Fixes for 6.1

Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/queue-6.1/acpi-tools-pfrut-check-if-the-input-of-level-and-typ.patch b/queue-6.1/acpi-tools-pfrut-check-if-the-input-of-level-and-typ.patch
new file mode 100644 (file)
index 0000000..674e8b4
--- /dev/null
+++ b/queue-6.1/acpi-tools-pfrut-check-if-the-input-of-level-and-typ.patch
@@ -0,0 +1,97 @@
+From 406de9ced74f49bbfac384903542cb52af4aa567 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Mar 2023 21:23:09 +0800
+Subject: ACPI: tools: pfrut: Check if the input of level and type is in the
+ right numeric range
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Chen Yu <yu.c.chen@intel.com>
+
+[ Upstream commit 0bc23d8b2237a104d7f8379d687aa4cb82e2968b ]
+
+The user provides arbitrary non-numeic value to level and type,
+which could bring unexpected behavior. In this case the expected
+behavior would be to throw an error.
+
+ pfrut -h
+usage: pfrut [OPTIONS]
+code injection:
+-l, --load
+-s, --stage
+-a, --activate
+-u, --update [stage and activate]
+-q, --query
+-d, --revid
+update telemetry:
+-G, --getloginfo
+-T, --type(0:execution, 1:history)
+-L, --level(0, 1, 2, 4)
+-R, --read
+-D, --revid log
+
+ pfrut -T A
+ pfrut -G
+log_level:0
+log_type:0
+log_revid:2
+max_data_size:65536
+chunk1_size:0
+chunk2_size:1530
+rollover_cnt:0
+reset_cnt:17
+
+Fix this by restricting the input to be in the expected range.
+
+Reported-by: Hariganesh Govindarajulu <hariganesh.govindarajulu@intel.com>
+Suggested-by: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
+Signed-off-by: Chen Yu <yu.c.chen@intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/power/acpi/tools/pfrut/pfrut.c | 18 +++++++++++++++---
+ 1 file changed, 15 insertions(+), 3 deletions(-)
+
+diff --git a/tools/power/acpi/tools/pfrut/pfrut.c b/tools/power/acpi/tools/pfrut/pfrut.c
+index 52aa0351533c3..388c9e3ad0407 100644
+--- a/tools/power/acpi/tools/pfrut/pfrut.c
++++ b/tools/power/acpi/tools/pfrut/pfrut.c
+@@ -97,7 +97,7 @@ static struct option long_options[] = {
+ static void parse_options(int argc, char **argv)
+ {
+       int option_index = 0;
+-      char *pathname;
++      char *pathname, *endptr;
+       int opt;
+ 
+       pathname = strdup(argv[0]);
+@@ -125,11 +125,23 @@ static void parse_options(int argc, char **argv)
+                       log_getinfo = 1;
+                       break;
+               case 'T':
+-                      log_type = atoi(optarg);
++                      log_type = strtol(optarg, &endptr, 0);
++                      if (*endptr || (log_type != 0 && log_type != 1)) {
++                              printf("Number expected: type(0:execution, 1:history) - Quit.\n");
++                              exit(1);
++                      }
++
+                       set_log_type = 1;
+                       break;
+               case 'L':
+-                      log_level = atoi(optarg);
++                      log_level = strtol(optarg, &endptr, 0);
++                      if (*endptr ||
++                          (log_level != 0 && log_level != 1 &&
++                           log_level != 2 && log_level != 4)) {
++                              printf("Number expected: level(0, 1, 2, 4) - Quit.\n");
++                              exit(1);
++                      }
++
+                       set_log_level = 1;
+                       break;
+               case 'R':
+-- 
+2.39.2
+

diff --git a/queue-6.1/acpi-video-add-backlight-native-dmi-quirk-for-dell-v.patch b/queue-6.1/acpi-video-add-backlight-native-dmi-quirk-for-dell-v.patch
new file mode 100644 (file)
index 0000000..7657392
--- /dev/null
+++ b/queue-6.1/acpi-video-add-backlight-native-dmi-quirk-for-dell-v.patch
@@ -0,0 +1,41 @@
+From cc036f40a73c23369d89e9cb6704f35650b2cad8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Mar 2023 17:33:00 +0800
+Subject: ACPI: video: Add backlight=native DMI quirk for Dell Vostro 15 3535
+
+From: Chia-Lin Kao (AceLan) <acelan.kao@canonical.com>
+
+[ Upstream commit 89b0411481967a2e8c91190a211a359966cfcf4b ]
+
+Sometimes the system boots up with a acpi_video0 backlight interface
+which doesn't work. So add Dell Vostro 15 3535 into the
+video_detect_dmi_table to set it to native explicitly.
+
+Signed-off-by: Chia-Lin Kao (AceLan) <acelan.kao@canonical.com>
+Signed-off-by: Rafael J. Wysocki <rjw@rjwysocki.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/video_detect.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/acpi/video_detect.c b/drivers/acpi/video_detect.c
+index 7f0ed845cd6ad..f06b3d3556710 100644
+--- a/drivers/acpi/video_detect.c
++++ b/drivers/acpi/video_detect.c
+@@ -714,6 +714,13 @@ static const struct dmi_system_id video_detect_dmi_table[] = {
+               DMI_MATCH(DMI_PRODUCT_NAME, "Dell G15 5515"),
+               },
+       },
++      {
++       .callback = video_detect_force_native,
++       .matches = {
++              DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
++              DMI_MATCH(DMI_PRODUCT_NAME, "Vostro 15 3535"),
++              },
++      },
+ 
+       /*
+        * Desktops which falsely report a backlight and which our heuristics
+-- 
+2.39.2
+

diff --git a/queue-6.1/alsa-asihpi-check-pao-in-control_message.patch b/queue-6.1/alsa-asihpi-check-pao-in-control_message.patch
new file mode 100644 (file)
index 0000000..dd77660
--- /dev/null
+++ b/queue-6.1/alsa-asihpi-check-pao-in-control_message.patch
@@ -0,0 +1,72 @@
+From 2e99f1279e29cb442623e6dde00422a8da4b6850 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Mar 2023 00:49:24 +0000
+Subject: ALSA: asihpi: check pao in control_message()
+
+From: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+
+[ Upstream commit 9026c0bf233db53b86f74f4c620715e94eb32a09 ]
+
+control_message() might be called with pao = NULL.
+Here indicates control_message() as sample.
+
+(B)    static void control_message(struct hpi_adapter_obj *pao, ...)
+       {                                                   ^^^
+               struct hpi_hw_obj *phw = pao->priv;
+               ...                      ^^^
+       }
+
+(A)    void _HPI_6205(struct hpi_adapter_obj *pao, ...)
+       {                                      ^^^
+               ...
+               case HPI_OBJ_CONTROL:
+(B)                    control_message(pao, phm, phr);
+                       break;          ^^^
+               ...
+       }
+
+       void HPI_6205(...)
+       {
+               ...
+(A)            _HPI_6205(NULL, phm, phr);
+               ...       ^^^^
+       }
+
+Therefore, We will get too many warning via cppcheck, like below
+
+       sound/pci/asihpi/hpi6205.c:238:27: warning: Possible null pointer dereference: pao [nullPointer]
+                struct hpi_hw_obj *phw = pao->priv;
+                                         ^
+       sound/pci/asihpi/hpi6205.c:433:13: note: Calling function '_HPI_6205', 1st argument 'NULL' value is 0
+                 _HPI_6205(NULL, phm, phr);
+                           ^
+       sound/pci/asihpi/hpi6205.c:401:20: note: Calling function 'control_message', 1st argument 'pao' value is 0
+          control_message(pao, phm, phr);
+                          ^
+Set phr->error like many functions doing, and don't call _HPI_6205()
+with NULL.
+
+Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+Link: https://lore.kernel.org/r/87ttypeaqz.wl-kuninori.morimoto.gx@renesas.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/asihpi/hpi6205.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/pci/asihpi/hpi6205.c b/sound/pci/asihpi/hpi6205.c
+index 27e11b5f70b97..c7d7eff86727f 100644
+--- a/sound/pci/asihpi/hpi6205.c
++++ b/sound/pci/asihpi/hpi6205.c
+@@ -430,7 +430,7 @@ void HPI_6205(struct hpi_message *phm, struct hpi_response *phr)
+               pao = hpi_find_adapter(phm->adapter_index);
+       } else {
+               /* subsys messages don't address an adapter */
+-              _HPI_6205(NULL, phm, phr);
++              phr->error = HPI_ERROR_INVALID_OBJ_INDEX;
+               return;
+       }
+ 
+-- 
+2.39.2
+

diff --git a/queue-6.1/alsa-hda-ca0132-fixup-buffer-overrun-at-tuning_ctl_s.patch b/queue-6.1/alsa-hda-ca0132-fixup-buffer-overrun-at-tuning_ctl_s.patch
new file mode 100644 (file)
index 0000000..87efc61
--- /dev/null
+++ b/queue-6.1/alsa-hda-ca0132-fixup-buffer-overrun-at-tuning_ctl_s.patch
@@ -0,0 +1,62 @@
+From 8521235e020ba95566662203fe583a7445b83902 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Mar 2023 00:50:28 +0000
+Subject: ALSA: hda/ca0132: fixup buffer overrun at tuning_ctl_set()
+
+From: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+
+[ Upstream commit 98e5eb110095ec77cb6d775051d181edbf9cd3cf ]
+
+tuning_ctl_set() might have buffer overrun at (X) if it didn't break
+from loop by matching (A).
+
+       static int tuning_ctl_set(...)
+       {
+               for (i = 0; i < TUNING_CTLS_COUNT; i++)
+(A)                    if (nid == ca0132_tuning_ctls[i].nid)
+                               break;
+
+               snd_hda_power_up(...);
+(X)            dspio_set_param(..., ca0132_tuning_ctls[i].mid, ...);
+               snd_hda_power_down(...);                ^
+
+               return 1;
+       }
+
+We will get below error by cppcheck
+
+       sound/pci/hda/patch_ca0132.c:4229:2: note: After for loop, i has value 12
+        for (i = 0; i < TUNING_CTLS_COUNT; i++)
+        ^
+       sound/pci/hda/patch_ca0132.c:4234:43: note: Array index out of bounds
+        dspio_set_param(codec, ca0132_tuning_ctls[i].mid, 0x20,
+                                                  ^
+This patch cares non match case.
+
+Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+Link: https://lore.kernel.org/r/87sfe9eap7.wl-kuninori.morimoto.gx@renesas.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_ca0132.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/sound/pci/hda/patch_ca0132.c b/sound/pci/hda/patch_ca0132.c
+index acde4cd58785e..099722ebaed83 100644
+--- a/sound/pci/hda/patch_ca0132.c
++++ b/sound/pci/hda/patch_ca0132.c
+@@ -4228,8 +4228,10 @@ static int tuning_ctl_set(struct hda_codec *codec, hda_nid_t nid,
+ 
+       for (i = 0; i < TUNING_CTLS_COUNT; i++)
+               if (nid == ca0132_tuning_ctls[i].nid)
+-                      break;
++                      goto found;
+ 
++      return -EINVAL;
++found:
+       snd_hda_power_up(codec);
+       dspio_set_param(codec, ca0132_tuning_ctls[i].mid, 0x20,
+                       ca0132_tuning_ctls[i].req,
+-- 
+2.39.2
+

