e1dd582cbbacdb4f + +[ Upstream commit cfe9de291bd2bbce18c5cd79e1dd582cbbacdb4f ] + +This reduces power consumption in system suspend by about 10%. + +Signed-off-by: Sebastian Krzyszkowiak +Signed-off-by: Martin Kepplinger +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + arch/arm64/boot/dts/freescale/imx8mq-librem5.dtsi | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/freescale/imx8mq-librem5.dtsi b/arch/arm64/boot/dts/freescale/imx8mq-librem5.dtsi +index 6895bcc1..de0dde01 100644 +--- a/arch/arm64/boot/dts/freescale/imx8mq-librem5.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx8mq-librem5.dtsi +@@ -1299,7 +1299,6 @@ &usb_dwc3_0 { + #address-cells = <1>; + #size-cells = <0>; + dr_mode = "otg"; +- snps,dis_u3_susphy_quirk; + usb-role-switch; + status = "okay"; + +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-066-firmware-arm_sdei-Fix-sleep-from-invalid-contex.patch b/patches.kernel.org/6.3.4-066-firmware-arm_sdei-Fix-sleep-from-invalid-contex.patch new file mode 100644 index 0000000..b404be0 --- /dev/null +++ b/patches.kernel.org/6.3.4-066-firmware-arm_sdei-Fix-sleep-from-invalid-contex.patch @@ -0,0 +1,237 @@ +From: Pierre Gondois +Date: Thu, 16 Feb 2023 09:49:19 +0100 +Subject: [PATCH] firmware: arm_sdei: Fix sleep from invalid context BUG +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: d2c48b2387eb89e0bf2a2e06e30987cf410acad4 + +[ Upstream commit d2c48b2387eb89e0bf2a2e06e30987cf410acad4 ] + +Running a preempt-rt (v6.2-rc3-rt1) based kernel on an Ampere Altra +triggers: + + BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:46 + in_atomic(): 0, irqs_disabled(): 128, non_block: 0, pid: 24, name: cpuhp/0 + preempt_count: 0, expected: 0 + RCU nest depth: 0, expected: 0 + 3 locks held by cpuhp/0/24: + #0: ffffda30217c70d0 (cpu_hotplug_lock){++++}-{0:0}, at: cpuhp_thread_fun+0x5c/0x248 + #1: ffffda30217c7120 (cpuhp_state-up){+.+.}-{0:0}, at: cpuhp_thread_fun+0x5c/0x248 + #2: ffffda3021c711f0 (sdei_list_lock){....}-{3:3}, at: sdei_cpuhp_up+0x3c/0x130 + irq event stamp: 36 + hardirqs last enabled at (35): [] finish_task_switch+0xb4/0x2b0 + hardirqs last disabled at (36): [] cpuhp_thread_fun+0x21c/0x248 + softirqs last enabled at (0): [] copy_process+0x63c/0x1ac0 + softirqs last disabled at (0): [<0000000000000000>] 0x0 + CPU: 0 PID: 24 Comm: cpuhp/0 Not tainted 5.19.0-rc3-rt5-[...] + Hardware name: WIWYNN Mt.Jade Server [...] + Call trace: + dump_backtrace+0x114/0x120 + show_stack+0x20/0x70 + dump_stack_lvl+0x9c/0xd8 + dump_stack+0x18/0x34 + __might_resched+0x188/0x228 + rt_spin_lock+0x70/0x120 + sdei_cpuhp_up+0x3c/0x130 + cpuhp_invoke_callback+0x250/0xf08 + cpuhp_thread_fun+0x120/0x248 + smpboot_thread_fn+0x280/0x320 + kthread+0x130/0x140 + ret_from_fork+0x10/0x20 + +sdei_cpuhp_up() is called in the STARTING hotplug section, +which runs with interrupts disabled. Use a CPUHP_AP_ONLINE_DYN entry +instead to execute the cpuhp cb later, with preemption enabled. + +SDEI originally got its own cpuhp slot to allow interacting +with perf. It got superseded by pNMI and this early slot is not +relevant anymore. [1] + +Some SDEI calls (e.g. SDEI_1_0_FN_SDEI_PE_MASK) take actions on the +calling CPU. It is checked that preemption is disabled for them. +_ONLINE cpuhp cb are executed in the 'per CPU hotplug thread'. +Preemption is enabled in those threads, but their cpumask is limited +to 1 CPU. +Move 'WARN_ON_ONCE(preemptible())' statements so that SDEI cpuhp cb +don't trigger them. + +Also add a check for the SDEI_1_0_FN_SDEI_PRIVATE_RESET SDEI call +which acts on the calling CPU. + +[1]: +https://lore.kernel.org/all/5813b8c5-ae3e-87fd-fccc-94c9cd08816d@arm.com/ + +Suggested-by: James Morse +Signed-off-by: Pierre Gondois +Reviewed-by: James Morse +Link: https://lore.kernel.org/r/20230216084920.144064-1-pierre.gondois@arm.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/firmware/arm_sdei.c | 37 ++++++++++++++++++++----------------- + include/linux/cpuhotplug.h | 1 - + 2 files changed, 20 insertions(+), 18 deletions(-) + +diff --git a/drivers/firmware/arm_sdei.c b/drivers/firmware/arm_sdei.c +index 1e1a5151..f9040bd6 100644 +--- a/drivers/firmware/arm_sdei.c ++++ b/drivers/firmware/arm_sdei.c +@@ -43,6 +43,8 @@ static asmlinkage void (*sdei_firmware_call)(unsigned long function_id, + /* entry point from firmware to arch asm code */ + static unsigned long sdei_entry_point; + ++static int sdei_hp_state; ++ + struct sdei_event { + /* These three are protected by the sdei_list_lock */ + struct list_head list; +@@ -301,8 +303,6 @@ int sdei_mask_local_cpu(void) + { + int err; + +- WARN_ON_ONCE(preemptible()); +- + err = invoke_sdei_fn(SDEI_1_0_FN_SDEI_PE_MASK, 0, 0, 0, 0, 0, NULL); + if (err && err != -EIO) { + pr_warn_once("failed to mask CPU[%u]: %d\n", +@@ -315,6 +315,7 @@ int sdei_mask_local_cpu(void) + + static void _ipi_mask_cpu(void *ignored) + { ++ WARN_ON_ONCE(preemptible()); + sdei_mask_local_cpu(); + } + +@@ -322,8 +323,6 @@ int sdei_unmask_local_cpu(void) + { + int err; + +- WARN_ON_ONCE(preemptible()); +- + err = invoke_sdei_fn(SDEI_1_0_FN_SDEI_PE_UNMASK, 0, 0, 0, 0, 0, NULL); + if (err && err != -EIO) { + pr_warn_once("failed to unmask CPU[%u]: %d\n", +@@ -336,6 +335,7 @@ int sdei_unmask_local_cpu(void) + + static void _ipi_unmask_cpu(void *ignored) + { ++ WARN_ON_ONCE(preemptible()); + sdei_unmask_local_cpu(); + } + +@@ -343,6 +343,8 @@ static void _ipi_private_reset(void *ignored) + { + int err; + ++ WARN_ON_ONCE(preemptible()); ++ + err = invoke_sdei_fn(SDEI_1_0_FN_SDEI_PRIVATE_RESET, 0, 0, 0, 0, 0, + NULL); + if (err && err != -EIO) +@@ -389,8 +391,6 @@ static void _local_event_enable(void *data) + int err; + struct sdei_crosscall_args *arg = data; + +- WARN_ON_ONCE(preemptible()); +- + err = sdei_api_event_enable(arg->event->event_num); + + sdei_cross_call_return(arg, err); +@@ -479,8 +479,6 @@ static void _local_event_unregister(void *data) + int err; + struct sdei_crosscall_args *arg = data; + +- WARN_ON_ONCE(preemptible()); +- + err = sdei_api_event_unregister(arg->event->event_num); + + sdei_cross_call_return(arg, err); +@@ -561,8 +559,6 @@ static void _local_event_register(void *data) + struct sdei_registered_event *reg; + struct sdei_crosscall_args *arg = data; + +- WARN_ON(preemptible()); +- + reg = per_cpu_ptr(arg->event->private_registered, smp_processor_id()); + err = sdei_api_event_register(arg->event->event_num, sdei_entry_point, + reg, 0, 0); +@@ -717,6 +713,8 @@ static int sdei_pm_notifier(struct notifier_block *nb, unsigned long action, + { + int rv; + ++ WARN_ON_ONCE(preemptible()); ++ + switch (action) { + case CPU_PM_ENTER: + rv = sdei_mask_local_cpu(); +@@ -765,7 +763,7 @@ static int sdei_device_freeze(struct device *dev) + int err; + + /* unregister private events */ +- cpuhp_remove_state(CPUHP_AP_ARM_SDEI_STARTING); ++ cpuhp_remove_state(sdei_entry_point); + + err = sdei_unregister_shared(); + if (err) +@@ -786,12 +784,15 @@ static int sdei_device_thaw(struct device *dev) + return err; + } + +- err = cpuhp_setup_state(CPUHP_AP_ARM_SDEI_STARTING, "SDEI", ++ err = cpuhp_setup_state(CPUHP_AP_ONLINE_DYN, "SDEI", + &sdei_cpuhp_up, &sdei_cpuhp_down); +- if (err) ++ if (err < 0) { + pr_warn("Failed to re-register CPU hotplug notifier...\n"); ++ return err; ++ } + +- return err; ++ sdei_hp_state = err; ++ return 0; + } + + static int sdei_device_restore(struct device *dev) +@@ -823,7 +824,7 @@ static int sdei_reboot_notifier(struct notifier_block *nb, unsigned long action, + * We are going to reset the interface, after this there is no point + * doing work when we take CPUs offline. + */ +- cpuhp_remove_state(CPUHP_AP_ARM_SDEI_STARTING); ++ cpuhp_remove_state(sdei_hp_state); + + sdei_platform_reset(); + +@@ -1003,13 +1004,15 @@ static int sdei_probe(struct platform_device *pdev) + goto remove_cpupm; + } + +- err = cpuhp_setup_state(CPUHP_AP_ARM_SDEI_STARTING, "SDEI", ++ err = cpuhp_setup_state(CPUHP_AP_ONLINE_DYN, "SDEI", + &sdei_cpuhp_up, &sdei_cpuhp_down); +- if (err) { ++ if (err < 0) { + pr_warn("Failed to register CPU hotplug notifier...\n"); + goto remove_reboot; + } + ++ sdei_hp_state = err; ++ + return 0; + + remove_reboot: +diff --git a/include/linux/cpuhotplug.h b/include/linux/cpuhotplug.h +index 5b2f8147..0f1001dc 100644 +--- a/include/linux/cpuhotplug.h ++++ b/include/linux/cpuhotplug.h +@@ -163,7 +163,6 @@ enum cpuhp_state { + CPUHP_AP_PERF_X86_CSTATE_STARTING, + CPUHP_AP_PERF_XTENSA_STARTING, + CPUHP_AP_MIPS_OP_LOONGSON3_STARTING, +- CPUHP_AP_ARM_SDEI_STARTING, + CPUHP_AP_ARM_VFP_STARTING, + CPUHP_AP_ARM64_DEBUG_MONITORS_STARTING, + CPUHP_AP_PERF_ARM_HW_BREAKPOINT_STARTING, +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-067-ACPI-EC-Fix-oops-when-removing-custom-query-han.patch b/patches.kernel.org/6.3.4-067-ACPI-EC-Fix-oops-when-removing-custom-query-han.patch new file mode 100644 index 0000000..5012ea4 --- /dev/null +++ b/patches.kernel.org/6.3.4-067-ACPI-EC-Fix-oops-when-removing-custom-query-han.patch @@ -0,0 +1,41 @@ +From: Armin Wolf +Date: Fri, 24 Mar 2023 21:26:27 +0100 +Subject: [PATCH] ACPI: EC: Fix oops when removing custom query handlers +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: e5b492c6bb900fcf9722e05f4a10924410e170c1 + +[ Upstream commit e5b492c6bb900fcf9722e05f4a10924410e170c1 ] + +When removing custom query handlers, the handler might still +be used inside the EC query workqueue, causing a kernel oops +if the module holding the callback function was already unloaded. + +Fix this by flushing the EC query workqueue when removing +custom query handlers. + +Tested on a Acer Travelmate 4002WLMi + +Signed-off-by: Armin Wolf +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/acpi/ec.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/acpi/ec.c b/drivers/acpi/ec.c +index 105d2e79..9658e348 100644 +--- a/drivers/acpi/ec.c ++++ b/drivers/acpi/ec.c +@@ -1122,6 +1122,7 @@ static void acpi_ec_remove_query_handlers(struct acpi_ec *ec, + void acpi_ec_remove_query_handler(struct acpi_ec *ec, u8 query_bit) + { + acpi_ec_remove_query_handlers(ec, false, query_bit); ++ flush_workqueue(ec_query_wq); + } + EXPORT_SYMBOL_GPL(acpi_ec_remove_query_handler); + +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-068-drm-amd-display-fixed-dcn30-underflow-issue.patch b/patches.kernel.org/6.3.4-068-drm-amd-display-fixed-dcn30-underflow-issue.patch new file mode 100644 index 0000000..5f3ff97 --- /dev/null +++ b/patches.kernel.org/6.3.4-068-drm-amd-display-fixed-dcn30-underflow-issue.patch @@ -0,0 +1,76 @@ +From: Ayush Gupta +Date: Thu, 16 Mar 2023 15:57:30 -0400 +Subject: [PATCH] drm/amd/display: fixed dcn30+ underflow issue +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 37403ced9f2873fab7f39ab4ac963bbb33fb0bc0 + +[ Upstream commit 37403ced9f2873fab7f39ab4ac963bbb33fb0bc0 ] + +[Why] +Observing underflow on dcn30+ system config at 4k144hz + +[How] +We set the UCLK hardmax on AC/DC switch if softmax is enabled +and also on boot. While booting up the UCLK Hardmax is set +to softmax before the init sequence and the init sequence +resets the hardmax to UCLK max which enables P-state switching. +Just added a conditional check to avoid setting hardmax on init. + +Reviewed-by: Alvin Lee +Reviewed-by: Martin Leung +Acked-by: Qingqing Zhuo +Signed-off-by: Ayush Gupta +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/gpu/drm/amd/display/dc/dcn30/dcn30_hwseq.c | 3 ++- + drivers/gpu/drm/amd/display/dc/dcn31/dcn31_hwseq.c | 2 +- + drivers/gpu/drm/amd/display/dc/dcn32/dcn32_hwseq.c | 2 +- + 3 files changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_hwseq.c b/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_hwseq.c +index b4df540c..36fa413f 100644 +--- a/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_hwseq.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_hwseq.c +@@ -629,7 +629,8 @@ void dcn30_init_hw(struct dc *dc) + if (dc->clk_mgr->funcs->notify_wm_ranges) + dc->clk_mgr->funcs->notify_wm_ranges(dc->clk_mgr); + +- if (dc->clk_mgr->funcs->set_hard_max_memclk) ++ //if softmax is enabled then hardmax will be set by a different call ++ if (dc->clk_mgr->funcs->set_hard_max_memclk && !dc->clk_mgr->dc_mode_softmax_enabled) + dc->clk_mgr->funcs->set_hard_max_memclk(dc->clk_mgr); + + if (dc->res_pool->hubbub->funcs->force_pstate_change_control) +diff --git a/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_hwseq.c b/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_hwseq.c +index d13e46ee..6d3f2335 100644 +--- a/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_hwseq.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_hwseq.c +@@ -285,7 +285,7 @@ void dcn31_init_hw(struct dc *dc) + if (dc->clk_mgr->funcs->notify_wm_ranges) + dc->clk_mgr->funcs->notify_wm_ranges(dc->clk_mgr); + +- if (dc->clk_mgr->funcs->set_hard_max_memclk) ++ if (dc->clk_mgr->funcs->set_hard_max_memclk && !dc->clk_mgr->dc_mode_softmax_enabled) + dc->clk_mgr->funcs->set_hard_max_memclk(dc->clk_mgr); + + if (dc->res_pool->hubbub->funcs->force_pstate_change_control) +diff --git a/drivers/gpu/drm/amd/display/dc/dcn32/dcn32_hwseq.c b/drivers/gpu/drm/amd/display/dc/dcn32/dcn32_hwseq.c +index 823f29c2..184310fa 100644 +--- a/drivers/gpu/drm/amd/display/dc/dcn32/dcn32_hwseq.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn32/dcn32_hwseq.c +@@ -895,7 +895,7 @@ void dcn32_init_hw(struct dc *dc) + if (dc->clk_mgr->funcs->notify_wm_ranges) + dc->clk_mgr->funcs->notify_wm_ranges(dc->clk_mgr); + +- if (dc->clk_mgr->funcs->set_hard_max_memclk) ++ if (dc->clk_mgr->funcs->set_hard_max_memclk && !dc->clk_mgr->dc_mode_softmax_enabled) + dc->clk_mgr->funcs->set_hard_max_memclk(dc->clk_mgr); + + if (dc->res_pool->hubbub->funcs->force_pstate_change_control) +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-069-remoteproc-stm32_rproc-Add-mutex-protection-for.patch b/patches.kernel.org/6.3.4-069-remoteproc-stm32_rproc-Add-mutex-protection-for.patch new file mode 100644 index 0000000..7d8a74a --- /dev/null +++ b/patches.kernel.org/6.3.4-069-remoteproc-stm32_rproc-Add-mutex-protection-for.patch @@ -0,0 +1,59 @@ +From: Arnaud Pouliquen +Date: Fri, 31 Mar 2023 18:06:34 +0200 +Subject: [PATCH] remoteproc: stm32_rproc: Add mutex protection for workqueue +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 35bdafda40cc343ad2ba2cce105eba03a70241cc + +[ Upstream commit 35bdafda40cc343ad2ba2cce105eba03a70241cc ] + +The workqueue may execute late even after remoteproc is stopped or +stopping, some resources (rpmsg device and endpoint) have been +released in rproc_stop_subdevices(), then rproc_vq_interrupt() +accessing these resources will cause kernel dump. + +Call trace: +virtqueue_add_inbuf +virtqueue_add_inbuf +rpmsg_recv_single +rpmsg_recv_done +vring_interrupt +stm32_rproc_mb_vq_work +process_one_work +worker_thread +kthread + +Suggested-by: Mathieu Poirier +Signed-off-by: Arnaud Pouliquen +Link: https://lore.kernel.org/r/20230331160634.3113031-1-arnaud.pouliquen@foss.st.com +Signed-off-by: Mathieu Poirier +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/remoteproc/stm32_rproc.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/remoteproc/stm32_rproc.c b/drivers/remoteproc/stm32_rproc.c +index 23c1690b..8746cbb1 100644 +--- a/drivers/remoteproc/stm32_rproc.c ++++ b/drivers/remoteproc/stm32_rproc.c +@@ -291,8 +291,16 @@ static void stm32_rproc_mb_vq_work(struct work_struct *work) + struct stm32_mbox *mb = container_of(work, struct stm32_mbox, vq_work); + struct rproc *rproc = dev_get_drvdata(mb->client.dev); + ++ mutex_lock(&rproc->lock); ++ ++ if (rproc->state != RPROC_RUNNING) ++ goto unlock_mutex; ++ + if (rproc_vq_interrupt(rproc, mb->vq_id) == IRQ_NONE) + dev_dbg(&rproc->dev, "no message found in vq%d\n", mb->vq_id); ++ ++unlock_mutex: ++ mutex_unlock(&rproc->lock); + } + + static void stm32_rproc_mb_callback(struct mbox_client *cl, void *data) +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-070-accel-ivpu-Remove-D3hot-delay-for-Meteorlake.patch b/patches.kernel.org/6.3.4-070-accel-ivpu-Remove-D3hot-delay-for-Meteorlake.patch new file mode 100644 index 0000000..e733660 --- /dev/null +++ b/patches.kernel.org/6.3.4-070-accel-ivpu-Remove-D3hot-delay-for-Meteorlake.patch @@ -0,0 +1,49 @@ +From: Karol Wachowski +Date: Mon, 3 Apr 2023 14:15:45 +0200 +Subject: [PATCH] accel/ivpu: Remove D3hot delay for Meteorlake +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: cb949ce504e829193234e26cb3042bb448465d52 + +[ Upstream commit cb949ce504e829193234e26cb3042bb448465d52 ] + +VPU on MTL has hardware optimizations and does not require 10ms +D0 - D3hot transition delay imposed by PCI specification (PCIe +r6.0, sec 5.9.) . + +The delay removal is traditionally done by adding PCI ID to +quirk_remove_d3hot_delay() in drivers/pci/quirks.c . But since +we do not need that optimization before driver probe and we +can better specify in the ivpu driver on what (future) hardware +use the optimization, we do not use quirk_remove_d3hot_delay() +for that. + +Signed-off-by: Karol Wachowski +Signed-off-by: Stanislaw Gruszka +Reviewed-by: Jeffrey Hugo +Signed-off-by: Jacek Lawrynowicz +Link: https://patchwork.freedesktop.org/patch/msgid/20230403121545.2995279-1-stanislaw.gruszka@linux.intel.com +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/accel/ivpu/ivpu_drv.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/accel/ivpu/ivpu_drv.c b/drivers/accel/ivpu/ivpu_drv.c +index 6a320a73..8396db2b 100644 +--- a/drivers/accel/ivpu/ivpu_drv.c ++++ b/drivers/accel/ivpu/ivpu_drv.c +@@ -437,6 +437,10 @@ static int ivpu_pci_init(struct ivpu_device *vdev) + /* Clear any pending errors */ + pcie_capability_clear_word(pdev, PCI_EXP_DEVSTA, 0x3f); + ++ /* VPU MTL does not require PCI spec 10m D3hot delay */ ++ if (ivpu_is_mtl(vdev)) ++ pdev->d3hot_delay = 0; ++ + ret = pcim_enable_device(pdev); + if (ret) { + ivpu_err(vdev, "Failed to enable PCI device: %d\n", ret); +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-071-drm-tegra-Avoid-potential-32-bit-integer-overfl.patch b/patches.kernel.org/6.3.4-071-drm-tegra-Avoid-potential-32-bit-integer-overfl.patch new file mode 100644 index 0000000..d0b6860 --- /dev/null +++ b/patches.kernel.org/6.3.4-071-drm-tegra-Avoid-potential-32-bit-integer-overfl.patch @@ -0,0 +1,38 @@ +From: Nur Hussein +Date: Thu, 6 Apr 2023 04:25:59 +0800 +Subject: [PATCH] drm/tegra: Avoid potential 32-bit integer overflow +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 2429b3c529da29d4277d519bd66d034842dcd70c + +[ Upstream commit 2429b3c529da29d4277d519bd66d034842dcd70c ] + +In tegra_sor_compute_config(), the 32-bit value mode->clock is +multiplied by 1000, and assigned to the u64 variable pclk. We can avoid +a potential 32-bit integer overflow by casting mode->clock to u64 before +we do the arithmetic and assignment. + +Signed-off-by: Nur Hussein +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/gpu/drm/tegra/sor.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/tegra/sor.c b/drivers/gpu/drm/tegra/sor.c +index 8af63274..77723d5f 100644 +--- a/drivers/gpu/drm/tegra/sor.c ++++ b/drivers/gpu/drm/tegra/sor.c +@@ -1153,7 +1153,7 @@ static int tegra_sor_compute_config(struct tegra_sor *sor, + struct drm_dp_link *link) + { + const u64 f = 100000, link_rate = link->rate * 1000; +- const u64 pclk = mode->clock * 1000; ++ const u64 pclk = (u64)mode->clock * 1000; + u64 input, output, watermark, num; + struct tegra_sor_params params; + u32 num_syms_per_line; +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-072-drm-msm-dp-Clean-up-handling-of-DP-AUX-interrup.patch b/patches.kernel.org/6.3.4-072-drm-msm-dp-Clean-up-handling-of-DP-AUX-interrup.patch new file mode 100644 index 0000000..00523f8 --- /dev/null +++ b/patches.kernel.org/6.3.4-072-drm-msm-dp-Clean-up-handling-of-DP-AUX-interrup.patch @@ -0,0 +1,211 @@ +From: Douglas Anderson +Date: Thu, 26 Jan 2023 17:09:12 -0800 +Subject: [PATCH] drm/msm/dp: Clean up handling of DP AUX interrupts +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: b20566cdef05cd40d95f10869d2a7646f48b1bbe + +[ Upstream commit b20566cdef05cd40d95f10869d2a7646f48b1bbe ] + +The DP AUX interrupt handling was a bit of a mess. +* There were two functions (one for "native" transfers and one for + "i2c" transfers) that were quite similar. It was hard to say how + many of the differences between the two functions were on purpose + and how many of them were just an accident of how they were coded. +* Each function sometimes used "else if" to test for error bits and + sometimes didn't and again it was hard to say if this was on purpose + or just an accident. +* The two functions wouldn't notice whether "unknown" bits were + set. For instance, there seems to be a bit "DP_INTR_PLL_UNLOCKED" + and if it was set there would be no indication. +* The two functions wouldn't notice if more than one error was set. + +Let's fix this by being more consistent / explicit about what we're +doing. + +By design this could cause different handling for AUX transfers, +though I'm not actually aware of any bug fixed as a result of +this patch (this patch was created because we simply noticed how odd +the old code was by code inspection). Specific notes here: +1. In the old native transfer case if we got "done + wrong address" + we'd ignore the "wrong address" (because of the "else if"). Now we + won't. +2. In the old native transfer case if we got "done + timeout" we'd + ignore the "timeout" (because of the "else if"). Now we won't. +3. In the old native transfer case we'd see "nack_defer" and translate + it to the error number for "nack". This differed from the i2c + transfer case where "nack_defer" was given the error number for + "nack_defer". This 100% can't matter because the only user of this + error number treats "nack defer" the same as "nack", so it's clear + that the difference between the "native" and "i2c" was pointless + here. +4. In the old i2c transfer case if we got "done" plus any error + besides "nack" or "defer" then we'd ignore the error. Now we don't. +5. If there is more than one error signaled by the hardware it's + possible that we'll report a different one than we used to. I don't + know if this matters. If someone is aware of a case this matters we + should document it and change the code to make it explicit. +6. One quirk we keep (I don't know if this is important) is that in + the i2c transfer case if we see "done + defer" we report that as a + "nack". That seemed too intentional in the old code to just drop. + +After this change we will add extra logging, including: +* A warning if we see more than one error bit set. +* A warning if we see an unexpected interrupt. +* A warning if we get an AUX transfer interrupt when shouldn't. + +It actually turns out that as a result of this change then at boot we +sometimes see an error: + [drm:dp_aux_isr] *ERROR* Unexpected DP AUX IRQ 0x01000000 when not busy +That means that, during init, we are seeing DP_INTR_PLL_UNLOCKED. For +now I'm going to say that leaving this error reported in the logs is +OK-ish and hopefully it will encourage someone to track down what's +going on at init time. + +One last note here is that this change renames one of the interrupt +bits. The bit named "i2c done" clearly was used for native transfers +being done too, so I renamed it to indicate this. + +Signed-off-by: Douglas Anderson +Tested-by: Kuogee Hsieh +Reviewed-by: Kuogee Hsieh +Patchwork: https://patchwork.freedesktop.org/patch/520658/ +Link: https://lore.kernel.org/r/20230126170745.v2.1.I90ffed3ddd21e818ae534f820cb4d6d8638859ab@changeid +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/gpu/drm/msm/dp/dp_aux.c | 80 ++++++++++++----------------- + drivers/gpu/drm/msm/dp/dp_catalog.c | 2 +- + drivers/gpu/drm/msm/dp/dp_catalog.h | 2 +- + 3 files changed, 36 insertions(+), 48 deletions(-) + +diff --git a/drivers/gpu/drm/msm/dp/dp_aux.c b/drivers/gpu/drm/msm/dp/dp_aux.c +index cc3efed5..84f9e3e5 100644 +--- a/drivers/gpu/drm/msm/dp/dp_aux.c ++++ b/drivers/gpu/drm/msm/dp/dp_aux.c +@@ -162,47 +162,6 @@ static ssize_t dp_aux_cmd_fifo_rx(struct dp_aux_private *aux, + return i; + } + +-static void dp_aux_native_handler(struct dp_aux_private *aux, u32 isr) +-{ +- if (isr & DP_INTR_AUX_I2C_DONE) +- aux->aux_error_num = DP_AUX_ERR_NONE; +- else if (isr & DP_INTR_WRONG_ADDR) +- aux->aux_error_num = DP_AUX_ERR_ADDR; +- else if (isr & DP_INTR_TIMEOUT) +- aux->aux_error_num = DP_AUX_ERR_TOUT; +- if (isr & DP_INTR_NACK_DEFER) +- aux->aux_error_num = DP_AUX_ERR_NACK; +- if (isr & DP_INTR_AUX_ERROR) { +- aux->aux_error_num = DP_AUX_ERR_PHY; +- dp_catalog_aux_clear_hw_interrupts(aux->catalog); +- } +-} +- +-static void dp_aux_i2c_handler(struct dp_aux_private *aux, u32 isr) +-{ +- if (isr & DP_INTR_AUX_I2C_DONE) { +- if (isr & (DP_INTR_I2C_NACK | DP_INTR_I2C_DEFER)) +- aux->aux_error_num = DP_AUX_ERR_NACK; +- else +- aux->aux_error_num = DP_AUX_ERR_NONE; +- } else { +- if (isr & DP_INTR_WRONG_ADDR) +- aux->aux_error_num = DP_AUX_ERR_ADDR; +- else if (isr & DP_INTR_TIMEOUT) +- aux->aux_error_num = DP_AUX_ERR_TOUT; +- if (isr & DP_INTR_NACK_DEFER) +- aux->aux_error_num = DP_AUX_ERR_NACK_DEFER; +- if (isr & DP_INTR_I2C_NACK) +- aux->aux_error_num = DP_AUX_ERR_NACK; +- if (isr & DP_INTR_I2C_DEFER) +- aux->aux_error_num = DP_AUX_ERR_DEFER; +- if (isr & DP_INTR_AUX_ERROR) { +- aux->aux_error_num = DP_AUX_ERR_PHY; +- dp_catalog_aux_clear_hw_interrupts(aux->catalog); +- } +- } +-} +- + static void dp_aux_update_offset_and_segment(struct dp_aux_private *aux, + struct drm_dp_aux_msg *input_msg) + { +@@ -427,13 +386,42 @@ void dp_aux_isr(struct drm_dp_aux *dp_aux) + if (!isr) + return; + +- if (!aux->cmd_busy) ++ if (!aux->cmd_busy) { ++ DRM_ERROR("Unexpected DP AUX IRQ %#010x when not busy\n", isr); + return; ++ } + +- if (aux->native) +- dp_aux_native_handler(aux, isr); +- else +- dp_aux_i2c_handler(aux, isr); ++ /* ++ * The logic below assumes only one error bit is set (other than "done" ++ * which can apparently be set at the same time as some of the other ++ * bits). Warn if more than one get set so we know we need to improve ++ * the logic. ++ */ ++ if (hweight32(isr & ~DP_INTR_AUX_XFER_DONE) > 1) ++ DRM_WARN("Some DP AUX interrupts unhandled: %#010x\n", isr); ++ ++ if (isr & DP_INTR_AUX_ERROR) { ++ aux->aux_error_num = DP_AUX_ERR_PHY; ++ dp_catalog_aux_clear_hw_interrupts(aux->catalog); ++ } else if (isr & DP_INTR_NACK_DEFER) { ++ aux->aux_error_num = DP_AUX_ERR_NACK_DEFER; ++ } else if (isr & DP_INTR_WRONG_ADDR) { ++ aux->aux_error_num = DP_AUX_ERR_ADDR; ++ } else if (isr & DP_INTR_TIMEOUT) { ++ aux->aux_error_num = DP_AUX_ERR_TOUT; ++ } else if (!aux->native && (isr & DP_INTR_I2C_NACK)) { ++ aux->aux_error_num = DP_AUX_ERR_NACK; ++ } else if (!aux->native && (isr & DP_INTR_I2C_DEFER)) { ++ if (isr & DP_INTR_AUX_XFER_DONE) ++ aux->aux_error_num = DP_AUX_ERR_NACK; ++ else ++ aux->aux_error_num = DP_AUX_ERR_DEFER; ++ } else if (isr & DP_INTR_AUX_XFER_DONE) { ++ aux->aux_error_num = DP_AUX_ERR_NONE; ++ } else { ++ DRM_WARN("Unexpected interrupt: %#010x\n", isr); ++ return; ++ } + + complete(&aux->comp); + } +diff --git a/drivers/gpu/drm/msm/dp/dp_catalog.c b/drivers/gpu/drm/msm/dp/dp_catalog.c +index 676279d0..42139175 100644 +--- a/drivers/gpu/drm/msm/dp/dp_catalog.c ++++ b/drivers/gpu/drm/msm/dp/dp_catalog.c +@@ -27,7 +27,7 @@ + #define DP_INTF_CONFIG_DATABUS_WIDEN BIT(4) + + #define DP_INTERRUPT_STATUS1 \ +- (DP_INTR_AUX_I2C_DONE| \ ++ (DP_INTR_AUX_XFER_DONE| \ + DP_INTR_WRONG_ADDR | DP_INTR_TIMEOUT | \ + DP_INTR_NACK_DEFER | DP_INTR_WRONG_DATA_CNT | \ + DP_INTR_I2C_NACK | DP_INTR_I2C_DEFER | \ +diff --git a/drivers/gpu/drm/msm/dp/dp_catalog.h b/drivers/gpu/drm/msm/dp/dp_catalog.h +index 1f717f45..f36b7b37 100644 +--- a/drivers/gpu/drm/msm/dp/dp_catalog.h ++++ b/drivers/gpu/drm/msm/dp/dp_catalog.h +@@ -13,7 +13,7 @@ + + /* interrupts */ + #define DP_INTR_HPD BIT(0) +-#define DP_INTR_AUX_I2C_DONE BIT(3) ++#define DP_INTR_AUX_XFER_DONE BIT(3) + #define DP_INTR_WRONG_ADDR BIT(6) + #define DP_INTR_TIMEOUT BIT(9) + #define DP_INTR_NACK_DEFER BIT(12) +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-073-ACPICA-Avoid-undefined-behavior-applying-zero-o.patch b/patches.kernel.org/6.3.4-073-ACPICA-Avoid-undefined-behavior-applying-zero-o.patch new file mode 100644 index 0000000..d0c9701 --- /dev/null +++ b/patches.kernel.org/6.3.4-073-ACPICA-Avoid-undefined-behavior-applying-zero-o.patch @@ -0,0 +1,69 @@ +From: Tamir Duberstein +Date: Wed, 5 Apr 2023 15:42:43 +0200 +Subject: [PATCH] ACPICA: Avoid undefined behavior: applying zero offset to + null pointer +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 05bb0167c80b8f93c6a4e0451b7da9b96db990c2 + +[ Upstream commit 05bb0167c80b8f93c6a4e0451b7da9b96db990c2 ] + +ACPICA commit 770653e3ba67c30a629ca7d12e352d83c2541b1e + +Before this change we see the following UBSAN stack trace in Fuchsia: + + #0 0x000021e4213b3302 in acpi_ds_init_aml_walk(struct acpi_walk_state*, union acpi_parse_object*, struct acpi_namespace_node*, u8*, u32, struct acpi_evaluate_info*, u8) ../../third_party/acpica/source/components/dispatcher/dswstate.c:682 +0x233302 + #1.2 0x000020d0f660777f in ubsan_get_stack_trace() compiler-rt/lib/ubsan/ubsan_diag.cpp:41 +0x3d77f + #1.1 0x000020d0f660777f in maybe_print_stack_trace() compiler-rt/lib/ubsan/ubsan_diag.cpp:51 +0x3d77f + #1 0x000020d0f660777f in ~scoped_report() compiler-rt/lib/ubsan/ubsan_diag.cpp:387 +0x3d77f + #2 0x000020d0f660b96d in handlepointer_overflow_impl() compiler-rt/lib/ubsan/ubsan_handlers.cpp:809 +0x4196d + #3 0x000020d0f660b50d in compiler-rt/lib/ubsan/ubsan_handlers.cpp:815 +0x4150d + #4 0x000021e4213b3302 in acpi_ds_init_aml_walk(struct acpi_walk_state*, union acpi_parse_object*, struct acpi_namespace_node*, u8*, u32, struct acpi_evaluate_info*, u8) ../../third_party/acpica/source/components/dispatcher/dswstate.c:682 +0x233302 + #5 0x000021e4213e2369 in acpi_ds_call_control_method(struct acpi_thread_state*, struct acpi_walk_state*, union acpi_parse_object*) ../../third_party/acpica/source/components/dispatcher/dsmethod.c:605 +0x262369 + #6 0x000021e421437fac in acpi_ps_parse_aml(struct acpi_walk_state*) ../../third_party/acpica/source/components/parser/psparse.c:550 +0x2b7fac + #7 0x000021e4214464d2 in acpi_ps_execute_method(struct acpi_evaluate_info*) ../../third_party/acpica/source/components/parser/psxface.c:244 +0x2c64d2 + #8 0x000021e4213aa052 in acpi_ns_evaluate(struct acpi_evaluate_info*) ../../third_party/acpica/source/components/namespace/nseval.c:250 +0x22a052 + #9 0x000021e421413dd8 in acpi_ns_init_one_device(acpi_handle, u32, void*, void**) ../../third_party/acpica/source/components/namespace/nsinit.c:735 +0x293dd8 + #10 0x000021e421429e98 in acpi_ns_walk_namespace(acpi_object_type, acpi_handle, u32, u32, acpi_walk_callback, acpi_walk_callback, void*, void**) ../../third_party/acpica/source/components/namespace/nswalk.c:298 +0x2a9e98 + #11 0x000021e4214131ac in acpi_ns_initialize_devices(u32) ../../third_party/acpica/source/components/namespace/nsinit.c:268 +0x2931ac + #12 0x000021e42147c40d in acpi_initialize_objects(u32) ../../third_party/acpica/source/components/utilities/utxfinit.c:304 +0x2fc40d + #13 0x000021e42126d603 in acpi::acpi_impl::initialize_acpi(acpi::acpi_impl*) ../../src/devices/board/lib/acpi/acpi-impl.cc:224 +0xed603 + +Add a simple check that avoids incrementing a pointer by zero, but +otherwise behaves as before. Note that our findings are against ACPICA +20221020, but the same code exists on master. + +Link: https://github.com/acpica/acpica/commit/770653e3 +Signed-off-by: Bob Moore +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/acpi/acpica/dswstate.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/drivers/acpi/acpica/dswstate.c b/drivers/acpi/acpica/dswstate.c +index 0aa735d3..77076da2 100644 +--- a/drivers/acpi/acpica/dswstate.c ++++ b/drivers/acpi/acpica/dswstate.c +@@ -576,9 +576,14 @@ acpi_ds_init_aml_walk(struct acpi_walk_state *walk_state, + ACPI_FUNCTION_TRACE(ds_init_aml_walk); + + walk_state->parser_state.aml = +- walk_state->parser_state.aml_start = aml_start; +- walk_state->parser_state.aml_end = +- walk_state->parser_state.pkg_end = aml_start + aml_length; ++ walk_state->parser_state.aml_start = ++ walk_state->parser_state.aml_end = ++ walk_state->parser_state.pkg_end = aml_start; ++ /* Avoid undefined behavior: applying zero offset to null pointer */ ++ if (aml_length != 0) { ++ walk_state->parser_state.aml_end += aml_length; ++ walk_state->parser_state.pkg_end += aml_length; ++ } + + /* The next_op of the next_walk will be the beginning of the method */ + +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-074-ACPICA-ACPICA-check-null-return-of-ACPI_ALLOCAT.patch b/patches.kernel.org/6.3.4-074-ACPICA-ACPICA-check-null-return-of-ACPI_ALLOCAT.patch new file mode 100644 index 0000000..9d4cf87 --- /dev/null +++ b/patches.kernel.org/6.3.4-074-ACPICA-ACPICA-check-null-return-of-ACPI_ALLOCAT.patch @@ -0,0 +1,41 @@ +From: void0red <30990023+void0red@users.noreply.github.com> +Date: Wed, 5 Apr 2023 15:57:57 +0200 +Subject: [PATCH] ACPICA: ACPICA: check null return of ACPI_ALLOCATE_ZEROED in + acpi_db_display_objects +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: ae5a0eccc85fc960834dd66e3befc2728284b86c + +[ Upstream commit ae5a0eccc85fc960834dd66e3befc2728284b86c ] + +ACPICA commit 0d5f467d6a0ba852ea3aad68663cbcbd43300fd4 + +ACPI_ALLOCATE_ZEROED may fails, object_info might be null and will cause +null pointer dereference later. + +Link: https://github.com/acpica/acpica/commit/0d5f467d +Signed-off-by: Bob Moore +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/acpi/acpica/dbnames.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/acpi/acpica/dbnames.c b/drivers/acpi/acpica/dbnames.c +index 3615e1a6..b91155ea 100644 +--- a/drivers/acpi/acpica/dbnames.c ++++ b/drivers/acpi/acpica/dbnames.c +@@ -652,6 +652,9 @@ acpi_status acpi_db_display_objects(char *obj_type_arg, char *display_count_arg) + object_info = + ACPI_ALLOCATE_ZEROED(sizeof(struct acpi_object_info)); + ++ if (!object_info) ++ return (AE_NO_MEMORY); ++ + /* Walk the namespace from the root */ + + (void)acpi_walk_namespace(ACPI_TYPE_ANY, ACPI_ROOT_OBJECT, +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-075-arm64-dts-qcom-sdm845-polaris-Drop-inexistent-p.patch b/patches.kernel.org/6.3.4-075-arm64-dts-qcom-sdm845-polaris-Drop-inexistent-p.patch new file mode 100644 index 0000000..0ab567a --- /dev/null +++ b/patches.kernel.org/6.3.4-075-arm64-dts-qcom-sdm845-polaris-Drop-inexistent-p.patch @@ -0,0 +1,37 @@ +From: Konrad Dybcio +Date: Thu, 6 Apr 2023 14:55:45 +0200 +Subject: [PATCH] arm64: dts: qcom: sdm845-polaris: Drop inexistent properties +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: fbc3a1df2866608ca43e7e6d602f66208a5afd88 + +[ Upstream commit fbc3a1df2866608ca43e7e6d602f66208a5afd88 ] + +Drop the qcom,snoc-host-cap-skip-quirk that was never introduced to +solve schema warnings. + +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: Konrad Dybcio +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20230406-topic-ath10k_bindings-v3-2-00895afc7764@linaro.org +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + arch/arm64/boot/dts/qcom/sdm845-xiaomi-polaris.dts | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/arch/arm64/boot/dts/qcom/sdm845-xiaomi-polaris.dts b/arch/arm64/boot/dts/qcom/sdm845-xiaomi-polaris.dts +index 1b7fdbae..56f2d855 100644 +--- a/arch/arm64/boot/dts/qcom/sdm845-xiaomi-polaris.dts ++++ b/arch/arm64/boot/dts/qcom/sdm845-xiaomi-polaris.dts +@@ -712,7 +712,5 @@ &wifi { + vdd-1.3-rfa-supply = <&vreg_l17a_1p3>; + vdd-3.3-ch0-supply = <&vreg_l25a_3p3>; + vdd-3.3-ch1-supply = <&vreg_l23a_3p3>; +- +- qcom,snoc-host-cap-skip-quirk; + status = "okay"; + }; +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-076-arm64-dts-qcom-sm6115-j606f-Add-ramoops-node.patch b/patches.kernel.org/6.3.4-076-arm64-dts-qcom-sm6115-j606f-Add-ramoops-node.patch new file mode 100644 index 0000000..ed650cd --- /dev/null +++ b/patches.kernel.org/6.3.4-076-arm64-dts-qcom-sm6115-j606f-Add-ramoops-node.patch @@ -0,0 +1,45 @@ +From: Konrad Dybcio +Date: Fri, 7 Apr 2023 21:54:41 +0200 +Subject: [PATCH] arm64: dts: qcom: sm6115-j606f: Add ramoops node +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 8b0ac59c2da69aaf8e65c6bd648a06b755975302 + +[ Upstream commit 8b0ac59c2da69aaf8e65c6bd648a06b755975302 ] + +Add a ramoops node to enable retrieving crash logs. + +Signed-off-by: Konrad Dybcio +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20230406-topic-lenovo_features-v2-1-625d7cb4a944@linaro.org +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + arch/arm64/boot/dts/qcom/sm6115p-lenovo-j606f.dts | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/arch/arm64/boot/dts/qcom/sm6115p-lenovo-j606f.dts b/arch/arm64/boot/dts/qcom/sm6115p-lenovo-j606f.dts +index 4ce2d905..42d89bab 100644 +--- a/arch/arm64/boot/dts/qcom/sm6115p-lenovo-j606f.dts ++++ b/arch/arm64/boot/dts/qcom/sm6115p-lenovo-j606f.dts +@@ -52,6 +52,17 @@ key-volume-up { + gpio-key,wakeup; + }; + }; ++ ++ reserved-memory { ++ ramoops@ffc00000 { ++ compatible = "ramoops"; ++ reg = <0x0 0xffc00000 0x0 0x100000>; ++ record-size = <0x1000>; ++ console-size = <0x40000>; ++ ftrace-size = <0x20000>; ++ ecc-size = <16>; ++ }; ++ }; + }; + + &dispcc { +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-077-irqchip-gicv3-Workaround-for-NVIDIA-erratum-T24.patch b/patches.kernel.org/6.3.4-077-irqchip-gicv3-Workaround-for-NVIDIA-erratum-T24.patch new file mode 100644 index 0000000..f39fa69 --- /dev/null +++ b/patches.kernel.org/6.3.4-077-irqchip-gicv3-Workaround-for-NVIDIA-erratum-T24.patch @@ -0,0 +1,460 @@ +From: Shanker Donthineni +Date: Sat, 18 Mar 2023 21:43:14 -0500 +Subject: [PATCH] irqchip/gicv3: Workaround for NVIDIA erratum T241-FABRIC-4 +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 35727af2b15d98a2dd2811d631d3a3886111312e + +[ Upstream commit 35727af2b15d98a2dd2811d631d3a3886111312e ] + +The T241 platform suffers from the T241-FABRIC-4 erratum which causes +unexpected behavior in the GIC when multiple transactions are received +simultaneously from different sources. This hardware issue impacts +NVIDIA server platforms that use more than two T241 chips +interconnected. Each chip has support for 320 {E}SPIs. + +This issue occurs when multiple packets from different GICs are +incorrectly interleaved at the target chip. The erratum text below +specifies exactly what can cause multiple transfer packets susceptible +to interleaving and GIC state corruption. GIC state corruption can +lead to a range of problems, including kernel panics, and unexpected +behavior. + +>From the erratum text: + "In some cases, inter-socket AXI4 Stream packets with multiple + transfers, may be interleaved by the fabric when presented to ARM + Generic Interrupt Controller. GIC expects all transfers of a packet + to be delivered without any interleaving. + + The following GICv3 commands may result in multiple transfer packets + over inter-socket AXI4 Stream interface: + - Register reads from GICD_I* and GICD_N* + - Register writes to 64-bit GICD registers other than GICD_IROUTERn* + - ITS command MOVALL + + Multiple commands in GICv4+ utilize multiple transfer packets, + including VMOVP, VMOVI, VMAPP, and 64-bit register accesses." + + This issue impacts system configurations with more than 2 sockets, + that require multi-transfer packets to be sent over inter-socket + AXI4 Stream interface between GIC instances on different sockets. + GICv4 cannot be supported. GICv3 SW model can only be supported + with the workaround. Single and Dual socket configurations are not + impacted by this issue and support GICv3 and GICv4." + +Link: https://developer.nvidia.com/docs/t241-fabric-4/nvidia-t241-fabric-4-errata.pdf + +Writing to the chip alias region of the GICD_In{E} registers except +GICD_ICENABLERn has an equivalent effect as writing to the global +distributor. The SPI interrupt deactivate path is not impacted by +the erratum. + +To fix this problem, implement a workaround that ensures read accesses +to the GICD_In{E} registers are directed to the chip that owns the +SPI, and disable GICv4.x features. To simplify code changes, the +gic_configure_irq() function uses the same alias region for both read +and write operations to GICD_ICFGR. + +Co-developed-by: Vikram Sethi +Signed-off-by: Vikram Sethi +Signed-off-by: Shanker Donthineni +Acked-by: Sudeep Holla (for SMCCC/SOC ID bits) +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/20230319024314.3540573-2-sdonthineni@nvidia.com +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + Documentation/arm64/silicon-errata.rst | 2 + + drivers/firmware/smccc/smccc.c | 26 ++++++ + drivers/firmware/smccc/soc_id.c | 28 ++---- + drivers/irqchip/Kconfig | 1 + + drivers/irqchip/irq-gic-v3.c | 115 ++++++++++++++++++++++--- + include/linux/arm-smccc.h | 18 ++++ + 6 files changed, 156 insertions(+), 34 deletions(-) + +diff --git a/Documentation/arm64/silicon-errata.rst b/Documentation/arm64/silicon-errata.rst +index ec5f889d..e31f6c06 100644 +--- a/Documentation/arm64/silicon-errata.rst ++++ b/Documentation/arm64/silicon-errata.rst +@@ -172,6 +172,8 @@ stable kernels. + +----------------+-----------------+-----------------+-----------------------------+ + | NVIDIA | Carmel Core | N/A | NVIDIA_CARMEL_CNP_ERRATUM | + +----------------+-----------------+-----------------+-----------------------------+ ++| NVIDIA | T241 GICv3/4.x | T241-FABRIC-4 | N/A | +++----------------+-----------------+-----------------+-----------------------------+ + +----------------+-----------------+-----------------+-----------------------------+ + | Freescale/NXP | LS2080A/LS1043A | A-008585 | FSL_ERRATUM_A008585 | + +----------------+-----------------+-----------------+-----------------------------+ +diff --git a/drivers/firmware/smccc/smccc.c b/drivers/firmware/smccc/smccc.c +index 60ccf3e9..db818f9d 100644 +--- a/drivers/firmware/smccc/smccc.c ++++ b/drivers/firmware/smccc/smccc.c +@@ -17,9 +17,13 @@ static enum arm_smccc_conduit smccc_conduit = SMCCC_CONDUIT_NONE; + + bool __ro_after_init smccc_trng_available = false; + u64 __ro_after_init smccc_has_sve_hint = false; ++s32 __ro_after_init smccc_soc_id_version = SMCCC_RET_NOT_SUPPORTED; ++s32 __ro_after_init smccc_soc_id_revision = SMCCC_RET_NOT_SUPPORTED; + + void __init arm_smccc_version_init(u32 version, enum arm_smccc_conduit conduit) + { ++ struct arm_smccc_res res; ++ + smccc_version = version; + smccc_conduit = conduit; + +@@ -27,6 +31,18 @@ void __init arm_smccc_version_init(u32 version, enum arm_smccc_conduit conduit) + if (IS_ENABLED(CONFIG_ARM64_SVE) && + smccc_version >= ARM_SMCCC_VERSION_1_3) + smccc_has_sve_hint = true; ++ ++ if ((smccc_version >= ARM_SMCCC_VERSION_1_2) && ++ (smccc_conduit != SMCCC_CONDUIT_NONE)) { ++ arm_smccc_1_1_invoke(ARM_SMCCC_ARCH_FEATURES_FUNC_ID, ++ ARM_SMCCC_ARCH_SOC_ID, &res); ++ if ((s32)res.a0 >= 0) { ++ arm_smccc_1_1_invoke(ARM_SMCCC_ARCH_SOC_ID, 0, &res); ++ smccc_soc_id_version = (s32)res.a0; ++ arm_smccc_1_1_invoke(ARM_SMCCC_ARCH_SOC_ID, 1, &res); ++ smccc_soc_id_revision = (s32)res.a0; ++ } ++ } + } + + enum arm_smccc_conduit arm_smccc_1_1_get_conduit(void) +@@ -44,6 +60,16 @@ u32 arm_smccc_get_version(void) + } + EXPORT_SYMBOL_GPL(arm_smccc_get_version); + ++s32 arm_smccc_get_soc_id_version(void) ++{ ++ return smccc_soc_id_version; ++} ++ ++s32 arm_smccc_get_soc_id_revision(void) ++{ ++ return smccc_soc_id_revision; ++} ++ + static int __init smccc_devices_init(void) + { + struct platform_device *pdev; +diff --git a/drivers/firmware/smccc/soc_id.c b/drivers/firmware/smccc/soc_id.c +index dd7c3d5e..890eb454 100644 +--- a/drivers/firmware/smccc/soc_id.c ++++ b/drivers/firmware/smccc/soc_id.c +@@ -42,41 +42,23 @@ static int __init smccc_soc_init(void) + if (arm_smccc_get_version() < ARM_SMCCC_VERSION_1_2) + return 0; + +- if (arm_smccc_1_1_get_conduit() == SMCCC_CONDUIT_NONE) { +- pr_err("%s: invalid SMCCC conduit\n", __func__); +- return -EOPNOTSUPP; +- } +- +- arm_smccc_1_1_invoke(ARM_SMCCC_ARCH_FEATURES_FUNC_ID, +- ARM_SMCCC_ARCH_SOC_ID, &res); +- +- if ((int)res.a0 == SMCCC_RET_NOT_SUPPORTED) { ++ soc_id_version = arm_smccc_get_soc_id_version(); ++ if (soc_id_version == SMCCC_RET_NOT_SUPPORTED) { + pr_info("ARCH_SOC_ID not implemented, skipping ....\n"); + return 0; + } + +- if ((int)res.a0 < 0) { +- pr_info("ARCH_FEATURES(ARCH_SOC_ID) returned error: %lx\n", +- res.a0); +- return -EINVAL; +- } +- +- arm_smccc_1_1_invoke(ARM_SMCCC_ARCH_SOC_ID, 0, &res); +- if ((int)res.a0 < 0) { ++ if (soc_id_version < 0) { + pr_err("ARCH_SOC_ID(0) returned error: %lx\n", res.a0); + return -EINVAL; + } + +- soc_id_version = res.a0; +- +- arm_smccc_1_1_invoke(ARM_SMCCC_ARCH_SOC_ID, 1, &res); +- if ((int)res.a0 < 0) { ++ soc_id_rev = arm_smccc_get_soc_id_revision(); ++ if (soc_id_rev < 0) { + pr_err("ARCH_SOC_ID(1) returned error: %lx\n", res.a0); + return -EINVAL; + } + +- soc_id_rev = res.a0; +- + soc_dev_attr = kzalloc(sizeof(*soc_dev_attr), GFP_KERNEL); + if (!soc_dev_attr) + return -ENOMEM; +diff --git a/drivers/irqchip/Kconfig b/drivers/irqchip/Kconfig +index 7dc990eb..9efb383f 100644 +--- a/drivers/irqchip/Kconfig ++++ b/drivers/irqchip/Kconfig +@@ -35,6 +35,7 @@ config ARM_GIC_V3 + select IRQ_DOMAIN_HIERARCHY + select PARTITION_PERCPU + select GENERIC_IRQ_EFFECTIVE_AFF_MASK if SMP ++ select HAVE_ARM_SMCCC_DISCOVERY + + config ARM_GIC_V3_ITS + bool +diff --git a/drivers/irqchip/irq-gic-v3.c b/drivers/irqchip/irq-gic-v3.c +index fd134e1f..6fcee221 100644 +--- a/drivers/irqchip/irq-gic-v3.c ++++ b/drivers/irqchip/irq-gic-v3.c +@@ -24,6 +24,9 @@ + #include + #include + #include ++#include ++#include ++#include + + #include + #include +@@ -47,6 +50,7 @@ struct redist_region { + + struct gic_chip_data { + struct fwnode_handle *fwnode; ++ phys_addr_t dist_phys_base; + void __iomem *dist_base; + struct redist_region *redist_regions; + struct rdists rdists; +@@ -59,6 +63,10 @@ struct gic_chip_data { + struct partition_desc **ppi_descs; + }; + ++#define T241_CHIPS_MAX 4 ++static void __iomem *t241_dist_base_alias[T241_CHIPS_MAX] __read_mostly; ++static DEFINE_STATIC_KEY_FALSE(gic_nvidia_t241_erratum); ++ + static struct gic_chip_data gic_data __read_mostly; + static DEFINE_STATIC_KEY_TRUE(supports_deactivate_key); + +@@ -179,6 +187,39 @@ static inline bool gic_irq_in_rdist(struct irq_data *d) + } + } + ++static inline void __iomem *gic_dist_base_alias(struct irq_data *d) ++{ ++ if (static_branch_unlikely(&gic_nvidia_t241_erratum)) { ++ irq_hw_number_t hwirq = irqd_to_hwirq(d); ++ u32 chip; ++ ++ /* ++ * For the erratum T241-FABRIC-4, read accesses to GICD_In{E} ++ * registers are directed to the chip that owns the SPI. The ++ * the alias region can also be used for writes to the ++ * GICD_In{E} except GICD_ICENABLERn. Each chip has support ++ * for 320 {E}SPIs. Mappings for all 4 chips: ++ * Chip0 = 32-351 ++ * Chip1 = 352-671 ++ * Chip2 = 672-991 ++ * Chip3 = 4096-4415 ++ */ ++ switch (__get_intid_range(hwirq)) { ++ case SPI_RANGE: ++ chip = (hwirq - 32) / 320; ++ break; ++ case ESPI_RANGE: ++ chip = 3; ++ break; ++ default: ++ unreachable(); ++ } ++ return t241_dist_base_alias[chip]; ++ } ++ ++ return gic_data.dist_base; ++} ++ + static inline void __iomem *gic_dist_base(struct irq_data *d) + { + switch (get_intid_range(d)) { +@@ -337,7 +378,7 @@ static int gic_peek_irq(struct irq_data *d, u32 offset) + if (gic_irq_in_rdist(d)) + base = gic_data_rdist_sgi_base(); + else +- base = gic_data.dist_base; ++ base = gic_dist_base_alias(d); + + return !!(readl_relaxed(base + offset + (index / 32) * 4) & mask); + } +@@ -588,7 +629,7 @@ static int gic_set_type(struct irq_data *d, unsigned int type) + if (gic_irq_in_rdist(d)) + base = gic_data_rdist_sgi_base(); + else +- base = gic_data.dist_base; ++ base = gic_dist_base_alias(d); + + offset = convert_offset_index(d, GICD_ICFGR, &index); + +@@ -1708,6 +1749,43 @@ static bool gic_enable_quirk_hip06_07(void *data) + return false; + } + ++#define T241_CHIPN_MASK GENMASK_ULL(45, 44) ++#define T241_CHIP_GICDA_OFFSET 0x1580000 ++#define SMCCC_SOC_ID_T241 0x036b0241 ++ ++static bool gic_enable_quirk_nvidia_t241(void *data) ++{ ++ s32 soc_id = arm_smccc_get_soc_id_version(); ++ unsigned long chip_bmask = 0; ++ phys_addr_t phys; ++ u32 i; ++ ++ /* Check JEP106 code for NVIDIA T241 chip (036b:0241) */ ++ if ((soc_id < 0) || (soc_id != SMCCC_SOC_ID_T241)) ++ return false; ++ ++ /* Find the chips based on GICR regions PHYS addr */ ++ for (i = 0; i < gic_data.nr_redist_regions; i++) { ++ chip_bmask |= BIT(FIELD_GET(T241_CHIPN_MASK, ++ (u64)gic_data.redist_regions[i].phys_base)); ++ } ++ ++ if (hweight32(chip_bmask) < 3) ++ return false; ++ ++ /* Setup GICD alias regions */ ++ for (i = 0; i < ARRAY_SIZE(t241_dist_base_alias); i++) { ++ if (chip_bmask & BIT(i)) { ++ phys = gic_data.dist_phys_base + T241_CHIP_GICDA_OFFSET; ++ phys |= FIELD_PREP(T241_CHIPN_MASK, i); ++ t241_dist_base_alias[i] = ioremap(phys, SZ_64K); ++ WARN_ON_ONCE(!t241_dist_base_alias[i]); ++ } ++ } ++ static_branch_enable(&gic_nvidia_t241_erratum); ++ return true; ++} ++ + static const struct gic_quirk gic_quirks[] = { + { + .desc = "GICv3: Qualcomm MSM8996 broken firmware", +@@ -1739,6 +1817,12 @@ static const struct gic_quirk gic_quirks[] = { + .mask = 0xe8f00fff, + .init = gic_enable_quirk_cavium_38539, + }, ++ { ++ .desc = "GICv3: NVIDIA erratum T241-FABRIC-4", ++ .iidr = 0x0402043b, ++ .mask = 0xffffffff, ++ .init = gic_enable_quirk_nvidia_t241, ++ }, + { + } + }; +@@ -1798,7 +1882,8 @@ static void gic_enable_nmi_support(void) + gic_chip.flags |= IRQCHIP_SUPPORTS_NMI; + } + +-static int __init gic_init_bases(void __iomem *dist_base, ++static int __init gic_init_bases(phys_addr_t dist_phys_base, ++ void __iomem *dist_base, + struct redist_region *rdist_regs, + u32 nr_redist_regions, + u64 redist_stride, +@@ -1814,6 +1899,7 @@ static int __init gic_init_bases(void __iomem *dist_base, + pr_info("GIC: Using split EOI/Deactivate mode\n"); + + gic_data.fwnode = handle; ++ gic_data.dist_phys_base = dist_phys_base; + gic_data.dist_base = dist_base; + gic_data.redist_regions = rdist_regs; + gic_data.nr_redist_regions = nr_redist_regions; +@@ -1841,10 +1927,13 @@ static int __init gic_init_bases(void __iomem *dist_base, + gic_data.domain = irq_domain_create_tree(handle, &gic_irq_domain_ops, + &gic_data); + gic_data.rdists.rdist = alloc_percpu(typeof(*gic_data.rdists.rdist)); +- gic_data.rdists.has_rvpeid = true; +- gic_data.rdists.has_vlpis = true; +- gic_data.rdists.has_direct_lpi = true; +- gic_data.rdists.has_vpend_valid_dirty = true; ++ if (!static_branch_unlikely(&gic_nvidia_t241_erratum)) { ++ /* Disable GICv4.x features for the erratum T241-FABRIC-4 */ ++ gic_data.rdists.has_rvpeid = true; ++ gic_data.rdists.has_vlpis = true; ++ gic_data.rdists.has_direct_lpi = true; ++ gic_data.rdists.has_vpend_valid_dirty = true; ++ } + + if (WARN_ON(!gic_data.domain) || WARN_ON(!gic_data.rdists.rdist)) { + err = -ENOMEM; +@@ -2050,6 +2139,7 @@ static void __iomem *gic_of_iomap(struct device_node *node, int idx, + + static int __init gic_of_init(struct device_node *node, struct device_node *parent) + { ++ phys_addr_t dist_phys_base; + void __iomem *dist_base; + struct redist_region *rdist_regs; + struct resource res; +@@ -2063,6 +2153,8 @@ static int __init gic_of_init(struct device_node *node, struct device_node *pare + return PTR_ERR(dist_base); + } + ++ dist_phys_base = res.start; ++ + err = gic_validate_dist_version(dist_base); + if (err) { + pr_err("%pOF: no distributor detected, giving up\n", node); +@@ -2094,8 +2186,8 @@ static int __init gic_of_init(struct device_node *node, struct device_node *pare + + gic_enable_of_quirks(node, gic_quirks, &gic_data); + +- err = gic_init_bases(dist_base, rdist_regs, nr_redist_regions, +- redist_stride, &node->fwnode); ++ err = gic_init_bases(dist_phys_base, dist_base, rdist_regs, ++ nr_redist_regions, redist_stride, &node->fwnode); + if (err) + goto out_unmap_rdist; + +@@ -2411,8 +2503,9 @@ gic_acpi_init(union acpi_subtable_headers *header, const unsigned long end) + goto out_redist_unmap; + } + +- err = gic_init_bases(acpi_data.dist_base, acpi_data.redist_regs, +- acpi_data.nr_redist_regions, 0, gsi_domain_handle); ++ err = gic_init_bases(dist->base_address, acpi_data.dist_base, ++ acpi_data.redist_regs, acpi_data.nr_redist_regions, ++ 0, gsi_domain_handle); + if (err) + goto out_fwhandle_free; + +diff --git a/include/linux/arm-smccc.h b/include/linux/arm-smccc.h +index 220c8c60..f196c19f 100644 +--- a/include/linux/arm-smccc.h ++++ b/include/linux/arm-smccc.h +@@ -226,6 +226,24 @@ void __init arm_smccc_version_init(u32 version, enum arm_smccc_conduit conduit); + + extern u64 smccc_has_sve_hint; + ++/** ++ * arm_smccc_get_soc_id_version() ++ * ++ * Returns the SOC ID version. ++ * ++ * When ARM_SMCCC_ARCH_SOC_ID is not present, returns SMCCC_RET_NOT_SUPPORTED. ++ */ ++s32 arm_smccc_get_soc_id_version(void); ++ ++/** ++ * arm_smccc_get_soc_id_revision() ++ * ++ * Returns the SOC ID revision. ++ * ++ * When ARM_SMCCC_ARCH_SOC_ID is not present, returns SMCCC_RET_NOT_SUPPORTED. ++ */ ++s32 arm_smccc_get_soc_id_revision(void); ++ + /** + * struct arm_smccc_res - Result from SMC/HVC call + * @a0-a3 result values from registers 0 to 3 +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-078-media-ipu3-cio2-support-multiple-sensors-and-VC.patch b/patches.kernel.org/6.3.4-078-media-ipu3-cio2-support-multiple-sensors-and-VC.patch new file mode 100644 index 0000000..7e50837 --- /dev/null +++ b/patches.kernel.org/6.3.4-078-media-ipu3-cio2-support-multiple-sensors-and-VC.patch @@ -0,0 +1,101 @@ +From: Bingbu Cao +Date: Fri, 10 Mar 2023 23:19:10 +0800 +Subject: [PATCH] media: ipu3-cio2: support multiple sensors and VCMs with same + HID +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 567f97bd381fd79fa8563808118fc757cb6fa4ff + +[ Upstream commit 567f97bd381fd79fa8563808118fc757cb6fa4ff ] + +In current cio2-bridge, it is using the hid name to register software +node and software node will create kobject and sysfs entry according to +the node name, if there are multiple sensors and VCMs which are sharing +same HID name, it will cause the software nodes registration failure: + +sysfs: cannot create duplicate filename '/kernel/software_nodes/dw9714' +... +Call Trace: +software_node_register_nodes +cio2_bridge_init +... +kobject_add_internal failed for dw9714 with -EEXIST, +don't try to register things with the same name in the same directory. + +One solution is appending the sensor link(Mipi Port) in SSDB as suffix +of the node name to fix this problem. + +Signed-off-by: Bingbu Cao +Signed-off-by: Sakari Ailus +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/media/pci/intel/ipu3/cio2-bridge.c | 15 +++++++++++---- + drivers/media/pci/intel/ipu3/cio2-bridge.h | 3 ++- + 2 files changed, 13 insertions(+), 5 deletions(-) + +diff --git a/drivers/media/pci/intel/ipu3/cio2-bridge.c b/drivers/media/pci/intel/ipu3/cio2-bridge.c +index dfefe0d8..45427a3a 100644 +--- a/drivers/media/pci/intel/ipu3/cio2-bridge.c ++++ b/drivers/media/pci/intel/ipu3/cio2-bridge.c +@@ -212,6 +212,7 @@ static void cio2_bridge_create_connection_swnodes(struct cio2_bridge *bridge, + struct cio2_sensor *sensor) + { + struct software_node *nodes = sensor->swnodes; ++ char vcm_name[ACPI_ID_LEN + 4]; + + cio2_bridge_init_swnode_names(sensor); + +@@ -229,9 +230,13 @@ static void cio2_bridge_create_connection_swnodes(struct cio2_bridge *bridge, + sensor->node_names.endpoint, + &nodes[SWNODE_CIO2_PORT], + sensor->cio2_properties); +- if (sensor->ssdb.vcmtype) +- nodes[SWNODE_VCM] = +- NODE_VCM(cio2_vcm_types[sensor->ssdb.vcmtype - 1]); ++ if (sensor->ssdb.vcmtype) { ++ /* append ssdb.link to distinguish VCM nodes with same HID */ ++ snprintf(vcm_name, sizeof(vcm_name), "%s-%u", ++ cio2_vcm_types[sensor->ssdb.vcmtype - 1], ++ sensor->ssdb.link); ++ nodes[SWNODE_VCM] = NODE_VCM(vcm_name); ++ } + + cio2_bridge_init_swnode_group(sensor); + } +@@ -295,7 +300,6 @@ static int cio2_bridge_connect_sensor(const struct cio2_sensor_config *cfg, + } + + sensor = &bridge->sensors[bridge->n_sensors]; +- strscpy(sensor->name, cfg->hid, sizeof(sensor->name)); + + ret = cio2_bridge_read_acpi_buffer(adev, "SSDB", + &sensor->ssdb, +@@ -303,6 +307,9 @@ static int cio2_bridge_connect_sensor(const struct cio2_sensor_config *cfg, + if (ret) + goto err_put_adev; + ++ snprintf(sensor->name, sizeof(sensor->name), "%s-%u", ++ cfg->hid, sensor->ssdb.link); ++ + if (sensor->ssdb.vcmtype > ARRAY_SIZE(cio2_vcm_types)) { + dev_warn(&adev->dev, "Unknown VCM type %d\n", + sensor->ssdb.vcmtype); +diff --git a/drivers/media/pci/intel/ipu3/cio2-bridge.h b/drivers/media/pci/intel/ipu3/cio2-bridge.h +index b93b749c..b76ed8a6 100644 +--- a/drivers/media/pci/intel/ipu3/cio2-bridge.h ++++ b/drivers/media/pci/intel/ipu3/cio2-bridge.h +@@ -113,7 +113,8 @@ struct cio2_sensor_config { + }; + + struct cio2_sensor { +- char name[ACPI_ID_LEN]; ++ /* append ssdb.link(u8) in "-%u" format as suffix of HID */ ++ char name[ACPI_ID_LEN + 4]; + struct acpi_device *adev; + struct i2c_client *vcm_i2c_client; + +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-079-ACPI-video-Remove-desktops-without-backlight-DM.patch b/patches.kernel.org/6.3.4-079-ACPI-video-Remove-desktops-without-backlight-DM.patch new file mode 100644 index 0000000..7dbe257 --- /dev/null +++ b/patches.kernel.org/6.3.4-079-ACPI-video-Remove-desktops-without-backlight-DM.patch @@ -0,0 +1,85 @@ +From: Hans de Goede +Date: Tue, 4 Apr 2023 13:02:51 +0200 +Subject: [PATCH] ACPI: video: Remove desktops without backlight DMI quirks +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: abe4f5ae5efa6a63c7d5abfa07eb02bb56b4654e + +[ Upstream commit abe4f5ae5efa6a63c7d5abfa07eb02bb56b4654e ] + +After the recent backlight changes acpi_video# backlight devices are only +registered when explicitly requested from the cmdline, by DMI quirk or by +the GPU driver. + +This means that we no longer get false-positive backlight control support +advertised on desktop boards. + +Remove the 3 DMI quirks for desktop boards where the false-positive issue +was fixed through quirks before. Note many more desktop boards were +affected but we never build a full quirk list for this. + +Reviewed-by: Mario Limonciello +Signed-off-by: Hans de Goede +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/acpi/video_detect.c | 35 ----------------------------------- + 1 file changed, 35 deletions(-) + +diff --git a/drivers/acpi/video_detect.c b/drivers/acpi/video_detect.c +index 295744fe..bcc25d45 100644 +--- a/drivers/acpi/video_detect.c ++++ b/drivers/acpi/video_detect.c +@@ -130,12 +130,6 @@ static int video_detect_force_native(const struct dmi_system_id *d) + return 0; + } + +-static int video_detect_force_none(const struct dmi_system_id *d) +-{ +- acpi_backlight_dmi = acpi_backlight_none; +- return 0; +-} +- + static const struct dmi_system_id video_detect_dmi_table[] = { + /* + * Models which should use the vendor backlight interface, +@@ -754,35 +748,6 @@ static const struct dmi_system_id video_detect_dmi_table[] = { + DMI_MATCH(DMI_PRODUCT_NAME, "Vostro 15 3535"), + }, + }, +- +- /* +- * Desktops which falsely report a backlight and which our heuristics +- * for this do not catch. +- */ +- { +- .callback = video_detect_force_none, +- /* Dell OptiPlex 9020M */ +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), +- DMI_MATCH(DMI_PRODUCT_NAME, "OptiPlex 9020M"), +- }, +- }, +- { +- .callback = video_detect_force_none, +- /* GIGABYTE GB-BXBT-2807 */ +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "GIGABYTE"), +- DMI_MATCH(DMI_PRODUCT_NAME, "GB-BXBT-2807"), +- }, +- }, +- { +- .callback = video_detect_force_none, +- /* MSI MS-7721 */ +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "MSI"), +- DMI_MATCH(DMI_PRODUCT_NAME, "MS-7721"), +- }, +- }, + { }, + }; + +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-080-drm-amd-display-Correct-DML-calculation-to-foll.patch b/patches.kernel.org/6.3.4-080-drm-amd-display-Correct-DML-calculation-to-foll.patch new file mode 100644 index 0000000..e1fa385 --- /dev/null +++ b/patches.kernel.org/6.3.4-080-drm-amd-display-Correct-DML-calculation-to-foll.patch @@ -0,0 +1,88 @@ +From: Paul Hsieh +Date: Wed, 22 Mar 2023 17:46:31 +0800 +Subject: [PATCH] drm/amd/display: Correct DML calculation to follow HW SPEC +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 385c3e4c29e1d4ce8f68687a8c84621e4c0e0416 + +[ Upstream commit 385c3e4c29e1d4ce8f68687a8c84621e4c0e0416 ] + +[Why] +In 2560x1600@240p eDP panel, driver use lowest voltage level +to play 1080p video cause underflow. According to HW SPEC, +the senario should use high voltage level. + +[How] +ChromaPre value is zero when bandwidth validation. +Correct ChromaPre calculation. + +Reviewed-by: Nicholas Kazlauskas +Reviewed-by: Jun Lei +Acked-by: Qingqing Zhuo +Signed-off-by: Paul Hsieh +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/gpu/drm/amd/display/dc/dml/dcn30/display_mode_vba_30.c | 2 +- + drivers/gpu/drm/amd/display/dc/dml/dcn31/display_mode_vba_31.c | 2 +- + .../gpu/drm/amd/display/dc/dml/dcn314/display_mode_vba_314.c | 2 +- + drivers/gpu/drm/amd/display/dc/dml/dcn32/display_mode_vba_32.c | 2 +- + 4 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/dml/dcn30/display_mode_vba_30.c b/drivers/gpu/drm/amd/display/dc/dml/dcn30/display_mode_vba_30.c +index 899105da..111eb978 100644 +--- a/drivers/gpu/drm/amd/display/dc/dml/dcn30/display_mode_vba_30.c ++++ b/drivers/gpu/drm/amd/display/dc/dml/dcn30/display_mode_vba_30.c +@@ -4865,7 +4865,7 @@ void dml30_ModeSupportAndSystemConfigurationFull(struct display_mode_lib *mode_l + v->DETBufferSizeCThisState[k], + &v->UrgentBurstFactorCursorPre[k], + &v->UrgentBurstFactorLumaPre[k], +- &v->UrgentBurstFactorChroma[k], ++ &v->UrgentBurstFactorChromaPre[k], + &v->NoUrgentLatencyHidingPre[k]); + } + +diff --git a/drivers/gpu/drm/amd/display/dc/dml/dcn31/display_mode_vba_31.c b/drivers/gpu/drm/amd/display/dc/dml/dcn31/display_mode_vba_31.c +index 536a6362..bd674dc3 100644 +--- a/drivers/gpu/drm/amd/display/dc/dml/dcn31/display_mode_vba_31.c ++++ b/drivers/gpu/drm/amd/display/dc/dml/dcn31/display_mode_vba_31.c +@@ -5191,7 +5191,7 @@ void dml31_ModeSupportAndSystemConfigurationFull(struct display_mode_lib *mode_l + v->DETBufferSizeCThisState[k], + &v->UrgentBurstFactorCursorPre[k], + &v->UrgentBurstFactorLumaPre[k], +- &v->UrgentBurstFactorChroma[k], ++ &v->UrgentBurstFactorChromaPre[k], + &v->NotUrgentLatencyHidingPre[k]); + } + +diff --git a/drivers/gpu/drm/amd/display/dc/dml/dcn314/display_mode_vba_314.c b/drivers/gpu/drm/amd/display/dc/dml/dcn314/display_mode_vba_314.c +index daf31937..7eb2173b 100644 +--- a/drivers/gpu/drm/amd/display/dc/dml/dcn314/display_mode_vba_314.c ++++ b/drivers/gpu/drm/amd/display/dc/dml/dcn314/display_mode_vba_314.c +@@ -5288,7 +5288,7 @@ void dml314_ModeSupportAndSystemConfigurationFull(struct display_mode_lib *mode_ + v->DETBufferSizeCThisState[k], + &v->UrgentBurstFactorCursorPre[k], + &v->UrgentBurstFactorLumaPre[k], +- &v->UrgentBurstFactorChroma[k], ++ &v->UrgentBurstFactorChromaPre[k], + &v->NotUrgentLatencyHidingPre[k]); + } + +diff --git a/drivers/gpu/drm/amd/display/dc/dml/dcn32/display_mode_vba_32.c b/drivers/gpu/drm/amd/display/dc/dml/dcn32/display_mode_vba_32.c +index 02d99b6b..705748a9 100644 +--- a/drivers/gpu/drm/amd/display/dc/dml/dcn32/display_mode_vba_32.c ++++ b/drivers/gpu/drm/amd/display/dc/dml/dcn32/display_mode_vba_32.c +@@ -3353,7 +3353,7 @@ void dml32_ModeSupportAndSystemConfigurationFull(struct display_mode_lib *mode_l + /* Output */ + &mode_lib->vba.UrgentBurstFactorCursorPre[k], + &mode_lib->vba.UrgentBurstFactorLumaPre[k], +- &mode_lib->vba.UrgentBurstFactorChroma[k], ++ &mode_lib->vba.UrgentBurstFactorChromaPre[k], + &mode_lib->vba.NotUrgentLatencyHidingPre[k]); + } + +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-081-drm-amd-Fix-an-out-of-bounds-error-in-BIOS-pars.patch b/patches.kernel.org/6.3.4-081-drm-amd-Fix-an-out-of-bounds-error-in-BIOS-pars.patch new file mode 100644 index 0000000..150e66e --- /dev/null +++ b/patches.kernel.org/6.3.4-081-drm-amd-Fix-an-out-of-bounds-error-in-BIOS-pars.patch @@ -0,0 +1,50 @@ +From: Mario Limonciello +Date: Thu, 23 Mar 2023 14:07:06 -0500 +Subject: [PATCH] drm/amd: Fix an out of bounds error in BIOS parser +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: d116db180decec1b21bba31d2ff495ac4d8e1b83 + +[ Upstream commit d116db180decec1b21bba31d2ff495ac4d8e1b83 ] + +The array is hardcoded to 8 in atomfirmware.h, but firmware provides +a bigger one sometimes. Deferencing the larger array causes an out +of bounds error. + +commit 4fc1ba4aa589 ("drm/amd/display: fix array index out of bound error +in bios parser") fixed some of this, but there are two other cases +not covered by it. Fix those as well. + +Reported-by: erhard_f@mailbox.org +Link: https://bugzilla.kernel.org/show_bug.cgi?id=214853 +Link: https://gitlab.freedesktop.org/drm/amd/-/issues/2473 +Signed-off-by: Mario Limonciello +Reviewed-by: Harry Wentland +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c b/drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c +index e381de24..ae3783a7 100644 +--- a/drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c ++++ b/drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c +@@ -515,11 +515,8 @@ static enum bp_result get_gpio_i2c_info( + info->i2c_slave_address = record->i2c_slave_addr; + + /* TODO: check how to get register offset for en, Y, etc. */ +- info->gpio_info.clk_a_register_index = +- le16_to_cpu( +- header->gpio_pin[table_index].data_a_reg_index); +- info->gpio_info.clk_a_shift = +- header->gpio_pin[table_index].gpio_bitshift; ++ info->gpio_info.clk_a_register_index = le16_to_cpu(pin->data_a_reg_index); ++ info->gpio_info.clk_a_shift = pin->gpio_bitshift; + + return BP_RESULT_OK; + } +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-082-drm-amdgpu-Fix-sdma-v4-sw-fini-error.patch b/patches.kernel.org/6.3.4-082-drm-amdgpu-Fix-sdma-v4-sw-fini-error.patch new file mode 100644 index 0000000..9192db9 --- /dev/null +++ b/patches.kernel.org/6.3.4-082-drm-amdgpu-Fix-sdma-v4-sw-fini-error.patch @@ -0,0 +1,48 @@ +From: lyndonli +Date: Thu, 6 Apr 2023 15:30:34 +0800 +Subject: [PATCH] drm/amdgpu: Fix sdma v4 sw fini error +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 5e08e9c742a00384e5abe74bd40cf4dc15cb3a2e + +[ Upstream commit 5e08e9c742a00384e5abe74bd40cf4dc15cb3a2e ] + +Fix sdma v4 sw fini error for sdma 4.2.2 to +solve the following general protection fault + +[ +0.108196] general protection fault, probably for non-canonical +address 0xd5e5a4ae79d24a32: 0000 [#1] PREEMPT SMP PTI +[ +0.000018] RIP: 0010:free_fw_priv+0xd/0x70 +[ +0.000022] Call Trace: +[ +0.000012] +[ +0.000011] release_firmware+0x55/0x80 +[ +0.000021] amdgpu_ucode_release+0x11/0x20 [amdgpu] +[ +0.000415] amdgpu_sdma_destroy_inst_ctx+0x4f/0x90 [amdgpu] +[ +0.000360] sdma_v4_0_sw_fini+0xce/0x110 [amdgpu] + +Signed-off-by: lyndonli +Reviewed-by: Likun Gao +Reviewed-by: Feifei Xu +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c b/drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c +index 8b8ddf05..a4d84e3f 100644 +--- a/drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c +@@ -1870,7 +1870,7 @@ static int sdma_v4_0_sw_fini(void *handle) + amdgpu_ring_fini(&adev->sdma.instance[i].page); + } + +- if (adev->ip_versions[SDMA0_HWIP][0] == IP_VERSION(4, 2, 0) || ++ if (adev->ip_versions[SDMA0_HWIP][0] == IP_VERSION(4, 2, 2) || + adev->ip_versions[SDMA0_HWIP][0] == IP_VERSION(4, 4, 0)) + amdgpu_sdma_destroy_inst_ctx(adev, true); + else +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-083-media-Prefer-designated-initializers-over-memse.patch b/patches.kernel.org/6.3.4-083-media-Prefer-designated-initializers-over-memse.patch new file mode 100644 index 0000000..4a9bdee --- /dev/null +++ b/patches.kernel.org/6.3.4-083-media-Prefer-designated-initializers-over-memse.patch @@ -0,0 +1,367 @@ +From: Laurent Pinchart +Date: Wed, 15 Feb 2023 17:18:39 +0200 +Subject: [PATCH] media: Prefer designated initializers over memset for subdev + pad ops +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: e3a69496a1cde364c74a600d7a370179b58aed29 + +[ Upstream commit e3a69496a1cde364c74a600d7a370179b58aed29 ] + +Structures passed to subdev pad operations are all zero-initialized, but +not always with the same kind of code constructs. While most drivers +used designated initializers, which zero all the fields that are not +specified, when declaring variables, some use memset(). Those two +methods lead to the same end result, and, depending on compiler +optimizations, may even be completely equivalent, but they're not +consistent. + +Improve coding style consistency by using designated initializers +instead of calling memset(). Where applicable, also move the variables +to inner scopes of for loops to ensure correct initialization in all +iterations. + +Signed-off-by: Laurent Pinchart +Reviewed-by: Lad Prabhakar # For am437x +Acked-by: Sakari Ailus +Reviewed-by: Tomi Valkeinen +Reviewed-by: Kieran Bingham +Reviewed-by: Philipp Zabel +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/media/platform/renesas/vsp1/vsp1_drm.c | 18 +++++++++--------- + .../media/platform/renesas/vsp1/vsp1_entity.c | 11 +++++------ + .../platform/samsung/exynos4-is/fimc-capture.c | 7 ++++--- + drivers/media/platform/ti/am437x/am437x-vpfe.c | 15 ++++++++------- + drivers/media/platform/ti/cal/cal-video.c | 8 ++++---- + drivers/media/usb/dvb-usb/cxusb-analog.c | 14 +++++++------- + drivers/staging/media/imx/imx-media-capture.c | 12 ++++++------ + drivers/staging/media/imx/imx-media-utils.c | 8 ++++---- + drivers/staging/media/omap4iss/iss_video.c | 6 +++--- + 9 files changed, 50 insertions(+), 49 deletions(-) + +diff --git a/drivers/media/platform/renesas/vsp1/vsp1_drm.c b/drivers/media/platform/renesas/vsp1/vsp1_drm.c +index c6f25200..7fe375b6 100644 +--- a/drivers/media/platform/renesas/vsp1/vsp1_drm.c ++++ b/drivers/media/platform/renesas/vsp1/vsp1_drm.c +@@ -66,7 +66,9 @@ static int vsp1_du_insert_uif(struct vsp1_device *vsp1, + struct vsp1_entity *prev, unsigned int prev_pad, + struct vsp1_entity *next, unsigned int next_pad) + { +- struct v4l2_subdev_format format; ++ struct v4l2_subdev_format format = { ++ .which = V4L2_SUBDEV_FORMAT_ACTIVE, ++ }; + int ret; + + if (!uif) { +@@ -82,8 +84,6 @@ static int vsp1_du_insert_uif(struct vsp1_device *vsp1, + prev->sink = uif; + prev->sink_pad = UIF_PAD_SINK; + +- memset(&format, 0, sizeof(format)); +- format.which = V4L2_SUBDEV_FORMAT_ACTIVE; + format.pad = prev_pad; + + ret = v4l2_subdev_call(&prev->subdev, pad, get_fmt, NULL, &format); +@@ -118,8 +118,12 @@ static int vsp1_du_pipeline_setup_rpf(struct vsp1_device *vsp1, + struct vsp1_entity *uif, + unsigned int brx_input) + { +- struct v4l2_subdev_selection sel; +- struct v4l2_subdev_format format; ++ struct v4l2_subdev_selection sel = { ++ .which = V4L2_SUBDEV_FORMAT_ACTIVE, ++ }; ++ struct v4l2_subdev_format format = { ++ .which = V4L2_SUBDEV_FORMAT_ACTIVE, ++ }; + const struct v4l2_rect *crop; + int ret; + +@@ -129,8 +133,6 @@ static int vsp1_du_pipeline_setup_rpf(struct vsp1_device *vsp1, + */ + crop = &vsp1->drm->inputs[rpf->entity.index].crop; + +- memset(&format, 0, sizeof(format)); +- format.which = V4L2_SUBDEV_FORMAT_ACTIVE; + format.pad = RWPF_PAD_SINK; + format.format.width = crop->width + crop->left; + format.format.height = crop->height + crop->top; +@@ -147,8 +149,6 @@ static int vsp1_du_pipeline_setup_rpf(struct vsp1_device *vsp1, + __func__, format.format.width, format.format.height, + format.format.code, rpf->entity.index); + +- memset(&sel, 0, sizeof(sel)); +- sel.which = V4L2_SUBDEV_FORMAT_ACTIVE; + sel.pad = RWPF_PAD_SINK; + sel.target = V4L2_SEL_TGT_CROP; + sel.r = *crop; +diff --git a/drivers/media/platform/renesas/vsp1/vsp1_entity.c b/drivers/media/platform/renesas/vsp1/vsp1_entity.c +index 4c3bd2b1..c31f05a8 100644 +--- a/drivers/media/platform/renesas/vsp1/vsp1_entity.c ++++ b/drivers/media/platform/renesas/vsp1/vsp1_entity.c +@@ -184,15 +184,14 @@ vsp1_entity_get_pad_selection(struct vsp1_entity *entity, + int vsp1_entity_init_cfg(struct v4l2_subdev *subdev, + struct v4l2_subdev_state *sd_state) + { +- struct v4l2_subdev_format format; + unsigned int pad; + + for (pad = 0; pad < subdev->entity.num_pads - 1; ++pad) { +- memset(&format, 0, sizeof(format)); +- +- format.pad = pad; +- format.which = sd_state ? V4L2_SUBDEV_FORMAT_TRY +- : V4L2_SUBDEV_FORMAT_ACTIVE; ++ struct v4l2_subdev_format format = { ++ .pad = pad, ++ .which = sd_state ? V4L2_SUBDEV_FORMAT_TRY ++ : V4L2_SUBDEV_FORMAT_ACTIVE, ++ }; + + v4l2_subdev_call(subdev, pad, set_fmt, sd_state, &format); + } +diff --git a/drivers/media/platform/samsung/exynos4-is/fimc-capture.c b/drivers/media/platform/samsung/exynos4-is/fimc-capture.c +index e3b95a2b..beaee54e 100644 +--- a/drivers/media/platform/samsung/exynos4-is/fimc-capture.c ++++ b/drivers/media/platform/samsung/exynos4-is/fimc-capture.c +@@ -763,7 +763,10 @@ static int fimc_pipeline_try_format(struct fimc_ctx *ctx, + struct fimc_dev *fimc = ctx->fimc_dev; + struct fimc_pipeline *p = to_fimc_pipeline(fimc->vid_cap.ve.pipe); + struct v4l2_subdev *sd = p->subdevs[IDX_SENSOR]; +- struct v4l2_subdev_format sfmt; ++ struct v4l2_subdev_format sfmt = { ++ .which = set ? V4L2_SUBDEV_FORMAT_ACTIVE ++ : V4L2_SUBDEV_FORMAT_TRY, ++ }; + struct v4l2_mbus_framefmt *mf = &sfmt.format; + struct media_entity *me; + struct fimc_fmt *ffmt; +@@ -774,9 +777,7 @@ static int fimc_pipeline_try_format(struct fimc_ctx *ctx, + if (WARN_ON(!sd || !tfmt)) + return -EINVAL; + +- memset(&sfmt, 0, sizeof(sfmt)); + sfmt.format = *tfmt; +- sfmt.which = set ? V4L2_SUBDEV_FORMAT_ACTIVE : V4L2_SUBDEV_FORMAT_TRY; + + me = fimc_pipeline_get_head(&sd->entity); + +diff --git a/drivers/media/platform/ti/am437x/am437x-vpfe.c b/drivers/media/platform/ti/am437x/am437x-vpfe.c +index 2dfae9bc..dffac89c 100644 +--- a/drivers/media/platform/ti/am437x/am437x-vpfe.c ++++ b/drivers/media/platform/ti/am437x/am437x-vpfe.c +@@ -1499,7 +1499,9 @@ static int vpfe_enum_size(struct file *file, void *priv, + struct v4l2_frmsizeenum *fsize) + { + struct vpfe_device *vpfe = video_drvdata(file); +- struct v4l2_subdev_frame_size_enum fse; ++ struct v4l2_subdev_frame_size_enum fse = { ++ .which = V4L2_SUBDEV_FORMAT_ACTIVE, ++ }; + struct v4l2_subdev *sd = vpfe->current_subdev->sd; + struct vpfe_fmt *fmt; + int ret; +@@ -1514,11 +1516,9 @@ static int vpfe_enum_size(struct file *file, void *priv, + + memset(fsize->reserved, 0x0, sizeof(fsize->reserved)); + +- memset(&fse, 0x0, sizeof(fse)); + fse.index = fsize->index; + fse.pad = 0; + fse.code = fmt->code; +- fse.which = V4L2_SUBDEV_FORMAT_ACTIVE; + ret = v4l2_subdev_call(sd, pad, enum_frame_size, NULL, &fse); + if (ret) + return ret; +@@ -2146,7 +2146,6 @@ vpfe_async_bound(struct v4l2_async_notifier *notifier, + { + struct vpfe_device *vpfe = container_of(notifier->v4l2_dev, + struct vpfe_device, v4l2_dev); +- struct v4l2_subdev_mbus_code_enum mbus_code; + struct vpfe_subdev_info *sdinfo; + struct vpfe_fmt *fmt; + int ret = 0; +@@ -2173,9 +2172,11 @@ vpfe_async_bound(struct v4l2_async_notifier *notifier, + + vpfe->num_active_fmt = 0; + for (j = 0, i = 0; (ret != -EINVAL); ++j) { +- memset(&mbus_code, 0, sizeof(mbus_code)); +- mbus_code.index = j; +- mbus_code.which = V4L2_SUBDEV_FORMAT_ACTIVE; ++ struct v4l2_subdev_mbus_code_enum mbus_code = { ++ .index = j, ++ .which = V4L2_SUBDEV_FORMAT_ACTIVE, ++ }; ++ + ret = v4l2_subdev_call(subdev, pad, enum_mbus_code, + NULL, &mbus_code); + if (ret) +diff --git a/drivers/media/platform/ti/cal/cal-video.c b/drivers/media/platform/ti/cal/cal-video.c +index 4eade409d..bbfd2719 100644 +--- a/drivers/media/platform/ti/cal/cal-video.c ++++ b/drivers/media/platform/ti/cal/cal-video.c +@@ -811,7 +811,6 @@ static const struct v4l2_file_operations cal_fops = { + + static int cal_ctx_v4l2_init_formats(struct cal_ctx *ctx) + { +- struct v4l2_subdev_mbus_code_enum mbus_code; + struct v4l2_mbus_framefmt mbus_fmt; + const struct cal_format_info *fmtinfo; + unsigned int i, j, k; +@@ -826,10 +825,11 @@ static int cal_ctx_v4l2_init_formats(struct cal_ctx *ctx) + ctx->num_active_fmt = 0; + + for (j = 0, i = 0; ; ++j) { ++ struct v4l2_subdev_mbus_code_enum mbus_code = { ++ .index = j, ++ .which = V4L2_SUBDEV_FORMAT_ACTIVE, ++ }; + +- memset(&mbus_code, 0, sizeof(mbus_code)); +- mbus_code.index = j; +- mbus_code.which = V4L2_SUBDEV_FORMAT_ACTIVE; + ret = v4l2_subdev_call(ctx->phy->source, pad, enum_mbus_code, + NULL, &mbus_code); + if (ret == -EINVAL) +diff --git a/drivers/media/usb/dvb-usb/cxusb-analog.c b/drivers/media/usb/dvb-usb/cxusb-analog.c +index e93183dd..deba5224 100644 +--- a/drivers/media/usb/dvb-usb/cxusb-analog.c ++++ b/drivers/media/usb/dvb-usb/cxusb-analog.c +@@ -1014,7 +1014,10 @@ static int cxusb_medion_try_s_fmt_vid_cap(struct file *file, + { + struct dvb_usb_device *dvbdev = video_drvdata(file); + struct cxusb_medion_dev *cxdev = dvbdev->priv; +- struct v4l2_subdev_format subfmt; ++ struct v4l2_subdev_format subfmt = { ++ .which = isset ? V4L2_SUBDEV_FORMAT_ACTIVE : ++ V4L2_SUBDEV_FORMAT_TRY, ++ }; + u32 field; + int ret; + +@@ -1024,9 +1027,6 @@ static int cxusb_medion_try_s_fmt_vid_cap(struct file *file, + field = vb2_start_streaming_called(&cxdev->videoqueue) ? + cxdev->field_order : cxusb_medion_field_order(cxdev); + +- memset(&subfmt, 0, sizeof(subfmt)); +- subfmt.which = isset ? V4L2_SUBDEV_FORMAT_ACTIVE : +- V4L2_SUBDEV_FORMAT_TRY; + subfmt.format.width = f->fmt.pix.width & ~1; + subfmt.format.height = f->fmt.pix.height & ~1; + subfmt.format.code = MEDIA_BUS_FMT_FIXED; +@@ -1464,7 +1464,9 @@ int cxusb_medion_analog_init(struct dvb_usb_device *dvbdev) + .buf = tuner_analog_msg_data, + .len = + sizeof(tuner_analog_msg_data) }; +- struct v4l2_subdev_format subfmt; ++ struct v4l2_subdev_format subfmt = { ++ .which = V4L2_SUBDEV_FORMAT_ACTIVE, ++ }; + int ret; + + /* switch tuner to analog mode so IF demod will become accessible */ +@@ -1507,8 +1509,6 @@ int cxusb_medion_analog_init(struct dvb_usb_device *dvbdev) + v4l2_subdev_call(cxdev->tuner, video, s_std, cxdev->norm); + v4l2_subdev_call(cxdev->cx25840, video, s_std, cxdev->norm); + +- memset(&subfmt, 0, sizeof(subfmt)); +- subfmt.which = V4L2_SUBDEV_FORMAT_ACTIVE; + subfmt.format.width = cxdev->width; + subfmt.format.height = cxdev->height; + subfmt.format.code = MEDIA_BUS_FMT_FIXED; +diff --git a/drivers/staging/media/imx/imx-media-capture.c b/drivers/staging/media/imx/imx-media-capture.c +index 93ba0923..5cc67786 100644 +--- a/drivers/staging/media/imx/imx-media-capture.c ++++ b/drivers/staging/media/imx/imx-media-capture.c +@@ -501,14 +501,14 @@ static int capture_legacy_g_parm(struct file *file, void *fh, + struct v4l2_streamparm *a) + { + struct capture_priv *priv = video_drvdata(file); +- struct v4l2_subdev_frame_interval fi; ++ struct v4l2_subdev_frame_interval fi = { ++ .pad = priv->src_sd_pad, ++ }; + int ret; + + if (a->type != V4L2_BUF_TYPE_VIDEO_CAPTURE) + return -EINVAL; + +- memset(&fi, 0, sizeof(fi)); +- fi.pad = priv->src_sd_pad; + ret = v4l2_subdev_call(priv->src_sd, video, g_frame_interval, &fi); + if (ret < 0) + return ret; +@@ -523,14 +523,14 @@ static int capture_legacy_s_parm(struct file *file, void *fh, + struct v4l2_streamparm *a) + { + struct capture_priv *priv = video_drvdata(file); +- struct v4l2_subdev_frame_interval fi; ++ struct v4l2_subdev_frame_interval fi = { ++ .pad = priv->src_sd_pad, ++ }; + int ret; + + if (a->type != V4L2_BUF_TYPE_VIDEO_CAPTURE) + return -EINVAL; + +- memset(&fi, 0, sizeof(fi)); +- fi.pad = priv->src_sd_pad; + fi.interval = a->parm.capture.timeperframe; + ret = v4l2_subdev_call(priv->src_sd, video, s_frame_interval, &fi); + if (ret < 0) +diff --git a/drivers/staging/media/imx/imx-media-utils.c b/drivers/staging/media/imx/imx-media-utils.c +index 411e907b..b545750c 100644 +--- a/drivers/staging/media/imx/imx-media-utils.c ++++ b/drivers/staging/media/imx/imx-media-utils.c +@@ -432,15 +432,15 @@ int imx_media_init_cfg(struct v4l2_subdev *sd, + struct v4l2_subdev_state *sd_state) + { + struct v4l2_mbus_framefmt *mf_try; +- struct v4l2_subdev_format format; + unsigned int pad; + int ret; + + for (pad = 0; pad < sd->entity.num_pads; pad++) { +- memset(&format, 0, sizeof(format)); ++ struct v4l2_subdev_format format = { ++ .pad = pad, ++ .which = V4L2_SUBDEV_FORMAT_ACTIVE, ++ }; + +- format.pad = pad; +- format.which = V4L2_SUBDEV_FORMAT_ACTIVE; + ret = v4l2_subdev_call(sd, pad, get_fmt, NULL, &format); + if (ret) + continue; +diff --git a/drivers/staging/media/omap4iss/iss_video.c b/drivers/staging/media/omap4iss/iss_video.c +index 05548eab..74fb0d18 100644 +--- a/drivers/staging/media/omap4iss/iss_video.c ++++ b/drivers/staging/media/omap4iss/iss_video.c +@@ -237,7 +237,9 @@ static int + __iss_video_get_format(struct iss_video *video, + struct v4l2_mbus_framefmt *format) + { +- struct v4l2_subdev_format fmt; ++ struct v4l2_subdev_format fmt = { ++ .which = V4L2_SUBDEV_FORMAT_ACTIVE, ++ }; + struct v4l2_subdev *subdev; + u32 pad; + int ret; +@@ -246,9 +248,7 @@ __iss_video_get_format(struct iss_video *video, + if (!subdev) + return -EINVAL; + +- memset(&fmt, 0, sizeof(fmt)); + fmt.pad = pad; +- fmt.which = V4L2_SUBDEV_FORMAT_ACTIVE; + + mutex_lock(&video->mutex); + ret = v4l2_subdev_call(subdev, pad, get_fmt, NULL, &fmt); +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-084-drm-amdgpu-Enable-IH-retry-CAM-on-GFX9.patch b/patches.kernel.org/6.3.4-084-drm-amdgpu-Enable-IH-retry-CAM-on-GFX9.patch new file mode 100644 index 0000000..272672a --- /dev/null +++ b/patches.kernel.org/6.3.4-084-drm-amdgpu-Enable-IH-retry-CAM-on-GFX9.patch @@ -0,0 +1,292 @@ +From: Mukul Joshi +Date: Tue, 11 Apr 2023 16:32:29 -0400 +Subject: [PATCH] drm/amdgpu: Enable IH retry CAM on GFX9 +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 318e431b306e966d2ee99e900a11bdc9a701ee83 + +[ Upstream commit 318e431b306e966d2ee99e900a11bdc9a701ee83 ] + +This patch enables the IH retry CAM on GFX9 series cards. This +retry filter is used to prevent sending lots of retry interrupts +in a short span of time and overflowing the IH ring buffer. This +will also help reduce CPU interrupt workload. + +Signed-off-by: Mukul Joshi +Reviewed-by: Felix Kuehling +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_irq.h | 2 + + drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c | 51 +++++++++++------ + drivers/gpu/drm/amd/amdgpu/nbio_v7_4.c | 2 +- + drivers/gpu/drm/amd/amdgpu/vega20_ih.c | 55 +++++++++---------- + drivers/gpu/drm/amd/amdkfd/kfd_svm.c | 10 +++- + .../asic_reg/oss/osssys_4_2_0_offset.h | 6 ++ + .../asic_reg/oss/osssys_4_2_0_sh_mask.h | 11 ++++ + 7 files changed, 88 insertions(+), 49 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_irq.h b/drivers/gpu/drm/amd/amdgpu/amdgpu_irq.h +index e9f2c11e..be243adf 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_irq.h ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_irq.h +@@ -98,6 +98,8 @@ struct amdgpu_irq { + struct irq_domain *domain; /* GPU irq controller domain */ + unsigned virq[AMDGPU_MAX_IRQ_SRC_ID]; + uint32_t srbm_soft_reset; ++ u32 retry_cam_doorbell_index; ++ bool retry_cam_enabled; + }; + + void amdgpu_irq_disable_all(struct amdgpu_device *adev); +diff --git a/drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c b/drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c +index 83d22dd8..bc8b4e40 100644 +--- a/drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c +@@ -553,32 +553,49 @@ static int gmc_v9_0_process_interrupt(struct amdgpu_device *adev, + const char *mmhub_cid; + const char *hub_name; + u64 addr; ++ uint32_t cam_index = 0; ++ int ret; + + addr = (u64)entry->src_data[0] << 12; + addr |= ((u64)entry->src_data[1] & 0xf) << 44; + + if (retry_fault) { +- /* Returning 1 here also prevents sending the IV to the KFD */ ++ if (adev->irq.retry_cam_enabled) { ++ /* Delegate it to a different ring if the hardware hasn't ++ * already done it. ++ */ ++ if (entry->ih == &adev->irq.ih) { ++ amdgpu_irq_delegate(adev, entry, 8); ++ return 1; ++ } ++ ++ cam_index = entry->src_data[2] & 0x3ff; + +- /* Process it onyl if it's the first fault for this address */ +- if (entry->ih != &adev->irq.ih_soft && +- amdgpu_gmc_filter_faults(adev, entry->ih, addr, entry->pasid, ++ ret = amdgpu_vm_handle_fault(adev, entry->pasid, addr, write_fault); ++ WDOORBELL32(adev->irq.retry_cam_doorbell_index, cam_index); ++ if (ret) ++ return 1; ++ } else { ++ /* Process it onyl if it's the first fault for this address */ ++ if (entry->ih != &adev->irq.ih_soft && ++ amdgpu_gmc_filter_faults(adev, entry->ih, addr, entry->pasid, + entry->timestamp)) +- return 1; ++ return 1; + +- /* Delegate it to a different ring if the hardware hasn't +- * already done it. +- */ +- if (entry->ih == &adev->irq.ih) { +- amdgpu_irq_delegate(adev, entry, 8); +- return 1; +- } ++ /* Delegate it to a different ring if the hardware hasn't ++ * already done it. ++ */ ++ if (entry->ih == &adev->irq.ih) { ++ amdgpu_irq_delegate(adev, entry, 8); ++ return 1; ++ } + +- /* Try to handle the recoverable page faults by filling page +- * tables +- */ +- if (amdgpu_vm_handle_fault(adev, entry->pasid, addr, write_fault)) +- return 1; ++ /* Try to handle the recoverable page faults by filling page ++ * tables ++ */ ++ if (amdgpu_vm_handle_fault(adev, entry->pasid, addr, write_fault)) ++ return 1; ++ } + } + + if (!printk_ratelimit()) +diff --git a/drivers/gpu/drm/amd/amdgpu/nbio_v7_4.c b/drivers/gpu/drm/amd/amdgpu/nbio_v7_4.c +index 19455a72..685abf57 100644 +--- a/drivers/gpu/drm/amd/amdgpu/nbio_v7_4.c ++++ b/drivers/gpu/drm/amd/amdgpu/nbio_v7_4.c +@@ -238,7 +238,7 @@ static void nbio_v7_4_ih_doorbell_range(struct amdgpu_device *adev, + + if (use_doorbell) { + ih_doorbell_range = REG_SET_FIELD(ih_doorbell_range, BIF_IH_DOORBELL_RANGE, OFFSET, doorbell_index); +- ih_doorbell_range = REG_SET_FIELD(ih_doorbell_range, BIF_IH_DOORBELL_RANGE, SIZE, 4); ++ ih_doorbell_range = REG_SET_FIELD(ih_doorbell_range, BIF_IH_DOORBELL_RANGE, SIZE, 8); + } else + ih_doorbell_range = REG_SET_FIELD(ih_doorbell_range, BIF_IH_DOORBELL_RANGE, SIZE, 0); + +diff --git a/drivers/gpu/drm/amd/amdgpu/vega20_ih.c b/drivers/gpu/drm/amd/amdgpu/vega20_ih.c +index 1706081d..6a8fb1fb 100644 +--- a/drivers/gpu/drm/amd/amdgpu/vega20_ih.c ++++ b/drivers/gpu/drm/amd/amdgpu/vega20_ih.c +@@ -38,6 +38,11 @@ + #define mmIH_CHICKEN_ALDEBARAN 0x18d + #define mmIH_CHICKEN_ALDEBARAN_BASE_IDX 0 + ++#define mmIH_RETRY_INT_CAM_CNTL_ALDEBARAN 0x00ea ++#define mmIH_RETRY_INT_CAM_CNTL_ALDEBARAN_BASE_IDX 0 ++#define IH_RETRY_INT_CAM_CNTL_ALDEBARAN__ENABLE__SHIFT 0x10 ++#define IH_RETRY_INT_CAM_CNTL_ALDEBARAN__ENABLE_MASK 0x00010000L ++ + static void vega20_ih_set_interrupt_funcs(struct amdgpu_device *adev); + + /** +@@ -251,36 +256,14 @@ static int vega20_ih_enable_ring(struct amdgpu_device *adev, + return 0; + } + +-/** +- * vega20_ih_reroute_ih - reroute VMC/UTCL2 ih to an ih ring +- * +- * @adev: amdgpu_device pointer +- * +- * Reroute VMC and UMC interrupts on primary ih ring to +- * ih ring 1 so they won't lose when bunches of page faults +- * interrupts overwhelms the interrupt handler(VEGA20) +- */ +-static void vega20_ih_reroute_ih(struct amdgpu_device *adev) ++static uint32_t vega20_setup_retry_doorbell(u32 doorbell_index) + { +- uint32_t tmp; ++ u32 val = 0; + +- /* vega20 ih reroute will go through psp this +- * function is used for newer asics starting arcturus +- */ +- if (adev->ip_versions[OSSSYS_HWIP][0] >= IP_VERSION(4, 2, 1)) { +- /* Reroute to IH ring 1 for VMC */ +- WREG32_SOC15(OSSSYS, 0, mmIH_CLIENT_CFG_INDEX, 0x12); +- tmp = RREG32_SOC15(OSSSYS, 0, mmIH_CLIENT_CFG_DATA); +- tmp = REG_SET_FIELD(tmp, IH_CLIENT_CFG_DATA, CLIENT_TYPE, 1); +- tmp = REG_SET_FIELD(tmp, IH_CLIENT_CFG_DATA, RING_ID, 1); +- WREG32_SOC15(OSSSYS, 0, mmIH_CLIENT_CFG_DATA, tmp); +- +- /* Reroute IH ring 1 for UTCL2 */ +- WREG32_SOC15(OSSSYS, 0, mmIH_CLIENT_CFG_INDEX, 0x1B); +- tmp = RREG32_SOC15(OSSSYS, 0, mmIH_CLIENT_CFG_DATA); +- tmp = REG_SET_FIELD(tmp, IH_CLIENT_CFG_DATA, RING_ID, 1); +- WREG32_SOC15(OSSSYS, 0, mmIH_CLIENT_CFG_DATA, tmp); +- } ++ val = REG_SET_FIELD(val, IH_DOORBELL_RPTR, OFFSET, doorbell_index); ++ val = REG_SET_FIELD(val, IH_DOORBELL_RPTR, ENABLE, 1); ++ ++ return val; + } + + /** +@@ -332,8 +315,6 @@ static int vega20_ih_irq_init(struct amdgpu_device *adev) + + for (i = 0; i < ARRAY_SIZE(ih); i++) { + if (ih[i]->ring_size) { +- if (i == 1) +- vega20_ih_reroute_ih(adev); + ret = vega20_ih_enable_ring(adev, ih[i]); + if (ret) + return ret; +@@ -346,6 +327,20 @@ static int vega20_ih_irq_init(struct amdgpu_device *adev) + + pci_set_master(adev->pdev); + ++ /* Allocate the doorbell for IH Retry CAM */ ++ adev->irq.retry_cam_doorbell_index = (adev->doorbell_index.ih + 3) << 1; ++ WREG32_SOC15(OSSSYS, 0, mmIH_DOORBELL_RETRY_CAM, ++ vega20_setup_retry_doorbell(adev->irq.retry_cam_doorbell_index)); ++ ++ /* Enable IH Retry CAM */ ++ if (adev->ip_versions[OSSSYS_HWIP][0] == IP_VERSION(4, 4, 0)) ++ WREG32_FIELD15(OSSSYS, 0, IH_RETRY_INT_CAM_CNTL_ALDEBARAN, ++ ENABLE, 1); ++ else ++ WREG32_FIELD15(OSSSYS, 0, IH_RETRY_INT_CAM_CNTL, ENABLE, 1); ++ ++ adev->irq.retry_cam_enabled = true; ++ + /* enable interrupts */ + ret = vega20_ih_toggle_interrupts(adev, true); + if (ret) +diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_svm.c b/drivers/gpu/drm/amd/amdkfd/kfd_svm.c +index dc6fd696..96a138a3 100644 +--- a/drivers/gpu/drm/amd/amdkfd/kfd_svm.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_svm.c +@@ -2172,7 +2172,15 @@ static void svm_range_drain_retry_fault(struct svm_range_list *svms) + pr_debug("drain retry fault gpu %d svms %p\n", i, svms); + + amdgpu_ih_wait_on_checkpoint_process_ts(pdd->dev->adev, +- &pdd->dev->adev->irq.ih1); ++ pdd->dev->adev->irq.retry_cam_enabled ? ++ &pdd->dev->adev->irq.ih : ++ &pdd->dev->adev->irq.ih1); ++ ++ if (pdd->dev->adev->irq.retry_cam_enabled) ++ amdgpu_ih_wait_on_checkpoint_process_ts(pdd->dev->adev, ++ &pdd->dev->adev->irq.ih_soft); ++ ++ + pr_debug("drain retry fault gpu %d svms 0x%p done\n", i, svms); + } + if (atomic_cmpxchg(&svms->drain_pagefaults, drain, 0) != drain) +diff --git a/drivers/gpu/drm/amd/include/asic_reg/oss/osssys_4_2_0_offset.h b/drivers/gpu/drm/amd/include/asic_reg/oss/osssys_4_2_0_offset.h +index bd129266..a84a7cfa 100644 +--- a/drivers/gpu/drm/amd/include/asic_reg/oss/osssys_4_2_0_offset.h ++++ b/drivers/gpu/drm/amd/include/asic_reg/oss/osssys_4_2_0_offset.h +@@ -135,6 +135,8 @@ + #define mmIH_RB_WPTR_ADDR_LO_BASE_IDX 0 + #define mmIH_DOORBELL_RPTR 0x0087 + #define mmIH_DOORBELL_RPTR_BASE_IDX 0 ++#define mmIH_DOORBELL_RETRY_CAM 0x0088 ++#define mmIH_DOORBELL_RETRY_CAM_BASE_IDX 0 + #define mmIH_RB_CNTL_RING1 0x008c + #define mmIH_RB_CNTL_RING1_BASE_IDX 0 + #define mmIH_RB_BASE_RING1 0x008d +@@ -159,6 +161,8 @@ + #define mmIH_RB_WPTR_RING2_BASE_IDX 0 + #define mmIH_DOORBELL_RPTR_RING2 0x009f + #define mmIH_DOORBELL_RPTR_RING2_BASE_IDX 0 ++#define mmIH_RETRY_CAM_ACK 0x00a4 ++#define mmIH_RETRY_CAM_ACK_BASE_IDX 0 + #define mmIH_VERSION 0x00a5 + #define mmIH_VERSION_BASE_IDX 0 + #define mmIH_CNTL 0x00c0 +@@ -235,6 +239,8 @@ + #define mmIH_MMHUB_ERROR_BASE_IDX 0 + #define mmIH_MEM_POWER_CTRL 0x00e8 + #define mmIH_MEM_POWER_CTRL_BASE_IDX 0 ++#define mmIH_RETRY_INT_CAM_CNTL 0x00e9 ++#define mmIH_RETRY_INT_CAM_CNTL_BASE_IDX 0 + #define mmIH_REGISTER_LAST_PART2 0x00ff + #define mmIH_REGISTER_LAST_PART2_BASE_IDX 0 + #define mmSEM_CLK_CTRL 0x0100 +diff --git a/drivers/gpu/drm/amd/include/asic_reg/oss/osssys_4_2_0_sh_mask.h b/drivers/gpu/drm/amd/include/asic_reg/oss/osssys_4_2_0_sh_mask.h +index 3ea83ea9..75c04fc2 100644 +--- a/drivers/gpu/drm/amd/include/asic_reg/oss/osssys_4_2_0_sh_mask.h ++++ b/drivers/gpu/drm/amd/include/asic_reg/oss/osssys_4_2_0_sh_mask.h +@@ -349,6 +349,17 @@ + #define IH_DOORBELL_RPTR_RING2__ENABLE__SHIFT 0x1c + #define IH_DOORBELL_RPTR_RING2__OFFSET_MASK 0x03FFFFFFL + #define IH_DOORBELL_RPTR_RING2__ENABLE_MASK 0x10000000L ++//IH_RETRY_INT_CAM_CNTL ++#define IH_RETRY_INT_CAM_CNTL__CAM_SIZE__SHIFT 0x0 ++#define IH_RETRY_INT_CAM_CNTL__BACK_PRESSURE_SKID_VALUE__SHIFT 0x8 ++#define IH_RETRY_INT_CAM_CNTL__ENABLE__SHIFT 0x10 ++#define IH_RETRY_INT_CAM_CNTL__BACK_PRESSURE_ENABLE__SHIFT 0x11 ++#define IH_RETRY_INT_CAM_CNTL__PER_VF_ENTRY_SIZE__SHIFT 0x14 ++#define IH_RETRY_INT_CAM_CNTL__CAM_SIZE_MASK 0x0000001FL ++#define IH_RETRY_INT_CAM_CNTL__BACK_PRESSURE_SKID_VALUE_MASK 0x00003F00L ++#define IH_RETRY_INT_CAM_CNTL__ENABLE_MASK 0x00010000L ++#define IH_RETRY_INT_CAM_CNTL__BACK_PRESSURE_ENABLE_MASK 0x00020000L ++#define IH_RETRY_INT_CAM_CNTL__PER_VF_ENTRY_SIZE_MASK 0x00300000L + //IH_VERSION + #define IH_VERSION__MINVER__SHIFT 0x0 + #define IH_VERSION__MAJVER__SHIFT 0x8 +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-085-media-mediatek-vcodec-Fix-potential-array-out-o.patch b/patches.kernel.org/6.3.4-085-media-mediatek-vcodec-Fix-potential-array-out-o.patch new file mode 100644 index 0000000..3a7084e --- /dev/null +++ b/patches.kernel.org/6.3.4-085-media-mediatek-vcodec-Fix-potential-array-out-o.patch @@ -0,0 +1,47 @@ +From: Wei Chen +Date: Wed, 29 Mar 2023 09:05:13 +0100 +Subject: [PATCH] media: mediatek: vcodec: Fix potential array out-of-bounds in + decoder queue_setup +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 8fbcf730cb89c3647f3365226fe7014118fa93c7 + +[ Upstream commit 8fbcf730cb89c3647f3365226fe7014118fa93c7 ] + +variable *nplanes is provided by user via system call argument. The +possible value of q_data->fmt->num_planes is 1-3, while the value +of *nplanes can be 1-8. The array access by index i can cause array +out-of-bounds. + +Fix this bug by checking *nplanes against the array size. + +Signed-off-by: Wei Chen +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c b/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c +index c9970568..93fcea82 100644 +--- a/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c ++++ b/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c +@@ -735,6 +735,13 @@ int vb2ops_vdec_queue_setup(struct vb2_queue *vq, unsigned int *nbuffers, + } + + if (*nplanes) { ++ if (vq->type == V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE) { ++ if (*nplanes != q_data->fmt->num_planes) ++ return -EINVAL; ++ } else { ++ if (*nplanes != 1) ++ return -EINVAL; ++ } + for (i = 0; i < *nplanes; i++) { + if (sizes[i] < q_data->sizeimage[i]) + return -EINVAL; +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-086-platform-x86-amd-pmc-Fix-memory-leak-in-amd_pmc.patch b/patches.kernel.org/6.3.4-086-platform-x86-amd-pmc-Fix-memory-leak-in-amd_pmc.patch new file mode 100644 index 0000000..f26be55 --- /dev/null +++ b/patches.kernel.org/6.3.4-086-platform-x86-amd-pmc-Fix-memory-leak-in-amd_pmc.patch @@ -0,0 +1,40 @@ +From: Feng Jiang +Date: Wed, 12 Apr 2023 17:37:34 +0800 +Subject: [PATCH] platform/x86/amd: pmc: Fix memory leak in + amd_pmc_stb_debugfs_open_v2() +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: f6e7ac4c35a28aef0be93b32c533ae678ad0b9e7 + +[ Upstream commit f6e7ac4c35a28aef0be93b32c533ae678ad0b9e7 ] + +Function amd_pmc_stb_debugfs_open_v2() may be called when the STB +debug mechanism enabled. + +When amd_pmc_send_cmd() fails, the 'buf' needs to be released. + +Signed-off-by: Feng Jiang +Link: https://lore.kernel.org/r/20230412093734.1126410-1-jiangfeng@kylinos.cn +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/platform/x86/amd/pmc.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/platform/x86/amd/pmc.c b/drivers/platform/x86/amd/pmc.c +index 69f30549..73dedc99 100644 +--- a/drivers/platform/x86/amd/pmc.c ++++ b/drivers/platform/x86/amd/pmc.c +@@ -265,6 +265,7 @@ static int amd_pmc_stb_debugfs_open_v2(struct inode *inode, struct file *filp) + dev->msg_port = 0; + if (ret) { + dev_err(dev->dev, "error: S2D_NUM_SAMPLES not supported : %d\n", ret); ++ kfree(buf); + return ret; + } + +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-087-hwmon-nzxt-smart2-add-another-USB-ID.patch b/patches.kernel.org/6.3.4-087-hwmon-nzxt-smart2-add-another-USB-ID.patch new file mode 100644 index 0000000..d193d28 --- /dev/null +++ b/patches.kernel.org/6.3.4-087-hwmon-nzxt-smart2-add-another-USB-ID.patch @@ -0,0 +1,47 @@ +From: Aleksandr Mezin +Date: Sun, 19 Feb 2023 12:59:19 +0200 +Subject: [PATCH] hwmon: (nzxt-smart2) add another USB ID +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 4a148e9b1ee04e608263fa9536a96214d5561220 + +[ Upstream commit 4a148e9b1ee04e608263fa9536a96214d5561220 ] + +This seems to be a new revision of the device. RGB controls have changed, +but this driver doesn't touch them anyway. + +Fan speed control reported to be working with existing userspace (hidraw) +software, so I assume it's compatible. Fan channel count is the same. + +Recently added (0x1e71, 0x2019) seems to be the same device. + +Discovered in liquidctl project: + +https://github.com/liquidctl/liquidctl/issues/541 + +Signed-off-by: Aleksandr Mezin +Link: https://lore.kernel.org/r/20230219105924.333007-1-mezin.alexander@gmail.com +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/hwmon/nzxt-smart2.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/hwmon/nzxt-smart2.c b/drivers/hwmon/nzxt-smart2.c +index 2b93ba89..a8e72d8f 100644 +--- a/drivers/hwmon/nzxt-smart2.c ++++ b/drivers/hwmon/nzxt-smart2.c +@@ -791,7 +791,8 @@ static const struct hid_device_id nzxt_smart2_hid_id_table[] = { + { HID_USB_DEVICE(0x1e71, 0x2009) }, /* NZXT RGB & Fan Controller */ + { HID_USB_DEVICE(0x1e71, 0x200e) }, /* NZXT RGB & Fan Controller */ + { HID_USB_DEVICE(0x1e71, 0x2010) }, /* NZXT RGB & Fan Controller */ +- { HID_USB_DEVICE(0x1e71, 0x2019) }, /* NZXT RGB & Fan Controller */ ++ { HID_USB_DEVICE(0x1e71, 0x2011) }, /* NZXT RGB & Fan Controller (6 RGB) */ ++ { HID_USB_DEVICE(0x1e71, 0x2019) }, /* NZXT RGB & Fan Controller (6 RGB) */ + {}, + }; + +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-088-wifi-ath-Silence-memcpy-run-time-false-positive.patch b/patches.kernel.org/6.3.4-088-wifi-ath-Silence-memcpy-run-time-false-positive.patch new file mode 100644 index 0000000..1bc2398 --- /dev/null +++ b/patches.kernel.org/6.3.4-088-wifi-ath-Silence-memcpy-run-time-false-positive.patch @@ -0,0 +1,74 @@ +From: Kees Cook +Date: Wed, 15 Feb 2023 20:31:38 +0200 +Subject: [PATCH] wifi: ath: Silence memcpy run-time false positive warning +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: bfcc8ba45eb87bfaaff900bbad2b87b204899d41 + +[ Upstream commit bfcc8ba45eb87bfaaff900bbad2b87b204899d41 ] + +The memcpy() in ath_key_config() was attempting to write across +neighboring struct members in struct ath_keyval. Introduce a wrapping +struct_group, kv_values, to be the addressable target of the memcpy +without overflowing an individual member. Silences the false positive +run-time warning: + + memcpy: detected field-spanning write (size 32) of single field "hk.kv_val" at drivers/net/wireless/ath/key.c:506 (size 16) + +Link: https://bbs.archlinux.org/viewtopic.php?id=282254 +Cc: Kalle Valo +Cc: "David S. Miller" +Cc: Eric Dumazet +Cc: Jakub Kicinski +Cc: Paolo Abeni +Cc: linux-wireless@vger.kernel.org +Cc: netdev@vger.kernel.org +Signed-off-by: Kees Cook +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230210054310.never.554-kees@kernel.org +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/net/wireless/ath/ath.h | 12 +++++++----- + drivers/net/wireless/ath/key.c | 2 +- + 2 files changed, 8 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath.h b/drivers/net/wireless/ath/ath.h +index f083fb90..f02a308a 100644 +--- a/drivers/net/wireless/ath/ath.h ++++ b/drivers/net/wireless/ath/ath.h +@@ -96,11 +96,13 @@ struct ath_keyval { + u8 kv_type; + u8 kv_pad; + u16 kv_len; +- u8 kv_val[16]; /* TK */ +- u8 kv_mic[8]; /* Michael MIC key */ +- u8 kv_txmic[8]; /* Michael MIC TX key (used only if the hardware +- * supports both MIC keys in the same key cache entry; +- * in that case, kv_mic is the RX key) */ ++ struct_group(kv_values, ++ u8 kv_val[16]; /* TK */ ++ u8 kv_mic[8]; /* Michael MIC key */ ++ u8 kv_txmic[8]; /* Michael MIC TX key (used only if the hardware ++ * supports both MIC keys in the same key cache entry; ++ * in that case, kv_mic is the RX key) */ ++ ); + }; + + enum ath_cipher { +diff --git a/drivers/net/wireless/ath/key.c b/drivers/net/wireless/ath/key.c +index 61b59a80..b7b61d4f 100644 +--- a/drivers/net/wireless/ath/key.c ++++ b/drivers/net/wireless/ath/key.c +@@ -503,7 +503,7 @@ int ath_key_config(struct ath_common *common, + + hk.kv_len = key->keylen; + if (key->keylen) +- memcpy(hk.kv_val, key->key, key->keylen); ++ memcpy(&hk.kv_values, key->key, key->keylen); + + if (!(key->flags & IEEE80211_KEY_FLAG_PAIRWISE)) { + switch (vif->type) { +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-089-wifi-ath12k-Handle-lock-during-peer_id-find.patch b/patches.kernel.org/6.3.4-089-wifi-ath12k-Handle-lock-during-peer_id-find.patch new file mode 100644 index 0000000..3109331 --- /dev/null +++ b/patches.kernel.org/6.3.4-089-wifi-ath12k-Handle-lock-during-peer_id-find.patch @@ -0,0 +1,82 @@ +From: Ramya Gnanasekar +Date: Sun, 22 Jan 2023 07:19:36 +0530 +Subject: [PATCH] wifi: ath12k: Handle lock during peer_id find +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 95a389e2ff3212d866cc51c77d682d2934074eb8 + +[ Upstream commit 95a389e2ff3212d866cc51c77d682d2934074eb8 ] + +ath12k_peer_find_by_id() requires that the caller hold the +ab->base_lock. Currently the WBM error path does not hold +the lock and calling that function, leads to the +following lockdep_assert()in QCN9274: + +[105162.160893] ------------[ cut here ]------------ +[105162.160916] WARNING: CPU: 3 PID: 0 at drivers/net/wireless/ath/ath12k/peer.c:71 ath12k_peer_find_by_id+0x52/0x60 [ath12k] +[105162.160933] Modules linked in: ath12k(O) qrtr_mhi qrtr mac80211 cfg80211 mhi qmi_helpers libarc4 nvme nvme_core [last unloaded: ath12k(O)] +[105162.160967] CPU: 3 PID: 0 Comm: swapper/3 Tainted: G W O 6.1.0-rc2+ #3 +[105162.160972] Hardware name: Intel(R) Client Systems NUC8i7HVK/NUC8i7HVB, BIOS HNKBLi70.86A.0056.2019.0506.1527 05/06/2019 +[105162.160977] RIP: 0010:ath12k_peer_find_by_id+0x52/0x60 [ath12k] +[105162.160990] Code: 07 eb 0f 39 68 24 74 0a 48 8b 00 48 39 f8 75 f3 31 c0 5b 5d c3 48 8d bf b0 f2 00 00 be ff ff ff ff e8 22 20 c4 e2 85 c0 75 bf <0f> 0b eb bb 66 2e 0f 1f 84 00 00 00 00 00 41 54 4c 8d a7 98 f2 00 +[105162.160996] RSP: 0018:ffffa223001acc60 EFLAGS: 00010246 +[105162.161003] RAX: 0000000000000000 RBX: ffff9f0573940000 RCX: 0000000000000000 +[105162.161008] RDX: 0000000000000001 RSI: ffffffffa3951c8e RDI: ffffffffa39a96d7 +[105162.161013] RBP: 000000000000000a R08: 0000000000000000 R09: 0000000000000000 +[105162.161017] R10: ffffa223001acb40 R11: ffffffffa3d57c60 R12: ffff9f057394f2e0 +[105162.161022] R13: ffff9f0573940000 R14: ffff9f04ecd659c0 R15: ffff9f04d5a9b040 +[105162.161026] FS: 0000000000000000(0000) GS:ffff9f0575600000(0000) knlGS:0000000000000000 +[105162.161031] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[105162.161036] CR2: 00001d5c8277a008 CR3: 00000001e6224006 CR4: 00000000003706e0 +[105162.161041] Call Trace: +[105162.161046] +[105162.161051] ath12k_dp_rx_process_wbm_err+0x6da/0xaf0 [ath12k] +[105162.161072] ? ath12k_dp_rx_process_err+0x80e/0x15a0 [ath12k] +[105162.161084] ? __lock_acquire+0x4ca/0x1a60 +[105162.161104] ath12k_dp_service_srng+0x263/0x310 [ath12k] +[105162.161120] ath12k_pci_ext_grp_napi_poll+0x1c/0x70 [ath12k] +[105162.161133] __napi_poll+0x22/0x260 +[105162.161141] net_rx_action+0x2f8/0x380 +[105162.161153] __do_softirq+0xd0/0x4c9 +[105162.161162] irq_exit_rcu+0x88/0xe0 +[105162.161169] common_interrupt+0xa5/0xc0 +[105162.161174] +[105162.161179] +[105162.161184] asm_common_interrupt+0x22/0x40 + +Handle spin lock/unlock in WBM error path to hold the necessary lock +expected by ath12k_peer_find_by_id(). + +Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.0-03171-QCAHKSWPL_SILICONZ-1 + +Signed-off-by: Ramya Gnanasekar +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230122014936.3594-1-quic_rgnanase@quicinc.com +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/net/wireless/ath/ath12k/dp_rx.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/wireless/ath/ath12k/dp_rx.c b/drivers/net/wireless/ath/ath12k/dp_rx.c +index 83a43ad4..de9a4ca6 100644 +--- a/drivers/net/wireless/ath/ath12k/dp_rx.c ++++ b/drivers/net/wireless/ath/ath12k/dp_rx.c +@@ -3494,11 +3494,14 @@ static int ath12k_dp_rx_h_null_q_desc(struct ath12k *ar, struct sk_buff *msdu, + msdu_len = ath12k_dp_rx_h_msdu_len(ab, desc); + peer_id = ath12k_dp_rx_h_peer_id(ab, desc); + ++ spin_lock(&ab->base_lock); + if (!ath12k_peer_find_by_id(ab, peer_id)) { ++ spin_unlock(&ab->base_lock); + ath12k_dbg(ab, ATH12K_DBG_DATA, "invalid peer id received in wbm err pkt%d\n", + peer_id); + return -EINVAL; + } ++ spin_unlock(&ab->base_lock); + + if (!rxcb->is_frag && ((msdu_len + hal_rx_desc_sz) > DP_RX_BUFFER_SIZE)) { + /* First buffer will be freed by the caller, so deduct it's length */ +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-090-wifi-ath12k-PCI-ops-for-wakeup-release-MHI.patch b/patches.kernel.org/6.3.4-090-wifi-ath12k-PCI-ops-for-wakeup-release-MHI.patch new file mode 100644 index 0000000..348f445 --- /dev/null +++ b/patches.kernel.org/6.3.4-090-wifi-ath12k-PCI-ops-for-wakeup-release-MHI.patch @@ -0,0 +1,199 @@ +From: Ramya Gnanasekar +Date: Mon, 23 Jan 2023 15:21:41 +0530 +Subject: [PATCH] wifi: ath12k: PCI ops for wakeup/release MHI +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 80e396586d0a94c42015dd9472176d89a3b0e4ca + +[ Upstream commit 80e396586d0a94c42015dd9472176d89a3b0e4ca ] + +Wakeup/release MHI is not needed before pci_read/write for QCN9274. +Since wakeup & release MHI is enabled for all QCN9274 and +WCN7850, below MHI assert is seen in QCN9274 + +[ 784.906613] BUG: sleeping function called from invalid context at drivers/bus/mhi/host/pm.c:989 +[ 784.906633] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 0, name: swapper/3 +[ 784.906637] preempt_count: 503, expected: 0 +[ 784.906641] RCU nest depth: 0, expected: 0 +[ 784.906644] 2 locks held by swapper/3/0: +[ 784.906646] #0: ffff8ed348e429e0 (&ab->ce.ce_lock){+.-.}-{2:2}, at: ath12k_ce_recv_process_cb+0xb3/0x2f0 [ath12k] +[ 784.906664] #1: ffff8ed348e491f0 (&srng->lock_key#3){+.-.}-{2:2}, at: ath12k_ce_recv_process_cb+0xfb/0x2f0 [ath12k] +[ 784.906678] Preemption disabled at: +[ 784.906680] [<0000000000000000>] 0x0 +[ 784.906686] CPU: 3 PID: 0 Comm: swapper/3 Tainted: G W O 6.1.0-rc2+ #3 +[ 784.906688] Hardware name: Intel(R) Client Systems NUC8i7HVK/NUC8i7HVB, BIOS HNKBLi70.86A.0056.2019.0506.1527 05/06/2019 +[ 784.906690] Call Trace: +[ 784.906691] +[ 784.906693] dump_stack_lvl+0x56/0x7b +[ 784.906698] __might_resched+0x21c/0x270 +[ 784.906704] __mhi_device_get_sync+0x7d/0x1c0 [mhi] +[ 784.906714] mhi_device_get_sync+0xd/0x20 [mhi] +[ 784.906719] ath12k_pci_write32+0x75/0x170 [ath12k] +[ 784.906729] ath12k_hal_srng_access_end+0x55/0xc0 [ath12k] +[ 784.906737] ath12k_ce_recv_process_cb+0x1f3/0x2f0 [ath12k] +[ 784.906776] ? ath12k_pci_ce_tasklet+0x11/0x30 [ath12k] +[ 784.906788] ath12k_pci_ce_tasklet+0x11/0x30 [ath12k] +[ 784.906813] tasklet_action_common.isra.18+0xb7/0xe0 +[ 784.906820] __do_softirq+0xd0/0x4c9 +[ 784.906826] irq_exit_rcu+0x88/0xe0 +[ 784.906828] common_interrupt+0xa5/0xc0 +[ 784.906831] +[ 784.906832] + +Adding function callbacks for MHI wakeup and release operations. +QCN9274 does not need wakeup/release, function callbacks are initialized +to NULL. In case of WCN7850, shadow registers are used to access rings. +Since, shadow register's offset is less than ACCESS_ALWAYS_OFF, +mhi_device_get_sync() or mhi_device_put() to wakeup +and release mhi will not be called during service ring accesses. + +Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.0-03171-QCAHKSWPL_SILICONZ-1 +Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0-03427-QCAHMTSWPL_V1.0_V2.0_SILICONZ-1.15378.4 + +Signed-off-by: Ramya Gnanasekar +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230123095141.5310-1-quic_rgnanase@quicinc.com +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/net/wireless/ath/ath12k/pci.c | 47 ++++++++++++++++++++++----- + drivers/net/wireless/ath/ath12k/pci.h | 6 ++++ + 2 files changed, 44 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath12k/pci.c b/drivers/net/wireless/ath/ath12k/pci.c +index f523aa15..00b0080d 100644 +--- a/drivers/net/wireless/ath/ath12k/pci.c ++++ b/drivers/net/wireless/ath/ath12k/pci.c +@@ -119,6 +119,30 @@ static const char *irq_name[ATH12K_IRQ_NUM_MAX] = { + "tcl2host-status-ring", + }; + ++static int ath12k_pci_bus_wake_up(struct ath12k_base *ab) ++{ ++ struct ath12k_pci *ab_pci = ath12k_pci_priv(ab); ++ ++ return mhi_device_get_sync(ab_pci->mhi_ctrl->mhi_dev); ++} ++ ++static void ath12k_pci_bus_release(struct ath12k_base *ab) ++{ ++ struct ath12k_pci *ab_pci = ath12k_pci_priv(ab); ++ ++ mhi_device_put(ab_pci->mhi_ctrl->mhi_dev); ++} ++ ++static const struct ath12k_pci_ops ath12k_pci_ops_qcn9274 = { ++ .wakeup = NULL, ++ .release = NULL, ++}; ++ ++static const struct ath12k_pci_ops ath12k_pci_ops_wcn7850 = { ++ .wakeup = ath12k_pci_bus_wake_up, ++ .release = ath12k_pci_bus_release, ++}; ++ + static void ath12k_pci_select_window(struct ath12k_pci *ab_pci, u32 offset) + { + struct ath12k_base *ab = ab_pci->ab; +@@ -989,13 +1013,14 @@ u32 ath12k_pci_read32(struct ath12k_base *ab, u32 offset) + { + struct ath12k_pci *ab_pci = ath12k_pci_priv(ab); + u32 val, window_start; ++ int ret = 0; + + /* for offset beyond BAR + 4K - 32, may + * need to wakeup MHI to access. + */ + if (test_bit(ATH12K_PCI_FLAG_INIT_DONE, &ab_pci->flags) && +- offset >= ACCESS_ALWAYS_OFF) +- mhi_device_get_sync(ab_pci->mhi_ctrl->mhi_dev); ++ offset >= ACCESS_ALWAYS_OFF && ab_pci->pci_ops->wakeup) ++ ret = ab_pci->pci_ops->wakeup(ab); + + if (offset < WINDOW_START) { + val = ioread32(ab->mem + offset); +@@ -1023,9 +1048,9 @@ u32 ath12k_pci_read32(struct ath12k_base *ab, u32 offset) + } + + if (test_bit(ATH12K_PCI_FLAG_INIT_DONE, &ab_pci->flags) && +- offset >= ACCESS_ALWAYS_OFF) +- mhi_device_put(ab_pci->mhi_ctrl->mhi_dev); +- ++ offset >= ACCESS_ALWAYS_OFF && ab_pci->pci_ops->release && ++ !ret) ++ ab_pci->pci_ops->release(ab); + return val; + } + +@@ -1033,13 +1058,14 @@ void ath12k_pci_write32(struct ath12k_base *ab, u32 offset, u32 value) + { + struct ath12k_pci *ab_pci = ath12k_pci_priv(ab); + u32 window_start; ++ int ret = 0; + + /* for offset beyond BAR + 4K - 32, may + * need to wakeup MHI to access. + */ + if (test_bit(ATH12K_PCI_FLAG_INIT_DONE, &ab_pci->flags) && +- offset >= ACCESS_ALWAYS_OFF) +- mhi_device_get_sync(ab_pci->mhi_ctrl->mhi_dev); ++ offset >= ACCESS_ALWAYS_OFF && ab_pci->pci_ops->wakeup) ++ ret = ab_pci->pci_ops->wakeup(ab); + + if (offset < WINDOW_START) { + iowrite32(value, ab->mem + offset); +@@ -1067,8 +1093,9 @@ void ath12k_pci_write32(struct ath12k_base *ab, u32 offset, u32 value) + } + + if (test_bit(ATH12K_PCI_FLAG_INIT_DONE, &ab_pci->flags) && +- offset >= ACCESS_ALWAYS_OFF) +- mhi_device_put(ab_pci->mhi_ctrl->mhi_dev); ++ offset >= ACCESS_ALWAYS_OFF && ab_pci->pci_ops->release && ++ !ret) ++ ab_pci->pci_ops->release(ab); + } + + int ath12k_pci_power_up(struct ath12k_base *ab) +@@ -1182,6 +1209,7 @@ static int ath12k_pci_probe(struct pci_dev *pdev, + case QCN9274_DEVICE_ID: + ab_pci->msi_config = &ath12k_msi_config[0]; + ab->static_window_map = true; ++ ab_pci->pci_ops = &ath12k_pci_ops_qcn9274; + ath12k_pci_read_hw_version(ab, &soc_hw_version_major, + &soc_hw_version_minor); + switch (soc_hw_version_major) { +@@ -1203,6 +1231,7 @@ static int ath12k_pci_probe(struct pci_dev *pdev, + ab_pci->msi_config = &ath12k_msi_config[0]; + ab->static_window_map = false; + ab->hw_rev = ATH12K_HW_WCN7850_HW20; ++ ab_pci->pci_ops = &ath12k_pci_ops_wcn7850; + break; + + default: +diff --git a/drivers/net/wireless/ath/ath12k/pci.h b/drivers/net/wireless/ath/ath12k/pci.h +index 0d9e40ab..0f24fd93 100644 +--- a/drivers/net/wireless/ath/ath12k/pci.h ++++ b/drivers/net/wireless/ath/ath12k/pci.h +@@ -86,6 +86,11 @@ enum ath12k_pci_flags { + ATH12K_PCI_ASPM_RESTORE, + }; + ++struct ath12k_pci_ops { ++ int (*wakeup)(struct ath12k_base *ab); ++ void (*release)(struct ath12k_base *ab); ++}; ++ + struct ath12k_pci { + struct pci_dev *pdev; + struct ath12k_base *ab; +@@ -103,6 +108,7 @@ struct ath12k_pci { + /* enum ath12k_pci_flags */ + unsigned long flags; + u16 link_ctl; ++ const struct ath12k_pci_ops *pci_ops; + }; + + static inline struct ath12k_pci *ath12k_pci_priv(struct ath12k_base *ab) +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-091-bpf-Annotate-data-races-in-bpf_local_storage.patch b/patches.kernel.org/6.3.4-091-bpf-Annotate-data-races-in-bpf_local_storage.patch new file mode 100644 index 0000000..2fa9fcd --- /dev/null +++ b/patches.kernel.org/6.3.4-091-bpf-Annotate-data-races-in-bpf_local_storage.patch @@ -0,0 +1,84 @@ +From: Kumar Kartikeya Dwivedi +Date: Tue, 21 Feb 2023 21:06:42 +0100 +Subject: [PATCH] bpf: Annotate data races in bpf_local_storage +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 0a09a2f933c73dc76ab0b72da6855f44342a8903 + +[ Upstream commit 0a09a2f933c73dc76ab0b72da6855f44342a8903 ] + +There are a few cases where hlist_node is checked to be unhashed without +holding the lock protecting its modification. In this case, one must use +hlist_unhashed_lockless to avoid load tearing and KCSAN reports. Fix +this by using lockless variant in places not protected by the lock. + +Since this is not prompted by any actual KCSAN reports but only from +code review, I have not included a fixes tag. + +Cc: Martin KaFai Lau +Cc: KP Singh +Signed-off-by: Kumar Kartikeya Dwivedi +Link: https://lore.kernel.org/r/20230221200646.2500777-4-memxor@gmail.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + kernel/bpf/bpf_local_storage.c | 16 +++++++++++++--- + 1 file changed, 13 insertions(+), 3 deletions(-) + +diff --git a/kernel/bpf/bpf_local_storage.c b/kernel/bpf/bpf_local_storage.c +index 35f4138a..58da17ae 100644 +--- a/kernel/bpf/bpf_local_storage.c ++++ b/kernel/bpf/bpf_local_storage.c +@@ -51,11 +51,21 @@ owner_storage(struct bpf_local_storage_map *smap, void *owner) + return map->ops->map_owner_storage_ptr(owner); + } + ++static bool selem_linked_to_storage_lockless(const struct bpf_local_storage_elem *selem) ++{ ++ return !hlist_unhashed_lockless(&selem->snode); ++} ++ + static bool selem_linked_to_storage(const struct bpf_local_storage_elem *selem) + { + return !hlist_unhashed(&selem->snode); + } + ++static bool selem_linked_to_map_lockless(const struct bpf_local_storage_elem *selem) ++{ ++ return !hlist_unhashed_lockless(&selem->map_node); ++} ++ + static bool selem_linked_to_map(const struct bpf_local_storage_elem *selem) + { + return !hlist_unhashed(&selem->map_node); +@@ -174,7 +184,7 @@ static void __bpf_selem_unlink_storage(struct bpf_local_storage_elem *selem, + bool free_local_storage = false; + unsigned long flags; + +- if (unlikely(!selem_linked_to_storage(selem))) ++ if (unlikely(!selem_linked_to_storage_lockless(selem))) + /* selem has already been unlinked from sk */ + return; + +@@ -208,7 +218,7 @@ void bpf_selem_unlink_map(struct bpf_local_storage_elem *selem) + struct bpf_local_storage_map_bucket *b; + unsigned long flags; + +- if (unlikely(!selem_linked_to_map(selem))) ++ if (unlikely(!selem_linked_to_map_lockless(selem))) + /* selem has already be unlinked from smap */ + return; + +@@ -420,7 +430,7 @@ bpf_local_storage_update(void *owner, struct bpf_local_storage_map *smap, + err = check_flags(old_sdata, map_flags); + if (err) + return ERR_PTR(err); +- if (old_sdata && selem_linked_to_storage(SELEM(old_sdata))) { ++ if (old_sdata && selem_linked_to_storage_lockless(SELEM(old_sdata))) { + copy_map_value_locked(&smap->map, old_sdata->data, + value, false); + return old_sdata; +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-092-wifi-brcmfmac-pcie-Provide-a-buffer-of-random-b.patch b/patches.kernel.org/6.3.4-092-wifi-brcmfmac-pcie-Provide-a-buffer-of-random-b.patch new file mode 100644 index 0000000..968df48 --- /dev/null +++ b/patches.kernel.org/6.3.4-092-wifi-brcmfmac-pcie-Provide-a-buffer-of-random-b.patch @@ -0,0 +1,89 @@ +From: Hector Martin +Date: Tue, 14 Feb 2023 17:00:34 +0900 +Subject: [PATCH] wifi: brcmfmac: pcie: Provide a buffer of random bytes to the + device +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 91918ce88d9fef408bb12c46a27c73d79b604c20 + +[ Upstream commit 91918ce88d9fef408bb12c46a27c73d79b604c20 ] + +Newer Apple firmwares on chipsets without a hardware RNG require the +host to provide a buffer of 256 random bytes to the device on +initialization. This buffer is present immediately before NVRAM, +suffixed by a footer containing a magic number and the buffer length. + +This won't affect chips/firmwares that do not use this feature, so do it +unconditionally for all Apple platforms (those with an Apple OTP). + +Reviewed-by: Linus Walleij +Signed-off-by: Hector Martin +Reviewed-by: Julian Calaby +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230214080034.3828-3-marcan@marcan.st +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + .../broadcom/brcm80211/brcmfmac/pcie.c | 32 +++++++++++++++++++ + 1 file changed, 32 insertions(+) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c +index a9b9b2dc..2835ef4e 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c +@@ -15,6 +15,7 @@ + #include + #include + #include ++#include + #include + + #include +@@ -1653,6 +1654,13 @@ brcmf_pcie_init_share_ram_info(struct brcmf_pciedev_info *devinfo, + return 0; + } + ++struct brcmf_random_seed_footer { ++ __le32 length; ++ __le32 magic; ++}; ++ ++#define BRCMF_RANDOM_SEED_MAGIC 0xfeedc0de ++#define BRCMF_RANDOM_SEED_LENGTH 0x100 + + static int brcmf_pcie_download_fw_nvram(struct brcmf_pciedev_info *devinfo, + const struct firmware *fw, void *nvram, +@@ -1689,6 +1697,30 @@ static int brcmf_pcie_download_fw_nvram(struct brcmf_pciedev_info *devinfo, + nvram_len; + memcpy_toio(devinfo->tcm + address, nvram, nvram_len); + brcmf_fw_nvram_free(nvram); ++ ++ if (devinfo->otp.valid) { ++ size_t rand_len = BRCMF_RANDOM_SEED_LENGTH; ++ struct brcmf_random_seed_footer footer = { ++ .length = cpu_to_le32(rand_len), ++ .magic = cpu_to_le32(BRCMF_RANDOM_SEED_MAGIC), ++ }; ++ void *randbuf; ++ ++ /* Some Apple chips/firmwares expect a buffer of random ++ * data to be present before NVRAM ++ */ ++ brcmf_dbg(PCIE, "Download random seed\n"); ++ ++ address -= sizeof(footer); ++ memcpy_toio(devinfo->tcm + address, &footer, ++ sizeof(footer)); ++ ++ address -= rand_len; ++ randbuf = kzalloc(rand_len, GFP_KERNEL); ++ get_random_bytes(randbuf, rand_len); ++ memcpy_toio(devinfo->tcm + address, randbuf, rand_len); ++ kfree(randbuf); ++ } + } else { + brcmf_dbg(PCIE, "No matching NVRAM file found %s\n", + devinfo->nvram_name); +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-093-wifi-brcmfmac-cfg80211-Pass-the-PMK-in-binary-i.patch b/patches.kernel.org/6.3.4-093-wifi-brcmfmac-cfg80211-Pass-the-PMK-in-binary-i.patch new file mode 100644 index 0000000..92be9f5 --- /dev/null +++ b/patches.kernel.org/6.3.4-093-wifi-brcmfmac-cfg80211-Pass-the-PMK-in-binary-i.patch @@ -0,0 +1,59 @@ +From: Hector Martin +Date: Tue, 14 Feb 2023 18:24:19 +0900 +Subject: [PATCH] wifi: brcmfmac: cfg80211: Pass the PMK in binary instead of + hex +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 89b89e52153fda2733562776c7c9d9d3ebf8dd6d + +[ Upstream commit 89b89e52153fda2733562776c7c9d9d3ebf8dd6d ] + +Apparently the hex passphrase mechanism does not work on newer +chips/firmware (e.g. BCM4387). It seems there was a simple way of +passing it in binary all along, so use that and avoid the hexification. + +OpenBSD has been doing it like this from the beginning, so this should +work on all chips. + +Also clear the structure before setting the PMK. This was leaking +uninitialized stack contents to the device. + +Reviewed-by: Linus Walleij +Reviewed-by: Arend van Spriel +Signed-off-by: Hector Martin +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230214092423.15175-6-marcan@marcan.st +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + .../wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c +index 3d33e687..06c362e0 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c +@@ -1617,13 +1617,14 @@ static int brcmf_set_pmk(struct brcmf_if *ifp, const u8 *pmk_data, u16 pmk_len) + { + struct brcmf_pub *drvr = ifp->drvr; + struct brcmf_wsec_pmk_le pmk; +- int i, err; ++ int err; ++ ++ memset(&pmk, 0, sizeof(pmk)); + +- /* convert to firmware key format */ +- pmk.key_len = cpu_to_le16(pmk_len << 1); +- pmk.flags = cpu_to_le16(BRCMF_WSEC_PASSPHRASE); +- for (i = 0; i < pmk_len; i++) +- snprintf(&pmk.key[2 * i], 3, "%02x", pmk_data[i]); ++ /* pass pmk directly */ ++ pmk.key_len = cpu_to_le16(pmk_len); ++ pmk.flags = cpu_to_le16(0); ++ memcpy(pmk.key, pmk_data, pmk_len); + + /* store psk in firmware */ + err = brcmf_fil_cmd_data_set(ifp, BRCMF_C_SET_WSEC_PMK, +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-094-wifi-brcmfmac-pcie-Add-IDs-properties-for-BCM43.patch b/patches.kernel.org/6.3.4-094-wifi-brcmfmac-pcie-Add-IDs-properties-for-BCM43.patch new file mode 100644 index 0000000..4efe5eb --- /dev/null +++ b/patches.kernel.org/6.3.4-094-wifi-brcmfmac-pcie-Add-IDs-properties-for-BCM43.patch @@ -0,0 +1,105 @@ +From: Hector Martin +Date: Tue, 14 Feb 2023 18:24:20 +0900 +Subject: [PATCH] wifi: brcmfmac: pcie: Add IDs/properties for BCM4387 +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 117ace4014cce3fb78b40eb8028bb0f4fc37dd6f + +[ Upstream commit 117ace4014cce3fb78b40eb8028bb0f4fc37dd6f ] + +This chip is present on Apple M1 Pro/Max (t600x) platforms: + +* maldives (apple,j314s): MacBook Pro (14-inch, M1 Pro, 2021) +* maldives (apple,j314c): MacBook Pro (14-inch, M1 Max, 2021) +* madagascar (apple,j316s): MacBook Pro (16-inch, M1 Pro, 2021) +* madagascar (apple,j316c): MacBook Pro (16-inch, M1 Max, 2021) + +Reviewed-by: Linus Walleij +Reviewed-by: Arend van Spriel +Signed-off-by: Hector Martin +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230214092423.15175-7-marcan@marcan.st +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c | 2 ++ + drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c | 8 ++++++++ + .../net/wireless/broadcom/brcm80211/include/brcm_hw_ids.h | 2 ++ + 3 files changed, 12 insertions(+) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c +index 8073f31b..9cdbd8d4 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c +@@ -737,6 +737,8 @@ static u32 brcmf_chip_tcm_rambase(struct brcmf_chip_priv *ci) + return 0x170000; + case BRCM_CC_4378_CHIP_ID: + return 0x352000; ++ case BRCM_CC_4387_CHIP_ID: ++ return 0x740000; + default: + brcmf_err("unknown chip: %s\n", ci->pub.name); + break; +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c +index 2835ef4e..d2dad541 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c +@@ -67,6 +67,7 @@ BRCMF_FW_DEF(4366C, "brcmfmac4366c-pcie"); + BRCMF_FW_DEF(4371, "brcmfmac4371-pcie"); + BRCMF_FW_CLM_DEF(4377B3, "brcmfmac4377b3-pcie"); + BRCMF_FW_CLM_DEF(4378B1, "brcmfmac4378b1-pcie"); ++BRCMF_FW_CLM_DEF(4387C2, "brcmfmac4387c2-pcie"); + + /* firmware config files */ + MODULE_FIRMWARE(BRCMF_FW_DEFAULT_PATH "brcmfmac*-pcie.txt"); +@@ -101,6 +102,7 @@ static const struct brcmf_firmware_mapping brcmf_pcie_fwnames[] = { + BRCMF_FW_ENTRY(BRCM_CC_4371_CHIP_ID, 0xFFFFFFFF, 4371), + BRCMF_FW_ENTRY(BRCM_CC_4377_CHIP_ID, 0xFFFFFFFF, 4377B3), /* revision ID 4 */ + BRCMF_FW_ENTRY(BRCM_CC_4378_CHIP_ID, 0xFFFFFFFF, 4378B1), /* revision ID 3 */ ++ BRCMF_FW_ENTRY(BRCM_CC_4387_CHIP_ID, 0xFFFFFFFF, 4387C2), /* revision ID 7 */ + }; + + #define BRCMF_PCIE_FW_UP_TIMEOUT 5000 /* msec */ +@@ -2048,6 +2050,11 @@ static int brcmf_pcie_read_otp(struct brcmf_pciedev_info *devinfo) + base = 0x1120; + words = 0x170; + break; ++ case BRCM_CC_4387_CHIP_ID: ++ coreid = BCMA_CORE_GCI; ++ base = 0x113c; ++ words = 0x170; ++ break; + default: + /* OTP not supported on this chip */ + return 0; +@@ -2662,6 +2669,7 @@ static const struct pci_device_id brcmf_pcie_devid_table[] = { + BRCMF_PCIE_DEVICE(BRCM_PCIE_43596_DEVICE_ID, CYW), + BRCMF_PCIE_DEVICE(BRCM_PCIE_4377_DEVICE_ID, WCC), + BRCMF_PCIE_DEVICE(BRCM_PCIE_4378_DEVICE_ID, WCC), ++ BRCMF_PCIE_DEVICE(BRCM_PCIE_4387_DEVICE_ID, WCC), + + { /* end: all zeroes */ } + }; +diff --git a/drivers/net/wireless/broadcom/brcm80211/include/brcm_hw_ids.h b/drivers/net/wireless/broadcom/brcm80211/include/brcm_hw_ids.h +index 896615f5..44684bf1 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/include/brcm_hw_ids.h ++++ b/drivers/net/wireless/broadcom/brcm80211/include/brcm_hw_ids.h +@@ -54,6 +54,7 @@ + #define BRCM_CC_4371_CHIP_ID 0x4371 + #define BRCM_CC_4377_CHIP_ID 0x4377 + #define BRCM_CC_4378_CHIP_ID 0x4378 ++#define BRCM_CC_4387_CHIP_ID 0x4387 + #define CY_CC_4373_CHIP_ID 0x4373 + #define CY_CC_43012_CHIP_ID 43012 + #define CY_CC_43439_CHIP_ID 43439 +@@ -95,6 +96,7 @@ + #define BRCM_PCIE_43596_DEVICE_ID 0x4415 + #define BRCM_PCIE_4377_DEVICE_ID 0x4488 + #define BRCM_PCIE_4378_DEVICE_ID 0x4425 ++#define BRCM_PCIE_4387_DEVICE_ID 0x4433 + + /* brcmsmac IDs */ + #define BCM4313_D11N2G_ID 0x4727 /* 4313 802.11n 2.4G device */ +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-095-ext2-Check-block-size-validity-during-mount.patch b/patches.kernel.org/6.3.4-095-ext2-Check-block-size-validity-during-mount.patch new file mode 100644 index 0000000..91510f9 --- /dev/null +++ b/patches.kernel.org/6.3.4-095-ext2-Check-block-size-validity-during-mount.patch @@ -0,0 +1,55 @@ +From: Jan Kara +Date: Wed, 1 Mar 2023 11:59:39 +0100 +Subject: [PATCH] ext2: Check block size validity during mount +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 62aeb94433fcec80241754b70d0d1836d5926b0a + +[ Upstream commit 62aeb94433fcec80241754b70d0d1836d5926b0a ] + +Check that log of block size stored in the superblock has sensible +value. Otherwise the shift computing the block size can overflow leading +to undefined behavior. + +Reported-by: syzbot+4fec412f59eba8c01b77@syzkaller.appspotmail.com +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + fs/ext2/ext2.h | 1 + + fs/ext2/super.c | 7 +++++++ + 2 files changed, 8 insertions(+) + +diff --git a/fs/ext2/ext2.h b/fs/ext2/ext2.h +index cb78d7dc..c60cb900 100644 +--- a/fs/ext2/ext2.h ++++ b/fs/ext2/ext2.h +@@ -180,6 +180,7 @@ static inline struct ext2_sb_info *EXT2_SB(struct super_block *sb) + #define EXT2_MIN_BLOCK_SIZE 1024 + #define EXT2_MAX_BLOCK_SIZE 4096 + #define EXT2_MIN_BLOCK_LOG_SIZE 10 ++#define EXT2_MAX_BLOCK_LOG_SIZE 16 + #define EXT2_BLOCK_SIZE(s) ((s)->s_blocksize) + #define EXT2_ADDR_PER_BLOCK(s) (EXT2_BLOCK_SIZE(s) / sizeof (__u32)) + #define EXT2_BLOCK_SIZE_BITS(s) ((s)->s_blocksize_bits) +diff --git a/fs/ext2/super.c b/fs/ext2/super.c +index 69c88fac..f342f347 100644 +--- a/fs/ext2/super.c ++++ b/fs/ext2/super.c +@@ -945,6 +945,13 @@ static int ext2_fill_super(struct super_block *sb, void *data, int silent) + goto failed_mount; + } + ++ if (le32_to_cpu(es->s_log_block_size) > ++ (EXT2_MAX_BLOCK_LOG_SIZE - BLOCK_SIZE_BITS)) { ++ ext2_msg(sb, KERN_ERR, ++ "Invalid log block size: %u", ++ le32_to_cpu(es->s_log_block_size)); ++ goto failed_mount; ++ } + blocksize = BLOCK_SIZE << le32_to_cpu(sbi->s_es->s_log_block_size); + + if (test_opt(sb, DAX)) { +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-096-scsi-lpfc-Prevent-lpfc_debugfs_lockstat_write-b.patch b/patches.kernel.org/6.3.4-096-scsi-lpfc-Prevent-lpfc_debugfs_lockstat_write-b.patch new file mode 100644 index 0000000..01acf43 --- /dev/null +++ b/patches.kernel.org/6.3.4-096-scsi-lpfc-Prevent-lpfc_debugfs_lockstat_write-b.patch @@ -0,0 +1,58 @@ +From: Justin Tee +Date: Wed, 1 Mar 2023 15:16:17 -0800 +Subject: [PATCH] scsi: lpfc: Prevent lpfc_debugfs_lockstat_write() buffer + overflow +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: c6087b82a9146826564a55c5ca0164cac40348f5 + +[ Upstream commit c6087b82a9146826564a55c5ca0164cac40348f5 ] + +A static code analysis tool flagged the possibility of buffer overflow when +using copy_from_user() for a debugfs entry. + +Currently, it is possible that copy_from_user() copies more bytes than what +would fit in the mybuf char array. Add a min() restriction check between +sizeof(mybuf) - 1 and nbytes passed from the userspace buffer to protect +against buffer overflow. + +Link: https://lore.kernel.org/r/20230301231626.9621-2-justintee8345@gmail.com +Signed-off-by: Justin Tee +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/scsi/lpfc/lpfc_debugfs.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/lpfc/lpfc_debugfs.c b/drivers/scsi/lpfc/lpfc_debugfs.c +index f5252e45..3e365e5e 100644 +--- a/drivers/scsi/lpfc/lpfc_debugfs.c ++++ b/drivers/scsi/lpfc/lpfc_debugfs.c +@@ -2157,10 +2157,13 @@ lpfc_debugfs_lockstat_write(struct file *file, const char __user *buf, + char mybuf[64]; + char *pbuf; + int i; ++ size_t bsize; + + memset(mybuf, 0, sizeof(mybuf)); + +- if (copy_from_user(mybuf, buf, nbytes)) ++ bsize = min(nbytes, (sizeof(mybuf) - 1)); ++ ++ if (copy_from_user(mybuf, buf, bsize)) + return -EFAULT; + pbuf = &mybuf[0]; + +@@ -2181,7 +2184,7 @@ lpfc_debugfs_lockstat_write(struct file *file, const char __user *buf, + qp->lock_conflict.wq_access = 0; + } + } +- return nbytes; ++ return bsize; + } + #endif + +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-097-scsi-lpfc-Correct-used_rpi-count-when-devloss-t.patch b/patches.kernel.org/6.3.4-097-scsi-lpfc-Correct-used_rpi-count-when-devloss-t.patch new file mode 100644 index 0000000..c0cbe0d --- /dev/null +++ b/patches.kernel.org/6.3.4-097-scsi-lpfc-Correct-used_rpi-count-when-devloss-t.patch @@ -0,0 +1,72 @@ +From: Justin Tee +Date: Wed, 1 Mar 2023 15:16:22 -0800 +Subject: [PATCH] scsi: lpfc: Correct used_rpi count when devloss tmo fires + with no recovery +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: db651ec22524eb8f9c854fbb4d9acd5d7e5be9e4 + +[ Upstream commit db651ec22524eb8f9c854fbb4d9acd5d7e5be9e4 ] + +A fabric controller can sometimes send an RDP request right before a link +down event. Because of this outstanding RDP request, the driver does not +remove the last reference count on its ndlp causing a potential leak of RPI +resources when devloss tmo fires. + +In lpfc_cmpl_els_rsp(), modify the NPIV clause to always allow the +lpfc_drop_node() routine to execute when not registered with SCSI +transport. + +This relaxes the contraint that an NPIV ndlp must be in a specific state in +order to call lpfc_drop node. Logic is revised such that the +lpfc_drop_node() routine is always called to ensure the last ndlp decrement +occurs. + +Signed-off-by: Justin Tee +Link: https://lore.kernel.org/r/20230301231626.9621-7-justintee8345@gmail.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/scsi/lpfc/lpfc_els.c | 24 +++++++++++++----------- + 1 file changed, 13 insertions(+), 11 deletions(-) + +diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c +index 35b252f1..62d2ca68 100644 +--- a/drivers/scsi/lpfc/lpfc_els.c ++++ b/drivers/scsi/lpfc/lpfc_els.c +@@ -5455,18 +5455,20 @@ lpfc_cmpl_els_rsp(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb, + * these conditions and release the RPI. + */ + if (phba->sli_rev == LPFC_SLI_REV4 && +- (vport && vport->port_type == LPFC_NPIV_PORT) && +- !(ndlp->fc4_xpt_flags & SCSI_XPT_REGD) && +- ndlp->nlp_flag & NLP_RELEASE_RPI) { +- if (ndlp->nlp_state != NLP_STE_PLOGI_ISSUE && +- ndlp->nlp_state != NLP_STE_REG_LOGIN_ISSUE) { +- lpfc_sli4_free_rpi(phba, ndlp->nlp_rpi); +- spin_lock_irq(&ndlp->lock); +- ndlp->nlp_rpi = LPFC_RPI_ALLOC_ERROR; +- ndlp->nlp_flag &= ~NLP_RELEASE_RPI; +- spin_unlock_irq(&ndlp->lock); +- lpfc_drop_node(vport, ndlp); ++ vport && vport->port_type == LPFC_NPIV_PORT && ++ !(ndlp->fc4_xpt_flags & SCSI_XPT_REGD)) { ++ if (ndlp->nlp_flag & NLP_RELEASE_RPI) { ++ if (ndlp->nlp_state != NLP_STE_PLOGI_ISSUE && ++ ndlp->nlp_state != NLP_STE_REG_LOGIN_ISSUE) { ++ lpfc_sli4_free_rpi(phba, ndlp->nlp_rpi); ++ spin_lock_irq(&ndlp->lock); ++ ndlp->nlp_rpi = LPFC_RPI_ALLOC_ERROR; ++ ndlp->nlp_flag &= ~NLP_RELEASE_RPI; ++ spin_unlock_irq(&ndlp->lock); ++ } + } ++ ++ lpfc_drop_node(vport, ndlp); + } + + /* Release the originating I/O reference. */ +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-098-wifi-rtw88-fix-memory-leak-in-rtw_usb_probe.patch b/patches.kernel.org/6.3.4-098-wifi-rtw88-fix-memory-leak-in-rtw_usb_probe.patch new file mode 100644 index 0000000..8e9e800 --- /dev/null +++ b/patches.kernel.org/6.3.4-098-wifi-rtw88-fix-memory-leak-in-rtw_usb_probe.patch @@ -0,0 +1,40 @@ +From: Dongliang Mu +Date: Thu, 9 Mar 2023 10:16:36 +0800 +Subject: [PATCH] wifi: rtw88: fix memory leak in rtw_usb_probe() +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 48181d285623198c33bb9698992502687b258efa + +[ Upstream commit 48181d285623198c33bb9698992502687b258efa ] + +drivers/net/wireless/realtek/rtw88/usb.c:876 rtw_usb_probe() +warn: 'hw' from ieee80211_alloc_hw() not released on lines: 811 + +Fix this by modifying return to a goto statement. + +Signed-off-by: Dongliang Mu +Reviewed-by: Ping-Ke Shih +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230309021636.528601-1-dzm91@hust.edu.cn +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/net/wireless/realtek/rtw88/usb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/realtek/rtw88/usb.c b/drivers/net/wireless/realtek/rtw88/usb.c +index a10d6fef..8e2c99f9 100644 +--- a/drivers/net/wireless/realtek/rtw88/usb.c ++++ b/drivers/net/wireless/realtek/rtw88/usb.c +@@ -832,7 +832,7 @@ int rtw_usb_probe(struct usb_interface *intf, const struct usb_device_id *id) + + ret = rtw_usb_alloc_rx_bufs(rtwusb); + if (ret) +- return ret; ++ goto err_release_hw; + + ret = rtw_core_init(rtwdev); + if (ret) +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-099-bnxt-avoid-overflow-in-bnxt_get_nvram_directory.patch b/patches.kernel.org/6.3.4-099-bnxt-avoid-overflow-in-bnxt_get_nvram_directory.patch new file mode 100644 index 0000000..0fd4482 --- /dev/null +++ b/patches.kernel.org/6.3.4-099-bnxt-avoid-overflow-in-bnxt_get_nvram_directory.patch @@ -0,0 +1,43 @@ +From: Maxim Korotkov +Date: Thu, 9 Mar 2023 20:43:47 +0300 +Subject: [PATCH] bnxt: avoid overflow in bnxt_get_nvram_directory() +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 7c6dddc239abe660598c49ec95ea0ed6399a4b2a + +[ Upstream commit 7c6dddc239abe660598c49ec95ea0ed6399a4b2a ] + +The value of an arithmetic expression is subject +of possible overflow due to a failure to cast operands to a larger data +type before performing arithmetic. Used macro for multiplication instead +operator for avoiding overflow. + +Found by Security Code and Linux Verification +Center (linuxtesting.org) with SVACE. + +Signed-off-by: Maxim Korotkov +Reviewed-by: Pavan Chebbi +Link: https://lore.kernel.org/r/20230309174347.3515-1-korotkov.maxim.s@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c +index 6bd18eb5..2dd8ee4a 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c +@@ -2864,7 +2864,7 @@ static int bnxt_get_nvram_directory(struct net_device *dev, u32 len, u8 *data) + if (rc) + return rc; + +- buflen = dir_entries * entry_length; ++ buflen = mul_u32_u32(dir_entries, entry_length); + buf = hwrm_req_dma_slice(bp, req, buflen, &dma_handle); + if (!buf) { + hwrm_req_drop(bp, req); +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-100-net-pasemi-Fix-return-type-of-pasemi_mac_start_.patch b/patches.kernel.org/6.3.4-100-net-pasemi-Fix-return-type-of-pasemi_mac_start_.patch new file mode 100644 index 0000000..2ba13b8 --- /dev/null +++ b/patches.kernel.org/6.3.4-100-net-pasemi-Fix-return-type-of-pasemi_mac_start_.patch @@ -0,0 +1,55 @@ +From: Nathan Chancellor +Date: Sun, 19 Mar 2023 16:41:08 -0700 +Subject: [PATCH] net: pasemi: Fix return type of pasemi_mac_start_tx() +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: c8384d4a51e7cb0e6587f3143f29099f202c5de1 + +[ Upstream commit c8384d4a51e7cb0e6587f3143f29099f202c5de1 ] + +With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG), +indirect call targets are validated against the expected function +pointer prototype to make sure the call target is valid to help mitigate +ROP attacks. If they are not identical, there is a failure at run time, +which manifests as either a kernel panic or thread getting killed. A +warning in clang aims to catch these at compile time, which reveals: + + drivers/net/ethernet/pasemi/pasemi_mac.c:1665:21: error: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Werror,-Wincompatible-function-pointer-types-strict] + .ndo_start_xmit = pasemi_mac_start_tx, + ^~~~~~~~~~~~~~~~~~~ + 1 error generated. + +->ndo_start_xmit() in 'struct net_device_ops' expects a return type of +'netdev_tx_t', not 'int'. Adjust the return type of +pasemi_mac_start_tx() to match the prototype's to resolve the warning. +While PowerPC does not currently implement support for kCFI, it could in +the future, which means this warning becomes a fatal CFI failure at run +time. + +Link: https://github.com/ClangBuiltLinux/linux/issues/1750 +Signed-off-by: Nathan Chancellor +Reviewed-by: Horatiu Vultur +Link: https://lore.kernel.org/r/20230319-pasemi-incompatible-pointer-types-strict-v1-1-1b9459d8aef0@kernel.org +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/net/ethernet/pasemi/pasemi_mac.