diff --git a/queue-6.1/asoc-codecs-tx-macro-fix-for-kasan-slab-out-of-bound.patch b/queue-6.1/asoc-codecs-tx-macro-fix-for-kasan-slab-out-of-bound.patch
new file mode 100644 (file)
index 0000000..f9f2622
--- /dev/null
+++ b/queue-6.1/asoc-codecs-tx-macro-fix-for-kasan-slab-out-of-bound.patch
@@ -0,0 +1,93 @@
+From 4bf00f852586aa2901db7651e94a731e99d0c01f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 4 Mar 2023 13:37:02 +0530
+Subject: ASoC: codecs: tx-macro: Fix for KASAN: slab-out-of-bounds
+
+From: Ravulapati Vishnu Vardhan Rao <quic_visr@quicinc.com>
+
+[ Upstream commit e5e7e398f6bb7918dab0612eb6991f7bae95520d ]
+
+When we run syzkaller we get below Out of Bound.
+    "KASAN: slab-out-of-bounds Read in regcache_flat_read"
+
+    Below is the backtrace of the issue:
+
+    dump_backtrace+0x0/0x4c8
+    show_stack+0x34/0x44
+    dump_stack_lvl+0xd8/0x118
+    print_address_description+0x30/0x2d8
+    kasan_report+0x158/0x198
+    __asan_report_load4_noabort+0x44/0x50
+    regcache_flat_read+0x10c/0x110
+    regcache_read+0xf4/0x180
+    _regmap_read+0xc4/0x278
+    _regmap_update_bits+0x130/0x290
+    regmap_update_bits_base+0xc0/0x15c
+    snd_soc_component_update_bits+0xa8/0x22c
+    snd_soc_component_write_field+0x68/0xd4
+    tx_macro_digital_mute+0xec/0x140
+
+    Actually There is no need to have decimator with 32 bits.
+    By limiting the variable with short type u8 issue is resolved.
+
+Signed-off-by: Ravulapati Vishnu Vardhan Rao <quic_visr@quicinc.com>
+Link: https://lore.kernel.org/r/20230304080702.609-1-quic_visr@quicinc.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/lpass-tx-macro.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/sound/soc/codecs/lpass-tx-macro.c b/sound/soc/codecs/lpass-tx-macro.c
+index 5d1c58df081ac..e5611f655beda 100644
+--- a/sound/soc/codecs/lpass-tx-macro.c
++++ b/sound/soc/codecs/lpass-tx-macro.c
+@@ -241,7 +241,7 @@ enum {
+ 
+ struct tx_mute_work {
+       struct tx_macro *tx;
+-      u32 decimator;
++      u8 decimator;
+       struct delayed_work dwork;
+ };
+ 
+@@ -634,7 +634,7 @@ static int tx_macro_mclk_enable(struct tx_macro *tx,
+       return 0;
+ }
+ 
+-static bool is_amic_enabled(struct snd_soc_component *component, int decimator)
++static bool is_amic_enabled(struct snd_soc_component *component, u8 decimator)
+ {
+       u16 adc_mux_reg, adc_reg, adc_n;
+ 
+@@ -845,7 +845,7 @@ static int tx_macro_enable_dec(struct snd_soc_dapm_widget *w,
+                              struct snd_kcontrol *kcontrol, int event)
+ {
+       struct snd_soc_component *component = snd_soc_dapm_to_component(w->dapm);
+-      unsigned int decimator;
++      u8 decimator;
+       u16 tx_vol_ctl_reg, dec_cfg_reg, hpf_gate_reg, tx_gain_ctl_reg;
+       u8 hpf_cut_off_freq;
+       int hpf_delay = TX_MACRO_DMIC_HPF_DELAY_MS;
+@@ -1060,7 +1060,8 @@ static int tx_macro_hw_params(struct snd_pcm_substream *substream,
+                             struct snd_soc_dai *dai)
+ {
+       struct snd_soc_component *component = dai->component;
+-      u32 decimator, sample_rate;
++      u32 sample_rate;
++      u8 decimator;
+       int tx_fs_rate;
+       struct tx_macro *tx = snd_soc_component_get_drvdata(component);
+ 
+@@ -1124,7 +1125,7 @@ static int tx_macro_digital_mute(struct snd_soc_dai *dai, int mute, int stream)
+ {
+       struct snd_soc_component *component = dai->component;
+       struct tx_macro *tx = snd_soc_component_get_drvdata(component);
+-      u16 decimator;
++      u8 decimator;
+ 
+       /* active decimator not set yet */
+       if (tx->active_decimator[dai->id] == -1)
+-- 
+2.39.2
+

diff --git a/queue-6.1/asoc-intel-avs-da7219-explicitly-define-codec-format.patch b/queue-6.1/asoc-intel-avs-da7219-explicitly-define-codec-format.patch
new file mode 100644 (file)
index 0000000..563e0dd
--- /dev/null
+++ b/queue-6.1/asoc-intel-avs-da7219-explicitly-define-codec-format.patch
@@ -0,0 +1,66 @@
+From c09404a7e647f585d21274b5020edde51b000663 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Mar 2023 14:48:51 +0100
+Subject: ASoC: Intel: avs: da7219: Explicitly define codec format
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>
+
+[ Upstream commit 61f368624fe4d0c25c6e9c917574b8ace51d776e ]
+
+da7219 is headset codec configured in 48000/2/S24_LE format regardless
+of front end format, so force it to be so.
+
+Reviewed-by: Cezary Rojewski <cezary.rojewski@intel.com>
+Signed-off-by: Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>
+Link: https://lore.kernel.org/r/20230303134854.2277146-3-amadeuszx.slawinski@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/intel/avs/boards/da7219.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/sound/soc/intel/avs/boards/da7219.c b/sound/soc/intel/avs/boards/da7219.c
+index 02ae542ad7792..a63563594b4cd 100644
+--- a/sound/soc/intel/avs/boards/da7219.c
++++ b/sound/soc/intel/avs/boards/da7219.c
+@@ -111,6 +111,26 @@ static int avs_da7219_codec_init(struct snd_soc_pcm_runtime *runtime)
+       return 0;
+ }
+ 
++static int
++avs_da7219_be_fixup(struct snd_soc_pcm_runtime *runrime, struct snd_pcm_hw_params *params)
++{
++      struct snd_interval *rate, *channels;
++      struct snd_mask *fmt;
++
++      rate = hw_param_interval(params, SNDRV_PCM_HW_PARAM_RATE);
++      channels = hw_param_interval(params, SNDRV_PCM_HW_PARAM_CHANNELS);
++      fmt = hw_param_mask(params, SNDRV_PCM_HW_PARAM_FORMAT);
++
++      /* The ADSP will convert the FE rate to 48k, stereo */
++      rate->min = rate->max = 48000;
++      channels->min = channels->max = 2;
++
++      /* set SSP0 to 24 bit */
++      snd_mask_none(fmt);
++      snd_mask_set_format(fmt, SNDRV_PCM_FORMAT_S24_LE);
++      return 0;
++}
++
+ static int avs_create_dai_link(struct device *dev, const char *platform_name, int ssp_port,
+                              struct snd_soc_dai_link **dai_link)
+ {
+@@ -142,6 +162,7 @@ static int avs_create_dai_link(struct device *dev, const char *platform_name, in
+       dl->num_platforms = 1;
+       dl->id = 0;
+       dl->dai_fmt = SND_SOC_DAIFMT_I2S | SND_SOC_DAIFMT_NB_NF | SND_SOC_DAIFMT_CBS_CFS;
++      dl->be_hw_params_fixup = avs_da7219_be_fixup;
+       dl->init = avs_da7219_codec_init;
+       dl->nonatomic = 1;
+       dl->no_pcm = 1;
+-- 
+2.39.2
+

diff --git a/queue-6.1/asoc-intel-avs-max98357a-explicitly-define-codec-for.patch b/queue-6.1/asoc-intel-avs-max98357a-explicitly-define-codec-for.patch
new file mode 100644 (file)
index 0000000..4e2d123
--- /dev/null
+++ b/queue-6.1/asoc-intel-avs-max98357a-explicitly-define-codec-for.patch
@@ -0,0 +1,74 @@
+From 3993c440d44d5243cdb4cdd293b151438692918c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Mar 2023 14:48:50 +0100
+Subject: ASoC: Intel: avs: max98357a: Explicitly define codec format
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>
+
+[ Upstream commit d16c893425d07ada1fdd817ec06d322efcf69480 ]
+
+max98357a is speaker codec configured in 48000/2/S16_LE format
+regardless of front end format, so force it to be so.
+
+Reviewed-by: Cezary Rojewski <cezary.rojewski@intel.com>
+Signed-off-by: Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>
+Link: https://lore.kernel.org/r/20230303134854.2277146-2-amadeuszx.slawinski@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/intel/avs/boards/max98357a.c | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+diff --git a/sound/soc/intel/avs/boards/max98357a.c b/sound/soc/intel/avs/boards/max98357a.c
+index 921f42caf7e09..183123d08c5a3 100644
+--- a/sound/soc/intel/avs/boards/max98357a.c
++++ b/sound/soc/intel/avs/boards/max98357a.c
+@@ -8,6 +8,7 @@
+ 
+ #include <linux/module.h>
+ #include <linux/platform_device.h>
++#include <sound/pcm_params.h>
+ #include <sound/soc.h>
+ #include <sound/soc-acpi.h>
+ #include <sound/soc-dapm.h>
+@@ -24,6 +25,26 @@ static const struct snd_soc_dapm_route card_base_routes[] = {
+       { "Spk", NULL, "Speaker" },
+ };
+ 
++static int
++avs_max98357a_be_fixup(struct snd_soc_pcm_runtime *runrime, struct snd_pcm_hw_params *params)
++{
++      struct snd_interval *rate, *channels;
++      struct snd_mask *fmt;
++
++      rate = hw_param_interval(params, SNDRV_PCM_HW_PARAM_RATE);
++      channels = hw_param_interval(params, SNDRV_PCM_HW_PARAM_CHANNELS);
++      fmt = hw_param_mask(params, SNDRV_PCM_HW_PARAM_FORMAT);
++
++      /* The ADSP will convert the FE rate to 48k, stereo */
++      rate->min = rate->max = 48000;
++      channels->min = channels->max = 2;
++
++      /* set SSP0 to 16 bit */
++      snd_mask_none(fmt);
++      snd_mask_set_format(fmt, SNDRV_PCM_FORMAT_S16_LE);
++      return 0;
++}
++
+ static int avs_create_dai_link(struct device *dev, const char *platform_name, int ssp_port,
+                              struct snd_soc_dai_link **dai_link)
+ {
+@@ -55,6 +76,7 @@ static int avs_create_dai_link(struct device *dev, const char *platform_name, in
+       dl->num_platforms = 1;
+       dl->id = 0;
+       dl->dai_fmt = SND_SOC_DAIFMT_I2S | SND_SOC_DAIFMT_NB_NF | SND_SOC_DAIFMT_CBS_CFS;
++      dl->be_hw_params_fixup = avs_max98357a_be_fixup;
+       dl->nonatomic = 1;
+       dl->no_pcm = 1;
+       dl->dpcm_playback = 1;
+-- 
+2.39.2
+