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/pasemi/pasemi_mac.c b/drivers/net/ethernet/pasemi/pasemi_mac.c +index aaab590e..ed7dd0a0 100644 +--- a/drivers/net/ethernet/pasemi/pasemi_mac.c ++++ b/drivers/net/ethernet/pasemi/pasemi_mac.c +@@ -1423,7 +1423,7 @@ static void pasemi_mac_queue_csdesc(const struct sk_buff *skb, + write_dma_reg(PAS_DMA_TXCHAN_INCR(txring->chan.chno), 2); + } + +-static int pasemi_mac_start_tx(struct sk_buff *skb, struct net_device *dev) ++static netdev_tx_t pasemi_mac_start_tx(struct sk_buff *skb, struct net_device *dev) + { + struct pasemi_mac * const mac = netdev_priv(dev); + struct pasemi_mac_txring * const txring = tx_ring(mac); +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-101-wifi-ath12k-fix-memory-leak-in-ath12k_qmi_drive.patch b/patches.kernel.org/6.3.4-101-wifi-ath12k-fix-memory-leak-in-ath12k_qmi_drive.patch new file mode 100644 index 0000000..6ce6a7d --- /dev/null +++ b/patches.kernel.org/6.3.4-101-wifi-ath12k-fix-memory-leak-in-ath12k_qmi_drive.patch @@ -0,0 +1,52 @@ +From: Rajat Soni +Date: Wed, 15 Mar 2023 14:36:32 +0530 +Subject: [PATCH] wifi: ath12k: fix memory leak in + ath12k_qmi_driver_event_work() +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 960412bee0ea75f6b3c2dca4a3535795ee84c47a + +[ Upstream commit 960412bee0ea75f6b3c2dca4a3535795ee84c47a ] + +Currently the buffer pointed by event is not freed in case +ATH12K_FLAG_UNREGISTERING bit is set, this causes memory leak. + +Add a goto skip instead of return, to ensure event and all the +list entries are freed properly. + +Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.0.1-00029-QCAHKSWPL_SILICONZ-1 + +Signed-off-by: Rajat Soni +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230315090632.15065-1-quic_rajson@quicinc.com +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/net/wireless/ath/ath12k/qmi.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath12k/qmi.c b/drivers/net/wireless/ath/ath12k/qmi.c +index 979a63f2..03ba245f 100644 +--- a/drivers/net/wireless/ath/ath12k/qmi.c ++++ b/drivers/net/wireless/ath/ath12k/qmi.c +@@ -2991,7 +2991,7 @@ static void ath12k_qmi_driver_event_work(struct work_struct *work) + spin_unlock(&qmi->event_lock); + + if (test_bit(ATH12K_FLAG_UNREGISTERING, &ab->dev_flags)) +- return; ++ goto skip; + + switch (event->type) { + case ATH12K_QMI_EVENT_SERVER_ARRIVE: +@@ -3032,6 +3032,8 @@ static void ath12k_qmi_driver_event_work(struct work_struct *work) + ath12k_warn(ab, "invalid event type: %d", event->type); + break; + } ++ ++skip: + kfree(event); + spin_lock(&qmi->event_lock); + } +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-102-net-Catch-invalid-index-in-XPS-mapping.patch b/patches.kernel.org/6.3.4-102-net-Catch-invalid-index-in-XPS-mapping.patch new file mode 100644 index 0000000..cfd42a7 --- /dev/null +++ b/patches.kernel.org/6.3.4-102-net-Catch-invalid-index-in-XPS-mapping.patch @@ -0,0 +1,44 @@ +From: Nick Child +Date: Tue, 21 Mar 2023 10:07:24 -0500 +Subject: [PATCH] net: Catch invalid index in XPS mapping +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 5dd0dfd55baec0742ba8f5625a0dd064aca7db16 + +[ Upstream commit 5dd0dfd55baec0742ba8f5625a0dd064aca7db16 ] + +When setting the XPS value of a TX queue, warn the user once if the +index of the queue is greater than the number of allocated TX queues. + +Previously, this scenario went uncaught. In the best case, it resulted +in unnecessary allocations. In the worst case, it resulted in +out-of-bounds memory references through calls to `netdev_get_tx_queue( +dev, index)`. Therefore, it is important to inform the user but not +worth returning an error and risk downing the netdevice. + +Signed-off-by: Nick Child +Reviewed-by: Piotr Raczynski +Link: https://lore.kernel.org/r/20230321150725.127229-1-nnac123@linux.ibm.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + net/core/dev.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/core/dev.c b/net/core/dev.c +index 8fbd2418..b3d8e74f 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -2535,6 +2535,8 @@ int __netif_set_xps_queue(struct net_device *dev, const unsigned long *mask, + struct xps_map *map, *new_map; + unsigned int nr_ids; + ++ WARN_ON_ONCE(index >= dev->num_tx_queues); ++ + if (dev->num_tc) { + /* Do not allow XPS on subordinate device directly */ + num_tc = dev->num_tc; +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-103-netdev-Enforce-index-cap-in-netdev_get_tx_queue.patch b/patches.kernel.org/6.3.4-103-netdev-Enforce-index-cap-in-netdev_get_tx_queue.patch new file mode 100644 index 0000000..bc3640a --- /dev/null +++ b/patches.kernel.org/6.3.4-103-netdev-Enforce-index-cap-in-netdev_get_tx_queue.patch @@ -0,0 +1,41 @@ +From: Nick Child +Date: Tue, 21 Mar 2023 10:07:25 -0500 +Subject: [PATCH] netdev: Enforce index cap in netdev_get_tx_queue +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 1cc6571f562774f1d928dc8b3cff50829b86e970 + +[ Upstream commit 1cc6571f562774f1d928dc8b3cff50829b86e970 ] + +When requesting a TX queue at a given index, warn on out-of-bounds +referencing if the index is greater than the allocated number of +queues. + +Specifically, since this function is used heavily in the networking +stack use DEBUG_NET_WARN_ON_ONCE to avoid executing a new branch on +every packet. + +Signed-off-by: Nick Child +Link: https://lore.kernel.org/r/20230321150725.127229-2-nnac123@linux.ibm.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + include/linux/netdevice.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h +index c35f04f6..7db9f960 100644 +--- a/include/linux/netdevice.h ++++ b/include/linux/netdevice.h +@@ -2463,6 +2463,7 @@ static inline + struct netdev_queue *netdev_get_tx_queue(const struct net_device *dev, + unsigned int index) + { ++ DEBUG_NET_WARN_ON_ONCE(index >= dev->num_tx_queues); + return &dev->_tx[index]; + } + +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-104-scsi-target-iscsit-Free-cmds-before-session-fre.patch b/patches.kernel.org/6.3.4-104-scsi-target-iscsit-Free-cmds-before-session-fre.patch new file mode 100644 index 0000000..64a71e4 --- /dev/null +++ b/patches.kernel.org/6.3.4-104-scsi-target-iscsit-Free-cmds-before-session-fre.patch @@ -0,0 +1,65 @@ +From: Dmitry Bogdanov +Date: Sat, 18 Mar 2023 20:56:17 -0500 +Subject: [PATCH] scsi: target: iscsit: Free cmds before session free +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: d8990b5a4d065f38f35d69bcd627ec5a7f8330ca + +[ Upstream commit d8990b5a4d065f38f35d69bcd627ec5a7f8330ca ] + +Commands from recovery entries are freed after session has been closed. +That leads to use-after-free at command free or NPE with such call trace: + +Time2Retain timer expired for SID: 1, cleaning up iSCSI session. +BUG: kernel NULL pointer dereference, address: 0000000000000140 +RIP: 0010:sbitmap_queue_clear+0x3a/0xa0 +Call Trace: + target_release_cmd_kref+0xd1/0x1f0 [target_core_mod] + transport_generic_free_cmd+0xd1/0x180 [target_core_mod] + iscsit_free_cmd+0x53/0xd0 [iscsi_target_mod] + iscsit_free_connection_recovery_entries+0x29d/0x320 [iscsi_target_mod] + iscsit_close_session+0x13a/0x140 [iscsi_target_mod] + iscsit_check_post_dataout+0x440/0x440 [iscsi_target_mod] + call_timer_fn+0x24/0x140 + +Move cleanup of recovery enrties to before session freeing. + +Reported-by: Forza +Signed-off-by: Dmitry Bogdanov +Signed-off-by: Mike Christie +Link: https://lore.kernel.org/r/20230319015620.96006-7-michael.christie@oracle.com +Reviewed-by: Maurizio Lombardi +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/target/iscsi/iscsi_target.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c +index 3f7a9f7f..07e196b4 100644 +--- a/drivers/target/iscsi/iscsi_target.c ++++ b/drivers/target/iscsi/iscsi_target.c +@@ -4531,6 +4531,9 @@ int iscsit_close_session(struct iscsit_session *sess, bool can_sleep) + iscsit_stop_time2retain_timer(sess); + spin_unlock_bh(&se_tpg->session_lock); + ++ if (sess->sess_ops->ErrorRecoveryLevel == 2) ++ iscsit_free_connection_recovery_entries(sess); ++ + /* + * transport_deregister_session_configfs() will clear the + * struct se_node_acl->nacl_sess pointer now as a iscsi_np process context +@@ -4554,9 +4557,6 @@ int iscsit_close_session(struct iscsit_session *sess, bool can_sleep) + + transport_deregister_session(sess->se_sess); + +- if (sess->sess_ops->ErrorRecoveryLevel == 2) +- iscsit_free_connection_recovery_entries(sess); +- + iscsit_free_all_ooo_cmdsns(sess); + + spin_lock_bh(&se_tpg->session_lock); +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-105-lib-cpu_rmap-Avoid-use-after-free-on-rmap-obj-a.patch b/patches.kernel.org/6.3.4-105-lib-cpu_rmap-Avoid-use-after-free-on-rmap-obj-a.patch new file mode 100644 index 0000000..e1e6036 --- /dev/null +++ b/patches.kernel.org/6.3.4-105-lib-cpu_rmap-Avoid-use-after-free-on-rmap-obj-a.patch @@ -0,0 +1,69 @@ +From: Eli Cohen +Date: Wed, 8 Feb 2023 07:51:02 +0200 +Subject: [PATCH] lib: cpu_rmap: Avoid use after free on rmap->obj array + entries +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 4e0473f1060aa49621d40a113afde24818101d37 + +[ Upstream commit 4e0473f1060aa49621d40a113afde24818101d37 ] + +When calling irq_set_affinity_notifier() with NULL at the notify +argument, it will cause freeing of the glue pointer in the +corresponding array entry but will leave the pointer in the array. A +subsequent call to free_irq_cpu_rmap() will try to free this entry again +leading to possible use after free. + +Fix that by setting NULL to the array entry and checking that we have +non-zero at the array entry when iterating over the array in +free_irq_cpu_rmap(). + +The current code does not suffer from this since there are no cases +where irq_set_affinity_notifier(irq, NULL) (note the NULL passed for the +notify arg) is called, followed by a call to free_irq_cpu_rmap() so we +don't hit and issue. Subsequent patches in this series excersize this +flow, hence the required fix. + +Cc: Thomas Gleixner +Signed-off-by: Eli Cohen +Signed-off-by: Saeed Mahameed +Reviewed-by: Jacob Keller +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + lib/cpu_rmap.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/lib/cpu_rmap.c b/lib/cpu_rmap.c +index f08d9c56..e77f12bb 100644 +--- a/lib/cpu_rmap.c ++++ b/lib/cpu_rmap.c +@@ -232,7 +232,8 @@ void free_irq_cpu_rmap(struct cpu_rmap *rmap) + + for (index = 0; index < rmap->used; index++) { + glue = rmap->obj[index]; +- irq_set_affinity_notifier(glue->notify.irq, NULL); ++ if (glue) ++ irq_set_affinity_notifier(glue->notify.irq, NULL); + } + + cpu_rmap_put(rmap); +@@ -268,6 +269,7 @@ static void irq_cpu_rmap_release(struct kref *ref) + container_of(ref, struct irq_glue, notify.kref); + + cpu_rmap_put(glue->rmap); ++ glue->rmap->obj[glue->index] = NULL; + kfree(glue); + } + +@@ -297,6 +299,7 @@ int irq_cpu_rmap_add(struct cpu_rmap *rmap, int irq) + rc = irq_set_affinity_notifier(irq, &glue->notify); + if (rc) { + cpu_rmap_put(glue->rmap); ++ rmap->obj[glue->index] = NULL; + kfree(glue); + } + return rc; +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-106-scsi-message-mptlan-Fix-use-after-free-bug-in-m.patch b/patches.kernel.org/6.3.4-106-scsi-message-mptlan-Fix-use-after-free-bug-in-m.patch new file mode 100644 index 0000000..d5979cd --- /dev/null +++ b/patches.kernel.org/6.3.4-106-scsi-message-mptlan-Fix-use-after-free-bug-in-m.patch @@ -0,0 +1,56 @@ +From: Zheng Wang +Date: Sat, 18 Mar 2023 16:16:35 +0800 +Subject: [PATCH] scsi: message: mptlan: Fix use after free bug in + mptlan_remove() due to race condition +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: f486893288f3e9b171b836f43853a6426515d800 + +[ Upstream commit f486893288f3e9b171b836f43853a6426515d800 ] + +mptlan_probe() calls mpt_register_lan_device() which initializes the +&priv->post_buckets_task workqueue. A call to +mpt_lan_wake_post_buckets_task() will subsequently start the work. + +During driver unload in mptlan_remove() the following race may occur: + +CPU0 CPU1 + + |mpt_lan_post_receive_buckets_work() +mptlan_remove() | + free_netdev() | + kfree(dev); | + | + | dev->mtu + | //use + +Fix this by finishing the work prior to cleaning up in mptlan_remove(). + +[mkp: we really should remove mptlan instead of attempting to fix it] + +Signed-off-by: Zheng Wang +Link: https://lore.kernel.org/r/20230318081635.796479-1-zyytlz.wz@163.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/message/fusion/mptlan.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/message/fusion/mptlan.c b/drivers/message/fusion/mptlan.c +index 142eb5d5..de2e7bcf 100644 +--- a/drivers/message/fusion/mptlan.c ++++ b/drivers/message/fusion/mptlan.c +@@ -1433,7 +1433,9 @@ mptlan_remove(struct pci_dev *pdev) + { + MPT_ADAPTER *ioc = pci_get_drvdata(pdev); + struct net_device *dev = ioc->netdev; ++ struct mpt_lan_priv *priv = netdev_priv(dev); + ++ cancel_delayed_work_sync(&priv->post_buckets_task); + if(dev != NULL) { + unregister_netdev(dev); + free_netdev(dev); +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-107-gfs2-Fix-inode-height-consistency-check.patch b/patches.kernel.org/6.3.4-107-gfs2-Fix-inode-height-consistency-check.patch new file mode 100644 index 0000000..9f2fa1d --- /dev/null +++ b/patches.kernel.org/6.3.4-107-gfs2-Fix-inode-height-consistency-check.patch @@ -0,0 +1,50 @@ +From: Andreas Gruenbacher +Date: Tue, 28 Mar 2023 00:43:16 +0200 +Subject: [PATCH] gfs2: Fix inode height consistency check +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: cfcdb5bad34f600aed7613c3c1a5e618111f77b7 + +[ Upstream commit cfcdb5bad34f600aed7613c3c1a5e618111f77b7 ] + +The maximum allowed height of an inode's metadata tree depends on the +filesystem block size; it is lower for bigger-block filesystems. When +reading in an inode, make sure that the height doesn't exceed the +maximum allowed height. + +Arrays like sd_heightsize are sized to be big enough for any filesystem +block size; they will often be slightly bigger than what's needed for a +specific filesystem. + +Reported-by: syzbot+45d4691b1ed3c48eba05@syzkaller.appspotmail.com +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + fs/gfs2/glops.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/gfs2/glops.c b/fs/gfs2/glops.c +index 4d99cc77..b65950e7 100644 +--- a/fs/gfs2/glops.c ++++ b/fs/gfs2/glops.c +@@ -396,6 +396,7 @@ static int inode_go_demote_ok(const struct gfs2_glock *gl) + + static int gfs2_dinode_in(struct gfs2_inode *ip, const void *buf) + { ++ struct gfs2_sbd *sdp = GFS2_SB(&ip->i_inode); + const struct gfs2_dinode *str = buf; + struct timespec64 atime; + u16 height, depth; +@@ -442,7 +443,7 @@ static int gfs2_dinode_in(struct gfs2_inode *ip, const void *buf) + /* i_diskflags and i_eattr must be set before gfs2_set_inode_flags() */ + gfs2_set_inode_flags(inode); + height = be16_to_cpu(str->di_height); +- if (unlikely(height > GFS2_MAX_META_HEIGHT)) ++ if (unlikely(height > sdp->sd_max_height)) + goto corrupt; + ip->i_height = (u8)height; + +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-108-scsi-ufs-ufs-pci-Add-support-for-Intel-Lunar-La.patch b/patches.kernel.org/6.3.4-108-scsi-ufs-ufs-pci-Add-support-for-Intel-Lunar-La.patch new file mode 100644 index 0000000..7684be7 --- /dev/null +++ b/patches.kernel.org/6.3.4-108-scsi-ufs-ufs-pci-Add-support-for-Intel-Lunar-La.patch @@ -0,0 +1,35 @@ +From: Adrian Hunter +Date: Tue, 28 Mar 2023 13:58:32 +0300 +Subject: [PATCH] scsi: ufs: ufs-pci: Add support for Intel Lunar Lake +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 0a07d3c7a1d205b47d9f3608ff4e9d1065d63b6d + +[ Upstream commit 0a07d3c7a1d205b47d9f3608ff4e9d1065d63b6d ] + +Add PCI ID to support Intel Lunar Lake, same as MTL. + +Signed-off-by: Adrian Hunter +Link: https://lore.kernel.org/r/20230328105832.3495-1-adrian.hunter@intel.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/ufs/host/ufshcd-pci.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/ufs/host/ufshcd-pci.c b/drivers/ufs/host/ufshcd-pci.c +index 1c91f43e..9c911787 100644 +--- a/drivers/ufs/host/ufshcd-pci.c ++++ b/drivers/ufs/host/ufshcd-pci.c +@@ -607,6 +607,7 @@ static const struct pci_device_id ufshcd_pci_tbl[] = { + { PCI_VDEVICE(INTEL, 0x51FF), (kernel_ulong_t)&ufs_intel_adl_hba_vops }, + { PCI_VDEVICE(INTEL, 0x54FF), (kernel_ulong_t)&ufs_intel_adl_hba_vops }, + { PCI_VDEVICE(INTEL, 0x7E47), (kernel_ulong_t)&ufs_intel_mtl_hba_vops }, ++ { PCI_VDEVICE(INTEL, 0xA847), (kernel_ulong_t)&ufs_intel_mtl_hba_vops }, + { } /* terminate list */ + }; + +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-109-scsi-hisi_sas-Grab-sas_dev-lock-when-traversing.patch b/patches.kernel.org/6.3.4-109-scsi-hisi_sas-Grab-sas_dev-lock-when-traversing.patch new file mode 100644 index 0000000..f8400ea --- /dev/null +++ b/patches.kernel.org/6.3.4-109-scsi-hisi_sas-Grab-sas_dev-lock-when-traversing.patch @@ -0,0 +1,249 @@ +From: Xingui Yang +Date: Mon, 20 Mar 2023 11:34:22 +0800 +Subject: [PATCH] scsi: hisi_sas: Grab sas_dev lock when traversing the members + of sas_dev.list +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 71fb36b5ff113a7674710b9d6063241eada84ff7 + +[ Upstream commit 71fb36b5ff113a7674710b9d6063241eada84ff7 ] + +When freeing slots in function slot_complete_v3_hw(), it is possible that +sas_dev.list is being traversed elsewhere, and it may trigger a NULL +pointer exception, such as follows: + +==>cq thread ==>scsi_eh_6 + + ==>scsi_error_handler() + ==>sas_eh_handle_sas_errors() + ==>sas_scsi_find_task() + ==>lldd_abort_task() +==>slot_complete_v3_hw() ==>hisi_sas_abort_task() + ==>hisi_sas_slot_task_free() ==>dereg_device_v3_hw() + ==>list_del_init() ==>list_for_each_entry_safe() + +[ 7165.434918] sas: Enter sas_scsi_recover_host busy: 32 failed: 32 +[ 7165.434926] sas: trying to find task 0x00000000769b5ba5 +[ 7165.434927] sas: sas_scsi_find_task: aborting task 0x00000000769b5ba5 +[ 7165.434940] hisi_sas_v3_hw 0000:b4:02.0: slot complete: task(00000000769b5ba5) aborted +[ 7165.434964] hisi_sas_v3_hw 0000:b4:02.0: slot complete: task(00000000c9f7aa07) ignored +[ 7165.434965] hisi_sas_v3_hw 0000:b4:02.0: slot complete: task(00000000e2a1cf01) ignored +[ 7165.434968] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 +[ 7165.434972] hisi_sas_v3_hw 0000:b4:02.0: slot complete: task(0000000022d52d93) ignored +[ 7165.434975] hisi_sas_v3_hw 0000:b4:02.0: slot complete: task(0000000066a7516c) ignored +[ 7165.434976] Mem abort info: +[ 7165.434982] ESR = 0x96000004 +[ 7165.434991] Exception class = DABT (current EL), IL = 32 bits +[ 7165.434992] SET = 0, FnV = 0 +[ 7165.434993] EA = 0, S1PTW = 0 +[ 7165.434994] Data abort info: +[ 7165.434994] ISV = 0, ISS = 0x00000004 +[ 7165.434995] CM = 0, WnR = 0 +[ 7165.434997] user pgtable: 4k pages, 48-bit VAs, pgdp = 00000000f29543f2 +[ 7165.434998] [0000000000000000] pgd=0000000000000000 +[ 7165.435003] Internal error: Oops: 96000004 [#1] SMP +[ 7165.439863] Process scsi_eh_6 (pid: 4109, stack limit = 0x00000000c43818d5) +[ 7165.468862] pstate: 00c00009 (nzcv daif +PAN +UAO) +[ 7165.473637] pc : dereg_device_v3_hw+0x68/0xa8 [hisi_sas_v3_hw] +[ 7165.479443] lr : dereg_device_v3_hw+0x2c/0xa8 [hisi_sas_v3_hw] +[ 7165.485247] sp : ffff00001d623bc0 +[ 7165.488546] x29: ffff00001d623bc0 x28: ffffa027d03b9508 +[ 7165.493835] x27: ffff80278ed50af0 x26: ffffa027dd31e0a8 +[ 7165.499123] x25: ffffa027d9b27f88 x24: ffffa027d9b209f8 +[ 7165.504411] x23: ffffa027c45b0d60 x22: ffff80278ec07c00 +[ 7165.509700] x21: 0000000000000008 x20: ffffa027d9b209f8 +[ 7165.514988] x19: ffffa027d9b27f88 x18: ffffffffffffffff +[ 7165.520276] x17: 0000000000000000 x16: 0000000000000000 +[ 7165.525564] x15: ffff0000091d9708 x14: ffff0000093b7dc8 +[ 7165.530852] x13: ffff0000093b7a23 x12: 6e7265746e692067 +[ 7165.536140] x11: 0000000000000000 x10: 0000000000000bb0 +[ 7165.541429] x9 : ffff00001d6238f0 x8 : ffffa027d877af00 +[ 7165.546718] x7 : ffffa027d6329600 x6 : ffff7e809f58ca00 +[ 7165.552006] x5 : 0000000000001f8a x4 : 000000000000088e +[ 7165.557295] x3 : ffffa027d9b27fa8 x2 : 0000000000000000 +[ 7165.562583] x1 : 0000000000000000 x0 : 000000003000188e +[ 7165.567872] Call trace: +[ 7165.570309] dereg_device_v3_hw+0x68/0xa8 [hisi_sas_v3_hw] +[ 7165.575775] hisi_sas_abort_task+0x248/0x358 [hisi_sas_main] +[ 7165.581415] sas_eh_handle_sas_errors+0x258/0x8e0 [libsas] +[ 7165.586876] sas_scsi_recover_host+0x134/0x458 [libsas] +[ 7165.592082] scsi_error_handler+0xb4/0x488 +[ 7165.596163] kthread+0x134/0x138 +[ 7165.599380] ret_from_fork+0x10/0x18 +[ 7165.602940] Code: d5033e9f b9000040 aa0103e2 eb03003f (f9400021) +[ 7165.609004] kernel fault(0x1) notification starting on CPU 75 +[ 7165.700728] ---[ end trace fc042cbbea224efc ]--- +[ 7165.705326] Kernel panic - not syncing: Fatal exception + +To fix the issue, grab sas_dev lock when traversing the members of +sas_dev.list in dereg_device_v3_hw() and hisi_sas_release_tasks() to avoid +concurrency of adding and deleting member. When function +hisi_sas_release_tasks() calls hisi_sas_do_release_task() to free slot, the +lock cannot be grabbed again in hisi_sas_slot_task_free(), then a bool +parameter need_lock is added. + +Signed-off-by: Xingui Yang +Signed-off-by: Xiang Chen +Link: https://lore.kernel.org/r/1679283265-115066-2-git-send-email-chenxiang66@hisilicon.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/scsi/hisi_sas/hisi_sas.h | 3 ++- + drivers/scsi/hisi_sas/hisi_sas_main.c | 25 ++++++++++++++++--------- + drivers/scsi/hisi_sas/hisi_sas_v1_hw.c | 2 +- + drivers/scsi/hisi_sas/hisi_sas_v2_hw.c | 2 +- + drivers/scsi/hisi_sas/hisi_sas_v3_hw.c | 4 +++- + 5 files changed, 23 insertions(+), 13 deletions(-) + +diff --git a/drivers/scsi/hisi_sas/hisi_sas.h b/drivers/scsi/hisi_sas/hisi_sas.h +index 6f8a52a1..423af1dc 100644 +--- a/drivers/scsi/hisi_sas/hisi_sas.h ++++ b/drivers/scsi/hisi_sas/hisi_sas.h +@@ -653,7 +653,8 @@ extern void hisi_sas_phy_down(struct hisi_hba *hisi_hba, int phy_no, int rdy, + extern void hisi_sas_phy_bcast(struct hisi_sas_phy *phy); + extern void hisi_sas_slot_task_free(struct hisi_hba *hisi_hba, + struct sas_task *task, +- struct hisi_sas_slot *slot); ++ struct hisi_sas_slot *slot, ++ bool need_lock); + extern void hisi_sas_init_mem(struct hisi_hba *hisi_hba); + extern void hisi_sas_rst_work_handler(struct work_struct *work); + extern void hisi_sas_sync_rst_work_handler(struct work_struct *work); +diff --git a/drivers/scsi/hisi_sas/hisi_sas_main.c b/drivers/scsi/hisi_sas/hisi_sas_main.c +index 8c038ccf..2093c1e8 100644 +--- a/drivers/scsi/hisi_sas/hisi_sas_main.c ++++ b/drivers/scsi/hisi_sas/hisi_sas_main.c +@@ -205,7 +205,7 @@ static int hisi_sas_slot_index_alloc(struct hisi_hba *hisi_hba, + } + + void hisi_sas_slot_task_free(struct hisi_hba *hisi_hba, struct sas_task *task, +- struct hisi_sas_slot *slot) ++ struct hisi_sas_slot *slot, bool need_lock) + { + int device_id = slot->device_id; + struct hisi_sas_device *sas_dev = &hisi_hba->devices[device_id]; +@@ -239,9 +239,13 @@ void hisi_sas_slot_task_free(struct hisi_hba *hisi_hba, struct sas_task *task, + } + } + +- spin_lock(&sas_dev->lock); +- list_del_init(&slot->entry); +- spin_unlock(&sas_dev->lock); ++ if (need_lock) { ++ spin_lock(&sas_dev->lock); ++ list_del_init(&slot->entry); ++ spin_unlock(&sas_dev->lock); ++ } else { ++ list_del_init(&slot->entry); ++ } + + memset(slot, 0, offsetof(struct hisi_sas_slot, buf)); + +@@ -1021,7 +1025,7 @@ static void hisi_sas_port_notify_formed(struct asd_sas_phy *sas_phy) + } + + static void hisi_sas_do_release_task(struct hisi_hba *hisi_hba, struct sas_task *task, +- struct hisi_sas_slot *slot) ++ struct hisi_sas_slot *slot, bool need_lock) + { + if (task) { + unsigned long flags; +@@ -1038,7 +1042,7 @@ static void hisi_sas_do_release_task(struct hisi_hba *hisi_hba, struct sas_task + spin_unlock_irqrestore(&task->task_state_lock, flags); + } + +- hisi_sas_slot_task_free(hisi_hba, task, slot); ++ hisi_sas_slot_task_free(hisi_hba, task, slot, need_lock); + } + + static void hisi_sas_release_task(struct hisi_hba *hisi_hba, +@@ -1047,8 +1051,11 @@ static void hisi_sas_release_task(struct hisi_hba *hisi_hba, + struct hisi_sas_slot *slot, *slot2; + struct hisi_sas_device *sas_dev = device->lldd_dev; + ++ spin_lock(&sas_dev->lock); + list_for_each_entry_safe(slot, slot2, &sas_dev->list, entry) +- hisi_sas_do_release_task(hisi_hba, slot->task, slot); ++ hisi_sas_do_release_task(hisi_hba, slot->task, slot, false); ++ ++ spin_unlock(&sas_dev->lock); + } + + void hisi_sas_release_tasks(struct hisi_hba *hisi_hba) +@@ -1574,7 +1581,7 @@ static int hisi_sas_abort_task(struct sas_task *task) + */ + if (rc == TMF_RESP_FUNC_COMPLETE && rc2 != TMF_RESP_FUNC_SUCC) { + if (task->lldd_task) +- hisi_sas_do_release_task(hisi_hba, task, slot); ++ hisi_sas_do_release_task(hisi_hba, task, slot, true); + } + } else if (task->task_proto & SAS_PROTOCOL_SATA || + task->task_proto & SAS_PROTOCOL_STP) { +@@ -1594,7 +1601,7 @@ static int hisi_sas_abort_task(struct sas_task *task) + */ + if ((sas_dev->dev_status == HISI_SAS_DEV_NCQ_ERR) && + qc && qc->scsicmd) { +- hisi_sas_do_release_task(hisi_hba, task, slot); ++ hisi_sas_do_release_task(hisi_hba, task, slot, true); + rc = TMF_RESP_FUNC_COMPLETE; + } else { + rc = hisi_sas_softreset_ata_disk(device); +diff --git a/drivers/scsi/hisi_sas/hisi_sas_v1_hw.c b/drivers/scsi/hisi_sas/hisi_sas_v1_hw.c +index 70c24377..76176b1f 100644 +--- a/drivers/scsi/hisi_sas/hisi_sas_v1_hw.c ++++ b/drivers/scsi/hisi_sas/hisi_sas_v1_hw.c +@@ -1310,7 +1310,7 @@ static void slot_complete_v1_hw(struct hisi_hba *hisi_hba, + } + + out: +- hisi_sas_slot_task_free(hisi_hba, task, slot); ++ hisi_sas_slot_task_free(hisi_hba, task, slot, true); + + if (task->task_done) + task->task_done(task); +diff --git a/drivers/scsi/hisi_sas/hisi_sas_v2_hw.c b/drivers/scsi/hisi_sas/hisi_sas_v2_hw.c +index 02575d81..746e4d77 100644 +--- a/drivers/scsi/hisi_sas/hisi_sas_v2_hw.c ++++ b/drivers/scsi/hisi_sas/hisi_sas_v2_hw.c +@@ -2466,7 +2466,7 @@ static void slot_complete_v2_hw(struct hisi_hba *hisi_hba, + } + task->task_state_flags |= SAS_TASK_STATE_DONE; + spin_unlock_irqrestore(&task->task_state_lock, flags); +- hisi_sas_slot_task_free(hisi_hba, task, slot); ++ hisi_sas_slot_task_free(hisi_hba, task, slot, true); + + if (!is_internal && (task->task_proto != SAS_PROTOCOL_SMP)) { + spin_lock_irqsave(&device->done_lock, flags); +diff --git a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c +index 9afc23e3..71820a11 100644 +--- a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c ++++ b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c +@@ -883,6 +883,7 @@ static void dereg_device_v3_hw(struct hisi_hba *hisi_hba, + + cfg_abt_set_query_iptt = hisi_sas_read32(hisi_hba, + CFG_ABT_SET_QUERY_IPTT); ++ spin_lock(&sas_dev->lock); + list_for_each_entry_safe(slot, slot2, &sas_dev->list, entry) { + cfg_abt_set_query_iptt &= ~CFG_SET_ABORTED_IPTT_MSK; + cfg_abt_set_query_iptt |= (1 << CFG_SET_ABORTED_EN_OFF) | +@@ -890,6 +891,7 @@ static void dereg_device_v3_hw(struct hisi_hba *hisi_hba, + hisi_sas_write32(hisi_hba, CFG_ABT_SET_QUERY_IPTT, + cfg_abt_set_query_iptt); + } ++ spin_unlock(&sas_dev->lock); + cfg_abt_set_query_iptt &= ~(1 << CFG_SET_ABORTED_EN_OFF); + hisi_sas_write32(hisi_hba, CFG_ABT_SET_QUERY_IPTT, + cfg_abt_set_query_iptt); +@@ -2378,7 +2380,7 @@ static void slot_complete_v3_hw(struct hisi_hba *hisi_hba, + } + task->task_state_flags |= SAS_TASK_STATE_DONE; + spin_unlock_irqrestore(&task->task_state_lock, flags); +- hisi_sas_slot_task_free(hisi_hba, task, slot); ++ hisi_sas_slot_task_free(hisi_hba, task, slot, true); + + if (!is_internal && (task->task_proto != SAS_PROTOCOL_SMP)) { + spin_lock_irqsave(&device->done_lock, flags); +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-110-ext4-set-goal-start-correctly-in-ext4_mb_normal.patch b/patches.kernel.org/6.3.4-110-ext4-set-goal-start-correctly-in-ext4_mb_normal.patch new file mode 100644 index 0000000..de74b36 --- /dev/null +++ b/patches.kernel.org/6.3.4-110-ext4-set-goal-start-correctly-in-ext4_mb_normal.patch @@ -0,0 +1,73 @@ +From: Kemeng Shi +Date: Sat, 4 Mar 2023 01:21:01 +0800 +Subject: [PATCH] ext4: set goal start correctly in ext4_mb_normalize_request +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: b07ffe6927c75d99af534d685282ea188d9f71a6 + +[ Upstream commit b07ffe6927c75d99af534d685282ea188d9f71a6 ] + +We need to set ac_g_ex to notify the goal start used in +ext4_mb_find_by_goal. Set ac_g_ex instead of ac_f_ex in +ext4_mb_normalize_request. +Besides we should assure goal start is in range [first_data_block, +blocks_count) as ext4_mb_initialize_context does. + +[ Added a check to make sure size is less than ar->pright; otherwise + we could end up passing an underflowed value of ar->pright - size to + ext4_get_group_no_and_offset(), which will trigger a BUG_ON later on. + - TYT ] + +Signed-off-by: Kemeng Shi +Reviewed-by: Ritesh Harjani (IBM) +Link: https://lore.kernel.org/r/20230303172120.3800725-2-shikemeng@huaweicloud.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + fs/ext4/mballoc.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c +index 2a1df157..90daeca1 100644 +--- a/fs/ext4/mballoc.c ++++ b/fs/ext4/mballoc.c +@@ -4018,6 +4018,7 @@ ext4_mb_normalize_request(struct ext4_allocation_context *ac, + struct ext4_allocation_request *ar) + { + struct ext4_sb_info *sbi = EXT4_SB(ac->ac_sb); ++ struct ext4_super_block *es = sbi->s_es; + int bsbits, max; + ext4_lblk_t end; + loff_t size, start_off; +@@ -4213,18 +4214,21 @@ ext4_mb_normalize_request(struct ext4_allocation_context *ac, + ac->ac_g_ex.fe_len = EXT4_NUM_B2C(sbi, size); + + /* define goal start in order to merge */ +- if (ar->pright && (ar->lright == (start + size))) { ++ if (ar->pright && (ar->lright == (start + size)) && ++ ar->pright >= size && ++ ar->pright - size >= le32_to_cpu(es->s_first_data_block)) { + /* merge to the right */ + ext4_get_group_no_and_offset(ac->ac_sb, ar->pright - size, +- &ac->ac_f_ex.fe_group, +- &ac->ac_f_ex.fe_start); ++ &ac->ac_g_ex.fe_group, ++ &ac->ac_g_ex.fe_start); + ac->ac_flags |= EXT4_MB_HINT_TRY_GOAL; + } +- if (ar->pleft && (ar->lleft + 1 == start)) { ++ if (ar->pleft && (ar->lleft + 1 == start) && ++ ar->pleft + 1 < ext4_blocks_count(es)) { + /* merge to the left */ + ext4_get_group_no_and_offset(ac->ac_sb, ar->pleft + 1, +- &ac->ac_f_ex.fe_group, +- &ac->ac_f_ex.fe_start); ++ &ac->ac_g_ex.fe_group, ++ &ac->ac_g_ex.fe_start); + ac->ac_flags |= EXT4_MB_HINT_TRY_GOAL; + } + +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-111-ext4-Fix-best-extent-lstart-adjustment-logic-in.patch b/patches.kernel.org/6.3.4-111-ext4-Fix-best-extent-lstart-adjustment-logic-in.patch new file mode 100644 index 0000000..a859ede --- /dev/null +++ b/patches.kernel.org/6.3.4-111-ext4-Fix-best-extent-lstart-adjustment-logic-in.patch @@ -0,0 +1,130 @@ +From: Ojaswin Mujoo +Date: Sat, 25 Mar 2023 13:43:39 +0530 +Subject: [PATCH] ext4: Fix best extent lstart adjustment logic in + ext4_mb_new_inode_pa() +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 93cdf49f6eca5e23f6546b8f28457b2e6a6961d9 + +[ Upstream commit 93cdf49f6eca5e23f6546b8f28457b2e6a6961d9 ] + +When the length of best extent found is less than the length of goal extent +we need to make sure that the best extent atleast covers the start of the +original request. This is done by adjusting the ac_b_ex.fe_logical (logical +start) of the extent. + +While doing so, the current logic sometimes results in the best extent's +logical range overflowing the goal extent. Since this best extent is later +added to the inode preallocation list, we have a possibility of introducing +overlapping preallocations. This is discussed in detail here [1]. + +As per Jan's suggestion, to fix this, replace the existing logic with the +below logic for adjusting best extent as it keeps fragmentation in check +while ensuring logical range of best extent doesn't overflow out of goal +extent: + +1. Check if best extent can be kept at end of goal range and still cover + original start. +2. Else, check if best extent can be kept at start of goal range and still + cover original start. +3. Else, keep the best extent at start of original request. + +Also, add a few extra BUG_ONs that might help catch errors faster. + +[1] https://lore.kernel.org/r/Y+OGkVvzPN0RMv0O@li-bb2b2a4c-3307-11b2-a85c-8fa5c3a69313.ibm.com + +Suggested-by: Jan Kara +Signed-off-by: Ojaswin Mujoo +Reviewed-by: Ritesh Harjani (IBM) +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/f96aca6d415b36d1f90db86c1a8cd7e2e9d7ab0e.1679731817.git.ojaswin@linux.ibm.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + fs/ext4/mballoc.c | 49 ++++++++++++++++++++++++++++++----------------- + 1 file changed, 31 insertions(+), 18 deletions(-) + +diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c +index 90daeca1..9d495cd6 100644 +--- a/fs/ext4/mballoc.c ++++ b/fs/ext4/mballoc.c +@@ -4321,6 +4321,7 @@ static void ext4_mb_use_inode_pa(struct ext4_allocation_context *ac, + BUG_ON(start < pa->pa_pstart); + BUG_ON(end > pa->pa_pstart + EXT4_C2B(sbi, pa->pa_len)); + BUG_ON(pa->pa_free < len); ++ BUG_ON(ac->ac_b_ex.fe_len <= 0); + pa->pa_free -= len; + + mb_debug(ac->ac_sb, "use %llu/%d from inode pa %p\n", start, len, pa); +@@ -4650,10 +4651,8 @@ ext4_mb_new_inode_pa(struct ext4_allocation_context *ac) + pa = ac->ac_pa; + + if (ac->ac_b_ex.fe_len < ac->ac_g_ex.fe_len) { +- int winl; +- int wins; +- int win; +- int offs; ++ int new_bex_start; ++ int new_bex_end; + + /* we can't allocate as much as normalizer wants. + * so, found space must get proper lstart +@@ -4661,26 +4660,40 @@ ext4_mb_new_inode_pa(struct ext4_allocation_context *ac) + BUG_ON(ac->ac_g_ex.fe_logical > ac->ac_o_ex.fe_logical); + BUG_ON(ac->ac_g_ex.fe_len < ac->ac_o_ex.fe_len); + +- /* we're limited by original request in that +- * logical block must be covered any way +- * winl is window we can move our chunk within */ +- winl = ac->ac_o_ex.fe_logical - ac->ac_g_ex.fe_logical; ++ /* ++ * Use the below logic for adjusting best extent as it keeps ++ * fragmentation in check while ensuring logical range of best ++ * extent doesn't overflow out of goal extent: ++ * ++ * 1. Check if best ex can be kept at end of goal and still ++ * cover original start ++ * 2. Else, check if best ex can be kept at start of goal and ++ * still cover original start ++ * 3. Else, keep the best ex at start of original request. ++ */ ++ new_bex_end = ac->ac_g_ex.fe_logical + ++ EXT4_C2B(sbi, ac->ac_g_ex.fe_len); ++ new_bex_start = new_bex_end - EXT4_C2B(sbi, ac->ac_b_ex.fe_len); ++ if (ac->ac_o_ex.fe_logical >= new_bex_start) ++ goto adjust_bex; + +- /* also, we should cover whole original request */ +- wins = EXT4_C2B(sbi, ac->ac_b_ex.fe_len - ac->ac_o_ex.fe_len); ++ new_bex_start = ac->ac_g_ex.fe_logical; ++ new_bex_end = ++ new_bex_start + EXT4_C2B(sbi, ac->ac_b_ex.fe_len); ++ if (ac->ac_o_ex.fe_logical < new_bex_end) ++ goto adjust_bex; + +- /* the smallest one defines real window */ +- win = min(winl, wins); ++ new_bex_start = ac->ac_o_ex.fe_logical; ++ new_bex_end = ++ new_bex_start + EXT4_C2B(sbi, ac->ac_b_ex.fe_len); + +- offs = ac->ac_o_ex.fe_logical % +- EXT4_C2B(sbi, ac->ac_b_ex.fe_len); +- if (offs && offs < win) +- win = offs; ++adjust_bex: ++ ac->ac_b_ex.fe_logical = new_bex_start; + +- ac->ac_b_ex.fe_logical = ac->ac_o_ex.fe_logical - +- EXT4_NUM_B2C(sbi, win); + BUG_ON(ac->ac_o_ex.fe_logical < ac->ac_b_ex.fe_logical); + BUG_ON(ac->ac_o_ex.fe_len > ac->ac_b_ex.fe_len); ++ BUG_ON(new_bex_end > (ac->ac_g_ex.fe_logical + ++ EXT4_C2B(sbi, ac->ac_g_ex.fe_len))); + } + + /* preallocation can change ac_b_ex, thus we store actually +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-112-crypto-jitter-permanent-and-intermittent-health.patch b/patches.kernel.org/6.3.4-112-crypto-jitter-permanent-and-intermittent-health.patch new file mode 100644 index 0000000..0afe352 --- /dev/null +++ b/patches.kernel.org/6.3.4-112-crypto-jitter-permanent-and-intermittent-health.patch @@ -0,0 +1,397 @@ +From: =?UTF-8?q?Stephan=20M=C3=BCller?= +Date: Mon, 27 Mar 2023 09:03:52 +0200 +Subject: [PATCH] crypto: jitter - permanent and intermittent health errors +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 3fde2fe99aa6dacd4151c87382b07ce7f30f0a52 + +[ Upstream commit 3fde2fe99aa6dacd4151c87382b07ce7f30f0a52 ] + +According to SP800-90B, two health failures are allowed: the intermittend +and the permanent failure. So far, only the intermittent failure was +implemented. The permanent failure was achieved by resetting the entire +entropy source including its health test state and waiting for two or +more back-to-back health errors. + +This approach is appropriate for RCT, but not for APT as APT has a +non-linear cutoff value. Thus, this patch implements 2 cutoff values +for both RCT/APT. This implies that the health state is left untouched +when an intermittent failure occurs. The noise source is reset +and a new APT powerup-self test is performed. Yet, whith the unchanged +health test state, the counting of failures continues until a permanent +failure is reached. + +Any non-failing raw entropy value causes the health tests to reset. + +The intermittent error has an unchanged significance level of 2^-30. +The permanent error has a significance level of 2^-60. Considering that +this level also indicates a false-positive rate (see SP800-90B section 4.2) +a false-positive must only be incurred with a low probability when +considering a fleet of Linux kernels as a whole. Hitting the permanent +error may cause a panic(), the following calculation applies: Assuming +that a fleet of 10^9 Linux kernels run concurrently with this patch in +FIPS mode and on each kernel 2 health tests are performed every minute +for one year, the chances of a false positive is about 1:1000 +based on the binomial distribution. + +In addition, any power-up health test errors triggered with +jent_entropy_init are treated as permanent errors. + +A permanent failure causes the entire entropy source to permanently +return an error. This implies that a caller can only remedy the situation +by re-allocating a new instance of the Jitter RNG. In a subsequent +patch, a transparent re-allocation will be provided which also changes +the implied heuristic entropy assessment. + +In addition, when the kernel is booted with fips=1, the Jitter RNG +is defined to be part of a FIPS module. The permanent error of the +Jitter RNG is translated as a FIPS module error. In this case, the entire +FIPS module must cease operation. This is implemented in the kernel by +invoking panic(). + +The patch also fixes an off-by-one in the RCT cutoff value which is now +set to 30 instead of 31. This is because the counting of the values +starts with 0. + +Reviewed-by: Vladis Dronov +Signed-off-by: Stephan Mueller +Reviewed-by: Marcelo Henrique Cerri +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + crypto/jitterentropy-kcapi.c | 51 ++++++------- + crypto/jitterentropy.c | 144 +++++++++++++---------------------- + crypto/jitterentropy.h | 1 - + 3 files changed, 76 insertions(+), 120 deletions(-) + +diff --git a/crypto/jitterentropy-kcapi.c b/crypto/jitterentropy-kcapi.c +index 2d115bec..b9edfaa5 100644 +--- a/crypto/jitterentropy-kcapi.c ++++ b/crypto/jitterentropy-kcapi.c +@@ -37,6 +37,7 @@ + * DAMAGE. + */ + ++#include + #include + #include + #include +@@ -59,11 +60,6 @@ void jent_zfree(void *ptr) + kfree_sensitive(ptr); + } + +-void jent_panic(char *s) +-{ +- panic("%s", s); +-} +- + void jent_memcpy(void *dest, const void *src, unsigned int n) + { + memcpy(dest, src, n); +@@ -102,7 +98,6 @@ void jent_get_nstime(__u64 *out) + struct jitterentropy { + spinlock_t jent_lock; + struct rand_data *entropy_collector; +- unsigned int reset_cnt; + }; + + static int jent_kcapi_init(struct crypto_tfm *tfm) +@@ -138,32 +133,30 @@ static int jent_kcapi_random(struct crypto_rng *tfm, + + spin_lock(&rng->jent_lock); + +- /* Return a permanent error in case we had too many resets in a row. */ +- if (rng->reset_cnt > (1<<10)) { +- ret = -EFAULT; +- goto out; +- } +- + ret = jent_read_entropy(rng->entropy_collector, rdata, dlen); + +- /* Reset RNG in case of health failures */ +- if (ret < -1) { +- pr_warn_ratelimited("Reset Jitter RNG due to health test failure: %s failure\n", +- (ret == -2) ? "Repetition Count Test" : +- "Adaptive Proportion Test"); +- +- rng->reset_cnt++; +- ++ if (ret == -3) { ++ /* Handle permanent health test error */ ++ /* ++ * If the kernel was booted with fips=1, it implies that ++ * the entire kernel acts as a FIPS 140 module. In this case ++ * an SP800-90B permanent health test error is treated as ++ * a FIPS module error. ++ */ ++ if (fips_enabled) ++ panic("Jitter RNG permanent health test failure\n"); ++ ++ pr_err("Jitter RNG permanent health test failure\n"); ++ ret = -EFAULT; ++ } else if (ret == -2) { ++ /* Handle intermittent health test error */ ++ pr_warn_ratelimited("Reset Jitter RNG due to intermittent health test failure\n"); + ret = -EAGAIN; +- } else { +- rng->reset_cnt = 0; +- +- /* Convert the Jitter RNG error into a usable error code */ +- if (ret == -1) +- ret = -EINVAL; ++ } else if (ret == -1) { ++ /* Handle other errors */ ++ ret = -EINVAL; + } + +-out: + spin_unlock(&rng->jent_lock); + + return ret; +@@ -197,6 +190,10 @@ static int __init jent_mod_init(void) + + ret = jent_entropy_init(); + if (ret) { ++ /* Handle permanent health test error */ ++ if (fips_enabled) ++ panic("jitterentropy: Initialization failed with host not compliant with requirements: %d\n", ret); ++ + pr_info("jitterentropy: Initialization failed with host not compliant with requirements: %d\n", ret); + return -EFAULT; + } +diff --git a/crypto/jitterentropy.c b/crypto/jitterentropy.c +index 93bff321..22f48bf4 100644 +--- a/crypto/jitterentropy.c ++++ b/crypto/jitterentropy.c +@@ -85,10 +85,14 @@ struct rand_data { + * bit generation */ + + /* Repetition Count Test */ +- int rct_count; /* Number of stuck values */ ++ unsigned int rct_count; /* Number of stuck values */ + +- /* Adaptive Proportion Test for a significance level of 2^-30 */ ++ /* Intermittent health test failure threshold of 2^-30 */ ++#define JENT_RCT_CUTOFF 30 /* Taken from SP800-90B sec 4.4.1 */ + #define JENT_APT_CUTOFF 325 /* Taken from SP800-90B sec 4.4.2 */ ++ /* Permanent health test failure threshold of 2^-60 */ ++#define JENT_RCT_CUTOFF_PERMANENT 60 ++#define JENT_APT_CUTOFF_PERMANENT 355 + #define JENT_APT_WINDOW_SIZE 512 /* Data window size */ + /* LSB of time stamp to process */ + #define JENT_APT_LSB 16 +@@ -97,8 +101,6 @@ struct rand_data { + unsigned int apt_count; /* APT counter */ + unsigned int apt_base; /* APT base reference */ + unsigned int apt_base_set:1; /* APT base reference set? */ +- +- unsigned int health_failure:1; /* Permanent health failure */ + }; + + /* Flags that can be used to initialize the RNG */ +@@ -169,19 +171,26 @@ static void jent_apt_insert(struct rand_data *ec, unsigned int delta_masked) + return; + } + +- if (delta_masked == ec->apt_base) { ++ if (delta_masked == ec->apt_base) + ec->apt_count++; + +- if (ec->apt_count >= JENT_APT_CUTOFF) +- ec->health_failure = 1; +- } +- + ec->apt_observations++; + + if (ec->apt_observations >= JENT_APT_WINDOW_SIZE) + jent_apt_reset(ec, delta_masked); + } + ++/* APT health test failure detection */ ++static int jent_apt_permanent_failure(struct rand_data *ec) ++{ ++ return (ec->apt_count >= JENT_APT_CUTOFF_PERMANENT) ? 1 : 0; ++} ++ ++static int jent_apt_failure(struct rand_data *ec) ++{ ++ return (ec->apt_count >= JENT_APT_CUTOFF) ? 1 : 0; ++} ++ + /*************************************************************************** + * Stuck Test and its use as Repetition Count Test + * +@@ -206,55 +215,14 @@ static void jent_apt_insert(struct rand_data *ec, unsigned int delta_masked) + */ + static void jent_rct_insert(struct rand_data *ec, int stuck) + { +- /* +- * If we have a count less than zero, a previous RCT round identified +- * a failure. We will not overwrite it. +- */ +- if (ec->rct_count < 0) +- return; +- + if (stuck) { + ec->rct_count++; +- +- /* +- * The cutoff value is based on the following consideration: +- * alpha = 2^-30 as recommended in FIPS 140-2 IG 9.8. +- * In addition, we require an entropy value H of 1/OSR as this +- * is the minimum entropy required to provide full entropy. +- * Note, we collect 64 * OSR deltas for inserting them into +- * the entropy pool which should then have (close to) 64 bits +- * of entropy. +- * +- * Note, ec->rct_count (which equals to value B in the pseudo +- * code of SP800-90B section 4.4.1) starts with zero. Hence +- * we need to subtract one from the cutoff value as calculated +- * following SP800-90B. +- */ +- if ((unsigned int)ec->rct_count >= (31 * ec->osr)) { +- ec->rct_count = -1; +- ec->health_failure = 1; +- } + } else { ++ /* Reset RCT */ + ec->rct_count = 0; + } + } + +-/* +- * Is there an RCT health test failure? +- * +- * @ec [in] Reference to entropy collector +- * +- * @return +- * 0 No health test failure +- * 1 Permanent health test failure +- */ +-static int jent_rct_failure(struct rand_data *ec) +-{ +- if (ec->rct_count < 0) +- return 1; +- return 0; +-} +- + static inline __u64 jent_delta(__u64 prev, __u64 next) + { + #define JENT_UINT64_MAX (__u64)(~((__u64) 0)) +@@ -303,18 +271,26 @@ static int jent_stuck(struct rand_data *ec, __u64 current_delta) + return 0; + } + +-/* +- * Report any health test failures +- * +- * @ec [in] Reference to entropy collector +- * +- * @return +- * 0 No health test failure +- * 1 Permanent health test failure +- */ ++/* RCT health test failure detection */ ++static int jent_rct_permanent_failure(struct rand_data *ec) ++{ ++ return (ec->rct_count >= JENT_RCT_CUTOFF_PERMANENT) ? 1 : 0; ++} ++ ++static int jent_rct_failure(struct rand_data *ec) ++{ ++ return (ec->rct_count >= JENT_RCT_CUTOFF) ? 1 : 0; ++} ++ ++/* Report of health test failures */ + static int jent_health_failure(struct rand_data *ec) + { +- return ec->health_failure; ++ return jent_rct_failure(ec) | jent_apt_failure(ec); ++} ++ ++static int jent_permanent_health_failure(struct rand_data *ec) ++{ ++ return jent_rct_permanent_failure(ec) | jent_apt_permanent_failure(ec); + } + + /*************************************************************************** +@@ -600,8 +576,8 @@ static void jent_gen_entropy(struct rand_data *ec) + * + * The following error codes can occur: + * -1 entropy_collector is NULL +- * -2 RCT failed +- * -3 APT test failed ++ * -2 Intermittent health failure ++ * -3 Permanent health failure + */ + int jent_read_entropy(struct rand_data *ec, unsigned char *data, + unsigned int len) +@@ -616,39 +592,23 @@ int jent_read_entropy(struct rand_data *ec, unsigned char *data, + + jent_gen_entropy(ec); + +- if (jent_health_failure(ec)) { +- int ret; +- +- if (jent_rct_failure(ec)) +- ret = -2; +- else +- ret = -3; +- ++ if (jent_permanent_health_failure(ec)) { + /* +- * Re-initialize the noise source +- * +- * If the health test fails, the Jitter RNG remains +- * in failure state and will return a health failure +- * during next invocation. ++ * At this point, the Jitter RNG instance is considered ++ * as a failed instance. There is no rerun of the ++ * startup test any more, because the caller ++ * is assumed to not further use this instance. + */ +- if (jent_entropy_init()) +- return ret; +- +- /* Set APT to initial state */ +- jent_apt_reset(ec, 0); +- ec->apt_base_set = 0; +- +- /* Set RCT to initial state */ +- ec->rct_count = 0; +- +- /* Re-enable Jitter RNG */ +- ec->health_failure = 0; +- ++ return -3; ++ } else if (jent_health_failure(ec)) { + /* +- * Return the health test failure status to the +- * caller as the generated value is not appropriate. ++ * Perform startup health tests and return permanent ++ * error if it fails. + */ +- return ret; ++ if (jent_entropy_init()) ++ return -3; ++ ++ return -2; + } + + if ((DATA_SIZE_BITS / 8) < len) +diff --git a/crypto/jitterentropy.h b/crypto/jitterentropy.h +index b7397b61..5cc583f6 100644 +--- a/crypto/jitterentropy.h ++++ b/crypto/jitterentropy.h +@@ -2,7 +2,6 @@ + + extern void *jent_zalloc(unsigned int len); + extern void jent_zfree(void *ptr); +-extern void jent_panic(char *s); + extern void jent_memcpy(void *dest, const void *src, unsigned int n); + extern void jent_get_nstime(__u64 *out); + +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-113-f2fs-Fix-system-crash-due-to-lack-of-free-space.patch b/patches.kernel.org/6.3.4-113-f2fs-Fix-system-crash-due-to-lack-of-free-space.patch new file mode 100644 index 0000000..18bfcd6 --- /dev/null +++ b/patches.kernel.org/6.3.4-113-f2fs-Fix-system-crash-due-to-lack-of-free-space.patch @@ -0,0 +1,170 @@ +From: Yonggil Song +Date: Tue, 21 Mar 2023 09:12:51 +0900 +Subject: [PATCH] f2fs: Fix system crash due to lack of free space in LFS +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: d11cef14f8146f3babd286c2cc8ca09c166295e2 + +[ Upstream commit d11cef14f8146f3babd286c2cc8ca09c166295e2 ] + +When f2fs tries to checkpoint during foreground gc in LFS mode, system +crash occurs due to lack of free space if the amount of dirty node and +dentry pages generated by data migration exceeds free space. +The reproduction sequence is as follows. + + - 20GiB capacity block device (null_blk) + - format and mount with LFS mode + - create a file and write 20,000MiB + - 4k random write on full range of the file + + RIP: 0010:new_curseg+0x48a/0x510 [f2fs] + Code: 55 e7 f5 89 c0 48 0f af c3 48 8b 5d c0 48 c1 e8 20 83 c0 01 89 43 6c 48 83 c4 28 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc <0f> 0b f0 41 80 4f 48 04 45 85 f6 0f 84 ba fd ff ff e9 ef fe ff ff + RSP: 0018:ffff977bc397b218 EFLAGS: 00010246 + RAX: 00000000000027b9 RBX: 0000000000000000 RCX: 00000000000027c0 + RDX: 0000000000000000 RSI: 00000000000027b9 RDI: ffff8c25ab4e74f8 + RBP: ffff977bc397b268 R08: 00000000000027b9 R09: ffff8c29e4a34b40 + R10: 0000000000000001 R11: ffff977bc397b0d8 R12: 0000000000000000 + R13: ffff8c25b4dd81a0 R14: 0000000000000000 R15: ffff8c2f667f9000 + FS: 0000000000000000(0000) GS:ffff8c344ec80000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 000000c00055d000 CR3: 0000000e30810003 CR4: 00000000003706e0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + Call Trace: + + allocate_segment_by_default+0x9c/0x110 [f2fs] + f2fs_allocate_data_block+0x243/0xa30 [f2fs] + ? __mod_lruvec_page_state+0xa0/0x150 + do_write_page+0x80/0x160 [f2fs] + f2fs_do_write_node_page+0x32/0x50 [f2fs] + __write_node_page+0x339/0x730 [f2fs] + f2fs_sync_node_pages+0x5a6/0x780 [f2fs] + block_operations+0x257/0x340 [f2fs] + f2fs_write_checkpoint+0x102/0x1050 [f2fs] + f2fs_gc+0x27c/0x630 [f2fs] + ? folio_mark_dirty+0x36/0x70 + f2fs_balance_fs+0x16f/0x180 [f2fs] + +This patch adds checking whether free sections are enough before checkpoint +during gc. + +Signed-off-by: Yonggil Song +[Jaegeuk Kim: code clean-up] +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + fs/f2fs/gc.c | 10 ++++++++-- + fs/f2fs/gc.h | 2 ++ + fs/f2fs/segment.h | 39 ++++++++++++++++++++++++++++++--------- + 3 files changed, 40 insertions(+), 11 deletions(-) + +diff --git a/fs/f2fs/gc.c b/fs/f2fs/gc.c +index 2996d38a..f984d9f0 100644 +--- a/fs/f2fs/gc.c ++++ b/fs/f2fs/gc.c +@@ -1810,6 +1810,7 @@ int f2fs_gc(struct f2fs_sb_info *sbi, struct f2fs_gc_control *gc_control) + .iroot = RADIX_TREE_INIT(gc_list.iroot, GFP_NOFS), + }; + unsigned int skipped_round = 0, round = 0; ++ unsigned int upper_secs; + + trace_f2fs_gc_begin(sbi->sb, gc_type, gc_control->no_bg_gc, + gc_control->nr_free_secs, +@@ -1895,8 +1896,13 @@ int f2fs_gc(struct f2fs_sb_info *sbi, struct f2fs_gc_control *gc_control) + } + } + +- /* Write checkpoint to reclaim prefree segments */ +- if (free_sections(sbi) < NR_CURSEG_PERSIST_TYPE && ++ __get_secs_required(sbi, NULL, &upper_secs, NULL); ++ ++ /* ++ * Write checkpoint to reclaim prefree segments. ++ * We need more three extra sections for writer's data/node/dentry. ++ */ ++ if (free_sections(sbi) <= upper_secs + NR_GC_CHECKPOINT_SECS && + prefree_segments(sbi)) { + ret = f2fs_write_checkpoint(sbi, &cpc); + if (ret) +diff --git a/fs/f2fs/gc.h b/fs/f2fs/gc.h +index 5ad6ac63..28a00942 100644 +--- a/fs/f2fs/gc.h ++++ b/fs/f2fs/gc.h +@@ -30,6 +30,8 @@ + /* Search max. number of dirty segments to select a victim segment */ + #define DEF_MAX_VICTIM_SEARCH 4096 /* covers 8GB */ + ++#define NR_GC_CHECKPOINT_SECS (3) /* data/node/dentry sections */ ++ + struct f2fs_gc_kthread { + struct task_struct *f2fs_gc_task; + wait_queue_head_t gc_wait_queue_head; +diff --git a/fs/f2fs/segment.h b/fs/f2fs/segment.h +index babb29a1..9728bdec 100644 +--- a/fs/f2fs/segment.h ++++ b/fs/f2fs/segment.h +@@ -602,8 +602,12 @@ static inline bool has_curseg_enough_space(struct f2fs_sb_info *sbi, + return true; + } + +-static inline bool has_not_enough_free_secs(struct f2fs_sb_info *sbi, +- int freed, int needed) ++/* ++ * calculate needed sections for dirty node/dentry ++ * and call has_curseg_enough_space ++ */ ++static inline void __get_secs_required(struct f2fs_sb_info *sbi, ++ unsigned int *lower_p, unsigned int *upper_p, bool *curseg_p) + { + unsigned int total_node_blocks = get_pages(sbi, F2FS_DIRTY_NODES) + + get_pages(sbi, F2FS_DIRTY_DENTS) + +@@ -613,20 +617,37 @@ static inline bool has_not_enough_free_secs(struct f2fs_sb_info *sbi, + unsigned int dent_secs = total_dent_blocks / CAP_BLKS_PER_SEC(sbi); + unsigned int node_blocks = total_node_blocks % CAP_BLKS_PER_SEC(sbi); + unsigned int dent_blocks = total_dent_blocks % CAP_BLKS_PER_SEC(sbi); +- unsigned int free, need_lower, need_upper; ++ ++ if (lower_p) ++ *lower_p = node_secs + dent_secs; ++ if (upper_p) ++ *upper_p = node_secs + dent_secs + ++ (node_blocks ? 1 : 0) + (dent_blocks ? 1 : 0); ++ if (curseg_p) ++ *curseg_p = has_curseg_enough_space(sbi, ++ node_blocks, dent_blocks); ++} ++ ++static inline bool has_not_enough_free_secs(struct f2fs_sb_info *sbi, ++ int freed, int needed) ++{ ++ unsigned int free_secs, lower_secs, upper_secs; ++ bool curseg_space; + + if (unlikely(is_sbi_flag_set(sbi, SBI_POR_DOING))) + return false; + +- free = free_sections(sbi) + freed; +- need_lower = node_secs + dent_secs + reserved_sections(sbi) + needed; +- need_upper = need_lower + (node_blocks ? 1 : 0) + (dent_blocks ? 1 : 0); ++ __get_secs_required(sbi, &lower_secs, &upper_secs, &curseg_space); ++ ++ free_secs = free_sections(sbi) + freed; ++ lower_secs += needed + reserved_sections(sbi); ++ upper_secs += needed + reserved_sections(sbi); + +- if (free > need_upper) ++ if (free_secs > upper_secs) + return false; +- else if (free <= need_lower) ++ else if (free_secs <= lower_secs) + return true; +- return !has_curseg_enough_space(sbi, node_blocks, dent_blocks); ++ return !curseg_space; + } + + static inline bool f2fs_is_checkpoint_ready(struct f2fs_sb_info *sbi) +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-114-f2fs-fix-to-drop-all-dirty-pages-during-umount-.patch b/patches.kernel.org/6.3.4-114-f2fs-fix-to-drop-all-dirty-pages-during-umount-.patch new file mode 100644 index 0000000..b96b46d --- /dev/null +++ b/patches.kernel.org/6.3.4-114-f2fs-fix-to-drop-all-dirty-pages-during-umount-.patch @@ -0,0 +1,95 @@ +From: Chao Yu +Date: Mon, 10 Apr 2023 10:12:22 +0800 +Subject: [PATCH] f2fs: fix to drop all dirty pages during umount() if cp_error + is set +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: c9b3649a934d131151111354bcbb638076f03a30 + +[ Upstream commit c9b3649a934d131151111354bcbb638076f03a30 ] + +xfstest generic/361 reports a bug as below: + +f2fs_bug_on(sbi, sbi->fsync_node_num); + +kernel BUG at fs/f2fs/super.c:1627! +RIP: 0010:f2fs_put_super+0x3a8/0x3b0 +Call Trace: + generic_shutdown_super+0x8c/0x1b0 + kill_block_super+0x2b/0x60 + kill_f2fs_super+0x87/0x110 + deactivate_locked_super+0x39/0x80 + deactivate_super+0x46/0x50 + cleanup_mnt+0x109/0x170 + __cleanup_mnt+0x16/0x20 + task_work_run+0x65/0xa0 + exit_to_user_mode_prepare+0x175/0x190 + syscall_exit_to_user_mode+0x25/0x50 + do_syscall_64+0x4c/0x90 + entry_SYSCALL_64_after_hwframe+0x72/0xdc + +During umount(), if cp_error is set, f2fs_wait_on_all_pages() should +not stop waiting all F2FS_WB_CP_DATA pages to be writebacked, otherwise, +fsync_node_num can be non-zero after f2fs_wait_on_all_pages() causing +this bug. + +In this case, to avoid deadloop in f2fs_wait_on_all_pages(), it needs +to drop all dirty pages rather than redirtying them. + +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + fs/f2fs/checkpoint.c | 12 ++++++++++-- + fs/f2fs/data.c | 3 ++- + 2 files changed, 12 insertions(+), 3 deletions(-) + +diff --git a/fs/f2fs/checkpoint.c b/fs/f2fs/checkpoint.c +index c3e058e0..96af24c3 100644 +--- a/fs/f2fs/checkpoint.c ++++ b/fs/f2fs/checkpoint.c +@@ -325,8 +325,15 @@ static int __f2fs_write_meta_page(struct page *page, + + trace_f2fs_writepage(page, META); + +- if (unlikely(f2fs_cp_error(sbi))) ++ if (unlikely(f2fs_cp_error(sbi))) { ++ if (is_sbi_flag_set(sbi, SBI_IS_CLOSE)) { ++ ClearPageUptodate(page); ++ dec_page_count(sbi, F2FS_DIRTY_META); ++ unlock_page(page); ++ return 0; ++ } + goto redirty_out; ++ } + if (unlikely(is_sbi_flag_set(sbi, SBI_POR_DOING))) + goto redirty_out; + if (wbc->for_reclaim && page->index < GET_SUM_BLOCK(sbi, 0)) +@@ -1306,7 +1313,8 @@ void f2fs_wait_on_all_pages(struct f2fs_sb_info *sbi, int type) + if (!get_pages(sbi, type)) + break; + +- if (unlikely(f2fs_cp_error(sbi))) ++ if (unlikely(f2fs_cp_error(sbi) && ++ !is_sbi_flag_set(sbi, SBI_IS_CLOSE))) + break; + + if (type == F2FS_DIRTY_META) +diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c +index 1034912a..68feb015 100644 +--- a/fs/f2fs/data.c ++++ b/fs/f2fs/data.c +@@ -2800,7 +2800,8 @@ int f2fs_write_single_data_page(struct page *page, int *submitted, + * don't drop any dirty dentry pages for keeping lastest + * directory structure. + */ +- if (S_ISDIR(inode->i_mode)) ++ if (S_ISDIR(inode->i_mode) && ++ !is_sbi_flag_set(sbi, SBI_IS_CLOSE)) + goto redirty_out; + goto out; + } +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-115-f2fs-fix-to-check-readonly-condition-correctly.patch b/patches.kernel.org/6.3.4-115-f2fs-fix-to-check-readonly-condition-correctly.patch new file mode 100644 index 0000000..30a3aa8 --- /dev/null +++ b/patches.kernel.org/6.3.4-115-f2fs-fix-to-check-readonly-condition-correctly.patch @@ -0,0 +1,81 @@ +From: Chao Yu +Date: Tue, 4 Apr 2023 23:28:07 +0800 +Subject: [PATCH] f2fs: fix to check readonly condition correctly +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: d78dfefcde9d311284434560d69c0478c55a657e + +[ Upstream commit d78dfefcde9d311284434560d69c0478c55a657e ] + +With below case, it can mount multi-device image w/ rw option, however +one of secondary device is set as ro, later update will cause panic, so +let's introduce f2fs_dev_is_readonly(), and check multi-devices rw status +in f2fs_remount() w/ it in order to avoid such inconsistent mount status. + +mkfs.f2fs -c /dev/zram1 /dev/zram0 -f +blockdev --setro /dev/zram1 +mount -t f2fs dev/zram0 /mnt/f2fs +mount: /mnt/f2fs: WARNING: source write-protected, mounted read-only. +mount -t f2fs -o remount,rw mnt/f2fs +dd if=/dev/zero of=/mnt/f2fs/file bs=1M count=8192 + +kernel BUG at fs/f2fs/inline.c:258! +RIP: 0010:f2fs_write_inline_data+0x23e/0x2d0 [f2fs] +Call Trace: + f2fs_write_single_data_page+0x26b/0x9f0 [f2fs] + f2fs_write_cache_pages+0x389/0xa60 [f2fs] + __f2fs_write_data_pages+0x26b/0x2d0 [f2fs] + f2fs_write_data_pages+0x2e/0x40 [f2fs] + do_writepages+0xd3/0x1b0 + __writeback_single_inode+0x5b/0x420 + writeback_sb_inodes+0x236/0x5a0 + __writeback_inodes_wb+0x56/0xf0 + wb_writeback+0x2a3/0x490 + wb_do_writeback+0x2b2/0x330 + wb_workfn+0x6a/0x260 + process_one_work+0x270/0x5e0 + worker_thread+0x52/0x3e0 + kthread+0xf4/0x120 + ret_from_fork+0x29/0x50 + +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + fs/f2fs/f2fs.h | 5 +++++ + fs/f2fs/super.c | 2 +- + 2 files changed, 6 insertions(+), 1 deletion(-) + +diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h +index d6f9d6e0..47eff365 100644 +--- a/fs/f2fs/f2fs.h ++++ b/fs/f2fs/f2fs.h +@@ -4427,6 +4427,11 @@ static inline bool f2fs_hw_is_readonly(struct f2fs_sb_info *sbi) + return false; + } + ++static inline bool f2fs_dev_is_readonly(struct f2fs_sb_info *sbi) ++{ ++ return f2fs_sb_has_readonly(sbi) || f2fs_hw_is_readonly(sbi); ++} ++ + static inline bool f2fs_lfs_mode(struct f2fs_sb_info *sbi) + { + return F2FS_OPTION(sbi).fs_mode == FS_MODE_LFS; +diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c +index 5c1c3a84..333ea095 100644 +--- a/fs/f2fs/super.c ++++ b/fs/f2fs/super.c +@@ -2274,7 +2274,7 @@ static int f2fs_remount(struct super_block *sb, int *flags, char *data) + if (f2fs_readonly(sb) && (*flags & SB_RDONLY)) + goto skip; + +- if (f2fs_sb_has_readonly(sbi) && !(*flags & SB_RDONLY)) { ++ if (f2fs_dev_is_readonly(sbi) && !(*flags & SB_RDONLY)) { + err = -EROFS; + goto restore_opts; + } +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-116-samples-bpf-Fix-fout-leak-in-hbm-s-run_bpf_prog.patch b/patches.kernel.org/6.3.4-116-samples-bpf-Fix-fout-leak-in-hbm-s-run_bpf_prog.patch new file mode 100644 index 0000000..4a1c6a6 --- /dev/null +++ b/patches.kernel.org/6.3.4-116-samples-bpf-Fix-fout-leak-in-hbm-s-run_bpf_prog.patch @@ -0,0 +1,36 @@ +From: Hao Zeng +Date: Tue, 11 Apr 2023 16:43:49 +0800 +Subject: [PATCH] samples/bpf: Fix fout leak in hbm's run_bpf_prog +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 23acb14af1914010dd0aae1bbb7fab28bf518b8e + +[ Upstream commit 23acb14af1914010dd0aae1bbb7fab28bf518b8e ] + +Fix fout being fopen'ed but then not subsequently fclose'd. In the affected +branch, fout is otherwise going out of scope. + +Signed-off-by: Hao Zeng +Signed-off-by: Daniel Borkmann +Link: https://lore.kernel.org/bpf/20230411084349.1999628-1-zenghao@kylinos.cn +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + samples/bpf/hbm.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/samples/bpf/hbm.c b/samples/bpf/hbm.c +index 516fbac2..7f89700a 100644 +--- a/samples/bpf/hbm.c ++++ b/samples/bpf/hbm.c +@@ -315,6 +315,7 @@ static int run_bpf_prog(char *prog, int cg_id) + fout = fopen(fname, "w"); + fprintf(fout, "id:%d\n", cg_id); + fprintf(fout, "ERROR: Could not lookup queue_stats\n"); ++ fclose(fout); + } else if (stats_flag && qstats.lastPacketTime > + qstats.firstPacketTime) { + long long delta_us = (qstats.lastPacketTime - +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-117-bpf-Add-preempt_count_-sub-add-into-btf-id-deny.patch b/patches.kernel.org/6.3.4-117-bpf-Add-preempt_count_-sub-add-into-btf-id-deny.patch new file mode 100644 index 0000000..97e088e --- /dev/null +++ b/patches.kernel.org/6.3.4-117-bpf-Add-preempt_count_-sub-add-into-btf-id-deny.patch @@ -0,0 +1,74 @@ +From: Yafang +Date: Thu, 13 Apr 2023 02:52:48 +0000 +Subject: [PATCH] bpf: Add preempt_count_{sub,add} into btf id deny list +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: c11bd046485d7bf1ca200db0e7d0bdc4bafdd395 + +[ Upstream commit c11bd046485d7bf1ca200db0e7d0bdc4bafdd395 ] + +The recursion check in __bpf_prog_enter* and __bpf_prog_exit* +leave preempt_count_{sub,add} unprotected. When attaching trampoline to +them we get panic as follows, + +[ 867.843050] BUG: TASK stack guard page was hit at 0000000009d325cf (stack is 0000000046a46a15..00000000537e7b28) +[ 867.843064] stack guard page: 0000 [#1] PREEMPT SMP NOPTI +[ 867.843067] CPU: 8 PID: 11009 Comm: trace Kdump: loaded Not tainted 6.2.0+ #4 +[ 867.843100] Call Trace: +[ 867.843101] +[ 867.843104] asm_exc_int3+0x3a/0x40 +[ 867.843108] RIP: 0010:preempt_count_sub+0x1/0xa0 +[ 867.843135] __bpf_prog_enter_recur+0x17/0x90 +[ 867.843148] bpf_trampoline_6442468108_0+0x2e/0x1000 +[ 867.843154] ? preempt_count_sub+0x1/0xa0 +[ 867.843157] preempt_count_sub+0x5/0xa0 +[ 867.843159] ? migrate_enable+0xac/0xf0 +[ 867.843164] __bpf_prog_exit_recur+0x2d/0x40 +[ 867.843168] bpf_trampoline_6442468108_0+0x55/0x1000 +... +[ 867.843788] preempt_count_sub+0x5/0xa0 +[ 867.843793] ? migrate_enable+0xac/0xf0 +[ 867.843829] __bpf_prog_exit_recur+0x2d/0x40 +[ 867.843837] BUG: IRQ stack guard page was hit at 0000000099bd8228 (stack is 00000000b23e2bc4..000000006d95af35) +[ 867.843841] BUG: IRQ stack guard page was hit at 000000005ae07924 (stack is 00000000ffd69623..0000000014eb594c) +[ 867.843843] BUG: IRQ stack guard page was hit at 00000000028320f0 (stack is 00000000034b6438..0000000078d1bcec) +[ 867.843842] bpf_trampoline_6442468108_0+0x55/0x1000 +... + +That is because in __bpf_prog_exit_recur, the preempt_count_{sub,add} are +called after prog->active is decreased. + +Fixing this by adding these two functions into btf ids deny list. + +Suggested-by: Steven Rostedt +Signed-off-by: Yafang +Cc: Masami Hiramatsu +Cc: Steven Rostedt +Cc: Jiri Olsa +Acked-by: Hao Luo +Link: https://lore.kernel.org/r/20230413025248.79764-1-laoar.shao@gmail.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + kernel/bpf/verifier.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index 64600acb..f4b26708 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -17579,6 +17579,10 @@ BTF_ID(func, migrate_enable) + #if !defined CONFIG_PREEMPT_RCU && !defined CONFIG_TINY_RCU + BTF_ID(func, rcu_read_unlock_strict) + #endif ++#if defined(CONFIG_DEBUG_PREEMPT) || defined(CONFIG_TRACE_PREEMPT_TOGGLE) ++BTF_ID(func, preempt_count_add) ++BTF_ID(func, preempt_count_sub) ++#endif + BTF_SET_END(btf_id_deny) + + static bool can_be_sleepable(struct bpf_prog *prog) +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-118-md-fix-soft-lockup-in-status_resync.patch b/patches.kernel.org/6.3.4-118-md-fix-soft-lockup-in-status_resync.patch new file mode 100644 index 0000000..d12751d --- /dev/null +++ b/patches.kernel.org/6.3.4-118-md-fix-soft-lockup-in-status_resync.patch @@ -0,0 +1,65 @@ +From: Yu Kuai +Date: Fri, 10 Mar 2023 15:38:51 +0800 +Subject: [PATCH] md: fix soft lockup in status_resync +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 6efddf1e32e2a264694766ca485a4f5e04ee82a7 + +[ Upstream commit 6efddf1e32e2a264694766ca485a4f5e04ee82a7 ] + +status_resync() will calculate 'curr_resync - recovery_active' to show +user a progress bar like following: + +[============>........] resync = 61.4% + +'curr_resync' and 'recovery_active' is updated in md_do_sync(), and +status_resync() can read them concurrently, hence it's possible that +'curr_resync - recovery_active' can overflow to a huge number. In this +case status_resync() will be stuck in the loop to print a large amount +of '=', which will end up soft lockup. + +Fix the problem by setting 'resync' to MD_RESYNC_ACTIVE in this case, +this way resync in progress will be reported to user. + +Signed-off-by: Yu Kuai +Signed-off-by: Song Liu +Link: https://lore.kernel.org/r/20230310073855.1337560-3-yukuai1@huaweicloud.com +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/md/md.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/drivers/md/md.c b/drivers/md/md.c +index 13321dbb..d479e165 100644 +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -8029,16 +8029,16 @@ static int status_resync(struct seq_file *seq, struct mddev *mddev) + } else if (resync > max_sectors) { + resync = max_sectors; + } else { +- resync -= atomic_read(&mddev->recovery_active); +- if (resync < MD_RESYNC_ACTIVE) { +- /* +- * Resync has started, but the subtraction has +- * yielded one of the special values. Force it +- * to active to ensure the status reports an +- * active resync. +- */ ++ res = atomic_read(&mddev->recovery_active); ++ /* ++ * Resync has started, but the subtraction has overflowed or ++ * yielded one of the special values. Force it to active to ++ * ensure the status reports an active resync. ++ */ ++ if (resync < res || resync - res < MD_RESYNC_ACTIVE) + resync = MD_RESYNC_ACTIVE; +- } ++ else ++ resync -= res; + } + + if (resync == MD_RESYNC_NONE) { +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-119-net-sched-pass-netlink-extack-to-mqprio-and-tap.patch b/patches.kernel.org/6.3.4-119-net-sched-pass-netlink-extack-to-mqprio-and-tap.patch new file mode 100644 index 0000000..347e913 --- /dev/null +++ b/patches.kernel.org/6.3.4-119-net-sched-pass-netlink-extack-to-mqprio-and-tap.patch @@ -0,0 +1,124 @@ +From: Vladimir Oltean +Date: Tue, 11 Apr 2023 21:01:53 +0300 +Subject: [PATCH] net/sched: pass netlink extack to mqprio and taprio offload +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: c54876cd5961ce0f8e74807f79a6739cd6b35ddf + +[ Upstream commit c54876cd5961ce0f8e74807f79a6739cd6b35ddf ] + +With the multiplexed ndo_setup_tc() model which lacks a first-class +struct netlink_ext_ack * argument, the only way to pass the netlink +extended ACK message down to the device driver is to embed it within the +offload structure. + +Do this for struct tc_mqprio_qopt_offload and struct tc_taprio_qopt_offload. + +Since struct tc_taprio_qopt_offload also contains a tc_mqprio_qopt_offload +structure, and since device drivers might effectively reuse their mqprio +implementation for the mqprio portion of taprio, we make taprio set the +extack in both offload structures to point at the same netlink extack +message. + +In fact, the taprio handling is a bit more tricky, for 2 reasons. + +First is because the offload structure has a longer lifetime than the +extack structure. The driver is supposed to populate the extack +synchronously from ndo_setup_tc() and leave it alone afterwards. +To not have any use-after-free surprises, we zero out the extack pointer +when we leave taprio_enable_offload(). + +The second reason is because taprio does overwrite the extack message on +ndo_setup_tc() error. We need to switch to the weak form of setting an +extack message, which preserves a potential message set by the driver. + +Signed-off-by: Vladimir Oltean +Reviewed-by: Simon Horman +Acked-by: Jamal Hadi Salim +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + include/net/pkt_sched.h | 2 ++ + net/sched/sch_mqprio.c | 5 ++++- + net/sched/sch_taprio.c | 12 ++++++++++-- + 3 files changed, 16 insertions(+), 3 deletions(-) + +diff --git a/include/net/pkt_sched.h b/include/net/pkt_sched.h +index 20168399..fc688c7e 100644 +--- a/include/net/pkt_sched.h ++++ b/include/net/pkt_sched.h +@@ -167,6 +167,7 @@ struct tc_mqprio_caps { + struct tc_mqprio_qopt_offload { + /* struct tc_mqprio_qopt must always be the first element */ + struct tc_mqprio_qopt qopt; ++ struct netlink_ext_ack *extack; + u16 mode; + u16 shaper; + u32 flags; +@@ -194,6 +195,7 @@ struct tc_taprio_sched_entry { + + struct tc_taprio_qopt_offload { + struct tc_mqprio_qopt_offload mqprio; ++ struct netlink_ext_ack *extack; + u8 enable; + ktime_t base_time; + u64 cycle_time; +diff --git a/net/sched/sch_mqprio.c b/net/sched/sch_mqprio.c +index 48ed87b9..fc6225f1 100644 +--- a/net/sched/sch_mqprio.c ++++ b/net/sched/sch_mqprio.c +@@ -33,9 +33,12 @@ static int mqprio_enable_offload(struct Qdisc *sch, + const struct tc_mqprio_qopt *qopt, + struct netlink_ext_ack *extack) + { +- struct tc_mqprio_qopt_offload mqprio = {.qopt = *qopt}; + struct mqprio_sched *priv = qdisc_priv(sch); + struct net_device *dev = qdisc_dev(sch); ++ struct tc_mqprio_qopt_offload mqprio = { ++ .qopt = *qopt, ++ .extack = extack, ++ }; + int err, i; + + switch (priv->mode) { +diff --git a/net/sched/sch_taprio.c b/net/sched/sch_taprio.c +index 1f469861..cbad4301 100644 +--- a/net/sched/sch_taprio.c ++++ b/net/sched/sch_taprio.c +@@ -1520,7 +1520,9 @@ static int taprio_enable_offload(struct net_device *dev, + return -ENOMEM; + } + offload->enable = 1; ++ offload->extack = extack; + mqprio_qopt_reconstruct(dev, &offload->mqprio.qopt); ++ offload->mqprio.extack = extack; + taprio_sched_to_offload(dev, sched, offload, &caps); + + for (tc = 0; tc < TC_MAX_QUEUE; tc++) +@@ -1528,14 +1530,20 @@ static int taprio_enable_offload(struct net_device *dev, + + err = ops->ndo_setup_tc(dev, TC_SETUP_QDISC_TAPRIO, offload); + if (err < 0) { +- NL_SET_ERR_MSG(extack, +- "Device failed to setup taprio offload"); ++ NL_SET_ERR_MSG_WEAK(extack, ++ "Device failed to setup taprio offload"); + goto done; + } + + q->offloaded = true; + + done: ++ /* The offload structure may linger around via a reference taken by the ++ * device driver, so clear up the netlink extack pointer so that the ++ * driver isn't tempted to dereference data which stopped being valid ++ */ ++ offload->extack = NULL; ++ offload->mqprio.extack = NULL; + taprio_offload_free(offload); + + return err; +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-120-wifi-iwlwifi-pcie-fix-possible-NULL-pointer-der.patch b/patches.kernel.org/6.3.4-120-wifi-iwlwifi-pcie-fix-possible-NULL-pointer-der.patch new file mode 100644 index 0000000..e150158 --- /dev/null +++ b/patches.kernel.org/6.3.4-120-wifi-iwlwifi-pcie-fix-possible-NULL-pointer-der.patch @@ -0,0 +1,57 @@ +From: Daniel Gabay +Date: Thu, 13 Apr 2023 21:40:32 +0300 +Subject: [PATCH] wifi: iwlwifi: pcie: fix possible NULL pointer dereference +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: b655b9a9f8467684cfa8906713d33b71ea8c8f54 + +[ Upstream commit b655b9a9f8467684cfa8906713d33b71ea8c8f54 ] + +It is possible that iwl_pci_probe() will fail and free the trans, +then afterwards iwl_pci_remove() will be called and crash by trying +to access trans which is already freed, fix it. + +iwlwifi 0000:01:00.0: Detected crf-id 0xa5a5a5a2, cnv-id 0xa5a5a5a2 + wfpm id 0xa5a5a5a2 +iwlwifi 0000:01:00.0: Can't find a correct rfid for crf id 0x5a2 +... +BUG: kernel NULL pointer dereference, address: 0000000000000028 +... +RIP: 0010:iwl_pci_remove+0x12/0x30 [iwlwifi] +pci_device_remove+0x3e/0xb0 +device_release_driver_internal+0x103/0x1f0 +driver_detach+0x4c/0x90 +bus_remove_driver+0x5c/0xd0 +driver_unregister+0x31/0x50 +pci_unregister_driver+0x40/0x90 +iwl_pci_unregister_driver+0x15/0x20 [iwlwifi] +__exit_compat+0x9/0x98 [iwlwifi] +__x64_sys_delete_module+0x147/0x260 + +Signed-off-by: Daniel Gabay +Signed-off-by: Gregory Greenman +Link: https://lore.kernel.org/r/20230413213309.082f6e21341b.I0db21d7fa9a828d571ca886713bd0b5d0b6e1e5c@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c +index a0bf19b1..f83ae0d3 100644 +--- a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c ++++ b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c +@@ -1698,6 +1698,9 @@ static void iwl_pci_remove(struct pci_dev *pdev) + { + struct iwl_trans *trans = pci_get_drvdata(pdev); + ++ if (!trans) ++ return; ++ + iwl_drv_stop(trans->drv); + + iwl_trans_pcie_free(trans); +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-121-wifi-iwlwifi-add-a-new-PCI-device-ID-for-BZ-dev.patch b/patches.kernel.org/6.3.4-121-wifi-iwlwifi-add-a-new-PCI-device-ID-for-BZ-dev.patch new file mode 100644 index 0000000..ce57879 --- /dev/null +++ b/patches.kernel.org/6.3.4-121-wifi-iwlwifi-add-a-new-PCI-device-ID-for-BZ-dev.patch @@ -0,0 +1,36 @@ +From: Mukesh Sisodiya +Date: Fri, 14 Apr 2023 13:11:53 +0300 +Subject: [PATCH] wifi: iwlwifi: add a new PCI device ID for BZ device +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: c30a2a64788b3d617a9c5d96adb76c68b0862e5f + +[ Upstream commit c30a2a64788b3d617a9c5d96adb76c68b0862e5f ] + +Add support for a new PCI device ID 0x272b once registering with PCIe. + +Signed-off-by: Mukesh Sisodiya +Signed-off-by: Gregory Greenman +Link: https://lore.kernel.org/r/20230414130637.56342664110d.I5aa6f2858fdcf69fdea4f1a873115a48bd43764e@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c +index f83ae0d3..25b2d41d 100644 +--- a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c ++++ b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c +@@ -504,6 +504,7 @@ static const struct pci_device_id iwl_hw_card_ids[] = { + + /* Bz devices */ + {IWL_PCI_DEVICE(0x2727, PCI_ANY_ID, iwl_bz_trans_cfg)}, ++ {IWL_PCI_DEVICE(0x272b, PCI_ANY_ID, iwl_bz_trans_cfg)}, + {IWL_PCI_DEVICE(0xA840, PCI_ANY_ID, iwl_bz_trans_cfg)}, + {IWL_PCI_DEVICE(0x7740, PCI_ANY_ID, iwl_bz_trans_cfg)}, + #endif /* CONFIG_IWLMVM */ +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-122-wifi-iwlwifi-pcie-Fix-integer-overflow-in-iwl_w.patch b/patches.kernel.org/6.3.4-122-wifi-iwlwifi-pcie-Fix-integer-overflow-in-iwl_w.patch new file mode 100644 index 0000000..a12c299 --- /dev/null +++ b/patches.kernel.org/6.3.4-122-wifi-iwlwifi-pcie-Fix-integer-overflow-in-iwl_w.patch @@ -0,0 +1,58 @@ +From: Hyunwoo Kim +Date: Fri, 14 Apr 2023 13:11:59 +0300 +Subject: [PATCH] wifi: iwlwifi: pcie: Fix integer overflow in + iwl_write_to_user_buf +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 58d1b717879bfeabe09b35e41ad667c79933eb2e + +[ Upstream commit 58d1b717879bfeabe09b35e41ad667c79933eb2e ] + +An integer overflow occurs in the iwl_write_to_user_buf() function, +which is called by the iwl_dbgfs_monitor_data_read() function. + +static bool iwl_write_to_user_buf(char __user *user_buf, ssize_t count, + void *buf, ssize_t *size, + ssize_t *bytes_copied) +{ + int buf_size_left = count - *bytes_copied; + + buf_size_left = buf_size_left - (buf_size_left % sizeof(u32)); + if (*size > buf_size_left) + *size = buf_size_left; + +If the user passes a SIZE_MAX value to the "ssize_t count" parameter, +the ssize_t count parameter is assigned to "int buf_size_left". +Then compare "*size" with "buf_size_left" . Here, "buf_size_left" is a +negative number, so "*size" is assigned "buf_size_left" and goes into +the third argument of the copy_to_user function, causing a heap overflow. + +This is not a security vulnerability because iwl_dbgfs_monitor_data_read() +is a debugfs operation with 0400 privileges. + +Signed-off-by: Hyunwoo Kim +Signed-off-by: Gregory Greenman +Link: https://lore.kernel.org/r/20230414130637.2d80ace81532.Iecfba549e0e0be21bbb0324675392e42e75bd5ad@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/net/wireless/intel/iwlwifi/pcie/trans.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c +index 171b6bf4..3cc61c30 100644 +--- a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c ++++ b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c +@@ -2861,7 +2861,7 @@ static bool iwl_write_to_user_buf(char __user *user_buf, ssize_t count, + void *buf, ssize_t *size, + ssize_t *bytes_copied) + { +- int buf_size_left = count - *bytes_copied; ++ ssize_t buf_size_left = count - *bytes_copied; + + buf_size_left = buf_size_left - (buf_size_left % sizeof(u32)); + if (*size > buf_size_left) +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-123-wifi-iwlwifi-mvm-fix-ptk_pn-memory-leak.patch b/patches.kernel.org/6.3.4-123-wifi-iwlwifi-mvm-fix-ptk_pn-memory-leak.patch new file mode 100644 index 0000000..6e44fb4 --- /dev/null +++ b/patches.kernel.org/6.3.4-123-wifi-iwlwifi-mvm-fix-ptk_pn-memory-leak.patch @@ -0,0 +1,49 @@ +From: Johannes Berg +Date: Fri, 14 Apr 2023 13:12:02 +0300 +Subject: [PATCH] wifi: iwlwifi: mvm: fix ptk_pn memory leak +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: d066a530af8e1833c7ea2cef7784004700c85f79 + +[ Upstream commit d066a530af8e1833c7ea2cef7784004700c85f79 ] + +If adding a key to firmware fails we leak the allocated ptk_pn. +This shouldn't happen in practice, but we should still fix it. + +Signed-off-by: Johannes Berg +Signed-off-by: Gregory Greenman +Link: https://lore.kernel.org/r/20230414130637.99446ffd02bc.I82a2ad6ec1395f188e0a1677cc619e3fcb1feac9@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c +index 9fc2d5d8..a25fd908 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c +@@ -3587,7 +3587,7 @@ static int __iwl_mvm_mac_set_key(struct ieee80211_hw *hw, + struct iwl_mvm_vif *mvmvif = iwl_mvm_vif_from_mac80211(vif); + struct iwl_mvm *mvm = IWL_MAC80211_GET_MVM(hw); + struct iwl_mvm_sta *mvmsta = NULL; +- struct iwl_mvm_key_pn *ptk_pn; ++ struct iwl_mvm_key_pn *ptk_pn = NULL; + int keyidx = key->keyidx; + u32 sec_key_id = WIDE_ID(DATA_PATH_GROUP, SEC_KEY_CMD); + u8 sec_key_ver = iwl_fw_lookup_cmd_ver(mvm->fw, sec_key_id, 0); +@@ -3739,6 +3739,10 @@ static int __iwl_mvm_mac_set_key(struct ieee80211_hw *hw, + if (ret) { + IWL_WARN(mvm, "set key failed\n"); + key->hw_key_idx = STA_KEY_IDX_INVALID; ++ if (ptk_pn) { ++ RCU_INIT_POINTER(mvmsta->ptk_pn[keyidx], NULL); ++ kfree(ptk_pn); ++ } + /* + * can't add key for RX, but we don't need it + * in the device for TX so still return 0, +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-124-block-bfq-Fix-division-by-zero-error-on-zero-ws.patch b/patches.kernel.org/6.3.4-124-block-bfq-Fix-division-by-zero-error-on-zero-ws.patch new file mode 100644 index 0000000..b9a892b --- /dev/null +++ b/patches.kernel.org/6.3.4-124-block-bfq-Fix-division-by-zero-error-on-zero-ws.patch @@ -0,0 +1,83 @@ +From: Colin Ian King +Date: Thu, 13 Apr 2023 14:30:09 +0100 +Subject: [PATCH] block, bfq: Fix division by zero error on zero wsum +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: e53413f8deedf738a6782cc14cc00bd5852ccf18 + +[ Upstream commit e53413f8deedf738a6782cc14cc00bd5852ccf18 ] + +When the weighted sum is zero the calculation of limit causes +a division by zero error. Fix this by continuing to the next level. + +This was discovered by running as root: + +stress-ng --ioprio 0 + +Fixes divison by error oops: + +[ 521.450556] divide error: 0000 [#1] SMP NOPTI +[ 521.450766] CPU: 2 PID: 2684464 Comm: stress-ng-iopri Not tainted 6.2.1-1280.native #1 +[ 521.451117] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.1-0-g3208b098f51a-prebuilt.qemu.org 04/01/2014 +[ 521.451627] RIP: 0010:bfqq_request_over_limit+0x207/0x400 +[ 521.451875] Code: 01 48 8d 0c c8 74 0b 48 8b 82 98 00 00 00 48 8d 0c c8 8b 85 34 ff ff ff 48 89 ca 41 0f af 41 50 48 d1 ea 48 98 48 01 d0 31 d2 <48> f7 f1 41 39 41 48 89 85 34 ff ff ff 0f 8c 7b 01 00 00 49 8b 44 +[ 521.452699] RSP: 0018:ffffb1af84eb3948 EFLAGS: 00010046 +[ 521.452938] RAX: 000000000000003c RBX: 0000000000000000 RCX: 0000000000000000 +[ 521.453262] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffb1af84eb3978 +[ 521.453584] RBP: ffffb1af84eb3a30 R08: 0000000000000001 R09: ffff8f88ab8a4ba0 +[ 521.453905] R10: 0000000000000000 R11: 0000000000000001 R12: ffff8f88ab8a4b18 +[ 521.454224] R13: ffff8f8699093000 R14: 0000000000000001 R15: ffffb1af84eb3970 +[ 521.454549] FS: 00005640b6b0b580(0000) GS:ffff8f88b3880000(0000) knlGS:0000000000000000 +[ 521.454912] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 521.455170] CR2: 00007ffcbcae4e38 CR3: 00000002e46de001 CR4: 0000000000770ee0 +[ 521.455491] PKRU: 55555554 +[ 521.455619] Call Trace: +[ 521.455736] +[ 521.455837] ? bfq_request_merge+0x3a/0xc0 +[ 521.456027] ? elv_merge+0x115/0x140 +[ 521.456191] bfq_limit_depth+0xc8/0x240 +[ 521.456366] __blk_mq_alloc_requests+0x21a/0x2c0 +[ 521.456577] blk_mq_submit_bio+0x23c/0x6c0 +[ 521.456766] __submit_bio+0xb8/0x140 +[ 521.457236] submit_bio_noacct_nocheck+0x212/0x300 +[ 521.457748] submit_bio_noacct+0x1a6/0x580 +[ 521.458220] submit_bio+0x43/0x80 +[ 521.458660] ext4_io_submit+0x23/0x80 +[ 521.459116] ext4_do_writepages+0x40a/0xd00 +[ 521.459596] ext4_writepages+0x65/0x100 +[ 521.460050] do_writepages+0xb7/0x1c0 +[ 521.460492] __filemap_fdatawrite_range+0xa6/0x100 +[ 521.460979] file_write_and_wait_range+0xbf/0x140 +[ 521.461452] ext4_sync_file+0x105/0x340 +[ 521.461882] __x64_sys_fsync+0x67/0x100 +[ 521.462305] ? syscall_exit_to_user_mode+0x2c/0x1c0 +[ 521.462768] do_syscall_64+0x3b/0xc0 +[ 521.463165] entry_SYSCALL_64_after_hwframe+0x5a/0xc4 +[ 521.463621] RIP: 0033:0x5640b6c56590 +[ 521.464006] Code: 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 80 3d 71 70 0e 00 00 74 17 b8 4a 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 48 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c + +Signed-off-by: Colin Ian King +Link: https://lore.kernel.org/r/20230413133009.1605335-1-colin.i.king@gmail.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + block/bfq-iosched.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c +index d9ed3108..bac977da 100644 +--- a/block/bfq-iosched.c ++++ b/block/bfq-iosched.c +@@ -649,6 +649,8 @@ static bool bfqq_request_over_limit(struct bfq_queue *bfqq, int limit) + sched_data->service_tree[i].wsum; + } + } ++ if (!wsum) ++ continue; + limit = DIV_ROUND_CLOSEST(limit * entity->weight, wsum); + if (entity->allocated >= limit) { + bfq_log_bfqq(bfqq->bfqd, bfqq, +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-125-wifi-ath11k-Ignore-frags-from-uninitialized-pee.patch b/patches.kernel.org/6.3.4-125-wifi-ath11k-Ignore-frags-from-uninitialized-pee.patch new file mode 100644 index 0000000..de9ec49 --- /dev/null +++ b/patches.kernel.org/6.3.4-125-wifi-ath11k-Ignore-frags-from-uninitialized-pee.patch @@ -0,0 +1,119 @@ +From: Harshitha Prem +Date: Tue, 4 Apr 2023 00:11:54 +0530 +Subject: [PATCH] wifi: ath11k: Ignore frags from uninitialized peer in dp. +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: a06bfb3c9f69f303692cdae87bc0899d2ae8b2a6 + +[ Upstream commit a06bfb3c9f69f303692cdae87bc0899d2ae8b2a6 ] + +When max virtual ap interfaces are configured in all the bands with +ACS and hostapd restart is done every 60s, a crash is observed at +random times. +In this certain scenario, a fragmented packet is received for +self peer, for which rx_tid and rx_frags are not initialized in +datapath. While handling this fragment, crash is observed as the +rx_frag list is uninitialised and when we walk in +ath11k_dp_rx_h_sort_frags, skb null leads to exception. + +To address this, before processing received fragments we check +dp_setup_done flag is set to ensure that peer has completed its +dp peer setup for fragment queue, else ignore processing the +fragments. + +Call trace: + ath11k_dp_process_rx_err+0x550/0x1084 [ath11k] + ath11k_dp_service_srng+0x70/0x370 [ath11k] + 0xffffffc009693a04 + __napi_poll+0x30/0xa4 + net_rx_action+0x118/0x270 + __do_softirq+0x10c/0x244 + irq_exit+0x64/0xb4 + __handle_domain_irq+0x88/0xac + gic_handle_irq+0x74/0xbc + el1_irq+0xf0/0x1c0 + arch_cpu_idle+0x10/0x18 + do_idle+0x104/0x248 + cpu_startup_entry+0x20/0x64 + rest_init+0xd0/0xdc + arch_call_rest_init+0xc/0x14 + start_kernel+0x480/0x4b8 + Code: f9400281 f94066a2 91405021 b94a0023 (f9406401) + +Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1 + +Signed-off-by: Harshitha Prem +Signed-off-by: Nagarajan Maran +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230403184155.8670-2-quic_nmaran@quicinc.com +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/net/wireless/ath/ath11k/dp.c | 4 +++- + drivers/net/wireless/ath/ath11k/dp_rx.c | 8 ++++++++ + drivers/net/wireless/ath/ath11k/peer.h | 1 + + 3 files changed, 12 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath11k/dp.c b/drivers/net/wireless/ath/ath11k/dp.c +index f5156a7f..d070bcb3 100644 +--- a/drivers/net/wireless/ath/ath11k/dp.c ++++ b/drivers/net/wireless/ath/ath11k/dp.c +@@ -36,6 +36,7 @@ void ath11k_dp_peer_cleanup(struct ath11k *ar, int vdev_id, const u8 *addr) + } + + ath11k_peer_rx_tid_cleanup(ar, peer); ++ peer->dp_setup_done = false; + crypto_free_shash(peer->tfm_mmic); + spin_unlock_bh(&ab->base_lock); + } +@@ -72,7 +73,8 @@ int ath11k_dp_peer_setup(struct ath11k *ar, int vdev_id, const u8 *addr) + ret = ath11k_peer_rx_frag_setup(ar, addr, vdev_id); + if (ret) { + ath11k_warn(ab, "failed to setup rx defrag context\n"); +- return ret; ++ tid--; ++ goto peer_clean; + } + + /* TODO: Setup other peer specific resource used in data path */ +diff --git a/drivers/net/wireless/ath/ath11k/dp_rx.c b/drivers/net/wireless/ath/ath11k/dp_rx.c +index b65a84a8..294c6fcf 100644 +--- a/drivers/net/wireless/ath/ath11k/dp_rx.c ++++ b/drivers/net/wireless/ath/ath11k/dp_rx.c +@@ -3138,6 +3138,7 @@ int ath11k_peer_rx_frag_setup(struct ath11k *ar, const u8 *peer_mac, int vdev_id + } + + peer->tfm_mmic = tfm; ++ peer->dp_setup_done = true; + spin_unlock_bh(&ab->base_lock); + + return 0; +@@ -3583,6 +3584,13 @@ static int ath11k_dp_rx_frag_h_mpdu(struct ath11k *ar, + ret = -ENOENT; + goto out_unlock; + } ++ if (!peer->dp_setup_done) { ++ ath11k_warn(ab, "The peer %pM [%d] has uninitialized datapath\n", ++ peer->addr, peer_id); ++ ret = -ENOENT; ++ goto out_unlock; ++ } ++ + rx_tid = &peer->rx_tid[tid]; + + if ((!skb_queue_empty(&rx_tid->rx_frags) && seqno != rx_tid->cur_sn) || +diff --git a/drivers/net/wireless/ath/ath11k/peer.h b/drivers/net/wireless/ath/ath11k/peer.h +index 6dd17baf..9bd385d0 100644 +--- a/drivers/net/wireless/ath/ath11k/peer.h ++++ b/drivers/net/wireless/ath/ath11k/peer.h +@@ -35,6 +35,7 @@ struct ath11k_peer { + u16 sec_type; + u16 sec_type_grp; + bool is_authorized; ++ bool dp_setup_done; + }; + + void ath11k_peer_unmap_event(struct ath11k_base *ab, u16 peer_id); +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-126-wifi-mt76-mt7921-add-Netgear-AXE3000-A8000-supp.patch b/patches.kernel.org/6.3.4-126-wifi-mt76-mt7921-add-Netgear-AXE3000-A8000-supp.patch new file mode 100644 index 0000000..2c30645 --- /dev/null +++ b/patches.kernel.org/6.3.4-126-wifi-mt76-mt7921-add-Netgear-AXE3000-A8000-supp.patch @@ -0,0 +1,46 @@ +From: Reese Russell +Date: Tue, 4 Apr 2023 00:35:12 -0700 +Subject: [PATCH] wifi: mt76: mt7921: add Netgear AXE3000 (A8000) support +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 03eb52dd78cab08f13925aeec8315fbdbcba3253 + +[ Upstream commit 03eb52dd78cab08f13925aeec8315fbdbcba3253 ] + +Issue: Though the Netgear AXE3000 (A8000) is based on the mt7921 +chipset because of the unique USB VID:PID combination this device +does not initialize/register. Thus making it not plug and play. + +Fix: Adds support for the Netgear AXE3000 (A8000) based on the Mediatek +mt7921au chipset. The method of action is adding the USD VID/PID +pair to the mt7921u_device_table[] array. + +Notes: A retail sample of the Netgear AXE3000 (A8000) yeilds the following +from lsusb D 0846:9060 NetGear, Inc. Wireless_Device. This pair +0846:9060 VID:PID has been reported by other users on Github. + +Signed-off-by: Reese Russell +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/net/wireless/mediatek/mt76/mt7921/usb.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/usb.c b/drivers/net/wireless/mediatek/mt76/mt7921/usb.c +index 70c9bbdb..09ab9b83 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7921/usb.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7921/usb.c +@@ -18,6 +18,9 @@ static const struct usb_device_id mt7921u_device_table[] = { + /* Comfast CF-952AX */ + { USB_DEVICE_AND_INTERFACE_INFO(0x3574, 0x6211, 0xff, 0xff, 0xff), + .driver_info = (kernel_ulong_t)MT7921_FIRMWARE_WM }, ++ /* Netgear, Inc. [A8000,AXE3000] */ ++ { USB_DEVICE_AND_INTERFACE_INFO(0x0846, 0x9060, 0xff, 0xff, 0xff), ++ .driver_info = (kernel_ulong_t)MT7921_FIRMWARE_WM }, + { }, + }; + +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-127-wifi-iwlwifi-fix-iwl_mvm_max_amsdu_size-for-MLO.patch b/patches.kernel.org/6.3.4-127-wifi-iwlwifi-fix-iwl_mvm_max_amsdu_size-for-MLO.patch new file mode 100644 index 0000000..ba9c08e --- /dev/null +++ b/patches.kernel.org/6.3.4-127-wifi-iwlwifi-fix-iwl_mvm_max_amsdu_size-for-MLO.patch @@ -0,0 +1,85 @@ +From: Johannes Berg +Date: Mon, 17 Apr 2023 11:41:30 +0300 +Subject: [PATCH] wifi: iwlwifi: fix iwl_mvm_max_amsdu_size() for MLO +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: b2bc600cced23762d4e97db8989b18772145604f + +[ Upstream commit b2bc600cced23762d4e97db8989b18772145604f ] + +For MLO, we cannot use vif->bss_conf.chandef.chan->band, since +that will lead to a NULL-ptr dereference as bss_conf isn't used. +However, in case of real MLO, we also need to take both LMACs +into account if they exist, since the station might be active +on both LMACs at the same time. + +Signed-off-by: Johannes Berg +Signed-off-by: Gregory Greenman +Link: https://lore.kernel.org/r/20230417113648.3588afc85d79.I11592893bbc191b9548518b8bd782de568a9f848@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/net/wireless/intel/iwlwifi/mvm/tx.c | 37 +++++++++++++++++++-- + 1 file changed, 34 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c +index 9813d7fa..1c454392 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c +@@ -791,10 +791,11 @@ unsigned int iwl_mvm_max_amsdu_size(struct iwl_mvm *mvm, + struct ieee80211_sta *sta, unsigned int tid) + { + struct iwl_mvm_sta *mvmsta = iwl_mvm_sta_from_mac80211(sta); +- enum nl80211_band band = mvmsta->vif->bss_conf.chandef.chan->band; + u8 ac = tid_to_mac80211_ac[tid]; ++ enum nl80211_band band; + unsigned int txf; +- int lmac = iwl_mvm_get_lmac_id(mvm->fw, band); ++ unsigned int val; ++ int lmac; + + /* For HE redirect to trigger based fifos */ + if (sta->deflink.he_cap.has_he && !WARN_ON(!iwl_mvm_has_new_tx_api(mvm))) +@@ -808,7 +809,37 @@ unsigned int iwl_mvm_max_amsdu_size(struct iwl_mvm *mvm, + * We also want to have the start of the next packet inside the + * fifo to be able to send bursts. + */ +- return min_t(unsigned int, mvmsta->max_amsdu_len, ++ val = mvmsta->max_amsdu_len; ++ ++ if (hweight16(sta->valid_links) <= 1) { ++ if (sta->valid_links) { ++ struct ieee80211_bss_conf *link_conf; ++ unsigned int link = ffs(sta->valid_links) - 1; ++ ++ rcu_read_lock(); ++ link_conf = rcu_dereference(mvmsta->vif->link_conf[link]); ++ if (WARN_ON(!link_conf)) ++ band = NL80211_BAND_2GHZ; ++ else ++ band = link_conf->chandef.chan->band; ++ rcu_read_unlock(); ++ } else { ++ band = mvmsta->vif->bss_conf.chandef.chan->band; ++ } ++ ++ lmac = iwl_mvm_get_lmac_id(mvm->fw, band); ++ } else if (fw_has_capa(&mvm->fw->ucode_capa, ++ IWL_UCODE_TLV_CAPA_CDB_SUPPORT)) { ++ /* for real MLO restrict to both LMACs if they exist */ ++ lmac = IWL_LMAC_5G_INDEX; ++ val = min_t(unsigned int, val, ++ mvm->fwrt.smem_cfg.lmac[lmac].txfifo_size[txf] - 256); ++ lmac = IWL_LMAC_24G_INDEX; ++ } else { ++ lmac = IWL_LMAC_24G_INDEX; ++ } ++ ++ return min_t(unsigned int, val, + mvm->fwrt.smem_cfg.lmac[lmac].txfifo_size[txf] - 256); + } + +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-128-f2fs-relax-sanity-check-if-checkpoint-is-corrup.patch b/patches.kernel.org/6.3.4-128-f2fs-relax-sanity-check-if-checkpoint-is-corrup.patch new file mode 100644 index 0000000..cf3b419 --- /dev/null +++ b/patches.kernel.org/6.3.4-128-f2fs-relax-sanity-check-if-checkpoint-is-corrup.patch @@ -0,0 +1,108 @@ +From: Jaegeuk Kim +Date: Thu, 6 Apr 2023 16:56:20 -0700 +Subject: [PATCH] f2fs: relax sanity check if checkpoint is corrupted +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: bd90c5cd339a9d7cdc609d2d6310b80dc697070d + +[ Upstream commit bd90c5cd339a9d7cdc609d2d6310b80dc697070d ] + +1. extent_cache + - let's drop the largest extent_cache +2. invalidate_block + - don't show the warnings + +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + fs/f2fs/checkpoint.c | 10 ++++++++++ + fs/f2fs/data.c | 4 ++++ + fs/f2fs/extent_cache.c | 22 +++++++++++++++------- + 3 files changed, 29 insertions(+), 7 deletions(-) + +diff --git a/fs/f2fs/checkpoint.c b/fs/f2fs/checkpoint.c +index 96af24c3..d4c862cc 100644 +--- a/fs/f2fs/checkpoint.c ++++ b/fs/f2fs/checkpoint.c +@@ -152,6 +152,11 @@ static bool __is_bitmap_valid(struct f2fs_sb_info *sbi, block_t blkaddr, + se = get_seg_entry(sbi, segno); + + exist = f2fs_test_bit(offset, se->cur_valid_map); ++ ++ /* skip data, if we already have an error in checkpoint. */ ++ if (unlikely(f2fs_cp_error(sbi))) ++ return exist; ++ + if (exist && type == DATA_GENERIC_ENHANCE_UPDATE) { + f2fs_err(sbi, "Inconsistent error blkaddr:%u, sit bitmap:%d", + blkaddr, exist); +@@ -202,6 +207,11 @@ bool f2fs_is_valid_blkaddr(struct f2fs_sb_info *sbi, + case DATA_GENERIC_ENHANCE_UPDATE: + if (unlikely(blkaddr >= MAX_BLKADDR(sbi) || + blkaddr < MAIN_BLKADDR(sbi))) { ++ ++ /* Skip to emit an error message. */ ++ if (unlikely(f2fs_cp_error(sbi))) ++ return false; ++ + f2fs_warn(sbi, "access invalid blkaddr:%u", + blkaddr); + set_sbi_flag(sbi, SBI_NEED_FSCK); +diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c +index 68feb015..92bcdbd8 100644 +--- a/fs/f2fs/data.c ++++ b/fs/f2fs/data.c +@@ -2237,6 +2237,10 @@ int f2fs_read_multi_pages(struct compress_ctx *cc, struct bio **bio_ret, + if (ret) + goto out; + ++ if (unlikely(f2fs_cp_error(sbi))) { ++ ret = -EIO; ++ goto out_put_dnode; ++ } + f2fs_bug_on(sbi, dn.data_blkaddr != COMPRESS_ADDR); + + skip_reading_dnode: +diff --git a/fs/f2fs/extent_cache.c b/fs/f2fs/extent_cache.c +index 9a815389..bea6ab9d 100644 +--- a/fs/f2fs/extent_cache.c ++++ b/fs/f2fs/extent_cache.c +@@ -23,18 +23,26 @@ bool sanity_check_extent_cache(struct inode *inode) + { + struct f2fs_sb_info *sbi = F2FS_I_SB(inode); + struct f2fs_inode_info *fi = F2FS_I(inode); ++ struct extent_tree *et = fi->extent_tree[EX_READ]; + struct extent_info *ei; + +- if (!fi->extent_tree[EX_READ]) ++ if (!et) ++ return true; ++ ++ ei = &et->largest; ++ if (!ei->len) + return true; + +- ei = &fi->extent_tree[EX_READ]->largest; ++ /* Let's drop, if checkpoint got corrupted. */ ++ if (is_set_ckpt_flags(sbi, CP_ERROR_FLAG)) { ++ ei->len = 0; ++ et->largest_updated = true; ++ return true; ++ } + +- if (ei->len && +- (!f2fs_is_valid_blkaddr(sbi, ei->blk, +- DATA_GENERIC_ENHANCE) || +- !f2fs_is_valid_blkaddr(sbi, ei->blk + ei->len - 1, +- DATA_GENERIC_ENHANCE))) { ++ if (!f2fs_is_valid_blkaddr(sbi, ei->blk, DATA_GENERIC_ENHANCE) || ++ !f2fs_is_valid_blkaddr(sbi, ei->blk + ei->len - 1, ++ DATA_GENERIC_ENHANCE)) { + set_sbi_flag(sbi, SBI_NEED_FSCK); + f2fs_warn(sbi, "%s: inode (ino=%lx) extent info [%u, %u, %u] is incorrect, run fsck to fix", + __func__, inode->i_ino, +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-129-null_blk-Always-check-queue-mode-setting-from-c.patch b/patches.kernel.org/6.3.4-129-null_blk-Always-check-queue-mode-setting-from-c.patch new file mode 100644 index 0000000..b73be61 --- /dev/null +++ b/patches.kernel.org/6.3.4-129-null_blk-Always-check-queue-mode-setting-from-c.patch @@ -0,0 +1,88 @@ +From: Chaitanya Kulkarni +Date: Sun, 16 Apr 2023 15:03:39 -0700 +Subject: [PATCH] null_blk: Always check queue mode setting from configfs +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 63f8793ee60513a09f110ea460a6ff2c33811cdb + +[ Upstream commit 63f8793ee60513a09f110ea460a6ff2c33811cdb ] + +Make sure to check device queue mode in the null_validate_conf() and +return error for NULL_Q_RQ as we don't allow legacy I/O path, without +this patch we get OOPs when queue mode is set to 1 from configfs, +following are repro steps :- + +modprobe null_blk nr_devices=0 +mkdir config/nullb/nullb0 +echo 1 > config/nullb/nullb0/memory_backed +echo 4096 > config/nullb/nullb0/blocksize +echo 20480 > config/nullb/nullb0/size +echo 1 > config/nullb/nullb0/queue_mode +echo 1 > config/nullb/nullb0/power + +Entering kdb (current=0xffff88810acdd080, pid 2372) on processor 42 Oops: (null) +due to oops @ 0xffffffffc041c329 +CPU: 42 PID: 2372 Comm: sh Tainted: G O N 6.3.0-rc5lblk+ #5 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 +RIP: 0010:null_add_dev.part.0+0xd9/0x720 [null_blk] +Code: 01 00 00 85 d2 0f 85 a1 03 00 00 48 83 bb 08 01 00 00 00 0f 85 f7 03 00 00 80 bb 62 01 00 00 00 48 8b 75 20 0f 85 6d 02 00 00 <48> 89 6e 60 48 8b 75 20 bf 06 00 00 00 e8 f5 37 2c c1 48 8b 75 20 +RSP: 0018:ffffc900052cbde0 EFLAGS: 00010246 +RAX: 0000000000000001 RBX: ffff88811084d800 RCX: 0000000000000001 +RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff888100042e00 +RBP: ffff8881053d8200 R08: ffffc900052cbd68 R09: ffff888105db2000 +R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000002 +R13: ffff888104765200 R14: ffff88810eec1748 R15: ffff88810eec1740 +FS: 00007fd445fd1740(0000) GS:ffff8897dfc80000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000000000060 CR3: 0000000166a00000 CR4: 0000000000350ee0 +DR0: ffffffff8437a488 DR1: ffffffff8437a489 DR2: ffffffff8437a48a +DR3: ffffffff8437a48b DR6: 00000000ffff0ff0 DR7: 0000000000000400 +Call Trace: + + nullb_device_power_store+0xd1/0x120 [null_blk] + configfs_write_iter+0xb4/0x120 + vfs_write+0x2ba/0x3c0 + ksys_write+0x5f/0xe0 + do_syscall_64+0x3b/0x90 + entry_SYSCALL_64_after_hwframe+0x72/0xdc +RIP: 0033:0x7fd4460c57a7 +Code: 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24 +RSP: 002b:00007ffd3792a4a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 +RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007fd4460c57a7 +RDX: 0000000000000002 RSI: 000055b43c02e4c0 RDI: 0000000000000001 +RBP: 000055b43c02e4c0 R08: 000000000000000a R09: 00007fd44615b4e0 +R10: 00007fd44615b3e0 R11: 0000000000000246 R12: 0000000000000002 +R13: 00007fd446198520 R14: 0000000000000002 R15: 00007fd446198700 + + +Signed-off-by: Chaitanya Kulkarni +Reviewed-by: Damien Le Moal +Reviewed-by: Ming Lei +Reviewed-by: Nitesh Shetty +Link: https://lore.kernel.org/r/20230416220339.43845-1-kch@nvidia.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/block/null_blk/main.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/block/null_blk/main.c b/drivers/block/null_blk/main.c +index 9e6b032c..14491952 100644 +--- a/drivers/block/null_blk/main.c ++++ b/drivers/block/null_blk/main.c +@@ -1964,6 +1964,11 @@ static int null_init_tag_set(struct nullb *nullb, struct blk_mq_tag_set *set) + + static int null_validate_conf(struct nullb_device *dev) + { ++ if (dev->queue_mode == NULL_Q_RQ) { ++ pr_err("legacy IO path is no longer available\n"); ++ return -EINVAL; ++ } ++ + dev->blocksize = round_down(dev->blocksize, 512); + dev->blocksize = clamp_t(unsigned int, dev->blocksize, 512, 4096); + +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-130-wifi-iwlwifi-dvm-Fix-memcpy-detected-field-span.patch b/patches.kernel.org/6.3.4-130-wifi-iwlwifi-dvm-Fix-memcpy-detected-field-span.patch new file mode 100644 index 0000000..2473b6b --- /dev/null +++ b/patches.kernel.org/6.3.4-130-wifi-iwlwifi-dvm-Fix-memcpy-detected-field-span.patch @@ -0,0 +1,73 @@ +From: Hans de Goede +Date: Tue, 18 Apr 2023 15:25:46 +0200 +Subject: [PATCH] wifi: iwlwifi: dvm: Fix memcpy: detected field-spanning write + backtrace +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: ef16799640865f937719f0771c93be5dca18adc6 + +[ Upstream commit ef16799640865f937719f0771c93be5dca18adc6 ] + +A received TKIP key may be up to 32 bytes because it may contain +MIC rx/tx keys too. These are not used by iwl and copying these +over overflows the iwl_keyinfo.key field. + +Add a check to not copy more data to iwl_keyinfo.key then will fit. + +This fixes backtraces like this one: + + memcpy: detected field-spanning write (size 32) of single field "sta_cmd.key.key" at drivers/net/wireless/intel/iwlwifi/dvm/sta.c:1103 (size 16) + WARNING: CPU: 1 PID: 946 at drivers/net/wireless/intel/iwlwifi/dvm/sta.c:1103 iwlagn_send_sta_key+0x375/0x390 [iwldvm] + + Hardware name: Dell Inc. Latitude E6430/0H3MT5, BIOS A21 05/08/2017 + RIP: 0010:iwlagn_send_sta_key+0x375/0x390 [iwldvm] + + Call Trace: + + iwl_set_dynamic_key+0x1f0/0x220 [iwldvm] + iwlagn_mac_set_key+0x1e4/0x280 [iwldvm] + drv_set_key+0xa4/0x1b0 [mac80211] + ieee80211_key_enable_hw_accel+0xa8/0x2d0 [mac80211] + ieee80211_key_replace+0x22d/0x8e0 [mac80211] + + +Link: https://www.alionet.org/index.php?topic=1469.0 +Link: https://lore.kernel.org/linux-wireless/20230218191056.never.374-kees@kernel.org/ +Link: https://lore.kernel.org/linux-wireless/68760035-7f75-1b23-e355-bfb758a87d83@redhat.com/ +Cc: Kees Cook +Suggested-by: Johannes Berg +Signed-off-by: Hans de Goede +Reviewed-by: Kees Cook +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/net/wireless/intel/iwlwifi/dvm/sta.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/dvm/sta.c b/drivers/net/wireless/intel/iwlwifi/dvm/sta.c +index cef43cf8..8b01ab98 100644 +--- a/drivers/net/wireless/intel/iwlwifi/dvm/sta.c ++++ b/drivers/net/wireless/intel/iwlwifi/dvm/sta.c +@@ -1081,6 +1081,7 @@ static int iwlagn_send_sta_key(struct iwl_priv *priv, + { + __le16 key_flags; + struct iwl_addsta_cmd sta_cmd; ++ size_t to_copy; + int i; + + spin_lock_bh(&priv->sta_lock); +@@ -1100,7 +1101,9 @@ static int iwlagn_send_sta_key(struct iwl_priv *priv, + sta_cmd.key.tkip_rx_tsc_byte2 = tkip_iv32; + for (i = 0; i < 5; i++) + sta_cmd.key.tkip_rx_ttak[i] = cpu_to_le16(tkip_p1k[i]); +- memcpy(sta_cmd.key.key, keyconf->key, keyconf->keylen); ++ /* keyconf may contain MIC rx/tx keys which iwl does not use */ ++ to_copy = min_t(size_t, sizeof(sta_cmd.key.key), keyconf->keylen); ++ memcpy(sta_cmd.key.key, keyconf->key, to_copy); + break; + case WLAN_CIPHER_SUITE_WEP104: + key_flags |= STA_KEY_FLG_KEY_SIZE_MSK; +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-131-wifi-ath11k-Fix-SKB-corruption-in-REO-destinati.patch b/patches.kernel.org/6.3.4-131-wifi-ath11k-Fix-SKB-corruption-in-REO-destinati.patch new file mode 100644 index 0000000..1cabc6c --- /dev/null +++ b/patches.kernel.org/6.3.4-131-wifi-ath11k-Fix-SKB-corruption-in-REO-destinati.patch @@ -0,0 +1,81 @@ +From: Nagarajan Maran +Date: Mon, 17 Apr 2023 13:35:02 +0300 +Subject: [PATCH] wifi: ath11k: Fix SKB corruption in REO destination ring +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: f9fff67d2d7ca6fa8066132003a3deef654c55b1 + +[ Upstream commit f9fff67d2d7ca6fa8066132003a3deef654c55b1 ] + +While running traffics for a long time, randomly an RX descriptor +filled with value "0" from REO destination ring is received. +This descriptor which is invalid causes the wrong SKB (SKB stored in +the IDR lookup with buffer id "0") to be fetched which in turn +causes SKB memory corruption issue and the same leads to crash +after some time. + +Changed the start id for idr allocation to "1" and the buffer id "0" +is reserved for error validation. Introduced Sanity check to validate +the descriptor, before processing the SKB. + +Crash Signature : + +Unable to handle kernel paging request at virtual address 3f004900 +PC points to "b15_dma_inv_range+0x30/0x50" +LR points to "dma_cache_maint_page+0x8c/0x128". +The Backtrace obtained is as follows: +[<8031716c>] (b15_dma_inv_range) from [<80313a4c>] (dma_cache_maint_page+0x8c/0x128) +[<80313a4c>] (dma_cache_maint_page) from [<80313b90>] (__dma_page_dev_to_cpu+0x28/0xcc) +[<80313b90>] (__dma_page_dev_to_cpu) from [<7fb5dd68>] (ath11k_dp_process_rx+0x1e8/0x4a4 [ath11k]) +[<7fb5dd68>] (ath11k_dp_process_rx [ath11k]) from [<7fb53c20>] (ath11k_dp_service_srng+0xb0/0x2ac [ath11k]) +[<7fb53c20>] (ath11k_dp_service_srng [ath11k]) from [<7f67bba4>] (ath11k_pci_ext_grp_napi_poll+0x1c/0x78 [ath11k_pci]) +[<7f67bba4>] (ath11k_pci_ext_grp_napi_poll [ath11k_pci]) from [<807d5cf4>] (__napi_poll+0x28/0xb8) +[<807d5cf4>] (__napi_poll) from [<807d5f28>] (net_rx_action+0xf0/0x280) +[<807d5f28>] (net_rx_action) from [<80302148>] (__do_softirq+0xd0/0x280) +[<80302148>] (__do_softirq) from [<80320408>] (irq_exit+0x74/0xd4) +[<80320408>] (irq_exit) from [<803638a4>] (__handle_domain_irq+0x90/0xb4) +[<803638a4>] (__handle_domain_irq) from [<805bedec>] (gic_handle_irq+0x58/0x90) +[<805bedec>] (gic_handle_irq) from [<80301a78>] (__irq_svc+0x58/0x8c) + +Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1 + +Signed-off-by: Nagarajan Maran +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230403191533.28114-1-quic_nmaran@quicinc.com +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/net/wireless/ath/ath11k/dp_rx.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath11k/dp_rx.c b/drivers/net/wireless/ath/ath11k/dp_rx.c +index 294c6fcf..32a4f888 100644 +--- a/drivers/net/wireless/ath/ath11k/dp_rx.c ++++ b/drivers/net/wireless/ath/ath11k/dp_rx.c +@@ -389,10 +389,10 @@ int ath11k_dp_rxbufs_replenish(struct ath11k_base *ab, int mac_id, + goto fail_free_skb; + + spin_lock_bh(&rx_ring->idr_lock); +- buf_id = idr_alloc(&rx_ring->bufs_idr, skb, 0, +- rx_ring->bufs_max * 3, GFP_ATOMIC); ++ buf_id = idr_alloc(&rx_ring->bufs_idr, skb, 1, ++ (rx_ring->bufs_max * 3) + 1, GFP_ATOMIC); + spin_unlock_bh(&rx_ring->idr_lock); +- if (buf_id < 0) ++ if (buf_id <= 0) + goto fail_dma_unmap; + + desc = ath11k_hal_srng_src_get_next_entry(ab, srng); +@@ -2665,6 +2665,9 @@ int ath11k_dp_process_rx(struct ath11k_base *ab, int ring_id, + cookie); + mac_id = FIELD_GET(DP_RXDMA_BUF_COOKIE_PDEV_ID, cookie); + ++ if (unlikely(buf_id == 0)) ++ continue; ++ + ar = ab->pdevs[mac_id].ar; + rx_ring = &ar->dp.rx_refill_buf_ring; + spin_lock_bh(&rx_ring->idr_lock); +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-132-wifi-rtw88-Fix-memory-leak-in-rtw88_usb.patch b/patches.kernel.org/6.3.4-132-wifi-rtw88-Fix-memory-leak-in-rtw88_usb.patch new file mode 100644 index 0000000..e8b4a0f --- /dev/null +++ b/patches.kernel.org/6.3.4-132-wifi-rtw88-Fix-memory-leak-in-rtw88_usb.patch @@ -0,0 +1,67 @@ +From: Larry Finger +Date: Mon, 17 Apr 2023 11:03:31 -0500 +Subject: [PATCH] wifi: rtw88: Fix memory leak in rtw88_usb +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 59a3a312009723e3e5082899655fdcc420e2b47a + +[ Upstream commit 59a3a312009723e3e5082899655fdcc420e2b47a ] + +Kmemleak shows the following leak arising from routine in the usb +probe routine: + +unreferenced object 0xffff895cb29bba00 (size 512): + comm "(udev-worker)", pid 534, jiffies 4294903932 (age 102751.088s) + hex dump (first 32 bytes): + 77 30 30 30 00 00 00 00 02 2f 2d 2b 30 00 00 00 w000...../-+0... + 02 00 2a 28 00 00 00 00 ff 55 ff ff ff 00 00 00 ..*(.....U...... + backtrace: + [] kmalloc_trace+0x26/0x90 + [] rtw_usb_probe+0x2f1/0x680 [rtw_usb] + [] usb_probe_interface+0xdd/0x2e0 [usbcore] + [] really_probe+0x18e/0x3d0 + [] __driver_probe_device+0x78/0x160 + [] driver_probe_device+0x1f/0x90 + [] __driver_attach+0xbf/0x1b0 + [] bus_for_each_dev+0x70/0xc0 + [] bus_add_driver+0x10e/0x210 + [] driver_register+0x55/0xf0 + [] usb_register_driver+0x88/0x140 [usbcore] + [] do_one_initcall+0x43/0x210 + [] do_init_module+0x4a/0x200 + [] __do_sys_finit_module+0xac/0x120 + [] do_syscall_64+0x56/0x80 + [] entry_SYSCALL_64_after_hwframe+0x46/0xb0 + +The leak was verified to be real by unloading the driver, which resulted +in a dangling pointer to the allocation. + +The allocated memory is freed in rtw_usb_intf_deinit(). + +Signed-off-by: Larry Finger +Cc: Sascha Hauer +Cc: Ping-Ke Shih +Reviewed-by: Ping-Ke Shih +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230417160331.23071-1-Larry.Finger@lwfinger.net +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/net/wireless/realtek/rtw88/usb.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wireless/realtek/rtw88/usb.c b/drivers/net/wireless/realtek/rtw88/usb.c +index 8e2c99f9..44a5fafb 100644 +--- a/drivers/net/wireless/realtek/rtw88/usb.c ++++ b/drivers/net/wireless/realtek/rtw88/usb.c +@@ -804,6 +804,7 @@ static void rtw_usb_intf_deinit(struct rtw_dev *rtwdev, + struct rtw_usb *rtwusb = rtw_get_usb_priv(rtwdev); + + usb_put_dev(rtwusb->udev); ++ kfree(rtwusb->usb_data); + usb_set_intfdata(intf, NULL); + } + +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-133-nbd-fix-incomplete-validation-of-ioctl-arg.patch b/patches.kernel.org/6.3.4-133-nbd-fix-incomplete-validation-of-ioctl-arg.patch new file mode 100644 index 0000000..9237026 --- /dev/null +++ b/patches.kernel.org/6.3.4-133-nbd-fix-incomplete-validation-of-ioctl-arg.patch @@ -0,0 +1,83 @@ +From: Zhong Jinghua +Date: Mon, 6 Feb 2023 22:58:05 +0800 +Subject: [PATCH] nbd: fix incomplete validation of ioctl arg +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 55793ea54d77719a071b1ccc05a05056e3b5e009 + +[ Upstream commit 55793ea54d77719a071b1ccc05a05056e3b5e009 ] + +We tested and found an alarm caused by nbd_ioctl arg without verification. +The UBSAN warning calltrace like below: + +UBSAN: Undefined behaviour in fs/buffer.c:1709:35 +signed integer overflow: +-9223372036854775808 - 1 cannot be represented in type 'long long int' +CPU: 3 PID: 2523 Comm: syz-executor.0 Not tainted 4.19.90 #1 +Hardware name: linux,dummy-virt (DT) +Call trace: + dump_backtrace+0x0/0x3f0 arch/arm64/kernel/time.c:78 + show_stack+0x28/0x38 arch/arm64/kernel/traps.c:158 + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x170/0x1dc lib/dump_stack.c:118 + ubsan_epilogue+0x18/0xb4 lib/ubsan.c:161 + handle_overflow+0x188/0x1dc lib/ubsan.c:192 + __ubsan_handle_sub_overflow+0x34/0x44 lib/ubsan.c:206 + __block_write_full_page+0x94c/0xa20 fs/buffer.c:1709 + block_write_full_page+0x1f0/0x280 fs/buffer.c:2934 + blkdev_writepage+0x34/0x40 fs/block_dev.c:607 + __writepage+0x68/0xe8 mm/page-writeback.c:2305 + write_cache_pages+0x44c/0xc70 mm/page-writeback.c:2240 + generic_writepages+0xdc/0x148 mm/page-writeback.c:2329 + blkdev_writepages+0x2c/0x38 fs/block_dev.c:2114 + do_writepages+0xd4/0x250 mm/page-writeback.c:2344 + +The reason for triggering this warning is __block_write_full_page() +-> i_size_read(inode) - 1 overflow. +inode->i_size is assigned in __nbd_ioctl() -> nbd_set_size() -> bytesize. +We think it is necessary to limit the size of arg to prevent errors. + +Moreover, __nbd_ioctl() -> nbd_add_socket(), arg will be cast to int. +Assuming the value of arg is 0x80000000000000001) (on a 64-bit machine), +it will become 1 after the coercion, which will return unexpected results. + +Fix it by adding checks to prevent passing in too large numbers. + +Signed-off-by: Zhong Jinghua +Reviewed-by: Yu Kuai +Reviewed-by: Josef Bacik +Link: https://lore.kernel.org/r/20230206145805.2645671-1-zhongjinghua@huawei.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/block/nbd.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c +index 592cfa8b..e1c95409 100644 +--- a/drivers/block/nbd.c ++++ b/drivers/block/nbd.c +@@ -325,6 +325,9 @@ static int nbd_set_size(struct nbd_device *nbd, loff_t bytesize, + if (blk_validate_block_size(blksize)) + return -EINVAL; + ++ if (bytesize < 0) ++ return -EINVAL; ++ + nbd->config->bytesize = bytesize; + nbd->config->blksize_bits = __ffs(blksize); + +@@ -1111,6 +1114,9 @@ static int nbd_add_socket(struct nbd_device *nbd, unsigned long arg, + struct nbd_sock *nsock; + int err; + ++ /* Arg will be cast to int, check it to avoid overflow */ ++ if (arg > INT_MAX) ++ return -EINVAL; + sock = nbd_get_socket(nbd, arg, &err); + if (!sock) + return err; +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-134-ipvs-Update-width-of-source-for-ip_vs_sync_conn.patch b/patches.kernel.org/6.3.4-134-ipvs-Update-width-of-source-for-ip_vs_sync_conn.patch new file mode 100644 index 0000000..60c251a --- /dev/null +++ b/patches.kernel.org/6.3.4-134-ipvs-Update-width-of-source-for-ip_vs_sync_conn.patch @@ -0,0 +1,91 @@ +From: Simon Horman +Date: Mon, 17 Apr 2023 17:10:45 +0200 +Subject: [PATCH] ipvs: Update width of source for ip_vs_sync_conn_options +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: e3478c68f6704638d08f437cbc552ca5970c151a + +[ Upstream commit e3478c68f6704638d08f437cbc552ca5970c151a ] + +In ip_vs_sync_conn_v0() copy is made to struct ip_vs_sync_conn_options. +That structure looks like this: + +struct ip_vs_sync_conn_options { + struct ip_vs_seq in_seq; + struct ip_vs_seq out_seq; +}; + +The source of the copy is the in_seq field of struct ip_vs_conn. Whose +type is struct ip_vs_seq. Thus we can see that the source - is not as +wide as the amount of data copied, which is the width of struct +ip_vs_sync_conn_option. + +The copy is safe because the next field in is another struct ip_vs_seq. +Make use of struct_group() to annotate this. + +Flagged by gcc-13 as: + + In file included from ./include/linux/string.h:254, + from ./include/linux/bitmap.h:11, + from ./include/linux/cpumask.h:12, + from ./arch/x86/include/asm/paravirt.h:17, + from ./arch/x86/include/asm/cpuid.h:62, + from ./arch/x86/include/asm/processor.h:19, + from ./arch/x86/include/asm/timex.h:5, + from ./include/linux/timex.h:67, + from ./include/linux/time32.h:13, + from ./include/linux/time.h:60, + from ./include/linux/stat.h:19, + from ./include/linux/module.h:13, + from net/netfilter/ipvs/ip_vs_sync.c:38: + In function 'fortify_memcpy_chk', + inlined from 'ip_vs_sync_conn_v0' at net/netfilter/ipvs/ip_vs_sync.c:606:3: + ./include/linux/fortify-string.h:529:25: error: call to '__read_overflow2_field' declared with attribute warning: detected read beyond size of field (2nd parameter); maybe use struct_group()? [-Werror=attribute-warning] + 529 | __read_overflow2_field(q_size_field, size); + | + +Compile tested only. + +Signed-off-by: Simon Horman +Reviewed-by: Horatiu Vultur +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + include/net/ip_vs.h | 6 ++++-- + net/netfilter/ipvs/ip_vs_sync.c | 2 +- + 2 files changed, 5 insertions(+), 3 deletions(-) + +diff --git a/include/net/ip_vs.h b/include/net/ip_vs.h +index 6d71a5ff..e20f1f92 100644 +--- a/include/net/ip_vs.h ++++ b/include/net/ip_vs.h +@@ -630,8 +630,10 @@ struct ip_vs_conn { + */ + struct ip_vs_app *app; /* bound ip_vs_app object */ + void *app_data; /* Application private data */ +- struct ip_vs_seq in_seq; /* incoming seq. struct */ +- struct ip_vs_seq out_seq; /* outgoing seq. struct */ ++ struct_group(sync_conn_opt, ++ struct ip_vs_seq in_seq; /* incoming seq. struct */ ++ struct ip_vs_seq out_seq; /* outgoing seq. struct */ ++ ); + + const struct ip_vs_pe *pe; + char *pe_data; +diff --git a/net/netfilter/ipvs/ip_vs_sync.c b/net/netfilter/ipvs/ip_vs_sync.c +index 4963fec8..d4fe7bb4 100644 +--- a/net/netfilter/ipvs/ip_vs_sync.c ++++ b/net/netfilter/ipvs/ip_vs_sync.c +@@ -603,7 +603,7 @@ static void ip_vs_sync_conn_v0(struct netns_ipvs *ipvs, struct ip_vs_conn *cp, + if (cp->flags & IP_VS_CONN_F_SEQ_MASK) { + struct ip_vs_sync_conn_options *opt = + (struct ip_vs_sync_conn_options *)&s[1]; +- memcpy(opt, &cp->in_seq, sizeof(*opt)); ++ memcpy(opt, &cp->sync_conn_opt, sizeof(*opt)); + } + + m->nr_conns++; +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-135-Bluetooth-btusb-Add-new-PID-VID-04ca-3801-for-M.patch b/patches.kernel.org/6.3.4-135-Bluetooth-btusb-Add-new-PID-VID-04ca-3801-for-M.patch new file mode 100644 index 0000000..6f8390d --- /dev/null +++ b/patches.kernel.org/6.3.4-135-Bluetooth-btusb-Add-new-PID-VID-04ca-3801-for-M.patch @@ -0,0 +1,75 @@ +From: Meng Tang +Date: Tue, 28 Feb 2023 13:55:17 +0800 +Subject: [PATCH] Bluetooth: btusb: Add new PID/VID 04ca:3801 for MT7663 +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 13209415d0e88396d99d346b184864834d70d68a + +[ Upstream commit 13209415d0e88396d99d346b184864834d70d68a ] + +This bluetooth device is found in a combo WLAN/BT card +for a MediaTek 7663. + +Tested on Acer Aspire A315-24P Notebook + +The device information: + +T: Bus=01 Lev=01 Prnt=01 Port=01 Cnt=01 Dev#= 2 Spd=480 MxCh= 0 +D: Ver= 2.10 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=04ca ProdID=3801 Rev= 1.00 +S: Manufacturer=MediaTek Inc. +S: Product=Wireless_Device +S: SerialNumber=000000000 +C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA +A: FirstIf#= 0 IfCount= 2 Cls=e0(wlcon) Sub=01 Prot=01 +I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=125us +E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms +I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms +I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms +I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms +I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms +I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms +I: If#= 1 Alt= 6 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 63 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 63 Ivl=1ms + +Signed-off-by: Meng Tang +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/bluetooth/btusb.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c +index 5c536151..683556dc 100644 +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -558,6 +558,9 @@ static const struct usb_device_id blacklist_table[] = { + { USB_DEVICE(0x043e, 0x310c), .driver_info = BTUSB_MEDIATEK | + BTUSB_WIDEBAND_SPEECH | + BTUSB_VALID_LE_STATES }, ++ { USB_DEVICE(0x04ca, 0x3801), .driver_info = BTUSB_MEDIATEK | ++ BTUSB_WIDEBAND_SPEECH | ++ BTUSB_VALID_LE_STATES }, + + /* Additional MediaTek MT7668 Bluetooth devices */ + { USB_DEVICE(0x043e, 0x3109), .driver_info = BTUSB_MEDIATEK | +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-136-Bluetooth-Add-new-quirk-for-broken-local-ext-fe.patch b/patches.kernel.org/6.3.4-136-Bluetooth-Add-new-quirk-for-broken-local-ext-fe.patch new file mode 100644 index 0000000..b3cb2af --- /dev/null +++ b/patches.kernel.org/6.3.4-136-Bluetooth-Add-new-quirk-for-broken-local-ext-fe.patch @@ -0,0 +1,66 @@ +From: Vasily Khoruzhick +Date: Tue, 7 Mar 2023 23:17:30 +0100 +Subject: [PATCH] Bluetooth: Add new quirk for broken local ext features page 2 +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 8194f1ef5a815aea815a91daf2c721eab2674f1f + +[ Upstream commit 8194f1ef5a815aea815a91daf2c721eab2674f1f ] + +Some adapters (e.g. RTL8723CS) advertise that they have more than +2 pages for local ext features, but they don't support any features +declared in these pages. RTL8723CS reports max_page = 2 and declares +support for sync train and secure connection, but it responds with +either garbage or with error in status on corresponding commands. + +Signed-off-by: Vasily Khoruzhick +Signed-off-by: Bastian Germann +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + include/net/bluetooth/hci.h | 7 +++++++ + net/bluetooth/hci_event.c | 9 +++++++-- + 2 files changed, 14 insertions(+), 2 deletions(-) + +diff --git a/include/net/bluetooth/hci.h b/include/net/bluetooth/hci.h +index 400f8a7d..997107bf 100644 +--- a/include/net/bluetooth/hci.h ++++ b/include/net/bluetooth/hci.h +@@ -294,6 +294,13 @@ enum { + * during the hdev->setup vendor callback. + */ + HCI_QUIRK_BROKEN_MWS_TRANSPORT_CONFIG, ++ ++ /* When this quirk is set, max_page for local extended features ++ * is set to 1, even if controller reports higher number. Some ++ * controllers (e.g. RTL8723CS) report more pages, but they ++ * don't actually support features declared there. ++ */ ++ HCI_QUIRK_BROKEN_LOCAL_EXT_FEATURES_PAGE_2, + }; + + /* HCI device flags */ +diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c +index e87c928c..51f13518 100644 +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -886,8 +886,13 @@ static u8 hci_cc_read_local_ext_features(struct hci_dev *hdev, void *data, + if (rp->status) + return rp->status; + +- if (hdev->max_page < rp->max_page) +- hdev->max_page = rp->max_page; ++ if (hdev->max_page < rp->max_page) { ++ if (test_bit(HCI_QUIRK_BROKEN_LOCAL_EXT_FEATURES_PAGE_2, ++ &hdev->quirks)) ++ bt_dev_warn(hdev, "broken local ext features page 2"); ++ else ++ hdev->max_page = rp->max_page; ++ } + + if (rp->page < HCI_MAX_PAGES) + memcpy(hdev->features[rp->page], rp->features, 8); +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-137-Bluetooth-btrtl-add-support-for-the-RTL8723CS.patch b/patches.kernel.org/6.3.4-137-Bluetooth-btrtl-add-support-for-the-RTL8723CS.patch new file mode 100644 index 0000000..250cb79 --- /dev/null +++ b/patches.kernel.org/6.3.4-137-Bluetooth-btrtl-add-support-for-the-RTL8723CS.patch @@ -0,0 +1,295 @@ +From: Vasily Khoruzhick +Date: Tue, 7 Mar 2023 23:17:31 +0100 +Subject: [PATCH] Bluetooth: btrtl: add support for the RTL8723CS +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: c0123cb6c4c7fc2a42ead6cd7d3e82b8e1c25c6f + +[ Upstream commit c0123cb6c4c7fc2a42ead6cd7d3e82b8e1c25c6f ] + +The Realtek RTL8723CS is a SDIO WiFi chip. It also contains a Bluetooth +module which is connected via UART to the host. + +It shares lmp subversion with 8703B, so Realtek's userspace +initialization tool (rtk_hciattach) differentiates varieties of RTL8723CS +(CG, VF, XX) with RTL8703B using vendor's command to read chip type. + +Also this chip declares support for some features it doesn't support +so add a quirk to indicate that these features are broken. + +Signed-off-by: Vasily Khoruzhick +Signed-off-by: Bastian Germann +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/bluetooth/btrtl.c | 120 +++++++++++++++++++++++++++++++++++-- + drivers/bluetooth/btrtl.h | 5 ++ + drivers/bluetooth/hci_h5.c | 4 ++ + 3 files changed, 125 insertions(+), 4 deletions(-) + +diff --git a/drivers/bluetooth/btrtl.c b/drivers/bluetooth/btrtl.c +index 69c3fe64..44b672cc 100644 +--- a/drivers/bluetooth/btrtl.c ++++ b/drivers/bluetooth/btrtl.c +@@ -17,7 +17,11 @@ + + #define VERSION "0.1" + ++#define RTL_CHIP_8723CS_CG 3 ++#define RTL_CHIP_8723CS_VF 4 ++#define RTL_CHIP_8723CS_XX 5 + #define RTL_EPATCH_SIGNATURE "Realtech" ++#define RTL_ROM_LMP_8703B 0x8703 + #define RTL_ROM_LMP_8723A 0x1200 + #define RTL_ROM_LMP_8723B 0x8723 + #define RTL_ROM_LMP_8821A 0x8821 +@@ -30,6 +34,7 @@ + #define IC_MATCH_FL_HCIREV (1 << 1) + #define IC_MATCH_FL_HCIVER (1 << 2) + #define IC_MATCH_FL_HCIBUS (1 << 3) ++#define IC_MATCH_FL_CHIP_TYPE (1 << 4) + #define IC_INFO(lmps, hcir, hciv, bus) \ + .match_flags = IC_MATCH_FL_LMPSUBV | IC_MATCH_FL_HCIREV | \ + IC_MATCH_FL_HCIVER | IC_MATCH_FL_HCIBUS, \ +@@ -59,6 +64,7 @@ struct id_table { + __u16 hci_rev; + __u8 hci_ver; + __u8 hci_bus; ++ __u8 chip_type; + bool config_needed; + bool has_rom_version; + bool has_msft_ext; +@@ -99,6 +105,39 @@ static const struct id_table ic_id_table[] = { + .fw_name = "rtl_bt/rtl8723b_fw.bin", + .cfg_name = "rtl_bt/rtl8723b_config" }, + ++ /* 8723CS-CG */ ++ { .match_flags = IC_MATCH_FL_LMPSUBV | IC_MATCH_FL_CHIP_TYPE | ++ IC_MATCH_FL_HCIBUS, ++ .lmp_subver = RTL_ROM_LMP_8703B, ++ .chip_type = RTL_CHIP_8723CS_CG, ++ .hci_bus = HCI_UART, ++ .config_needed = true, ++ .has_rom_version = true, ++ .fw_name = "rtl_bt/rtl8723cs_cg_fw.bin", ++ .cfg_name = "rtl_bt/rtl8723cs_cg_config" }, ++ ++ /* 8723CS-VF */ ++ { .match_flags = IC_MATCH_FL_LMPSUBV | IC_MATCH_FL_CHIP_TYPE | ++ IC_MATCH_FL_HCIBUS, ++ .lmp_subver = RTL_ROM_LMP_8703B, ++ .chip_type = RTL_CHIP_8723CS_VF, ++ .hci_bus = HCI_UART, ++ .config_needed = true, ++ .has_rom_version = true, ++ .fw_name = "rtl_bt/rtl8723cs_vf_fw.bin", ++ .cfg_name = "rtl_bt/rtl8723cs_vf_config" }, ++ ++ /* 8723CS-XX */ ++ { .match_flags = IC_MATCH_FL_LMPSUBV | IC_MATCH_FL_CHIP_TYPE | ++ IC_MATCH_FL_HCIBUS, ++ .lmp_subver = RTL_ROM_LMP_8703B, ++ .chip_type = RTL_CHIP_8723CS_XX, ++ .hci_bus = HCI_UART, ++ .config_needed = true, ++ .has_rom_version = true, ++ .fw_name = "rtl_bt/rtl8723cs_xx_fw.bin", ++ .cfg_name = "rtl_bt/rtl8723cs_xx_config" }, ++ + /* 8723D */ + { IC_INFO(RTL_ROM_LMP_8723B, 0xd, 0x8, HCI_USB), + .config_needed = true, +@@ -208,7 +247,8 @@ static const struct id_table ic_id_table[] = { + }; + + static const struct id_table *btrtl_match_ic(u16 lmp_subver, u16 hci_rev, +- u8 hci_ver, u8 hci_bus) ++ u8 hci_ver, u8 hci_bus, ++ u8 chip_type) + { + int i; + +@@ -225,6 +265,9 @@ static const struct id_table *btrtl_match_ic(u16 lmp_subver, u16 hci_rev, + if ((ic_id_table[i].match_flags & IC_MATCH_FL_HCIBUS) && + (ic_id_table[i].hci_bus != hci_bus)) + continue; ++ if ((ic_id_table[i].match_flags & IC_MATCH_FL_CHIP_TYPE) && ++ (ic_id_table[i].chip_type != chip_type)) ++ continue; + + break; + } +@@ -307,6 +350,7 @@ static int rtlbt_parse_firmware(struct hci_dev *hdev, + { RTL_ROM_LMP_8723B, 1 }, + { RTL_ROM_LMP_8821A, 2 }, + { RTL_ROM_LMP_8761A, 3 }, ++ { RTL_ROM_LMP_8703B, 7 }, + { RTL_ROM_LMP_8822B, 8 }, + { RTL_ROM_LMP_8723B, 9 }, /* 8723D */ + { RTL_ROM_LMP_8821A, 10 }, /* 8821C */ +@@ -587,6 +631,48 @@ static int btrtl_setup_rtl8723b(struct hci_dev *hdev, + return ret; + } + ++static bool rtl_has_chip_type(u16 lmp_subver) ++{ ++ switch (lmp_subver) { ++ case RTL_ROM_LMP_8703B: ++ return true; ++ default: ++ break; ++ } ++ ++ return false; ++} ++ ++static int rtl_read_chip_type(struct hci_dev *hdev, u8 *type) ++{ ++ struct rtl_chip_type_evt *chip_type; ++ struct sk_buff *skb; ++ const unsigned char cmd_buf[] = {0x00, 0x94, 0xa0, 0x00, 0xb0}; ++ ++ /* Read RTL chip type command */ ++ skb = __hci_cmd_sync(hdev, 0xfc61, 5, cmd_buf, HCI_INIT_TIMEOUT); ++ if (IS_ERR(skb)) { ++ rtl_dev_err(hdev, "Read chip type failed (%ld)", ++ PTR_ERR(skb)); ++ return PTR_ERR(skb); ++ } ++ ++ chip_type = skb_pull_data(skb, sizeof(*chip_type)); ++ if (!chip_type) { ++ rtl_dev_err(hdev, "RTL chip type event length mismatch"); ++ kfree_skb(skb); ++ return -EIO; ++ } ++ ++ rtl_dev_info(hdev, "chip_type status=%x type=%x", ++ chip_type->status, chip_type->type); ++ ++ *type = chip_type->type & 0x0f; ++ ++ kfree_skb(skb); ++ return 0; ++} ++ + void btrtl_free(struct btrtl_device_info *btrtl_dev) + { + kvfree(btrtl_dev->fw_data); +@@ -603,7 +689,7 @@ struct btrtl_device_info *btrtl_initialize(struct hci_dev *hdev, + struct hci_rp_read_local_version *resp; + char cfg_name[40]; + u16 hci_rev, lmp_subver; +- u8 hci_ver; ++ u8 hci_ver, chip_type = 0; + int ret; + u16 opcode; + u8 cmd[2]; +@@ -629,8 +715,14 @@ struct btrtl_device_info *btrtl_initialize(struct hci_dev *hdev, + hci_rev = le16_to_cpu(resp->hci_rev); + lmp_subver = le16_to_cpu(resp->lmp_subver); + ++ if (rtl_has_chip_type(lmp_subver)) { ++ ret = rtl_read_chip_type(hdev, &chip_type); ++ if (ret) ++ goto err_free; ++ } ++ + btrtl_dev->ic_info = btrtl_match_ic(lmp_subver, hci_rev, hci_ver, +- hdev->bus); ++ hdev->bus, chip_type); + + if (!btrtl_dev->ic_info) + btrtl_dev->drop_fw = true; +@@ -673,7 +765,7 @@ struct btrtl_device_info *btrtl_initialize(struct hci_dev *hdev, + lmp_subver = le16_to_cpu(resp->lmp_subver); + + btrtl_dev->ic_info = btrtl_match_ic(lmp_subver, hci_rev, hci_ver, +- hdev->bus); ++ hdev->bus, chip_type); + } + out_free: + kfree_skb(skb); +@@ -755,6 +847,7 @@ int btrtl_download_firmware(struct hci_dev *hdev, + case RTL_ROM_LMP_8761A: + case RTL_ROM_LMP_8822B: + case RTL_ROM_LMP_8852A: ++ case RTL_ROM_LMP_8703B: + return btrtl_setup_rtl8723b(hdev, btrtl_dev); + default: + rtl_dev_info(hdev, "assuming no firmware upload needed"); +@@ -795,6 +888,19 @@ void btrtl_set_quirks(struct hci_dev *hdev, struct btrtl_device_info *btrtl_dev) + rtl_dev_dbg(hdev, "WBS supported not enabled."); + break; + } ++ ++ switch (btrtl_dev->ic_info->lmp_subver) { ++ case RTL_ROM_LMP_8703B: ++ /* 8723CS reports two pages for local ext features, ++ * but it doesn't support any features from page 2 - ++ * it either responds with garbage or with error status ++ */ ++ set_bit(HCI_QUIRK_BROKEN_LOCAL_EXT_FEATURES_PAGE_2, ++ &hdev->quirks); ++ break; ++ default: ++ break; ++ } + } + EXPORT_SYMBOL_GPL(btrtl_set_quirks); + +@@ -953,6 +1059,12 @@ MODULE_FIRMWARE("rtl_bt/rtl8723b_fw.bin"); + MODULE_FIRMWARE("rtl_bt/rtl8723b_config.bin"); + MODULE_FIRMWARE("rtl_bt/rtl8723bs_fw.bin"); + MODULE_FIRMWARE("rtl_bt/rtl8723bs_config.bin"); ++MODULE_FIRMWARE("rtl_bt/rtl8723cs_cg_fw.bin"); ++MODULE_FIRMWARE("rtl_bt/rtl8723cs_cg_config.bin"); ++MODULE_FIRMWARE("rtl_bt/rtl8723cs_vf_fw.bin"); ++MODULE_FIRMWARE("rtl_bt/rtl8723cs_vf_config.bin"); ++MODULE_FIRMWARE("rtl_bt/rtl8723cs_xx_fw.bin"); ++MODULE_FIRMWARE("rtl_bt/rtl8723cs_xx_config.bin"); + MODULE_FIRMWARE("rtl_bt/rtl8723ds_fw.bin"); + MODULE_FIRMWARE("rtl_bt/rtl8723ds_config.bin"); + MODULE_FIRMWARE("rtl_bt/rtl8761a_fw.bin"); +diff --git a/drivers/bluetooth/btrtl.h b/drivers/bluetooth/btrtl.h +index ebf0101c..349d72ee 100644 +--- a/drivers/bluetooth/btrtl.h ++++ b/drivers/bluetooth/btrtl.h +@@ -14,6 +14,11 @@ + + struct btrtl_device_info; + ++struct rtl_chip_type_evt { ++ __u8 status; ++ __u8 type; ++} __packed; ++ + struct rtl_download_cmd { + __u8 index; + __u8 data[RTL_FRAG_LEN]; +diff --git a/drivers/bluetooth/hci_h5.c b/drivers/bluetooth/hci_h5.c +index 6455bc4f..e9067095 100644 +--- a/drivers/bluetooth/hci_h5.c ++++ b/drivers/bluetooth/hci_h5.c +@@ -936,6 +936,8 @@ static int h5_btrtl_setup(struct h5 *h5) + err = btrtl_download_firmware(h5->hu->hdev, btrtl_dev); + /* Give the device some time before the hci-core sends it a reset */ + usleep_range(10000, 20000); ++ if (err) ++ goto out_free; + + btrtl_set_quirks(h5->hu->hdev, btrtl_dev); + +@@ -1100,6 +1102,8 @@ static const struct of_device_id rtl_bluetooth_of_match[] = { + .data = (const void *)&h5_data_rtl8822cs }, + { .compatible = "realtek,rtl8723bs-bt", + .data = (const void *)&h5_data_rtl8723bs }, ++ { .compatible = "realtek,rtl8723cs-bt", ++ .data = (const void *)&h5_data_rtl8723bs }, + { .compatible = "realtek,rtl8723ds-bt", + .data = (const void *)&h5_data_rtl8723bs }, + #endif +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-138-Bluetooth-Improve-support-for-Actions-Semi-ATS2.patch b/patches.kernel.org/6.3.4-138-Bluetooth-Improve-support-for-Actions-Semi-ATS2.patch new file mode 100644 index 0000000..768d9d2 --- /dev/null +++ b/patches.kernel.org/6.3.4-138-Bluetooth-Improve-support-for-Actions-Semi-ATS2.patch @@ -0,0 +1,55 @@ +From: Raul Cheleguini +Date: Fri, 10 Mar 2023 15:14:10 +0000 +Subject: [PATCH] Bluetooth: Improve support for Actions Semi ATS2851 based + devices +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 7c2b2d2d0cb658aa543e11e90ae95621d3cb5fe6 + +[ Upstream commit 7c2b2d2d0cb658aa543e11e90ae95621d3cb5fe6 ] + +Add two more quirks to resume the device initialization and basic +operation as the device seems not to support "Read Transmit Power" +and "Set Extended Scan Parameters". + +< HCI Command: LE Read Transmit Power (0x08|0x004b) plen 0 +> HCI Event: Command Status (0x0f) plen 4 + LE Read Transmit Power (0x08|0x004b) ncmd 1 + Status: Unknown HCI Command (0x01) + +< HCI Command: LE Set Extended Scan Parameters (0x08|0x0041) plen 8 + Own address type: Random (0x01) + Filter policy: Accept all advertisement (0x00) + PHYs: 0x01 + Entry 0: LE 1M + Type: Active (0x01) + Interval: 11.250 msec (0x0012) + Window: 11.250 msec (0x0012) +> HCI Event: Command Status (0x0f) plen 4 + LE Set Extended Scan Parameters (0x08|0x0041) ncmd 1 + Status: Unknown HCI Command (0x01) + +Signed-off-by: Raul Cheleguini +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/bluetooth/btusb.