diff --git a/queue-6.1/asoc-intel-avs-nau8825-adjust-clock-control.patch b/queue-6.1/asoc-intel-avs-nau8825-adjust-clock-control.patch
new file mode 100644 (file)
index 0000000..aa11464
--- /dev/null
+++ b/queue-6.1/asoc-intel-avs-nau8825-adjust-clock-control.patch
@@ -0,0 +1,54 @@
+From d0797c6ec91033bb70c51066e4e4056bd17f4ebe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Mar 2023 14:48:54 +0100
+Subject: ASoC: Intel: avs: nau8825: Adjust clock control
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Cezary Rojewski <cezary.rojewski@intel.com>
+
+[ Upstream commit 6206b2e787da2ed567922c37bb588a44f6fb6705 ]
+
+Internal clock shall be adjusted also in cases when DAPM event other
+than 'ON' is triggered.
+
+Signed-off-by: Cezary Rojewski <cezary.rojewski@intel.com>
+Signed-off-by: Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>
+Link: https://lore.kernel.org/r/20230303134854.2277146-6-amadeuszx.slawinski@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/intel/avs/boards/nau8825.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/sound/soc/intel/avs/boards/nau8825.c b/sound/soc/intel/avs/boards/nau8825.c
+index f76909e9f990a..8392d8fac8f9c 100644
+--- a/sound/soc/intel/avs/boards/nau8825.c
++++ b/sound/soc/intel/avs/boards/nau8825.c
+@@ -33,15 +33,15 @@ avs_nau8825_clock_control(struct snd_soc_dapm_widget *w, struct snd_kcontrol *co
+               return -EINVAL;
+       }
+ 
+-      if (!SND_SOC_DAPM_EVENT_ON(event)) {
++      if (SND_SOC_DAPM_EVENT_ON(event))
++              ret = snd_soc_dai_set_sysclk(codec_dai, NAU8825_CLK_MCLK, 24000000,
++                                           SND_SOC_CLOCK_IN);
++      else
+               ret = snd_soc_dai_set_sysclk(codec_dai, NAU8825_CLK_INTERNAL, 0, SND_SOC_CLOCK_IN);
+-              if (ret < 0) {
+-                      dev_err(card->dev, "set sysclk err = %d\n", ret);
+-                      return ret;
+-              }
+-      }
++      if (ret < 0)
++              dev_err(card->dev, "Set sysclk failed: %d\n", ret);
+ 
+-      return 0;
++      return ret;
+ }
+ 
+ static const struct snd_kcontrol_new card_controls[] = {
+-- 
+2.39.2
+

diff --git a/queue-6.1/asoc-intel-avs-ssm4567-remove-nau8825-bits.patch b/queue-6.1/asoc-intel-avs-ssm4567-remove-nau8825-bits.patch
new file mode 100644 (file)
index 0000000..e5c7afd
--- /dev/null
+++ b/queue-6.1/asoc-intel-avs-ssm4567-remove-nau8825-bits.patch
@@ -0,0 +1,80 @@
+From 7fb447172287a8fc3ef02a8a2f940ec22ba5366f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Mar 2023 14:48:53 +0100
+Subject: ASoC: Intel: avs: ssm4567: Remove nau8825 bits
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Cezary Rojewski <cezary.rojewski@intel.com>
+
+[ Upstream commit 933de2d127281731166cf2880fa1e23c5a0f7faa ]
+
+Some of the nau8825 clock control got into the ssm4567, remove it.
+
+Signed-off-by: Cezary Rojewski <cezary.rojewski@intel.com>
+Signed-off-by: Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>
+Link: https://lore.kernel.org/r/20230303134854.2277146-5-amadeuszx.slawinski@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/intel/avs/boards/ssm4567.c | 31 ----------------------------
+ 1 file changed, 31 deletions(-)
+
+diff --git a/sound/soc/intel/avs/boards/ssm4567.c b/sound/soc/intel/avs/boards/ssm4567.c
+index 9f84c8ab34478..51a8867326b47 100644
+--- a/sound/soc/intel/avs/boards/ssm4567.c
++++ b/sound/soc/intel/avs/boards/ssm4567.c
+@@ -15,7 +15,6 @@
+ #include <sound/soc-acpi.h>
+ #include "../../../codecs/nau8825.h"
+ 
+-#define SKL_NUVOTON_CODEC_DAI "nau8825-hifi"
+ #define SKL_SSM_CODEC_DAI     "ssm4567-hifi"
+ 
+ static struct snd_soc_codec_conf card_codec_conf[] = {
+@@ -34,41 +33,11 @@ static const struct snd_kcontrol_new card_controls[] = {
+       SOC_DAPM_PIN_SWITCH("Right Speaker"),
+ };
+ 
+-static int
+-platform_clock_control(struct snd_soc_dapm_widget *w, struct snd_kcontrol *control, int event)
+-{
+-      struct snd_soc_dapm_context *dapm = w->dapm;
+-      struct snd_soc_card *card = dapm->card;
+-      struct snd_soc_dai *codec_dai;
+-      int ret;
+-
+-      codec_dai = snd_soc_card_get_codec_dai(card, SKL_NUVOTON_CODEC_DAI);
+-      if (!codec_dai) {
+-              dev_err(card->dev, "Codec dai not found\n");
+-              return -EINVAL;
+-      }
+-
+-      if (SND_SOC_DAPM_EVENT_ON(event)) {
+-              ret = snd_soc_dai_set_sysclk(codec_dai, NAU8825_CLK_MCLK, 24000000,
+-                                           SND_SOC_CLOCK_IN);
+-              if (ret < 0)
+-                      dev_err(card->dev, "set sysclk err = %d\n", ret);
+-      } else {
+-              ret = snd_soc_dai_set_sysclk(codec_dai, NAU8825_CLK_INTERNAL, 0, SND_SOC_CLOCK_IN);
+-              if (ret < 0)
+-                      dev_err(card->dev, "set sysclk err = %d\n", ret);
+-      }
+-
+-      return ret;
+-}
+-
+ static const struct snd_soc_dapm_widget card_widgets[] = {
+       SND_SOC_DAPM_SPK("Left Speaker", NULL),
+       SND_SOC_DAPM_SPK("Right Speaker", NULL),
+       SND_SOC_DAPM_SPK("DP1", NULL),
+       SND_SOC_DAPM_SPK("DP2", NULL),
+-      SND_SOC_DAPM_SUPPLY("Platform Clock", SND_SOC_NOPM, 0, 0, platform_clock_control,
+-                          SND_SOC_DAPM_PRE_PMU | SND_SOC_DAPM_POST_PMD),
+ };
+ 
+ static const struct snd_soc_dapm_route card_base_routes[] = {
+-- 
+2.39.2
+

diff --git a/queue-6.1/asoc-sof-intel-pci-tng-revert-invalid-bar-size-setti.patch b/queue-6.1/asoc-sof-intel-pci-tng-revert-invalid-bar-size-setti.patch
new file mode 100644 (file)
index 0000000..c57cc7e
--- /dev/null
+++ b/queue-6.1/asoc-sof-intel-pci-tng-revert-invalid-bar-size-setti.patch
@@ -0,0 +1,60 @@
+From 26966d2d8afa2f9f5203fe666e882f3dc0b30c85 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Mar 2023 11:53:41 +0200
+Subject: ASoC: SOF: Intel: pci-tng: revert invalid bar size setting
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+
+[ Upstream commit ca09e2a351fbc7836ba9418304ff0c3e72addfe0 ]
+
+The logic for the ioremap is to find the resource index 3 (IRAM) and
+infer the BAR address by subtracting the IRAM offset. The BAR size
+defined in hardware specifications is 2MB.
+
+The commit 5947b2726beb6 ("ASoC: SOF: Intel: Check the bar size before
+remapping") tried to find the BAR size by querying the resource length
+instead of a pre-canned value, but by requesting the size for index 3
+it only gets the size of the IRAM. That's obviously wrong and prevents
+the probe from proceeding.
+
+This commit attempted to fix an issue in a fuzzing/simulated
+environment but created another on actual devices, so the best course
+of action is to revert that change.
+
+Reported-by: Ferry Toth <fntoth@gmail.com>
+Tested-by: Ferry Toth <fntoth@gmail.com> (Intel Edison-Arduino)
+Link: https://github.com/thesofproject/linux/issues/3901
+Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Reviewed-by: Péter Ujfalusi <peter.ujfalusi@linux.intel.com>
+Reviewed-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
+Signed-off-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
+Link: https://lore.kernel.org/r/20230307095341.3222-1-peter.ujfalusi@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/sof/intel/pci-tng.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/sound/soc/sof/intel/pci-tng.c b/sound/soc/sof/intel/pci-tng.c
+index f0f6d9ba88037..0b17d1bb225e2 100644
+--- a/sound/soc/sof/intel/pci-tng.c
++++ b/sound/soc/sof/intel/pci-tng.c
+@@ -75,11 +75,7 @@ static int tangier_pci_probe(struct snd_sof_dev *sdev)
+ 
+       /* LPE base */
+       base = pci_resource_start(pci, desc->resindex_lpe_base) - IRAM_OFFSET;
+-      size = pci_resource_len(pci, desc->resindex_lpe_base);
+-      if (size < PCI_BAR_SIZE) {
+-              dev_err(sdev->dev, "error: I/O region is too small.\n");
+-              return -ENODEV;
+-      }
++      size = PCI_BAR_SIZE;
+ 
+       dev_dbg(sdev->dev, "LPE PHY base at 0x%x size 0x%x", base, size);
+       sdev->bar[DSP_BAR] = devm_ioremap(sdev->dev, base, size);
+-- 
+2.39.2
+