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c +index 683556dc..1ab5663b 100644 +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -4105,6 +4105,8 @@ static int btusb_probe(struct usb_interface *intf, + if (id->driver_info & BTUSB_ACTIONS_SEMI) { + /* Support is advertised, but not implemented */ + set_bit(HCI_QUIRK_BROKEN_ERR_DATA_REPORTING, &hdev->quirks); ++ set_bit(HCI_QUIRK_BROKEN_READ_TRANSMIT_POWER, &hdev->quirks); ++ set_bit(HCI_QUIRK_BROKEN_EXT_SCAN, &hdev->quirks); + } + + if (!reset) +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-139-Bluetooth-btrtl-check-for-NULL-in-btrtl_set_qui.patch b/patches.kernel.org/6.3.4-139-Bluetooth-btrtl-check-for-NULL-in-btrtl_set_qui.patch new file mode 100644 index 0000000..569c3b4 --- /dev/null +++ b/patches.kernel.org/6.3.4-139-Bluetooth-btrtl-check-for-NULL-in-btrtl_set_qui.patch @@ -0,0 +1,40 @@ +From: Max Chou +Date: Tue, 21 Mar 2023 19:48:26 +0800 +Subject: [PATCH] Bluetooth: btrtl: check for NULL in btrtl_set_quirks() +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 253cf30e8d3d001850a95c4729d668f916b037ab + +[ Upstream commit 253cf30e8d3d001850a95c4729d668f916b037ab ] + +The btrtl_set_quirks() has accessed btrtl_dev->ic_info->lmp_subver since +b8e482d02513. However, if installing a Realtek Bluetooth controller +without the driver supported, it will hit the NULL point accessed. + +Add a check for NULL to avoid the Kernel Oops. + +Signed-off-by: Max Chou +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/bluetooth/btrtl.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/bluetooth/btrtl.c b/drivers/bluetooth/btrtl.c +index 44b672cc..7061621f 100644 +--- a/drivers/bluetooth/btrtl.c ++++ b/drivers/bluetooth/btrtl.c +@@ -889,6 +889,9 @@ void btrtl_set_quirks(struct hci_dev *hdev, struct btrtl_device_info *btrtl_dev) + break; + } + ++ if (!btrtl_dev->ic_info) ++ return; ++ + switch (btrtl_dev->ic_info->lmp_subver) { + case RTL_ROM_LMP_8703B: + /* 8723CS reports two pages for local ext features, +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-140-Bluetooth-btintel-Add-LE-States-quirk-support.patch b/patches.kernel.org/6.3.4-140-Bluetooth-btintel-Add-LE-States-quirk-support.patch new file mode 100644 index 0000000..ee97a57 --- /dev/null +++ b/patches.kernel.org/6.3.4-140-Bluetooth-btintel-Add-LE-States-quirk-support.patch @@ -0,0 +1,42 @@ +From: Chethan T N +Date: Tue, 21 Mar 2023 10:03:10 +0530 +Subject: [PATCH] Bluetooth: btintel: Add LE States quirk support +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 77f542b10c535c9a93bf8afdd2665524935807c2 + +[ Upstream commit 77f542b10c535c9a93bf8afdd2665524935807c2 ] + +Basically all Intel controllers support both Central/Peripheral +LE states. + +This patch enables the LE States quirk by default on all +Solar and Magnertor Intel controllers. + +Signed-off-by: Chethan T N +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/bluetooth/btintel.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/bluetooth/btintel.c b/drivers/bluetooth/btintel.c +index af774688..7a6dc055 100644 +--- a/drivers/bluetooth/btintel.c ++++ b/drivers/bluetooth/btintel.c +@@ -2684,9 +2684,8 @@ static int btintel_setup_combined(struct hci_dev *hdev) + */ + set_bit(HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED, &hdev->quirks); + +- /* Valid LE States quirk for GfP */ +- if (INTEL_HW_VARIANT(ver_tlv.cnvi_bt) == 0x18) +- set_bit(HCI_QUIRK_VALID_LE_STATES, &hdev->quirks); ++ /* Apply LE States quirk from solar onwards */ ++ set_bit(HCI_QUIRK_VALID_LE_STATES, &hdev->quirks); + + /* Setup MSFT Extension support */ + btintel_set_msft_opcode(hdev, +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-141-Bluetooth-hci_bcm-Fall-back-to-getting-bdaddr-f.patch b/patches.kernel.org/6.3.4-141-Bluetooth-hci_bcm-Fall-back-to-getting-bdaddr-f.patch new file mode 100644 index 0000000..657b906 --- /dev/null +++ b/patches.kernel.org/6.3.4-141-Bluetooth-hci_bcm-Fall-back-to-getting-bdaddr-f.patch @@ -0,0 +1,115 @@ +From: Hans de Goede +Date: Fri, 31 Mar 2023 23:11:21 +0200 +Subject: [PATCH] Bluetooth: hci_bcm: Fall back to getting bdaddr from EFI if + not set +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 0d218c3642b9ccf71f44987cd03c19320f3bd918 + +[ Upstream commit 0d218c3642b9ccf71f44987cd03c19320f3bd918 ] + +On some devices the BCM Bluetooth adapter does not have a valid bdaddr set. + +btbcm.c currently sets HCI_QUIRK_INVALID_BDADDR to indicate when this is +the case. But this requires users to manual setup a btaddr, by doing e.g.: + +btmgmt -i hci0 public-addr 'B0:F1:EC:82:1D:B3' + +Which means that Bluetooth will not work out of the box on such devices. +To avoid this (where possible) hci_bcm sets: HCI_QUIRK_USE_BDADDR_PROPERTY +which tries to get the bdaddr from devicetree. + +But this only works on devicetree platforms. On UEFI based platforms +there is a special Broadcom UEFI variable which when present contains +the devices bdaddr, just like how there is another UEFI variable which +contains wifi nvram contents including the wifi MAC address. + +Add support for getting the bdaddr from this Broadcom UEFI variable, +so that Bluetooth will work OOTB for users on devices where this +UEFI variable is present. + +This fixes Bluetooth not working on for example Asus T100HA 2-in-1s. + +Signed-off-by: Hans de Goede +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/bluetooth/btbcm.c | 47 ++++++++++++++++++++++++++++++++++++--- + 1 file changed, 44 insertions(+), 3 deletions(-) + +diff --git a/drivers/bluetooth/btbcm.c b/drivers/bluetooth/btbcm.c +index 43e98a59..de2ea589 100644 +--- a/drivers/bluetooth/btbcm.c ++++ b/drivers/bluetooth/btbcm.c +@@ -6,6 +6,7 @@ + * Copyright (C) 2015 Intel Corporation + */ + ++#include + #include + #include + #include +@@ -34,6 +35,43 @@ + /* For kmalloc-ing the fw-name array instead of putting it on the stack */ + typedef char bcm_fw_name[BCM_FW_NAME_LEN]; + ++#ifdef CONFIG_EFI ++static int btbcm_set_bdaddr_from_efi(struct hci_dev *hdev) ++{ ++ efi_guid_t guid = EFI_GUID(0x74b00bd9, 0x805a, 0x4d61, 0xb5, 0x1f, ++ 0x43, 0x26, 0x81, 0x23, 0xd1, 0x13); ++ bdaddr_t efi_bdaddr, bdaddr; ++ efi_status_t status; ++ unsigned long len; ++ int ret; ++ ++ if (!efi_rt_services_supported(EFI_RT_SUPPORTED_GET_VARIABLE)) ++ return -EOPNOTSUPP; ++ ++ len = sizeof(efi_bdaddr); ++ status = efi.get_variable(L"BDADDR", &guid, NULL, &len, &efi_bdaddr); ++ if (status != EFI_SUCCESS) ++ return -ENXIO; ++ ++ if (len != sizeof(efi_bdaddr)) ++ return -EIO; ++ ++ baswap(&bdaddr, &efi_bdaddr); ++ ++ ret = btbcm_set_bdaddr(hdev, &bdaddr); ++ if (ret) ++ return ret; ++ ++ bt_dev_info(hdev, "BCM: Using EFI device address (%pMR)", &bdaddr); ++ return 0; ++} ++#else ++static int btbcm_set_bdaddr_from_efi(struct hci_dev *hdev) ++{ ++ return -EOPNOTSUPP; ++} ++#endif ++ + int btbcm_check_bdaddr(struct hci_dev *hdev) + { + struct hci_rp_read_bd_addr *bda; +@@ -87,9 +125,12 @@ int btbcm_check_bdaddr(struct hci_dev *hdev) + !bacmp(&bda->bdaddr, BDADDR_BCM4345C5) || + !bacmp(&bda->bdaddr, BDADDR_BCM43430A0) || + !bacmp(&bda->bdaddr, BDADDR_BCM43341B)) { +- bt_dev_info(hdev, "BCM: Using default device address (%pMR)", +- &bda->bdaddr); +- set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks); ++ /* Try falling back to BDADDR EFI variable */ ++ if (btbcm_set_bdaddr_from_efi(hdev) != 0) { ++ bt_dev_info(hdev, "BCM: Using default device address (%pMR)", ++ &bda->bdaddr); ++ set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks); ++ } + } + + kfree_skb(skb); +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-142-Bluetooth-Add-new-quirk-for-broken-set-random-R.patch b/patches.kernel.org/6.3.4-142-Bluetooth-Add-new-quirk-for-broken-set-random-R.patch new file mode 100644 index 0000000..71dc2a9 --- /dev/null +++ b/patches.kernel.org/6.3.4-142-Bluetooth-Add-new-quirk-for-broken-set-random-R.patch @@ -0,0 +1,93 @@ +From: Raul Cheleguini +Date: Thu, 23 Mar 2023 10:45:39 -0300 +Subject: [PATCH] Bluetooth: Add new quirk for broken set random RPA timeout + for ATS2851 +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 91b6d02ddcd113352bdd895990b252065c596de7 + +[ Upstream commit 91b6d02ddcd113352bdd895990b252065c596de7 ] + +The ATS2851 based controller advertises support for command "LE Set Random +Private Address Timeout" but does not actually implement it, impeding the +controller initialization. + +Add the quirk HCI_QUIRK_BROKEN_SET_RPA_TIMEOUT to unblock the controller +initialization. + +< HCI Command: LE Set Resolvable Private... (0x08|0x002e) plen 2 + Timeout: 900 seconds +> HCI Event: Command Status (0x0f) plen 4 + LE Set Resolvable Private Address Timeout (0x08|0x002e) ncmd 1 + Status: Unknown HCI Command (0x01) + +Co-developed-by: imoc +Signed-off-by: imoc +Signed-off-by: Raul Cheleguini +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/bluetooth/btusb.c | 1 + + include/net/bluetooth/hci.h | 8 ++++++++ + net/bluetooth/hci_sync.c | 6 +++++- + 3 files changed, 14 insertions(+), 1 deletion(-) + +diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c +index 1ab5663b..09235822 100644 +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -4106,6 +4106,7 @@ static int btusb_probe(struct usb_interface *intf, + /* Support is advertised, but not implemented */ + set_bit(HCI_QUIRK_BROKEN_ERR_DATA_REPORTING, &hdev->quirks); + set_bit(HCI_QUIRK_BROKEN_READ_TRANSMIT_POWER, &hdev->quirks); ++ set_bit(HCI_QUIRK_BROKEN_SET_RPA_TIMEOUT, &hdev->quirks); + set_bit(HCI_QUIRK_BROKEN_EXT_SCAN, &hdev->quirks); + } + +diff --git a/include/net/bluetooth/hci.h b/include/net/bluetooth/hci.h +index 997107bf..07df96c4 100644 +--- a/include/net/bluetooth/hci.h ++++ b/include/net/bluetooth/hci.h +@@ -301,6 +301,14 @@ enum { + * don't actually support features declared there. + */ + HCI_QUIRK_BROKEN_LOCAL_EXT_FEATURES_PAGE_2, ++ ++ /* ++ * When this quirk is set, the HCI_OP_LE_SET_RPA_TIMEOUT command is ++ * skipped during initialization. This is required for the Actions ++ * Semiconductor ATS2851 based controllers, which erroneously claims ++ * to support it. ++ */ ++ HCI_QUIRK_BROKEN_SET_RPA_TIMEOUT, + }; + + /* HCI device flags */ +diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c +index 632be126..b65ee3a3 100644 +--- a/net/bluetooth/hci_sync.c ++++ b/net/bluetooth/hci_sync.c +@@ -4093,7 +4093,8 @@ static int hci_le_set_rpa_timeout_sync(struct hci_dev *hdev) + { + __le16 timeout = cpu_to_le16(hdev->rpa_timeout); + +- if (!(hdev->commands[35] & 0x04)) ++ if (!(hdev->commands[35] & 0x04) || ++ test_bit(HCI_QUIRK_BROKEN_SET_RPA_TIMEOUT, &hdev->quirks)) + return 0; + + return __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_RPA_TIMEOUT, +@@ -4533,6 +4534,9 @@ static const struct { + "HCI Set Event Filter command not supported."), + HCI_QUIRK_BROKEN(ENHANCED_SETUP_SYNC_CONN, + "HCI Enhanced Setup Synchronous Connection command is " ++ "advertised, but not supported."), ++ HCI_QUIRK_BROKEN(SET_RPA_TIMEOUT, ++ "HCI LE Set Random Private Address Timeout command is " + "advertised, but not supported.") + }; + +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-143-Bluetooth-L2CAP-fix-bad-unlock-balance-in-l2cap.patch b/patches.kernel.org/6.3.4-143-Bluetooth-L2CAP-fix-bad-unlock-balance-in-l2cap.patch new file mode 100644 index 0000000..3d7a7ff --- /dev/null +++ b/patches.kernel.org/6.3.4-143-Bluetooth-L2CAP-fix-bad-unlock-balance-in-l2cap.patch @@ -0,0 +1,39 @@ +From: Min Li +Date: Mon, 17 Apr 2023 10:27:54 +0800 +Subject: [PATCH] Bluetooth: L2CAP: fix "bad unlock balance" in + l2cap_disconnect_rsp +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 25e97f7b1866e6b8503be349eeea44bb52d661ce + +[ Upstream commit 25e97f7b1866e6b8503be349eeea44bb52d661ce ] + +conn->chan_lock isn't acquired before l2cap_get_chan_by_scid, +if l2cap_get_chan_by_scid returns NULL, then 'bad unlock balance' +is triggered. + +Reported-by: syzbot+9519d6b5b79cf7787cf3@syzkaller.appspotmail.com +Link: https://lore.kernel.org/all/000000000000894f5f05f95e9f4d@google.com/ +Signed-off-by: Min Li +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + net/bluetooth/l2cap_core.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c +index 55a72262..24d07528 100644 +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -4694,7 +4694,6 @@ static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, + + chan = l2cap_get_chan_by_scid(conn, scid); + if (!chan) { +- mutex_unlock(&conn->chan_lock); + return 0; + } + +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-144-Bluetooth-btrtl-Add-the-support-for-RTL8851B.patch b/patches.kernel.org/6.3.4-144-Bluetooth-btrtl-Add-the-support-for-RTL8851B.patch new file mode 100644 index 0000000..b3570c6 --- /dev/null +++ b/patches.kernel.org/6.3.4-144-Bluetooth-btrtl-Add-the-support-for-RTL8851B.patch @@ -0,0 +1,144 @@ +From: Max Chou +Date: Tue, 18 Apr 2023 13:43:54 +0800 +Subject: [PATCH] Bluetooth: btrtl: Add the support for RTL8851B +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 7948fe1c92d92313eea5453f83deb7f0141355e8 + +[ Upstream commit 7948fe1c92d92313eea5453f83deb7f0141355e8 ] + +Add the support for RTL8851B BT controller on USB interface. +The necessary firmware will be submitted to linux-firmware project. + +Note that the Bluetooth devices WITH the VID=0x0bda would be set the +feature quirk in btrtl_setup_realtek(). It's able to ignore the +feature flag set for the specific VID and PID in blacklist_table[] of +btusb.c. (check [1]) + +If Realtek Bluetooth chips WITHOUT the VID=0x0bda, it shall be added +the feature flag for the specific VID and PID in blacklist_table[] of +btusb.c. (check [2]) + +[1] '9ab9235fe5cf ("Bluetooth: btrtl: Enable WBS for the specific + Realtek devices")' +[2] '73280f13c9bb ("Bluetooth: btusb: Add the more support IDs for + Realtek RTL8822CE")' + +The device info from /sys/kernel/debug/usb/devices as below. + +T: Bus=03 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 33 Spd=480 MxCh= 0 +D: Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=0bda ProdID=b851 Rev= 0.00 +S: Manufacturer=Realtek +S: Product=802.11ax WLAN Adapter +S: SerialNumber=00E04C885A01 +C:* #Ifs= 3 Cfg#= 1 Atr=80 MxPwr=500mA +A: FirstIf#= 0 IfCount= 2 Cls=e0(wlcon) Sub=01 Prot=01 +I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms +E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms +I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms +I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms +I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms +I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms +I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms +I:* If#= 2 Alt= 0 #EPs= 8 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) +E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=06(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=07(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=09(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=0a(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=0b(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=0c(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms + +Signed-off-by: Max Chou +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/bluetooth/btrtl.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/drivers/bluetooth/btrtl.c b/drivers/bluetooth/btrtl.c +index 7061621f..4fbb282c 100644 +--- a/drivers/bluetooth/btrtl.c ++++ b/drivers/bluetooth/btrtl.c +@@ -28,6 +28,7 @@ + #define RTL_ROM_LMP_8761A 0x8761 + #define RTL_ROM_LMP_8822B 0x8822 + #define RTL_ROM_LMP_8852A 0x8852 ++#define RTL_ROM_LMP_8851B 0x8851 + #define RTL_CONFIG_MAGIC 0x8723ab55 + + #define IC_MATCH_FL_LMPSUBV (1 << 0) +@@ -56,6 +57,7 @@ enum btrtl_chip_id { + CHIP_ID_8852A = 18, + CHIP_ID_8852B = 20, + CHIP_ID_8852C = 25, ++ CHIP_ID_8851B = 36, + }; + + struct id_table { +@@ -244,6 +246,14 @@ static const struct id_table ic_id_table[] = { + .has_msft_ext = true, + .fw_name = "rtl_bt/rtl8852cu_fw.bin", + .cfg_name = "rtl_bt/rtl8852cu_config" }, ++ ++ /* 8851B */ ++ { IC_INFO(RTL_ROM_LMP_8851B, 0xb, 0xc, HCI_USB), ++ .config_needed = false, ++ .has_rom_version = true, ++ .has_msft_ext = false, ++ .fw_name = "rtl_bt/rtl8851bu_fw.bin", ++ .cfg_name = "rtl_bt/rtl8851bu_config" }, + }; + + static const struct id_table *btrtl_match_ic(u16 lmp_subver, u16 hci_rev, +@@ -359,6 +369,7 @@ static int rtlbt_parse_firmware(struct hci_dev *hdev, + { RTL_ROM_LMP_8852A, 18 }, /* 8852A */ + { RTL_ROM_LMP_8852A, 20 }, /* 8852B */ + { RTL_ROM_LMP_8852A, 25 }, /* 8852C */ ++ { RTL_ROM_LMP_8851B, 36 }, /* 8851B */ + }; + + min_size = sizeof(struct rtl_epatch_header) + sizeof(extension_sig) + 3; +@@ -848,6 +859,7 @@ int btrtl_download_firmware(struct hci_dev *hdev, + case RTL_ROM_LMP_8822B: + case RTL_ROM_LMP_8852A: + case RTL_ROM_LMP_8703B: ++ case RTL_ROM_LMP_8851B: + return btrtl_setup_rtl8723b(hdev, btrtl_dev); + default: + rtl_dev_info(hdev, "assuming no firmware upload needed"); +@@ -872,6 +884,7 @@ void btrtl_set_quirks(struct hci_dev *hdev, struct btrtl_device_info *btrtl_dev) + case CHIP_ID_8852A: + case CHIP_ID_8852B: + case CHIP_ID_8852C: ++ case CHIP_ID_8851B: + set_bit(HCI_QUIRK_VALID_LE_STATES, &hdev->quirks); + set_bit(HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED, &hdev->quirks); + +@@ -1082,3 +1095,5 @@ MODULE_FIRMWARE("rtl_bt/rtl8852bu_fw.bin"); + MODULE_FIRMWARE("rtl_bt/rtl8852bu_config.bin"); + MODULE_FIRMWARE("rtl_bt/rtl8852cu_fw.bin"); + MODULE_FIRMWARE("rtl_bt/rtl8852cu_config.bin"); ++MODULE_FIRMWARE("rtl_bt/rtl8851bu_fw.bin"); ++MODULE_FIRMWARE("rtl_bt/rtl8851bu_config.bin"); +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-145-staging-rtl8192e-Replace-macro-RTL_PCI_DEVICE-w.patch b/patches.kernel.org/6.3.4-145-staging-rtl8192e-Replace-macro-RTL_PCI_DEVICE-w.patch new file mode 100644 index 0000000..c55b8d5 --- /dev/null +++ b/patches.kernel.org/6.3.4-145-staging-rtl8192e-Replace-macro-RTL_PCI_DEVICE-w.patch @@ -0,0 +1,59 @@ +From: Philipp Hortmann +Date: Thu, 23 Feb 2023 07:47:21 +0100 +Subject: [PATCH] staging: rtl8192e: Replace macro RTL_PCI_DEVICE with + PCI_DEVICE +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: fda2093860df4812d69052a8cf4997e53853a340 + +[ Upstream commit fda2093860df4812d69052a8cf4997e53853a340 ] + +Replace macro RTL_PCI_DEVICE with PCI_DEVICE to get rid of rtl819xp_ops +which is empty. + +Signed-off-by: Philipp Hortmann +Link: https://lore.kernel.org/r/8b45ee783fa91196b7c9d6fc840a189496afd2f4.1677133271.git.philipp.g.hortmann@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/staging/rtl8192e/rtl8192e/rtl_core.c | 6 +++--- + drivers/staging/rtl8192e/rtl8192e/rtl_core.h | 5 ----- + 2 files changed, 3 insertions(+), 8 deletions(-) + +diff --git a/drivers/staging/rtl8192e/rtl8192e/rtl_core.c b/drivers/staging/rtl8192e/rtl8192e/rtl_core.c +index 72d76dc7..92552ce3 100644 +--- a/drivers/staging/rtl8192e/rtl8192e/rtl_core.c ++++ b/drivers/staging/rtl8192e/rtl8192e/rtl_core.c +@@ -48,9 +48,9 @@ static const struct rtl819x_ops rtl819xp_ops = { + }; + + static struct pci_device_id rtl8192_pci_id_tbl[] = { +- {RTL_PCI_DEVICE(0x10ec, 0x8192, rtl819xp_ops)}, +- {RTL_PCI_DEVICE(0x07aa, 0x0044, rtl819xp_ops)}, +- {RTL_PCI_DEVICE(0x07aa, 0x0047, rtl819xp_ops)}, ++ {PCI_DEVICE(0x10ec, 0x8192)}, ++ {PCI_DEVICE(0x07aa, 0x0044)}, ++ {PCI_DEVICE(0x07aa, 0x0047)}, + {} + }; + +diff --git a/drivers/staging/rtl8192e/rtl8192e/rtl_core.h b/drivers/staging/rtl8192e/rtl8192e/rtl_core.h +index fd96eef9..bbc1c4ba 100644 +--- a/drivers/staging/rtl8192e/rtl8192e/rtl_core.h ++++ b/drivers/staging/rtl8192e/rtl8192e/rtl_core.h +@@ -55,11 +55,6 @@ + #define IS_HARDWARE_TYPE_8192SE(_priv) \ + (((struct r8192_priv *)rtllib_priv(dev))->card_8192 == NIC_8192SE) + +-#define RTL_PCI_DEVICE(vend, dev, cfg) \ +- .vendor = (vend), .device = (dev), \ +- .subvendor = PCI_ANY_ID, .subdevice = PCI_ANY_ID, \ +- .driver_data = (kernel_ulong_t)&(cfg) +- + #define TOTAL_CAM_ENTRY 32 + #define CAM_CONTENT_COUNT 8 + +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-146-HID-apple-Set-the-tilde-quirk-flag-on-the-Geyse.patch b/patches.kernel.org/6.3.4-146-HID-apple-Set-the-tilde-quirk-flag-on-the-Geyse.patch new file mode 100644 index 0000000..b697c50 --- /dev/null +++ b/patches.kernel.org/6.3.4-146-HID-apple-Set-the-tilde-quirk-flag-on-the-Geyse.patch @@ -0,0 +1,102 @@ +From: Alex Henrie +Date: Sun, 26 Feb 2023 20:06:13 -0700 +Subject: [PATCH] HID: apple: Set the tilde quirk flag on the Geyser 4 and + later +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: c3388ddc74a863466c7c3fa24d3a9cea9c9bca53 + +[ Upstream commit c3388ddc74a863466c7c3fa24d3a9cea9c9bca53 ] + +I recently tested several old MacBooks and as far as I can tell, all +MacBooks that have an ISO keyboard have the tilde key quirk: + +Product Model Year System CPU Shape Labels Country Quirky +============================================================================ +05ac:021b A1181 2006 MacBook2,1 T5600 ISO British 13 Yes +05ac:021b A1181 2007 MacBook2,1 T7200 ISO Québécois 13 Yes +05ac:0229 A1181 2007 MacBook4,1 T8300 ANSI Usonian 33 No +05ac:022a A1181 2007 MacBook4,1 T8100 ISO English 13 Yes +05ac:022a A1181 2007 MacBook5,2 P7350 ISO Québécois 13 Yes +05ac:0237 A1278 2008 MacBook5,1 P7350 ISO Dutch 13 Yes +05ac:0237 A1278 2009 MacBook5,5 P7550 ISO British 13 Yes + +The model number and year are from the laptop case. Since Apple printed +the same model and year on many different laptops, the system name (as +reported in the SMBIOS tables) and CPU form a more precise identifier. + +Signed-off-by: Alex Henrie +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/hid/hid-apple.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +diff --git a/drivers/hid/hid-apple.c b/drivers/hid/hid-apple.c +index 1ccab8aa..5c145775 100644 +--- a/drivers/hid/hid-apple.c ++++ b/drivers/hid/hid-apple.c +@@ -882,7 +882,8 @@ static const struct hid_device_id apple_devices[] = { + { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_GEYSER4_ANSI), + .driver_data = APPLE_NUMLOCK_EMULATION | APPLE_HAS_FN }, + { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_GEYSER4_ISO), +- .driver_data = APPLE_NUMLOCK_EMULATION | APPLE_HAS_FN }, ++ .driver_data = APPLE_NUMLOCK_EMULATION | APPLE_HAS_FN | ++ APPLE_ISO_TILDE_QUIRK }, + { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_GEYSER4_JIS), + .driver_data = APPLE_NUMLOCK_EMULATION | APPLE_HAS_FN | + APPLE_RDESC_JIS }, +@@ -901,7 +902,8 @@ static const struct hid_device_id apple_devices[] = { + { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_GEYSER4_HF_ANSI), + .driver_data = APPLE_NUMLOCK_EMULATION | APPLE_HAS_FN }, + { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_GEYSER4_HF_ISO), +- .driver_data = APPLE_NUMLOCK_EMULATION | APPLE_HAS_FN }, ++ .driver_data = APPLE_NUMLOCK_EMULATION | APPLE_HAS_FN | ++ APPLE_ISO_TILDE_QUIRK }, + { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_GEYSER4_HF_JIS), + .driver_data = APPLE_NUMLOCK_EMULATION | APPLE_HAS_FN | + APPLE_RDESC_JIS }, +@@ -942,31 +944,31 @@ static const struct hid_device_id apple_devices[] = { + { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_WELLSPRING_ANSI), + .driver_data = APPLE_HAS_FN }, + { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_WELLSPRING_ISO), +- .driver_data = APPLE_HAS_FN }, ++ .driver_data = APPLE_HAS_FN | APPLE_ISO_TILDE_QUIRK }, + { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_WELLSPRING_JIS), + .driver_data = APPLE_HAS_FN | APPLE_RDESC_JIS }, + { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_WELLSPRING2_ANSI), + .driver_data = APPLE_HAS_FN }, + { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_WELLSPRING2_ISO), +- .driver_data = APPLE_HAS_FN }, ++ .driver_data = APPLE_HAS_FN | APPLE_ISO_TILDE_QUIRK }, + { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_WELLSPRING2_JIS), + .driver_data = APPLE_HAS_FN | APPLE_RDESC_JIS }, + { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_WELLSPRING3_ANSI), + .driver_data = APPLE_HAS_FN }, + { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_WELLSPRING3_ISO), +- .driver_data = APPLE_HAS_FN }, ++ .driver_data = APPLE_HAS_FN | APPLE_ISO_TILDE_QUIRK }, + { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_WELLSPRING3_JIS), + .driver_data = APPLE_HAS_FN | APPLE_RDESC_JIS }, + { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_WELLSPRING4_ANSI), + .driver_data = APPLE_HAS_FN }, + { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_WELLSPRING4_ISO), +- .driver_data = APPLE_HAS_FN }, ++ .driver_data = APPLE_HAS_FN | APPLE_ISO_TILDE_QUIRK }, + { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_WELLSPRING4_JIS), + .driver_data = APPLE_HAS_FN | APPLE_RDESC_JIS }, + { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_WELLSPRING4A_ANSI), + .driver_data = APPLE_HAS_FN }, + { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_WELLSPRING4A_ISO), +- .driver_data = APPLE_HAS_FN }, ++ .driver_data = APPLE_HAS_FN | APPLE_ISO_TILDE_QUIRK }, + { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_WELLSPRING4A_JIS), + .driver_data = APPLE_HAS_FN | APPLE_RDESC_JIS }, + { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_WELLSPRING5_ANSI), +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-147-iio-imu-st_lsm6dsx-discard-samples-during-filte.patch b/patches.kernel.org/6.3.4-147-iio-imu-st_lsm6dsx-discard-samples-during-filte.patch new file mode 100644 index 0000000..45f9beb --- /dev/null +++ b/patches.kernel.org/6.3.4-147-iio-imu-st_lsm6dsx-discard-samples-during-filte.patch @@ -0,0 +1,200 @@ +From: Lorenzo Bianconi +Date: Mon, 27 Feb 2023 12:14:56 +0100 +Subject: [PATCH] iio: imu: st_lsm6dsx: discard samples during filters settling + time +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: db3c490503bee4d0611f9fc17fcd8cfe6fcdbcad + +[ Upstream commit db3c490503bee4d0611f9fc17fcd8cfe6fcdbcad ] + +During digital filters settling time the driver is expected to drop +samples since they can be corrupted. Introduce the capability to drop +a given number of samples according to the configured ODR. +Add sample_to_discard for LSM6DSM-like sensors since new generation +devices (e.g. LSM6DSO) support DRDY mask where corrupted samples are +masked in hw with values greather than 0x7ffd so the driver can easily +discard them. +I have not added sample_to_discard support for LSM6DS3 or LSM6DS3H since +I do not have any sample for testing at the moment. + +Reported-by: Philippe De Muyter +Tested-by: Philippe De Muyter +Signed-off-by: Lorenzo Bianconi +Link: https://lore.kernel.org/r/21dcd94935c147ef9b1da4984b3da6264ee9609e.1677496295.git.lorenzo@kernel.org +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/iio/imu/st_lsm6dsx/st_lsm6dsx.h | 11 ++++ + .../iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c | 57 ++++++++++++++++--- + drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_core.c | 18 ++++++ + 3 files changed, 78 insertions(+), 8 deletions(-) + +diff --git a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx.h b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx.h +index 499fcf88..8e119d78 100644 +--- a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx.h ++++ b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx.h +@@ -137,6 +137,13 @@ struct st_lsm6dsx_odr_table_entry { + int odr_len; + }; + ++struct st_lsm6dsx_samples_to_discard { ++ struct { ++ u32 milli_hz; ++ u16 samples; ++ } val[ST_LSM6DSX_ODR_LIST_SIZE]; ++}; ++ + struct st_lsm6dsx_fs { + u32 gain; + u8 val; +@@ -291,6 +298,7 @@ struct st_lsm6dsx_ext_dev_settings { + * @irq_config: interrupts related registers. + * @drdy_mask: register info for data-ready mask (addr + mask). + * @odr_table: Hw sensors odr table (Hz + val). ++ * @samples_to_discard: Number of samples to discard for filters settling time. + * @fs_table: Hw sensors gain table (gain + val). + * @decimator: List of decimator register info (addr + mask). + * @batch: List of FIFO batching register info (addr + mask). +@@ -323,6 +331,7 @@ struct st_lsm6dsx_settings { + } irq_config; + struct st_lsm6dsx_reg drdy_mask; + struct st_lsm6dsx_odr_table_entry odr_table[2]; ++ struct st_lsm6dsx_samples_to_discard samples_to_discard[2]; + struct st_lsm6dsx_fs_table_entry fs_table[2]; + struct st_lsm6dsx_reg decimator[ST_LSM6DSX_MAX_ID]; + struct st_lsm6dsx_reg batch[ST_LSM6DSX_MAX_ID]; +@@ -353,6 +362,7 @@ enum st_lsm6dsx_fifo_mode { + * @hw: Pointer to instance of struct st_lsm6dsx_hw. + * @gain: Configured sensor sensitivity. + * @odr: Output data rate of the sensor [Hz]. ++ * @samples_to_discard: Number of samples to discard for filters settling time. + * @watermark: Sensor watermark level. + * @decimator: Sensor decimation factor. + * @sip: Number of samples in a given pattern. +@@ -367,6 +377,7 @@ struct st_lsm6dsx_sensor { + u32 gain; + u32 odr; + ++ u16 samples_to_discard; + u16 watermark; + u8 decimator; + u8 sip; +diff --git a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c +index 7dd5205a..f6c11d6f 100644 +--- a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c ++++ b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c +@@ -457,17 +457,31 @@ int st_lsm6dsx_read_fifo(struct st_lsm6dsx_hw *hw) + } + + if (gyro_sip > 0 && !(sip % gyro_sensor->decimator)) { +- iio_push_to_buffers_with_timestamp( +- hw->iio_devs[ST_LSM6DSX_ID_GYRO], +- &hw->scan[ST_LSM6DSX_ID_GYRO], +- gyro_sensor->ts_ref + ts); ++ /* ++ * We need to discards gyro samples during ++ * filters settling time ++ */ ++ if (gyro_sensor->samples_to_discard > 0) ++ gyro_sensor->samples_to_discard--; ++ else ++ iio_push_to_buffers_with_timestamp( ++ hw->iio_devs[ST_LSM6DSX_ID_GYRO], ++ &hw->scan[ST_LSM6DSX_ID_GYRO], ++ gyro_sensor->ts_ref + ts); + gyro_sip--; + } + if (acc_sip > 0 && !(sip % acc_sensor->decimator)) { +- iio_push_to_buffers_with_timestamp( +- hw->iio_devs[ST_LSM6DSX_ID_ACC], +- &hw->scan[ST_LSM6DSX_ID_ACC], +- acc_sensor->ts_ref + ts); ++ /* ++ * We need to discards accel samples during ++ * filters settling time ++ */ ++ if (acc_sensor->samples_to_discard > 0) ++ acc_sensor->samples_to_discard--; ++ else ++ iio_push_to_buffers_with_timestamp( ++ hw->iio_devs[ST_LSM6DSX_ID_ACC], ++ &hw->scan[ST_LSM6DSX_ID_ACC], ++ acc_sensor->ts_ref + ts); + acc_sip--; + } + if (ext_sip > 0 && !(sip % ext_sensor->decimator)) { +@@ -654,6 +668,30 @@ int st_lsm6dsx_flush_fifo(struct st_lsm6dsx_hw *hw) + return err; + } + ++static void ++st_lsm6dsx_update_samples_to_discard(struct st_lsm6dsx_sensor *sensor) ++{ ++ const struct st_lsm6dsx_samples_to_discard *data; ++ struct st_lsm6dsx_hw *hw = sensor->hw; ++ int i; ++ ++ if (sensor->id != ST_LSM6DSX_ID_GYRO && ++ sensor->id != ST_LSM6DSX_ID_ACC) ++ return; ++ ++ /* check if drdy mask is supported in hw */ ++ if (hw->settings->drdy_mask.addr) ++ return; ++ ++ data = &hw->settings->samples_to_discard[sensor->id]; ++ for (i = 0; i < ST_LSM6DSX_ODR_LIST_SIZE; i++) { ++ if (data->val[i].milli_hz == sensor->odr) { ++ sensor->samples_to_discard = data->val[i].samples; ++ return; ++ } ++ } ++} ++ + int st_lsm6dsx_update_fifo(struct st_lsm6dsx_sensor *sensor, bool enable) + { + struct st_lsm6dsx_hw *hw = sensor->hw; +@@ -673,6 +711,9 @@ int st_lsm6dsx_update_fifo(struct st_lsm6dsx_sensor *sensor, bool enable) + goto out; + } + ++ if (enable) ++ st_lsm6dsx_update_samples_to_discard(sensor); ++ + err = st_lsm6dsx_device_set_enable(sensor, enable); + if (err < 0) + goto out; +diff --git a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_core.c b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_core.c +index 3f6060c6..966df6ff 100644 +--- a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_core.c ++++ b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_core.c +@@ -634,6 +634,24 @@ static const struct st_lsm6dsx_settings st_lsm6dsx_sensor_settings[] = { + .fs_len = 4, + }, + }, ++ .samples_to_discard = { ++ [ST_LSM6DSX_ID_ACC] = { ++ .val[0] = { 12500, 1 }, ++ .val[1] = { 26000, 1 }, ++ .val[2] = { 52000, 1 }, ++ .val[3] = { 104000, 2 }, ++ .val[4] = { 208000, 2 }, ++ .val[5] = { 416000, 2 }, ++ }, ++ [ST_LSM6DSX_ID_GYRO] = { ++ .val[0] = { 12500, 2 }, ++ .val[1] = { 26000, 5 }, ++ .val[2] = { 52000, 7 }, ++ .val[3] = { 104000, 12 }, ++ .val[4] = { 208000, 20 }, ++ .val[5] = { 416000, 36 }, ++ }, ++ }, + .irq_config = { + .irq1 = { + .addr = 0x0d, +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-148-staging-axis-fifo-initialize-timeouts-in-init-o.patch b/patches.kernel.org/6.3.4-148-staging-axis-fifo-initialize-timeouts-in-init-o.patch new file mode 100644 index 0000000..306c5f5 --- /dev/null +++ b/patches.kernel.org/6.3.4-148-staging-axis-fifo-initialize-timeouts-in-init-o.patch @@ -0,0 +1,103 @@ +From: Khadija Kamran +Date: Fri, 17 Mar 2023 01:09:00 +0500 +Subject: [PATCH] staging: axis-fifo: initialize timeouts in init only +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 752cbd8f191678e86aa754f795546b7f06b7f171 + +[ Upstream commit 752cbd8f191678e86aa754f795546b7f06b7f171 ] + +Initialize the module parameters, read_timeout and write_timeout once in +init(). + +Module parameters can only be set once and cannot be modified later, so we +don't need to evaluate them again when passing the parameters to +wait_event_interruptible_timeout(). + +Convert datatype of {read,write}_timeout from 'int' to 'long int' because +implicit conversion of 'long int' to 'int' in statement +'{read,write}_timeout = MAX_SCHEDULE_TIMEOUT' results in an overflow. + +Change format specifier for {read,write}_timeout from %i to %li. + +Reviewed-by: Fabio M. De Francesco +Suggested-by: Greg Kroah-Hartman +Signed-off-by: Khadija Kamran +Link: https://lore.kernel.org/r/ZBN3XAsItCiTk7CV@khadija-virtual-machine +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/staging/axis-fifo/axis-fifo.c | 28 ++++++++++++++++----------- + 1 file changed, 17 insertions(+), 11 deletions(-) + +diff --git a/drivers/staging/axis-fifo/axis-fifo.c b/drivers/staging/axis-fifo/axis-fifo.c +index dfd2b357..0a85ea66 100644 +--- a/drivers/staging/axis-fifo/axis-fifo.c ++++ b/drivers/staging/axis-fifo/axis-fifo.c +@@ -103,17 +103,17 @@ + * globals + * ---------------------------- + */ +-static int read_timeout = 1000; /* ms to wait before read() times out */ +-static int write_timeout = 1000; /* ms to wait before write() times out */ ++static long read_timeout = 1000; /* ms to wait before read() times out */ ++static long write_timeout = 1000; /* ms to wait before write() times out */ + + /* ---------------------------- + * module command-line arguments + * ---------------------------- + */ + +-module_param(read_timeout, int, 0444); ++module_param(read_timeout, long, 0444); + MODULE_PARM_DESC(read_timeout, "ms to wait before blocking read() timing out; set to -1 for no timeout"); +-module_param(write_timeout, int, 0444); ++module_param(write_timeout, long, 0444); + MODULE_PARM_DESC(write_timeout, "ms to wait before blocking write() timing out; set to -1 for no timeout"); + + /* ---------------------------- +@@ -384,9 +384,7 @@ static ssize_t axis_fifo_read(struct file *f, char __user *buf, + mutex_lock(&fifo->read_lock); + ret = wait_event_interruptible_timeout(fifo->read_queue, + ioread32(fifo->base_addr + XLLF_RDFO_OFFSET), +- (read_timeout >= 0) ? +- msecs_to_jiffies(read_timeout) : +- MAX_SCHEDULE_TIMEOUT); ++ read_timeout); + + if (ret <= 0) { + if (ret == 0) { +@@ -528,9 +526,7 @@ static ssize_t axis_fifo_write(struct file *f, const char __user *buf, + ret = wait_event_interruptible_timeout(fifo->write_queue, + ioread32(fifo->base_addr + XLLF_TDFV_OFFSET) + >= words_to_write, +- (write_timeout >= 0) ? +- msecs_to_jiffies(write_timeout) : +- MAX_SCHEDULE_TIMEOUT); ++ write_timeout); + + if (ret <= 0) { + if (ret == 0) { +@@ -948,7 +944,17 @@ static struct platform_driver axis_fifo_driver = { + + static int __init axis_fifo_init(void) + { +- pr_info("axis-fifo driver loaded with parameters read_timeout = %i, write_timeout = %i\n", ++ if (read_timeout >= 0) ++ read_timeout = msecs_to_jiffies(read_timeout); ++ else ++ read_timeout = MAX_SCHEDULE_TIMEOUT; ++ ++ if (write_timeout >= 0) ++ write_timeout = msecs_to_jiffies(write_timeout); ++ else ++ write_timeout = MAX_SCHEDULE_TIMEOUT; ++ ++ pr_info("axis-fifo driver loaded with parameters read_timeout = %li, write_timeout = %li\n", + read_timeout, write_timeout); + return platform_driver_register(&axis_fifo_driver); + } +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-149-xhci-mem-Carefully-calculate-size-for-memory-al.patch b/patches.kernel.org/6.3.4-149-xhci-mem-Carefully-calculate-size-for-memory-al.patch new file mode 100644 index 0000000..1c53385 --- /dev/null +++ b/patches.kernel.org/6.3.4-149-xhci-mem-Carefully-calculate-size-for-memory-al.patch @@ -0,0 +1,73 @@ +From: Andy Shevchenko +Date: Fri, 17 Mar 2023 17:47:02 +0200 +Subject: [PATCH] xhci: mem: Carefully calculate size for memory allocations +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 347284984f415e52590373253c6943bbdc806ebf + +[ Upstream commit 347284984f415e52590373253c6943bbdc806ebf ] + +Carefully calculate size for memory allocations, i.e. with help +of size_mul() macro from overflow.h. + +Signed-off-by: Andy Shevchenko +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20230317154715.535523-2-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/usb/host/xhci-mem.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c +index d0a9467a..c385513a 100644 +--- a/drivers/usb/host/xhci-mem.c ++++ b/drivers/usb/host/xhci-mem.c +@@ -9,6 +9,7 @@ + */ + + #include ++#include + #include + #include + #include +@@ -568,7 +569,7 @@ static struct xhci_stream_ctx *xhci_alloc_stream_ctx(struct xhci_hcd *xhci, + gfp_t mem_flags) + { + struct device *dev = xhci_to_hcd(xhci)->self.sysdev; +- size_t size = sizeof(struct xhci_stream_ctx) * num_stream_ctxs; ++ size_t size = size_mul(sizeof(struct xhci_stream_ctx), num_stream_ctxs); + + if (size > MEDIUM_STREAM_ARRAY_SIZE) + return dma_alloc_coherent(dev, size, +@@ -1660,7 +1661,7 @@ static int scratchpad_alloc(struct xhci_hcd *xhci, gfp_t flags) + goto fail_sp; + + xhci->scratchpad->sp_array = dma_alloc_coherent(dev, +- num_sp * sizeof(u64), ++ size_mul(sizeof(u64), num_sp), + &xhci->scratchpad->sp_dma, flags); + if (!xhci->scratchpad->sp_array) + goto fail_sp2; +@@ -1799,7 +1800,7 @@ int xhci_alloc_erst(struct xhci_hcd *xhci, + struct xhci_segment *seg; + struct xhci_erst_entry *entry; + +- size = sizeof(struct xhci_erst_entry) * evt_ring->num_segs; ++ size = size_mul(sizeof(struct xhci_erst_entry), evt_ring->num_segs); + erst->entries = dma_alloc_coherent(xhci_to_hcd(xhci)->self.sysdev, + size, &erst->erst_dma_addr, flags); + if (!erst->entries) +@@ -1830,7 +1831,7 @@ xhci_free_interrupter(struct xhci_hcd *xhci, struct xhci_interrupter *ir) + if (!ir) + return; + +- erst_size = sizeof(struct xhci_erst_entry) * (ir->erst.num_entries); ++ erst_size = sizeof(struct xhci_erst_entry) * ir->erst.num_entries; + if (ir->erst.entries) + dma_free_coherent(dev, erst_size, + ir->erst.entries, +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-150-spi-intel-pci-Add-support-for-Meteor-Lake-S-SPI.patch b/patches.kernel.org/6.3.4-150-spi-intel-pci-Add-support-for-Meteor-Lake-S-SPI.patch new file mode 100644 index 0000000..10712f0 --- /dev/null +++ b/patches.kernel.org/6.3.4-150-spi-intel-pci-Add-support-for-Meteor-Lake-S-SPI.patch @@ -0,0 +1,38 @@ +From: Mika Westerberg +Date: Fri, 31 Mar 2023 08:28:12 +0300 +Subject: [PATCH] spi: intel-pci: Add support for Meteor Lake-S SPI serial + flash +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: c2912d42e86e494935722669e4d9eade69649072 + +[ Upstream commit c2912d42e86e494935722669e4d9eade69649072 ] + +Intel Meteor Lake-S has the same SPI serial flash controller as Meteor +Lake-P. Add Meteor Lake-S PCI ID to the driver list of supported +devices. + +Signed-off-by: Mika Westerberg +Link: https://lore.kernel.org/r/20230331052812.39983-1-mika.westerberg@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/spi/spi-intel-pci.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/spi/spi-intel-pci.c b/drivers/spi/spi-intel-pci.c +index 4d69e320..a7381e77 100644 +--- a/drivers/spi/spi-intel-pci.c ++++ b/drivers/spi/spi-intel-pci.c +@@ -83,6 +83,7 @@ static const struct pci_device_id intel_spi_pci_ids[] = { + { PCI_VDEVICE(INTEL, 0xa2a4), (unsigned long)&cnl_info }, + { PCI_VDEVICE(INTEL, 0xa324), (unsigned long)&cnl_info }, + { PCI_VDEVICE(INTEL, 0xa3a4), (unsigned long)&cnl_info }, ++ { PCI_VDEVICE(INTEL, 0xae23), (unsigned long)&cnl_info }, + { }, + }; + MODULE_DEVICE_TABLE(pci, intel_spi_pci_ids); +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-151-ASoC-amd-yc-Add-DMI-entries-to-support-HP-OMEN-.patch b/patches.kernel.org/6.3.4-151-ASoC-amd-yc-Add-DMI-entries-to-support-HP-OMEN-.patch new file mode 100644 index 0000000..4641c02 --- /dev/null +++ b/patches.kernel.org/6.3.4-151-ASoC-amd-yc-Add-DMI-entries-to-support-HP-OMEN-.patch @@ -0,0 +1,42 @@ +From: Prajna Sariputra +Date: Sun, 2 Apr 2023 02:21:30 +1100 +Subject: [PATCH] ASoC: amd: yc: Add DMI entries to support HP OMEN 16-n0xxx + (8A42) +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: ee4281de4d60288b9c802bb0906061ec355ecef2 + +[ Upstream commit ee4281de4d60288b9c802bb0906061ec355ecef2 ] + +This model requires an additional detection quirk to enable the internal microphone. + +Signed-off-by: Prajna Sariputra +Link: https://lore.kernel.org/r/2283110.ElGaqSPkdT@n0067ax-linux62 +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + sound/soc/amd/yc/acp6x-mach.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/sound/soc/amd/yc/acp6x-mach.c b/sound/soc/amd/yc/acp6x-mach.c +index 0acdf015..a428e17f 100644 +--- a/sound/soc/amd/yc/acp6x-mach.c ++++ b/sound/soc/amd/yc/acp6x-mach.c +@@ -262,6 +262,13 @@ static const struct dmi_system_id yc_acp_quirk_table[] = { + DMI_MATCH(DMI_PRODUCT_NAME, "OMEN by HP Gaming Laptop 16z-n000"), + } + }, ++ { ++ .driver_data = &acp6x_card, ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "HP"), ++ DMI_MATCH(DMI_BOARD_NAME, "8A42"), ++ } ++ }, + { + .driver_data = &acp6x_card, + .matches = { +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-152-HID-logitech-hidpp-Don-t-use-the-USB-serial-for.patch b/patches.kernel.org/6.3.4-152-HID-logitech-hidpp-Don-t-use-the-USB-serial-for.patch new file mode 100644 index 0000000..a3b6609 --- /dev/null +++ b/patches.kernel.org/6.3.4-152-HID-logitech-hidpp-Don-t-use-the-USB-serial-for.patch @@ -0,0 +1,102 @@ +From: Bastien Nocera +Date: Thu, 2 Mar 2023 14:01:16 +0100 +Subject: [PATCH] HID: logitech-hidpp: Don't use the USB serial for USB devices +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 7ad1fe0da0fa91bf920b79ab05ae97bfabecc4f4 + +[ Upstream commit 7ad1fe0da0fa91bf920b79ab05ae97bfabecc4f4 ] + +For devices that support the 0x0003 feature (Device Information) version 4, +set the serial based on the output of that feature, rather than relying +on the usbhid code setting the USB serial. + +This should allow the serial when connected through USB to (nearly) +match the one when connected through a unifying receiver. + +For example, on the serials on a G903 wired/wireless mouse: +- Unifying: 4067-e8-ce-cd-45 +- USB before patch: 017C385C3837 +- USB after patch: c086-e8-ce-cd-45 + +Signed-off-by: Bastien Nocera +Link: https://lore.kernel.org/r/20230302130117.3975-1-hadess@hadess.net +Signed-off-by: Benjamin Tissoires +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/hid/hid-logitech-hidpp.c | 51 ++++++++++++++++++++++++++++++++ + 1 file changed, 51 insertions(+) + +diff --git a/drivers/hid/hid-logitech-hidpp.c b/drivers/hid/hid-logitech-hidpp.c +index 5fc88a06..66380876 100644 +--- a/drivers/hid/hid-logitech-hidpp.c ++++ b/drivers/hid/hid-logitech-hidpp.c +@@ -947,6 +947,55 @@ static int hidpp_root_get_protocol_version(struct hidpp_device *hidpp) + return 0; + } + ++/* -------------------------------------------------------------------------- */ ++/* 0x0003: Device Information */ ++/* -------------------------------------------------------------------------- */ ++ ++#define HIDPP_PAGE_DEVICE_INFORMATION 0x0003 ++ ++#define CMD_GET_DEVICE_INFO 0x00 ++ ++static int hidpp_get_serial(struct hidpp_device *hidpp, u32 *serial) ++{ ++ struct hidpp_report response; ++ u8 feature_type; ++ u8 feature_index; ++ int ret; ++ ++ ret = hidpp_root_get_feature(hidpp, HIDPP_PAGE_DEVICE_INFORMATION, ++ &feature_index, ++ &feature_type); ++ if (ret) ++ return ret; ++ ++ ret = hidpp_send_fap_command_sync(hidpp, feature_index, ++ CMD_GET_DEVICE_INFO, ++ NULL, 0, &response); ++ if (ret) ++ return ret; ++ ++ /* See hidpp_unifying_get_serial() */ ++ *serial = *((u32 *)&response.rap.params[1]); ++ return 0; ++} ++ ++static int hidpp_serial_init(struct hidpp_device *hidpp) ++{ ++ struct hid_device *hdev = hidpp->hid_dev; ++ u32 serial; ++ int ret; ++ ++ ret = hidpp_get_serial(hidpp, &serial); ++ if (ret) ++ return ret; ++ ++ snprintf(hdev->uniq, sizeof(hdev->uniq), "%04x-%4phD", ++ hdev->product, &serial); ++ dbg_hid("HID++ DeviceInformation: Got serial: %s\n", hdev->uniq); ++ ++ return 0; ++} ++ + /* -------------------------------------------------------------------------- */ + /* 0x0005: GetDeviceNameType */ + /* -------------------------------------------------------------------------- */ +@@ -4210,6 +4259,8 @@ static int hidpp_probe(struct hid_device *hdev, const struct hid_device_id *id) + + if (hidpp->quirks & HIDPP_QUIRK_UNIFYING) + hidpp_unifying_init(hidpp); ++ else if (hid_is_usb(hidpp->hid_dev)) ++ hidpp_serial_init(hidpp); + + connected = hidpp_root_get_protocol_version(hidpp) == 0; + atomic_set(&hidpp->connected, connected); +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-153-HID-logitech-hidpp-Reconcile-USB-and-Unifying-s.patch b/patches.kernel.org/6.3.4-153-HID-logitech-hidpp-Reconcile-USB-and-Unifying-s.patch new file mode 100644 index 0000000..bf5a1b9 --- /dev/null +++ b/patches.kernel.org/6.3.4-153-HID-logitech-hidpp-Reconcile-USB-and-Unifying-s.patch @@ -0,0 +1,56 @@ +From: Bastien Nocera +Date: Thu, 2 Mar 2023 14:01:17 +0100 +Subject: [PATCH] HID: logitech-hidpp: Reconcile USB and Unifying serials +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 5b3691d15e04b6d5a32c915577b8dbc5cfb56382 + +[ Upstream commit 5b3691d15e04b6d5a32c915577b8dbc5cfb56382 ] + +Now that USB HID++ devices can gather a serial number that matches the +one that would be gathered when connected through a Unifying receiver, +remove the last difference by dropping the product ID as devices +usually have different product IDs when connected through USB or +Unifying. + +For example, on the serials on a G903 wired/wireless mouse: +- Unifying before patch: 4067-e8-ce-cd-45 +- USB before patch: c086-e8-ce-cd-45 +- Unifying and USB after patch: e8-ce-cd-45 + +Signed-off-by: Bastien Nocera +Link: https://lore.kernel.org/r/20230302130117.3975-2-hadess@hadess.net +Signed-off-by: Benjamin Tissoires +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/hid/hid-logitech-hidpp.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/hid/hid-logitech-hidpp.c b/drivers/hid/hid-logitech-hidpp.c +index 66380876..da89e84c 100644 +--- a/drivers/hid/hid-logitech-hidpp.c ++++ b/drivers/hid/hid-logitech-hidpp.c +@@ -853,8 +853,7 @@ static int hidpp_unifying_init(struct hidpp_device *hidpp) + if (ret) + return ret; + +- snprintf(hdev->uniq, sizeof(hdev->uniq), "%04x-%4phD", +- hdev->product, &serial); ++ snprintf(hdev->uniq, sizeof(hdev->uniq), "%4phD", &serial); + dbg_hid("HID++ Unifying: Got serial: %s\n", hdev->uniq); + + name = hidpp_unifying_get_name(hidpp); +@@ -989,8 +988,7 @@ static int hidpp_serial_init(struct hidpp_device *hidpp) + if (ret) + return ret; + +- snprintf(hdev->uniq, sizeof(hdev->uniq), "%04x-%4phD", +- hdev->product, &serial); ++ snprintf(hdev->uniq, sizeof(hdev->uniq), "%4phD", &serial); + dbg_hid("HID++ DeviceInformation: Got serial: %s\n", hdev->uniq); + + return 0; +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-154-spi-spi-imx-fix-MX51_ECSPI_-macros-when-cs-3.patch b/patches.kernel.org/6.3.4-154-spi-spi-imx-fix-MX51_ECSPI_-macros-when-cs-3.patch new file mode 100644 index 0000000..b6e96a4 --- /dev/null +++ b/patches.kernel.org/6.3.4-154-spi-spi-imx-fix-MX51_ECSPI_-macros-when-cs-3.patch @@ -0,0 +1,81 @@ +From: Kevin Groeneveld +Date: Sat, 18 Mar 2023 18:21:32 -0400 +Subject: [PATCH] spi: spi-imx: fix MX51_ECSPI_* macros when cs > 3 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 87c614175bbf28d3fd076dc2d166bac759e41427 + +[ Upstream commit 87c614175bbf28d3fd076dc2d166bac759e41427 ] + +When using gpio based chip select the cs value can go outside the range +0 – 3. The various MX51_ECSPI_* macros did not take this into consideration +resulting in possible corruption of the configuration. + +For example for any cs value over 3 the SCLKPHA bits would not be set and +other values in the register possibly corrupted. + +One way to fix this is to just mask the cs bits to 2 bits. This still +allows all 4 native chip selects to work as well as gpio chip selects +(which can use any of the 4 chip select configurations). + +Signed-off-by: Kevin Groeneveld +Link: https://lore.kernel.org/r/20230318222132.3373-1-kgroeneveld@lenbrook.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/spi/spi-imx.c | 24 ++++++++++++++++++------ + 1 file changed, 18 insertions(+), 6 deletions(-) + +diff --git a/drivers/spi/spi-imx.c b/drivers/spi/spi-imx.c +index 6c9c87cd..a2a5ada6 100644 +--- a/drivers/spi/spi-imx.c ++++ b/drivers/spi/spi-imx.c +@@ -252,6 +252,18 @@ static bool spi_imx_can_dma(struct spi_controller *controller, struct spi_device + return true; + } + ++/* ++ * Note the number of natively supported chip selects for MX51 is 4. Some ++ * devices may have less actual SS pins but the register map supports 4. When ++ * using gpio chip selects the cs values passed into the macros below can go ++ * outside the range 0 - 3. We therefore need to limit the cs value to avoid ++ * corrupting bits outside the allocated locations. ++ * ++ * The simplest way to do this is to just mask the cs bits to 2 bits. This ++ * still allows all 4 native chip selects to work as well as gpio chip selects ++ * (which can use any of the 4 chip select configurations). ++ */ ++ + #define MX51_ECSPI_CTRL 0x08 + #define MX51_ECSPI_CTRL_ENABLE (1 << 0) + #define MX51_ECSPI_CTRL_XCH (1 << 2) +@@ -260,16 +272,16 @@ static bool spi_imx_can_dma(struct spi_controller *controller, struct spi_device + #define MX51_ECSPI_CTRL_DRCTL(drctl) ((drctl) << 16) + #define MX51_ECSPI_CTRL_POSTDIV_OFFSET 8 + #define MX51_ECSPI_CTRL_PREDIV_OFFSET 12 +-#define MX51_ECSPI_CTRL_CS(cs) ((cs) << 18) ++#define MX51_ECSPI_CTRL_CS(cs) ((cs & 3) << 18) + #define MX51_ECSPI_CTRL_BL_OFFSET 20 + #define MX51_ECSPI_CTRL_BL_MASK (0xfff << 20) + + #define MX51_ECSPI_CONFIG 0x0c +-#define MX51_ECSPI_CONFIG_SCLKPHA(cs) (1 << ((cs) + 0)) +-#define MX51_ECSPI_CONFIG_SCLKPOL(cs) (1 << ((cs) + 4)) +-#define MX51_ECSPI_CONFIG_SBBCTRL(cs) (1 << ((cs) + 8)) +-#define MX51_ECSPI_CONFIG_SSBPOL(cs) (1 << ((cs) + 12)) +-#define MX51_ECSPI_CONFIG_SCLKCTL(cs) (1 << ((cs) + 20)) ++#define MX51_ECSPI_CONFIG_SCLKPHA(cs) (1 << ((cs & 3) + 0)) ++#define MX51_ECSPI_CONFIG_SCLKPOL(cs) (1 << ((cs & 3) + 4)) ++#define MX51_ECSPI_CONFIG_SBBCTRL(cs) (1 << ((cs & 3) + 8)) ++#define MX51_ECSPI_CONFIG_SSBPOL(cs) (1 << ((cs & 3) + 12)) ++#define MX51_ECSPI_CONFIG_SCLKCTL(cs) (1 << ((cs & 3) + 20)) + + #define MX51_ECSPI_INT 0x10 + #define MX51_ECSPI_INT_TEEN (1 << 0) +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-155-usb-typec-ucsi-acpi-add-quirk-for-ASUS-Zenbook-.patch b/patches.kernel.org/6.3.4-155-usb-typec-ucsi-acpi-add-quirk-for-ASUS-Zenbook-.patch new file mode 100644 index 0000000..8e17e45 --- /dev/null +++ b/patches.kernel.org/6.3.4-155-usb-typec-ucsi-acpi-add-quirk-for-ASUS-Zenbook-.patch @@ -0,0 +1,137 @@ +From: =?UTF-8?q?Samuel=20=C4=8Cavoj?= +Date: Wed, 5 Apr 2023 16:44:56 +0300 +Subject: [PATCH] usb: typec: ucsi: acpi: add quirk for ASUS Zenbook UM325 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 326e1c208f3f24d14b93f910b8ae32c94923d22c + +[ Upstream commit 326e1c208f3f24d14b93f910b8ae32c94923d22c ] + +On some ACPI platforms (namely the ASUS Zenbook UM325) the _DSM method must +not be called after a notification is received but instead the mailbox +should be read immediately from RAM. This is because the ACPI interrupt +handler destroys the CCI in ERAM after copying to system memory, and when +_DSM is later called to perform a second copy, it retrieves a garbage +value. + +Instead, the _DSM(read) method should only be called when necessary, i.e. +for polling the state after reset and for retrieving the version. Other +reads should not call _DSM and only peek into the RAM region. + +This adds a separate read operation for the Zenbook that syncs the +ACPI mailbox only with polled commands. + +Link: https://lore.kernel.org/linux-usb/20210823180626.tb6m7h5tp6adhvt2@fastboi.localdomain/ +Signed-off-by: Samuel ÄŒavoj +[ heikki : handling everything in ucsi_acpi.c with DMI quirk ] +Signed-off-by: Heikki Krogerus +Link: https://lore.kernel.org/r/20230405134456.49607-1-heikki.krogerus@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/usb/typec/ucsi/ucsi_acpi.c | 44 ++++++++++++++++++++++++++++-- + 1 file changed, 42 insertions(+), 2 deletions(-) + +diff --git a/drivers/usb/typec/ucsi/ucsi_acpi.c b/drivers/usb/typec/ucsi/ucsi_acpi.c +index 62206a6b..217355f1 100644 +--- a/drivers/usb/typec/ucsi/ucsi_acpi.c ++++ b/drivers/usb/typec/ucsi/ucsi_acpi.c +@@ -9,6 +9,7 @@ + #include + #include + #include ++#include + + #include "ucsi.h" + +@@ -23,6 +24,7 @@ struct ucsi_acpi { + struct completion complete; + unsigned long flags; + guid_t guid; ++ u64 cmd; + }; + + static int ucsi_acpi_dsm(struct ucsi_acpi *ua, int func) +@@ -62,6 +64,7 @@ static int ucsi_acpi_async_write(struct ucsi *ucsi, unsigned int offset, + struct ucsi_acpi *ua = ucsi_get_drvdata(ucsi); + + memcpy(ua->base + offset, val, val_len); ++ ua->cmd = *(u64 *)val; + + return ucsi_acpi_dsm(ua, UCSI_DSM_FUNC_WRITE); + } +@@ -93,13 +96,46 @@ static const struct ucsi_operations ucsi_acpi_ops = { + .async_write = ucsi_acpi_async_write + }; + ++static int ++ucsi_zenbook_read(struct ucsi *ucsi, unsigned int offset, void *val, size_t val_len) ++{ ++ struct ucsi_acpi *ua = ucsi_get_drvdata(ucsi); ++ int ret; ++ ++ if (offset == UCSI_VERSION || UCSI_COMMAND(ua->cmd) == UCSI_PPM_RESET) { ++ ret = ucsi_acpi_dsm(ua, UCSI_DSM_FUNC_READ); ++ if (ret) ++ return ret; ++ } ++ ++ memcpy(val, ua->base + offset, val_len); ++ ++ return 0; ++} ++ ++static const struct ucsi_operations ucsi_zenbook_ops = { ++ .read = ucsi_zenbook_read, ++ .sync_write = ucsi_acpi_sync_write, ++ .async_write = ucsi_acpi_async_write ++}; ++ ++static const struct dmi_system_id zenbook_dmi_id[] = { ++ { ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "ZenBook UX325UA_UM325UA"), ++ }, ++ }, ++ { } ++}; ++ + static void ucsi_acpi_notify(acpi_handle handle, u32 event, void *data) + { + struct ucsi_acpi *ua = data; + u32 cci; + int ret; + +- ret = ucsi_acpi_read(ua->ucsi, UCSI_CCI, &cci, sizeof(cci)); ++ ret = ua->ucsi->ops->read(ua->ucsi, UCSI_CCI, &cci, sizeof(cci)); + if (ret) + return; + +@@ -114,6 +150,7 @@ static void ucsi_acpi_notify(acpi_handle handle, u32 event, void *data) + static int ucsi_acpi_probe(struct platform_device *pdev) + { + struct acpi_device *adev = ACPI_COMPANION(&pdev->dev); ++ const struct ucsi_operations *ops = &ucsi_acpi_ops; + struct ucsi_acpi *ua; + struct resource *res; + acpi_status status; +@@ -143,7 +180,10 @@ static int ucsi_acpi_probe(struct platform_device *pdev) + init_completion(&ua->complete); + ua->dev = &pdev->dev; + +- ua->ucsi = ucsi_create(&pdev->dev, &ucsi_acpi_ops); ++ if (dmi_check_system(zenbook_dmi_id)) ++ ops = &ucsi_zenbook_ops; ++ ++ ua->ucsi = ucsi_create(&pdev->dev, ops); + if (IS_ERR(ua->ucsi)) + return PTR_ERR(ua->ucsi); + +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-156-ALSA-hda-LNL-add-HD-Audio-PCI-ID.patch b/patches.kernel.org/6.3.4-156-ALSA-hda-LNL-add-HD-Audio-PCI-ID.patch new file mode 100644 index 0000000..31ae0b8 --- /dev/null +++ b/patches.kernel.org/6.3.4-156-ALSA-hda-LNL-add-HD-Audio-PCI-ID.patch @@ -0,0 +1,43 @@ +From: Fred Oh +Date: Thu, 6 Apr 2023 10:25:00 -0500 +Subject: [PATCH] ALSA: hda: LNL: add HD Audio PCI ID +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 714b2f025d767e7df1fe9da18bd70537d64cc157 + +[ Upstream commit 714b2f025d767e7df1fe9da18bd70537d64cc157 ] + +Add HD Audio PCI ID for Intel Lunarlake platform. + +Signed-off-by: Fred Oh +Signed-off-by: Pierre-Louis Bossart +Reviewed-by: Péter Ujfalusi +Reviewed-by: Bard Liao +Link: https://lore.kernel.org/r/20230406152500.15104-1-pierre-louis.bossart@linux.intel.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + sound/pci/hda/hda_intel.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c +index 77a592f2..881b2f3a 100644 +--- a/sound/pci/hda/hda_intel.c ++++ b/sound/pci/hda/hda_intel.c +@@ -2528,6 +2528,9 @@ static const struct pci_device_id azx_ids[] = { + /* Meteorlake-P */ + { PCI_DEVICE(0x8086, 0x7e28), + .driver_data = AZX_DRIVER_SKL | AZX_DCAPS_INTEL_SKYLAKE}, ++ /* Lunarlake-P */ ++ { PCI_DEVICE(0x8086, 0xa828), ++ .driver_data = AZX_DRIVER_SKL | AZX_DCAPS_INTEL_SKYLAKE}, + /* Broxton-P(Apollolake) */ + { PCI_DEVICE(0x8086, 0x5a98), + .driver_data = AZX_DRIVER_SKL | AZX_DCAPS_INTEL_BROXTON }, +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-157-ASoC-amd-Add-Dell-G15-5525-to-quirks-list.patch b/patches.kernel.org/6.3.4-157-ASoC-amd-Add-Dell-G15-5525-to-quirks-list.patch new file mode 100644 index 0000000..84fd9d1 --- /dev/null +++ b/patches.kernel.org/6.3.4-157-ASoC-amd-Add-Dell-G15-5525-to-quirks-list.patch @@ -0,0 +1,43 @@ +From: Cem Kaya +Date: Mon, 10 Apr 2023 20:38:15 +0200 +Subject: [PATCH] ASoC: amd: Add Dell G15 5525 to quirks list +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: faf15233e59052f4d61cad2da6e56daf33124d96 + +[ Upstream commit faf15233e59052f4d61cad2da6e56daf33124d96 ] + +Add Dell G15 5525 Ryzen Edition to quirks list for acp6x so that +internal mic works. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=217155 +Signed-off-by: Cem Kaya +Link: https://lore.kernel.org/r/20230410183814.260518-1-cemkaya.boun@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + sound/soc/amd/yc/acp6x-mach.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/sound/soc/amd/yc/acp6x-mach.c b/sound/soc/amd/yc/acp6x-mach.c +index a428e17f..1d59163a 100644 +--- a/sound/soc/amd/yc/acp6x-mach.c ++++ b/sound/soc/amd/yc/acp6x-mach.c +@@ -45,6 +45,13 @@ static struct snd_soc_card acp6x_card = { + }; + + static const struct dmi_system_id yc_acp_quirk_table[] = { ++ { ++ .driver_data = &acp6x_card, ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "Dell Inc."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Dell G15 5525"), ++ } ++ }, + { + .driver_data = &acp6x_card, + .matches = { +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-158-ASoC-amd-yc-Add-ThinkBook-14-G5-ARP-to-quirks-l.patch b/patches.kernel.org/6.3.4-158-ASoC-amd-yc-Add-ThinkBook-14-G5-ARP-to-quirks-l.patch new file mode 100644 index 0000000..f31a82a --- /dev/null +++ b/patches.kernel.org/6.3.4-158-ASoC-amd-yc-Add-ThinkBook-14-G5-ARP-to-quirks-l.patch @@ -0,0 +1,46 @@ +From: Baishan Jiang +Date: Wed, 12 Apr 2023 16:40:43 +0800 +Subject: [PATCH] ASoC: amd: yc: Add ThinkBook 14 G5+ ARP to quirks list for + acp6x +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: a8f5da0bf4d85a6ad03810d902aba61c572102a6 + +[ Upstream commit a8f5da0bf4d85a6ad03810d902aba61c572102a6 ] + +ThinkBook 14 G5+ ARP uses Ryzen 7735H processor, and has the same +microphone problem as ThinkBook 14 G4+ ARA. + +Adding 21HY to acp6x quirks table enables microphone for ThinkBook +14 G5+ ARP. + +Signed-off-by: Baishan Jiang +Link: https://lore.kernel.org/r/OS3P286MB1711DD6556284B69C79C0C4FE19B9@OS3P286MB1711.JPNP286.PROD.OUTLOOK.COM +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + sound/soc/amd/yc/acp6x-mach.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/sound/soc/amd/yc/acp6x-mach.c b/sound/soc/amd/yc/acp6x-mach.c +index 1d59163a..b9958e55 100644 +--- a/sound/soc/amd/yc/acp6x-mach.c ++++ b/sound/soc/amd/yc/acp6x-mach.c +@@ -185,6 +185,13 @@ static const struct dmi_system_id yc_acp_quirk_table[] = { + DMI_MATCH(DMI_PRODUCT_NAME, "21EN"), + } + }, ++ { ++ .driver_data = &acp6x_card, ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "21HY"), ++ } ++ }, + { + .driver_data = &acp6x_card, + .matches = { +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-159-ASoC-amd-Add-check-for-acp-config-flags.patch b/patches.kernel.org/6.3.4-159-ASoC-amd-Add-check-for-acp-config-flags.patch new file mode 100644 index 0000000..629f504 --- /dev/null +++ b/patches.kernel.org/6.3.4-159-ASoC-amd-Add-check-for-acp-config-flags.patch @@ -0,0 +1,119 @@ +From: Syed Saba Kareem +Date: Wed, 12 Apr 2023 14:46:16 +0530 +Subject: [PATCH] ASoC: amd: Add check for acp config flags +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: bddcfb0802eb69b0f51293eab5db33d344c0262f + +[ Upstream commit bddcfb0802eb69b0f51293eab5db33d344c0262f ] + +We have SOF and generic ACP support enabled for Rembrandt and +pheonix platforms on some machines. Since we have same PCI id +used for probing, add check for machine configuration flag to +avoid conflict with newer pci drivers. Such machine flag has +been initialized via dmi match on few Chrome machines. If no +flag is specified probe and register older platform device. + +Signed-off-by: Syed Saba Kareem +Reviewed-by: Vijendar Mukunda +Link: https://lore.kernel.org/r/20230412091638.1158901-1-Syed.SabaKareem@amd.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + sound/soc/amd/Kconfig | 2 ++ + sound/soc/amd/ps/acp63.h | 2 ++ + sound/soc/amd/ps/pci-ps.c | 8 +++++++- + sound/soc/amd/yc/acp6x.h | 3 +++ + sound/soc/amd/yc/pci-acp6x.c | 8 +++++++- + 5 files changed, 21 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/amd/Kconfig b/sound/soc/amd/Kconfig +index c88ebd84..08e42082 100644 +--- a/sound/soc/amd/Kconfig ++++ b/sound/soc/amd/Kconfig +@@ -90,6 +90,7 @@ config SND_SOC_AMD_VANGOGH_MACH + + config SND_SOC_AMD_ACP6x + tristate "AMD Audio Coprocessor-v6.x Yellow Carp support" ++ select SND_AMD_ACP_CONFIG + depends on X86 && PCI + help + This option enables Audio Coprocessor i.e ACP v6.x support on +@@ -130,6 +131,7 @@ config SND_SOC_AMD_RPL_ACP6x + + config SND_SOC_AMD_PS + tristate "AMD Audio Coprocessor-v6.3 Pink Sardine support" ++ select SND_AMD_ACP_CONFIG + depends on X86 && PCI && ACPI + help + This option enables Audio Coprocessor i.e ACP v6.3 support on +diff --git a/sound/soc/amd/ps/acp63.h b/sound/soc/amd/ps/acp63.h +index 6bf29b52..dd36790b 100644 +--- a/sound/soc/amd/ps/acp63.h ++++ b/sound/soc/amd/ps/acp63.h +@@ -111,3 +111,5 @@ struct acp63_dev_data { + u16 pdev_count; + u16 pdm_dev_index; + }; ++ ++int snd_amd_acp_find_config(struct pci_dev *pci); +diff --git a/sound/soc/amd/ps/pci-ps.c b/sound/soc/amd/ps/pci-ps.c +index 688a1d46..afddb9a7 100644 +--- a/sound/soc/amd/ps/pci-ps.c ++++ b/sound/soc/amd/ps/pci-ps.c +@@ -247,11 +247,17 @@ static int snd_acp63_probe(struct pci_dev *pci, + { + struct acp63_dev_data *adata; + u32 addr; +- u32 irqflags; ++ u32 irqflags, flag; + int val; + int ret; + + irqflags = IRQF_SHARED; ++ ++ /* Return if acp config flag is defined */ ++ flag = snd_amd_acp_find_config(pci); ++ if (flag) ++ return -ENODEV; ++ + /* Pink Sardine device check */ + switch (pci->revision) { + case 0x63: +diff --git a/sound/soc/amd/yc/acp6x.h b/sound/soc/amd/yc/acp6x.h +index 03620756..2de7d1ed 100644 +--- a/sound/soc/amd/yc/acp6x.h ++++ b/sound/soc/amd/yc/acp6x.h +@@ -105,3 +105,6 @@ static inline void acp6x_writel(u32 val, void __iomem *base_addr) + { + writel(val, base_addr - ACP6x_PHY_BASE_ADDRESS); + } ++ ++int snd_amd_acp_find_config(struct pci_dev *pci); ++ +diff --git a/sound/soc/amd/yc/pci-acp6x.c b/sound/soc/amd/yc/pci-acp6x.c +index 77c5fa1f..7af6a349 100644 +--- a/sound/soc/amd/yc/pci-acp6x.c ++++ b/sound/soc/amd/yc/pci-acp6x.c +@@ -149,10 +149,16 @@ static int snd_acp6x_probe(struct pci_dev *pci, + int index = 0; + int val = 0x00; + u32 addr; +- unsigned int irqflags; ++ unsigned int irqflags, flag; + int ret; + + irqflags = IRQF_SHARED; ++ ++ /* Return if acp config flag is defined */ ++ flag = snd_amd_acp_find_config(pci); ++ if (flag) ++ return -ENODEV; ++ + /* Yellow Carp device check */ + switch (pci->revision) { + case 0x60: +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-160-HID-apple-Set-the-tilde-quirk-flag-on-the-Geyse.patch b/patches.kernel.org/6.3.4-160-HID-apple-Set-the-tilde-quirk-flag-on-the-Geyse.patch new file mode 100644 index 0000000..6962de4 --- /dev/null +++ b/patches.kernel.org/6.3.4-160-HID-apple-Set-the-tilde-quirk-flag-on-the-Geyse.patch @@ -0,0 +1,42 @@ +From: Alex Henrie +Date: Mon, 3 Apr 2023 20:48:29 -0600 +Subject: [PATCH] HID: apple: Set the tilde quirk flag on the Geyser 3 +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 29e1ecc197d410ee59c8877098d54cf417075f7d + +[ Upstream commit 29e1ecc197d410ee59c8877098d54cf417075f7d ] + +I was finally able to obtain a MacBook1,1 to test and I've now confirmed +that it has the tilde key quirk as well: + +Product Model Year System CPU Shape Labels Country Quirky +============================================================================ +05ac:0218 A1181 2006 MacBook1,1 T2500 ISO British 13 Yes + +Signed-off-by: Alex Henrie +Link: https://lore.kernel.org/r/20230404024829.13982-1-alexhenrie24@gmail.com +Signed-off-by: Benjamin Tissoires +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/hid/hid-apple.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/hid/hid-apple.c b/drivers/hid/hid-apple.c +index 5c145775..e2c73a78 100644 +--- a/drivers/hid/hid-apple.c ++++ b/drivers/hid/hid-apple.c +@@ -875,7 +875,8 @@ static const struct hid_device_id apple_devices[] = { + { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_GEYSER3_ANSI), + .driver_data = APPLE_NUMLOCK_EMULATION | APPLE_HAS_FN }, + { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_GEYSER3_ISO), +- .driver_data = APPLE_NUMLOCK_EMULATION | APPLE_HAS_FN }, ++ .driver_data = APPLE_NUMLOCK_EMULATION | APPLE_HAS_FN | ++ APPLE_ISO_TILDE_QUIRK }, + { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_GEYSER3_JIS), + .driver_data = APPLE_NUMLOCK_EMULATION | APPLE_HAS_FN | + APPLE_RDESC_JIS }, +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-161-HID-Ignore-battery-for-ELAN-touchscreen-on-ROG-.patch b/patches.kernel.org/6.3.4-161-HID-Ignore-battery-for-ELAN-touchscreen-on-ROG-.patch new file mode 100644 index 0000000..9b870f0 --- /dev/null +++ b/patches.kernel.org/6.3.4-161-HID-Ignore-battery-for-ELAN-touchscreen-on-ROG-.patch @@ -0,0 +1,52 @@ +From: weiliang1503 +Date: Thu, 30 Mar 2023 19:56:38 +0800 +Subject: [PATCH] HID: Ignore battery for ELAN touchscreen on ROG Flow X13 + GV301RA +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 35903009dbde804a1565dc89e431c0f15179f054 + +[ Upstream commit 35903009dbde804a1565dc89e431c0f15179f054 ] + +Ignore the reported battery level of the built-in touchscreen to suppress +battery warnings when a stylus is used. The device ID was added and the +battery ignore quirk was enabled. + +Signed-off-by: weiliang1503 +Link: https://lore.kernel.org/r/20230330115638.16146-1-weiliang1503@gmail.com +Signed-off-by: Benjamin Tissoires +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/hid/hid-ids.h | 1 + + drivers/hid/hid-input.c | 2 ++ + 2 files changed, 3 insertions(+) + +diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h +index c2e9b6d1..8f3e0a5d 100644 +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -415,6 +415,7 @@ + #define I2C_DEVICE_ID_HP_SPECTRE_X360_15 0x2817 + #define I2C_DEVICE_ID_HP_SPECTRE_X360_13_AW0020NG 0x29DF + #define I2C_DEVICE_ID_ASUS_TP420IA_TOUCHSCREEN 0x2BC8 ++#define I2C_DEVICE_ID_ASUS_GV301RA_TOUCHSCREEN 0x2C82 + #define USB_DEVICE_ID_ASUS_UX550VE_TOUCHSCREEN 0x2544 + #define USB_DEVICE_ID_ASUS_UX550_TOUCHSCREEN 0x2706 + #define I2C_DEVICE_ID_SURFACE_GO_TOUCHSCREEN 0x261A +diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c +index 5c65a584..5a888665 100644 +--- a/drivers/hid/hid-input.c ++++ b/drivers/hid/hid-input.c +@@ -372,6 +372,8 @@ static const struct hid_device_id hid_battery_quirks[] = { + HID_BATTERY_QUIRK_IGNORE }, + { HID_I2C_DEVICE(USB_VENDOR_ID_ELAN, I2C_DEVICE_ID_ASUS_TP420IA_TOUCHSCREEN), + HID_BATTERY_QUIRK_IGNORE }, ++ { HID_I2C_DEVICE(USB_VENDOR_ID_ELAN, I2C_DEVICE_ID_ASUS_GV301RA_TOUCHSCREEN), ++ HID_BATTERY_QUIRK_IGNORE }, + { HID_USB_DEVICE(USB_VENDOR_ID_ELAN, USB_DEVICE_ID_ASUS_UX550_TOUCHSCREEN), + HID_BATTERY_QUIRK_IGNORE }, + { HID_USB_DEVICE(USB_VENDOR_ID_ELAN, USB_DEVICE_ID_ASUS_UX550VE_TOUCHSCREEN), +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-162-HID-wacom-generic-Set-battery-quirk-only-when-w.patch b/patches.kernel.org/6.3.4-162-HID-wacom-generic-Set-battery-quirk-only-when-w.patch new file mode 100644 index 0000000..4dedcc9 --- /dev/null +++ b/patches.kernel.org/6.3.4-162-HID-wacom-generic-Set-battery-quirk-only-when-w.patch @@ -0,0 +1,106 @@ +From: Jason Gerecke +Date: Thu, 13 Apr 2023 11:17:43 -0700 +Subject: [PATCH] HID: wacom: generic: Set battery quirk only when we see + battery data +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: bea407a427baa019758f29f4d31b26f008bb8cc6 + +[ Upstream commit bea407a427baa019758f29f4d31b26f008bb8cc6 ] + +Some devices will include battery status usages in the HID descriptor +but we won't see that battery data for one reason or another. For example, +AES sensors won't send battery data unless an AES pen is in proximity. +If a user does not have an AES pen but instead only interacts with the +AES touchscreen with their fingers then there is no need for us to create +a battery object. Similarly, if a family of peripherals shares the same +HID descriptor between wired-only and wireless-capable SKUs, users of the +former may never see a battery event and will not want a power_supply +object created. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=217062 +Link: https://gitlab.gnome.org/GNOME/gnome-control-center/-/issues/2354 +Signed-off-by: Jason Gerecke +Tested-by: Mario Limonciello +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/hid/wacom_wac.c | 33 +++++++++++---------------------- + 1 file changed, 11 insertions(+), 22 deletions(-) + +diff --git a/drivers/hid/wacom_wac.c b/drivers/hid/wacom_wac.c +index 0c6a82c6..d2f50024 100644 +--- a/drivers/hid/wacom_wac.c ++++ b/drivers/hid/wacom_wac.c +@@ -1963,18 +1963,7 @@ static void wacom_map_usage(struct input_dev *input, struct hid_usage *usage, + static void wacom_wac_battery_usage_mapping(struct hid_device *hdev, + struct hid_field *field, struct hid_usage *usage) + { +- struct wacom *wacom = hid_get_drvdata(hdev); +- struct wacom_wac *wacom_wac = &wacom->wacom_wac; +- struct wacom_features *features = &wacom_wac->features; +- unsigned equivalent_usage = wacom_equivalent_usage(usage->hid); +- +- switch (equivalent_usage) { +- case HID_DG_BATTERYSTRENGTH: +- case WACOM_HID_WD_BATTERY_LEVEL: +- case WACOM_HID_WD_BATTERY_CHARGING: +- features->quirks |= WACOM_QUIRK_BATTERY; +- break; +- } ++ return; + } + + static void wacom_wac_battery_event(struct hid_device *hdev, struct hid_field *field, +@@ -1995,18 +1984,21 @@ static void wacom_wac_battery_event(struct hid_device *hdev, struct hid_field *f + wacom_wac->hid_data.bat_connected = 1; + wacom_wac->hid_data.bat_status = WACOM_POWER_SUPPLY_STATUS_AUTO; + } ++ wacom_wac->features.quirks |= WACOM_QUIRK_BATTERY; + break; + case WACOM_HID_WD_BATTERY_LEVEL: + value = value * 100 / (field->logical_maximum - field->logical_minimum); + wacom_wac->hid_data.battery_capacity = value; + wacom_wac->hid_data.bat_connected = 1; + wacom_wac->hid_data.bat_status = WACOM_POWER_SUPPLY_STATUS_AUTO; ++ wacom_wac->features.quirks |= WACOM_QUIRK_BATTERY; + break; + case WACOM_HID_WD_BATTERY_CHARGING: + wacom_wac->hid_data.bat_charging = value; + wacom_wac->hid_data.ps_connected = value; + wacom_wac->hid_data.bat_connected = 1; + wacom_wac->hid_data.bat_status = WACOM_POWER_SUPPLY_STATUS_AUTO; ++ wacom_wac->features.quirks |= WACOM_QUIRK_BATTERY; + break; + } + } +@@ -2022,18 +2014,15 @@ static void wacom_wac_battery_report(struct hid_device *hdev, + { + struct wacom *wacom = hid_get_drvdata(hdev); + struct wacom_wac *wacom_wac = &wacom->wacom_wac; +- struct wacom_features *features = &wacom_wac->features; + +- if (features->quirks & WACOM_QUIRK_BATTERY) { +- int status = wacom_wac->hid_data.bat_status; +- int capacity = wacom_wac->hid_data.battery_capacity; +- bool charging = wacom_wac->hid_data.bat_charging; +- bool connected = wacom_wac->hid_data.bat_connected; +- bool powered = wacom_wac->hid_data.ps_connected; ++ int status = wacom_wac->hid_data.bat_status; ++ int capacity = wacom_wac->hid_data.battery_capacity; ++ bool charging = wacom_wac->hid_data.bat_charging; ++ bool connected = wacom_wac->hid_data.bat_connected; ++ bool powered = wacom_wac->hid_data.ps_connected; + +- wacom_notify_battery(wacom_wac, status, capacity, charging, +- connected, powered); +- } ++ wacom_notify_battery(wacom_wac, status, capacity, charging, ++ connected, powered); + } + + static void wacom_wac_pad_usage_mapping(struct hid_device *hdev, +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-163-usb-typec-tcpm-fix-multiple-times-discover-svid.patch b/patches.kernel.org/6.3.4-163-usb-typec-tcpm-fix-multiple-times-discover-svid.patch new file mode 100644 index 0000000..0fc6f9d --- /dev/null +++ b/patches.kernel.org/6.3.4-163-usb-typec-tcpm-fix-multiple-times-discover-svid.patch @@ -0,0 +1,60 @@ +From: Frank Wang +Date: Thu, 16 Mar 2023 16:11:49 +0800 +Subject: [PATCH] usb: typec: tcpm: fix multiple times discover svids error +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: dac3b192107b978198e89ec0f77375738352e0c8 + +[ Upstream commit dac3b192107b978198e89ec0f77375738352e0c8 ] + +PD3.0 Spec 6.4.4.3.2 say that only Responder supports 12 or more SVIDs, +the Discover SVIDs Command Shall be executed multiple times until a +Discover SVIDs VDO is returned ending either with a SVID value of +0x0000 in the last part of the last VDO or with a VDO containing two +SVIDs with values of 0x0000. + +In the current implementation, if the last VDO does not find that the +Discover SVIDs Command would be executed multiple times even if the +Responder SVIDs are less than 12, and we found some odd dockers just +meet this case. So fix it. + +Acked-by: Heikki Krogerus +Signed-off-by: Frank Wang +Link: https://lore.kernel.org/r/20230316081149.24519-1-frank.wang@rock-chips.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/usb/typec/tcpm/tcpm.c | 16 +++++++++++++++- + 1 file changed, 15 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/typec/tcpm/tcpm.c b/drivers/usb/typec/tcpm/tcpm.c +index 1ee774c2..be1708e3 100644 +--- a/drivers/usb/typec/tcpm/tcpm.c ++++ b/drivers/usb/typec/tcpm/tcpm.c +@@ -1523,7 +1523,21 @@ static bool svdm_consume_svids(struct tcpm_port *port, const u32 *p, int cnt) + pmdata->svids[pmdata->nsvids++] = svid; + tcpm_log(port, "SVID %d: 0x%x", pmdata->nsvids, svid); + } +- return true; ++ ++ /* ++ * PD3.0 Spec 6.4.4.3.2: The SVIDs are returned 2 per VDO (see Table ++ * 6-43), and can be returned maximum 6 VDOs per response (see Figure ++ * 6-19). If the Respondersupports 12 or more SVID then the Discover ++ * SVIDs Command Shall be executed multiple times until a Discover ++ * SVIDs VDO is returned ending either with a SVID value of 0x0000 in ++ * the last part of the last VDO or with a VDO containing two SVIDs ++ * with values of 0x0000. ++ * ++ * However, some odd dockers support SVIDs less than 12 but without ++ * 0x0000 in the last VDO, so we need to break the Discover SVIDs ++ * request and return false here. ++ */ ++ return cnt == 7; + abort: + tcpm_log(port, "SVID_DISCOVERY_MAX(%d) too low!", SVID_DISCOVERY_MAX); + return false; +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-164-serial-8250-Reinit-port-pm-on-port-specific-dri.patch b/patches.kernel.org/6.3.4-164-serial-8250-Reinit-port-pm-on-port-specific-dri.patch new file mode 100644 index 0000000..b404c98 --- /dev/null +++ b/patches.kernel.org/6.3.4-164-serial-8250-Reinit-port-pm-on-port-specific-dri.patch @@ -0,0 +1,57 @@ +From: Tony Lindgren +Date: Tue, 18 Apr 2023 13:14:06 +0300 +Subject: [PATCH] serial: 8250: Reinit port->pm on port specific driver unbind +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 04e82793f068d2f0ffe62fcea03d007a8cdc16a7 + +[ Upstream commit 04e82793f068d2f0ffe62fcea03d007a8cdc16a7 ] + +When we unbind a serial port hardware specific 8250 driver, the generic +serial8250 driver takes over the port. After that we see an oops about 10 +seconds later. This can produce the following at least on some TI SoCs: + +Unhandled fault: imprecise external abort (0x1406) +Internal error: : 1406 [#1] SMP ARM + +Turns out that we may still have the serial port hardware specific driver +port->pm in use, and serial8250_pm() tries to call it after the port +specific driver is gone: + +serial8250_pm [8250_base] from uart_change_pm+0x54/0x8c [serial_base] +uart_change_pm [serial_base] from uart_hangup+0x154/0x198 [serial_base] +uart_hangup [serial_base] from __tty_hangup.part.0+0x328/0x37c +__tty_hangup.part.0 from disassociate_ctty+0x154/0x20c +disassociate_ctty from do_exit+0x744/0xaac +do_exit from do_group_exit+0x40/0x8c +do_group_exit from __wake_up_parent+0x0/0x1c + +Let's fix the issue by calling serial8250_set_defaults() in +serial8250_unregister_port(). This will set the port back to using +the serial8250 default functions, and sets the port->pm to point to +serial8250_pm. + +Signed-off-by: Tony Lindgren +Link: https://lore.kernel.org/r/20230418101407.12403-1-tony@atomide.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/tty/serial/8250/8250_core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/tty/serial/8250/8250_core.c b/drivers/tty/serial/8250/8250_core.c +index ab63c308..13bf535e 100644 +--- a/drivers/tty/serial/8250/8250_core.c ++++ b/drivers/tty/serial/8250/8250_core.c +@@ -1158,6 +1158,7 @@ void serial8250_unregister_port(int line) + uart->port.type = PORT_UNKNOWN; + uart->port.dev = &serial8250_isa_devs->dev; + uart->capabilities = 0; ++ serial8250_init_port(uart); + serial8250_apply_quirks(uart); + uart_add_one_port(&serial8250_reg, &uart->port); + } else { +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-165-mcb-pci-Reallocate-memory-region-to-avoid-memor.patch b/patches.kernel.org/6.3.4-165-mcb-pci-Reallocate-memory-region-to-avoid-memor.patch new file mode 100644 index 0000000..a112ec6 --- /dev/null +++ b/patches.kernel.org/6.3.4-165-mcb-pci-Reallocate-memory-region-to-avoid-memor.patch @@ -0,0 +1,77 @@ +From: =?UTF-8?q?Rodr=C3=ADguez=20Barbarin=2C=20Jos=C3=A9=20Javier?= + +Date: Tue, 11 Apr 2023 10:33:28 +0200 +Subject: [PATCH] mcb-pci: Reallocate memory region to avoid memory overlapping +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 9be24faadd085c284890c3afcec7a0184642315a + +[ Upstream commit 9be24faadd085c284890c3afcec7a0184642315a ] + +mcb-pci requests a fixed-size memory region to parse the chameleon +table, however, if the chameleon table is smaller that the allocated +region, it could overlap with the IP Cores' memory regions. + +After parsing the chameleon table, drop/reallocate the memory region +with the actual chameleon table size. + +Co-developed-by: Jorge Sanjuan Garcia +Signed-off-by: Jorge Sanjuan Garcia +Signed-off-by: Javier Rodriguez +Signed-off-by: Johannes Thumshirn +Link: https://lore.kernel.org/r/20230411083329.4506-3-jth@kernel.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/mcb/mcb-pci.c | 27 +++++++++++++++++++++++++-- + 1 file changed, 25 insertions(+), 2 deletions(-) + +diff --git a/drivers/mcb/mcb-pci.c b/drivers/mcb/mcb-pci.c +index dc88232d..53d9202f 100644 +--- a/drivers/mcb/mcb-pci.c ++++ b/drivers/mcb/mcb-pci.c +@@ -31,7 +31,7 @@ static int mcb_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id) + { + struct resource *res; + struct priv *priv; +- int ret; ++ int ret, table_size; + unsigned long flags; + + priv = devm_kzalloc(&pdev->dev, sizeof(struct priv), GFP_KERNEL); +@@ -90,7 +90,30 @@ static int mcb_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id) + if (ret < 0) + goto out_mcb_bus; + +- dev_dbg(&pdev->dev, "Found %d cells\n", ret); ++ table_size = ret; ++ ++ if (table_size < CHAM_HEADER_SIZE) { ++ /* Release the previous resources */ ++ devm_iounmap(&pdev->dev, priv->base); ++ devm_release_mem_region(&pdev->dev, priv->mapbase, CHAM_HEADER_SIZE); ++ ++ /* Then, allocate it again with the actual chameleon table size */ ++ res = devm_request_mem_region(&pdev->dev, priv->mapbase, ++ table_size, ++ KBUILD_MODNAME); ++ if (!res) { ++ dev_err(&pdev->dev, "Failed to request PCI memory\n"); ++ ret = -EBUSY; ++ goto out_mcb_bus; ++ } ++ ++ priv->base = devm_ioremap(&pdev->dev, priv->mapbase, table_size); ++ if (!priv->base) { ++ dev_err(&pdev->dev, "Cannot ioremap\n"); ++ ret = -ENOMEM; ++ goto out_mcb_bus; ++ } ++ } + + mcb_bus_add_devices(priv->bus); + +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-166-powerpc-Use-of_property_present-for-testing-DT-.patch b/patches.kernel.org/6.3.4-166-powerpc-Use-of_property_present-for-testing-DT-.patch new file mode 100644 index 0000000..0d61817 --- /dev/null +++ b/patches.kernel.org/6.3.4-166-powerpc-Use-of_property_present-for-testing-DT-.patch @@ -0,0 +1,179 @@ +From: Rob Herring +Date: Fri, 10 Mar 2023 08:46:56 -0600 +Subject: [PATCH] powerpc: Use of_property_present() for testing DT property + presence +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 857d423c74228cfa064f79ff3a16b163fdb8d542 + +[ Upstream commit 857d423c74228cfa064f79ff3a16b163fdb8d542 ] + +It is preferred to use typed property access functions (i.e. +of_property_read_ functions) rather than low-level +of_get_property/of_find_property functions for reading properties. As +part of this, convert of_get_property/of_find_property calls to the +recently added of_property_present() helper when we just want to test +for presence of a property and nothing more. + +Signed-off-by: Rob Herring +[mpe: Drop change in ppc4xx_probe_pci_bridge(), formatting] +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20230310144657.1541039-1-robh@kernel.org +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + arch/powerpc/kernel/legacy_serial.c | 8 ++++---- + arch/powerpc/platforms/44x/iss4xx.c | 2 +- + arch/powerpc/platforms/44x/ppc476.c | 2 +- + arch/powerpc/platforms/cell/spu_manage.c | 2 +- + arch/powerpc/platforms/powermac/pic.c | 3 +-- + arch/powerpc/platforms/powernv/opal-lpc.c | 2 +- + arch/powerpc/platforms/pseries/hotplug-cpu.c | 2 +- + arch/powerpc/platforms/pseries/vio.c | 2 +- + arch/powerpc/sysdev/mpic_msgr.c | 2 +- + 9 files changed, 12 insertions(+), 13 deletions(-) + +diff --git a/arch/powerpc/kernel/legacy_serial.c b/arch/powerpc/kernel/legacy_serial.c +index f048c424..1a3b7f35 100644 +--- a/arch/powerpc/kernel/legacy_serial.c ++++ b/arch/powerpc/kernel/legacy_serial.c +@@ -171,11 +171,11 @@ static int __init add_legacy_soc_port(struct device_node *np, + /* We only support ports that have a clock frequency properly + * encoded in the device-tree. + */ +- if (of_get_property(np, "clock-frequency", NULL) == NULL) ++ if (!of_property_present(np, "clock-frequency")) + return -1; + + /* if reg-offset don't try to use it */ +- if ((of_get_property(np, "reg-offset", NULL) != NULL)) ++ if (of_property_present(np, "reg-offset")) + return -1; + + /* if rtas uses this device, don't try to use it as well */ +@@ -237,7 +237,7 @@ static int __init add_legacy_isa_port(struct device_node *np, + * Note: Don't even try on P8 lpc, we know it's not directly mapped + */ + if (!of_device_is_compatible(isa_brg, "ibm,power8-lpc") || +- of_get_property(isa_brg, "ranges", NULL)) { ++ of_property_present(isa_brg, "ranges")) { + taddr = of_translate_address(np, reg); + if (taddr == OF_BAD_ADDR) + taddr = 0; +@@ -268,7 +268,7 @@ static int __init add_legacy_pci_port(struct device_node *np, + * compatible UARTs on PCI need all sort of quirks (port offsets + * etc...) that this code doesn't know about + */ +- if (of_get_property(np, "clock-frequency", NULL) == NULL) ++ if (!of_property_present(np, "clock-frequency")) + return -1; + + /* Get the PCI address. Assume BAR 0 */ +diff --git a/arch/powerpc/platforms/44x/iss4xx.c b/arch/powerpc/platforms/44x/iss4xx.c +index c5f82591..812765cf 100644 +--- a/arch/powerpc/platforms/44x/iss4xx.c ++++ b/arch/powerpc/platforms/44x/iss4xx.c +@@ -52,7 +52,7 @@ static void __init iss4xx_init_irq(void) + + /* Find top level interrupt controller */ + for_each_node_with_property(np, "interrupt-controller") { +- if (of_get_property(np, "interrupts", NULL) == NULL) ++ if (!of_property_present(np, "interrupts")) + break; + } + if (np == NULL) +diff --git a/arch/powerpc/platforms/44x/ppc476.c b/arch/powerpc/platforms/44x/ppc476.c +index 7c91ac5a..70556fd1 100644 +--- a/arch/powerpc/platforms/44x/ppc476.c ++++ b/arch/powerpc/platforms/44x/ppc476.c +@@ -122,7 +122,7 @@ static void __init ppc47x_init_irq(void) + + /* Find top level interrupt controller */ + for_each_node_with_property(np, "interrupt-controller") { +- if (of_get_property(np, "interrupts", NULL) == NULL) ++ if (!of_property_present(np, "interrupts")) + break; + } + if (np == NULL) +diff --git a/arch/powerpc/platforms/cell/spu_manage.c b/arch/powerpc/platforms/cell/spu_manage.c +index f1ac4c74..74567b32 100644 +--- a/arch/powerpc/platforms/cell/spu_manage.c ++++ b/arch/powerpc/platforms/cell/spu_manage.c +@@ -402,7 +402,7 @@ static int __init of_has_vicinity(void) + struct device_node *dn; + + for_each_node_by_type(dn, "spe") { +- if (of_find_property(dn, "vicinity", NULL)) { ++ if (of_property_present(dn, "vicinity")) { + of_node_put(dn); + return 1; + } +diff --git a/arch/powerpc/platforms/powermac/pic.c b/arch/powerpc/platforms/powermac/pic.c +index 8c8d8e0a..7425f94e 100644 +--- a/arch/powerpc/platforms/powermac/pic.c ++++ b/arch/powerpc/platforms/powermac/pic.c +@@ -475,8 +475,7 @@ static int __init pmac_pic_probe_mpic(void) + + /* We can have up to 2 MPICs cascaded */ + for_each_node_by_type(np, "open-pic") { +- if (master == NULL && +- of_get_property(np, "interrupts", NULL) == NULL) ++ if (master == NULL && !of_property_present(np, "interrupts")) + master = of_node_get(np); + else if (slave == NULL) + slave = of_node_get(np); +diff --git a/arch/powerpc/platforms/powernv/opal-lpc.c b/arch/powerpc/platforms/powernv/opal-lpc.c +index d129d6d4..a16f07cd 100644 +--- a/arch/powerpc/platforms/powernv/opal-lpc.c ++++ b/arch/powerpc/platforms/powernv/opal-lpc.c +@@ -403,7 +403,7 @@ void __init opal_lpc_init(void) + return; + + /* Does it support direct mapping ? */ +- if (of_get_property(np, "ranges", NULL)) { ++ if (of_property_present(np, "ranges")) { + pr_info("OPAL: Found memory mapped LPC bus on chip %d\n", + opal_lpc_chip_id); + isa_bridge_init_non_pci(np); +diff --git a/arch/powerpc/platforms/pseries/hotplug-cpu.c b/arch/powerpc/platforms/pseries/hotplug-cpu.c +index 982e5e4b..1a3cb313 100644 +--- a/arch/powerpc/platforms/pseries/hotplug-cpu.c ++++ b/arch/powerpc/platforms/pseries/hotplug-cpu.c +@@ -493,7 +493,7 @@ static bool valid_cpu_drc_index(struct device_node *parent, u32 drc_index) + bool found = false; + int rc, index; + +- if (of_find_property(parent, "ibm,drc-info", NULL)) ++ if (of_property_present(parent, "ibm,drc-info")) + return drc_info_valid_index(parent, drc_index); + + /* Note that the format of the ibm,drc-indexes array is +diff --git a/arch/powerpc/platforms/pseries/vio.c b/arch/powerpc/platforms/pseries/vio.c +index 770df935..d54306a9 100644 +--- a/arch/powerpc/platforms/pseries/vio.c ++++ b/arch/powerpc/platforms/pseries/vio.c +@@ -1440,7 +1440,7 @@ struct vio_dev *vio_register_device_node(struct device_node *of_node) + viodev->dev.bus = &vio_bus_type; + viodev->dev.release = vio_dev_release; + +- if (of_get_property(viodev->dev.of_node, "ibm,my-dma-window", NULL)) { ++ if (of_property_present(viodev->dev.of_node, "ibm,my-dma-window")) { + if (firmware_has_feature(FW_FEATURE_CMO)) + vio_cmo_set_dma_ops(viodev); + else +diff --git a/arch/powerpc/sysdev/mpic_msgr.c b/arch/powerpc/sysdev/mpic_msgr.c +index d75064fb..1a3ac0b5 100644 +--- a/arch/powerpc/sysdev/mpic_msgr.c ++++ b/arch/powerpc/sysdev/mpic_msgr.c +@@ -116,7 +116,7 @@ static unsigned int mpic_msgr_number_of_blocks(void) + + for (;;) { + snprintf(buf, sizeof(buf), "mpic-msgr-block%d", count); +- if (!of_find_property(aliases, buf, NULL)) ++ if (!of_property_present(aliases, buf)) + break; + + count += 1; +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-167-sched-Fix-KCSAN-noinstr-violation.patch b/patches.kernel.org/6.3.4-167-sched-Fix-KCSAN-noinstr-violation.patch new file mode 100644 index 0000000..296fac6 --- /dev/null +++ b/patches.kernel.org/6.3.4-167-sched-Fix-KCSAN-noinstr-violation.patch @@ -0,0 +1,41 @@ +From: Josh Poimboeuf +Date: Wed, 12 Apr 2023 10:24:07 -0700 +Subject: [PATCH] sched: Fix KCSAN noinstr violation +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: e0b081d17a9f4e5c0cbb0e5fbeb1abe3de0f7e4e + +[ Upstream commit e0b081d17a9f4e5c0cbb0e5fbeb1abe3de0f7e4e ] + +With KCSAN enabled, end_of_stack() can get out-of-lined. Force it +inline. + +Fixes the following warnings: + + vmlinux.o: warning: objtool: check_stackleak_irqoff+0x2b: call to end_of_stack() leaves .noinstr.text section + +Signed-off-by: Josh Poimboeuf +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lore.kernel.org/r/cc1b4d73d3a428a00d206242a68fdf99a934ca7b.1681320026.git.jpoimboe@kernel.org +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + include/linux/sched/task_stack.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/sched/task_stack.h b/include/linux/sched/task_stack.h +index 5e799a47..f158b025 100644 +--- a/include/linux/sched/task_stack.h ++++ b/include/linux/sched/task_stack.h +@@ -23,7 +23,7 @@ static __always_inline void *task_stack_page(const struct task_struct *task) + + #define setup_thread_stack(new,old) do { } while(0) + +-static inline unsigned long *end_of_stack(const struct task_struct *task) ++static __always_inline unsigned long *end_of_stack(const struct task_struct *task) + { + #ifdef CONFIG_STACK_GROWSUP + return (unsigned long *)((unsigned long)task->stack + THREAD_SIZE) - 1; +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-168-lkdtm-stackleak-Fix-noinstr-violation.patch b/patches.kernel.org/6.3.4-168-lkdtm-stackleak-Fix-noinstr-violation.patch new file mode 100644 index 0000000..e5bc6b1 --- /dev/null +++ b/patches.kernel.org/6.3.4-168-lkdtm-stackleak-Fix-noinstr-violation.patch @@ -0,0 +1,67 @@ +From: Josh Poimboeuf +Date: Wed, 12 Apr 2023 10:24:08 -0700 +Subject: [PATCH] lkdtm/stackleak: Fix noinstr violation +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: f571da059f86fd9d432aea32c9c7e5aaa53245d8 + +[ Upstream commit f571da059f86fd9d432aea32c9c7e5aaa53245d8 ] + +Fixes the following warning: + + vmlinux.o: warning: objtool: check_stackleak_irqoff+0x2b6: call to _printk() leaves .noinstr.text section + +Signed-off-by: Josh Poimboeuf +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lore.kernel.org/r/ee5209f53aa0a62aea58be18f2b78b17606779a6.1681320026.git.jpoimboe@kernel.org +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/misc/lkdtm/stackleak.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/misc/lkdtm/stackleak.c b/drivers/misc/lkdtm/stackleak.c +index 025b1332..f1d02216 100644 +--- a/drivers/misc/lkdtm/stackleak.c ++++ b/drivers/misc/lkdtm/stackleak.c +@@ -43,12 +43,14 @@ static void noinstr check_stackleak_irqoff(void) + * STACK_END_MAGIC, and in either casee something is seriously wrong. + */ + if (current_sp < task_stack_low || current_sp >= task_stack_high) { ++ instrumentation_begin(); + pr_err("FAIL: current_stack_pointer (0x%lx) outside of task stack bounds [0x%lx..0x%lx]\n", + current_sp, task_stack_low, task_stack_high - 1); + test_failed = true; + goto out; + } + if (lowest_sp < task_stack_low || lowest_sp >= task_stack_high) { ++ instrumentation_begin(); + pr_err("FAIL: current->lowest_stack (0x%lx) outside of task stack bounds [0x%lx..0x%lx]\n", + lowest_sp, task_stack_low, task_stack_high - 1); + test_failed = true; +@@ -86,11 +88,14 @@ static void noinstr check_stackleak_irqoff(void) + if (*(unsigned long *)poison_low == STACKLEAK_POISON) + continue; + ++ instrumentation_begin(); + pr_err("FAIL: non-poison value %lu bytes below poison boundary: 0x%lx\n", + poison_high - poison_low, *(unsigned long *)poison_low); + test_failed = true; ++ goto out; + } + ++ instrumentation_begin(); + pr_info("stackleak stack usage:\n" + " high offset: %lu bytes\n" + " current: %lu bytes\n" +@@ -113,6 +118,7 @@ static void noinstr check_stackleak_irqoff(void) + } else { + pr_info("OK: the rest of the thread stack is properly erased\n"); + } ++ instrumentation_end(); + } + + static void lkdtm_STACKLEAK_ERASING(void) +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-169-riscv-Fix-EFI-stub-usage-of-KASAN-instrumented-.patch b/patches.kernel.org/6.3.4-169-riscv-Fix-EFI-stub-usage-of-KASAN-instrumented-.patch new file mode 100644 index 0000000..8948632 --- /dev/null +++ b/patches.kernel.org/6.3.4-169-riscv-Fix-EFI-stub-usage-of-KASAN-instrumented-.patch @@ -0,0 +1,44 @@ +From: Alexandre Ghiti +Date: Fri, 3 Feb 2023 08:52:30 +0100 +Subject: [PATCH] riscv: Fix EFI stub usage of KASAN instrumented strcmp + function +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 617955ca6e275c4dd0dcf5316fca7fc04a8f2fe6 + +[ Upstream commit 617955ca6e275c4dd0dcf5316fca7fc04a8f2fe6 ] + +The EFI stub must not use any KASAN instrumented code as the kernel +proper did not initialize the thread pointer and the mapping for the +KASAN shadow region. + +Avoid using the generic strcmp function, instead use the one in +drivers/firmware/efi/libstub/string.c. + +Signed-off-by: Alexandre Ghiti +Acked-by: Ard Biesheuvel +Reviewed-by: Atish Patra +Link: https://lore.kernel.org/r/20230203075232.274282-5-alexghiti@rivosinc.com +Signed-off-by: Palmer Dabbelt +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + arch/riscv/kernel/image-vars.h | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/arch/riscv/kernel/image-vars.h b/arch/riscv/kernel/image-vars.h +index 7e2962ef..15616155 100644 +--- a/arch/riscv/kernel/image-vars.h ++++ b/arch/riscv/kernel/image-vars.h +@@ -23,8 +23,6 @@ + * linked at. The routines below are all implemented in assembler in a + * position independent manner + */ +-__efistub_strcmp = strcmp; +- + __efistub__start = _start; + __efistub__start_kernel = _start_kernel; + __efistub__end = _end; +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-170-recordmcount-Fix-memory-leaks-in-the-uwrite-fun.patch b/patches.kernel.org/6.3.4-170-recordmcount-Fix-memory-leaks-in-the-uwrite-fun.patch new file mode 100644 index 0000000..6b55b3c --- /dev/null +++ b/patches.kernel.org/6.3.4-170-recordmcount-Fix-memory-leaks-in-the-uwrite-fun.patch @@ -0,0 +1,49 @@ +From: Hao Zeng +Date: Wed, 26 Apr 2023 09:05:27 +0800 +Subject: [PATCH] recordmcount: Fix memory leaks in the uwrite function +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: fa359d068574d29e7d2f0fdd0ebe4c6a12b5cfb9 + +[ Upstream commit fa359d068574d29e7d2f0fdd0ebe4c6a12b5cfb9 ] + +Common realloc mistake: 'file_append' nulled but not freed upon failure + +Link: https://lkml.kernel.org/r/20230426010527.703093-1-zenghao@kylinos.cn + +Signed-off-by: Hao Zeng +Suggested-by: Steven Rostedt +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + scripts/recordmcount.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/scripts/recordmcount.c b/scripts/recordmcount.c +index e3021652..40ae6b2c 100644 +--- a/scripts/recordmcount.c ++++ b/scripts/recordmcount.c +@@ -110,6 +110,7 @@ static ssize_t uwrite(void const *const buf, size_t const count) + { + size_t cnt = count; + off_t idx = 0; ++ void *p = NULL; + + file_updated = 1; + +@@ -117,7 +118,10 @@ static ssize_t uwrite(void const *const buf, size_t const count) + off_t aoffset = (file_ptr + count) - file_end; + + if (aoffset > file_append_size) { +- file_append = realloc(file_append, aoffset); ++ p = realloc(file_append, aoffset); ++ if (!p) ++ free(file_append); ++ file_append = p; + file_append_size = aoffset; + } + if (!file_append) { +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-171-RDMA-core-Fix-multiple-Warray-bounds-warnings.patch b/patches.kernel.org/6.3.4-171-RDMA-core-Fix-multiple-Warray-bounds-warnings.patch new file mode 100644 index 0000000..c514af5 --- /dev/null +++ b/patches.kernel.org/6.3.4-171-RDMA-core-Fix-multiple-Warray-bounds-warnings.patch @@ -0,0 +1,188 @@ +From: "Gustavo A. R. Silva" +Date: Tue, 21 Mar 2023 17:47:03 -0600 +Subject: [PATCH] RDMA/core: Fix multiple -Warray-bounds warnings +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: aa4d540b4150052ae3b36d286b9c833a961ce291 + +[ Upstream commit aa4d540b4150052ae3b36d286b9c833a961ce291 ] + +GCC-13 (and Clang)[1] does not like to access a partially allocated +object, since it cannot reason about it for bounds checking. + +In this case 140 bytes are allocated for an object of type struct +ib_umad_packet: + + packet = kzalloc(sizeof(*packet) + IB_MGMT_RMPP_HDR, GFP_KERNEL); + +However, notice that sizeof(*packet) is only 104 bytes: + +struct ib_umad_packet { + struct ib_mad_send_buf * msg; /* 0 8 */ + struct ib_mad_recv_wc * recv_wc; /* 8 8 */ + struct list_head list; /* 16 16 */ + int length; /* 32 4 */ + + /* XXX 4 bytes hole, try to pack */ + + struct ib_user_mad mad __attribute__((__aligned__(8))); /* 40 64 */ + + /* size: 104, cachelines: 2, members: 5 */ + /* sum members: 100, holes: 1, sum holes: 4 */ + /* forced alignments: 1, forced holes: 1, sum forced holes: 4 */ + /* last cacheline: 40 bytes */ +} __attribute__((__aligned__(8))); + +and 36 bytes extra bytes are allocated for a flexible-array member in +struct ib_user_mad: + +include/rdma/ib_mad.h: +120 enum { +... +123 IB_MGMT_RMPP_HDR = 36, +... } + +struct ib_user_mad { + struct ib_user_mad_hdr hdr; /* 0 64 */ + /* --- cacheline 1 boundary (64 bytes) --- */ + __u64 data[] __attribute__((__aligned__(8))); /* 64 0 */ + + /* size: 64, cachelines: 1, members: 2 */ + /* forced alignments: 1 */ +} __attribute__((__aligned__(8))); + +So we have sizeof(*packet) + IB_MGMT_RMPP_HDR == 140 bytes + +Then the address of the flex-array member (for which only 36 bytes were +allocated) is casted and copied into a pointer to struct ib_rmpp_mad, +which, in turn, is of size 256 bytes: + + rmpp_mad = (struct ib_rmpp_mad *) packet->mad.data; + +struct ib_rmpp_mad { + struct ib_mad_hdr mad_hdr; /* 0 24 */ + struct ib_rmpp_hdr rmpp_hdr; /* 24 12 */ + u8 data[220]; /* 36 220 */ + + /* size: 256, cachelines: 4, members: 3 */ +}; + +The thing is that those 36 bytes allocated for flex-array member data +in struct ib_user_mad onlly account for the size of both struct ib_mad_hdr +and struct ib_rmpp_hdr, but nothing is left for array u8 data[220]. +So, the compiler is legitimately complaining about accessing an object +for which not enough memory was allocated. + +Apparently, the only members of struct ib_rmpp_mad that are relevant +(that are actually being used) in function ib_umad_write() are mad_hdr +and rmpp_hdr. So, instead of casting packet->mad.data to +(struct ib_rmpp_mad *) create a new structure + +struct ib_rmpp_mad_hdr { + struct ib_mad_hdr mad_hdr; + struct ib_rmpp_hdr rmpp_hdr; +} __packed; + +and cast packet->mad.data to (struct ib_rmpp_mad_hdr *). + +Notice that + + IB_MGMT_RMPP_HDR == sizeof(struct ib_rmpp_mad_hdr) == 36 bytes + +Refactor the rest of the code, accordingly. + +Fix the following warnings seen under GCC-13 and -Warray-bounds: +drivers/infiniband/core/user_mad.c:564:50: warning: array subscript ‘struct ib_rmpp_mad[0]’ is partly outside array bounds of ‘unsigned char[140]’ [-Warray-bounds=] +drivers/infiniband/core/user_mad.c:566:42: warning: array subscript ‘struct ib_rmpp_mad[0]’ is partly outside array bounds of ‘unsigned char[140]’ [-Warray-bounds=] +drivers/infiniband/core/user_mad.c:618:25: warning: array subscript ‘struct ib_rmpp_mad[0]’ is partly outside array bounds of ‘unsigned char[140]’ [-Warray-bounds=] +drivers/infiniband/core/user_mad.c:622:44: warning: array subscript ‘struct ib_rmpp_mad[0]’ is partly outside array bounds of ‘unsigned char[140]’ [-Warray-bounds=] + +Link: https://github.com/KSPP/linux/issues/273 +Link: https://godbolt.org/z/oYWaGM4Yb [1] +Signed-off-by: Gustavo A. R. Silva +Link: https://lore.kernel.org/r/ZBpB91qQcB10m3Fw@work +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/infiniband/core/user_mad.c | 23 ++++++++++++++--------- + 1 file changed, 14 insertions(+), 9 deletions(-) + +diff --git a/drivers/infiniband/core/user_mad.c b/drivers/infiniband/core/user_mad.c +index f8395418..d21c0a04 100644 +--- a/drivers/infiniband/core/user_mad.c ++++ b/drivers/infiniband/core/user_mad.c +@@ -131,6 +131,11 @@ struct ib_umad_packet { + struct ib_user_mad mad; + }; + ++struct ib_rmpp_mad_hdr { ++ struct ib_mad_hdr mad_hdr; ++ struct ib_rmpp_hdr rmpp_hdr; ++} __packed; ++ + #define CREATE_TRACE_POINTS + #include + +@@ -494,11 +499,11 @@ static ssize_t ib_umad_write(struct file *filp, const char __user *buf, + size_t count, loff_t *pos) + { + struct ib_umad_file *file = filp->private_data; ++ struct ib_rmpp_mad_hdr *rmpp_mad_hdr; + struct ib_umad_packet *packet; + struct ib_mad_agent *agent; + struct rdma_ah_attr ah_attr; + struct ib_ah *ah; +- struct ib_rmpp_mad *rmpp_mad; + __be64 *tid; + int ret, data_len, hdr_len, copy_offset, rmpp_active; + u8 base_version; +@@ -506,7 +511,7 @@ static ssize_t ib_umad_write(struct file *filp, const char __user *buf, + if (count < hdr_size(file) + IB_MGMT_RMPP_HDR) + return -EINVAL; + +- packet = kzalloc(sizeof *packet + IB_MGMT_RMPP_HDR, GFP_KERNEL); ++ packet = kzalloc(sizeof(*packet) + IB_MGMT_RMPP_HDR, GFP_KERNEL); + if (!packet) + return -ENOMEM; + +@@ -560,13 +565,13 @@ static ssize_t ib_umad_write(struct file *filp, const char __user *buf, + goto err_up; + } + +- rmpp_mad = (struct ib_rmpp_mad *) packet->mad.data; +- hdr_len = ib_get_mad_data_offset(rmpp_mad->mad_hdr.mgmt_class); ++ rmpp_mad_hdr = (struct ib_rmpp_mad_hdr *)packet->mad.data; ++ hdr_len = ib_get_mad_data_offset(rmpp_mad_hdr->mad_hdr.mgmt_class); + +- if (ib_is_mad_class_rmpp(rmpp_mad->mad_hdr.mgmt_class) ++ if (ib_is_mad_class_rmpp(rmpp_mad_hdr->mad_hdr.mgmt_class) + && ib_mad_kernel_rmpp_agent(agent)) { + copy_offset = IB_MGMT_RMPP_HDR; +- rmpp_active = ib_get_rmpp_flags(&rmpp_mad->rmpp_hdr) & ++ rmpp_active = ib_get_rmpp_flags(&rmpp_mad_hdr->rmpp_hdr) & + IB_MGMT_RMPP_FLAG_ACTIVE; + } else { + copy_offset = IB_MGMT_MAD_HDR; +@@ -615,12 +620,12 @@ static ssize_t ib_umad_write(struct file *filp, const char __user *buf, + tid = &((struct ib_mad_hdr *) packet->msg->mad)->tid; + *tid = cpu_to_be64(((u64) agent->hi_tid) << 32 | + (be64_to_cpup(tid) & 0xffffffff)); +- rmpp_mad->mad_hdr.tid = *tid; ++ rmpp_mad_hdr->mad_hdr.tid = *tid; + } + + if (!ib_mad_kernel_rmpp_agent(agent) +- && ib_is_mad_class_rmpp(rmpp_mad->mad_hdr.mgmt_class) +- && (ib_get_rmpp_flags(&rmpp_mad->rmpp_hdr) & IB_MGMT_RMPP_FLAG_ACTIVE)) { ++ && ib_is_mad_class_rmpp(rmpp_mad_hdr->mad_hdr.mgmt_class) ++ && (ib_get_rmpp_flags(&rmpp_mad_hdr->rmpp_hdr) & IB_MGMT_RMPP_FLAG_ACTIVE)) { + spin_lock_irq(&file->send_lock); + list_add_tail(&packet->list, &file->send_list); + spin_unlock_irq(&file->send_lock); +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-172-KVM-selftests-Add-malloc-failure-check-in-vcpu_.patch b/patches.kernel.org/6.3.4-172-KVM-selftests-Add-malloc-failure-check-in-vcpu_.patch new file mode 100644 index 0000000..4d7858e --- /dev/null +++ b/patches.kernel.org/6.3.4-172-KVM-selftests-Add-malloc-failure-check-in-vcpu_.patch @@ -0,0 +1,38 @@ +From: Ivan Orlov +Date: Wed, 22 Mar 2023 18:45:28 +0400 +Subject: [PATCH] KVM: selftests: Add 'malloc' failure check in vcpu_save_state +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 735b0e0f2d001b7ed9486db84453fb860e764a4d + +[ Upstream commit 735b0e0f2d001b7ed9486db84453fb860e764a4d ] + +There is a 'malloc' call in vcpu_save_state function, which can +be unsuccessful. This patch will add the malloc failure checking +to avoid possible null dereference and give more information +about test fail reasons. + +Signed-off-by: Ivan Orlov +Link: https://lore.kernel.org/r/20230322144528.704077-1-ivan.orlov0322@gmail.com +Signed-off-by: Sean Christopherson +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + tools/testing/selftests/kvm/lib/x86_64/processor.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/testing/selftests/kvm/lib/x86_64/processor.c b/tools/testing/selftests/kvm/lib/x86_64/processor.c +index c39a4353..827647ff 100644 +--- a/tools/testing/selftests/kvm/lib/x86_64/processor.c ++++ b/tools/testing/selftests/kvm/lib/x86_64/processor.c +@@ -954,6 +954,7 @@ struct kvm_x86_state *vcpu_save_state(struct kvm_vcpu *vcpu) + vcpu_run_complete_io(vcpu); + + state = malloc(sizeof(*state) + msr_list->nmsrs * sizeof(state->msrs.entries[0])); ++ TEST_ASSERT(state, "-ENOMEM when allocating kvm state"); + + vcpu_events_get(vcpu, &state->events); + vcpu_mp_state_get(vcpu, &state->mp_state); +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-173-iommu-arm-smmu-qcom-Limit-the-SMR-groups-to-128.patch b/patches.kernel.org/6.3.4-173-iommu-arm-smmu-qcom-Limit-the-SMR-groups-to-128.patch new file mode 100644 index 0000000..29032b9 --- /dev/null +++ b/patches.kernel.org/6.3.4-173-iommu-arm-smmu-qcom-Limit-the-SMR-groups-to-128.patch @@ -0,0 +1,68 @@ +From: Manivannan Sadhasivam +Date: Mon, 27 Mar 2023 13:30:29 +0530 +Subject: [PATCH] iommu/arm-smmu-qcom: Limit the SMR groups to 128 +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 12261134732689b7e30c59db9978f81230965181 + +[ Upstream commit 12261134732689b7e30c59db9978f81230965181 ] + +Some platforms support more than 128 stream matching groups than what is +defined by the ARM SMMU architecture specification. But due to some unknown +reasons, those additional groups don't exhibit the same behavior as the +architecture supported ones. + +For instance, the additional groups will not detect the quirky behavior of +some firmware versions intercepting writes to S2CR register, thus skipping +the quirk implemented in the driver and causing boot crash. + +So let's limit the groups to 128 for now until the issue with those groups +are fixed and issue a notice to users in that case. + +Reviewed-by: Johan Hovold +Tested-by: Johan Hovold +Signed-off-by: Manivannan Sadhasivam +Link: https://lore.kernel.org/r/20230327080029.11584-1-manivannan.sadhasivam@linaro.org +[will: Reworded the comment slightly] +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c | 16 +++++++++++++++- + 1 file changed, 15 insertions(+), 1 deletion(-) + +diff --git a/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c b/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c +index d1b296b9..ae09c627 100644 +--- a/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c ++++ b/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c +@@ -268,12 +268,26 @@ static int qcom_smmu_init_context(struct arm_smmu_domain *smmu_domain, + + static int qcom_smmu_cfg_probe(struct arm_smmu_device *smmu) + { +- unsigned int last_s2cr = ARM_SMMU_GR0_S2CR(smmu->num_mapping_groups - 1); + struct qcom_smmu *qsmmu = to_qcom_smmu(smmu); ++ unsigned int last_s2cr; + u32 reg; + u32 smr; + int i; + ++ /* ++ * Some platforms support more than the Arm SMMU architected maximum of ++ * 128 stream matching groups. For unknown reasons, the additional ++ * groups don't exhibit the same behavior as the architected registers, ++ * so limit the groups to 128 until the behavior is fixed for the other ++ * groups. ++ */ ++ if (smmu->num_mapping_groups > 128) { ++ dev_notice(smmu->dev, "\tLimiting the stream matching groups to 128\n"); ++ smmu->num_mapping_groups = 128; ++ } ++ ++ last_s2cr = ARM_SMMU_GR0_S2CR(smmu->num_mapping_groups - 1); ++ + /* + * With some firmware versions writes to S2CR of type FAULT are + * ignored, and writing BYPASS will end up written as FAULT in the +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-174-fs-ntfs3-Fix-NULL-pointer-dereference-in-ni_wri.patch b/patches.kernel.org/6.3.4-174-fs-ntfs3-Fix-NULL-pointer-dereference-in-ni_wri.patch new file mode 100644 index 0000000..a3f3341 --- /dev/null +++ b/patches.kernel.org/6.3.4-174-fs-ntfs3-Fix-NULL-pointer-dereference-in-ni_wri.patch @@ -0,0 +1,110 @@ +From: Ye Bin +Date: Thu, 17 Nov 2022 17:19:12 +0800 +Subject: [PATCH] fs/ntfs3: Fix NULL pointer dereference in 'ni_write_inode' +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: db2a3cc6a3481076da6344cc62a80a4e2525f36f + +[ Upstream commit db2a3cc6a3481076da6344cc62a80a4e2525f36f ] + +Syzbot found the following issue: +Unable to handle kernel NULL pointer dereference at virtual address 0000000000000016 +Mem abort info: + ESR = 0x0000000096000006 + EC = 0x25: DABT (current EL), IL = 32 bits + SET = 0, FnV = 0 + EA = 0, S1PTW = 0 + FSC = 0x06: level 2 translation fault +Data abort info: + ISV = 0, ISS = 0x00000006 + CM = 0, WnR = 0 +user pgtable: 4k pages, 48-bit VAs, pgdp=000000010af56000 +[0000000000000016] pgd=08000001090da003, p4d=08000001090da003, pud=08000001090ce003, pmd=0000000000000000 +Internal error: Oops: 0000000096000006 [#1] PREEMPT SMP +Modules linked in: +CPU: 1 PID: 3036 Comm: syz-executor206 Not tainted 6.0.0-rc6-syzkaller-17739-g16c9f284e746 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022 +pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) +pc : is_rec_inuse fs/ntfs3/ntfs.h:313 [inline] +pc : ni_write_inode+0xac/0x798 fs/ntfs3/frecord.c:3232 +lr : ni_write_inode+0xa0/0x798 fs/ntfs3/frecord.c:3226 +sp : ffff8000126c3800 +x29: ffff8000126c3860 x28: 0000000000000000 x27: ffff0000c8b02000 +x26: ffff0000c7502320 x25: ffff0000c7502288 x24: 0000000000000000 +x23: ffff80000cbec91c x22: ffff0000c8b03000 x21: ffff0000c8b02000 +x20: 0000000000000001 x19: ffff0000c75024d8 x18: 00000000000000c0 +x17: ffff80000dd1b198 x16: ffff80000db59158 x15: ffff0000c4b6b500 +x14: 00000000000000b8 x13: 0000000000000000 x12: ffff0000c4b6b500 +x11: ff80800008be1b60 x10: 0000000000000000 x9 : ffff0000c4b6b500 +x8 : 0000000000000000 x7 : ffff800008be1b50 x6 : 0000000000000000 +x5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000000 +x2 : 0000000000000008 x1 : 0000000000000001 x0 : 0000000000000000 +Call trace: + is_rec_inuse fs/ntfs3/ntfs.h:313 [inline] + ni_write_inode+0xac/0x798 fs/ntfs3/frecord.c:3232 + ntfs_evict_inode+0x54/0x84 fs/ntfs3/inode.c:1744 + evict+0xec/0x334 fs/inode.c:665 + iput_final fs/inode.c:1748 [inline] + iput+0x2c4/0x324 fs/inode.c:1774 + ntfs_new_inode+0x7c/0xe0 fs/ntfs3/fsntfs.c:1660 + ntfs_create_inode+0x20c/0xe78 fs/ntfs3/inode.c:1278 + ntfs_create+0x54/0x74 fs/ntfs3/namei.c:100 + lookup_open fs/namei.c:3413 [inline] + open_last_lookups fs/namei.c:3481 [inline] + path_openat+0x804/0x11c4 fs/namei.c:3688 + do_filp_open+0xdc/0x1b8 fs/namei.c:3718 + do_sys_openat2+0xb8/0x22c fs/open.c:1311 + do_sys_open fs/open.c:1327 [inline] + __do_sys_openat fs/open.c:1343 [inline] + __se_sys_openat fs/open.c:1338 [inline] + __arm64_sys_openat+0xb0/0xe0 fs/open.c:1338 + __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline] + invoke_syscall arch/arm64/kernel/syscall.c:52 [inline] + el0_svc_common+0x138/0x220 arch/arm64/kernel/syscall.c:142 + do_el0_svc+0x48/0x164 arch/arm64/kernel/syscall.c:206 + el0_svc+0x58/0x150 arch/arm64/kernel/entry-common.c:636 + el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:654 + el0t_64_sync+0x18c/0x190 +Code: 97dafee4 340001b4 f9401328 2a1f03e0 (79402d14) +---[ end trace 0000000000000000 ]--- + +Above issue may happens as follows: +ntfs_new_inode + mi_init + mi->mrec = kmalloc(sbi->record_size, GFP_NOFS); -->failed to allocate memory + if (!mi->mrec) + return -ENOMEM; +iput + iput_final + evict + ntfs_evict_inode + ni_write_inode + is_rec_inuse(ni->mi.mrec)-> As 'ni->mi.mrec' is NULL trigger NULL-ptr-deref + +To solve above issue if new inode failed make inode bad before call 'iput()' in +'ntfs_new_inode()'. + +Reported-by: syzbot+f45957555ed4a808cc7a@syzkaller.appspotmail.com +Signed-off-by: Ye Bin +Signed-off-by: Konstantin Komarov +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + fs/ntfs3/fsntfs.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/ntfs3/fsntfs.c b/fs/ntfs3/fsntfs.c +index 24c9aeb5..2c0ce364 100644 +--- a/fs/ntfs3/fsntfs.c ++++ b/fs/ntfs3/fsntfs.c +@@ -1683,6 +1683,7 @@ struct ntfs_inode *ntfs_new_inode(struct ntfs_sb_info *sbi, CLST rno, bool dir) + + out: + if (err) { ++ make_bad_inode(inode); + iput(inode); + ni = ERR_PTR(err); + } +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-175-fs-ntfs3-Enhance-the-attribute-size-check.patch b/patches.kernel.org/6.3.4-175-fs-ntfs3-Enhance-the-attribute-size-check.patch new file mode 100644 index 0000000..0237bf8 --- /dev/null +++ b/patches.kernel.org/6.3.4-175-fs-ntfs3-Enhance-the-attribute-size-check.patch @@ -0,0 +1,136 @@ +From: Edward Lo +Date: Thu, 27 Oct 2022 23:33:37 +0800 +Subject: [PATCH] fs/ntfs3: Enhance the attribute size check +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 4f082a7531223a438c757bb20e304f4c941c67a8 + +[ Upstream commit 4f082a7531223a438c757bb20e304f4c941c67a8 ] + +This combines the overflow and boundary check so that all attribute size +will be properly examined while enumerating them. + +[ 169.181521] BUG: KASAN: slab-out-of-bounds in run_unpack+0x2e3/0x570 +[ 169.183161] Read of size 1 at addr ffff8880094b6240 by task mount/247 +[ 169.184046] +[ 169.184925] CPU: 0 PID: 247 Comm: mount Not tainted 6.0.0-rc7+ #3 +[ 169.185908] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 +[ 169.187066] Call Trace: +[ 169.187492] +[ 169.188049] dump_stack_lvl+0x49/0x63 +[ 169.188495] print_report.cold+0xf5/0x689 +[ 169.188964] ? run_unpack+0x2e3/0x570 +[ 169.189331] kasan_report+0xa7/0x130 +[ 169.189714] ? run_unpack+0x2e3/0x570 +[ 169.190079] __asan_load1+0x51/0x60 +[ 169.190634] run_unpack+0x2e3/0x570 +[ 169.191290] ? run_pack+0x840/0x840 +[ 169.191569] ? run_lookup_entry+0xb3/0x1f0 +[ 169.192443] ? mi_enum_attr+0x20a/0x230 +[ 169.192886] run_unpack_ex+0xad/0x3e0 +[ 169.193276] ? run_unpack+0x570/0x570 +[ 169.193557] ? ni_load_mi+0x80/0x80 +[ 169.193889] ? debug_smp_processor_id+0x17/0x20 +[ 169.194236] ? mi_init+0x4a/0x70 +[ 169.194496] attr_load_runs_vcn+0x166/0x1c0 +[ 169.194851] ? attr_data_write_resident+0x250/0x250 +[ 169.195188] mi_read+0x133/0x2c0 +[ 169.195481] ntfs_iget5+0x277/0x1780 +[ 169.196017] ? call_rcu+0x1c7/0x330 +[ 169.196392] ? ntfs_get_block_bmap+0x70/0x70 +[ 169.196708] ? evict+0x223/0x280 +[ 169.197014] ? __kmalloc+0x33/0x540 +[ 169.197305] ? wnd_init+0x15b/0x1b0 +[ 169.197599] ntfs_fill_super+0x1026/0x1ba0 +[ 169.197994] ? put_ntfs+0x1d0/0x1d0 +[ 169.198299] ? vsprintf+0x20/0x20 +[ 169.198583] ? mutex_unlock+0x81/0xd0 +[ 169.198930] ? set_blocksize+0x95/0x150 +[ 169.199269] get_tree_bdev+0x232/0x370 +[ 169.199750] ? put_ntfs+0x1d0/0x1d0 +[ 169.200094] ntfs_fs_get_tree+0x15/0x20 +[ 169.200431] vfs_get_tree+0x4c/0x130 +[ 169.200714] path_mount+0x654/0xfe0 +[ 169.201067] ? putname+0x80/0xa0 +[ 169.201358] ? finish_automount+0x2e0/0x2e0 +[ 169.201965] ? putname+0x80/0xa0 +[ 169.202445] ? kmem_cache_free+0x1c4/0x440 +[ 169.203075] ? putname+0x80/0xa0 +[ 169.203414] do_mount+0xd6/0xf0 +[ 169.203719] ? path_mount+0xfe0/0xfe0 +[ 169.203977] ? __kasan_check_write+0x14/0x20 +[ 169.204382] __x64_sys_mount+0xca/0x110 +[ 169.204711] do_syscall_64+0x3b/0x90 +[ 169.205059] entry_SYSCALL_64_after_hwframe+0x63/0xcd +[ 169.205571] RIP: 0033:0x7f67a80e948a +[ 169.206327] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008 +[ 169.208296] RSP: 002b:00007ffddf020f58 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5 +[ 169.209253] RAX: ffffffffffffffda RBX: 000055e2547a6060 RCX: 00007f67a80e948a +[ 169.209777] RDX: 000055e2547a6260 RSI: 000055e2547a62e0 RDI: 000055e2547aeaf0 +[ 169.210342] RBP: 0000000000000000 R08: 000055e2547a6280 R09: 0000000000000020 +[ 169.210843] R10: 00000000c0ed0000 R11: 0000000000000202 R12: 000055e2547aeaf0 +[ 169.211307] R13: 000055e2547a6260 R14: 0000000000000000 R15: 00000000ffffffff +[ 169.211913] +[ 169.212304] +[ 169.212680] Allocated by task 0: +[ 169.212963] (stack is not available) +[ 169.213200] +[ 169.213472] The buggy address belongs to the object at ffff8880094b5e00 +[ 169.213472] which belongs to the cache UDP of size 1152 +[ 169.214095] The buggy address is located 1088 bytes inside of +[ 169.214095] 1152-byte region [ffff8880094b5e00, ffff8880094b6280) +[ 169.214639] +[ 169.215004] The buggy address belongs to the physical page: +[ 169.215766] page:000000002e324c8c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x94b4 +[ 169.218412] head:000000002e324c8c order:2 compound_mapcount:0 compound_pincount:0 +[ 169.219078] flags: 0xfffffc0010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff) +[ 169.220272] raw: 000fffffc0010200 0000000000000000 dead000000000122 ffff888002409b40 +[ 169.221006] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000 +[ 169.222320] page dumped because: kasan: bad access detected +[ 169.222922] +[ 169.223119] Memory state around the buggy address: +[ 169.224056] ffff8880094b6100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 169.224908] ffff8880094b6180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 169.225677] >ffff8880094b6200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 169.226445] ^ +[ 169.227055] ffff8880094b6280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 169.227638] ffff8880094b6300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + +Signed-off-by: Edward Lo +Signed-off-by: Konstantin Komarov +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + fs/ntfs3/record.c | 9 ++------- + 1 file changed, 2 insertions(+), 7 deletions(-) + +diff --git a/fs/ntfs3/record.c b/fs/ntfs3/record.c +index defce6a5..abfe0047 100644 +--- a/fs/ntfs3/record.c ++++ b/fs/ntfs3/record.c +@@ -220,11 +220,6 @@ struct ATTRIB *mi_enum_attr(struct mft_inode *mi, struct ATTRIB *attr) + return NULL; + } + +- if (off + asize < off) { +- /* overflow check */ +- return NULL; +- } +- + attr = Add2Ptr(attr, asize); + off += asize; + } +@@ -247,8 +242,8 @@ struct ATTRIB *mi_enum_attr(struct mft_inode *mi, struct ATTRIB *attr) + if ((t32 & 0xf) || (t32 > 0x100)) + return NULL; + +- /* Check boundary. */ +- if (off + asize > used) ++ /* Check overflow and boundary. */ ++ if (off + asize < off || off + asize > used) + return NULL; + + /* Check size of attribute. */ +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-176-fs-ntfs3-Fix-NULL-dereference-in-ni_write_inode.patch b/patches.kernel.org/6.3.4-176-fs-ntfs3-Fix-NULL-dereference-in-ni_write_inode.patch new file mode 100644 index 0000000..f17e9e0 --- /dev/null +++ b/patches.kernel.org/6.3.4-176-fs-ntfs3-Fix-NULL-dereference-in-ni_write_inode.patch @@ -0,0 +1,44 @@ +From: Abdun Nihaal +Date: Sun, 30 Oct 2022 12:32:51 +0530 +Subject: [PATCH] fs/ntfs3: Fix NULL dereference in ni_write_inode +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 8dae4f6341e335a09575be60b4fdf697c732a470 + +[ Upstream commit 8dae4f6341e335a09575be60b4fdf697c732a470 ] + +Syzbot reports a NULL dereference in ni_write_inode. +When creating a new inode, if allocation fails in mi_init function +(called in mi_format_new function), mi->mrec is set to NULL. +In the error path of this inode creation, mi->mrec is later +dereferenced in ni_write_inode. + +Add a NULL check to prevent NULL dereference. + +Link: https://syzkaller.appspot.com/bug?extid=f45957555ed4a808cc7a +Reported-and-tested-by: syzbot+f45957555ed4a808cc7a@syzkaller.appspotmail.com +Signed-off-by: Abdun Nihaal +Signed-off-by: Konstantin Komarov +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + fs/ntfs3/frecord.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/ntfs3/frecord.c b/fs/ntfs3/frecord.c +index 7d0473da..1103d4d9 100644 +--- a/fs/ntfs3/frecord.c ++++ b/fs/ntfs3/frecord.c +@@ -3258,6 +3258,9 @@ int ni_write_inode(struct inode *inode, int sync, const char *hint) + return 0; + } + ++ if (!ni->mi.mrec) ++ goto out; ++ + if (is_rec_inuse(ni->mi.mrec) && + !(sbi->flags & NTFS_FLAGS_LOG_REPLAYING) && inode->i_nlink) { + bool modified = false; +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-177-fs-ntfs3-Validate-MFT-flags-before-replaying-lo.patch b/patches.kernel.org/6.3.4-177-fs-ntfs3-Validate-MFT-flags-before-replaying-lo.patch new file mode 100644 index 0000000..d27d42f --- /dev/null +++ b/patches.kernel.org/6.3.4-177-fs-ntfs3-Validate-MFT-flags-before-replaying-lo.patch @@ -0,0 +1,142 @@ +From: Edward Lo +Date: Sat, 5 Nov 2022 23:39:44 +0800 +Subject: [PATCH] fs/ntfs3: Validate MFT flags before replaying logs +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 98bea253aa28ad8be2ce565a9ca21beb4a9419e5 + +[ Upstream commit 98bea253aa28ad8be2ce565a9ca21beb4a9419e5 ] + +Log load and replay is part of the metadata handle flow during mount +operation. The $MFT record will be loaded and used while replaying logs. +However, a malformed $MFT record, say, has RECORD_FLAG_DIR flag set and +contains an ATTR_ROOT attribute will misguide kernel to treat it as a +directory, and try to free the allocated resources when the +corresponding inode is freed, which will cause an invalid kfree because +the memory hasn't actually been allocated. + +[ 101.368647] BUG: KASAN: invalid-free in kvfree+0x2c/0x40 +[ 101.369457] +[ 101.369986] CPU: 0 PID: 198 Comm: mount Not tainted 6.0.0-rc7+ #5 +[ 101.370529] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 +[ 101.371362] Call Trace: +[ 101.371795] +[ 101.372157] dump_stack_lvl+0x49/0x63 +[ 101.372658] print_report.cold+0xf5/0x689 +[ 101.373022] ? ni_write_inode+0x754/0xd90 +[ 101.373378] ? kvfree+0x2c/0x40 +[ 101.373698] kasan_report_invalid_free+0x77/0xf0 +[ 101.374058] ? kvfree+0x2c/0x40 +[ 101.374352] ? kvfree+0x2c/0x40 +[ 101.374668] __kasan_slab_free+0x189/0x1b0 +[ 101.374992] ? kvfree+0x2c/0x40 +[ 101.375271] kfree+0x168/0x3b0 +[ 101.375717] kvfree+0x2c/0x40 +[ 101.376002] indx_clear+0x26/0x60 +[ 101.376316] ni_clear+0xc5/0x290 +[ 101.376661] ntfs_evict_inode+0x45/0x70 +[ 101.377001] evict+0x199/0x280 +[ 101.377432] iput.part.0+0x286/0x320 +[ 101.377819] iput+0x32/0x50 +[ 101.378166] ntfs_loadlog_and_replay+0x143/0x320 +[ 101.378656] ? ntfs_bio_fill_1+0x510/0x510 +[ 101.378968] ? iput.part.0+0x286/0x320 +[ 101.379367] ntfs_fill_super+0xecb/0x1ba0 +[ 101.379729] ? put_ntfs+0x1d0/0x1d0 +[ 101.380046] ? vsprintf+0x20/0x20 +[ 101.380542] ? mutex_unlock+0x81/0xd0 +[ 101.380914] ? set_blocksize+0x95/0x150 +[ 101.381597] get_tree_bdev+0x232/0x370 +[ 101.382254] ? put_ntfs+0x1d0/0x1d0 +[ 101.382699] ntfs_fs_get_tree+0x15/0x20 +[ 101.383094] vfs_get_tree+0x4c/0x130 +[ 101.383675] path_mount+0x654/0xfe0 +[ 101.384203] ? putname+0x80/0xa0 +[ 101.384540] ? finish_automount+0x2e0/0x2e0 +[ 101.384943] ? putname+0x80/0xa0 +[ 101.385362] ? kmem_cache_free+0x1c4/0x440 +[ 101.385968] ? putname+0x80/0xa0 +[ 101.386666] do_mount+0xd6/0xf0 +[ 101.387228] ? path_mount+0xfe0/0xfe0 +[ 101.387585] ? __kasan_check_write+0x14/0x20 +[ 101.387979] __x64_sys_mount+0xca/0x110 +[ 101.388436] do_syscall_64+0x3b/0x90 +[ 101.388757] entry_SYSCALL_64_after_hwframe+0x63/0xcd +[ 101.389289] RIP: 0033:0x7fa0f70e948a +[ 101.390048] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008 +[ 101.391297] RSP: 002b:00007ffc24fdecc8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5 +[ 101.391988] RAX: ffffffffffffffda RBX: 000055932c183060 RCX: 00007fa0f70e948a +[ 101.392494] RDX: 000055932c183260 RSI: 000055932c1832e0 RDI: 000055932c18bce0 +[ 101.393053] RBP: 0000000000000000 R08: 000055932c183280 R09: 0000000000000020 +[ 101.393577] R10: 00000000c0ed0000 R11: 0000000000000202 R12: 000055932c18bce0 +[ 101.394044] R13: 000055932c183260 R14: 0000000000000000 R15: 00000000ffffffff +[ 101.394747] +[ 101.395402] +[ 101.396047] Allocated by task 198: +[ 101.396724] kasan_save_stack+0x26/0x50 +[ 101.397400] __kasan_slab_alloc+0x6d/0x90 +[ 101.397974] kmem_cache_alloc_lru+0x192/0x5a0 +[ 101.398524] ntfs_alloc_inode+0x23/0x70 +[ 101.399137] alloc_inode+0x3b/0xf0 +[ 101.399534] iget5_locked+0x54/0xa0 +[ 101.400026] ntfs_iget5+0xaf/0x1780 +[ 101.400414] ntfs_loadlog_and_replay+0xe5/0x320 +[ 101.400883] ntfs_fill_super+0xecb/0x1ba0 +[ 101.401313] get_tree_bdev+0x232/0x370 +[ 101.401774] ntfs_fs_get_tree+0x15/0x20 +[ 101.402224] vfs_get_tree+0x4c/0x130 +[ 101.402673] path_mount+0x654/0xfe0 +[ 101.403160] do_mount+0xd6/0xf0 +[ 101.403537] __x64_sys_mount+0xca/0x110 +[ 101.404058] do_syscall_64+0x3b/0x90 +[ 101.404333] entry_SYSCALL_64_after_hwframe+0x63/0xcd +[ 101.404816] +[ 101.405067] The buggy address belongs to the object at ffff888008cc9ea0 +[ 101.405067] which belongs to the cache ntfs_inode_cache of size 992 +[ 101.406171] The buggy address is located 232 bytes inside of +[ 101.406171] 992-byte region [ffff888008cc9ea0, ffff888008cca280) +[ 101.406995] +[ 101.408559] The buggy address belongs to the physical page: +[ 101.409320] page:00000000dccf19dd refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8cc8 +[ 101.410654] head:00000000dccf19dd order:2 compound_mapcount:0 compound_pincount:0 +[ 101.411533] flags: 0xfffffc0010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff) +[ 101.412665] raw: 000fffffc0010200 0000000000000000 dead000000000122 ffff888003695140 +[ 101.413209] raw: 0000000000000000 00000000800e000e 00000001ffffffff 0000000000000000 +[ 101.413799] page dumped because: kasan: bad access detected +[ 101.414213] +[ 101.414427] Memory state around the buggy address: +[ 101.414991] ffff888008cc9e80: fc fc fc fc 00 00 00 00 00 00 00 00 00 00 00 00 +[ 101.415785] ffff888008cc9f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 101.416933] >ffff888008cc9f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 101.417857] ^ +[ 101.418566] ffff888008cca000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 101.419704] ffff888008cca080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + +Signed-off-by: Edward Lo +Signed-off-by: Konstantin Komarov +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + fs/ntfs3/inode.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/fs/ntfs3/inode.c b/fs/ntfs3/inode.c +index ce6bb3bd..059f2887 100644 +--- a/fs/ntfs3/inode.c ++++ b/fs/ntfs3/inode.c +@@ -100,6 +100,12 @@ static struct inode *ntfs_read_mft(struct inode *inode, + /* Record should contain $I30 root. */ + is_dir = rec->flags & RECORD_FLAG_DIR; + ++ /* MFT_REC_MFT is not a dir */ ++ if (is_dir && ino == MFT_REC_MFT) { ++ err = -EINVAL; ++ goto out; ++ } ++ + inode->i_generation = le16_to_cpu(rec->seq); + + /* Enumerate all struct Attributes MFT. */ +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-178-fs-ntfs3-Add-length-check-in-indx_get_root.patch b/patches.kernel.org/6.3.4-178-fs-ntfs3-Add-length-check-in-indx_get_root.patch new file mode 100644 index 0000000..9d19273 --- /dev/null +++ b/patches.kernel.org/6.3.4-178-fs-ntfs3-Add-length-check-in-indx_get_root.patch @@ -0,0 +1,134 @@ +From: Edward Lo +Date: Tue, 4 Oct 2022 23:15:06 +0800 +Subject: [PATCH] fs/ntfs3: Add length check in indx_get_root +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 08e8cf5f2d9ec383a2e339a2711b62a54ff3fba0 + +[ Upstream commit 08e8cf5f2d9ec383a2e339a2711b62a54ff3fba0 ] + +This adds a length check to guarantee the retrieved index root is legit. + +[ 162.459513] BUG: KASAN: use-after-free in hdr_find_e.isra.0+0x10c/0x320 +[ 162.460176] Read of size 2 at addr ffff8880037bca99 by task mount/243 +[ 162.460851] +[ 162.461252] CPU: 0 PID: 243 Comm: mount Not tainted 6.0.0-rc7 #42 +[ 162.461744] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 +[ 162.462609] Call Trace: +[ 162.462954] +[ 162.463276] dump_stack_lvl+0x49/0x63 +[ 162.463822] print_report.cold+0xf5/0x689 +[ 162.464608] ? unwind_get_return_address+0x3a/0x60 +[ 162.465766] ? hdr_find_e.isra.0+0x10c/0x320 +[ 162.466975] kasan_report+0xa7/0x130 +[ 162.467506] ? _raw_spin_lock_irq+0xc0/0xf0 +[ 162.467998] ? hdr_find_e.isra.0+0x10c/0x320 +[ 162.468536] __asan_load2+0x68/0x90 +[ 162.468923] hdr_find_e.isra.0+0x10c/0x320 +[ 162.469282] ? cmp_uints+0xe0/0xe0 +[ 162.469557] ? cmp_sdh+0x90/0x90 +[ 162.469864] ? ni_find_attr+0x214/0x300 +[ 162.470217] ? ni_load_mi+0x80/0x80 +[ 162.470479] ? entry_SYSCALL_64_after_hwframe+0x63/0xcd +[ 162.470931] ? ntfs_bread_run+0x190/0x190 +[ 162.471307] ? indx_get_root+0xe4/0x190 +[ 162.471556] ? indx_get_root+0x140/0x190 +[ 162.471833] ? indx_init+0x1e0/0x1e0 +[ 162.472069] ? fnd_clear+0x115/0x140 +[ 162.472363] ? _raw_spin_lock_irqsave+0x100/0x100 +[ 162.472731] indx_find+0x184/0x470 +[ 162.473461] ? sysvec_apic_timer_interrupt+0x57/0xc0 +[ 162.474429] ? indx_find_buffer+0x2d0/0x2d0 +[ 162.474704] ? do_syscall_64+0x3b/0x90 +[ 162.474962] dir_search_u+0x196/0x2f0 +[ 162.475381] ? ntfs_nls_to_utf16+0x450/0x450 +[ 162.475661] ? ntfs_security_init+0x3d6/0x440 +[ 162.475906] ? is_sd_valid+0x180/0x180 +[ 162.476191] ntfs_extend_init+0x13f/0x2c0 +[ 162.476496] ? ntfs_fix_post_read+0x130/0x130 +[ 162.476861] ? iput.part.0+0x286/0x320 +[ 162.477325] ntfs_fill_super+0x11e0/0x1b50 +[ 162.477709] ? put_ntfs+0x1d0/0x1d0 +[ 162.477970] ? vsprintf+0x20/0x20 +[ 162.478258] ? set_blocksize+0x95/0x150 +[ 162.478538] get_tree_bdev+0x232/0x370 +[ 162.478789] ? put_ntfs+0x1d0/0x1d0 +[ 162.479038] ntfs_fs_get_tree+0x15/0x20 +[ 162.479374] vfs_get_tree+0x4c/0x130 +[ 162.479729] path_mount+0x654/0xfe0 +[ 162.480124] ? putname+0x80/0xa0 +[ 162.480484] ? finish_automount+0x2e0/0x2e0 +[ 162.480894] ? putname+0x80/0xa0 +[ 162.481467] ? kmem_cache_free+0x1c4/0x440 +[ 162.482280] ? putname+0x80/0xa0 +[ 162.482714] do_mount+0xd6/0xf0 +[ 162.483264] ? path_mount+0xfe0/0xfe0 +[ 162.484782] ? __kasan_check_write+0x14/0x20 +[ 162.485593] __x64_sys_mount+0xca/0x110 +[ 162.486024] do_syscall_64+0x3b/0x90 +[ 162.486543] entry_SYSCALL_64_after_hwframe+0x63/0xcd +[ 162.487141] RIP: 0033:0x7f9d374e948a +[ 162.488324] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008 +[ 162.489728] RSP: 002b:00007ffe30e73d18 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5 +[ 162.490971] RAX: ffffffffffffffda RBX: 0000561cdb43a060 RCX: 00007f9d374e948a +[ 162.491669] RDX: 0000561cdb43a260 RSI: 0000561cdb43a2e0 RDI: 0000561cdb442af0 +[ 162.492050] RBP: 0000000000000000 R08: 0000561cdb43a280 R09: 0000000000000020 +[ 162.492459] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 0000561cdb442af0 +[ 162.493183] R13: 0000561cdb43a260 R14: 0000000000000000 R15: 00000000ffffffff +[ 162.493644] +[ 162.493908] +[ 162.494214] The buggy address belongs to the physical page: +[ 162.494761] page:000000003e38a3d5 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x37bc +[ 162.496064] flags: 0xfffffc0000000(node=0|zone=1|lastcpupid=0x1fffff) +[ 162.497278] raw: 000fffffc0000000 ffffea00000df1c8 ffffea00000df008 0000000000000000 +[ 162.498928] raw: 0000000000000000 0000000000240000 00000000ffffffff 0000000000000000 +[ 162.500542] page dumped because: kasan: bad access detected +[ 162.501057] +[ 162.501242] Memory state around the buggy address: +[ 162.502230] ffff8880037bc980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +[ 162.502977] ffff8880037bca00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +[ 162.503522] >ffff8880037bca80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +[ 162.503963] ^ +[ 162.504370] ffff8880037bcb00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +[ 162.504766] ffff8880037bcb80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff + +Signed-off-by: Edward Lo +Signed-off-by: Konstantin Komarov +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + fs/ntfs3/index.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/fs/ntfs3/index.c b/fs/ntfs3/index.c +index 7a1e01a2..f716487e 100644 +--- a/fs/ntfs3/index.c ++++ b/fs/ntfs3/index.c +@@ -994,6 +994,7 @@ struct INDEX_ROOT *indx_get_root(struct ntfs_index *indx, struct ntfs_inode *ni, + struct ATTR_LIST_ENTRY *le = NULL; + struct ATTRIB *a; + const struct INDEX_NAMES *in = &s_index_names[indx->type]; ++ struct INDEX_ROOT *root = NULL; + + a = ni_find_attr(ni, NULL, &le, ATTR_ROOT, in->name, in->name_len, NULL, + mi); +@@ -1003,7 +1004,15 @@ struct INDEX_ROOT *indx_get_root(struct ntfs_index *indx, struct ntfs_inode *ni, + if (attr) + *attr = a; + +- return resident_data_ex(a, sizeof(struct INDEX_ROOT)); ++ root = resident_data_ex(a, sizeof(struct INDEX_ROOT)); ++ ++ /* length check */ ++ if (root && offsetof(struct INDEX_ROOT, ihdr) + le32_to_cpu(root->ihdr.used) > ++ le32_to_cpu(a->res.data_size)) { ++ return NULL; ++ } ++ ++ return root; + } + + static int indx_write(struct ntfs_index *indx, struct ntfs_inode *ni, +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-179-fs-ntfs3-Fix-a-possible-null-pointer-dereferenc.patch b/patches.kernel.org/6.3.4-179-fs-ntfs3-Fix-a-possible-null-pointer-dereferenc.patch new file mode 100644 index 0000000..05ce6b2 --- /dev/null +++ b/patches.kernel.org/6.3.4-179-fs-ntfs3-Fix-a-possible-null-pointer-dereferenc.patch @@ -0,0 +1,51 @@ +From: Jia-Ju Bai +Date: Wed, 11 Jan 2023 16:59:43 +0800 +Subject: [PATCH] fs/ntfs3: Fix a possible null-pointer dereference in + ni_clear() +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: ec275bf9693d19cc0fdce8436f4c425ced86f6e7 + +[ Upstream commit ec275bf9693d19cc0fdce8436f4c425ced86f6e7 ] + +In a previous commit c1006bd13146, ni->mi.mrec in ni_write_inode() +could be NULL, and thus a NULL check is added for this variable. + +However, in the same call stack, ni->mi.mrec can be also dereferenced +in ni_clear(): + +ntfs_evict_inode(inode) + ni_write_inode(inode, ...) + ni = ntfs_i(inode); + is_rec_inuse(ni->mi.mrec) -> Add a NULL check by previous commit + ni_clear(ntfs_i(inode)) + is_rec_inuse(ni->mi.mrec) -> No check + +Thus, a possible null-pointer dereference may exist in ni_clear(). +To fix it, a NULL check is added in this function. + +Signed-off-by: Jia-Ju Bai +Reported-by: TOTE Robot +Signed-off-by: Konstantin Komarov +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + fs/ntfs3/frecord.