diff --git a/queue-6.1/asoc-sof-ipc3-check-for-upper-size-limit-for-the-rec.patch b/queue-6.1/asoc-sof-ipc3-check-for-upper-size-limit-for-the-rec.patch
new file mode 100644 (file)
index 0000000..0240b45
--- /dev/null
+++ b/queue-6.1/asoc-sof-ipc3-check-for-upper-size-limit-for-the-rec.patch
@@ -0,0 +1,45 @@
+From 7825616fffd90bbecd9bbf669d1eef42d89a4a9e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Mar 2023 13:49:17 +0200
+Subject: ASoC: SOF: ipc3: Check for upper size limit for the received message
+
+From: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
+
+[ Upstream commit 989a3e4479177d0f4afab8be1960731bc0ffbbd0 ]
+
+The sof_ipc3_rx_msg() checks for minimum size of a new rx message but it is
+missing the check for upper limit.
+Corrupted or compromised firmware might be able to take advantage of this
+to cause out of bounds reads outside of the message area.
+
+Reported-by: Curtis Malainey <cujomalainey@chromium.org>
+Signed-off-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
+Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Reviewed-by: Curtis Malainey <curtis@malainey.com>
+Signed-off-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
+Link: https://lore.kernel.org/r/20230307114917.5124-1-peter.ujfalusi@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/sof/ipc3.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/sof/ipc3.c b/sound/soc/sof/ipc3.c
+index b28af3a48b707..60b96b0c2412f 100644
+--- a/sound/soc/sof/ipc3.c
++++ b/sound/soc/sof/ipc3.c
+@@ -970,8 +970,9 @@ static void sof_ipc3_rx_msg(struct snd_sof_dev *sdev)
+               return;
+       }
+ 
+-      if (hdr.size < sizeof(hdr)) {
+-              dev_err(sdev->dev, "The received message size is invalid\n");
++      if (hdr.size < sizeof(hdr) || hdr.size > SOF_IPC_MSG_MAX_SIZE) {
++              dev_err(sdev->dev, "The received message size is invalid: %u\n",
++                      hdr.size);
+               return;
+       }
+ 
+-- 
+2.39.2
+

diff --git a/queue-6.1/asoc-sof-ipc4-topology-fix-incorrect-sample-rate-pri.patch b/queue-6.1/asoc-sof-ipc4-topology-fix-incorrect-sample-rate-pri.patch
new file mode 100644 (file)
index 0000000..922edc3
--- /dev/null
+++ b/queue-6.1/asoc-sof-ipc4-topology-fix-incorrect-sample-rate-pri.patch
@@ -0,0 +1,39 @@
+From 030ffd72d9ea90d6222145554f1475e00fbd9fba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Mar 2023 13:07:51 +0200
+Subject: ASoC: SOF: ipc4-topology: Fix incorrect sample rate print unit
+
+From: Seppo Ingalsuo <seppo.ingalsuo@linux.intel.com>
+
+[ Upstream commit 9e269e3aa9006440de639597079ee7140ef5b5f3 ]
+
+This patch fixes the sample rate print unit from KHz to Hz.
+E.g. 48000KHz becomes 48000Hz.
+
+Signed-off-by: Seppo Ingalsuo <seppo.ingalsuo@linux.intel.com>
+Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Reviewed-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
+Signed-off-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
+Link: https://lore.kernel.org/r/20230307110751.2053-1-peter.ujfalusi@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/sof/ipc4-topology.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/sof/ipc4-topology.c b/sound/soc/sof/ipc4-topology.c
+index a81af5f73a4b4..41617569f50fb 100644
+--- a/sound/soc/sof/ipc4-topology.c
++++ b/sound/soc/sof/ipc4-topology.c
+@@ -154,7 +154,7 @@ static void sof_ipc4_dbg_audio_format(struct device *dev,
+       for (i = 0; i < num_format; i++, ptr = (u8 *)ptr + object_size) {
+               fmt = ptr;
+               dev_dbg(dev,
+-                      " #%d: %uKHz, %ubit (ch_map %#x ch_cfg %u interleaving_style %u fmt_cfg %#x)\n",
++                      " #%d: %uHz, %ubit (ch_map %#x ch_cfg %u interleaving_style %u fmt_cfg %#x)\n",
+                       i, fmt->sampling_frequency, fmt->bit_depth, fmt->ch_map,
+                       fmt->ch_cfg, fmt->interleaving_style, fmt->fmt_cfg);
+       }
+-- 
+2.39.2
+

diff --git a/queue-6.1/asoc-sof-ipc4-update-gain-ipc-msg-definition-to-alig.patch b/queue-6.1/asoc-sof-ipc4-update-gain-ipc-msg-definition-to-alig.patch
new file mode 100644 (file)
index 0000000..93d4f84
--- /dev/null
+++ b/queue-6.1/asoc-sof-ipc4-update-gain-ipc-msg-definition-to-alig.patch
@@ -0,0 +1,103 @@
+From 00ce3ca84d50a0914fad30c44e77a709107e231e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Mar 2023 13:06:56 +0200
+Subject: ASoC: SOF: IPC4: update gain ipc msg definition to align with fw
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Rander Wang <rander.wang@intel.com>
+
+[ Upstream commit e45cd86c3a78bfb9875a5eb8ab5dab459b59bbe2 ]
+
+Recent firmware changes modified the curve duration from 32 to 64 bits,
+which breaks volume ramps. A simple solution would be to change the
+definition, but unfortunately the ASoC topology framework only supports
+up to 32 bit tokens.
+
+This patch suggests breaking the 64 bit value in low and high parts, with
+only the low-part extracted from topology and high-part only zeroes. Since
+the curve duration is represented in hundred of nanoseconds, we can still
+represent a 400s ramp, which is just fine. The defacto ABI change has no
+effect on existing users since the IPC4 firmware has not been released just
+yet.
+
+Link: https://github.com/thesofproject/linux/issues/4026
+
+Signed-off-by: Rander Wang <rander.wang@intel.com>
+Reviewed-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
+Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Reviewed-by: Bard Liao <yung-chuan.liao@linux.intel.com>
+Reviewed-by: Péter Ujfalusi <peter.ujfalusi@linux.intel.com>
+Signed-off-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
+Link: https://lore.kernel.org/r/20230307110656.1816-1-peter.ujfalusi@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/sof/ipc4-control.c  | 3 ++-
+ sound/soc/sof/ipc4-topology.c | 4 ++--
+ sound/soc/sof/ipc4-topology.h | 6 ++++--
+ 3 files changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/sound/soc/sof/ipc4-control.c b/sound/soc/sof/ipc4-control.c
+index 0d5a578c34962..7442ec1c5a4d4 100644
+--- a/sound/soc/sof/ipc4-control.c
++++ b/sound/soc/sof/ipc4-control.c
+@@ -84,7 +84,8 @@ sof_ipc4_set_volume_data(struct snd_sof_dev *sdev, struct snd_sof_widget *swidge
+               }
+ 
+               /* set curve type and duration from topology */
+-              data.curve_duration = gain->data.curve_duration;
++              data.curve_duration_l = gain->data.curve_duration_l;
++              data.curve_duration_h = gain->data.curve_duration_h;
+               data.curve_type = gain->data.curve_type;
+ 
+               msg->data_ptr = &data;
+diff --git a/sound/soc/sof/ipc4-topology.c b/sound/soc/sof/ipc4-topology.c
+index 41617569f50fb..49289932ba7e6 100644
+--- a/sound/soc/sof/ipc4-topology.c
++++ b/sound/soc/sof/ipc4-topology.c
+@@ -106,7 +106,7 @@ static const struct sof_topology_token gain_tokens[] = {
+               get_token_u32, offsetof(struct sof_ipc4_gain_data, curve_type)},
+       {SOF_TKN_GAIN_RAMP_DURATION,
+               SND_SOC_TPLG_TUPLE_TYPE_WORD, get_token_u32,
+-              offsetof(struct sof_ipc4_gain_data, curve_duration)},
++              offsetof(struct sof_ipc4_gain_data, curve_duration_l)},
+       {SOF_TKN_GAIN_VAL, SND_SOC_TPLG_TUPLE_TYPE_WORD,
+               get_token_u32, offsetof(struct sof_ipc4_gain_data, init_val)},
+ };
+@@ -682,7 +682,7 @@ static int sof_ipc4_widget_setup_comp_pga(struct snd_sof_widget *swidget)
+ 
+       dev_dbg(scomp->dev,
+               "pga widget %s: ramp type: %d, ramp duration %d, initial gain value: %#x, cpc %d\n",
+-              swidget->widget->name, gain->data.curve_type, gain->data.curve_duration,
++              swidget->widget->name, gain->data.curve_type, gain->data.curve_duration_l,
+               gain->data.init_val, gain->base_config.cpc);
+ 
+       ret = sof_ipc4_widget_setup_msg(swidget, &gain->msg);
+diff --git a/sound/soc/sof/ipc4-topology.h b/sound/soc/sof/ipc4-topology.h
+index 2363a7cc0b57d..cf9d278524572 100644
+--- a/sound/soc/sof/ipc4-topology.h
++++ b/sound/soc/sof/ipc4-topology.h
+@@ -217,14 +217,16 @@ struct sof_ipc4_control_data {
+  * @init_val: Initial value
+  * @curve_type: Curve type
+  * @reserved: reserved for future use
+- * @curve_duration: Curve duration
++ * @curve_duration_l: Curve duration low part
++ * @curve_duration_h: Curve duration high part
+  */
+ struct sof_ipc4_gain_data {
+       uint32_t channels;
+       uint32_t init_val;
+       uint32_t curve_type;
+       uint32_t reserved;
+-      uint32_t curve_duration;
++      uint32_t curve_duration_l;
++      uint32_t curve_duration_h;
+ } __aligned(8);
+ 
+ /**
+-- 
+2.39.2
+

diff --git a/queue-6.1/cifs-fix-missing-unload_nls-in-smb2_reconnect.patch b/queue-6.1/cifs-fix-missing-unload_nls-in-smb2_reconnect.patch
new file mode 100644 (file)
index 0000000..8e54fc4
--- /dev/null
+++ b/queue-6.1/cifs-fix-missing-unload_nls-in-smb2_reconnect.patch
@@ -0,0 +1,54 @@
+From bac794eed3f9012ee360c554340e4af8048bb677 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Mar 2023 16:05:19 -0300
+Subject: cifs: fix missing unload_nls() in smb2_reconnect()
+
+From: Paulo Alcantara <pc@manguebit.com>
+
+[ Upstream commit c24bb1a87dc3f2d77d410eaac2c6a295961bf50e ]
+
+Make sure to unload_nls() @nls_codepage if we no longer need it.
+
+Fixes: bc962159e8e3 ("cifs: avoid race conditions with parallel reconnects")
+Signed-off-by: Paulo Alcantara (SUSE) <pc@manguebit.com>
+Cc: Shyam Prasad N <sprasad@microsoft.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cifs/smb2pdu.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
+index f0b1ae0835d71..b37379b62cc77 100644
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -144,7 +144,7 @@ smb2_reconnect(__le16 smb2_command, struct cifs_tcon *tcon,
+              struct TCP_Server_Info *server)
+ {
+       int rc = 0;
+-      struct nls_table *nls_codepage;
++      struct nls_table *nls_codepage = NULL;
+       struct cifs_ses *ses;
+ 
+       /*
+@@ -216,8 +216,6 @@ smb2_reconnect(__le16 smb2_command, struct cifs_tcon *tcon,
+                tcon->ses->chans_need_reconnect,
+                tcon->need_reconnect);
+ 
+-      nls_codepage = load_nls_default();
+-
+       mutex_lock(&ses->session_mutex);
+       /*
+        * Recheck after acquire mutex. If another thread is negotiating
+@@ -237,6 +235,8 @@ smb2_reconnect(__le16 smb2_command, struct cifs_tcon *tcon,
+       }
+       spin_unlock(&server->srv_lock);
+ 
++      nls_codepage = load_nls_default();
++
+       /*
+        * need to prevent multiple threads trying to simultaneously
+        * reconnect the same SMB session
+-- 
+2.39.2
+