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/ntfs3/frecord.c b/fs/ntfs3/frecord.c +index 1103d4d9..9e7dfee3 100644 +--- a/fs/ntfs3/frecord.c ++++ b/fs/ntfs3/frecord.c +@@ -102,7 +102,7 @@ void ni_clear(struct ntfs_inode *ni) + { + struct rb_node *node; + +- if (!ni->vfs_inode.i_nlink && is_rec_inuse(ni->mi.mrec)) ++ if (!ni->vfs_inode.i_nlink && ni->mi.mrec && is_rec_inuse(ni->mi.mrec)) + ni_delete_all(ni); + + al_destroy(ni); +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-180-clk-tegra20-fix-gcc-7-constant-overflow-warning.patch b/patches.kernel.org/6.3.4-180-clk-tegra20-fix-gcc-7-constant-overflow-warning.patch new file mode 100644 index 0000000..b022499 --- /dev/null +++ b/patches.kernel.org/6.3.4-180-clk-tegra20-fix-gcc-7-constant-overflow-warning.patch @@ -0,0 +1,76 @@ +From: Arnd Bergmann +Date: Mon, 27 Feb 2023 09:59:10 +0100 +Subject: [PATCH] clk: tegra20: fix gcc-7 constant overflow warning +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: b4a2adbf3586efa12fe78b9dec047423e01f3010 + +[ Upstream commit b4a2adbf3586efa12fe78b9dec047423e01f3010 ] + +Older gcc versions get confused by comparing a u32 value to a negative +constant in a switch()/case block: + +drivers/clk/tegra/clk-tegra20.c: In function 'tegra20_clk_measure_input_freq': +drivers/clk/tegra/clk-tegra20.c:581:2: error: case label does not reduce to an integer constant + case OSC_CTRL_OSC_FREQ_12MHZ: + ^~~~ +drivers/clk/tegra/clk-tegra20.c:593:2: error: case label does not reduce to an integer constant + case OSC_CTRL_OSC_FREQ_26MHZ: + +Make the constants unsigned instead. + +Signed-off-by: Arnd Bergmann +Link: https://lore.kernel.org/r/20230227085914.2560984-1-arnd@kernel.org +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/clk/tegra/clk-tegra20.c | 28 ++++++++++++++-------------- + 1 file changed, 14 insertions(+), 14 deletions(-) + +diff --git a/drivers/clk/tegra/clk-tegra20.c b/drivers/clk/tegra/clk-tegra20.c +index 422d7824..dcacc506 100644 +--- a/drivers/clk/tegra/clk-tegra20.c ++++ b/drivers/clk/tegra/clk-tegra20.c +@@ -21,24 +21,24 @@ + #define MISC_CLK_ENB 0x48 + + #define OSC_CTRL 0x50 +-#define OSC_CTRL_OSC_FREQ_MASK (3<<30) +-#define OSC_CTRL_OSC_FREQ_13MHZ (0<<30) +-#define OSC_CTRL_OSC_FREQ_19_2MHZ (1<<30) +-#define OSC_CTRL_OSC_FREQ_12MHZ (2<<30) +-#define OSC_CTRL_OSC_FREQ_26MHZ (3<<30) +-#define OSC_CTRL_MASK (0x3f2 | OSC_CTRL_OSC_FREQ_MASK) +- +-#define OSC_CTRL_PLL_REF_DIV_MASK (3<<28) +-#define OSC_CTRL_PLL_REF_DIV_1 (0<<28) +-#define OSC_CTRL_PLL_REF_DIV_2 (1<<28) +-#define OSC_CTRL_PLL_REF_DIV_4 (2<<28) ++#define OSC_CTRL_OSC_FREQ_MASK (3u<<30) ++#define OSC_CTRL_OSC_FREQ_13MHZ (0u<<30) ++#define OSC_CTRL_OSC_FREQ_19_2MHZ (1u<<30) ++#define OSC_CTRL_OSC_FREQ_12MHZ (2u<<30) ++#define OSC_CTRL_OSC_FREQ_26MHZ (3u<<30) ++#define OSC_CTRL_MASK (0x3f2u | OSC_CTRL_OSC_FREQ_MASK) ++ ++#define OSC_CTRL_PLL_REF_DIV_MASK (3u<<28) ++#define OSC_CTRL_PLL_REF_DIV_1 (0u<<28) ++#define OSC_CTRL_PLL_REF_DIV_2 (1u<<28) ++#define OSC_CTRL_PLL_REF_DIV_4 (2u<<28) + + #define OSC_FREQ_DET 0x58 +-#define OSC_FREQ_DET_TRIG (1<<31) ++#define OSC_FREQ_DET_TRIG (1u<<31) + + #define OSC_FREQ_DET_STATUS 0x5c +-#define OSC_FREQ_DET_BUSY (1<<31) +-#define OSC_FREQ_DET_CNT_MASK 0xFFFF ++#define OSC_FREQ_DET_BUSYu (1<<31) ++#define OSC_FREQ_DET_CNT_MASK 0xFFFFu + + #define TEGRA20_CLK_PERIPH_BANKS 3 + +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-181-iommu-arm-smmu-v3-Acknowledge-pri-event-queue-o.patch b/patches.kernel.org/6.3.4-181-iommu-arm-smmu-v3-Acknowledge-pri-event-queue-o.patch new file mode 100644 index 0000000..062a952 --- /dev/null +++ b/patches.kernel.org/6.3.4-181-iommu-arm-smmu-v3-Acknowledge-pri-event-queue-o.patch @@ -0,0 +1,92 @@ +From: Tomas Krcka +Date: Wed, 29 Mar 2023 12:34:19 +0000 +Subject: [PATCH] iommu/arm-smmu-v3: Acknowledge pri/event queue overflow if + any +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 67ea0b7ce41844eae7c10bb04dfe66a23318c224 + +[ Upstream commit 67ea0b7ce41844eae7c10bb04dfe66a23318c224 ] + +When an overflow occurs in the PRI queue, the SMMU toggles the overflow +flag in the PROD register. To exit the overflow condition, the PRI thread +is supposed to acknowledge it by toggling this flag in the CONS register. +Unacknowledged overflow causes the queue to stop adding anything new. + +Currently, the priq thread always writes the CONS register back to the +SMMU after clearing the queue. + +The writeback is not necessary if the OVFLG in the PROD register has not +been changed, no overflow has occured. + +This commit checks the difference of the overflow flag between CONS and +PROD register. If it's different, toggles the OVACKFLG flag in the CONS +register and write it to the SMMU. + +The situation is similar for the event queue. +The acknowledge register is also toggled after clearing the event +queue but never propagated to the hardware. This would only be done the +next time when executing evtq thread. + +Unacknowledged event queue overflow doesn't affect the event +queue, because the SMMU still adds elements to that queue when the +overflow condition is active. +But it feel nicer to keep SMMU in sync when possible, so use the same +way here as well. + +Signed-off-by: Tomas Krcka +Link: https://lore.kernel.org/r/20230329123420.34641-1-tomas.krcka@gmail.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c | 19 ++++++++++++++----- + 1 file changed, 14 insertions(+), 5 deletions(-) + +diff --git a/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c b/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c +index f2425b0f..7614739e 100644 +--- a/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c ++++ b/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c +@@ -152,6 +152,18 @@ static void queue_inc_cons(struct arm_smmu_ll_queue *q) + q->cons = Q_OVF(q->cons) | Q_WRP(q, cons) | Q_IDX(q, cons); + } + ++static void queue_sync_cons_ovf(struct arm_smmu_queue *q) ++{ ++ struct arm_smmu_ll_queue *llq = &q->llq; ++ ++ if (likely(Q_OVF(llq->prod) == Q_OVF(llq->cons))) ++ return; ++ ++ llq->cons = Q_OVF(llq->prod) | Q_WRP(llq, llq->cons) | ++ Q_IDX(llq, llq->cons); ++ queue_sync_cons_out(q); ++} ++ + static int queue_sync_prod_in(struct arm_smmu_queue *q) + { + u32 prod; +@@ -1577,8 +1589,7 @@ static irqreturn_t arm_smmu_evtq_thread(int irq, void *dev) + } while (!queue_empty(llq)); + + /* Sync our overflow flag, as we believe we're up to speed */ +- llq->cons = Q_OVF(llq->prod) | Q_WRP(llq, llq->cons) | +- Q_IDX(llq, llq->cons); ++ queue_sync_cons_ovf(q); + return IRQ_HANDLED; + } + +@@ -1636,9 +1647,7 @@ static irqreturn_t arm_smmu_priq_thread(int irq, void *dev) + } while (!queue_empty(llq)); + + /* Sync our overflow flag, as we believe we're up to speed */ +- llq->cons = Q_OVF(llq->prod) | Q_WRP(llq, llq->cons) | +- Q_IDX(llq, llq->cons); +- queue_sync_cons_out(q); ++ queue_sync_cons_ovf(q); + return IRQ_HANDLED; + } + +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-182-iommu-sprd-Release-dma-buffer-to-avoid-memory-l.patch b/patches.kernel.org/6.3.4-182-iommu-sprd-Release-dma-buffer-to-avoid-memory-l.patch new file mode 100644 index 0000000..c654e1f --- /dev/null +++ b/patches.kernel.org/6.3.4-182-iommu-sprd-Release-dma-buffer-to-avoid-memory-l.patch @@ -0,0 +1,72 @@ +From: Chunyan Zhang +Date: Fri, 31 Mar 2023 11:31:23 +0800 +Subject: [PATCH] iommu/sprd: Release dma buffer to avoid memory leak +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 9afea57384d4ae7b2034593eac7fa76c7122762a + +[ Upstream commit 9afea57384d4ae7b2034593eac7fa76c7122762a ] + +When attaching to a domain, the driver would alloc a DMA buffer which +is used to store address mapping table, and it need to be released +when the IOMMU domain is freed. + +Signed-off-by: Chunyan Zhang +Link: https://lore.kernel.org/r/20230331033124.864691-2-zhang.lyra@gmail.com +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/iommu/sprd-iommu.c | 29 ++++++++++++++++++++++------- + 1 file changed, 22 insertions(+), 7 deletions(-) + +diff --git a/drivers/iommu/sprd-iommu.c b/drivers/iommu/sprd-iommu.c +index ae94d74b..7df1f730 100644 +--- a/drivers/iommu/sprd-iommu.c ++++ b/drivers/iommu/sprd-iommu.c +@@ -151,13 +151,6 @@ static struct iommu_domain *sprd_iommu_domain_alloc(unsigned int domain_type) + return &dom->domain; + } + +-static void sprd_iommu_domain_free(struct iommu_domain *domain) +-{ +- struct sprd_iommu_domain *dom = to_sprd_domain(domain); +- +- kfree(dom); +-} +- + static void sprd_iommu_first_vpn(struct sprd_iommu_domain *dom) + { + struct sprd_iommu_device *sdev = dom->sdev; +@@ -230,6 +223,28 @@ static void sprd_iommu_hw_en(struct sprd_iommu_device *sdev, bool en) + sprd_iommu_update_bits(sdev, reg_cfg, mask, 0, val); + } + ++static void sprd_iommu_cleanup(struct sprd_iommu_domain *dom) ++{ ++ size_t pgt_size; ++ ++ /* Nothing need to do if the domain hasn't been attached */ ++ if (!dom->sdev) ++ return; ++ ++ pgt_size = sprd_iommu_pgt_size(&dom->domain); ++ dma_free_coherent(dom->sdev->dev, pgt_size, dom->pgt_va, dom->pgt_pa); ++ dom->sdev = NULL; ++ sprd_iommu_hw_en(dom->sdev, false); ++} ++ ++static void sprd_iommu_domain_free(struct iommu_domain *domain) ++{ ++ struct sprd_iommu_domain *dom = to_sprd_domain(domain); ++ ++ sprd_iommu_cleanup(dom); ++ kfree(dom); ++} ++ + static int sprd_iommu_attach_device(struct iommu_domain *domain, + struct device *dev) + { +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-183-power-supply-axp288_charger-Use-alt-usb-id-extc.patch b/patches.kernel.org/6.3.4-183-power-supply-axp288_charger-Use-alt-usb-id-extc.patch new file mode 100644 index 0000000..1f95037 --- /dev/null +++ b/patches.kernel.org/6.3.4-183-power-supply-axp288_charger-Use-alt-usb-id-extc.patch @@ -0,0 +1,76 @@ +From: Hans de Goede +Date: Sat, 1 Apr 2023 17:06:51 +0200 +Subject: [PATCH] power: supply: axp288_charger: Use alt usb-id extcon on some + x86 android tablets +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: ce38f3fc0f87a358a9560a3815265a94f1b38c37 + +[ Upstream commit ce38f3fc0f87a358a9560a3815265a94f1b38c37 ] + +x86 ACPI boards which ship with only Android as their factory image may +have pretty broken ACPI tables. This includes broken _AEI ACPI GPIO event +handlers, which are normally used to listen to the micro-USB ID pin and: + +1. Switch the USB-mux to the host / device USB controllers +2. Disable Vbus path before enabling the 5V boost (AXP reg 0x30 bit 7) +3. Turn 5V Vboost on / off + +On non broken systems where this is not done through an ACPI GPIO event +handler, there is an ACPI INT3496 device describing the involved GPIOs +which are handled by the extcon-intel-int3496 driver; and axp288-charger.ko +listens to this extcon-device and disables the Vbus path when necessary. + +On x86 Android boards, with broken ACPI GPIO event handlers, these are +disabled by acpi_quirk_skip_gpio_event_handlers() and an intel-int3496 +extcon device is manually instantiated by x86-android-tablets.ko . + +Add support to the axp288-charger code for this setup, so that it +properly disables the Vbus path when necessary. Note this uses +acpi_quirk_skip_gpio_event_handlers() to identify these systems, +to avoid the need to add a separate DMI match table for this. + +Signed-off-by: Hans de Goede +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/power/supply/axp288_charger.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +diff --git a/drivers/power/supply/axp288_charger.c b/drivers/power/supply/axp288_charger.c +index 15219ed4..b5903193 100644 +--- a/drivers/power/supply/axp288_charger.c ++++ b/drivers/power/supply/axp288_charger.c +@@ -836,6 +836,7 @@ static int axp288_charger_probe(struct platform_device *pdev) + struct device *dev = &pdev->dev; + struct axp20x_dev *axp20x = dev_get_drvdata(pdev->dev.parent); + struct power_supply_config charger_cfg = {}; ++ const char *extcon_name = NULL; + unsigned int val; + + /* +@@ -872,8 +873,18 @@ static int axp288_charger_probe(struct platform_device *pdev) + return PTR_ERR(info->cable.edev); + } + +- if (acpi_dev_present(USB_HOST_EXTCON_HID, NULL, -1)) { +- info->otg.cable = extcon_get_extcon_dev(USB_HOST_EXTCON_NAME); ++ /* ++ * On devices with broken ACPI GPIO event handlers there also is no ACPI ++ * "INT3496" (USB_HOST_EXTCON_HID) device. x86-android-tablets.ko ++ * instantiates an "intel-int3496" extcon on these devs as a workaround. ++ */ ++ if (acpi_quirk_skip_gpio_event_handlers()) ++ extcon_name = "intel-int3496"; ++ else if (acpi_dev_present(USB_HOST_EXTCON_HID, NULL, -1)) ++ extcon_name = USB_HOST_EXTCON_NAME; ++ ++ if (extcon_name) { ++ info->otg.cable = extcon_get_extcon_dev(extcon_name); + if (IS_ERR(info->otg.cable)) { + dev_err_probe(dev, PTR_ERR(info->otg.cable), + "extcon_get_extcon_dev(%s) failed\n", +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-184-Input-xpad-add-constants-for-GIP-interface-numb.patch b/patches.kernel.org/6.3.4-184-Input-xpad-add-constants-for-GIP-interface-numb.patch new file mode 100644 index 0000000..bb3f68d --- /dev/null +++ b/patches.kernel.org/6.3.4-184-Input-xpad-add-constants-for-GIP-interface-numb.patch @@ -0,0 +1,48 @@ +From: Vicki Pfau +Date: Thu, 13 Apr 2023 23:57:42 -0700 +Subject: [PATCH] Input: xpad - add constants for GIP interface numbers +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: f9b2e603c6216824e34dc9a67205d98ccc9a41ca + +[ Upstream commit f9b2e603c6216824e34dc9a67205d98ccc9a41ca ] + +Wired GIP devices present multiple interfaces with the same USB identification +other than the interface number. This adds constants for differentiating two of +them and uses them where appropriate + +Signed-off-by: Vicki Pfau +Link: https://lore.kernel.org/r/20230411031650.960322-2-vi@endrift.com +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/input/joystick/xpad.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/input/joystick/xpad.c b/drivers/input/joystick/xpad.c +index 29131f1a..f617b2c6 100644 +--- a/drivers/input/joystick/xpad.c ++++ b/drivers/input/joystick/xpad.c +@@ -559,6 +559,9 @@ struct xboxone_init_packet { + #define GIP_MOTOR_LT BIT(3) + #define GIP_MOTOR_ALL (GIP_MOTOR_R | GIP_MOTOR_L | GIP_MOTOR_RT | GIP_MOTOR_LT) + ++#define GIP_WIRED_INTF_DATA 0 ++#define GIP_WIRED_INTF_AUDIO 1 ++ + /* + * This packet is required for all Xbox One pads with 2015 + * or later firmware installed (or present from the factory). +@@ -2003,7 +2006,7 @@ static int xpad_probe(struct usb_interface *intf, const struct usb_device_id *id + } + + if (xpad->xtype == XTYPE_XBOXONE && +- intf->cur_altsetting->desc.bInterfaceNumber != 0) { ++ intf->cur_altsetting->desc.bInterfaceNumber != GIP_WIRED_INTF_DATA) { + /* + * The Xbox One controller lists three interfaces all with the + * same interface class, subclass and protocol. Differentiate by +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-185-RDMA-mlx5-Remove-pcie_relaxed_ordering_enabled-.patch b/patches.kernel.org/6.3.4-185-RDMA-mlx5-Remove-pcie_relaxed_ordering_enabled-.patch new file mode 100644 index 0000000..f7c2c94 --- /dev/null +++ b/patches.kernel.org/6.3.4-185-RDMA-mlx5-Remove-pcie_relaxed_ordering_enabled-.patch @@ -0,0 +1,86 @@ +From: Avihai Horon +Date: Mon, 10 Apr 2023 16:07:50 +0300 +Subject: [PATCH] RDMA/mlx5: Remove pcie_relaxed_ordering_enabled() check for + RO write +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: ed4b0661cce119870edb1994fd06c9cbc1dc05c3 + +[ Upstream commit ed4b0661cce119870edb1994fd06c9cbc1dc05c3 ] + +pcie_relaxed_ordering_enabled() check was added to avoid a syndrome when +creating a MKey with relaxed ordering (RO) enabled when the driver's +relaxed_ordering_{read,write} HCA capabilities are out of sync with FW. + +While this can happen with relaxed_ordering_read, it can't happen with +relaxed_ordering_write as it's set if the device supports RO write, +regardless of RO in PCI config space, and thus can't change during +runtime. + +Therefore, drop the pcie_relaxed_ordering_enabled() check for +relaxed_ordering_write while keeping it for relaxed_ordering_read. +Doing so will also allow the usage of RO write in VFs and VMs (where RO +in PCI config space is not reported/emulated properly). + +Signed-off-by: Avihai Horon +Reviewed-by: Shay Drory +Link: https://lore.kernel.org/r/7e8f55e31572c1702d69cae015a395d3a824a38a.1681131553.git.leon@kernel.org +Reviewed-by: Jacob Keller +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/infiniband/hw/mlx5/mr.c | 6 +++--- + drivers/net/ethernet/mellanox/mlx5/core/en/params.c | 3 +-- + drivers/net/ethernet/mellanox/mlx5/core/en_common.c | 2 +- + 3 files changed, 5 insertions(+), 6 deletions(-) + +diff --git a/drivers/infiniband/hw/mlx5/mr.c b/drivers/infiniband/hw/mlx5/mr.c +index 67356f51..bd0a818b 100644 +--- a/drivers/infiniband/hw/mlx5/mr.c ++++ b/drivers/infiniband/hw/mlx5/mr.c +@@ -67,11 +67,11 @@ static void set_mkc_access_pd_addr_fields(void *mkc, int acc, u64 start_addr, + MLX5_SET(mkc, mkc, lw, !!(acc & IB_ACCESS_LOCAL_WRITE)); + MLX5_SET(mkc, mkc, lr, 1); + +- if ((acc & IB_ACCESS_RELAXED_ORDERING) && +- pcie_relaxed_ordering_enabled(dev->mdev->pdev)) { ++ if (acc & IB_ACCESS_RELAXED_ORDERING) { + if (MLX5_CAP_GEN(dev->mdev, relaxed_ordering_write)) + MLX5_SET(mkc, mkc, relaxed_ordering_write, 1); +- if (MLX5_CAP_GEN(dev->mdev, relaxed_ordering_read)) ++ if (MLX5_CAP_GEN(dev->mdev, relaxed_ordering_read) && ++ pcie_relaxed_ordering_enabled(dev->mdev->pdev)) + MLX5_SET(mkc, mkc, relaxed_ordering_read, 1); + } + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/params.c b/drivers/net/ethernet/mellanox/mlx5/core/en/params.c +index a21bd117..d840a59a 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/params.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/params.c +@@ -867,8 +867,7 @@ static void mlx5e_build_rx_cq_param(struct mlx5_core_dev *mdev, + static u8 rq_end_pad_mode(struct mlx5_core_dev *mdev, struct mlx5e_params *params) + { + bool lro_en = params->packet_merge.type == MLX5E_PACKET_MERGE_LRO; +- bool ro = pcie_relaxed_ordering_enabled(mdev->pdev) && +- MLX5_CAP_GEN(mdev, relaxed_ordering_write); ++ bool ro = MLX5_CAP_GEN(mdev, relaxed_ordering_write); + + return ro && lro_en ? + MLX5_WQ_END_PAD_MODE_NONE : MLX5_WQ_END_PAD_MODE_ALIGN; +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_common.c b/drivers/net/ethernet/mellanox/mlx5/core/en_common.c +index 4c9a3210..993af4c1 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_common.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_common.c +@@ -44,7 +44,7 @@ void mlx5e_mkey_set_relaxed_ordering(struct mlx5_core_dev *mdev, void *mkc) + bool ro_read = MLX5_CAP_GEN(mdev, relaxed_ordering_read); + + MLX5_SET(mkc, mkc, relaxed_ordering_read, ro_pci_enable && ro_read); +- MLX5_SET(mkc, mkc, relaxed_ordering_write, ro_pci_enable && ro_write); ++ MLX5_SET(mkc, mkc, relaxed_ordering_write, ro_write); + } + + int mlx5e_create_mkey(struct mlx5_core_dev *mdev, u32 pdn, u32 *mkey) +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-186-clk-rockchip-rk3588-make-gate-linked-clocks-cri.patch b/patches.kernel.org/6.3.4-186-clk-rockchip-rk3588-make-gate-linked-clocks-cri.patch new file mode 100644 index 0000000..c422c0b --- /dev/null +++ b/patches.kernel.org/6.3.4-186-clk-rockchip-rk3588-make-gate-linked-clocks-cri.patch @@ -0,0 +1,159 @@ +From: Sebastian Reichel +Date: Mon, 3 Apr 2023 21:32:49 +0200 +Subject: [PATCH] clk: rockchip: rk3588: make gate linked clocks critical +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 64042c28c3bb6729df8e2fda89bc7ebbe3790907 + +[ Upstream commit 64042c28c3bb6729df8e2fda89bc7ebbe3790907 ] + +RK3588 has a couple of hardware blocks called Native Interface Unit +(NIU) that gate the clocks to devices behind them. Effectively this +means that some clocks require two parent clocks being enabled. +Downstream implemented this by using a separate clock driver +("clk-link") for them, which enables the second clock using PM +framework. + +In the upstream kernel we are currently missing support for the second +parent. The information about it is in the GATE_LINK() macro as +linkname, but that is not used. Thus the second parent clock is not +properly enabled. So far this did not really matter, since these clocks +are mostly required for the more advanced IP blocks, that are not yet +supported upstream. As this is about to change we need a fix. There +are three options available: + +1. Properly implement support for having two parent clocks in the + clock framework. +2. Mark the affected clocks CLK_IGNORE_UNUSED, so that they are not + disabled. This wastes some power, but keeps the hack contained + within the clock driver. Going from this to the first solution + is easy once that has been implemented. +3. Enabling the extra clock in the consumer driver. This leaks some + implementation details into DT. + +This patch implements the second option as an intermediate solution +until the first one is available. I used an alias for CLK_IS_CRITICAL, +so that it's easy to see which clocks are not really critical once +the clock framework supports a better way to implement this. + +Tested-by: Vincent Legoll +Signed-off-by: Sebastian Reichel +Link: https://lore.kernel.org/r/20230403193250.108693-2-sebastian.reichel@collabora.com +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/clk/rockchip/clk-rk3588.c | 42 +++++++++++++++++++------------ + 1 file changed, 26 insertions(+), 16 deletions(-) + +diff --git a/drivers/clk/rockchip/clk-rk3588.c b/drivers/clk/rockchip/clk-rk3588.c +index b7ce3fbd..6994165e 100644 +--- a/drivers/clk/rockchip/clk-rk3588.c ++++ b/drivers/clk/rockchip/clk-rk3588.c +@@ -13,15 +13,25 @@ + #include "clk.h" + + /* +- * GATE with additional linked clock. Downstream enables the linked clock +- * (via runtime PM) whenever the gate is enabled. The downstream implementation +- * does this via separate clock nodes for each of the linked gate clocks, +- * which leaks parts of the clock tree into DT. It is unclear why this is +- * actually needed and things work without it for simple use cases. Thus +- * the linked clock is ignored for now. ++ * Recent Rockchip SoCs have a new hardware block called Native Interface ++ * Unit (NIU), which gates clocks to devices behind them. These effectively ++ * need two parent clocks. ++ * ++ * Downstream enables the linked clock via runtime PM whenever the gate is ++ * enabled. This implementation uses separate clock nodes for each of the ++ * linked gate clocks, which leaks parts of the clock tree into DT. ++ * ++ * The GATE_LINK macro instead takes the second parent via 'linkname', but ++ * ignores the information. Once the clock framework is ready to handle it, the ++ * information should be passed on here. But since these clocks are required to ++ * access multiple relevant IP blocks, such as PCIe or USB, we mark all linked ++ * clocks critical until a better solution is available. This will waste some ++ * power, but avoids leaking implementation details into DT or hanging the ++ * system. + */ + #define GATE_LINK(_id, cname, pname, linkname, f, o, b, gf) \ + GATE(_id, cname, pname, f, o, b, gf) ++#define RK3588_LINKED_CLK CLK_IS_CRITICAL + + + #define RK3588_GRF_SOC_STATUS0 0x600 +@@ -1446,7 +1456,7 @@ static struct rockchip_clk_branch rk3588_clk_branches[] __initdata = { + COMPOSITE_NODIV(HCLK_NVM_ROOT, "hclk_nvm_root", mux_200m_100m_50m_24m_p, 0, + RK3588_CLKSEL_CON(77), 0, 2, MFLAGS, + RK3588_CLKGATE_CON(31), 0, GFLAGS), +- COMPOSITE(ACLK_NVM_ROOT, "aclk_nvm_root", gpll_cpll_p, 0, ++ COMPOSITE(ACLK_NVM_ROOT, "aclk_nvm_root", gpll_cpll_p, RK3588_LINKED_CLK, + RK3588_CLKSEL_CON(77), 7, 1, MFLAGS, 2, 5, DFLAGS, + RK3588_CLKGATE_CON(31), 1, GFLAGS), + GATE(ACLK_EMMC, "aclk_emmc", "aclk_nvm_root", 0, +@@ -1675,13 +1685,13 @@ static struct rockchip_clk_branch rk3588_clk_branches[] __initdata = { + RK3588_CLKGATE_CON(42), 9, GFLAGS), + + /* vdpu */ +- COMPOSITE(ACLK_VDPU_ROOT, "aclk_vdpu_root", gpll_cpll_aupll_p, 0, ++ COMPOSITE(ACLK_VDPU_ROOT, "aclk_vdpu_root", gpll_cpll_aupll_p, RK3588_LINKED_CLK, + RK3588_CLKSEL_CON(98), 5, 2, MFLAGS, 0, 5, DFLAGS, + RK3588_CLKGATE_CON(44), 0, GFLAGS), + COMPOSITE_NODIV(ACLK_VDPU_LOW_ROOT, "aclk_vdpu_low_root", mux_400m_200m_100m_24m_p, 0, + RK3588_CLKSEL_CON(98), 7, 2, MFLAGS, + RK3588_CLKGATE_CON(44), 1, GFLAGS), +- COMPOSITE_NODIV(HCLK_VDPU_ROOT, "hclk_vdpu_root", mux_200m_100m_50m_24m_p, 0, ++ COMPOSITE_NODIV(HCLK_VDPU_ROOT, "hclk_vdpu_root", mux_200m_100m_50m_24m_p, RK3588_LINKED_CLK, + RK3588_CLKSEL_CON(98), 9, 2, MFLAGS, + RK3588_CLKGATE_CON(44), 2, GFLAGS), + COMPOSITE(ACLK_JPEG_DECODER_ROOT, "aclk_jpeg_decoder_root", gpll_cpll_aupll_spll_p, 0, +@@ -1732,9 +1742,9 @@ static struct rockchip_clk_branch rk3588_clk_branches[] __initdata = { + COMPOSITE(ACLK_RKVENC0_ROOT, "aclk_rkvenc0_root", gpll_cpll_npll_p, 0, + RK3588_CLKSEL_CON(102), 7, 2, MFLAGS, 2, 5, DFLAGS, + RK3588_CLKGATE_CON(47), 1, GFLAGS), +- GATE(HCLK_RKVENC0, "hclk_rkvenc0", "hclk_rkvenc0_root", 0, ++ GATE(HCLK_RKVENC0, "hclk_rkvenc0", "hclk_rkvenc0_root", RK3588_LINKED_CLK, + RK3588_CLKGATE_CON(47), 4, GFLAGS), +- GATE(ACLK_RKVENC0, "aclk_rkvenc0", "aclk_rkvenc0_root", 0, ++ GATE(ACLK_RKVENC0, "aclk_rkvenc0", "aclk_rkvenc0_root", RK3588_LINKED_CLK, + RK3588_CLKGATE_CON(47), 5, GFLAGS), + COMPOSITE(CLK_RKVENC0_CORE, "clk_rkvenc0_core", gpll_cpll_aupll_npll_p, 0, + RK3588_CLKSEL_CON(102), 14, 2, MFLAGS, 9, 5, DFLAGS, +@@ -1744,10 +1754,10 @@ static struct rockchip_clk_branch rk3588_clk_branches[] __initdata = { + RK3588_CLKGATE_CON(48), 6, GFLAGS), + + /* vi */ +- COMPOSITE(ACLK_VI_ROOT, "aclk_vi_root", gpll_cpll_npll_aupll_spll_p, 0, ++ COMPOSITE(ACLK_VI_ROOT, "aclk_vi_root", gpll_cpll_npll_aupll_spll_p, RK3588_LINKED_CLK, + RK3588_CLKSEL_CON(106), 5, 3, MFLAGS, 0, 5, DFLAGS, + RK3588_CLKGATE_CON(49), 0, GFLAGS), +- COMPOSITE_NODIV(HCLK_VI_ROOT, "hclk_vi_root", mux_200m_100m_50m_24m_p, 0, ++ COMPOSITE_NODIV(HCLK_VI_ROOT, "hclk_vi_root", mux_200m_100m_50m_24m_p, RK3588_LINKED_CLK, + RK3588_CLKSEL_CON(106), 8, 2, MFLAGS, + RK3588_CLKGATE_CON(49), 1, GFLAGS), + COMPOSITE_NODIV(PCLK_VI_ROOT, "pclk_vi_root", mux_100m_50m_24m_p, 0, +@@ -1919,10 +1929,10 @@ static struct rockchip_clk_branch rk3588_clk_branches[] __initdata = { + COMPOSITE(ACLK_VOP_ROOT, "aclk_vop_root", gpll_cpll_dmyaupll_npll_spll_p, 0, + RK3588_CLKSEL_CON(110), 5, 3, MFLAGS, 0, 5, DFLAGS, + RK3588_CLKGATE_CON(52), 0, GFLAGS), +- COMPOSITE_NODIV(ACLK_VOP_LOW_ROOT, "aclk_vop_low_root", mux_400m_200m_100m_24m_p, 0, ++ COMPOSITE_NODIV(ACLK_VOP_LOW_ROOT, "aclk_vop_low_root", mux_400m_200m_100m_24m_p, RK3588_LINKED_CLK, + RK3588_CLKSEL_CON(110), 8, 2, MFLAGS, + RK3588_CLKGATE_CON(52), 1, GFLAGS), +- COMPOSITE_NODIV(HCLK_VOP_ROOT, "hclk_vop_root", mux_200m_100m_50m_24m_p, 0, ++ COMPOSITE_NODIV(HCLK_VOP_ROOT, "hclk_vop_root", mux_200m_100m_50m_24m_p, RK3588_LINKED_CLK, + RK3588_CLKSEL_CON(110), 10, 2, MFLAGS, + RK3588_CLKGATE_CON(52), 2, GFLAGS), + COMPOSITE_NODIV(PCLK_VOP_ROOT, "pclk_vop_root", mux_100m_50m_24m_p, 0, +@@ -2425,7 +2435,7 @@ static struct rockchip_clk_branch rk3588_clk_branches[] __initdata = { + + GATE_LINK(ACLK_ISP1_PRE, "aclk_isp1_pre", "aclk_isp1_root", "aclk_vi_root", 0, RK3588_CLKGATE_CON(26), 6, GFLAGS), + GATE_LINK(HCLK_ISP1_PRE, "hclk_isp1_pre", "hclk_isp1_root", "hclk_vi_root", 0, RK3588_CLKGATE_CON(26), 8, GFLAGS), +- GATE_LINK(HCLK_NVM, "hclk_nvm", "hclk_nvm_root", "aclk_nvm_root", 0, RK3588_CLKGATE_CON(31), 2, GFLAGS), ++ GATE_LINK(HCLK_NVM, "hclk_nvm", "hclk_nvm_root", "aclk_nvm_root", RK3588_LINKED_CLK, RK3588_CLKGATE_CON(31), 2, GFLAGS), + GATE_LINK(ACLK_USB, "aclk_usb", "aclk_usb_root", "aclk_vo1usb_top_root", 0, RK3588_CLKGATE_CON(42), 2, GFLAGS), + GATE_LINK(HCLK_USB, "hclk_usb", "hclk_usb_root", "hclk_vo1usb_top_root", 0, RK3588_CLKGATE_CON(42), 3, GFLAGS), + GATE_LINK(ACLK_JPEG_DECODER_PRE, "aclk_jpeg_decoder_pre", "aclk_jpeg_decoder_root", "aclk_vdpu_root", 0, RK3588_CLKGATE_CON(44), 7, GFLAGS), +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-187-cifs-missing-lock-when-updating-session-status.patch b/patches.kernel.org/6.3.4-187-cifs-missing-lock-when-updating-session-status.patch new file mode 100644 index 0000000..d2bfe8b --- /dev/null +++ b/patches.kernel.org/6.3.4-187-cifs-missing-lock-when-updating-session-status.patch @@ -0,0 +1,54 @@ +From: Steve French +Date: Wed, 26 Apr 2023 22:01:31 -0500 +Subject: [PATCH] cifs: missing lock when updating session status +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 943fb67b090212f1d3789eb7796b1c9045c62fd6 + +[ Upstream commit 943fb67b090212f1d3789eb7796b1c9045c62fd6 ] + +Coverity noted a place where we were not grabbing +the ses_lock when setting (and checking) ses_status. + +Addresses-Coverity: 1536833 ("Data race condition (MISSING_LOCK)") +Reviewed-by: Paulo Alcantara (SUSE) +Reviewed-by: Bharath SM +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + fs/cifs/connect.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c +index 59a10330..8e9a6723 100644 +--- a/fs/cifs/connect.c ++++ b/fs/cifs/connect.c +@@ -1918,18 +1918,22 @@ void __cifs_put_smb_ses(struct cifs_ses *ses) + /* ses_count can never go negative */ + WARN_ON(ses->ses_count < 0); + ++ spin_lock(&ses->ses_lock); + if (ses->ses_status == SES_GOOD) + ses->ses_status = SES_EXITING; + +- cifs_free_ipc(ses); +- + if (ses->ses_status == SES_EXITING && server->ops->logoff) { ++ spin_unlock(&ses->ses_lock); ++ cifs_free_ipc(ses); + xid = get_xid(); + rc = server->ops->logoff(xid, ses); + if (rc) + cifs_server_dbg(VFS, "%s: Session Logoff failure rc=%d\n", + __func__, rc); + _free_xid(xid); ++ } else { ++ spin_unlock(&ses->ses_lock); ++ cifs_free_ipc(ses); + } + + spin_lock(&cifs_tcp_ses_lock); +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-188-pinctrl-at91-use-devm_kasprintf-to-avoid-potent.patch b/patches.kernel.org/6.3.4-188-pinctrl-at91-use-devm_kasprintf-to-avoid-potent.patch new file mode 100644 index 0000000..f6edb7f --- /dev/null +++ b/patches.kernel.org/6.3.4-188-pinctrl-at91-use-devm_kasprintf-to-avoid-potent.patch @@ -0,0 +1,100 @@ +From: Andy Shevchenko +Date: Wed, 15 Feb 2023 15:42:38 +0200 +Subject: [PATCH] pinctrl: at91: use devm_kasprintf() to avoid potential leaks + (part 2) +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: f494c1913cbb34b9e2078b7b045c87c1ca6df791 + +[ Upstream commit f494c1913cbb34b9e2078b7b045c87c1ca6df791 ] + +Use devm_kasprintf() instead of kasprintf() to avoid any potential +leaks. At the moment drivers have no remove functionality hence +there is no need for fixes tag. + +While at it, switch to use devm_kasprintf_strarray(). + +Signed-off-by: Andy Shevchenko +Reviewed-by: Claudiu Beznea +Tested-by: Claudiu Beznea +Link: https://lore.kernel.org/r/20230215134242.37618-2-andriy.shevchenko@linux.intel.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/pinctrl/pinctrl-at91.c | 23 +++++++++++++++++------ + 1 file changed, 17 insertions(+), 6 deletions(-) + +diff --git a/drivers/pinctrl/pinctrl-at91.c b/drivers/pinctrl/pinctrl-at91.c +index 735c501e..9fa68ca4 100644 +--- a/drivers/pinctrl/pinctrl-at91.c ++++ b/drivers/pinctrl/pinctrl-at91.c +@@ -18,6 +18,7 @@ + #include + #include + #include ++#include + + /* Since we request GPIOs from ourself */ + #include +@@ -1371,6 +1372,7 @@ static int at91_pinctrl_probe_dt(struct platform_device *pdev, + + static int at91_pinctrl_probe(struct platform_device *pdev) + { ++ struct device *dev = &pdev->dev; + struct at91_pinctrl *info; + struct pinctrl_pin_desc *pdesc; + int ret, i, j, k; +@@ -1394,9 +1396,19 @@ static int at91_pinctrl_probe(struct platform_device *pdev) + return -ENOMEM; + + for (i = 0, k = 0; i < gpio_banks; i++) { ++ char **names; ++ ++ names = devm_kasprintf_strarray(dev, "pio", MAX_NB_GPIO_PER_BANK); ++ if (!names) ++ return -ENOMEM; ++ + for (j = 0; j < MAX_NB_GPIO_PER_BANK; j++, k++) { ++ char *name = names[j]; ++ ++ strreplace(name, '-', i + 'A'); ++ + pdesc->number = k; +- pdesc->name = kasprintf(GFP_KERNEL, "pio%c%d", i + 'A', j); ++ pdesc->name = name; + pdesc++; + } + } +@@ -1797,7 +1809,8 @@ static const struct of_device_id at91_gpio_of_match[] = { + + static int at91_gpio_probe(struct platform_device *pdev) + { +- struct device_node *np = pdev->dev.of_node; ++ struct device *dev = &pdev->dev; ++ struct device_node *np = dev->of_node; + struct at91_gpio_chip *at91_chip = NULL; + struct gpio_chip *chip; + struct pinctrl_gpio_range *range; +@@ -1866,16 +1879,14 @@ static int at91_gpio_probe(struct platform_device *pdev) + chip->ngpio = ngpio; + } + +- names = devm_kcalloc(&pdev->dev, chip->ngpio, sizeof(char *), +- GFP_KERNEL); +- ++ names = devm_kasprintf_strarray(dev, "pio", chip->ngpio); + if (!names) { + ret = -ENOMEM; + goto clk_enable_err; + } + + for (i = 0; i < chip->ngpio; i++) +- names[i] = devm_kasprintf(&pdev->dev, GFP_KERNEL, "pio%c%d", alias_idx + 'A', i); ++ strreplace(names[i], '-', alias_idx + 'A'); + + chip->names = (const char *const *)names; + +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-189-soundwire-dmi-quirks-add-remapping-for-Intel-Ro.patch b/patches.kernel.org/6.3.4-189-soundwire-dmi-quirks-add-remapping-for-Intel-Ro.patch new file mode 100644 index 0000000..c6c20d6 --- /dev/null +++ b/patches.kernel.org/6.3.4-189-soundwire-dmi-quirks-add-remapping-for-Intel-Ro.patch @@ -0,0 +1,75 @@ +From: Eugene Huang +Date: Tue, 14 Mar 2023 17:06:18 +0800 +Subject: [PATCH] soundwire: dmi-quirks: add remapping for Intel 'Rooks County' + NUC M15 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 01b33e284ca28cc977bdcfb23be2c719f2139175 + +[ Upstream commit 01b33e284ca28cc977bdcfb23be2c719f2139175 ] + +Same DSDT problem as the HP Omen 16-k0005TX, except rt1316 amp is on +link2. + +Link: https://github.com/thesofproject/linux/issues/4088 +Signed-off-by: Eugene Huang +Reviewed-by: Pierre-Louis Bossart +Reviewed-by: Péter Ujfalusi +Signed-off-by: Bard Liao +Link: https://lore.kernel.org/r/20230314090618.498716-1-yung-chuan.liao@linux.intel.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/soundwire/dmi-quirks.c | 25 +++++++++++++++++++++++++ + 1 file changed, 25 insertions(+) + +diff --git a/drivers/soundwire/dmi-quirks.c b/drivers/soundwire/dmi-quirks.c +index 7969881f..58ea013f 100644 +--- a/drivers/soundwire/dmi-quirks.c ++++ b/drivers/soundwire/dmi-quirks.c +@@ -73,6 +73,23 @@ static const struct adr_remap hp_omen_16[] = { + {} + }; + ++/* ++ * Intel NUC M15 LAPRC510 and LAPRC710 ++ */ ++static const struct adr_remap intel_rooks_county[] = { ++ /* rt711-sdca on link0 */ ++ { ++ 0x000020025d071100ull, ++ 0x000030025d071101ull ++ }, ++ /* rt1316-sdca on link2 */ ++ { ++ 0x000120025d071100ull, ++ 0x000230025d131601ull ++ }, ++ {} ++}; ++ + static const struct dmi_system_id adr_remap_quirk_table[] = { + /* TGL devices */ + { +@@ -98,6 +115,14 @@ static const struct dmi_system_id adr_remap_quirk_table[] = { + }, + .driver_data = (void *)intel_tgl_bios, + }, ++ { ++ /* quirk used for NUC15 'Rooks County' LAPRC510 and LAPRC710 skews */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Intel(R) Client Systems"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "LAPRC"), ++ }, ++ .driver_data = (void *)intel_rooks_county, ++ }, + { + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc"), +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-190-phy-st-miphy28lp-use-_poll_timeout-functions-fo.patch b/patches.kernel.org/6.3.4-190-phy-st-miphy28lp-use-_poll_timeout-functions-fo.patch new file mode 100644 index 0000000..6b788ae --- /dev/null +++ b/patches.kernel.org/6.3.4-190-phy-st-miphy28lp-use-_poll_timeout-functions-fo.patch @@ -0,0 +1,114 @@ +From: Alain Volmat +Date: Fri, 10 Feb 2023 23:43:08 +0100 +Subject: [PATCH] phy: st: miphy28lp: use _poll_timeout functions for waits +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: e3be4dd2c8d8aabfd2c3127d0e2e5754d3ae82d6 + +[ Upstream commit e3be4dd2c8d8aabfd2c3127d0e2e5754d3ae82d6 ] + +This commit introduces _poll_timeout functions usage instead of +wait loops waiting for a status bit. + +Signed-off-by: Alain Volmat +Reviewed-by: Patrice Chotard +Link: https://lore.kernel.org/r/20230210224309.98452-1-avolmat@me.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/phy/st/phy-miphy28lp.c | 42 ++++++++-------------------------- + 1 file changed, 10 insertions(+), 32 deletions(-) + +diff --git a/drivers/phy/st/phy-miphy28lp.c b/drivers/phy/st/phy-miphy28lp.c +index 068160a3..e30305b7 100644 +--- a/drivers/phy/st/phy-miphy28lp.c ++++ b/drivers/phy/st/phy-miphy28lp.c +@@ -9,6 +9,7 @@ + + #include + #include ++#include + #include + #include + #include +@@ -484,19 +485,11 @@ static inline void miphy28lp_pcie_config_gen(struct miphy28lp_phy *miphy_phy) + + static inline int miphy28lp_wait_compensation(struct miphy28lp_phy *miphy_phy) + { +- unsigned long finish = jiffies + 5 * HZ; + u8 val; + + /* Waiting for Compensation to complete */ +- do { +- val = readb_relaxed(miphy_phy->base + MIPHY_COMP_FSM_6); +- +- if (time_after_eq(jiffies, finish)) +- return -EBUSY; +- cpu_relax(); +- } while (!(val & COMP_DONE)); +- +- return 0; ++ return readb_relaxed_poll_timeout(miphy_phy->base + MIPHY_COMP_FSM_6, ++ val, val & COMP_DONE, 1, 5 * USEC_PER_SEC); + } + + +@@ -805,7 +798,6 @@ static inline void miphy28lp_configure_usb3(struct miphy28lp_phy *miphy_phy) + + static inline int miphy_is_ready(struct miphy28lp_phy *miphy_phy) + { +- unsigned long finish = jiffies + 5 * HZ; + u8 mask = HFC_PLL | HFC_RDY; + u8 val; + +@@ -816,21 +808,14 @@ static inline int miphy_is_ready(struct miphy28lp_phy *miphy_phy) + if (miphy_phy->type == PHY_TYPE_SATA) + mask |= PHY_RDY; + +- do { +- val = readb_relaxed(miphy_phy->base + MIPHY_STATUS_1); +- if ((val & mask) != mask) +- cpu_relax(); +- else +- return 0; +- } while (!time_after_eq(jiffies, finish)); +- +- return -EBUSY; ++ return readb_relaxed_poll_timeout(miphy_phy->base + MIPHY_STATUS_1, ++ val, (val & mask) == mask, 1, ++ 5 * USEC_PER_SEC); + } + + static int miphy_osc_is_ready(struct miphy28lp_phy *miphy_phy) + { + struct miphy28lp_dev *miphy_dev = miphy_phy->phydev; +- unsigned long finish = jiffies + 5 * HZ; + u32 val; + + if (!miphy_phy->osc_rdy) +@@ -839,17 +824,10 @@ static int miphy_osc_is_ready(struct miphy28lp_phy *miphy_phy) + if (!miphy_phy->syscfg_reg[SYSCFG_STATUS]) + return -EINVAL; + +- do { +- regmap_read(miphy_dev->regmap, +- miphy_phy->syscfg_reg[SYSCFG_STATUS], &val); +- +- if ((val & MIPHY_OSC_RDY) != MIPHY_OSC_RDY) +- cpu_relax(); +- else +- return 0; +- } while (!time_after_eq(jiffies, finish)); +- +- return -EBUSY; ++ return regmap_read_poll_timeout(miphy_dev->regmap, ++ miphy_phy->syscfg_reg[SYSCFG_STATUS], ++ val, val & MIPHY_OSC_RDY, 1, ++ 5 * USEC_PER_SEC); + } + + static int miphy28lp_get_resource_byname(struct device_node *child, +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-191-soundwire-qcom-gracefully-handle-too-many-ports.patch b/patches.kernel.org/6.3.4-191-soundwire-qcom-gracefully-handle-too-many-ports.patch new file mode 100644 index 0000000..837e35c --- /dev/null +++ b/patches.kernel.org/6.3.4-191-soundwire-qcom-gracefully-handle-too-many-ports.patch @@ -0,0 +1,51 @@ +From: Krzysztof Kozlowski +Date: Wed, 22 Feb 2023 15:44:12 +0100 +Subject: [PATCH] soundwire: qcom: gracefully handle too many ports in DT +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 2367e0ecb498764e95cfda691ff0828f7d25f9a4 + +[ Upstream commit 2367e0ecb498764e95cfda691ff0828f7d25f9a4 ] + +There are two issues related to the number of ports coming from +Devicetree when exceeding in total QCOM_SDW_MAX_PORTS. Both lead to +incorrect memory accesses: +1. With DTS having too big value of input or output ports, the driver, + when copying port parameters from local/stack arrays into 'pconfig' + array in 'struct qcom_swrm_ctrl', will iterate over their sizes. + +2. If DTS also has too many parameters for these ports (e.g. + qcom,ports-sinterval-low), the driver will overflow buffers on the + stack when reading these properties from DTS. + +Add a sanity check so incorrect DTS will not cause kernel memory +corruption. + +Signed-off-by: Krzysztof Kozlowski +Reviewed-by: Srinivas Kandagatla +Reviewed-by: Konrad Dybcio +Link: https://lore.kernel.org/r/20230222144412.237832-2-krzysztof.kozlowski@linaro.org +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/soundwire/qcom.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/soundwire/qcom.c b/drivers/soundwire/qcom.c +index ba502129..30575ed2 100644 +--- a/drivers/soundwire/qcom.c ++++ b/drivers/soundwire/qcom.c +@@ -1217,6 +1217,9 @@ static int qcom_swrm_get_port_config(struct qcom_swrm_ctrl *ctrl) + ctrl->num_dout_ports = val; + + nports = ctrl->num_dout_ports + ctrl->num_din_ports; ++ if (nports > QCOM_SDW_MAX_PORTS) ++ return -EINVAL; ++ + /* Valid port numbers are from 1-14, so mask out port 0 explicitly */ + set_bit(0, &ctrl->dout_port_mask); + set_bit(0, &ctrl->din_port_mask); +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-192-soundwire-bus-Fix-unbalanced-pm_runtime_put-cau.patch b/patches.kernel.org/6.3.4-192-soundwire-bus-Fix-unbalanced-pm_runtime_put-cau.patch new file mode 100644 index 0000000..a5e907c --- /dev/null +++ b/patches.kernel.org/6.3.4-192-soundwire-bus-Fix-unbalanced-pm_runtime_put-cau.patch @@ -0,0 +1,93 @@ +From: Richard Fitzgerald +Date: Thu, 6 Apr 2023 14:46:40 +0100 +Subject: [PATCH] soundwire: bus: Fix unbalanced pm_runtime_put() causing usage + count underflow +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: e9537962519e88969f5f69cd0571eb4f6984403c + +[ Upstream commit e9537962519e88969f5f69cd0571eb4f6984403c ] + +This reverts commit +443a98e649b4 ("soundwire: bus: use pm_runtime_resume_and_get()") + +Change calls to pm_runtime_resume_and_get() back to pm_runtime_get_sync(). +This fixes a usage count underrun caused by doing a pm_runtime_put() even +though pm_runtime_resume_and_get() returned an error. + +The three affected functions ignore -EACCES error from trying to get +pm_runtime, and carry on, including a put at the end of the function. +But pm_runtime_resume_and_get() does not increment the usage count if it +returns an error. So in the -EACCES case you must not call +pm_runtime_put(). + +The documentation for pm_runtime_get_sync() says: + "Consider using pm_runtime_resume_and_get() ... as this is likely to + result in cleaner code." + +In this case I don't think it results in cleaner code because the +pm_runtime_put() at the end of the function would have to be conditional on +the return value from pm_runtime_resume_and_get() at the top of the +function. + +pm_runtime_get_sync() doesn't have this problem because it always +increments the count, so always needs a put. The code can just flow through +and do the pm_runtime_put() unconditionally. + +Signed-off-by: Richard Fitzgerald +Reviewed-by: Pierre-Louis Bossart +Link: https://lore.kernel.org/r/20230406134640.8582-1-rf@opensource.cirrus.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/soundwire/bus.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +diff --git a/drivers/soundwire/bus.c b/drivers/soundwire/bus.c +index b6aca59c..7fd99e58 100644 +--- a/drivers/soundwire/bus.c ++++ b/drivers/soundwire/bus.c +@@ -546,9 +546,11 @@ int sdw_nread(struct sdw_slave *slave, u32 addr, size_t count, u8 *val) + { + int ret; + +- ret = pm_runtime_resume_and_get(&slave->dev); +- if (ret < 0 && ret != -EACCES) ++ ret = pm_runtime_get_sync(&slave->dev); ++ if (ret < 0 && ret != -EACCES) { ++ pm_runtime_put_noidle(&slave->dev); + return ret; ++ } + + ret = sdw_nread_no_pm(slave, addr, count, val); + +@@ -570,9 +572,11 @@ int sdw_nwrite(struct sdw_slave *slave, u32 addr, size_t count, const u8 *val) + { + int ret; + +- ret = pm_runtime_resume_and_get(&slave->dev); +- if (ret < 0 && ret != -EACCES) ++ ret = pm_runtime_get_sync(&slave->dev); ++ if (ret < 0 && ret != -EACCES) { ++ pm_runtime_put_noidle(&slave->dev); + return ret; ++ } + + ret = sdw_nwrite_no_pm(slave, addr, count, val); + +@@ -1541,9 +1545,10 @@ static int sdw_handle_slave_alerts(struct sdw_slave *slave) + + sdw_modify_slave_status(slave, SDW_SLAVE_ALERT); + +- ret = pm_runtime_resume_and_get(&slave->dev); ++ ret = pm_runtime_get_sync(&slave->dev); + if (ret < 0 && ret != -EACCES) { + dev_err(&slave->dev, "Failed to resume device: %d\n", ret); ++ pm_runtime_put_noidle(&slave->dev); + return ret; + } + +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-193-mfd-intel_soc_pmic_chtwc-Add-Lenovo-Yoga-Book-X.patch b/patches.kernel.org/6.3.4-193-mfd-intel_soc_pmic_chtwc-Add-Lenovo-Yoga-Book-X.patch new file mode 100644 index 0000000..dc1a09e --- /dev/null +++ b/patches.kernel.org/6.3.4-193-mfd-intel_soc_pmic_chtwc-Add-Lenovo-Yoga-Book-X.patch @@ -0,0 +1,61 @@ +From: Hans de Goede +Date: Wed, 1 Mar 2023 10:54:02 +0100 +Subject: [PATCH] mfd: intel_soc_pmic_chtwc: Add Lenovo Yoga Book X90F to + intel_cht_wc_models +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: ded99b89d25fd73a1d7bd910378e0339fd9d4c4a + +[ Upstream commit ded99b89d25fd73a1d7bd910378e0339fd9d4c4a ] + +The Android Lenovo Yoga Book X90F / X90L uses the same charger / fuelgauge +setup as the already supported Windows Lenovo Yoga Book X91F/L, add +a DMI match for this to intel_cht_wc_models with driver_data +set to INTEL_CHT_WC_LENOVO_YOGABOOK1. + +When the quirk for the X91F/L was initially added it was written to +also apply to the X90F/L but this does not work because the Android +version of the Yoga Book uses completely different DMI strings. +Also adjust the X91F/L quirk to reflect that it only applies to +the X91F/L models. + +Signed-off-by: Hans de Goede +Reviewed-by: Andy Shevchenko +Signed-off-by: Lee Jones +Link: https://lore.kernel.org/r/20230301095402.28582-1-hdegoede@redhat.com +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/mfd/intel_soc_pmic_chtwc.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/drivers/mfd/intel_soc_pmic_chtwc.c b/drivers/mfd/intel_soc_pmic_chtwc.c +index d53dae25..871776d5 100644 +--- a/drivers/mfd/intel_soc_pmic_chtwc.c ++++ b/drivers/mfd/intel_soc_pmic_chtwc.c +@@ -159,11 +159,19 @@ static const struct dmi_system_id cht_wc_model_dmi_ids[] = { + DMI_MATCH(DMI_PRODUCT_NAME, "Mipad2"), + }, + }, { +- /* Lenovo Yoga Book X90F / X91F / X91L */ ++ /* Lenovo Yoga Book X90F / X90L */ + .driver_data = (void *)(long)INTEL_CHT_WC_LENOVO_YOGABOOK1, + .matches = { +- /* Non exact match to match all versions */ +- DMI_MATCH(DMI_PRODUCT_NAME, "Lenovo YB1-X9"), ++ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "Intel Corporation"), ++ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "CHERRYVIEW D1 PLATFORM"), ++ DMI_EXACT_MATCH(DMI_PRODUCT_VERSION, "YETI-11"), ++ }, ++ }, { ++ /* Lenovo Yoga Book X91F / X91L */ ++ .driver_data = (void *)(long)INTEL_CHT_WC_LENOVO_YOGABOOK1, ++ .matches = { ++ /* Non exact match to match F + L versions */ ++ DMI_MATCH(DMI_PRODUCT_NAME, "Lenovo YB1-X91"), + }, + }, { + /* Lenovo Yoga Tab 3 Pro YT3-X90F */ +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-194-mfd-dln2-Fix-memory-leak-in-dln2_probe.patch b/patches.kernel.org/6.3.4-194-mfd-dln2-Fix-memory-leak-in-dln2_probe.patch new file mode 100644 index 0000000..fa69731 --- /dev/null +++ b/patches.kernel.org/6.3.4-194-mfd-dln2-Fix-memory-leak-in-dln2_probe.patch @@ -0,0 +1,39 @@ +From: Qiang Ning +Date: Thu, 30 Mar 2023 10:43:53 +0800 +Subject: [PATCH] mfd: dln2: Fix memory leak in dln2_probe() +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 96da8f148396329ba769246cb8ceaa35f1ddfc48 + +[ Upstream commit 96da8f148396329ba769246cb8ceaa35f1ddfc48 ] + +When dln2_setup_rx_urbs() in dln2_probe() fails, error out_free forgets +to call usb_put_dev() to decrease the refcount of dln2->usb_dev. + +Fix this by adding usb_put_dev() in the error handling code of +dln2_probe(). + +Signed-off-by: Qiang Ning +Signed-off-by: Lee Jones +Link: https://lore.kernel.org/r/20230330024353.4503-1-qning0106@126.com +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/mfd/dln2.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/mfd/dln2.c b/drivers/mfd/dln2.c +index 6cd0b0c7..c3149729 100644 +--- a/drivers/mfd/dln2.c ++++ b/drivers/mfd/dln2.c +@@ -827,6 +827,7 @@ static int dln2_probe(struct usb_interface *interface, + dln2_stop_rx_urbs(dln2); + + out_free: ++ usb_put_dev(dln2->usb_dev); + dln2_free(dln2); + + return ret; +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-195-mfd-intel-lpss-Add-Intel-Meteor-Lake-PCH-S-LPSS.patch b/patches.kernel.org/6.3.4-195-mfd-intel-lpss-Add-Intel-Meteor-Lake-PCH-S-LPSS.patch new file mode 100644 index 0000000..63fae45 --- /dev/null +++ b/patches.kernel.org/6.3.4-195-mfd-intel-lpss-Add-Intel-Meteor-Lake-PCH-S-LPSS.patch @@ -0,0 +1,50 @@ +From: Jarkko Nikula +Date: Thu, 30 Mar 2023 16:26:18 +0300 +Subject: [PATCH] mfd: intel-lpss: Add Intel Meteor Lake PCH-S LPSS PCI IDs +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 72d4a1683741ee578da0e265886e6a7f3d42266c + +[ Upstream commit 72d4a1683741ee578da0e265886e6a7f3d42266c ] + +Add Intel Meteor Lake PCH-S also called as Meteor Point-S LPSS PCI IDs. + +Signed-off-by: Jarkko Nikula +Acked-by: Andy Shevchenko +Signed-off-by: Lee Jones +Link: https://lore.kernel.org/r/20230330132618.4108665-1-jarkko.nikula@linux.intel.com +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/mfd/intel-lpss-pci.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/drivers/mfd/intel-lpss-pci.c b/drivers/mfd/intel-lpss-pci.c +index dde31c50..699f44ff 100644 +--- a/drivers/mfd/intel-lpss-pci.c ++++ b/drivers/mfd/intel-lpss-pci.c +@@ -447,6 +447,21 @@ static const struct pci_device_id intel_lpss_pci_ids[] = { + { PCI_VDEVICE(INTEL, 0x7e79), (kernel_ulong_t)&bxt_i2c_info }, + { PCI_VDEVICE(INTEL, 0x7e7a), (kernel_ulong_t)&bxt_i2c_info }, + { PCI_VDEVICE(INTEL, 0x7e7b), (kernel_ulong_t)&bxt_i2c_info }, ++ /* MTP-S */ ++ { PCI_VDEVICE(INTEL, 0x7f28), (kernel_ulong_t)&bxt_uart_info }, ++ { PCI_VDEVICE(INTEL, 0x7f29), (kernel_ulong_t)&bxt_uart_info }, ++ { PCI_VDEVICE(INTEL, 0x7f2a), (kernel_ulong_t)&tgl_info }, ++ { PCI_VDEVICE(INTEL, 0x7f2b), (kernel_ulong_t)&tgl_info }, ++ { PCI_VDEVICE(INTEL, 0x7f4c), (kernel_ulong_t)&bxt_i2c_info }, ++ { PCI_VDEVICE(INTEL, 0x7f4d), (kernel_ulong_t)&bxt_i2c_info }, ++ { PCI_VDEVICE(INTEL, 0x7f4e), (kernel_ulong_t)&bxt_i2c_info }, ++ { PCI_VDEVICE(INTEL, 0x7f4f), (kernel_ulong_t)&bxt_i2c_info }, ++ { PCI_VDEVICE(INTEL, 0x7f5c), (kernel_ulong_t)&bxt_uart_info }, ++ { PCI_VDEVICE(INTEL, 0x7f5d), (kernel_ulong_t)&bxt_uart_info }, ++ { PCI_VDEVICE(INTEL, 0x7f5e), (kernel_ulong_t)&tgl_info }, ++ { PCI_VDEVICE(INTEL, 0x7f5f), (kernel_ulong_t)&tgl_info }, ++ { PCI_VDEVICE(INTEL, 0x7f7a), (kernel_ulong_t)&bxt_i2c_info }, ++ { PCI_VDEVICE(INTEL, 0x7f7b), (kernel_ulong_t)&bxt_i2c_info }, + /* LKF */ + { PCI_VDEVICE(INTEL, 0x98a8), (kernel_ulong_t)&bxt_uart_info }, + { PCI_VDEVICE(INTEL, 0x98a9), (kernel_ulong_t)&bxt_uart_info }, +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-196-parisc-Replace-regular-spinlock-with-spin_trylo.patch b/patches.kernel.org/6.3.4-196-parisc-Replace-regular-spinlock-with-spin_trylo.patch new file mode 100644 index 0000000..b6c686e --- /dev/null +++ b/patches.kernel.org/6.3.4-196-parisc-Replace-regular-spinlock-with-spin_trylo.patch @@ -0,0 +1,138 @@ +From: "Guilherme G. Piccoli" +Date: Mon, 20 Feb 2023 18:11:05 -0300 +Subject: [PATCH] parisc: Replace regular spinlock with spin_trylock on panic + path +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 829632dae8321787525ee37dc4828bbe6edafdae + +[ Upstream commit 829632dae8321787525ee37dc4828bbe6edafdae ] + +The panic notifiers' callbacks execute in an atomic context, with +interrupts/preemption disabled, and all CPUs not running the panic +function are off, so it's very dangerous to wait on a regular +spinlock, there's a risk of deadlock. + +Refactor the panic notifier of parisc/power driver to make use +of spin_trylock - for that, we've added a second version of the +soft-power function. Also, some comments were reorganized and +trailing white spaces, useless header inclusion and blank lines +were removed. + +Cc: "James E.J. Bottomley" +Cc: Jeroen Roovers +Acked-by: Helge Deller # parisc +Signed-off-by: Guilherme G. Piccoli +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + arch/parisc/include/asm/pdc.h | 1 + + arch/parisc/kernel/firmware.c | 27 +++++++++++++++++++++++---- + drivers/parisc/power.c | 16 ++++++++++------ + 3 files changed, 34 insertions(+), 10 deletions(-) + +diff --git a/arch/parisc/include/asm/pdc.h b/arch/parisc/include/asm/pdc.h +index 40793bef..2b4fad83 100644 +--- a/arch/parisc/include/asm/pdc.h ++++ b/arch/parisc/include/asm/pdc.h +@@ -80,6 +80,7 @@ int pdc_do_firm_test_reset(unsigned long ftc_bitmap); + int pdc_do_reset(void); + int pdc_soft_power_info(unsigned long *power_reg); + int pdc_soft_power_button(int sw_control); ++int pdc_soft_power_button_panic(int sw_control); + void pdc_io_reset(void); + void pdc_io_reset_devices(void); + int pdc_iodc_getc(void); +diff --git a/arch/parisc/kernel/firmware.c b/arch/parisc/kernel/firmware.c +index 6817892a..cc124d9f 100644 +--- a/arch/parisc/kernel/firmware.c ++++ b/arch/parisc/kernel/firmware.c +@@ -1232,15 +1232,18 @@ int __init pdc_soft_power_info(unsigned long *power_reg) + } + + /* +- * pdc_soft_power_button - Control the soft power button behaviour +- * @sw_control: 0 for hardware control, 1 for software control ++ * pdc_soft_power_button{_panic} - Control the soft power button behaviour ++ * @sw_control: 0 for hardware control, 1 for software control + * + * + * This PDC function places the soft power button under software or + * hardware control. +- * Under software control the OS may control to when to allow to shut +- * down the system. Under hardware control pressing the power button ++ * Under software control the OS may control to when to allow to shut ++ * down the system. Under hardware control pressing the power button + * powers off the system immediately. ++ * ++ * The _panic version relies on spin_trylock to prevent deadlock ++ * on panic path. + */ + int pdc_soft_power_button(int sw_control) + { +@@ -1254,6 +1257,22 @@ int pdc_soft_power_button(int sw_control) + return retval; + } + ++int pdc_soft_power_button_panic(int sw_control) ++{ ++ int retval; ++ unsigned long flags; ++ ++ if (!spin_trylock_irqsave(&pdc_lock, flags)) { ++ pr_emerg("Couldn't enable soft power button\n"); ++ return -EBUSY; /* ignored by the panic notifier */ ++ } ++ ++ retval = mem_pdc_call(PDC_SOFT_POWER, PDC_SOFT_POWER_ENABLE, __pa(pdc_result), sw_control); ++ spin_unlock_irqrestore(&pdc_lock, flags); ++ ++ return retval; ++} ++ + /* + * pdc_io_reset - Hack to avoid overlapping range registers of Bridges devices. + * Primarily a problem on T600 (which parisc-linux doesn't support) but +diff --git a/drivers/parisc/power.c b/drivers/parisc/power.c +index 456776bd..6f5e5f02 100644 +--- a/drivers/parisc/power.c ++++ b/drivers/parisc/power.c +@@ -37,7 +37,6 @@ + #include + #include + #include +-#include + #include + #include + #include +@@ -175,16 +174,21 @@ static void powerfail_interrupt(int code, void *x) + + + +-/* parisc_panic_event() is called by the panic handler. +- * As soon as a panic occurs, our tasklets above will not be +- * executed any longer. This function then re-enables the +- * soft-power switch and allows the user to switch off the system ++/* ++ * parisc_panic_event() is called by the panic handler. ++ * ++ * As soon as a panic occurs, our tasklets above will not ++ * be executed any longer. This function then re-enables ++ * the soft-power switch and allows the user to switch off ++ * the system. We rely in pdc_soft_power_button_panic() ++ * since this version spin_trylocks (instead of regular ++ * spinlock), preventing deadlocks on panic path. + */ + static int parisc_panic_event(struct notifier_block *this, + unsigned long event, void *ptr) + { + /* re-enable the soft-power switch */ +- pdc_soft_power_button(0); ++ pdc_soft_power_button_panic(0); + return NOTIFY_DONE; + } + +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-197-xfrm-don-t-check-the-default-policy-if-the-poli.patch b/patches.kernel.org/6.3.4-197-xfrm-don-t-check-the-default-policy-if-the-poli.patch new file mode 100644 index 0000000..3f44590 --- /dev/null +++ b/patches.kernel.org/6.3.4-197-xfrm-don-t-check-the-default-policy-if-the-poli.patch @@ -0,0 +1,51 @@ +From: Sabrina Dubroca +Date: Tue, 4 Apr 2023 15:12:16 +0200 +Subject: [PATCH] xfrm: don't check the default policy if the policy allows the + packet +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 430cac487400494c19a8b85299e979bb07b4671f + +[ Upstream commit 430cac487400494c19a8b85299e979bb07b4671f ] + +The current code doesn't let a simple "allow" policy counteract a +default policy blocking all incoming packets: + + ip x p setdefault in block + ip x p a src 192.168.2.1/32 dst 192.168.2.2/32 dir in action allow + +At this stage, we have an allow policy (with or without transforms) +for this packet. It doesn't matter what the default policy says, since +the policy we looked up lets the packet through. The case of a +blocking policy is already handled separately, so we can remove this +check. + +Fixes: 2d151d39073a ("xfrm: Add possibility to set the default to block if we have no policy") +Signed-off-by: Sabrina Dubroca +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + net/xfrm/xfrm_policy.c | 6 ------ + 1 file changed, 6 deletions(-) + +diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c +index 5c61ec04..62be042f 100644 +--- a/net/xfrm/xfrm_policy.c ++++ b/net/xfrm/xfrm_policy.c +@@ -3712,12 +3712,6 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, + } + xfrm_nr = ti; + +- if (net->xfrm.policy_default[dir] == XFRM_USERPOLICY_BLOCK && +- !xfrm_nr) { +- XFRM_INC_STATS(net, LINUX_MIB_XFRMINNOSTATES); +- goto reject; +- } +- + if (npols > 1) { + xfrm_tmpl_sort(stp, tpp, xfrm_nr, family); + tpp = stp; +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-198-xfrm-release-all-offloaded-policy-memory.patch b/patches.kernel.org/6.3.4-198-xfrm-release-all-offloaded-policy-memory.patch new file mode 100644 index 0000000..860c11d --- /dev/null +++ b/patches.kernel.org/6.3.4-198-xfrm-release-all-offloaded-policy-memory.patch @@ -0,0 +1,61 @@ +From: Leon Romanovsky +Date: Wed, 19 Apr 2023 15:19:07 +0300 +Subject: [PATCH] xfrm: release all offloaded policy memory +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 94b95dfaa814f565d92f5a65f0ff12a483095522 + +[ Upstream commit 94b95dfaa814f565d92f5a65f0ff12a483095522 ] + +Failure to add offloaded policy will cause to the following +error once user will try to reload driver. + +Unregister_netdevice: waiting for eth3 to become free. Usage count = 2 + +This was caused by xfrm_dev_policy_add() which increments reference +to net_device. That reference was supposed to be decremented +in xfrm_dev_policy_free(). However the latter wasn't called. + + unregister_netdevice: waiting for eth3 to become free. Usage count = 2 + leaked reference. + xfrm_dev_policy_add+0xff/0x3d0 + xfrm_policy_construct+0x352/0x420 + xfrm_add_policy+0x179/0x320 + xfrm_user_rcv_msg+0x1d2/0x3d0 + netlink_rcv_skb+0xe0/0x210 + xfrm_netlink_rcv+0x45/0x50 + netlink_unicast+0x346/0x490 + netlink_sendmsg+0x3b0/0x6c0 + sock_sendmsg+0x73/0xc0 + sock_write_iter+0x13b/0x1f0 + vfs_write+0x528/0x5d0 + ksys_write+0x120/0x150 + do_syscall_64+0x3d/0x90 + entry_SYSCALL_64_after_hwframe+0x46/0xb0 + +Fixes: 919e43fad516 ("xfrm: add an interface to offload policy") +Signed-off-by: Leon Romanovsky +Reviewed-by: Simon Horman +Reviewed-by: Eric Dumazet +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + net/xfrm/xfrm_user.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c +index 103af2b3..af8fbcbf 100644 +--- a/net/xfrm/xfrm_user.c ++++ b/net/xfrm/xfrm_user.c +@@ -1978,6 +1978,7 @@ static int xfrm_add_policy(struct sk_buff *skb, struct nlmsghdr *nlh, + + if (err) { + xfrm_dev_policy_delete(xp); ++ xfrm_dev_policy_free(xp); + security_xfrm_policy_free(xp->security); + kfree(xp); + return err; +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-199-xfrm-Fix-leak-of-dev-tracker.patch b/patches.kernel.org/6.3.4-199-xfrm-Fix-leak-of-dev-tracker.patch new file mode 100644 index 0000000..3f64720 --- /dev/null +++ b/patches.kernel.org/6.3.4-199-xfrm-Fix-leak-of-dev-tracker.patch @@ -0,0 +1,39 @@ +From: Leon Romanovsky +Date: Wed, 19 Apr 2023 15:19:08 +0300 +Subject: [PATCH] xfrm: Fix leak of dev tracker +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: ec8f32ad9a65a8cbb465b69e154aaec9d2fe45c4 + +[ Upstream commit ec8f32ad9a65a8cbb465b69e154aaec9d2fe45c4 ] + +At the stage of direction checks, the netdev reference tracker is +already initialized, but released with wrong *_put() call. + +Fixes: 919e43fad516 ("xfrm: add an interface to offload policy") +Signed-off-by: Leon Romanovsky +Reviewed-by: Simon Horman +Reviewed-by: Eric Dumazet +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + net/xfrm/xfrm_device.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/xfrm/xfrm_device.c b/net/xfrm/xfrm_device.c +index 95f1436b..e2ca50bf 100644 +--- a/net/xfrm/xfrm_device.c ++++ b/net/xfrm/xfrm_device.c +@@ -378,7 +378,7 @@ int xfrm_dev_policy_add(struct net *net, struct xfrm_policy *xp, + break; + default: + xdo->dev = NULL; +- dev_put(dev); ++ netdev_put(dev, &xdo->dev_tracker); + NL_SET_ERR_MSG(extack, "Unrecognized offload direction"); + return -EINVAL; + } +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-200-Revert-Fix-XFRM-I-support-for-nested-ESP-tunnel.patch b/patches.kernel.org/6.3.4-200-Revert-Fix-XFRM-I-support-for-nested-ESP-tunnel.patch new file mode 100644 index 0000000..db212fc --- /dev/null +++ b/patches.kernel.org/6.3.4-200-Revert-Fix-XFRM-I-support-for-nested-ESP-tunnel.patch @@ -0,0 +1,126 @@ +From: Martin Willi +Date: Tue, 25 Apr 2023 09:46:18 +0200 +Subject: [PATCH] Revert "Fix XFRM-I support for nested ESP tunnels" +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 5fc46f94219d1d103ffb5f0832be9da674d85a73 + +[ Upstream commit 5fc46f94219d1d103ffb5f0832be9da674d85a73 ] + +This reverts commit b0355dbbf13c0052931dd14c38c789efed64d3de. + +The reverted commit clears the secpath on packets received via xfrm interfaces +to support nested IPsec tunnels. This breaks Netfilter policy matching using +xt_policy in the FORWARD chain, as the secpath is missing during forwarding. +Additionally, Benedict Wong reports that it breaks Transport-in-Tunnel mode. + +Fix this regression by reverting the commit until we have a better approach +for nested IPsec tunnels. + +Fixes: b0355dbbf13c ("Fix XFRM-I support for nested ESP tunnels") +Link: https://lore.kernel.org/netdev/20230412085615.124791-1-martin@strongswan.org/ +Signed-off-by: Martin Willi +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + net/xfrm/xfrm_interface_core.c | 54 +++------------------------------- + net/xfrm/xfrm_policy.c | 3 -- + 2 files changed, 4 insertions(+), 53 deletions(-) + +diff --git a/net/xfrm/xfrm_interface_core.c b/net/xfrm/xfrm_interface_core.c +index 35279c22..1f99dc46 100644 +--- a/net/xfrm/xfrm_interface_core.c ++++ b/net/xfrm/xfrm_interface_core.c +@@ -310,52 +310,6 @@ static void xfrmi_scrub_packet(struct sk_buff *skb, bool xnet) + skb->mark = 0; + } + +-static int xfrmi_input(struct sk_buff *skb, int nexthdr, __be32 spi, +- int encap_type, unsigned short family) +-{ +- struct sec_path *sp; +- +- sp = skb_sec_path(skb); +- if (sp && (sp->len || sp->olen) && +- !xfrm_policy_check(NULL, XFRM_POLICY_IN, skb, family)) +- goto discard; +- +- XFRM_SPI_SKB_CB(skb)->family = family; +- if (family == AF_INET) { +- XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct iphdr, daddr); +- XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4 = NULL; +- } else { +- XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct ipv6hdr, daddr); +- XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip6 = NULL; +- } +- +- return xfrm_input(skb, nexthdr, spi, encap_type); +-discard: +- kfree_skb(skb); +- return 0; +-} +- +-static int xfrmi4_rcv(struct sk_buff *skb) +-{ +- return xfrmi_input(skb, ip_hdr(skb)->protocol, 0, 0, AF_INET); +-} +- +-static int xfrmi6_rcv(struct sk_buff *skb) +-{ +- return xfrmi_input(skb, skb_network_header(skb)[IP6CB(skb)->nhoff], +- 0, 0, AF_INET6); +-} +- +-static int xfrmi4_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type) +-{ +- return xfrmi_input(skb, nexthdr, spi, encap_type, AF_INET); +-} +- +-static int xfrmi6_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type) +-{ +- return xfrmi_input(skb, nexthdr, spi, encap_type, AF_INET6); +-} +- + static int xfrmi_rcv_cb(struct sk_buff *skb, int err) + { + const struct xfrm_mode *inner_mode; +@@ -991,8 +945,8 @@ static struct pernet_operations xfrmi_net_ops = { + }; + + static struct xfrm6_protocol xfrmi_esp6_protocol __read_mostly = { +- .handler = xfrmi6_rcv, +- .input_handler = xfrmi6_input, ++ .handler = xfrm6_rcv, ++ .input_handler = xfrm_input, + .cb_handler = xfrmi_rcv_cb, + .err_handler = xfrmi6_err, + .priority = 10, +@@ -1042,8 +996,8 @@ static struct xfrm6_tunnel xfrmi_ip6ip_handler __read_mostly = { + #endif + + static struct xfrm4_protocol xfrmi_esp4_protocol __read_mostly = { +- .handler = xfrmi4_rcv, +- .input_handler = xfrmi4_input, ++ .handler = xfrm4_rcv, ++ .input_handler = xfrm_input, + .cb_handler = xfrmi_rcv_cb, + .err_handler = xfrmi4_err, + .priority = 10, +diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c +index 62be042f..21a3a1cd 100644 +--- a/net/xfrm/xfrm_policy.c ++++ b/net/xfrm/xfrm_policy.c +@@ -3739,9 +3739,6 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, + goto reject; + } + +- if (if_id) +- secpath_reset(skb); +- + xfrm_pols_put(pols, npols); + return 1; + } +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-201-drm-msm-dp-unregister-audio-driver-during-unbin.patch b/patches.kernel.org/6.3.4-201-drm-msm-dp-unregister-audio-driver-during-unbin.patch new file mode 100644 index 0000000..100268e --- /dev/null +++ b/patches.kernel.org/6.3.4-201-drm-msm-dp-unregister-audio-driver-during-unbin.patch @@ -0,0 +1,82 @@ +From: Srinivas Kandagatla +Date: Fri, 21 Apr 2023 15:56:57 +0100 +Subject: [PATCH] drm/msm/dp: unregister audio driver during unbind +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 85c636284cb63b7740b4ae98881ace92158068d3 + +[ Upstream commit 85c636284cb63b7740b4ae98881ace92158068d3 ] + +while binding the code always registers a audio driver, however there +is no corresponding unregistration done in unbind. This leads to multiple +redundant audio platform devices if dp_display_bind and dp_display_unbind +happens multiple times during startup. On X13s platform this resulted in +6 to 9 audio codec device instead of just 3 codec devices for 3 dp ports. + +Fix this by unregistering codecs on unbind. + +Signed-off-by: Srinivas Kandagatla +Fixes: d13e36d7d222 ("drm/msm/dp: add audio support for Display Port on MSM") +Reviewed-by: Abhinav Kumar +Patchwork: https://patchwork.freedesktop.org/patch/533324/ +Link: https://lore.kernel.org/r/20230421145657.12186-1-srinivas.kandagatla@linaro.org +Signed-off-by: Abhinav Kumar +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/gpu/drm/msm/dp/dp_audio.c | 12 ++++++++++++ + drivers/gpu/drm/msm/dp/dp_audio.h | 2 ++ + drivers/gpu/drm/msm/dp/dp_display.c | 1 + + 3 files changed, 15 insertions(+) + +diff --git a/drivers/gpu/drm/msm/dp/dp_audio.c b/drivers/gpu/drm/msm/dp/dp_audio.c +index 6666783e..1245c7aa 100644 +--- a/drivers/gpu/drm/msm/dp/dp_audio.c ++++ b/drivers/gpu/drm/msm/dp/dp_audio.c +@@ -593,6 +593,18 @@ static struct hdmi_codec_pdata codec_data = { + .i2s = 1, + }; + ++void dp_unregister_audio_driver(struct device *dev, struct dp_audio *dp_audio) ++{ ++ struct dp_audio_private *audio_priv; ++ ++ audio_priv = container_of(dp_audio, struct dp_audio_private, dp_audio); ++ ++ if (audio_priv->audio_pdev) { ++ platform_device_unregister(audio_priv->audio_pdev); ++ audio_priv->audio_pdev = NULL; ++ } ++} ++ + int dp_register_audio_driver(struct device *dev, + struct dp_audio *dp_audio) + { +diff --git a/drivers/gpu/drm/msm/dp/dp_audio.h b/drivers/gpu/drm/msm/dp/dp_audio.h +index 84e5f4a5..4ab78880 100644 +--- a/drivers/gpu/drm/msm/dp/dp_audio.h ++++ b/drivers/gpu/drm/msm/dp/dp_audio.h +@@ -53,6 +53,8 @@ struct dp_audio *dp_audio_get(struct platform_device *pdev, + int dp_register_audio_driver(struct device *dev, + struct dp_audio *dp_audio); + ++void dp_unregister_audio_driver(struct device *dev, struct dp_audio *dp_audio); ++ + /** + * dp_audio_put() + * +diff --git a/drivers/gpu/drm/msm/dp/dp_display.c b/drivers/gpu/drm/msm/dp/dp_display.c +index bde1a7ce..3f9a1841 100644 +--- a/drivers/gpu/drm/msm/dp/dp_display.c ++++ b/drivers/gpu/drm/msm/dp/dp_display.c +@@ -326,6 +326,7 @@ static void dp_display_unbind(struct device *dev, struct device *master, + kthread_stop(dp->ev_tsk); + + dp_power_client_deinit(dp->power); ++ dp_unregister_audio_driver(dev, dp->audio); + dp_aux_unregister(dp->aux); + dp->drm_dev = NULL; + dp->aux->drm_dev = NULL; +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-202-drm-msm-dpu-Assign-missing-writeback-log_mask.patch b/patches.kernel.org/6.3.4-202-drm-msm-dpu-Assign-missing-writeback-log_mask.patch new file mode 100644 index 0000000..72b32be --- /dev/null +++ b/patches.kernel.org/6.3.4-202-drm-msm-dpu-Assign-missing-writeback-log_mask.patch @@ -0,0 +1,41 @@ +From: Marijn Suijten +Date: Wed, 26 Apr 2023 01:11:09 +0200 +Subject: [PATCH] drm/msm/dpu: Assign missing writeback log_mask +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: a432fc31f03db2546a48bcf5dd69ca28ceb732bf + +[ Upstream commit a432fc31f03db2546a48bcf5dd69ca28ceb732bf ] + +The WB debug log mask ended up never being assigned, leading to writes +to this block to never be logged even if the mask is enabled in +dpu_hw_util_log_mask via debugfs. + +Fixes: 84a33d0fd921 ("drm/msm/dpu: add dpu_hw_wb abstraction for writeback blocks") +Signed-off-by: Marijn Suijten +Reviewed-by: Abhinav Kumar +Reviewed-by: Dmitry Baryshkov +Patchwork: https://patchwork.freedesktop.org/patch/533860/ +Link: https://lore.kernel.org/r/20230418-dpu-drop-useless-for-lookup-v3-1-e8d869eea455@somainline.org +Signed-off-by: Abhinav Kumar +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/gpu/drm/msm/disp/dpu1/dpu_hw_wb.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_wb.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_wb.c +index 2d28afdf..a3e413d2 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_wb.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_wb.c +@@ -61,6 +61,7 @@ static const struct dpu_wb_cfg *_wb_offset(enum dpu_wb wb, + for (i = 0; i < m->wb_count; i++) { + if (wb == m->wb[i].id) { + b->blk_addr = addr + m->wb[i].base; ++ b->log_mask = DPU_DBG_MASK_WB; + return &m->wb[i]; + } + } +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-203-drm-msm-dpu-Move-non-MDP_TOP-INTF_INTR-offsets-.patch b/patches.kernel.org/6.3.4-203-drm-msm-dpu-Move-non-MDP_TOP-INTF_INTR-offsets-.patch new file mode 100644 index 0000000..7d40861 --- /dev/null +++ b/patches.kernel.org/6.3.4-203-drm-msm-dpu-Move-non-MDP_TOP-INTF_INTR-offsets-.patch @@ -0,0 +1,69 @@ +From: Marijn Suijten +Date: Thu, 27 Apr 2023 00:37:17 +0200 +Subject: [PATCH] drm/msm/dpu: Move non-MDP_TOP INTF_INTR offsets out of hwio + header +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: e9d9ce5462fecdeefec87953de71df4d025cbc72 + +[ Upstream commit e9d9ce5462fecdeefec87953de71df4d025cbc72 ] + +These offsets do not fall under the MDP TOP block and do not fit the +comment right above. Move them to dpu_hw_interrupts.c next to the +repsective MDP_INTF_x_OFF interrupt block offsets. + +Fixes: 25fdd5933e4c ("drm/msm: Add SDM845 DPU support") +Signed-off-by: Marijn Suijten +Reviewed-by: Konrad Dybcio +Reviewed-by: Dmitry Baryshkov +Reviewed-by: Abhinav Kumar +Patchwork: https://patchwork.freedesktop.org/patch/534203/ +Link: https://lore.kernel.org/r/20230411-dpu-intf-te-v4-3-27ce1a5ab5c6@somainline.org +Signed-off-by: Abhinav Kumar +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c | 5 ++++- + drivers/gpu/drm/msm/disp/dpu1/dpu_hwio.h | 3 --- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c +index 53326f25..85c0bda3 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c +@@ -15,7 +15,7 @@ + + /* + * Register offsets in MDSS register file for the interrupt registers +- * w.r.t. to the MDP base ++ * w.r.t. the MDP base + */ + #define MDP_SSPP_TOP0_OFF 0x0 + #define MDP_INTF_0_OFF 0x6A000 +@@ -24,6 +24,9 @@ + #define MDP_INTF_3_OFF 0x6B800 + #define MDP_INTF_4_OFF 0x6C000 + #define MDP_INTF_5_OFF 0x6C800 ++#define INTF_INTR_EN 0x1c0 ++#define INTF_INTR_STATUS 0x1c4 ++#define INTF_INTR_CLEAR 0x1c8 + #define MDP_AD4_0_OFF 0x7C000 + #define MDP_AD4_1_OFF 0x7D000 + #define MDP_AD4_INTR_EN_OFF 0x41c +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_hwio.h b/drivers/gpu/drm/msm/disp/dpu1/dpu_hwio.h +index feb9a729..5acd5683 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_hwio.h ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_hwio.h +@@ -21,9 +21,6 @@ + #define HIST_INTR_EN 0x01c + #define HIST_INTR_STATUS 0x020 + #define HIST_INTR_CLEAR 0x024 +-#define INTF_INTR_EN 0x1C0 +-#define INTF_INTR_STATUS 0x1C4 +-#define INTF_INTR_CLEAR 0x1C8 + #define SPLIT_DISPLAY_EN 0x2F4 + #define SPLIT_DISPLAY_UPPER_PIPE_CTRL 0x2F8 + #define DSPP_IGC_COLOR0_RAM_LUTN 0x300 +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-204-drm-msm-dpu-Reindent-REV_7xxx-interrupt-masks-w.patch b/patches.kernel.org/6.3.4-204-drm-msm-dpu-Reindent-REV_7xxx-interrupt-masks-w.patch new file mode 100644 index 0000000..66c68e6 --- /dev/null +++ b/patches.kernel.org/6.3.4-204-drm-msm-dpu-Reindent-REV_7xxx-interrupt-masks-w.patch @@ -0,0 +1,59 @@ +From: Marijn Suijten +Date: Thu, 27 Apr 2023 00:37:18 +0200 +Subject: [PATCH] drm/msm/dpu: Reindent REV_7xxx interrupt masks with tabs +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 85340c0256f9b85b47c5867e411df37d76df5858 + +[ Upstream commit 85340c0256f9b85b47c5867e411df37d76df5858 ] + +Use tabs for consistency with the other interrupt register definitions, +rather than spaces. + +Fixes: ed6154a136e4 ("drm/msm/disp/dpu1: add intf offsets for SC7280 target") +Fixes: 89688e2119b2 ("drm/msm/dpu: Add more of the INTF interrupt regions") +Fixes: 4a352c2fc15a ("drm/msm/dpu: Introduce SC8280XP") +Signed-off-by: Marijn Suijten +Reviewed-by: Abhinav Kumar +Reviewed-by: Dmitry Baryshkov +Patchwork: https://patchwork.freedesktop.org/patch/534212/ +Link: https://lore.kernel.org/r/20230411-dpu-intf-te-v4-4-27ce1a5ab5c6@somainline.org +Signed-off-by: Abhinav Kumar +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + .../gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c +index 85c0bda3..17f3e7e4 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c +@@ -32,15 +32,15 @@ + #define MDP_AD4_INTR_EN_OFF 0x41c + #define MDP_AD4_INTR_CLEAR_OFF 0x424 + #define MDP_AD4_INTR_STATUS_OFF 0x420 +-#define MDP_INTF_0_OFF_REV_7xxx 0x34000 +-#define MDP_INTF_1_OFF_REV_7xxx 0x35000 +-#define MDP_INTF_2_OFF_REV_7xxx 0x36000 +-#define MDP_INTF_3_OFF_REV_7xxx 0x37000 +-#define MDP_INTF_4_OFF_REV_7xxx 0x38000 +-#define MDP_INTF_5_OFF_REV_7xxx 0x39000 +-#define MDP_INTF_6_OFF_REV_7xxx 0x3a000 +-#define MDP_INTF_7_OFF_REV_7xxx 0x3b000 +-#define MDP_INTF_8_OFF_REV_7xxx 0x3c000 ++#define MDP_INTF_0_OFF_REV_7xxx 0x34000 ++#define MDP_INTF_1_OFF_REV_7xxx 0x35000 ++#define MDP_INTF_2_OFF_REV_7xxx 0x36000 ++#define MDP_INTF_3_OFF_REV_7xxx 0x37000 ++#define MDP_INTF_4_OFF_REV_7xxx 0x38000 ++#define MDP_INTF_5_OFF_REV_7xxx 0x39000 ++#define MDP_INTF_6_OFF_REV_7xxx 0x3a000 ++#define MDP_INTF_7_OFF_REV_7xxx 0x3b000 ++#define MDP_INTF_8_OFF_REV_7xxx 0x3c000 + + /** + * struct dpu_intr_reg - array of DPU register sets +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-205-drm-msm-dpu-populate-SmartDMA-features-in-hw-ca.patch b/patches.kernel.org/6.3.4-205-drm-msm-dpu-populate-SmartDMA-features-in-hw-ca.patch new file mode 100644 index 0000000..ecb8d09 --- /dev/null +++ b/patches.kernel.org/6.3.4-205-drm-msm-dpu-populate-SmartDMA-features-in-hw-ca.patch @@ -0,0 +1,156 @@ +From: Dmitry Baryshkov +Date: Thu, 16 Mar 2023 19:16:49 +0300 +Subject: [PATCH] drm/msm/dpu: populate SmartDMA features in hw catalog +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 8b409996ebdce009777dfb17e542c06f749b02d5 + +[ Upstream commit 8b409996ebdce009777dfb17e542c06f749b02d5 ] + +Downstream driver uses dpu->caps->smart_dma_rev to update +sspp->cap->features with the bit corresponding to the supported SmartDMA +version. Upstream driver does not do this, resulting in SSPP subdriver +not enabling setup_multirect callback. Add corresponding SmartDMA SSPP +feature bits to dpu hw catalog. + +Per Abhinav's request enable the SmartDMA features only on the platforms +where the multirect was actually verified visually (sdm845 and sm8250). +An (untested) enablement on the rest of the platforms comes in the next +patch. + +Reviewed-by: Abhinav Kumar +Signed-off-by: Dmitry Baryshkov +Patchwork: https://patchwork.freedesktop.org/patch/527362/ +Link: https://lore.kernel.org/r/20230316161653.4106395-29-dmitry.baryshkov@linaro.org +Signed-off-by: Dmitry Baryshkov +Stable-dep-of: 701f69183d4d ("drm/msm/dpu: Fix PP_BLK_DIPHER -> DITHER typo") +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + .../gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c | 55 ++++++++++++------- + 1 file changed, 35 insertions(+), 20 deletions(-) + +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c +index 497c9e16..9fe4fc95 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c +@@ -27,9 +27,15 @@ + #define VIG_SDM845_MASK \ + (VIG_MASK | BIT(DPU_SSPP_QOS_8LVL) | BIT(DPU_SSPP_SCALER_QSEED3)) + ++#define VIG_SDM845_MASK_SDMA \ ++ (VIG_SDM845_MASK | BIT(DPU_SSPP_SMART_DMA_V2)) ++ + #define VIG_SC7180_MASK \ + (VIG_MASK | BIT(DPU_SSPP_QOS_8LVL) | BIT(DPU_SSPP_SCALER_QSEED4)) + ++#define VIG_SC7180_MASK_SDMA \ ++ (VIG_SC7180_MASK | BIT(DPU_SSPP_SMART_DMA_V2)) ++ + #define VIG_QCM2290_MASK (VIG_BASE_MASK | BIT(DPU_SSPP_QOS_8LVL)) + + #define DMA_MSM8998_MASK \ +@@ -40,6 +46,9 @@ + #define VIG_SC7280_MASK \ + (VIG_SC7180_MASK | BIT(DPU_SSPP_INLINE_ROTATION)) + ++#define VIG_SC7280_MASK_SDMA \ ++ (VIG_SC7280_MASK | BIT(DPU_SSPP_SMART_DMA_V2)) ++ + #define DMA_SDM845_MASK \ + (BIT(DPU_SSPP_SRC) | BIT(DPU_SSPP_QOS) | BIT(DPU_SSPP_QOS_8LVL) |\ + BIT(DPU_SSPP_TS_PREFILL) | BIT(DPU_SSPP_TS_PREFILL_REC1) |\ +@@ -48,6 +57,12 @@ + #define DMA_CURSOR_SDM845_MASK \ + (DMA_SDM845_MASK | BIT(DPU_SSPP_CURSOR)) + ++#define DMA_SDM845_MASK_SDMA \ ++ (DMA_SDM845_MASK | BIT(DPU_SSPP_SMART_DMA_V2)) ++ ++#define DMA_CURSOR_SDM845_MASK_SDMA \ ++ (DMA_CURSOR_SDM845_MASK | BIT(DPU_SSPP_SMART_DMA_V2)) ++ + #define DMA_CURSOR_MSM8998_MASK \ + (DMA_MSM8998_MASK | BIT(DPU_SSPP_CURSOR)) + +@@ -1196,21 +1211,21 @@ static const struct dpu_sspp_cfg msm8998_sspp[] = { + }; + + static const struct dpu_sspp_cfg sdm845_sspp[] = { +- SSPP_BLK("sspp_0", SSPP_VIG0, 0x4000, VIG_SDM845_MASK, ++ SSPP_BLK("sspp_0", SSPP_VIG0, 0x4000, VIG_SDM845_MASK_SDMA, + sdm845_vig_sblk_0, 0, SSPP_TYPE_VIG, DPU_CLK_CTRL_VIG0), +- SSPP_BLK("sspp_1", SSPP_VIG1, 0x6000, VIG_SDM845_MASK, ++ SSPP_BLK("sspp_1", SSPP_VIG1, 0x6000, VIG_SDM845_MASK_SDMA, + sdm845_vig_sblk_1, 4, SSPP_TYPE_VIG, DPU_CLK_CTRL_VIG1), +- SSPP_BLK("sspp_2", SSPP_VIG2, 0x8000, VIG_SDM845_MASK, ++ SSPP_BLK("sspp_2", SSPP_VIG2, 0x8000, VIG_SDM845_MASK_SDMA, + sdm845_vig_sblk_2, 8, SSPP_TYPE_VIG, DPU_CLK_CTRL_VIG2), +- SSPP_BLK("sspp_3", SSPP_VIG3, 0xa000, VIG_SDM845_MASK, ++ SSPP_BLK("sspp_3", SSPP_VIG3, 0xa000, VIG_SDM845_MASK_SDMA, + sdm845_vig_sblk_3, 12, SSPP_TYPE_VIG, DPU_CLK_CTRL_VIG3), +- SSPP_BLK("sspp_8", SSPP_DMA0, 0x24000, DMA_SDM845_MASK, ++ SSPP_BLK("sspp_8", SSPP_DMA0, 0x24000, DMA_SDM845_MASK_SDMA, + sdm845_dma_sblk_0, 1, SSPP_TYPE_DMA, DPU_CLK_CTRL_DMA0), +- SSPP_BLK("sspp_9", SSPP_DMA1, 0x26000, DMA_SDM845_MASK, ++ SSPP_BLK("sspp_9", SSPP_DMA1, 0x26000, DMA_SDM845_MASK_SDMA, + sdm845_dma_sblk_1, 5, SSPP_TYPE_DMA, DPU_CLK_CTRL_DMA1), +- SSPP_BLK("sspp_10", SSPP_DMA2, 0x28000, DMA_CURSOR_SDM845_MASK, ++ SSPP_BLK("sspp_10", SSPP_DMA2, 0x28000, DMA_CURSOR_SDM845_MASK_SDMA, + sdm845_dma_sblk_2, 9, SSPP_TYPE_DMA, DPU_CLK_CTRL_DMA2), +- SSPP_BLK("sspp_11", SSPP_DMA3, 0x2a000, DMA_CURSOR_SDM845_MASK, ++ SSPP_BLK("sspp_11", SSPP_DMA3, 0x2a000, DMA_CURSOR_SDM845_MASK_SDMA, + sdm845_dma_sblk_3, 13, SSPP_TYPE_DMA, DPU_CLK_CTRL_DMA3), + }; + +@@ -1251,21 +1266,21 @@ static const struct dpu_sspp_sub_blks sm8250_vig_sblk_3 = + _VIG_SBLK("3", 8, DPU_SSPP_SCALER_QSEED4); + + static const struct dpu_sspp_cfg sm8250_sspp[] = { +- SSPP_BLK("sspp_0", SSPP_VIG0, 0x4000, VIG_SC7180_MASK, ++ SSPP_BLK("sspp_0", SSPP_VIG0, 0x4000, VIG_SC7180_MASK_SDMA, + sm8250_vig_sblk_0, 0, SSPP_TYPE_VIG, DPU_CLK_CTRL_VIG0), +- SSPP_BLK("sspp_1", SSPP_VIG1, 0x6000, VIG_SC7180_MASK, ++ SSPP_BLK("sspp_1", SSPP_VIG1, 0x6000, VIG_SC7180_MASK_SDMA, + sm8250_vig_sblk_1, 4, SSPP_TYPE_VIG, DPU_CLK_CTRL_VIG1), +- SSPP_BLK("sspp_2", SSPP_VIG2, 0x8000, VIG_SC7180_MASK, ++ SSPP_BLK("sspp_2", SSPP_VIG2, 0x8000, VIG_SC7180_MASK_SDMA, + sm8250_vig_sblk_2, 8, SSPP_TYPE_VIG, DPU_CLK_CTRL_VIG2), +- SSPP_BLK("sspp_3", SSPP_VIG3, 0xa000, VIG_SC7180_MASK, ++ SSPP_BLK("sspp_3", SSPP_VIG3, 0xa000, VIG_SC7180_MASK_SDMA, + sm8250_vig_sblk_3, 12, SSPP_TYPE_VIG, DPU_CLK_CTRL_VIG3), +- SSPP_BLK("sspp_8", SSPP_DMA0, 0x24000, DMA_SDM845_MASK, ++ SSPP_BLK("sspp_8", SSPP_DMA0, 0x24000, DMA_SDM845_MASK_SDMA, + sdm845_dma_sblk_0, 1, SSPP_TYPE_DMA, DPU_CLK_CTRL_DMA0), +- SSPP_BLK("sspp_9", SSPP_DMA1, 0x26000, DMA_SDM845_MASK, ++ SSPP_BLK("sspp_9", SSPP_DMA1, 0x26000, DMA_SDM845_MASK_SDMA, + sdm845_dma_sblk_1, 5, SSPP_TYPE_DMA, DPU_CLK_CTRL_DMA1), +- SSPP_BLK("sspp_10", SSPP_DMA2, 0x28000, DMA_CURSOR_SDM845_MASK, ++ SSPP_BLK("sspp_10", SSPP_DMA2, 0x28000, DMA_CURSOR_SDM845_MASK_SDMA, + sdm845_dma_sblk_2, 9, SSPP_TYPE_DMA, DPU_CLK_CTRL_DMA2), +- SSPP_BLK("sspp_11", SSPP_DMA3, 0x2a000, DMA_CURSOR_SDM845_MASK, ++ SSPP_BLK("sspp_11", SSPP_DMA3, 0x2a000, DMA_CURSOR_SDM845_MASK_SDMA, + sdm845_dma_sblk_3, 13, SSPP_TYPE_DMA, DPU_CLK_CTRL_DMA3), + }; + +@@ -1332,13 +1347,13 @@ static const struct dpu_sspp_cfg sm8550_sspp[] = { + }; + + static const struct dpu_sspp_cfg sc7280_sspp[] = { +- SSPP_BLK("sspp_0", SSPP_VIG0, 0x4000, VIG_SC7280_MASK, ++ SSPP_BLK("sspp_0", SSPP_VIG0, 0x4000, VIG_SC7280_MASK_SDMA, + sc7280_vig_sblk_0, 0, SSPP_TYPE_VIG, DPU_CLK_CTRL_VIG0), +- SSPP_BLK("sspp_8", SSPP_DMA0, 0x24000, DMA_SDM845_MASK, ++ SSPP_BLK("sspp_8", SSPP_DMA0, 0x24000, DMA_SDM845_MASK_SDMA, + sdm845_dma_sblk_0, 1, SSPP_TYPE_DMA, DPU_CLK_CTRL_DMA0), +- SSPP_BLK("sspp_9", SSPP_DMA1, 0x26000, DMA_CURSOR_SDM845_MASK, ++ SSPP_BLK("sspp_9", SSPP_DMA1, 0x26000, DMA_CURSOR_SDM845_MASK_SDMA, + sdm845_dma_sblk_1, 5, SSPP_TYPE_DMA, DPU_CLK_CTRL_DMA1), +- SSPP_BLK("sspp_10", SSPP_DMA2, 0x28000, DMA_CURSOR_SDM845_MASK, ++ SSPP_BLK("sspp_10", SSPP_DMA2, 0x28000, DMA_CURSOR_SDM845_MASK_SDMA, + sdm845_dma_sblk_2, 9, SSPP_TYPE_DMA, DPU_CLK_CTRL_DMA2), + }; + +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-206-drm-msm-dpu-drop-smart_dma_rev-from-dpu_caps.patch b/patches.kernel.org/6.3.4-206-drm-msm-dpu-drop-smart_dma_rev-from-dpu_caps.patch new file mode 100644 index 0000000..49ed51e --- /dev/null +++ b/patches.kernel.org/6.3.4-206-drm-msm-dpu-drop-smart_dma_rev-from-dpu_caps.patch @@ -0,0 +1,157 @@ +From: Dmitry Baryshkov +Date: Thu, 16 Mar 2023 19:16:51 +0300 +Subject: [PATCH] drm/msm/dpu: drop smart_dma_rev from dpu_caps +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: dcb3f7c9042d1c1aa637b58d47bd45c00b2ac153 + +[ Upstream commit dcb3f7c9042d1c1aa637b58d47bd45c00b2ac153 ] + +The code doesn't use dpu_caps::smart_dma_rev field. It checks if the +corresponding feature is enabled in the SSPP features. Drop the +smart_dma_rev field completely. + +Reviewed-by: Abhinav Kumar +Signed-off-by: Dmitry Baryshkov +Patchwork: https://patchwork.freedesktop.org/patch/527369/ +Link: https://lore.kernel.org/r/20230316161653.4106395-31-dmitry.baryshkov@linaro.org +Signed-off-by: Dmitry Baryshkov +Stable-dep-of: 701f69183d4d ("drm/msm/dpu: Fix PP_BLK_DIPHER -> DITHER typo") +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c | 13 ------------- + drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.h | 2 -- + 2 files changed, 15 deletions(-) + +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c +index 9fe4fc95..e7b29b11 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c +@@ -317,7 +317,6 @@ static const struct dpu_caps msm8998_dpu_caps = { + .max_mixer_width = DEFAULT_DPU_OUTPUT_LINE_WIDTH, + .max_mixer_blendstages = 0x7, + .qseed_type = DPU_SSPP_SCALER_QSEED3, +- .smart_dma_rev = DPU_SSPP_SMART_DMA_V1, + .ubwc_version = DPU_HW_UBWC_VER_10, + .has_src_split = true, + .has_dim_layer = true, +@@ -332,7 +331,6 @@ static const struct dpu_caps msm8998_dpu_caps = { + static const struct dpu_caps qcm2290_dpu_caps = { + .max_mixer_width = DEFAULT_DPU_LINE_WIDTH, + .max_mixer_blendstages = 0x4, +- .smart_dma_rev = DPU_SSPP_SMART_DMA_V2, + .has_dim_layer = true, + .has_idle_pc = true, + .max_linewidth = 2160, +@@ -343,7 +341,6 @@ static const struct dpu_caps sdm845_dpu_caps = { + .max_mixer_width = DEFAULT_DPU_OUTPUT_LINE_WIDTH, + .max_mixer_blendstages = 0xb, + .qseed_type = DPU_SSPP_SCALER_QSEED3, +- .smart_dma_rev = DPU_SSPP_SMART_DMA_V2, + .ubwc_version = DPU_HW_UBWC_VER_20, + .has_src_split = true, + .has_dim_layer = true, +@@ -359,7 +356,6 @@ static const struct dpu_caps sc7180_dpu_caps = { + .max_mixer_width = DEFAULT_DPU_OUTPUT_LINE_WIDTH, + .max_mixer_blendstages = 0x9, + .qseed_type = DPU_SSPP_SCALER_QSEED4, +- .smart_dma_rev = DPU_SSPP_SMART_DMA_V2, + .ubwc_version = DPU_HW_UBWC_VER_20, + .has_dim_layer = true, + .has_idle_pc = true, +@@ -371,7 +367,6 @@ static const struct dpu_caps sm6115_dpu_caps = { + .max_mixer_width = DEFAULT_DPU_LINE_WIDTH, + .max_mixer_blendstages = 0x4, + .qseed_type = DPU_SSPP_SCALER_QSEED4, +- .smart_dma_rev = DPU_SSPP_SMART_DMA_V2, /* TODO: v2.5 */ + .ubwc_version = DPU_HW_UBWC_VER_10, + .has_dim_layer = true, + .has_idle_pc = true, +@@ -383,7 +378,6 @@ static const struct dpu_caps sm8150_dpu_caps = { + .max_mixer_width = DEFAULT_DPU_OUTPUT_LINE_WIDTH, + .max_mixer_blendstages = 0xb, + .qseed_type = DPU_SSPP_SCALER_QSEED3, +- .smart_dma_rev = DPU_SSPP_SMART_DMA_V2, /* TODO: v2.5 */ + .ubwc_version = DPU_HW_UBWC_VER_30, + .has_src_split = true, + .has_dim_layer = true, +@@ -399,7 +393,6 @@ static const struct dpu_caps sc8180x_dpu_caps = { + .max_mixer_width = DEFAULT_DPU_OUTPUT_LINE_WIDTH, + .max_mixer_blendstages = 0xb, + .qseed_type = DPU_SSPP_SCALER_QSEED3, +- .smart_dma_rev = DPU_SSPP_SMART_DMA_V2, /* TODO: v2.5 */ + .ubwc_version = DPU_HW_UBWC_VER_30, + .has_src_split = true, + .has_dim_layer = true, +@@ -415,7 +408,6 @@ static const struct dpu_caps sc8280xp_dpu_caps = { + .max_mixer_width = 2560, + .max_mixer_blendstages = 11, + .qseed_type = DPU_SSPP_SCALER_QSEED4, +- .smart_dma_rev = DPU_SSPP_SMART_DMA_V2, /* TODO: v2.5 */ + .ubwc_version = DPU_HW_UBWC_VER_40, + .has_src_split = true, + .has_dim_layer = true, +@@ -429,7 +421,6 @@ static const struct dpu_caps sm8250_dpu_caps = { + .max_mixer_width = DEFAULT_DPU_OUTPUT_LINE_WIDTH, + .max_mixer_blendstages = 0xb, + .qseed_type = DPU_SSPP_SCALER_QSEED4, +- .smart_dma_rev = DPU_SSPP_SMART_DMA_V2, /* TODO: v2.5 */ + .ubwc_version = DPU_HW_UBWC_VER_40, + .has_src_split = true, + .has_dim_layer = true, +@@ -443,7 +434,6 @@ static const struct dpu_caps sm8350_dpu_caps = { + .max_mixer_width = DEFAULT_DPU_OUTPUT_LINE_WIDTH, + .max_mixer_blendstages = 0xb, + .qseed_type = DPU_SSPP_SCALER_QSEED4, +- .smart_dma_rev = DPU_SSPP_SMART_DMA_V2, /* TODO: v2.5 */ + .ubwc_version = DPU_HW_UBWC_VER_40, + .has_src_split = true, + .has_dim_layer = true, +@@ -457,7 +447,6 @@ static const struct dpu_caps sm8450_dpu_caps = { + .max_mixer_width = DEFAULT_DPU_OUTPUT_LINE_WIDTH, + .max_mixer_blendstages = 0xb, + .qseed_type = DPU_SSPP_SCALER_QSEED4, +- .smart_dma_rev = DPU_SSPP_SMART_DMA_V2, /* TODO: v2.5 */ + .ubwc_version = DPU_HW_UBWC_VER_40, + .has_src_split = true, + .has_dim_layer = true, +@@ -471,7 +460,6 @@ static const struct dpu_caps sm8550_dpu_caps = { + .max_mixer_width = DEFAULT_DPU_OUTPUT_LINE_WIDTH, + .max_mixer_blendstages = 0xb, + .qseed_type = DPU_SSPP_SCALER_QSEED4, +- .smart_dma_rev = DPU_SSPP_SMART_DMA_V2, /* TODO: v2.5 */ + .ubwc_version = DPU_HW_UBWC_VER_40, + .has_src_split = true, + .has_dim_layer = true, +@@ -485,7 +473,6 @@ static const struct dpu_caps sc7280_dpu_caps = { + .max_mixer_width = DEFAULT_DPU_OUTPUT_LINE_WIDTH, + .max_mixer_blendstages = 0x7, + .qseed_type = DPU_SSPP_SCALER_QSEED4, +- .smart_dma_rev = DPU_SSPP_SMART_DMA_V2, + .ubwc_version = DPU_HW_UBWC_VER_30, + .has_dim_layer = true, + .has_idle_pc = true, +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.h b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.h +index 2c5bafac..2531aac9 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.h ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.h +@@ -394,7 +394,6 @@ struct dpu_rotation_cfg { + * @max_mixer_blendstages max layer mixer blend stages or + * supported z order + * @qseed_type qseed2 or qseed3 support. +- * @smart_dma_rev Supported version of SmartDMA feature. + * @ubwc_version UBWC feature version (0x0 for not supported) + * @has_src_split source split feature status + * @has_dim_layer dim layer feature status +@@ -409,7 +408,6 @@ struct dpu_caps { + u32 max_mixer_width; + u32 max_mixer_blendstages; + u32 qseed_type; +- u32 smart_dma_rev; + u32 ubwc_version; + bool has_src_split; + bool has_dim_layer; +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-207-drm-msm-dpu-Allow-variable-SSPP_BLK-size.patch b/patches.kernel.org/6.3.4-207-drm-msm-dpu-Allow-variable-SSPP_BLK-size.patch new file mode 100644 index 0000000..61a661e --- /dev/null +++ b/patches.kernel.org/6.3.4-207-drm-msm-dpu-Allow-variable-SSPP_BLK-size.patch @@ -0,0 +1,296 @@ +From: Konrad Dybcio +Date: Tue, 4 Apr 2023 16:05:42 +0300 +Subject: [PATCH] drm/msm/dpu: Allow variable SSPP_BLK size +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 8f940ddbc4f1b6cc454d9487f9cd735310fb0cfa + +[ Upstream commit 8f940ddbc4f1b6cc454d9487f9cd735310fb0cfa ] + +These blocks are of variable length on different SoCs. Set the +correct values where I was able to retrieve it from downstream +DTs and leave the old defaults (0x1c8) otherwise. + +Signed-off-by: Konrad Dybcio +[DB: fixed some of lengths, split the INTF changes away] +Signed-off-by: Dmitry Baryshkov +Patchwork: https://patchwork.freedesktop.org/patch/530814/ +Link: https://lore.kernel.org/r/20230404130622.509628-3-dmitry.baryshkov@linaro.org +Signed-off-by: Dmitry Baryshkov +Stable-dep-of: 701f69183d4d ("drm/msm/dpu: Fix PP_BLK_DIPHER -> DITHER typo") +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + .../gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c | 146 +++++++++--------- + 1 file changed, 73 insertions(+), 73 deletions(-) + +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c +index e7b29b11..dafc35c9 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c +@@ -1166,11 +1166,11 @@ static const struct dpu_sspp_sub_blks sdm845_dma_sblk_1 = _DMA_SBLK("9", 2); + static const struct dpu_sspp_sub_blks sdm845_dma_sblk_2 = _DMA_SBLK("10", 3); + static const struct dpu_sspp_sub_blks sdm845_dma_sblk_3 = _DMA_SBLK("11", 4); + +-#define SSPP_BLK(_name, _id, _base, _features, \ ++#define SSPP_BLK(_name, _id, _base, _len, _features, \ + _sblk, _xinid, _type, _clkctrl) \ + { \ + .name = _name, .id = _id, \ +- .base = _base, .len = 0x1c8, \ ++ .base = _base, .len = _len, \ + .features = _features, \ + .sblk = &_sblk, \ + .xin_id = _xinid, \ +@@ -1179,40 +1179,40 @@ static const struct dpu_sspp_sub_blks sdm845_dma_sblk_3 = _DMA_SBLK("11", 4); + } + + static const struct dpu_sspp_cfg msm8998_sspp[] = { +- SSPP_BLK("sspp_0", SSPP_VIG0, 0x4000, VIG_MSM8998_MASK, ++ SSPP_BLK("sspp_0", SSPP_VIG0, 0x4000, 0x1ac, VIG_MSM8998_MASK, + msm8998_vig_sblk_0, 0, SSPP_TYPE_VIG, DPU_CLK_CTRL_VIG0), +- SSPP_BLK("sspp_1", SSPP_VIG1, 0x6000, VIG_MSM8998_MASK, ++ SSPP_BLK("sspp_1", SSPP_VIG1, 0x6000, 0x1ac, VIG_MSM8998_MASK, + msm8998_vig_sblk_1, 4, SSPP_TYPE_VIG, DPU_CLK_CTRL_VIG1), +- SSPP_BLK("sspp_2", SSPP_VIG2, 0x8000, VIG_MSM8998_MASK, ++ SSPP_BLK("sspp_2", SSPP_VIG2, 0x8000, 0x1ac, VIG_MSM8998_MASK, + msm8998_vig_sblk_2, 8, SSPP_TYPE_VIG, DPU_CLK_CTRL_VIG2), +- SSPP_BLK("sspp_3", SSPP_VIG3, 0xa000, VIG_MSM8998_MASK, ++ SSPP_BLK("sspp_3", SSPP_VIG3, 0xa000, 0x1ac, VIG_MSM8998_MASK, + msm8998_vig_sblk_3, 12, SSPP_TYPE_VIG, DPU_CLK_CTRL_VIG3), +- SSPP_BLK("sspp_8", SSPP_DMA0, 0x24000, DMA_MSM8998_MASK, ++ SSPP_BLK("sspp_8", SSPP_DMA0, 0x24000, 0x1ac, DMA_MSM8998_MASK, + sdm845_dma_sblk_0, 1, SSPP_TYPE_DMA, DPU_CLK_CTRL_DMA0), +- SSPP_BLK("sspp_9", SSPP_DMA1, 0x26000, DMA_MSM8998_MASK, ++ SSPP_BLK("sspp_9", SSPP_DMA1, 0x26000, 0x1ac, DMA_MSM8998_MASK, + sdm845_dma_sblk_1, 5, SSPP_TYPE_DMA, DPU_CLK_CTRL_DMA1), +- SSPP_BLK("sspp_10", SSPP_DMA2, 0x28000, DMA_CURSOR_MSM8998_MASK, ++ SSPP_BLK("sspp_10", SSPP_DMA2, 0x28000, 0x1ac, DMA_CURSOR_MSM8998_MASK, + sdm845_dma_sblk_2, 9, SSPP_TYPE_DMA, DPU_CLK_CTRL_DMA2), +- SSPP_BLK("sspp_11", SSPP_DMA3, 0x2a000, DMA_CURSOR_MSM8998_MASK, ++ SSPP_BLK("sspp_11", SSPP_DMA3, 0x2a000, 0x1ac, DMA_CURSOR_MSM8998_MASK, + sdm845_dma_sblk_3, 13, SSPP_TYPE_DMA, DPU_CLK_CTRL_DMA3), + }; + + static const struct dpu_sspp_cfg sdm845_sspp[] = { +- SSPP_BLK("sspp_0", SSPP_VIG0, 0x4000, VIG_SDM845_MASK_SDMA, ++ SSPP_BLK("sspp_0", SSPP_VIG0, 0x4000, 0x1c8, VIG_SDM845_MASK_SDMA, + sdm845_vig_sblk_0, 0, SSPP_TYPE_VIG, DPU_CLK_CTRL_VIG0), +- SSPP_BLK("sspp_1", SSPP_VIG1, 0x6000, VIG_SDM845_MASK_SDMA, ++ SSPP_BLK("sspp_1", SSPP_VIG1, 0x6000, 0x1c8, VIG_SDM845_MASK_SDMA, + sdm845_vig_sblk_1, 4, SSPP_TYPE_VIG, DPU_CLK_CTRL_VIG1), +- SSPP_BLK("sspp_2", SSPP_VIG2, 0x8000, VIG_SDM845_MASK_SDMA, ++ SSPP_BLK("sspp_2", SSPP_VIG2, 0x8000, 0x1c8, VIG_SDM845_MASK_SDMA, + sdm845_vig_sblk_2, 8, SSPP_TYPE_VIG, DPU_CLK_CTRL_VIG2), +- SSPP_BLK("sspp_3", SSPP_VIG3, 0xa000, VIG_SDM845_MASK_SDMA, ++ SSPP_BLK("sspp_3", SSPP_VIG3, 0xa000, 0x1c8, VIG_SDM845_MASK_SDMA, + sdm845_vig_sblk_3, 12, SSPP_TYPE_VIG, DPU_CLK_CTRL_VIG3), +- SSPP_BLK("sspp_8", SSPP_DMA0, 0x24000, DMA_SDM845_MASK_SDMA, ++ SSPP_BLK("sspp_8", SSPP_DMA0, 0x24000, 0x1c8, DMA_SDM845_MASK_SDMA, + sdm845_dma_sblk_0, 1, SSPP_TYPE_DMA, DPU_CLK_CTRL_DMA0), +- SSPP_BLK("sspp_9", SSPP_DMA1, 0x26000, DMA_SDM845_MASK_SDMA, ++ SSPP_BLK("sspp_9", SSPP_DMA1, 0x26000, 0x1c8, DMA_SDM845_MASK_SDMA, + sdm845_dma_sblk_1, 5, SSPP_TYPE_DMA, DPU_CLK_CTRL_DMA1), +- SSPP_BLK("sspp_10", SSPP_DMA2, 0x28000, DMA_CURSOR_SDM845_MASK_SDMA, ++ SSPP_BLK("sspp_10", SSPP_DMA2, 0x28000, 0x1c8, DMA_CURSOR_SDM845_MASK_SDMA, + sdm845_dma_sblk_2, 9, SSPP_TYPE_DMA, DPU_CLK_CTRL_DMA2), +- SSPP_BLK("sspp_11", SSPP_DMA3, 0x2a000, DMA_CURSOR_SDM845_MASK_SDMA, ++ SSPP_BLK("sspp_11", SSPP_DMA3, 0x2a000, 0x1c8, DMA_CURSOR_SDM845_MASK_SDMA, + sdm845_dma_sblk_3, 13, SSPP_TYPE_DMA, DPU_CLK_CTRL_DMA3), + }; + +@@ -1223,13 +1223,13 @@ static const struct dpu_sspp_sub_blks sc7280_vig_sblk_0 = + _VIG_SBLK_ROT("0", 4, DPU_SSPP_SCALER_QSEED4, &dpu_rot_sc7280_cfg_v2); + + static const struct dpu_sspp_cfg sc7180_sspp[] = { +- SSPP_BLK("sspp_0", SSPP_VIG0, 0x4000, VIG_SC7180_MASK, ++ SSPP_BLK("sspp_0", SSPP_VIG0, 0x4000, 0x1f8, VIG_SC7180_MASK, + sc7180_vig_sblk_0, 0, SSPP_TYPE_VIG, DPU_CLK_CTRL_VIG0), +- SSPP_BLK("sspp_8", SSPP_DMA0, 0x24000, DMA_SDM845_MASK, ++ SSPP_BLK("sspp_8", SSPP_DMA0, 0x24000, 0x1f8, DMA_SDM845_MASK, + sdm845_dma_sblk_0, 1, SSPP_TYPE_DMA, DPU_CLK_CTRL_DMA0), +- SSPP_BLK("sspp_9", SSPP_DMA1, 0x26000, DMA_CURSOR_SDM845_MASK, ++ SSPP_BLK("sspp_9", SSPP_DMA1, 0x26000, 0x1f8, DMA_CURSOR_SDM845_MASK, + sdm845_dma_sblk_1, 5, SSPP_TYPE_DMA, DPU_CLK_CTRL_DMA1), +- SSPP_BLK("sspp_10", SSPP_DMA2, 0x28000, DMA_CURSOR_SDM845_MASK, ++ SSPP_BLK("sspp_10", SSPP_DMA2, 0x28000, 0x1f8, DMA_CURSOR_SDM845_MASK, + sdm845_dma_sblk_2, 9, SSPP_TYPE_DMA, DPU_CLK_CTRL_DMA2), + }; + +@@ -1237,9 +1237,9 @@ static const struct dpu_sspp_sub_blks sm6115_vig_sblk_0 = + _VIG_SBLK("0", 2, DPU_SSPP_SCALER_QSEED4); + + static const struct dpu_sspp_cfg sm6115_sspp[] = { +- SSPP_BLK("sspp_0", SSPP_VIG0, 0x4000, VIG_SC7180_MASK, ++ SSPP_BLK("sspp_0", SSPP_VIG0, 0x4000, 0x1f8, VIG_SC7180_MASK, + sm6115_vig_sblk_0, 0, SSPP_TYPE_VIG, DPU_CLK_CTRL_VIG0), +- SSPP_BLK("sspp_8", SSPP_DMA0, 0x24000, DMA_SDM845_MASK, ++ SSPP_BLK("sspp_8", SSPP_DMA0, 0x24000, 0x1f8, DMA_SDM845_MASK, + sdm845_dma_sblk_0, 1, SSPP_TYPE_DMA, DPU_CLK_CTRL_DMA0), + }; + +@@ -1253,21 +1253,21 @@ static const struct dpu_sspp_sub_blks sm8250_vig_sblk_3 = + _VIG_SBLK("3", 8, DPU_SSPP_SCALER_QSEED4); + + static const struct dpu_sspp_cfg sm8250_sspp[] = { +- SSPP_BLK("sspp_0", SSPP_VIG0, 0x4000, VIG_SC7180_MASK_SDMA, ++ SSPP_BLK("sspp_0", SSPP_VIG0, 0x4000, 0x1f8, VIG_SC7180_MASK_SDMA, + sm8250_vig_sblk_0, 0, SSPP_TYPE_VIG, DPU_CLK_CTRL_VIG0), +- SSPP_BLK("sspp_1", SSPP_VIG1, 0x6000, VIG_SC7180_MASK_SDMA, ++ SSPP_BLK("sspp_1", SSPP_VIG1, 0x6000, 0x1f8, VIG_SC7180_MASK_SDMA, + sm8250_vig_sblk_1, 4, SSPP_TYPE_VIG, DPU_CLK_CTRL_VIG1), +- SSPP_BLK("sspp_2", SSPP_VIG2, 0x8000, VIG_SC7180_MASK_SDMA, ++ SSPP_BLK("sspp_2", SSPP_VIG2, 0x8000, 0x1f8, VIG_SC7180_MASK_SDMA, + sm8250_vig_sblk_2, 8, SSPP_TYPE_VIG, DPU_CLK_CTRL_VIG2), +- SSPP_BLK("sspp_3", SSPP_VIG3, 0xa000, VIG_SC7180_MASK_SDMA, ++ SSPP_BLK("sspp_3", SSPP_VIG3, 0xa000, 0x1f8, VIG_SC7180_MASK_SDMA, + sm8250_vig_sblk_3, 12, SSPP_TYPE_VIG, DPU_CLK_CTRL_VIG3), +- SSPP_BLK("sspp_8", SSPP_DMA0, 0x24000, DMA_SDM845_MASK_SDMA, ++ SSPP_BLK("sspp_8", SSPP_DMA0, 0x24000, 0x1f8, DMA_SDM845_MASK_SDMA, + sdm845_dma_sblk_0, 1, SSPP_TYPE_DMA, DPU_CLK_CTRL_DMA0), +- SSPP_BLK("sspp_9", SSPP_DMA1, 0x26000, DMA_SDM845_MASK_SDMA, ++ SSPP_BLK("sspp_9", SSPP_DMA1, 0x26000, 0x1f8, DMA_SDM845_MASK_SDMA, + sdm845_dma_sblk_1, 5, SSPP_TYPE_DMA, DPU_CLK_CTRL_DMA1), +- SSPP_BLK("sspp_10", SSPP_DMA2, 0x28000, DMA_CURSOR_SDM845_MASK_SDMA, ++ SSPP_BLK("sspp_10", SSPP_DMA2, 0x28000, 0x1f8, DMA_CURSOR_SDM845_MASK_SDMA, + sdm845_dma_sblk_2, 9, SSPP_TYPE_DMA, DPU_CLK_CTRL_DMA2), +- SSPP_BLK("sspp_11", SSPP_DMA3, 0x2a000, DMA_CURSOR_SDM845_MASK_SDMA, ++ SSPP_BLK("sspp_11", SSPP_DMA3, 0x2a000, 0x1f8, DMA_CURSOR_SDM845_MASK_SDMA, + sdm845_dma_sblk_3, 13, SSPP_TYPE_DMA, DPU_CLK_CTRL_DMA3), + }; + +@@ -1281,21 +1281,21 @@ static const struct dpu_sspp_sub_blks sm8450_vig_sblk_3 = + _VIG_SBLK("3", 8, DPU_SSPP_SCALER_QSEED4); + + static const struct dpu_sspp_cfg sm8450_sspp[] = { +- SSPP_BLK("sspp_0", SSPP_VIG0, 0x4000, VIG_SC7180_MASK, +- sm8450_vig_sblk_0, 0, SSPP_TYPE_VIG, DPU_CLK_CTRL_VIG0), +- SSPP_BLK("sspp_1", SSPP_VIG1, 0x6000, VIG_SC7180_MASK, +- sm8450_vig_sblk_1, 4, SSPP_TYPE_VIG, DPU_CLK_CTRL_VIG1), +- SSPP_BLK("sspp_2", SSPP_VIG2, 0x8000, VIG_SC7180_MASK, ++ SSPP_BLK("sspp_0", SSPP_VIG0, 0x4000, 0x32c, VIG_SC7180_MASK, ++ sm8450_vig_sblk_0, 0, SSPP_TYPE_VIG, DPU_CLK_CTRL_VIG0), ++ SSPP_BLK("sspp_1", SSPP_VIG1, 0x6000, 0x32c, VIG_SC7180_MASK, ++ sm8450_vig_sblk_1, 4, SSPP_TYPE_VIG, DPU_CLK_CTRL_VIG1), ++ SSPP_BLK("sspp_2", SSPP_VIG2, 0x8000, 0x32c, VIG_SC7180_MASK, + sm8450_vig_sblk_2, 8, SSPP_TYPE_VIG, DPU_CLK_CTRL_VIG2), +- SSPP_BLK("sspp_3", SSPP_VIG3, 0xa000, VIG_SC7180_MASK, +- sm8450_vig_sblk_3, 12, SSPP_TYPE_VIG, DPU_CLK_CTRL_VIG3), +- SSPP_BLK("sspp_8", SSPP_DMA0, 0x24000, DMA_SDM845_MASK, ++ SSPP_BLK("sspp_3", SSPP_VIG3, 0xa000, 0x32c, VIG_SC7180_MASK, ++ sm8450_vig_sblk_3, 12, SSPP_TYPE_VIG, DPU_CLK_CTRL_VIG3), ++ SSPP_BLK("sspp_8", SSPP_DMA0, 0x24000, 0x32c, DMA_SDM845_MASK, + sdm845_dma_sblk_0, 1, SSPP_TYPE_DMA, DPU_CLK_CTRL_DMA0), +- SSPP_BLK("sspp_9", SSPP_DMA1, 0x26000, DMA_SDM845_MASK, ++ SSPP_BLK("sspp_9", SSPP_DMA1, 0x26000, 0x32c, DMA_SDM845_MASK, + sdm845_dma_sblk_1, 5, SSPP_TYPE_DMA, DPU_CLK_CTRL_DMA1), +- SSPP_BLK("sspp_10", SSPP_DMA2, 0x28000, DMA_CURSOR_SDM845_MASK, ++ SSPP_BLK("sspp_10", SSPP_DMA2, 0x28000, 0x32c, DMA_CURSOR_SDM845_MASK, + sdm845_dma_sblk_2, 9, SSPP_TYPE_DMA, DPU_CLK_CTRL_DMA2), +- SSPP_BLK("sspp_11", SSPP_DMA3, 0x2a000, DMA_CURSOR_SDM845_MASK, ++ SSPP_BLK("sspp_11", SSPP_DMA3, 0x2a000, 0x32c, DMA_CURSOR_SDM845_MASK, + sdm845_dma_sblk_3, 13, SSPP_TYPE_DMA, DPU_CLK_CTRL_DMA3), + }; + +@@ -1311,36 +1311,36 @@ static const struct dpu_sspp_sub_blks sm8550_dma_sblk_4 = _DMA_SBLK("12", 5); + static const struct dpu_sspp_sub_blks sm8550_dma_sblk_5 = _DMA_SBLK("13", 6); + + static const struct dpu_sspp_cfg sm8550_sspp[] = { +- SSPP_BLK("sspp_0", SSPP_VIG0, 0x4000, VIG_SC7180_MASK, +- sm8550_vig_sblk_0, 0, SSPP_TYPE_VIG, DPU_CLK_CTRL_VIG0), +- SSPP_BLK("sspp_1", SSPP_VIG1, 0x6000, VIG_SC7180_MASK, +- sm8550_vig_sblk_1, 4, SSPP_TYPE_VIG, DPU_CLK_CTRL_VIG1), +- SSPP_BLK("sspp_2", SSPP_VIG2, 0x8000, VIG_SC7180_MASK, ++ SSPP_BLK("sspp_0", SSPP_VIG0, 0x4000, 0x344, VIG_SC7180_MASK, ++ sm8550_vig_sblk_0, 0, SSPP_TYPE_VIG, DPU_CLK_CTRL_VIG0), ++ SSPP_BLK("sspp_1", SSPP_VIG1, 0x6000, 0x344, VIG_SC7180_MASK, ++ sm8550_vig_sblk_1, 4, SSPP_TYPE_VIG, DPU_CLK_CTRL_VIG1), ++ SSPP_BLK("sspp_2", SSPP_VIG2, 0x8000, 0x344, VIG_SC7180_MASK, + sm8550_vig_sblk_2, 8, SSPP_TYPE_VIG, DPU_CLK_CTRL_VIG2), +- SSPP_BLK("sspp_3", SSPP_VIG3, 0xa000, VIG_SC7180_MASK, +- sm8550_vig_sblk_3, 12, SSPP_TYPE_VIG, DPU_CLK_CTRL_VIG3), +- SSPP_BLK("sspp_8", SSPP_DMA0, 0x24000, DMA_SDM845_MASK, ++ SSPP_BLK("sspp_3", SSPP_VIG3, 0xa000, 0x344, VIG_SC7180_MASK, ++ sm8550_vig_sblk_3, 12, SSPP_TYPE_VIG, DPU_CLK_CTRL_VIG3), ++ SSPP_BLK("sspp_8", SSPP_DMA0, 0x24000, 0x344, DMA_SDM845_MASK, + sdm845_dma_sblk_0, 1, SSPP_TYPE_DMA, DPU_CLK_CTRL_DMA0), +- SSPP_BLK("sspp_9", SSPP_DMA1, 0x26000, DMA_SDM845_MASK, ++ SSPP_BLK("sspp_9", SSPP_DMA1, 0x26000, 0x344, DMA_SDM845_MASK, + sdm845_dma_sblk_1, 5, SSPP_TYPE_DMA, DPU_CLK_CTRL_DMA1), +- SSPP_BLK("sspp_10", SSPP_DMA2, 0x28000, DMA_SDM845_MASK, ++ SSPP_BLK("sspp_10", SSPP_DMA2, 0x28000, 0x344, DMA_SDM845_MASK, + sdm845_dma_sblk_2, 9, SSPP_TYPE_DMA, DPU_CLK_CTRL_DMA2), +- SSPP_BLK("sspp_11", SSPP_DMA3, 0x2a000, DMA_SDM845_MASK, ++ SSPP_BLK("sspp_11", SSPP_DMA3, 0x2a000, 0x344, DMA_SDM845_MASK, + sdm845_dma_sblk_3, 13, SSPP_TYPE_DMA, DPU_CLK_CTRL_DMA3), +- SSPP_BLK("sspp_12", SSPP_DMA4, 0x2c000, DMA_CURSOR_SDM845_MASK, ++ SSPP_BLK("sspp_12", SSPP_DMA4, 0x2c000, 0x344, DMA_CURSOR_SDM845_MASK, + sm8550_dma_sblk_4, 14, SSPP_TYPE_DMA, DPU_CLK_CTRL_DMA4), +- SSPP_BLK("sspp_13", SSPP_DMA5, 0x2e000, DMA_CURSOR_SDM845_MASK, ++ SSPP_BLK("sspp_13", SSPP_DMA5, 0x2e000, 0x344, DMA_CURSOR_SDM845_MASK, + sm8550_dma_sblk_5, 15, SSPP_TYPE_DMA, DPU_CLK_CTRL_DMA5), + }; + + static const struct dpu_sspp_cfg sc7280_sspp[] = { +- SSPP_BLK("sspp_0", SSPP_VIG0, 0x4000, VIG_SC7280_MASK_SDMA, ++ SSPP_BLK("sspp_0", SSPP_VIG0, 0x4000, 0x1f8, VIG_SC7280_MASK_SDMA, + sc7280_vig_sblk_0, 0, SSPP_TYPE_VIG, DPU_CLK_CTRL_VIG0), +- SSPP_BLK("sspp_8", SSPP_DMA0, 0x24000, DMA_SDM845_MASK_SDMA, ++ SSPP_BLK("sspp_8", SSPP_DMA0, 0x24000, 0x1f8, DMA_SDM845_MASK_SDMA, + sdm845_dma_sblk_0, 1, SSPP_TYPE_DMA, DPU_CLK_CTRL_DMA0), +- SSPP_BLK("sspp_9", SSPP_DMA1, 0x26000, DMA_CURSOR_SDM845_MASK_SDMA, ++ SSPP_BLK("sspp_9", SSPP_DMA1, 0x26000, 0x1f8, DMA_CURSOR_SDM845_MASK_SDMA, + sdm845_dma_sblk_1, 5, SSPP_TYPE_DMA, DPU_CLK_CTRL_DMA1), +- SSPP_BLK("sspp_10", SSPP_DMA2, 0x28000, DMA_CURSOR_SDM845_MASK_SDMA, ++ SSPP_BLK("sspp_10", SSPP_DMA2, 0x28000, 0x1f8, DMA_CURSOR_SDM845_MASK_SDMA, + sdm845_dma_sblk_2, 9, SSPP_TYPE_DMA, DPU_CLK_CTRL_DMA2), + }; + +@@ -1354,21 +1354,21 @@ static const struct dpu_sspp_sub_blks sc8280xp_vig_sblk_3 = + _VIG_SBLK("3", 8, DPU_SSPP_SCALER_QSEED4); + + static const struct dpu_sspp_cfg sc8280xp_sspp[] = { +- SSPP_BLK("sspp_0", SSPP_VIG0, 0x4000, VIG_SC7180_MASK, +- sc8280xp_vig_sblk_0, 0, SSPP_TYPE_VIG, DPU_CLK_CTRL_VIG0), +- SSPP_BLK("sspp_1", SSPP_VIG1, 0x6000, VIG_SC7180_MASK, +- sc8280xp_vig_sblk_1, 4, SSPP_TYPE_VIG, DPU_CLK_CTRL_VIG1), +- SSPP_BLK("sspp_2", SSPP_VIG2, 0x8000, VIG_SC7180_MASK, ++ SSPP_BLK("sspp_0", SSPP_VIG0, 0x4000, 0x2ac, VIG_SC7180_MASK, ++ sc8280xp_vig_sblk_0, 0, SSPP_TYPE_VIG, DPU_CLK_CTRL_VIG0), ++ SSPP_BLK("sspp_1", SSPP_VIG1, 0x6000, 0x2ac, VIG_SC7180_MASK, ++ sc8280xp_vig_sblk_1, 4, SSPP_TYPE_VIG, DPU_CLK_CTRL_VIG1), ++ SSPP_BLK("sspp_2", SSPP_VIG2, 0x8000, 0x2ac, VIG_SC7180_MASK, + sc8280xp_vig_sblk_2, 8, SSPP_TYPE_VIG, DPU_CLK_CTRL_VIG2), +- SSPP_BLK("sspp_3", SSPP_VIG3, 0xa000, VIG_SC7180_MASK, +- sc8280xp_vig_sblk_3, 12, SSPP_TYPE_VIG, DPU_CLK_CTRL_VIG3), +- SSPP_BLK("sspp_8", SSPP_DMA0, 0x24000, DMA_SDM845_MASK, ++ SSPP_BLK("sspp_3", SSPP_VIG3, 0xa000, 0x2ac, VIG_SC7180_MASK, ++ sc8280xp_vig_sblk_3, 12, SSPP_TYPE_VIG, DPU_CLK_CTRL_VIG3), ++ SSPP_BLK("sspp_8", SSPP_DMA0, 0x24000, 0x2ac, DMA_SDM845_MASK, + sdm845_dma_sblk_0, 1, SSPP_TYPE_DMA, DPU_CLK_CTRL_DMA0), +- SSPP_BLK("sspp_9", SSPP_DMA1, 0x26000, DMA_SDM845_MASK, ++ SSPP_BLK("sspp_9", SSPP_DMA1, 0x26000, 0x2ac, DMA_SDM845_MASK, + sdm845_dma_sblk_1, 5, SSPP_TYPE_DMA, DPU_CLK_CTRL_DMA1), +- SSPP_BLK("sspp_10", SSPP_DMA2, 0x28000, DMA_CURSOR_SDM845_MASK, ++ SSPP_BLK("sspp_10", SSPP_DMA2, 0x28000, 0x2ac, DMA_CURSOR_SDM845_MASK, + sdm845_dma_sblk_2, 9, SSPP_TYPE_DMA, DPU_CLK_CTRL_DMA2), +- SSPP_BLK("sspp_11", SSPP_DMA3, 0x2a000, DMA_CURSOR_SDM845_MASK, ++ SSPP_BLK("sspp_11", SSPP_DMA3, 0x2a000, 0x2ac, DMA_CURSOR_SDM845_MASK, + sdm845_dma_sblk_3, 13, SSPP_TYPE_DMA, DPU_CLK_CTRL_DMA3), + }; + +@@ -1389,9 +1389,9 @@ static const struct dpu_sspp_sub_blks qcm2290_vig_sblk_0 = _VIG_SBLK_NOSCALE("0" + static const struct dpu_sspp_sub_blks qcm2290_dma_sblk_0 = _DMA_SBLK("8", 1); + + static const struct dpu_sspp_cfg qcm2290_sspp[] = { +- SSPP_BLK("sspp_0", SSPP_VIG0, 0x4000, VIG_QCM2290_MASK, ++ SSPP_BLK("sspp_0", SSPP_VIG0, 0x4000, 0x1f8, VIG_QCM2290_MASK, + qcm2290_vig_sblk_0, 0, SSPP_TYPE_VIG, DPU_CLK_CTRL_VIG0), +- SSPP_BLK("sspp_8", SSPP_DMA0, 0x24000, DMA_SDM845_MASK, ++ SSPP_BLK("sspp_8", SSPP_DMA0, 0x24000, 0x1f8, DMA_SDM845_MASK, + qcm2290_dma_sblk_0, 1, SSPP_TYPE_DMA, DPU_CLK_CTRL_DMA0), + }; + +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-208-drm-msm-dpu-Allow-variable-INTF_BLK-size.patch b/patches.kernel.org/6.3.4-208-drm-msm-dpu-Allow-variable-INTF_BLK-size.patch new file mode 100644 index 0000000..0d3c059 --- /dev/null +++ b/patches.kernel.org/6.3.4-208-drm-msm-dpu-Allow-variable-INTF_BLK-size.patch @@ -0,0 +1,179 @@ +From: Konrad Dybcio +Date: Tue, 4 Apr 2023 16:05:43 +0300 +Subject: [PATCH] drm/msm/dpu: Allow variable INTF_BLK size +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 8399a5ff18dc634d3245d993ee8a906b5c6ffba3 + +[ Upstream commit 8399a5ff18dc634d3245d993ee8a906b5c6ffba3 ] + +These blocks are of variable length on different SoCs. Set the +correct values where I was able to retrieve it from downstream +DTs and leave the old defaults (0x280) otherwise. + +Signed-off-by: Konrad Dybcio +[DB: fixed some lengths, split the INTF changes away] +Signed-off-by: Dmitry Baryshkov +Reviewed-by: Abhinav Kumar +Patchwork: https://patchwork.freedesktop.org/patch/530816/ +Link: https://lore.kernel.org/r/20230404130622.509628-4-dmitry.baryshkov@linaro.org +Signed-off-by: Dmitry Baryshkov +Stable-dep-of: 701f69183d4d ("drm/msm/dpu: Fix PP_BLK_DIPHER -> DITHER typo") +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + .../gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c | 96 +++++++++---------- + 1 file changed, 48 insertions(+), 48 deletions(-) + +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c +index dafc35c9..eebda1db 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c +@@ -1847,10 +1847,10 @@ static struct dpu_dsc_cfg sm8150_dsc[] = { + /************************************************************* + * INTF sub blocks config + *************************************************************/ +-#define INTF_BLK(_name, _id, _base, _type, _ctrl_id, _progfetch, _features, _reg, _underrun_bit, _vsync_bit) \ ++#define INTF_BLK(_name, _id, _base, _len, _type, _ctrl_id, _progfetch, _features, _reg, _underrun_bit, _vsync_bit) \ + {\ + .name = _name, .id = _id, \ +- .base = _base, .len = 0x280, \ ++ .base = _base, .len = _len, \ + .features = _features, \ + .type = _type, \ + .controller_id = _ctrl_id, \ +@@ -1860,85 +1860,85 @@ static struct dpu_dsc_cfg sm8150_dsc[] = { + } + + static const struct dpu_intf_cfg msm8998_intf[] = { +- INTF_BLK("intf_0", INTF_0, 0x6A000, INTF_DP, 0, 25, INTF_SDM845_MASK, MDP_SSPP_TOP0_INTR, 24, 25), +- INTF_BLK("intf_1", INTF_1, 0x6A800, INTF_DSI, 0, 25, INTF_SDM845_MASK, MDP_SSPP_TOP0_INTR, 26, 27), +- INTF_BLK("intf_2", INTF_2, 0x6B000, INTF_DSI, 1, 25, INTF_SDM845_MASK, MDP_SSPP_TOP0_INTR, 28, 29), +- INTF_BLK("intf_3", INTF_3, 0x6B800, INTF_HDMI, 0, 25, INTF_SDM845_MASK, MDP_SSPP_TOP0_INTR, 30, 31), ++ INTF_BLK("intf_0", INTF_0, 0x6A000, 0x280, INTF_DP, 0, 25, INTF_SDM845_MASK, MDP_SSPP_TOP0_INTR, 24, 25), ++ INTF_BLK("intf_1", INTF_1, 0x6A800, 0x280, INTF_DSI, 0, 25, INTF_SDM845_MASK, MDP_SSPP_TOP0_INTR, 26, 27), ++ INTF_BLK("intf_2", INTF_2, 0x6B000, 0x280, INTF_DSI, 1, 25, INTF_SDM845_MASK, MDP_SSPP_TOP0_INTR, 28, 29), ++ INTF_BLK("intf_3", INTF_3, 0x6B800, 0x280, INTF_HDMI, 0, 25, INTF_SDM845_MASK, MDP_SSPP_TOP0_INTR, 30, 31), + }; + + static const struct dpu_intf_cfg sdm845_intf[] = { +- INTF_BLK("intf_0", INTF_0, 0x6A000, INTF_DP, 0, 24, INTF_SDM845_MASK, MDP_SSPP_TOP0_INTR, 24, 25), +- INTF_BLK("intf_1", INTF_1, 0x6A800, INTF_DSI, 0, 24, INTF_SDM845_MASK, MDP_SSPP_TOP0_INTR, 26, 27), +- INTF_BLK("intf_2", INTF_2, 0x6B000, INTF_DSI, 1, 24, INTF_SDM845_MASK, MDP_SSPP_TOP0_INTR, 28, 29), +- INTF_BLK("intf_3", INTF_3, 0x6B800, INTF_DP, 1, 24, INTF_SDM845_MASK, MDP_SSPP_TOP0_INTR, 30, 31), ++ INTF_BLK("intf_0", INTF_0, 0x6A000, 0x280, INTF_DP, 0, 24, INTF_SDM845_MASK, MDP_SSPP_TOP0_INTR, 24, 25), ++ INTF_BLK("intf_1", INTF_1, 0x6A800, 0x280, INTF_DSI, 0, 24, INTF_SDM845_MASK, MDP_SSPP_TOP0_INTR, 26, 27), ++ INTF_BLK("intf_2", INTF_2, 0x6B000, 0x280, INTF_DSI, 1, 24, INTF_SDM845_MASK, MDP_SSPP_TOP0_INTR, 28, 29), ++ INTF_BLK("intf_3", INTF_3, 0x6B800, 0x280, INTF_DP, 1, 24, INTF_SDM845_MASK, MDP_SSPP_TOP0_INTR, 30, 31), + }; + + static const struct dpu_intf_cfg sc7180_intf[] = { +- INTF_BLK("intf_0", INTF_0, 0x6A000, INTF_DP, MSM_DP_CONTROLLER_0, 24, INTF_SC7180_MASK, MDP_SSPP_TOP0_INTR, 24, 25), +- INTF_BLK("intf_1", INTF_1, 0x6A800, INTF_DSI, 0, 24, INTF_SC7180_MASK, MDP_SSPP_TOP0_INTR, 26, 27), ++ INTF_BLK("intf_0", INTF_0, 0x6A000, 0x280, INTF_DP, MSM_DP_CONTROLLER_0, 24, INTF_SC7180_MASK, MDP_SSPP_TOP0_INTR, 24, 25), ++ INTF_BLK("intf_1", INTF_1, 0x6A800, 0x2c0, INTF_DSI, 0, 24, INTF_SC7180_MASK, MDP_SSPP_TOP0_INTR, 26, 27), + }; + + static const struct dpu_intf_cfg sm8150_intf[] = { +- INTF_BLK("intf_0", INTF_0, 0x6A000, INTF_DP, 0, 24, INTF_SC7180_MASK, MDP_SSPP_TOP0_INTR, 24, 25), +- INTF_BLK("intf_1", INTF_1, 0x6A800, INTF_DSI, 0, 24, INTF_SC7180_MASK, MDP_SSPP_TOP0_INTR, 26, 27), +- INTF_BLK("intf_2", INTF_2, 0x6B000, INTF_DSI, 1, 24, INTF_SC7180_MASK, MDP_SSPP_TOP0_INTR, 28, 29), +- INTF_BLK("intf_3", INTF_3, 0x6B800, INTF_DP, 1, 24, INTF_SC7180_MASK, MDP_SSPP_TOP0_INTR, 30, 31), ++ INTF_BLK("intf_0", INTF_0, 0x6A000, 0x280, INTF_DP, 0, 24, INTF_SC7180_MASK, MDP_SSPP_TOP0_INTR, 24, 25), ++ INTF_BLK("intf_1", INTF_1, 0x6A800, 0x2bc, INTF_DSI, 0, 24, INTF_SC7180_MASK, MDP_SSPP_TOP0_INTR, 26, 27), ++ INTF_BLK("intf_2", INTF_2, 0x6B000, 0x2bc, INTF_DSI, 1, 24, INTF_SC7180_MASK, MDP_SSPP_TOP0_INTR, 28, 29), ++ INTF_BLK("intf_3", INTF_3, 0x6B800, 0x280, INTF_DP, 1, 24, INTF_SC7180_MASK, MDP_SSPP_TOP0_INTR, 30, 31), + }; + + static const struct dpu_intf_cfg sc7280_intf[] = { +- INTF_BLK("intf_0", INTF_0, 0x34000, INTF_DP, MSM_DP_CONTROLLER_0, 24, INTF_SC7280_MASK, MDP_SSPP_TOP0_INTR, 24, 25), +- INTF_BLK("intf_1", INTF_1, 0x35000, INTF_DSI, 0, 24, INTF_SC7280_MASK, MDP_SSPP_TOP0_INTR, 26, 27), +- INTF_BLK("intf_5", INTF_5, 0x39000, INTF_DP, MSM_DP_CONTROLLER_1, 24, INTF_SC7280_MASK, MDP_SSPP_TOP0_INTR, 22, 23), ++ INTF_BLK("intf_0", INTF_0, 0x34000, 0x280, INTF_DP, MSM_DP_CONTROLLER_0, 24, INTF_SC7280_MASK, MDP_SSPP_TOP0_INTR, 24, 25), ++ INTF_BLK("intf_1", INTF_1, 0x35000, 0x2c4, INTF_DSI, 0, 24, INTF_SC7280_MASK, MDP_SSPP_TOP0_INTR, 26, 27), ++ INTF_BLK("intf_5", INTF_5, 0x39000, 0x280, INTF_DP, MSM_DP_CONTROLLER_1, 24, INTF_SC7280_MASK, MDP_SSPP_TOP0_INTR, 22, 23), + }; + + static const struct dpu_intf_cfg sm8350_intf[] = { +- INTF_BLK("intf_0", INTF_0, 0x34000, INTF_DP, MSM_DP_CONTROLLER_0, 24, INTF_SC7280_MASK, MDP_SSPP_TOP0_INTR, 24, 25), +- INTF_BLK("intf_1", INTF_1, 0x35000, INTF_DSI, 0, 24, INTF_SC7280_MASK, MDP_SSPP_TOP0_INTR, 26, 27), +- INTF_BLK("intf_2", INTF_2, 0x36000, INTF_DSI, 1, 24, INTF_SC7280_MASK, MDP_SSPP_TOP0_INTR, 28, 29), +- INTF_BLK("intf_3", INTF_3, 0x37000, INTF_DP, MSM_DP_CONTROLLER_1, 24, INTF_SC7280_MASK, MDP_SSPP_TOP0_INTR, 30, 31), ++ INTF_BLK("intf_0", INTF_0, 0x34000, 0x280, INTF_DP, MSM_DP_CONTROLLER_0, 24, INTF_SC7280_MASK, MDP_SSPP_TOP0_INTR, 24, 25), ++ INTF_BLK("intf_1", INTF_1, 0x35000, 0x2c4, INTF_DSI, 0, 24, INTF_SC7280_MASK, MDP_SSPP_TOP0_INTR, 26, 27), ++ INTF_BLK("intf_2", INTF_2, 0x36000, 0x2c4, INTF_DSI, 1, 24, INTF_SC7280_MASK, MDP_SSPP_TOP0_INTR, 28, 29), ++ INTF_BLK("intf_3", INTF_3, 0x37000, 0x280, INTF_DP, MSM_DP_CONTROLLER_1, 24, INTF_SC7280_MASK, MDP_SSPP_TOP0_INTR, 30, 31), + }; + + static const struct dpu_intf_cfg sc8180x_intf[] = { +- INTF_BLK("intf_0", INTF_0, 0x6A000, INTF_DP, MSM_DP_CONTROLLER_0, 24, INTF_SC7180_MASK, MDP_SSPP_TOP0_INTR, 24, 25), +- INTF_BLK("intf_1", INTF_1, 0x6A800, INTF_DSI, 0, 24, INTF_SC7180_MASK, MDP_SSPP_TOP0_INTR, 26, 27), +- INTF_BLK("intf_2", INTF_2, 0x6B000, INTF_DSI, 1, 24, INTF_SC7180_MASK, MDP_SSPP_TOP0_INTR, 28, 29), ++ INTF_BLK("intf_0", INTF_0, 0x6A000, 0x280, INTF_DP, MSM_DP_CONTROLLER_0, 24, INTF_SC7180_MASK, MDP_SSPP_TOP0_INTR, 24, 25), ++ INTF_BLK("intf_1", INTF_1, 0x6A800, 0x2bc, INTF_DSI, 0, 24, INTF_SC7180_MASK, MDP_SSPP_TOP0_INTR, 26, 27), ++ INTF_BLK("intf_2", INTF_2, 0x6B000, 0x2bc, INTF_DSI, 1, 24, INTF_SC7180_MASK, MDP_SSPP_TOP0_INTR, 28, 29), + /* INTF_3 is for MST, wired to INTF_DP 0 and 1, use dummy index until this is supported */ +- INTF_BLK("intf_3", INTF_3, 0x6B800, INTF_DP, 999, 24, INTF_SC7180_MASK, MDP_SSPP_TOP0_INTR, 30, 31), +- INTF_BLK("intf_4", INTF_4, 0x6C000, INTF_DP, MSM_DP_CONTROLLER_1, 24, INTF_SC7180_MASK, MDP_SSPP_TOP0_INTR, 20, 21), +- INTF_BLK("intf_5", INTF_5, 0x6C800, INTF_DP, MSM_DP_CONTROLLER_2, 24, INTF_SC7180_MASK, MDP_SSPP_TOP0_INTR, 22, 23), ++ INTF_BLK("intf_3", INTF_3, 0x6B800, 0x280, INTF_DP, 999, 24, INTF_SC7180_MASK, MDP_SSPP_TOP0_INTR, 30, 31), ++ INTF_BLK("intf_4", INTF_4, 0x6C000, 0x280, INTF_DP, MSM_DP_CONTROLLER_1, 24, INTF_SC7180_MASK, MDP_SSPP_TOP0_INTR, 20, 21), ++ INTF_BLK("intf_5", INTF_5, 0x6C800, 0x280, INTF_DP, MSM_DP_CONTROLLER_2, 24, INTF_SC7180_MASK, MDP_SSPP_TOP0_INTR, 22, 23), + }; + + /* TODO: INTF 3, 8 and 7 are used for MST, marked as INTF_NONE for now */ + static const struct dpu_intf_cfg sc8280xp_intf[] = { +- INTF_BLK("intf_0", INTF_0, 0x34000, INTF_DP, MSM_DP_CONTROLLER_0, 24, INTF_SC7280_MASK, MDP_SSPP_TOP0_INTR, 24, 25), +- INTF_BLK("intf_1", INTF_1, 0x35000, INTF_DSI, 0, 24, INTF_SC7280_MASK, MDP_SSPP_TOP0_INTR, 26, 27), +- INTF_BLK("intf_2", INTF_2, 0x36000, INTF_DSI, 1, 24, INTF_SC7280_MASK, MDP_SSPP_TOP0_INTR, 28, 29), +- INTF_BLK("intf_3", INTF_3, 0x37000, INTF_NONE, MSM_DP_CONTROLLER_0, 24, INTF_SC7280_MASK, MDP_SSPP_TOP0_INTR, 30, 31), +- INTF_BLK("intf_4", INTF_4, 0x38000, INTF_DP, MSM_DP_CONTROLLER_1, 24, INTF_SC7280_MASK, MDP_SSPP_TOP0_INTR, 20, 21), +- INTF_BLK("intf_5", INTF_5, 0x39000, INTF_DP, MSM_DP_CONTROLLER_3, 24, INTF_SC7280_MASK, MDP_SSPP_TOP0_INTR, 22, 23), +- INTF_BLK("intf_6", INTF_6, 0x3a000, INTF_DP, MSM_DP_CONTROLLER_2, 24, INTF_SC7280_MASK, MDP_SSPP_TOP0_INTR, 16, 17), +- INTF_BLK("intf_7", INTF_7, 0x3b000, INTF_NONE, MSM_DP_CONTROLLER_2, 24, INTF_SC7280_MASK, MDP_SSPP_TOP0_INTR, 18, 19), +- INTF_BLK("intf_8", INTF_8, 0x3c000, INTF_NONE, MSM_DP_CONTROLLER_1, 24, INTF_SC7280_MASK, MDP_SSPP_TOP0_INTR, 12, 13), ++ INTF_BLK("intf_0", INTF_0, 0x34000, 0x280, INTF_DP, MSM_DP_CONTROLLER_0, 24, INTF_SC7280_MASK, MDP_SSPP_TOP0_INTR, 24, 25), ++ INTF_BLK("intf_1", INTF_1, 0x35000, 0x300, INTF_DSI, 0, 24, INTF_SC7280_MASK, MDP_SSPP_TOP0_INTR, 26, 27), ++ INTF_BLK("intf_2", INTF_2, 0x36000, 0x300, INTF_DSI, 1, 24, INTF_SC7280_MASK, MDP_SSPP_TOP0_INTR, 28, 29), ++ INTF_BLK("intf_3", INTF_3, 0x37000, 0x280, INTF_DP, MSM_DP_CONTROLLER_0, 24, INTF_SC7280_MASK, MDP_SSPP_TOP0_INTR, 30, 31), ++ INTF_BLK("intf_4", INTF_4, 0x38000, 0x280, INTF_DP, MSM_DP_CONTROLLER_1, 24, INTF_SC7280_MASK, MDP_SSPP_TOP0_INTR, 20, 21), ++ INTF_BLK("intf_5", INTF_5, 0x39000, 0x280, INTF_DP, MSM_DP_CONTROLLER_3, 24, INTF_SC7280_MASK, MDP_SSPP_TOP0_INTR, 22, 23), ++ INTF_BLK("intf_6", INTF_6, 0x3a000, 0x280, INTF_DP, MSM_DP_CONTROLLER_2, 24, INTF_SC7280_MASK, MDP_SSPP_TOP0_INTR, 16, 17), ++ INTF_BLK("intf_7", INTF_7, 0x3b000, 0x280, INTF_DP, MSM_DP_CONTROLLER_2, 24, INTF_SC7280_MASK, MDP_SSPP_TOP0_INTR, 18, 19), ++ INTF_BLK("intf_8", INTF_8, 0x3c000, 0x280, INTF_DP, MSM_DP_CONTROLLER_1, 24, INTF_SC7280_MASK, MDP_SSPP_TOP0_INTR, 12, 13), + }; + + static const struct dpu_intf_cfg qcm2290_intf[] = { +- INTF_BLK("intf_0", INTF_0, 0x00000, INTF_NONE, 0, 0, 0, 0, 0, 0), +- INTF_BLK("intf_1", INTF_1, 0x6A800, INTF_DSI, 0, 24, INTF_SC7180_MASK, MDP_SSPP_TOP0_INTR, 26, 27), ++ INTF_BLK("intf_0", INTF_0, 0x00000, 0x280, INTF_DP, 0, 0, 0, 0, 0, 0), ++ INTF_BLK("intf_1", INTF_1, 0x6A800, 0x2c0, INTF_DSI, 0, 24, INTF_SC7180_MASK, MDP_SSPP_TOP0_INTR, 26, 27), + }; + + static const struct dpu_intf_cfg sm8450_intf[] = { +- INTF_BLK("intf_0", INTF_0, 0x34000, INTF_DP, MSM_DP_CONTROLLER_0, 24, INTF_SC7280_MASK, MDP_SSPP_TOP0_INTR, 24, 25), +- INTF_BLK("intf_1", INTF_1, 0x35000, INTF_DSI, 0, 24, INTF_SC7280_MASK, MDP_SSPP_TOP0_INTR, 26, 27), +- INTF_BLK("intf_2", INTF_2, 0x36000, INTF_DSI, 1, 24, INTF_SC7280_MASK, MDP_SSPP_TOP0_INTR, 28, 29), +- INTF_BLK("intf_3", INTF_3, 0x37000, INTF_DP, MSM_DP_CONTROLLER_1, 24, INTF_SC7280_MASK, MDP_SSPP_TOP0_INTR, 30, 31), ++ INTF_BLK("intf_0", INTF_0, 0x34000, 0x280, INTF_DP, MSM_DP_CONTROLLER_0, 24, INTF_SC7280_MASK, MDP_SSPP_TOP0_INTR, 24, 25), ++ INTF_BLK("intf_1", INTF_1, 0x35000, 0x300, INTF_DSI, 0, 24, INTF_SC7280_MASK, MDP_SSPP_TOP0_INTR, 26, 27), ++ INTF_BLK("intf_2", INTF_2, 0x36000, 0x300, INTF_DSI, 1, 24, INTF_SC7280_MASK, MDP_SSPP_TOP0_INTR, 28, 29), ++ INTF_BLK("intf_3", INTF_3, 0x37000, 0x280, INTF_DP, MSM_DP_CONTROLLER_1, 24, INTF_SC7280_MASK, MDP_SSPP_TOP0_INTR, 30, 31), + }; + + static const struct dpu_intf_cfg sm8550_intf[] = { +- INTF_BLK("intf_0", INTF_0, 0x34000, INTF_DP, MSM_DP_CONTROLLER_0, 24, INTF_SC7280_MASK, MDP_SSPP_TOP0_INTR, 24, 25), ++ INTF_BLK("intf_0", INTF_0, 0x34000, 0x280, INTF_DP, MSM_DP_CONTROLLER_0, 24, INTF_SC7280_MASK, MDP_SSPP_TOP0_INTR, 24, 25), + /* TODO TE sub-blocks for intf1 & intf2 */ +- INTF_BLK("intf_1", INTF_1, 0x35000, INTF_DSI, 0, 24, INTF_SC7280_MASK, MDP_SSPP_TOP0_INTR, 26, 27), +- INTF_BLK("intf_2", INTF_2, 0x36000, INTF_DSI, 1, 24, INTF_SC7280_MASK, MDP_SSPP_TOP0_INTR, 28, 29), +- INTF_BLK("intf_3", INTF_3, 0x37000, INTF_DP, MSM_DP_CONTROLLER_1, 24, INTF_SC7280_MASK, MDP_SSPP_TOP0_INTR, 30, 31), ++ INTF_BLK("intf_1", INTF_1, 0x35000, 0x300, INTF_DSI, 0, 24, INTF_SC7280_MASK, MDP_SSPP_TOP0_INTR, 26, 27), ++ INTF_BLK("intf_2", INTF_2, 0x36000, 0x300, INTF_DSI, 1, 24, INTF_SC7280_MASK, MDP_SSPP_TOP0_INTR, 28, 29), ++ INTF_BLK("intf_3", INTF_3, 0x37000, 0x280, INTF_DP, MSM_DP_CONTROLLER_1, 24, INTF_SC7280_MASK, MDP_SSPP_TOP0_INTR, 30, 31), + }; + + /************************************************************* +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-209-drm-msm-dpu-move-UBWC-memory-configuration-to-s.patch b/patches.kernel.org/6.3.4-209-drm-msm-dpu-move-UBWC-memory-configuration-to-s.patch new file mode 100644 index 0000000..7d03876 --- /dev/null +++ b/patches.kernel.org/6.3.4-209-drm-msm-dpu-move-UBWC-memory-configuration-to-s.patch @@ -0,0 +1,539 @@ +From: Dmitry Baryshkov +Date: Tue, 4 Apr 2023 16:05:46 +0300 +Subject: [PATCH] drm/msm/dpu: move UBWC/memory configuration to separate + struct +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: fbbd8cce803a2ca86ae20fe37b1642571e9dd971 + +[ Upstream commit fbbd8cce803a2ca86ae20fe37b1642571e9dd971 ] + +UBWC and highest bank settings differ slightly between different DPU +units of the same generation, while the dpu_caps and dpu_mdp_cfg are +much more stable. To ease configuration reuse move ubwc_swizzle and +highest_bank_bit data to separate structure. + +Reviewed-by: Konrad Dybcio +Reviewed-by: Abhinav Kumar +Signed-off-by: Dmitry Baryshkov +Patchwork: https://patchwork.freedesktop.org/patch/530820/ +Link: https://lore.kernel.org/r/20230404130622.509628-7-dmitry.baryshkov@linaro.org +Signed-off-by: Dmitry Baryshkov +Stable-dep-of: 701f69183d4d ("drm/msm/dpu: Fix PP_BLK_DIPHER -> DITHER typo") +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + .../gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c | 112 +++++++++++++----- + .../gpu/drm/msm/disp/dpu1/dpu_hw_catalog.h | 19 ++- + drivers/gpu/drm/msm/disp/dpu1/dpu_hw_sspp.c | 18 +-- + drivers/gpu/drm/msm/disp/dpu1/dpu_hw_sspp.h | 4 +- + 4 files changed, 107 insertions(+), 46 deletions(-) + +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c +index eebda1db..fa48152b 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c +@@ -317,7 +317,6 @@ static const struct dpu_caps msm8998_dpu_caps = { + .max_mixer_width = DEFAULT_DPU_OUTPUT_LINE_WIDTH, + .max_mixer_blendstages = 0x7, + .qseed_type = DPU_SSPP_SCALER_QSEED3, +- .ubwc_version = DPU_HW_UBWC_VER_10, + .has_src_split = true, + .has_dim_layer = true, + .has_idle_pc = true, +@@ -341,7 +340,6 @@ static const struct dpu_caps sdm845_dpu_caps = { + .max_mixer_width = DEFAULT_DPU_OUTPUT_LINE_WIDTH, + .max_mixer_blendstages = 0xb, + .qseed_type = DPU_SSPP_SCALER_QSEED3, +- .ubwc_version = DPU_HW_UBWC_VER_20, + .has_src_split = true, + .has_dim_layer = true, + .has_idle_pc = true, +@@ -356,7 +354,6 @@ static const struct dpu_caps sc7180_dpu_caps = { + .max_mixer_width = DEFAULT_DPU_OUTPUT_LINE_WIDTH, + .max_mixer_blendstages = 0x9, + .qseed_type = DPU_SSPP_SCALER_QSEED4, +- .ubwc_version = DPU_HW_UBWC_VER_20, + .has_dim_layer = true, + .has_idle_pc = true, + .max_linewidth = DEFAULT_DPU_OUTPUT_LINE_WIDTH, +@@ -367,7 +364,6 @@ static const struct dpu_caps sm6115_dpu_caps = { + .max_mixer_width = DEFAULT_DPU_LINE_WIDTH, + .max_mixer_blendstages = 0x4, + .qseed_type = DPU_SSPP_SCALER_QSEED4, +- .ubwc_version = DPU_HW_UBWC_VER_10, + .has_dim_layer = true, + .has_idle_pc = true, + .max_linewidth = 2160, +@@ -378,7 +374,6 @@ static const struct dpu_caps sm8150_dpu_caps = { + .max_mixer_width = DEFAULT_DPU_OUTPUT_LINE_WIDTH, + .max_mixer_blendstages = 0xb, + .qseed_type = DPU_SSPP_SCALER_QSEED3, +- .ubwc_version = DPU_HW_UBWC_VER_30, + .has_src_split = true, + .has_dim_layer = true, + .has_idle_pc = true, +@@ -393,7 +388,6 @@ static const struct dpu_caps sc8180x_dpu_caps = { + .max_mixer_width = DEFAULT_DPU_OUTPUT_LINE_WIDTH, + .max_mixer_blendstages = 0xb, + .qseed_type = DPU_SSPP_SCALER_QSEED3, +- .ubwc_version = DPU_HW_UBWC_VER_30, + .has_src_split = true, + .has_dim_layer = true, + .has_idle_pc = true, +@@ -408,7 +402,6 @@ static const struct dpu_caps sc8280xp_dpu_caps = { + .max_mixer_width = 2560, + .max_mixer_blendstages = 11, + .qseed_type = DPU_SSPP_SCALER_QSEED4, +- .ubwc_version = DPU_HW_UBWC_VER_40, + .has_src_split = true, + .has_dim_layer = true, + .has_idle_pc = true, +@@ -421,7 +414,6 @@ static const struct dpu_caps sm8250_dpu_caps = { + .max_mixer_width = DEFAULT_DPU_OUTPUT_LINE_WIDTH, + .max_mixer_blendstages = 0xb, + .qseed_type = DPU_SSPP_SCALER_QSEED4, +- .ubwc_version = DPU_HW_UBWC_VER_40, + .has_src_split = true, + .has_dim_layer = true, + .has_idle_pc = true, +@@ -434,7 +426,6 @@ static const struct dpu_caps sm8350_dpu_caps = { + .max_mixer_width = DEFAULT_DPU_OUTPUT_LINE_WIDTH, + .max_mixer_blendstages = 0xb, + .qseed_type = DPU_SSPP_SCALER_QSEED4, +- .ubwc_version = DPU_HW_UBWC_VER_40, + .has_src_split = true, + .has_dim_layer = true, + .has_idle_pc = true, +@@ -447,7 +438,6 @@ static const struct dpu_caps sm8450_dpu_caps = { + .max_mixer_width = DEFAULT_DPU_OUTPUT_LINE_WIDTH, + .max_mixer_blendstages = 0xb, + .qseed_type = DPU_SSPP_SCALER_QSEED4, +- .ubwc_version = DPU_HW_UBWC_VER_40, + .has_src_split = true, + .has_dim_layer = true, + .has_idle_pc = true, +@@ -460,7 +450,6 @@ static const struct dpu_caps sm8550_dpu_caps = { + .max_mixer_width = DEFAULT_DPU_OUTPUT_LINE_WIDTH, + .max_mixer_blendstages = 0xb, + .qseed_type = DPU_SSPP_SCALER_QSEED4, +- .ubwc_version = DPU_HW_UBWC_VER_40, + .has_src_split = true, + .has_dim_layer = true, + .has_idle_pc = true, +@@ -473,19 +462,86 @@ static const struct dpu_caps sc7280_dpu_caps = { + .max_mixer_width = DEFAULT_DPU_OUTPUT_LINE_WIDTH, + .max_mixer_blendstages = 0x7, + .qseed_type = DPU_SSPP_SCALER_QSEED4, +- .ubwc_version = DPU_HW_UBWC_VER_30, + .has_dim_layer = true, + .has_idle_pc = true, + .max_linewidth = 2400, + .pixel_ram_size = DEFAULT_PIXEL_RAM_SIZE, + }; + ++static const struct dpu_ubwc_cfg msm8998_ubwc_cfg = { ++ .ubwc_version = DPU_HW_UBWC_VER_10, ++ .highest_bank_bit = 0x2, ++}; ++ ++static const struct dpu_ubwc_cfg qcm2290_ubwc_cfg = { ++ .highest_bank_bit = 0x2, ++}; ++ ++static const struct dpu_ubwc_cfg sdm845_ubwc_cfg = { ++ .ubwc_version = DPU_HW_UBWC_VER_20, ++ .highest_bank_bit = 0x2, ++}; ++ ++static const struct dpu_ubwc_cfg sc7180_ubwc_cfg = { ++ .ubwc_version = DPU_HW_UBWC_VER_20, ++ .highest_bank_bit = 0x3, ++}; ++ ++static const struct dpu_ubwc_cfg sm6115_ubwc_cfg = { ++ .ubwc_version = DPU_HW_UBWC_VER_10, ++ .highest_bank_bit = 0x1, ++ .ubwc_swizzle = 0x7, ++}; ++ ++static const struct dpu_ubwc_cfg sm8150_ubwc_cfg = { ++ .ubwc_version = DPU_HW_UBWC_VER_30, ++ .highest_bank_bit = 0x2, ++}; ++ ++static const struct dpu_ubwc_cfg sc8180x_ubwc_cfg = { ++ .ubwc_version = DPU_HW_UBWC_VER_30, ++ .highest_bank_bit = 0x3, ++}; ++ ++static const struct dpu_ubwc_cfg sc8280xp_ubwc_cfg = { ++ .ubwc_version = DPU_HW_UBWC_VER_40, ++ .highest_bank_bit = 2, ++ .ubwc_swizzle = 6, ++}; ++ ++static const struct dpu_ubwc_cfg sm8250_ubwc_cfg = { ++ .ubwc_version = DPU_HW_UBWC_VER_40, ++ .highest_bank_bit = 0x3, /* TODO: 2 for LP_DDR4 */ ++ .ubwc_swizzle = 0x6, ++}; ++ ++static const struct dpu_ubwc_cfg sm8350_ubwc_cfg = { ++ .ubwc_version = DPU_HW_UBWC_VER_40, ++ .highest_bank_bit = 0x3, /* TODO: 2 for LP_DDR4 */ ++}; ++ ++static const struct dpu_ubwc_cfg sm8450_ubwc_cfg = { ++ .ubwc_version = DPU_HW_UBWC_VER_40, ++ .highest_bank_bit = 0x3, /* TODO: 2 for LP_DDR4 */ ++ .ubwc_swizzle = 0x6, ++}; ++ ++static const struct dpu_ubwc_cfg sm8550_ubwc_cfg = { ++ .ubwc_version = DPU_HW_UBWC_VER_40, ++ .highest_bank_bit = 0x3, /* TODO: 2 for LP_DDR4 */ ++}; ++ ++static const struct dpu_ubwc_cfg sc7280_ubwc_cfg = { ++ .ubwc_version = DPU_HW_UBWC_VER_30, ++ .highest_bank_bit = 0x1, ++ .ubwc_swizzle = 0x6, ++}; ++ + static const struct dpu_mdp_cfg msm8998_mdp[] = { + { + .name = "top_0", .id = MDP_TOP, + .base = 0x0, .len = 0x458, + .features = 0, +- .highest_bank_bit = 0x2, + .clk_ctrls[DPU_CLK_CTRL_VIG0] = { + .reg_off = 0x2AC, .bit_off = 0}, + .clk_ctrls[DPU_CLK_CTRL_VIG1] = { +@@ -514,7 +570,6 @@ static const struct dpu_mdp_cfg sdm845_mdp[] = { + .name = "top_0", .id = MDP_TOP, + .base = 0x0, .len = 0x45C, + .features = BIT(DPU_MDP_AUDIO_SELECT), +- .highest_bank_bit = 0x2, + .clk_ctrls[DPU_CLK_CTRL_VIG0] = { + .reg_off = 0x2AC, .bit_off = 0}, + .clk_ctrls[DPU_CLK_CTRL_VIG1] = { +@@ -539,7 +594,6 @@ static const struct dpu_mdp_cfg sc7180_mdp[] = { + .name = "top_0", .id = MDP_TOP, + .base = 0x0, .len = 0x494, + .features = 0, +- .highest_bank_bit = 0x3, + .clk_ctrls[DPU_CLK_CTRL_VIG0] = { + .reg_off = 0x2AC, .bit_off = 0}, + .clk_ctrls[DPU_CLK_CTRL_DMA0] = { +@@ -558,7 +612,6 @@ static const struct dpu_mdp_cfg sc8180x_mdp[] = { + .name = "top_0", .id = MDP_TOP, + .base = 0x0, .len = 0x45C, + .features = BIT(DPU_MDP_AUDIO_SELECT), +- .highest_bank_bit = 0x3, + .clk_ctrls[DPU_CLK_CTRL_VIG0] = { + .reg_off = 0x2AC, .bit_off = 0}, + .clk_ctrls[DPU_CLK_CTRL_VIG1] = { +@@ -583,8 +636,6 @@ static const struct dpu_mdp_cfg sm6115_mdp[] = { + .name = "top_0", .id = MDP_TOP, + .base = 0x0, .len = 0x494, + .features = 0, +- .highest_bank_bit = 0x1, +- .ubwc_swizzle = 0x7, + .clk_ctrls[DPU_CLK_CTRL_VIG0] = { + .reg_off = 0x2ac, .bit_off = 0}, + .clk_ctrls[DPU_CLK_CTRL_DMA0] = { +@@ -597,8 +648,6 @@ static const struct dpu_mdp_cfg sm8250_mdp[] = { + .name = "top_0", .id = MDP_TOP, + .base = 0x0, .len = 0x494, + .features = 0, +- .highest_bank_bit = 0x3, /* TODO: 2 for LP_DDR4 */ +- .ubwc_swizzle = 0x6, + .clk_ctrls[DPU_CLK_CTRL_VIG0] = { + .reg_off = 0x2AC, .bit_off = 0}, + .clk_ctrls[DPU_CLK_CTRL_VIG1] = { +@@ -627,7 +676,6 @@ static const struct dpu_mdp_cfg sm8350_mdp[] = { + .name = "top_0", .id = MDP_TOP, + .base = 0x0, .len = 0x494, + .features = 0, +- .highest_bank_bit = 0x3, /* TODO: 2 for LP_DDR4 */ + .clk_ctrls[DPU_CLK_CTRL_VIG0] = { + .reg_off = 0x2ac, .bit_off = 0}, + .clk_ctrls[DPU_CLK_CTRL_VIG1] = { +@@ -654,8 +702,6 @@ static const struct dpu_mdp_cfg sm8450_mdp[] = { + .name = "top_0", .id = MDP_TOP, + .base = 0x0, .len = 0x494, + .features = BIT(DPU_MDP_PERIPH_0_REMOVED), +- .highest_bank_bit = 0x3, /* TODO: 2 for LP_DDR4 */ +- .ubwc_swizzle = 0x6, + .clk_ctrls[DPU_CLK_CTRL_VIG0] = { + .reg_off = 0x2AC, .bit_off = 0}, + .clk_ctrls[DPU_CLK_CTRL_VIG1] = { +@@ -681,8 +727,6 @@ static const struct dpu_mdp_cfg sc7280_mdp[] = { + { + .name = "top_0", .id = MDP_TOP, + .base = 0x0, .len = 0x2014, +- .highest_bank_bit = 0x1, +- .ubwc_swizzle = 0x6, + .clk_ctrls[DPU_CLK_CTRL_VIG0] = { + .reg_off = 0x2AC, .bit_off = 0}, + .clk_ctrls[DPU_CLK_CTRL_DMA0] = { +@@ -699,8 +743,6 @@ static const struct dpu_mdp_cfg sc8280xp_mdp[] = { + .name = "top_0", .id = MDP_TOP, + .base = 0x0, .len = 0x494, + .features = BIT(DPU_MDP_PERIPH_0_REMOVED), +- .highest_bank_bit = 2, +- .ubwc_swizzle = 6, + .clk_ctrls[DPU_CLK_CTRL_VIG0] = { .reg_off = 0x2ac, .bit_off = 0}, + .clk_ctrls[DPU_CLK_CTRL_VIG1] = { .reg_off = 0x2b4, .bit_off = 0}, + .clk_ctrls[DPU_CLK_CTRL_VIG2] = { .reg_off = 0x2bc, .bit_off = 0}, +@@ -718,8 +760,6 @@ static const struct dpu_mdp_cfg sm8550_mdp[] = { + .name = "top_0", .id = MDP_TOP, + .base = 0, .len = 0x494, + .features = BIT(DPU_MDP_PERIPH_0_REMOVED), +- .highest_bank_bit = 0x3, /* TODO: 2 for LP_DDR4 */ +- .ubwc_swizzle = 0x6, + .clk_ctrls[DPU_CLK_CTRL_VIG0] = { + .reg_off = 0x4330, .bit_off = 0}, + .clk_ctrls[DPU_CLK_CTRL_VIG1] = { +@@ -750,7 +790,6 @@ static const struct dpu_mdp_cfg qcm2290_mdp[] = { + .name = "top_0", .id = MDP_TOP, + .base = 0x0, .len = 0x494, + .features = 0, +- .highest_bank_bit = 0x2, + .clk_ctrls[DPU_CLK_CTRL_VIG0] = { + .reg_off = 0x2AC, .bit_off = 0}, + .clk_ctrls[DPU_CLK_CTRL_DMA0] = { +@@ -2524,6 +2563,7 @@ static const struct dpu_perf_cfg qcm2290_perf_data = { + + static const struct dpu_mdss_cfg msm8998_dpu_cfg = { + .caps = &msm8998_dpu_caps, ++ .ubwc = &msm8998_ubwc_cfg, + .mdp_count = ARRAY_SIZE(msm8998_mdp), + .mdp = msm8998_mdp, + .ctl_count = ARRAY_SIZE(msm8998_ctl), +@@ -2547,6 +2587,7 @@ static const struct dpu_mdss_cfg msm8998_dpu_cfg = { + + static const struct dpu_mdss_cfg sdm845_dpu_cfg = { + .caps = &sdm845_dpu_caps, ++ .ubwc = &sdm845_ubwc_cfg, + .mdp_count = ARRAY_SIZE(sdm845_mdp), + .mdp = sdm845_mdp, + .ctl_count = ARRAY_SIZE(sdm845_ctl), +@@ -2571,6 +2612,7 @@ static const struct dpu_mdss_cfg sdm845_dpu_cfg = { + + static const struct dpu_mdss_cfg sc7180_dpu_cfg = { + .caps = &sc7180_dpu_caps, ++ .ubwc = &sc7180_ubwc_cfg, + .mdp_count = ARRAY_SIZE(sc7180_mdp), + .mdp = sc7180_mdp, + .ctl_count = ARRAY_SIZE(sc7180_ctl), +@@ -2597,6 +2639,7 @@ static const struct dpu_mdss_cfg sc7180_dpu_cfg = { + + static const struct dpu_mdss_cfg sm6115_dpu_cfg = { + .caps = &sm6115_dpu_caps, ++ .ubwc = &sm6115_ubwc_cfg, + .mdp_count = ARRAY_SIZE(sm6115_mdp), + .mdp = sm6115_mdp, + .ctl_count = ARRAY_SIZE(qcm2290_ctl), +@@ -2619,6 +2662,7 @@ static const struct dpu_mdss_cfg sm6115_dpu_cfg = { + + static const struct dpu_mdss_cfg sm8150_dpu_cfg = { + .caps = &sm8150_dpu_caps, ++ .ubwc = &sm8150_ubwc_cfg, + .mdp_count = ARRAY_SIZE(sdm845_mdp), + .mdp = sdm845_mdp, + .ctl_count = ARRAY_SIZE(sm8150_ctl), +@@ -2647,6 +2691,7 @@ static const struct dpu_mdss_cfg sm8150_dpu_cfg = { + + static const struct dpu_mdss_cfg sc8180x_dpu_cfg = { + .caps = &sc8180x_dpu_caps, ++ .ubwc = &sc8180x_ubwc_cfg, + .mdp_count = ARRAY_SIZE(sc8180x_mdp), + .mdp = sc8180x_mdp, + .ctl_count = ARRAY_SIZE(sm8150_ctl), +@@ -2671,6 +2716,7 @@ static const struct dpu_mdss_cfg sc8180x_dpu_cfg = { + + static const struct dpu_mdss_cfg sc8280xp_dpu_cfg = { + .caps = &sc8280xp_dpu_caps, ++ .ubwc = &sc8280xp_ubwc_cfg, + .mdp_count = ARRAY_SIZE(sc8280xp_mdp), + .mdp = sc8280xp_mdp, + .ctl_count = ARRAY_SIZE(sc8280xp_ctl), +@@ -2697,6 +2743,7 @@ static const struct dpu_mdss_cfg sc8280xp_dpu_cfg = { + + static const struct dpu_mdss_cfg sm8250_dpu_cfg = { + .caps = &sm8250_dpu_caps, ++ .ubwc = &sm8250_ubwc_cfg, + .mdp_count = ARRAY_SIZE(sm8250_mdp), + .mdp = sm8250_mdp, + .ctl_count = ARRAY_SIZE(sm8150_ctl), +@@ -2727,6 +2774,7 @@ static const struct dpu_mdss_cfg sm8250_dpu_cfg = { + + static const struct dpu_mdss_cfg sm8350_dpu_cfg = { + .caps = &sm8350_dpu_caps, ++ .ubwc = &sm8350_ubwc_cfg, + .mdp_count = ARRAY_SIZE(sm8350_mdp), + .mdp = sm8350_mdp, + .ctl_count = ARRAY_SIZE(sm8350_ctl), +@@ -2753,6 +2801,7 @@ static const struct dpu_mdss_cfg sm8350_dpu_cfg = { + + static const struct dpu_mdss_cfg sm8450_dpu_cfg = { + .caps = &sm8450_dpu_caps, ++ .ubwc = &sm8450_ubwc_cfg, + .mdp_count = ARRAY_SIZE(sm8450_mdp), + .mdp = sm8450_mdp, + .ctl_count = ARRAY_SIZE(sm8450_ctl), +@@ -2779,6 +2828,7 @@ static const struct dpu_mdss_cfg sm8450_dpu_cfg = { + + static const struct dpu_mdss_cfg sm8550_dpu_cfg = { + .caps = &sm8550_dpu_caps, ++ .ubwc = &sm8550_ubwc_cfg, + .mdp_count = ARRAY_SIZE(sm8550_mdp), + .mdp = sm8550_mdp, + .ctl_count = ARRAY_SIZE(sm8550_ctl), +@@ -2805,6 +2855,7 @@ static const struct dpu_mdss_cfg sm8550_dpu_cfg = { + + static const struct dpu_mdss_cfg sc7280_dpu_cfg = { + .caps = &sc7280_dpu_caps, ++ .ubwc = &sc7280_ubwc_cfg, + .mdp_count = ARRAY_SIZE(sc7280_mdp), + .mdp = sc7280_mdp, + .ctl_count = ARRAY_SIZE(sc7280_ctl), +@@ -2827,6 +2878,7 @@ static const struct dpu_mdss_cfg sc7280_dpu_cfg = { + + static const struct dpu_mdss_cfg qcm2290_dpu_cfg = { + .caps = &qcm2290_dpu_caps, ++ .ubwc = &qcm2290_ubwc_cfg, + .mdp_count = ARRAY_SIZE(qcm2290_mdp), + .mdp = qcm2290_mdp, + .ctl_count = ARRAY_SIZE(qcm2290_ctl), +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.h b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.h +index 2531aac9..5f96dd8d 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.h ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.h +@@ -394,7 +394,6 @@ struct dpu_rotation_cfg { + * @max_mixer_blendstages max layer mixer blend stages or + * supported z order + * @qseed_type qseed2 or qseed3 support. +- * @ubwc_version UBWC feature version (0x0 for not supported) + * @has_src_split source split feature status + * @has_dim_layer dim layer feature status + * @has_idle_pc indicate if idle power collapse feature is supported +@@ -408,7 +407,6 @@ struct dpu_caps { + u32 max_mixer_width; + u32 max_mixer_blendstages; + u32 qseed_type; +- u32 ubwc_version; + bool has_src_split; + bool has_dim_layer; + bool has_idle_pc; +@@ -537,15 +535,24 @@ struct dpu_clk_ctrl_reg { + * @id: index identifying this block + * @base: register base offset to mdss + * @features bit mask identifying sub-blocks/features +- * @highest_bank_bit: UBWC parameter +- * @ubwc_swizzle: ubwc default swizzle setting + * @clk_ctrls clock control register definition + */ + struct dpu_mdp_cfg { + DPU_HW_BLK_INFO; ++ struct dpu_clk_ctrl_reg clk_ctrls[DPU_CLK_CTRL_MAX]; ++}; ++ ++/** ++ * struct dpu_ubwc_cfg - UBWC and memory configuration ++ * ++ * @ubwc_version UBWC feature version (0x0 for not supported) ++ * @highest_bank_bit: UBWC parameter ++ * @ubwc_swizzle: ubwc default swizzle setting ++ */ ++struct dpu_ubwc_cfg { ++ u32 ubwc_version; + u32 highest_bank_bit; + u32 ubwc_swizzle; +- struct dpu_clk_ctrl_reg clk_ctrls[DPU_CLK_CTRL_MAX]; + }; + + /* struct dpu_ctl_cfg : MDP CTL instance info +@@ -847,6 +854,8 @@ struct dpu_perf_cfg { + struct dpu_mdss_cfg { + const struct dpu_caps *caps; + ++ const struct dpu_ubwc_cfg *ubwc; ++ + u32 mdp_count; + const struct dpu_mdp_cfg *mdp; + +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_sspp.