diff --git a/queue-6.1/drm-amdkfd-fix-a-potential-double-free-in-pqm_create.patch b/queue-6.1/drm-amdkfd-fix-a-potential-double-free-in-pqm_create.patch
new file mode 100644 (file)
index 0000000..5fb37e4
--- /dev/null
+++ b/queue-6.1/drm-amdkfd-fix-a-potential-double-free-in-pqm_create.patch
@@ -0,0 +1,39 @@
+From e0e7ffd7d641e7ed9f53c8e5e337267062d24620 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Mar 2023 16:19:02 -0800
+Subject: drm/amdkfd: fix a potential double free in pqm_create_queue
+
+From: Chia-I Wu <olvaffe@gmail.com>
+
+[ Upstream commit b2ca5c5d416b4e72d1e9d0293fc720e2d525fd42 ]
+
+Set *q to NULL on errors, otherwise pqm_create_queue would free it
+again.
+
+Signed-off-by: Chia-I Wu <olvaffe@gmail.com>
+Signed-off-by: Felix Kuehling <Felix.Kuehling@amd.com>
+Reviewed-by: Felix Kuehling <Felix.Kuehling@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c b/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c
+index 5137476ec18e6..4236539d9f932 100644
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c
+@@ -218,8 +218,8 @@ static int init_user_queue(struct process_queue_manager *pqm,
+       return 0;
+ 
+ cleanup:
+-      if (dev->shared_resources.enable_mes)
+-              uninit_queue(*q);
++      uninit_queue(*q);
++      *q = NULL;
+       return retval;
+ }
+ 
+-- 
+2.39.2
+

diff --git a/queue-6.1/drm-amdkfd-fix-bo-offset-for-multi-vma-page-migratio.patch b/queue-6.1/drm-amdkfd-fix-bo-offset-for-multi-vma-page-migratio.patch
new file mode 100644 (file)
index 0000000..f36b3e4
--- /dev/null
+++ b/queue-6.1/drm-amdkfd-fix-bo-offset-for-multi-vma-page-migratio.patch
@@ -0,0 +1,109 @@
+From 815b2b37852599024a4bfcc862c5f8dd8a36085d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Mar 2023 10:21:06 -0600
+Subject: drm/amdkfd: Fix BO offset for multi-VMA page migration
+
+From: Xiaogang Chen <Xiaogang.Chen@amd.com>
+
+[ Upstream commit b4ee9606378bb9520c94d8b96f0305c3696f5c29 ]
+
+svm_migrate_ram_to_vram migrates a prange from sys ram to vram. The prange may
+cross multiple vma. Need remember current dst vram offset in the TTM resource for
+each migration.
+
+v2: squash in warning fix (Alex)
+
+Signed-off-by: Xiaogang Chen <Xiaogang.Chen@amd.com>
+Reviewed-by: Felix Kuehling <Felix.Kuehling@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdkfd/kfd_migrate.c | 17 ++++++++++-------
+ 1 file changed, 10 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_migrate.c b/drivers/gpu/drm/amd/amdkfd/kfd_migrate.c
+index 22b077ac9a196..fad500dd224d8 100644
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_migrate.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_migrate.c
+@@ -295,7 +295,7 @@ static unsigned long svm_migrate_unsuccessful_pages(struct migrate_vma *migrate)
+ static int
+ svm_migrate_copy_to_vram(struct amdgpu_device *adev, struct svm_range *prange,
+                        struct migrate_vma *migrate, struct dma_fence **mfence,
+-                       dma_addr_t *scratch)
++                       dma_addr_t *scratch, uint64_t ttm_res_offset)
+ {
+       uint64_t npages = migrate->npages;
+       struct device *dev = adev->dev;
+@@ -305,8 +305,8 @@ svm_migrate_copy_to_vram(struct amdgpu_device *adev, struct svm_range *prange,
+       uint64_t i, j;
+       int r;
+ 
+-      pr_debug("svms 0x%p [0x%lx 0x%lx]\n", prange->svms, prange->start,
+-               prange->last);
++      pr_debug("svms 0x%p [0x%lx 0x%lx 0x%llx]\n", prange->svms, prange->start,
++               prange->last, ttm_res_offset);
+ 
+       src = scratch;
+       dst = (uint64_t *)(scratch + npages);
+@@ -317,7 +317,7 @@ svm_migrate_copy_to_vram(struct amdgpu_device *adev, struct svm_range *prange,
+               goto out;
+       }
+ 
+-      amdgpu_res_first(prange->ttm_res, prange->offset << PAGE_SHIFT,
++      amdgpu_res_first(prange->ttm_res, ttm_res_offset,
+                        npages << PAGE_SHIFT, &cursor);
+       for (i = j = 0; i < npages; i++) {
+               struct page *spage;
+@@ -404,7 +404,7 @@ svm_migrate_copy_to_vram(struct amdgpu_device *adev, struct svm_range *prange,
+ static long
+ svm_migrate_vma_to_vram(struct amdgpu_device *adev, struct svm_range *prange,
+                       struct vm_area_struct *vma, uint64_t start,
+-                      uint64_t end, uint32_t trigger)
++                      uint64_t end, uint32_t trigger, uint64_t ttm_res_offset)
+ {
+       struct kfd_process *p = container_of(prange->svms, struct kfd_process, svms);
+       uint64_t npages = (end - start) >> PAGE_SHIFT;
+@@ -457,7 +457,7 @@ svm_migrate_vma_to_vram(struct amdgpu_device *adev, struct svm_range *prange,
+       else
+               pr_debug("0x%lx pages migrated\n", cpages);
+ 
+-      r = svm_migrate_copy_to_vram(adev, prange, &migrate, &mfence, scratch);
++      r = svm_migrate_copy_to_vram(adev, prange, &migrate, &mfence, scratch, ttm_res_offset);
+       migrate_vma_pages(&migrate);
+ 
+       pr_debug("successful/cpages/npages 0x%lx/0x%lx/0x%lx\n",
+@@ -505,6 +505,7 @@ svm_migrate_ram_to_vram(struct svm_range *prange, uint32_t best_loc,
+       unsigned long addr, start, end;
+       struct vm_area_struct *vma;
+       struct amdgpu_device *adev;
++      uint64_t ttm_res_offset;
+       unsigned long cpages = 0;
+       long r = 0;
+ 
+@@ -525,6 +526,7 @@ svm_migrate_ram_to_vram(struct svm_range *prange, uint32_t best_loc,
+ 
+       start = prange->start << PAGE_SHIFT;
+       end = (prange->last + 1) << PAGE_SHIFT;
++      ttm_res_offset = prange->offset << PAGE_SHIFT;
+ 
+       for (addr = start; addr < end;) {
+               unsigned long next;
+@@ -534,13 +536,14 @@ svm_migrate_ram_to_vram(struct svm_range *prange, uint32_t best_loc,
+                       break;
+ 
+               next = min(vma->vm_end, end);
+-              r = svm_migrate_vma_to_vram(adev, prange, vma, addr, next, trigger);
++              r = svm_migrate_vma_to_vram(adev, prange, vma, addr, next, trigger, ttm_res_offset);
+               if (r < 0) {
+                       pr_debug("failed %ld to migrate\n", r);
+                       break;
+               } else {
+                       cpages += r;
+               }
++              ttm_res_offset += next - addr;
+               addr = next;
+       }
+ 
+-- 
+2.39.2
+

diff --git a/queue-6.1/drm-amdkfd-fix-potential-kgd_mem-uafs.patch b/queue-6.1/drm-amdkfd-fix-potential-kgd_mem-uafs.patch
new file mode 100644 (file)
index 0000000..cde6df6
--- /dev/null
+++ b/queue-6.1/drm-amdkfd-fix-potential-kgd_mem-uafs.patch
@@ -0,0 +1,98 @@
+From 24f132f16144585a944e487597647f970083e7fe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Mar 2023 13:37:24 -0800
+Subject: drm/amdkfd: fix potential kgd_mem UAFs
+
+From: Chia-I Wu <olvaffe@gmail.com>
+
+[ Upstream commit 9da050b0d9e04439d225a2ec3044af70cdfb3933 ]
+
+kgd_mem pointers returned by kfd_process_device_translate_handle are
+only guaranteed to be valid while p->mutex is held. As soon as the mutex
+is unlocked, another thread can free the BO.
+
+Signed-off-by: Chia-I Wu <olvaffe@gmail.com>
+Signed-off-by: Felix Kuehling <Felix.Kuehling@amd.com>
+Reviewed-by: Felix Kuehling <Felix.Kuehling@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
+index f79b8e964140e..e191d38f3da62 100644
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
+@@ -1298,14 +1298,14 @@ static int kfd_ioctl_map_memory_to_gpu(struct file *filep,
+               args->n_success = i+1;
+       }
+ 
+-      mutex_unlock(&p->mutex);
+-
+       err = amdgpu_amdkfd_gpuvm_sync_memory(dev->adev, (struct kgd_mem *) mem, true);
+       if (err) {
+               pr_debug("Sync memory failed, wait interrupted by user signal\n");
+               goto sync_memory_failed;
+       }
+ 
++      mutex_unlock(&p->mutex);
++
+       /* Flush TLBs after waiting for the page table updates to complete */
+       for (i = 0; i < args->n_devices; i++) {
+               peer_pdd = kfd_process_device_data_by_id(p, devices_arr[i]);
+@@ -1321,9 +1321,9 @@ static int kfd_ioctl_map_memory_to_gpu(struct file *filep,
+ bind_process_to_device_failed:
+ get_mem_obj_from_handle_failed:
+ map_memory_to_gpu_failed:
++sync_memory_failed:
+       mutex_unlock(&p->mutex);
+ copy_from_user_failed:
+-sync_memory_failed:
+       kfree(devices_arr);
+ 
+       return err;
+@@ -1337,6 +1337,7 @@ static int kfd_ioctl_unmap_memory_from_gpu(struct file *filep,
+       void *mem;
+       long err = 0;
+       uint32_t *devices_arr = NULL, i;
++      bool flush_tlb;
+ 
+       if (!args->n_devices) {
+               pr_debug("Device IDs array empty\n");
+@@ -1389,16 +1390,19 @@ static int kfd_ioctl_unmap_memory_from_gpu(struct file *filep,
+               }
+               args->n_success = i+1;
+       }
+-      mutex_unlock(&p->mutex);
+ 
+-      if (kfd_flush_tlb_after_unmap(pdd->dev)) {
++      flush_tlb = kfd_flush_tlb_after_unmap(pdd->dev);
++      if (flush_tlb) {
+               err = amdgpu_amdkfd_gpuvm_sync_memory(pdd->dev->adev,
+                               (struct kgd_mem *) mem, true);
+               if (err) {
+                       pr_debug("Sync memory failed, wait interrupted by user signal\n");
+                       goto sync_memory_failed;
+               }
++      }
++      mutex_unlock(&p->mutex);
+ 
++      if (flush_tlb) {
+               /* Flush TLBs after waiting for the page table updates to complete */
+               for (i = 0; i < args->n_devices; i++) {
+                       peer_pdd = kfd_process_device_data_by_id(p, devices_arr[i]);
+@@ -1414,9 +1418,9 @@ static int kfd_ioctl_unmap_memory_from_gpu(struct file *filep,
+ bind_process_to_device_failed:
+ get_mem_obj_from_handle_failed:
+ unmap_memory_from_gpu_failed:
++sync_memory_failed:
+       mutex_unlock(&p->mutex);
+ copy_from_user_failed:
+-sync_memory_failed:
+       kfree(devices_arr);
+       return err;
+ }
+-- 
+2.39.2
+