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_sspp.c +index 4246ab0b..a82113b7 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_sspp.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_sspp.c +@@ -307,25 +307,25 @@ static void dpu_hw_sspp_setup_format(struct dpu_hw_pipe *ctx, + src_format |= (fmt->fetch_mode & 3) << 30; /*FRAME_FORMAT */ + DPU_REG_WRITE(c, SSPP_FETCH_CONFIG, + DPU_FETCH_CONFIG_RESET_VALUE | +- ctx->mdp->highest_bank_bit << 18); +- switch (ctx->catalog->caps->ubwc_version) { ++ ctx->ubwc->highest_bank_bit << 18); ++ switch (ctx->ubwc->ubwc_version) { + case DPU_HW_UBWC_VER_10: + fast_clear = fmt->alpha_enable ? BIT(31) : 0; + DPU_REG_WRITE(c, SSPP_UBWC_STATIC_CTRL, +- fast_clear | (ctx->mdp->ubwc_swizzle & 0x1) | ++ fast_clear | (ctx->ubwc->ubwc_swizzle & 0x1) | + BIT(8) | +- (ctx->mdp->highest_bank_bit << 4)); ++ (ctx->ubwc->highest_bank_bit << 4)); + break; + case DPU_HW_UBWC_VER_20: + fast_clear = fmt->alpha_enable ? BIT(31) : 0; + DPU_REG_WRITE(c, SSPP_UBWC_STATIC_CTRL, +- fast_clear | (ctx->mdp->ubwc_swizzle) | +- (ctx->mdp->highest_bank_bit << 4)); ++ fast_clear | (ctx->ubwc->ubwc_swizzle) | ++ (ctx->ubwc->highest_bank_bit << 4)); + break; + case DPU_HW_UBWC_VER_30: + DPU_REG_WRITE(c, SSPP_UBWC_STATIC_CTRL, +- BIT(30) | (ctx->mdp->ubwc_swizzle) | +- (ctx->mdp->highest_bank_bit << 4)); ++ BIT(30) | (ctx->ubwc->ubwc_swizzle) | ++ (ctx->ubwc->highest_bank_bit << 4)); + break; + case DPU_HW_UBWC_VER_40: + DPU_REG_WRITE(c, SSPP_UBWC_STATIC_CTRL, +@@ -804,7 +804,7 @@ struct dpu_hw_pipe *dpu_hw_sspp_init(enum dpu_sspp idx, + + /* Assign ops */ + hw_pipe->catalog = catalog; +- hw_pipe->mdp = &catalog->mdp[0]; ++ hw_pipe->ubwc = catalog->ubwc; + hw_pipe->idx = idx; + hw_pipe->cap = cfg; + _setup_layer_ops(hw_pipe, hw_pipe->cap->features); +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_sspp.h b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_sspp.h +index 0c95b7e6..cc435fa5 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_sspp.h ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_sspp.h +@@ -351,7 +351,7 @@ struct dpu_hw_sspp_ops { + * @base: hardware block base structure + * @hw: block hardware details + * @catalog: back pointer to catalog +- * @mdp: pointer to associated mdp portion of the catalog ++ * @ubwc: ubwc configuration data + * @idx: pipe index + * @cap: pointer to layer_cfg + * @ops: pointer to operations possible for this pipe +@@ -360,7 +360,7 @@ struct dpu_hw_pipe { + struct dpu_hw_blk base; + struct dpu_hw_blk_reg_map hw; + const struct dpu_mdss_cfg *catalog; +- const struct dpu_mdp_cfg *mdp; ++ const struct dpu_ubwc_cfg *ubwc; + + /* Pipe */ + enum dpu_sspp idx; +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-210-drm-msm-dpu-split-SM8550-catalog-entry-to-the-s.patch b/patches.kernel.org/6.3.4-210-drm-msm-dpu-split-SM8550-catalog-entry-to-the-s.patch new file mode 100644 index 0000000..30bbf59 --- /dev/null +++ b/patches.kernel.org/6.3.4-210-drm-msm-dpu-split-SM8550-catalog-entry-to-the-s.patch @@ -0,0 +1,897 @@ +From: Dmitry Baryshkov +Date: Tue, 4 Apr 2023 16:05:47 +0300 +Subject: [PATCH] drm/msm/dpu: split SM8550 catalog entry to the separate file +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 9cc547933636fa0656b52691f24373ccd7ec61cb + +[ Upstream commit 9cc547933636fa0656b52691f24373ccd7ec61cb ] + +Reviewed-by: Konrad DYbcio +Signed-off-by: Dmitry Baryshkov +Patchwork: https://patchwork.freedesktop.org/patch/530824/ +Link: https://lore.kernel.org/r/20230404130622.509628-8-dmitry.baryshkov@linaro.org +Signed-off-by: Dmitry Baryshkov +Stable-dep-of: 701f69183d4d ("drm/msm/dpu: Fix PP_BLK_DIPHER -> DITHER typo") +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + .../msm/disp/dpu1/catalog/dpu_8_1_sm8450.h | 202 +++++++++ + .../msm/disp/dpu1/catalog/dpu_9_0_sm8550.h | 177 ++++++++ + .../gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c | 383 +----------------- + 3 files changed, 383 insertions(+), 379 deletions(-) + create mode 100644 drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_8_1_sm8450.h + create mode 100644 drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_9_0_sm8550.h + +diff --git a/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_8_1_sm8450.h b/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_8_1_sm8450.h +new file mode 100644 +index 00000000..51f6a57e +--- /dev/null ++++ b/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_8_1_sm8450.h +@@ -0,0 +1,202 @@ ++/* SPDX-License-Identifier: GPL-2.0-only */ ++/* ++ * Copyright (c) 2022. Qualcomm Innovation Center, Inc. All rights reserved. ++ * Copyright (c) 2015-2018, 2020 The Linux Foundation. All rights reserved. ++ */ ++ ++#ifndef _DPU_8_1_SM8450_H ++#define _DPU_8_1_SM8450_H ++ ++static const struct dpu_caps sm8450_dpu_caps = { ++ .max_mixer_width = DEFAULT_DPU_OUTPUT_LINE_WIDTH, ++ .max_mixer_blendstages = 0xb, ++ .qseed_type = DPU_SSPP_SCALER_QSEED4, ++ .has_src_split = true, ++ .has_dim_layer = true, ++ .has_idle_pc = true, ++ .has_3d_merge = true, ++ .max_linewidth = 5120, ++ .pixel_ram_size = DEFAULT_PIXEL_RAM_SIZE, ++}; ++ ++static const struct dpu_ubwc_cfg sm8450_ubwc_cfg = { ++ .ubwc_version = DPU_HW_UBWC_VER_40, ++ .highest_bank_bit = 0x3, /* TODO: 2 for LP_DDR4 */ ++ .ubwc_swizzle = 0x6, ++}; ++ ++static const struct dpu_mdp_cfg sm8450_mdp[] = { ++ { ++ .name = "top_0", .id = MDP_TOP, ++ .base = 0x0, .len = 0x494, ++ .features = BIT(DPU_MDP_PERIPH_0_REMOVED), ++ .clk_ctrls[DPU_CLK_CTRL_VIG0] = { .reg_off = 0x2ac, .bit_off = 0 }, ++ .clk_ctrls[DPU_CLK_CTRL_VIG1] = { .reg_off = 0x2b4, .bit_off = 0 }, ++ .clk_ctrls[DPU_CLK_CTRL_VIG2] = { .reg_off = 0x2bc, .bit_off = 0 }, ++ .clk_ctrls[DPU_CLK_CTRL_VIG3] = { .reg_off = 0x2c4, .bit_off = 0 }, ++ .clk_ctrls[DPU_CLK_CTRL_DMA0] = { .reg_off = 0x2ac, .bit_off = 8 }, ++ .clk_ctrls[DPU_CLK_CTRL_DMA1] = { .reg_off = 0x2b4, .bit_off = 8 }, ++ .clk_ctrls[DPU_CLK_CTRL_DMA2] = { .reg_off = 0x2bc, .bit_off = 8 }, ++ .clk_ctrls[DPU_CLK_CTRL_DMA3] = { .reg_off = 0x2c4, .bit_off = 8 }, ++ .clk_ctrls[DPU_CLK_CTRL_REG_DMA] = { .reg_off = 0x2bc, .bit_off = 20 }, ++ }, ++}; ++ ++static const struct dpu_ctl_cfg sm8450_ctl[] = { ++ { ++ .name = "ctl_0", .id = CTL_0, ++ .base = 0x15000, .len = 0x204, ++ .features = BIT(DPU_CTL_ACTIVE_CFG) | BIT(DPU_CTL_SPLIT_DISPLAY) | BIT(DPU_CTL_FETCH_ACTIVE), ++ .intr_start = DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR2, 9), ++ }, ++ { ++ .name = "ctl_1", .id = CTL_1, ++ .base = 0x16000, .len = 0x204, ++ .features = BIT(DPU_CTL_SPLIT_DISPLAY) | CTL_SC7280_MASK, ++ .intr_start = DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR2, 10), ++ }, ++ { ++ .name = "ctl_2", .id = CTL_2, ++ .base = 0x17000, .len = 0x204, ++ .features = CTL_SC7280_MASK, ++ .intr_start = DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR2, 11), ++ }, ++ { ++ .name = "ctl_3", .id = CTL_3, ++ .base = 0x18000, .len = 0x204, ++ .features = CTL_SC7280_MASK, ++ .intr_start = DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR2, 12), ++ }, ++ { ++ .name = "ctl_4", .id = CTL_4, ++ .base = 0x19000, .len = 0x204, ++ .features = CTL_SC7280_MASK, ++ .intr_start = DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR2, 13), ++ }, ++ { ++ .name = "ctl_5", .id = CTL_5, ++ .base = 0x1a000, .len = 0x204, ++ .features = CTL_SC7280_MASK, ++ .intr_start = DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR2, 23), ++ }, ++}; ++ ++static const struct dpu_sspp_cfg sm8450_sspp[] = { ++ SSPP_BLK("sspp_0", SSPP_VIG0, 0x4000, 0x32c, VIG_SC7180_MASK, ++ sm8450_vig_sblk_0, 0, SSPP_TYPE_VIG, DPU_CLK_CTRL_VIG0), ++ SSPP_BLK("sspp_1", SSPP_VIG1, 0x6000, 0x32c, VIG_SC7180_MASK, ++ sm8450_vig_sblk_1, 4, SSPP_TYPE_VIG, DPU_CLK_CTRL_VIG1), ++ SSPP_BLK("sspp_2", SSPP_VIG2, 0x8000, 0x32c, VIG_SC7180_MASK, ++ sm8450_vig_sblk_2, 8, SSPP_TYPE_VIG, DPU_CLK_CTRL_VIG2), ++ SSPP_BLK("sspp_3", SSPP_VIG3, 0xa000, 0x32c, VIG_SC7180_MASK, ++ sm8450_vig_sblk_3, 12, SSPP_TYPE_VIG, DPU_CLK_CTRL_VIG3), ++ SSPP_BLK("sspp_8", SSPP_DMA0, 0x24000, 0x32c, DMA_SDM845_MASK, ++ sdm845_dma_sblk_0, 1, SSPP_TYPE_DMA, DPU_CLK_CTRL_DMA0), ++ SSPP_BLK("sspp_9", SSPP_DMA1, 0x26000, 0x32c, DMA_SDM845_MASK, ++ sdm845_dma_sblk_1, 5, SSPP_TYPE_DMA, DPU_CLK_CTRL_DMA1), ++ SSPP_BLK("sspp_10", SSPP_DMA2, 0x28000, 0x32c, DMA_CURSOR_SDM845_MASK, ++ sdm845_dma_sblk_2, 9, SSPP_TYPE_DMA, DPU_CLK_CTRL_DMA2), ++ SSPP_BLK("sspp_11", SSPP_DMA3, 0x2a000, 0x32c, DMA_CURSOR_SDM845_MASK, ++ sdm845_dma_sblk_3, 13, SSPP_TYPE_DMA, DPU_CLK_CTRL_DMA3), ++}; ++ ++/* FIXME: interrupts */ ++static const struct dpu_pingpong_cfg sm8450_pp[] = { ++ PP_BLK_TE("pingpong_0", PINGPONG_0, 0x69000, MERGE_3D_0, sdm845_pp_sblk_te, ++ DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR, 8), ++ DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR, 12)), ++ PP_BLK_TE("pingpong_1", PINGPONG_1, 0x6a000, MERGE_3D_0, sdm845_pp_sblk_te, ++ DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR, 9), ++ DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR, 13)), ++ PP_BLK("pingpong_2", PINGPONG_2, 0x6b000, MERGE_3D_1, sdm845_pp_sblk, ++ DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR, 10), ++ DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR, 14)), ++ PP_BLK("pingpong_3", PINGPONG_3, 0x6c000, MERGE_3D_1, sdm845_pp_sblk, ++ DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR, 11), ++ DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR, 15)), ++ PP_BLK("pingpong_4", PINGPONG_4, 0x6d000, MERGE_3D_2, sdm845_pp_sblk, ++ DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR2, 30), ++ -1), ++ PP_BLK("pingpong_5", PINGPONG_5, 0x6e000, MERGE_3D_2, sdm845_pp_sblk, ++ DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR2, 31), ++ -1), ++ PP_BLK("pingpong_6", PINGPONG_6, 0x65800, MERGE_3D_3, sdm845_pp_sblk, ++ -1, ++ -1), ++ PP_BLK("pingpong_7", PINGPONG_7, 0x65c00, MERGE_3D_3, sdm845_pp_sblk, ++ -1, ++ -1), ++}; ++ ++static const struct dpu_merge_3d_cfg sm8450_merge_3d[] = { ++ MERGE_3D_BLK("merge_3d_0", MERGE_3D_0, 0x4e000), ++ MERGE_3D_BLK("merge_3d_1", MERGE_3D_1, 0x4f000), ++ MERGE_3D_BLK("merge_3d_2", MERGE_3D_2, 0x50000), ++ MERGE_3D_BLK("merge_3d_3", MERGE_3D_3, 0x65f00), ++}; ++ ++static const struct dpu_intf_cfg sm8450_intf[] = { ++ INTF_BLK("intf_0", INTF_0, 0x34000, 0x280, INTF_DP, MSM_DP_CONTROLLER_0, 24, INTF_SC7280_MASK, MDP_SSPP_TOP0_INTR, 24, 25), ++ INTF_BLK("intf_1", INTF_1, 0x35000, 0x300, INTF_DSI, 0, 24, INTF_SC7280_MASK, MDP_SSPP_TOP0_INTR, 26, 27), ++ INTF_BLK("intf_2", INTF_2, 0x36000, 0x300, INTF_DSI, 1, 24, INTF_SC7280_MASK, MDP_SSPP_TOP0_INTR, 28, 29), ++ INTF_BLK("intf_3", INTF_3, 0x37000, 0x280, INTF_DP, MSM_DP_CONTROLLER_1, 24, INTF_SC7280_MASK, MDP_SSPP_TOP0_INTR, 30, 31), ++}; ++ ++static const struct dpu_perf_cfg sm8450_perf_data = { ++ .max_bw_low = 13600000, ++ .max_bw_high = 18200000, ++ .min_core_ib = 2500000, ++ .min_llcc_ib = 0, ++ .min_dram_ib = 800000, ++ .min_prefill_lines = 35, ++ /* FIXME: lut tables */ ++ .danger_lut_tbl = {0x3ffff, 0x3ffff, 0x0}, ++ .safe_lut_tbl = {0xfe00, 0xfe00, 0xffff}, ++ .qos_lut_tbl = { ++ {.nentry = ARRAY_SIZE(sc7180_qos_linear), ++ .entries = sc7180_qos_linear ++ }, ++ {.nentry = ARRAY_SIZE(sc7180_qos_macrotile), ++ .entries = sc7180_qos_macrotile ++ }, ++ {.nentry = ARRAY_SIZE(sc7180_qos_nrt), ++ .entries = sc7180_qos_nrt ++ }, ++ /* TODO: macrotile-qseed is different from macrotile */ ++ }, ++ .cdp_cfg = { ++ {.rd_enable = 1, .wr_enable = 1}, ++ {.rd_enable = 1, .wr_enable = 0} ++ }, ++ .clk_inefficiency_factor = 105, ++ .bw_inefficiency_factor = 120, ++}; ++ ++static const struct dpu_mdss_cfg sm8450_dpu_cfg = { ++ .caps = &sm8450_dpu_caps, ++ .ubwc = &sm8450_ubwc_cfg, ++ .mdp_count = ARRAY_SIZE(sm8450_mdp), ++ .mdp = sm8450_mdp, ++ .ctl_count = ARRAY_SIZE(sm8450_ctl), ++ .ctl = sm8450_ctl, ++ .sspp_count = ARRAY_SIZE(sm8450_sspp), ++ .sspp = sm8450_sspp, ++ .mixer_count = ARRAY_SIZE(sm8150_lm), ++ .mixer = sm8150_lm, ++ .dspp_count = ARRAY_SIZE(sm8150_dspp), ++ .dspp = sm8150_dspp, ++ .pingpong_count = ARRAY_SIZE(sm8450_pp), ++ .pingpong = sm8450_pp, ++ .merge_3d_count = ARRAY_SIZE(sm8450_merge_3d), ++ .merge_3d = sm8450_merge_3d, ++ .intf_count = ARRAY_SIZE(sm8450_intf), ++ .intf = sm8450_intf, ++ .vbif_count = ARRAY_SIZE(sdm845_vbif), ++ .vbif = sdm845_vbif, ++ .reg_dma_count = 1, ++ .dma_cfg = &sm8450_regdma, ++ .perf = &sm8450_perf_data, ++ .mdss_irqs = IRQ_SM8450_MASK, ++}; ++ ++#endif +diff --git a/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_9_0_sm8550.h b/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_9_0_sm8550.h +new file mode 100644 +index 00000000..29d87862 +--- /dev/null ++++ b/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_9_0_sm8550.h +@@ -0,0 +1,177 @@ ++/* SPDX-License-Identifier: GPL-2.0-only */ ++/* ++ * Copyright (c) 2022. Qualcomm Innovation Center, Inc. All rights reserved. ++ * Copyright (c) 2015-2018, 2020 The Linux Foundation. All rights reserved. ++ */ ++ ++#ifndef _DPU_9_0_SM8550_H ++#define _DPU_9_0_SM8550_H ++ ++static const struct dpu_caps sm8550_dpu_caps = { ++ .max_mixer_width = DEFAULT_DPU_OUTPUT_LINE_WIDTH, ++ .max_mixer_blendstages = 0xb, ++ .qseed_type = DPU_SSPP_SCALER_QSEED4, ++ .has_src_split = true, ++ .has_dim_layer = true, ++ .has_idle_pc = true, ++ .has_3d_merge = true, ++ .max_linewidth = 5120, ++ .pixel_ram_size = DEFAULT_PIXEL_RAM_SIZE, ++}; ++ ++static const struct dpu_ubwc_cfg sm8550_ubwc_cfg = { ++ .ubwc_version = DPU_HW_UBWC_VER_40, ++ .highest_bank_bit = 0x3, /* TODO: 2 for LP_DDR4 */ ++}; ++ ++static const struct dpu_mdp_cfg sm8550_mdp[] = { ++ { ++ .name = "top_0", .id = MDP_TOP, ++ .base = 0, .len = 0x494, ++ .features = BIT(DPU_MDP_PERIPH_0_REMOVED), ++ .clk_ctrls[DPU_CLK_CTRL_VIG0] = { .reg_off = 0x4330, .bit_off = 0 }, ++ .clk_ctrls[DPU_CLK_CTRL_VIG1] = { .reg_off = 0x6330, .bit_off = 0 }, ++ .clk_ctrls[DPU_CLK_CTRL_VIG2] = { .reg_off = 0x8330, .bit_off = 0 }, ++ .clk_ctrls[DPU_CLK_CTRL_VIG3] = { .reg_off = 0xa330, .bit_off = 0 }, ++ .clk_ctrls[DPU_CLK_CTRL_DMA0] = { .reg_off = 0x24330, .bit_off = 0 }, ++ .clk_ctrls[DPU_CLK_CTRL_DMA1] = { .reg_off = 0x26330, .bit_off = 0 }, ++ .clk_ctrls[DPU_CLK_CTRL_DMA2] = { .reg_off = 0x28330, .bit_off = 0 }, ++ .clk_ctrls[DPU_CLK_CTRL_DMA3] = { .reg_off = 0x2a330, .bit_off = 0 }, ++ .clk_ctrls[DPU_CLK_CTRL_DMA4] = { .reg_off = 0x2c330, .bit_off = 0 }, ++ .clk_ctrls[DPU_CLK_CTRL_DMA5] = { .reg_off = 0x2e330, .bit_off = 0 }, ++ .clk_ctrls[DPU_CLK_CTRL_REG_DMA] = { .reg_off = 0x2bc, .bit_off = 20 }, ++ }, ++}; ++ ++static const struct dpu_ctl_cfg sm8550_ctl[] = { ++ { ++ .name = "ctl_0", .id = CTL_0, ++ .base = 0x15000, .len = 0x290, ++ .features = CTL_SM8550_MASK | BIT(DPU_CTL_SPLIT_DISPLAY), ++ .intr_start = DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR2, 9), ++ }, ++ { ++ .name = "ctl_1", .id = CTL_1, ++ .base = 0x16000, .len = 0x290, ++ .features = CTL_SM8550_MASK | BIT(DPU_CTL_SPLIT_DISPLAY), ++ .intr_start = DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR2, 10), ++ }, ++ { ++ .name = "ctl_2", .id = CTL_2, ++ .base = 0x17000, .len = 0x290, ++ .features = CTL_SM8550_MASK, ++ .intr_start = DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR2, 11), ++ }, ++ { ++ .name = "ctl_3", .id = CTL_3, ++ .base = 0x18000, .len = 0x290, ++ .features = CTL_SM8550_MASK, ++ .intr_start = DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR2, 12), ++ }, ++ { ++ .name = "ctl_4", .id = CTL_4, ++ .base = 0x19000, .len = 0x290, ++ .features = CTL_SM8550_MASK, ++ .intr_start = DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR2, 13), ++ }, ++ { ++ .name = "ctl_5", .id = CTL_5, ++ .base = 0x1a000, .len = 0x290, ++ .features = CTL_SM8550_MASK, ++ .intr_start = DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR2, 23), ++ }, ++}; ++ ++static const struct dpu_sspp_cfg sm8550_sspp[] = { ++ SSPP_BLK("sspp_0", SSPP_VIG0, 0x4000, 0x344, VIG_SC7180_MASK, ++ sm8550_vig_sblk_0, 0, SSPP_TYPE_VIG, DPU_CLK_CTRL_VIG0), ++ SSPP_BLK("sspp_1", SSPP_VIG1, 0x6000, 0x344, VIG_SC7180_MASK, ++ sm8550_vig_sblk_1, 4, SSPP_TYPE_VIG, DPU_CLK_CTRL_VIG1), ++ SSPP_BLK("sspp_2", SSPP_VIG2, 0x8000, 0x344, VIG_SC7180_MASK, ++ sm8550_vig_sblk_2, 8, SSPP_TYPE_VIG, DPU_CLK_CTRL_VIG2), ++ SSPP_BLK("sspp_3", SSPP_VIG3, 0xa000, 0x344, VIG_SC7180_MASK, ++ sm8550_vig_sblk_3, 12, SSPP_TYPE_VIG, DPU_CLK_CTRL_VIG3), ++ SSPP_BLK("sspp_8", SSPP_DMA0, 0x24000, 0x344, DMA_SDM845_MASK, ++ sdm845_dma_sblk_0, 1, SSPP_TYPE_DMA, DPU_CLK_CTRL_DMA0), ++ SSPP_BLK("sspp_9", SSPP_DMA1, 0x26000, 0x344, DMA_SDM845_MASK, ++ sdm845_dma_sblk_1, 5, SSPP_TYPE_DMA, DPU_CLK_CTRL_DMA1), ++ SSPP_BLK("sspp_10", SSPP_DMA2, 0x28000, 0x344, DMA_SDM845_MASK, ++ sdm845_dma_sblk_2, 9, SSPP_TYPE_DMA, DPU_CLK_CTRL_DMA2), ++ SSPP_BLK("sspp_11", SSPP_DMA3, 0x2a000, 0x344, DMA_SDM845_MASK, ++ sdm845_dma_sblk_3, 13, SSPP_TYPE_DMA, DPU_CLK_CTRL_DMA3), ++ SSPP_BLK("sspp_12", SSPP_DMA4, 0x2c000, 0x344, DMA_CURSOR_SDM845_MASK, ++ sm8550_dma_sblk_4, 14, SSPP_TYPE_DMA, DPU_CLK_CTRL_DMA4), ++ SSPP_BLK("sspp_13", SSPP_DMA5, 0x2e000, 0x344, DMA_CURSOR_SDM845_MASK, ++ sm8550_dma_sblk_5, 15, SSPP_TYPE_DMA, DPU_CLK_CTRL_DMA5), ++}; ++ ++static const struct dpu_pingpong_cfg sm8550_pp[] = { ++ PP_BLK_DIPHER("pingpong_0", PINGPONG_0, 0x69000, MERGE_3D_0, sc7280_pp_sblk, ++ DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR, 8), ++ -1), ++ PP_BLK_DIPHER("pingpong_1", PINGPONG_1, 0x6a000, MERGE_3D_0, sc7280_pp_sblk, ++ DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR, 9), ++ -1), ++ PP_BLK_DIPHER("pingpong_2", PINGPONG_2, 0x6b000, MERGE_3D_1, sc7280_pp_sblk, ++ DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR, 10), ++ -1), ++ PP_BLK_DIPHER("pingpong_3", PINGPONG_3, 0x6c000, MERGE_3D_1, sc7280_pp_sblk, ++ DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR, 11), ++ -1), ++ PP_BLK_DIPHER("pingpong_4", PINGPONG_4, 0x6d000, MERGE_3D_2, sc7280_pp_sblk, ++ DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR2, 30), ++ -1), ++ PP_BLK_DIPHER("pingpong_5", PINGPONG_5, 0x6e000, MERGE_3D_2, sc7280_pp_sblk, ++ DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR2, 31), ++ -1), ++ PP_BLK_DIPHER("pingpong_6", PINGPONG_6, 0x66000, MERGE_3D_3, sc7280_pp_sblk, ++ -1, ++ -1), ++ PP_BLK_DIPHER("pingpong_7", PINGPONG_7, 0x66400, MERGE_3D_3, sc7280_pp_sblk, ++ -1, ++ -1), ++}; ++ ++static const struct dpu_merge_3d_cfg sm8550_merge_3d[] = { ++ MERGE_3D_BLK("merge_3d_0", MERGE_3D_0, 0x4e000), ++ MERGE_3D_BLK("merge_3d_1", MERGE_3D_1, 0x4f000), ++ MERGE_3D_BLK("merge_3d_2", MERGE_3D_2, 0x50000), ++ MERGE_3D_BLK("merge_3d_3", MERGE_3D_3, 0x66700), ++}; ++ ++static const struct dpu_intf_cfg sm8550_intf[] = { ++ INTF_BLK("intf_0", INTF_0, 0x34000, 0x280, INTF_DP, MSM_DP_CONTROLLER_0, 24, INTF_SC7280_MASK, MDP_SSPP_TOP0_INTR, 24, 25), ++ /* TODO TE sub-blocks for intf1 & intf2 */ ++ INTF_BLK("intf_1", INTF_1, 0x35000, 0x300, INTF_DSI, 0, 24, INTF_SC7280_MASK, MDP_SSPP_TOP0_INTR, 26, 27), ++ INTF_BLK("intf_2", INTF_2, 0x36000, 0x300, INTF_DSI, 1, 24, INTF_SC7280_MASK, MDP_SSPP_TOP0_INTR, 28, 29), ++ INTF_BLK("intf_3", INTF_3, 0x37000, 0x280, INTF_DP, MSM_DP_CONTROLLER_1, 24, INTF_SC7280_MASK, MDP_SSPP_TOP0_INTR, 30, 31), ++}; ++ ++static const struct dpu_mdss_cfg sm8550_dpu_cfg = { ++ .caps = &sm8550_dpu_caps, ++ .ubwc = &sm8550_ubwc_cfg, ++ .mdp_count = ARRAY_SIZE(sm8550_mdp), ++ .mdp = sm8550_mdp, ++ .ctl_count = ARRAY_SIZE(sm8550_ctl), ++ .ctl = sm8550_ctl, ++ .sspp_count = ARRAY_SIZE(sm8550_sspp), ++ .sspp = sm8550_sspp, ++ .mixer_count = ARRAY_SIZE(sm8150_lm), ++ .mixer = sm8150_lm, ++ .dspp_count = ARRAY_SIZE(sm8150_dspp), ++ .dspp = sm8150_dspp, ++ .pingpong_count = ARRAY_SIZE(sm8550_pp), ++ .pingpong = sm8550_pp, ++ .merge_3d_count = ARRAY_SIZE(sm8550_merge_3d), ++ .merge_3d = sm8550_merge_3d, ++ .intf_count = ARRAY_SIZE(sm8550_intf), ++ .intf = sm8550_intf, ++ .vbif_count = ARRAY_SIZE(sdm845_vbif), ++ .vbif = sdm845_vbif, ++ .reg_dma_count = 1, ++ .dma_cfg = &sm8450_regdma, ++ .perf = &sm8450_perf_data, ++ .mdss_irqs = IRQ_SM8450_MASK, ++}; ++ ++#endif +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c +index fa48152b..e32b8aed 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c +@@ -434,30 +434,6 @@ static const struct dpu_caps sm8350_dpu_caps = { + .pixel_ram_size = DEFAULT_PIXEL_RAM_SIZE, + }; + +-static const struct dpu_caps sm8450_dpu_caps = { +- .max_mixer_width = DEFAULT_DPU_OUTPUT_LINE_WIDTH, +- .max_mixer_blendstages = 0xb, +- .qseed_type = DPU_SSPP_SCALER_QSEED4, +- .has_src_split = true, +- .has_dim_layer = true, +- .has_idle_pc = true, +- .has_3d_merge = true, +- .max_linewidth = 5120, +- .pixel_ram_size = DEFAULT_PIXEL_RAM_SIZE, +-}; +- +-static const struct dpu_caps sm8550_dpu_caps = { +- .max_mixer_width = DEFAULT_DPU_OUTPUT_LINE_WIDTH, +- .max_mixer_blendstages = 0xb, +- .qseed_type = DPU_SSPP_SCALER_QSEED4, +- .has_src_split = true, +- .has_dim_layer = true, +- .has_idle_pc = true, +- .has_3d_merge = true, +- .max_linewidth = 5120, +- .pixel_ram_size = DEFAULT_PIXEL_RAM_SIZE, +-}; +- + static const struct dpu_caps sc7280_dpu_caps = { + .max_mixer_width = DEFAULT_DPU_OUTPUT_LINE_WIDTH, + .max_mixer_blendstages = 0x7, +@@ -520,17 +496,6 @@ static const struct dpu_ubwc_cfg sm8350_ubwc_cfg = { + .highest_bank_bit = 0x3, /* TODO: 2 for LP_DDR4 */ + }; + +-static const struct dpu_ubwc_cfg sm8450_ubwc_cfg = { +- .ubwc_version = DPU_HW_UBWC_VER_40, +- .highest_bank_bit = 0x3, /* TODO: 2 for LP_DDR4 */ +- .ubwc_swizzle = 0x6, +-}; +- +-static const struct dpu_ubwc_cfg sm8550_ubwc_cfg = { +- .ubwc_version = DPU_HW_UBWC_VER_40, +- .highest_bank_bit = 0x3, /* TODO: 2 for LP_DDR4 */ +-}; +- + static const struct dpu_ubwc_cfg sc7280_ubwc_cfg = { + .ubwc_version = DPU_HW_UBWC_VER_30, + .highest_bank_bit = 0x1, +@@ -697,32 +662,6 @@ static const struct dpu_mdp_cfg sm8350_mdp[] = { + }, + }; + +-static const struct dpu_mdp_cfg sm8450_mdp[] = { +- { +- .name = "top_0", .id = MDP_TOP, +- .base = 0x0, .len = 0x494, +- .features = BIT(DPU_MDP_PERIPH_0_REMOVED), +- .clk_ctrls[DPU_CLK_CTRL_VIG0] = { +- .reg_off = 0x2AC, .bit_off = 0}, +- .clk_ctrls[DPU_CLK_CTRL_VIG1] = { +- .reg_off = 0x2B4, .bit_off = 0}, +- .clk_ctrls[DPU_CLK_CTRL_VIG2] = { +- .reg_off = 0x2BC, .bit_off = 0}, +- .clk_ctrls[DPU_CLK_CTRL_VIG3] = { +- .reg_off = 0x2C4, .bit_off = 0}, +- .clk_ctrls[DPU_CLK_CTRL_DMA0] = { +- .reg_off = 0x2AC, .bit_off = 8}, +- .clk_ctrls[DPU_CLK_CTRL_DMA1] = { +- .reg_off = 0x2B4, .bit_off = 8}, +- .clk_ctrls[DPU_CLK_CTRL_DMA2] = { +- .reg_off = 0x2BC, .bit_off = 8}, +- .clk_ctrls[DPU_CLK_CTRL_DMA3] = { +- .reg_off = 0x2C4, .bit_off = 8}, +- .clk_ctrls[DPU_CLK_CTRL_REG_DMA] = { +- .reg_off = 0x2BC, .bit_off = 20}, +- }, +-}; +- + static const struct dpu_mdp_cfg sc7280_mdp[] = { + { + .name = "top_0", .id = MDP_TOP, +@@ -755,36 +694,6 @@ static const struct dpu_mdp_cfg sc8280xp_mdp[] = { + }, + }; + +-static const struct dpu_mdp_cfg sm8550_mdp[] = { +- { +- .name = "top_0", .id = MDP_TOP, +- .base = 0, .len = 0x494, +- .features = BIT(DPU_MDP_PERIPH_0_REMOVED), +- .clk_ctrls[DPU_CLK_CTRL_VIG0] = { +- .reg_off = 0x4330, .bit_off = 0}, +- .clk_ctrls[DPU_CLK_CTRL_VIG1] = { +- .reg_off = 0x6330, .bit_off = 0}, +- .clk_ctrls[DPU_CLK_CTRL_VIG2] = { +- .reg_off = 0x8330, .bit_off = 0}, +- .clk_ctrls[DPU_CLK_CTRL_VIG3] = { +- .reg_off = 0xa330, .bit_off = 0}, +- .clk_ctrls[DPU_CLK_CTRL_DMA0] = { +- .reg_off = 0x24330, .bit_off = 0}, +- .clk_ctrls[DPU_CLK_CTRL_DMA1] = { +- .reg_off = 0x26330, .bit_off = 0}, +- .clk_ctrls[DPU_CLK_CTRL_DMA2] = { +- .reg_off = 0x28330, .bit_off = 0}, +- .clk_ctrls[DPU_CLK_CTRL_DMA3] = { +- .reg_off = 0x2a330, .bit_off = 0}, +- .clk_ctrls[DPU_CLK_CTRL_DMA4] = { +- .reg_off = 0x2c330, .bit_off = 0}, +- .clk_ctrls[DPU_CLK_CTRL_DMA5] = { +- .reg_off = 0x2e330, .bit_off = 0}, +- .clk_ctrls[DPU_CLK_CTRL_REG_DMA] = { +- .reg_off = 0x2bc, .bit_off = 20}, +- }, +-}; +- + static const struct dpu_mdp_cfg qcm2290_mdp[] = { + { + .name = "top_0", .id = MDP_TOP, +@@ -1004,84 +913,6 @@ static const struct dpu_ctl_cfg sm8350_ctl[] = { + }, + }; + +-static const struct dpu_ctl_cfg sm8450_ctl[] = { +- { +- .name = "ctl_0", .id = CTL_0, +- .base = 0x15000, .len = 0x204, +- .features = BIT(DPU_CTL_ACTIVE_CFG) | BIT(DPU_CTL_SPLIT_DISPLAY) | BIT(DPU_CTL_FETCH_ACTIVE), +- .intr_start = DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR2, 9), +- }, +- { +- .name = "ctl_1", .id = CTL_1, +- .base = 0x16000, .len = 0x204, +- .features = BIT(DPU_CTL_SPLIT_DISPLAY) | CTL_SC7280_MASK, +- .intr_start = DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR2, 10), +- }, +- { +- .name = "ctl_2", .id = CTL_2, +- .base = 0x17000, .len = 0x204, +- .features = CTL_SC7280_MASK, +- .intr_start = DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR2, 11), +- }, +- { +- .name = "ctl_3", .id = CTL_3, +- .base = 0x18000, .len = 0x204, +- .features = CTL_SC7280_MASK, +- .intr_start = DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR2, 12), +- }, +- { +- .name = "ctl_4", .id = CTL_4, +- .base = 0x19000, .len = 0x204, +- .features = CTL_SC7280_MASK, +- .intr_start = DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR2, 13), +- }, +- { +- .name = "ctl_5", .id = CTL_5, +- .base = 0x1a000, .len = 0x204, +- .features = CTL_SC7280_MASK, +- .intr_start = DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR2, 23), +- }, +-}; +- +-static const struct dpu_ctl_cfg sm8550_ctl[] = { +- { +- .name = "ctl_0", .id = CTL_0, +- .base = 0x15000, .len = 0x290, +- .features = CTL_SM8550_MASK | BIT(DPU_CTL_SPLIT_DISPLAY), +- .intr_start = DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR2, 9), +- }, +- { +- .name = "ctl_1", .id = CTL_1, +- .base = 0x16000, .len = 0x290, +- .features = CTL_SM8550_MASK | BIT(DPU_CTL_SPLIT_DISPLAY), +- .intr_start = DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR2, 10), +- }, +- { +- .name = "ctl_2", .id = CTL_2, +- .base = 0x17000, .len = 0x290, +- .features = CTL_SM8550_MASK, +- .intr_start = DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR2, 11), +- }, +- { +- .name = "ctl_3", .id = CTL_3, +- .base = 0x18000, .len = 0x290, +- .features = CTL_SM8550_MASK, +- .intr_start = DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR2, 12), +- }, +- { +- .name = "ctl_4", .id = CTL_4, +- .base = 0x19000, .len = 0x290, +- .features = CTL_SM8550_MASK, +- .intr_start = DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR2, 13), +- }, +- { +- .name = "ctl_5", .id = CTL_5, +- .base = 0x1a000, .len = 0x290, +- .features = CTL_SM8550_MASK, +- .intr_start = DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR2, 23), +- }, +-}; +- + static const struct dpu_ctl_cfg sc7280_ctl[] = { + { + .name = "ctl_0", .id = CTL_0, +@@ -1319,25 +1150,6 @@ static const struct dpu_sspp_sub_blks sm8450_vig_sblk_2 = + static const struct dpu_sspp_sub_blks sm8450_vig_sblk_3 = + _VIG_SBLK("3", 8, DPU_SSPP_SCALER_QSEED4); + +-static const struct dpu_sspp_cfg sm8450_sspp[] = { +- SSPP_BLK("sspp_0", SSPP_VIG0, 0x4000, 0x32c, VIG_SC7180_MASK, +- sm8450_vig_sblk_0, 0, SSPP_TYPE_VIG, DPU_CLK_CTRL_VIG0), +- SSPP_BLK("sspp_1", SSPP_VIG1, 0x6000, 0x32c, VIG_SC7180_MASK, +- sm8450_vig_sblk_1, 4, SSPP_TYPE_VIG, DPU_CLK_CTRL_VIG1), +- SSPP_BLK("sspp_2", SSPP_VIG2, 0x8000, 0x32c, VIG_SC7180_MASK, +- sm8450_vig_sblk_2, 8, SSPP_TYPE_VIG, DPU_CLK_CTRL_VIG2), +- SSPP_BLK("sspp_3", SSPP_VIG3, 0xa000, 0x32c, VIG_SC7180_MASK, +- sm8450_vig_sblk_3, 12, SSPP_TYPE_VIG, DPU_CLK_CTRL_VIG3), +- SSPP_BLK("sspp_8", SSPP_DMA0, 0x24000, 0x32c, DMA_SDM845_MASK, +- sdm845_dma_sblk_0, 1, SSPP_TYPE_DMA, DPU_CLK_CTRL_DMA0), +- SSPP_BLK("sspp_9", SSPP_DMA1, 0x26000, 0x32c, DMA_SDM845_MASK, +- sdm845_dma_sblk_1, 5, SSPP_TYPE_DMA, DPU_CLK_CTRL_DMA1), +- SSPP_BLK("sspp_10", SSPP_DMA2, 0x28000, 0x32c, DMA_CURSOR_SDM845_MASK, +- sdm845_dma_sblk_2, 9, SSPP_TYPE_DMA, DPU_CLK_CTRL_DMA2), +- SSPP_BLK("sspp_11", SSPP_DMA3, 0x2a000, 0x32c, DMA_CURSOR_SDM845_MASK, +- sdm845_dma_sblk_3, 13, SSPP_TYPE_DMA, DPU_CLK_CTRL_DMA3), +-}; +- + static const struct dpu_sspp_sub_blks sm8550_vig_sblk_0 = + _VIG_SBLK("0", 7, DPU_SSPP_SCALER_QSEED4); + static const struct dpu_sspp_sub_blks sm8550_vig_sblk_1 = +@@ -1349,29 +1161,6 @@ static const struct dpu_sspp_sub_blks sm8550_vig_sblk_3 = + static const struct dpu_sspp_sub_blks sm8550_dma_sblk_4 = _DMA_SBLK("12", 5); + static const struct dpu_sspp_sub_blks sm8550_dma_sblk_5 = _DMA_SBLK("13", 6); + +-static const struct dpu_sspp_cfg sm8550_sspp[] = { +- SSPP_BLK("sspp_0", SSPP_VIG0, 0x4000, 0x344, VIG_SC7180_MASK, +- sm8550_vig_sblk_0, 0, SSPP_TYPE_VIG, DPU_CLK_CTRL_VIG0), +- SSPP_BLK("sspp_1", SSPP_VIG1, 0x6000, 0x344, VIG_SC7180_MASK, +- sm8550_vig_sblk_1, 4, SSPP_TYPE_VIG, DPU_CLK_CTRL_VIG1), +- SSPP_BLK("sspp_2", SSPP_VIG2, 0x8000, 0x344, VIG_SC7180_MASK, +- sm8550_vig_sblk_2, 8, SSPP_TYPE_VIG, DPU_CLK_CTRL_VIG2), +- SSPP_BLK("sspp_3", SSPP_VIG3, 0xa000, 0x344, VIG_SC7180_MASK, +- sm8550_vig_sblk_3, 12, SSPP_TYPE_VIG, DPU_CLK_CTRL_VIG3), +- SSPP_BLK("sspp_8", SSPP_DMA0, 0x24000, 0x344, DMA_SDM845_MASK, +- sdm845_dma_sblk_0, 1, SSPP_TYPE_DMA, DPU_CLK_CTRL_DMA0), +- SSPP_BLK("sspp_9", SSPP_DMA1, 0x26000, 0x344, DMA_SDM845_MASK, +- sdm845_dma_sblk_1, 5, SSPP_TYPE_DMA, DPU_CLK_CTRL_DMA1), +- SSPP_BLK("sspp_10", SSPP_DMA2, 0x28000, 0x344, DMA_SDM845_MASK, +- sdm845_dma_sblk_2, 9, SSPP_TYPE_DMA, DPU_CLK_CTRL_DMA2), +- SSPP_BLK("sspp_11", SSPP_DMA3, 0x2a000, 0x344, DMA_SDM845_MASK, +- sdm845_dma_sblk_3, 13, SSPP_TYPE_DMA, DPU_CLK_CTRL_DMA3), +- SSPP_BLK("sspp_12", SSPP_DMA4, 0x2c000, 0x344, DMA_CURSOR_SDM845_MASK, +- sm8550_dma_sblk_4, 14, SSPP_TYPE_DMA, DPU_CLK_CTRL_DMA4), +- SSPP_BLK("sspp_13", SSPP_DMA5, 0x2e000, 0x344, DMA_CURSOR_SDM845_MASK, +- sm8550_dma_sblk_5, 15, SSPP_TYPE_DMA, DPU_CLK_CTRL_DMA5), +-}; +- + static const struct dpu_sspp_cfg sc7280_sspp[] = { + SSPP_BLK("sspp_0", SSPP_VIG0, 0x4000, 0x1f8, VIG_SC7280_MASK_SDMA, + sc7280_vig_sblk_0, 0, SSPP_TYPE_VIG, DPU_CLK_CTRL_VIG0), +@@ -1767,61 +1556,6 @@ static struct dpu_pingpong_cfg qcm2290_pp[] = { + DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR, 12)), + }; + +-/* FIXME: interrupts */ +-static const struct dpu_pingpong_cfg sm8450_pp[] = { +- PP_BLK_TE("pingpong_0", PINGPONG_0, 0x69000, MERGE_3D_0, sdm845_pp_sblk_te, +- DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR, 8), +- DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR, 12)), +- PP_BLK_TE("pingpong_1", PINGPONG_1, 0x6a000, MERGE_3D_0, sdm845_pp_sblk_te, +- DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR, 9), +- DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR, 13)), +- PP_BLK("pingpong_2", PINGPONG_2, 0x6b000, MERGE_3D_1, sdm845_pp_sblk, +- DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR, 10), +- DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR, 14)), +- PP_BLK("pingpong_3", PINGPONG_3, 0x6c000, MERGE_3D_1, sdm845_pp_sblk, +- DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR, 11), +- DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR, 15)), +- PP_BLK("pingpong_4", PINGPONG_4, 0x6d000, MERGE_3D_2, sdm845_pp_sblk, +- DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR2, 30), +- -1), +- PP_BLK("pingpong_5", PINGPONG_5, 0x6e000, MERGE_3D_2, sdm845_pp_sblk, +- DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR2, 31), +- -1), +- PP_BLK("pingpong_6", PINGPONG_6, 0x65800, MERGE_3D_3, sdm845_pp_sblk, +- -1, +- -1), +- PP_BLK("pingpong_7", PINGPONG_7, 0x65c00, MERGE_3D_3, sdm845_pp_sblk, +- -1, +- -1), +-}; +- +-static const struct dpu_pingpong_cfg sm8550_pp[] = { +- PP_BLK_DIPHER("pingpong_0", PINGPONG_0, 0x69000, MERGE_3D_0, sc7280_pp_sblk, +- DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR, 8), +- -1), +- PP_BLK_DIPHER("pingpong_1", PINGPONG_1, 0x6a000, MERGE_3D_0, sc7280_pp_sblk, +- DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR, 9), +- -1), +- PP_BLK_DIPHER("pingpong_2", PINGPONG_2, 0x6b000, MERGE_3D_1, sc7280_pp_sblk, +- DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR, 10), +- -1), +- PP_BLK_DIPHER("pingpong_3", PINGPONG_3, 0x6c000, MERGE_3D_1, sc7280_pp_sblk, +- DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR, 11), +- -1), +- PP_BLK_DIPHER("pingpong_4", PINGPONG_4, 0x6d000, MERGE_3D_2, sc7280_pp_sblk, +- DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR2, 30), +- -1), +- PP_BLK_DIPHER("pingpong_5", PINGPONG_5, 0x6e000, MERGE_3D_2, sc7280_pp_sblk, +- DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR2, 31), +- -1), +- PP_BLK_DIPHER("pingpong_6", PINGPONG_6, 0x66000, MERGE_3D_3, sc7280_pp_sblk, +- -1, +- -1), +- PP_BLK_DIPHER("pingpong_7", PINGPONG_7, 0x66400, MERGE_3D_3, sc7280_pp_sblk, +- -1, +- -1), +-}; +- + /************************************************************* + * MERGE_3D sub blocks config + *************************************************************/ +@@ -1845,20 +1579,6 @@ static const struct dpu_merge_3d_cfg sm8350_merge_3d[] = { + MERGE_3D_BLK("merge_3d_2", MERGE_3D_2, 0x50000), + }; + +-static const struct dpu_merge_3d_cfg sm8450_merge_3d[] = { +- MERGE_3D_BLK("merge_3d_0", MERGE_3D_0, 0x4e000), +- MERGE_3D_BLK("merge_3d_1", MERGE_3D_1, 0x4f000), +- MERGE_3D_BLK("merge_3d_2", MERGE_3D_2, 0x50000), +- MERGE_3D_BLK("merge_3d_3", MERGE_3D_3, 0x65f00), +-}; +- +-static const struct dpu_merge_3d_cfg sm8550_merge_3d[] = { +- MERGE_3D_BLK("merge_3d_0", MERGE_3D_0, 0x4e000), +- MERGE_3D_BLK("merge_3d_1", MERGE_3D_1, 0x4f000), +- MERGE_3D_BLK("merge_3d_2", MERGE_3D_2, 0x50000), +- MERGE_3D_BLK("merge_3d_3", MERGE_3D_3, 0x66700), +-}; +- + /************************************************************* + * DSC sub blocks config + *************************************************************/ +@@ -1965,21 +1685,6 @@ static const struct dpu_intf_cfg qcm2290_intf[] = { + INTF_BLK("intf_1", INTF_1, 0x6A800, 0x2c0, INTF_DSI, 0, 24, INTF_SC7180_MASK, MDP_SSPP_TOP0_INTR, 26, 27), + }; + +-static const struct dpu_intf_cfg sm8450_intf[] = { +- INTF_BLK("intf_0", INTF_0, 0x34000, 0x280, INTF_DP, MSM_DP_CONTROLLER_0, 24, INTF_SC7280_MASK, MDP_SSPP_TOP0_INTR, 24, 25), +- INTF_BLK("intf_1", INTF_1, 0x35000, 0x300, INTF_DSI, 0, 24, INTF_SC7280_MASK, MDP_SSPP_TOP0_INTR, 26, 27), +- INTF_BLK("intf_2", INTF_2, 0x36000, 0x300, INTF_DSI, 1, 24, INTF_SC7280_MASK, MDP_SSPP_TOP0_INTR, 28, 29), +- INTF_BLK("intf_3", INTF_3, 0x37000, 0x280, INTF_DP, MSM_DP_CONTROLLER_1, 24, INTF_SC7280_MASK, MDP_SSPP_TOP0_INTR, 30, 31), +-}; +- +-static const struct dpu_intf_cfg sm8550_intf[] = { +- INTF_BLK("intf_0", INTF_0, 0x34000, 0x280, INTF_DP, MSM_DP_CONTROLLER_0, 24, INTF_SC7280_MASK, MDP_SSPP_TOP0_INTR, 24, 25), +- /* TODO TE sub-blocks for intf1 & intf2 */ +- INTF_BLK("intf_1", INTF_1, 0x35000, 0x300, INTF_DSI, 0, 24, INTF_SC7280_MASK, MDP_SSPP_TOP0_INTR, 26, 27), +- INTF_BLK("intf_2", INTF_2, 0x36000, 0x300, INTF_DSI, 1, 24, INTF_SC7280_MASK, MDP_SSPP_TOP0_INTR, 28, 29), +- INTF_BLK("intf_3", INTF_3, 0x37000, 0x280, INTF_DP, MSM_DP_CONTROLLER_1, 24, INTF_SC7280_MASK, MDP_SSPP_TOP0_INTR, 30, 31), +-}; +- + /************************************************************* + * Writeback blocks config + *************************************************************/ +@@ -2448,36 +2153,6 @@ static const struct dpu_perf_cfg sm8250_perf_data = { + .bw_inefficiency_factor = 120, + }; + +-static const struct dpu_perf_cfg sm8450_perf_data = { +- .max_bw_low = 13600000, +- .max_bw_high = 18200000, +- .min_core_ib = 2500000, +- .min_llcc_ib = 0, +- .min_dram_ib = 800000, +- .min_prefill_lines = 35, +- /* FIXME: lut tables */ +- .danger_lut_tbl = {0x3ffff, 0x3ffff, 0x0}, +- .safe_lut_tbl = {0xfe00, 0xfe00, 0xffff}, +- .qos_lut_tbl = { +- {.nentry = ARRAY_SIZE(sc7180_qos_linear), +- .entries = sc7180_qos_linear +- }, +- {.nentry = ARRAY_SIZE(sc7180_qos_macrotile), +- .entries = sc7180_qos_macrotile +- }, +- {.nentry = ARRAY_SIZE(sc7180_qos_nrt), +- .entries = sc7180_qos_nrt +- }, +- /* TODO: macrotile-qseed is different from macrotile */ +- }, +- .cdp_cfg = { +- {.rd_enable = 1, .wr_enable = 1}, +- {.rd_enable = 1, .wr_enable = 0} +- }, +- .clk_inefficiency_factor = 105, +- .bw_inefficiency_factor = 120, +-}; +- + static const struct dpu_perf_cfg sc7280_perf_data = { + .max_bw_low = 4700000, + .max_bw_high = 8800000, +@@ -2799,60 +2474,6 @@ static const struct dpu_mdss_cfg sm8350_dpu_cfg = { + .mdss_irqs = IRQ_SM8350_MASK, + }; + +-static const struct dpu_mdss_cfg sm8450_dpu_cfg = { +- .caps = &sm8450_dpu_caps, +- .ubwc = &sm8450_ubwc_cfg, +- .mdp_count = ARRAY_SIZE(sm8450_mdp), +- .mdp = sm8450_mdp, +- .ctl_count = ARRAY_SIZE(sm8450_ctl), +- .ctl = sm8450_ctl, +- .sspp_count = ARRAY_SIZE(sm8450_sspp), +- .sspp = sm8450_sspp, +- .mixer_count = ARRAY_SIZE(sm8150_lm), +- .mixer = sm8150_lm, +- .dspp_count = ARRAY_SIZE(sm8150_dspp), +- .dspp = sm8150_dspp, +- .pingpong_count = ARRAY_SIZE(sm8450_pp), +- .pingpong = sm8450_pp, +- .merge_3d_count = ARRAY_SIZE(sm8450_merge_3d), +- .merge_3d = sm8450_merge_3d, +- .intf_count = ARRAY_SIZE(sm8450_intf), +- .intf = sm8450_intf, +- .vbif_count = ARRAY_SIZE(sdm845_vbif), +- .vbif = sdm845_vbif, +- .reg_dma_count = 1, +- .dma_cfg = &sm8450_regdma, +- .perf = &sm8450_perf_data, +- .mdss_irqs = IRQ_SM8450_MASK, +-}; +- +-static const struct dpu_mdss_cfg sm8550_dpu_cfg = { +- .caps = &sm8550_dpu_caps, +- .ubwc = &sm8550_ubwc_cfg, +- .mdp_count = ARRAY_SIZE(sm8550_mdp), +- .mdp = sm8550_mdp, +- .ctl_count = ARRAY_SIZE(sm8550_ctl), +- .ctl = sm8550_ctl, +- .sspp_count = ARRAY_SIZE(sm8550_sspp), +- .sspp = sm8550_sspp, +- .mixer_count = ARRAY_SIZE(sm8150_lm), +- .mixer = sm8150_lm, +- .dspp_count = ARRAY_SIZE(sm8150_dspp), +- .dspp = sm8150_dspp, +- .pingpong_count = ARRAY_SIZE(sm8550_pp), +- .pingpong = sm8550_pp, +- .merge_3d_count = ARRAY_SIZE(sm8550_merge_3d), +- .merge_3d = sm8550_merge_3d, +- .intf_count = ARRAY_SIZE(sm8550_intf), +- .intf = sm8550_intf, +- .vbif_count = ARRAY_SIZE(sdm845_vbif), +- .vbif = sdm845_vbif, +- .reg_dma_count = 1, +- .dma_cfg = &sm8450_regdma, +- .perf = &sm8450_perf_data, +- .mdss_irqs = IRQ_SM8450_MASK, +-}; +- + static const struct dpu_mdss_cfg sc7280_dpu_cfg = { + .caps = &sc7280_dpu_caps, + .ubwc = &sc7280_ubwc_cfg, +@@ -2899,6 +2520,10 @@ static const struct dpu_mdss_cfg qcm2290_dpu_cfg = { + .mdss_irqs = IRQ_SC7180_MASK, + }; + ++#include "catalog/dpu_8_1_sm8450.h" ++ ++#include "catalog/dpu_9_0_sm8550.h" ++ + static const struct dpu_mdss_hw_cfg_handler cfg_handler[] = { + { .hw_rev = DPU_HW_VER_300, .dpu_cfg = &msm8998_dpu_cfg}, + { .hw_rev = DPU_HW_VER_301, .dpu_cfg = &msm8998_dpu_cfg}, +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-211-drm-msm-dpu-Fix-PP_BLK_DIPHER-DITHER-typo.patch b/patches.kernel.org/6.3.4-211-drm-msm-dpu-Fix-PP_BLK_DIPHER-DITHER-typo.patch new file mode 100644 index 0000000..2ebc7d1 --- /dev/null +++ b/patches.kernel.org/6.3.4-211-drm-msm-dpu-Fix-PP_BLK_DIPHER-DITHER-typo.patch @@ -0,0 +1,86 @@ +From: Marijn Suijten +Date: Thu, 27 Apr 2023 00:37:19 +0200 +Subject: [PATCH] drm/msm/dpu: Fix PP_BLK_DIPHER -> DITHER typo +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 701f69183d4d52533fb2af0d6948b7d1b00d1a09 + +[ Upstream commit 701f69183d4d52533fb2af0d6948b7d1b00d1a09 ] + +SM8550 exclusively has a DITHER sub-block inside the PINGPONG block and +no other registers, hence the DITHER name of the macro and a +corresponding PINGPONG block length of zero. However, the PP_BLK_ macro +name was typo'd to DIPHER rather than DITHER. + +Fixes: efcd0107727c ("drm/msm/dpu: add support for SM8550") +Signed-off-by: Marijn Suijten +Reviewed-by: Konrad Dybcio +Reviewed-by: Dmitry Baryshkov +Reviewed-by: Abhinav Kumar +Patchwork: https://patchwork.freedesktop.org/patch/534214/ +Link: https://lore.kernel.org/r/20230411-dpu-intf-te-v4-5-27ce1a5ab5c6@somainline.org +Signed-off-by: Abhinav Kumar +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + .../drm/msm/disp/dpu1/catalog/dpu_9_0_sm8550.h | 16 ++++++++-------- + drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c | 2 +- + 2 files changed, 9 insertions(+), 9 deletions(-) + +diff --git a/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_9_0_sm8550.h b/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_9_0_sm8550.h +index 29d87862..6b71ab01 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_9_0_sm8550.h ++++ b/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_9_0_sm8550.h +@@ -106,28 +106,28 @@ static const struct dpu_sspp_cfg sm8550_sspp[] = { + }; + + static const struct dpu_pingpong_cfg sm8550_pp[] = { +- PP_BLK_DIPHER("pingpong_0", PINGPONG_0, 0x69000, MERGE_3D_0, sc7280_pp_sblk, ++ PP_BLK_DITHER("pingpong_0", PINGPONG_0, 0x69000, MERGE_3D_0, sc7280_pp_sblk, + DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR, 8), + -1), +- PP_BLK_DIPHER("pingpong_1", PINGPONG_1, 0x6a000, MERGE_3D_0, sc7280_pp_sblk, ++ PP_BLK_DITHER("pingpong_1", PINGPONG_1, 0x6a000, MERGE_3D_0, sc7280_pp_sblk, + DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR, 9), + -1), +- PP_BLK_DIPHER("pingpong_2", PINGPONG_2, 0x6b000, MERGE_3D_1, sc7280_pp_sblk, ++ PP_BLK_DITHER("pingpong_2", PINGPONG_2, 0x6b000, MERGE_3D_1, sc7280_pp_sblk, + DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR, 10), + -1), +- PP_BLK_DIPHER("pingpong_3", PINGPONG_3, 0x6c000, MERGE_3D_1, sc7280_pp_sblk, ++ PP_BLK_DITHER("pingpong_3", PINGPONG_3, 0x6c000, MERGE_3D_1, sc7280_pp_sblk, + DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR, 11), + -1), +- PP_BLK_DIPHER("pingpong_4", PINGPONG_4, 0x6d000, MERGE_3D_2, sc7280_pp_sblk, ++ PP_BLK_DITHER("pingpong_4", PINGPONG_4, 0x6d000, MERGE_3D_2, sc7280_pp_sblk, + DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR2, 30), + -1), +- PP_BLK_DIPHER("pingpong_5", PINGPONG_5, 0x6e000, MERGE_3D_2, sc7280_pp_sblk, ++ PP_BLK_DITHER("pingpong_5", PINGPONG_5, 0x6e000, MERGE_3D_2, sc7280_pp_sblk, + DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR2, 31), + -1), +- PP_BLK_DIPHER("pingpong_6", PINGPONG_6, 0x66000, MERGE_3D_3, sc7280_pp_sblk, ++ PP_BLK_DITHER("pingpong_6", PINGPONG_6, 0x66000, MERGE_3D_3, sc7280_pp_sblk, + -1, + -1), +- PP_BLK_DIPHER("pingpong_7", PINGPONG_7, 0x66400, MERGE_3D_3, sc7280_pp_sblk, ++ PP_BLK_DITHER("pingpong_7", PINGPONG_7, 0x66400, MERGE_3D_3, sc7280_pp_sblk, + -1, + -1), + }; +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c +index e32b8aed..f7214c44 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c +@@ -1435,7 +1435,7 @@ static const struct dpu_pingpong_sub_blks sc7280_pp_sblk = { + .len = 0x20, .version = 0x20000}, + }; + +-#define PP_BLK_DIPHER(_name, _id, _base, _merge_3d, _sblk, _done, _rdptr) \ ++#define PP_BLK_DITHER(_name, _id, _base, _merge_3d, _sblk, _done, _rdptr) \ + {\ + .name = _name, .id = _id, \ + .base = _base, .len = 0, \ +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-212-drm-msm-dpu-Remove-duplicate-register-defines-f.patch b/patches.kernel.org/6.3.4-212-drm-msm-dpu-Remove-duplicate-register-defines-f.patch new file mode 100644 index 0000000..81b6adf --- /dev/null +++ b/patches.kernel.org/6.3.4-212-drm-msm-dpu-Remove-duplicate-register-defines-f.patch @@ -0,0 +1,46 @@ +From: Marijn Suijten +Date: Thu, 27 Apr 2023 00:37:22 +0200 +Subject: [PATCH] drm/msm/dpu: Remove duplicate register defines from INTF +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 202c044203ac5860e3025169105368d99f9bc6a2 + +[ Upstream commit 202c044203ac5860e3025169105368d99f9bc6a2 ] + +The INTF_FRAME_LINE_COUNT_EN, INTF_FRAME_COUNT and INTF_LINE_COUNT +registers are already defined higher up, in the right place when sorted +numerically. + +Fixes: 25fdd5933e4c ("drm/msm: Add SDM845 DPU support") +Signed-off-by: Marijn Suijten +Reviewed-by: Konrad Dybcio +Reviewed-by: Dmitry Baryshkov +Reviewed-by: Abhinav Kumar +Patchwork: https://patchwork.freedesktop.org/patch/534231/ +Link: https://lore.kernel.org/r/20230411-dpu-intf-te-v4-8-27ce1a5ab5c6@somainline.org +Signed-off-by: Abhinav Kumar +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/gpu/drm/msm/disp/dpu1/dpu_hw_intf.c | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_intf.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_intf.c +index 7ce66bf3..b2a94b9a 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_intf.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_intf.c +@@ -56,11 +56,6 @@ + #define INTF_TPG_RGB_MAPPING 0x11C + #define INTF_PROG_FETCH_START 0x170 + #define INTF_PROG_ROT_START 0x174 +- +-#define INTF_FRAME_LINE_COUNT_EN 0x0A8 +-#define INTF_FRAME_COUNT 0x0AC +-#define INTF_LINE_COUNT 0x0B0 +- + #define INTF_MUX 0x25C + + #define INTF_CFG_ACTIVE_H_EN BIT(29) +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-213-dt-bindings-display-msm-dsi-controller-main-Doc.patch b/patches.kernel.org/6.3.4-213-dt-bindings-display-msm-dsi-controller-main-Doc.patch new file mode 100644 index 0000000..03e8bfa --- /dev/null +++ b/patches.kernel.org/6.3.4-213-dt-bindings-display-msm-dsi-controller-main-Doc.patch @@ -0,0 +1,53 @@ +From: Jianhua Lu +Date: Thu, 27 Apr 2023 20:21:32 +0800 +Subject: [PATCH] dt-bindings: display/msm: dsi-controller-main: Document qcom, + master-dsi and qcom, sync-dual-dsi +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: ca29699a57ecee6084a4056f5bfd6f11dd359a71 + +[ Upstream commit ca29699a57ecee6084a4056f5bfd6f11dd359a71 ] + +This fixes warning: + sm8250-xiaomi-elish-csot.dtb: dsi@ae94000: Unevaluated properties are not allowed ('qcom,master-dsi', 'qcom,sync-dual-dsi' were unexpected) + +Reviewed-by: Dmitry Baryshkov +Acked-by: Rob Herring +Signed-off-by: Jianhua Lu +Fixes: 4dbe55c97741 ("dt-bindings: msm: dsi: add yaml schemas for DSI bindings") +Reviewed-by: Abhinav Kumar +Patchwork: https://patchwork.freedesktop.org/patch/534306/ +Link: https://lore.kernel.org/r/20230427122132.24840-1-lujianhua000@gmail.com +Signed-off-by: Abhinav Kumar +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + .../bindings/display/msm/dsi-controller-main.yaml | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/Documentation/devicetree/bindings/display/msm/dsi-controller-main.yaml b/Documentation/devicetree/bindings/display/msm/dsi-controller-main.yaml +index e75a3efe..c888dd37 100644 +--- a/Documentation/devicetree/bindings/display/msm/dsi-controller-main.yaml ++++ b/Documentation/devicetree/bindings/display/msm/dsi-controller-main.yaml +@@ -82,6 +82,18 @@ properties: + Indicates if the DSI controller is driving a panel which needs + 2 DSI links. + ++ qcom,master-dsi: ++ type: boolean ++ description: | ++ Indicates if the DSI controller is the master DSI controller when ++ qcom,dual-dsi-mode enabled. ++ ++ qcom,sync-dual-dsi: ++ type: boolean ++ description: | ++ Indicates if the DSI controller needs to sync the other DSI controller ++ with MIPI DCS commands when qcom,dual-dsi-mode enabled. ++ + assigned-clocks: + minItems: 2 + maxItems: 4 +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-214-SUNRPC-Fix-encoding-of-accepted-but-unsuccessfu.patch b/patches.kernel.org/6.3.4-214-SUNRPC-Fix-encoding-of-accepted-but-unsuccessfu.patch new file mode 100644 index 0000000..d9ddb8e --- /dev/null +++ b/patches.kernel.org/6.3.4-214-SUNRPC-Fix-encoding-of-accepted-but-unsuccessfu.patch @@ -0,0 +1,96 @@ +From: Chuck Lever +Date: Tue, 2 May 2023 14:59:10 -0400 +Subject: [PATCH] SUNRPC: Fix encoding of accepted but unsuccessful RPC replies +Patch-mainline: 6.3.4 +References: bsc#1012628 bsc#1210995 +Git-commit: 29cd2927fb914cc53b5ba4f67d2b74695c994ba4 + +[ Upstream commit 29cd2927fb914cc53b5ba4f67d2b74695c994ba4 ] + +Jiri Slaby says: +> I bisected to this ... as it breaks nfs3-only servers in 6.3. +> I.e. /etc/nfs.conf containing: +> [nfsd] +> vers4=no +> +> The client sees: +> mount("10.0.2.15:/tmp", "/mnt", "nfs", 0, "vers=4.2,addr=10.0.2.15,clientad"...) = -1 EIO (Input/output error) +> write(2, "mount.nfs: mount system call fai"..., 45 +> mount.nfs: mount system call failed for /mnt +> +> And the kernel says: +> nfs4_discover_server_trunking unhandled error -5. Exiting with error EIO + +Reported-by: Jiri Slaby +Link: https://bugzilla.suse.com/show_bug.cgi?id=1210995 +Fixes: 4bcf0343e8a6 ("SUNRPC: Set rq_accept_statp inside ->accept methods") +Tested-by: Jiri Slaby +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + net/sunrpc/svc.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +diff --git a/net/sunrpc/svc.c b/net/sunrpc/svc.c +index fea7ce8f..9874a6de 100644 +--- a/net/sunrpc/svc.c ++++ b/net/sunrpc/svc.c +@@ -1382,7 +1382,7 @@ svc_process_common(struct svc_rqst *rqstp) + /* Only RPCv2 supported */ + xdr_stream_encode_u32(xdr, RPC_VERSION); + xdr_stream_encode_u32(xdr, RPC_VERSION); +- goto sendit; ++ return 1; /* don't wrap */ + + err_bad_auth: + dprintk("svc: authentication failed (%d)\n", +@@ -1398,7 +1398,7 @@ svc_process_common(struct svc_rqst *rqstp) + err_bad_prog: + dprintk("svc: unknown program %d\n", rqstp->rq_prog); + serv->sv_stats->rpcbadfmt++; +- xdr_stream_encode_u32(xdr, RPC_PROG_UNAVAIL); ++ *rqstp->rq_accept_statp = rpc_prog_unavail; + goto sendit; + + err_bad_vers: +@@ -1406,7 +1406,12 @@ svc_process_common(struct svc_rqst *rqstp) + rqstp->rq_vers, rqstp->rq_prog, progp->pg_name); + + serv->sv_stats->rpcbadfmt++; +- xdr_stream_encode_u32(xdr, RPC_PROG_MISMATCH); ++ *rqstp->rq_accept_statp = rpc_prog_mismatch; ++ ++ /* ++ * svc_authenticate() has already added the verifier and ++ * advanced the stream just past rq_accept_statp. ++ */ + xdr_stream_encode_u32(xdr, process.mismatch.lovers); + xdr_stream_encode_u32(xdr, process.mismatch.hivers); + goto sendit; +@@ -1415,19 +1420,19 @@ svc_process_common(struct svc_rqst *rqstp) + svc_printk(rqstp, "unknown procedure (%d)\n", rqstp->rq_proc); + + serv->sv_stats->rpcbadfmt++; +- xdr_stream_encode_u32(xdr, RPC_PROC_UNAVAIL); ++ *rqstp->rq_accept_statp = rpc_proc_unavail; + goto sendit; + + err_garbage_args: + svc_printk(rqstp, "failed to decode RPC header\n"); + + serv->sv_stats->rpcbadfmt++; +- xdr_stream_encode_u32(xdr, RPC_GARBAGE_ARGS); ++ *rqstp->rq_accept_statp = rpc_garbage_args; + goto sendit; + + err_system_err: + serv->sv_stats->rpcbadfmt++; +- xdr_stream_encode_u32(xdr, RPC_SYSTEM_ERR); ++ *rqstp->rq_accept_statp = rpc_system_err; + goto sendit; + } + +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-215-ASoC-fsl_micfil-Fix-error-handler-with-pm_runti.patch b/patches.kernel.org/6.3.4-215-ASoC-fsl_micfil-Fix-error-handler-with-pm_runti.patch new file mode 100644 index 0000000..117e447 --- /dev/null +++ b/patches.kernel.org/6.3.4-215-ASoC-fsl_micfil-Fix-error-handler-with-pm_runti.patch @@ -0,0 +1,71 @@ +From: Shengjiu Wang +Date: Mon, 8 May 2023 18:16:36 +0800 +Subject: [PATCH] ASoC: fsl_micfil: Fix error handler with pm_runtime_enable +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 17955aba7877a4494d8093ae5498e19469b01d57 + +[ Upstream commit 17955aba7877a4494d8093ae5498e19469b01d57 ] + +There is error message when defer probe happens: + +fsl-micfil-dai 30ca0000.micfil: Unbalanced pm_runtime_enable! + +Fix the error handler with pm_runtime_enable and add +fsl_micfil_remove() for pm_runtime_disable. + +Fixes: 47a70e6fc9a8 ("ASoC: Add MICFIL SoC Digital Audio Interface driver.") +Signed-off-by: Shengjiu Wang +Signed-off-by: Jiri Slaby +--- + sound/soc/fsl/fsl_micfil.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/fsl/fsl_micfil.c b/sound/soc/fsl/fsl_micfil.c +index 94341e43..3f08082a 100644 +--- a/sound/soc/fsl/fsl_micfil.c ++++ b/sound/soc/fsl/fsl_micfil.c +@@ -1159,7 +1159,7 @@ static int fsl_micfil_probe(struct platform_device *pdev) + ret = devm_snd_dmaengine_pcm_register(&pdev->dev, NULL, 0); + if (ret) { + dev_err(&pdev->dev, "failed to pcm register\n"); +- return ret; ++ goto err_pm_disable; + } + + fsl_micfil_dai.capture.formats = micfil->soc->formats; +@@ -1169,9 +1169,20 @@ static int fsl_micfil_probe(struct platform_device *pdev) + if (ret) { + dev_err(&pdev->dev, "failed to register component %s\n", + fsl_micfil_component.name); ++ goto err_pm_disable; + } + + return ret; ++ ++err_pm_disable: ++ pm_runtime_disable(&pdev->dev); ++ ++ return ret; ++} ++ ++static void fsl_micfil_remove(struct platform_device *pdev) ++{ ++ pm_runtime_disable(&pdev->dev); + } + + static int __maybe_unused fsl_micfil_runtime_suspend(struct device *dev) +@@ -1232,6 +1243,7 @@ static const struct dev_pm_ops fsl_micfil_pm_ops = { + + static struct platform_driver fsl_micfil_driver = { + .probe = fsl_micfil_probe, ++ .remove_new = fsl_micfil_remove, + .driver = { + .name = "fsl-micfil-dai", + .pm = &fsl_micfil_pm_ops, +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-216-cpupower-Make-TSC-read-per-CPU-for-Mperf-monito.patch b/patches.kernel.org/6.3.4-216-cpupower-Make-TSC-read-per-CPU-for-Mperf-monito.patch new file mode 100644 index 0000000..ec05896 --- /dev/null +++ b/patches.kernel.org/6.3.4-216-cpupower-Make-TSC-read-per-CPU-for-Mperf-monito.patch @@ -0,0 +1,160 @@ +From: Wyes Karny +Date: Thu, 4 May 2023 06:25:44 +0000 +Subject: [PATCH] cpupower: Make TSC read per CPU for Mperf monitor +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: c2adb1877b76fc81ae041e1db1a6ed2078c6746b + +[ Upstream commit c2adb1877b76fc81ae041e1db1a6ed2078c6746b ] + +System-wide TSC read could cause a drift in C0 percentage calculation. +Because if first TSC is read and then one by one mperf is read for all +cpus, this introduces drift between mperf reading of later CPUs and TSC +reading. To lower this drift read TSC per CPU and also just after mperf +read. This technique improves C0 percentage calculation in Mperf monitor. + +Before fix: (System 100% busy) + + | Mperf || RAPL || Idle_Stats + PKG|CORE| CPU| C0 | Cx | Freq || pack | core || POLL | C1 | C2 + 0| 0| 0| 87.15| 12.85| 2695||168659003|3970468|| 0.00| 0.00| 0.00 + 0| 0| 256| 84.62| 15.38| 2695||168659003|3970468|| 0.00| 0.00| 0.00 + 0| 1| 1| 87.15| 12.85| 2695||168659003|3970468|| 0.00| 0.00| 0.00 + 0| 1| 257| 84.08| 15.92| 2695||168659003|3970468|| 0.00| 0.00| 0.00 + 0| 2| 2| 86.61| 13.39| 2695||168659003|3970468|| 0.00| 0.00| 0.00 + 0| 2| 258| 83.26| 16.74| 2695||168659003|3970468|| 0.00| 0.00| 0.00 + 0| 3| 3| 86.61| 13.39| 2695||168659003|3970468|| 0.00| 0.00| 0.00 + 0| 3| 259| 83.60| 16.40| 2695||168659003|3970468|| 0.00| 0.00| 0.00 + 0| 4| 4| 86.33| 13.67| 2695||168659003|3970468|| 0.00| 0.00| 0.00 + 0| 4| 260| 83.33| 16.67| 2695||168659003|3970468|| 0.00| 0.00| 0.00 + 0| 5| 5| 86.06| 13.94| 2695||168659003|3970468|| 0.00| 0.00| 0.00 + 0| 5| 261| 83.05| 16.95| 2695||168659003|3970468|| 0.00| 0.00| 0.00 + 0| 6| 6| 85.51| 14.49| 2695||168659003|3970468|| 0.00| 0.00| 0.00 + +After fix: (System 100% busy) + + | Mperf || RAPL || Idle_Stats + PKG|CORE| CPU| C0 | Cx | Freq || pack | core || POLL | C1 | C2 + 0| 0| 0| 98.03| 1.97| 2415||163295480|3811189|| 0.00| 0.00| 0.00 + 0| 0| 256| 98.50| 1.50| 2394||163295480|3811189|| 0.00| 0.00| 0.00 + 0| 1| 1| 99.99| 0.01| 2401||163295480|3811189|| 0.00| 0.00| 0.00 + 0| 1| 257| 99.99| 0.01| 2375||163295480|3811189|| 0.00| 0.00| 0.00 + 0| 2| 2| 99.99| 0.01| 2401||163295480|3811189|| 0.00| 0.00| 0.00 + 0| 2| 258|100.00| 0.00| 2401||163295480|3811189|| 0.00| 0.00| 0.00 + 0| 3| 3|100.00| 0.00| 2401||163295480|3811189|| 0.00| 0.00| 0.00 + 0| 3| 259| 99.99| 0.01| 2435||163295480|3811189|| 0.00| 0.00| 0.00 + 0| 4| 4|100.00| 0.00| 2401||163295480|3811189|| 0.00| 0.00| 0.00 + 0| 4| 260|100.00| 0.00| 2435||163295480|3811189|| 0.00| 0.00| 0.00 + 0| 5| 5| 99.99| 0.01| 2401||163295480|3811189|| 0.00| 0.00| 0.00 + 0| 5| 261|100.00| 0.00| 2435||163295480|3811189|| 0.00| 0.00| 0.00 + 0| 6| 6|100.00| 0.00| 2401||163295480|3811189|| 0.00| 0.00| 0.00 + 0| 6| 262|100.00| 0.00| 2435||163295480|3811189|| 0.00| 0.00| 0.00 + +Cc: Thomas Renninger +Cc: Shuah Khan +Cc: Dominik Brodowski + +Fixes: 7fe2f6399a84 ("cpupowerutils - cpufrequtils extended with quite some features") +Signed-off-by: Wyes Karny +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + .../utils/idle_monitor/mperf_monitor.c | 31 +++++++++---------- + 1 file changed, 14 insertions(+), 17 deletions(-) + +diff --git a/tools/power/cpupower/utils/idle_monitor/mperf_monitor.c b/tools/power/cpupower/utils/idle_monitor/mperf_monitor.c +index e7d48cb5..ae6af354 100644 +--- a/tools/power/cpupower/utils/idle_monitor/mperf_monitor.c ++++ b/tools/power/cpupower/utils/idle_monitor/mperf_monitor.c +@@ -70,8 +70,8 @@ static int max_freq_mode; + */ + static unsigned long max_frequency; + +-static unsigned long long tsc_at_measure_start; +-static unsigned long long tsc_at_measure_end; ++static unsigned long long *tsc_at_measure_start; ++static unsigned long long *tsc_at_measure_end; + static unsigned long long *mperf_previous_count; + static unsigned long long *aperf_previous_count; + static unsigned long long *mperf_current_count; +@@ -169,7 +169,7 @@ static int mperf_get_count_percent(unsigned int id, double *percent, + aperf_diff = aperf_current_count[cpu] - aperf_previous_count[cpu]; + + if (max_freq_mode == MAX_FREQ_TSC_REF) { +- tsc_diff = tsc_at_measure_end - tsc_at_measure_start; ++ tsc_diff = tsc_at_measure_end[cpu] - tsc_at_measure_start[cpu]; + *percent = 100.0 * mperf_diff / tsc_diff; + dprint("%s: TSC Ref - mperf_diff: %llu, tsc_diff: %llu\n", + mperf_cstates[id].name, mperf_diff, tsc_diff); +@@ -206,7 +206,7 @@ static int mperf_get_count_freq(unsigned int id, unsigned long long *count, + + if (max_freq_mode == MAX_FREQ_TSC_REF) { + /* Calculate max_freq from TSC count */ +- tsc_diff = tsc_at_measure_end - tsc_at_measure_start; ++ tsc_diff = tsc_at_measure_end[cpu] - tsc_at_measure_start[cpu]; + time_diff = timespec_diff_us(time_start, time_end); + max_frequency = tsc_diff / time_diff; + } +@@ -225,33 +225,27 @@ static int mperf_get_count_freq(unsigned int id, unsigned long long *count, + static int mperf_start(void) + { + int cpu; +- unsigned long long dbg; + + clock_gettime(CLOCK_REALTIME, &time_start); +- mperf_get_tsc(&tsc_at_measure_start); + +- for (cpu = 0; cpu < cpu_count; cpu++) ++ for (cpu = 0; cpu < cpu_count; cpu++) { ++ mperf_get_tsc(&tsc_at_measure_start[cpu]); + mperf_init_stats(cpu); ++ } + +- mperf_get_tsc(&dbg); +- dprint("TSC diff: %llu\n", dbg - tsc_at_measure_start); + return 0; + } + + static int mperf_stop(void) + { +- unsigned long long dbg; + int cpu; + +- for (cpu = 0; cpu < cpu_count; cpu++) ++ for (cpu = 0; cpu < cpu_count; cpu++) { + mperf_measure_stats(cpu); ++ mperf_get_tsc(&tsc_at_measure_end[cpu]); ++ } + +- mperf_get_tsc(&tsc_at_measure_end); + clock_gettime(CLOCK_REALTIME, &time_end); +- +- mperf_get_tsc(&dbg); +- dprint("TSC diff: %llu\n", dbg - tsc_at_measure_end); +- + return 0; + } + +@@ -353,7 +347,8 @@ struct cpuidle_monitor *mperf_register(void) + aperf_previous_count = calloc(cpu_count, sizeof(unsigned long long)); + mperf_current_count = calloc(cpu_count, sizeof(unsigned long long)); + aperf_current_count = calloc(cpu_count, sizeof(unsigned long long)); +- ++ tsc_at_measure_start = calloc(cpu_count, sizeof(unsigned long long)); ++ tsc_at_measure_end = calloc(cpu_count, sizeof(unsigned long long)); + mperf_monitor.name_len = strlen(mperf_monitor.name); + return &mperf_monitor; + } +@@ -364,6 +359,8 @@ void mperf_unregister(void) + free(aperf_previous_count); + free(mperf_current_count); + free(aperf_current_count); ++ free(tsc_at_measure_start); ++ free(tsc_at_measure_end); + free(is_valid); + } + +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-217-xfrm-Reject-optional-tunnel-BEET-mode-templates.patch b/patches.kernel.org/6.3.4-217-xfrm-Reject-optional-tunnel-BEET-mode-templates.patch new file mode 100644 index 0000000..aa6f1e3 --- /dev/null +++ b/patches.kernel.org/6.3.4-217-xfrm-Reject-optional-tunnel-BEET-mode-templates.patch @@ -0,0 +1,94 @@ +From: Tobias Brunner +Date: Tue, 9 May 2023 10:59:58 +0200 +Subject: [PATCH] xfrm: Reject optional tunnel/BEET mode templates in outbound + policies +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 3d776e31c841ba2f69895d2255a49320bec7cea6 + +[ Upstream commit 3d776e31c841ba2f69895d2255a49320bec7cea6 ] + +xfrm_state_find() uses `encap_family` of the current template with +the passed local and remote addresses to find a matching state. +If an optional tunnel or BEET mode template is skipped in a mixed-family +scenario, there could be a mismatch causing an out-of-bounds read as +the addresses were not replaced to match the family of the next template. + +While there are theoretical use cases for optional templates in outbound +policies, the only practical one is to skip IPComp states in inbound +policies if uncompressed packets are received that are handled by an +implicitly created IPIP state instead. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Tobias Brunner +Acked-by: Herbert Xu +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + net/xfrm/xfrm_user.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c +index af8fbcbf..6794b9de 100644 +--- a/net/xfrm/xfrm_user.c ++++ b/net/xfrm/xfrm_user.c +@@ -1768,7 +1768,7 @@ static void copy_templates(struct xfrm_policy *xp, struct xfrm_user_tmpl *ut, + } + + static int validate_tmpl(int nr, struct xfrm_user_tmpl *ut, u16 family, +- struct netlink_ext_ack *extack) ++ int dir, struct netlink_ext_ack *extack) + { + u16 prev_family; + int i; +@@ -1794,6 +1794,10 @@ static int validate_tmpl(int nr, struct xfrm_user_tmpl *ut, u16 family, + switch (ut[i].mode) { + case XFRM_MODE_TUNNEL: + case XFRM_MODE_BEET: ++ if (ut[i].optional && dir == XFRM_POLICY_OUT) { ++ NL_SET_ERR_MSG(extack, "Mode in optional template not allowed in outbound policy"); ++ return -EINVAL; ++ } + break; + default: + if (ut[i].family != prev_family) { +@@ -1831,7 +1835,7 @@ static int validate_tmpl(int nr, struct xfrm_user_tmpl *ut, u16 family, + } + + static int copy_from_user_tmpl(struct xfrm_policy *pol, struct nlattr **attrs, +- struct netlink_ext_ack *extack) ++ int dir, struct netlink_ext_ack *extack) + { + struct nlattr *rt = attrs[XFRMA_TMPL]; + +@@ -1842,7 +1846,7 @@ static int copy_from_user_tmpl(struct xfrm_policy *pol, struct nlattr **attrs, + int nr = nla_len(rt) / sizeof(*utmpl); + int err; + +- err = validate_tmpl(nr, utmpl, pol->family, extack); ++ err = validate_tmpl(nr, utmpl, pol->family, dir, extack); + if (err) + return err; + +@@ -1919,7 +1923,7 @@ static struct xfrm_policy *xfrm_policy_construct(struct net *net, + if (err) + goto error; + +- if (!(err = copy_from_user_tmpl(xp, attrs, extack))) ++ if (!(err = copy_from_user_tmpl(xp, attrs, p->dir, extack))) + err = copy_from_user_sec_ctx(xp, attrs); + if (err) + goto error; +@@ -3498,7 +3502,7 @@ static struct xfrm_policy *xfrm_compile_policy(struct sock *sk, int opt, + return NULL; + + nr = ((len - sizeof(*p)) / sizeof(*ut)); +- if (validate_tmpl(nr, ut, p->sel.family, NULL)) ++ if (validate_tmpl(nr, ut, p->sel.family, p->dir, NULL)) + return NULL; + + if (p->dir > XFRM_POLICY_OUT) +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-218-af_key-Reject-optional-tunnel-BEET-mode-templat.patch b/patches.kernel.org/6.3.4-218-af_key-Reject-optional-tunnel-BEET-mode-templat.patch new file mode 100644 index 0000000..2725918 --- /dev/null +++ b/patches.kernel.org/6.3.4-218-af_key-Reject-optional-tunnel-BEET-mode-templat.patch @@ -0,0 +1,72 @@ +From: Tobias Brunner +Date: Tue, 9 May 2023 11:00:06 +0200 +Subject: [PATCH] af_key: Reject optional tunnel/BEET mode templates in + outbound policies +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: cf3128a7aca55b2eefb68281d44749c683bdc96f + +[ Upstream commit cf3128a7aca55b2eefb68281d44749c683bdc96f ] + +xfrm_state_find() uses `encap_family` of the current template with +the passed local and remote addresses to find a matching state. +If an optional tunnel or BEET mode template is skipped in a mixed-family +scenario, there could be a mismatch causing an out-of-bounds read as +the addresses were not replaced to match the family of the next template. + +While there are theoretical use cases for optional templates in outbound +policies, the only practical one is to skip IPComp states in inbound +policies if uncompressed packets are received that are handled by an +implicitly created IPIP state instead. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Tobias Brunner +Acked-by: Herbert Xu +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + net/key/af_key.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/net/key/af_key.c b/net/key/af_key.c +index a815f5ab..31ab12fd 100644 +--- a/net/key/af_key.c ++++ b/net/key/af_key.c +@@ -1940,7 +1940,8 @@ static u32 gen_reqid(struct net *net) + } + + static int +-parse_ipsecrequest(struct xfrm_policy *xp, struct sadb_x_ipsecrequest *rq) ++parse_ipsecrequest(struct xfrm_policy *xp, struct sadb_x_policy *pol, ++ struct sadb_x_ipsecrequest *rq) + { + struct net *net = xp_net(xp); + struct xfrm_tmpl *t = xp->xfrm_vec + xp->xfrm_nr; +@@ -1958,9 +1959,12 @@ parse_ipsecrequest(struct xfrm_policy *xp, struct sadb_x_ipsecrequest *rq) + if ((mode = pfkey_mode_to_xfrm(rq->sadb_x_ipsecrequest_mode)) < 0) + return -EINVAL; + t->mode = mode; +- if (rq->sadb_x_ipsecrequest_level == IPSEC_LEVEL_USE) ++ if (rq->sadb_x_ipsecrequest_level == IPSEC_LEVEL_USE) { ++ if ((mode == XFRM_MODE_TUNNEL || mode == XFRM_MODE_BEET) && ++ pol->sadb_x_policy_dir == IPSEC_DIR_OUTBOUND) ++ return -EINVAL; + t->optional = 1; +- else if (rq->sadb_x_ipsecrequest_level == IPSEC_LEVEL_UNIQUE) { ++ } else if (rq->sadb_x_ipsecrequest_level == IPSEC_LEVEL_UNIQUE) { + t->reqid = rq->sadb_x_ipsecrequest_reqid; + if (t->reqid > IPSEC_MANUAL_REQID_MAX) + t->reqid = 0; +@@ -2002,7 +2006,7 @@ parse_ipsecrequests(struct xfrm_policy *xp, struct sadb_x_policy *pol) + rq->sadb_x_ipsecrequest_len < sizeof(*rq)) + return -EINVAL; + +- if ((err = parse_ipsecrequest(xp, rq)) < 0) ++ if ((err = parse_ipsecrequest(xp, pol, rq)) < 0) + return err; + len -= rq->sadb_x_ipsecrequest_len; + rq = (void*)((u8*)rq + rq->sadb_x_ipsecrequest_len); +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-219-drm-msm-Fix-submit-error-path-leaks.patch b/patches.kernel.org/6.3.4-219-drm-msm-Fix-submit-error-path-leaks.patch new file mode 100644 index 0000000..c603162 --- /dev/null +++ b/patches.kernel.org/6.3.4-219-drm-msm-Fix-submit-error-path-leaks.patch @@ -0,0 +1,88 @@ +From: Rob Clark +Date: Tue, 9 May 2023 13:30:41 -0700 +Subject: [PATCH] drm/msm: Fix submit error-path leaks +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 68dc6c2d5eec45515855cce99256162f45651a0b + +[ Upstream commit 68dc6c2d5eec45515855cce99256162f45651a0b ] + +For errors after msm_submitqueue_get(), we need to drop the submitqueue +reference. Additionally after get_unused_fd() we need to drop the fd. +The ordering for dropping the queue lock and put_unused_fd() is not +important, so just move this all into out_post_unlock. + +v2: Only drop queue ref if submit doesn't take it +v3: Fix unitialized submit ref in error path +v4: IS_ERR_OR_NULL() + +Reported-by: pinkperfect2021@gmail.com +Fixes: f0de40a131d9 drm/msm: ("Reorder lock vs submit alloc") +Signed-off-by: Rob Clark +Patchwork: https://patchwork.freedesktop.org/patch/536073/ +Link: https://lore.kernel.org/r/20230509203041.440619-1-robdclark@gmail.com +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/gpu/drm/msm/msm_gem_submit.c | 25 ++++++++++++++++++------- + 1 file changed, 18 insertions(+), 7 deletions(-) + +diff --git a/drivers/gpu/drm/msm/msm_gem_submit.c b/drivers/gpu/drm/msm/msm_gem_submit.c +index ac8ed731..842dbf96 100644 +--- a/drivers/gpu/drm/msm/msm_gem_submit.c ++++ b/drivers/gpu/drm/msm/msm_gem_submit.c +@@ -719,7 +719,7 @@ int msm_ioctl_gem_submit(struct drm_device *dev, void *data, + struct msm_drm_private *priv = dev->dev_private; + struct drm_msm_gem_submit *args = data; + struct msm_file_private *ctx = file->driver_priv; +- struct msm_gem_submit *submit; ++ struct msm_gem_submit *submit = NULL; + struct msm_gpu *gpu = priv->gpu; + struct msm_gpu_submitqueue *queue; + struct msm_ringbuffer *ring; +@@ -766,13 +766,15 @@ int msm_ioctl_gem_submit(struct drm_device *dev, void *data, + out_fence_fd = get_unused_fd_flags(O_CLOEXEC); + if (out_fence_fd < 0) { + ret = out_fence_fd; +- return ret; ++ goto out_post_unlock; + } + } + + submit = submit_create(dev, gpu, queue, args->nr_bos, args->nr_cmds); +- if (IS_ERR(submit)) +- return PTR_ERR(submit); ++ if (IS_ERR(submit)) { ++ ret = PTR_ERR(submit); ++ goto out_post_unlock; ++ } + + trace_msm_gpu_submit(pid_nr(submit->pid), ring->id, submit->ident, + args->nr_bos, args->nr_cmds); +@@ -955,11 +957,20 @@ int msm_ioctl_gem_submit(struct drm_device *dev, void *data, + if (has_ww_ticket) + ww_acquire_fini(&submit->ticket); + out_unlock: +- if (ret && (out_fence_fd >= 0)) +- put_unused_fd(out_fence_fd); + mutex_unlock(&queue->lock); + out_post_unlock: +- msm_gem_submit_put(submit); ++ if (ret && (out_fence_fd >= 0)) ++ put_unused_fd(out_fence_fd); ++ ++ if (!IS_ERR_OR_NULL(submit)) { ++ msm_gem_submit_put(submit); ++ } else { ++ /* ++ * If the submit hasn't yet taken ownership of the queue ++ * then we need to drop the reference ourself: ++ */ ++ msm_submitqueue_put(queue); ++ } + if (!IS_ERR_OR_NULL(post_deps)) { + for (i = 0; i < args->nr_out_syncobjs; ++i) { + kfree(post_deps[i].chain); +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-220-selftests-seg6-disable-DAD-on-IPv6-router-cfg-f.patch b/patches.kernel.org/6.3.4-220-selftests-seg6-disable-DAD-on-IPv6-router-cfg-f.patch new file mode 100644 index 0000000..0453321 --- /dev/null +++ b/patches.kernel.org/6.3.4-220-selftests-seg6-disable-DAD-on-IPv6-router-cfg-f.patch @@ -0,0 +1,57 @@ +From: Andrea Mayer +Date: Wed, 10 May 2023 13:16:37 +0200 +Subject: [PATCH] selftests: seg6: disable DAD on IPv6 router cfg for + srv6_end_dt4_l3vpn_test +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 21a933c79a33add3612808f3be4ad65dd4dc026b + +[ Upstream commit 21a933c79a33add3612808f3be4ad65dd4dc026b ] + +The srv6_end_dt4_l3vpn_test instantiates a virtual network consisting of +several routers (rt-1, rt-2) and hosts. +When the IPv6 addresses of rt-{1,2} routers are configured, the Deduplicate +Address Detection (DAD) kicks in when enabled in the Linux distros running +the selftests. DAD is used to check whether an IPv6 address is already +assigned in a network. Such a mechanism consists of sending an ICMPv6 Echo +Request and waiting for a reply. +As the DAD process could take too long to complete, it may cause the +failing of some tests carried out by the srv6_end_dt4_l3vpn_test script. + +To make the srv6_end_dt4_l3vpn_test more robust, we disable DAD on routers +since we configure the virtual network manually and do not need any address +deduplication mechanism at all. + +Fixes: 2195444e09b4 ("selftests: add selftest for the SRv6 End.DT4 behavior") +Signed-off-by: Andrea Mayer +Reviewed-by: David Ahern +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + tools/testing/selftests/net/srv6_end_dt4_l3vpn_test.sh | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/net/srv6_end_dt4_l3vpn_test.sh b/tools/testing/selftests/net/srv6_end_dt4_l3vpn_test.sh +index 10031197..37f08d58 100755 +--- a/tools/testing/selftests/net/srv6_end_dt4_l3vpn_test.sh ++++ b/tools/testing/selftests/net/srv6_end_dt4_l3vpn_test.sh +@@ -232,10 +232,14 @@ setup_rt_networking() + local nsname=rt-${rt} + + ip netns add ${nsname} ++ ++ ip netns exec ${nsname} sysctl -wq net.ipv6.conf.all.accept_dad=0 ++ ip netns exec ${nsname} sysctl -wq net.ipv6.conf.default.accept_dad=0 ++ + ip link set veth-rt-${rt} netns ${nsname} + ip -netns ${nsname} link set veth-rt-${rt} name veth0 + +- ip -netns ${nsname} addr add ${IPv6_RT_NETWORK}::${rt}/64 dev veth0 ++ ip -netns ${nsname} addr add ${IPv6_RT_NETWORK}::${rt}/64 dev veth0 nodad + ip -netns ${nsname} link set veth0 up + ip -netns ${nsname} link set lo up + +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-221-selftets-seg6-disable-rp_filter-by-default-in-s.patch b/patches.kernel.org/6.3.4-221-selftets-seg6-disable-rp_filter-by-default-in-s.patch new file mode 100644 index 0000000..96942d7 --- /dev/null +++ b/patches.kernel.org/6.3.4-221-selftets-seg6-disable-rp_filter-by-default-in-s.patch @@ -0,0 +1,64 @@ +From: Andrea Mayer +Date: Wed, 10 May 2023 13:16:38 +0200 +Subject: [PATCH] selftets: seg6: disable rp_filter by default in + srv6_end_dt4_l3vpn_test +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: f97b8401e0deb46ad1e4245c21f651f64f55aaa6 + +[ Upstream commit f97b8401e0deb46ad1e4245c21f651f64f55aaa6 ] + +On some distributions, the rp_filter is automatically set (=1) by +default on a netdev basis (also on VRFs). +In an SRv6 End.DT4 behavior, decapsulated IPv4 packets are routed using +the table associated with the VRF bound to that tunnel. During lookup +operations, the rp_filter can lead to packet loss when activated on the +VRF. +Therefore, we chose to make this selftest more robust by explicitly +disabling the rp_filter during tests (as it is automatically set by some +Linux distributions). + +Fixes: 2195444e09b4 ("selftests: add selftest for the SRv6 End.DT4 behavior") +Reported-by: Hangbin Liu +Signed-off-by: Andrea Mayer +Tested-by: Hangbin Liu +Reviewed-by: David Ahern +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + .../testing/selftests/net/srv6_end_dt4_l3vpn_test.sh | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/tools/testing/selftests/net/srv6_end_dt4_l3vpn_test.sh b/tools/testing/selftests/net/srv6_end_dt4_l3vpn_test.sh +index 37f08d58..f9628236 100755 +--- a/tools/testing/selftests/net/srv6_end_dt4_l3vpn_test.sh ++++ b/tools/testing/selftests/net/srv6_end_dt4_l3vpn_test.sh +@@ -258,6 +258,12 @@ setup_hs() + + # set the networking for the host + ip netns add ${hsname} ++ ++ # disable the rp_filter otherwise the kernel gets confused about how ++ # to route decap ipv4 packets. ++ ip netns exec ${rtname} sysctl -wq net.ipv4.conf.all.rp_filter=0 ++ ip netns exec ${rtname} sysctl -wq net.ipv4.conf.default.rp_filter=0 ++ + ip -netns ${hsname} link add veth0 type veth peer name ${rtveth} + ip -netns ${hsname} link set ${rtveth} netns ${rtname} + ip -netns ${hsname} addr add ${IPv4_HS_NETWORK}.${hs}/24 dev veth0 +@@ -276,11 +282,6 @@ setup_hs() + + ip netns exec ${rtname} sysctl -wq net.ipv4.conf.${rtveth}.proxy_arp=1 + +- # disable the rp_filter otherwise the kernel gets confused about how +- # to route decap ipv4 packets. +- ip netns exec ${rtname} sysctl -wq net.ipv4.conf.all.rp_filter=0 +- ip netns exec ${rtname} sysctl -wq net.ipv4.conf.${rtveth}.rp_filter=0 +- + ip netns exec ${rtname} sh -c "echo 1 > /proc/sys/net/vrf/strict_mode" + } + +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-222-devlink-change-per-devlink-netdev-notifier-to-s.patch b/patches.kernel.org/6.3.4-222-devlink-change-per-devlink-netdev-notifier-to-s.patch new file mode 100644 index 0000000..71e9641 --- /dev/null +++ b/patches.kernel.org/6.3.4-222-devlink-change-per-devlink-netdev-notifier-to-s.patch @@ -0,0 +1,147 @@ +From: Jiri Pirko +Date: Wed, 10 May 2023 16:46:21 +0200 +Subject: [PATCH] devlink: change per-devlink netdev notifier to static one +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: e93c9378e33f68b61ea9318580d841caa22fb9ea + +[ Upstream commit e93c9378e33f68b61ea9318580d841caa22fb9ea ] + +The commit 565b4824c39f ("devlink: change port event netdev notifier +from per-net to global") changed original per-net notifier to be +per-devlink instance. That fixed the issue of non-receiving events +of netdev uninit if that moved to a different namespace. +That worked fine in -net tree. + +However, later on when commit ee75f1fc44dd ("net/mlx5e: Create +separate devlink instance for ethernet auxiliary device") and +commit 72ed5d5624af ("net/mlx5: Suspend auxiliary devices only in +case of PCI device suspend") were merged, a deadlock was introduced +when removing a namespace with devlink instance with another nested +instance. + +Here there is the bad flow example resulting in deadlock with mlx5: +net_cleanup_work -> cleanup_net (takes down_read(&pernet_ops_rwsem) -> +devlink_pernet_pre_exit() -> devlink_reload() -> +mlx5_devlink_reload_down() -> mlx5_unload_one_devl_locked() -> +mlx5_detach_device() -> del_adev() -> mlx5e_remove() -> +mlx5e_destroy_devlink() -> devlink_free() -> +unregister_netdevice_notifier() (takes down_write(&pernet_ops_rwsem) + +Steps to reproduce: +$ modprobe mlx5_core +$ ip netns add ns1 +$ devlink dev reload pci/0000:08:00.0 netns ns1 +$ ip netns del ns1 + +Resolve this by converting the notifier from per-devlink instance to +a static one registered during init phase and leaving it registered +forever. Use this notifier for all devlink port instances created +later on. + +Note what a tree needs this fix only in case all of the cited fixes +commits are present. + +Reported-by: Moshe Shemesh +Fixes: 565b4824c39f ("devlink: change port event netdev notifier from per-net to global") +Fixes: ee75f1fc44dd ("net/mlx5e: Create separate devlink instance for ethernet auxiliary device") +Fixes: 72ed5d5624af ("net/mlx5: Suspend auxiliary devices only in case of PCI device suspend") +Signed-off-by: Jiri Pirko +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20230510144621.932017-1-jiri@resnulli.us +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + net/devlink/core.c | 16 +++++++--------- + net/devlink/devl_internal.h | 1 - + net/devlink/leftover.c | 5 ++--- + 3 files changed, 9 insertions(+), 13 deletions(-) + +diff --git a/net/devlink/core.c b/net/devlink/core.c +index 777b091e..0e58eee4 100644 +--- a/net/devlink/core.c ++++ b/net/devlink/core.c +@@ -204,11 +204,6 @@ struct devlink *devlink_alloc_ns(const struct devlink_ops *ops, + if (ret < 0) + goto err_xa_alloc; + +- devlink->netdevice_nb.notifier_call = devlink_port_netdevice_event; +- ret = register_netdevice_notifier(&devlink->netdevice_nb); +- if (ret) +- goto err_register_netdevice_notifier; +- + devlink->dev = dev; + devlink->ops = ops; + xa_init_flags(&devlink->ports, XA_FLAGS_ALLOC); +@@ -233,8 +228,6 @@ struct devlink *devlink_alloc_ns(const struct devlink_ops *ops, + + return devlink; + +-err_register_netdevice_notifier: +- xa_erase(&devlinks, devlink->index); + err_xa_alloc: + kfree(devlink); + return NULL; +@@ -266,8 +259,6 @@ void devlink_free(struct devlink *devlink) + xa_destroy(&devlink->params); + xa_destroy(&devlink->ports); + +- WARN_ON_ONCE(unregister_netdevice_notifier(&devlink->netdevice_nb)); +- + xa_erase(&devlinks, devlink->index); + + devlink_put(devlink); +@@ -303,6 +294,10 @@ static struct pernet_operations devlink_pernet_ops __net_initdata = { + .pre_exit = devlink_pernet_pre_exit, + }; + ++static struct notifier_block devlink_port_netdevice_nb __net_initdata = { ++ .notifier_call = devlink_port_netdevice_event, ++}; ++ + static int __init devlink_init(void) + { + int err; +@@ -311,6 +306,9 @@ static int __init devlink_init(void) + if (err) + goto out; + err = register_pernet_subsys(&devlink_pernet_ops); ++ if (err) ++ goto out; ++ err = register_netdevice_notifier(&devlink_port_netdevice_nb); + + out: + WARN_ON(err); +diff --git a/net/devlink/devl_internal.h b/net/devlink/devl_internal.h +index e133f423..62921b2e 100644 +--- a/net/devlink/devl_internal.h ++++ b/net/devlink/devl_internal.h +@@ -50,7 +50,6 @@ struct devlink { + u8 reload_failed:1; + refcount_t refcount; + struct rcu_work rwork; +- struct notifier_block netdevice_nb; + char priv[] __aligned(NETDEV_ALIGN); + }; + +diff --git a/net/devlink/leftover.c b/net/devlink/leftover.c +index dffca2f9..cd025496 100644 +--- a/net/devlink/leftover.c ++++ b/net/devlink/leftover.c +@@ -7073,10 +7073,9 @@ int devlink_port_netdevice_event(struct notifier_block *nb, + struct devlink_port *devlink_port = netdev->devlink_port; + struct devlink *devlink; + +- devlink = container_of(nb, struct devlink, netdevice_nb); +- +- if (!devlink_port || devlink_port->devlink != devlink) ++ if (!devlink_port) + return NOTIFY_OK; ++ devlink = devlink_port->devlink; + + switch (event) { + case NETDEV_POST_INIT: +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-223-net-fec-Better-handle-pm_runtime_get-failing-in.patch b/patches.kernel.org/6.3.4-223-net-fec-Better-handle-pm_runtime_get-failing-in.patch new file mode 100644 index 0000000..f9779a6 --- /dev/null +++ b/patches.kernel.org/6.3.4-223-net-fec-Better-handle-pm_runtime_get-failing-in.patch @@ -0,0 +1,68 @@ +From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= +Date: Wed, 10 May 2023 22:00:20 +0200 +Subject: [PATCH] net: fec: Better handle pm_runtime_get() failing in .remove() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: f816b9829b19394d318e01953aa3b2721bca040d + +[ Upstream commit f816b9829b19394d318e01953aa3b2721bca040d ] + +In the (unlikely) event that pm_runtime_get() (disguised as +pm_runtime_resume_and_get()) fails, the remove callback returned an +error early. The problem with this is that the driver core ignores the +error value and continues removing the device. This results in a +resource leak. Worse the devm allocated resources are freed and so if a +callback of the driver is called later the register mapping is already +gone which probably results in a crash. + +Fixes: a31eda65ba21 ("net: fec: fix clock count mis-match") +Signed-off-by: Uwe Kleine-König +Reviewed-by: Andrew Lunn +Link: https://lore.kernel.org/r/20230510200020.1534610-1-u.kleine-koenig@pengutronix.de +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/net/ethernet/freescale/fec_main.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c +index 42ec6ca3..241df41d 100644 +--- a/drivers/net/ethernet/freescale/fec_main.c ++++ b/drivers/net/ethernet/freescale/fec_main.c +@@ -4478,9 +4478,11 @@ fec_drv_remove(struct platform_device *pdev) + struct device_node *np = pdev->dev.of_node; + int ret; + +- ret = pm_runtime_resume_and_get(&pdev->dev); ++ ret = pm_runtime_get_sync(&pdev->dev); + if (ret < 0) +- return ret; ++ dev_err(&pdev->dev, ++ "Failed to resume device in remove callback (%pe)\n", ++ ERR_PTR(ret)); + + cancel_work_sync(&fep->tx_timeout_work); + fec_ptp_stop(pdev); +@@ -4493,8 +4495,13 @@ fec_drv_remove(struct platform_device *pdev) + of_phy_deregister_fixed_link(np); + of_node_put(fep->phy_node); + +- clk_disable_unprepare(fep->clk_ahb); +- clk_disable_unprepare(fep->clk_ipg); ++ /* After pm_runtime_get_sync() failed, the clks are still off, so skip ++ * disabling them again. ++ */ ++ if (ret >= 0) { ++ clk_disable_unprepare(fep->clk_ahb); ++ clk_disable_unprepare(fep->clk_ipg); ++ } + pm_runtime_put_noidle(&pdev->dev); + pm_runtime_disable(&pdev->dev); + +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-224-net-phy-dp83867-add-w-a-for-packet-errors-seen-.patch b/patches.kernel.org/6.3.4-224-net-phy-dp83867-add-w-a-for-packet-errors-seen-.patch new file mode 100644 index 0000000..ecb7380 --- /dev/null +++ b/patches.kernel.org/6.3.4-224-net-phy-dp83867-add-w-a-for-packet-errors-seen-.patch @@ -0,0 +1,79 @@ +From: Grygorii Strashko +Date: Wed, 10 May 2023 18:21:39 +0530 +Subject: [PATCH] net: phy: dp83867: add w/a for packet errors seen with short + cables +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 0b01db274028f5acd207332686ffc92ac77491ac + +[ Upstream commit 0b01db274028f5acd207332686ffc92ac77491ac ] + +Introduce the W/A for packet errors seen with short cables (<1m) between +two DP83867 PHYs. + +The W/A recommended by DM requires FFE Equalizer Configuration tuning by +writing value 0x0E81 to DSP_FFE_CFG register (0x012C), surrounded by hard +and soft resets as follows: + +write_reg(0x001F, 0x8000); //hard reset +write_reg(DSP_FFE_CFG, 0x0E81); +write_reg(0x001F, 0x4000); //soft reset + +Since DP83867 PHY DM says "Changing this register to 0x0E81, will not +affect Long Cable performance.", enable the W/A by default. + +Fixes: 2a10154abcb7 ("net: phy: dp83867: Add TI dp83867 phy") +Signed-off-by: Grygorii Strashko +Signed-off-by: Siddharth Vadapalli +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/net/phy/dp83867.c | 22 +++++++++++++++++++++- + 1 file changed, 21 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/phy/dp83867.c b/drivers/net/phy/dp83867.c +index 89cd821f..9f7ff882 100644 +--- a/drivers/net/phy/dp83867.c ++++ b/drivers/net/phy/dp83867.c +@@ -42,6 +42,7 @@ + #define DP83867_STRAP_STS1 0x006E + #define DP83867_STRAP_STS2 0x006f + #define DP83867_RGMIIDCTL 0x0086 ++#define DP83867_DSP_FFE_CFG 0x012c + #define DP83867_RXFCFG 0x0134 + #define DP83867_RXFPMD1 0x0136 + #define DP83867_RXFPMD2 0x0137 +@@ -910,8 +911,27 @@ static int dp83867_phy_reset(struct phy_device *phydev) + + usleep_range(10, 20); + +- return phy_modify(phydev, MII_DP83867_PHYCTRL, ++ err = phy_modify(phydev, MII_DP83867_PHYCTRL, + DP83867_PHYCR_FORCE_LINK_GOOD, 0); ++ if (err < 0) ++ return err; ++ ++ /* Configure the DSP Feedforward Equalizer Configuration register to ++ * improve short cable (< 1 meter) performance. This will not affect ++ * long cable performance. ++ */ ++ err = phy_write_mmd(phydev, DP83867_DEVADDR, DP83867_DSP_FFE_CFG, ++ 0x0e81); ++ if (err < 0) ++ return err; ++ ++ err = phy_write(phydev, DP83867_CTRL, DP83867_SW_RESTART); ++ if (err < 0) ++ return err; ++ ++ usleep_range(10, 20); ++ ++ return 0; + } + + static void dp83867_link_change_notify(struct phy_device *phydev) +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-225-ALSA-firewire-digi00x-prevent-potential-use-aft.patch b/patches.kernel.org/6.3.4-225-ALSA-firewire-digi00x-prevent-potential-use-aft.patch new file mode 100644 index 0000000..c7dc484 --- /dev/null +++ b/patches.kernel.org/6.3.4-225-ALSA-firewire-digi00x-prevent-potential-use-aft.patch @@ -0,0 +1,42 @@ +From: Dan Carpenter +Date: Tue, 9 May 2023 12:07:11 +0300 +Subject: [PATCH] ALSA: firewire-digi00x: prevent potential use after free +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: c0e72058d5e21982e61a29de6b098f7c1f0db498 + +[ Upstream commit c0e72058d5e21982e61a29de6b098f7c1f0db498 ] + +This code was supposed to return an error code if init_stream() +failed, but it instead freed dg00x->rx_stream and returned success. +This potentially leads to a use after free. + +Fixes: 9a08067ec318 ("ALSA: firewire-digi00x: support AMDTP domain") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/c224cbd5-d9e2-4cd4-9bcf-2138eb1d35c6@kili.mountain +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + sound/firewire/digi00x/digi00x-stream.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/sound/firewire/digi00x/digi00x-stream.c b/sound/firewire/digi00x/digi00x-stream.c +index a15f55b0..295163bb 100644 +--- a/sound/firewire/digi00x/digi00x-stream.c ++++ b/sound/firewire/digi00x/digi00x-stream.c +@@ -259,8 +259,10 @@ int snd_dg00x_stream_init_duplex(struct snd_dg00x *dg00x) + return err; + + err = init_stream(dg00x, &dg00x->tx_stream); +- if (err < 0) ++ if (err < 0) { + destroy_stream(dg00x, &dg00x->rx_stream); ++ return err; ++ } + + err = amdtp_domain_init(&dg00x->domain); + if (err < 0) { +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-226-wifi-mt76-connac-fix-stats-tx_bytes-calculation.patch b/patches.kernel.org/6.3.4-226-wifi-mt76-connac-fix-stats-tx_bytes-calculation.patch new file mode 100644 index 0000000..ba98bee --- /dev/null +++ b/patches.kernel.org/6.3.4-226-wifi-mt76-connac-fix-stats-tx_bytes-calculation.patch @@ -0,0 +1,52 @@ +From: Ryder Lee +Date: Mon, 24 Apr 2023 05:39:06 +0800 +Subject: [PATCH] wifi: mt76: connac: fix stats->tx_bytes calculation +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: c7ab7a29ef5c0779574120d922256ce4651555d3 + +[ Upstream commit c7ab7a29ef5c0779574120d922256ce4651555d3 ] + +The stats->tx_bytes shall subtract retry byte from tx byte. + +Fixes: 43eaa3689507 ("wifi: mt76: add PPDU based TxS support for WED device") +Signed-off-by: Ryder Lee +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/b3cd45596943cf5a06b2e08e2fe732ab0b51311b.1682285873.git.ryder.lee@mediatek.com +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/net/wireless/mediatek/mt76/mt76_connac2_mac.h | 2 +- + drivers/net/wireless/mediatek/mt76/mt76_connac_mac.c | 3 ++- + 2 files changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt76_connac2_mac.h b/drivers/net/wireless/mediatek/mt76/mt76_connac2_mac.h +index f33171bc..c3b692ea 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt76_connac2_mac.h ++++ b/drivers/net/wireless/mediatek/mt76/mt76_connac2_mac.h +@@ -163,7 +163,7 @@ enum { + #define MT_TXS5_MPDU_TX_CNT GENMASK(31, 23) + + #define MT_TXS6_MPDU_FAIL_CNT GENMASK(31, 23) +- ++#define MT_TXS7_MPDU_RETRY_BYTE GENMASK(22, 0) + #define MT_TXS7_MPDU_RETRY_CNT GENMASK(31, 23) + + /* RXD DW1 */ +diff --git a/drivers/net/wireless/mediatek/mt76/mt76_connac_mac.c b/drivers/net/wireless/mediatek/mt76/mt76_connac_mac.c +index 82aac0a0..e57eade2 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt76_connac_mac.c ++++ b/drivers/net/wireless/mediatek/mt76/mt76_connac_mac.c +@@ -576,7 +576,8 @@ bool mt76_connac2_mac_fill_txs(struct mt76_dev *dev, struct mt76_wcid *wcid, + /* PPDU based reporting */ + if (FIELD_GET(MT_TXS0_TXS_FORMAT, txs) > 1) { + stats->tx_bytes += +- le32_get_bits(txs_data[5], MT_TXS5_MPDU_TX_BYTE); ++ le32_get_bits(txs_data[5], MT_TXS5_MPDU_TX_BYTE) - ++ le32_get_bits(txs_data[7], MT_TXS7_MPDU_RETRY_BYTE); + stats->tx_packets += + le32_get_bits(txs_data[5], MT_TXS5_MPDU_TX_CNT); + stats->tx_failed += +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-227-ALSA-hda-realtek-Apply-HP-B-O-top-speaker-profi.patch b/patches.kernel.org/6.3.4-227-ALSA-hda-realtek-Apply-HP-B-O-top-speaker-profi.patch new file mode 100644 index 0000000..a95b98e --- /dev/null +++ b/patches.kernel.org/6.3.4-227-ALSA-hda-realtek-Apply-HP-B-O-top-speaker-profi.patch @@ -0,0 +1,41 @@ +From: "Ryan C. Underwood" +Date: Thu, 11 May 2023 12:32:21 -0500 +Subject: [PATCH] ALSA: hda/realtek: Apply HP B&O top speaker profile to + Pavilion 15 +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 92553ee03166ef8fa978e7683f9f4af30c9c4e6b + +[ Upstream commit 92553ee03166ef8fa978e7683f9f4af30c9c4e6b ] + +The Pavilion 15 line has B&O top speakers similar to the x360 and +applying the same profile produces good sound. Without this, the +sound would be tinny and underpowered without either applying +model=alc295-hp-x360 or booting another OS first. + +Signed-off-by: Ryan Underwood +Fixes: 563785edfcef ("ALSA: hda/realtek - Add quirk entry for HP Pavilion 15") +Link: https://lore.kernel.org/r/ZF0mpcMz3ezP9KQw@icequake.net +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + sound/pci/hda/patch_realtek.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 172ffc2c..5d78d4ba 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -9363,7 +9363,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x103c, 0x802f, "HP Z240", ALC221_FIXUP_HP_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x103c, 0x8077, "HP", ALC256_FIXUP_HP_HEADSET_MIC), + SND_PCI_QUIRK(0x103c, 0x8158, "HP", ALC256_FIXUP_HP_HEADSET_MIC), +- SND_PCI_QUIRK(0x103c, 0x820d, "HP Pavilion 15", ALC269_FIXUP_HP_MUTE_LED_MIC3), ++ SND_PCI_QUIRK(0x103c, 0x820d, "HP Pavilion 15", ALC295_FIXUP_HP_X360), + SND_PCI_QUIRK(0x103c, 0x8256, "HP", ALC221_FIXUP_HP_FRONT_MIC), + SND_PCI_QUIRK(0x103c, 0x827e, "HP x360", ALC295_FIXUP_HP_X360), + SND_PCI_QUIRK(0x103c, 0x827f, "HP x360", ALC269_FIXUP_HP_MUTE_LED_MIC3), +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-228-ice-Fix-undersized-tx_flags-variable.patch b/patches.kernel.org/6.3.4-228-ice-Fix-undersized-tx_flags-variable.patch new file mode 100644 index 0000000..28cb768 --- /dev/null +++ b/patches.kernel.org/6.3.4-228-ice-Fix-undersized-tx_flags-variable.patch @@ -0,0 +1,113 @@ +From: Jan Sokolowski +Date: Thu, 11 May 2023 08:53:19 -0700 +Subject: [PATCH] ice: Fix undersized tx_flags variable +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 9113302bb43cf7a6d5a414d49b29478e57451c86 + +[ Upstream commit 9113302bb43cf7a6d5a414d49b29478e57451c86 ] + +As not all ICE_TX_FLAGS_* fit in current 16-bit limited +tx_flags field that was introduced in the Fixes commit, +VLAN-related information would be discarded completely. +As such, creating a vlan and trying to run ping through +would result in no traffic passing. + +Fix that by refactoring tx_flags variable into flags only and +a separate variable that holds VLAN ID. As there is some space left, +type variable can fit between those two. Pahole reports no size +change to ice_tx_buf struct. + +Fixes: aa1d3faf71a6 ("ice: Robustify cleaning/completing XDP Tx buffers") +Signed-off-by: Jan Sokolowski +Reviewed-by: Alexander Lobakin +Signed-off-by: Tony Nguyen +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/net/ethernet/intel/ice/ice_dcb_lib.c | 5 ++--- + drivers/net/ethernet/intel/ice/ice_txrx.c | 8 +++----- + drivers/net/ethernet/intel/ice/ice_txrx.h | 9 +++------ + 3 files changed, 8 insertions(+), 14 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_dcb_lib.c b/drivers/net/ethernet/intel/ice/ice_dcb_lib.c +index c6d4926f..850db8e0 100644 +--- a/drivers/net/ethernet/intel/ice/ice_dcb_lib.c ++++ b/drivers/net/ethernet/intel/ice/ice_dcb_lib.c +@@ -932,10 +932,9 @@ ice_tx_prepare_vlan_flags_dcb(struct ice_tx_ring *tx_ring, + if ((first->tx_flags & ICE_TX_FLAGS_HW_VLAN || + first->tx_flags & ICE_TX_FLAGS_HW_OUTER_SINGLE_VLAN) || + skb->priority != TC_PRIO_CONTROL) { +- first->tx_flags &= ~ICE_TX_FLAGS_VLAN_PR_M; ++ first->vid &= ~VLAN_PRIO_MASK; + /* Mask the lower 3 bits to set the 802.1p priority */ +- first->tx_flags |= (skb->priority & 0x7) << +- ICE_TX_FLAGS_VLAN_PR_S; ++ first->vid |= (skb->priority << VLAN_PRIO_SHIFT) & VLAN_PRIO_MASK; + /* if this is not already set it means a VLAN 0 + priority needs + * to be offloaded + */ +diff --git a/drivers/net/ethernet/intel/ice/ice_txrx.c b/drivers/net/ethernet/intel/ice/ice_txrx.c +index 4fcf2d07..059bd911 100644 +--- a/drivers/net/ethernet/intel/ice/ice_txrx.c ++++ b/drivers/net/ethernet/intel/ice/ice_txrx.c +@@ -1664,8 +1664,7 @@ ice_tx_map(struct ice_tx_ring *tx_ring, struct ice_tx_buf *first, + + if (first->tx_flags & ICE_TX_FLAGS_HW_VLAN) { + td_cmd |= (u64)ICE_TX_DESC_CMD_IL2TAG1; +- td_tag = (first->tx_flags & ICE_TX_FLAGS_VLAN_M) >> +- ICE_TX_FLAGS_VLAN_S; ++ td_tag = first->vid; + } + + dma = dma_map_single(tx_ring->dev, skb->data, size, DMA_TO_DEVICE); +@@ -1998,7 +1997,7 @@ ice_tx_prepare_vlan_flags(struct ice_tx_ring *tx_ring, struct ice_tx_buf *first) + * VLAN offloads exclusively so we only care about the VLAN ID here + */ + if (skb_vlan_tag_present(skb)) { +- first->tx_flags |= skb_vlan_tag_get(skb) << ICE_TX_FLAGS_VLAN_S; ++ first->vid = skb_vlan_tag_get(skb); + if (tx_ring->flags & ICE_TX_FLAGS_RING_VLAN_L2TAG2) + first->tx_flags |= ICE_TX_FLAGS_HW_OUTER_SINGLE_VLAN; + else +@@ -2388,8 +2387,7 @@ ice_xmit_frame_ring(struct sk_buff *skb, struct ice_tx_ring *tx_ring) + offload.cd_qw1 |= (u64)(ICE_TX_DESC_DTYPE_CTX | + (ICE_TX_CTX_DESC_IL2TAG2 << + ICE_TXD_CTX_QW1_CMD_S)); +- offload.cd_l2tag2 = (first->tx_flags & ICE_TX_FLAGS_VLAN_M) >> +- ICE_TX_FLAGS_VLAN_S; ++ offload.cd_l2tag2 = first->vid; + } + + /* set up TSO offload */ +diff --git a/drivers/net/ethernet/intel/ice/ice_txrx.h b/drivers/net/ethernet/intel/ice/ice_txrx.h +index fff0efe2..166413fc 100644 +--- a/drivers/net/ethernet/intel/ice/ice_txrx.h ++++ b/drivers/net/ethernet/intel/ice/ice_txrx.h +@@ -127,10 +127,6 @@ static inline int ice_skb_pad(void) + #define ICE_TX_FLAGS_IPV6 BIT(6) + #define ICE_TX_FLAGS_TUNNEL BIT(7) + #define ICE_TX_FLAGS_HW_OUTER_SINGLE_VLAN BIT(8) +-#define ICE_TX_FLAGS_VLAN_M 0xffff0000 +-#define ICE_TX_FLAGS_VLAN_PR_M 0xe0000000 +-#define ICE_TX_FLAGS_VLAN_PR_S 29 +-#define ICE_TX_FLAGS_VLAN_S 16 + + #define ICE_XDP_PASS 0 + #define ICE_XDP_CONSUMED BIT(0) +@@ -182,8 +178,9 @@ struct ice_tx_buf { + unsigned int gso_segs; + unsigned int nr_frags; /* used for mbuf XDP */ + }; +- u32 type:16; /* &ice_tx_buf_type */ +- u32 tx_flags:16; ++ u32 tx_flags:12; ++ u32 type:4; /* &ice_tx_buf_type */ ++ u32 vid:16; + DEFINE_DMA_UNMAP_LEN(len); + DEFINE_DMA_UNMAP_ADDR(dma); + }; +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-229-sfc-disable-RXFCS-and-RXALL-features-by-default.patch b/patches.kernel.org/6.3.4-229-sfc-disable-RXFCS-and-RXALL-features-by-default.patch new file mode 100644 index 0000000..38563c5 --- /dev/null +++ b/patches.kernel.org/6.3.4-229-sfc-disable-RXFCS-and-RXALL-features-by-default.patch @@ -0,0 +1,44 @@ +From: Pieter Jansen van Vuuren +Date: Thu, 11 May 2023 10:43:33 +0100 +Subject: [PATCH] sfc: disable RXFCS and RXALL features by default +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 134120b066044399ef59564ff3ba66ab344cfc5b + +[ Upstream commit 134120b066044399ef59564ff3ba66ab344cfc5b ] + +By default we would not want RXFCS and RXALL features enabled as they are +mainly intended for debugging purposes. This does not stop users from +enabling them later on as needed. + +Fixes: 8e57daf70671 ("sfc_ef100: RX path for EF100") +Signed-off-by: Pieter Jansen van Vuuren +Co-developed-by: Edward Cree +Signed-off-by: Edward Cree +Reviewed-by: Martin Habets +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/net/ethernet/sfc/ef100_netdev.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/sfc/ef100_netdev.c b/drivers/net/ethernet/sfc/ef100_netdev.c +index d916877b..be395cd8 100644 +--- a/drivers/net/ethernet/sfc/ef100_netdev.c ++++ b/drivers/net/ethernet/sfc/ef100_netdev.c +@@ -378,7 +378,9 @@ int ef100_probe_netdev(struct efx_probe_data *probe_data) + efx->net_dev = net_dev; + SET_NETDEV_DEV(net_dev, &efx->pci_dev->dev); + +- net_dev->features |= efx->type->offload_features; ++ /* enable all supported features except rx-fcs and rx-all */ ++ net_dev->features |= efx->type->offload_features & ++ ~(NETIF_F_RXFCS | NETIF_F_RXALL); + net_dev->hw_features |= efx->type->offload_features; + net_dev->hw_enc_features |= efx->type->offload_features; + net_dev->vlan_features |= NETIF_F_HW_CSUM | NETIF_F_SG | +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-230-vsock-avoid-to-close-connected-socket-after-the.patch b/patches.kernel.org/6.3.4-230-vsock-avoid-to-close-connected-socket-after-the.patch new file mode 100644 index 0000000..a4d8fbd --- /dev/null +++ b/patches.kernel.org/6.3.4-230-vsock-avoid-to-close-connected-socket-after-the.patch @@ -0,0 +1,55 @@ +From: Zhuang Shengen +Date: Thu, 11 May 2023 19:34:30 +0800 +Subject: [PATCH] vsock: avoid to close connected socket after the timeout +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 6d4486efe9c69626cab423456169e250a5cd3af5 + +[ Upstream commit 6d4486efe9c69626cab423456169e250a5cd3af5 ] + +When client and server establish a connection through vsock, +the client send a request to the server to initiate the connection, +then start a timer to wait for the server's response. When the server's +RESPONSE message arrives, the timer also times out and exits. The +server's RESPONSE message is processed first, and the connection is +established. However, the client's timer also times out, the original +processing logic of the client is to directly set the state of this vsock +to CLOSE and return ETIMEDOUT. It will not notify the server when the port +is released, causing the server port remain. +when client's vsock_connect timeout,it should check sk state is +ESTABLISHED or not. if sk state is ESTABLISHED, it means the connection +is established, the client should not set the sk state to CLOSE + +Note: I encountered this issue on kernel-4.18, which can be fixed by +this patch. Then I checked the latest code in the community +and found similar issue. + +Fixes: d021c344051a ("VSOCK: Introduce VM Sockets") +Signed-off-by: Zhuang Shengen +Reviewed-by: Stefano Garzarella +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + net/vmw_vsock/af_vsock.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c +index 19aea7cb..5d480174 100644 +--- a/net/vmw_vsock/af_vsock.c ++++ b/net/vmw_vsock/af_vsock.c +@@ -1426,7 +1426,7 @@ static int vsock_connect(struct socket *sock, struct sockaddr *addr, + vsock_transport_cancel_pkt(vsk); + vsock_remove_connected(vsk); + goto out_wait; +- } else if (timeout == 0) { ++ } else if ((sk->sk_state != TCP_ESTABLISHED) && (timeout == 0)) { + err = -ETIMEDOUT; + sk->sk_state = TCP_CLOSE; + sock->state = SS_UNCONNECTED; +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-231-tcp-fix-possible-sk_priority-leak-in-tcp_v4_sen.patch b/patches.kernel.org/6.3.4-231-tcp-fix-possible-sk_priority-leak-in-tcp_v4_sen.patch new file mode 100644 index 0000000..5561ccd --- /dev/null +++ b/patches.kernel.org/6.3.4-231-tcp-fix-possible-sk_priority-leak-in-tcp_v4_sen.patch @@ -0,0 +1,63 @@ +From: Eric Dumazet +Date: Thu, 11 May 2023 11:47:49 +0000 +Subject: [PATCH] tcp: fix possible sk_priority leak in tcp_v4_send_reset() +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 1e306ec49a1f206fd2cc89a42fac6e6f592a8cc1 + +[ Upstream commit 1e306ec49a1f206fd2cc89a42fac6e6f592a8cc1 ] + +When tcp_v4_send_reset() is called with @sk == NULL, +we do not change ctl_sk->sk_priority, which could have been +set from a prior invocation. + +Change tcp_v4_send_reset() to set sk_priority and sk_mark +fields before calling ip_send_unicast_reply(). + +This means tcp_v4_send_reset() and tcp_v4_send_ack() +no longer have to clear ctl_sk->sk_mark after +their call to ip_send_unicast_reply(). + +Fixes: f6c0f5d209fa ("tcp: honor SO_PRIORITY in TIME_WAIT state") +Signed-off-by: Eric Dumazet +Cc: Antoine Tenart +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + net/ipv4/tcp_ipv4.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c +index b9d55277..c87958f9 100644 +--- a/net/ipv4/tcp_ipv4.c ++++ b/net/ipv4/tcp_ipv4.c +@@ -829,6 +829,9 @@ static void tcp_v4_send_reset(const struct sock *sk, struct sk_buff *skb) + inet_twsk(sk)->tw_priority : sk->sk_priority; + transmit_time = tcp_transmit_time(sk); + xfrm_sk_clone_policy(ctl_sk, sk); ++ } else { ++ ctl_sk->sk_mark = 0; ++ ctl_sk->sk_priority = 0; + } + ip_send_unicast_reply(ctl_sk, + skb, &TCP_SKB_CB(skb)->header.h4.opt, +@@ -836,7 +839,6 @@ static void tcp_v4_send_reset(const struct sock *sk, struct sk_buff *skb) + &arg, arg.iov[0].iov_len, + transmit_time); + +- ctl_sk->sk_mark = 0; + xfrm_sk_free_policy(ctl_sk); + sock_net_set(ctl_sk, &init_net); + __TCP_INC_STATS(net, TCP_MIB_OUTSEGS); +@@ -935,7 +937,6 @@ static void tcp_v4_send_ack(const struct sock *sk, + &arg, arg.iov[0].iov_len, + transmit_time); + +- ctl_sk->sk_mark = 0; + sock_net_set(ctl_sk, &init_net); + __TCP_INC_STATS(net, TCP_MIB_OUTSEGS); + local_bh_enable(); +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-232-media-pvrusb2-fix-DVB_CORE-dependency.patch b/patches.kernel.org/6.3.4-232-media-pvrusb2-fix-DVB_CORE-dependency.patch new file mode 100644 index 0000000..4c8cbcf --- /dev/null +++ b/patches.kernel.org/6.3.4-232-media-pvrusb2-fix-DVB_CORE-dependency.patch @@ -0,0 +1,46 @@ +From: Arnd Bergmann +Date: Tue, 17 Jan 2023 17:10:16 +0000 +Subject: [PATCH] media: pvrusb2: fix DVB_CORE dependency +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 53558de2b5c4f4ee6bfcfbe34e27071c2d0073d5 + +[ Upstream commit 53558de2b5c4f4ee6bfcfbe34e27071c2d0073d5 ] + +Now that DVB_CORE can be a loadable module, pvrusb2 can run into +a link error: + +ld.lld: error: undefined symbol: dvb_module_probe +>>> referenced by pvrusb2-devattr.c +>>> drivers/media/usb/pvrusb2/pvrusb2-devattr.o:(pvr2_lgdt3306a_attach) in archive vmlinux.a +ld.lld: error: undefined symbol: dvb_module_release +>>> referenced by pvrusb2-devattr.c +>>> drivers/media/usb/pvrusb2/pvrusb2-devattr.o:(pvr2_dual_fe_attach) in archive vmlinux.a + +Refine the Kconfig dependencies to avoid this case. + +Link: https://lore.kernel.org/linux-media/20230117171055.2714621-1-arnd@kernel.org +Fixes: 7655c342dbc4 ("media: Kconfig: Make DVB_CORE=m possible when MEDIA_SUPPORT=y") +Signed-off-by: Arnd Bergmann +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/media/usb/pvrusb2/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/media/usb/pvrusb2/Kconfig b/drivers/media/usb/pvrusb2/Kconfig +index 9501b10b..0df10270 100644 +--- a/drivers/media/usb/pvrusb2/Kconfig ++++ b/drivers/media/usb/pvrusb2/Kconfig +@@ -37,6 +37,7 @@ config VIDEO_PVRUSB2_DVB + bool "pvrusb2 ATSC/DVB support" + default y + depends on VIDEO_PVRUSB2 && DVB_CORE ++ depends on VIDEO_PVRUSB2=m || DVB_CORE=y + select DVB_LGDT330X if MEDIA_SUBDRV_AUTOSELECT + select DVB_S5H1409 if MEDIA_SUBDRV_AUTOSELECT + select DVB_S5H1411 if MEDIA_SUBDRV_AUTOSELECT +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-233-serial-arc_uart-fix-of_iomap-leak-in-arc_serial.patch b/patches.kernel.org/6.3.4-233-serial-arc_uart-fix-of_iomap-leak-in-arc_serial.patch new file mode 100644 index 0000000..63a205f --- /dev/null +++ b/patches.kernel.org/6.3.4-233-serial-arc_uart-fix-of_iomap-leak-in-arc_serial.patch @@ -0,0 +1,52 @@ +From: Ke Zhang +Date: Fri, 28 Apr 2023 11:16:36 +0800 +Subject: [PATCH] serial: arc_uart: fix of_iomap leak in `arc_serial_probe` +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 8ab5fc55d7f65d58a3c3aeadf11bdf60267cd2bd + +[ Upstream commit 8ab5fc55d7f65d58a3c3aeadf11bdf60267cd2bd ] + +Smatch reports: + +drivers/tty/serial/arc_uart.c:631 arc_serial_probe() warn: +'port->membase' from of_iomap() not released on lines: 631. + +In arc_serial_probe(), if uart_add_one_port() fails, +port->membase is not released, which would cause a resource leak. + +To fix this, I replace of_iomap with devm_platform_ioremap_resource. + +Fixes: 8dbe1d5e09a7 ("serial/arc: inline the probe helper") +Signed-off-by: Ke Zhang +Reviewed-by: Dongliang Mu +Link: https://lore.kernel.org/r/20230428031636.44642-1-m202171830@hust.edu.cn +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/tty/serial/arc_uart.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/tty/serial/arc_uart.c b/drivers/tty/serial/arc_uart.c +index 59e25f2b..4b2512ee 100644 +--- a/drivers/tty/serial/arc_uart.c ++++ b/drivers/tty/serial/arc_uart.c +@@ -606,10 +606,11 @@ static int arc_serial_probe(struct platform_device *pdev) + } + uart->baud = val; + +- port->membase = of_iomap(np, 0); +- if (!port->membase) ++ port->membase = devm_platform_ioremap_resource(pdev, 0); ++ if (IS_ERR(port->membase)) { + /* No point of dev_err since UART itself is hosed here */ +- return -ENXIO; ++ return PTR_ERR(port->membase); ++ } + + port->irq = irq_of_parse_and_map(np, 0); + +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-234-serial-8250_bcm7271-balance-clk_enable-calls.patch b/patches.kernel.org/6.3.4-234-serial-8250_bcm7271-balance-clk_enable-calls.patch new file mode 100644 index 0000000..990ef74 --- /dev/null +++ b/patches.kernel.org/6.3.4-234-serial-8250_bcm7271-balance-clk_enable-calls.patch @@ -0,0 +1,59 @@ +From: Doug Berger +Date: Thu, 27 Apr 2023 11:19:15 -0700 +Subject: [PATCH] serial: 8250_bcm7271: balance clk_enable calls +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 8a3b5477256a54ae4a470dcebbcf8cdc18e4696d + +[ Upstream commit 8a3b5477256a54ae4a470dcebbcf8cdc18e4696d ] + +The sw_baud clock must be disabled when the device driver is not +connected to the device. This now occurs when probe fails and +upon remove. + +Fixes: 41a469482de2 ("serial: 8250: Add new 8250-core based Broadcom STB driver") +Reported-by: XuDong Liu +Link: https://lore.kernel.org/lkml/20230424125100.4783-1-m202071377@hust.edu.cn/ +Signed-off-by: Doug Berger +Acked-by: Florian Fainelli +Link: https://lore.kernel.org/r/20230427181916.2983697-2-opendmb@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/tty/serial/8250/8250_bcm7271.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/tty/serial/8250/8250_bcm7271.c b/drivers/tty/serial/8250/8250_bcm7271.c +index f801b1f5..90ee7bc1 100644 +--- a/drivers/tty/serial/8250/8250_bcm7271.c ++++ b/drivers/tty/serial/8250/8250_bcm7271.c +@@ -1032,7 +1032,7 @@ static int brcmuart_probe(struct platform_device *pdev) + if (clk_rate == 0) { + dev_err(dev, "clock-frequency or clk not defined\n"); + ret = -EINVAL; +- goto release_dma; ++ goto err_clk_disable; + } + + dev_dbg(dev, "DMA is %senabled\n", priv->dma_enabled ? "" : "not "); +@@ -1119,6 +1119,8 @@ static int brcmuart_probe(struct platform_device *pdev) + serial8250_unregister_port(priv->line); + err: + brcmuart_free_bufs(dev, priv); ++err_clk_disable: ++ clk_disable_unprepare(baud_mux_clk); + release_dma: + if (priv->dma_enabled) + brcmuart_arbitration(priv, 0); +@@ -1133,6 +1135,7 @@ static int brcmuart_remove(struct platform_device *pdev) + hrtimer_cancel(&priv->hrt); + serial8250_unregister_port(priv->line); + brcmuart_free_bufs(&pdev->dev, priv); ++ clk_disable_unprepare(priv->baud_mux_clk); + if (priv->dma_enabled) + brcmuart_arbitration(priv, 0); + return 0; +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-235-serial-8250_bcm7271-fix-leak-in-brcmuart_probe.patch b/patches.kernel.org/6.3.4-235-serial-8250_bcm7271-fix-leak-in-brcmuart_probe.patch new file mode 100644 index 0000000..e077f10 --- /dev/null +++ b/patches.kernel.org/6.3.4-235-serial-8250_bcm7271-fix-leak-in-brcmuart_probe.patch @@ -0,0 +1,44 @@ +From: Doug Berger +Date: Thu, 27 Apr 2023 11:19:16 -0700 +Subject: [PATCH] serial: 8250_bcm7271: fix leak in `brcmuart_probe` +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: f264f2f6f4788dc031cef60a0cf2881902736709 + +[ Upstream commit f264f2f6f4788dc031cef60a0cf2881902736709 ] + +Smatch reports: +drivers/tty/serial/8250/8250_bcm7271.c:1120 brcmuart_probe() warn: +'baud_mux_clk' from clk_prepare_enable() not released on lines: 1032. + +The issue is fixed by using a managed clock. + +Fixes: 41a469482de2 ("serial: 8250: Add new 8250-core based Broadcom STB driver") +Reported-by: XuDong Liu +Link: https://lore.kernel.org/lkml/20230424125100.4783-1-m202071377@hust.edu.cn/ +Signed-off-by: Doug Berger +Acked-by: Florian Fainelli +Link: https://lore.kernel.org/r/20230427181916.2983697-3-opendmb@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/tty/serial/8250/8250_bcm7271.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/tty/serial/8250/8250_bcm7271.c b/drivers/tty/serial/8250/8250_bcm7271.c +index 90ee7bc1..af0e1c07 100644 +--- a/drivers/tty/serial/8250/8250_bcm7271.c ++++ b/drivers/tty/serial/8250/8250_bcm7271.c +@@ -1012,7 +1012,7 @@ static int brcmuart_probe(struct platform_device *pdev) + of_property_read_u32(np, "clock-frequency", &clk_rate); + + /* See if a Baud clock has been specified */ +- baud_mux_clk = of_clk_get_by_name(np, "sw_baud"); ++ baud_mux_clk = devm_clk_get(dev, "sw_baud"); + if (IS_ERR(baud_mux_clk)) { + if (PTR_ERR(baud_mux_clk) == -EPROBE_DEFER) { + ret = -EPROBE_DEFER; +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-236-erspan-get-the-proto-with-the-md-version-for-co.patch b/patches.kernel.org/6.3.4-236-erspan-get-the-proto-with-the-md-version-for-co.patch new file mode 100644 index 0000000..77b832a --- /dev/null +++ b/patches.kernel.org/6.3.4-236-erspan-get-the-proto-with-the-md-version-for-co.patch @@ -0,0 +1,82 @@ +From: Xin Long +Date: Thu, 11 May 2023 19:22:11 -0400 +Subject: [PATCH] erspan: get the proto with the md version for collect_md +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: d80fc101d2eb9b3188c228d61223890aeea480a4 + +[ Upstream commit d80fc101d2eb9b3188c228d61223890aeea480a4 ] + +In commit 20704bd1633d ("erspan: build the header with the right proto +according to erspan_ver"), it gets the proto with t->parms.erspan_ver, +but t->parms.erspan_ver is not used by collect_md branch, and instead +it should get the proto with md->version for collect_md. + +Thanks to Kevin for pointing this out. + +Fixes: 20704bd1633d ("erspan: build the header with the right proto according to erspan_ver") +Fixes: 94d7d8f29287 ("ip6_gre: add erspan v2 support") +Reported-by: Kevin Traynor +Signed-off-by: Xin Long +Reviewed-by: Simon Horman +Reviewed-by: William Tu +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + net/ipv6/ip6_gre.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c +index a4ecfc9d..da80974a 100644 +--- a/net/ipv6/ip6_gre.c ++++ b/net/ipv6/ip6_gre.c +@@ -1015,12 +1015,14 @@ static netdev_tx_t ip6erspan_tunnel_xmit(struct sk_buff *skb, + ntohl(tun_id), + ntohl(md->u.index), truncate, + false); ++ proto = htons(ETH_P_ERSPAN); + } else if (md->version == 2) { + erspan_build_header_v2(skb, + ntohl(tun_id), + md->u.md2.dir, + get_hwid(&md->u.md2), + truncate, false); ++ proto = htons(ETH_P_ERSPAN2); + } else { + goto tx_err; + } +@@ -1043,24 +1045,25 @@ static netdev_tx_t ip6erspan_tunnel_xmit(struct sk_buff *skb, + break; + } + +- if (t->parms.erspan_ver == 1) ++ if (t->parms.erspan_ver == 1) { + erspan_build_header(skb, ntohl(t->parms.o_key), + t->parms.index, + truncate, false); +- else if (t->parms.erspan_ver == 2) ++ proto = htons(ETH_P_ERSPAN); ++ } else if (t->parms.erspan_ver == 2) { + erspan_build_header_v2(skb, ntohl(t->parms.o_key), + t->parms.dir, + t->parms.hwid, + truncate, false); +- else ++ proto = htons(ETH_P_ERSPAN2); ++ } else { + goto tx_err; ++ } + + fl6.daddr = t->parms.raddr; + } + + /* Push GRE header. */ +- proto = (t->parms.erspan_ver == 1) ? htons(ETH_P_ERSPAN) +- : htons(ETH_P_ERSPAN2); + gre_build_header(skb, 8, TUNNEL_SEQ, proto, 0, htonl(atomic_fetch_inc(&t->o_seqno))); + + /* TooBig packet may have updated dst->dev's mtu */ +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-237-net-dsa-rzn1-a5psw-enable-management-frames-for.patch b/patches.kernel.org/6.3.4-237-net-dsa-rzn1-a5psw-enable-management-frames-for.patch new file mode 100644 index 0000000..4fd318b --- /dev/null +++ b/patches.kernel.org/6.3.4-237-net-dsa-rzn1-a5psw-enable-management-frames-for.patch @@ -0,0 +1,58 @@ +From: =?UTF-8?q?Cl=C3=A9ment=20L=C3=A9ger?= +Date: Fri, 12 May 2023 09:27:10 +0200 +Subject: [PATCH] net: dsa: rzn1-a5psw: enable management frames for CPU port +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 9e4b45f20c5aac786c728619e5ee746bffce1798 + +[ Upstream commit 9e4b45f20c5aac786c728619e5ee746bffce1798 ] + +Currently, management frame were discarded before reaching the CPU port due +to a misconfiguration of the MGMT_CONFIG register. Enable them by setting +the correct value in this register in order to correctly receive management +frame and handle STP. + +Fixes: 888cdb892b61 ("net: dsa: rzn1-a5psw: add Renesas RZ/N1 advanced 5 port switch driver") +Signed-off-by: Clément Léger +Signed-off-by: Alexis Lothoré +Reviewed-by: Piotr Raczynski +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/net/dsa/rzn1_a5psw.c | 2 +- + drivers/net/dsa/rzn1_a5psw.h | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/dsa/rzn1_a5psw.c b/drivers/net/dsa/rzn1_a5psw.c +index 919027cf..8a419e2f 100644 +--- a/drivers/net/dsa/rzn1_a5psw.c ++++ b/drivers/net/dsa/rzn1_a5psw.c +@@ -673,7 +673,7 @@ static int a5psw_setup(struct dsa_switch *ds) + } + + /* Configure management port */ +- reg = A5PSW_CPU_PORT | A5PSW_MGMT_CFG_DISCARD; ++ reg = A5PSW_CPU_PORT | A5PSW_MGMT_CFG_ENABLE; + a5psw_reg_writel(a5psw, A5PSW_MGMT_CFG, reg); + + /* Set pattern 0 to forward all frame to mgmt port */ +diff --git a/drivers/net/dsa/rzn1_a5psw.h b/drivers/net/dsa/rzn1_a5psw.h +index c67abd49..b4fbf453 100644 +--- a/drivers/net/dsa/rzn1_a5psw.h ++++ b/drivers/net/dsa/rzn1_a5psw.h +@@ -36,7 +36,7 @@ + #define A5PSW_INPUT_LEARN_BLOCK(p) BIT(p) + + #define A5PSW_MGMT_CFG 0x20 +-#define A5PSW_MGMT_CFG_DISCARD BIT(7) ++#define A5PSW_MGMT_CFG_ENABLE BIT(6) + + #define A5PSW_MODE_CFG 0x24 + #define A5PSW_MODE_STATS_RESET BIT(31) +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-238-net-dsa-rzn1-a5psw-fix-STP-states-handling.patch b/patches.kernel.org/6.3.4-238-net-dsa-rzn1-a5psw-fix-STP-states-handling.patch new file mode 100644 index 0000000..d42c222 --- /dev/null +++ b/patches.kernel.org/6.3.4-238-net-dsa-rzn1-a5psw-fix-STP-states-handling.patch @@ -0,0 +1,143 @@ +From: =?UTF-8?q?Alexis=20Lothor=C3=A9?= +Date: Fri, 12 May 2023 09:27:11 +0200 +Subject: [PATCH] net: dsa: rzn1-a5psw: fix STP states handling +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: ebe9bc50952757b4b25eaf514da7c464196c9606 + +[ Upstream commit ebe9bc50952757b4b25eaf514da7c464196c9606 ] + +stp_set_state() should actually allow receiving BPDU while in LEARNING +mode which is not the case. Additionally, the BLOCKEN bit does not +actually forbid sending forwarded frames from that port. To fix this, add +a5psw_port_tx_enable() function which allows to disable TX. However, while +its name suggest that TX is totally disabled, it is not and can still +allow to send BPDUs even if disabled. This can be done by using forced +forwarding with the switch tagging mechanism but keeping "filtering" +disabled (which is already the case in the rzn1-a5sw tag driver). With +these fixes, STP support is now functional. + +Fixes: 888cdb892b61 ("net: dsa: rzn1-a5psw: add Renesas RZ/N1 advanced 5 port switch driver") +Signed-off-by: Clément Léger +Signed-off-by: Alexis Lothoré +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/net/dsa/rzn1_a5psw.c | 57 ++++++++++++++++++++++++++++++------ + drivers/net/dsa/rzn1_a5psw.h | 1 + + 2 files changed, 49 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/dsa/rzn1_a5psw.c b/drivers/net/dsa/rzn1_a5psw.c +index 8a419e2f..e2549cb3 100644 +--- a/drivers/net/dsa/rzn1_a5psw.c ++++ b/drivers/net/dsa/rzn1_a5psw.c +@@ -120,6 +120,22 @@ static void a5psw_port_mgmtfwd_set(struct a5psw *a5psw, int port, bool enable) + a5psw_port_pattern_set(a5psw, port, A5PSW_PATTERN_MGMTFWD, enable); + } + ++static void a5psw_port_tx_enable(struct a5psw *a5psw, int port, bool enable) ++{ ++ u32 mask = A5PSW_PORT_ENA_TX(port); ++ u32 reg = enable ? mask : 0; ++ ++ /* Even though the port TX is disabled through TXENA bit in the ++ * PORT_ENA register, it can still send BPDUs. This depends on the tag ++ * configuration added when sending packets from the CPU port to the ++ * switch port. Indeed, when using forced forwarding without filtering, ++ * even disabled ports will be able to send packets that are tagged. ++ * This allows to implement STP support when ports are in a state where ++ * forwarding traffic should be stopped but BPDUs should still be sent. ++ */ ++ a5psw_reg_rmw(a5psw, A5PSW_PORT_ENA, mask, reg); ++} ++ + static void a5psw_port_enable_set(struct a5psw *a5psw, int port, bool enable) + { + u32 port_ena = 0; +@@ -292,6 +308,22 @@ static int a5psw_set_ageing_time(struct dsa_switch *ds, unsigned int msecs) + return 0; + } + ++static void a5psw_port_learning_set(struct a5psw *a5psw, int port, bool learn) ++{ ++ u32 mask = A5PSW_INPUT_LEARN_DIS(port); ++ u32 reg = !learn ? mask : 0; ++ ++ a5psw_reg_rmw(a5psw, A5PSW_INPUT_LEARN, mask, reg); ++} ++ ++static void a5psw_port_rx_block_set(struct a5psw *a5psw, int port, bool block) ++{ ++ u32 mask = A5PSW_INPUT_LEARN_BLOCK(port); ++ u32 reg = block ? mask : 0; ++ ++ a5psw_reg_rmw(a5psw, A5PSW_INPUT_LEARN, mask, reg); ++} ++ + static void a5psw_flooding_set_resolution(struct a5psw *a5psw, int port, + bool set) + { +@@ -344,28 +376,35 @@ static void a5psw_port_bridge_leave(struct dsa_switch *ds, int port, + + static void a5psw_port_stp_state_set(struct dsa_switch *ds, int port, u8 state) + { +- u32 mask = A5PSW_INPUT_LEARN_DIS(port) | A5PSW_INPUT_LEARN_BLOCK(port); ++ bool learning_enabled, rx_enabled, tx_enabled; + struct a5psw *a5psw = ds->priv; +- u32 reg = 0; + + switch (state) { + case BR_STATE_DISABLED: + case BR_STATE_BLOCKING: +- reg |= A5PSW_INPUT_LEARN_DIS(port); +- reg |= A5PSW_INPUT_LEARN_BLOCK(port); +- break; + case BR_STATE_LISTENING: +- reg |= A5PSW_INPUT_LEARN_DIS(port); ++ rx_enabled = false; ++ tx_enabled = false; ++ learning_enabled = false; + break; + case BR_STATE_LEARNING: +- reg |= A5PSW_INPUT_LEARN_BLOCK(port); ++ rx_enabled = false; ++ tx_enabled = false; ++ learning_enabled = true; + break; + case BR_STATE_FORWARDING: +- default: ++ rx_enabled = true; ++ tx_enabled = true; ++ learning_enabled = true; + break; ++ default: ++ dev_err(ds->dev, "invalid STP state: %d\n", state); ++ return; + } + +- a5psw_reg_rmw(a5psw, A5PSW_INPUT_LEARN, mask, reg); ++ a5psw_port_learning_set(a5psw, port, learning_enabled); ++ a5psw_port_rx_block_set(a5psw, port, !rx_enabled); ++ a5psw_port_tx_enable(a5psw, port, tx_enabled); + } + + static void a5psw_port_fast_age(struct dsa_switch *ds, int port) +diff --git a/drivers/net/dsa/rzn1_a5psw.h b/drivers/net/dsa/rzn1_a5psw.h +index b4fbf453..b869192e 100644 +--- a/drivers/net/dsa/rzn1_a5psw.h ++++ b/drivers/net/dsa/rzn1_a5psw.h +@@ -19,6 +19,7 @@ + #define A5PSW_PORT_OFFSET(port) (0x400 * (port)) + + #define A5PSW_PORT_ENA 0x8 ++#define A5PSW_PORT_ENA_TX(port) BIT(port) + #define A5PSW_PORT_ENA_RX_SHIFT 16 + #define A5PSW_PORT_ENA_TX_RX(port) (BIT((port) + A5PSW_PORT_ENA_RX_SHIFT) | \ + BIT(port)) +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-239-net-dsa-rzn1-a5psw-disable-learning-for-standal.patch b/patches.kernel.org/6.3.4-239-net-dsa-rzn1-a5psw-disable-learning-for-standal.patch new file mode 100644 index 0000000..01022d8 --- /dev/null +++ b/patches.kernel.org/6.3.4-239-net-dsa-rzn1-a5psw-disable-learning-for-standal.patch @@ -0,0 +1,90 @@ +From: =?UTF-8?q?Cl=C3=A9ment=20L=C3=A9ger?= +Date: Fri, 12 May 2023 09:27:12 +0200 +Subject: [PATCH] net: dsa: rzn1-a5psw: disable learning for standalone ports +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: ec52b69c046a6219011af780aca155a96719637b + +[ Upstream commit ec52b69c046a6219011af780aca155a96719637b ] + +When ports are in standalone mode, they should have learning disabled to +avoid adding new entries in the MAC lookup table which might be used by +other bridge ports to forward packets. While adding that, also make sure +learning is enabled for CPU port. + +Fixes: 888cdb892b61 ("net: dsa: rzn1-a5psw: add Renesas RZ/N1 advanced 5 port switch driver") +Signed-off-by: Clément Léger +Signed-off-by: Alexis Lothoré +Reviewed-by: Piotr Raczynski +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/net/dsa/rzn1_a5psw.c | 24 ++++++++++++++++-------- + 1 file changed, 16 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/dsa/rzn1_a5psw.c b/drivers/net/dsa/rzn1_a5psw.c +index e2549cb3..c37d2e53 100644 +--- a/drivers/net/dsa/rzn1_a5psw.c ++++ b/drivers/net/dsa/rzn1_a5psw.c +@@ -340,6 +340,14 @@ static void a5psw_flooding_set_resolution(struct a5psw *a5psw, int port, + a5psw_reg_writel(a5psw, offsets[i], a5psw->bridged_ports); + } + ++static void a5psw_port_set_standalone(struct a5psw *a5psw, int port, ++ bool standalone) ++{ ++ a5psw_port_learning_set(a5psw, port, !standalone); ++ a5psw_flooding_set_resolution(a5psw, port, !standalone); ++ a5psw_port_mgmtfwd_set(a5psw, port, standalone); ++} ++ + static int a5psw_port_bridge_join(struct dsa_switch *ds, int port, + struct dsa_bridge bridge, + bool *tx_fwd_offload, +@@ -355,8 +363,7 @@ static int a5psw_port_bridge_join(struct dsa_switch *ds, int port, + } + + a5psw->br_dev = bridge.dev; +- a5psw_flooding_set_resolution(a5psw, port, true); +- a5psw_port_mgmtfwd_set(a5psw, port, false); ++ a5psw_port_set_standalone(a5psw, port, false); + + return 0; + } +@@ -366,8 +373,7 @@ static void a5psw_port_bridge_leave(struct dsa_switch *ds, int port, + { + struct a5psw *a5psw = ds->priv; + +- a5psw_flooding_set_resolution(a5psw, port, false); +- a5psw_port_mgmtfwd_set(a5psw, port, true); ++ a5psw_port_set_standalone(a5psw, port, true); + + /* No more ports bridged */ + if (a5psw->bridged_ports == BIT(A5PSW_CPU_PORT)) +@@ -761,13 +767,15 @@ static int a5psw_setup(struct dsa_switch *ds) + if (dsa_port_is_unused(dp)) + continue; + +- /* Enable egress flooding for CPU port */ +- if (dsa_port_is_cpu(dp)) ++ /* Enable egress flooding and learning for CPU port */ ++ if (dsa_port_is_cpu(dp)) { + a5psw_flooding_set_resolution(a5psw, port, true); ++ a5psw_port_learning_set(a5psw, port, true); ++ } + +- /* Enable management forward only for user ports */ ++ /* Enable standalone mode for user ports */ + if (dsa_port_is_user(dp)) +- a5psw_port_mgmtfwd_set(a5psw, port, true); ++ a5psw_port_set_standalone(a5psw, port, true); + } + + return 0; +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-240-net-hns3-fix-output-information-incomplete-for-.patch b/patches.kernel.org/6.3.4-240-net-hns3-fix-output-information-incomplete-for-.patch new file mode 100644 index 0000000..a6e8b93 --- /dev/null +++ b/patches.kernel.org/6.3.4-240-net-hns3-fix-output-information-incomplete-for-.patch @@ -0,0 +1,55 @@ +From: Jie Wang +Date: Fri, 12 May 2023 18:00:11 +0800 +Subject: [PATCH] net: hns3: fix output information incomplete for dumping tx + queue info with debugfs +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 89f6bfb071182f05d7188c255b0e7251c3806f16 + +[ Upstream commit 89f6bfb071182f05d7188c255b0e7251c3806f16 ] + +In function hns3_dump_tx_queue_info, The print buffer is not enough when +the tx BD number is configured to 32760. As a result several BD +information wouldn't be displayed. + +So fix it by increasing the tx queue print buffer length. + +Fixes: 630a6738da82 ("net: hns3: adjust string spaces of some parameters of tx bd info in debugfs") +Signed-off-by: Jie Wang +Signed-off-by: Hao Lan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c | 2 +- + drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.h | 1 + + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c b/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c +index 66feb23f..bcccd82a 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c +@@ -130,7 +130,7 @@ static struct hns3_dbg_cmd_info hns3_dbg_cmd[] = { + .name = "tx_bd_queue", + .cmd = HNAE3_DBG_CMD_TX_BD, + .dentry = HNS3_DBG_DENTRY_TX_BD, +- .buf_len = HNS3_DBG_READ_LEN_4MB, ++ .buf_len = HNS3_DBG_READ_LEN_5MB, + .init = hns3_dbg_bd_file_init, + }, + { +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.h b/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.h +index 97578eab..4a5ef8a9 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.h ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.h +@@ -10,6 +10,7 @@ + #define HNS3_DBG_READ_LEN_128KB 0x20000 + #define HNS3_DBG_READ_LEN_1MB 0x100000 + #define HNS3_DBG_READ_LEN_4MB 0x400000 ++#define HNS3_DBG_READ_LEN_5MB 0x500000 + #define HNS3_DBG_WRITE_LEN 1024 + + #define HNS3_DBG_DATA_STR_LEN 32 +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-241-net-hns3-fix-sending-pfc-frames-after-reset-iss.patch b/patches.kernel.org/6.3.4-241-net-hns3-fix-sending-pfc-frames-after-reset-iss.patch new file mode 100644 index 0000000..02145a9 --- /dev/null +++ b/patches.kernel.org/6.3.4-241-net-hns3-fix-sending-pfc-frames-after-reset-iss.patch @@ -0,0 +1,92 @@ +From: Jijie Shao +Date: Fri, 12 May 2023 18:00:12 +0800 +Subject: [PATCH] net: hns3: fix sending pfc frames after reset issue +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: f14db07064727dd3bc0906c77a6d2759c1bbb395 + +[ Upstream commit f14db07064727dd3bc0906c77a6d2759c1bbb395 ] + +To prevent the system from abnormally sending PFC frames after an +abnormal reset. The hns3 driver notifies the firmware to disable pfc +before reset. + +Fixes: 35d93a30040c ("net: hns3: adjust the process of PF reset") +Signed-off-by: Jijie Shao +Signed-off-by: Hao Lan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + .../ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 15 +++++++++------ + .../net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c | 4 ++-- + .../net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.h | 5 +++++ + 3 files changed, 16 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c +index 07ad5f35..50e956d6 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c +@@ -8053,12 +8053,15 @@ static void hclge_ae_stop(struct hnae3_handle *handle) + /* If it is not PF reset or FLR, the firmware will disable the MAC, + * so it only need to stop phy here. + */ +- if (test_bit(HCLGE_STATE_RST_HANDLING, &hdev->state) && +- hdev->reset_type != HNAE3_FUNC_RESET && +- hdev->reset_type != HNAE3_FLR_RESET) { +- hclge_mac_stop_phy(hdev); +- hclge_update_link_status(hdev); +- return; ++ if (test_bit(HCLGE_STATE_RST_HANDLING, &hdev->state)) { ++ hclge_pfc_pause_en_cfg(hdev, HCLGE_PFC_TX_RX_DISABLE, ++ HCLGE_PFC_DISABLE); ++ if (hdev->reset_type != HNAE3_FUNC_RESET && ++ hdev->reset_type != HNAE3_FLR_RESET) { ++ hclge_mac_stop_phy(hdev); ++ hclge_update_link_status(hdev); ++ return; ++ } + } + + hclge_reset_tqp(handle); +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c +index 4a33f651..922c0da3 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c +@@ -171,8 +171,8 @@ int hclge_mac_pause_en_cfg(struct hclge_dev *hdev, bool tx, bool rx) + return hclge_cmd_send(&hdev->hw, &desc, 1); + } + +-static int hclge_pfc_pause_en_cfg(struct hclge_dev *hdev, u8 tx_rx_bitmap, +- u8 pfc_bitmap) ++int hclge_pfc_pause_en_cfg(struct hclge_dev *hdev, u8 tx_rx_bitmap, ++ u8 pfc_bitmap) + { + struct hclge_desc desc; + struct hclge_pfc_en_cmd *pfc = (struct hclge_pfc_en_cmd *)desc.data; +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.h b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.h +index 68f28a98..dd6f1fd4 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.h ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.h +@@ -164,6 +164,9 @@ struct hclge_bp_to_qs_map_cmd { + u32 rsvd1; + }; + ++#define HCLGE_PFC_DISABLE 0 ++#define HCLGE_PFC_TX_RX_DISABLE 0 ++ + struct hclge_pfc_en_cmd { + u8 tx_rx_en_bitmap; + u8 pri_en_bitmap; +@@ -235,6 +238,8 @@ void hclge_tm_schd_info_update(struct hclge_dev *hdev, u8 num_tc); + void hclge_tm_pfc_info_update(struct hclge_dev *hdev); + int hclge_tm_dwrr_cfg(struct hclge_dev *hdev); + int hclge_tm_init_hw(struct hclge_dev *hdev, bool init); ++int hclge_pfc_pause_en_cfg(struct hclge_dev *hdev, u8 tx_rx_bitmap, ++ u8 pfc_bitmap); + int hclge_mac_pause_en_cfg(struct hclge_dev *hdev, bool tx, bool rx); + int hclge_pause_addr_cfg(struct hclge_dev *hdev, const u8 *mac_addr); + void hclge_pfc_rx_stats_get(struct hclge_dev *hdev, u64 *stats); +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-242-net-hns3-fix-reset-delay-time-to-avoid-configur.patch b/patches.kernel.org/6.3.4-242-net-hns3-fix-reset-delay-time-to-avoid-configur.patch new file mode 100644 index 0000000..b4f464d --- /dev/null +++ b/patches.kernel.org/6.3.4-242-net-hns3-fix-reset-delay-time-to-avoid-configur.patch @@ -0,0 +1,46 @@ +From: Jie Wang +Date: Fri, 12 May 2023 18:00:13 +0800 +Subject: [PATCH] net: hns3: fix reset delay time to avoid configuration + timeout +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 814d0c786068e858d889ada3153bff82f64223ad + +[ Upstream commit 814d0c786068e858d889ada3153bff82f64223ad ] + +Currently the hns3 vf function reset delays 5000ms before vf rebuild +process. In product applications, this delay is too long for application +configurations and causes configuration timeout. + +According to the tests, 500ms delay is enough for reset process except PF +FLR. So this patch modifies delay to 500ms in these scenarios. + +Fixes: 6988eb2a9b77 ("net: hns3: Add support to reset the enet/ring mgmt layer") +Signed-off-by: Jie Wang +Signed-off-by: Hao Lan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c +index e84e5be8..b1b14850 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c +@@ -1436,7 +1436,10 @@ static int hclgevf_reset_wait(struct hclgevf_dev *hdev) + * might happen in case reset assertion was made by PF. Yes, this also + * means we might end up waiting bit more even for VF reset. + */ +- msleep(5000); ++ if (hdev->reset_type == HNAE3_VF_FULL_RESET) ++ msleep(5000); ++ else ++ msleep(500); + + return 0; + } +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-243-net-hns3-fix-reset-timeout-when-enable-full-VF.patch b/patches.kernel.org/6.3.4-243-net-hns3-fix-reset-timeout-when-enable-full-VF.patch new file mode 100644 index 0000000..248a3a6 --- /dev/null +++ b/patches.kernel.org/6.3.4-243-net-hns3-fix-reset-timeout-when-enable-full-VF.patch @@ -0,0 +1,112 @@ +From: Jijie Shao +Date: Fri, 12 May 2023 18:00:14 +0800 +Subject: [PATCH] net: hns3: fix reset timeout when enable full VF +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 6b45d5ff8c2c61baddd67d7510075ae121c5e704 + +[ Upstream commit 6b45d5ff8c2c61baddd67d7510075ae121c5e704 ] + +The timeout of the cmdq reset command has been increased to +resolve the reset timeout issue in the full VF scenario. +The timeout of other cmdq commands remains unchanged. + +Fixes: 8d307f8e8cf1 ("net: hns3: create new set of unified hclge_comm_cmd_send APIs") +Signed-off-by: Jijie Shao +Signed-off-by: Hao Lan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + .../hns3/hns3_common/hclge_comm_cmd.c | 25 ++++++++++++++++--- + .../hns3/hns3_common/hclge_comm_cmd.h | 8 +++++- + 2 files changed, 28 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_common/hclge_comm_cmd.c b/drivers/net/ethernet/hisilicon/hns3/hns3_common/hclge_comm_cmd.c +index f671a63c..c797d54f 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3_common/hclge_comm_cmd.