diff --git a/queue-6.1/drm-amdkfd-fixed-kfd_process-cleanup-on-module-exit.patch b/queue-6.1/drm-amdkfd-fixed-kfd_process-cleanup-on-module-exit.patch
new file mode 100644 (file)
index 0000000..a8db25e
--- /dev/null
+++ b/queue-6.1/drm-amdkfd-fixed-kfd_process-cleanup-on-module-exit.patch
@@ -0,0 +1,150 @@
+From 6bb203694b2d1465be7f6fe3e8039c5f1ea48a94 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Feb 2023 14:11:24 -0500
+Subject: drm/amdkfd: Fixed kfd_process cleanup on module exit.
+
+From: David Belanger <david.belanger@amd.com>
+
+[ Upstream commit 20bc9f76b6a2455c6b54b91ae7634f147f64987f ]
+
+Handle case when module is unloaded (kfd_exit) before a process space
+(mm_struct) is released.
+
+v2: Fixed potential race conditions by removing all kfd_process from
+the process table first, then working on releasing the resources.
+
+v3: Fixed loop element access / synchronization.  Fixed extra empty lines.
+
+Signed-off-by: David Belanger <david.belanger@amd.com>
+Reviewed-by: Felix Kuehling <Felix.Kuehling@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdkfd/kfd_module.c  |  1 +
+ drivers/gpu/drm/amd/amdkfd/kfd_priv.h    |  1 +
+ drivers/gpu/drm/amd/amdkfd/kfd_process.c | 67 +++++++++++++++++++++---
+ 3 files changed, 62 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_module.c b/drivers/gpu/drm/amd/amdkfd/kfd_module.c
+index 09b966dc37681..aee2212e52f69 100644
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_module.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_module.c
+@@ -77,6 +77,7 @@ static int kfd_init(void)
+ 
+ static void kfd_exit(void)
+ {
++      kfd_cleanup_processes();
+       kfd_debugfs_fini();
+       kfd_process_destroy_wq();
+       kfd_procfs_shutdown();
+diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_priv.h b/drivers/gpu/drm/amd/amdkfd/kfd_priv.h
+index bf610e3b683bb..6d6588b9beed7 100644
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_priv.h
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_priv.h
+@@ -928,6 +928,7 @@ bool kfd_dev_is_large_bar(struct kfd_dev *dev);
+ 
+ int kfd_process_create_wq(void);
+ void kfd_process_destroy_wq(void);
++void kfd_cleanup_processes(void);
+ struct kfd_process *kfd_create_process(struct file *filep);
+ struct kfd_process *kfd_get_process(const struct task_struct *task);
+ struct kfd_process *kfd_lookup_process_by_pasid(u32 pasid);
+diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_process.c b/drivers/gpu/drm/amd/amdkfd/kfd_process.c
+index dd351105c1bcf..7f68d51541e8e 100644
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_process.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_process.c
+@@ -1167,6 +1167,17 @@ static void kfd_process_free_notifier(struct mmu_notifier *mn)
+       kfd_unref_process(container_of(mn, struct kfd_process, mmu_notifier));
+ }
+ 
++static void kfd_process_notifier_release_internal(struct kfd_process *p)
++{
++      cancel_delayed_work_sync(&p->eviction_work);
++      cancel_delayed_work_sync(&p->restore_work);
++
++      /* Indicate to other users that MM is no longer valid */
++      p->mm = NULL;
++
++      mmu_notifier_put(&p->mmu_notifier);
++}
++
+ static void kfd_process_notifier_release(struct mmu_notifier *mn,
+                                       struct mm_struct *mm)
+ {
+@@ -1181,17 +1192,22 @@ static void kfd_process_notifier_release(struct mmu_notifier *mn,
+               return;
+ 
+       mutex_lock(&kfd_processes_mutex);
++      /*
++       * Do early return if table is empty.
++       *
++       * This could potentially happen if this function is called concurrently
++       * by mmu_notifier and by kfd_cleanup_pocesses.
++       *
++       */
++      if (hash_empty(kfd_processes_table)) {
++              mutex_unlock(&kfd_processes_mutex);
++              return;
++      }
+       hash_del_rcu(&p->kfd_processes);
+       mutex_unlock(&kfd_processes_mutex);
+       synchronize_srcu(&kfd_processes_srcu);
+ 
+-      cancel_delayed_work_sync(&p->eviction_work);
+-      cancel_delayed_work_sync(&p->restore_work);
+-
+-      /* Indicate to other users that MM is no longer valid */
+-      p->mm = NULL;
+-
+-      mmu_notifier_put(&p->mmu_notifier);
++      kfd_process_notifier_release_internal(p);
+ }
+ 
+ static const struct mmu_notifier_ops kfd_process_mmu_notifier_ops = {
+@@ -1200,6 +1216,43 @@ static const struct mmu_notifier_ops kfd_process_mmu_notifier_ops = {
+       .free_notifier = kfd_process_free_notifier,
+ };
+ 
++/*
++ * This code handles the case when driver is being unloaded before all
++ * mm_struct are released.  We need to safely free the kfd_process and
++ * avoid race conditions with mmu_notifier that might try to free them.
++ *
++ */
++void kfd_cleanup_processes(void)
++{
++      struct kfd_process *p;
++      struct hlist_node *p_temp;
++      unsigned int temp;
++      HLIST_HEAD(cleanup_list);
++
++      /*
++       * Move all remaining kfd_process from the process table to a
++       * temp list for processing.   Once done, callback from mmu_notifier
++       * release will not see the kfd_process in the table and do early return,
++       * avoiding double free issues.
++       */
++      mutex_lock(&kfd_processes_mutex);
++      hash_for_each_safe(kfd_processes_table, temp, p_temp, p, kfd_processes) {
++              hash_del_rcu(&p->kfd_processes);
++              synchronize_srcu(&kfd_processes_srcu);
++              hlist_add_head(&p->kfd_processes, &cleanup_list);
++      }
++      mutex_unlock(&kfd_processes_mutex);
++
++      hlist_for_each_entry_safe(p, p_temp, &cleanup_list, kfd_processes)
++              kfd_process_notifier_release_internal(p);
++
++      /*
++       * Ensures that all outstanding free_notifier get called, triggering
++       * the release of the kfd_process struct.
++       */
++      mmu_notifier_synchronize();
++}
++
+ static int kfd_process_init_cwsr_apu(struct kfd_process *p, struct file *filep)
+ {
+       unsigned long  offset;
+-- 
+2.39.2
+

diff --git a/queue-6.1/fbdev-au1200fb-fix-potential-divide-by-zero.patch b/queue-6.1/fbdev-au1200fb-fix-potential-divide-by-zero.patch
new file mode 100644 (file)
index 0000000..77be2e5
--- /dev/null
+++ b/queue-6.1/fbdev-au1200fb-fix-potential-divide-by-zero.patch
@@ -0,0 +1,39 @@
+From fcddd6ad4a76e1d2616ebee671fa0b28dada5ea5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Mar 2023 09:22:54 +0000
+Subject: fbdev: au1200fb: Fix potential divide by zero
+
+From: Wei Chen <harperchen1110@gmail.com>
+
+[ Upstream commit 44a3b36b42acfc433aaaf526191dd12fbb919fdb ]
+
+var->pixclock can be assigned to zero by user. Without
+proper check, divide by zero would occur when invoking
+macro PICOS2KHZ in au1200fb_fb_check_var.
+
+Error out if var->pixclock is zero.
+
+Signed-off-by: Wei Chen <harperchen1110@gmail.com>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/au1200fb.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/video/fbdev/au1200fb.c b/drivers/video/fbdev/au1200fb.c
+index 81c3154544287..b6b22fa4a8a01 100644
+--- a/drivers/video/fbdev/au1200fb.c
++++ b/drivers/video/fbdev/au1200fb.c
+@@ -1040,6 +1040,9 @@ static int au1200fb_fb_check_var(struct fb_var_screeninfo *var,
+       u32 pixclock;
+       int screen_size, plane;
+ 
++      if (!var->pixclock)
++              return -EINVAL;
++
+       plane = fbdev->plane;
+ 
+       /* Make sure that the mode respect all LCD controller and
+-- 
+2.39.2
+