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_common/hclge_comm_cmd.c +@@ -330,9 +330,25 @@ static int hclge_comm_cmd_csq_done(struct hclge_comm_hw *hw) + return head == hw->cmq.csq.next_to_use; + } + +-static void hclge_comm_wait_for_resp(struct hclge_comm_hw *hw, ++static u32 hclge_get_cmdq_tx_timeout(u16 opcode, u32 tx_timeout) ++{ ++ static const struct hclge_cmdq_tx_timeout_map cmdq_tx_timeout_map[] = { ++ {HCLGE_OPC_CFG_RST_TRIGGER, HCLGE_COMM_CMDQ_TX_TIMEOUT_500MS}, ++ }; ++ u32 i; ++ ++ for (i = 0; i < ARRAY_SIZE(cmdq_tx_timeout_map); i++) ++ if (cmdq_tx_timeout_map[i].opcode == opcode) ++ return cmdq_tx_timeout_map[i].tx_timeout; ++ ++ return tx_timeout; ++} ++ ++static void hclge_comm_wait_for_resp(struct hclge_comm_hw *hw, u16 opcode, + bool *is_completed) + { ++ u32 cmdq_tx_timeout = hclge_get_cmdq_tx_timeout(opcode, ++ hw->cmq.tx_timeout); + u32 timeout = 0; + + do { +@@ -342,7 +358,7 @@ static void hclge_comm_wait_for_resp(struct hclge_comm_hw *hw, + } + udelay(1); + timeout++; +- } while (timeout < hw->cmq.tx_timeout); ++ } while (timeout < cmdq_tx_timeout); + } + + static int hclge_comm_cmd_convert_err_code(u16 desc_ret) +@@ -406,7 +422,8 @@ static int hclge_comm_cmd_check_result(struct hclge_comm_hw *hw, + * if multi descriptors to be sent, use the first one to check + */ + if (HCLGE_COMM_SEND_SYNC(le16_to_cpu(desc->flag))) +- hclge_comm_wait_for_resp(hw, &is_completed); ++ hclge_comm_wait_for_resp(hw, le16_to_cpu(desc->opcode), ++ &is_completed); + + if (!is_completed) + ret = -EBADE; +@@ -528,7 +545,7 @@ int hclge_comm_cmd_queue_init(struct pci_dev *pdev, struct hclge_comm_hw *hw) + cmdq->crq.desc_num = HCLGE_COMM_NIC_CMQ_DESC_NUM; + + /* Setup Tx write back timeout */ +- cmdq->tx_timeout = HCLGE_COMM_CMDQ_TX_TIMEOUT; ++ cmdq->tx_timeout = HCLGE_COMM_CMDQ_TX_TIMEOUT_DEFAULT; + + /* Setup queue rings */ + ret = hclge_comm_alloc_cmd_queue(hw, HCLGE_COMM_TYPE_CSQ); +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_common/hclge_comm_cmd.h b/drivers/net/ethernet/hisilicon/hns3/hns3_common/hclge_comm_cmd.h +index b1f9383b..2b2928c6 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3_common/hclge_comm_cmd.h ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_common/hclge_comm_cmd.h +@@ -54,7 +54,8 @@ + #define HCLGE_COMM_NIC_SW_RST_RDY BIT(HCLGE_COMM_NIC_SW_RST_RDY_B) + #define HCLGE_COMM_NIC_CMQ_DESC_NUM_S 3 + #define HCLGE_COMM_NIC_CMQ_DESC_NUM 1024 +-#define HCLGE_COMM_CMDQ_TX_TIMEOUT 30000 ++#define HCLGE_COMM_CMDQ_TX_TIMEOUT_DEFAULT 30000 ++#define HCLGE_COMM_CMDQ_TX_TIMEOUT_500MS 500000 + + enum hclge_opcode_type { + /* Generic commands */ +@@ -357,6 +358,11 @@ struct hclge_comm_caps_bit_map { + u16 local_bit; + }; + ++struct hclge_cmdq_tx_timeout_map { ++ u32 opcode; ++ u32 tx_timeout; ++}; ++ + struct hclge_comm_firmware_compat_cmd { + __le32 compat; + u8 rsv[20]; +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-244-media-netup_unidvb-fix-use-after-free-at-del_ti.patch b/patches.kernel.org/6.3.4-244-media-netup_unidvb-fix-use-after-free-at-del_ti.patch new file mode 100644 index 0000000..2cb8efc --- /dev/null +++ b/patches.kernel.org/6.3.4-244-media-netup_unidvb-fix-use-after-free-at-del_ti.patch @@ -0,0 +1,50 @@ +From: Duoming Zhou +Date: Wed, 8 Mar 2023 12:55:14 +0000 +Subject: [PATCH] media: netup_unidvb: fix use-after-free at del_timer() +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 0f5bb36bf9b39a2a96e730bf4455095b50713f63 + +[ Upstream commit 0f5bb36bf9b39a2a96e730bf4455095b50713f63 ] + +When Universal DVB card is detaching, netup_unidvb_dma_fini() +uses del_timer() to stop dma->timeout timer. But when timer +handler netup_unidvb_dma_timeout() is running, del_timer() +could not stop it. As a result, the use-after-free bug could +happen. The process is shown below: + + (cleanup routine) | (timer routine) + | mod_timer(&dev->tx_sim_timer, ..) +netup_unidvb_finidev() | (wait a time) + netup_unidvb_dma_fini() | netup_unidvb_dma_timeout() + del_timer(&dma->timeout); | + | ndev->pci_dev->dev //USE + +Fix by changing del_timer() to del_timer_sync(). + +Link: https://lore.kernel.org/linux-media/20230308125514.4208-1-duoming@zju.edu.cn +Fixes: 52b1eaf4c59a ("[media] netup_unidvb: NetUP Universal DVB-S/S2/T/T2/C PCI-E card driver") +Signed-off-by: Duoming Zhou +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/media/pci/netup_unidvb/netup_unidvb_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/pci/netup_unidvb/netup_unidvb_core.c b/drivers/media/pci/netup_unidvb/netup_unidvb_core.c +index 8287851b..aaa1d2de 100644 +--- a/drivers/media/pci/netup_unidvb/netup_unidvb_core.c ++++ b/drivers/media/pci/netup_unidvb/netup_unidvb_core.c +@@ -697,7 +697,7 @@ static void netup_unidvb_dma_fini(struct netup_unidvb_dev *ndev, int num) + netup_unidvb_dma_enable(dma, 0); + msleep(50); + cancel_work_sync(&dma->work); +- del_timer(&dma->timeout); ++ del_timer_sync(&dma->timeout); + } + + static int netup_unidvb_dma_setup(struct netup_unidvb_dev *ndev) +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-245-SUNRPC-double-free-xprt_ctxt-while-still-in-use.patch b/patches.kernel.org/6.3.4-245-SUNRPC-double-free-xprt_ctxt-while-still-in-use.patch new file mode 100644 index 0000000..f7efc29 --- /dev/null +++ b/patches.kernel.org/6.3.4-245-SUNRPC-double-free-xprt_ctxt-while-still-in-use.patch @@ -0,0 +1,59 @@ +From: NeilBrown +Date: Tue, 9 May 2023 09:41:49 +1000 +Subject: [PATCH] SUNRPC: double free xprt_ctxt while still in use +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: eb8d3a2c809abd73ab0a060fe971d6b9019aa3c1 + +[ Upstream commit eb8d3a2c809abd73ab0a060fe971d6b9019aa3c1 ] + +When an RPC request is deferred, the rq_xprt_ctxt pointer is moved out +of the svc_rqst into the svc_deferred_req. +When the deferred request is revisited, the pointer is copied into +the new svc_rqst - and also remains in the svc_deferred_req. + +In the (rare?) case that the request is deferred a second time, the old +svc_deferred_req is reused - it still has all the correct content. +However in that case the rq_xprt_ctxt pointer is NOT cleared so that +when xpo_release_xprt is called, the ctxt is freed (UDP) or possible +added to a free list (RDMA). +When the deferred request is revisited for a second time, it will +reference this ctxt which may be invalid, and the free the object a +second time which is likely to oops. + +So change svc_defer() to *always* clear rq_xprt_ctxt, and assert that +the value is now stored in the svc_deferred_req. + +Fixes: 773f91b2cf3f ("SUNRPC: Fix NFSD's request deferral on RDMA transports") +Signed-off-by: NeilBrown +Reviewed-by: Jeff Layton +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + net/sunrpc/svc_xprt.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/sunrpc/svc_xprt.c b/net/sunrpc/svc_xprt.c +index ba629297..feab34db 100644 +--- a/net/sunrpc/svc_xprt.c ++++ b/net/sunrpc/svc_xprt.c +@@ -1224,13 +1224,14 @@ static struct cache_deferred_req *svc_defer(struct cache_req *req) + dr->daddr = rqstp->rq_daddr; + dr->argslen = rqstp->rq_arg.len >> 2; + dr->xprt_ctxt = rqstp->rq_xprt_ctxt; +- rqstp->rq_xprt_ctxt = NULL; + + /* back up head to the start of the buffer and copy */ + skip = rqstp->rq_arg.len - rqstp->rq_arg.head[0].iov_len; + memcpy(dr->args, rqstp->rq_arg.head[0].iov_base - skip, + dr->argslen << 2); + } ++ WARN_ON_ONCE(rqstp->rq_xprt_ctxt != dr->xprt_ctxt); ++ rqstp->rq_xprt_ctxt = NULL; + trace_svc_defer(rqstp); + svc_xprt_get(rqstp->rq_xprt); + dr->xprt = rqstp->rq_xprt; +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-246-SUNRPC-always-free-ctxt-when-freeing-deferred-r.patch b/patches.kernel.org/6.3.4-246-SUNRPC-always-free-ctxt-when-freeing-deferred-r.patch new file mode 100644 index 0000000..99ea36a --- /dev/null +++ b/patches.kernel.org/6.3.4-246-SUNRPC-always-free-ctxt-when-freeing-deferred-r.patch @@ -0,0 +1,268 @@ +From: NeilBrown +Date: Tue, 9 May 2023 09:42:47 +1000 +Subject: [PATCH] SUNRPC: always free ctxt when freeing deferred request +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 948f072ada23e0a504c5e4d7d71d4c83bd0785ec + +[ Upstream commit 948f072ada23e0a504c5e4d7d71d4c83bd0785ec ] + +Since the ->xprt_ctxt pointer was added to svc_deferred_req, it has not +been sufficient to use kfree() to free a deferred request. We may need +to free the ctxt as well. + +As freeing the ctxt is all that ->xpo_release_rqst() does, we repurpose +it to explicit do that even when the ctxt is not stored in an rqst. +So we now have ->xpo_release_ctxt() which is given an xprt and a ctxt, +which may have been taken either from an rqst or from a dreq. The +caller is now responsible for clearing that pointer after the call to +->xpo_release_ctxt. + +We also clear dr->xprt_ctxt when the ctxt is moved into a new rqst when +revisiting a deferred request. This ensures there is only one pointer +to the ctxt, so the risk of double freeing in future is reduced. The +new code in svc_xprt_release which releases both the ctxt and any +rq_deferred depends on this. + +Fixes: 773f91b2cf3f ("SUNRPC: Fix NFSD's request deferral on RDMA transports") +Signed-off-by: NeilBrown +Reviewed-by: Jeff Layton +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + include/linux/sunrpc/svc_rdma.h | 2 +- + include/linux/sunrpc/svc_xprt.h | 2 +- + net/sunrpc/svc_xprt.c | 23 +++++++++++++----- + net/sunrpc/svcsock.c | 30 +++++++++++++----------- + net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 11 ++++----- + net/sunrpc/xprtrdma/svc_rdma_transport.c | 2 +- + 6 files changed, 41 insertions(+), 29 deletions(-) + +diff --git a/include/linux/sunrpc/svc_rdma.h b/include/linux/sunrpc/svc_rdma.h +index 24aa159d..fbc4bd42 100644 +--- a/include/linux/sunrpc/svc_rdma.h ++++ b/include/linux/sunrpc/svc_rdma.h +@@ -176,7 +176,7 @@ extern struct svc_rdma_recv_ctxt * + extern void svc_rdma_recv_ctxt_put(struct svcxprt_rdma *rdma, + struct svc_rdma_recv_ctxt *ctxt); + extern void svc_rdma_flush_recv_queues(struct svcxprt_rdma *rdma); +-extern void svc_rdma_release_rqst(struct svc_rqst *rqstp); ++extern void svc_rdma_release_ctxt(struct svc_xprt *xprt, void *ctxt); + extern int svc_rdma_recvfrom(struct svc_rqst *); + + /* svc_rdma_rw.c */ +diff --git a/include/linux/sunrpc/svc_xprt.h b/include/linux/sunrpc/svc_xprt.h +index 77536880..f725a3ac 100644 +--- a/include/linux/sunrpc/svc_xprt.h ++++ b/include/linux/sunrpc/svc_xprt.h +@@ -23,7 +23,7 @@ struct svc_xprt_ops { + int (*xpo_sendto)(struct svc_rqst *); + int (*xpo_result_payload)(struct svc_rqst *, unsigned int, + unsigned int); +- void (*xpo_release_rqst)(struct svc_rqst *); ++ void (*xpo_release_ctxt)(struct svc_xprt *xprt, void *ctxt); + void (*xpo_detach)(struct svc_xprt *); + void (*xpo_free)(struct svc_xprt *); + void (*xpo_kill_temp_xprt)(struct svc_xprt *); +diff --git a/net/sunrpc/svc_xprt.c b/net/sunrpc/svc_xprt.c +index feab34db..76762877 100644 +--- a/net/sunrpc/svc_xprt.c ++++ b/net/sunrpc/svc_xprt.c +@@ -532,13 +532,23 @@ void svc_reserve(struct svc_rqst *rqstp, int space) + } + EXPORT_SYMBOL_GPL(svc_reserve); + ++static void free_deferred(struct svc_xprt *xprt, struct svc_deferred_req *dr) ++{ ++ if (!dr) ++ return; ++ ++ xprt->xpt_ops->xpo_release_ctxt(xprt, dr->xprt_ctxt); ++ kfree(dr); ++} ++ + static void svc_xprt_release(struct svc_rqst *rqstp) + { + struct svc_xprt *xprt = rqstp->rq_xprt; + +- xprt->xpt_ops->xpo_release_rqst(rqstp); ++ xprt->xpt_ops->xpo_release_ctxt(xprt, rqstp->rq_xprt_ctxt); ++ rqstp->rq_xprt_ctxt = NULL; + +- kfree(rqstp->rq_deferred); ++ free_deferred(xprt, rqstp->rq_deferred); + rqstp->rq_deferred = NULL; + + pagevec_release(&rqstp->rq_pvec); +@@ -1055,7 +1065,7 @@ static void svc_delete_xprt(struct svc_xprt *xprt) + spin_unlock_bh(&serv->sv_lock); + + while ((dr = svc_deferred_dequeue(xprt)) != NULL) +- kfree(dr); ++ free_deferred(xprt, dr); + + call_xpt_users(xprt); + svc_xprt_put(xprt); +@@ -1177,8 +1187,8 @@ static void svc_revisit(struct cache_deferred_req *dreq, int too_many) + if (too_many || test_bit(XPT_DEAD, &xprt->xpt_flags)) { + spin_unlock(&xprt->xpt_lock); + trace_svc_defer_drop(dr); ++ free_deferred(xprt, dr); + svc_xprt_put(xprt); +- kfree(dr); + return; + } + dr->xprt = NULL; +@@ -1223,14 +1233,13 @@ static struct cache_deferred_req *svc_defer(struct cache_req *req) + dr->addrlen = rqstp->rq_addrlen; + dr->daddr = rqstp->rq_daddr; + dr->argslen = rqstp->rq_arg.len >> 2; +- dr->xprt_ctxt = rqstp->rq_xprt_ctxt; + + /* back up head to the start of the buffer and copy */ + skip = rqstp->rq_arg.len - rqstp->rq_arg.head[0].iov_len; + memcpy(dr->args, rqstp->rq_arg.head[0].iov_base - skip, + dr->argslen << 2); + } +- WARN_ON_ONCE(rqstp->rq_xprt_ctxt != dr->xprt_ctxt); ++ dr->xprt_ctxt = rqstp->rq_xprt_ctxt; + rqstp->rq_xprt_ctxt = NULL; + trace_svc_defer(rqstp); + svc_xprt_get(rqstp->rq_xprt); +@@ -1264,6 +1273,8 @@ static noinline int svc_deferred_recv(struct svc_rqst *rqstp) + rqstp->rq_daddr = dr->daddr; + rqstp->rq_respages = rqstp->rq_pages; + rqstp->rq_xprt_ctxt = dr->xprt_ctxt; ++ ++ dr->xprt_ctxt = NULL; + svc_xprt_received(rqstp->rq_xprt); + return dr->argslen << 2; + } +diff --git a/net/sunrpc/svcsock.c b/net/sunrpc/svcsock.c +index 03a4f561..bf2d2cdc 100644 +--- a/net/sunrpc/svcsock.c ++++ b/net/sunrpc/svcsock.c +@@ -112,27 +112,27 @@ static void svc_reclassify_socket(struct socket *sock) + #endif + + /** +- * svc_tcp_release_rqst - Release transport-related resources +- * @rqstp: request structure with resources to be released ++ * svc_tcp_release_ctxt - Release transport-related resources ++ * @xprt: the transport which owned the context ++ * @ctxt: the context from rqstp->rq_xprt_ctxt or dr->xprt_ctxt + * + */ +-static void svc_tcp_release_rqst(struct svc_rqst *rqstp) ++static void svc_tcp_release_ctxt(struct svc_xprt *xprt, void *ctxt) + { + } + + /** +- * svc_udp_release_rqst - Release transport-related resources +- * @rqstp: request structure with resources to be released ++ * svc_udp_release_ctxt - Release transport-related resources ++ * @xprt: the transport which owned the context ++ * @ctxt: the context from rqstp->rq_xprt_ctxt or dr->xprt_ctxt + * + */ +-static void svc_udp_release_rqst(struct svc_rqst *rqstp) ++static void svc_udp_release_ctxt(struct svc_xprt *xprt, void *ctxt) + { +- struct sk_buff *skb = rqstp->rq_xprt_ctxt; ++ struct sk_buff *skb = ctxt; + +- if (skb) { +- rqstp->rq_xprt_ctxt = NULL; ++ if (skb) + consume_skb(skb); +- } + } + + union svc_pktinfo_u { +@@ -560,7 +560,8 @@ static int svc_udp_sendto(struct svc_rqst *rqstp) + unsigned int sent; + int err; + +- svc_udp_release_rqst(rqstp); ++ svc_udp_release_ctxt(xprt, rqstp->rq_xprt_ctxt); ++ rqstp->rq_xprt_ctxt = NULL; + + svc_set_cmsg_data(rqstp, cmh); + +@@ -632,7 +633,7 @@ static const struct svc_xprt_ops svc_udp_ops = { + .xpo_recvfrom = svc_udp_recvfrom, + .xpo_sendto = svc_udp_sendto, + .xpo_result_payload = svc_sock_result_payload, +- .xpo_release_rqst = svc_udp_release_rqst, ++ .xpo_release_ctxt = svc_udp_release_ctxt, + .xpo_detach = svc_sock_detach, + .xpo_free = svc_sock_free, + .xpo_has_wspace = svc_udp_has_wspace, +@@ -1162,7 +1163,8 @@ static int svc_tcp_sendto(struct svc_rqst *rqstp) + unsigned int sent; + int err; + +- svc_tcp_release_rqst(rqstp); ++ svc_tcp_release_ctxt(xprt, rqstp->rq_xprt_ctxt); ++ rqstp->rq_xprt_ctxt = NULL; + + atomic_inc(&svsk->sk_sendqlen); + mutex_lock(&xprt->xpt_mutex); +@@ -1207,7 +1209,7 @@ static const struct svc_xprt_ops svc_tcp_ops = { + .xpo_recvfrom = svc_tcp_recvfrom, + .xpo_sendto = svc_tcp_sendto, + .xpo_result_payload = svc_sock_result_payload, +- .xpo_release_rqst = svc_tcp_release_rqst, ++ .xpo_release_ctxt = svc_tcp_release_ctxt, + .xpo_detach = svc_tcp_sock_detach, + .xpo_free = svc_sock_free, + .xpo_has_wspace = svc_tcp_has_wspace, +diff --git a/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c b/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c +index 1c658fa4..a22fe758 100644 +--- a/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c ++++ b/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c +@@ -239,21 +239,20 @@ void svc_rdma_recv_ctxt_put(struct svcxprt_rdma *rdma, + } + + /** +- * svc_rdma_release_rqst - Release transport-specific per-rqst resources +- * @rqstp: svc_rqst being released ++ * svc_rdma_release_ctxt - Release transport-specific per-rqst resources ++ * @xprt: the transport which owned the context ++ * @vctxt: the context from rqstp->rq_xprt_ctxt or dr->xprt_ctxt + * + * Ensure that the recv_ctxt is released whether or not a Reply + * was sent. For example, the client could close the connection, + * or svc_process could drop an RPC, before the Reply is sent. + */ +-void svc_rdma_release_rqst(struct svc_rqst *rqstp) ++void svc_rdma_release_ctxt(struct svc_xprt *xprt, void *vctxt) + { +- struct svc_rdma_recv_ctxt *ctxt = rqstp->rq_xprt_ctxt; +- struct svc_xprt *xprt = rqstp->rq_xprt; ++ struct svc_rdma_recv_ctxt *ctxt = vctxt; + struct svcxprt_rdma *rdma = + container_of(xprt, struct svcxprt_rdma, sc_xprt); + +- rqstp->rq_xprt_ctxt = NULL; + if (ctxt) + svc_rdma_recv_ctxt_put(rdma, ctxt); + } +diff --git a/net/sunrpc/xprtrdma/svc_rdma_transport.c b/net/sunrpc/xprtrdma/svc_rdma_transport.c +index 416b298f..ca04f7a6 100644 +--- a/net/sunrpc/xprtrdma/svc_rdma_transport.c ++++ b/net/sunrpc/xprtrdma/svc_rdma_transport.c +@@ -80,7 +80,7 @@ static const struct svc_xprt_ops svc_rdma_ops = { + .xpo_recvfrom = svc_rdma_recvfrom, + .xpo_sendto = svc_rdma_sendto, + .xpo_result_payload = svc_rdma_result_payload, +- .xpo_release_rqst = svc_rdma_release_rqst, ++ .xpo_release_ctxt = svc_rdma_release_ctxt, + .xpo_detach = svc_rdma_detach, + .xpo_free = svc_rdma_free, + .xpo_has_wspace = svc_rdma_has_wspace, +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-247-SUNRPC-Fix-trace_svc_register-call-site.patch b/patches.kernel.org/6.3.4-247-SUNRPC-Fix-trace_svc_register-call-site.patch new file mode 100644 index 0000000..f04b21a --- /dev/null +++ b/patches.kernel.org/6.3.4-247-SUNRPC-Fix-trace_svc_register-call-site.patch @@ -0,0 +1,36 @@ +From: Chuck Lever +Date: Sun, 14 May 2023 15:51:48 -0400 +Subject: [PATCH] SUNRPC: Fix trace_svc_register() call site +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 07a27305938559fb35f7a46fb90a5e37728bdee6 + +[ Upstream commit 07a27305938559fb35f7a46fb90a5e37728bdee6 ] + +The trace event recorded incorrect values for the registered family, +protocol, and port because the arguments are in the wrong order. + +Fixes: b4af59328c25 ("SUNRPC: Trace server-side rpcbind registration events") +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + net/sunrpc/svc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/sunrpc/svc.c b/net/sunrpc/svc.c +index 9874a6de..84d0b879 100644 +--- a/net/sunrpc/svc.c ++++ b/net/sunrpc/svc.c +@@ -1018,7 +1018,7 @@ static int __svc_register(struct net *net, const char *progname, + #endif + } + +- trace_svc_register(progname, version, protocol, port, family, error); ++ trace_svc_register(progname, version, family, protocol, port, error); + return error; + } + +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-248-ASoC-SOF-ipc3-topology-Make-sure-that-only-one-.patch b/patches.kernel.org/6.3.4-248-ASoC-SOF-ipc3-topology-Make-sure-that-only-one-.patch new file mode 100644 index 0000000..001b7d3 --- /dev/null +++ b/patches.kernel.org/6.3.4-248-ASoC-SOF-ipc3-topology-Make-sure-that-only-one-.patch @@ -0,0 +1,60 @@ +From: Peter Ujfalusi +Date: Fri, 12 May 2023 14:03:17 +0300 +Subject: [PATCH] ASoC: SOF: ipc3-topology: Make sure that only one cmd is sent + in dai_config +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 4708449eafe60742334606168926985798c9c9b8 + +[ Upstream commit 4708449eafe60742334606168926985798c9c9b8 ] + +The commands in sof_ipc_dai_config.flags are encoded as bits: +1 (bit0) - hw_params +2 (bit1) - hw_free +4 (bit2) - pause + +These are commands, they cannot be combined as one would assume, for +example +3 (bit0 | bit1) is invalid. + +This can happen right at the second start of a stream as at the end of the +first stream we set the hw_free command (bit1) and on the second start we +would OR on top of it the hw_params (bit0). + +Fixes: b66bfc3a9810 ("ASoC: SOF: sof-audio: Fix broken early bclk feature for SSP") +Signed-off-by: Peter Ujfalusi +Signed-off-by: Jiri Slaby +--- + sound/soc/sof/ipc3-topology.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/sof/ipc3-topology.c b/sound/soc/sof/ipc3-topology.c +index b1f425b3..ffa4c6de 100644 +--- a/sound/soc/sof/ipc3-topology.c ++++ b/sound/soc/sof/ipc3-topology.c +@@ -2111,10 +2111,13 @@ static int sof_ipc3_dai_config(struct snd_sof_dev *sdev, struct snd_sof_widget * + * For the case of PAUSE/HW_FREE, since there are no quirks, flags can be used as is. + */ + +- if (flags & SOF_DAI_CONFIG_FLAGS_HW_PARAMS) ++ if (flags & SOF_DAI_CONFIG_FLAGS_HW_PARAMS) { ++ /* Clear stale command */ ++ config->flags &= ~SOF_DAI_CONFIG_FLAGS_CMD_MASK; + config->flags |= flags; +- else ++ } else { + config->flags = flags; ++ } + + /* only send the IPC if the widget is set up in the DSP */ + if (swidget->use_count > 0) { +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-249-ASoC-mediatek-mt8186-Fix-use-after-free-in-driv.patch b/patches.kernel.org/6.3.4-249-ASoC-mediatek-mt8186-Fix-use-after-free-in-driv.patch new file mode 100644 index 0000000..6e5a842 --- /dev/null +++ b/patches.kernel.org/6.3.4-249-ASoC-mediatek-mt8186-Fix-use-after-free-in-driv.patch @@ -0,0 +1,172 @@ +From: Douglas Anderson +Date: Thu, 11 May 2023 09:25:12 -0700 +Subject: [PATCH] ASoC: mediatek: mt8186: Fix use-after-free in driver remove + path +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: a93d2afd3f77a7331271a0f25c6a11003db69b3c + +[ Upstream commit a93d2afd3f77a7331271a0f25c6a11003db69b3c ] + +When devm runs function in the "remove" path for a device it runs them +in the reverse order. That means that if you have parts of your driver +that aren't using devm or are using "roll your own" devm w/ +devm_add_action_or_reset() you need to keep that in mind. + +The mt8186 audio driver didn't quite get this right. Specifically, in +mt8186_init_clock() it called mt8186_audsys_clk_register() and then +went on to call a bunch of other devm function. The caller of +mt8186_init_clock() used devm_add_action_or_reset() to call +mt8186_deinit_clock() but, because of the intervening devm functions, +the order was wrong. + +Specifically at probe time, the order was: +1. mt8186_audsys_clk_register() +2. afe_priv->clk = devm_kcalloc(...) +3. afe_priv->clk[i] = devm_clk_get(...) + +At remove time, the order (which should have been 3, 2, 1) was: +1. mt8186_audsys_clk_unregister() +3. Free all of afe_priv->clk[i] +2. Free afe_priv->clk + +The above seemed to be causing a use-after-free. Luckily, it's easy to +fix this by simply using devm more correctly. Let's move the +devm_add_action_or_reset() to the right place. In addition to fixing +the use-after-free, code inspection shows that this fixes a leak +(missing call to mt8186_audsys_clk_unregister()) that would have +happened if any of the syscon_regmap_lookup_by_phandle() calls in +mt8186_init_clock() had failed. + +Fixes: 55b423d5623c ("ASoC: mediatek: mt8186: support audio clock control in platform driver") +Signed-off-by: Douglas Anderson +Signed-off-by: Jiri Slaby +--- + sound/soc/mediatek/mt8186/mt8186-afe-clk.c | 6 --- + sound/soc/mediatek/mt8186/mt8186-afe-clk.h | 1 - + sound/soc/mediatek/mt8186/mt8186-afe-pcm.c | 4 -- + sound/soc/mediatek/mt8186/mt8186-audsys-clk.c | 46 ++++++++++--------- + sound/soc/mediatek/mt8186/mt8186-audsys-clk.h | 1 - + 5 files changed, 24 insertions(+), 34 deletions(-) + +diff --git a/sound/soc/mediatek/mt8186/mt8186-afe-clk.c b/sound/soc/mediatek/mt8186/mt8186-afe-clk.c +index a6b4f290..539e3a02 100644 +--- a/sound/soc/mediatek/mt8186/mt8186-afe-clk.c ++++ b/sound/soc/mediatek/mt8186/mt8186-afe-clk.c +@@ -644,9 +644,3 @@ int mt8186_init_clock(struct mtk_base_afe *afe) + + return 0; + } +- +-void mt8186_deinit_clock(void *priv) +-{ +- struct mtk_base_afe *afe = priv; +- mt8186_audsys_clk_unregister(afe); +-} +diff --git a/sound/soc/mediatek/mt8186/mt8186-afe-clk.h b/sound/soc/mediatek/mt8186/mt8186-afe-clk.h +index d5988717..a9d59e50 100644 +--- a/sound/soc/mediatek/mt8186/mt8186-afe-clk.h ++++ b/sound/soc/mediatek/mt8186/mt8186-afe-clk.h +@@ -81,7 +81,6 @@ enum { + struct mtk_base_afe; + int mt8186_set_audio_int_bus_parent(struct mtk_base_afe *afe, int clk_id); + int mt8186_init_clock(struct mtk_base_afe *afe); +-void mt8186_deinit_clock(void *priv); + int mt8186_afe_enable_cgs(struct mtk_base_afe *afe); + void mt8186_afe_disable_cgs(struct mtk_base_afe *afe); + int mt8186_afe_enable_clock(struct mtk_base_afe *afe); +diff --git a/sound/soc/mediatek/mt8186/mt8186-afe-pcm.c b/sound/soc/mediatek/mt8186/mt8186-afe-pcm.c +index 41172a82..a868a04e 100644 +--- a/sound/soc/mediatek/mt8186/mt8186-afe-pcm.c ++++ b/sound/soc/mediatek/mt8186/mt8186-afe-pcm.c +@@ -2848,10 +2848,6 @@ static int mt8186_afe_pcm_dev_probe(struct platform_device *pdev) + return ret; + } + +- ret = devm_add_action_or_reset(dev, mt8186_deinit_clock, (void *)afe); +- if (ret) +- return ret; +- + /* init memif */ + afe->memif_32bit_supported = 0; + afe->memif_size = MT8186_MEMIF_NUM; +diff --git a/sound/soc/mediatek/mt8186/mt8186-audsys-clk.c b/sound/soc/mediatek/mt8186/mt8186-audsys-clk.c +index 578969ca..5666be6b 100644 +--- a/sound/soc/mediatek/mt8186/mt8186-audsys-clk.c ++++ b/sound/soc/mediatek/mt8186/mt8186-audsys-clk.c +@@ -84,6 +84,29 @@ static const struct afe_gate aud_clks[CLK_AUD_NR_CLK] = { + GATE_AUD2(CLK_AUD_ETDM_OUT1_BCLK, "aud_etdm_out1_bclk", "top_audio", 24), + }; + ++static void mt8186_audsys_clk_unregister(void *data) ++{ ++ struct mtk_base_afe *afe = data; ++ struct mt8186_afe_private *afe_priv = afe->platform_priv; ++ struct clk *clk; ++ struct clk_lookup *cl; ++ int i; ++ ++ if (!afe_priv) ++ return; ++ ++ for (i = 0; i < CLK_AUD_NR_CLK; i++) { ++ cl = afe_priv->lookup[i]; ++ if (!cl) ++ continue; ++ ++ clk = cl->clk; ++ clk_unregister_gate(clk); ++ ++ clkdev_drop(cl); ++ } ++} ++ + int mt8186_audsys_clk_register(struct mtk_base_afe *afe) + { + struct mt8186_afe_private *afe_priv = afe->platform_priv; +@@ -124,27 +147,6 @@ int mt8186_audsys_clk_register(struct mtk_base_afe *afe) + afe_priv->lookup[i] = cl; + } + +- return 0; ++ return devm_add_action_or_reset(afe->dev, mt8186_audsys_clk_unregister, afe); + } + +-void mt8186_audsys_clk_unregister(struct mtk_base_afe *afe) +-{ +- struct mt8186_afe_private *afe_priv = afe->platform_priv; +- struct clk *clk; +- struct clk_lookup *cl; +- int i; +- +- if (!afe_priv) +- return; +- +- for (i = 0; i < CLK_AUD_NR_CLK; i++) { +- cl = afe_priv->lookup[i]; +- if (!cl) +- continue; +- +- clk = cl->clk; +- clk_unregister_gate(clk); +- +- clkdev_drop(cl); +- } +-} +diff --git a/sound/soc/mediatek/mt8186/mt8186-audsys-clk.h b/sound/soc/mediatek/mt8186/mt8186-audsys-clk.h +index b8d6a06e..897a2914 100644 +--- a/sound/soc/mediatek/mt8186/mt8186-audsys-clk.h ++++ b/sound/soc/mediatek/mt8186/mt8186-audsys-clk.h +@@ -10,6 +10,5 @@ + #define _MT8186_AUDSYS_CLK_H_ + + int mt8186_audsys_clk_register(struct mtk_base_afe *afe); +-void mt8186_audsys_clk_unregister(struct mtk_base_afe *afe); + + #endif +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-250-ASoC-SOF-topology-Fix-logic-for-copying-tuples.patch b/patches.kernel.org/6.3.4-250-ASoC-SOF-topology-Fix-logic-for-copying-tuples.patch new file mode 100644 index 0000000..3e329a8 --- /dev/null +++ b/patches.kernel.org/6.3.4-250-ASoC-SOF-topology-Fix-logic-for-copying-tuples.patch @@ -0,0 +1,50 @@ +From: Ranjani Sridharan +Date: Fri, 12 May 2023 14:46:30 +0300 +Subject: [PATCH] ASoC: SOF: topology: Fix logic for copying tuples +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 41c5305cc3d827d2ea686533777a285176ae01a0 + +[ Upstream commit 41c5305cc3d827d2ea686533777a285176ae01a0 ] + +Topology could have more instances of the tokens being searched for than +the number of sets that need to be copied. Stop copying token after the +limit of number of token instances has been reached. This worked before +only by chance as we had allocated more size for the tuples array than +the number of actual tokens being parsed. + +Fixes: 7006d20e5e9d ("ASoC: SOF: Introduce IPC3 ops") +Signed-off-by: Ranjani Sridharan +Signed-off-by: Jiri Slaby +--- + sound/soc/sof/topology.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/sound/soc/sof/topology.c b/sound/soc/sof/topology.c +index 9f3a038f..93ab58ce 100644 +--- a/sound/soc/sof/topology.c ++++ b/sound/soc/sof/topology.c +@@ -586,6 +586,10 @@ static int sof_copy_tuples(struct snd_sof_dev *sdev, struct snd_soc_tplg_vendor_ + if (*num_copied_tuples == tuples_size) + return 0; + } ++ ++ /* stop when we've found the required token instances */ ++ if (found == num_tokens * token_instance_num) ++ return 0; + } + + /* next array */ +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-251-drm-exynos-fix-g2d_open-close-helper-function-d.patch b/patches.kernel.org/6.3.4-251-drm-exynos-fix-g2d_open-close-helper-function-d.patch new file mode 100644 index 0000000..e241df9 --- /dev/null +++ b/patches.kernel.org/6.3.4-251-drm-exynos-fix-g2d_open-close-helper-function-d.patch @@ -0,0 +1,49 @@ +From: Arnd Bergmann +Date: Mon, 17 Apr 2023 23:04:11 +0200 +Subject: [PATCH] drm/exynos: fix g2d_open/close helper function definitions +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 2ef0785b30bd6549ddbc124979f1b6596e065ae2 + +[ Upstream commit 2ef0785b30bd6549ddbc124979f1b6596e065ae2 ] + +The empty stub functions are defined as global functions, which +causes a warning because of missing prototypes: + +drivers/gpu/drm/exynos/exynos_drm_g2d.h:37:5: error: no previous prototype for 'g2d_open' +drivers/gpu/drm/exynos/exynos_drm_g2d.h:42:5: error: no previous prototype for 'g2d_close' + +Mark them as 'static inline' to avoid the warning and to make +them behave as intended. + +Fixes: eb4d9796fa34 ("drm/exynos: g2d: Convert to driver component API") +Signed-off-by: Arnd Bergmann +Reviewed-by: Andi Shyti +Signed-off-by: Inki Dae +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/gpu/drm/exynos/exynos_drm_g2d.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/exynos/exynos_drm_g2d.h b/drivers/gpu/drm/exynos/exynos_drm_g2d.h +index 74ea3c26..1a5ae781 100644 +--- a/drivers/gpu/drm/exynos/exynos_drm_g2d.h ++++ b/drivers/gpu/drm/exynos/exynos_drm_g2d.h +@@ -34,11 +34,11 @@ static inline int exynos_g2d_exec_ioctl(struct drm_device *dev, void *data, + return -ENODEV; + } + +-int g2d_open(struct drm_device *drm_dev, struct drm_file *file) ++static inline int g2d_open(struct drm_device *drm_dev, struct drm_file *file) + { + return 0; + } + +-void g2d_close(struct drm_device *drm_dev, struct drm_file *file) ++static inline void g2d_close(struct drm_device *drm_dev, struct drm_file *file) + { } + #endif +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-252-net-nsh-Use-correct-mac_offset-to-unwind-gso-sk.patch b/patches.kernel.org/6.3.4-252-net-nsh-Use-correct-mac_offset-to-unwind-gso-sk.patch new file mode 100644 index 0000000..0e8272e --- /dev/null +++ b/patches.kernel.org/6.3.4-252-net-nsh-Use-correct-mac_offset-to-unwind-gso-sk.patch @@ -0,0 +1,102 @@ +From: Dong Chenchen +Date: Thu, 11 May 2023 20:54:40 +0800 +Subject: [PATCH] net: nsh: Use correct mac_offset to unwind gso skb in + nsh_gso_segment() +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: c83b49383b595be50647f0c764a48c78b5f3c4f8 + +[ Upstream commit c83b49383b595be50647f0c764a48c78b5f3c4f8 ] + +As the call trace shows, skb_panic was caused by wrong skb->mac_header +in nsh_gso_segment(): + +invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI +CPU: 3 PID: 2737 Comm: syz Not tainted 6.3.0-next-20230505 #1 +RIP: 0010:skb_panic+0xda/0xe0 +call Trace: + skb_push+0x91/0xa0 + nsh_gso_segment+0x4f3/0x570 + skb_mac_gso_segment+0x19e/0x270 + __skb_gso_segment+0x1e8/0x3c0 + validate_xmit_skb+0x452/0x890 + validate_xmit_skb_list+0x99/0xd0 + sch_direct_xmit+0x294/0x7c0 + __dev_queue_xmit+0x16f0/0x1d70 + packet_xmit+0x185/0x210 + packet_snd+0xc15/0x1170 + packet_sendmsg+0x7b/0xa0 + sock_sendmsg+0x14f/0x160 + +The root cause is: +nsh_gso_segment() use skb->network_header - nhoff to reset mac_header +in skb_gso_error_unwind() if inner-layer protocol gso fails. +However, skb->network_header may be reset by inner-layer protocol +gso function e.g. mpls_gso_segment. skb->mac_header reset by the +inaccurate network_header will be larger than skb headroom. + +nsh_gso_segment + nhoff = skb->network_header - skb->mac_header; + __skb_pull(skb,nsh_len) + skb_mac_gso_segment + mpls_gso_segment + skb_reset_network_header(skb);//skb->network_header+=nsh_len + return -EINVAL; + skb_gso_error_unwind + skb_push(skb, nsh_len); + skb->mac_header = skb->network_header - nhoff; + // skb->mac_header > skb->headroom, cause skb_push panic + +Use correct mac_offset to restore mac_header and get rid of nhoff. + +Fixes: c411ed854584 ("nsh: add GSO support") +Reported-by: syzbot+632b5d9964208bfef8c0@syzkaller.appspotmail.com +Suggested-by: Eric Dumazet +Signed-off-by: Dong Chenchen +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + net/nsh/nsh.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/net/nsh/nsh.c b/net/nsh/nsh.c +index e9ca0077..0f23e5e8 100644 +--- a/net/nsh/nsh.c ++++ b/net/nsh/nsh.c +@@ -77,13 +77,12 @@ static struct sk_buff *nsh_gso_segment(struct sk_buff *skb, + netdev_features_t features) + { + struct sk_buff *segs = ERR_PTR(-EINVAL); ++ u16 mac_offset = skb->mac_header; + unsigned int nsh_len, mac_len; + __be16 proto; +- int nhoff; + + skb_reset_network_header(skb); + +- nhoff = skb->network_header - skb->mac_header; + mac_len = skb->mac_len; + + if (unlikely(!pskb_may_pull(skb, NSH_BASE_HDR_LEN))) +@@ -108,15 +107,14 @@ static struct sk_buff *nsh_gso_segment(struct sk_buff *skb, + segs = skb_mac_gso_segment(skb, features); + if (IS_ERR_OR_NULL(segs)) { + skb_gso_error_unwind(skb, htons(ETH_P_NSH), nsh_len, +- skb->network_header - nhoff, +- mac_len); ++ mac_offset, mac_len); + goto out; + } + + for (skb = segs; skb; skb = skb->next) { + skb->protocol = htons(ETH_P_NSH); + __skb_push(skb, nsh_len); +- skb_set_mac_header(skb, -nhoff); ++ skb->mac_header = mac_offset; + skb->network_header = skb->mac_header + mac_len; + skb->mac_len = mac_len; + } +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-253-net-fec-remove-the-xdp_return_frame-when-lack-o.patch b/patches.kernel.org/6.3.4-253-net-fec-remove-the-xdp_return_frame-when-lack-o.patch new file mode 100644 index 0000000..c3cf845 --- /dev/null +++ b/patches.kernel.org/6.3.4-253-net-fec-remove-the-xdp_return_frame-when-lack-o.patch @@ -0,0 +1,38 @@ +From: Shenwei Wang +Date: Fri, 12 May 2023 08:38:43 -0500 +Subject: [PATCH] net: fec: remove the xdp_return_frame when lack of tx BDs +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 6ead9c98cafcbc6992cf35f0ca393df2c03e3316 + +[ Upstream commit 6ead9c98cafcbc6992cf35f0ca393df2c03e3316 ] + +In the implementation, the sent_frame count does not increment when +transmit errors occur. Therefore, bq_xmit_all() will take care of +returning the XDP frames. + +Fixes: 26312c685ae0 ("net: fec: correct the counting of XDP sent frames") +Signed-off-by: Shenwei Wang +Reviewed-by: Horatiu Vultur +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/net/ethernet/freescale/fec_main.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c +index 241df41d..577d9482 100644 +--- a/drivers/net/ethernet/freescale/fec_main.c ++++ b/drivers/net/ethernet/freescale/fec_main.c +@@ -3798,7 +3798,6 @@ static int fec_enet_txq_xmit_frame(struct fec_enet_private *fep, + entries_free = fec_enet_get_free_txdesc_num(txq); + if (entries_free < MAX_SKB_FRAGS + 1) { + netdev_err(fep->netdev, "NOT enough BD for SG!\n"); +- xdp_return_frame(frame); + return NETDEV_TX_BUSY; + } + +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-254-virtio_net-Fix-error-unwinding-of-XDP-initializ.patch b/patches.kernel.org/6.3.4-254-virtio_net-Fix-error-unwinding-of-XDP-initializ.patch new file mode 100644 index 0000000..1fa7ed9 --- /dev/null +++ b/patches.kernel.org/6.3.4-254-virtio_net-Fix-error-unwinding-of-XDP-initializ.patch @@ -0,0 +1,127 @@ +From: Feng Liu +Date: Fri, 12 May 2023 11:18:12 -0400 +Subject: [PATCH] virtio_net: Fix error unwinding of XDP initialization +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 5306623a9826aa7d63b32c6a3803c798a765474d + +[ Upstream commit 5306623a9826aa7d63b32c6a3803c798a765474d ] + +When initializing XDP in virtnet_open(), some rq xdp initialization +may hit an error causing net device open failed. However, previous +rqs have already initialized XDP and enabled NAPI, which is not the +expected behavior. Need to roll back the previous rq initialization +to avoid leaks in error unwinding of init code. + +Also extract helper functions of disable and enable queue pairs. +Use newly introduced disable helper function in error unwinding and +virtnet_close. Use enable helper function in virtnet_open. + +Fixes: 754b8a21a96d ("virtio_net: setup xdp_rxq_info") +Signed-off-by: Feng Liu +Reviewed-by: Jiri Pirko +Reviewed-by: William Tu +Acked-by: Michael S. Tsirkin +Acked-by: Jason Wang +Reviewed-by: Xuan Zhuo +Acked-by: Michael S. Tsirkin +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/net/virtio_net.c | 61 +++++++++++++++++++++++++++++----------- + 1 file changed, 44 insertions(+), 17 deletions(-) + +diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c +index 744bdc8a..13ac7f1c 100644 +--- a/drivers/net/virtio_net.c ++++ b/drivers/net/virtio_net.c +@@ -1867,6 +1867,38 @@ static int virtnet_poll(struct napi_struct *napi, int budget) + return received; + } + ++static void virtnet_disable_queue_pair(struct virtnet_info *vi, int qp_index) ++{ ++ virtnet_napi_tx_disable(&vi->sq[qp_index].napi); ++ napi_disable(&vi->rq[qp_index].napi); ++ xdp_rxq_info_unreg(&vi->rq[qp_index].xdp_rxq); ++} ++ ++static int virtnet_enable_queue_pair(struct virtnet_info *vi, int qp_index) ++{ ++ struct net_device *dev = vi->dev; ++ int err; ++ ++ err = xdp_rxq_info_reg(&vi->rq[qp_index].xdp_rxq, dev, qp_index, ++ vi->rq[qp_index].napi.napi_id); ++ if (err < 0) ++ return err; ++ ++ err = xdp_rxq_info_reg_mem_model(&vi->rq[qp_index].xdp_rxq, ++ MEM_TYPE_PAGE_SHARED, NULL); ++ if (err < 0) ++ goto err_xdp_reg_mem_model; ++ ++ virtnet_napi_enable(vi->rq[qp_index].vq, &vi->rq[qp_index].napi); ++ virtnet_napi_tx_enable(vi, vi->sq[qp_index].vq, &vi->sq[qp_index].napi); ++ ++ return 0; ++ ++err_xdp_reg_mem_model: ++ xdp_rxq_info_unreg(&vi->rq[qp_index].xdp_rxq); ++ return err; ++} ++ + static int virtnet_open(struct net_device *dev) + { + struct virtnet_info *vi = netdev_priv(dev); +@@ -1880,22 +1912,20 @@ static int virtnet_open(struct net_device *dev) + if (!try_fill_recv(vi, &vi->rq[i], GFP_KERNEL)) + schedule_delayed_work(&vi->refill, 0); + +- err = xdp_rxq_info_reg(&vi->rq[i].xdp_rxq, dev, i, vi->rq[i].napi.napi_id); ++ err = virtnet_enable_queue_pair(vi, i); + if (err < 0) +- return err; +- +- err = xdp_rxq_info_reg_mem_model(&vi->rq[i].xdp_rxq, +- MEM_TYPE_PAGE_SHARED, NULL); +- if (err < 0) { +- xdp_rxq_info_unreg(&vi->rq[i].xdp_rxq); +- return err; +- } +- +- virtnet_napi_enable(vi->rq[i].vq, &vi->rq[i].napi); +- virtnet_napi_tx_enable(vi, vi->sq[i].vq, &vi->sq[i].napi); ++ goto err_enable_qp; + } + + return 0; ++ ++err_enable_qp: ++ disable_delayed_refill(vi); ++ cancel_delayed_work_sync(&vi->refill); ++ ++ for (i--; i >= 0; i--) ++ virtnet_disable_queue_pair(vi, i); ++ return err; + } + + static int virtnet_poll_tx(struct napi_struct *napi, int budget) +@@ -2304,11 +2334,8 @@ static int virtnet_close(struct net_device *dev) + /* Make sure refill_work doesn't re-enable napi! */ + cancel_delayed_work_sync(&vi->refill); + +- for (i = 0; i < vi->max_queue_pairs; i++) { +- virtnet_napi_tx_disable(&vi->sq[i].napi); +- napi_disable(&vi->rq[i].napi); +- xdp_rxq_info_unreg(&vi->rq[i].xdp_rxq); +- } ++ for (i = 0; i < vi->max_queue_pairs; i++) ++ virtnet_disable_queue_pair(vi, i); + + return 0; + } +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-255-tipc-add-tipc_bearer_min_mtu-to-calculate-min-m.patch b/patches.kernel.org/6.3.4-255-tipc-add-tipc_bearer_min_mtu-to-calculate-min-m.patch new file mode 100644 index 0000000..47b7cff --- /dev/null +++ b/patches.kernel.org/6.3.4-255-tipc-add-tipc_bearer_min_mtu-to-calculate-min-m.patch @@ -0,0 +1,106 @@ +From: Xin Long +Date: Sun, 14 May 2023 15:52:27 -0400 +Subject: [PATCH] tipc: add tipc_bearer_min_mtu to calculate min mtu +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 3ae6d66b605be604644d4bb5708a7ffd9cf1abe8 + +[ Upstream commit 3ae6d66b605be604644d4bb5708a7ffd9cf1abe8 ] + +As different media may requires different min mtu, and even the +same media with different net family requires different min mtu, +add tipc_bearer_min_mtu() to calculate min mtu accordingly. + +This API will be used to check the new mtu when doing the link +mtu negotiation in the next patch. + +Signed-off-by: Xin Long +Acked-by: Jon Maloy +Signed-off-by: David S. Miller +Stable-dep-of: 56077b56cd3f ("tipc: do not update mtu if msg_max is too small in mtu negotiation") +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + net/tipc/bearer.c | 13 +++++++++++++ + net/tipc/bearer.h | 3 +++ + net/tipc/udp_media.c | 5 +++-- + 3 files changed, 19 insertions(+), 2 deletions(-) + +diff --git a/net/tipc/bearer.c b/net/tipc/bearer.c +index 35cac773..0e9a29e1 100644 +--- a/net/tipc/bearer.c ++++ b/net/tipc/bearer.c +@@ -541,6 +541,19 @@ int tipc_bearer_mtu(struct net *net, u32 bearer_id) + return mtu; + } + ++int tipc_bearer_min_mtu(struct net *net, u32 bearer_id) ++{ ++ int mtu = TIPC_MIN_BEARER_MTU; ++ struct tipc_bearer *b; ++ ++ rcu_read_lock(); ++ b = bearer_get(net, bearer_id); ++ if (b) ++ mtu += b->encap_hlen; ++ rcu_read_unlock(); ++ return mtu; ++} ++ + /* tipc_bearer_xmit_skb - sends buffer to destination over bearer + */ + void tipc_bearer_xmit_skb(struct net *net, u32 bearer_id, +diff --git a/net/tipc/bearer.h b/net/tipc/bearer.h +index 490ad6e5..bd0cc5c2 100644 +--- a/net/tipc/bearer.h ++++ b/net/tipc/bearer.h +@@ -146,6 +146,7 @@ struct tipc_media { + * @identity: array index of this bearer within TIPC bearer array + * @disc: ptr to link setup request + * @net_plane: network plane ('A' through 'H') currently associated with bearer ++ * @encap_hlen: encap headers length + * @up: bearer up flag (bit 0) + * @refcnt: tipc_bearer reference counter + * +@@ -170,6 +171,7 @@ struct tipc_bearer { + u32 identity; + struct tipc_discoverer *disc; + char net_plane; ++ u16 encap_hlen; + unsigned long up; + refcount_t refcnt; + }; +@@ -232,6 +234,7 @@ int tipc_bearer_setup(void); + void tipc_bearer_cleanup(void); + void tipc_bearer_stop(struct net *net); + int tipc_bearer_mtu(struct net *net, u32 bearer_id); ++int tipc_bearer_min_mtu(struct net *net, u32 bearer_id); + bool tipc_bearer_bcast_support(struct net *net, u32 bearer_id); + void tipc_bearer_xmit_skb(struct net *net, u32 bearer_id, + struct sk_buff *skb, +diff --git a/net/tipc/udp_media.c b/net/tipc/udp_media.c +index c2bb8187..0a85244f 100644 +--- a/net/tipc/udp_media.c ++++ b/net/tipc/udp_media.c +@@ -738,8 +738,8 @@ static int tipc_udp_enable(struct net *net, struct tipc_bearer *b, + udp_conf.local_ip.s_addr = local.ipv4.s_addr; + udp_conf.use_udp_checksums = false; + ub->ifindex = dev->ifindex; +- if (tipc_mtu_bad(dev, sizeof(struct iphdr) + +- sizeof(struct udphdr))) { ++ b->encap_hlen = sizeof(struct iphdr) + sizeof(struct udphdr); ++ if (tipc_mtu_bad(dev, b->encap_hlen)) { + err = -EINVAL; + goto err; + } +@@ -760,6 +760,7 @@ static int tipc_udp_enable(struct net *net, struct tipc_bearer *b, + else + udp_conf.local_ip6 = local.ipv6; + ub->ifindex = dev->ifindex; ++ b->encap_hlen = sizeof(struct ipv6hdr) + sizeof(struct udphdr); + b->mtu = 1280; + #endif + } else { +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-256-tipc-do-not-update-mtu-if-msg_max-is-too-small-.patch b/patches.kernel.org/6.3.4-256-tipc-do-not-update-mtu-if-msg_max-is-too-small-.patch new file mode 100644 index 0000000..7521760 --- /dev/null +++ b/patches.kernel.org/6.3.4-256-tipc-do-not-update-mtu-if-msg_max-is-too-small-.patch @@ -0,0 +1,94 @@ +From: Xin Long +Date: Sun, 14 May 2023 15:52:28 -0400 +Subject: [PATCH] tipc: do not update mtu if msg_max is too small in mtu + negotiation +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 56077b56cd3fb78e1c8619e29581ba25a5c55e86 + +[ Upstream commit 56077b56cd3fb78e1c8619e29581ba25a5c55e86 ] + +When doing link mtu negotiation, a malicious peer may send Activate msg +with a very small mtu, e.g. 4 in Shuang's testing, without checking for +the minimum mtu, l->mtu will be set to 4 in tipc_link_proto_rcv(), then +n->links[bearer_id].mtu is set to 4294967228, which is a overflow of +'4 - INT_H_SIZE - EMSG_OVERHEAD' in tipc_link_mss(). + +With tipc_link.mtu = 4, tipc_link_xmit() kept printing the warning: + + tipc: Too large msg, purging xmit list 1 5 0 40 4! + tipc: Too large msg, purging xmit list 1 15 0 60 4! + +And with tipc_link_entry.mtu 4294967228, a huge skb was allocated in +named_distribute(), and when purging it in tipc_link_xmit(), a crash +was even caused: + + general protection fault, probably for non-canonical address 0x2100001011000dd: 0000 [#1] PREEMPT SMP PTI + CPU: 0 PID: 0 Comm: swapper/0 Kdump: loaded Not tainted 6.3.0.neta #19 + RIP: 0010:kfree_skb_list_reason+0x7e/0x1f0 + Call Trace: + + skb_release_data+0xf9/0x1d0 + kfree_skb_reason+0x40/0x100 + tipc_link_xmit+0x57a/0x740 [tipc] + tipc_node_xmit+0x16c/0x5c0 [tipc] + tipc_named_node_up+0x27f/0x2c0 [tipc] + tipc_node_write_unlock+0x149/0x170 [tipc] + tipc_rcv+0x608/0x740 [tipc] + tipc_udp_recv+0xdc/0x1f0 [tipc] + udp_queue_rcv_one_skb+0x33e/0x620 + udp_unicast_rcv_skb.isra.72+0x75/0x90 + __udp4_lib_rcv+0x56d/0xc20 + ip_protocol_deliver_rcu+0x100/0x2d0 + +This patch fixes it by checking the new mtu against tipc_bearer_min_mtu(), +and not updating mtu if it is too small. + +Fixes: ed193ece2649 ("tipc: simplify link mtu negotiation") +Reported-by: Shuang Li +Signed-off-by: Xin Long +Acked-by: Jon Maloy +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + net/tipc/link.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/net/tipc/link.c b/net/tipc/link.c +index b3ce2482..2eff1c79 100644 +--- a/net/tipc/link.c ++++ b/net/tipc/link.c +@@ -2200,7 +2200,7 @@ static int tipc_link_proto_rcv(struct tipc_link *l, struct sk_buff *skb, + struct tipc_msg *hdr = buf_msg(skb); + struct tipc_gap_ack_blks *ga = NULL; + bool reply = msg_probe(hdr), retransmitted = false; +- u32 dlen = msg_data_sz(hdr), glen = 0; ++ u32 dlen = msg_data_sz(hdr), glen = 0, msg_max; + u16 peers_snd_nxt = msg_next_sent(hdr); + u16 peers_tol = msg_link_tolerance(hdr); + u16 peers_prio = msg_linkprio(hdr); +@@ -2239,6 +2239,9 @@ static int tipc_link_proto_rcv(struct tipc_link *l, struct sk_buff *skb, + switch (mtyp) { + case RESET_MSG: + case ACTIVATE_MSG: ++ msg_max = msg_max_pkt(hdr); ++ if (msg_max < tipc_bearer_min_mtu(l->net, l->bearer_id)) ++ break; + /* Complete own link name with peer's interface name */ + if_name = strrchr(l->name, ':') + 1; + if (sizeof(l->name) - (if_name - l->name) <= TIPC_MAX_IF_NAME) +@@ -2283,8 +2286,8 @@ static int tipc_link_proto_rcv(struct tipc_link *l, struct sk_buff *skb, + l->peer_session = msg_session(hdr); + l->in_session = true; + l->peer_bearer_id = msg_bearer_id(hdr); +- if (l->mtu > msg_max_pkt(hdr)) +- l->mtu = msg_max_pkt(hdr); ++ if (l->mtu > msg_max) ++ l->mtu = msg_max; + break; + + case STATE_MSG: +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-257-tipc-check-the-bearer-min-mtu-properly-when-set.patch b/patches.kernel.org/6.3.4-257-tipc-check-the-bearer-min-mtu-properly-when-set.patch new file mode 100644 index 0000000..4e63b8a --- /dev/null +++ b/patches.kernel.org/6.3.4-257-tipc-check-the-bearer-min-mtu-properly-when-set.patch @@ -0,0 +1,47 @@ +From: Xin Long +Date: Sun, 14 May 2023 15:52:29 -0400 +Subject: [PATCH] tipc: check the bearer min mtu properly when setting it by + netlink +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 35a089b5d793d2bfd2cc7cfa6104545184de2ce7 + +[ Upstream commit 35a089b5d793d2bfd2cc7cfa6104545184de2ce7 ] + +Checking the bearer min mtu with tipc_udp_mtu_bad() only works for +IPv4 UDP bearer, and IPv6 UDP bearer has a different value for the +min mtu. This patch checks with encap_hlen + TIPC_MIN_BEARER_MTU +for min mtu, which works for both IPv4 and IPv6 UDP bearer. + +Note that tipc_udp_mtu_bad() is still used to check media min mtu +in __tipc_nl_media_set(), as m->mtu currently is only used by the +IPv4 UDP bearer as its default mtu value. + +Fixes: 682cd3cf946b ("tipc: confgiure and apply UDP bearer MTU on running links") +Signed-off-by: Xin Long +Acked-by: Jon Maloy +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + net/tipc/bearer.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/tipc/bearer.c b/net/tipc/bearer.c +index 0e9a29e1..53881406 100644 +--- a/net/tipc/bearer.c ++++ b/net/tipc/bearer.c +@@ -1151,8 +1151,8 @@ int __tipc_nl_bearer_set(struct sk_buff *skb, struct genl_info *info) + return -EINVAL; + } + #ifdef CONFIG_TIPC_MEDIA_UDP +- if (tipc_udp_mtu_bad(nla_get_u32 +- (props[TIPC_NLA_PROP_MTU]))) { ++ if (nla_get_u32(props[TIPC_NLA_PROP_MTU]) < ++ b->encap_hlen + TIPC_MIN_BEARER_MTU) { + NL_SET_ERR_MSG(info->extack, + "MTU value is out-of-range"); + return -EINVAL; +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-258-s390-cio-include-subchannels-without-devices-al.patch b/patches.kernel.org/6.3.4-258-s390-cio-include-subchannels-without-devices-al.patch new file mode 100644 index 0000000..a96bf53 --- /dev/null +++ b/patches.kernel.org/6.3.4-258-s390-cio-include-subchannels-without-devices-al.patch @@ -0,0 +1,46 @@ +From: Vineeth Vijayan +Date: Tue, 2 May 2023 11:12:42 +0200 +Subject: [PATCH] s390/cio: include subchannels without devices also for + evaluation +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: b1b0d5aec1cf9f9a900a14964f869c68688d923e + +[ Upstream commit b1b0d5aec1cf9f9a900a14964f869c68688d923e ] + +Currently when the new channel-path is enabled, we do evaluation only +on the subchannels with a device connected on it. This is because, +in the past, if the device in the subchannel is not working or not +available, we used to unregister the subchannels. But, from the 'commit +2297791c92d0 ("s390/cio: dont unregister subchannel from child-drivers")' +we allow subchannels with or without an active device connected +on it. So, when we do the io_subchannel_verify, make sure that, +we are evaluating the subchannels without any device too. + +Fixes: 2297791c92d0 ("s390/cio: dont unregister subchannel from child-drivers") +Reported-by: Boris Fiuczynski +Signed-off-by: Vineeth Vijayan +Reviewed-by: Peter Oberparleiter +Signed-off-by: Alexander Gordeev +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/s390/cio/device.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/s390/cio/device.c b/drivers/s390/cio/device.c +index 8eb089b9..d5c43e9b 100644 +--- a/drivers/s390/cio/device.c ++++ b/drivers/s390/cio/device.c +@@ -1111,6 +1111,8 @@ static void io_subchannel_verify(struct subchannel *sch) + cdev = sch_get_cdev(sch); + if (cdev) + dev_fsm_event(cdev, DEV_EVENT_VERIFY); ++ else ++ css_schedule_eval(sch->schid); + } + + static void io_subchannel_terminate_path(struct subchannel *sch, u8 mask) +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-259-can-dev-fix-missing-CAN-XL-support-in-can_put_e.patch b/patches.kernel.org/6.3.4-259-can-dev-fix-missing-CAN-XL-support-in-can_put_e.patch new file mode 100644 index 0000000..e518673 --- /dev/null +++ b/patches.kernel.org/6.3.4-259-can-dev-fix-missing-CAN-XL-support-in-can_put_e.patch @@ -0,0 +1,40 @@ +From: Oliver Hartkopp +Date: Sat, 6 May 2023 20:45:15 +0200 +Subject: [PATCH] can: dev: fix missing CAN XL support in can_put_echo_skb() +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 6bffdc38f9935bae49f980448f3f6be2dada0564 + +[ Upstream commit 6bffdc38f9935bae49f980448f3f6be2dada0564 ] + +can_put_echo_skb() checks for the enabled IFF_ECHO flag and the +correct ETH_P type of the given skbuff. When implementing the CAN XL +support the new check for ETH_P_CANXL has been forgotten. + +Fixes: fb08cba12b52 ("can: canxl: update CAN infrastructure for CAN XL frames") +Signed-off-by: Oliver Hartkopp +Link: https://lore.kernel.org/all/20230506184515.39241-1-socketcan@hartkopp.net +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/net/can/dev/skb.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/can/dev/skb.c b/drivers/net/can/dev/skb.c +index 241ec636..f6d05b3e 100644 +--- a/drivers/net/can/dev/skb.c ++++ b/drivers/net/can/dev/skb.c +@@ -54,7 +54,8 @@ int can_put_echo_skb(struct sk_buff *skb, struct net_device *dev, + /* check flag whether this packet has to be looped back */ + if (!(dev->flags & IFF_ECHO) || + (skb->protocol != htons(ETH_P_CAN) && +- skb->protocol != htons(ETH_P_CANFD))) { ++ skb->protocol != htons(ETH_P_CANFD) && ++ skb->protocol != htons(ETH_P_CANXL))) { + kfree_skb(skb); + return 0; + } +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-260-net-bcmgenet-Remove-phy_stop-from-bcmgenet_neti.patch b/patches.kernel.org/6.3.4-260-net-bcmgenet-Remove-phy_stop-from-bcmgenet_neti.patch new file mode 100644 index 0000000..0b666bb --- /dev/null +++ b/patches.kernel.org/6.3.4-260-net-bcmgenet-Remove-phy_stop-from-bcmgenet_neti.patch @@ -0,0 +1,39 @@ +From: Florian Fainelli +Date: Thu, 4 May 2023 16:07:27 -0700 +Subject: [PATCH] net: bcmgenet: Remove phy_stop() from bcmgenet_netif_stop() +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 93e0401e0fc0c54b0ac05b687cd135c2ac38187c + +[ Upstream commit 93e0401e0fc0c54b0ac05b687cd135c2ac38187c ] + +The call to phy_stop() races with the later call to phy_disconnect(), +resulting in concurrent phy_suspend() calls being run from different +CPUs. The final call to phy_disconnect() ensures that the PHY is +stopped and suspended, too. + +Fixes: c96e731c93ff ("net: bcmgenet: connect and disconnect from the PHY state machine") +Signed-off-by: Florian Fainelli +Signed-off-by: David S. Miller +Stable-dep-of: 225c657945c4 ("net: bcmgenet: Restore phy_stop() depending upon suspend/close") +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/net/ethernet/broadcom/genet/bcmgenet.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c +index d937daa8..f28ffc31 100644 +--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c ++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c +@@ -3465,7 +3465,6 @@ static void bcmgenet_netif_stop(struct net_device *dev) + /* Disable MAC transmit. TX DMA disabled must be done before this */ + umac_enable_set(priv, CMD_TX_EN, false); + +- phy_stop(dev->phydev); + bcmgenet_disable_rx_napi(priv); + bcmgenet_intr_disable(priv); + +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-261-net-bcmgenet-Restore-phy_stop-depending-upon-su.patch b/patches.kernel.org/6.3.4-261-net-bcmgenet-Restore-phy_stop-depending-upon-su.patch new file mode 100644 index 0000000..5ce529e --- /dev/null +++ b/patches.kernel.org/6.3.4-261-net-bcmgenet-Restore-phy_stop-depending-upon-su.patch @@ -0,0 +1,73 @@ +From: Florian Fainelli +Date: Sun, 14 May 2023 19:56:07 -0700 +Subject: [PATCH] net: bcmgenet: Restore phy_stop() depending upon + suspend/close +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 225c657945c4a6307741cb3cc89467eadcc26e9b + +[ Upstream commit 225c657945c4a6307741cb3cc89467eadcc26e9b ] + +Removing the phy_stop() from bcmgenet_netif_stop() ended up causing +warnings from the PHY library that phy_start() is called from the +RUNNING state since we are no longer stopping the PHY state machine +during bcmgenet_suspend(). + +Restore the call to phy_stop() but make it conditional on being called +from the close or suspend path. + +Fixes: c96e731c93ff ("net: bcmgenet: connect and disconnect from the PHY state machine") +Fixes: 93e0401e0fc0 ("net: bcmgenet: Remove phy_stop() from bcmgenet_netif_stop()") +Signed-off-by: Florian Fainelli +Reviewed-by: Pavan Chebbi +Link: https://lore.kernel.org/r/20230515025608.2587012-1-f.fainelli@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/net/ethernet/broadcom/genet/bcmgenet.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c +index f28ffc31..eca0c92c 100644 +--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c ++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c +@@ -3450,7 +3450,7 @@ static int bcmgenet_open(struct net_device *dev) + return ret; + } + +-static void bcmgenet_netif_stop(struct net_device *dev) ++static void bcmgenet_netif_stop(struct net_device *dev, bool stop_phy) + { + struct bcmgenet_priv *priv = netdev_priv(dev); + +@@ -3465,6 +3465,8 @@ static void bcmgenet_netif_stop(struct net_device *dev) + /* Disable MAC transmit. TX DMA disabled must be done before this */ + umac_enable_set(priv, CMD_TX_EN, false); + ++ if (stop_phy) ++ phy_stop(dev->phydev); + bcmgenet_disable_rx_napi(priv); + bcmgenet_intr_disable(priv); + +@@ -3485,7 +3487,7 @@ static int bcmgenet_close(struct net_device *dev) + + netif_dbg(priv, ifdown, dev, "bcmgenet_close\n"); + +- bcmgenet_netif_stop(dev); ++ bcmgenet_netif_stop(dev, false); + + /* Really kill the PHY state machine and disconnect from it */ + phy_disconnect(dev->phydev); +@@ -4303,7 +4305,7 @@ static int bcmgenet_suspend(struct device *d) + + netif_device_detach(dev); + +- bcmgenet_netif_stop(dev); ++ bcmgenet_netif_stop(dev, true); + + if (!device_may_wakeup(d)) + phy_suspend(dev->phydev); +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-262-ice-Fix-stats-after-PF-reset.patch b/patches.kernel.org/6.3.4-262-ice-Fix-stats-after-PF-reset.patch new file mode 100644 index 0000000..e9485b3 --- /dev/null +++ b/patches.kernel.org/6.3.4-262-ice-Fix-stats-after-PF-reset.patch @@ -0,0 +1,52 @@ +From: Ahmed Zaki +Date: Mon, 17 Apr 2023 17:44:45 -0600 +Subject: [PATCH] ice: Fix stats after PF reset +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: ab7470bc6d8fb5f3004ccc8e4dfd49aab0f27561 + +[ Upstream commit ab7470bc6d8fb5f3004ccc8e4dfd49aab0f27561 ] + +After a core PF reset, the VFs were showing wrong Rx/Tx stats. This is a +regression in commit 6624e780a577 ("ice: split ice_vsi_setup into smaller +functions") caused by missing to set "stat_offsets_loaded = false" in the +ice_vsi_rebuild() path. + +Fixes: 6624e780a577 ("ice: split ice_vsi_setup into smaller functions") +Signed-off-by: Ahmed Zaki +Reviewed-by: Alexander Lobakin +Tested-by: Rafal Romanowski +Reviewed-by: Leon Romanovsky +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/net/ethernet/intel/ice/ice_lib.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/ethernet/intel/ice/ice_lib.c b/drivers/net/ethernet/intel/ice/ice_lib.c +index 450317df..11ae0e41 100644 +--- a/drivers/net/ethernet/intel/ice/ice_lib.c ++++ b/drivers/net/ethernet/intel/ice/ice_lib.c +@@ -2745,6 +2745,8 @@ ice_vsi_cfg_def(struct ice_vsi *vsi, struct ice_vsi_cfg_params *params) + goto unroll_vector_base; + + ice_vsi_map_rings_to_vectors(vsi); ++ vsi->stat_offsets_loaded = false; ++ + if (ice_is_xdp_ena_vsi(vsi)) { + ret = ice_vsi_determine_xdp_res(vsi); + if (ret) +@@ -2793,6 +2795,9 @@ ice_vsi_cfg_def(struct ice_vsi *vsi, struct ice_vsi_cfg_params *params) + ret = ice_vsi_alloc_ring_stats(vsi); + if (ret) + goto unroll_vector_base; ++ ++ vsi->stat_offsets_loaded = false; ++ + /* Do not exit if configuring RSS had an issue, at least + * receive traffic on first queue. Hence no need to capture + * return value +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-263-ice-Fix-ice-VF-reset-during-iavf-initialization.patch b/patches.kernel.org/6.3.4-263-ice-Fix-ice-VF-reset-during-iavf-initialization.patch new file mode 100644 index 0000000..5dc1236 --- /dev/null +++ b/patches.kernel.org/6.3.4-263-ice-Fix-ice-VF-reset-during-iavf-initialization.patch @@ -0,0 +1,169 @@ +From: Dawid Wesierski +Date: Tue, 18 Apr 2023 11:52:55 +0200 +Subject: [PATCH] ice: Fix ice VF reset during iavf initialization +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 7255355a0636b4eff08d5e8139c77d98f151c4fc + +[ Upstream commit 7255355a0636b4eff08d5e8139c77d98f151c4fc ] + +Fix the current implementation that causes ice_trigger_vf_reset() +to start resetting the VF even when the VF-NIC is still initializing. + +When we reset NIC with ice driver it can interfere with +iavf-vf initialization e.g. during consecutive resets induced by ice + +iavf ice + | | + |<-----------------| + | ice resets vf + iavf | + reset | + start | + |<-----------------| + | ice resets vf + | causing iavf + | initialization + | error + | | + iavf + reset + end + +This leads to a series of -53 errors +(failed to init adminq) from the IAVF. + +Change the state of the vf_state field to be not active when the IAVF +is still initializing. Make sure to wait until receiving the message on +the message box to ensure that the vf is ready and initializded. + +In simple terms we use the ACTIVE flag to make sure that the ice +driver knows if the iavf is ready for another reset + + iavf ice + | | + | | + |<------------- ice resets vf + iavf vf_state != ACTIVE + reset | + start | + | | + | | + iavf | + reset-------> vf_state == ACTIVE + end ice resets vf + | | + | | + +Fixes: c54d209c78b8 ("ice: Wait for VF to be reset/ready before configuration") +Signed-off-by: Dawid Wesierski +Signed-off-by: Kamil Maziarz +Acked-by: Jacob Keller +Tested-by: Rafal Romanowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/net/ethernet/intel/ice/ice_sriov.c | 8 ++++---- + drivers/net/ethernet/intel/ice/ice_vf_lib.c | 19 +++++++++++++++++++ + drivers/net/ethernet/intel/ice/ice_vf_lib.h | 1 + + drivers/net/ethernet/intel/ice/ice_virtchnl.c | 1 + + 4 files changed, 25 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_sriov.c b/drivers/net/ethernet/intel/ice/ice_sriov.c +index 0cc05e54..d4206db7 100644 +--- a/drivers/net/ethernet/intel/ice/ice_sriov.c ++++ b/drivers/net/ethernet/intel/ice/ice_sriov.c +@@ -1181,7 +1181,7 @@ int ice_set_vf_spoofchk(struct net_device *netdev, int vf_id, bool ena) + if (!vf) + return -EINVAL; + +- ret = ice_check_vf_ready_for_cfg(vf); ++ ret = ice_check_vf_ready_for_reset(vf); + if (ret) + goto out_put_vf; + +@@ -1296,7 +1296,7 @@ int ice_set_vf_mac(struct net_device *netdev, int vf_id, u8 *mac) + goto out_put_vf; + } + +- ret = ice_check_vf_ready_for_cfg(vf); ++ ret = ice_check_vf_ready_for_reset(vf); + if (ret) + goto out_put_vf; + +@@ -1350,7 +1350,7 @@ int ice_set_vf_trust(struct net_device *netdev, int vf_id, bool trusted) + return -EOPNOTSUPP; + } + +- ret = ice_check_vf_ready_for_cfg(vf); ++ ret = ice_check_vf_ready_for_reset(vf); + if (ret) + goto out_put_vf; + +@@ -1663,7 +1663,7 @@ ice_set_vf_port_vlan(struct net_device *netdev, int vf_id, u16 vlan_id, u8 qos, + if (!vf) + return -EINVAL; + +- ret = ice_check_vf_ready_for_cfg(vf); ++ ret = ice_check_vf_ready_for_reset(vf); + if (ret) + goto out_put_vf; + +diff --git a/drivers/net/ethernet/intel/ice/ice_vf_lib.c b/drivers/net/ethernet/intel/ice/ice_vf_lib.c +index 0e57bd1b..59524a7c 100644 +--- a/drivers/net/ethernet/intel/ice/ice_vf_lib.c ++++ b/drivers/net/ethernet/intel/ice/ice_vf_lib.c +@@ -185,6 +185,25 @@ int ice_check_vf_ready_for_cfg(struct ice_vf *vf) + return 0; + } + ++/** ++ * ice_check_vf_ready_for_reset - check if VF is ready to be reset ++ * @vf: VF to check if it's ready to be reset ++ * ++ * The purpose of this function is to ensure that the VF is not in reset, ++ * disabled, and is both initialized and active, thus enabling us to safely ++ * initialize another reset. ++ */ ++int ice_check_vf_ready_for_reset(struct ice_vf *vf) ++{ ++ int ret; ++ ++ ret = ice_check_vf_ready_for_cfg(vf); ++ if (!ret && !test_bit(ICE_VF_STATE_ACTIVE, vf->vf_states)) ++ ret = -EAGAIN; ++ ++ return ret; ++} ++ + /** + * ice_trigger_vf_reset - Reset a VF on HW + * @vf: pointer to the VF structure +diff --git a/drivers/net/ethernet/intel/ice/ice_vf_lib.h b/drivers/net/ethernet/intel/ice/ice_vf_lib.h +index ef30f05b..3fc6a0a8 100644 +--- a/drivers/net/ethernet/intel/ice/ice_vf_lib.h ++++ b/drivers/net/ethernet/intel/ice/ice_vf_lib.h +@@ -215,6 +215,7 @@ u16 ice_get_num_vfs(struct ice_pf *pf); + struct ice_vsi *ice_get_vf_vsi(struct ice_vf *vf); + bool ice_is_vf_disabled(struct ice_vf *vf); + int ice_check_vf_ready_for_cfg(struct ice_vf *vf); ++int ice_check_vf_ready_for_reset(struct ice_vf *vf); + void ice_set_vf_state_dis(struct ice_vf *vf); + bool ice_is_any_vf_in_unicast_promisc(struct ice_pf *pf); + void +diff --git a/drivers/net/ethernet/intel/ice/ice_virtchnl.c b/drivers/net/ethernet/intel/ice/ice_virtchnl.c +index e24e3f50..d8c66baf 100644 +--- a/drivers/net/ethernet/intel/ice/ice_virtchnl.c ++++ b/drivers/net/ethernet/intel/ice/ice_virtchnl.c +@@ -3908,6 +3908,7 @@ void ice_vc_process_vf_msg(struct ice_pf *pf, struct ice_rq_event_info *event) + ice_vc_notify_vf_link_state(vf); + break; + case VIRTCHNL_OP_RESET_VF: ++ clear_bit(ICE_VF_STATE_ACTIVE, vf->vf_states); + ops->reset_vf(vf); + break; + case VIRTCHNL_OP_ADD_ETH_ADDR: +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-264-iavf-send-VLAN-offloading-caps-once-after-VFR.patch b/patches.kernel.org/6.3.4-264-iavf-send-VLAN-offloading-caps-once-after-VFR.patch new file mode 100644 index 0000000..bc717c2 --- /dev/null +++ b/patches.kernel.org/6.3.4-264-iavf-send-VLAN-offloading-caps-once-after-VFR.patch @@ -0,0 +1,66 @@ +From: Ahmed Zaki +Date: Mon, 17 Apr 2023 12:09:39 -0600 +Subject: [PATCH] iavf: send VLAN offloading caps once after VFR +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 7dcbdf29282fbcdb646dc785e8a57ed2c2fec8ba + +[ Upstream commit 7dcbdf29282fbcdb646dc785e8a57ed2c2fec8ba ] + +When the user disables rxvlan offloading and then changes the number of +channels, all VLAN ports are unable to receive traffic. + +Changing the number of channels triggers a VFR reset. During re-init, when +VIRTCHNL_OP_GET_OFFLOAD_VLAN_V2_CAPS is received, we do: +1 - set the IAVF_FLAG_SETUP_NETDEV_FEATURES flag +2 - call + iavf_set_vlan_offload_features(adapter, 0, netdev->features); + +The second step sends to the PF the __default__ features, in this case +aq_required |= IAVF_FLAG_AQ_ENABLE_CTAG_VLAN_STRIPPING + +While the first step forces the watchdog task to call +netdev_update_features() -> iavf_set_features() -> +iavf_set_vlan_offload_features(adapter, netdev->features, features). +Since the user disabled the "rxvlan", this sets: +aq_required |= IAVF_FLAG_AQ_DISABLE_CTAG_VLAN_STRIPPING + +When we start processing the AQ commands, both flags are enabled. Since we +process DISABLE_XTAG first then ENABLE_XTAG, this results in the PF +enabling the rxvlan offload. This breaks all communications on the VLAN +net devices. + +Fix by removing the call to iavf_set_vlan_offload_features() (second +step). Calling netdev_update_features() from watchdog task is enough for +both init and reset paths. + +Fixes: 7598f4b40bd6 ("iavf: Move netdev_update_features() into watchdog task") +Signed-off-by: Ahmed Zaki +Tested-by: Rafal Romanowski +Reviewed-by: Leon Romanovsky +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/net/ethernet/intel/iavf/iavf_virtchnl.c | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c +index 9afbbdac..7c0578b5 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c +@@ -2238,11 +2238,6 @@ void iavf_virtchnl_completion(struct iavf_adapter *adapter, + iavf_process_config(adapter); + adapter->flags |= IAVF_FLAG_SETUP_NETDEV_FEATURES; + +- /* Request VLAN offload settings */ +- if (VLAN_V2_ALLOWED(adapter)) +- iavf_set_vlan_offload_features(adapter, 0, +- netdev->features); +- + iavf_set_queue_vlan_tag_loc(adapter); + + was_mac_changed = !ether_addr_equal(netdev->dev_addr, +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-265-wifi-cfg80211-Drop-entries-with-invalid-BSSIDs-.patch b/patches.kernel.org/6.3.4-265-wifi-cfg80211-Drop-entries-with-invalid-BSSIDs-.patch new file mode 100644 index 0000000..ec251be --- /dev/null +++ b/patches.kernel.org/6.3.4-265-wifi-cfg80211-Drop-entries-with-invalid-BSSIDs-.patch @@ -0,0 +1,50 @@ +From: Ilan Peer +Date: Mon, 24 Apr 2023 10:32:24 +0300 +Subject: [PATCH] wifi: cfg80211: Drop entries with invalid BSSIDs in RNR +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 1b6b4ed01493b7ea2205ab83c49198f7d13ca9d2 + +[ Upstream commit 1b6b4ed01493b7ea2205ab83c49198f7d13ca9d2 ] + +Ignore AP information for entries that include an invalid +BSSID in the TBTT information field, e.g., all zeros BSSIDs. + +Fixes: c8cb5b854b40 ("nl80211/cfg80211: support 6 GHz scanning") +Signed-off-by: Ilan Peer +Signed-off-by: Gregory Greenman +Link: https://lore.kernel.org/r/20230424103224.5e65d04d1448.Ic10c8577ae4a85272c407106c9d0a2ecb5372743@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + net/wireless/scan.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/net/wireless/scan.c b/net/wireless/scan.c +index 790bc31c..b3829ed8 100644 +--- a/net/wireless/scan.c ++++ b/net/wireless/scan.c +@@ -5,7 +5,7 @@ + * Copyright 2008 Johannes Berg + * Copyright 2013-2014 Intel Mobile Communications GmbH + * Copyright 2016 Intel Deutschland GmbH +- * Copyright (C) 2018-2022 Intel Corporation ++ * Copyright (C) 2018-2023 Intel Corporation + */ + #include + #include +@@ -540,6 +540,10 @@ static int cfg80211_parse_ap_info(struct cfg80211_colocated_ap *entry, + /* skip the TBTT offset */ + pos++; + ++ /* ignore entries with invalid BSSID */ ++ if (!is_valid_ether_addr(pos)) ++ return -EINVAL; ++ + memcpy(entry->bssid, pos, ETH_ALEN); + pos += ETH_ALEN; + +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-266-wifi-mac80211-fortify-the-spinlock-against-dead.patch b/patches.kernel.org/6.3.4-266-wifi-mac80211-fortify-the-spinlock-against-dead.patch new file mode 100644 index 0000000..e2fe511 --- /dev/null +++ b/patches.kernel.org/6.3.4-266-wifi-mac80211-fortify-the-spinlock-against-dead.patch @@ -0,0 +1,223 @@ +From: Mirsad Goran Todorovac +Date: Tue, 25 Apr 2023 18:40:08 +0200 +Subject: [PATCH] wifi: mac80211: fortify the spinlock against deadlock by + interrupt +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: ef6e1997da63ad0ac3fe33153fec9524c9ae56c9 + +[ Upstream commit ef6e1997da63ad0ac3fe33153fec9524c9ae56c9 ] + +In the function ieee80211_tx_dequeue() there is a particular locking +sequence: + +begin: + spin_lock(&local->queue_stop_reason_lock); + q_stopped = local->queue_stop_reasons[q]; + spin_unlock(&local->queue_stop_reason_lock); + +However small the chance (increased by ftracetest), an asynchronous +interrupt can occur in between of spin_lock() and spin_unlock(), +and the interrupt routine will attempt to lock the same +&local->queue_stop_reason_lock again. + +This will cause a costly reset of the CPU and the wifi device or an +altogether hang in the single CPU and single core scenario. + +The only remaining spin_lock(&local->queue_stop_reason_lock) that +did not disable interrupts was patched, which should prevent any +deadlocks on the same CPU/core and the same wifi device. + +This is the probable trace of the deadlock: + +kernel: ================================ +kernel: WARNING: inconsistent lock state +kernel: 6.3.0-rc6-mt-20230401-00001-gf86822a1170f #4 Tainted: G W +kernel: -------------------------------- +kernel: inconsistent {IN-SOFTIRQ-W} -> {SOFTIRQ-ON-W} usage. +kernel: kworker/5:0/25656 [HC0[0]:SC0[0]:HE1:SE1] takes: +kernel: ffff9d6190779478 (&local->queue_stop_reason_lock){+.?.}-{2:2}, at: return_to_handler+0x0/0x40 +kernel: {IN-SOFTIRQ-W} state was registered at: +kernel: lock_acquire+0xc7/0x2d0 +kernel: _raw_spin_lock+0x36/0x50 +kernel: ieee80211_tx_dequeue+0xb4/0x1330 [mac80211] +kernel: iwl_mvm_mac_itxq_xmit+0xae/0x210 [iwlmvm] +kernel: iwl_mvm_mac_wake_tx_queue+0x2d/0xd0 [iwlmvm] +kernel: ieee80211_queue_skb+0x450/0x730 [mac80211] +kernel: __ieee80211_xmit_fast.constprop.66+0x834/0xa50 [mac80211] +kernel: __ieee80211_subif_start_xmit+0x217/0x530 [mac80211] +kernel: ieee80211_subif_start_xmit+0x60/0x580 [mac80211] +kernel: dev_hard_start_xmit+0xb5/0x260 +kernel: __dev_queue_xmit+0xdbe/0x1200 +kernel: neigh_resolve_output+0x166/0x260 +kernel: ip_finish_output2+0x216/0xb80 +kernel: __ip_finish_output+0x2a4/0x4d0 +kernel: ip_finish_output+0x2d/0xd0 +kernel: ip_output+0x82/0x2b0 +kernel: ip_local_out+0xec/0x110 +kernel: igmpv3_sendpack+0x5c/0x90 +kernel: igmp_ifc_timer_expire+0x26e/0x4e0 +kernel: call_timer_fn+0xa5/0x230 +kernel: run_timer_softirq+0x27f/0x550 +kernel: __do_softirq+0xb4/0x3a4 +kernel: irq_exit_rcu+0x9b/0xc0 +kernel: sysvec_apic_timer_interrupt+0x80/0xa0 +kernel: asm_sysvec_apic_timer_interrupt+0x1f/0x30 +kernel: _raw_spin_unlock_irqrestore+0x3f/0x70 +kernel: free_to_partial_list+0x3d6/0x590 +kernel: __slab_free+0x1b7/0x310 +kernel: kmem_cache_free+0x52d/0x550 +kernel: putname+0x5d/0x70 +kernel: do_sys_openat2+0x1d7/0x310 +kernel: do_sys_open+0x51/0x80 +kernel: __x64_sys_openat+0x24/0x30 +kernel: do_syscall_64+0x5c/0x90 +kernel: entry_SYSCALL_64_after_hwframe+0x72/0xdc +kernel: irq event stamp: 5120729 +kernel: hardirqs last enabled at (5120729): [] trace_graph_return+0xd6/0x120 +kernel: hardirqs last disabled at (5120728): [] trace_graph_return+0xf0/0x120 +kernel: softirqs last enabled at (5069900): [] return_to_handler+0x0/0x40 +kernel: softirqs last disabled at (5067555): [] return_to_handler+0x0/0x40 +kernel: + other info that might help us debug this: +kernel: Possible unsafe locking scenario: +kernel: CPU0 +kernel: ---- +kernel: lock(&local->queue_stop_reason_lock); +kernel: +kernel: lock(&local->queue_stop_reason_lock); +kernel: + *** DEADLOCK *** +kernel: 8 locks held by kworker/5:0/25656: +kernel: #0: ffff9d618009d138 ((wq_completion)events_freezable){+.+.}-{0:0}, at: process_one_work+0x1ca/0x530 +kernel: #1: ffffb1ef4637fe68 ((work_completion)(&local->restart_work)){+.+.}-{0:0}, at: process_one_work+0x1ce/0x530 +kernel: #2: ffffffff9f166548 (rtnl_mutex){+.+.}-{3:3}, at: return_to_handler+0x0/0x40 +kernel: #3: ffff9d6190778728 (&rdev->wiphy.mtx){+.+.}-{3:3}, at: return_to_handler+0x0/0x40 +kernel: #4: ffff9d619077b480 (&mvm->mutex){+.+.}-{3:3}, at: return_to_handler+0x0/0x40 +kernel: #5: ffff9d61907bacd8 (&trans_pcie->mutex){+.+.}-{3:3}, at: return_to_handler+0x0/0x40 +kernel: #6: ffffffff9ef9cda0 (rcu_read_lock){....}-{1:2}, at: iwl_mvm_queue_state_change+0x59/0x3a0 [iwlmvm] +kernel: #7: ffffffff9ef9cda0 (rcu_read_lock){....}-{1:2}, at: iwl_mvm_mac_itxq_xmit+0x42/0x210 [iwlmvm] +kernel: + stack backtrace: +kernel: CPU: 5 PID: 25656 Comm: kworker/5:0 Tainted: G W 6.3.0-rc6-mt-20230401-00001-gf86822a1170f #4 +kernel: Hardware name: LENOVO 82H8/LNVNB161216, BIOS GGCN51WW 11/16/2022 +kernel: Workqueue: events_freezable ieee80211_restart_work [mac80211] +kernel: Call Trace: +kernel: +kernel: ? ftrace_regs_caller_end+0x66/0x66 +kernel: dump_stack_lvl+0x5f/0xa0 +kernel: dump_stack+0x14/0x20 +kernel: print_usage_bug.part.46+0x208/0x2a0 +kernel: mark_lock.part.47+0x605/0x630 +kernel: ? sched_clock+0xd/0x20 +kernel: ? trace_clock_local+0x14/0x30 +kernel: ? __rb_reserve_next+0x5f/0x490 +kernel: ? _raw_spin_lock+0x1b/0x50 +kernel: __lock_acquire+0x464/0x1990 +kernel: ? mark_held_locks+0x4e/0x80 +kernel: lock_acquire+0xc7/0x2d0 +kernel: ? ftrace_regs_caller_end+0x66/0x66 +kernel: ? ftrace_return_to_handler+0x8b/0x100 +kernel: ? preempt_count_add+0x4/0x70 +kernel: _raw_spin_lock+0x36/0x50 +kernel: ? ftrace_regs_caller_end+0x66/0x66 +kernel: ? ftrace_regs_caller_end+0x66/0x66 +kernel: ieee80211_tx_dequeue+0xb4/0x1330 [mac80211] +kernel: ? prepare_ftrace_return+0xc5/0x190 +kernel: ? ftrace_graph_func+0x16/0x20 +kernel: ? 0xffffffffc02ab0b1 +kernel: ? lock_acquire+0xc7/0x2d0 +kernel: ? iwl_mvm_mac_itxq_xmit+0x42/0x210 [iwlmvm] +kernel: ? ieee80211_tx_dequeue+0x9/0x1330 [mac80211] +kernel: ? __rcu_read_lock+0x4/0x40 +kernel: ? ftrace_regs_caller_end+0x66/0x66 +kernel: iwl_mvm_mac_itxq_xmit+0xae/0x210 [iwlmvm] +kernel: ? ftrace_regs_caller_end+0x66/0x66 +kernel: iwl_mvm_queue_state_change+0x311/0x3a0 [iwlmvm] +kernel: ? ftrace_regs_caller_end+0x66/0x66 +kernel: iwl_mvm_wake_sw_queue+0x17/0x20 [iwlmvm] +kernel: ? ftrace_regs_caller_end+0x66/0x66 +kernel: iwl_txq_gen2_unmap+0x1c9/0x1f0 [iwlwifi] +kernel: ? ftrace_regs_caller_end+0x66/0x66 +kernel: iwl_txq_gen2_free+0x55/0x130 [iwlwifi] +kernel: ? ftrace_regs_caller_end+0x66/0x66 +kernel: iwl_txq_gen2_tx_free+0x63/0x80 [iwlwifi] +kernel: ? ftrace_regs_caller_end+0x66/0x66 +kernel: _iwl_trans_pcie_gen2_stop_device+0x3f3/0x5b0 [iwlwifi] +kernel: ? _iwl_trans_pcie_gen2_stop_device+0x9/0x5b0 [iwlwifi] +kernel: ? mutex_lock_nested+0x4/0x30 +kernel: ? ftrace_regs_caller_end+0x66/0x66 +kernel: iwl_trans_pcie_gen2_stop_device+0x5f/0x90 [iwlwifi] +kernel: ? ftrace_regs_caller_end+0x66/0x66 +kernel: iwl_mvm_stop_device+0x78/0xd0 [iwlmvm] +kernel: ? ftrace_regs_caller_end+0x66/0x66 +kernel: __iwl_mvm_mac_start+0x114/0x210 [iwlmvm] +kernel: ? ftrace_regs_caller_end+0x66/0x66 +kernel: iwl_mvm_mac_start+0x76/0x150 [iwlmvm] +kernel: ? ftrace_regs_caller_end+0x66/0x66 +kernel: drv_start+0x79/0x180 [mac80211] +kernel: ? ftrace_regs_caller_end+0x66/0x66 +kernel: ieee80211_reconfig+0x1523/0x1ce0 [mac80211] +kernel: ? synchronize_net+0x4/0x50 +kernel: ? ftrace_regs_caller_end+0x66/0x66 +kernel: ieee80211_restart_work+0x108/0x170 [mac80211] +kernel: ? ftrace_regs_caller_end+0x66/0x66 +kernel: process_one_work+0x250/0x530 +kernel: ? ftrace_regs_caller_end+0x66/0x66 +kernel: worker_thread+0x48/0x3a0 +kernel: ? __pfx_worker_thread+0x10/0x10 +kernel: kthread+0x10f/0x140 +kernel: ? __pfx_kthread+0x10/0x10 +kernel: ret_from_fork+0x29/0x50 +kernel: + +Fixes: 4444bc2116ae ("wifi: mac80211: Proper mark iTXQs for resumption") +Link: https://lore.kernel.org/all/1f58a0d1-d2b9-d851-73c3-93fcc607501c@alu.unizg.hr/ +Reported-by: Mirsad Goran Todorovac +Cc: Gregory Greenman +Cc: Johannes Berg +Link: https://lore.kernel.org/all/cdc80531-f25f-6f9d-b15f-25e16130b53a@alu.unizg.hr/ +Cc: David S. Miller +Cc: Eric Dumazet +Cc: Jakub Kicinski +Cc: Paolo Abeni +Cc: Leon Romanovsky +Cc: Alexander Wetzel +Signed-off-by: Mirsad Goran Todorovac +Reviewed-by: Leon Romanovsky +Reviewed-by: tag, or it goes automatically? +Link: https://lore.kernel.org/r/20230425164005.25272-1-mirsad.todorovac@alu.unizg.hr +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + net/mac80211/tx.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c +index 7699fb41..45cb8e7b 100644 +--- a/net/mac80211/tx.c ++++ b/net/mac80211/tx.c +@@ -3781,6 +3781,7 @@ struct sk_buff *ieee80211_tx_dequeue(struct ieee80211_hw *hw, + ieee80211_tx_result r; + struct ieee80211_vif *vif = txq->vif; + int q = vif->hw_queue[txq->ac]; ++ unsigned long flags; + bool q_stopped; + + WARN_ON_ONCE(softirq_count() == 0); +@@ -3789,9 +3790,9 @@ struct sk_buff *ieee80211_tx_dequeue(struct ieee80211_hw *hw, + return NULL; + + begin: +- spin_lock(&local->queue_stop_reason_lock); ++ spin_lock_irqsave(&local->queue_stop_reason_lock, flags); + q_stopped = local->queue_stop_reasons[q]; +- spin_unlock(&local->queue_stop_reason_lock); ++ spin_unlock_irqrestore(&local->queue_stop_reason_lock, flags); + + if (unlikely(q_stopped)) { + /* mark for waking later */ +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-267-wifi-mac80211-Fix-puncturing-bitmap-handling-in.patch b/patches.kernel.org/6.3.4-267-wifi-mac80211-Fix-puncturing-bitmap-handling-in.patch new file mode 100644 index 0000000..0ac4b49 --- /dev/null +++ b/patches.kernel.org/6.3.4-267-wifi-mac80211-Fix-puncturing-bitmap-handling-in.patch @@ -0,0 +1,53 @@ +From: Christophe JAILLET +Date: Mon, 24 Apr 2023 19:42:04 +0200 +Subject: [PATCH] wifi: mac80211: Fix puncturing bitmap handling in + __ieee80211_csa_finalize() +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 13ad2b1eeacd48ec0f31f55964e6dc7dfc2c0299 + +[ Upstream commit 13ad2b1eeacd48ec0f31f55964e6dc7dfc2c0299 ] + +'changed' can be OR'ed with BSS_CHANGED_EHT_PUNCTURING which is larger than +an u32. +So, turn 'changed' into an u64 and update ieee80211_set_after_csa_beacon() +accordingly. + +In the commit in Fixes, only ieee80211_start_ap() was updated. + +Fixes: 2cc25e4b2a04 ("wifi: mac80211: configure puncturing bitmap") +Signed-off-by: Christophe JAILLET +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/e84a3f80fe536787f7a2c7180507efc36cd14f95.1682358088.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + net/mac80211/cfg.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c +index d3d86191..fb8d80eb 100644 +--- a/net/mac80211/cfg.c ++++ b/net/mac80211/cfg.c +@@ -3502,7 +3502,7 @@ void ieee80211_channel_switch_disconnect(struct ieee80211_vif *vif, bool block_t + EXPORT_SYMBOL(ieee80211_channel_switch_disconnect); + + static int ieee80211_set_after_csa_beacon(struct ieee80211_sub_if_data *sdata, +- u32 *changed) ++ u64 *changed) + { + int err; + +@@ -3545,7 +3545,7 @@ static int ieee80211_set_after_csa_beacon(struct ieee80211_sub_if_data *sdata, + static int __ieee80211_csa_finalize(struct ieee80211_sub_if_data *sdata) + { + struct ieee80211_local *local = sdata->local; +- u32 changed = 0; ++ u64 changed = 0; + int err; + + sdata_assert_lock(sdata); +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-268-wifi-mac80211-fix-min-center-freq-offset-tracin.patch b/patches.kernel.org/6.3.4-268-wifi-mac80211-fix-min-center-freq-offset-tracin.patch new file mode 100644 index 0000000..0be9b74 --- /dev/null +++ b/patches.kernel.org/6.3.4-268-wifi-mac80211-fix-min-center-freq-offset-tracin.patch @@ -0,0 +1,40 @@ +From: Johannes Berg +Date: Thu, 4 May 2023 16:45:01 +0300 +Subject: [PATCH] wifi: mac80211: fix min center freq offset tracing +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 248e4776514bf70236e6b1a54c65aa5324c8b1eb + +[ Upstream commit 248e4776514bf70236e6b1a54c65aa5324c8b1eb ] + +We need to set the correct trace variable, otherwise we're +overwriting something else instead and the right one that +we print later is not initialized. + +Fixes: b6011960f392 ("mac80211: handle channel frequency offset") +Signed-off-by: Johannes Berg +Signed-off-by: Gregory Greenman +Link: https://lore.kernel.org/r/20230504134511.828474-2-gregory.greenman@intel.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + net/mac80211/trace.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/mac80211/trace.h b/net/mac80211/trace.h +index 9f437756..c85367a4 100644 +--- a/net/mac80211/trace.h ++++ b/net/mac80211/trace.h +@@ -67,7 +67,7 @@ + __entry->min_freq_offset = (c)->chan ? (c)->chan->freq_offset : 0; \ + __entry->min_chan_width = (c)->width; \ + __entry->min_center_freq1 = (c)->center_freq1; \ +- __entry->freq1_offset = (c)->freq1_offset; \ ++ __entry->min_freq1_offset = (c)->freq1_offset; \ + __entry->min_center_freq2 = (c)->center_freq2; + #define MIN_CHANDEF_PR_FMT " min_control:%d.%03d MHz min_width:%d min_center: %d.%03d/%d MHz" + #define MIN_CHANDEF_PR_ARG __entry->min_control_freq, __entry->min_freq_offset, \ +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-269-wifi-mac80211-Abort-running-color-change-when-s.patch b/patches.kernel.org/6.3.4-269-wifi-mac80211-Abort-running-color-change-when-s.patch new file mode 100644 index 0000000..4378329 --- /dev/null +++ b/patches.kernel.org/6.3.4-269-wifi-mac80211-Abort-running-color-change-when-s.patch @@ -0,0 +1,43 @@ +From: Michael Lee +Date: Thu, 4 May 2023 16:04:41 +0800 +Subject: [PATCH] wifi: mac80211: Abort running color change when stopping the + AP +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: a23d7f5b2fbda114de60c4b53311e052281d7533 + +[ Upstream commit a23d7f5b2fbda114de60c4b53311e052281d7533 ] + +When stopping the AP, there might be a color change in progress. It +should be deactivated here, or the driver might later finalize a color +change on a stopped AP. + +Fixes: 5f9404abdf2a (mac80211: add support for BSS color change) +Signed-off-by: Michael Lee +Link: https://lore.kernel.org/r/20230504080441.22958-1-michael-cy.lee@mediatek.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + net/mac80211/cfg.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c +index fb8d80eb..5ddbe0c8 100644 +--- a/net/mac80211/cfg.c ++++ b/net/mac80211/cfg.c +@@ -1512,9 +1512,10 @@ static int ieee80211_stop_ap(struct wiphy *wiphy, struct net_device *dev, + sdata_dereference(link->u.ap.unsol_bcast_probe_resp, + sdata); + +- /* abort any running channel switch */ ++ /* abort any running channel switch or color change */ + mutex_lock(&local->mtx); + link_conf->csa_active = false; ++ link_conf->color_change_active = false; + if (link->csa_block_tx) { + ieee80211_wake_vif_queues(local, sdata, + IEEE80211_QUEUE_STOP_REASON_CSA); +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-270-wifi-iwlwifi-mvm-fix-cancel_delayed_work_sync-d.patch b/patches.kernel.org/6.3.4-270-wifi-iwlwifi-mvm-fix-cancel_delayed_work_sync-d.patch new file mode 100644 index 0000000..0655c12 --- /dev/null +++ b/patches.kernel.org/6.3.4-270-wifi-iwlwifi-mvm-fix-cancel_delayed_work_sync-d.patch @@ -0,0 +1,45 @@ +From: Johannes Berg +Date: Sun, 14 May 2023 12:15:46 +0300 +Subject: [PATCH] wifi: iwlwifi: mvm: fix cancel_delayed_work_sync() deadlock +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: c2d8b7f257b2398f2d866205365895e038beca12 + +[ Upstream commit c2d8b7f257b2398f2d866205365895e038beca12 ] + +Lockdep points out that we can deadlock here by calling +cancel_delayed_work_sync() because that might be already +running and gotten interrupted by the NAPI soft-IRQ. +Even just calling something that can sleep is wrong in +this context though. + +Luckily, it doesn't even really matter since the things +we need to do are idempotent, so just drop the _sync(). + +Fixes: e5d153ec54f0 ("iwlwifi: mvm: fix CSA AP side") +Signed-off-by: Johannes Berg +Signed-off-by: Gregory Greenman +Link: https://lore.kernel.org/r/20230514120631.b1813c823b4d.I9d20cc06d24fa40b6774d3dd95ea5e2bf8dd015b@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c b/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c +index e6851131..ad410b6e 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c +@@ -1967,7 +1967,7 @@ void iwl_mvm_rx_mpdu_mq(struct iwl_mvm *mvm, struct napi_struct *napi, + RCU_INIT_POINTER(mvm->csa_tx_blocked_vif, NULL); + /* Unblock BCAST / MCAST station */ + iwl_mvm_modify_all_sta_disable_tx(mvm, mvmvif, false); +- cancel_delayed_work_sync(&mvm->cs_tx_unblock_dwork); ++ cancel_delayed_work(&mvm->cs_tx_unblock_dwork); + } + } + +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-271-wifi-iwlwifi-fw-fix-DBGI-dump.patch b/patches.kernel.org/6.3.4-271-wifi-iwlwifi-fw-fix-DBGI-dump.patch new file mode 100644 index 0000000..ccf188c --- /dev/null +++ b/patches.kernel.org/6.3.4-271-wifi-iwlwifi-fw-fix-DBGI-dump.patch @@ -0,0 +1,91 @@ +From: Johannes Berg +Date: Sun, 14 May 2023 12:15:48 +0300 +Subject: [PATCH] wifi: iwlwifi: fw: fix DBGI dump +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: d3ae69180bbd74bcbc03a2b6d10ed7eccbe98c23 + +[ Upstream commit d3ae69180bbd74bcbc03a2b6d10ed7eccbe98c23 ] + +The DBGI dump is (unsurprisingly) of type DBGI, not SRAM. +This leads to bad register accesses because the union is +built differently, there's no allocation ID, and thus the +allocation ID ends up being 0x8000. + +Note that this was already wrong for DRAM vs. SMEM since +they use different parts of the union, but the allocation +ID is at the same place, so it worked. + +Fix all of this but set the allocation ID in a way that +the offset calculation ends up without any offset. + +Fixes: 34bc27783a31 ("iwlwifi: yoyo: fix DBGI_SRAM ini dump header.") +Signed-off-by: Johannes Berg +Signed-off-by: Gregory Greenman +Link: https://lore.kernel.org/r/20230514120631.19a302ae4c65.I12272599f7c1930666157b9d5e7f81fe9ec4c421@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/net/wireless/intel/iwlwifi/fw/dbg.c | 19 +++++++++++-------- + 1 file changed, 11 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/fw/dbg.c b/drivers/net/wireless/intel/iwlwifi/fw/dbg.c +index 027360e6..3ef0b776 100644 +--- a/drivers/net/wireless/intel/iwlwifi/fw/dbg.c ++++ b/drivers/net/wireless/intel/iwlwifi/fw/dbg.c +@@ -1664,14 +1664,10 @@ static __le32 iwl_get_mon_reg(struct iwl_fw_runtime *fwrt, u32 alloc_id, + } + + static void * +-iwl_dump_ini_mon_fill_header(struct iwl_fw_runtime *fwrt, +- struct iwl_dump_ini_region_data *reg_data, ++iwl_dump_ini_mon_fill_header(struct iwl_fw_runtime *fwrt, u32 alloc_id, + struct iwl_fw_ini_monitor_dump *data, + const struct iwl_fw_mon_regs *addrs) + { +- struct iwl_fw_ini_region_tlv *reg = (void *)reg_data->reg_tlv->data; +- u32 alloc_id = le32_to_cpu(reg->dram_alloc_id); +- + if (!iwl_trans_grab_nic_access(fwrt->trans)) { + IWL_ERR(fwrt, "Failed to get monitor header\n"); + return NULL; +@@ -1702,8 +1698,10 @@ iwl_dump_ini_mon_dram_fill_header(struct iwl_fw_runtime *fwrt, + void *data, u32 data_len) + { + struct iwl_fw_ini_monitor_dump *mon_dump = (void *)data; ++ struct iwl_fw_ini_region_tlv *reg = (void *)reg_data->reg_tlv->data; ++ u32 alloc_id = le32_to_cpu(reg->dram_alloc_id); + +- return iwl_dump_ini_mon_fill_header(fwrt, reg_data, mon_dump, ++ return iwl_dump_ini_mon_fill_header(fwrt, alloc_id, mon_dump, + &fwrt->trans->cfg->mon_dram_regs); + } + +@@ -1713,8 +1711,10 @@ iwl_dump_ini_mon_smem_fill_header(struct iwl_fw_runtime *fwrt, + void *data, u32 data_len) + { + struct iwl_fw_ini_monitor_dump *mon_dump = (void *)data; ++ struct iwl_fw_ini_region_tlv *reg = (void *)reg_data->reg_tlv->data; ++ u32 alloc_id = le32_to_cpu(reg->internal_buffer.alloc_id); + +- return iwl_dump_ini_mon_fill_header(fwrt, reg_data, mon_dump, ++ return iwl_dump_ini_mon_fill_header(fwrt, alloc_id, mon_dump, + &fwrt->trans->cfg->mon_smem_regs); + } + +@@ -1725,7 +1725,10 @@ iwl_dump_ini_mon_dbgi_fill_header(struct iwl_fw_runtime *fwrt, + { + struct iwl_fw_ini_monitor_dump *mon_dump = (void *)data; + +- return iwl_dump_ini_mon_fill_header(fwrt, reg_data, mon_dump, ++ return iwl_dump_ini_mon_fill_header(fwrt, ++ /* no offset calculation later */ ++ IWL_FW_INI_ALLOCATION_ID_DBGC1, ++ mon_dump, + &fwrt->trans->cfg->mon_dbgi_regs); + } + +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-272-wifi-iwlwifi-fix-OEM-s-name-in-the-ppag-approve.patch b/patches.kernel.org/6.3.4-272-wifi-iwlwifi-fix-OEM-s-name-in-the-ppag-approve.patch new file mode 100644 index 0000000..59e57b3 --- /dev/null +++ b/patches.kernel.org/6.3.4-272-wifi-iwlwifi-fix-OEM-s-name-in-the-ppag-approve.patch @@ -0,0 +1,38 @@ +From: Alon Giladi +Date: Sun, 14 May 2023 12:15:51 +0300 +Subject: [PATCH] wifi: iwlwifi: fix OEM's name in the ppag approved list +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: eca7296d9a671e9961834d2ace9cc0ce21fc15b3 + +[ Upstream commit eca7296d9a671e9961834d2ace9cc0ce21fc15b3 ] + +Fix a spelling mistake. + +Fixes: e8e10a37c51c ("iwlwifi: acpi: move ppag code from mvm to fw/acpi") +Signed-off-by: Alon Giladi +Signed-off-by: Gregory Greenman +Link: https://lore.kernel.org/r/20230514120631.fdd07f36a8bf.I223e5fb16ab5c95d504c3fdaffd0bd70affad1c2@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/net/wireless/intel/iwlwifi/fw/acpi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/fw/acpi.c b/drivers/net/wireless/intel/iwlwifi/fw/acpi.c +index a02e5a67..585e8cd2 100644 +--- a/drivers/net/wireless/intel/iwlwifi/fw/acpi.c ++++ b/drivers/net/wireless/intel/iwlwifi/fw/acpi.c +@@ -38,7 +38,7 @@ static const struct dmi_system_id dmi_ppag_approved_list[] = { + }, + { .ident = "ASUS", + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "ASUSTek COMPUTER INC."), ++ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."), + }, + }, + {} +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-273-wifi-iwlwifi-mvm-fix-OEM-s-name-in-the-tas-appr.patch b/patches.kernel.org/6.3.4-273-wifi-iwlwifi-mvm-fix-OEM-s-name-in-the-tas-appr.patch new file mode 100644 index 0000000..f7d5089 --- /dev/null +++ b/patches.kernel.org/6.3.4-273-wifi-iwlwifi-mvm-fix-OEM-s-name-in-the-tas-appr.patch @@ -0,0 +1,38 @@ +From: Alon Giladi +Date: Sun, 14 May 2023 12:15:52 +0300 +Subject: [PATCH] wifi: iwlwifi: mvm: fix OEM's name in the tas approved list +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: d0246a0e49efee0f8649d0e4f2350614cdfe6565 + +[ Upstream commit d0246a0e49efee0f8649d0e4f2350614cdfe6565 ] + +Fix a spelling mistake. + +Fixes: 2856f623ce48 ("iwlwifi: mvm: Add list of OEMs allowed to use TAS") +Signed-off-by: Alon Giladi +Signed-off-by: Gregory Greenman +Link: https://lore.kernel.org/r/20230514120631.4090de6d1878.If9391ef6da78f1b2cc5eb6cb8f6965816bb7a7f5@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c +index 0c6b49fc..0ce0f228 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c +@@ -1076,7 +1076,7 @@ static const struct dmi_system_id dmi_tas_approved_list[] = { + }, + { .ident = "LENOVO", + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Lenovo"), ++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), + }, + }, + { .ident = "DELL", +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-274-wifi-iwlwifi-mvm-don-t-trust-firmware-n_channel.patch b/patches.kernel.org/6.3.4-274-wifi-iwlwifi-mvm-don-t-trust-firmware-n_channel.patch new file mode 100644 index 0000000..c1d911d --- /dev/null +++ b/patches.kernel.org/6.3.4-274-wifi-iwlwifi-mvm-don-t-trust-firmware-n_channel.patch @@ -0,0 +1,61 @@ +From: Johannes Berg +Date: Sun, 14 May 2023 12:15:53 +0300 +Subject: [PATCH] wifi: iwlwifi: mvm: don't trust firmware n_channels +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 682b6dc29d98e857e6ca4bbc077c7dc2899b7473 + +[ Upstream commit 682b6dc29d98e857e6ca4bbc077c7dc2899b7473 ] + +If the firmware sends us a corrupted MCC response with +n_channels much larger than the command response can be, +we might copy far too much (uninitialized) memory and +even crash if the n_channels is large enough to make it +run out of the one page allocated for the FW response. + +Fix that by checking the lengths. Doing a < comparison +would be sufficient, but the firmware should be doing +it correctly, so check more strictly. + +Fixes: dcaf9f5ecb6f ("iwlwifi: mvm: add MCC update FW API") +Signed-off-by: Johannes Berg +Signed-off-by: Gregory Greenman +Link: https://lore.kernel.org/r/20230514120631.d7b233139eb4.I51fd319df8e9d41881fc8450e83d78049518a79a@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/net/wireless/intel/iwlwifi/mvm/nvm.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/nvm.c b/drivers/net/wireless/intel/iwlwifi/mvm/nvm.c +index 6d18a1fd..fdf60afb 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/nvm.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/nvm.c +@@ -445,6 +445,11 @@ iwl_mvm_update_mcc(struct iwl_mvm *mvm, const char *alpha2, + struct iwl_mcc_update_resp *mcc_resp = (void *)pkt->data; + + n_channels = __le32_to_cpu(mcc_resp->n_channels); ++ if (iwl_rx_packet_payload_len(pkt) != ++ struct_size(mcc_resp, channels, n_channels)) { ++ resp_cp = ERR_PTR(-EINVAL); ++ goto exit; ++ } + resp_len = sizeof(struct iwl_mcc_update_resp) + + n_channels * sizeof(__le32); + resp_cp = kmemdup(mcc_resp, resp_len, GFP_KERNEL); +@@ -456,6 +461,11 @@ iwl_mvm_update_mcc(struct iwl_mvm *mvm, const char *alpha2, + struct iwl_mcc_update_resp_v3 *mcc_resp_v3 = (void *)pkt->data; + + n_channels = __le32_to_cpu(mcc_resp_v3->n_channels); ++ if (iwl_rx_packet_payload_len(pkt) != ++ struct_size(mcc_resp_v3, channels, n_channels)) { ++ resp_cp = ERR_PTR(-EINVAL); ++ goto exit; ++ } + resp_len = sizeof(struct iwl_mcc_update_resp) + + n_channels * sizeof(__le32); + resp_cp = kzalloc(resp_len, GFP_KERNEL); +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-275-scsi-storvsc-Don-t-pass-unused-PFNs-to-Hyper-V-.patch b/patches.kernel.org/6.3.4-275-scsi-storvsc-Don-t-pass-unused-PFNs-to-Hyper-V-.patch new file mode 100644 index 0000000..0734785 --- /dev/null +++ b/patches.kernel.org/6.3.4-275-scsi-storvsc-Don-t-pass-unused-PFNs-to-Hyper-V-.patch @@ -0,0 +1,66 @@ +From: Michael Kelley +Date: Mon, 15 May 2023 10:20:41 -0700 +Subject: [PATCH] scsi: storvsc: Don't pass unused PFNs to Hyper-V host +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 4e81a6cba517cb33584308a331f14f5e3fec369b + +[ Upstream commit 4e81a6cba517cb33584308a331f14f5e3fec369b ] + +In a SCSI request, storvsc pre-allocates space for up to +MAX_PAGE_BUFFER_COUNT physical frame numbers to be passed to Hyper-V. If +the size of the I/O request requires more PFNs, a separate memory area of +exactly the correct size is dynamically allocated. + +But when the pre-allocated area is used, current code always passes +MAX_PAGE_BUFFER_COUNT PFNs to Hyper-V, even if fewer are needed. While +this doesn't break anything because the additional PFNs are always zero, +more bytes than necessary are copied into the VMBus channel ring buffer. +This takes CPU cycles and wastes space in the ring buffer. For a typical 4 +Kbyte I/O that requires only a single PFN, 248 unnecessary bytes are +copied. + +Fix this by setting the payload_sz based on the actual number of PFNs +required, not the size of the pre-allocated space. + +Reported-by: John Starks +Fixes: 8f43710543ef ("scsi: storvsc: Support PAGE_SIZE larger than 4K") +Signed-off-by: Michael Kelley +Link: https://lore.kernel.org/r/1684171241-16209-1-git-send-email-mikelley@microsoft.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/scsi/storvsc_drv.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/scsi/storvsc_drv.c b/drivers/scsi/storvsc_drv.c +index d9ce379c..e6bc6229 100644 +--- a/drivers/scsi/storvsc_drv.c ++++ b/drivers/scsi/storvsc_drv.c +@@ -1780,7 +1780,7 @@ static int storvsc_queuecommand(struct Scsi_Host *host, struct scsi_cmnd *scmnd) + + length = scsi_bufflen(scmnd); + payload = (struct vmbus_packet_mpb_array *)&cmd_request->mpb; +- payload_sz = sizeof(cmd_request->mpb); ++ payload_sz = 0; + + if (scsi_sg_count(scmnd)) { + unsigned long offset_in_hvpg = offset_in_hvpage(sgl->offset); +@@ -1789,10 +1789,10 @@ static int storvsc_queuecommand(struct Scsi_Host *host, struct scsi_cmnd *scmnd) + unsigned long hvpfn, hvpfns_to_add; + int j, i = 0, sg_count; + +- if (hvpg_count > MAX_PAGE_BUFFER_COUNT) { ++ payload_sz = (hvpg_count * sizeof(u64) + ++ sizeof(struct vmbus_packet_mpb_array)); + +- payload_sz = (hvpg_count * sizeof(u64) + +- sizeof(struct vmbus_packet_mpb_array)); ++ if (hvpg_count > MAX_PAGE_BUFFER_COUNT) { + payload = kzalloc(payload_sz, GFP_ATOMIC); + if (!payload) + return SCSI_MLQUEUE_DEVICE_BUSY; +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-276-devlink-Fix-crash-with-CONFIG_NET_NS-n.patch b/patches.kernel.org/6.3.4-276-devlink-Fix-crash-with-CONFIG_NET_NS-n.patch new file mode 100644 index 0000000..380f92d --- /dev/null +++ b/patches.kernel.org/6.3.4-276-devlink-Fix-crash-with-CONFIG_NET_NS-n.patch @@ -0,0 +1,69 @@ +From: Ido Schimmel +Date: Mon, 15 May 2023 19:29:25 +0300 +Subject: [PATCH] devlink: Fix crash with CONFIG_NET_NS=n +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: d6352dae0903fe8beae4c007dc320e9e9f1fed45 + +[ Upstream commit d6352dae0903fe8beae4c007dc320e9e9f1fed45 ] + +'__net_initdata' becomes a no-op with CONFIG_NET_NS=y, but when this +option is disabled it becomes '__initdata', which means the data can be +freed after the initialization phase. This annotation is obviously +incorrect for the devlink net device notifier block which is still +registered after the initialization phase [1]. + +Fix this crash by removing the '__net_initdata' annotation. + +[1] +general protection fault, probably for non-canonical address 0xcccccccccccccccc: 0000 [#1] PREEMPT SMP +CPU: 3 PID: 117 Comm: (udev-worker) Not tainted 6.4.0-rc1-custom-gdf0acdc59b09 #64 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-1.fc37 04/01/2014 +RIP: 0010:notifier_call_chain+0x58/0xc0 +[...] +Call Trace: + + dev_set_mac_address+0x85/0x120 + dev_set_mac_address_user+0x30/0x50 + do_setlink+0x219/0x1270 + rtnl_setlink+0xf7/0x1a0 + rtnetlink_rcv_msg+0x142/0x390 + netlink_rcv_skb+0x58/0x100 + netlink_unicast+0x188/0x270 + netlink_sendmsg+0x214/0x470 + __sys_sendto+0x12f/0x1a0 + __x64_sys_sendto+0x24/0x30 + do_syscall_64+0x38/0x80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Fixes: e93c9378e33f ("devlink: change per-devlink netdev notifier to static one") +Reported-by: Marek Szyprowski +Closes: https://lore.kernel.org/netdev/600ddf9e-589a-2aa0-7b69-a438f833ca10@samsung.com/ +Tested-by: Marek Szyprowski +Signed-off-by: Ido Schimmel +Reviewed-by: Jiri Pirko +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20230515162925.1144416-1-idosch@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + net/devlink/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/devlink/core.c b/net/devlink/core.c +index 0e58eee4..c23ebaba 100644 +--- a/net/devlink/core.c ++++ b/net/devlink/core.c +@@ -294,7 +294,7 @@ static struct pernet_operations devlink_pernet_ops __net_initdata = { + .pre_exit = devlink_pernet_pre_exit, + }; + +-static struct notifier_block devlink_port_netdevice_nb __net_initdata = { ++static struct notifier_block devlink_port_netdevice_nb = { + .notifier_call = devlink_port_netdevice_event, + }; + +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-277-tun-Fix-memory-leak-for-detached-NAPI-queue.patch b/patches.kernel.org/6.3.4-277-tun-Fix-memory-leak-for-detached-NAPI-queue.patch new file mode 100644 index 0000000..0ba99ee --- /dev/null +++ b/patches.kernel.org/6.3.4-277-tun-Fix-memory-leak-for-detached-NAPI-queue.patch @@ -0,0 +1,145 @@ +From: Kuniyuki Iwashima +Date: Mon, 15 May 2023 11:42:04 -0700 +Subject: [PATCH] tun: Fix memory leak for detached NAPI queue. +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 82b2bc279467c875ec36f8ef820f00997c2a4e8e + +[ Upstream commit 82b2bc279467c875ec36f8ef820f00997c2a4e8e ] + +syzkaller reported [0] memory leaks of sk and skb related to the TUN +device with no repro, but we can reproduce it easily with: + + struct ifreq ifr = {} + int fd_tun, fd_tmp; + char buf[4] = {}; + + fd_tun = openat(AT_FDCWD, "/dev/net/tun", O_WRONLY, 0); + ifr.ifr_flags = IFF_TUN | IFF_NAPI | IFF_MULTI_QUEUE; + ioctl(fd_tun, TUNSETIFF, &ifr); + + ifr.ifr_flags = IFF_DETACH_QUEUE; + ioctl(fd_tun, TUNSETQUEUE, &ifr); + + fd_tmp = socket(AF_PACKET, SOCK_PACKET, 0); + ifr.ifr_flags = IFF_UP; + ioctl(fd_tmp, SIOCSIFFLAGS, &ifr); + + write(fd_tun, buf, sizeof(buf)); + close(fd_tun); + +If we enable NAPI and multi-queue on a TUN device, we can put skb into +tfile->sk.sk_write_queue after the queue is detached. We should prevent +it by checking tfile->detached before queuing skb. + +Note this must be done under tfile->sk.sk_write_queue.lock because write() +and ioctl(IFF_DETACH_QUEUE) can run concurrently. Otherwise, there would +be a small race window: + + write() ioctl(IFF_DETACH_QUEUE) + `- tun_get_user `- __tun_detach + |- if (tfile->detached) |- tun_disable_queue + | `-> false | `- tfile->detached = tun + | `- tun_queue_purge + |- spin_lock_bh(&queue->lock) + `- __skb_queue_tail(queue, skb) + +Another solution is to call tun_queue_purge() when closing and +reattaching the detached queue, but it could paper over another +problems. Also, we do the same kind of test for IFF_NAPI_FRAGS. + +[0]: +unreferenced object 0xffff88801edbc800 (size 2048): + comm "syz-executor.1", pid 33269, jiffies 4295743834 (age 18.756s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00 00 07 40 00 00 00 00 00 00 00 00 00 00 00 00 ...@............ + backtrace: + [<000000008c16ea3d>] __do_kmalloc_node mm/slab_common.c:965 [inline] + [<000000008c16ea3d>] __kmalloc+0x4a/0x130 mm/slab_common.c:979 + [<000000003addde56>] kmalloc include/linux/slab.h:563 [inline] + [<000000003addde56>] sk_prot_alloc+0xef/0x1b0 net/core/sock.c:2035 + [<000000003e20621f>] sk_alloc+0x36/0x2f0 net/core/sock.c:2088 + [<0000000028e43843>] tun_chr_open+0x3d/0x190 drivers/net/tun.c:3438 + [<000000001b0f1f28>] misc_open+0x1a6/0x1f0 drivers/char/misc.c:165 + [<000000004376f706>] chrdev_open+0x111/0x300 fs/char_dev.c:414 + [<00000000614d379f>] do_dentry_open+0x2f9/0x750 fs/open.c:920 + [<000000008eb24774>] do_open fs/namei.c:3636 [inline] + [<000000008eb24774>] path_openat+0x143f/0x1a30 fs/namei.c:3791 + [<00000000955077b5>] do_filp_open+0xce/0x1c0 fs/namei.c:3818 + [<00000000b78973b0>] do_sys_openat2+0xf0/0x260 fs/open.c:1356 + [<00000000057be699>] do_sys_open fs/open.c:1372 [inline] + [<00000000057be699>] __do_sys_openat fs/open.c:1388 [inline] + [<00000000057be699>] __se_sys_openat fs/open.c:1383 [inline] + [<00000000057be699>] __x64_sys_openat+0x83/0xf0 fs/open.c:1383 + [<00000000a7d2182d>] do_syscall_x64 arch/x86/entry/common.c:50 [inline] + [<00000000a7d2182d>] do_syscall_64+0x3c/0x90 arch/x86/entry/common.c:80 + [<000000004cc4e8c4>] entry_SYSCALL_64_after_hwframe+0x72/0xdc + +unreferenced object 0xffff88802f671700 (size 240): + comm "syz-executor.1", pid 33269, jiffies 4295743854 (age 18.736s) + hex dump (first 32 bytes): + 68 c9 db 1e 80 88 ff ff 68 c9 db 1e 80 88 ff ff h.......h....... + 00 c0 7b 2f 80 88 ff ff 00 c8 db 1e 80 88 ff ff ..{/............ + backtrace: + [<00000000e9d9fdb6>] __alloc_skb+0x223/0x250 net/core/skbuff.c:644 + [<000000002c3e4e0b>] alloc_skb include/linux/skbuff.h:1288 [inline] + [<000000002c3e4e0b>] alloc_skb_with_frags+0x6f/0x350 net/core/skbuff.c:6378 + [<00000000825f98d7>] sock_alloc_send_pskb+0x3ac/0x3e0 net/core/sock.c:2729 + [<00000000e9eb3df3>] tun_alloc_skb drivers/net/tun.c:1529 [inline] + [<00000000e9eb3df3>] tun_get_user+0x5e1/0x1f90 drivers/net/tun.c:1841 + [<0000000053096912>] tun_chr_write_iter+0xac/0x120 drivers/net/tun.c:2035 + [<00000000b9282ae0>] call_write_iter include/linux/fs.h:1868 [inline] + [<00000000b9282ae0>] new_sync_write fs/read_write.c:491 [inline] + [<00000000b9282ae0>] vfs_write+0x40f/0x530 fs/read_write.c:584 + [<00000000524566e4>] ksys_write+0xa1/0x170 fs/read_write.c:637 + [<00000000a7d2182d>] do_syscall_x64 arch/x86/entry/common.c:50 [inline] + [<00000000a7d2182d>] do_syscall_64+0x3c/0x90 arch/x86/entry/common.c:80 + [<000000004cc4e8c4>] entry_SYSCALL_64_after_hwframe+0x72/0xdc + +Fixes: cde8b15f1aab ("tuntap: add ioctl to attach or detach a file form tuntap device") +Reported-by: syzkaller +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/net/tun.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/drivers/net/tun.c b/drivers/net/tun.c +index ad653b32..44087db2 100644 +--- a/drivers/net/tun.c ++++ b/drivers/net/tun.c +@@ -1976,6 +1976,14 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile, + int queue_len; + + spin_lock_bh(&queue->lock); ++ ++ if (unlikely(tfile->detached)) { ++ spin_unlock_bh(&queue->lock); ++ rcu_read_unlock(); ++ err = -EBUSY; ++ goto free_skb; ++ } ++ + __skb_queue_tail(queue, skb); + queue_len = skb_queue_len(queue); + spin_unlock(&queue->lock); +@@ -2511,6 +2519,13 @@ static int tun_xdp_one(struct tun_struct *tun, + if (tfile->napi_enabled) { + queue = &tfile->sk.sk_write_queue; + spin_lock(&queue->lock); ++ ++ if (unlikely(tfile->detached)) { ++ spin_unlock(&queue->lock); ++ kfree_skb(skb); ++ return -EBUSY; ++ } ++ + __skb_queue_tail(queue, skb); + spin_unlock(&queue->lock); + ret = 1; +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-278-cassini-Fix-a-memory-leak-in-the-error-handling.patch b/patches.kernel.org/6.3.4-278-cassini-Fix-a-memory-leak-in-the-error-handling.patch new file mode 100644 index 0000000..666c2c2 --- /dev/null +++ b/patches.kernel.org/6.3.4-278-cassini-Fix-a-memory-leak-in-the-error-handling.patch @@ -0,0 +1,43 @@ +From: Christophe JAILLET +Date: Mon, 15 May 2023 21:09:11 +0200 +Subject: [PATCH] cassini: Fix a memory leak in the error handling path of + cas_init_one() +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 412cd77a2c24b191c65ea53025222418db09817c + +[ Upstream commit 412cd77a2c24b191c65ea53025222418db09817c ] + +cas_saturn_firmware_init() allocates some memory using vmalloc(). This +memory is freed in the .remove() function but not it the error handling +path of the probe. + +Add the missing vfree() to avoid a memory leak, should an error occur. + +Fixes: fcaa40669cd7 ("cassini: use request_firmware") +Signed-off-by: Christophe JAILLET +Reviewed-by: Pavan Chebbi +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/net/ethernet/sun/cassini.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/sun/cassini.c b/drivers/net/ethernet/sun/cassini.c +index 4ef05bad..d61dfa25 100644 +--- a/drivers/net/ethernet/sun/cassini.c ++++ b/drivers/net/ethernet/sun/cassini.c +@@ -5077,6 +5077,8 @@ static int cas_init_one(struct pci_dev *pdev, const struct pci_device_id *ent) + cas_shutdown(cp); + mutex_unlock(&cp->pm_mutex); + ++ vfree(cp->fw_data); ++ + pci_iounmap(pdev, cp->regs); + + +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-279-net-dsa-mv88e6xxx-Fix-mv88e6393x-EPC-write-comm.patch b/patches.kernel.org/6.3.4-279-net-dsa-mv88e6xxx-Fix-mv88e6393x-EPC-write-comm.patch new file mode 100644 index 0000000..d7bfe3c --- /dev/null +++ b/patches.kernel.org/6.3.4-279-net-dsa-mv88e6xxx-Fix-mv88e6393x-EPC-write-comm.patch @@ -0,0 +1,38 @@ +From: Marco Migliore +Date: Tue, 16 May 2023 09:38:54 +0200 +Subject: [PATCH] net: dsa: mv88e6xxx: Fix mv88e6393x EPC write command offset +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 1323e0c6e1d7e103d59384c3ac50f72b17a6936c + +[ Upstream commit 1323e0c6e1d7e103d59384c3ac50f72b17a6936c ] + +According to datasheet, the command opcode must be specified +into bits [14:12] of the Extended Port Control register (EPC). + +Fixes: de776d0d316f ("net: dsa: mv88e6xxx: add support for mv88e6393x family") +Signed-off-by: Marco Migliore +Reviewed-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/net/dsa/mv88e6xxx/port.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/dsa/mv88e6xxx/port.h b/drivers/net/dsa/mv88e6xxx/port.h +index aec9d4fd..d19b6303 100644 +--- a/drivers/net/dsa/mv88e6xxx/port.h ++++ b/drivers/net/dsa/mv88e6xxx/port.h +@@ -276,7 +276,7 @@ + /* Offset 0x10: Extended Port Control Command */ + #define MV88E6393X_PORT_EPC_CMD 0x10 + #define MV88E6393X_PORT_EPC_CMD_BUSY 0x8000 +-#define MV88E6393X_PORT_EPC_CMD_WRITE 0x0300 ++#define MV88E6393X_PORT_EPC_CMD_WRITE 0x3000 + #define MV88E6393X_PORT_EPC_INDEX_PORT_ETYPE 0x02 + + /* Offset 0x11: Extended Port Control Data */ +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-280-igb-fix-bit_shift-to-be-in-1.8-range.patch b/patches.kernel.org/6.3.4-280-igb-fix-bit_shift-to-be-in-1.8-range.patch new file mode 100644 index 0000000..ecf850a --- /dev/null +++ b/patches.kernel.org/6.3.4-280-igb-fix-bit_shift-to-be-in-1.8-range.patch @@ -0,0 +1,51 @@ +From: Aleksandr Loktionov +Date: Tue, 16 May 2023 10:41:46 -0700 +Subject: [PATCH] igb: fix bit_shift to be in [1..8] range +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 60d758659f1fb49e0d5b6ac2691ede8c0958795b + +[ Upstream commit 60d758659f1fb49e0d5b6ac2691ede8c0958795b ] + +In igb_hash_mc_addr() the expression: + "mc_addr[4] >> 8 - bit_shift", right shifting "mc_addr[4]" +shift by more than 7 bits always yields zero, so hash becomes not so different. +Add initialization with bit_shift = 1 and add a loop condition to ensure +bit_shift will be always in [1..8] range. + +Fixes: 9d5c824399de ("igb: PCI-Express 82575 Gigabit Ethernet driver") +Signed-off-by: Aleksandr Loktionov +Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/net/ethernet/intel/igb/e1000_mac.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/igb/e1000_mac.c b/drivers/net/ethernet/intel/igb/e1000_mac.c +index 205d577b..caf91c6f 100644 +--- a/drivers/net/ethernet/intel/igb/e1000_mac.c ++++ b/drivers/net/ethernet/intel/igb/e1000_mac.c +@@ -426,7 +426,7 @@ void igb_mta_set(struct e1000_hw *hw, u32 hash_value) + static u32 igb_hash_mc_addr(struct e1000_hw *hw, u8 *mc_addr) + { + u32 hash_value, hash_mask; +- u8 bit_shift = 0; ++ u8 bit_shift = 1; + + /* Register count multiplied by bits per register */ + hash_mask = (hw->mac.mta_reg_count * 32) - 1; +@@ -434,7 +434,7 @@ static u32 igb_hash_mc_addr(struct e1000_hw *hw, u8 *mc_addr) + /* For a mc_filter_type of 0, bit_shift is the number of left-shifts + * where 0xFF would still fall within the hash mask. + */ +- while (hash_mask >> bit_shift != 0xFF) ++ while (hash_mask >> bit_shift != 0xFF && bit_shift < 4) + bit_shift++; + + /* The portion of the address that is used for the hash table +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-281-vlan-fix-a-potential-uninit-value-in-vlan_dev_h.patch b/patches.kernel.org/6.3.4-281-vlan-fix-a-potential-uninit-value-in-vlan_dev_h.patch new file mode 100644 index 0000000..5d5f3e3 --- /dev/null +++ b/patches.kernel.org/6.3.4-281-vlan-fix-a-potential-uninit-value-in-vlan_dev_h.patch @@ -0,0 +1,95 @@ +From: Eric Dumazet +Date: Tue, 16 May 2023 14:23:42 +0000 +Subject: [PATCH] vlan: fix a potential uninit-value in + vlan_dev_hard_start_xmit() +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: dacab578c7c6cd06c50c89dfa36b0e0f10decd4e + +[ Upstream commit dacab578c7c6cd06c50c89dfa36b0e0f10decd4e ] + +syzbot triggered the following splat [1], sending an empty message +through pppoe_sendmsg(). + +When VLAN_FLAG_REORDER_HDR flag is set, vlan_dev_hard_header() +does not push extra bytes for the VLAN header, because vlan is offloaded. + +Unfortunately vlan_dev_hard_start_xmit() first reads veth->h_vlan_proto +before testing (vlan->flags & VLAN_FLAG_REORDER_HDR). + +We need to swap the two conditions. + +[1] +BUG: KMSAN: uninit-value in vlan_dev_hard_start_xmit+0x171/0x7f0 net/8021q/vlan_dev.c:111 +vlan_dev_hard_start_xmit+0x171/0x7f0 net/8021q/vlan_dev.c:111 +__netdev_start_xmit include/linux/netdevice.h:4883 [inline] +netdev_start_xmit include/linux/netdevice.h:4897 [inline] +xmit_one net/core/dev.c:3580 [inline] +dev_hard_start_xmit+0x253/0xa20 net/core/dev.c:3596 +__dev_queue_xmit+0x3c7f/0x5ac0 net/core/dev.c:4246 +dev_queue_xmit include/linux/netdevice.h:3053 [inline] +pppoe_sendmsg+0xa93/0xb80 drivers/net/ppp/pppoe.c:900 +sock_sendmsg_nosec net/socket.c:724 [inline] +sock_sendmsg net/socket.c:747 [inline] +____sys_sendmsg+0xa24/0xe40 net/socket.c:2501 +___sys_sendmsg+0x2a1/0x3f0 net/socket.c:2555 +__sys_sendmmsg+0x411/0xa50 net/socket.c:2641 +__do_sys_sendmmsg net/socket.c:2670 [inline] +__se_sys_sendmmsg net/socket.c:2667 [inline] +__x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2667 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Uninit was created at: +slab_post_alloc_hook+0x12d/0xb60 mm/slab.h:774 +slab_alloc_node mm/slub.c:3452 [inline] +kmem_cache_alloc_node+0x543/0xab0 mm/slub.c:3497 +kmalloc_reserve+0x148/0x470 net/core/skbuff.c:520 +__alloc_skb+0x3a7/0x850 net/core/skbuff.c:606 +alloc_skb include/linux/skbuff.h:1277 [inline] +sock_wmalloc+0xfe/0x1a0 net/core/sock.c:2583 +pppoe_sendmsg+0x3af/0xb80 drivers/net/ppp/pppoe.c:867 +sock_sendmsg_nosec net/socket.c:724 [inline] +sock_sendmsg net/socket.c:747 [inline] +____sys_sendmsg+0xa24/0xe40 net/socket.c:2501 +___sys_sendmsg+0x2a1/0x3f0 net/socket.c:2555 +__sys_sendmmsg+0x411/0xa50 net/socket.c:2641 +__do_sys_sendmmsg net/socket.c:2670 [inline] +__se_sys_sendmmsg net/socket.c:2667 [inline] +__x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2667 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +CPU: 0 PID: 29770 Comm: syz-executor.0 Not tainted 6.3.0-rc6-syzkaller-gc478e5b17829 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/30/2023 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + net/8021q/vlan_dev.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/8021q/vlan_dev.c b/net/8021q/vlan_dev.c +index 5920544e..0fa52bcc 100644 +--- a/net/8021q/vlan_dev.c ++++ b/net/8021q/vlan_dev.c +@@ -108,8 +108,8 @@ static netdev_tx_t vlan_dev_hard_start_xmit(struct sk_buff *skb, + * NOTE: THIS ASSUMES DIX ETHERNET, SPECIFICALLY NOT SUPPORTING + * OTHER THINGS LIKE FDDI/TokenRing/802.3 SNAPs... + */ +- if (veth->h_vlan_proto != vlan->vlan_proto || +- vlan->flags & VLAN_FLAG_REORDER_HDR) { ++ if (vlan->flags & VLAN_FLAG_REORDER_HDR || ++ veth->h_vlan_proto != vlan->vlan_proto) { + u16 vlan_tci; + vlan_tci = vlan->vlan_id; + vlan_tci |= vlan_dev_get_egress_qos_mask(dev, skb->priority); +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-282-net-wwan-iosm-fix-NULL-pointer-dereference-when.patch b/patches.kernel.org/6.3.4-282-net-wwan-iosm-fix-NULL-pointer-dereference-when.patch new file mode 100644 index 0000000..c77c5c5 --- /dev/null +++ b/patches.kernel.org/6.3.4-282-net-wwan-iosm-fix-NULL-pointer-dereference-when.patch @@ -0,0 +1,156 @@ +From: M Chetan Kumar +Date: Tue, 16 May 2023 21:09:46 +0530 +Subject: [PATCH] net: wwan: iosm: fix NULL pointer dereference when removing + device +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 60829145f1e2650b31ebe6a0ec70a9725b38fa2c + +[ Upstream commit 60829145f1e2650b31ebe6a0ec70a9725b38fa2c ] + +In suspend and resume cycle, the removal and rescan of device ends +up in NULL pointer dereference. + +During driver initialization, if the ipc_imem_wwan_channel_init() +fails to get the valid device capabilities it returns an error and +further no resource (wwan struct) will be allocated. Now in this +situation if driver removal procedure is initiated it would result +in NULL pointer exception since unallocated wwan struct is dereferenced +inside ipc_wwan_deinit(). + +ipc_imem_run_state_worker() to handle the called functions return value +and to release the resource in failure case. It also reports the link +down event in failure cases. The user space application can handle this +event to do a device reset for restoring the device communication. + +Fixes: 3670970dd8c6 ("net: iosm: shared memory IPC interface") +Reported-by: Samuel Wein PhD +Closes: https://lore.kernel.org/netdev/20230427140819.1310f4bd@kernel.org/T/ +Signed-off-by: M Chetan Kumar +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/net/wwan/iosm/iosm_ipc_imem.c | 27 ++++++++++++++++++----- + drivers/net/wwan/iosm/iosm_ipc_imem_ops.c | 12 ++++++---- + drivers/net/wwan/iosm/iosm_ipc_imem_ops.h | 6 +++-- + 3 files changed, 33 insertions(+), 12 deletions(-) + +diff --git a/drivers/net/wwan/iosm/iosm_ipc_imem.c b/drivers/net/wwan/iosm/iosm_ipc_imem.c +index c066b004..829515a6 100644 +--- a/drivers/net/wwan/iosm/iosm_ipc_imem.c ++++ b/drivers/net/wwan/iosm/iosm_ipc_imem.c +@@ -565,24 +565,32 @@ static void ipc_imem_run_state_worker(struct work_struct *instance) + struct ipc_mux_config mux_cfg; + struct iosm_imem *ipc_imem; + u8 ctrl_chl_idx = 0; ++ int ret; + + ipc_imem = container_of(instance, struct iosm_imem, run_state_worker); + + if (ipc_imem->phase != IPC_P_RUN) { + dev_err(ipc_imem->dev, + "Modem link down. Exit run state worker."); +- return; ++ goto err_out; + } + + if (test_and_clear_bit(IOSM_DEVLINK_INIT, &ipc_imem->flag)) + ipc_devlink_deinit(ipc_imem->ipc_devlink); + +- if (!ipc_imem_setup_cp_mux_cap_init(ipc_imem, &mux_cfg)) +- ipc_imem->mux = ipc_mux_init(&mux_cfg, ipc_imem); ++ ret = ipc_imem_setup_cp_mux_cap_init(ipc_imem, &mux_cfg); ++ if (ret < 0) ++ goto err_out; ++ ++ ipc_imem->mux = ipc_mux_init(&mux_cfg, ipc_imem); ++ if (!ipc_imem->mux) ++ goto err_out; ++ ++ ret = ipc_imem_wwan_channel_init(ipc_imem, mux_cfg.protocol); ++ if (ret < 0) ++ goto err_ipc_mux_deinit; + +- ipc_imem_wwan_channel_init(ipc_imem, mux_cfg.protocol); +- if (ipc_imem->mux) +- ipc_imem->mux->wwan = ipc_imem->wwan; ++ ipc_imem->mux->wwan = ipc_imem->wwan; + + while (ctrl_chl_idx < IPC_MEM_MAX_CHANNELS) { + if (!ipc_chnl_cfg_get(&chnl_cfg_port, ctrl_chl_idx)) { +@@ -622,6 +630,13 @@ static void ipc_imem_run_state_worker(struct work_struct *instance) + + /* Complete all memory stores after setting bit */ + smp_mb__after_atomic(); ++ ++ return; ++ ++err_ipc_mux_deinit: ++ ipc_mux_deinit(ipc_imem->mux); ++err_out: ++ ipc_uevent_send(ipc_imem->dev, UEVENT_CD_READY_LINK_DOWN); + } + + static void ipc_imem_handle_irq(struct iosm_imem *ipc_imem, int irq) +diff --git a/drivers/net/wwan/iosm/iosm_ipc_imem_ops.c b/drivers/net/wwan/iosm/iosm_ipc_imem_ops.c +index 66b90cc4..109cf893 100644 +--- a/drivers/net/wwan/iosm/iosm_ipc_imem_ops.c ++++ b/drivers/net/wwan/iosm/iosm_ipc_imem_ops.c +@@ -77,8 +77,8 @@ int ipc_imem_sys_wwan_transmit(struct iosm_imem *ipc_imem, + } + + /* Initialize wwan channel */ +-void ipc_imem_wwan_channel_init(struct iosm_imem *ipc_imem, +- enum ipc_mux_protocol mux_type) ++int ipc_imem_wwan_channel_init(struct iosm_imem *ipc_imem, ++ enum ipc_mux_protocol mux_type) + { + struct ipc_chnl_cfg chnl_cfg = { 0 }; + +@@ -87,7 +87,7 @@ void ipc_imem_wwan_channel_init(struct iosm_imem *ipc_imem, + /* If modem version is invalid (0xffffffff), do not initialize WWAN. */ + if (ipc_imem->cp_version == -1) { + dev_err(ipc_imem->dev, "invalid CP version"); +- return; ++ return -EIO; + } + + ipc_chnl_cfg_get(&chnl_cfg, ipc_imem->nr_of_channels); +@@ -104,9 +104,13 @@ void ipc_imem_wwan_channel_init(struct iosm_imem *ipc_imem, + + /* WWAN registration. */ + ipc_imem->wwan = ipc_wwan_init(ipc_imem, ipc_imem->dev); +- if (!ipc_imem->wwan) ++ if (!ipc_imem->wwan) { + dev_err(ipc_imem->dev, + "failed to register the ipc_wwan interfaces"); ++ return -ENOMEM; ++ } ++ ++ return 0; + } + + /* Map SKB to DMA for transfer */ +diff --git a/drivers/net/wwan/iosm/iosm_ipc_imem_ops.h b/drivers/net/wwan/iosm/iosm_ipc_imem_ops.h +index f8afb217..026c5bd0 100644 +--- a/drivers/net/wwan/iosm/iosm_ipc_imem_ops.h ++++ b/drivers/net/wwan/iosm/iosm_ipc_imem_ops.h +@@ -91,9 +91,11 @@ int ipc_imem_sys_wwan_transmit(struct iosm_imem *ipc_imem, int if_id, + * MUX. + * @ipc_imem: Pointer to iosm_imem struct. + * @mux_type: Type of mux protocol. ++ * ++ * Return: 0 on success and failure value on error + */ +-void ipc_imem_wwan_channel_init(struct iosm_imem *ipc_imem, +- enum ipc_mux_protocol mux_type); ++int ipc_imem_wwan_channel_init(struct iosm_imem *ipc_imem, ++ enum ipc_mux_protocol mux_type); + + /** + * ipc_imem_sys_devlink_open - Open a Flash/CD Channel link to CP +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-283-net-pcs-xpcs-fix-C73-AN-not-getting-enabled.patch b/patches.kernel.org/6.3.4-283-net-pcs-xpcs-fix-C73-AN-not-getting-enabled.patch new file mode 100644 index 0000000..c0556cc --- /dev/null +++ b/patches.kernel.org/6.3.4-283-net-pcs-xpcs-fix-C73-AN-not-getting-enabled.patch @@ -0,0 +1,47 @@ +From: Vladimir Oltean +Date: Tue, 16 May 2023 18:44:10 +0300 +Subject: [PATCH] net: pcs: xpcs: fix C73 AN not getting enabled +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: c46e78ba9a7a09da4f192dc8df15c4e8a07fb9e0 + +[ Upstream commit c46e78ba9a7a09da4f192dc8df15c4e8a07fb9e0 ] + +The XPCS expects clause 73 (copper backplane) autoneg to follow the +ethtool autoneg bit. It actually did that until the blamed +commit inaptly replaced state->an_enabled (coming from ethtool) with +phylink_autoneg_inband() (coming from the device tree or struct +phylink_config), as part of an unrelated phylink_pcs API conversion. + +Russell King suggests that state->an_enabled from the original code was +just a proxy for the ethtool Autoneg bit, and that the correct way of +restoring the functionality is to check for this bit in the advertising +mask. + +Fixes: 11059740e616 ("net: pcs: xpcs: convert to phylink_pcs_ops") +Link: https://lore.kernel.org/netdev/ZGNt2MFeRolKGFck@shell.armlinux.org.uk/ +Suggested-by: Russell King (Oracle) +Signed-off-by: Vladimir Oltean +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/net/pcs/pcs-xpcs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/pcs/pcs-xpcs.c b/drivers/net/pcs/pcs-xpcs.c +index 04a68535..2b84a466 100644 +--- a/drivers/net/pcs/pcs-xpcs.c ++++ b/drivers/net/pcs/pcs-xpcs.c +@@ -873,7 +873,7 @@ int xpcs_do_config(struct dw_xpcs *xpcs, phy_interface_t interface, + + switch (compat->an_mode) { + case DW_AN_C73: +- if (phylink_autoneg_inband(mode)) { ++ if (test_bit(ETHTOOL_LINK_MODE_Autoneg_BIT, advertising)) { + ret = xpcs_config_aneg_c73(xpcs, compat); + if (ret) + return ret; +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-284-net-selftests-Fix-optstring.patch b/patches.kernel.org/6.3.4-284-net-selftests-Fix-optstring.patch new file mode 100644 index 0000000..71e7f16 --- /dev/null +++ b/patches.kernel.org/6.3.4-284-net-selftests-Fix-optstring.patch @@ -0,0 +1,42 @@ +From: Benjamin Poirier +Date: Tue, 16 May 2023 14:49:24 -0400 +Subject: [PATCH] net: selftests: Fix optstring +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 9ba9485b87ac97fd159abdb4cbd53099bc9f01c6 + +[ Upstream commit 9ba9485b87ac97fd159abdb4cbd53099bc9f01c6 ] + +The cited commit added a stray colon to the 'v' option. That makes the +option work incorrectly. + +ex: +tools/testing/selftests/net# ./fib_nexthops.sh -v +(should enable verbose mode, instead it shows help text due to missing arg) + +Fixes: 5feba4727395 ("selftests: fib_nexthops: Make ping timeout configurable") +Reviewed-by: Ido Schimmel +Signed-off-by: Benjamin Poirier +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + tools/testing/selftests/net/fib_nexthops.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/net/fib_nexthops.sh b/tools/testing/selftests/net/fib_nexthops.sh +index a47b26ab..0f5e88c8 100755 +--- a/tools/testing/selftests/net/fib_nexthops.sh ++++ b/tools/testing/selftests/net/fib_nexthops.sh +@@ -2283,7 +2283,7 @@ EOF + ################################################################################ + # main + +-while getopts :t:pP46hv:w: o ++while getopts :t:pP46hvw: o + do + case $o in + t) TESTS=$OPTARG;; +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-285-netfilter-nf_tables-fix-nft_trans-type-confusio.patch b/patches.kernel.org/6.3.4-285-netfilter-nf_tables-fix-nft_trans-type-confusio.patch new file mode 100644 index 0000000..4fcd957 --- /dev/null +++ b/patches.kernel.org/6.3.4-285-netfilter-nf_tables-fix-nft_trans-type-confusio.patch @@ -0,0 +1,44 @@ +From: Florian Westphal +Date: Thu, 11 May 2023 14:15:15 +0200 +Subject: [PATCH] netfilter: nf_tables: fix nft_trans type confusion +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: e3c361b8acd636f5fe80c02849ca175201edf10c + +[ Upstream commit e3c361b8acd636f5fe80c02849ca175201edf10c ] + +nft_trans_FOO objects all share a common nft_trans base structure, but +trailing fields depend on the real object size. Access is only safe after +trans->msg_type check. + +Check for rule type first. Found by code inspection. + +Fixes: 1a94e38d254b ("netfilter: nf_tables: add NFTA_RULE_ID attribute") +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + net/netfilter/nf_tables_api.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 45f701fd..ef80504c 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -3802,12 +3802,10 @@ static struct nft_rule *nft_rule_lookup_byid(const struct net *net, + struct nft_trans *trans; + + list_for_each_entry(trans, &nft_net->commit_list, list) { +- struct nft_rule *rule = nft_trans_rule(trans); +- + if (trans->msg_type == NFT_MSG_NEWRULE && + trans->ctx.chain == chain && + id == nft_trans_rule_id(trans)) +- return rule; ++ return nft_trans_rule(trans); + } + return ERR_PTR(-ENOENT); + } +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-286-netfilter-nft_set_rbtree-fix-null-deref-on-elem.patch b/patches.kernel.org/6.3.4-286-netfilter-nft_set_rbtree-fix-null-deref-on-elem.patch new file mode 100644 index 0000000..5b01a0e --- /dev/null +++ b/patches.kernel.org/6.3.4-286-netfilter-nft_set_rbtree-fix-null-deref-on-elem.patch @@ -0,0 +1,90 @@ +From: Florian Westphal +Date: Thu, 11 May 2023 22:39:30 +0200 +Subject: [PATCH] netfilter: nft_set_rbtree: fix null deref on element + insertion +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 61ae320a29b0540c16931816299eb86bf2b66c08 + +[ Upstream commit 61ae320a29b0540c16931816299eb86bf2b66c08 ] + +There is no guarantee that rb_prev() will not return NULL in nft_rbtree_gc_elem(): + +general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN +KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f] + nft_add_set_elem+0x14b0/0x2990 + nf_tables_newsetelem+0x528/0xb30 + +Furthermore, there is a possible use-after-free while iterating, +'node' can be free'd so we need to cache the next value to use. + +Fixes: c9e6978e2725 ("netfilter: nft_set_rbtree: Switch to node list walk for overlap detection") +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + net/netfilter/nft_set_rbtree.c | 20 +++++++++++++------- + 1 file changed, 13 insertions(+), 7 deletions(-) + +diff --git a/net/netfilter/nft_set_rbtree.c b/net/netfilter/nft_set_rbtree.c +index 19ea4d3c..2f114aa1 100644 +--- a/net/netfilter/nft_set_rbtree.c ++++ b/net/netfilter/nft_set_rbtree.c +@@ -221,7 +221,7 @@ static int nft_rbtree_gc_elem(const struct nft_set *__set, + { + struct nft_set *set = (struct nft_set *)__set; + struct rb_node *prev = rb_prev(&rbe->node); +- struct nft_rbtree_elem *rbe_prev; ++ struct nft_rbtree_elem *rbe_prev = NULL; + struct nft_set_gc_batch *gcb; + + gcb = nft_set_gc_batch_check(set, NULL, GFP_ATOMIC); +@@ -229,17 +229,21 @@ static int nft_rbtree_gc_elem(const struct nft_set *__set, + return -ENOMEM; + + /* search for expired end interval coming before this element. */ +- do { ++ while (prev) { + rbe_prev = rb_entry(prev, struct nft_rbtree_elem, node); + if (nft_rbtree_interval_end(rbe_prev)) + break; + + prev = rb_prev(prev); +- } while (prev != NULL); ++ } ++ ++ if (rbe_prev) { ++ rb_erase(&rbe_prev->node, &priv->root); ++ atomic_dec(&set->nelems); ++ } + +- rb_erase(&rbe_prev->node, &priv->root); + rb_erase(&rbe->node, &priv->root); +- atomic_sub(2, &set->nelems); ++ atomic_dec(&set->nelems); + + nft_set_gc_batch_add(gcb, rbe); + nft_set_gc_batch_complete(gcb); +@@ -268,7 +272,7 @@ static int __nft_rbtree_insert(const struct net *net, const struct nft_set *set, + struct nft_set_ext **ext) + { + struct nft_rbtree_elem *rbe, *rbe_le = NULL, *rbe_ge = NULL; +- struct rb_node *node, *parent, **p, *first = NULL; ++ struct rb_node *node, *next, *parent, **p, *first = NULL; + struct nft_rbtree *priv = nft_set_priv(set); + u8 genmask = nft_genmask_next(net); + int d, err; +@@ -307,7 +311,9 @@ static int __nft_rbtree_insert(const struct net *net, const struct nft_set *set, + * Values stored in the tree are in reversed order, starting from + * highest to lowest value. + */ +- for (node = first; node != NULL; node = rb_next(node)) { ++ for (node = first; node != NULL; node = next) { ++ next = rb_next(node); ++ + rbe = rb_entry(node, struct nft_rbtree_elem, node); + + if (!nft_set_elem_active(&rbe->ext, genmask)) +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-287-bridge-always-declare-tunnel-functions.patch b/patches.kernel.org/6.3.4-287-bridge-always-declare-tunnel-functions.patch new file mode 100644 index 0000000..250eeeb --- /dev/null +++ b/patches.kernel.org/6.3.4-287-bridge-always-declare-tunnel-functions.patch @@ -0,0 +1,62 @@ +From: Arnd Bergmann +Date: Tue, 16 May 2023 21:45:35 +0200 +Subject: [PATCH] bridge: always declare tunnel functions +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 89dcd87ce534a3a7f267cfd58505803006f51301 + +[ Upstream commit 89dcd87ce534a3a7f267cfd58505803006f51301 ] + +When CONFIG_BRIDGE_VLAN_FILTERING is disabled, two functions are still +defined but have no prototype or caller. This causes a W=1 warning for +the missing prototypes: + +net/bridge/br_netlink_tunnel.c:29:6: error: no previous prototype for 'vlan_tunid_inrange' [-Werror=missing-prototypes] +net/bridge/br_netlink_tunnel.c:199:5: error: no previous prototype for 'br_vlan_tunnel_info' [-Werror=missing-prototypes] + +The functions are already contitional on CONFIG_BRIDGE_VLAN_FILTERING, +and I coulnd't easily figure out the right set of #ifdefs, so just +move the declarations out of the #ifdef to avoid the warning, +at a small cost in code size over a more elaborate fix. + +Fixes: 188c67dd1906 ("net: bridge: vlan options: add support for tunnel id dumping") +Fixes: 569da0822808 ("net: bridge: vlan options: add support for tunnel mapping set/del") +Signed-off-by: Arnd Bergmann +Acked-by: Nikolay Aleksandrov +Link: https://lore.kernel.org/r/20230516194625.549249-3-arnd@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + net/bridge/br_private_tunnel.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/net/bridge/br_private_tunnel.h b/net/bridge/br_private_tunnel.h +index 2b053289..efb09602 100644 +--- a/net/bridge/br_private_tunnel.h ++++ b/net/bridge/br_private_tunnel.h +@@ -27,6 +27,10 @@ int br_process_vlan_tunnel_info(const struct net_bridge *br, + int br_get_vlan_tunnel_info_size(struct net_bridge_vlan_group *vg); + int br_fill_vlan_tunnel_info(struct sk_buff *skb, + struct net_bridge_vlan_group *vg); ++bool vlan_tunid_inrange(const struct net_bridge_vlan *v_curr, ++ const struct net_bridge_vlan *v_last); ++int br_vlan_tunnel_info(const struct net_bridge_port *p, int cmd, ++ u16 vid, u32 tun_id, bool *changed); + + #ifdef CONFIG_BRIDGE_VLAN_FILTERING + /* br_vlan_tunnel.c */ +@@ -43,10 +47,6 @@ void br_handle_ingress_vlan_tunnel(struct sk_buff *skb, + struct net_bridge_vlan_group *vg); + int br_handle_egress_vlan_tunnel(struct sk_buff *skb, + struct net_bridge_vlan *vlan); +-bool vlan_tunid_inrange(const struct net_bridge_vlan *v_curr, +- const struct net_bridge_vlan *v_last); +-int br_vlan_tunnel_info(const struct net_bridge_port *p, int cmd, +- u16 vid, u32 tun_id, bool *changed); + #else + static inline int vlan_tunnel_init(struct net_bridge_vlan_group *vg) + { +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-288-ALSA-usb-audio-Add-a-sample-rate-workaround-for.patch b/patches.kernel.org/6.3.4-288-ALSA-usb-audio-Add-a-sample-rate-workaround-for.patch new file mode 100644 index 0000000..80f8639 --- /dev/null +++ b/patches.kernel.org/6.3.4-288-ALSA-usb-audio-Add-a-sample-rate-workaround-for.patch @@ -0,0 +1,39 @@ +From: Takashi Iwai +Date: Fri, 12 May 2023 09:58:58 +0200 +Subject: [PATCH] ALSA: usb-audio: Add a sample rate workaround for Line6 Pod + Go +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 359b4315471181f108723c61612d96e383e56179 + +commit 359b4315471181f108723c61612d96e383e56179 upstream. + +Line6 Pod Go (0e41:424b) requires the similar workaround for the fixed +48k sample rate like other Line6 models. This patch adds the +corresponding entry to line6_parse_audio_format_rate_quirk(). + +Reported-by: John Humlick +Cc: +Link: https://lore.kernel.org/r/20230512075858.22813-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jiri Slaby +--- + sound/usb/format.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/usb/format.c b/sound/usb/format.c +index 4b1c5ba1..ab5fed9f 100644 +--- a/sound/usb/format.c ++++ b/sound/usb/format.c +@@ -423,6 +423,7 @@ static int line6_parse_audio_format_rates_quirk(struct snd_usb_audio *chip, + case USB_ID(0x0e41, 0x4248): /* Line6 Helix >= fw 2.82 */ + case USB_ID(0x0e41, 0x4249): /* Line6 Helix Rack >= fw 2.82 */ + case USB_ID(0x0e41, 0x424a): /* Line6 Helix LT >= fw 2.82 */ ++ case USB_ID(0x0e41, 0x424b): /* Line6 Pod Go */ + case USB_ID(0x19f7, 0x0011): /* Rode Rodecaster Pro */ + return set_fixed_rate(fp, 48000, SNDRV_PCM_RATE_48000); + } +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-289-USB-usbtmc-Fix-direction-for-0-length-ioctl-con.patch b/patches.kernel.org/6.3.4-289-USB-usbtmc-Fix-direction-for-0-length-ioctl-con.patch new file mode 100644 index 0000000..6e87708 --- /dev/null +++ b/patches.kernel.org/6.3.4-289-USB-usbtmc-Fix-direction-for-0-length-ioctl-con.patch @@ -0,0 +1,71 @@ +From: Alan Stern +Date: Mon, 1 May 2023 14:22:35 -0400 +Subject: [PATCH] USB: usbtmc: Fix direction for 0-length ioctl control + messages +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 94d25e9128988c6a1fc9070f6e98215a95795bd8 + +commit 94d25e9128988c6a1fc9070f6e98215a95795bd8 upstream. + +The syzbot fuzzer found a problem in the usbtmc driver: When a user +submits an ioctl for a 0-length control transfer, the driver does not +check that the direction is set to OUT: + +------------[ cut here ]------------ +usb 3-1: BOGUS control dir, pipe 80000b80 doesn't match bRequestType fd +WARNING: CPU: 0 PID: 5100 at drivers/usb/core/urb.c:411 usb_submit_urb+0x14a7/0x1880 drivers/usb/core/urb.c:411 +Modules linked in: +CPU: 0 PID: 5100 Comm: syz-executor428 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 +RIP: 0010:usb_submit_urb+0x14a7/0x1880 drivers/usb/core/urb.c:411 +Code: 7c 24 40 e8 1b 13 5c fb 48 8b 7c 24 40 e8 21 1d f0 fe 45 89 e8 44 89 f1 4c 89 e2 48 89 c6 48 c7 c7 e0 b5 fc 8a e8 19 c8 23 fb <0f> 0b e9 9f ee ff ff e8 ed 12 5c fb 0f b6 1d 12 8a 3c 08 31 ff 41 +RSP: 0018:ffffc90003d2fb00 EFLAGS: 00010282 +RAX: 0000000000000000 RBX: ffff8880789e9058 RCX: 0000000000000000 +RDX: ffff888029593b80 RSI: ffffffff814c1447 RDI: 0000000000000001 +RBP: ffff88801ea742f8 R08: 0000000000000001 R09: 0000000000000000 +R10: 0000000000000001 R11: 0000000000000001 R12: ffff88802915e528 +R13: 00000000000000fd R14: 0000000080000b80 R15: ffff8880222b3100 +FS: 0000555556ca63c0(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f9ef4d18150 CR3: 0000000073e5b000 CR4: 00000000003506f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + usb_start_wait_urb+0x101/0x4b0 drivers/usb/core/message.c:58 + usb_internal_control_msg drivers/usb/core/message.c:102 [inline] + usb_control_msg+0x320/0x4a0 drivers/usb/core/message.c:153 + usbtmc_ioctl_request drivers/usb/class/usbtmc.c:1954 [inline] + usbtmc_ioctl+0x1b3d/0x2840 drivers/usb/class/usbtmc.c:2097 + +To fix this, we must override the direction in the bRequestType field +of the control request structure when the length is 0. + +Reported-and-tested-by: syzbot+ce77725b89b7bd52425c@syzkaller.appspotmail.com +Signed-off-by: Alan Stern +Link: https://lore.kernel.org/linux-usb/000000000000716a3705f9adb8ee@google.com/ +CC: +Link: https://lore.kernel.org/r/ede1ee02-b718-49e7-a44c-51339fec706b@rowland.harvard.edu +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jiri Slaby +--- + drivers/usb/class/usbtmc.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/usb/class/usbtmc.c b/drivers/usb/class/usbtmc.c +index 4bb6d304..311007b1 100644 +--- a/drivers/usb/class/usbtmc.c ++++ b/drivers/usb/class/usbtmc.c +@@ -1928,6 +1928,8 @@ static int usbtmc_ioctl_request(struct usbtmc_device_data *data, + + if (request.req.wLength > USBTMC_BUFSIZE) + return -EMSGSIZE; ++ if (request.req.wLength == 0) /* Length-0 requests are never IN */ ++ request.req.bRequestType &= ~USB_DIR_IN; + + is_in = request.req.bRequestType & USB_DIR_IN; + +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-290-usb-storage-fix-deadlock-when-a-scsi-command-ti.patch b/patches.kernel.org/6.3.4-290-usb-storage-fix-deadlock-when-a-scsi-command-ti.patch new file mode 100644 index 0000000..fd2616c --- /dev/null +++ b/patches.kernel.org/6.3.4-290-usb-storage-fix-deadlock-when-a-scsi-command-ti.patch @@ -0,0 +1,115 @@ +From: Maxime Bizon +Date: Fri, 5 May 2023 13:47:59 +0200 +Subject: [PATCH] usb-storage: fix deadlock when a scsi command timeouts more + than once +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: a398d5eac6984316e71474e25b975688f282379b + +commit a398d5eac6984316e71474e25b975688f282379b upstream. + +With faulty usb-storage devices, read/write can timeout, in that case +the SCSI layer will abort and re-issue the command. USB storage has no +internal timeout, it relies on SCSI layer aborting commands via +.eh_abort_handler() for non those responsive devices. + +After two consecutive timeouts of the same command, SCSI layer calls +.eh_device_reset_handler(), without calling .eh_abort_handler() first. + +With usb-storage, this causes a deadlock: + + -> .eh_device_reset_handler + -> device_reset + -> mutex_lock(&(us->dev_mutex)); + +mutex already by usb_stor_control_thread(), which is waiting for +command completion: + + -> usb_stor_control_thread (mutex taken here) + -> usb_stor_invoke_transport + -> usb_stor_Bulk_transport + -> usb_stor_bulk_srb + -> usb_stor_bulk_transfer_sglist + -> usb_sg_wait + +Make sure we cancel any pending command in .eh_device_reset_handler() +to avoid this. + +Signed-off-by: Maxime Bizon +Cc: linux-usb@vger.kernel.org +Cc: stable +Link: https://lore.kernel.org/all/ZEllnjMKT8ulZbJh@sakura/ +Reviewed-by: Alan Stern +Acked-by: Alan Stern +Link: https://lore.kernel.org/r/20230505114759.1189741-1-mbizon@freebox.fr +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jiri Slaby +--- + drivers/usb/storage/scsiglue.c | 28 +++++++++++++++++++++------- + 1 file changed, 21 insertions(+), 7 deletions(-) + +diff --git a/drivers/usb/storage/scsiglue.c b/drivers/usb/storage/scsiglue.c +index 8931df5a..c54e9805 100644 +--- a/drivers/usb/storage/scsiglue.c ++++ b/drivers/usb/storage/scsiglue.c +@@ -406,22 +406,25 @@ static DEF_SCSI_QCMD(queuecommand) + ***********************************************************************/ + + /* Command timeout and abort */ +-static int command_abort(struct scsi_cmnd *srb) ++static int command_abort_matching(struct us_data *us, struct scsi_cmnd *srb_match) + { +- struct us_data *us = host_to_us(srb->device->host); +- +- usb_stor_dbg(us, "%s called\n", __func__); +- + /* + * us->srb together with the TIMED_OUT, RESETTING, and ABORTING + * bits are protected by the host lock. + */ + scsi_lock(us_to_host(us)); + +- /* Is this command still active? */ +- if (us->srb != srb) { ++ /* is there any active pending command to abort ? */ ++ if (!us->srb) { + scsi_unlock(us_to_host(us)); + usb_stor_dbg(us, "-- nothing to abort\n"); ++ return SUCCESS; ++ } ++ ++ /* Does the command match the passed srb if any ? */ ++ if (srb_match && us->srb != srb_match) { ++ scsi_unlock(us_to_host(us)); ++ usb_stor_dbg(us, "-- pending command mismatch\n"); + return FAILED; + } + +@@ -444,6 +447,14 @@ static int command_abort(struct scsi_cmnd *srb) + return SUCCESS; + } + ++static int command_abort(struct scsi_cmnd *srb) ++{ ++ struct us_data *us = host_to_us(srb->device->host); ++ ++ usb_stor_dbg(us, "%s called\n", __func__); ++ return command_abort_matching(us, srb); ++} ++ + /* + * This invokes the transport reset mechanism to reset the state of the + * device +@@ -455,6 +466,9 @@ static int device_reset(struct scsi_cmnd *srb) + + usb_stor_dbg(us, "%s called\n", __func__); + ++ /* abort any pending command before reset */ ++ command_abort_matching(us, NULL); ++ + /* lock the device pointers and do the reset */ + mutex_lock(&(us->dev_mutex)); + result = us->transport_reset(us); +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-291-USB-UHCI-adjust-zhaoxin-UHCI-controllers-OverCu.patch b/patches.kernel.org/6.3.4-291-USB-UHCI-adjust-zhaoxin-UHCI-controllers-OverCu.patch new file mode 100644 index 0000000..acdfb05 --- /dev/null +++ b/patches.kernel.org/6.3.4-291-USB-UHCI-adjust-zhaoxin-UHCI-controllers-OverCu.patch @@ -0,0 +1,51 @@ +From: Weitao Wang +Date: Sun, 23 Apr 2023 18:59:52 +0800 +Subject: [PATCH] USB: UHCI: adjust zhaoxin UHCI controllers OverCurrent bit + value +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: dddb342b5b9e482bb213aecc08cbdb201ea4f8da + +commit dddb342b5b9e482bb213aecc08cbdb201ea4f8da upstream. + +OverCurrent condition is not standardized in the UHCI spec. +Zhaoxin UHCI controllers report OverCurrent bit active off. +In order to handle OverCurrent condition correctly, the uhci-hcd +driver needs to be told to expect the active-off behavior. + +Suggested-by: Alan Stern +Cc: stable@vger.kernel.org +Signed-off-by: Weitao Wang +Acked-by: Alan Stern +Link: https://lore.kernel.org/r/20230423105952.4526-1-WeitaoWang-oc@zhaoxin.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jiri Slaby +--- + drivers/usb/host/uhci-pci.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/usb/host/uhci-pci.c b/drivers/usb/host/uhci-pci.c +index 3592f757..7bd2fddd 100644 +--- a/drivers/usb/host/uhci-pci.c ++++ b/drivers/usb/host/uhci-pci.c +@@ -119,11 +119,13 @@ static int uhci_pci_init(struct usb_hcd *hcd) + + uhci->rh_numports = uhci_count_ports(hcd); + +- /* Intel controllers report the OverCurrent bit active on. +- * VIA controllers report it active off, so we'll adjust the +- * bit value. (It's not standardized in the UHCI spec.) ++ /* ++ * Intel controllers report the OverCurrent bit active on. VIA ++ * and ZHAOXIN controllers report it active off, so we'll adjust ++ * the bit value. (It's not standardized in the UHCI spec.) + */ +- if (to_pci_dev(uhci_dev(uhci))->vendor == PCI_VENDOR_ID_VIA) ++ if (to_pci_dev(uhci_dev(uhci))->vendor == PCI_VENDOR_ID_VIA || ++ to_pci_dev(uhci_dev(uhci))->vendor == PCI_VENDOR_ID_ZHAOXIN) + uhci->oc_low = 1; + + /* HP's server management chip requires a longer port reset delay. */ +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-292-usb-dwc3-gadget-Improve-dwc3_gadget_suspend-and.patch b/patches.kernel.org/6.3.4-292-usb-dwc3-gadget-Improve-dwc3_gadget_suspend-and.patch new file mode 100644 index 0000000..59398d6 --- /dev/null +++ b/patches.kernel.org/6.3.4-292-usb-dwc3-gadget-Improve-dwc3_gadget_suspend-and.patch @@ -0,0 +1,144 @@ +From: Roger Quadros +Date: Wed, 3 May 2023 14:00:48 +0300 +Subject: [PATCH] usb: dwc3: gadget: Improve dwc3_gadget_suspend() and + dwc3_gadget_resume() +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: c8540870af4ce6ddeb27a7bb5498b75fb29b643c + +commit c8540870af4ce6ddeb27a7bb5498b75fb29b643c upstream. + +Prevent -ETIMEDOUT error on .suspend(). +e.g. If gadget driver is loaded and we are connected to a USB host, +all transfers must be stopped before stopping the controller else +we will not get a clean stop i.e. dwc3_gadget_run_stop() will take +several seconds to complete and will return -ETIMEDOUT. + +Handle error cases properly in dwc3_gadget_suspend(). +Simplify dwc3_gadget_resume() by using the introduced helper function. + +Fixes: 9f8a67b65a49 ("usb: dwc3: gadget: fix gadget suspend/resume") +Cc: stable@vger.kernel.org +Suggested-by: Thinh Nguyen +Signed-off-by: Roger Quadros +Acked-by: Thinh Nguyen +Link: https://lore.kernel.org/r/20230503110048.30617-1-rogerq@kernel.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jiri Slaby +--- + drivers/usb/dwc3/gadget.c | 67 ++++++++++++++++++++------------------- + 1 file changed, 34 insertions(+), 33 deletions(-) + +diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c +index e6370093..80ae3084 100644 +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -2597,6 +2597,21 @@ static int dwc3_gadget_soft_disconnect(struct dwc3 *dwc) + return ret; + } + ++static int dwc3_gadget_soft_connect(struct dwc3 *dwc) ++{ ++ /* ++ * In the Synopsys DWC_usb31 1.90a programming guide section ++ * 4.1.9, it specifies that for a reconnect after a ++ * device-initiated disconnect requires a core soft reset ++ * (DCTL.CSftRst) before enabling the run/stop bit. ++ */ ++ dwc3_core_soft_reset(dwc); ++ ++ dwc3_event_buffers_setup(dwc); ++ __dwc3_gadget_start(dwc); ++ return dwc3_gadget_run_stop(dwc, true); ++} ++ + static int dwc3_gadget_pullup(struct usb_gadget *g, int is_on) + { + struct dwc3 *dwc = gadget_to_dwc(g); +@@ -2635,21 +2650,10 @@ static int dwc3_gadget_pullup(struct usb_gadget *g, int is_on) + + synchronize_irq(dwc->irq_gadget); + +- if (!is_on) { ++ if (!is_on) + ret = dwc3_gadget_soft_disconnect(dwc); +- } else { +- /* +- * In the Synopsys DWC_usb31 1.90a programming guide section +- * 4.1.9, it specifies that for a reconnect after a +- * device-initiated disconnect requires a core soft reset +- * (DCTL.CSftRst) before enabling the run/stop bit. +- */ +- dwc3_core_soft_reset(dwc); +- +- dwc3_event_buffers_setup(dwc); +- __dwc3_gadget_start(dwc); +- ret = dwc3_gadget_run_stop(dwc, true); +- } ++ else ++ ret = dwc3_gadget_soft_connect(dwc); + + pm_runtime_put(dwc->dev); + +@@ -4565,42 +4569,39 @@ void dwc3_gadget_exit(struct dwc3 *dwc) + int dwc3_gadget_suspend(struct dwc3 *dwc) + { + unsigned long flags; ++ int ret; + + if (!dwc->gadget_driver) + return 0; + +- dwc3_gadget_run_stop(dwc, false); ++ ret = dwc3_gadget_soft_disconnect(dwc); ++ if (ret) ++ goto err; + + spin_lock_irqsave(&dwc->lock, flags); + dwc3_disconnect_gadget(dwc); +- __dwc3_gadget_stop(dwc); + spin_unlock_irqrestore(&dwc->lock, flags); + + return 0; ++ ++err: ++ /* ++ * Attempt to reset the controller's state. Likely no ++ * communication can be established until the host ++ * performs a port reset. ++ */ ++ if (dwc->softconnect) ++ dwc3_gadget_soft_connect(dwc); ++ ++ return ret; + } + + int dwc3_gadget_resume(struct dwc3 *dwc) + { +- int ret; +- + if (!dwc->gadget_driver || !dwc->softconnect) + return 0; + +- ret = __dwc3_gadget_start(dwc); +- if (ret < 0) +- goto err0; +- +- ret = dwc3_gadget_run_stop(dwc, true); +- if (ret < 0) +- goto err1; +- +- return 0; +- +-err1: +- __dwc3_gadget_stop(dwc); +- +-err0: +- return ret; ++ return dwc3_gadget_soft_connect(dwc); + } + + void dwc3_gadget_process_pending_events(struct dwc3 *dwc) +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-293-usb-dwc3-debugfs-Resume-dwc3-before-accessing-r.patch b/patches.kernel.org/6.3.4-293-usb-dwc3-debugfs-Resume-dwc3-before-accessing-r.patch new file mode 100644 index 0000000..2e217b7 --- /dev/null +++ b/patches.kernel.org/6.3.4-293-usb-dwc3-debugfs-Resume-dwc3-before-accessing-r.patch @@ -0,0 +1,385 @@ +From: Udipto Goswami +Date: Tue, 9 May 2023 20:18:36 +0530 +Subject: [PATCH] usb: dwc3: debugfs: Resume dwc3 before accessing registers +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 614ce6a2ea50068b45339257891e51e639ac9001 + +commit 614ce6a2ea50068b45339257891e51e639ac9001 upstream. + +When the dwc3 device is runtime suspended, various required clocks are in +disabled state and it is not guaranteed that access to any registers would +work. Depending on the SoC glue, a register read could be as benign as +returning 0 or be fatal enough to hang the system. + +In order to prevent such scenarios of fatal errors, make sure to resume +dwc3 then allow the function to proceed. + +Fixes: 72246da40f37 ("usb: Introduce DesignWare USB3 DRD Driver") +Cc: stable@vger.kernel.org #3.2: 30332eeefec8: debugfs: regset32: Add Runtime PM support +Signed-off-by: Udipto Goswami +Reviewed-by: Johan Hovold +Tested-by: Johan Hovold +Acked-by: Thinh Nguyen +Link: https://lore.kernel.org/r/20230509144836.6803-1-quic_ugoswami@quicinc.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jiri Slaby +--- + drivers/usb/dwc3/debugfs.c | 109 +++++++++++++++++++++++++++++++++++++ + 1 file changed, 109 insertions(+) + +diff --git a/drivers/usb/dwc3/debugfs.c b/drivers/usb/dwc3/debugfs.c +index 850df0e6..f0ffd2e5 100644 +--- a/drivers/usb/dwc3/debugfs.c ++++ b/drivers/usb/dwc3/debugfs.c +@@ -327,6 +327,11 @@ static int dwc3_lsp_show(struct seq_file *s, void *unused) + unsigned int current_mode; + unsigned long flags; + u32 reg; ++ int ret; ++ ++ ret = pm_runtime_resume_and_get(dwc->dev); ++ if (ret < 0) ++ return ret; + + spin_lock_irqsave(&dwc->lock, flags); + reg = dwc3_readl(dwc->regs, DWC3_GSTS); +@@ -345,6 +350,8 @@ static int dwc3_lsp_show(struct seq_file *s, void *unused) + } + spin_unlock_irqrestore(&dwc->lock, flags); + ++ pm_runtime_put_sync(dwc->dev); ++ + return 0; + } + +@@ -390,6 +397,11 @@ static int dwc3_mode_show(struct seq_file *s, void *unused) + struct dwc3 *dwc = s->private; + unsigned long flags; + u32 reg; ++ int ret; ++ ++ ret = pm_runtime_resume_and_get(dwc->dev); ++ if (ret < 0) ++ return ret; + + spin_lock_irqsave(&dwc->lock, flags); + reg = dwc3_readl(dwc->regs, DWC3_GCTL); +@@ -409,6 +421,8 @@ static int dwc3_mode_show(struct seq_file *s, void *unused) + seq_printf(s, "UNKNOWN %08x\n", DWC3_GCTL_PRTCAP(reg)); + } + ++ pm_runtime_put_sync(dwc->dev); ++ + return 0; + } + +@@ -458,6 +472,11 @@ static int dwc3_testmode_show(struct seq_file *s, void *unused) + struct dwc3 *dwc = s->private; + unsigned long flags; + u32 reg; ++ int ret; ++ ++ ret = pm_runtime_resume_and_get(dwc->dev); ++ if (ret < 0) ++ return ret; + + spin_lock_irqsave(&dwc->lock, flags); + reg = dwc3_readl(dwc->regs, DWC3_DCTL); +@@ -488,6 +507,8 @@ static int dwc3_testmode_show(struct seq_file *s, void *unused) + seq_printf(s, "UNKNOWN %d\n", reg); + } + ++ pm_runtime_put_sync(dwc->dev); ++ + return 0; + } + +@@ -504,6 +525,7 @@ static ssize_t dwc3_testmode_write(struct file *file, + unsigned long flags; + u32 testmode = 0; + char buf[32]; ++ int ret; + + if (copy_from_user(&buf, ubuf, min_t(size_t, sizeof(buf) - 1, count))) + return -EFAULT; +@@ -521,10 +543,16 @@ static ssize_t dwc3_testmode_write(struct file *file, + else + testmode = 0; + ++ ret = pm_runtime_resume_and_get(dwc->dev); ++ if (ret < 0) ++ return ret; ++ + spin_lock_irqsave(&dwc->lock, flags); + dwc3_gadget_set_test_mode(dwc, testmode); + spin_unlock_irqrestore(&dwc->lock, flags); + ++ pm_runtime_put_sync(dwc->dev); ++ + return count; + } + +@@ -543,12 +571,18 @@ static int dwc3_link_state_show(struct seq_file *s, void *unused) + enum dwc3_link_state state; + u32 reg; + u8 speed; ++ int ret; ++ ++ ret = pm_runtime_resume_and_get(dwc->dev); ++ if (ret < 0) ++ return ret; + + spin_lock_irqsave(&dwc->lock, flags); + reg = dwc3_readl(dwc->regs, DWC3_GSTS); + if (DWC3_GSTS_CURMOD(reg) != DWC3_GSTS_CURMOD_DEVICE) { + seq_puts(s, "Not available\n"); + spin_unlock_irqrestore(&dwc->lock, flags); ++ pm_runtime_put_sync(dwc->dev); + return 0; + } + +@@ -561,6 +595,8 @@ static int dwc3_link_state_show(struct seq_file *s, void *unused) + dwc3_gadget_hs_link_string(state)); + spin_unlock_irqrestore(&dwc->lock, flags); + ++ pm_runtime_put_sync(dwc->dev); ++ + return 0; + } + +@@ -579,6 +615,7 @@ static ssize_t dwc3_link_state_write(struct file *file, + char buf[32]; + u32 reg; + u8 speed; ++ int ret; + + if (copy_from_user(&buf, ubuf, min_t(size_t, sizeof(buf) - 1, count))) + return -EFAULT; +@@ -598,10 +635,15 @@ static ssize_t dwc3_link_state_write(struct file *file, + else + return -EINVAL; + ++ ret = pm_runtime_resume_and_get(dwc->dev); ++ if (ret < 0) ++ return ret; ++ + spin_lock_irqsave(&dwc->lock, flags); + reg = dwc3_readl(dwc->regs, DWC3_GSTS); + if (DWC3_GSTS_CURMOD(reg) != DWC3_GSTS_CURMOD_DEVICE) { + spin_unlock_irqrestore(&dwc->lock, flags); ++ pm_runtime_put_sync(dwc->dev); + return -EINVAL; + } + +@@ -611,12 +653,15 @@ static ssize_t dwc3_link_state_write(struct file *file, + if (speed < DWC3_DSTS_SUPERSPEED && + state != DWC3_LINK_STATE_RECOV) { + spin_unlock_irqrestore(&dwc->lock, flags); ++ pm_runtime_put_sync(dwc->dev); + return -EINVAL; + } + + dwc3_gadget_set_link_state(dwc, state); + spin_unlock_irqrestore(&dwc->lock, flags); + ++ pm_runtime_put_sync(dwc->dev); ++ + return count; + } + +@@ -640,6 +685,11 @@ static int dwc3_tx_fifo_size_show(struct seq_file *s, void *unused) + unsigned long flags; + u32 mdwidth; + u32 val; ++ int ret; ++ ++ ret = pm_runtime_resume_and_get(dwc->dev); ++ if (ret < 0) ++ return ret; + + spin_lock_irqsave(&dwc->lock, flags); + val = dwc3_core_fifo_space(dep, DWC3_TXFIFO); +@@ -652,6 +702,8 @@ static int dwc3_tx_fifo_size_show(struct seq_file *s, void *unused) + seq_printf(s, "%u\n", val); + spin_unlock_irqrestore(&dwc->lock, flags); + ++ pm_runtime_put_sync(dwc->dev); ++ + return 0; + } + +@@ -662,6 +714,11 @@ static int dwc3_rx_fifo_size_show(struct seq_file *s, void *unused) + unsigned long flags; + u32 mdwidth; + u32 val; ++ int ret; ++ ++ ret = pm_runtime_resume_and_get(dwc->dev); ++ if (ret < 0) ++ return ret; + + spin_lock_irqsave(&dwc->lock, flags); + val = dwc3_core_fifo_space(dep, DWC3_RXFIFO); +@@ -674,6 +731,8 @@ static int dwc3_rx_fifo_size_show(struct seq_file *s, void *unused) + seq_printf(s, "%u\n", val); + spin_unlock_irqrestore(&dwc->lock, flags); + ++ pm_runtime_put_sync(dwc->dev); ++ + return 0; + } + +@@ -683,12 +742,19 @@ static int dwc3_tx_request_queue_show(struct seq_file *s, void *unused) + struct dwc3 *dwc = dep->dwc; + unsigned long flags; + u32 val; ++ int ret; ++ ++ ret = pm_runtime_resume_and_get(dwc->dev); ++ if (ret < 0) ++ return ret; + + spin_lock_irqsave(&dwc->lock, flags); + val = dwc3_core_fifo_space(dep, DWC3_TXREQQ); + seq_printf(s, "%u\n", val); + spin_unlock_irqrestore(&dwc->lock, flags); + ++ pm_runtime_put_sync(dwc->dev); ++ + return 0; + } + +@@ -698,12 +764,19 @@ static int dwc3_rx_request_queue_show(struct seq_file *s, void *unused) + struct dwc3 *dwc = dep->dwc; + unsigned long flags; + u32 val; ++ int ret; ++ ++ ret = pm_runtime_resume_and_get(dwc->dev); ++ if (ret < 0) ++ return ret; + + spin_lock_irqsave(&dwc->lock, flags); + val = dwc3_core_fifo_space(dep, DWC3_RXREQQ); + seq_printf(s, "%u\n", val); + spin_unlock_irqrestore(&dwc->lock, flags); + ++ pm_runtime_put_sync(dwc->dev); ++ + return 0; + } + +@@ -713,12 +786,19 @@ static int dwc3_rx_info_queue_show(struct seq_file *s, void *unused) + struct dwc3 *dwc = dep->dwc; + unsigned long flags; + u32 val; ++ int ret; ++ ++ ret = pm_runtime_resume_and_get(dwc->dev); ++ if (ret < 0) ++ return ret; + + spin_lock_irqsave(&dwc->lock, flags); + val = dwc3_core_fifo_space(dep, DWC3_RXINFOQ); + seq_printf(s, "%u\n", val); + spin_unlock_irqrestore(&dwc->lock, flags); + ++ pm_runtime_put_sync(dwc->dev); ++ + return 0; + } + +@@ -728,12 +808,19 @@ static int dwc3_descriptor_fetch_queue_show(struct seq_file *s, void *unused) + struct dwc3 *dwc = dep->dwc; + unsigned long flags; + u32 val; ++ int ret; ++ ++ ret = pm_runtime_resume_and_get(dwc->dev); ++ if (ret < 0) ++ return ret; + + spin_lock_irqsave(&dwc->lock, flags); + val = dwc3_core_fifo_space(dep, DWC3_DESCFETCHQ); + seq_printf(s, "%u\n", val); + spin_unlock_irqrestore(&dwc->lock, flags); + ++ pm_runtime_put_sync(dwc->dev); ++ + return 0; + } + +@@ -743,12 +830,19 @@ static int dwc3_event_queue_show(struct seq_file *s, void *unused) + struct dwc3 *dwc = dep->dwc; + unsigned long flags; + u32 val; ++ int ret; ++ ++ ret = pm_runtime_resume_and_get(dwc->dev); ++ if (ret < 0) ++ return ret; + + spin_lock_irqsave(&dwc->lock, flags); + val = dwc3_core_fifo_space(dep, DWC3_EVENTQ); + seq_printf(s, "%u\n", val); + spin_unlock_irqrestore(&dwc->lock, flags); + ++ pm_runtime_put_sync(dwc->dev); ++ + return 0; + } + +@@ -793,6 +887,11 @@ static int dwc3_trb_ring_show(struct seq_file *s, void *unused) + struct dwc3 *dwc = dep->dwc; + unsigned long flags; + int i; ++ int ret; ++ ++ ret = pm_runtime_resume_and_get(dwc->dev); ++ if (ret < 0) ++ return ret; + + spin_lock_irqsave(&dwc->lock, flags); + if (dep->number <= 1) { +@@ -822,6 +921,8 @@ static int dwc3_trb_ring_show(struct seq_file *s, void *unused) + out: + spin_unlock_irqrestore(&dwc->lock, flags); + ++ pm_runtime_put_sync(dwc->dev); ++ + return 0; + } + +@@ -834,6 +935,11 @@ static int dwc3_ep_info_register_show(struct seq_file *s, void *unused) + u32 lower_32_bits; + u32 upper_32_bits; + u32 reg; ++ int ret; ++ ++ ret = pm_runtime_resume_and_get(dwc->dev); ++ if (ret < 0) ++ return ret; + + spin_lock_irqsave(&dwc->lock, flags); + reg = DWC3_GDBGLSPMUX_EPSELECT(dep->number); +@@ -846,6 +952,8 @@ static int dwc3_ep_info_register_show(struct seq_file *s, void *unused) + seq_printf(s, "0x%016llx\n", ep_info); + spin_unlock_irqrestore(&dwc->lock, flags); + ++ pm_runtime_put_sync(dwc->dev); ++ + return 0; + } + +@@ -905,6 +1013,7 @@ void dwc3_debugfs_init(struct dwc3 *dwc) + dwc->regset->regs = dwc3_regs; + dwc->regset->nregs = ARRAY_SIZE(dwc3_regs); + dwc->regset->base = dwc->regs - DWC3_GLOBALS_REGS_START; ++ dwc->regset->dev = dwc->dev; + + root = debugfs_create_dir(dev_name(dwc->dev), usb_debug_root); + dwc->debug_root = root; +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-294-usb-gadget-u_ether-Fix-host-MAC-address-case.patch b/patches.kernel.org/6.3.4-294-usb-gadget-u_ether-Fix-host-MAC-address-case.patch new file mode 100644 index 0000000..a610232 --- /dev/null +++ b/patches.kernel.org/6.3.4-294-usb-gadget-u_ether-Fix-host-MAC-address-case.patch @@ -0,0 +1,64 @@ +From: =?UTF-8?q?Konrad=20Gr=C3=A4fe?= +Date: Fri, 5 May 2023 16:36:40 +0200 +Subject: [PATCH] usb: gadget: u_ether: Fix host MAC address case +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 3c0f4f09c063e143822393d99cb2b19a85451c07 + +commit 3c0f4f09c063e143822393d99cb2b19a85451c07 upstream. + +The CDC-ECM specification [1] requires to send the host MAC address as +an uppercase hexadecimal string in chapter "5.4 Ethernet Networking +Functional Descriptor": + The Unicode character is chosen from the set of values 30h through + 39h and 41h through 46h (0-9 and A-F). + +However, snprintf(.., "%pm", ..) generates a lowercase MAC address +string. While most host drivers are tolerant to this, UsbNcm.sys on +Windows 10 is not. Instead it uses a different MAC address with all +bytes set to zero including and after the first byte containing a +lowercase letter. On Windows 11 Microsoft fixed it, but apparently they +did not backport the fix. + +This change fixes the issue by upper-casing the MAC to comply with the +specification. + +[1]: https://www.usb.org/document-library/class-definitions-communication-devices-12, file ECM120.pdf + +Fixes: bcd4a1c40bee ("usb: gadget: u_ether: construct with default values and add setters/getters") +Cc: stable@vger.kernel.org +Signed-off-by: Konrad Gräfe +Link: https://lore.kernel.org/r/20230505143640.443014-1-k.graefe@gateware.de +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jiri Slaby +--- + drivers/usb/gadget/function/u_ether.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/usb/gadget/function/u_ether.c b/drivers/usb/gadget/function/u_ether.c +index f259975d..d67d071c 100644 +--- a/drivers/usb/gadget/function/u_ether.c ++++ b/drivers/usb/gadget/function/u_ether.c +@@ -17,6 +17,7 @@ + #include + #include + #include ++#include + #include + + #include "u_ether.h" +@@ -942,6 +943,8 @@ int gether_get_host_addr_cdc(struct net_device *net, char *host_addr, int len) + dev = netdev_priv(net); + snprintf(host_addr, len, "%pm", dev->host_mac); + ++ string_upper(host_addr, host_addr); ++ + return strlen(host_addr); + } + EXPORT_SYMBOL_GPL(gether_get_host_addr_cdc); +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-295-usb-typec-altmodes-displayport-fix-pin_assignme.patch b/patches.kernel.org/6.3.4-295-usb-typec-altmodes-displayport-fix-pin_assignme.patch new file mode 100644 index 0000000..34f471e --- /dev/null +++ b/patches.kernel.org/6.3.4-295-usb-typec-altmodes-displayport-fix-pin_assignme.patch @@ -0,0 +1,59 @@ +From: Badhri Jagan Sridharan +Date: Mon, 8 May 2023 21:44:43 +0000 +Subject: [PATCH] usb: typec: altmodes/displayport: fix pin_assignment_show +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: d8f28269dd4bf9b55c3fb376ae31512730a96fce + +commit d8f28269dd4bf9b55c3fb376ae31512730a96fce upstream. + +This patch fixes negative indexing of buf array in pin_assignment_show +when get_current_pin_assignments returns 0 i.e. no compatible pin +assignments are found. + +BUG: KASAN: use-after-free in pin_assignment_show+0x26c/0x33c +... +Call trace: +dump_backtrace+0x110/0x204 +dump_stack_lvl+0x84/0xbc +print_report+0x358/0x974 +kasan_report+0x9c/0xfc +__do_kernel_fault+0xd4/0x2d4 +do_bad_area+0x48/0x168 +do_tag_check_fault+0x24/0x38 +do_mem_abort+0x6c/0x14c +el1_abort+0x44/0x68 +el1h_64_sync_handler+0x64/0xa4 +el1h_64_sync+0x78/0x7c +pin_assignment_show+0x26c/0x33c +dev_attr_show+0x50/0xc0 + +Fixes: 0e3bb7d6894d ("usb: typec: Add driver for DisplayPort alternate mode") +Cc: stable@vger.kernel.org +Signed-off-by: Badhri Jagan Sridharan +Reviewed-by: Heikki Krogerus +Link: https://lore.kernel.org/r/20230508214443.893436-1-badhri@google.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jiri Slaby +--- + drivers/usb/typec/altmodes/displayport.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/usb/typec/altmodes/displayport.c b/drivers/usb/typec/altmodes/displayport.c +index 8f3e8842..66de880b 100644 +--- a/drivers/usb/typec/altmodes/displayport.c ++++ b/drivers/usb/typec/altmodes/displayport.c +@@ -516,6 +516,10 @@ static ssize_t pin_assignment_show(struct device *dev, + + mutex_unlock(&dp->lock); + ++ /* get_current_pin_assignments can return 0 when no matching pin assignments are found */ ++ if (len == 0) ++ len++; ++ + buf[len - 1] = '\n'; + return len; + } +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-296-Revert-usb-gadget-udc-core-Prevent-redundant-ca.patch b/patches.kernel.org/6.3.4-296-Revert-usb-gadget-udc-core-Prevent-redundant-ca.patch new file mode 100644 index 0000000..193d450 --- /dev/null +++ b/patches.kernel.org/6.3.4-296-Revert-usb-gadget-udc-core-Prevent-redundant-ca.patch @@ -0,0 +1,45 @@ +From: Francesco Dolcini +Date: Fri, 12 May 2023 15:14:34 +0200 +Subject: [PATCH] Revert "usb: gadget: udc: core: Prevent redundant calls to + pullup" +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 5e1617210aede9f1b91bb9819c93097b6da481f9 + +commit 5e1617210aede9f1b91bb9819c93097b6da481f9 upstream. + +This reverts commit a3afbf5cc887fc3401f012fe629810998ed61859. + +This depends on commit 0db213ea8eed ("usb: gadget: udc: core: Invoke +usb_gadget_connect only when started") that introduces a regression, +revert it till the issue is fixed. + +Cc: stable@vger.kernel.org +Reported-by: Stephan Gerhold +Reported-by: Francesco Dolcini +Link: https://lore.kernel.org/all/ZF4BvgsOyoKxdPFF@francesco-nb.int.toradex.com/ +Signed-off-by: Francesco Dolcini +Link: https://lore.kernel.org/r/20230512131435.205464-2-francesco@dolcini.it +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jiri Slaby +--- + drivers/usb/gadget/udc/core.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/drivers/usb/gadget/udc/core.c b/drivers/usb/gadget/udc/core.c +index b14cbd0a..ebb2b839 100644 +--- a/drivers/usb/gadget/udc/core.c ++++ b/drivers/usb/gadget/udc/core.c +@@ -676,9 +676,6 @@ static int usb_gadget_connect_locked(struct usb_gadget *gadget) + goto out; + } + +- if (gadget->connected) +- goto out; +- + if (gadget->deactivated || !gadget->udc->started) { + /* + * If gadget is deactivated we only save new state. +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-297-Revert-usb-gadget-udc-core-Invoke-usb_gadget_co.patch b/patches.kernel.org/6.3.4-297-Revert-usb-gadget-udc-core-Invoke-usb_gadget_co.patch new file mode 100644 index 0000000..2b0f432 --- /dev/null +++ b/patches.kernel.org/6.3.4-297-Revert-usb-gadget-udc-core-Invoke-usb_gadget_co.patch @@ -0,0 +1,358 @@ +From: Francesco Dolcini +Date: Fri, 12 May 2023 15:14:35 +0200 +Subject: [PATCH] Revert "usb: gadget: udc: core: Invoke usb_gadget_connect + only when started" +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: f22e9b67f19ccc73de1ae04375d4b30684e261f8 + +commit f22e9b67f19ccc73de1ae04375d4b30684e261f8 upstream. + +This reverts commit 0db213ea8eed5534a5169e807f28103cbc9d23df. + +It introduces an issues with configuring the USB gadget hangs forever +on multiple Qualcomm and NXP i.MX SoC at least. + +Cc: stable@vger.kernel.org +Fixes: 0db213ea8eed ("usb: gadget: udc: core: Invoke usb_gadget_connect only when started") +Reported-by: Stephan Gerhold +Reported-by: Francesco Dolcini +Link: https://lore.kernel.org/all/ZF4BvgsOyoKxdPFF@francesco-nb.int.toradex.com/ +Signed-off-by: Francesco Dolcini +Link: https://lore.kernel.org/r/20230512131435.205464-3-francesco@dolcini.it +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jiri Slaby +--- + drivers/usb/gadget/udc/core.c | 148 ++++++++++------------------------ + 1 file changed, 44 insertions(+), 104 deletions(-) + +diff --git a/drivers/usb/gadget/udc/core.c b/drivers/usb/gadget/udc/core.c +index ebb2b839..23b0629a 100644 +--- a/drivers/usb/gadget/udc/core.c ++++ b/drivers/usb/gadget/udc/core.c +@@ -37,10 +37,6 @@ static struct bus_type gadget_bus_type; + * @vbus: for udcs who care about vbus status, this value is real vbus status; + * for udcs who do not care about vbus status, this value is always true + * @started: the UDC's started state. True if the UDC had started. +- * @connect_lock: protects udc->vbus, udc->started, gadget->connect, gadget->deactivate related +- * functions. usb_gadget_connect_locked, usb_gadget_disconnect_locked, +- * usb_udc_connect_control_locked, usb_gadget_udc_start_locked, usb_gadget_udc_stop_locked are +- * called with this lock held. + * + * This represents the internal data structure which is used by the UDC-class + * to hold information about udc driver and gadget together. +@@ -52,7 +48,6 @@ struct usb_udc { + struct list_head list; + bool vbus; + bool started; +- struct mutex connect_lock; + }; + + static struct class *udc_class; +@@ -665,9 +660,17 @@ int usb_gadget_vbus_disconnect(struct usb_gadget *gadget) + } + EXPORT_SYMBOL_GPL(usb_gadget_vbus_disconnect); + +-/* Internal version of usb_gadget_connect needs to be called with connect_lock held. */ +-static int usb_gadget_connect_locked(struct usb_gadget *gadget) +- __must_hold(&gadget->udc->connect_lock) ++/** ++ * usb_gadget_connect - software-controlled connect to USB host ++ * @gadget:the peripheral being connected ++ * ++ * Enables the D+ (or potentially D-) pullup. The host will start ++ * enumerating this gadget when the pullup is active and a VBUS session ++ * is active (the link is powered). ++ * ++ * Returns zero on success, else negative errno. ++ */ ++int usb_gadget_connect(struct usb_gadget *gadget) + { + int ret = 0; + +@@ -676,12 +679,10 @@ static int usb_gadget_connect_locked(struct usb_gadget *gadget) + goto out; + } + +- if (gadget->deactivated || !gadget->udc->started) { ++ if (gadget->deactivated) { + /* + * If gadget is deactivated we only save new state. + * Gadget will be connected automatically after activation. +- * +- * udc first needs to be started before gadget can be pulled up. + */ + gadget->connected = true; + goto out; +@@ -696,32 +697,22 @@ static int usb_gadget_connect_locked(struct usb_gadget *gadget) + + return ret; + } ++EXPORT_SYMBOL_GPL(usb_gadget_connect); + + /** +- * usb_gadget_connect - software-controlled connect to USB host +- * @gadget:the peripheral being connected ++ * usb_gadget_disconnect - software-controlled disconnect from USB host ++ * @gadget:the peripheral being disconnected + * +- * Enables the D+ (or potentially D-) pullup. The host will start +- * enumerating this gadget when the pullup is active and a VBUS session +- * is active (the link is powered). ++ * Disables the D+ (or potentially D-) pullup, which the host may see ++ * as a disconnect (when a VBUS session is active). Not all systems ++ * support software pullup controls. ++ * ++ * Following a successful disconnect, invoke the ->disconnect() callback ++ * for the current gadget driver so that UDC drivers don't need to. + * + * Returns zero on success, else negative errno. + */ +-int usb_gadget_connect(struct usb_gadget *gadget) +-{ +- int ret; +- +- mutex_lock(&gadget->udc->connect_lock); +- ret = usb_gadget_connect_locked(gadget); +- mutex_unlock(&gadget->udc->connect_lock); +- +- return ret; +-} +-EXPORT_SYMBOL_GPL(usb_gadget_connect); +- +-/* Internal version of usb_gadget_disconnect needs to be called with connect_lock held. */ +-static int usb_gadget_disconnect_locked(struct usb_gadget *gadget) +- __must_hold(&gadget->udc->connect_lock) ++int usb_gadget_disconnect(struct usb_gadget *gadget) + { + int ret = 0; + +@@ -733,12 +724,10 @@ static int usb_gadget_disconnect_locked(struct usb_gadget *gadget) + if (!gadget->connected) + goto out; + +- if (gadget->deactivated || !gadget->udc->started) { ++ if (gadget->deactivated) { + /* + * If gadget is deactivated we only save new state. + * Gadget will stay disconnected after activation. +- * +- * udc should have been started before gadget being pulled down. + */ + gadget->connected = false; + goto out; +@@ -758,30 +747,6 @@ static int usb_gadget_disconnect_locked(struct usb_gadget *gadget) + + return ret; + } +- +-/** +- * usb_gadget_disconnect - software-controlled disconnect from USB host +- * @gadget:the peripheral being disconnected +- * +- * Disables the D+ (or potentially D-) pullup, which the host may see +- * as a disconnect (when a VBUS session is active). Not all systems +- * support software pullup controls. +- * +- * Following a successful disconnect, invoke the ->disconnect() callback +- * for the current gadget driver so that UDC drivers don't need to. +- * +- * Returns zero on success, else negative errno. +- */ +-int usb_gadget_disconnect(struct usb_gadget *gadget) +-{ +- int ret; +- +- mutex_lock(&gadget->udc->connect_lock); +- ret = usb_gadget_disconnect_locked(gadget); +- mutex_unlock(&gadget->udc->connect_lock); +- +- return ret; +-} + EXPORT_SYMBOL_GPL(usb_gadget_disconnect); + + /** +@@ -802,11 +767,10 @@ int usb_gadget_deactivate(struct usb_gadget *gadget) + if (gadget->deactivated) + goto out; + +- mutex_lock(&gadget->udc->connect_lock); + if (gadget->connected) { +- ret = usb_gadget_disconnect_locked(gadget); ++ ret = usb_gadget_disconnect(gadget); + if (ret) +- goto unlock; ++ goto out; + + /* + * If gadget was being connected before deactivation, we want +@@ -816,8 +780,6 @@ int usb_gadget_deactivate(struct usb_gadget *gadget) + } + gadget->deactivated = true; + +-unlock: +- mutex_unlock(&gadget->udc->connect_lock); + out: + trace_usb_gadget_deactivate(gadget, ret); + +@@ -841,7 +803,6 @@ int usb_gadget_activate(struct usb_gadget *gadget) + if (!gadget->deactivated) + goto out; + +- mutex_lock(&gadget->udc->connect_lock); + gadget->deactivated = false; + + /* +@@ -849,8 +810,7 @@ int usb_gadget_activate(struct usb_gadget *gadget) + * while it was being deactivated, we call usb_gadget_connect(). + */ + if (gadget->connected) +- ret = usb_gadget_connect_locked(gadget); +- mutex_unlock(&gadget->udc->connect_lock); ++ ret = usb_gadget_connect(gadget); + + out: + trace_usb_gadget_activate(gadget, ret); +@@ -1091,13 +1051,12 @@ EXPORT_SYMBOL_GPL(usb_gadget_set_state); + + /* ------------------------------------------------------------------------- */ + +-/* Acquire connect_lock before calling this function. */ +-static void usb_udc_connect_control_locked(struct usb_udc *udc) __must_hold(&udc->connect_lock) ++static void usb_udc_connect_control(struct usb_udc *udc) + { +- if (udc->vbus && udc->started) +- usb_gadget_connect_locked(udc->gadget); ++ if (udc->vbus) ++ usb_gadget_connect(udc->gadget); + else +- usb_gadget_disconnect_locked(udc->gadget); ++ usb_gadget_disconnect(udc->gadget); + } + + /** +@@ -1113,12 +1072,10 @@ void usb_udc_vbus_handler(struct usb_gadget *gadget, bool status) + { + struct usb_udc *udc = gadget->udc; + +- mutex_lock(&udc->connect_lock); + if (udc) { + udc->vbus = status; +- usb_udc_connect_control_locked(udc); ++ usb_udc_connect_control(udc); + } +- mutex_unlock(&udc->connect_lock); + } + EXPORT_SYMBOL_GPL(usb_udc_vbus_handler); + +@@ -1140,7 +1097,7 @@ void usb_gadget_udc_reset(struct usb_gadget *gadget, + EXPORT_SYMBOL_GPL(usb_gadget_udc_reset); + + /** +- * usb_gadget_udc_start_locked - tells usb device controller to start up ++ * usb_gadget_udc_start - tells usb device controller to start up + * @udc: The UDC to be started + * + * This call is issued by the UDC Class driver when it's about +@@ -1151,11 +1108,8 @@ EXPORT_SYMBOL_GPL(usb_gadget_udc_reset); + * necessary to have it powered on. + * + * Returns zero on success, else negative errno. +- * +- * Caller should acquire connect_lock before invoking this function. + */ +-static inline int usb_gadget_udc_start_locked(struct usb_udc *udc) +- __must_hold(&udc->connect_lock) ++static inline int usb_gadget_udc_start(struct usb_udc *udc) + { + int ret; + +@@ -1172,7 +1126,7 @@ static inline int usb_gadget_udc_start_locked(struct usb_udc *udc) + } + + /** +- * usb_gadget_udc_stop_locked - tells usb device controller we don't need it anymore ++ * usb_gadget_udc_stop - tells usb device controller we don't need it anymore + * @udc: The UDC to be stopped + * + * This call is issued by the UDC Class driver after calling +@@ -1181,11 +1135,8 @@ static inline int usb_gadget_udc_start_locked(struct usb_udc *udc) + * The details are implementation specific, but it can go as + * far as powering off UDC completely and disable its data + * line pullups. +- * +- * Caller should acquire connect lock before invoking this function. + */ +-static inline void usb_gadget_udc_stop_locked(struct usb_udc *udc) +- __must_hold(&udc->connect_lock) ++static inline void usb_gadget_udc_stop(struct usb_udc *udc) + { + if (!udc->started) { + dev_err(&udc->dev, "UDC had already stopped\n"); +@@ -1344,7 +1295,6 @@ int usb_add_gadget(struct usb_gadget *gadget) + + udc->gadget = gadget; + gadget->udc = udc; +- mutex_init(&udc->connect_lock); + + udc->started = false; + +@@ -1546,15 +1496,11 @@ static int gadget_bind_driver(struct device *dev) + if (ret) + goto err_bind; + +- mutex_lock(&udc->connect_lock); +- ret = usb_gadget_udc_start_locked(udc); +- if (ret) { +- mutex_unlock(&udc->connect_lock); ++ ret = usb_gadget_udc_start(udc); ++ if (ret) + goto err_start; +- } + usb_gadget_enable_async_callbacks(udc); +- usb_udc_connect_control_locked(udc); +- mutex_unlock(&udc->connect_lock); ++ usb_udc_connect_control(udc); + + kobject_uevent(&udc->dev.kobj, KOBJ_CHANGE); + return 0; +@@ -1585,14 +1531,12 @@ static void gadget_unbind_driver(struct device *dev) + + kobject_uevent(&udc->dev.kobj, KOBJ_CHANGE); + +- mutex_lock(&udc->connect_lock); +- usb_gadget_disconnect_locked(gadget); ++ usb_gadget_disconnect(gadget); + usb_gadget_disable_async_callbacks(udc); + if (gadget->irq) + synchronize_irq(gadget->irq); + udc->driver->unbind(gadget); +- usb_gadget_udc_stop_locked(udc); +- mutex_unlock(&udc->connect_lock); ++ usb_gadget_udc_stop(udc); + + mutex_lock(&udc_lock); + driver->is_bound = false; +@@ -1678,15 +1622,11 @@ static ssize_t soft_connect_store(struct device *dev, + } + + if (sysfs_streq(buf, "connect")) { +- mutex_lock(&udc->connect_lock); +- usb_gadget_udc_start_locked(udc); +- usb_gadget_connect_locked(udc->gadget); +- mutex_unlock(&udc->connect_lock); ++ usb_gadget_udc_start(udc); ++ usb_gadget_connect(udc->gadget); + } else if (sysfs_streq(buf, "disconnect")) { +- mutex_lock(&udc->connect_lock); +- usb_gadget_disconnect_locked(udc->gadget); +- usb_gadget_udc_stop_locked(udc); +- mutex_unlock(&udc->connect_lock); ++ usb_gadget_disconnect(udc->gadget); ++ usb_gadget_udc_stop(udc); + } else { + dev_err(dev, "unsupported command '%s'\n", buf); + ret = -EINVAL; +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-298-xhci-pci-Only-run-d3cold-avoidance-quirk-for-s2.patch b/patches.kernel.org/6.3.4-298-xhci-pci-Only-run-d3cold-avoidance-quirk-for-s2.patch new file mode 100644 index 0000000..7230db7 --- /dev/null +++ b/patches.kernel.org/6.3.4-298-xhci-pci-Only-run-d3cold-avoidance-quirk-for-s2.patch @@ -0,0 +1,85 @@ +From: Mario Limonciello +Date: Mon, 15 May 2023 16:40:58 +0300 +Subject: [PATCH] xhci-pci: Only run d3cold avoidance quirk for s2idle +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 2a821fc3136d5d99dcb9de152be8a052ca27d870 + +commit 2a821fc3136d5d99dcb9de152be8a052ca27d870 upstream. + +Donghun reports that a notebook that has an AMD Ryzen 5700U but supports +S3 has problems with USB after resuming from suspend. The issue was +bisected down to commit d1658268e439 ("usb: pci-quirks: disable D3cold on +xhci suspend for s2idle on AMD Renoir"). + +As this issue only happens on S3, narrow the broken D3cold quirk to only +run in s2idle. + +Fixes: d1658268e439 ("usb: pci-quirks: disable D3cold on xhci suspend for s2idle on AMD Renoir") +Reported-and-tested-by: Donghun Yoon +Cc: stable@vger.kernel.org +Signed-off-by: Mario Limonciello +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20230515134059.161110-2-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jiri Slaby +--- + drivers/usb/host/xhci-pci.c | 12 ++++++++++-- + drivers/usb/host/xhci.h | 2 +- + 2 files changed, 11 insertions(+), 3 deletions(-) + +diff --git a/drivers/usb/host/xhci-pci.c b/drivers/usb/host/xhci-pci.c +index 6db07ca4..1fb727f5 100644 +--- a/drivers/usb/host/xhci-pci.c ++++ b/drivers/usb/host/xhci-pci.c +@@ -13,6 +13,7 @@ + #include + #include + #include ++#include + + #include "xhci.h" + #include "xhci-trace.h" +@@ -194,7 +195,7 @@ static void xhci_pci_quirks(struct device *dev, struct xhci_hcd *xhci) + + if (pdev->vendor == PCI_VENDOR_ID_AMD && + pdev->device == PCI_DEVICE_ID_AMD_RENOIR_XHCI) +- xhci->quirks |= XHCI_BROKEN_D3COLD; ++ xhci->quirks |= XHCI_BROKEN_D3COLD_S2I; + + if (pdev->vendor == PCI_VENDOR_ID_INTEL) { + xhci->quirks |= XHCI_LPM_SUPPORT; +@@ -609,9 +610,16 @@ static int xhci_pci_suspend(struct usb_hcd *hcd, bool do_wakeup) + * Systems with the TI redriver that loses port status change events + * need to have the registers polled during D3, so avoid D3cold. + */ +- if (xhci->quirks & (XHCI_COMP_MODE_QUIRK | XHCI_BROKEN_D3COLD)) ++ if (xhci->quirks & XHCI_COMP_MODE_QUIRK) + pci_d3cold_disable(pdev); + ++#ifdef CONFIG_SUSPEND ++ /* d3cold is broken, but only when s2idle is used */ ++ if (pm_suspend_target_state == PM_SUSPEND_TO_IDLE && ++ xhci->quirks & (XHCI_BROKEN_D3COLD_S2I)) ++ pci_d3cold_disable(pdev); ++#endif ++ + if (xhci->quirks & XHCI_PME_STUCK_QUIRK) + xhci_pme_quirk(hcd); + +diff --git a/drivers/usb/host/xhci.h b/drivers/usb/host/xhci.h +index 786002bb..38183596 100644 +--- a/drivers/usb/host/xhci.h ++++ b/drivers/usb/host/xhci.h +@@ -1901,7 +1901,7 @@ struct xhci_hcd { + #define XHCI_DISABLE_SPARSE BIT_ULL(38) + #define XHCI_SG_TRB_CACHE_SIZE_QUIRK BIT_ULL(39) + #define XHCI_NO_SOFT_RETRY BIT_ULL(40) +-#define XHCI_BROKEN_D3COLD BIT_ULL(41) ++#define XHCI_BROKEN_D3COLD_S2I BIT_ULL(41) + #define XHCI_EP_CTX_BROKEN_DCS BIT_ULL(42) + #define XHCI_SUSPEND_RESUME_CLKS BIT_ULL(43) + #define XHCI_RESET_TO_DEFAULT BIT_ULL(44) +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-299-xhci-Fix-incorrect-tracking-of-free-space-on-tr.patch b/patches.kernel.org/6.3.4-299-xhci-Fix-incorrect-tracking-of-free-space-on-tr.patch new file mode 100644 index 0000000..3d368b1 --- /dev/null +++ b/patches.kernel.org/6.3.4-299-xhci-Fix-incorrect-tracking-of-free-space-on-tr.patch @@ -0,0 +1,96 @@ +From: Mathias Nyman +Date: Mon, 15 May 2023 16:40:59 +0300 +Subject: [PATCH] xhci: Fix incorrect tracking of free space on transfer rings +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: fe82f16aafdaf8002281d3b9524291d4a4a28460 + +commit fe82f16aafdaf8002281d3b9524291d4a4a28460 upstream. + +This incorrect tracking caused unnecessary ring expansion in some +usecases which over days of use consume a lot of memory. + +xhci driver tries to keep track of free transfer blocks (TRBs) on the +ring buffer, but failed to add back some cancelled transfers that were +turned into no-op operations instead of just moving past them. + +This can happen if there are several queued pending transfers which +then are cancelled in reverse order. + +Solve this by counting the numer of steps we move the dequeue pointer +once we complete a transfer, and add it to the number of free trbs +instead of just adding the trb number of the current transfer. +This way we ensure we count the no-op trbs on the way as well. + +Fixes: 55f6153d8cc8 ("xhci: remove extra loop in interrupt context") +Cc: stable@vger.kernel.org +Reported-by: Miller Hunter +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=217242 +Tested-by: Miller Hunter +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20230515134059.161110-3-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jiri Slaby +--- + drivers/usb/host/xhci-ring.c | 29 ++++++++++++++++++++++++++++- + 1 file changed, 28 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c +index eb788c60..5bd97c5a 100644 +--- a/drivers/usb/host/xhci-ring.c ++++ b/drivers/usb/host/xhci-ring.c +@@ -276,6 +276,26 @@ static void inc_enq(struct xhci_hcd *xhci, struct xhci_ring *ring, + trace_xhci_inc_enq(ring); + } + ++static int xhci_num_trbs_to(struct xhci_segment *start_seg, union xhci_trb *start, ++ struct xhci_segment *end_seg, union xhci_trb *end, ++ unsigned int num_segs) ++{ ++ union xhci_trb *last_on_seg; ++ int num = 0; ++ int i = 0; ++ ++ do { ++ if (start_seg == end_seg && end >= start) ++ return num + (end - start); ++ last_on_seg = &start_seg->trbs[TRBS_PER_SEGMENT - 1]; ++ num += last_on_seg - start; ++ start_seg = start_seg->next; ++ start = start_seg->trbs; ++ } while (i++ <= num_segs); ++ ++ return -EINVAL; ++} ++ + /* + * Check to see if there's room to enqueue num_trbs on the ring and make sure + * enqueue pointer will not advance into dequeue segment. See rules above. +@@ -2140,6 +2160,7 @@ static int finish_td(struct xhci_hcd *xhci, struct xhci_virt_ep *ep, + u32 trb_comp_code) + { + struct xhci_ep_ctx *ep_ctx; ++ int trbs_freed; + + ep_ctx = xhci_get_ep_ctx(xhci, ep->vdev->out_ctx, ep->ep_index); + +@@ -2209,9 +2230,15 @@ static int finish_td(struct xhci_hcd *xhci, struct xhci_virt_ep *ep, + } + + /* Update ring dequeue pointer */ ++ trbs_freed = xhci_num_trbs_to(ep_ring->deq_seg, ep_ring->dequeue, ++ td->last_trb_seg, td->last_trb, ++ ep_ring->num_segs); ++ if (trbs_freed < 0) ++ xhci_dbg(xhci, "Failed to count freed trbs at TD finish\n"); ++ else ++ ep_ring->num_trbs_free += trbs_freed; + ep_ring->dequeue = td->last_trb; + ep_ring->deq_seg = td->last_trb_seg; +- ep_ring->num_trbs_free += td->num_trbs - 1; + inc_deq(xhci, ep_ring); + + return xhci_td_cleanup(xhci, td, ep_ring, td->status); +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-300-ALSA-hda-Fix-Oops-by-9.1-surround-channel-names.patch b/patches.kernel.org/6.3.4-300-ALSA-hda-Fix-Oops-by-9.1-surround-channel-names.patch new file mode 100644 index 0000000..dcb71d3 --- /dev/null +++ b/patches.kernel.org/6.3.4-300-ALSA-hda-Fix-Oops-by-9.1-surround-channel-names.patch @@ -0,0 +1,63 @@ +From: Takashi Iwai +Date: Tue, 16 May 2023 20:44:12 +0200 +Subject: [PATCH] ALSA: hda: Fix Oops by 9.1 surround channel names +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 3b44ec8c5c44790a82f07e90db45643c762878c6 + +commit 3b44ec8c5c44790a82f07e90db45643c762878c6 upstream. + +get_line_out_pfx() may trigger an Oops by overflowing the static array +with more than 8 channels. This was reported for MacBookPro 12,1 with +Cirrus codec. + +As a workaround, extend for the 9.1 channels and also fix the +potential Oops by unifying the code paths accessing the same array +with the proper size check. + +Reported-by: Olliver Schinagl +Cc: +Link: https://lore.kernel.org/r/64d95eb0-dbdb-cff8-a8b1-988dc22b24cd@schinagl.nl +Link: https://lore.kernel.org/r/20230516184412.24078-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jiri Slaby +--- + sound/pci/hda/hda_generic.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/sound/pci/hda/hda_generic.c b/sound/pci/hda/hda_generic.c +index fc114e52..dbf7aa88 100644 +--- a/sound/pci/hda/hda_generic.c ++++ b/sound/pci/hda/hda_generic.c +@@ -1155,8 +1155,8 @@ static bool path_has_mixer(struct hda_codec *codec, int path_idx, int ctl_type) + return path && path->ctls[ctl_type]; + } + +-static const char * const channel_name[4] = { +- "Front", "Surround", "CLFE", "Side" ++static const char * const channel_name[] = { ++ "Front", "Surround", "CLFE", "Side", "Back", + }; + + /* give some appropriate ctl name prefix for the given line out channel */ +@@ -1182,7 +1182,7 @@ static const char *get_line_out_pfx(struct hda_codec *codec, int ch, + + /* multi-io channels */ + if (ch >= cfg->line_outs) +- return channel_name[ch]; ++ goto fixed_name; + + switch (cfg->line_out_type) { + case AUTO_PIN_SPEAKER_OUT: +@@ -1234,6 +1234,7 @@ static const char *get_line_out_pfx(struct hda_codec *codec, int ch, + if (cfg->line_outs == 1 && !spec->multi_ios) + return "Line Out"; + ++ fixed_name: + if (ch >= ARRAY_SIZE(channel_name)) { + snd_BUG(); + return "PCM"; +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-301-ALSA-hda-Add-NVIDIA-codec-IDs-a3-through-a7-to-.patch b/patches.kernel.org/6.3.4-301-ALSA-hda-Add-NVIDIA-codec-IDs-a3-through-a7-to-.patch new file mode 100644 index 0000000..cd1cf34 --- /dev/null +++ b/patches.kernel.org/6.3.4-301-ALSA-hda-Add-NVIDIA-codec-IDs-a3-through-a7-to-.patch @@ -0,0 +1,44 @@ +From: Nikhil Mahale +Date: Wed, 17 May 2023 14:37:36 +0530 +Subject: [PATCH] ALSA: hda: Add NVIDIA codec IDs a3 through a7 to patch table +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: dc4f2ccaedddb489a83e7b12ebbdc347272aacc9 + +commit dc4f2ccaedddb489a83e7b12ebbdc347272aacc9 upstream. + +These IDs are for AD102, AD103, AD104, AD106, and AD107 gpus with +audio functions that are largely similar to the existing ones. + +Tested audio using gnome-settings, over HDMI, DP-SST and DP-MST +connections on AD106 gpu. + +Signed-off-by: Nikhil Mahale +Cc: +Link: https://lore.kernel.org/r/20230517090736.15088-1-nmahale@nvidia.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jiri Slaby +--- + sound/pci/hda/patch_hdmi.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c +index 5c698039..be2c6cff 100644 +--- a/sound/pci/hda/patch_hdmi.c ++++ b/sound/pci/hda/patch_hdmi.c +@@ -4577,6 +4577,11 @@ HDA_CODEC_ENTRY(0x10de009d, "GPU 9d HDMI/DP", patch_nvhdmi), + HDA_CODEC_ENTRY(0x10de009e, "GPU 9e HDMI/DP", patch_nvhdmi), + HDA_CODEC_ENTRY(0x10de009f, "GPU 9f HDMI/DP", patch_nvhdmi), + HDA_CODEC_ENTRY(0x10de00a0, "GPU a0 HDMI/DP", patch_nvhdmi), ++HDA_CODEC_ENTRY(0x10de00a3, "GPU a3 HDMI/DP", patch_nvhdmi), ++HDA_CODEC_ENTRY(0x10de00a4, "GPU a4 HDMI/DP", patch_nvhdmi), ++HDA_CODEC_ENTRY(0x10de00a5, "GPU a5 HDMI/DP", patch_nvhdmi), ++HDA_CODEC_ENTRY(0x10de00a6, "GPU a6 HDMI/DP", patch_nvhdmi), ++HDA_CODEC_ENTRY(0x10de00a7, "GPU a7 HDMI/DP", patch_nvhdmi), + HDA_CODEC_ENTRY(0x10de8001, "MCP73 HDMI", patch_nvhdmi_2ch), + HDA_CODEC_ENTRY(0x10de8067, "MCP67/68 HDMI", patch_nvhdmi_2ch), + HDA_CODEC_ENTRY(0x11069f80, "VX900 HDMI/DP", patch_via_hdmi), +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-302-ALSA-hda-realtek-Add-quirk-for-Clevo-L140AU.patch b/patches.kernel.org/6.3.4-302-ALSA-hda-realtek-Add-quirk-for-Clevo-L140AU.patch new file mode 100644 index 0000000..d677be3 --- /dev/null +++ b/patches.kernel.org/6.3.4-302-ALSA-hda-realtek-Add-quirk-for-Clevo-L140AU.patch @@ -0,0 +1,37 @@ +From: Jeremy Soller +Date: Fri, 5 May 2023 10:36:51 -0600 +Subject: [PATCH] ALSA: hda/realtek: Add quirk for Clevo L140AU +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 0a6b36c5dc3dda0196f4fb65bdb34c38b8d060c3 + +commit 0a6b36c5dc3dda0196f4fb65bdb34c38b8d060c3 upstream. + +Fixes headset detection on Clevo L140AU. + +Signed-off-by: Jeremy Soller +Signed-off-by: Tim Crawford +Cc: +Link: https://lore.kernel.org/r/20230505163651.21257-1-tcrawford@system76.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jiri Slaby +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 5d78d4ba..88ca5341 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -9618,6 +9618,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x1558, 0x7716, "Clevo NS50PU", ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0x7717, "Clevo NS70PU", ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0x7718, "Clevo L140PU", ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE), ++ SND_PCI_QUIRK(0x1558, 0x7724, "Clevo L140AU", ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0x8228, "Clevo NR40BU", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0x8520, "Clevo NH50D[CD]", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0x8521, "Clevo NH77D[CD]", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-303-ALSA-hda-realtek-Add-a-quirk-for-HP-EliteDesk-8.patch b/patches.kernel.org/6.3.4-303-ALSA-hda-realtek-Add-a-quirk-for-HP-EliteDesk-8.patch new file mode 100644 index 0000000..ccc1d31 --- /dev/null +++ b/patches.kernel.org/6.3.4-303-ALSA-hda-realtek-Add-a-quirk-for-HP-EliteDesk-8.patch @@ -0,0 +1,36 @@ +From: Ai Chao +Date: Sat, 6 May 2023 10:26:53 +0800 +Subject: [PATCH] ALSA: hda/realtek: Add a quirk for HP EliteDesk 805 +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 90670ef774a8b6700c38ce1222e6aa263be54d5f + +commit 90670ef774a8b6700c38ce1222e6aa263be54d5f upstream. + +Add a quirk for HP EliteDesk 805 to fixup ALC3867 headset MIC no sound. + +Signed-off-by: Ai Chao +Cc: +Link: https://lore.kernel.org/r/20230506022653.2074343-1-aichao@kylinos.cn +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jiri Slaby +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 88ca5341..bfbbf588 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -11664,6 +11664,7 @@ static const struct snd_pci_quirk alc662_fixup_tbl[] = { + SND_PCI_QUIRK(0x103c, 0x1632, "HP RP5800", ALC662_FIXUP_HP_RP5800), + SND_PCI_QUIRK(0x103c, 0x870c, "HP", ALC897_FIXUP_HP_HSMIC_VERB), + SND_PCI_QUIRK(0x103c, 0x8719, "HP", ALC897_FIXUP_HP_HSMIC_VERB), ++ SND_PCI_QUIRK(0x103c, 0x872b, "HP", ALC897_FIXUP_HP_HSMIC_VERB), + SND_PCI_QUIRK(0x103c, 0x873e, "HP", ALC671_FIXUP_HP_HEADSET_MIC2), + SND_PCI_QUIRK(0x103c, 0x877e, "HP 288 Pro G6", ALC671_FIXUP_HP_HEADSET_MIC2), + SND_PCI_QUIRK(0x103c, 0x885f, "HP 288 Pro G8", ALC671_FIXUP_HP_HEADSET_MIC2), +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-304-ALSA-hda-realtek-Add-quirk-for-2nd-ASUS-GU603.patch b/patches.kernel.org/6.3.4-304-ALSA-hda-realtek-Add-quirk-for-2nd-ASUS-GU603.patch new file mode 100644 index 0000000..0e12b11 --- /dev/null +++ b/patches.kernel.org/6.3.4-304-ALSA-hda-realtek-Add-quirk-for-2nd-ASUS-GU603.patch @@ -0,0 +1,36 @@ +From: "Luke D. Jones" +Date: Sat, 6 May 2023 11:58:24 +1200 +Subject: [PATCH] ALSA: hda/realtek: Add quirk for 2nd ASUS GU603 +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: a4671b7fba59775845ee60cfbdfc4ba64300211b + +commit a4671b7fba59775845ee60cfbdfc4ba64300211b upstream. + +Add quirk for GU603 with 0x1c62 variant of codec. + +Signed-off-by: Luke D. Jones +Cc: +Link: https://lore.kernel.org/r/20230505235824.49607-2-luke@ljones.dev +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jiri Slaby +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index bfbbf588..a2a3e4fc 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -9522,6 +9522,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x1043, 0x1b13, "Asus U41SV", ALC269_FIXUP_INV_DMIC), + SND_PCI_QUIRK(0x1043, 0x1bbd, "ASUS Z550MA", ALC255_FIXUP_ASUS_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1043, 0x1c23, "Asus X55U", ALC269_FIXUP_LIMIT_INT_MIC_BOOST), ++ SND_PCI_QUIRK(0x1043, 0x1c62, "ASUS GU603", ALC289_FIXUP_ASUS_GA401), + SND_PCI_QUIRK(0x1043, 0x1c92, "ASUS ROG Strix G15", ALC285_FIXUP_ASUS_G533Z_PINS), + SND_PCI_QUIRK(0x1043, 0x1ccd, "ASUS X555UB", ALC256_FIXUP_ASUS_MIC), + SND_PCI_QUIRK(0x1043, 0x1d42, "ASUS Zephyrus G14 2022", ALC289_FIXUP_ASUS_GA401), +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-305-ALSA-hda-realtek-Add-quirk-for-HP-EliteBook-G10.patch b/patches.kernel.org/6.3.4-305-ALSA-hda-realtek-Add-quirk-for-HP-EliteBook-G10.patch new file mode 100644 index 0000000..ec9c4b7 --- /dev/null +++ b/patches.kernel.org/6.3.4-305-ALSA-hda-realtek-Add-quirk-for-HP-EliteBook-G10.patch @@ -0,0 +1,60 @@ +From: Vitaly Rodionov +Date: Wed, 10 May 2023 15:22:27 +0100 +Subject: [PATCH] ALSA: hda/realtek: Add quirk for HP EliteBook G10 laptops +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 3e10f6ca76c4d00019badebd235c9d7f0068261e + +commit 3e10f6ca76c4d00019badebd235c9d7f0068261e upstream. + +Add support for HP EliteBook 835/845/845W/865 G10 laptops +with CS35L41 amplifiers on I2C/SPI bus connected to Realtek codec. + +Signed-off-by: Vitaly Rodionov +Cc: +Link: https://lore.kernel.org/r/20230510142227.32945-1-vitalyr@opensource.cirrus.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jiri Slaby +--- + sound/pci/hda/patch_realtek.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index a2a3e4fc..7a8d9792 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -9458,7 +9458,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x103c, 0x8aa3, "HP ProBook 450 G9 (MB 8AA1)", ALC236_FIXUP_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x8aa8, "HP EliteBook 640 G9 (MB 8AA6)", ALC236_FIXUP_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x8aab, "HP EliteBook 650 G9 (MB 8AA9)", ALC236_FIXUP_HP_GPIO_LED), +- SND_PCI_QUIRK(0x103c, 0x8abb, "HP ZBook Firefly 14 G9", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED), ++ SND_PCI_QUIRK(0x103c, 0x8abb, "HP ZBook Firefly 14 G9", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x8ad1, "HP EliteBook 840 14 inch G9 Notebook PC", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x8ad2, "HP EliteBook 860 16 inch G9 Notebook PC", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x8b42, "HP", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED), +@@ -9469,8 +9469,13 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x103c, 0x8b47, "HP", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x8b5d, "HP", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF), + SND_PCI_QUIRK(0x103c, 0x8b5e, "HP", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF), ++ SND_PCI_QUIRK(0x103c, 0x8b63, "HP Elite Dragonfly 13.5 inch G4", ALC245_FIXUP_CS35L41_SPI_4_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x8b65, "HP ProBook 455 15.6 inch G10 Notebook PC", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF), + SND_PCI_QUIRK(0x103c, 0x8b66, "HP", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF), ++ SND_PCI_QUIRK(0x103c, 0x8b70, "HP EliteBook 835 G10", ALC287_FIXUP_CS35L41_I2C_2), ++ SND_PCI_QUIRK(0x103c, 0x8b72, "HP EliteBook 845 G10", ALC287_FIXUP_CS35L41_I2C_2), ++ SND_PCI_QUIRK(0x103c, 0x8b74, "HP EliteBook 845W G10", ALC287_FIXUP_CS35L41_I2C_2), ++ SND_PCI_QUIRK(0x103c, 0x8b77, "HP ElieBook 865 G10", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x103c, 0x8b7a, "HP", ALC236_FIXUP_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x8b7d, "HP", ALC236_FIXUP_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x8b87, "HP", ALC236_FIXUP_HP_GPIO_LED), +@@ -9481,6 +9486,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x103c, 0x8b92, "HP", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x8b96, "HP", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF), + SND_PCI_QUIRK(0x103c, 0x8bf0, "HP", ALC236_FIXUP_HP_GPIO_LED), ++ SND_PCI_QUIRK(0x103c, 0x8c26, "HP HP EliteBook 800G11", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED), + SND_PCI_QUIRK(0x1043, 0x103e, "ASUS X540SA", ALC256_FIXUP_ASUS_MIC), + SND_PCI_QUIRK(0x1043, 0x103f, "ASUS TX300", ALC282_FIXUP_ASUS_TX300), + SND_PCI_QUIRK(0x1043, 0x106d, "Asus K53BE", ALC269_FIXUP_LIMIT_INT_MIC_BOOST), +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-306-ALSA-hda-realtek-Fix-mute-and-micmute-LEDs-for-.patch b/patches.kernel.org/6.3.4-306-ALSA-hda-realtek-Fix-mute-and-micmute-LEDs-for-.patch new file mode 100644 index 0000000..1d4a26b --- /dev/null +++ b/patches.kernel.org/6.3.4-306-ALSA-hda-realtek-Fix-mute-and-micmute-LEDs-for-.patch @@ -0,0 +1,38 @@ +From: Kai-Heng Feng +Date: Fri, 12 May 2023 16:34:16 +0800 +Subject: [PATCH] ALSA: hda/realtek: Fix mute and micmute LEDs for yet another + HP laptop +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 9dc68a4fe70893b000fb3c92c68b9f72369cf448 + +commit 9dc68a4fe70893b000fb3c92c68b9f72369cf448 upstream. + +There's yet another laptop that needs the fixup to enable mute and +micmute LEDs. So do it accordingly. + +Signed-off-by: Kai-Heng Feng +Cc: +Link: https://lore.kernel.org/r/20230512083417.157127-1-kai.heng.feng@canonical.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jiri Slaby +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 7a8d9792..c7576071 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -9485,6 +9485,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x103c, 0x8b8f, "HP", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x8b92, "HP", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x8b96, "HP", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF), ++ SND_PCI_QUIRK(0x103c, 0x8b97, "HP", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF), + SND_PCI_QUIRK(0x103c, 0x8bf0, "HP", ALC236_FIXUP_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x8c26, "HP HP EliteBook 800G11", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED), + SND_PCI_QUIRK(0x1043, 0x103e, "ASUS X540SA", ALC256_FIXUP_ASUS_MIC), +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-307-can-j1939-recvmsg-allow-MSG_CMSG_COMPAT-flag.patch b/patches.kernel.org/6.3.4-307-can-j1939-recvmsg-allow-MSG_CMSG_COMPAT-flag.patch new file mode 100644 index 0000000..d1602e5 --- /dev/null +++ b/patches.kernel.org/6.3.4-307-can-j1939-recvmsg-allow-MSG_CMSG_COMPAT-flag.patch @@ -0,0 +1,45 @@ +From: Oliver Hartkopp +Date: Thu, 6 Apr 2023 13:08:45 +0200 +Subject: [PATCH] can: j1939: recvmsg(): allow MSG_CMSG_COMPAT flag +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 1db080cbdbab28752bbb1c86d64daf96253a5da1 + +commit 1db080cbdbab28752bbb1c86d64daf96253a5da1 upstream. + +The control message provided by J1939 support MSG_CMSG_COMPAT but +blocked recvmsg() syscalls that have set this flag, i.e. on 32bit user +space on 64 bit kernels. + +Link: https://github.com/hartkopp/can-isotp/issues/59 +Cc: Oleksij Rempel +Suggested-by: Marc Kleine-Budde +Signed-off-by: Oliver Hartkopp +Tested-by: Oleksij Rempel +Acked-by: Oleksij Rempel +Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol") +Link: https://lore.kernel.org/20230505110308.81087-3-mkl@pengutronix.de +Cc: stable@vger.kernel.org +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jiri Slaby +--- + net/can/j1939/socket.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/can/j1939/socket.c b/net/can/j1939/socket.c +index 7e90f9e6..1790469b 100644 +--- a/net/can/j1939/socket.c ++++ b/net/can/j1939/socket.c +@@ -798,7 +798,7 @@ static int j1939_sk_recvmsg(struct socket *sock, struct msghdr *msg, + struct j1939_sk_buff_cb *skcb; + int ret = 0; + +- if (flags & ~(MSG_DONTWAIT | MSG_ERRQUEUE)) ++ if (flags & ~(MSG_DONTWAIT | MSG_ERRQUEUE | MSG_CMSG_COMPAT)) + return -EINVAL; + + if (flags & MSG_ERRQUEUE) +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-308-can-isotp-recvmsg-allow-MSG_CMSG_COMPAT-flag.patch b/patches.kernel.org/6.3.4-308-can-isotp-recvmsg-allow-MSG_CMSG_COMPAT-flag.patch new file mode 100644 index 0000000..0db65af --- /dev/null +++ b/patches.kernel.org/6.3.4-308-can-isotp-recvmsg-allow-MSG_CMSG_COMPAT-flag.patch @@ -0,0 +1,43 @@ +From: Oliver Hartkopp +Date: Thu, 6 Apr 2023 13:08:45 +0200 +Subject: [PATCH] can: isotp: recvmsg(): allow MSG_CMSG_COMPAT flag +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: db2773d65b02aed319a93efdfb958087771d4e19 + +commit db2773d65b02aed319a93efdfb958087771d4e19 upstream. + +The control message provided by isotp support MSG_CMSG_COMPAT but +blocked recvmsg() syscalls that have set this flag, i.e. on 32bit user +space on 64 bit kernels. + +Link: https://github.com/hartkopp/can-isotp/issues/59 +Cc: Oleksij Rempel +Suggested-by: Marc Kleine-Budde +Signed-off-by: Oliver Hartkopp +Fixes: 42bf50a1795a ("can: isotp: support MSG_TRUNC flag when reading from socket") +Link: https://lore.kernel.org/20230505110308.81087-2-mkl@pengutronix.de +Cc: stable@vger.kernel.org +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jiri Slaby +--- + net/can/isotp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/can/isotp.c b/net/can/isotp.c +index 5761d4ab..1af62383 100644 +--- a/net/can/isotp.c ++++ b/net/can/isotp.c +@@ -1106,7 +1106,7 @@ static int isotp_recvmsg(struct socket *sock, struct msghdr *msg, size_t size, + struct isotp_sock *so = isotp_sk(sk); + int ret = 0; + +- if (flags & ~(MSG_DONTWAIT | MSG_TRUNC | MSG_PEEK)) ++ if (flags & ~(MSG_DONTWAIT | MSG_TRUNC | MSG_PEEK | MSG_CMSG_COMPAT)) + return -EINVAL; + + if (!so->bound) +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-309-can-kvaser_pciefd-Set-CAN_STATE_STOPPED-in-kvas.patch b/patches.kernel.org/6.3.4-309-can-kvaser_pciefd-Set-CAN_STATE_STOPPED-in-kvas.patch new file mode 100644 index 0000000..3da2a21 --- /dev/null +++ b/patches.kernel.org/6.3.4-309-can-kvaser_pciefd-Set-CAN_STATE_STOPPED-in-kvas.patch @@ -0,0 +1,40 @@ +From: Jimmy Assarsson +Date: Tue, 16 May 2023 15:43:13 +0200 +Subject: [PATCH] can: kvaser_pciefd: Set CAN_STATE_STOPPED in + kvaser_pciefd_stop() +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: aed0e6ca7dbb8fbea9bc69c9ac663d5533c8c5d8 + +commit aed0e6ca7dbb8fbea9bc69c9ac663d5533c8c5d8 upstream. + +Set can.state to CAN_STATE_STOPPED in kvaser_pciefd_stop(). +Without this fix, wrong CAN state was repported after the interface was +brought down. + +Fixes: 26ad340e582d ("can: kvaser_pciefd: Add driver for Kvaser PCIEcan devices") +Cc: stable@vger.kernel.org +Signed-off-by: Jimmy Assarsson +Link: https://lore.kernel.org/r/20230516134318.104279-2-extja@kvaser.com +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jiri Slaby +--- + drivers/net/can/kvaser_pciefd.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/can/kvaser_pciefd.c b/drivers/net/can/kvaser_pciefd.c +index bcad1170..589a4b04 100644 +--- a/drivers/net/can/kvaser_pciefd.c ++++ b/drivers/net/can/kvaser_pciefd.c +@@ -719,6 +719,7 @@ static int kvaser_pciefd_stop(struct net_device *netdev) + iowrite32(0, can->reg_base + KVASER_PCIEFD_KCAN_IEN_REG); + del_timer(&can->bec_poll_timer); + } ++ can->can.state = CAN_STATE_STOPPED; + close_candev(netdev); + + return ret; +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-310-can-kvaser_pciefd-Call-request_irq-before-enabl.patch b/patches.kernel.org/6.3.4-310-can-kvaser_pciefd-Call-request_irq-before-enabl.patch new file mode 100644 index 0000000..7104001 --- /dev/null +++ b/patches.kernel.org/6.3.4-310-can-kvaser_pciefd-Call-request_irq-before-enabl.patch @@ -0,0 +1,54 @@ +From: Jimmy Assarsson +Date: Tue, 16 May 2023 15:43:15 +0200 +Subject: [PATCH] can: kvaser_pciefd: Call request_irq() before enabling + interrupts +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 84762d8da89d29ba842317eb842973e628c27391 + +commit 84762d8da89d29ba842317eb842973e628c27391 upstream. + +Make sure the interrupt handler is registered before enabling interrupts. + +Fixes: 26ad340e582d ("can: kvaser_pciefd: Add driver for Kvaser PCIEcan devices") +Cc: stable@vger.kernel.org +Signed-off-by: Jimmy Assarsson +Link: https://lore.kernel.org/r/20230516134318.104279-4-extja@kvaser.com +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jiri Slaby +--- + drivers/net/can/kvaser_pciefd.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/can/kvaser_pciefd.c b/drivers/net/can/kvaser_pciefd.c +index 589a4b04..99d52a64 100644 +--- a/drivers/net/can/kvaser_pciefd.c ++++ b/drivers/net/can/kvaser_pciefd.c +@@ -1825,6 +1825,11 @@ static int kvaser_pciefd_probe(struct pci_dev *pdev, + if (err) + goto err_teardown_can_ctrls; + ++ err = request_irq(pcie->pci->irq, kvaser_pciefd_irq_handler, ++ IRQF_SHARED, KVASER_PCIEFD_DRV_NAME, pcie); ++ if (err) ++ goto err_teardown_can_ctrls; ++ + iowrite32(KVASER_PCIEFD_SRB_IRQ_DPD0 | KVASER_PCIEFD_SRB_IRQ_DPD1, + pcie->reg_base + KVASER_PCIEFD_SRB_IRQ_REG); + +@@ -1845,11 +1850,6 @@ static int kvaser_pciefd_probe(struct pci_dev *pdev, + iowrite32(KVASER_PCIEFD_SRB_CMD_RDB1, + pcie->reg_base + KVASER_PCIEFD_SRB_CMD_REG); + +- err = request_irq(pcie->pci->irq, kvaser_pciefd_irq_handler, +- IRQF_SHARED, KVASER_PCIEFD_DRV_NAME, pcie); +- if (err) +- goto err_teardown_can_ctrls; +- + err = kvaser_pciefd_reg_candev(pcie); + if (err) + goto err_free_irq; +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-311-can-kvaser_pciefd-Empty-SRB-buffer-in-probe.patch b/patches.kernel.org/6.3.4-311-can-kvaser_pciefd-Empty-SRB-buffer-in-probe.patch new file mode 100644 index 0000000..848b220 --- /dev/null +++ b/patches.kernel.org/6.3.4-311-can-kvaser_pciefd-Empty-SRB-buffer-in-probe.patch @@ -0,0 +1,77 @@ +From: Jimmy Assarsson +Date: Tue, 16 May 2023 15:43:16 +0200 +Subject: [PATCH] can: kvaser_pciefd: Empty SRB buffer in probe +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: c589557dd1426f5adf90c7a919d4fde5a3e4ef64 + +commit c589557dd1426f5adf90c7a919d4fde5a3e4ef64 upstream. + +Empty the "Shared receive buffer" (SRB) in probe, to assure we start in a +known state, and don't process any irrelevant packets. + +Fixes: 26ad340e582d ("can: kvaser_pciefd: Add driver for Kvaser PCIEcan devices") +Cc: stable@vger.kernel.org +Signed-off-by: Jimmy Assarsson +Link: https://lore.kernel.org/r/20230516134318.104279-5-extja@kvaser.com +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jiri Slaby +--- + drivers/net/can/kvaser_pciefd.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/drivers/net/can/kvaser_pciefd.c b/drivers/net/can/kvaser_pciefd.c +index 99d52a64..847816d1 100644 +--- a/drivers/net/can/kvaser_pciefd.c ++++ b/drivers/net/can/kvaser_pciefd.c +@@ -71,10 +71,12 @@ MODULE_DESCRIPTION("CAN driver for Kvaser CAN/PCIe devices"); + #define KVASER_PCIEFD_SYSID_BUILD_REG (KVASER_PCIEFD_SYSID_BASE + 0x14) + /* Shared receive buffer registers */ + #define KVASER_PCIEFD_SRB_BASE 0x1f200 ++#define KVASER_PCIEFD_SRB_FIFO_LAST_REG (KVASER_PCIEFD_SRB_BASE + 0x1f4) + #define KVASER_PCIEFD_SRB_CMD_REG (KVASER_PCIEFD_SRB_BASE + 0x200) + #define KVASER_PCIEFD_SRB_IEN_REG (KVASER_PCIEFD_SRB_BASE + 0x204) + #define KVASER_PCIEFD_SRB_IRQ_REG (KVASER_PCIEFD_SRB_BASE + 0x20c) + #define KVASER_PCIEFD_SRB_STAT_REG (KVASER_PCIEFD_SRB_BASE + 0x210) ++#define KVASER_PCIEFD_SRB_RX_NR_PACKETS_REG (KVASER_PCIEFD_SRB_BASE + 0x214) + #define KVASER_PCIEFD_SRB_CTRL_REG (KVASER_PCIEFD_SRB_BASE + 0x218) + /* EPCS flash controller registers */ + #define KVASER_PCIEFD_SPI_BASE 0x1fc00 +@@ -111,6 +113,9 @@ MODULE_DESCRIPTION("CAN driver for Kvaser CAN/PCIe devices"); + /* DMA support */ + #define KVASER_PCIEFD_SRB_STAT_DMA BIT(24) + ++/* SRB current packet level */ ++#define KVASER_PCIEFD_SRB_RX_NR_PACKETS_MASK 0xff ++ + /* DMA Enable */ + #define KVASER_PCIEFD_SRB_CTRL_DMA_ENABLE BIT(0) + +@@ -1059,6 +1064,7 @@ static int kvaser_pciefd_setup_dma(struct kvaser_pciefd *pcie) + { + int i; + u32 srb_status; ++ u32 srb_packet_count; + dma_addr_t dma_addr[KVASER_PCIEFD_DMA_COUNT]; + + /* Disable the DMA */ +@@ -1086,6 +1092,15 @@ static int kvaser_pciefd_setup_dma(struct kvaser_pciefd *pcie) + KVASER_PCIEFD_SRB_CMD_RDB1, + pcie->reg_base + KVASER_PCIEFD_SRB_CMD_REG); + ++ /* Empty Rx FIFO */ ++ srb_packet_count = ioread32(pcie->reg_base + KVASER_PCIEFD_SRB_RX_NR_PACKETS_REG) & ++ KVASER_PCIEFD_SRB_RX_NR_PACKETS_MASK; ++ while (srb_packet_count) { ++ /* Drop current packet in FIFO */ ++ ioread32(pcie->reg_base + KVASER_PCIEFD_SRB_FIFO_LAST_REG); ++ srb_packet_count--; ++ } ++ + srb_status = ioread32(pcie->reg_base + KVASER_PCIEFD_SRB_STAT_REG); + if (!(srb_status & KVASER_PCIEFD_SRB_STAT_DI)) { + dev_err(&pcie->pci->dev, "DMA not idle before enabling\n"); +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-312-can-kvaser_pciefd-Clear-listen-only-bit-if-not-.patch b/patches.kernel.org/6.3.4-312-can-kvaser_pciefd-Clear-listen-only-bit-if-not-.patch new file mode 100644 index 0000000..abd67b8 --- /dev/null +++ b/patches.kernel.org/6.3.4-312-can-kvaser_pciefd-Clear-listen-only-bit-if-not-.patch @@ -0,0 +1,40 @@ +From: Jimmy Assarsson +Date: Tue, 16 May 2023 15:43:14 +0200 +Subject: [PATCH] can: kvaser_pciefd: Clear listen-only bit if not explicitly + requested +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: bf7ac55e991ca177f1ac16be51152f1ef291a4df + +commit bf7ac55e991ca177f1ac16be51152f1ef291a4df upstream. + +The listen-only bit was never cleared, causing the controller to +always use listen-only mode, if previously set. + +Fixes: 26ad340e582d ("can: kvaser_pciefd: Add driver for Kvaser PCIEcan devices") +Cc: stable@vger.kernel.org +Signed-off-by: Jimmy Assarsson +Link: https://lore.kernel.org/r/20230516134318.104279-3-extja@kvaser.com +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jiri Slaby +--- + drivers/net/can/kvaser_pciefd.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/can/kvaser_pciefd.c b/drivers/net/can/kvaser_pciefd.c +index 847816d1..4a0894a6 100644 +--- a/drivers/net/can/kvaser_pciefd.c ++++ b/drivers/net/can/kvaser_pciefd.c +@@ -559,6 +559,8 @@ static void kvaser_pciefd_setup_controller(struct kvaser_pciefd_can *can) + + if (can->can.ctrlmode & CAN_CTRLMODE_LISTENONLY) + mode |= KVASER_PCIEFD_KCAN_MODE_LOM; ++ else ++ mode &= ~KVASER_PCIEFD_KCAN_MODE_LOM; + + mode |= KVASER_PCIEFD_KCAN_MODE_EEN; + mode |= KVASER_PCIEFD_KCAN_MODE_EPEN; +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-313-can-kvaser_pciefd-Do-not-send-EFLUSH-command-on.patch b/patches.kernel.org/6.3.4-313-can-kvaser_pciefd-Do-not-send-EFLUSH-command-on.patch new file mode 100644 index 0000000..8e08996 --- /dev/null +++ b/patches.kernel.org/6.3.4-313-can-kvaser_pciefd-Do-not-send-EFLUSH-command-on.patch @@ -0,0 +1,100 @@ +From: Jimmy Assarsson +Date: Tue, 16 May 2023 15:43:17 +0200 +Subject: [PATCH] can: kvaser_pciefd: Do not send EFLUSH command on TFD + interrupt +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 262d7a52ba27525e3c1203230c9f0524e48bbb34 + +commit 262d7a52ba27525e3c1203230c9f0524e48bbb34 upstream. + +Under certain circumstances we send two EFLUSH commands, resulting in two +EFLUSH ack packets, while only expecting a single EFLUSH ack. +This can cause the driver Tx flush completion to get out of sync. + +To avoid this problem, don't enable the "Transmit buffer flush done" (TFD) +interrupt and remove the code handling it. +Now we only send EFLUSH command after receiving status packet with +"Init detected" (IDET) bit set. + +Fixes: 26ad340e582d ("can: kvaser_pciefd: Add driver for Kvaser PCIEcan devices") +Cc: stable@vger.kernel.org +Signed-off-by: Jimmy Assarsson +Link: https://lore.kernel.org/r/20230516134318.104279-6-extja@kvaser.com +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jiri Slaby +--- + drivers/net/can/kvaser_pciefd.c | 21 ++++----------------- + 1 file changed, 4 insertions(+), 17 deletions(-) + +diff --git a/drivers/net/can/kvaser_pciefd.c b/drivers/net/can/kvaser_pciefd.c +index 4a0894a6..d7b1a7e9 100644 +--- a/drivers/net/can/kvaser_pciefd.c ++++ b/drivers/net/can/kvaser_pciefd.c +@@ -531,7 +531,7 @@ static int kvaser_pciefd_set_tx_irq(struct kvaser_pciefd_can *can) + KVASER_PCIEFD_KCAN_IRQ_TOF | KVASER_PCIEFD_KCAN_IRQ_ABD | + KVASER_PCIEFD_KCAN_IRQ_TAE | KVASER_PCIEFD_KCAN_IRQ_TAL | + KVASER_PCIEFD_KCAN_IRQ_FDIC | KVASER_PCIEFD_KCAN_IRQ_BPP | +- KVASER_PCIEFD_KCAN_IRQ_TAR | KVASER_PCIEFD_KCAN_IRQ_TFD; ++ KVASER_PCIEFD_KCAN_IRQ_TAR; + + iowrite32(msk, can->reg_base + KVASER_PCIEFD_KCAN_IEN_REG); + +@@ -579,7 +579,7 @@ static void kvaser_pciefd_start_controller_flush(struct kvaser_pciefd_can *can) + + spin_lock_irqsave(&can->lock, irq); + iowrite32(-1, can->reg_base + KVASER_PCIEFD_KCAN_IRQ_REG); +- iowrite32(KVASER_PCIEFD_KCAN_IRQ_ABD | KVASER_PCIEFD_KCAN_IRQ_TFD, ++ iowrite32(KVASER_PCIEFD_KCAN_IRQ_ABD, + can->reg_base + KVASER_PCIEFD_KCAN_IEN_REG); + + status = ioread32(can->reg_base + KVASER_PCIEFD_KCAN_STAT_REG); +@@ -622,7 +622,7 @@ static int kvaser_pciefd_bus_on(struct kvaser_pciefd_can *can) + iowrite32(0, can->reg_base + KVASER_PCIEFD_KCAN_IEN_REG); + iowrite32(-1, can->reg_base + KVASER_PCIEFD_KCAN_IRQ_REG); + +- iowrite32(KVASER_PCIEFD_KCAN_IRQ_ABD | KVASER_PCIEFD_KCAN_IRQ_TFD, ++ iowrite32(KVASER_PCIEFD_KCAN_IRQ_ABD, + can->reg_base + KVASER_PCIEFD_KCAN_IEN_REG); + + mode = ioread32(can->reg_base + KVASER_PCIEFD_KCAN_MODE_REG); +@@ -1015,8 +1015,7 @@ static int kvaser_pciefd_setup_can_ctrls(struct kvaser_pciefd *pcie) + SET_NETDEV_DEV(netdev, &pcie->pci->dev); + + iowrite32(-1, can->reg_base + KVASER_PCIEFD_KCAN_IRQ_REG); +- iowrite32(KVASER_PCIEFD_KCAN_IRQ_ABD | +- KVASER_PCIEFD_KCAN_IRQ_TFD, ++ iowrite32(KVASER_PCIEFD_KCAN_IRQ_ABD, + can->reg_base + KVASER_PCIEFD_KCAN_IEN_REG); + + pcie->can[i] = can; +@@ -1443,9 +1442,6 @@ static int kvaser_pciefd_handle_status_packet(struct kvaser_pciefd *pcie, + cmd = KVASER_PCIEFD_KCAN_CMD_AT; + cmd |= ++can->cmd_seq << KVASER_PCIEFD_KCAN_CMD_SEQ_SHIFT; + iowrite32(cmd, can->reg_base + KVASER_PCIEFD_KCAN_CMD_REG); +- +- iowrite32(KVASER_PCIEFD_KCAN_IRQ_TFD, +- can->reg_base + KVASER_PCIEFD_KCAN_IEN_REG); + } else if (p->header[0] & KVASER_PCIEFD_SPACK_IDET && + p->header[0] & KVASER_PCIEFD_SPACK_IRM && + cmdseq == (p->header[1] & KVASER_PCIEFD_PACKET_SEQ_MSK) && +@@ -1732,15 +1728,6 @@ static int kvaser_pciefd_transmit_irq(struct kvaser_pciefd_can *can) + if (irq & KVASER_PCIEFD_KCAN_IRQ_TOF) + netdev_err(can->can.dev, "Tx FIFO overflow\n"); + +- if (irq & KVASER_PCIEFD_KCAN_IRQ_TFD) { +- u8 count = ioread32(can->reg_base + +- KVASER_PCIEFD_KCAN_TX_NPACKETS_REG) & 0xff; +- +- if (count == 0) +- iowrite32(KVASER_PCIEFD_KCAN_CTRL_EFLUSH, +- can->reg_base + KVASER_PCIEFD_KCAN_CTRL_REG); +- } +- + if (irq & KVASER_PCIEFD_KCAN_IRQ_BPP) + netdev_err(can->can.dev, + "Fail to change bittiming, when not in reset mode\n"); +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-314-can-kvaser_pciefd-Disable-interrupts-in-probe-e.patch b/patches.kernel.org/6.3.4-314-can-kvaser_pciefd-Disable-interrupts-in-probe-e.patch new file mode 100644 index 0000000..7b2bc3f --- /dev/null +++ b/patches.kernel.org/6.3.4-314-can-kvaser_pciefd-Disable-interrupts-in-probe-e.patch @@ -0,0 +1,38 @@ +From: Jimmy Assarsson +Date: Tue, 16 May 2023 15:43:18 +0200 +Subject: [PATCH] can: kvaser_pciefd: Disable interrupts in probe error path +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 11164bc39459335ab93c6e99d53b7e4292fba38b + +commit 11164bc39459335ab93c6e99d53b7e4292fba38b upstream. + +Disable interrupts in error path of probe function. + +Fixes: 26ad340e582d ("can: kvaser_pciefd: Add driver for Kvaser PCIEcan devices") +Cc: stable@vger.kernel.org +Signed-off-by: Jimmy Assarsson +Link: https://lore.kernel.org/r/20230516134318.104279-7-extja@kvaser.com +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jiri Slaby +--- + drivers/net/can/kvaser_pciefd.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/can/kvaser_pciefd.c b/drivers/net/can/kvaser_pciefd.c +index d7b1a7e9..956a4a57 100644 +--- a/drivers/net/can/kvaser_pciefd.c ++++ b/drivers/net/can/kvaser_pciefd.c +@@ -1861,6 +1861,8 @@ static int kvaser_pciefd_probe(struct pci_dev *pdev, + return 0; + + err_free_irq: ++ /* Disable PCI interrupts */ ++ iowrite32(0, pcie->reg_base + KVASER_PCIEFD_IEN_REG); + free_irq(pcie->pci->irq, pcie); + + err_teardown_can_ctrls: +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-315-wifi-brcmfmac-Check-for-probe-id-argument-being.patch b/patches.kernel.org/6.3.4-315-wifi-brcmfmac-Check-for-probe-id-argument-being.patch new file mode 100644 index 0000000..bdfde41 --- /dev/null +++ b/patches.kernel.org/6.3.4-315-wifi-brcmfmac-Check-for-probe-id-argument-being.patch @@ -0,0 +1,138 @@ +From: Hans de Goede +Date: Wed, 10 May 2023 16:18:56 +0200 +Subject: [PATCH] wifi: brcmfmac: Check for probe() id argument being NULL +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 60fc756fc8e6954a5618eecac73b255d651602e4 + +commit 60fc756fc8e6954a5618eecac73b255d651602e4 upstream. + +The probe() id argument may be NULL in 2 scenarios: + +1. brcmf_pcie_pm_leave_D3() calling brcmf_pcie_probe() to reprobe + the device. + +2. If a user tries to manually bind the driver from sysfs then the sdio / + pcie / usb probe() function gets called with NULL as id argument. + +1. Is being hit by users causing the following oops on resume and causing +wifi to stop working: + +BUG: kernel NULL pointer dereference, address: 0000000000000018 + +Hardware name: Dell Inc. XPS 13 9350/0PWNCR, BIDS 1.13.0 02/10/2020 +Workgueue: events_unbound async_run_entry_fn +RIP: 0010:brcmf_pcie_probe+Ox16b/0x7a0 [brcmfmac] + +Call Trace: + + brcmf_pcie_pm_leave_D3+0xc5/8x1a0 [brcmfmac be3b4cefca451e190fa35be8f00db1bbec293887] + ? pci_pm_resume+0x5b/0xf0 + ? pci_legacy_resume+0x80/0x80 + dpm_run_callback+0x47/0x150 + device_resume+0xa2/0x1f0 + async_resume+0x1d/0x30 + + +Fix this by checking for id being NULL. + +In the PCI and USB cases try a manual lookup of the id so that manually +binding the driver through sysfs and more importantly brcmf_pcie_probe() +on resume will work. + +For the SDIO case there is no helper to do a manual sdio_device_id lookup, +so just directly error out on a NULL id there. + +Fixes: da6d9c8ecd00 ("wifi: brcmfmac: add firmware vendor info in driver info") +Reported-by: Felix +Link: https://lore.kernel.org/regressions/4ef3f252ff530cbfa336f5a0d80710020fc5cb1e.camel@gmail.com/ +Cc: stable@vger.kernel.org +Signed-off-by: Hans de Goede +Reviewed-by: Arend van Spriel +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230510141856.46532-1-hdegoede@redhat.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jiri Slaby +--- + .../net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c | 5 +++++ + .../net/wireless/broadcom/brcm80211/brcmfmac/pcie.c | 11 +++++++++++ + .../net/wireless/broadcom/brcm80211/brcmfmac/usb.c | 11 +++++++++++ + 3 files changed, 27 insertions(+) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c +index ff710b0b..00679a99 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c +@@ -1039,6 +1039,11 @@ static int brcmf_ops_sdio_probe(struct sdio_func *func, + struct brcmf_sdio_dev *sdiodev; + struct brcmf_bus *bus_if; + ++ if (!id) { ++ dev_err(&func->dev, "Error no sdio_device_id passed for %x:%x\n", func->vendor, func->device); ++ return -ENODEV; ++ } ++ + brcmf_dbg(SDIO, "Enter\n"); + brcmf_dbg(SDIO, "Class=%x\n", func->class); + brcmf_dbg(SDIO, "sdio vendor ID: 0x%04x\n", func->vendor); +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c +index d2dad541..3fb333d5 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c +@@ -2378,6 +2378,9 @@ static void brcmf_pcie_debugfs_create(struct device *dev) + } + #endif + ++/* Forward declaration for pci_match_id() call */ ++static const struct pci_device_id brcmf_pcie_devid_table[]; ++ + static int + brcmf_pcie_probe(struct pci_dev *pdev, const struct pci_device_id *id) + { +@@ -2388,6 +2391,14 @@ brcmf_pcie_probe(struct pci_dev *pdev, const struct pci_device_id *id) + struct brcmf_core *core; + struct brcmf_bus *bus; + ++ if (!id) { ++ id = pci_match_id(brcmf_pcie_devid_table, pdev); ++ if (!id) { ++ pci_err(pdev, "Error could not find pci_device_id for %x:%x\n", pdev->vendor, pdev->device); ++ return -ENODEV; ++ } ++ } ++ + brcmf_dbg(PCIE, "Enter %x:%x\n", pdev->vendor, pdev->device); + + ret = -ENOMEM; +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c +index 246843ae..2178675a 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c +@@ -1331,6 +1331,9 @@ brcmf_usb_disconnect_cb(struct brcmf_usbdev_info *devinfo) + brcmf_usb_detach(devinfo); + } + ++/* Forward declaration for usb_match_id() call */ ++static const struct usb_device_id brcmf_usb_devid_table[]; ++ + static int + brcmf_usb_probe(struct usb_interface *intf, const struct usb_device_id *id) + { +@@ -1342,6 +1345,14 @@ brcmf_usb_probe(struct usb_interface *intf, const struct usb_device_id *id) + u32 num_of_eps; + u8 endpoint_num, ep; + ++ if (!id) { ++ id = usb_match_id(intf, brcmf_usb_devid_table); ++ if (!id) { ++ dev_err(&intf->dev, "Error could not find matching usb_device_id\n"); ++ return -ENODEV; ++ } ++ } ++ + brcmf_dbg(USB, "Enter 0x%04x:0x%04x\n", id->idVendor, id->idProduct); + + devinfo = kzalloc(sizeof(*devinfo), GFP_ATOMIC); +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-316-wifi-rtw88-use-work-to-update-rate-to-avoid-RCU.patch b/patches.kernel.org/6.3.4-316-wifi-rtw88-use-work-to-update-rate-to-avoid-RCU.patch new file mode 100644 index 0000000..f6b304d --- /dev/null +++ b/patches.kernel.org/6.3.4-316-wifi-rtw88-use-work-to-update-rate-to-avoid-RCU.patch @@ -0,0 +1,146 @@ +From: Ping-Ke Shih +Date: Mon, 8 May 2023 16:54:29 +0800 +Subject: [PATCH] wifi: rtw88: use work to update rate to avoid RCU warning +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: bcafcb959a57a6890e900199690c5fc47da1a304 + +commit bcafcb959a57a6890e900199690c5fc47da1a304 upstream. + +The ieee80211_ops::sta_rc_update must be atomic, because +ieee80211_chan_bw_change() holds rcu_read lock while calling +drv_sta_rc_update(), so create a work to do original things. + + Voluntary context switch within RCU read-side critical section! + WARNING: CPU: 0 PID: 4621 at kernel/rcu/tree_plugin.h:318 + rcu_note_context_switch+0x571/0x5d0 + CPU: 0 PID: 4621 Comm: kworker/u16:2 Tainted: G W OE + Workqueue: phy3 ieee80211_chswitch_work [mac80211] + RIP: 0010:rcu_note_context_switch+0x571/0x5d0 + Call Trace: + + __schedule+0xb0/0x1460 + ? __mod_timer+0x116/0x360 + schedule+0x5a/0xc0 + schedule_timeout+0x87/0x150 + ? trace_raw_output_tick_stop+0x60/0x60 + wait_for_completion_timeout+0x7b/0x140 + usb_start_wait_urb+0x82/0x160 [usbcore + usb_control_msg+0xe3/0x140 [usbcore + rtw_usb_read+0x88/0xe0 [rtw_usb + rtw_usb_read8+0xf/0x10 [rtw_usb + rtw_fw_send_h2c_command+0xa0/0x170 [rtw_core + rtw_fw_send_ra_info+0xc9/0xf0 [rtw_core + drv_sta_rc_update+0x7c/0x160 [mac80211 + ieee80211_chan_bw_change+0xfb/0x110 [mac80211 + ieee80211_change_chanctx+0x38/0x130 [mac80211 + ieee80211_vif_use_reserved_switch+0x34e/0x900 [mac80211 + ieee80211_link_use_reserved_context+0x88/0xe0 [mac80211 + ieee80211_chswitch_work+0x95/0x170 [mac80211 + process_one_work+0x201/0x410 + worker_thread+0x4a/0x3b0 + ? process_one_work+0x410/0x410 + kthread+0xe1/0x110 + ? kthread_complete_and_exit+0x20/0x20 + ret_from_fork+0x1f/0x30 + + +Cc: stable@vger.kernel.org +Fixes: c1edc86472fc ("rtw88: add ieee80211:sta_rc_update ops") +Reported-by: Larry Finger +Link: https://lore.kernel.org/linux-wireless/f1e31e8e-f84e-3791-50fb-663a83c5c6e9@lwfinger.net/T/#t +Signed-off-by: Ping-Ke Shih +Tested-by: Larry Finger +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230508085429.46653-1-pkshih@realtek.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jiri Slaby +--- + drivers/net/wireless/realtek/rtw88/mac80211.c | 2 +- + drivers/net/wireless/realtek/rtw88/main.c | 15 +++++++++++++++ + drivers/net/wireless/realtek/rtw88/main.h | 3 +++ + 3 files changed, 19 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/realtek/rtw88/mac80211.c b/drivers/net/wireless/realtek/rtw88/mac80211.c +index 3b92ac61..e29ca5dc 100644 +--- a/drivers/net/wireless/realtek/rtw88/mac80211.c ++++ b/drivers/net/wireless/realtek/rtw88/mac80211.c +@@ -893,7 +893,7 @@ static void rtw_ops_sta_rc_update(struct ieee80211_hw *hw, + struct rtw_sta_info *si = (struct rtw_sta_info *)sta->drv_priv; + + if (changed & IEEE80211_RC_BW_CHANGED) +- rtw_update_sta_info(rtwdev, si, true); ++ ieee80211_queue_work(rtwdev->hw, &si->rc_work); + } + + const struct ieee80211_ops rtw_ops = { +diff --git a/drivers/net/wireless/realtek/rtw88/main.c b/drivers/net/wireless/realtek/rtw88/main.c +index b2e78737..76f7aade 100644 +--- a/drivers/net/wireless/realtek/rtw88/main.c ++++ b/drivers/net/wireless/realtek/rtw88/main.c +@@ -298,6 +298,17 @@ static u8 rtw_acquire_macid(struct rtw_dev *rtwdev) + return mac_id; + } + ++static void rtw_sta_rc_work(struct work_struct *work) ++{ ++ struct rtw_sta_info *si = container_of(work, struct rtw_sta_info, ++ rc_work); ++ struct rtw_dev *rtwdev = si->rtwdev; ++ ++ mutex_lock(&rtwdev->mutex); ++ rtw_update_sta_info(rtwdev, si, true); ++ mutex_unlock(&rtwdev->mutex); ++} ++ + int rtw_sta_add(struct rtw_dev *rtwdev, struct ieee80211_sta *sta, + struct ieee80211_vif *vif) + { +@@ -308,12 +319,14 @@ int rtw_sta_add(struct rtw_dev *rtwdev, struct ieee80211_sta *sta, + if (si->mac_id >= RTW_MAX_MAC_ID_NUM) + return -ENOSPC; + ++ si->rtwdev = rtwdev; + si->sta = sta; + si->vif = vif; + si->init_ra_lv = 1; + ewma_rssi_init(&si->avg_rssi); + for (i = 0; i < ARRAY_SIZE(sta->txq); i++) + rtw_txq_init(rtwdev, sta->txq[i]); ++ INIT_WORK(&si->rc_work, rtw_sta_rc_work); + + rtw_update_sta_info(rtwdev, si, true); + rtw_fw_media_status_report(rtwdev, si->mac_id, true); +@@ -332,6 +345,8 @@ void rtw_sta_remove(struct rtw_dev *rtwdev, struct ieee80211_sta *sta, + struct rtw_sta_info *si = (struct rtw_sta_info *)sta->drv_priv; + int i; + ++ cancel_work_sync(&si->rc_work); ++ + rtw_release_macid(rtwdev, si->mac_id); + if (fw_exist) + rtw_fw_media_status_report(rtwdev, si->mac_id, false); +diff --git a/drivers/net/wireless/realtek/rtw88/main.h b/drivers/net/wireless/realtek/rtw88/main.h +index d4a53d55..cdbcea28 100644 +--- a/drivers/net/wireless/realtek/rtw88/main.h ++++ b/drivers/net/wireless/realtek/rtw88/main.h +@@ -734,6 +734,7 @@ struct rtw_txq { + DECLARE_EWMA(rssi, 10, 16); + + struct rtw_sta_info { ++ struct rtw_dev *rtwdev; + struct ieee80211_sta *sta; + struct ieee80211_vif *vif; + +@@ -758,6 +759,8 @@ struct rtw_sta_info { + + bool use_cfg_mask; + struct cfg80211_bitrate_mask *mask; ++ ++ struct work_struct rc_work; + }; + + enum rtw_bfee_role { +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-317-wifi-rtw88-correct-qsel_to_ep-type-as-int.patch b/patches.kernel.org/6.3.4-317-wifi-rtw88-correct-qsel_to_ep-type-as-int.patch new file mode 100644 index 0000000..f282cdc --- /dev/null +++ b/patches.kernel.org/6.3.4-317-wifi-rtw88-correct-qsel_to_ep-type-as-int.patch @@ -0,0 +1,46 @@ +From: Ping-Ke Shih +Date: Mon, 8 May 2023 16:55:39 +0800 +Subject: [PATCH] wifi: rtw88: correct qsel_to_ep[] type as int +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 8e4942db5f5ed7b7d9690d93235b3ca49c5c59ce + +commit 8e4942db5f5ed7b7d9690d93235b3ca49c5c59ce upstream. + +qsel_to_ep[] can be assigned negative value, so change type from 'u8' to +'int'. Otherwise, Smatch static checker warns: + drivers/net/wireless/realtek/rtw88/usb.c:219 rtw_usb_parse() warn: + assigning (-22) to unsigned variable 'rtwusb->qsel_to_ep[8]' + +Cc: stable@vger.kernel.org +Fixes: a6f187f92bcc ("wifi: rtw88: usb: fix priority queue to endpoint mapping") +Reported-by: Dan Carpenter +Link: https://lore.kernel.org/linux-wireless/c3f70197-829d-48ed-ae15-66a9de80fa90@kili.mountain/ +Cc: Sascha Hauer +Signed-off-by: Ping-Ke Shih +Acked-by: Sascha Hauer +Tested-by: Larry Finger +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230508085539.46795-1-pkshih@realtek.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jiri Slaby +--- + drivers/net/wireless/realtek/rtw88/usb.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/realtek/rtw88/usb.h b/drivers/net/wireless/realtek/rtw88/usb.h +index 30647f0d..ad1d7955 100644 +--- a/drivers/net/wireless/realtek/rtw88/usb.h ++++ b/drivers/net/wireless/realtek/rtw88/usb.h +@@ -78,7 +78,7 @@ struct rtw_usb { + u8 pipe_interrupt; + u8 pipe_in; + u8 out_ep[RTW_USB_EP_MAX]; +- u8 qsel_to_ep[TX_DESC_QSEL_MAX]; ++ int qsel_to_ep[TX_DESC_QSEL_MAX]; + u8 usb_txagg_num; + + struct workqueue_struct *txwq, *rxwq; +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-318-SMB3-Close-all-deferred-handles-of-inode-in-cas.patch b/patches.kernel.org/6.3.4-318-SMB3-Close-all-deferred-handles-of-inode-in-cas.patch new file mode 100644 index 0000000..c0b5302 --- /dev/null +++ b/patches.kernel.org/6.3.4-318-SMB3-Close-all-deferred-handles-of-inode-in-cas.patch @@ -0,0 +1,70 @@ +From: Bharath SM +Date: Wed, 3 May 2023 14:38:35 +0000 +Subject: [PATCH] SMB3: Close all deferred handles of inode in case of handle + lease break +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 47592fa8eb03742048b096b4696ec133384c45eb + +commit 47592fa8eb03742048b096b4696ec133384c45eb upstream. + +Oplock break may occur for different file handle than the deferred +handle. Check for inode deferred closes list, if it's not empty then +close all the deferred handles of inode because we should not cache +handles if we dont have handle lease. + +Eg: If openfilelist has one deferred file handle and another open file +handle from app for a same file, then on a lease break we choose the +first handle in openfile list. The first handle in list can be deferred +handle or actual open file handle from app. In case if it is actual open +handle then today, we don't close deferred handles if we lose handle lease +on a file. Problem with this is, later if app decides to close the existing +open handle then we still be caching deferred handles until deferred close +timeout. Leaving open handle may result in sharing violation when windows +client tries to open a file with limited file share access. + +So we should check for deferred list of inode and walk through the list of +deferred files in inode and close all deferred files. + +Fixes: 9e31678fb403 ("SMB3: fix lease break timeout when multiple deferred close handles for the same file.") +Cc: stable@kernel.org +Signed-off-by: Bharath SM +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jiri Slaby +--- + fs/cifs/file.c | 9 +-------- + 1 file changed, 1 insertion(+), 8 deletions(-) + +diff --git a/fs/cifs/file.c b/fs/cifs/file.c +index c5fcefdf..e7868e47 100644 +--- a/fs/cifs/file.c ++++ b/fs/cifs/file.c +@@ -4882,8 +4882,6 @@ void cifs_oplock_break(struct work_struct *work) + struct TCP_Server_Info *server = tcon->ses->server; + int rc = 0; + bool purge_cache = false; +- struct cifs_deferred_close *dclose; +- bool is_deferred = false; + + wait_on_bit(&cinode->flags, CIFS_INODE_PENDING_WRITERS, + TASK_UNINTERRUPTIBLE); +@@ -4924,14 +4922,9 @@ void cifs_oplock_break(struct work_struct *work) + * file handles but cached, then schedule deferred close immediately. + * So, new open will not use cached handle. + */ +- spin_lock(&CIFS_I(inode)->deferred_lock); +- is_deferred = cifs_is_deferred_close(cfile, &dclose); +- spin_unlock(&CIFS_I(inode)->deferred_lock); + +- if (!CIFS_CACHE_HANDLE(cinode) && is_deferred && +- cfile->deferred_close_scheduled && delayed_work_pending(&cfile->deferred)) { ++ if (!CIFS_CACHE_HANDLE(cinode) && !list_empty(&cinode->deferred_closes)) + cifs_close_deferred_file(cinode); +- } + + /* + * releasing stale oplock after recent reconnect of smb session using +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-319-SMB3-drop-reference-to-cfile-before-sending-opl.patch b/patches.kernel.org/6.3.4-319-SMB3-drop-reference-to-cfile-before-sending-opl.patch new file mode 100644 index 0000000..c0a753c --- /dev/null +++ b/patches.kernel.org/6.3.4-319-SMB3-drop-reference-to-cfile-before-sending-opl.patch @@ -0,0 +1,140 @@ +From: Bharath SM +Date: Mon, 15 May 2023 21:25:12 +0000 +Subject: [PATCH] SMB3: drop reference to cfile before sending oplock break +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 59a556aebc43dded08535fe97d94ca3f657915e4 + +commit 59a556aebc43dded08535fe97d94ca3f657915e4 upstream. + +In cifs_oplock_break function we drop reference to a cfile at +the end of function, due to which close command goes on wire +after lease break acknowledgment even if file is already closed +by application but we had deferred the handle close. +If other client with limited file shareaccess waiting on lease +break ack proceeds operation on that file as soon as first client +sends ack, then we may encounter status sharing violation error +because of open handle. +Solution is to put reference to cfile(send close on wire if last ref) +and then send oplock acknowledgment to server. + +Fixes: 9e31678fb403 ("SMB3: fix lease break timeout when multiple deferred close handles for the same file.") +Cc: stable@kernel.org +Signed-off-by: Bharath SM +Reviewed-by: Shyam Prasad N +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jiri Slaby +--- + fs/cifs/cifsglob.h | 4 ++-- + fs/cifs/file.c | 17 ++++++++++++----- + fs/cifs/smb1ops.c | 9 ++++----- + fs/cifs/smb2ops.c | 7 +++---- + 4 files changed, 21 insertions(+), 16 deletions(-) + +diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h +index 414685c5..5f8fd209 100644 +--- a/fs/cifs/cifsglob.h ++++ b/fs/cifs/cifsglob.h +@@ -424,8 +424,8 @@ struct smb_version_operations { + /* check for STATUS_NETWORK_SESSION_EXPIRED */ + bool (*is_session_expired)(char *); + /* send oplock break response */ +- int (*oplock_response)(struct cifs_tcon *, struct cifs_fid *, +- struct cifsInodeInfo *); ++ int (*oplock_response)(struct cifs_tcon *tcon, __u64 persistent_fid, __u64 volatile_fid, ++ __u16 net_fid, struct cifsInodeInfo *cifs_inode); + /* query remote filesystem */ + int (*queryfs)(const unsigned int, struct cifs_tcon *, + struct cifs_sb_info *, struct kstatfs *); +diff --git a/fs/cifs/file.c b/fs/cifs/file.c +index e7868e47..ba7f2e09 100644 +--- a/fs/cifs/file.c ++++ b/fs/cifs/file.c +@@ -4881,7 +4881,9 @@ void cifs_oplock_break(struct work_struct *work) + struct cifs_tcon *tcon = tlink_tcon(cfile->tlink); + struct TCP_Server_Info *server = tcon->ses->server; + int rc = 0; +- bool purge_cache = false; ++ bool purge_cache = false, oplock_break_cancelled; ++ __u64 persistent_fid, volatile_fid; ++ __u16 net_fid; + + wait_on_bit(&cinode->flags, CIFS_INODE_PENDING_WRITERS, + TASK_UNINTERRUPTIBLE); +@@ -4926,19 +4928,24 @@ void cifs_oplock_break(struct work_struct *work) + if (!CIFS_CACHE_HANDLE(cinode) && !list_empty(&cinode->deferred_closes)) + cifs_close_deferred_file(cinode); + ++ persistent_fid = cfile->fid.persistent_fid; ++ volatile_fid = cfile->fid.volatile_fid; ++ net_fid = cfile->fid.netfid; ++ oplock_break_cancelled = cfile->oplock_break_cancelled; ++ ++ _cifsFileInfo_put(cfile, false /* do not wait for ourself */, false); + /* + * releasing stale oplock after recent reconnect of smb session using + * a now incorrect file handle is not a data integrity issue but do + * not bother sending an oplock release if session to server still is + * disconnected since oplock already released by the server + */ +- if (!cfile->oplock_break_cancelled) { +- rc = tcon->ses->server->ops->oplock_response(tcon, &cfile->fid, +- cinode); ++ if (!oplock_break_cancelled) { ++ rc = tcon->ses->server->ops->oplock_response(tcon, persistent_fid, ++ volatile_fid, net_fid, cinode); + cifs_dbg(FYI, "Oplock release rc = %d\n", rc); + } + +- _cifsFileInfo_put(cfile, false /* do not wait for ourself */, false); + cifs_done_oplock_break(cinode); + } + +diff --git a/fs/cifs/smb1ops.c b/fs/cifs/smb1ops.c +index abda6148..7d1b3fc0 100644 +--- a/fs/cifs/smb1ops.c ++++ b/fs/cifs/smb1ops.c +@@ -897,12 +897,11 @@ cifs_close_dir(const unsigned int xid, struct cifs_tcon *tcon, + } + + static int +-cifs_oplock_response(struct cifs_tcon *tcon, struct cifs_fid *fid, +- struct cifsInodeInfo *cinode) ++cifs_oplock_response(struct cifs_tcon *tcon, __u64 persistent_fid, ++ __u64 volatile_fid, __u16 net_fid, struct cifsInodeInfo *cinode) + { +- return CIFSSMBLock(0, tcon, fid->netfid, current->tgid, 0, 0, 0, 0, +- LOCKING_ANDX_OPLOCK_RELEASE, false, +- CIFS_CACHE_READ(cinode) ? 1 : 0); ++ return CIFSSMBLock(0, tcon, net_fid, current->tgid, 0, 0, 0, 0, ++ LOCKING_ANDX_OPLOCK_RELEASE, false, CIFS_CACHE_READ(cinode) ? 1 : 0); + } + + static int +diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c +index a295e4c2..50653986 100644 +--- a/fs/cifs/smb2ops.c ++++ b/fs/cifs/smb2ops.c +@@ -2383,15 +2383,14 @@ smb2_is_network_name_deleted(char *buf, struct TCP_Server_Info *server) + } + + static int +-smb2_oplock_response(struct cifs_tcon *tcon, struct cifs_fid *fid, +- struct cifsInodeInfo *cinode) ++smb2_oplock_response(struct cifs_tcon *tcon, __u64 persistent_fid, ++ __u64 volatile_fid, __u16 net_fid, struct cifsInodeInfo *cinode) + { + if (tcon->ses->server->capabilities & SMB2_GLOBAL_CAP_LEASING) + return SMB2_lease_break(0, tcon, cinode->lease_key, + smb2_get_lease_state(cinode)); + +- return SMB2_oplock_break(0, tcon, fid->persistent_fid, +- fid->volatile_fid, ++ return SMB2_oplock_break(0, tcon, persistent_fid, volatile_fid, + CIFS_CACHE_READ(cinode) ? 1 : 0); + } + +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-320-ksmbd-smb2-Allow-messages-padded-to-8byte-bound.patch b/patches.kernel.org/6.3.4-320-ksmbd-smb2-Allow-messages-padded-to-8byte-bound.patch new file mode 100644 index 0000000..c4d183e --- /dev/null +++ b/patches.kernel.org/6.3.4-320-ksmbd-smb2-Allow-messages-padded-to-8byte-bound.patch @@ -0,0 +1,48 @@ +From: Gustav Johansson +Date: Sat, 6 May 2023 00:05:07 +0900 +Subject: [PATCH] ksmbd: smb2: Allow messages padded to 8byte boundary +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: e7b8b8ed9960bf699bf4029f482d9e869c094ed6 + +commit e7b8b8ed9960bf699bf4029f482d9e869c094ed6 upstream. + +clc length is now accepted to <= 8 less than length, +rather than < 8. + +Solve issues on some of Axis's smb clients which send +messages where clc length is 8 bytes less than length. + +The specific client was running kernel 4.19.217 with +smb dialect 3.0.2 on armv7l. + +Cc: stable@vger.kernel.org +Signed-off-by: Gustav Johansson +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jiri Slaby +--- + fs/ksmbd/smb2misc.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/fs/ksmbd/smb2misc.c b/fs/ksmbd/smb2misc.c +index fbdde426..0ffe663b 100644 +--- a/fs/ksmbd/smb2misc.c ++++ b/fs/ksmbd/smb2misc.c +@@ -416,8 +416,11 @@ int ksmbd_smb2_check_message(struct ksmbd_work *work) + + /* + * Allow a message that padded to 8byte boundary. ++ * Linux 4.19.217 with smb 3.0.2 are sometimes ++ * sending messages where the cls_len is exactly ++ * 8 bytes less than len. + */ +- if (clc_len < len && (len - clc_len) < 8) ++ if (clc_len < len && (len - clc_len) <= 8) + goto validate_credit; + + pr_err_ratelimited( +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-321-ksmbd-allocate-one-more-byte-for-implied-bcc-0.patch b/patches.kernel.org/6.3.4-321-ksmbd-allocate-one-more-byte-for-implied-bcc-0.patch new file mode 100644 index 0000000..af5578c --- /dev/null +++ b/patches.kernel.org/6.3.4-321-ksmbd-allocate-one-more-byte-for-implied-bcc-0.patch @@ -0,0 +1,40 @@ +From: Chih-Yen Chang +Date: Sat, 6 May 2023 00:03:54 +0900 +Subject: [PATCH] ksmbd: allocate one more byte for implied bcc[0] +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 443d61d1fa9faa60ef925513d83742902390100f + +commit 443d61d1fa9faa60ef925513d83742902390100f upstream. + +ksmbd_smb2_check_message allows client to return one byte more, so we +need to allocate additional memory in ksmbd_conn_handler_loop to avoid +out-of-bound access. + +Cc: stable@vger.kernel.org +Signed-off-by: Chih-Yen Chang +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jiri Slaby +--- + fs/ksmbd/connection.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/ksmbd/connection.c b/fs/ksmbd/connection.c +index 4ed379f9..4882a812 100644 +--- a/fs/ksmbd/connection.c ++++ b/fs/ksmbd/connection.c +@@ -351,7 +351,8 @@ int ksmbd_conn_handler_loop(void *p) + break; + + /* 4 for rfc1002 length field */ +- size = pdu_size + 4; ++ /* 1 for implied bcc[0] */ ++ size = pdu_size + 4 + 1; + conn->request_buf = kvmalloc(size, GFP_KERNEL); + if (!conn->request_buf) + break; +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-322-ksmbd-fix-wrong-UserName-check-in-session_user.patch b/patches.kernel.org/6.3.4-322-ksmbd-fix-wrong-UserName-check-in-session_user.patch new file mode 100644 index 0000000..50478a4 --- /dev/null +++ b/patches.kernel.org/6.3.4-322-ksmbd-fix-wrong-UserName-check-in-session_user.patch @@ -0,0 +1,69 @@ +From: Chih-Yen Chang +Date: Sat, 6 May 2023 00:01:54 +0900 +Subject: [PATCH] ksmbd: fix wrong UserName check in session_user +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: f0a96d1aafd8964e1f9955c830a3e5cb3c60a90f + +commit f0a96d1aafd8964e1f9955c830a3e5cb3c60a90f upstream. + +The offset of UserName is related to the address of security +buffer. To ensure the validaty of UserName, we need to compare name_off ++ name_len with secbuf_len instead of auth_msg_len. + +[ 27.096243] ================================================================== +[ 27.096890] BUG: KASAN: slab-out-of-bounds in smb_strndup_from_utf16+0x188/0x350 +[ 27.097609] Read of size 2 at addr ffff888005e3b542 by task kworker/0:0/7 +... +[ 27.099950] Call Trace: +[ 27.100194] +[ 27.100397] dump_stack_lvl+0x33/0x50 +[ 27.100752] print_report+0xcc/0x620 +[ 27.102305] kasan_report+0xae/0xe0 +[ 27.103072] kasan_check_range+0x35/0x1b0 +[ 27.103757] smb_strndup_from_utf16+0x188/0x350 +[ 27.105474] smb2_sess_setup+0xaf8/0x19c0 +[ 27.107935] handle_ksmbd_work+0x274/0x810 +[ 27.108315] process_one_work+0x419/0x760 +[ 27.108689] worker_thread+0x2a2/0x6f0 +[ 27.109385] kthread+0x160/0x190 +[ 27.110129] ret_from_fork+0x1f/0x30 +[ 27.110454] + +Cc: stable@vger.kernel.org +Signed-off-by: Chih-Yen Chang +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jiri Slaby +--- + fs/ksmbd/smb2pdu.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c +index da66abc7..c652cea7 100644 +--- a/fs/ksmbd/smb2pdu.c ++++ b/fs/ksmbd/smb2pdu.c +@@ -1384,7 +1384,7 @@ static struct ksmbd_user *session_user(struct ksmbd_conn *conn, + struct authenticate_message *authblob; + struct ksmbd_user *user; + char *name; +- unsigned int auth_msg_len, name_off, name_len, secbuf_len; ++ unsigned int name_off, name_len, secbuf_len; + + secbuf_len = le16_to_cpu(req->SecurityBufferLength); + if (secbuf_len < sizeof(struct authenticate_message)) { +@@ -1394,9 +1394,8 @@ static struct ksmbd_user *session_user(struct ksmbd_conn *conn, + authblob = user_authblob(conn, req); + name_off = le32_to_cpu(authblob->UserName.BufferOffset); + name_len = le16_to_cpu(authblob->UserName.Length); +- auth_msg_len = le16_to_cpu(req->SecurityBufferOffset) + secbuf_len; + +- if (auth_msg_len < (u64)name_off + name_len) ++ if (secbuf_len < (u64)name_off + name_len) + return NULL; + + name = smb_strndup_from_utf16((const char *)authblob + name_off, +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-323-ksmbd-fix-global-out-of-bounds-in-smb2_find_con.patch b/patches.kernel.org/6.3.4-323-ksmbd-fix-global-out-of-bounds-in-smb2_find_con.patch new file mode 100644 index 0000000..504747f --- /dev/null +++ b/patches.kernel.org/6.3.4-323-ksmbd-fix-global-out-of-bounds-in-smb2_find_con.patch @@ -0,0 +1,154 @@ +From: Chih-Yen Chang +Date: Sun, 14 May 2023 12:05:05 +0900 +Subject: [PATCH] ksmbd: fix global-out-of-bounds in smb2_find_context_vals +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 02f76c401d17e409ed45bf7887148fcc22c93c85 + +commit 02f76c401d17e409ed45bf7887148fcc22c93c85 upstream. + +Add tag_len argument in smb2_find_context_vals() to avoid out-of-bound +read when create_context's name_len is larger than tag length. + +[ 7.995411] ================================================================== +[ 7.995866] BUG: KASAN: global-out-of-bounds in memcmp+0x83/0xa0 +[ 7.996248] Read of size 8 at addr ffffffff8258d940 by task kworker/0:0/7 +... +[ 7.998191] Call Trace: +[ 7.998358] +[ 7.998503] dump_stack_lvl+0x33/0x50 +[ 7.998743] print_report+0xcc/0x620 +[ 7.999458] kasan_report+0xae/0xe0 +[ 7.999895] kasan_check_range+0x35/0x1b0 +[ 8.000152] memcmp+0x83/0xa0 +[ 8.000347] smb2_find_context_vals+0xf7/0x1e0 +[ 8.000635] smb2_open+0x1df2/0x43a0 +[ 8.006398] handle_ksmbd_work+0x274/0x810 +[ 8.006666] process_one_work+0x419/0x760 +[ 8.006922] worker_thread+0x2a2/0x6f0 +[ 8.007429] kthread+0x160/0x190 +[ 8.007946] ret_from_fork+0x1f/0x30 +[ 8.008181] + +Cc: stable@vger.kernel.org +Signed-off-by: Chih-Yen Chang +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jiri Slaby +--- + fs/ksmbd/oplock.c | 5 +++-- + fs/ksmbd/oplock.h | 2 +- + fs/ksmbd/smb2pdu.c | 14 +++++++------- + 3 files changed, 11 insertions(+), 10 deletions(-) + +diff --git a/fs/ksmbd/oplock.c b/fs/ksmbd/oplock.c +index 2e54ded4..6d1ccb99 100644 +--- a/fs/ksmbd/oplock.c ++++ b/fs/ksmbd/oplock.c +@@ -1449,11 +1449,12 @@ struct lease_ctx_info *parse_lease_state(void *open_req) + * smb2_find_context_vals() - find a particular context info in open request + * @open_req: buffer containing smb2 file open(create) request + * @tag: context name to search for ++ * @tag_len: the length of tag + * + * Return: pointer to requested context, NULL if @str context not found + * or error pointer if name length is invalid. + */ +-struct create_context *smb2_find_context_vals(void *open_req, const char *tag) ++struct create_context *smb2_find_context_vals(void *open_req, const char *tag, int tag_len) + { + struct create_context *cc; + unsigned int next = 0; +@@ -1492,7 +1493,7 @@ struct create_context *smb2_find_context_vals(void *open_req, const char *tag) + return ERR_PTR(-EINVAL); + + name = (char *)cc + name_off; +- if (memcmp(name, tag, name_len) == 0) ++ if (name_len == tag_len && !memcmp(name, tag, name_len)) + return cc; + + remain_len -= next; +diff --git a/fs/ksmbd/oplock.h b/fs/ksmbd/oplock.h +index 09753448..4b0fe6da 100644 +--- a/fs/ksmbd/oplock.h ++++ b/fs/ksmbd/oplock.h +@@ -118,7 +118,7 @@ void create_durable_v2_rsp_buf(char *cc, struct ksmbd_file *fp); + void create_mxac_rsp_buf(char *cc, int maximal_access); + void create_disk_id_rsp_buf(char *cc, __u64 file_id, __u64 vol_id); + void create_posix_rsp_buf(char *cc, struct ksmbd_file *fp); +-struct create_context *smb2_find_context_vals(void *open_req, const char *str); ++struct create_context *smb2_find_context_vals(void *open_req, const char *tag, int tag_len); + struct oplock_info *lookup_lease_in_table(struct ksmbd_conn *conn, + char *lease_key); + int find_same_lease_key(struct ksmbd_session *sess, struct ksmbd_inode *ci, +diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c +index c652cea7..cca593e3 100644 +--- a/fs/ksmbd/smb2pdu.c ++++ b/fs/ksmbd/smb2pdu.c +@@ -2491,7 +2491,7 @@ static int smb2_create_sd_buffer(struct ksmbd_work *work, + return -ENOENT; + + /* Parse SD BUFFER create contexts */ +- context = smb2_find_context_vals(req, SMB2_CREATE_SD_BUFFER); ++ context = smb2_find_context_vals(req, SMB2_CREATE_SD_BUFFER, 4); + if (!context) + return -ENOENT; + else if (IS_ERR(context)) +@@ -2693,7 +2693,7 @@ int smb2_open(struct ksmbd_work *work) + + if (req->CreateContextsOffset) { + /* Parse non-durable handle create contexts */ +- context = smb2_find_context_vals(req, SMB2_CREATE_EA_BUFFER); ++ context = smb2_find_context_vals(req, SMB2_CREATE_EA_BUFFER, 4); + if (IS_ERR(context)) { + rc = PTR_ERR(context); + goto err_out1; +@@ -2713,7 +2713,7 @@ int smb2_open(struct ksmbd_work *work) + } + + context = smb2_find_context_vals(req, +- SMB2_CREATE_QUERY_MAXIMAL_ACCESS_REQUEST); ++ SMB2_CREATE_QUERY_MAXIMAL_ACCESS_REQUEST, 4); + if (IS_ERR(context)) { + rc = PTR_ERR(context); + goto err_out1; +@@ -2724,7 +2724,7 @@ int smb2_open(struct ksmbd_work *work) + } + + context = smb2_find_context_vals(req, +- SMB2_CREATE_TIMEWARP_REQUEST); ++ SMB2_CREATE_TIMEWARP_REQUEST, 4); + if (IS_ERR(context)) { + rc = PTR_ERR(context); + goto err_out1; +@@ -2736,7 +2736,7 @@ int smb2_open(struct ksmbd_work *work) + + if (tcon->posix_extensions) { + context = smb2_find_context_vals(req, +- SMB2_CREATE_TAG_POSIX); ++ SMB2_CREATE_TAG_POSIX, 16); + if (IS_ERR(context)) { + rc = PTR_ERR(context); + goto err_out1; +@@ -3135,7 +3135,7 @@ int smb2_open(struct ksmbd_work *work) + struct create_alloc_size_req *az_req; + + az_req = (struct create_alloc_size_req *)smb2_find_context_vals(req, +- SMB2_CREATE_ALLOCATION_SIZE); ++ SMB2_CREATE_ALLOCATION_SIZE, 4); + if (IS_ERR(az_req)) { + rc = PTR_ERR(az_req); + goto err_out; +@@ -3162,7 +3162,7 @@ int smb2_open(struct ksmbd_work *work) + err); + } + +- context = smb2_find_context_vals(req, SMB2_CREATE_QUERY_ON_DISK_ID); ++ context = smb2_find_context_vals(req, SMB2_CREATE_QUERY_ON_DISK_ID, 4); + if (IS_ERR(context)) { + rc = PTR_ERR(context); + goto err_out; +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-324-KVM-arm64-Infer-the-PA-offset-from-IPA-in-stage.patch b/patches.kernel.org/6.3.4-324-KVM-arm64-Infer-the-PA-offset-from-IPA-in-stage.patch new file mode 100644 index 0000000..174de8b --- /dev/null +++ b/patches.kernel.org/6.3.4-324-KVM-arm64-Infer-the-PA-offset-from-IPA-in-stage.patch @@ -0,0 +1,163 @@ +From: Oliver Upton +Date: Fri, 21 Apr 2023 07:16:05 +0000 +Subject: [PATCH] KVM: arm64: Infer the PA offset from IPA in stage-2 map + walker +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 1f0f4a2ef7a5693b135ce174e71f116db4bd684d + +commit 1f0f4a2ef7a5693b135ce174e71f116db4bd684d upstream. + +Until now, the page table walker counted increments to the PA and IPA +of a walk in two separate places. While the PA is incremented as soon as +a leaf PTE is installed in stage2_map_walker_try_leaf(), the IPA is +actually bumped in the generic table walker context. Critically, +__kvm_pgtable_visit() rereads the PTE after the LEAF callback returns +to work out if a table or leaf was installed, and only bumps the IPA for +a leaf PTE. + +This arrangement worked fine when we handled faults behind the write lock, +as the walker had exclusive access to the stage-2 page tables. However, +commit 1577cb5823ce ("KVM: arm64: Handle stage-2 faults in parallel") +started handling all stage-2 faults behind the read lock, opening up a +race where a walker could increment the PA but not the IPA of a walk. +Nothing good ensues, as the walker starts mapping with the incorrect +IPA -> PA relationship. + +For example, assume that two vCPUs took a data abort on the same IPA. +One observes that dirty logging is disabled, and the other observed that +it is enabled: + + vCPU attempting PMD mapping vCPU attempting PTE mapping + ====================================== ===================================== + /* install PMD */ + stage2_make_pte(ctx, leaf); + data->phys += granule; + /* replace PMD with a table */ + stage2_try_break_pte(ctx, data->mmu); + stage2_make_pte(ctx, table); + /* table is observed */ + ctx.old = READ_ONCE(*ptep); + table = kvm_pte_table(ctx.old, level); + + /* + * map walk continues w/o incrementing + * IPA. + */ + __kvm_pgtable_walk(..., level + 1); + +Bring an end to the whole mess by using the IPA as the single source of +truth for how far along a walk has gotten. Work out the correct PA to +map by calculating the IPA offset from the beginning of the walk and add +that to the starting physical address. + +Cc: stable@vger.kernel.org +Fixes: 1577cb5823ce ("KVM: arm64: Handle stage-2 faults in parallel") +Signed-off-by: Oliver Upton +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/20230421071606.1603916-2-oliver.upton@linux.dev +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jiri Slaby +--- + arch/arm64/include/asm/kvm_pgtable.h | 1 + + arch/arm64/kvm/hyp/pgtable.c | 32 ++++++++++++++++++++++++---- + 2 files changed, 29 insertions(+), 4 deletions(-) + +diff --git a/arch/arm64/include/asm/kvm_pgtable.h b/arch/arm64/include/asm/kvm_pgtable.h +index 4cd6762b..dc3c072e 100644 +--- a/arch/arm64/include/asm/kvm_pgtable.h ++++ b/arch/arm64/include/asm/kvm_pgtable.h +@@ -209,6 +209,7 @@ struct kvm_pgtable_visit_ctx { + kvm_pte_t old; + void *arg; + struct kvm_pgtable_mm_ops *mm_ops; ++ u64 start; + u64 addr; + u64 end; + u32 level; +diff --git a/arch/arm64/kvm/hyp/pgtable.c b/arch/arm64/kvm/hyp/pgtable.c +index 3d61bd3e..140f8230 100644 +--- a/arch/arm64/kvm/hyp/pgtable.c ++++ b/arch/arm64/kvm/hyp/pgtable.c +@@ -58,6 +58,7 @@ + struct kvm_pgtable_walk_data { + struct kvm_pgtable_walker *walker; + ++ u64 start; + u64 addr; + u64 end; + }; +@@ -201,6 +202,7 @@ static inline int __kvm_pgtable_visit(struct kvm_pgtable_walk_data *data, + .old = READ_ONCE(*ptep), + .arg = data->walker->arg, + .mm_ops = mm_ops, ++ .start = data->start, + .addr = data->addr, + .end = data->end, + .level = level, +@@ -293,6 +295,7 @@ int kvm_pgtable_walk(struct kvm_pgtable *pgt, u64 addr, u64 size, + struct kvm_pgtable_walker *walker) + { + struct kvm_pgtable_walk_data walk_data = { ++ .start = ALIGN_DOWN(addr, PAGE_SIZE), + .addr = ALIGN_DOWN(addr, PAGE_SIZE), + .end = PAGE_ALIGN(walk_data.addr + size), + .walker = walker, +@@ -794,20 +797,43 @@ static bool stage2_pte_executable(kvm_pte_t pte) + return !(pte & KVM_PTE_LEAF_ATTR_HI_S2_XN); + } + ++static u64 stage2_map_walker_phys_addr(const struct kvm_pgtable_visit_ctx *ctx, ++ const struct stage2_map_data *data) ++{ ++ u64 phys = data->phys; ++ ++ /* ++ * Stage-2 walks to update ownership data are communicated to the map ++ * walker using an invalid PA. Avoid offsetting an already invalid PA, ++ * which could overflow and make the address valid again. ++ */ ++ if (!kvm_phys_is_valid(phys)) ++ return phys; ++ ++ /* ++ * Otherwise, work out the correct PA based on how far the walk has ++ * gotten. ++ */ ++ return phys + (ctx->addr - ctx->start); ++} ++ + static bool stage2_leaf_mapping_allowed(const struct kvm_pgtable_visit_ctx *ctx, + struct stage2_map_data *data) + { ++ u64 phys = stage2_map_walker_phys_addr(ctx, data); ++ + if (data->force_pte && (ctx->level < (KVM_PGTABLE_MAX_LEVELS - 1))) + return false; + +- return kvm_block_mapping_supported(ctx, data->phys); ++ return kvm_block_mapping_supported(ctx, phys); + } + + static int stage2_map_walker_try_leaf(const struct kvm_pgtable_visit_ctx *ctx, + struct stage2_map_data *data) + { + kvm_pte_t new; +- u64 granule = kvm_granule_size(ctx->level), phys = data->phys; ++ u64 phys = stage2_map_walker_phys_addr(ctx, data); ++ u64 granule = kvm_granule_size(ctx->level); + struct kvm_pgtable *pgt = data->mmu->pgt; + struct kvm_pgtable_mm_ops *mm_ops = ctx->mm_ops; + +@@ -841,8 +867,6 @@ static int stage2_map_walker_try_leaf(const struct kvm_pgtable_visit_ctx *ctx, + + stage2_make_pte(ctx, new); + +- if (kvm_phys_is_valid(phys)) +- data->phys += granule; + return 0; + } + +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-325-KVM-Fix-vcpu_array-0-races.patch b/patches.kernel.org/6.3.4-325-KVM-Fix-vcpu_array-0-races.patch new file mode 100644 index 0000000..e9573e9 --- /dev/null +++ b/patches.kernel.org/6.3.4-325-KVM-Fix-vcpu_array-0-races.patch @@ -0,0 +1,111 @@ +From: Michal Luczaj +Date: Wed, 10 May 2023 16:04:09 +0200 +Subject: [PATCH] KVM: Fix vcpu_array[0] races +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: afb2acb2e3a32e4d56f7fbd819769b98ed1b7520 + +commit afb2acb2e3a32e4d56f7fbd819769b98ed1b7520 upstream. + +In kvm_vm_ioctl_create_vcpu(), add vcpu to vcpu_array iff it's safe to +access vcpu via kvm_get_vcpu() and kvm_for_each_vcpu(), i.e. when there's +no failure path requiring vcpu removal and destruction. Such order is +important because vcpu_array accessors may end up referencing vcpu at +vcpu_array[0] even before online_vcpus is set to 1. + +When online_vcpus=0, any call to kvm_get_vcpu() goes through +array_index_nospec() and ends with an attempt to xa_load(vcpu_array, 0): + + int num_vcpus = atomic_read(&kvm->online_vcpus); + i = array_index_nospec(i, num_vcpus); + return xa_load(&kvm->vcpu_array, i); + +Similarly, when online_vcpus=0, a kvm_for_each_vcpu() does not iterate over +an "empty" range, but actually [0, ULONG_MAX]: + + xa_for_each_range(&kvm->vcpu_array, idx, vcpup, 0, \ + (atomic_read(&kvm->online_vcpus) - 1)) + +In both cases, such online_vcpus=0 edge case, even if leading to +unnecessary calls to XArray API, should not be an issue; requesting +unpopulated indexes/ranges is handled by xa_load() and xa_for_each_range(). + +However, this means that when the first vCPU is created and inserted in +vcpu_array *and* before online_vcpus is incremented, code calling +kvm_get_vcpu()/kvm_for_each_vcpu() already has access to that first vCPU. + +This should not pose a problem assuming that once a vcpu is stored in +vcpu_array, it will remain there, but that's not the case: +kvm_vm_ioctl_create_vcpu() first inserts to vcpu_array, then requests a +file descriptor. If create_vcpu_fd() fails, newly inserted vcpu is removed +from the vcpu_array, then destroyed: + + vcpu->vcpu_idx = atomic_read(&kvm->online_vcpus); + r = xa_insert(&kvm->vcpu_array, vcpu->vcpu_idx, vcpu, GFP_KERNEL_ACCOUNT); + kvm_get_kvm(kvm); + r = create_vcpu_fd(vcpu); + if (r < 0) { + xa_erase(&kvm->vcpu_array, vcpu->vcpu_idx); + kvm_put_kvm_no_destroy(kvm); + goto unlock_vcpu_destroy; + } + atomic_inc(&kvm->online_vcpus); + +This results in a possible race condition when a reference to a vcpu is +acquired (via kvm_get_vcpu() or kvm_for_each_vcpu()) moments before said +vcpu is destroyed. + +Signed-off-by: Michal Luczaj +Message-Id: <20230510140410.1093987-2-mhal@rbox.co> +Cc: stable@vger.kernel.org +Fixes: c5b077549136 ("KVM: Convert the kvm->vcpus array to a xarray", 2021-12-08) +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jiri Slaby +--- + virt/kvm/kvm_main.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c +index b1679d08..4ec97f72 100644 +--- a/virt/kvm/kvm_main.c ++++ b/virt/kvm/kvm_main.c +@@ -3959,18 +3959,19 @@ static int kvm_vm_ioctl_create_vcpu(struct kvm *kvm, u32 id) + } + + vcpu->vcpu_idx = atomic_read(&kvm->online_vcpus); +- r = xa_insert(&kvm->vcpu_array, vcpu->vcpu_idx, vcpu, GFP_KERNEL_ACCOUNT); +- BUG_ON(r == -EBUSY); ++ r = xa_reserve(&kvm->vcpu_array, vcpu->vcpu_idx, GFP_KERNEL_ACCOUNT); + if (r) + goto unlock_vcpu_destroy; + + /* Now it's all set up, let userspace reach it */ + kvm_get_kvm(kvm); + r = create_vcpu_fd(vcpu); +- if (r < 0) { +- xa_erase(&kvm->vcpu_array, vcpu->vcpu_idx); +- kvm_put_kvm_no_destroy(kvm); +- goto unlock_vcpu_destroy; ++ if (r < 0) ++ goto kvm_put_xa_release; ++ ++ if (KVM_BUG_ON(!!xa_store(&kvm->vcpu_array, vcpu->vcpu_idx, vcpu, 0), kvm)) { ++ r = -EINVAL; ++ goto kvm_put_xa_release; + } + + /* +@@ -3985,6 +3986,9 @@ static int kvm_vm_ioctl_create_vcpu(struct kvm *kvm, u32 id) + kvm_create_vcpu_debugfs(vcpu); + return r; + ++kvm_put_xa_release: ++ kvm_put_kvm_no_destroy(kvm); ++ xa_release(&kvm->vcpu_array, vcpu->vcpu_idx); + unlock_vcpu_destroy: + mutex_unlock(&kvm->lock); + kvm_dirty_ring_free(&vcpu->dirty_ring); +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-326-statfs-enforce-statfs-64-structure-initializati.patch b/patches.kernel.org/6.3.4-326-statfs-enforce-statfs-64-structure-initializati.patch new file mode 100644 index 0000000..7d8db78 --- /dev/null +++ b/patches.kernel.org/6.3.4-326-statfs-enforce-statfs-64-structure-initializati.patch @@ -0,0 +1,68 @@ +From: Ilya Leoshkevich +Date: Thu, 4 May 2023 16:40:20 +0200 +Subject: [PATCH] statfs: enforce statfs[64] structure initialization +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: ed40866ec7d328b3dfb70db7e2011640a16202c3 + +commit ed40866ec7d328b3dfb70db7e2011640a16202c3 upstream. + +s390's struct statfs and struct statfs64 contain padding, which +field-by-field copying does not set. Initialize the respective structs +with zeros before filling them and copying them to userspace, like it's +already done for the compat versions of these structs. + +Found by KMSAN. + +[agordeev@linux.ibm.com: fixed typo in patch description] +Acked-by: Heiko Carstens +Cc: stable@vger.kernel.org # v4.14+ +Signed-off-by: Ilya Leoshkevich +Reviewed-by: Andrew Morton +Link: https://lore.kernel.org/r/20230504144021.808932-2-iii@linux.ibm.com +Signed-off-by: Alexander Gordeev +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jiri Slaby +--- + fs/statfs.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/statfs.c b/fs/statfs.c +index 0ba34c13..96d1c3ed 100644 +--- a/fs/statfs.c ++++ b/fs/statfs.c +@@ -130,6 +130,7 @@ static int do_statfs_native(struct kstatfs *st, struct statfs __user *p) + if (sizeof(buf) == sizeof(*st)) + memcpy(&buf, st, sizeof(*st)); + else { ++ memset(&buf, 0, sizeof(buf)); + if (sizeof buf.f_blocks == 4) { + if ((st->f_blocks | st->f_bfree | st->f_bavail | + st->f_bsize | st->f_frsize) & +@@ -158,7 +159,6 @@ static int do_statfs_native(struct kstatfs *st, struct statfs __user *p) + buf.f_namelen = st->f_namelen; + buf.f_frsize = st->f_frsize; + buf.f_flags = st->f_flags; +- memset(buf.f_spare, 0, sizeof(buf.f_spare)); + } + if (copy_to_user(p, &buf, sizeof(buf))) + return -EFAULT; +@@ -171,6 +171,7 @@ static int do_statfs64(struct kstatfs *st, struct statfs64 __user *p) + if (sizeof(buf) == sizeof(*st)) + memcpy(&buf, st, sizeof(*st)); + else { ++ memset(&buf, 0, sizeof(buf)); + buf.f_type = st->f_type; + buf.f_bsize = st->f_bsize; + buf.f_blocks = st->f_blocks; +@@ -182,7 +183,6 @@ static int do_statfs64(struct kstatfs *st, struct statfs64 __user *p) + buf.f_namelen = st->f_namelen; + buf.f_frsize = st->f_frsize; + buf.f_flags = st->f_flags; +- memset(buf.f_spare, 0, sizeof(buf.f_spare)); + } + if (copy_to_user(p, &buf, sizeof(buf))) + return -EFAULT; +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-327-maple_tree-make-maple-state-reusable-after-mas_.patch b/patches.kernel.org/6.3.4-327-maple_tree-make-maple-state-reusable-after-mas_.patch new file mode 100644 index 0000000..3a50f56 --- /dev/null +++ b/patches.kernel.org/6.3.4-327-maple_tree-make-maple-state-reusable-after-mas_.patch @@ -0,0 +1,61 @@ +From: Peng Zhang +Date: Fri, 5 May 2023 22:58:29 +0800 +Subject: [PATCH] maple_tree: make maple state reusable after mas_empty_area() +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 0257d9908d38c0b1669af4bb1bc4dbca1f273fe6 + +commit 0257d9908d38c0b1669af4bb1bc4dbca1f273fe6 upstream. + +Make mas->min and mas->max point to a node range instead of a leaf entry +range. This allows mas to still be usable after mas_empty_area() returns. +Users would get unexpected results from other operations on the maple +state after calling the affected function. + +For example, x86 MAP_32BIT mmap() acts as if there is no suitable gap when +there should be one. + +Link: https://lkml.kernel.org/r/20230505145829.74574-1-zhangpeng.00@bytedance.com +Fixes: 54a611b60590 ("Maple Tree: add new data structure") +Signed-off-by: Peng Zhang +Reported-by: "Edgecombe, Rick P" +Reported-by: Tad +Reported-by: Michael Keyes + Link: https://lore.kernel.org/linux-mm/32f156ba80010fd97dbaf0a0cdfc84366608624d.camel@intel.com/ + Link: https://lore.kernel.org/linux-mm/e6108286ac025c268964a7ead3aab9899f9bc6e9.camel@spotco.us/ +Reviewed-by: Liam R. Howlett +Tested-by: Rick Edgecombe +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jiri Slaby +--- + lib/maple_tree.c | 12 +++--------- + 1 file changed, 3 insertions(+), 9 deletions(-) + +diff --git a/lib/maple_tree.c b/lib/maple_tree.c +index 1281a40d..a614129d 100644 +--- a/lib/maple_tree.c ++++ b/lib/maple_tree.c +@@ -5340,15 +5340,9 @@ int mas_empty_area(struct ma_state *mas, unsigned long min, + + mt = mte_node_type(mas->node); + pivots = ma_pivots(mas_mn(mas), mt); +- if (offset) +- mas->min = pivots[offset - 1] + 1; +- +- if (offset < mt_pivots[mt]) +- mas->max = pivots[offset]; +- +- if (mas->index < mas->min) +- mas->index = mas->min; +- ++ min = mas_safe_min(mas, pivots, offset); ++ if (mas->index < min) ++ mas->index = min; + mas->last = mas->index + size - 1; + return 0; + } +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-328-mm-fix-zswap-writeback-race-condition.patch b/patches.kernel.org/6.3.4-328-mm-fix-zswap-writeback-race-condition.patch new file mode 100644 index 0000000..430c5f9 --- /dev/null +++ b/patches.kernel.org/6.3.4-328-mm-fix-zswap-writeback-race-condition.patch @@ -0,0 +1,98 @@ +From: Domenico Cerasuolo +Date: Wed, 3 May 2023 17:12:00 +0200 +Subject: [PATCH] mm: fix zswap writeback race condition +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 04fc7816089c5a32c29a04ec94b998e219dfb946 + +commit 04fc7816089c5a32c29a04ec94b998e219dfb946 upstream. + +The zswap writeback mechanism can cause a race condition resulting in +memory corruption, where a swapped out page gets swapped in with data that +was written to a different page. + +The race unfolds like this: +1. a page with data A and swap offset X is stored in zswap +2. page A is removed off the LRU by zpool driver for writeback in + zswap-shrink work, data for A is mapped by zpool driver +3. user space program faults and invalidates page entry A, offset X is + considered free +4. kswapd stores page B at offset X in zswap (zswap could also be + full, if so, page B would then be IOed to X, then skip step 5.) +5. entry A is replaced by B in tree->rbroot, this doesn't affect the + local reference held by zswap-shrink work +6. zswap-shrink work writes back A at X, and frees zswap entry A +7. swapin of slot X brings A in memory instead of B + +The fix: +Once the swap page cache has been allocated (case ZSWAP_SWAPCACHE_NEW), +zswap-shrink work just checks that the local zswap_entry reference is +still the same as the one in the tree. If it's not the same it means that +it's either been invalidated or replaced, in both cases the writeback is +aborted because the local entry contains stale data. + +Reproducer: +I originally found this by running `stress` overnight to validate my work +on the zswap writeback mechanism, it manifested after hours on my test +machine. The key to make it happen is having zswap writebacks, so +whatever setup pumps /sys/kernel/debug/zswap/written_back_pages should do +the trick. + +In order to reproduce this faster on a vm, I setup a system with ~100M of +available memory and a 500M swap file, then running `stress --vm 1 +--vm-bytes 300000000 --vm-stride 4000` makes it happen in matter of tens +of minutes. One can speed things up even more by swinging +/sys/module/zswap/parameters/max_pool_percent up and down between, say, 20 +and 1; this makes it reproduce in tens of seconds. It's crucial to set +`--vm-stride` to something other than 4096 otherwise `stress` won't +realize that memory has been corrupted because all pages would have the +same data. + +Link: https://lkml.kernel.org/r/20230503151200.19707-1-cerasuolodomenico@gmail.com +Signed-off-by: Domenico Cerasuolo +Acked-by: Johannes Weiner +Reviewed-by: Chris Li (Google) +Cc: Dan Streetman +Cc: Johannes Weiner +Cc: Minchan Kim +Cc: Nitin Gupta +Cc: Seth Jennings +Cc: Vitaly Wool +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jiri Slaby +--- + mm/zswap.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/mm/zswap.c b/mm/zswap.c +index f6c89049..5d5977c9 100644 +--- a/mm/zswap.c ++++ b/mm/zswap.c +@@ -995,6 +995,22 @@ static int zswap_writeback_entry(struct zpool *pool, unsigned long handle) + goto fail; + + case ZSWAP_SWAPCACHE_NEW: /* page is locked */ ++ /* ++ * Having a local reference to the zswap entry doesn't exclude ++ * swapping from invalidating and recycling the swap slot. Once ++ * the swapcache is secured against concurrent swapping to and ++ * from the slot, recheck that the entry is still current before ++ * writing. ++ */ ++ spin_lock(&tree->lock); ++ if (zswap_rb_search(&tree->rbroot, entry->offset) != entry) { ++ spin_unlock(&tree->lock); ++ delete_from_swap_cache(page_folio(page)); ++ ret = -ENOMEM; ++ goto fail; ++ } ++ spin_unlock(&tree->lock); ++ + /* decompress */ + acomp_ctx = raw_cpu_ptr(entry->pool->acomp_ctx); + dlen = PAGE_SIZE; +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-329-perf-script-Skip-aggregation-for-stat-events.patch b/patches.kernel.org/6.3.4-329-perf-script-Skip-aggregation-for-stat-events.patch new file mode 100644 index 0000000..5cfa2f1 --- /dev/null +++ b/patches.kernel.org/6.3.4-329-perf-script-Skip-aggregation-for-stat-events.patch @@ -0,0 +1,75 @@ +From: Sandipan Das +Date: Fri, 5 May 2023 15:32:53 +0530 +Subject: [PATCH] perf script: Skip aggregation for stat events +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 2fe6575924612f1014a0539ab3053b106aded926 + +commit 2fe6575924612f1014a0539ab3053b106aded926 upstream. + +The script command does not support aggregation modes by itself although +that can be achieved using post-processing scripts. Because of this, it +does not allocate memory for aggregated event values. + +Upon running perf stat record, the aggregation mode is set in the perf +data file. If the mode is AGGR_GLOBAL, the aggregated event values are +accessed and this leads to a segmentation fault since these were never +allocated to begin with. Set the mode to AGGR_NONE explicitly to avoid +this. + +E.g. + + $ perf stat record -e cycles true + $ perf script + +Before: + Segmentation fault (core dumped) + +After: + CPU THREAD VAL ENA RUN TIME EVENT + -1 231919 162831 362069 362069 935289 cycles:u + +Fixes: 8b76a3188b85724f ("perf stat: Remove unused perf_counts.aggr field") +Signed-off-by: Sandipan Das +Acked-by: Namhyung Kim +Cc: Adrian Hunter +Cc: Alexander Shishkin +Cc: Ananth Narayan +Cc: Ian Rogers +Cc: Ingo Molnar +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Nick Terrell +Cc: Peter Zijlstra +Cc: Ravi Bangoria +Cc: stable@vger.kernel.org # v6.2+ +Link: https://lore.kernel.org/r/83d6c6c05c54bf00c5a9df32ac160718efca0c7a.1683280603.git.sandipan.das@amd.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jiri Slaby +--- + tools/perf/builtin-script.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/tools/perf/builtin-script.c b/tools/perf/builtin-script.c +index 6f085602..d8c174a7 100644 +--- a/tools/perf/builtin-script.c ++++ b/tools/perf/builtin-script.c +@@ -3652,6 +3652,13 @@ static int process_stat_config_event(struct perf_session *session __maybe_unused + union perf_event *event) + { + perf_event__read_stat_config(&stat_config, &event->stat_config); ++ ++ /* ++ * Aggregation modes are not used since post-processing scripts are ++ * supposed to take care of such requirements ++ */ ++ stat_config.aggr_mode = AGGR_NONE; ++ + return 0; + } + +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-330-serial-Add-support-for-Advantech-PCI-1611U-card.patch b/patches.kernel.org/6.3.4-330-serial-Add-support-for-Advantech-PCI-1611U-card.patch new file mode 100644 index 0000000..38dfc15 --- /dev/null +++ b/patches.kernel.org/6.3.4-330-serial-Add-support-for-Advantech-PCI-1611U-card.patch @@ -0,0 +1,54 @@ +From: Vitaliy Tomin +Date: Sun, 23 Apr 2023 11:45:12 +0800 +Subject: [PATCH] serial: Add support for Advantech PCI-1611U card +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: d2b00516de0e1d696724247098f6733a6ea53908 + +commit d2b00516de0e1d696724247098f6733a6ea53908 upstream. + +Add support for Advantech PCI-1611U card + +Advantech provides opensource drivers for this and many others card +based on legacy copy of 8250_pci driver called adv950 + +https://www.advantech.com/emt/support/details/driver?id=1-TDOIMJ + +It is hard to maintain to run as out of tree module on newer kernels. +Just adding PCI ID to kernel 8250_pci works perfect. + +Signed-off-by: Vitaliy Tomin +Cc: stable +Link: https://lore.kernel.org/r/20230423034512.2671157-1-tomin@iszf.irk.ru +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jiri Slaby +--- + drivers/tty/serial/8250/8250_pci.