diff --git a/queue-6.1/fbdev-intelfb-fix-potential-divide-by-zero.patch b/queue-6.1/fbdev-intelfb-fix-potential-divide-by-zero.patch
new file mode 100644 (file)
index 0000000..b0452e9
--- /dev/null
+++ b/queue-6.1/fbdev-intelfb-fix-potential-divide-by-zero.patch
@@ -0,0 +1,39 @@
+From 5095dae39f2cd2e74a45e92a87a4d0f46d76b453 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Mar 2023 08:33:47 +0000
+Subject: fbdev: intelfb: Fix potential divide by zero
+
+From: Wei Chen <harperchen1110@gmail.com>
+
+[ Upstream commit d823685486a3446d061fed7c7d2f80af984f119a ]
+
+Variable var->pixclock is controlled by user and can be assigned
+to zero. Without proper check, divide by zero would occur in
+intelfbhw_validate_mode and intelfbhw_mode_to_hw.
+
+Error out if var->pixclock is zero.
+
+Signed-off-by: Wei Chen <harperchen1110@gmail.com>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/intelfb/intelfbdrv.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/video/fbdev/intelfb/intelfbdrv.c b/drivers/video/fbdev/intelfb/intelfbdrv.c
+index d4a2891a9a7ac..a93dd531d00df 100644
+--- a/drivers/video/fbdev/intelfb/intelfbdrv.c
++++ b/drivers/video/fbdev/intelfb/intelfbdrv.c
+@@ -1219,6 +1219,9 @@ static int intelfb_check_var(struct fb_var_screeninfo *var,
+ 
+       dinfo = GET_DINFO(info);
+ 
++      if (!var->pixclock)
++              return -EINVAL;
++
+       /* update the pitch */
+       if (intelfbhw_validate_mode(dinfo, var) != 0)
+               return -EINVAL;
+-- 
+2.39.2
+

diff --git a/queue-6.1/fbdev-lxfb-fix-potential-divide-by-zero.patch b/queue-6.1/fbdev-lxfb-fix-potential-divide-by-zero.patch
new file mode 100644 (file)
index 0000000..53df88d
--- /dev/null
+++ b/queue-6.1/fbdev-lxfb-fix-potential-divide-by-zero.patch
@@ -0,0 +1,38 @@
+From ffe15fa85fec6a0ee103109303b743442b200816 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Mar 2023 09:05:18 +0000
+Subject: fbdev: lxfb: Fix potential divide by zero
+
+From: Wei Chen <harperchen1110@gmail.com>
+
+[ Upstream commit 61ac4b86a4c047c20d5cb423ddd87496f14d9868 ]
+
+var->pixclock can be assigned to zero by user. Without proper
+check, divide by zero would occur in lx_set_clock.
+
+Error out if var->pixclock is zero.
+
+Signed-off-by: Wei Chen <harperchen1110@gmail.com>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/geode/lxfb_core.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/video/fbdev/geode/lxfb_core.c b/drivers/video/fbdev/geode/lxfb_core.c
+index 9d26592dbfce9..41fda498406c1 100644
+--- a/drivers/video/fbdev/geode/lxfb_core.c
++++ b/drivers/video/fbdev/geode/lxfb_core.c
+@@ -235,6 +235,9 @@ static void get_modedb(struct fb_videomode **modedb, unsigned int *size)
+ 
+ static int lxfb_check_var(struct fb_var_screeninfo *var, struct fb_info *info)
+ {
++      if (!var->pixclock)
++              return -EINVAL;
++
+       if (var->xres > 1920 || var->yres > 1440)
+               return -EINVAL;
+ 
+-- 
+2.39.2
+

diff --git a/queue-6.1/fbdev-nvidia-fix-potential-divide-by-zero.patch b/queue-6.1/fbdev-nvidia-fix-potential-divide-by-zero.patch
new file mode 100644 (file)
index 0000000..190c46c
--- /dev/null
+++ b/queue-6.1/fbdev-nvidia-fix-potential-divide-by-zero.patch
@@ -0,0 +1,40 @@
+From f84f4f6bef0bc94d4ee4d29b3edd998cb28c92e7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Mar 2023 07:18:31 +0000
+Subject: fbdev: nvidia: Fix potential divide by zero
+
+From: Wei Chen <harperchen1110@gmail.com>
+
+[ Upstream commit 92e2a00f2987483e1f9253625828622edd442e61 ]
+
+variable var->pixclock can be set by user. In case it
+equals to zero, divide by zero would occur in nvidiafb_set_par.
+
+Similar crashes have happened in other fbdev drivers. There
+is no check and modification on var->pixclock along the call
+chain to nvidia_check_var and nvidiafb_set_par. We believe it
+could also be triggered in driver nvidia from user site.
+
+Signed-off-by: Wei Chen <harperchen1110@gmail.com>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/nvidia/nvidia.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/video/fbdev/nvidia/nvidia.c b/drivers/video/fbdev/nvidia/nvidia.c
+index a6c3bc2222463..1b8904824ad83 100644
+--- a/drivers/video/fbdev/nvidia/nvidia.c
++++ b/drivers/video/fbdev/nvidia/nvidia.c
+@@ -764,6 +764,8 @@ static int nvidiafb_check_var(struct fb_var_screeninfo *var,
+       int pitch, err = 0;
+ 
+       NVTRACE_ENTER();
++      if (!var->pixclock)
++              return -EINVAL;
+ 
+       var->transp.offset = 0;
+       var->transp.length = 0;
+-- 
+2.39.2
+

diff --git a/queue-6.1/fbdev-tgafb-fix-potential-divide-by-zero.patch b/queue-6.1/fbdev-tgafb-fix-potential-divide-by-zero.patch
new file mode 100644 (file)
index 0000000..0432750
--- /dev/null
+++ b/queue-6.1/fbdev-tgafb-fix-potential-divide-by-zero.patch
@@ -0,0 +1,44 @@
+From 30951bb7f4be88accaf8ecb3d8cb716402cf8c19 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Mar 2023 13:08:56 +0000
+Subject: fbdev: tgafb: Fix potential divide by zero
+
+From: Wei Chen <harperchen1110@gmail.com>
+
+[ Upstream commit f90bd245de82c095187d8c2cabb8b488a39eaecc ]
+
+fb_set_var would by called when user invokes ioctl with cmd
+FBIOPUT_VSCREENINFO. User-provided data would finally reach
+tgafb_check_var. In case var->pixclock is assigned to zero,
+divide by zero would occur when checking whether reciprocal
+of var->pixclock is too high.
+
+Similar crashes have happened in other fbdev drivers. There
+is no check and modification on var->pixclock along the call
+chain to tgafb_check_var. We believe it could also be triggered
+in driver tgafb from user site.
+
+Signed-off-by: Wei Chen <harperchen1110@gmail.com>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/tgafb.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/video/fbdev/tgafb.c b/drivers/video/fbdev/tgafb.c
+index 251dbd282f5ed..84d5daef97666 100644
+--- a/drivers/video/fbdev/tgafb.c
++++ b/drivers/video/fbdev/tgafb.c
+@@ -173,6 +173,9 @@ tgafb_check_var(struct fb_var_screeninfo *var, struct fb_info *info)
+ {
+       struct tga_par *par = (struct tga_par *)info->par;
+ 
++      if (!var->pixclock)
++              return -EINVAL;
++
+       if (par->tga_type == TGA_TYPE_8PLANE) {
+               if (var->bits_per_pixel != 8)
+                       return -EINVAL;
+-- 
+2.39.2
+

diff --git a/queue-6.1/md-avoid-signed-overflow-in-slot_store.patch b/queue-6.1/md-avoid-signed-overflow-in-slot_store.patch
new file mode 100644 (file)
index 0000000..bd82b68
--- /dev/null
+++ b/queue-6.1/md-avoid-signed-overflow-in-slot_store.patch
@@ -0,0 +1,44 @@
+From 4ec013df50959c702142eb8b97465c8b34c7262f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Mar 2023 09:36:25 +1100
+Subject: md: avoid signed overflow in slot_store()
+
+From: NeilBrown <neilb@suse.de>
+
+[ Upstream commit 3bc57292278a0b6ac4656cad94c14f2453344b57 ]
+
+slot_store() uses kstrtouint() to get a slot number, but stores the
+result in an "int" variable (by casting a pointer).
+This can result in a negative slot number if the unsigned int value is
+very large.
+
+A negative number means that the slot is empty, but setting a negative
+slot number this way will not remove the device from the array.  I don't
+think this is a serious problem, but it could cause confusion and it is
+best to fix it.
+
+Reported-by: Dan Carpenter <error27@gmail.com>
+Signed-off-by: NeilBrown <neilb@suse.de>
+Signed-off-by: Song Liu <song@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/md.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/md/md.c b/drivers/md/md.c
+index 0368b3c51c7f7..d5c362b1602b6 100644
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -3152,6 +3152,9 @@ slot_store(struct md_rdev *rdev, const char *buf, size_t len)
+               err = kstrtouint(buf, 10, (unsigned int *)&slot);
+               if (err < 0)
+                       return err;
++              if (slot < 0)
++                      /* overflow */
++                      return -ENOSPC;
+       }
+       if (rdev->mddev->pers && slot == -1) {
+               /* Setting 'slot' on an active array requires also
+-- 
+2.39.2
+

diff --git a/queue-6.1/net-hsr-don-t-log-netdev_err-message-on-unknown-prp-.patch b/queue-6.1/net-hsr-don-t-log-netdev_err-message-on-unknown-prp-.patch
new file mode 100644 (file)
index 0000000..9122eec
--- /dev/null
+++ b/queue-6.1/net-hsr-don-t-log-netdev_err-message-on-unknown-prp-.patch
@@ -0,0 +1,40 @@
+From 8ac242011145a2d5d1aa758009e6c46585efd5ab Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Mar 2023 14:32:29 +0100
+Subject: net: hsr: Don't log netdev_err message on unknown prp dst node
+
+From: Kristian Overskeid <koverskeid@gmail.com>
+
+[ Upstream commit 28e8cabe80f3e6e3c98121576eda898eeb20f1b1 ]
+
+If no frames has been exchanged with a node for HSR_NODE_FORGET_TIME, the
+node will be deleted from the node_db list. If a frame is sent to the node
+after it is deleted, a netdev_err message for each slave interface is
+produced. This should not happen with dan nodes because of supervision
+frames, but can happen often with san nodes, which clutters the kernel
+log. Since the hsr protocol does not support sans, this is only relevant
+for the prp protocol.
+
+Signed-off-by: Kristian Overskeid <koverskeid@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/hsr/hsr_framereg.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/hsr/hsr_framereg.c b/net/hsr/hsr_framereg.c
+index 39a6088080e93..bd0afb8991174 100644
+--- a/net/hsr/hsr_framereg.c
++++ b/net/hsr/hsr_framereg.c
+@@ -422,7 +422,7 @@ void hsr_addr_subst_dest(struct hsr_node *node_src, struct sk_buff *skb,
+       node_dst = find_node_by_addr_A(&port->hsr->node_db,
+                                      eth_hdr(skb)->h_dest);
+       if (!node_dst) {
+-              if (net_ratelimit())
++              if (net_ratelimit() && port->hsr->prot_version != PRP_V1)
+                       netdev_err(skb->dev, "%s: Unknown node\n", __func__);
+               return;
+       }
+-- 
+2.39.2
+