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/tty/serial/8250/8250_pci.c b/drivers/tty/serial/8250/8250_pci.c +index c55be6fd..e80c4f65 100644 +--- a/drivers/tty/serial/8250/8250_pci.c ++++ b/drivers/tty/serial/8250/8250_pci.c +@@ -1920,6 +1920,8 @@ pci_moxa_setup(struct serial_private *priv, + #define PCI_SUBDEVICE_ID_SIIG_DUAL_30 0x2530 + #define PCI_VENDOR_ID_ADVANTECH 0x13fe + #define PCI_DEVICE_ID_INTEL_CE4100_UART 0x2e66 ++#define PCI_DEVICE_ID_ADVANTECH_PCI1600 0x1600 ++#define PCI_DEVICE_ID_ADVANTECH_PCI1600_1611 0x1611 + #define PCI_DEVICE_ID_ADVANTECH_PCI3620 0x3620 + #define PCI_DEVICE_ID_ADVANTECH_PCI3618 0x3618 + #define PCI_DEVICE_ID_ADVANTECH_PCIf618 0xf618 +@@ -4085,6 +4087,9 @@ static SIMPLE_DEV_PM_OPS(pciserial_pm_ops, pciserial_suspend_one, + pciserial_resume_one); + + static const struct pci_device_id serial_pci_tbl[] = { ++ { PCI_VENDOR_ID_ADVANTECH, PCI_DEVICE_ID_ADVANTECH_PCI1600, ++ PCI_DEVICE_ID_ADVANTECH_PCI1600_1611, PCI_ANY_ID, 0, 0, ++ pbn_b0_4_921600 }, + /* Advantech use PCI_DEVICE_ID_ADVANTECH_PCI3620 (0x3620) as 'PCI_SUBVENDOR_ID' */ + { PCI_VENDOR_ID_ADVANTECH, PCI_DEVICE_ID_ADVANTECH_PCI3620, + PCI_DEVICE_ID_ADVANTECH_PCI3620, 0x0001, 0, 0, +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-331-serial-8250_exar-Add-support-for-USR298x-PCI-Mo.patch b/patches.kernel.org/6.3.4-331-serial-8250_exar-Add-support-for-USR298x-PCI-Mo.patch new file mode 100644 index 0000000..646517d --- /dev/null +++ b/patches.kernel.org/6.3.4-331-serial-8250_exar-Add-support-for-USR298x-PCI-Mo.patch @@ -0,0 +1,79 @@ +From: Andrew Davis +Date: Thu, 20 Apr 2023 11:02:09 -0500 +Subject: [PATCH] serial: 8250_exar: Add support for USR298x PCI Modems +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 95d698869b404772cc8b72560df71548491c10bc + +commit 95d698869b404772cc8b72560df71548491c10bc upstream. + +Possibly the last PCI controller-based (i.e. not a soft/winmodem) +dial-up modem one can still buy. + +Looks to have a stock XR17C154 PCI UART chip for communication, but for +some reason when provisioning the PCI IDs they swapped the vendor and +subvendor IDs. Otherwise this card would have worked out of the box. + +Searching online, some folks seem to not have this issue and others do, +so it is possible only some batches of cards have this error. + +Create a new macro to handle the switched IDs and add support here. + +Signed-off-by: Andrew Davis +Cc: stable +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20230420160209.28221-1-afd@ti.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jiri Slaby +--- + drivers/tty/serial/8250/8250_exar.c | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +diff --git a/drivers/tty/serial/8250/8250_exar.c b/drivers/tty/serial/8250/8250_exar.c +index 64770c62..b406cba1 100644 +--- a/drivers/tty/serial/8250/8250_exar.c ++++ b/drivers/tty/serial/8250/8250_exar.c +@@ -40,9 +40,13 @@ + #define PCI_DEVICE_ID_COMMTECH_4224PCIE 0x0020 + #define PCI_DEVICE_ID_COMMTECH_4228PCIE 0x0021 + #define PCI_DEVICE_ID_COMMTECH_4222PCIE 0x0022 ++ + #define PCI_DEVICE_ID_EXAR_XR17V4358 0x4358 + #define PCI_DEVICE_ID_EXAR_XR17V8358 0x8358 + ++#define PCI_SUBDEVICE_ID_USR_2980 0x0128 ++#define PCI_SUBDEVICE_ID_USR_2981 0x0129 ++ + #define PCI_DEVICE_ID_SEALEVEL_710xC 0x1001 + #define PCI_DEVICE_ID_SEALEVEL_720xC 0x1002 + #define PCI_DEVICE_ID_SEALEVEL_740xC 0x1004 +@@ -829,6 +833,15 @@ static const struct exar8250_board pbn_exar_XR17V8358 = { + (kernel_ulong_t)&bd \ + } + ++#define USR_DEVICE(devid, sdevid, bd) { \ ++ PCI_DEVICE_SUB( \ ++ PCI_VENDOR_ID_USR, \ ++ PCI_DEVICE_ID_EXAR_##devid, \ ++ PCI_VENDOR_ID_EXAR, \ ++ PCI_SUBDEVICE_ID_USR_##sdevid), 0, 0, \ ++ (kernel_ulong_t)&bd \ ++ } ++ + static const struct pci_device_id exar_pci_tbl[] = { + EXAR_DEVICE(ACCESSIO, COM_2S, pbn_exar_XR17C15x), + EXAR_DEVICE(ACCESSIO, COM_4S, pbn_exar_XR17C15x), +@@ -853,6 +866,10 @@ static const struct pci_device_id exar_pci_tbl[] = { + + IBM_DEVICE(XR17C152, SATURN_SERIAL_ONE_PORT, pbn_exar_ibm_saturn), + ++ /* USRobotics USR298x-OEM PCI Modems */ ++ USR_DEVICE(XR17C152, 2980, pbn_exar_XR17C15x), ++ USR_DEVICE(XR17C152, 2981, pbn_exar_XR17C15x), ++ + /* Exar Corp. XR17C15[248] Dual/Quad/Octal UART */ + EXAR_DEVICE(EXAR, XR17C152, pbn_exar_XR17C15x), + EXAR_DEVICE(EXAR, XR17C154, pbn_exar_XR17C15x), +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-332-serial-qcom-geni-fix-enabling-deactivated-inter.patch b/patches.kernel.org/6.3.4-332-serial-qcom-geni-fix-enabling-deactivated-inter.patch new file mode 100644 index 0000000..5c08389 --- /dev/null +++ b/patches.kernel.org/6.3.4-332-serial-qcom-geni-fix-enabling-deactivated-inter.patch @@ -0,0 +1,90 @@ +From: Krzysztof Kozlowski +Date: Fri, 5 May 2023 17:23:01 +0200 +Subject: [PATCH] serial: qcom-geni: fix enabling deactivated interrupt +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 5f949f140f73696f64acb89a1f16ff9153d017e0 + +commit 5f949f140f73696f64acb89a1f16ff9153d017e0 upstream. + +The driver have a race, experienced only with PREEMPT_RT patchset: + +CPU0 | CPU1 +================================================================== +qcom_geni_serial_probe | + uart_add_one_port | + | serdev_drv_probe + | qca_serdev_probe + | serdev_device_open + | uart_open + | uart_startup + | qcom_geni_serial_startup + | enable_irq + | __irq_startup + | WARN_ON() + | IRQ not activated + request_threaded_irq | + irq_domain_activate_irq | + +The warning: + + 894000.serial: ttyHS1 at MMIO 0x894000 (irq = 144, base_baud = 0) is a MSM + serial serial0: tty port ttyHS1 registered + WARNING: CPU: 7 PID: 107 at kernel/irq/chip.c:241 __irq_startup+0x78/0xd8 + ... + qcom_geni_serial 894000.serial: serial engine reports 0 RX bytes in! + +Adding UART port triggers probe of child serial devices - serdev and +eventually Qualcomm Bluetooth hci_qca driver. This opens UART port +which enables the interrupt before it got activated in +request_threaded_irq(). The issue originates in commit f3974413cf02 +("tty: serial: qcom_geni_serial: Wakeup IRQ cleanup") and discussion on +mailing list [1]. However the above commit does not explain why the +uart_add_one_port() is moved above requesting interrupt. + +[1] https://lore.kernel.org/all/5d9f3dfa.1c69fb81.84c4b.30bf@mx.google.com/ + +Fixes: f3974413cf02 ("tty: serial: qcom_geni_serial: Wakeup IRQ cleanup") +Cc: +Cc: Stephen Boyd +Signed-off-by: Krzysztof Kozlowski +Reviewed-by: Stephen Boyd +Link: https://lore.kernel.org/r/20230505152301.2181270-1-krzysztof.kozlowski@linaro.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jiri Slaby +--- + drivers/tty/serial/qcom_geni_serial.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/drivers/tty/serial/qcom_geni_serial.c b/drivers/tty/serial/qcom_geni_serial.c +index 28fbc927..0ae29723 100644 +--- a/drivers/tty/serial/qcom_geni_serial.c ++++ b/drivers/tty/serial/qcom_geni_serial.c +@@ -1665,19 +1665,18 @@ static int qcom_geni_serial_probe(struct platform_device *pdev) + uport->private_data = &port->private_data; + platform_set_drvdata(pdev, port); + +- ret = uart_add_one_port(drv, uport); +- if (ret) +- return ret; +- + irq_set_status_flags(uport->irq, IRQ_NOAUTOEN); + ret = devm_request_irq(uport->dev, uport->irq, qcom_geni_serial_isr, + IRQF_TRIGGER_HIGH, port->name, uport); + if (ret) { + dev_err(uport->dev, "Failed to get IRQ ret %d\n", ret); +- uart_remove_one_port(drv, uport); + return ret; + } + ++ ret = uart_add_one_port(drv, uport); ++ if (ret) ++ return ret; ++ + /* + * Set pm_runtime status as ACTIVE so that wakeup_irq gets + * enabled/disabled from dev_pm_arm_wake_irq during system +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-333-thunderbolt-Clear-registers-properly-when-auto-.patch b/patches.kernel.org/6.3.4-333-thunderbolt-Clear-registers-properly-when-auto-.patch new file mode 100644 index 0000000..c0e5652 --- /dev/null +++ b/patches.kernel.org/6.3.4-333-thunderbolt-Clear-registers-properly-when-auto-.patch @@ -0,0 +1,110 @@ +From: Mario Limonciello +Date: Mon, 24 Apr 2023 14:55:54 -0500 +Subject: [PATCH] thunderbolt: Clear registers properly when auto clear isn't + in use +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: c4af8e3fecd03b0aedcd38145955605cfebe7e3a + +commit c4af8e3fecd03b0aedcd38145955605cfebe7e3a upstream. + +When `QUIRK_AUTO_CLEAR_INT` isn't set, interrupt masking should be +cleared by writing to Interrupt Mask Clear (IMR) and interrupt +status should be cleared properly at shutdown/init. + +This fixes an error where interrupts are left enabled during resume +from hibernation with `CONFIG_USB4=y`. + +Fixes: 468c49f44759 ("thunderbolt: Disable interrupt auto clear for rings") +Cc: stable@vger.kernel.org # v6.3 +Reported-by: Takashi Iwai +Link: https://bugzilla.kernel.org/show_bug.cgi?id=217343 +Signed-off-by: Mario Limonciello +Signed-off-by: Mika Westerberg +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jiri Slaby +--- + drivers/thunderbolt/nhi.c | 29 ++++++++++++++++++++++++----- + drivers/thunderbolt/nhi_regs.h | 2 ++ + 2 files changed, 26 insertions(+), 5 deletions(-) + +diff --git a/drivers/thunderbolt/nhi.c b/drivers/thunderbolt/nhi.c +index cfebec10..0a525f44 100644 +--- a/drivers/thunderbolt/nhi.c ++++ b/drivers/thunderbolt/nhi.c +@@ -54,6 +54,21 @@ static int ring_interrupt_index(const struct tb_ring *ring) + return bit; + } + ++static void nhi_mask_interrupt(struct tb_nhi *nhi, int mask, int ring) ++{ ++ if (nhi->quirks & QUIRK_AUTO_CLEAR_INT) ++ return; ++ iowrite32(mask, nhi->iobase + REG_RING_INTERRUPT_MASK_CLEAR_BASE + ring); ++} ++ ++static void nhi_clear_interrupt(struct tb_nhi *nhi, int ring) ++{ ++ if (nhi->quirks & QUIRK_AUTO_CLEAR_INT) ++ ioread32(nhi->iobase + REG_RING_NOTIFY_BASE + ring); ++ else ++ iowrite32(~0, nhi->iobase + REG_RING_INT_CLEAR + ring); ++} ++ + /* + * ring_interrupt_active() - activate/deactivate interrupts for a single ring + * +@@ -61,8 +76,8 @@ static int ring_interrupt_index(const struct tb_ring *ring) + */ + static void ring_interrupt_active(struct tb_ring *ring, bool active) + { +- int reg = REG_RING_INTERRUPT_BASE + +- ring_interrupt_index(ring) / 32 * 4; ++ int index = ring_interrupt_index(ring) / 32 * 4; ++ int reg = REG_RING_INTERRUPT_BASE + index; + int interrupt_bit = ring_interrupt_index(ring) & 31; + int mask = 1 << interrupt_bit; + u32 old, new; +@@ -123,7 +138,11 @@ static void ring_interrupt_active(struct tb_ring *ring, bool active) + "interrupt for %s %d is already %s\n", + RING_TYPE(ring), ring->hop, + active ? "enabled" : "disabled"); +- iowrite32(new, ring->nhi->iobase + reg); ++ ++ if (active) ++ iowrite32(new, ring->nhi->iobase + reg); ++ else ++ nhi_mask_interrupt(ring->nhi, mask, index); + } + + /* +@@ -136,11 +155,11 @@ static void nhi_disable_interrupts(struct tb_nhi *nhi) + int i = 0; + /* disable interrupts */ + for (i = 0; i < RING_INTERRUPT_REG_COUNT(nhi); i++) +- iowrite32(0, nhi->iobase + REG_RING_INTERRUPT_BASE + 4 * i); ++ nhi_mask_interrupt(nhi, ~0, 4 * i); + + /* clear interrupt status bits */ + for (i = 0; i < RING_NOTIFY_REG_COUNT(nhi); i++) +- ioread32(nhi->iobase + REG_RING_NOTIFY_BASE + 4 * i); ++ nhi_clear_interrupt(nhi, 4 * i); + } + + /* ring helper methods */ +diff --git a/drivers/thunderbolt/nhi_regs.h b/drivers/thunderbolt/nhi_regs.h +index faef165a..6ba29581 100644 +--- a/drivers/thunderbolt/nhi_regs.h ++++ b/drivers/thunderbolt/nhi_regs.h +@@ -93,6 +93,8 @@ struct ring_desc { + #define REG_RING_INTERRUPT_BASE 0x38200 + #define RING_INTERRUPT_REG_COUNT(nhi) ((31 + 2 * nhi->hop_count) / 32) + ++#define REG_RING_INTERRUPT_MASK_CLEAR_BASE 0x38208 ++ + #define REG_INT_THROTTLING_RATE 0x38c00 + + /* Interrupt Vector Allocation */ +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-334-vc_screen-reload-load-of-struct-vc_data-pointer.patch b/patches.kernel.org/6.3.4-334-vc_screen-reload-load-of-struct-vc_data-pointer.patch new file mode 100644 index 0000000..d1b6799 --- /dev/null +++ b/patches.kernel.org/6.3.4-334-vc_screen-reload-load-of-struct-vc_data-pointer.patch @@ -0,0 +1,120 @@ +From: George Kennedy +Date: Fri, 12 May 2023 06:08:48 -0500 +Subject: [PATCH] vc_screen: reload load of struct vc_data pointer in + vcs_write() to avoid UAF +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 8fb9ea65c9d1338b0d2bb0a9122dc942cdd32357 + +commit 8fb9ea65c9d1338b0d2bb0a9122dc942cdd32357 upstream. + +After a call to console_unlock() in vcs_write() the vc_data struct can be +freed by vc_port_destruct(). Because of that, the struct vc_data pointer +must be reloaded in the while loop in vcs_write() after console_lock() to +avoid a UAF when vcs_size() is called. + +Syzkaller reported a UAF in vcs_size(). + +BUG: KASAN: slab-use-after-free in vcs_size (drivers/tty/vt/vc_screen.c:215) +Read of size 4 at addr ffff8880beab89a8 by task repro_vcs_size/4119 + +Call Trace: + +__asan_report_load4_noabort (mm/kasan/report_generic.c:380) +vcs_size (drivers/tty/vt/vc_screen.c:215) +vcs_write (drivers/tty/vt/vc_screen.c:664) +vfs_write (fs/read_write.c:582 fs/read_write.c:564) +... + + +Allocated by task 1213: +kmalloc_trace (mm/slab_common.c:1064) +vc_allocate (./include/linux/slab.h:559 ./include/linux/slab.h:680 + drivers/tty/vt/vt.c:1078 drivers/tty/vt/vt.c:1058) +con_install (drivers/tty/vt/vt.c:3334) +tty_init_dev (drivers/tty/tty_io.c:1303 drivers/tty/tty_io.c:1415 + drivers/tty/tty_io.c:1392) +tty_open (drivers/tty/tty_io.c:2082 drivers/tty/tty_io.c:2128) +chrdev_open (fs/char_dev.c:415) +do_dentry_open (fs/open.c:921) +vfs_open (fs/open.c:1052) +... + +Freed by task 4116: +kfree (mm/slab_common.c:1016) +vc_port_destruct (drivers/tty/vt/vt.c:1044) +tty_port_destructor (drivers/tty/tty_port.c:296) +tty_port_put (drivers/tty/tty_port.c:312) +vt_disallocate_all (drivers/tty/vt/vt_ioctl.c:662 (discriminator 2)) +vt_ioctl (drivers/tty/vt/vt_ioctl.c:903) +tty_ioctl (drivers/tty/tty_io.c:2778) +... + +The buggy address belongs to the object at ffff8880beab8800 + which belongs to the cache kmalloc-1k of size 1024 +The buggy address is located 424 bytes inside of + freed 1024-byte region [ffff8880beab8800, ffff8880beab8c00) + +The buggy address belongs to the physical page: +page:00000000afc77580 refcount:1 mapcount:0 mapping:0000000000000000 + index:0x0 pfn:0xbeab8 +head:00000000afc77580 order:3 entire_mapcount:0 nr_pages_mapped:0 + pincount:0 +flags: 0xfffffc0010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff) +page_type: 0xffffffff() +raw: 000fffffc0010200 ffff888100042dc0 ffffea000426de00 dead000000000002 +raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff8880beab8880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff8880beab8900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +>ffff8880beab8980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ^ + ffff8880beab8a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff8880beab8a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +================================================================== +Disabling lock debugging due to kernel taint + +Fixes: ac751efa6a0d ("console: rename acquire/release_console_sem() to console_lock/unlock()") +Cc: stable +Reported-by: syzkaller +Signed-off-by: George Kennedy +Reviewed-by: Thomas Weißschuh +Link: https://lore.kernel.org/r/1683889728-10411-1-git-send-email-george.kennedy@oracle.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jiri Slaby +--- + drivers/tty/vt/vc_screen.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/drivers/tty/vt/vc_screen.c b/drivers/tty/vt/vc_screen.c +index 1dc07f92..01c96537 100644 +--- a/drivers/tty/vt/vc_screen.c ++++ b/drivers/tty/vt/vc_screen.c +@@ -656,10 +656,17 @@ vcs_write(struct file *file, const char __user *buf, size_t count, loff_t *ppos) + } + } + +- /* The vcs_size might have changed while we slept to grab +- * the user buffer, so recheck. ++ /* The vc might have been freed or vcs_size might have changed ++ * while we slept to grab the user buffer, so recheck. + * Return data written up to now on failure. + */ ++ vc = vcs_vc(inode, &viewed); ++ if (!vc) { ++ if (written) ++ break; ++ ret = -ENXIO; ++ goto unlock_out; ++ } + size = vcs_size(vc, attr, false); + if (size < 0) { + if (written) +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-335-ceph-force-updating-the-msg-pointer-in-non-spli.patch b/patches.kernel.org/6.3.4-335-ceph-force-updating-the-msg-pointer-in-non-spli.patch new file mode 100644 index 0000000..24f9321 --- /dev/null +++ b/patches.kernel.org/6.3.4-335-ceph-force-updating-the-msg-pointer-in-non-spli.patch @@ -0,0 +1,52 @@ +From: Xiubo Li +Date: Thu, 18 May 2023 09:47:23 +0800 +Subject: [PATCH] ceph: force updating the msg pointer in non-split case +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 4cafd0400bcb6187c0d4ab4d4b0229a89ac4f8c2 + +commit 4cafd0400bcb6187c0d4ab4d4b0229a89ac4f8c2 upstream. + +When the MClientSnap reqeust's op is not CEPH_SNAP_OP_SPLIT the +request may still contain a list of 'split_realms', and we need +to skip it anyway. Or it will be parsed as a corrupt snaptrace. + +Cc: stable@vger.kernel.org +Link: https://tracker.ceph.com/issues/61200 +Reported-by: Frank Schilder +Signed-off-by: Xiubo Li +Reviewed-by: Ilya Dryomov +Signed-off-by: Ilya Dryomov +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jiri Slaby +--- + fs/ceph/snap.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/fs/ceph/snap.c b/fs/ceph/snap.c +index 87007203..0b236ebd 100644 +--- a/fs/ceph/snap.c ++++ b/fs/ceph/snap.c +@@ -1111,6 +1111,19 @@ void ceph_handle_snap(struct ceph_mds_client *mdsc, + continue; + adjust_snap_realm_parent(mdsc, child, realm->ino); + } ++ } else { ++ /* ++ * In the non-split case both 'num_split_inos' and ++ * 'num_split_realms' should be 0, making this a no-op. ++ * However the MDS happens to populate 'split_realms' list ++ * in one of the UPDATE op cases by mistake. ++ * ++ * Skip both lists just in case to ensure that 'p' is ++ * positioned at the start of realm info, as expected by ++ * ceph_update_snap_trace(). ++ */ ++ p += sizeof(u64) * num_split_inos; ++ p += sizeof(u64) * num_split_realms; + } + + /* +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-336-drm-amd-pm-fix-possible-power-mode-mismatch-bet.patch b/patches.kernel.org/6.3.4-336-drm-amd-pm-fix-possible-power-mode-mismatch-bet.patch new file mode 100644 index 0000000..f398aed --- /dev/null +++ b/patches.kernel.org/6.3.4-336-drm-amd-pm-fix-possible-power-mode-mismatch-bet.patch @@ -0,0 +1,102 @@ +From: Evan Quan +Date: Thu, 11 May 2023 15:41:27 +0800 +Subject: [PATCH] drm/amd/pm: fix possible power mode mismatch between driver + and PMFW +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: bf4823267a817f7c155876a125b94336d7113e77 + +commit bf4823267a817f7c155876a125b94336d7113e77 upstream. + +PMFW may boots the ASIC with a different power mode from the system's +real one. Notify PMFW explicitly the power mode the system in. This +is needed only when ACDC switch via gpio is not supported. + +Signed-off-by: Evan Quan +Reviewed-by: Kenneth Feng +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jiri Slaby +--- + drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c | 18 +++++++++++++++++ + .../gpu/drm/amd/pm/swsmu/smu11/navi10_ppt.c | 20 +------------------ + .../drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c | 1 + + 3 files changed, 20 insertions(+), 19 deletions(-) + +diff --git a/drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c b/drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c +index 62ea5711..485c054b 100644 +--- a/drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c ++++ b/drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c +@@ -727,6 +727,24 @@ static int smu_late_init(void *handle) + return ret; + } + ++ /* ++ * Explicitly notify PMFW the power mode the system in. Since ++ * the PMFW may boot the ASIC with a different mode. ++ * For those supporting ACDC switch via gpio, PMFW will ++ * handle the switch automatically. Driver involvement ++ * is unnecessary. ++ */ ++ if (!smu->dc_controlled_by_gpio) { ++ ret = smu_set_power_source(smu, ++ adev->pm.ac_power ? SMU_POWER_SOURCE_AC : ++ SMU_POWER_SOURCE_DC); ++ if (ret) { ++ dev_err(adev->dev, "Failed to switch to %s mode!\n", ++ adev->pm.ac_power ? "AC" : "DC"); ++ return ret; ++ } ++ } ++ + if ((adev->ip_versions[MP1_HWIP][0] == IP_VERSION(13, 0, 1)) || + (adev->ip_versions[MP1_HWIP][0] == IP_VERSION(13, 0, 3))) + return 0; +diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu11/navi10_ppt.c b/drivers/gpu/drm/amd/pm/swsmu/smu11/navi10_ppt.c +index 95da6dd1..ab7e7dc1 100644 +--- a/drivers/gpu/drm/amd/pm/swsmu/smu11/navi10_ppt.c ++++ b/drivers/gpu/drm/amd/pm/swsmu/smu11/navi10_ppt.c +@@ -3412,26 +3412,8 @@ static int navi10_post_smu_init(struct smu_context *smu) + return 0; + + ret = navi10_run_umc_cdr_workaround(smu); +- if (ret) { ++ if (ret) + dev_err(adev->dev, "Failed to apply umc cdr workaround!\n"); +- return ret; +- } +- +- if (!smu->dc_controlled_by_gpio) { +- /* +- * For Navi1X, manually switch it to AC mode as PMFW +- * may boot it with DC mode. +- */ +- ret = smu_v11_0_set_power_source(smu, +- adev->pm.ac_power ? +- SMU_POWER_SOURCE_AC : +- SMU_POWER_SOURCE_DC); +- if (ret) { +- dev_err(adev->dev, "Failed to switch to %s mode!\n", +- adev->pm.ac_power ? "AC" : "DC"); +- return ret; +- } +- } + + return ret; + } +diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c +index 4399416d..ca0fca7d 100644 +--- a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c ++++ b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c +@@ -1768,6 +1768,7 @@ static const struct pptable_funcs smu_v13_0_7_ppt_funcs = { + .enable_mgpu_fan_boost = smu_v13_0_7_enable_mgpu_fan_boost, + .get_power_limit = smu_v13_0_7_get_power_limit, + .set_power_limit = smu_v13_0_set_power_limit, ++ .set_power_source = smu_v13_0_set_power_source, + .get_power_profile_mode = smu_v13_0_7_get_power_profile_mode, + .set_power_profile_mode = smu_v13_0_7_set_power_profile_mode, + .set_tool_table_location = smu_v13_0_set_tool_table_location, +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-337-drm-amdgpu-gmc11-implement-get_vbios_fb_size.patch b/patches.kernel.org/6.3.4-337-drm-amdgpu-gmc11-implement-get_vbios_fb_size.patch new file mode 100644 index 0000000..bcd8a18 --- /dev/null +++ b/patches.kernel.org/6.3.4-337-drm-amdgpu-gmc11-implement-get_vbios_fb_size.patch @@ -0,0 +1,65 @@ +From: Alex Deucher +Date: Thu, 11 May 2023 10:40:03 -0400 +Subject: [PATCH] drm/amdgpu/gmc11: implement get_vbios_fb_size() +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 68518294d00da6a2433357af75a63abc6030676e + +commit 68518294d00da6a2433357af75a63abc6030676e upstream. + +Implement get_vbios_fb_size() so we can properly reserve +the vbios splash screen to avoid potential artifacts on the +screen during the transition from the pre-OS console to the +OS console. + +Acked-by: Sunil Khatri +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org # 6.1.x +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jiri Slaby +--- + drivers/gpu/drm/amd/amdgpu/gmc_v11_0.c | 21 ++++++++++++++++++++- + 1 file changed, 20 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/gmc_v11_0.c b/drivers/gpu/drm/amd/amdgpu/gmc_v11_0.c +index abdb8d84..14ca327b 100644 +--- a/drivers/gpu/drm/amd/amdgpu/gmc_v11_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gmc_v11_0.c +@@ -31,6 +31,8 @@ + #include "umc_v8_10.h" + #include "athub/athub_3_0_0_sh_mask.h" + #include "athub/athub_3_0_0_offset.h" ++#include "dcn/dcn_3_2_0_offset.h" ++#include "dcn/dcn_3_2_0_sh_mask.h" + #include "oss/osssys_6_0_0_offset.h" + #include "ivsrcid/vmc/irqsrcs_vmc_1_0.h" + #include "navi10_enum.h" +@@ -542,7 +544,24 @@ static void gmc_v11_0_get_vm_pte(struct amdgpu_device *adev, + + static unsigned gmc_v11_0_get_vbios_fb_size(struct amdgpu_device *adev) + { +- return 0; ++ u32 d1vga_control = RREG32_SOC15(DCE, 0, regD1VGA_CONTROL); ++ unsigned size; ++ ++ if (REG_GET_FIELD(d1vga_control, D1VGA_CONTROL, D1VGA_MODE_ENABLE)) { ++ size = AMDGPU_VBIOS_VGA_ALLOCATION; ++ } else { ++ u32 viewport; ++ u32 pitch; ++ ++ viewport = RREG32_SOC15(DCE, 0, regHUBP0_DCSURF_PRI_VIEWPORT_DIMENSION); ++ pitch = RREG32_SOC15(DCE, 0, regHUBPREQ0_DCSURF_SURFACE_PITCH); ++ size = (REG_GET_FIELD(viewport, ++ HUBP0_DCSURF_PRI_VIEWPORT_DIMENSION, PRI_VIEWPORT_HEIGHT) * ++ REG_GET_FIELD(pitch, HUBPREQ0_DCSURF_SURFACE_PITCH, PITCH) * ++ 4); ++ } ++ ++ return size; + } + + static const struct amdgpu_gmc_funcs gmc_v11_0_gmc_funcs = { +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-338-drm-amdgpu-gfx10-Disable-gfxoff-before-disablin.patch b/patches.kernel.org/6.3.4-338-drm-amdgpu-gfx10-Disable-gfxoff-before-disablin.patch new file mode 100644 index 0000000..45090e5 --- /dev/null +++ b/patches.kernel.org/6.3.4-338-drm-amdgpu-gfx10-Disable-gfxoff-before-disablin.patch @@ -0,0 +1,50 @@ +From: Bas Nieuwenhuizen +Date: Tue, 9 May 2023 18:49:46 +0200 +Subject: [PATCH] drm/amdgpu/gfx10: Disable gfxoff before disabling + powergating. +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 8173cab3368a13cdc3cad0bd5cf14e9399b0f501 + +commit 8173cab3368a13cdc3cad0bd5cf14e9399b0f501 upstream. + +Otherwise we get a full system lock (looks like a FW mess). + +Copied the order from the GFX9 powergating code. + +Fixes: 366468ff6c34 ("drm/amdgpu: Allow GfxOff on Vangogh as default") +Link: https://gitlab.freedesktop.org/drm/amd/-/issues/2545 +Signed-off-by: Bas Nieuwenhuizen +Tested-by: Guilherme G. Piccoli +Cc: Alex Deucher +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jiri Slaby +--- + drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c +index 6983acc4..b1428068 100644 +--- a/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c +@@ -8159,8 +8159,14 @@ static int gfx_v10_0_set_powergating_state(void *handle, + case IP_VERSION(10, 3, 3): + case IP_VERSION(10, 3, 6): + case IP_VERSION(10, 3, 7): ++ if (!enable) ++ amdgpu_gfx_off_ctrl(adev, false); ++ + gfx_v10_cntl_pg(adev, enable); +- amdgpu_gfx_off_ctrl(adev, enable); ++ ++ if (enable) ++ amdgpu_gfx_off_ctrl(adev, true); ++ + break; + default: + break; +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-339-drm-amdgpu-gfx11-Adjust-gfxoff-before-powergati.patch b/patches.kernel.org/6.3.4-339-drm-amdgpu-gfx11-Adjust-gfxoff-before-powergati.patch new file mode 100644 index 0000000..5499c11 --- /dev/null +++ b/patches.kernel.org/6.3.4-339-drm-amdgpu-gfx11-Adjust-gfxoff-before-powergati.patch @@ -0,0 +1,46 @@ +From: "Guilherme G. Piccoli" +Date: Tue, 9 May 2023 18:49:47 +0200 +Subject: [PATCH] drm/amdgpu/gfx11: Adjust gfxoff before powergating on gfx11 + as well +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 11fbdda2ab6bf049e2869139c07016022b4e045b + +commit 11fbdda2ab6bf049e2869139c07016022b4e045b upstream. + +(Bas: speculative change to mirror gfx10/gfx9) + +Signed-off-by: Guilherme G. Piccoli +Signed-off-by: Bas Nieuwenhuizen +Cc: Alex Deucher +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org # 6.1.x +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jiri Slaby +--- + drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c +index 7609d206..d4768138 100644 +--- a/drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c +@@ -5135,8 +5135,14 @@ static int gfx_v11_0_set_powergating_state(void *handle, + break; + case IP_VERSION(11, 0, 1): + case IP_VERSION(11, 0, 4): ++ if (!enable) ++ amdgpu_gfx_off_ctrl(adev, false); ++ + gfx_v11_cntl_pg(adev, enable); +- amdgpu_gfx_off_ctrl(adev, enable); ++ ++ if (enable) ++ amdgpu_gfx_off_ctrl(adev, true); ++ + break; + default: + break; +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-340-drm-amdgpu-refine-get-gpu-clock-counter-method.patch b/patches.kernel.org/6.3.4-340-drm-amdgpu-refine-get-gpu-clock-counter-method.patch new file mode 100644 index 0000000..09a6dc1 --- /dev/null +++ b/patches.kernel.org/6.3.4-340-drm-amdgpu-refine-get-gpu-clock-counter-method.patch @@ -0,0 +1,62 @@ +From: Tong Liu01 +Date: Thu, 6 Apr 2023 15:58:31 +0800 +Subject: [PATCH] drm/amdgpu: refine get gpu clock counter method +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 5591a051b86be170a84943698ab140342602ff7b + +commit 5591a051b86be170a84943698ab140342602ff7b upstream. + +[why] +regGOLDEN_TSC_COUNT_LOWER/regGOLDEN_TSC_COUNT_UPPER are protected and +unaccessible under sriov. +The clock counter high bit may update during reading process. + +[How] +Replace regGOLDEN_TSC_COUNT_LOWER/regGOLDEN_TSC_COUNT_UPPER with +regCP_MES_MTIME_LO/regCP_MES_MTIME_HI to get gpu clock under sriov. +Refine get gpu clock counter method to make the result more precise. + +Signed-off-by: Tong Liu01 +Acked-by: Luben Tuikov +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jiri Slaby +--- + drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c | 17 +++++++++++++++-- + 1 file changed, 15 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c +index d4768138..376a7286 100644 +--- a/drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c +@@ -4663,11 +4663,24 @@ static int gfx_v11_0_post_soft_reset(void *handle) + static uint64_t gfx_v11_0_get_gpu_clock_counter(struct amdgpu_device *adev) + { + uint64_t clock; ++ uint64_t clock_counter_lo, clock_counter_hi_pre, clock_counter_hi_after; + + amdgpu_gfx_off_ctrl(adev, false); + mutex_lock(&adev->gfx.gpu_clock_mutex); +- clock = (uint64_t)RREG32_SOC15(SMUIO, 0, regGOLDEN_TSC_COUNT_LOWER) | +- ((uint64_t)RREG32_SOC15(SMUIO, 0, regGOLDEN_TSC_COUNT_UPPER) << 32ULL); ++ if (amdgpu_sriov_vf(adev)) { ++ clock_counter_hi_pre = (uint64_t)RREG32_SOC15(GC, 0, regCP_MES_MTIME_HI); ++ clock_counter_lo = (uint64_t)RREG32_SOC15(GC, 0, regCP_MES_MTIME_LO); ++ clock_counter_hi_after = (uint64_t)RREG32_SOC15(GC, 0, regCP_MES_MTIME_HI); ++ if (clock_counter_hi_pre != clock_counter_hi_after) ++ clock_counter_lo = (uint64_t)RREG32_SOC15(GC, 0, regCP_MES_MTIME_LO); ++ } else { ++ clock_counter_hi_pre = (uint64_t)RREG32_SOC15(SMUIO, 0, regGOLDEN_TSC_COUNT_UPPER); ++ clock_counter_lo = (uint64_t)RREG32_SOC15(SMUIO, 0, regGOLDEN_TSC_COUNT_LOWER); ++ clock_counter_hi_after = (uint64_t)RREG32_SOC15(SMUIO, 0, regGOLDEN_TSC_COUNT_UPPER); ++ if (clock_counter_hi_pre != clock_counter_hi_after) ++ clock_counter_lo = (uint64_t)RREG32_SOC15(SMUIO, 0, regGOLDEN_TSC_COUNT_LOWER); ++ } ++ clock = clock_counter_lo | (clock_counter_hi_after << 32ULL); + mutex_unlock(&adev->gfx.gpu_clock_mutex); + amdgpu_gfx_off_ctrl(adev, true); + return clock; +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-341-drm-amdgpu-gfx11-update-gpu_clock_counter-logic.patch b/patches.kernel.org/6.3.4-341-drm-amdgpu-gfx11-update-gpu_clock_counter-logic.patch new file mode 100644 index 0000000..00e0786 --- /dev/null +++ b/patches.kernel.org/6.3.4-341-drm-amdgpu-gfx11-update-gpu_clock_counter-logic.patch @@ -0,0 +1,67 @@ +From: Alex Deucher +Date: Mon, 10 Apr 2023 12:02:29 -0400 +Subject: [PATCH] drm/amdgpu/gfx11: update gpu_clock_counter logic +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: d5aa417808cf14c052ca042920b3c6b9f1dc6aa4 + +commit d5aa417808cf14c052ca042920b3c6b9f1dc6aa4 upstream. + +This code was written prior to previous updates to this +logic for other chips. The RSC registers are part of +SMUIO which is an always on block so there is no need +to disable gfxoff. Additionally add the carryover and +preemption checks. + +v2: rebase + +Reviewed-by: Hawking Zhang +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org # 6.1.y: 5591a051b86b: drm/amdgpu: refine get gpu clock counter method +Cc: stable@vger.kernel.org # 6.2.y: 5591a051b86b: drm/amdgpu: refine get gpu clock counter method +Cc: stable@vger.kernel.org # 6.3.y: 5591a051b86b: drm/amdgpu: refine get gpu clock counter method +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jiri Slaby +--- + drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c +index 376a7286..6b6a06d7 100644 +--- a/drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c +@@ -4665,24 +4665,27 @@ static uint64_t gfx_v11_0_get_gpu_clock_counter(struct amdgpu_device *adev) + uint64_t clock; + uint64_t clock_counter_lo, clock_counter_hi_pre, clock_counter_hi_after; + +- amdgpu_gfx_off_ctrl(adev, false); +- mutex_lock(&adev->gfx.gpu_clock_mutex); + if (amdgpu_sriov_vf(adev)) { ++ amdgpu_gfx_off_ctrl(adev, false); ++ mutex_lock(&adev->gfx.gpu_clock_mutex); + clock_counter_hi_pre = (uint64_t)RREG32_SOC15(GC, 0, regCP_MES_MTIME_HI); + clock_counter_lo = (uint64_t)RREG32_SOC15(GC, 0, regCP_MES_MTIME_LO); + clock_counter_hi_after = (uint64_t)RREG32_SOC15(GC, 0, regCP_MES_MTIME_HI); + if (clock_counter_hi_pre != clock_counter_hi_after) + clock_counter_lo = (uint64_t)RREG32_SOC15(GC, 0, regCP_MES_MTIME_LO); ++ mutex_unlock(&adev->gfx.gpu_clock_mutex); ++ amdgpu_gfx_off_ctrl(adev, true); + } else { ++ preempt_disable(); + clock_counter_hi_pre = (uint64_t)RREG32_SOC15(SMUIO, 0, regGOLDEN_TSC_COUNT_UPPER); + clock_counter_lo = (uint64_t)RREG32_SOC15(SMUIO, 0, regGOLDEN_TSC_COUNT_LOWER); + clock_counter_hi_after = (uint64_t)RREG32_SOC15(SMUIO, 0, regGOLDEN_TSC_COUNT_UPPER); + if (clock_counter_hi_pre != clock_counter_hi_after) + clock_counter_lo = (uint64_t)RREG32_SOC15(SMUIO, 0, regGOLDEN_TSC_COUNT_LOWER); ++ preempt_enable(); + } + clock = clock_counter_lo | (clock_counter_hi_after << 32ULL); +- mutex_unlock(&adev->gfx.gpu_clock_mutex); +- amdgpu_gfx_off_ctrl(adev, true); ++ + return clock; + } + +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-342-iommu-arm-smmu-qcom-Fix-missing-adreno_smmu-s.patch b/patches.kernel.org/6.3.4-342-iommu-arm-smmu-qcom-Fix-missing-adreno_smmu-s.patch new file mode 100644 index 0000000..fdde607 --- /dev/null +++ b/patches.kernel.org/6.3.4-342-iommu-arm-smmu-qcom-Fix-missing-adreno_smmu-s.patch @@ -0,0 +1,58 @@ +From: Rob Clark +Date: Tue, 16 May 2023 15:20:36 -0700 +Subject: [PATCH] iommu/arm-smmu-qcom: Fix missing adreno_smmu's +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: e36ca2fad6bb4ef0603bdb5556578e9082fe0056 + +commit e36ca2fad6bb4ef0603bdb5556578e9082fe0056 upstream. + +When the special handling of qcom,adreno-smmu was moved into +qcom_smmu_create(), it was overlooked that we didn't have all the +required entries in qcom_smmu_impl_of_match. So we stopped getting +adreno_smmu_priv on sc7180, breaking per-process pgtables. + +Fixes: 30b912a03d91 ("iommu/arm-smmu-qcom: Move the qcom,adreno-smmu check into qcom_smmu_create") +Cc: +Suggested-by: Lepton Wu +Signed-off-by: Rob Clark +Reviewed-by: Konrad Dybcio +Reviewed-by: Dmitry Baryshkov +Patchwork: https://patchwork.freedesktop.org/patch/537357/ +Link: https://lore.kernel.org/r/20230516222039.907690-1-robdclark@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jiri Slaby +--- + drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c b/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c +index ae09c627..c71afda7 100644 +--- a/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c ++++ b/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c +@@ -517,6 +517,7 @@ static const struct of_device_id __maybe_unused qcom_smmu_impl_of_match[] = { + { .compatible = "qcom,qcm2290-smmu-500", .data = &qcom_smmu_500_impl0_data }, + { .compatible = "qcom,qdu1000-smmu-500", .data = &qcom_smmu_500_impl0_data }, + { .compatible = "qcom,sc7180-smmu-500", .data = &qcom_smmu_500_impl0_data }, ++ { .compatible = "qcom,sc7180-smmu-v2", .data = &qcom_smmu_v2_data }, + { .compatible = "qcom,sc7280-smmu-500", .data = &qcom_smmu_500_impl0_data }, + { .compatible = "qcom,sc8180x-smmu-500", .data = &qcom_smmu_500_impl0_data }, + { .compatible = "qcom,sc8280xp-smmu-500", .data = &qcom_smmu_500_impl0_data }, +@@ -561,5 +562,14 @@ struct arm_smmu_device *qcom_smmu_impl_init(struct arm_smmu_device *smmu) + if (match) + return qcom_smmu_create(smmu, match->data); + ++ /* ++ * If you hit this WARN_ON() you are missing an entry in the ++ * qcom_smmu_impl_of_match[] table, and GPU per-process page- ++ * tables will be broken. ++ */ ++ WARN(of_device_is_compatible(np, "qcom,adreno-smmu"), ++ "Missing qcom_smmu_impl_of_match entry for: %s", ++ dev_name(smmu->dev)); ++ + return smmu; + } +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-343-dt-bindings-ata-ahci-ceva-Cover-all-4-iommus-en.patch b/patches.kernel.org/6.3.4-343-dt-bindings-ata-ahci-ceva-Cover-all-4-iommus-en.patch new file mode 100644 index 0000000..3d97382 --- /dev/null +++ b/patches.kernel.org/6.3.4-343-dt-bindings-ata-ahci-ceva-Cover-all-4-iommus-en.patch @@ -0,0 +1,46 @@ +From: Michal Simek +Date: Fri, 12 May 2023 13:52:04 +0200 +Subject: [PATCH] dt-bindings: ata: ahci-ceva: Cover all 4 iommus entries +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: a7844528722619d2f97740ae5ec747afff18c4be + +commit a7844528722619d2f97740ae5ec747afff18c4be upstream. + +Current only one entry is enabled but IP itself is using 4 different IDs +which are already listed in zynqmp.dtsi. + +sata: ahci@fd0c0000 { + compatible = "ceva,ahci-1v84"; + ... + iommus = <&smmu 0x4c0>, <&smmu 0x4c1>, + <&smmu 0x4c2>, <&smmu 0x4c3>; +}; + +Fixes: 8ac47837f0e0 ("arm64: dts: zynqmp: Add missing iommu IDs") +Cc: stable@vger.kernel.org # v5.12+ +Signed-off-by: Michal Simek +Acked-by: Krzysztof Kozlowski +Signed-off-by: Damien Le Moal +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jiri Slaby +--- + Documentation/devicetree/bindings/ata/ceva,ahci-1v84.yaml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Documentation/devicetree/bindings/ata/ceva,ahci-1v84.yaml b/Documentation/devicetree/bindings/ata/ceva,ahci-1v84.yaml +index 9b31f864..71364c60 100644 +--- a/Documentation/devicetree/bindings/ata/ceva,ahci-1v84.yaml ++++ b/Documentation/devicetree/bindings/ata/ceva,ahci-1v84.yaml +@@ -32,7 +32,7 @@ properties: + maxItems: 1 + + iommus: +- maxItems: 1 ++ maxItems: 4 + + power-domains: + maxItems: 1 +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-344-powerpc-iommu-DMA-address-offset-is-incorrectly.patch b/patches.kernel.org/6.3.4-344-powerpc-iommu-DMA-address-offset-is-incorrectly.patch new file mode 100644 index 0000000..307c64c --- /dev/null +++ b/patches.kernel.org/6.3.4-344-powerpc-iommu-DMA-address-offset-is-incorrectly.patch @@ -0,0 +1,84 @@ +From: Gaurav Batra +Date: Thu, 4 May 2023 12:59:13 -0500 +Subject: [PATCH] powerpc/iommu: DMA address offset is incorrectly calculated + with 2MB TCEs +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 096339ab84f36beae0b1db25e0ce63fb3873e8b2 + +commit 096339ab84f36beae0b1db25e0ce63fb3873e8b2 upstream. + +When DMA window is backed by 2MB TCEs, the DMA address for the mapped +page should be the offset of the page relative to the 2MB TCE. The code +was incorrectly setting the DMA address to the beginning of the TCE +range. + +Mellanox driver is reporting timeout trying to ENABLE_HCA for an SR-IOV +ethernet port, when DMA window is backed by 2MB TCEs. + +Fixes: 387273118714 ("powerps/pseries/dma: Add support for 2M IOMMU page size") +Cc: stable@vger.kernel.org # v5.16+ +Signed-off-by: Gaurav Batra +Reviewed-by: Greg Joyce +Reviewed-by: Brian King +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20230504175913.83844-1-gbatra@linux.vnet.ibm.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jiri Slaby +--- + arch/powerpc/kernel/iommu.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/arch/powerpc/kernel/iommu.c b/arch/powerpc/kernel/iommu.c +index ee95937b..b8b7a189 100644 +--- a/arch/powerpc/kernel/iommu.c ++++ b/arch/powerpc/kernel/iommu.c +@@ -517,7 +517,7 @@ int ppc_iommu_map_sg(struct device *dev, struct iommu_table *tbl, + /* Convert entry to a dma_addr_t */ + entry += tbl->it_offset; + dma_addr = entry << tbl->it_page_shift; +- dma_addr |= (s->offset & ~IOMMU_PAGE_MASK(tbl)); ++ dma_addr |= (vaddr & ~IOMMU_PAGE_MASK(tbl)); + + DBG(" - %lu pages, entry: %lx, dma_addr: %lx\n", + npages, entry, dma_addr); +@@ -904,6 +904,7 @@ void *iommu_alloc_coherent(struct device *dev, struct iommu_table *tbl, + unsigned int order; + unsigned int nio_pages, io_order; + struct page *page; ++ int tcesize = (1 << tbl->it_page_shift); + + size = PAGE_ALIGN(size); + order = get_order(size); +@@ -930,7 +931,8 @@ void *iommu_alloc_coherent(struct device *dev, struct iommu_table *tbl, + memset(ret, 0, size); + + /* Set up tces to cover the allocated range */ +- nio_pages = size >> tbl->it_page_shift; ++ nio_pages = IOMMU_PAGE_ALIGN(size, tbl) >> tbl->it_page_shift; ++ + io_order = get_iommu_order(size, tbl); + mapping = iommu_alloc(dev, tbl, ret, nio_pages, DMA_BIDIRECTIONAL, + mask >> tbl->it_page_shift, io_order, 0); +@@ -938,7 +940,8 @@ void *iommu_alloc_coherent(struct device *dev, struct iommu_table *tbl, + free_pages((unsigned long)ret, order); + return NULL; + } +- *dma_handle = mapping; ++ ++ *dma_handle = mapping | ((u64)ret & (tcesize - 1)); + return ret; + } + +@@ -949,7 +952,7 @@ void iommu_free_coherent(struct iommu_table *tbl, size_t size, + unsigned int nio_pages; + + size = PAGE_ALIGN(size); +- nio_pages = size >> tbl->it_page_shift; ++ nio_pages = IOMMU_PAGE_ALIGN(size, tbl) >> tbl->it_page_shift; + iommu_free(tbl, dma_handle, nio_pages); + size = PAGE_ALIGN(size); + free_pages((unsigned long)vaddr, get_order(size)); +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-345-powerpc-iommu-Incorrect-DDW-Table-is-referenced.patch b/patches.kernel.org/6.3.4-345-powerpc-iommu-Incorrect-DDW-Table-is-referenced.patch new file mode 100644 index 0000000..50a5236 --- /dev/null +++ b/patches.kernel.org/6.3.4-345-powerpc-iommu-Incorrect-DDW-Table-is-referenced.patch @@ -0,0 +1,99 @@ +From: Gaurav Batra +Date: Fri, 5 May 2023 13:47:01 -0500 +Subject: [PATCH] powerpc/iommu: Incorrect DDW Table is referenced for SR-IOV + device +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 1f7aacc5eb9ed2cc17be7a90da5cd559effb9d59 + +commit 1f7aacc5eb9ed2cc17be7a90da5cd559effb9d59 upstream. + +For an SR-IOV device, while enabling DDW, a new table is created and +added at index 1 in the group. In the below 2 scenarios, the table is +incorrectly referenced at index 0 (which is where the table is for +default DMA window). + +1. When adding DDW + + This issue is exposed with "slub_debug". Error thrown out from + dma_iommu_dma_supported() + + Warning: IOMMU offset too big for device mask + mask: 0xffffffff, table offset: 0x800000000000000 + +2. During Dynamic removal of the PCI device. + + Error is from iommu_tce_table_put() since a NULL table pointer is + passed in. + +Fixes: 381ceda88c4c ("powerpc/pseries/iommu: Make use of DDW for indirect mapping") +Cc: stable@vger.kernel.org # v5.15+ +Signed-off-by: Gaurav Batra +Reviewed-by: Brian King +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20230505184701.91613-1-gbatra@linux.vnet.ibm.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jiri Slaby +--- + arch/powerpc/kernel/dma-iommu.c | 4 +++- + arch/powerpc/platforms/pseries/iommu.c | 13 +++++++++---- + 2 files changed, 12 insertions(+), 5 deletions(-) + +diff --git a/arch/powerpc/kernel/dma-iommu.c b/arch/powerpc/kernel/dma-iommu.c +index 038ce8d9..8920862f 100644 +--- a/arch/powerpc/kernel/dma-iommu.c ++++ b/arch/powerpc/kernel/dma-iommu.c +@@ -144,7 +144,7 @@ static bool dma_iommu_bypass_supported(struct device *dev, u64 mask) + /* We support DMA to/from any memory page via the iommu */ + int dma_iommu_dma_supported(struct device *dev, u64 mask) + { +- struct iommu_table *tbl = get_iommu_table_base(dev); ++ struct iommu_table *tbl; + + if (dev_is_pci(dev) && dma_iommu_bypass_supported(dev, mask)) { + /* +@@ -162,6 +162,8 @@ int dma_iommu_dma_supported(struct device *dev, u64 mask) + return 1; + } + ++ tbl = get_iommu_table_base(dev); ++ + if (!tbl) { + dev_err(dev, "Warning: IOMMU dma not supported: mask 0x%08llx, table unavailable\n", mask); + return 0; +diff --git a/arch/powerpc/platforms/pseries/iommu.c b/arch/powerpc/platforms/pseries/iommu.c +index c74b71d4..a8acd3b4 100644 +--- a/arch/powerpc/platforms/pseries/iommu.c ++++ b/arch/powerpc/platforms/pseries/iommu.c +@@ -85,19 +85,24 @@ static struct iommu_table_group *iommu_pseries_alloc_group(int node) + static void iommu_pseries_free_group(struct iommu_table_group *table_group, + const char *node_name) + { +- struct iommu_table *tbl; +- + if (!table_group) + return; + +- tbl = table_group->tables[0]; + #ifdef CONFIG_IOMMU_API + if (table_group->group) { + iommu_group_put(table_group->group); + BUG_ON(table_group->group); + } + #endif +- iommu_tce_table_put(tbl); ++ ++ /* Default DMA window table is at index 0, while DDW at 1. SR-IOV ++ * adapters only have table on index 1. ++ */ ++ if (table_group->tables[0]) ++ iommu_tce_table_put(table_group->tables[0]); ++ ++ if (table_group->tables[1]) ++ iommu_tce_table_put(table_group->tables[1]); + + kfree(table_group); + } +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-346-tpm-tpm_tis-Disable-interrupts-for-more-Lenovo-.patch b/patches.kernel.org/6.3.4-346-tpm-tpm_tis-Disable-interrupts-for-more-Lenovo-.patch new file mode 100644 index 0000000..4a025e7 --- /dev/null +++ b/patches.kernel.org/6.3.4-346-tpm-tpm_tis-Disable-interrupts-for-more-Lenovo-.patch @@ -0,0 +1,55 @@ +From: Jerry Snitselaar +Date: Wed, 10 May 2023 17:54:03 -0700 +Subject: [PATCH] tpm/tpm_tis: Disable interrupts for more Lenovo devices +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: e7d3e5c4b1dd50a70b31524c3228c62bb41bbab2 + +commit e7d3e5c4b1dd50a70b31524c3228c62bb41bbab2 upstream. + +The P360 Tiny suffers from an irq storm issue like the T490s, so add +an entry for it to tpm_tis_dmi_table, and force polling. There also +previously was a report from the previous attempt to enable interrupts +that involved a ThinkPad L490. So an entry is added for it as well. + +Cc: stable@vger.kernel.org +Reported-by: Peter Zijlstra # P360 Tiny +Closes: https://lore.kernel.org/linux-integrity/20230505130731.GO83892@hirez.programming.kicks-ass.net/ +Signed-off-by: Jerry Snitselaar +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jiri Slaby +--- + drivers/char/tpm/tpm_tis.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/drivers/char/tpm/tpm_tis.c b/drivers/char/tpm/tpm_tis.c +index ed5dabd3..4be19d8f 100644 +--- a/drivers/char/tpm/tpm_tis.c ++++ b/drivers/char/tpm/tpm_tis.c +@@ -83,6 +83,22 @@ static const struct dmi_system_id tpm_tis_dmi_table[] = { + DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad T490s"), + }, + }, ++ { ++ .callback = tpm_tis_disable_irq, ++ .ident = "ThinkStation P360 Tiny", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkStation P360 Tiny"), ++ }, ++ }, ++ { ++ .callback = tpm_tis_disable_irq, ++ .ident = "ThinkPad L490", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad L490"), ++ }, ++ }, + {} + }; + +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-347-powerpc-64s-radix-Fix-soft-dirty-tracking.patch b/patches.kernel.org/6.3.4-347-powerpc-64s-radix-Fix-soft-dirty-tracking.patch new file mode 100644 index 0000000..cd0fd38 --- /dev/null +++ b/patches.kernel.org/6.3.4-347-powerpc-64s-radix-Fix-soft-dirty-tracking.patch @@ -0,0 +1,62 @@ +From: Michael Ellerman +Date: Thu, 11 May 2023 21:42:24 +1000 +Subject: [PATCH] powerpc/64s/radix: Fix soft dirty tracking +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 66b2ca086210732954a7790d63d35542936fc664 + +commit 66b2ca086210732954a7790d63d35542936fc664 upstream. + +It was reported that soft dirty tracking doesn't work when using the +Radix MMU. + +The tracking is supposed to work by clearing the soft dirty bit for a +mapping and then write protecting the PTE. If/when the page is written +to, a page fault occurs and the soft dirty bit is added back via +pte_mkdirty(). For example in wp_page_reuse(): + + entry = maybe_mkwrite(pte_mkdirty(entry), vma); + if (ptep_set_access_flags(vma, vmf->address, vmf->pte, entry, 1)) + update_mmu_cache(vma, vmf->address, vmf->pte); + +Unfortunately on radix _PAGE_SOFTDIRTY is being dropped by +radix__ptep_set_access_flags(), called from ptep_set_access_flags(), +meaning the soft dirty bit is not set even though the page has been +written to. + +Fix it by adding _PAGE_SOFTDIRTY to the set of bits that are able to be +changed in radix__ptep_set_access_flags(). + +Fixes: b0b5e9b13047 ("powerpc/mm/radix: Add radix pte #defines") +Cc: stable@vger.kernel.org # v4.7+ +Reported-by: Dan Horák +Link: https://lore.kernel.org/r/20230511095558.56663a50f86bdc4cd97700b7@danny.cz +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20230511114224.977423-1-mpe@ellerman.id.au +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jiri Slaby +--- + arch/powerpc/mm/book3s64/radix_pgtable.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/powerpc/mm/book3s64/radix_pgtable.c b/arch/powerpc/mm/book3s64/radix_pgtable.c +index 26245aaf..2297aa76 100644 +--- a/arch/powerpc/mm/book3s64/radix_pgtable.c ++++ b/arch/powerpc/mm/book3s64/radix_pgtable.c +@@ -1040,8 +1040,8 @@ void radix__ptep_set_access_flags(struct vm_area_struct *vma, pte_t *ptep, + pte_t entry, unsigned long address, int psize) + { + struct mm_struct *mm = vma->vm_mm; +- unsigned long set = pte_val(entry) & (_PAGE_DIRTY | _PAGE_ACCESSED | +- _PAGE_RW | _PAGE_EXEC); ++ unsigned long set = pte_val(entry) & (_PAGE_DIRTY | _PAGE_SOFT_DIRTY | ++ _PAGE_ACCESSED | _PAGE_RW | _PAGE_EXEC); + + unsigned long change = pte_val(entry) ^ pte_val(*ptep); + /* +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-348-powerpc-bpf-populate-extable-entries-only-durin.patch b/patches.kernel.org/6.3.4-348-powerpc-bpf-populate-extable-entries-only-durin.patch new file mode 100644 index 0000000..65cde2c --- /dev/null +++ b/patches.kernel.org/6.3.4-348-powerpc-bpf-populate-extable-entries-only-durin.patch @@ -0,0 +1,46 @@ +From: Hari Bathini +Date: Tue, 25 Apr 2023 12:28:29 +0530 +Subject: [PATCH] powerpc/bpf: populate extable entries only during the last + pass +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 35a4b8ce4ac00e940b46b1034916ccb22ce9bdef + +commit 35a4b8ce4ac00e940b46b1034916ccb22ce9bdef upstream. + +Since commit 85e031154c7c ("powerpc/bpf: Perform complete extra passes +to update addresses"), two additional passes are performed to avoid +space and CPU time wastage on powerpc. But these extra passes led to +WARN_ON_ONCE() hits in bpf_add_extable_entry() as extable entries are +populated again, during the extra pass, without resetting the index. +Fix it by resetting entry index before repopulating extable entries, +if and when there is an additional pass. + +Fixes: 85e031154c7c ("powerpc/bpf: Perform complete extra passes to update addresses") +Cc: stable@vger.kernel.org # v6.3+ +Signed-off-by: Hari Bathini +Reviewed-by: Naveen N. Rao +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20230425065829.18189-1-hbathini@linux.ibm.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jiri Slaby +--- + arch/powerpc/net/bpf_jit_comp.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/powerpc/net/bpf_jit_comp.c b/arch/powerpc/net/bpf_jit_comp.c +index e93aefcf..37043dfc 100644 +--- a/arch/powerpc/net/bpf_jit_comp.c ++++ b/arch/powerpc/net/bpf_jit_comp.c +@@ -101,6 +101,8 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *fp) + bpf_hdr = jit_data->header; + proglen = jit_data->proglen; + extra_pass = true; ++ /* During extra pass, ensure index is reset before repopulating extable entries */ ++ cgctx.exentry_idx = 0; + goto skip_init_ctx; + } + +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-349-nfp-fix-NFP_NET_MAX_DSCP-definition-error.patch b/patches.kernel.org/6.3.4-349-nfp-fix-NFP_NET_MAX_DSCP-definition-error.patch new file mode 100644 index 0000000..b1d8dfa --- /dev/null +++ b/patches.kernel.org/6.3.4-349-nfp-fix-NFP_NET_MAX_DSCP-definition-error.patch @@ -0,0 +1,43 @@ +From: Huayu Chen +Date: Thu, 11 May 2023 08:50:56 +0200 +Subject: [PATCH] nfp: fix NFP_NET_MAX_DSCP definition error +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: de9c1a23add9e7842ce63ce6f498a05c66344311 + +commit de9c1a23add9e7842ce63ce6f498a05c66344311 upstream. + +The patch corrects the NFP_NET_MAX_DSCP definition in the main.h file. + +The incorrect definition result DSCP bits not being mapped properly when +DCB is set. When NFP_NET_MAX_DSCP was defined as 4, the next 60 DSCP +bits failed to be set. + +Fixes: 9b7fe8046d74 ("nfp: add DCB IEEE support") +Cc: stable@vger.kernel.org +Signed-off-by: Huayu Chen +Acked-by: Simon Horman +Signed-off-by: Louis Peens +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jiri Slaby +--- + drivers/net/ethernet/netronome/nfp/nic/main.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/netronome/nfp/nic/main.h b/drivers/net/ethernet/netronome/nfp/nic/main.h +index 094374df..38b8b10b 100644 +--- a/drivers/net/ethernet/netronome/nfp/nic/main.h ++++ b/drivers/net/ethernet/netronome/nfp/nic/main.h +@@ -8,7 +8,7 @@ + + #ifdef CONFIG_DCB + /* DCB feature definitions */ +-#define NFP_NET_MAX_DSCP 4 ++#define NFP_NET_MAX_DSCP 64 + #define NFP_NET_MAX_TC IEEE_8021QAZ_MAX_TCS + #define NFP_NET_MAX_PRIO 8 + #define NFP_DCB_CFG_STRIDE 256 +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-350-nilfs2-fix-use-after-free-bug-of-nilfs_root-in-.patch b/patches.kernel.org/6.3.4-350-nilfs2-fix-use-after-free-bug-of-nilfs_root-in-.patch new file mode 100644 index 0000000..14752ac --- /dev/null +++ b/patches.kernel.org/6.3.4-350-nilfs2-fix-use-after-free-bug-of-nilfs_root-in-.patch @@ -0,0 +1,72 @@ +From: Ryusuke Konishi +Date: Wed, 10 May 2023 00:29:56 +0900 +Subject: [PATCH] nilfs2: fix use-after-free bug of nilfs_root in + nilfs_evict_inode() +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 9b5a04ac3ad9898c4745cba46ea26de74ba56a8e + +commit 9b5a04ac3ad9898c4745cba46ea26de74ba56a8e upstream. + +During unmount process of nilfs2, nothing holds nilfs_root structure after +nilfs2 detaches its writer in nilfs_detach_log_writer(). However, since +nilfs_evict_inode() uses nilfs_root for some cleanup operations, it may +cause use-after-free read if inodes are left in "garbage_list" and +released by nilfs_dispose_list() at the end of nilfs_detach_log_writer(). + +Fix this issue by modifying nilfs_evict_inode() to only clear inode +without additional metadata changes that use nilfs_root if the file system +is degraded to read-only or the writer is detached. + +Link: https://lkml.kernel.org/r/20230509152956.8313-1-konishi.ryusuke@gmail.com +Signed-off-by: Ryusuke Konishi +Reported-by: syzbot+78d4495558999f55d1da@syzkaller.appspotmail.com +Closes: https://lkml.kernel.org/r/00000000000099e5ac05fb1c3b85@google.com +Tested-by: Ryusuke Konishi +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jiri Slaby +--- + fs/nilfs2/inode.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/fs/nilfs2/inode.c b/fs/nilfs2/inode.c +index 1310d2d5..a8ce522a 100644 +--- a/fs/nilfs2/inode.c ++++ b/fs/nilfs2/inode.c +@@ -917,6 +917,7 @@ void nilfs_evict_inode(struct inode *inode) + struct nilfs_transaction_info ti; + struct super_block *sb = inode->i_sb; + struct nilfs_inode_info *ii = NILFS_I(inode); ++ struct the_nilfs *nilfs; + int ret; + + if (inode->i_nlink || !ii->i_root || unlikely(is_bad_inode(inode))) { +@@ -929,6 +930,23 @@ void nilfs_evict_inode(struct inode *inode) + + truncate_inode_pages_final(&inode->i_data); + ++ nilfs = sb->s_fs_info; ++ if (unlikely(sb_rdonly(sb) || !nilfs->ns_writer)) { ++ /* ++ * If this inode is about to be disposed after the file system ++ * has been degraded to read-only due to file system corruption ++ * or after the writer has been detached, do not make any ++ * changes that cause writes, just clear it. ++ * Do this check after read-locking ns_segctor_sem by ++ * nilfs_transaction_begin() in order to avoid a race with ++ * the writer detach operation. ++ */ ++ clear_inode(inode); ++ nilfs_clear_inode(inode); ++ nilfs_transaction_abort(sb); ++ return; ++ } ++ + /* TODO: some of the following operations may fail. */ + nilfs_truncate_bmap(ii, 0); + nilfs_mark_inode_dirty(inode); +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-351-s390-dasd-fix-command-reject-error-on-ESE-devic.patch b/patches.kernel.org/6.3.4-351-s390-dasd-fix-command-reject-error-on-ESE-devic.patch new file mode 100644 index 0000000..bf1b14c --- /dev/null +++ b/patches.kernel.org/6.3.4-351-s390-dasd-fix-command-reject-error-on-ESE-devic.patch @@ -0,0 +1,112 @@ +From: Stefan Haberland +Date: Fri, 19 May 2023 12:23:40 +0200 +Subject: [PATCH] s390/dasd: fix command reject error on ESE devices +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: c99bff34290f1b994073557b754aff86e4c7b22e + +commit c99bff34290f1b994073557b754aff86e4c7b22e upstream. + +Formatting a thin-provisioned (ESE) device that is part of a PPRC copy +relation might fail with the following error: + +dasd-eckd 0.0.f500: An error occurred in the DASD device driver, reason=09 +[...] +24 Byte: 0 MSG 4, no MSGb to SYSOP + +During format of an ESE disk the Release Allocated Space command is used. +A bit in the payload of the command is set that is not allowed to be set +for devices in a copy relation. This bit is set to allow the partial +release of an extent. + +Check for the existence of a copy relation before setting the respective +bit. + +Fixes: 91dc4a197569 ("s390/dasd: Add new ioctl to release space") +Cc: stable@kernel.org # 5.3+ +Signed-off-by: Stefan Haberland +Reviewed-by: Jan Hoeppner +Link: https://lore.kernel.org/r/20230519102340.3854819-2-sth@linux.ibm.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jiri Slaby +--- + drivers/s390/block/dasd_eckd.c | 33 +++++++++++++++++++++++++++++++-- + 1 file changed, 31 insertions(+), 2 deletions(-) + +diff --git a/drivers/s390/block/dasd_eckd.c b/drivers/s390/block/dasd_eckd.c +index 1a69f97e..1baf548c 100644 +--- a/drivers/s390/block/dasd_eckd.c ++++ b/drivers/s390/block/dasd_eckd.c +@@ -127,6 +127,8 @@ static int prepare_itcw(struct itcw *, unsigned int, unsigned int, int, + struct dasd_device *, struct dasd_device *, + unsigned int, int, unsigned int, unsigned int, + unsigned int, unsigned int); ++static int dasd_eckd_query_pprc_status(struct dasd_device *, ++ struct dasd_pprc_data_sc4 *); + + /* initial attempt at a probe function. this can be simplified once + * the other detection code is gone */ +@@ -3732,6 +3734,26 @@ static int count_exts(unsigned int from, unsigned int to, int trks_per_ext) + return count; + } + ++static int dasd_in_copy_relation(struct dasd_device *device) ++{ ++ struct dasd_pprc_data_sc4 *temp; ++ int rc; ++ ++ if (!dasd_eckd_pprc_enabled(device)) ++ return 0; ++ ++ temp = kzalloc(sizeof(*temp), GFP_KERNEL); ++ if (!temp) ++ return -ENOMEM; ++ ++ rc = dasd_eckd_query_pprc_status(device, temp); ++ if (!rc) ++ rc = temp->dev_info[0].state; ++ ++ kfree(temp); ++ return rc; ++} ++ + /* + * Release allocated space for a given range or an entire volume. + */ +@@ -3748,6 +3770,7 @@ dasd_eckd_dso_ras(struct dasd_device *device, struct dasd_block *block, + int cur_to_trk, cur_from_trk; + struct dasd_ccw_req *cqr; + u32 beg_cyl, end_cyl; ++ int copy_relation; + struct ccw1 *ccw; + int trks_per_ext; + size_t ras_size; +@@ -3759,6 +3782,10 @@ dasd_eckd_dso_ras(struct dasd_device *device, struct dasd_block *block, + if (dasd_eckd_ras_sanity_checks(device, first_trk, last_trk)) + return ERR_PTR(-EINVAL); + ++ copy_relation = dasd_in_copy_relation(device); ++ if (copy_relation < 0) ++ return ERR_PTR(copy_relation); ++ + rq = req ? blk_mq_rq_to_pdu(req) : NULL; + + features = &private->features; +@@ -3787,9 +3814,11 @@ dasd_eckd_dso_ras(struct dasd_device *device, struct dasd_block *block, + /* + * This bit guarantees initialisation of tracks within an extent that is + * not fully specified, but is only supported with a certain feature +- * subset. ++ * subset and for devices not in a copy relation. + */ +- ras_data->op_flags.guarantee_init = !!(features->feature[56] & 0x01); ++ if (features->feature[56] & 0x01 && !copy_relation) ++ ras_data->op_flags.guarantee_init = 1; ++ + ras_data->lss = private->conf.ned->ID; + ras_data->dev_addr = private->conf.ned->unit_addr; + ras_data->nr_exts = nr_exts; +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-352-s390-crypto-use-vector-instructions-only-if-ava.patch b/patches.kernel.org/6.3.4-352-s390-crypto-use-vector-instructions-only-if-ava.patch new file mode 100644 index 0000000..44c429d --- /dev/null +++ b/patches.kernel.org/6.3.4-352-s390-crypto-use-vector-instructions-only-if-ava.patch @@ -0,0 +1,74 @@ +From: Heiko Carstens +Date: Thu, 20 Apr 2023 13:31:29 +0200 +Subject: [PATCH] s390/crypto: use vector instructions only if available for + ChaCha20 +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 8703dd6b238da0ec6c276e53836f8200983d3d9b + +commit 8703dd6b238da0ec6c276e53836f8200983d3d9b upstream. + +Commit 349d03ffd5f6 ("crypto: s390 - add crypto library interface for +ChaCha20") added a library interface to the s390 specific ChaCha20 +implementation. However no check was added to verify if the required +facilities are installed before branching into the assembler code. + +If compiled into the kernel, this will lead to the following crash, +if vector instructions are not available: + +data exception: 0007 ilc:3 [#1] SMP +Modules linked in: +CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.3.0-rc7+ #11 +Hardware name: IBM 3931 A01 704 (KVM/Linux) +Krnl PSW : 0704e00180000000 000000001857277a (chacha20_vx+0x32/0x818) + R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3 +Krnl GPRS: 0000037f0000000a ffffffffffffff60 000000008184b000 0000000019f5c8e6 + 0000000000000109 0000037fffb13c58 0000037fffb13c78 0000000019bb1780 + 0000037fffb13c58 0000000019f5c8e6 000000008184b000 0000000000000109 + 00000000802d8000 0000000000000109 0000000018571ebc 0000037fffb13718 +Krnl Code: 000000001857276a: c07000b1f80b larl %r7,0000000019bb1780 + 0000000018572770: a708000a lhi %r0,10 + #0000000018572774: e78950000c36 vlm %v24,%v25,0(%r5),0 + >000000001857277a: e7a060000806 vl %v26,0(%r6),0 + 0000000018572780: e7bf70004c36 vlm %v27,%v31,0(%r7),4 + 0000000018572786: e70b00000456 vlr %v0,%v27 + 000000001857278c: e71800000456 vlr %v1,%v24 + 0000000018572792: e74b00000456 vlr %v4,%v27 +Call Trace: + [<000000001857277a>] chacha20_vx+0x32/0x818 +Last Breaking-Event-Address: + [<0000000018571eb6>] chacha20_crypt_s390.constprop.0+0x6e/0xd8 +---[ end trace 0000000000000000 ]--- +Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b + +Fix this by adding a missing MACHINE_HAS_VX check. + +Fixes: 349d03ffd5f6 ("crypto: s390 - add crypto library interface for ChaCha20") +Reported-by: Marc Hartmayer +Cc: # 5.19+ +Reviewed-by: Harald Freudenberger +[agordeev@linux.ibm.com: remove duplicates in commit message] +Signed-off-by: Heiko Carstens +Signed-off-by: Alexander Gordeev +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jiri Slaby +--- + arch/s390/crypto/chacha-glue.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/s390/crypto/chacha-glue.c b/arch/s390/crypto/chacha-glue.c +index 7752bd31..5fae187f 100644 +--- a/arch/s390/crypto/chacha-glue.c ++++ b/arch/s390/crypto/chacha-glue.c +@@ -82,7 +82,7 @@ void chacha_crypt_arch(u32 *state, u8 *dst, const u8 *src, + * it cannot handle a block of data or less, but otherwise + * it can handle data of arbitrary size + */ +- if (bytes <= CHACHA_BLOCK_SIZE || nrounds != 20) ++ if (bytes <= CHACHA_BLOCK_SIZE || nrounds != 20 || !MACHINE_HAS_VX) + chacha_crypt_generic(state, dst, src, bytes, nrounds); + else + chacha20_crypt_s390(state, dst, src, bytes, +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-353-s390-qdio-fix-do_sqbs-inline-assembly-constrain.patch b/patches.kernel.org/6.3.4-353-s390-qdio-fix-do_sqbs-inline-assembly-constrain.patch new file mode 100644 index 0000000..5f9b6de --- /dev/null +++ b/patches.kernel.org/6.3.4-353-s390-qdio-fix-do_sqbs-inline-assembly-constrain.patch @@ -0,0 +1,67 @@ +From: Heiko Carstens +Date: Thu, 11 May 2023 17:04:41 +0200 +Subject: [PATCH] s390/qdio: fix do_sqbs() inline assembly constraint +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 2862a2fdfae875888e3c1c3634e3422e01d98147 + +commit 2862a2fdfae875888e3c1c3634e3422e01d98147 upstream. + +Use "a" constraint instead of "d" constraint to pass the state parameter to +the do_sqbs() inline assembly. This prevents that general purpose register +zero is used for the state parameter. + +If the compiler would select general purpose register zero this would be +problematic for the used instruction in rsy format: the register used for +the state parameter is a base register. If the base register is general +purpose register zero the contents of the register are unexpectedly ignored +when the instruction is executed. + +This only applies to z/VM guests using QIOASSIST with dedicated (pass through) +QDIO-based devices such as FCP [zfcp driver] as well as real OSA or +HiperSockets [qeth driver]. + +A possible symptom for this case using zfcp is the following repeating kernel +message pattern: + +zfcp : A QDIO problem occurred +zfcp : A QDIO problem occurred +zfcp : qdio: ZFCP on SC using AI:1 QEBSM:1 PRI:1 TDD:1 SIGA: W +zfcp : A QDIO problem occurred +zfcp : A QDIO problem occurred + +Each of the qdio problem message can be accompanied by the following entries +for the affected subchannel in +/sys/kernel/debug/s390dbf/qdio_error/hex_ascii for zfcp or qeth: + + ccq: 69.... + SQBS ERROR. + +Reviewed-by: Benjamin Block +Cc: Steffen Maier +Fixes: 8129ee164267 ("[PATCH] s390: qdio V=V pass-through") +Cc: +Signed-off-by: Heiko Carstens +Signed-off-by: Alexander Gordeev +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jiri Slaby +--- + drivers/s390/cio/qdio.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/s390/cio/qdio.h b/drivers/s390/cio/qdio.h +index 5ea6249d..641f0dbb 100644 +--- a/drivers/s390/cio/qdio.h ++++ b/drivers/s390/cio/qdio.h +@@ -95,7 +95,7 @@ static inline int do_sqbs(u64 token, unsigned char state, int queue, + " lgr 1,%[token]\n" + " .insn rsy,0xeb000000008a,%[qs],%[ccq],0(%[state])" + : [ccq] "+&d" (_ccq), [qs] "+&d" (_queuestart) +- : [state] "d" ((unsigned long)state), [token] "d" (token) ++ : [state] "a" ((unsigned long)state), [token] "d" (token) + : "memory", "cc", "1"); + *count = _ccq & 0xff; + *start = _queuestart & 0xff; +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-354-arm64-Also-reset-KASAN-tag-if-page-is-not-PG_mt.patch b/patches.kernel.org/6.3.4-354-arm64-Also-reset-KASAN-tag-if-page-is-not-PG_mt.patch new file mode 100644 index 0000000..8fcc1fa --- /dev/null +++ b/patches.kernel.org/6.3.4-354-arm64-Also-reset-KASAN-tag-if-page-is-not-PG_mt.patch @@ -0,0 +1,61 @@ +From: Peter Collingbourne +Date: Thu, 20 Apr 2023 14:09:45 -0700 +Subject: [PATCH] arm64: Also reset KASAN tag if page is not PG_mte_tagged +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 2efbafb91e12ff5a16cbafb0085e4c10c3fca493 + +commit 2efbafb91e12ff5a16cbafb0085e4c10c3fca493 upstream. + +Consider the following sequence of events: + +1) A page in a PROT_READ|PROT_WRITE VMA is faulted. +2) Page migration allocates a page with the KASAN allocator, + causing it to receive a non-match-all tag, and uses it + to replace the page faulted in 1. +3) The program uses mprotect() to enable PROT_MTE on the page faulted in 1. + +As a result of step 3, we are left with a non-match-all tag for a page +with tags accessible to userspace, which can lead to the same kind of +tag check faults that commit e74a68468062 ("arm64: Reset KASAN tag in +copy_highpage with HW tags only") intended to fix. + +The general invariant that we have for pages in a VMA with VM_MTE_ALLOWED +is that they cannot have a non-match-all tag. As a result of step 2, the +invariant is broken. This means that the fix in the referenced commit +was incomplete and we also need to reset the tag for pages without +PG_mte_tagged. + +Fixes: e5b8d9218951 ("arm64: mte: reset the page tag in page->flags") +Cc: # 5.15 +Link: https://linux-review.googlesource.com/id/I7409cdd41acbcb215c2a7417c1e50d37b875beff +Signed-off-by: Peter Collingbourne +Reviewed-by: Catalin Marinas +Link: https://lore.kernel.org/r/20230420210945.2313627-1-pcc@google.com +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jiri Slaby +--- + arch/arm64/mm/copypage.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/mm/copypage.c b/arch/arm64/mm/copypage.c +index 4aadcfb0..a7bb2005 100644 +--- a/arch/arm64/mm/copypage.c ++++ b/arch/arm64/mm/copypage.c +@@ -21,9 +21,10 @@ void copy_highpage(struct page *to, struct page *from) + + copy_page(kto, kfrom); + ++ if (kasan_hw_tags_enabled()) ++ page_kasan_tag_reset(to); ++ + if (system_supports_mte() && page_mte_tagged(from)) { +- if (kasan_hw_tags_enabled()) +- page_kasan_tag_reset(to); + /* It's a new page, shouldn't have been tagged yet */ + WARN_ON_ONCE(!try_page_mte_tagging(to)); + mte_copy_page_tags(kto, kfrom); +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-355-arm64-mte-Do-not-set-PG_mte_tagged-if-tags-were.patch b/patches.kernel.org/6.3.4-355-arm64-mte-Do-not-set-PG_mte_tagged-if-tags-were.patch new file mode 100644 index 0000000..1a8cca8 --- /dev/null +++ b/patches.kernel.org/6.3.4-355-arm64-mte-Do-not-set-PG_mte_tagged-if-tags-were.patch @@ -0,0 +1,61 @@ +From: Peter Collingbourne +Date: Thu, 20 Apr 2023 14:43:27 -0700 +Subject: [PATCH] arm64: mte: Do not set PG_mte_tagged if tags were not + initialized +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: c4c597f1b367433c52c531dccd6859a39b4580fb + +commit c4c597f1b367433c52c531dccd6859a39b4580fb upstream. + +The mte_sync_page_tags() function sets PG_mte_tagged if it initializes +page tags. Then we return to mte_sync_tags(), which sets PG_mte_tagged +again. At best, this is redundant. However, it is possible for +mte_sync_page_tags() to return without having initialized tags for the +page, i.e. in the case where check_swap is true (non-compound page), +is_swap_pte(old_pte) is false and pte_is_tagged is false. So at worst, +we set PG_mte_tagged on a page with uninitialized tags. This can happen +if, for example, page migration causes a PTE for an untagged page to +be replaced. If the userspace program subsequently uses mprotect() to +enable PROT_MTE for that page, the uninitialized tags will be exposed +to userspace. + +Fix it by removing the redundant call to set_page_mte_tagged(). + +Fixes: e059853d14ca ("arm64: mte: Fix/clarify the PG_mte_tagged semantics") +Signed-off-by: Peter Collingbourne +Cc: # 6.1 +Link: https://linux-review.googlesource.com/id/Ib02d004d435b2ed87603b858ef7480f7b1463052 +Reviewed-by: Catalin Marinas +Reviewed-by: Alexandru Elisei +Link: https://lore.kernel.org/r/20230420214327.2357985-1-pcc@google.com +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jiri Slaby +--- + arch/arm64/kernel/mte.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +diff --git a/arch/arm64/kernel/mte.c b/arch/arm64/kernel/mte.c +index f5bcb0dc..7e89968b 100644 +--- a/arch/arm64/kernel/mte.c ++++ b/arch/arm64/kernel/mte.c +@@ -66,13 +66,10 @@ void mte_sync_tags(pte_t old_pte, pte_t pte) + return; + + /* if PG_mte_tagged is set, tags have already been initialised */ +- for (i = 0; i < nr_pages; i++, page++) { +- if (!page_mte_tagged(page)) { ++ for (i = 0; i < nr_pages; i++, page++) ++ if (!page_mte_tagged(page)) + mte_sync_page_tags(page, old_pte, check_swap, + pte_is_tagged); +- set_page_mte_tagged(page); +- } +- } + + /* ensure the tags are visible before the PTE is set */ + smp_wmb(); +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-356-rethook-use-preempt_-disable-enable-_notrace-in.patch b/patches.kernel.org/6.3.4-356-rethook-use-preempt_-disable-enable-_notrace-in.patch new file mode 100644 index 0000000..e6e4a48 --- /dev/null +++ b/patches.kernel.org/6.3.4-356-rethook-use-preempt_-disable-enable-_notrace-in.patch @@ -0,0 +1,53 @@ +From: Ze Gao +Date: Wed, 17 May 2023 11:45:06 +0800 +Subject: [PATCH] rethook: use preempt_{disable, enable}_notrace in + rethook_trampoline_handler +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: be243bacfb25f5219f2396d787408e8cf1301dd1 + +commit be243bacfb25f5219f2396d787408e8cf1301dd1 upstream. + +This patch replaces preempt_{disable, enable} with its corresponding +notrace version in rethook_trampoline_handler so no worries about stack +recursion or overflow introduced by preempt_count_{add, sub} under +fprobe + rethook context. + +Link: https://lore.kernel.org/all/20230517034510.15639-2-zegao@tencent.com/ + +Fixes: 54ecbe6f1ed5 ("rethook: Add a generic return hook") +Signed-off-by: Ze Gao +Acked-by: Masami Hiramatsu (Google) +Cc: +Signed-off-by: Masami Hiramatsu (Google) +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jiri Slaby +--- + kernel/trace/rethook.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/kernel/trace/rethook.c b/kernel/trace/rethook.c +index 32c3dfdb..60f6cb2b 100644 +--- a/kernel/trace/rethook.c ++++ b/kernel/trace/rethook.c +@@ -288,7 +288,7 @@ unsigned long rethook_trampoline_handler(struct pt_regs *regs, + * These loops must be protected from rethook_free_rcu() because those + * are accessing 'rhn->rethook'. + */ +- preempt_disable(); ++ preempt_disable_notrace(); + + /* + * Run the handler on the shadow stack. Do not unlink the list here because +@@ -321,7 +321,7 @@ unsigned long rethook_trampoline_handler(struct pt_regs *regs, + first = first->next; + rethook_recycle(rhn); + } +- preempt_enable(); ++ preempt_enable_notrace(); + + return correct_ret_addr; + } +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-357-rethook-fprobe-do-not-trace-rethook-related-fun.patch b/patches.kernel.org/6.3.4-357-rethook-fprobe-do-not-trace-rethook-related-fun.patch new file mode 100644 index 0000000..d52b439 --- /dev/null +++ b/patches.kernel.org/6.3.4-357-rethook-fprobe-do-not-trace-rethook-related-fun.patch @@ -0,0 +1,66 @@ +From: Ze Gao +Date: Wed, 17 May 2023 11:45:09 +0800 +Subject: [PATCH] rethook, fprobe: do not trace rethook related functions +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 571a2a50a8fc546145ffd3bf673547e9fe128ed2 + +commit 571a2a50a8fc546145ffd3bf673547e9fe128ed2 upstream. + +These functions are already marked as NOKPROBE to prevent recursion and +we have the same reason to blacklist them if rethook is used with fprobe, +since they are beyond the recursion-free region ftrace can guard. + +Link: https://lore.kernel.org/all/20230517034510.15639-5-zegao@tencent.com/ + +Fixes: f3a112c0c40d ("x86,rethook,kprobes: Replace kretprobe with rethook on x86") +Signed-off-by: Ze Gao +Reviewed-by: Steven Rostedt (Google) +Acked-by: Masami Hiramatsu (Google) +Cc: stable@vger.kernel.org +Signed-off-by: Masami Hiramatsu (Google) +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jiri Slaby +--- + arch/riscv/kernel/probes/Makefile | 2 ++ + arch/s390/kernel/Makefile | 1 + + arch/x86/kernel/Makefile | 1 + + 3 files changed, 4 insertions(+) + +diff --git a/arch/riscv/kernel/probes/Makefile b/arch/riscv/kernel/probes/Makefile +index c40139e9..8265ff49 100644 +--- a/arch/riscv/kernel/probes/Makefile ++++ b/arch/riscv/kernel/probes/Makefile +@@ -4,3 +4,5 @@ obj-$(CONFIG_RETHOOK) += rethook.o rethook_trampoline.o + obj-$(CONFIG_KPROBES_ON_FTRACE) += ftrace.o + obj-$(CONFIG_UPROBES) += uprobes.o decode-insn.o simulate-insn.o + CFLAGS_REMOVE_simulate-insn.o = $(CC_FLAGS_FTRACE) ++CFLAGS_REMOVE_rethook.o = $(CC_FLAGS_FTRACE) ++CFLAGS_REMOVE_rethook_trampoline.o = $(CC_FLAGS_FTRACE) +diff --git a/arch/s390/kernel/Makefile b/arch/s390/kernel/Makefile +index 8983837b..6b2a051e 100644 +--- a/arch/s390/kernel/Makefile ++++ b/arch/s390/kernel/Makefile +@@ -10,6 +10,7 @@ CFLAGS_REMOVE_ftrace.o = $(CC_FLAGS_FTRACE) + + # Do not trace early setup code + CFLAGS_REMOVE_early.o = $(CC_FLAGS_FTRACE) ++CFLAGS_REMOVE_rethook.o = $(CC_FLAGS_FTRACE) + + endif + +diff --git a/arch/x86/kernel/Makefile b/arch/x86/kernel/Makefile +index dd61752f..4070a01c 100644 +--- a/arch/x86/kernel/Makefile ++++ b/arch/x86/kernel/Makefile +@@ -17,6 +17,7 @@ CFLAGS_REMOVE_ftrace.o = -pg + CFLAGS_REMOVE_early_printk.o = -pg + CFLAGS_REMOVE_head64.o = -pg + CFLAGS_REMOVE_sev.o = -pg ++CFLAGS_REMOVE_rethook.o = -pg + endif + + KASAN_SANITIZE_head$(BITS).o := n +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-358-remoteproc-imx_dsp_rproc-Fix-kernel-test-robot-.patch b/patches.kernel.org/6.3.4-358-remoteproc-imx_dsp_rproc-Fix-kernel-test-robot-.patch new file mode 100644 index 0000000..7f4ae65 --- /dev/null +++ b/patches.kernel.org/6.3.4-358-remoteproc-imx_dsp_rproc-Fix-kernel-test-robot-.patch @@ -0,0 +1,66 @@ +From: Mathieu Poirier +Date: Fri, 7 Apr 2023 10:14:29 -0600 +Subject: [PATCH] remoteproc: imx_dsp_rproc: Fix kernel test robot sparse + warning +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 3c497f624d40171ebead1a6705793100d92ecb85 + +[ Upstream commit 3c497f624d40171ebead1a6705793100d92ecb85 ] + +This patch fixes the kernel test robot warning reported here: + +https://lore.kernel.org/bpf/642f916b.pPIKZ%2Fl%2F%2Fbw8tvIH%25lkp@intel.com/T/ + +Fixes: 408ec1ff0caa ("remoteproc: imx_dsp_rproc: Add custom memory copy implementation for i.MX DSP Cores") +Link: https://lore.kernel.org/r/20230407161429.3973177-1-mathieu.poirier@linaro.org +Tested-by: Iuliana Prodan +Reviewed-by: Iuliana Prodan +Signed-off-by: Mathieu Poirier +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + drivers/remoteproc/imx_dsp_rproc.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/remoteproc/imx_dsp_rproc.c b/drivers/remoteproc/imx_dsp_rproc.c +index e8e23f6b..dcd07a6a 100644 +--- a/drivers/remoteproc/imx_dsp_rproc.c ++++ b/drivers/remoteproc/imx_dsp_rproc.c +@@ -727,12 +727,12 @@ static void imx_dsp_rproc_kick(struct rproc *rproc, int vqid) + * The IRAM is part of the HiFi DSP. + * According to hw specs only 32-bits writes are allowed. + */ +-static int imx_dsp_rproc_memcpy(void *dest, const void *src, size_t size) ++static int imx_dsp_rproc_memcpy(void *dst, const void *src, size_t size) + { ++ void __iomem *dest = (void __iomem *)dst; + const u8 *src_byte = src; + const u32 *source = src; + u32 affected_mask; +- u32 *dst = dest; + int i, q, r; + u32 tmp; + +@@ -745,7 +745,7 @@ static int imx_dsp_rproc_memcpy(void *dest, const void *src, size_t size) + + /* copy data in units of 32 bits at a time */ + for (i = 0; i < q; i++) +- writel(source[i], &dst[i]); ++ writel(source[i], dest + i * 4); + + if (r) { + affected_mask = GENMASK(8 * r, 0); +@@ -776,8 +776,8 @@ static int imx_dsp_rproc_memcpy(void *dest, const void *src, size_t size) + */ + static int imx_dsp_rproc_memset(void *addr, u8 value, size_t size) + { ++ void __iomem *tmp_dst = (void __iomem *)addr; + u32 tmp_val = value; +- u32 *tmp_dst = addr; + u32 affected_mask; + int q, r; + u32 tmp; +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-359-ARM-9294-2-vfp-Fix-broken-softirq-handling-with.patch b/patches.kernel.org/6.3.4-359-ARM-9294-2-vfp-Fix-broken-softirq-handling-with.patch new file mode 100644 index 0000000..d247173 --- /dev/null +++ b/patches.kernel.org/6.3.4-359-ARM-9294-2-vfp-Fix-broken-softirq-handling-with.patch @@ -0,0 +1,188 @@ +From: Ard Biesheuvel +Date: Wed, 12 Apr 2023 09:50:20 +0100 +Subject: [PATCH] ARM: 9294/2: vfp: Fix broken softirq handling with + instrumentation enabled +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: c76c6c4ecbec0deb56a4f9e932b26866024a508f + +[ Upstream commit c76c6c4ecbec0deb56a4f9e932b26866024a508f ] + +Commit 62b95a7b44d1 ("ARM: 9282/1: vfp: Manipulate task VFP state with +softirqs disabled") replaced the en/disable preemption calls inside the +VFP state handling code with en/disabling of soft IRQs, which is +necessary to allow kernel use of the VFP/SIMD unit when handling a soft +IRQ. + +Unfortunately, when lockdep is enabled (or other instrumentation that +enables TRACE_IRQFLAGS), the disable path implemented in asm fails to +perform the lockdep and RCU related bookkeeping, resulting in spurious +warnings and other badness. + +Set let's rework the VFP entry code a little bit so we can make the +local_bh_disable() call from C, with all the instrumentations that +happen to have been configured. Calling local_bh_enable() can be done +from asm, as it is a simple wrapper around __local_bh_enable_ip(), which +is always a callable function. + +Link: https://lore.kernel.org/all/ZBBYCSZUJOWBg1s8@localhost.localdomain/ + +Fixes: 62b95a7b44d1 ("ARM: 9282/1: vfp: Manipulate task VFP state with softirqs disabled") +Signed-off-by: Ard Biesheuvel +Reviewed-by: Linus Walleij +Tested-by: Guenter Roeck +Signed-off-by: Russell King (Oracle) +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + arch/arm/include/asm/assembler.h | 13 ------------- + arch/arm/vfp/entry.S | 11 +---------- + arch/arm/vfp/vfphw.S | 12 ++++++------ + arch/arm/vfp/vfpmodule.c | 27 ++++++++++++++++++++++----- + 4 files changed, 29 insertions(+), 34 deletions(-) + +diff --git a/arch/arm/include/asm/assembler.h b/arch/arm/include/asm/assembler.h +index 06b48ce2..505a306e 100644 +--- a/arch/arm/include/asm/assembler.h ++++ b/arch/arm/include/asm/assembler.h +@@ -244,19 +244,6 @@ THUMB( fpreg .req r7 ) + .endm + #endif + +- .macro local_bh_disable, ti, tmp +- ldr \tmp, [\ti, #TI_PREEMPT] +- add \tmp, \tmp, #SOFTIRQ_DISABLE_OFFSET +- str \tmp, [\ti, #TI_PREEMPT] +- .endm +- +- .macro local_bh_enable_ti, ti, tmp +- get_thread_info \ti +- ldr \tmp, [\ti, #TI_PREEMPT] +- sub \tmp, \tmp, #SOFTIRQ_DISABLE_OFFSET +- str \tmp, [\ti, #TI_PREEMPT] +- .endm +- + #define USERL(l, x...) \ + 9999: x; \ + .pushsection __ex_table,"a"; \ +diff --git a/arch/arm/vfp/entry.S b/arch/arm/vfp/entry.S +index 6dabb476..7483ef8b 100644 +--- a/arch/arm/vfp/entry.S ++++ b/arch/arm/vfp/entry.S +@@ -24,14 +24,5 @@ + ENTRY(do_vfp) + mov r1, r10 + mov r3, r9 +- ldr r4, .LCvfp +- ldr pc, [r4] @ call VFP entry point ++ b vfp_entry + ENDPROC(do_vfp) +- +-ENTRY(vfp_null_entry) +- ret lr +-ENDPROC(vfp_null_entry) +- +- .align 2 +-.LCvfp: +- .word vfp_vector +diff --git a/arch/arm/vfp/vfphw.S b/arch/arm/vfp/vfphw.S +index 60acd42e..4d847826 100644 +--- a/arch/arm/vfp/vfphw.S ++++ b/arch/arm/vfp/vfphw.S +@@ -75,8 +75,6 @@ + @ lr = unrecognised instruction return address + @ IRQs enabled. + ENTRY(vfp_support_entry) +- local_bh_disable r1, r4 +- + ldr r11, [r1, #TI_CPU] @ CPU number + add r10, r1, #TI_VFPSTATE @ r10 = workspace + +@@ -179,9 +177,12 @@ vfp_hw_state_valid: + @ else it's one 32-bit instruction, so + @ always subtract 4 from the following + @ instruction address. +- local_bh_enable_ti r10, r4 +- ret r3 @ we think we have handled things + ++ mov lr, r3 @ we think we have handled things ++local_bh_enable_and_ret: ++ adr r0, . ++ mov r1, #SOFTIRQ_DISABLE_OFFSET ++ b __local_bh_enable_ip @ tail call + + look_for_VFP_exceptions: + @ Check for synchronous or asynchronous exception +@@ -204,8 +205,7 @@ skip: + @ not recognised by VFP + + DBGSTR "not VFP" +- local_bh_enable_ti r10, r4 +- ret lr ++ b local_bh_enable_and_ret + + process_exception: + DBGSTR "bounce" +diff --git a/arch/arm/vfp/vfpmodule.c b/arch/arm/vfp/vfpmodule.c +index 01bc48d7..349dcb94 100644 +--- a/arch/arm/vfp/vfpmodule.c ++++ b/arch/arm/vfp/vfpmodule.c +@@ -32,10 +32,9 @@ + /* + * Our undef handlers (in entry.S) + */ +-asmlinkage void vfp_support_entry(void); +-asmlinkage void vfp_null_entry(void); ++asmlinkage void vfp_support_entry(u32, void *, u32, u32); + +-asmlinkage void (*vfp_vector)(void) = vfp_null_entry; ++static bool have_vfp __ro_after_init; + + /* + * Dual-use variable. +@@ -645,6 +644,25 @@ static int vfp_starting_cpu(unsigned int unused) + return 0; + } + ++/* ++ * Entered with: ++ * ++ * r0 = instruction opcode (32-bit ARM or two 16-bit Thumb) ++ * r1 = thread_info pointer ++ * r2 = PC value to resume execution after successful emulation ++ * r3 = normal "successful" return address ++ * lr = unrecognised instruction return address ++ */ ++asmlinkage void vfp_entry(u32 trigger, struct thread_info *ti, u32 resume_pc, ++ u32 resume_return_address) ++{ ++ if (unlikely(!have_vfp)) ++ return; ++ ++ local_bh_disable(); ++ vfp_support_entry(trigger, ti, resume_pc, resume_return_address); ++} ++ + #ifdef CONFIG_KERNEL_MODE_NEON + + static int vfp_kmode_exception(struct pt_regs *regs, unsigned int instr) +@@ -798,7 +816,6 @@ static int __init vfp_init(void) + vfpsid = fmrx(FPSID); + barrier(); + unregister_undef_hook(&vfp_detect_hook); +- vfp_vector = vfp_null_entry; + + pr_info("VFP support v0.3: "); + if (VFP_arch) { +@@ -883,7 +900,7 @@ static int __init vfp_init(void) + "arm/vfp:starting", vfp_starting_cpu, + vfp_dying_cpu); + +- vfp_vector = vfp_support_entry; ++ have_vfp = true; + + thread_register_notifier(&vfp_notifier_block); + vfp_pm_init(); +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-360-ARM-9297-1-vfp-avoid-unbalanced-stack-on-succes.patch b/patches.kernel.org/6.3.4-360-ARM-9297-1-vfp-avoid-unbalanced-stack-on-succes.patch new file mode 100644 index 0000000..b2ef1f6 --- /dev/null +++ b/patches.kernel.org/6.3.4-360-ARM-9297-1-vfp-avoid-unbalanced-stack-on-succes.patch @@ -0,0 +1,96 @@ +From: Ard Biesheuvel +Date: Mon, 8 May 2023 13:40:19 +0100 +Subject: [PATCH] ARM: 9297/1: vfp: avoid unbalanced stack on 'success' return + path +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 2b951b0efbaa6c805854b60c11f08811054d50cd + +[ Upstream commit 2b951b0efbaa6c805854b60c11f08811054d50cd ] + +Commit c76c6c4ecbec0deb5 ("ARM: 9294/2: vfp: Fix broken softirq handling +with instrumentation enabled") updated the VFP exception entry logic to +go via a C function, so that we get the compiler's version of +local_bh_disable(), which may be instrumented, and isn't generally +callable from assembler. + +However, this assumes that passing an alternative 'success' return +address works in C as it does in asm, and this is only the case if the C +calls in question are tail calls, as otherwise, the stack will need some +unwinding as well. + +I have already sent patches to the list that replace most of the asm +logic with C code, and so it is preferable to have a minimal fix that +addresses the issue and can be backported along with the commit that it + +fixes to v6.3 from v6.4. Hopefully, we can land the C conversion for v6.5. + +So instead of passing the 'success' return address as a function +argument, pass the stack address from where to pop it so that both LR +and SP have the expected value. + +Fixes: c76c6c4ecbec0deb5 ("ARM: 9294/2: vfp: Fix broken softirq handling with ...") +Reported-by: syzbot+d4b00edc2d0c910d4bf4@syzkaller.appspotmail.com +Tested-by: syzbot+d4b00edc2d0c910d4bf4@syzkaller.appspotmail.com +Reviewed-by: Linus Walleij +Tested-by: Andrew Lunn +Signed-off-by: Ard Biesheuvel +Tested-by: Andre Przywara +Signed-off-by: Russell King (Oracle) +Signed-off-by: Sasha Levin +Signed-off-by: Jiri Slaby +--- + arch/arm/vfp/entry.S | 7 +++++-- + arch/arm/vfp/vfphw.S | 6 ++++-- + 2 files changed, 9 insertions(+), 4 deletions(-) + +diff --git a/arch/arm/vfp/entry.S b/arch/arm/vfp/entry.S +index 7483ef8b..62206ef2 100644 +--- a/arch/arm/vfp/entry.S ++++ b/arch/arm/vfp/entry.S +@@ -23,6 +23,9 @@ + @ + ENTRY(do_vfp) + mov r1, r10 +- mov r3, r9 +- b vfp_entry ++ str lr, [sp, #-8]! ++ add r3, sp, #4 ++ str r9, [r3] ++ bl vfp_entry ++ ldr pc, [sp], #8 + ENDPROC(do_vfp) +diff --git a/arch/arm/vfp/vfphw.S b/arch/arm/vfp/vfphw.S +index 4d847826..a4610d0f 100644 +--- a/arch/arm/vfp/vfphw.S ++++ b/arch/arm/vfp/vfphw.S +@@ -172,13 +172,14 @@ vfp_hw_state_valid: + @ out before setting an FPEXC that + @ stops us reading stuff + VFPFMXR FPEXC, r1 @ Restore FPEXC last ++ mov sp, r3 @ we think we have handled things ++ pop {lr} + sub r2, r2, #4 @ Retry current instruction - if Thumb + str r2, [sp, #S_PC] @ mode it's two 16-bit instructions, + @ else it's one 32-bit instruction, so + @ always subtract 4 from the following + @ instruction address. + +- mov lr, r3 @ we think we have handled things + local_bh_enable_and_ret: + adr r0, . + mov r1, #SOFTIRQ_DISABLE_OFFSET +@@ -209,8 +210,9 @@ skip: + + process_exception: + DBGSTR "bounce" ++ mov sp, r3 @ setup for a return to the user code. ++ pop {lr} + mov r2, sp @ nothing stacked - regdump is at TOS +- mov lr, r3 @ setup for a return to the user code. + + @ Now call the C code to package up the bounce to the support code + @ r0 holds the trigger instruction +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-361-drm-amd-amdgpu-introduce-gc_-_mes_2.bin-v2.patch b/patches.kernel.org/6.3.4-361-drm-amd-amdgpu-introduce-gc_-_mes_2.bin-v2.patch new file mode 100644 index 0000000..de6ba8e --- /dev/null +++ b/patches.kernel.org/6.3.4-361-drm-amd-amdgpu-introduce-gc_-_mes_2.bin-v2.patch @@ -0,0 +1,93 @@ +From: Jack Xiao +Date: Fri, 24 Mar 2023 16:55:15 +0800 +Subject: [PATCH] drm/amd/amdgpu: introduce gc_*_mes_2.bin v2 +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 97998b893c3000b27a780a4982e16cfc8f4ea555 + +commit 97998b893c3000b27a780a4982e16cfc8f4ea555 upstream. + +To avoid new mes fw running with old driver, rename +mes schq fw to gc_*_mes_2.bin. + +v2: add MODULE_FIRMWARE declaration +v3: squash in fixup patch + +Signed-off-by: Jack Xiao +Reviewed-by: Alex Deucher +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jiri Slaby +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_mes.c | 26 +++++++++++++++++++++---- + drivers/gpu/drm/amd/amdgpu/mes_v11_0.c | 10 +++++----- + 2 files changed, 27 insertions(+), 9 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_mes.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_mes.c +index 82e27bd4..7e8b7171 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_mes.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_mes.c +@@ -1432,13 +1432,31 @@ int amdgpu_mes_init_microcode(struct amdgpu_device *adev, int pipe) + struct amdgpu_firmware_info *info; + char ucode_prefix[30]; + char fw_name[40]; ++ bool need_retry = false; + int r; + +- amdgpu_ucode_ip_version_decode(adev, GC_HWIP, ucode_prefix, sizeof(ucode_prefix)); +- snprintf(fw_name, sizeof(fw_name), "amdgpu/%s_mes%s.bin", +- ucode_prefix, +- pipe == AMDGPU_MES_SCHED_PIPE ? "" : "1"); ++ amdgpu_ucode_ip_version_decode(adev, GC_HWIP, ucode_prefix, ++ sizeof(ucode_prefix)); ++ if (adev->ip_versions[GC_HWIP][0] >= IP_VERSION(11, 0, 0)) { ++ snprintf(fw_name, sizeof(fw_name), "amdgpu/%s_mes%s.bin", ++ ucode_prefix, ++ pipe == AMDGPU_MES_SCHED_PIPE ? "_2" : "1"); ++ need_retry = true; ++ } else { ++ snprintf(fw_name, sizeof(fw_name), "amdgpu/%s_mes%s.bin", ++ ucode_prefix, ++ pipe == AMDGPU_MES_SCHED_PIPE ? "" : "1"); ++ } ++ + r = amdgpu_ucode_request(adev, &adev->mes.fw[pipe], fw_name); ++ if (r && need_retry && pipe == AMDGPU_MES_SCHED_PIPE) { ++ snprintf(fw_name, sizeof(fw_name), "amdgpu/%s_mes.bin", ++ ucode_prefix); ++ DRM_INFO("try to fall back to %s\n", fw_name); ++ r = amdgpu_ucode_request(adev, &adev->mes.fw[pipe], ++ fw_name); ++ } ++ + if (r) + goto out; + +diff --git a/drivers/gpu/drm/amd/amdgpu/mes_v11_0.c b/drivers/gpu/drm/amd/amdgpu/mes_v11_0.c +index 5826eac2..fad652c8 100644 +--- a/drivers/gpu/drm/amd/amdgpu/mes_v11_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/mes_v11_0.c +@@ -32,15 +32,15 @@ + #include "v11_structs.h" + #include "mes_v11_api_def.h" + +-MODULE_FIRMWARE("amdgpu/gc_11_0_0_mes.bin"); ++MODULE_FIRMWARE("amdgpu/gc_11_0_0_mes_2.bin"); + MODULE_FIRMWARE("amdgpu/gc_11_0_0_mes1.bin"); +-MODULE_FIRMWARE("amdgpu/gc_11_0_1_mes.bin"); ++MODULE_FIRMWARE("amdgpu/gc_11_0_1_mes_2.bin"); + MODULE_FIRMWARE("amdgpu/gc_11_0_1_mes1.bin"); +-MODULE_FIRMWARE("amdgpu/gc_11_0_2_mes.bin"); ++MODULE_FIRMWARE("amdgpu/gc_11_0_2_mes_2.bin"); + MODULE_FIRMWARE("amdgpu/gc_11_0_2_mes1.bin"); +-MODULE_FIRMWARE("amdgpu/gc_11_0_3_mes.bin"); ++MODULE_FIRMWARE("amdgpu/gc_11_0_3_mes_2.bin"); + MODULE_FIRMWARE("amdgpu/gc_11_0_3_mes1.bin"); +-MODULE_FIRMWARE("amdgpu/gc_11_0_4_mes.bin"); ++MODULE_FIRMWARE("amdgpu/gc_11_0_4_mes_2.bin"); + MODULE_FIRMWARE("amdgpu/gc_11_0_4_mes1.bin"); + + static int mes_v11_0_hw_fini(void *handle); +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-362-drm-amdgpu-reserve-the-old-gc_11_0_-_mes.bin.patch b/patches.kernel.org/6.3.4-362-drm-amdgpu-reserve-the-old-gc_11_0_-_mes.bin.patch new file mode 100644 index 0000000..b63fe38 --- /dev/null +++ b/patches.kernel.org/6.3.4-362-drm-amdgpu-reserve-the-old-gc_11_0_-_mes.bin.patch @@ -0,0 +1,50 @@ +From: Li Ma +Date: Wed, 12 Apr 2023 22:06:34 +0800 +Subject: [PATCH] drm/amdgpu: reserve the old gc_11_0_*_mes.bin +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 8855818ce7554fb7420200187fac9c3b69500da0 + +commit 8855818ce7554fb7420200187fac9c3b69500da0 upstream. + +Reserve the MOUDLE_FIRMWARE declaration of gc_11_0_*_mes.bin +to fix falling back to old mes bin on failure via autoload. + +Fixes: 97998b893c30 ("drm/amd/amdgpu: introduce gc_*_mes_2.bin v2") +Signed-off-by: Li Ma +Reviewed-by: Yifan Zhang +Reviewed-by: Alex Deucher +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jiri Slaby +--- + drivers/gpu/drm/amd/amdgpu/mes_v11_0.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/gpu/drm/amd/amdgpu/mes_v11_0.c b/drivers/gpu/drm/amd/amdgpu/mes_v11_0.c +index fad652c8..d06b98f8 100644 +--- a/drivers/gpu/drm/amd/amdgpu/mes_v11_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/mes_v11_0.c +@@ -32,14 +32,19 @@ + #include "v11_structs.h" + #include "mes_v11_api_def.h" + ++MODULE_FIRMWARE("amdgpu/gc_11_0_0_mes.bin"); + MODULE_FIRMWARE("amdgpu/gc_11_0_0_mes_2.bin"); + MODULE_FIRMWARE("amdgpu/gc_11_0_0_mes1.bin"); ++MODULE_FIRMWARE("amdgpu/gc_11_0_1_mes.bin"); + MODULE_FIRMWARE("amdgpu/gc_11_0_1_mes_2.bin"); + MODULE_FIRMWARE("amdgpu/gc_11_0_1_mes1.bin"); ++MODULE_FIRMWARE("amdgpu/gc_11_0_2_mes.bin"); + MODULE_FIRMWARE("amdgpu/gc_11_0_2_mes_2.bin"); + MODULE_FIRMWARE("amdgpu/gc_11_0_2_mes1.bin"); ++MODULE_FIRMWARE("amdgpu/gc_11_0_3_mes.bin"); + MODULE_FIRMWARE("amdgpu/gc_11_0_3_mes_2.bin"); + MODULE_FIRMWARE("amdgpu/gc_11_0_3_mes1.bin"); ++MODULE_FIRMWARE("amdgpu/gc_11_0_4_mes.bin"); + MODULE_FIRMWARE("amdgpu/gc_11_0_4_mes_2.bin"); + MODULE_FIRMWARE("amdgpu/gc_11_0_4_mes1.bin"); + +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-363-scsi-Revert-scsi-core-Do-not-increase-scsi_devi.patch b/patches.kernel.org/6.3.4-363-scsi-Revert-scsi-core-Do-not-increase-scsi_devi.patch new file mode 100644 index 0000000..b65afe6 --- /dev/null +++ b/patches.kernel.org/6.3.4-363-scsi-Revert-scsi-core-Do-not-increase-scsi_devi.patch @@ -0,0 +1,52 @@ +From: Wenchao Hao +Date: Mon, 15 May 2023 15:01:55 +0800 +Subject: [PATCH] scsi: Revert "scsi: core: Do not increase scsi_device's + iorequest_cnt if dispatch failed" +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 6ca9818d1624e136a76ae8faedb6b6c95ca66903 + +commit 6ca9818d1624e136a76ae8faedb6b6c95ca66903 upstream. + +The "atomic_inc(&cmd->device->iorequest_cnt)" in scsi_queue_rq() would +cause kernel panic because cmd->device may be freed after returning from +scsi_dispatch_cmd(). + +This reverts commit cfee29ffb45b1c9798011b19d454637d1b0fe87d. + +Signed-off-by: Wenchao Hao +Reported-by: Ming Lei +Closes: https://lore.kernel.org/r/ZF+zB+bB7iqe0wGd@ovpn-8-17.pek2.redhat.com +Link: https://lore.kernel.org/r/20230515070156.1790181-2-haowenchao2@huawei.com +Reviewed-by: Ming Lei +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jiri Slaby +--- + drivers/scsi/scsi_lib.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c +index b7c569a4..03964b26 100644 +--- a/drivers/scsi/scsi_lib.c ++++ b/drivers/scsi/scsi_lib.c +@@ -1463,6 +1463,8 @@ static int scsi_dispatch_cmd(struct scsi_cmnd *cmd) + struct Scsi_Host *host = cmd->device->host; + int rtn = 0; + ++ atomic_inc(&cmd->device->iorequest_cnt); ++ + /* check if the device is still usable */ + if (unlikely(cmd->device->sdev_state == SDEV_DEL)) { + /* in SDEV_DEL we error all commands. DID_NO_CONNECT +@@ -1761,7 +1763,6 @@ static blk_status_t scsi_queue_rq(struct blk_mq_hw_ctx *hctx, + goto out_dec_host_busy; + } + +- atomic_inc(&cmd->device->iorequest_cnt); + return BLK_STS_OK; + + out_dec_host_busy: +-- +2.35.3 + diff --git a/patches.kernel.org/6.3.4-364-Linux-6.3.4.patch b/patches.kernel.org/6.3.4-364-Linux-6.3.4.patch new file mode 100644 index 0000000..a347793 --- /dev/null +++ b/patches.kernel.org/6.3.4-364-Linux-6.3.4.patch @@ -0,0 +1,49 @@ +From: Greg Kroah-Hartman +Date: Wed, 24 May 2023 17:30:25 +0100 +Subject: [PATCH] Linux 6.3.4 +References: bsc#1012628 +Patch-mainline: 6.3.4 +Git-commit: 17f2d782f18c9a49943ea723d7628da1837c9204 + +Link: https://lore.kernel.org/r/20230522190412.801391872@linuxfoundation.org +Tested-by: Ronald Warsow +Tested-by: Florian Fainelli +Tested-by: Shuah Khan +Tested-by: Bagas Sanjaya +Tested-by: Ron Economos +Tested-by: Jon Hunter +Tested-by: Rudi Heitbaum +Tested-by: Justin M. Forbes +Tested-by: Conor Dooley +Tested-by: Markus Reichelt +Link: https://lore.kernel.org/r/20230523164950.435226211@linuxfoundation.org +Tested-by: Chris Paterson (CIP) +Tested-by: Ronald Warsow +Tested-by: Markus Reichelt +Tested-by: Linux Kernel Functional Testing +Tested-by: Rudi Heitbaum +Tested-by: Ron Economos +Tested-by: Guenter Roeck +Tested-by: Florian Fainelli +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jiri Slaby +--- + Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Makefile b/Makefile +index a3108cf7..3c5b6066 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,7 +1,7 @@ + # SPDX-License-Identifier: GPL-2.0 + VERSION = 6 + PATCHLEVEL = 3 +-SUBLEVEL = 3 ++SUBLEVEL = 4 + EXTRAVERSION = + NAME = Hurr durr I'ma ninja sloth + +-- +2.35.3 + diff --git a/patches.suse/0001-firmware-sysfb-Fix-VESA-format-selection.patch b/patches.suse/0001-firmware-sysfb-Fix-VESA-format-selection.patch deleted file mode 100644 index 35c89b9..0000000 --- a/patches.suse/0001-firmware-sysfb-Fix-VESA-format-selection.patch +++ /dev/null @@ -1,61 +0,0 @@ -From 1b617bc93178912fa36f87a957c15d1f1708c299 Mon Sep 17 00:00:00 2001 -From: Pierre Asselin -Date: Wed, 19 Apr 2023 00:48:34 -0400 -Subject: firmware/sysfb: Fix VESA format selection -Git-commit: 1b617bc93178912fa36f87a957c15d1f1708c299 -Git-repo: git://anongit.freedesktop.org/drm/drm-misc -Patch-mainline: Queued in subsystem maintainer repository -References: bsc#1211119 - -Some legacy BIOSes report no reserved bits in their 32-bit rgb mode, -breaking the calculation of bits_per_pixel in commit f35cd3fa7729 -("firmware/sysfb: Fix EFI/VESA format selection"). However they report -lfb_depth correctly for those modes. Keep the computation but -set bits_per_pixel to lfb_depth if the latter is larger. - -v2 fixes the warnings from a max3() macro with arguments of different -types; split the bits_per_pixel assignment to avoid uglyfing the code -with too many typecasts. - -v3 fixes space and formatting blips pointed out by Javier, and change -the bit_per_pixel assignment back to a single statement using two casts. - -v4 go back to v2 and use max_t() - -Signed-off-by: Pierre Asselin -Fixes: f35cd3fa7729 ("firmware/sysfb: Fix EFI/VESA format selection") -Link: https://lore.kernel.org/r/4Psm6B6Lqkz1QXM@panix3.panix.com -Link: https://lore.kernel.org/r/20230412150225.3757223-1-javierm@redhat.com -Tested-by: Thomas Zimmermann -Signed-off-by: Thomas Zimmermann -Link: https://patchwork.freedesktop.org/patch/msgid/20230419044834.10816-1-pa@panix.com -Acked-by: Thomas Zimmermann ---- - drivers/firmware/sysfb_simplefb.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/drivers/firmware/sysfb_simplefb.c b/drivers/firmware/sysfb_simplefb.c -index 82c64cb9f5316..74363ed7501f6 100644 ---- a/drivers/firmware/sysfb_simplefb.c -+++ b/drivers/firmware/sysfb_simplefb.c -@@ -51,7 +51,8 @@ __init bool sysfb_parse_mode(const struct screen_info *si, - * - * It's not easily possible to fix this in struct screen_info, - * as this could break UAPI. The best solution is to compute -- * bits_per_pixel here and ignore lfb_depth. In the loop below, -+ * bits_per_pixel from the color bits, reserved bits and -+ * reported lfb_depth, whichever is highest. In the loop below, - * ignore simplefb formats with alpha bits, as EFI and VESA - * don't specify alpha channels. - */ -@@ -60,6 +61,7 @@ __init bool sysfb_parse_mode(const struct screen_info *si, - si->green_size + si->green_pos, - si->blue_size + si->blue_pos), - si->rsvd_size + si->rsvd_pos); -+ bits_per_pixel = max_t(u32, bits_per_pixel, si->lfb_depth); - } else { - bits_per_pixel = si->lfb_depth; - } --- -2.40.1 - diff --git a/patches.suse/SUNRPC-Fix-encoding-of-rejected-RPCs.patch b/patches.suse/SUNRPC-Fix-encoding-of-rejected-RPCs.patch deleted file mode 100644 index 8de3fcb..0000000 --- a/patches.suse/SUNRPC-Fix-encoding-of-rejected-RPCs.patch +++ /dev/null @@ -1,88 +0,0 @@ -From: Chuck Lever -Date: Tue, 2 May 2023 14:59:10 -0400 -Subject: SUNRPC: Fix encoding of accepted but unsuccessful RPC replies -Git-commit: 29cd2927fb914cc53b5ba4f67d2b74695c994ba4 -Patch-mainline: 6.4-rc3 -References: bsc#1210995 - -Jiri Slaby says: -> I bisected to this ... as it breaks nfs3-only servers in 6.3. -> I.e. /etc/nfs.conf containing: -> [nfsd] -> vers4=no -> -> The client sees: -> mount("10.0.2.15:/tmp", "/mnt", "nfs", 0, "vers=4.2,addr=10.0.2.15,clientad"...) = -1 EIO (Input/output error) -> write(2, "mount.nfs: mount system call fai"..., 45 -> mount.nfs: mount system call failed for /mnt -> -> And the kernel says: -> nfs4_discover_server_trunking unhandled error -5. Exiting with error EIO - -Reported-by: Jiri Slaby -Link: https://bugzilla.suse.com/show_bug.cgi?id=1210995 -Fixes: 4bcf0343e8a6 ("SUNRPC: Set rq_accept_statp inside ->accept methods") -Tested-by: Jiri Slaby -Signed-off-by: Chuck Lever -Signed-off-by: Jiri Slaby ---- - net/sunrpc/svc.c | 17 +++++++++++------ - 1 file changed, 11 insertions(+), 6 deletions(-) - ---- a/net/sunrpc/svc.c -+++ b/net/sunrpc/svc.c -@@ -1382,7 +1382,7 @@ err_bad_rpc: - /* Only RPCv2 supported */ - xdr_stream_encode_u32(xdr, RPC_VERSION); - xdr_stream_encode_u32(xdr, RPC_VERSION); -- goto sendit; -+ return 1; /* don't wrap */ - - err_bad_auth: - dprintk("svc: authentication failed (%d)\n", -@@ -1398,7 +1398,7 @@ err_bad_auth: - err_bad_prog: - dprintk("svc: unknown program %d\n", rqstp->rq_prog); - serv->sv_stats->rpcbadfmt++; -- xdr_stream_encode_u32(xdr, RPC_PROG_UNAVAIL); -+ *rqstp->rq_accept_statp = rpc_prog_unavail; - goto sendit; - - err_bad_vers: -@@ -1406,7 +1406,12 @@ err_bad_vers: - rqstp->rq_vers, rqstp->rq_prog, progp->pg_name); - - serv->sv_stats->rpcbadfmt++; -- xdr_stream_encode_u32(xdr, RPC_PROG_MISMATCH); -+ *rqstp->rq_accept_statp = rpc_prog_mismatch; -+ -+ /* -+ * svc_authenticate() has already added the verifier and -+ * advanced the stream just past rq_accept_statp. -+ */ - xdr_stream_encode_u32(xdr, process.mismatch.lovers); - xdr_stream_encode_u32(xdr, process.mismatch.hivers); - goto sendit; -@@ -1415,19 +1420,19 @@ err_bad_proc: - svc_printk(rqstp, "unknown procedure (%d)\n", rqstp->rq_proc); - - serv->sv_stats->rpcbadfmt++; -- xdr_stream_encode_u32(xdr, RPC_PROC_UNAVAIL); -+ *rqstp->rq_accept_statp = rpc_proc_unavail; - goto sendit; - - err_garbage_args: - svc_printk(rqstp, "failed to decode RPC header\n"); - - serv->sv_stats->rpcbadfmt++; -- xdr_stream_encode_u32(xdr, RPC_GARBAGE_ARGS); -+ *rqstp->rq_accept_statp = rpc_garbage_args; - goto sendit; - - err_system_err: - serv->sv_stats->rpcbadfmt++; -- xdr_stream_encode_u32(xdr, RPC_SYSTEM_ERR); -+ *rqstp->rq_accept_statp = rpc_system_err; - goto sendit; - } - diff --git a/series.conf b/series.conf index a2d22df..02cca69 100644 --- a/series.conf +++ b/series.conf @@ -980,6 +980,370 @@ patches.kernel.org/6.3.3-244-s390-mm-fix-direct-map-accounting.patch patches.kernel.org/6.3.3-245-drm-amd-display-Fix-hang-when-skipping-modeset.patch patches.kernel.org/6.3.3-246-Linux-6.3.3.patch + patches.kernel.org/6.3.4-001-drm-fbdev-generic-prohibit-potential-out-of-bou.patch + patches.kernel.org/6.3.4-002-firmware-sysfb-Fix-VESA-format-selection.patch + patches.kernel.org/6.3.4-003-drm-dsc-fix-DP_DSC_MAX_BPP_DELTA_-macro-values.patch + patches.kernel.org/6.3.4-004-drm-nouveau-disp-More-DP_RECEIVER_CAP_SIZE-arra.patch + patches.kernel.org/6.3.4-005-drm-mipi-dsi-Set-the-fwnode-for-mipi_dsi_device.patch + patches.kernel.org/6.3.4-006-ARM-9296-1-HP-Jornada-7XX-fix-kernel-doc-warnin.patch + patches.kernel.org/6.3.4-007-net-skb_partial_csum_set-fix-against-transport-.patch + patches.kernel.org/6.3.4-008-net-mdio-mvusb-Fix-an-error-handling-path-in-mv.patch + patches.kernel.org/6.3.4-009-perf-core-Fix-perf_sample_data-not-properly-ini.patch + patches.kernel.org/6.3.4-010-scsi-ufs-core-Fix-I-O-hang-that-occurs-when-BKO.patch + patches.kernel.org/6.3.4-011-tick-broadcast-Make-broadcast-device-replacemen.patch + patches.kernel.org/6.3.4-012-linux-dim-Do-nothing-if-no-time-delta-between-s.patch + patches.kernel.org/6.3.4-013-net-stmmac-Initialize-MAC_ONEUS_TIC_COUNTER-reg.patch + patches.kernel.org/6.3.4-014-net-Fix-load-tearing-on-sk-sk_stamp-in-sock_rec.patch + patches.kernel.org/6.3.4-015-net-phy-bcm7xx-Correct-read-from-expansion-regi.patch + patches.kernel.org/6.3.4-016-netfilter-nf_tables-always-release-netdev-hooks.patch + patches.kernel.org/6.3.4-017-netfilter-conntrack-fix-possible-bug_on-with-en.patch + patches.kernel.org/6.3.4-018-bonding-fix-send_peer_notif-overflow.patch + patches.kernel.org/6.3.4-019-netlink-annotate-accesses-to-nlk-cb_running.patch + patches.kernel.org/6.3.4-020-net-annotate-sk-sk_err-write-from-do_recvmmsg.patch + patches.kernel.org/6.3.4-021-net-deal-with-most-data-races-in-sk_wait_event.patch + patches.kernel.org/6.3.4-022-net-add-vlan_get_protocol_and_depth-helper.patch + patches.kernel.org/6.3.4-023-tcp-add-annotations-around-sk-sk_shutdown-acces.patch + patches.kernel.org/6.3.4-024-gve-Remove-the-code-of-clearing-PBA-bit.patch + patches.kernel.org/6.3.4-025-ipvlan-Fix-out-of-bounds-caused-by-unclear-skb-.patch + patches.kernel.org/6.3.4-026-net-mscc-ocelot-fix-stat-counter-register-value.patch + patches.kernel.org/6.3.4-027-drm-sched-Check-scheduler-work-queue-before-cal.patch + patches.kernel.org/6.3.4-028-net-datagram-fix-data-races-in-datagram_poll.patch + patches.kernel.org/6.3.4-029-af_unix-Fix-a-data-race-of-sk-sk_receive_queue-.patch + patches.kernel.org/6.3.4-030-af_unix-Fix-data-races-around-sk-sk_shutdown.patch + patches.kernel.org/6.3.4-031-drm-i915-guc-Don-t-capture-Gen8-regs-on-Xe-devi.patch + patches.kernel.org/6.3.4-032-drm-i915-Fix-NULL-ptr-deref-by-checking-new_crt.patch + patches.kernel.org/6.3.4-033-drm-i915-dp-prevent-potential-div-by-zero.patch + patches.kernel.org/6.3.4-034-drm-i915-taint-kernel-when-force-probing-unsupp.patch + patches.kernel.org/6.3.4-035-fbdev-arcfb-Fix-error-handling-in-arcfb_probe.patch + patches.kernel.org/6.3.4-036-ext4-reflect-error-codes-from-ext4_multi_mount_.patch + patches.kernel.org/6.3.4-037-ext4-don-t-clear-SB_RDONLY-when-remounting-r-w-.patch + patches.kernel.org/6.3.4-038-ext4-allow-to-find-by-goal-if-EXT4_MB_HINT_GOAL.patch + patches.kernel.org/6.3.4-039-ext4-allow-ext4_get_group_info-to-fail.patch + patches.kernel.org/6.3.4-040-refscale-Move-shutdown-from-wait_event-to-wait_.patch + patches.kernel.org/6.3.4-041-selftests-cgroup-Add-malloc-failures-checks-in-.patch + patches.kernel.org/6.3.4-042-rcu-Protect-rcu_print_task_exp_stall-exp_tasks-.patch + patches.kernel.org/6.3.4-043-open-return-EINVAL-for-O_DIRECTORY-O_CREAT.patch + patches.kernel.org/6.3.4-044-fs-hfsplus-remove-WARN_ON-from-hfsplus_cat_-rea.patch + patches.kernel.org/6.3.4-045-drm-displayid-add-displayid_get_header-and-chec.patch + patches.kernel.org/6.3.4-046-drm-amd-display-populate-subvp-cmd-info-only-fo.patch + patches.kernel.org/6.3.4-047-drm-amd-display-Correct-DML-calculation-to-alig.patch + patches.kernel.org/6.3.4-048-drm-amd-display-enable-DPG-when-disabling-plane.patch + patches.kernel.org/6.3.4-049-platform-x86-x86-android-tablets-Add-Acer-Iconi.patch + patches.kernel.org/6.3.4-050-drm-amd-display-Enable-HostVM-based-on-rIOMMU-a.patch + patches.kernel.org/6.3.4-051-drm-amd-display-Use-DC_LOG_DC-in-the-trasform-p.patch + patches.kernel.org/6.3.4-052-regmap-cache-Return-error-in-cache-sync-operati.patch + patches.kernel.org/6.3.4-053-remoteproc-imx_dsp_rproc-Add-custom-memory-copy.patch + patches.kernel.org/6.3.4-054-arm64-dts-qcom-msm8996-Add-missing-DWC3-quirks.patch + patches.kernel.org/6.3.4-055-accel-habanalabs-postpone-mem_mgr-IDR-destructi.patch + patches.kernel.org/6.3.4-056-drm-amd-display-reallocate-DET-for-dual-display.patch + patches.kernel.org/6.3.4-057-media-imx-jpeg-Bounds-check-sizeimage-access.patch + patches.kernel.org/6.3.4-058-media-cx23885-Fix-a-null-ptr-deref-bug-in-buffe.patch + patches.kernel.org/6.3.4-059-media-pci-tw68-Fix-null-ptr-deref-bug-in-buf-pr.patch + patches.kernel.org/6.3.4-060-media-pvrusb2-VIDEO_PVRUSB2-depends-on-DVB_CORE.patch + patches.kernel.org/6.3.4-061-platform-x86-intel-vsec-Explicitly-enable-capab.patch + patches.kernel.org/6.3.4-062-ACPI-processor-Check-for-null-return-of-devm_kz.patch + patches.kernel.org/6.3.4-063-drm-rockchip-dw_hdmi-cleanup-drm-encoder-during.patch + patches.kernel.org/6.3.4-064-memstick-r592-Fix-UAF-bug-in-r592_remove-due-to.patch + patches.kernel.org/6.3.4-065-arm64-dts-imx8mq-librem5-Remove-dis_u3_susphy_q.patch + patches.kernel.org/6.3.4-066-firmware-arm_sdei-Fix-sleep-from-invalid-contex.patch + patches.kernel.org/6.3.4-067-ACPI-EC-Fix-oops-when-removing-custom-query-han.patch + patches.kernel.org/6.3.4-068-drm-amd-display-fixed-dcn30-underflow-issue.patch + patches.kernel.org/6.3.4-069-remoteproc-stm32_rproc-Add-mutex-protection-for.patch + patches.kernel.org/6.3.4-070-accel-ivpu-Remove-D3hot-delay-for-Meteorlake.patch + patches.kernel.org/6.3.4-071-drm-tegra-Avoid-potential-32-bit-integer-overfl.patch + patches.kernel.org/6.3.4-072-drm-msm-dp-Clean-up-handling-of-DP-AUX-interrup.patch + patches.kernel.org/6.3.4-073-ACPICA-Avoid-undefined-behavior-applying-zero-o.patch + patches.kernel.org/6.3.4-074-ACPICA-ACPICA-check-null-return-of-ACPI_ALLOCAT.patch + patches.kernel.org/6.3.4-075-arm64-dts-qcom-sdm845-polaris-Drop-inexistent-p.patch + patches.kernel.org/6.3.4-076-arm64-dts-qcom-sm6115-j606f-Add-ramoops-node.patch + patches.kernel.org/6.3.4-077-irqchip-gicv3-Workaround-for-NVIDIA-erratum-T24.patch + patches.kernel.org/6.3.4-078-media-ipu3-cio2-support-multiple-sensors-and-VC.patch + patches.kernel.org/6.3.4-079-ACPI-video-Remove-desktops-without-backlight-DM.patch + patches.kernel.org/6.3.4-080-drm-amd-display-Correct-DML-calculation-to-foll.patch + patches.kernel.org/6.3.4-081-drm-amd-Fix-an-out-of-bounds-error-in-BIOS-pars.patch + patches.kernel.org/6.3.4-082-drm-amdgpu-Fix-sdma-v4-sw-fini-error.patch + patches.kernel.org/6.3.4-083-media-Prefer-designated-initializers-over-memse.patch + patches.kernel.org/6.3.4-084-drm-amdgpu-Enable-IH-retry-CAM-on-GFX9.patch + patches.kernel.org/6.3.4-085-media-mediatek-vcodec-Fix-potential-array-out-o.patch + patches.kernel.org/6.3.4-086-platform-x86-amd-pmc-Fix-memory-leak-in-amd_pmc.patch + patches.kernel.org/6.3.4-087-hwmon-nzxt-smart2-add-another-USB-ID.patch + patches.kernel.org/6.3.4-088-wifi-ath-Silence-memcpy-run-time-false-positive.patch + patches.kernel.org/6.3.4-089-wifi-ath12k-Handle-lock-during-peer_id-find.patch + patches.kernel.org/6.3.4-090-wifi-ath12k-PCI-ops-for-wakeup-release-MHI.patch + patches.kernel.org/6.3.4-091-bpf-Annotate-data-races-in-bpf_local_storage.patch + patches.kernel.org/6.3.4-092-wifi-brcmfmac-pcie-Provide-a-buffer-of-random-b.patch + patches.kernel.org/6.3.4-093-wifi-brcmfmac-cfg80211-Pass-the-PMK-in-binary-i.patch + patches.kernel.org/6.3.4-094-wifi-brcmfmac-pcie-Add-IDs-properties-for-BCM43.patch + patches.kernel.org/6.3.4-095-ext2-Check-block-size-validity-during-mount.patch + patches.kernel.org/6.3.4-096-scsi-lpfc-Prevent-lpfc_debugfs_lockstat_write-b.patch + patches.kernel.org/6.3.4-097-scsi-lpfc-Correct-used_rpi-count-when-devloss-t.patch + patches.kernel.org/6.3.4-098-wifi-rtw88-fix-memory-leak-in-rtw_usb_probe.patch + patches.kernel.org/6.3.4-099-bnxt-avoid-overflow-in-bnxt_get_nvram_directory.patch + patches.kernel.org/6.3.4-100-net-pasemi-Fix-return-type-of-pasemi_mac_start_.patch + patches.kernel.org/6.3.4-101-wifi-ath12k-fix-memory-leak-in-ath12k_qmi_drive.patch + patches.kernel.org/6.3.4-102-net-Catch-invalid-index-in-XPS-mapping.patch + patches.kernel.org/6.3.4-103-netdev-Enforce-index-cap-in-netdev_get_tx_queue.patch + patches.kernel.org/6.3.4-104-scsi-target-iscsit-Free-cmds-before-session-fre.patch + patches.kernel.org/6.3.4-105-lib-cpu_rmap-Avoid-use-after-free-on-rmap-obj-a.patch + patches.kernel.org/6.3.4-106-scsi-message-mptlan-Fix-use-after-free-bug-in-m.patch + patches.kernel.org/6.3.4-107-gfs2-Fix-inode-height-consistency-check.patch + patches.kernel.org/6.3.4-108-scsi-ufs-ufs-pci-Add-support-for-Intel-Lunar-La.patch + patches.kernel.org/6.3.4-109-scsi-hisi_sas-Grab-sas_dev-lock-when-traversing.patch + patches.kernel.org/6.3.4-110-ext4-set-goal-start-correctly-in-ext4_mb_normal.patch + patches.kernel.org/6.3.4-111-ext4-Fix-best-extent-lstart-adjustment-logic-in.patch + patches.kernel.org/6.3.4-112-crypto-jitter-permanent-and-intermittent-health.patch + patches.kernel.org/6.3.4-113-f2fs-Fix-system-crash-due-to-lack-of-free-space.patch + patches.kernel.org/6.3.4-114-f2fs-fix-to-drop-all-dirty-pages-during-umount-.patch + patches.kernel.org/6.3.4-115-f2fs-fix-to-check-readonly-condition-correctly.patch + patches.kernel.org/6.3.4-116-samples-bpf-Fix-fout-leak-in-hbm-s-run_bpf_prog.patch + patches.kernel.org/6.3.4-117-bpf-Add-preempt_count_-sub-add-into-btf-id-deny.patch + patches.kernel.org/6.3.4-118-md-fix-soft-lockup-in-status_resync.patch + patches.kernel.org/6.3.4-119-net-sched-pass-netlink-extack-to-mqprio-and-tap.patch + patches.kernel.org/6.3.4-120-wifi-iwlwifi-pcie-fix-possible-NULL-pointer-der.patch + patches.kernel.org/6.3.4-121-wifi-iwlwifi-add-a-new-PCI-device-ID-for-BZ-dev.patch + patches.kernel.org/6.3.4-122-wifi-iwlwifi-pcie-Fix-integer-overflow-in-iwl_w.patch + patches.kernel.org/6.3.4-123-wifi-iwlwifi-mvm-fix-ptk_pn-memory-leak.patch + patches.kernel.org/6.3.4-124-block-bfq-Fix-division-by-zero-error-on-zero-ws.patch + patches.kernel.org/6.3.4-125-wifi-ath11k-Ignore-frags-from-uninitialized-pee.patch + patches.kernel.org/6.3.4-126-wifi-mt76-mt7921-add-Netgear-AXE3000-A8000-supp.patch + patches.kernel.org/6.3.4-127-wifi-iwlwifi-fix-iwl_mvm_max_amsdu_size-for-MLO.patch + patches.kernel.org/6.3.4-128-f2fs-relax-sanity-check-if-checkpoint-is-corrup.patch + patches.kernel.org/6.3.4-129-null_blk-Always-check-queue-mode-setting-from-c.patch + patches.kernel.org/6.3.4-130-wifi-iwlwifi-dvm-Fix-memcpy-detected-field-span.patch + patches.kernel.org/6.3.4-131-wifi-ath11k-Fix-SKB-corruption-in-REO-destinati.patch + patches.kernel.org/6.3.4-132-wifi-rtw88-Fix-memory-leak-in-rtw88_usb.patch + patches.kernel.org/6.3.4-133-nbd-fix-incomplete-validation-of-ioctl-arg.patch + patches.kernel.org/6.3.4-134-ipvs-Update-width-of-source-for-ip_vs_sync_conn.patch + patches.kernel.org/6.3.4-135-Bluetooth-btusb-Add-new-PID-VID-04ca-3801-for-M.patch + patches.kernel.org/6.3.4-136-Bluetooth-Add-new-quirk-for-broken-local-ext-fe.patch + patches.kernel.org/6.3.4-137-Bluetooth-btrtl-add-support-for-the-RTL8723CS.patch + patches.kernel.org/6.3.4-138-Bluetooth-Improve-support-for-Actions-Semi-ATS2.patch + patches.kernel.org/6.3.4-139-Bluetooth-btrtl-check-for-NULL-in-btrtl_set_qui.patch + patches.kernel.org/6.3.4-140-Bluetooth-btintel-Add-LE-States-quirk-support.patch + patches.kernel.org/6.3.4-141-Bluetooth-hci_bcm-Fall-back-to-getting-bdaddr-f.patch + patches.kernel.org/6.3.4-142-Bluetooth-Add-new-quirk-for-broken-set-random-R.patch + patches.kernel.org/6.3.4-143-Bluetooth-L2CAP-fix-bad-unlock-balance-in-l2cap.patch + patches.kernel.org/6.3.4-144-Bluetooth-btrtl-Add-the-support-for-RTL8851B.patch + patches.kernel.org/6.3.4-145-staging-rtl8192e-Replace-macro-RTL_PCI_DEVICE-w.patch + patches.kernel.org/6.3.4-146-HID-apple-Set-the-tilde-quirk-flag-on-the-Geyse.patch + patches.kernel.org/6.3.4-147-iio-imu-st_lsm6dsx-discard-samples-during-filte.patch + patches.kernel.org/6.3.4-148-staging-axis-fifo-initialize-timeouts-in-init-o.patch + patches.kernel.org/6.3.4-149-xhci-mem-Carefully-calculate-size-for-memory-al.patch + patches.kernel.org/6.3.4-150-spi-intel-pci-Add-support-for-Meteor-Lake-S-SPI.patch + patches.kernel.org/6.3.4-151-ASoC-amd-yc-Add-DMI-entries-to-support-HP-OMEN-.patch + patches.kernel.org/6.3.4-152-HID-logitech-hidpp-Don-t-use-the-USB-serial-for.patch + patches.kernel.org/6.3.4-153-HID-logitech-hidpp-Reconcile-USB-and-Unifying-s.patch + patches.kernel.org/6.3.4-154-spi-spi-imx-fix-MX51_ECSPI_-macros-when-cs-3.patch + patches.kernel.org/6.3.4-155-usb-typec-ucsi-acpi-add-quirk-for-ASUS-Zenbook-.patch + patches.kernel.org/6.3.4-156-ALSA-hda-LNL-add-HD-Audio-PCI-ID.patch + patches.kernel.org/6.3.4-157-ASoC-amd-Add-Dell-G15-5525-to-quirks-list.patch + patches.kernel.org/6.3.4-158-ASoC-amd-yc-Add-ThinkBook-14-G5-ARP-to-quirks-l.patch + patches.kernel.org/6.3.4-159-ASoC-amd-Add-check-for-acp-config-flags.patch + patches.kernel.org/6.3.4-160-HID-apple-Set-the-tilde-quirk-flag-on-the-Geyse.patch + patches.kernel.org/6.3.4-161-HID-Ignore-battery-for-ELAN-touchscreen-on-ROG-.patch + patches.kernel.org/6.3.4-162-HID-wacom-generic-Set-battery-quirk-only-when-w.patch + patches.kernel.org/6.3.4-163-usb-typec-tcpm-fix-multiple-times-discover-svid.patch + patches.kernel.org/6.3.4-164-serial-8250-Reinit-port-pm-on-port-specific-dri.patch + patches.kernel.org/6.3.4-165-mcb-pci-Reallocate-memory-region-to-avoid-memor.patch + patches.kernel.org/6.3.4-166-powerpc-Use-of_property_present-for-testing-DT-.patch + patches.kernel.org/6.3.4-167-sched-Fix-KCSAN-noinstr-violation.patch + patches.kernel.org/6.3.4-168-lkdtm-stackleak-Fix-noinstr-violation.patch + patches.kernel.org/6.3.4-169-riscv-Fix-EFI-stub-usage-of-KASAN-instrumented-.patch + patches.kernel.org/6.3.4-170-recordmcount-Fix-memory-leaks-in-the-uwrite-fun.patch + patches.kernel.org/6.3.4-171-RDMA-core-Fix-multiple-Warray-bounds-warnings.patch + patches.kernel.org/6.3.4-172-KVM-selftests-Add-malloc-failure-check-in-vcpu_.patch + patches.kernel.org/6.3.4-173-iommu-arm-smmu-qcom-Limit-the-SMR-groups-to-128.patch + patches.kernel.org/6.3.4-174-fs-ntfs3-Fix-NULL-pointer-dereference-in-ni_wri.patch + patches.kernel.org/6.3.4-175-fs-ntfs3-Enhance-the-attribute-size-check.patch + patches.kernel.org/6.3.4-176-fs-ntfs3-Fix-NULL-dereference-in-ni_write_inode.patch + patches.kernel.org/6.3.4-177-fs-ntfs3-Validate-MFT-flags-before-replaying-lo.patch + patches.kernel.org/6.3.4-178-fs-ntfs3-Add-length-check-in-indx_get_root.patch + patches.kernel.org/6.3.4-179-fs-ntfs3-Fix-a-possible-null-pointer-dereferenc.patch + patches.kernel.org/6.3.4-180-clk-tegra20-fix-gcc-7-constant-overflow-warning.patch + patches.kernel.org/6.3.4-181-iommu-arm-smmu-v3-Acknowledge-pri-event-queue-o.patch + patches.kernel.org/6.3.4-182-iommu-sprd-Release-dma-buffer-to-avoid-memory-l.patch + patches.kernel.org/6.3.4-183-power-supply-axp288_charger-Use-alt-usb-id-extc.patch + patches.kernel.org/6.3.4-184-Input-xpad-add-constants-for-GIP-interface-numb.patch + patches.kernel.org/6.3.4-185-RDMA-mlx5-Remove-pcie_relaxed_ordering_enabled-.patch + patches.kernel.org/6.3.4-186-clk-rockchip-rk3588-make-gate-linked-clocks-cri.patch + patches.kernel.org/6.3.4-187-cifs-missing-lock-when-updating-session-status.patch + patches.kernel.org/6.3.4-188-pinctrl-at91-use-devm_kasprintf-to-avoid-potent.patch + patches.kernel.org/6.3.4-189-soundwire-dmi-quirks-add-remapping-for-Intel-Ro.patch + patches.kernel.org/6.3.4-190-phy-st-miphy28lp-use-_poll_timeout-functions-fo.patch + patches.kernel.org/6.3.4-191-soundwire-qcom-gracefully-handle-too-many-ports.patch + patches.kernel.org/6.3.4-192-soundwire-bus-Fix-unbalanced-pm_runtime_put-cau.patch + patches.kernel.org/6.3.4-193-mfd-intel_soc_pmic_chtwc-Add-Lenovo-Yoga-Book-X.patch + patches.kernel.org/6.3.4-194-mfd-dln2-Fix-memory-leak-in-dln2_probe.patch + patches.kernel.org/6.3.4-195-mfd-intel-lpss-Add-Intel-Meteor-Lake-PCH-S-LPSS.patch + patches.kernel.org/6.3.4-196-parisc-Replace-regular-spinlock-with-spin_trylo.patch + patches.kernel.org/6.3.4-197-xfrm-don-t-check-the-default-policy-if-the-poli.patch + patches.kernel.org/6.3.4-198-xfrm-release-all-offloaded-policy-memory.patch + patches.kernel.org/6.3.4-199-xfrm-Fix-leak-of-dev-tracker.patch + patches.kernel.org/6.3.4-200-Revert-Fix-XFRM-I-support-for-nested-ESP-tunnel.patch + patches.kernel.org/6.3.4-201-drm-msm-dp-unregister-audio-driver-during-unbin.patch + patches.kernel.org/6.3.4-202-drm-msm-dpu-Assign-missing-writeback-log_mask.patch + patches.kernel.org/6.3.4-203-drm-msm-dpu-Move-non-MDP_TOP-INTF_INTR-offsets-.patch + patches.kernel.org/6.3.4-204-drm-msm-dpu-Reindent-REV_7xxx-interrupt-masks-w.patch + patches.kernel.org/6.3.4-205-drm-msm-dpu-populate-SmartDMA-features-in-hw-ca.patch + patches.kernel.org/6.3.4-206-drm-msm-dpu-drop-smart_dma_rev-from-dpu_caps.patch + patches.kernel.org/6.3.4-207-drm-msm-dpu-Allow-variable-SSPP_BLK-size.patch + patches.kernel.org/6.3.4-208-drm-msm-dpu-Allow-variable-INTF_BLK-size.patch + patches.kernel.org/6.3.4-209-drm-msm-dpu-move-UBWC-memory-configuration-to-s.patch + patches.kernel.org/6.3.4-210-drm-msm-dpu-split-SM8550-catalog-entry-to-the-s.patch + patches.kernel.org/6.3.4-211-drm-msm-dpu-Fix-PP_BLK_DIPHER-DITHER-typo.patch + patches.kernel.org/6.3.4-212-drm-msm-dpu-Remove-duplicate-register-defines-f.patch + patches.kernel.org/6.3.4-213-dt-bindings-display-msm-dsi-controller-main-Doc.patch + patches.kernel.org/6.3.4-214-SUNRPC-Fix-encoding-of-accepted-but-unsuccessfu.patch + patches.kernel.org/6.3.4-215-ASoC-fsl_micfil-Fix-error-handler-with-pm_runti.patch + patches.kernel.org/6.3.4-216-cpupower-Make-TSC-read-per-CPU-for-Mperf-monito.patch + patches.kernel.org/6.3.4-217-xfrm-Reject-optional-tunnel-BEET-mode-templates.patch + patches.kernel.org/6.3.4-218-af_key-Reject-optional-tunnel-BEET-mode-templat.patch + patches.kernel.org/6.3.4-219-drm-msm-Fix-submit-error-path-leaks.patch + patches.kernel.org/6.3.4-220-selftests-seg6-disable-DAD-on-IPv6-router-cfg-f.patch + patches.kernel.org/6.3.4-221-selftets-seg6-disable-rp_filter-by-default-in-s.patch + patches.kernel.org/6.3.4-222-devlink-change-per-devlink-netdev-notifier-to-s.patch + patches.kernel.org/6.3.4-223-net-fec-Better-handle-pm_runtime_get-failing-in.patch + patches.kernel.org/6.3.4-224-net-phy-dp83867-add-w-a-for-packet-errors-seen-.patch + patches.kernel.org/6.3.4-225-ALSA-firewire-digi00x-prevent-potential-use-aft.patch + patches.kernel.org/6.3.4-226-wifi-mt76-connac-fix-stats-tx_bytes-calculation.patch + patches.kernel.org/6.3.4-227-ALSA-hda-realtek-Apply-HP-B-O-top-speaker-profi.patch + patches.kernel.org/6.3.4-228-ice-Fix-undersized-tx_flags-variable.patch + patches.kernel.org/6.3.4-229-sfc-disable-RXFCS-and-RXALL-features-by-default.patch + patches.kernel.org/6.3.4-230-vsock-avoid-to-close-connected-socket-after-the.patch + patches.kernel.org/6.3.4-231-tcp-fix-possible-sk_priority-leak-in-tcp_v4_sen.patch + patches.kernel.org/6.3.4-232-media-pvrusb2-fix-DVB_CORE-dependency.patch + patches.kernel.org/6.3.4-233-serial-arc_uart-fix-of_iomap-leak-in-arc_serial.patch + patches.kernel.org/6.3.4-234-serial-8250_bcm7271-balance-clk_enable-calls.patch + patches.kernel.org/6.3.4-235-serial-8250_bcm7271-fix-leak-in-brcmuart_probe.patch + patches.kernel.org/6.3.4-236-erspan-get-the-proto-with-the-md-version-for-co.patch + patches.kernel.org/6.3.4-237-net-dsa-rzn1-a5psw-enable-management-frames-for.patch + patches.kernel.org/6.3.4-238-net-dsa-rzn1-a5psw-fix-STP-states-handling.patch + patches.kernel.org/6.3.4-239-net-dsa-rzn1-a5psw-disable-learning-for-standal.patch + patches.kernel.org/6.3.4-240-net-hns3-fix-output-information-incomplete-for-.patch + patches.kernel.org/6.3.4-241-net-hns3-fix-sending-pfc-frames-after-reset-iss.patch + patches.kernel.org/6.3.4-242-net-hns3-fix-reset-delay-time-to-avoid-configur.patch + patches.kernel.org/6.3.4-243-net-hns3-fix-reset-timeout-when-enable-full-VF.patch + patches.kernel.org/6.3.4-244-media-netup_unidvb-fix-use-after-free-at-del_ti.patch + patches.kernel.org/6.3.4-245-SUNRPC-double-free-xprt_ctxt-while-still-in-use.patch + patches.kernel.org/6.3.4-246-SUNRPC-always-free-ctxt-when-freeing-deferred-r.patch + patches.kernel.org/6.3.4-247-SUNRPC-Fix-trace_svc_register-call-site.patch + patches.kernel.org/6.3.4-248-ASoC-SOF-ipc3-topology-Make-sure-that-only-one-.patch + patches.kernel.org/6.3.4-249-ASoC-mediatek-mt8186-Fix-use-after-free-in-driv.patch + patches.kernel.org/6.3.4-250-ASoC-SOF-topology-Fix-logic-for-copying-tuples.patch + patches.kernel.org/6.3.4-251-drm-exynos-fix-g2d_open-close-helper-function-d.patch + patches.kernel.org/6.3.4-252-net-nsh-Use-correct-mac_offset-to-unwind-gso-sk.patch + patches.kernel.org/6.3.4-253-net-fec-remove-the-xdp_return_frame-when-lack-o.patch + patches.kernel.org/6.3.4-254-virtio_net-Fix-error-unwinding-of-XDP-initializ.patch + patches.kernel.org/6.3.4-255-tipc-add-tipc_bearer_min_mtu-to-calculate-min-m.patch + patches.kernel.org/6.3.4-256-tipc-do-not-update-mtu-if-msg_max-is-too-small-.patch + patches.kernel.org/6.3.4-257-tipc-check-the-bearer-min-mtu-properly-when-set.patch + patches.kernel.org/6.3.4-258-s390-cio-include-subchannels-without-devices-al.patch + patches.kernel.org/6.3.4-259-can-dev-fix-missing-CAN-XL-support-in-can_put_e.patch + patches.kernel.org/6.3.4-260-net-bcmgenet-Remove-phy_stop-from-bcmgenet_neti.patch + patches.kernel.org/6.3.4-261-net-bcmgenet-Restore-phy_stop-depending-upon-su.patch + patches.kernel.org/6.3.4-262-ice-Fix-stats-after-PF-reset.patch + patches.kernel.org/6.3.4-263-ice-Fix-ice-VF-reset-during-iavf-initialization.patch + patches.kernel.org/6.3.4-264-iavf-send-VLAN-offloading-caps-once-after-VFR.patch + patches.kernel.org/6.3.4-265-wifi-cfg80211-Drop-entries-with-invalid-BSSIDs-.patch + patches.kernel.org/6.3.4-266-wifi-mac80211-fortify-the-spinlock-against-dead.patch + patches.kernel.org/6.3.4-267-wifi-mac80211-Fix-puncturing-bitmap-handling-in.patch + patches.kernel.org/6.3.4-268-wifi-mac80211-fix-min-center-freq-offset-tracin.patch + patches.kernel.org/6.3.4-269-wifi-mac80211-Abort-running-color-change-when-s.patch + patches.kernel.org/6.3.4-270-wifi-iwlwifi-mvm-fix-cancel_delayed_work_sync-d.patch + patches.kernel.org/6.3.4-271-wifi-iwlwifi-fw-fix-DBGI-dump.patch + patches.kernel.org/6.3.4-272-wifi-iwlwifi-fix-OEM-s-name-in-the-ppag-approve.patch + patches.kernel.org/6.3.4-273-wifi-iwlwifi-mvm-fix-OEM-s-name-in-the-tas-appr.patch + patches.kernel.org/6.3.4-274-wifi-iwlwifi-mvm-don-t-trust-firmware-n_channel.patch + patches.kernel.org/6.3.4-275-scsi-storvsc-Don-t-pass-unused-PFNs-to-Hyper-V-.patch + patches.kernel.org/6.3.4-276-devlink-Fix-crash-with-CONFIG_NET_NS-n.patch + patches.kernel.org/6.3.4-277-tun-Fix-memory-leak-for-detached-NAPI-queue.patch + patches.kernel.org/6.3.4-278-cassini-Fix-a-memory-leak-in-the-error-handling.patch + patches.kernel.org/6.3.4-279-net-dsa-mv88e6xxx-Fix-mv88e6393x-EPC-write-comm.patch + patches.kernel.org/6.3.4-280-igb-fix-bit_shift-to-be-in-1.8-range.patch + patches.kernel.org/6.3.4-281-vlan-fix-a-potential-uninit-value-in-vlan_dev_h.patch + patches.kernel.org/6.3.4-282-net-wwan-iosm-fix-NULL-pointer-dereference-when.patch + patches.kernel.org/6.3.4-283-net-pcs-xpcs-fix-C73-AN-not-getting-enabled.patch + patches.kernel.org/6.3.4-284-net-selftests-Fix-optstring.patch + patches.kernel.org/6.3.4-285-netfilter-nf_tables-fix-nft_trans-type-confusio.patch + patches.kernel.org/6.3.4-286-netfilter-nft_set_rbtree-fix-null-deref-on-elem.patch + patches.kernel.org/6.3.4-287-bridge-always-declare-tunnel-functions.patch + patches.kernel.org/6.3.4-288-ALSA-usb-audio-Add-a-sample-rate-workaround-for.patch + patches.kernel.org/6.3.4-289-USB-usbtmc-Fix-direction-for-0-length-ioctl-con.patch + patches.kernel.org/6.3.4-290-usb-storage-fix-deadlock-when-a-scsi-command-ti.patch + patches.kernel.org/6.3.4-291-USB-UHCI-adjust-zhaoxin-UHCI-controllers-OverCu.patch + patches.kernel.org/6.3.4-292-usb-dwc3-gadget-Improve-dwc3_gadget_suspend-and.patch + patches.kernel.org/6.3.4-293-usb-dwc3-debugfs-Resume-dwc3-before-accessing-r.patch + patches.kernel.org/6.3.4-294-usb-gadget-u_ether-Fix-host-MAC-address-case.patch + patches.kernel.org/6.3.4-295-usb-typec-altmodes-displayport-fix-pin_assignme.patch + patches.kernel.org/6.3.4-296-Revert-usb-gadget-udc-core-Prevent-redundant-ca.patch + patches.kernel.org/6.3.4-297-Revert-usb-gadget-udc-core-Invoke-usb_gadget_co.patch + patches.kernel.org/6.3.4-298-xhci-pci-Only-run-d3cold-avoidance-quirk-for-s2.patch + patches.kernel.org/6.3.4-299-xhci-Fix-incorrect-tracking-of-free-space-on-tr.patch + patches.kernel.org/6.3.4-300-ALSA-hda-Fix-Oops-by-9.1-surround-channel-names.patch + patches.kernel.org/6.3.4-301-ALSA-hda-Add-NVIDIA-codec-IDs-a3-through-a7-to-.patch + patches.kernel.org/6.3.4-302-ALSA-hda-realtek-Add-quirk-for-Clevo-L140AU.patch + patches.kernel.org/6.3.4-303-ALSA-hda-realtek-Add-a-quirk-for-HP-EliteDesk-8.patch + patches.kernel.org/6.3.4-304-ALSA-hda-realtek-Add-quirk-for-2nd-ASUS-GU603.patch + patches.kernel.org/6.3.4-305-ALSA-hda-realtek-Add-quirk-for-HP-EliteBook-G10.patch + patches.kernel.org/6.3.4-306-ALSA-hda-realtek-Fix-mute-and-micmute-LEDs-for-.patch + patches.kernel.org/6.3.4-307-can-j1939-recvmsg-allow-MSG_CMSG_COMPAT-flag.patch + patches.kernel.org/6.3.4-308-can-isotp-recvmsg-allow-MSG_CMSG_COMPAT-flag.patch + patches.kernel.org/6.3.4-309-can-kvaser_pciefd-Set-CAN_STATE_STOPPED-in-kvas.patch + patches.kernel.org/6.3.4-310-can-kvaser_pciefd-Call-request_irq-before-enabl.patch + patches.kernel.org/6.3.4-311-can-kvaser_pciefd-Empty-SRB-buffer-in-probe.patch + patches.kernel.org/6.3.4-312-can-kvaser_pciefd-Clear-listen-only-bit-if-not-.patch + patches.kernel.org/6.3.4-313-can-kvaser_pciefd-Do-not-send-EFLUSH-command-on.patch + patches.kernel.org/6.3.4-314-can-kvaser_pciefd-Disable-interrupts-in-probe-e.patch + patches.kernel.org/6.3.4-315-wifi-brcmfmac-Check-for-probe-id-argument-being.patch + patches.kernel.org/6.3.4-316-wifi-rtw88-use-work-to-update-rate-to-avoid-RCU.patch + patches.kernel.org/6.3.4-317-wifi-rtw88-correct-qsel_to_ep-type-as-int.patch + patches.kernel.org/6.3.4-318-SMB3-Close-all-deferred-handles-of-inode-in-cas.patch + patches.kernel.org/6.3.4-319-SMB3-drop-reference-to-cfile-before-sending-opl.patch + patches.kernel.org/6.3.4-320-ksmbd-smb2-Allow-messages-padded-to-8byte-bound.patch + patches.kernel.org/6.3.4-321-ksmbd-allocate-one-more-byte-for-implied-bcc-0.patch + patches.kernel.org/6.3.4-322-ksmbd-fix-wrong-UserName-check-in-session_user.patch + patches.kernel.org/6.3.4-323-ksmbd-fix-global-out-of-bounds-in-smb2_find_con.patch + patches.kernel.org/6.3.4-324-KVM-arm64-Infer-the-PA-offset-from-IPA-in-stage.patch + patches.kernel.org/6.3.4-325-KVM-Fix-vcpu_array-0-races.patch + patches.kernel.org/6.3.4-326-statfs-enforce-statfs-64-structure-initializati.patch + patches.kernel.org/6.3.4-327-maple_tree-make-maple-state-reusable-after-mas_.patch + patches.kernel.org/6.3.4-328-mm-fix-zswap-writeback-race-condition.patch + patches.kernel.org/6.3.4-329-perf-script-Skip-aggregation-for-stat-events.patch + patches.kernel.org/6.3.4-330-serial-Add-support-for-Advantech-PCI-1611U-card.patch + patches.kernel.org/6.3.4-331-serial-8250_exar-Add-support-for-USR298x-PCI-Mo.patch + patches.kernel.org/6.3.4-332-serial-qcom-geni-fix-enabling-deactivated-inter.patch + patches.kernel.org/6.3.4-333-thunderbolt-Clear-registers-properly-when-auto-.patch + patches.kernel.org/6.3.4-334-vc_screen-reload-load-of-struct-vc_data-pointer.patch + patches.kernel.org/6.3.4-335-ceph-force-updating-the-msg-pointer-in-non-spli.patch + patches.kernel.org/6.3.4-336-drm-amd-pm-fix-possible-power-mode-mismatch-bet.patch + patches.kernel.org/6.3.4-337-drm-amdgpu-gmc11-implement-get_vbios_fb_size.patch + patches.kernel.org/6.3.4-338-drm-amdgpu-gfx10-Disable-gfxoff-before-disablin.patch + patches.kernel.org/6.3.4-339-drm-amdgpu-gfx11-Adjust-gfxoff-before-powergati.patch + patches.kernel.org/6.3.4-340-drm-amdgpu-refine-get-gpu-clock-counter-method.patch + patches.kernel.org/6.3.4-341-drm-amdgpu-gfx11-update-gpu_clock_counter-logic.patch + patches.kernel.org/6.3.4-342-iommu-arm-smmu-qcom-Fix-missing-adreno_smmu-s.patch + patches.kernel.org/6.3.4-343-dt-bindings-ata-ahci-ceva-Cover-all-4-iommus-en.patch + patches.kernel.org/6.3.4-344-powerpc-iommu-DMA-address-offset-is-incorrectly.patch + patches.kernel.org/6.3.4-345-powerpc-iommu-Incorrect-DDW-Table-is-referenced.patch + patches.kernel.org/6.3.4-346-tpm-tpm_tis-Disable-interrupts-for-more-Lenovo-.patch + patches.kernel.org/6.3.4-347-powerpc-64s-radix-Fix-soft-dirty-tracking.patch + patches.kernel.org/6.3.4-348-powerpc-bpf-populate-extable-entries-only-durin.patch + patches.kernel.org/6.3.4-349-nfp-fix-NFP_NET_MAX_DSCP-definition-error.patch + patches.kernel.org/6.3.4-350-nilfs2-fix-use-after-free-bug-of-nilfs_root-in-.patch + patches.kernel.org/6.3.4-351-s390-dasd-fix-command-reject-error-on-ESE-devic.patch + patches.kernel.org/6.3.4-352-s390-crypto-use-vector-instructions-only-if-ava.patch + patches.kernel.org/6.3.4-353-s390-qdio-fix-do_sqbs-inline-assembly-constrain.patch + patches.kernel.org/6.3.4-354-arm64-Also-reset-KASAN-tag-if-page-is-not-PG_mt.patch + patches.kernel.org/6.3.4-355-arm64-mte-Do-not-set-PG_mte_tagged-if-tags-were.patch + patches.kernel.org/6.3.4-356-rethook-use-preempt_-disable-enable-_notrace-in.patch + patches.kernel.org/6.3.4-357-rethook-fprobe-do-not-trace-rethook-related-fun.patch + patches.kernel.org/6.3.4-358-remoteproc-imx_dsp_rproc-Fix-kernel-test-robot-.patch + patches.kernel.org/6.3.4-359-ARM-9294-2-vfp-Fix-broken-softirq-handling-with.patch + patches.kernel.org/6.3.4-360-ARM-9297-1-vfp-avoid-unbalanced-stack-on-succes.patch + patches.kernel.org/6.3.4-361-drm-amd-amdgpu-introduce-gc_-_mes_2.bin-v2.patch + patches.kernel.org/6.3.4-362-drm-amdgpu-reserve-the-old-gc_11_0_-_mes.bin.patch + patches.kernel.org/6.3.4-363-scsi-Revert-scsi-core-Do-not-increase-scsi_devi.patch + patches.kernel.org/6.3.4-364-Linux-6.3.4.patch ######################################################## # Build fixes that apply to the vanilla kernel too. @@ -1009,7 +1373,6 @@ patches.suse/usbtv-usbtv_set_regs-the-pipe-is-output.patch patches.suse/ath11k-pci-Add-more-MODULE_FIRMWARE-entries.patch - patches.suse/SUNRPC-Fix-encoding-of-rejected-RPCs.patch ######################################################## # end of sorted patches ######################################################## @@ -1128,7 +1491,6 @@ patches.suse/drivers-firmware-skip-simpledrm-if-nvidia-drm.modese.patch patches.suse/Add-parameter-to-disable-simple-framebuffer-devices.patch patches.suse/0001-bsc-1204315-Disable-sysfb-before-creating-simple-fra.patch - patches.suse/0001-firmware-sysfb-Fix-VESA-format-selection.patch ######################################################## # Storage