diff --git a/queue-6.1/net-mlx5e-lower-maximum-allowed-mtu-in-xsk-to-match-.patch b/queue-6.1/net-mlx5e-lower-maximum-allowed-mtu-in-xsk-to-match-.patch
new file mode 100644 (file)
index 0000000..4e77682
--- /dev/null
+++ b/queue-6.1/net-mlx5e-lower-maximum-allowed-mtu-in-xsk-to-match-.patch
@@ -0,0 +1,72 @@
+From 455536e949d2e58938370e85180cf5245424ddcb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Jan 2023 10:09:01 +0200
+Subject: net/mlx5e: Lower maximum allowed MTU in XSK to match XDP
+ prerequisites
+
+From: Adham Faris <afaris@nvidia.com>
+
+[ Upstream commit 78dee7befd56987283c13877b834c0aa97ad51b9 ]
+
+XSK redirecting XDP programs require linearity, hence applies
+restrictions on the MTU. For PAGE_SIZE=4K, MTU shouldn't exceed 3498.
+
+Features that contradict with XDP such HW-LRO and HW-GRO are enforced
+by the driver in advance, during XSK params validation, except for MTU,
+which was not enforced before this patch.
+
+This has been spotted during test scenario described below:
+Attaching xdpsock program (PAGE_SIZE=4K), with MTU < 3498, detaching
+XDP program, changing the MTU to arbitrary value in the range
+[3499, 3754], attaching XDP program again, which ended up with failure
+since MTU is > 3498.
+
+This commit lowers the XSK MTU limitation to be aligned with XDP MTU
+limitation, since XSK socket is meaningless without XDP program.
+
+Signed-off-by: Adham Faris <afaris@nvidia.com>
+Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+index 3b5c5064cfafc..5e01de4c32037 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+@@ -4104,13 +4104,17 @@ static bool mlx5e_xsk_validate_mtu(struct net_device *netdev,
+               struct xsk_buff_pool *xsk_pool =
+                       mlx5e_xsk_get_pool(&chs->params, chs->params.xsk, ix);
+               struct mlx5e_xsk_param xsk;
++              int max_xdp_mtu;
+ 
+               if (!xsk_pool)
+                       continue;
+ 
+               mlx5e_build_xsk_param(xsk_pool, &xsk);
++              max_xdp_mtu = mlx5e_xdp_max_mtu(new_params, &xsk);
+ 
+-              if (!mlx5e_validate_xsk_param(new_params, &xsk, mdev)) {
++              /* Validate XSK params and XDP MTU in advance */
++              if (!mlx5e_validate_xsk_param(new_params, &xsk, mdev) ||
++                  new_params->sw_mtu > max_xdp_mtu) {
+                       u32 hr = mlx5e_get_linear_rq_headroom(new_params, &xsk);
+                       int max_mtu_frame, max_mtu_page, max_mtu;
+ 
+@@ -4120,9 +4124,9 @@ static bool mlx5e_xsk_validate_mtu(struct net_device *netdev,
+                        */
+                       max_mtu_frame = MLX5E_HW2SW_MTU(new_params, xsk.chunk_size - hr);
+                       max_mtu_page = MLX5E_HW2SW_MTU(new_params, SKB_MAX_HEAD(0));
+-                      max_mtu = min(max_mtu_frame, max_mtu_page);
++                      max_mtu = min3(max_mtu_frame, max_mtu_page, max_xdp_mtu);
+ 
+-                      netdev_err(netdev, "MTU %d is too big for an XSK running on channel %u. Try MTU <= %d\n",
++                      netdev_err(netdev, "MTU %d is too big for an XSK running on channel %u or its redirection XDP program. Try MTU <= %d\n",
+                                  new_params->sw_mtu, ix, max_mtu);
+                       return false;
+               }
+-- 
+2.39.2
+

diff --git a/queue-6.1/nvme-pci-add-nvme_quirk_bogus_nid-for-lexar-nm620.patch b/queue-6.1/nvme-pci-add-nvme_quirk_bogus_nid-for-lexar-nm620.patch
new file mode 100644 (file)
index 0000000..96c1cde
--- /dev/null
+++ b/queue-6.1/nvme-pci-add-nvme_quirk_bogus_nid-for-lexar-nm620.patch
@@ -0,0 +1,35 @@
+From 19de71b62853afe99b7a83df9640d0336815af67 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Mar 2023 11:11:50 +0100
+Subject: nvme-pci: add NVME_QUIRK_BOGUS_NID for Lexar NM620
+
+From: Philipp Geulen <p.geulen@js-elektronik.de>
+
+[ Upstream commit b65d44fa0fe072c91bf41cd8756baa2b4c77eff2 ]
+
+Added a quirk to fix Lexar NM620 1TB SSD reporting duplicate NGUIDs.
+
+Signed-off-by: Philipp Geulen <p.geulen@js-elektronik.de>
+Reviewed-by: Chaitanya Kulkarni <kkch@nvidia.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/pci.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
+index 100f774bc97fa..60452f6a9f711 100644
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -3547,6 +3547,8 @@ static const struct pci_device_id nvme_id_table[] = {
+               .driver_data = NVME_QUIRK_BOGUS_NID, },
+       { PCI_DEVICE(0x1d97, 0x2263), /* Lexar NM610 */
+               .driver_data = NVME_QUIRK_BOGUS_NID, },
++      { PCI_DEVICE(0x1d97, 0x1d97), /* Lexar NM620 */
++              .driver_data = NVME_QUIRK_BOGUS_NID, },
+       { PCI_DEVICE(0x1d97, 0x2269), /* Lexar NM760 */
+               .driver_data = NVME_QUIRK_BOGUS_NID, },
+       { PCI_DEVICE(PCI_VENDOR_ID_AMAZON, 0x0061),
+-- 
+2.39.2
+

diff --git a/queue-6.1/sched_getaffinity-don-t-assume-cpumask_size-is-fully.patch b/queue-6.1/sched_getaffinity-don-t-assume-cpumask_size-is-fully.patch
new file mode 100644 (file)
index 0000000..3af7132
--- /dev/null
+++ b/queue-6.1/sched_getaffinity-don-t-assume-cpumask_size-is-fully.patch
@@ -0,0 +1,82 @@
+From fa210acb09e88a0733304812b93bda09f0315337 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Mar 2023 19:32:38 -0700
+Subject: sched_getaffinity: don't assume 'cpumask_size()' is fully initialized
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+[ Upstream commit 6015b1aca1a233379625385feb01dd014aca60b5 ]
+
+The getaffinity() system call uses 'cpumask_size()' to decide how big
+the CPU mask is - so far so good.  It is indeed the allocation size of a
+cpumask.
+
+But the code also assumes that the whole allocation is initialized
+without actually doing so itself.  That's wrong, because we might have
+fixed-size allocations (making copying and clearing more efficient), but
+not all of it is then necessarily used if 'nr_cpu_ids' is smaller.
+
+Having checked other users of 'cpumask_size()', they all seem to be ok,
+either using it purely for the allocation size, or explicitly zeroing
+the cpumask before using the size in bytes to copy it.
+
+See for example the ublk_ctrl_get_queue_affinity() function that uses
+the proper 'zalloc_cpumask_var()' to make sure that the whole mask is
+cleared, whether the storage is on the stack or if it was an external
+allocation.
+
+Fix this by just zeroing the allocation before using it.  Do the same
+for the compat version of sched_getaffinity(), which had the same logic.
+
+Also, for consistency, make sched_getaffinity() use 'cpumask_bits()' to
+access the bits.  For a cpumask_var_t, it ends up being a pointer to the
+same data either way, but it's just a good idea to treat it like you
+would a 'cpumask_t'.  The compat case already did that.
+
+Reported-by: Ryan Roberts <ryan.roberts@arm.com>
+Link: https://lore.kernel.org/lkml/7d026744-6bd6-6827-0471-b5e8eae0be3f@arm.com/
+Cc: Yury Norov <yury.norov@gmail.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/compat.c     | 2 +-
+ kernel/sched/core.c | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/kernel/compat.c b/kernel/compat.c
+index 55551989d9da5..fb50f29d9b361 100644
+--- a/kernel/compat.c
++++ b/kernel/compat.c
+@@ -152,7 +152,7 @@ COMPAT_SYSCALL_DEFINE3(sched_getaffinity, compat_pid_t,  pid, unsigned int, len,
+       if (len & (sizeof(compat_ulong_t)-1))
+               return -EINVAL;
+ 
+-      if (!alloc_cpumask_var(&mask, GFP_KERNEL))
++      if (!zalloc_cpumask_var(&mask, GFP_KERNEL))
+               return -ENOMEM;
+ 
+       ret = sched_getaffinity(pid, mask);
+diff --git a/kernel/sched/core.c b/kernel/sched/core.c
+index 9ebfd484189b3..b23dcbeacdf33 100644
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -8304,14 +8304,14 @@ SYSCALL_DEFINE3(sched_getaffinity, pid_t, pid, unsigned int, len,
+       if (len & (sizeof(unsigned long)-1))
+               return -EINVAL;
+ 
+-      if (!alloc_cpumask_var(&mask, GFP_KERNEL))
++      if (!zalloc_cpumask_var(&mask, GFP_KERNEL))
+               return -ENOMEM;
+ 
+       ret = sched_getaffinity(pid, mask);
+       if (ret == 0) {
+               unsigned int retlen = min(len, cpumask_size());
+ 
+-              if (copy_to_user(user_mask_ptr, mask, retlen))
++              if (copy_to_user(user_mask_ptr, cpumask_bits(mask), retlen))
+                       ret = -EFAULT;
+               else
+                       ret = retlen;
+-- 
+2.39.2
+

diff --git a/queue-6.1/series b/queue-6.1/series
index 441c62da5b1756454495ac8f6954142aeb484f4e..d1252044b9ac96f0a8145d1c5bfaf9c4873d76b1 100644 (file)
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -27,3 +27,37 @@ tracing-add-.graph-suffix-option-to-histogram-value.patch
 tracing-do-not-let-histogram-values-have-some-modifi.patch
 net-mscc-ocelot-fix-stats-region-batching.patch
 arm64-efi-set-nx-compat-flag-in-pe-coff-header.patch
+cifs-fix-missing-unload_nls-in-smb2_reconnect.patch
+xfrm-zero-padding-when-dumping-algos-and-encap.patch
+asoc-codecs-tx-macro-fix-for-kasan-slab-out-of-bound.patch
+asoc-intel-avs-max98357a-explicitly-define-codec-for.patch
+asoc-intel-avs-da7219-explicitly-define-codec-format.patch
+asoc-intel-avs-ssm4567-remove-nau8825-bits.patch
+asoc-intel-avs-nau8825-adjust-clock-control.patch
+zstd-fix-definition-of-assert.patch
+acpi-video-add-backlight-native-dmi-quirk-for-dell-v.patch
+asoc-sof-ipc3-check-for-upper-size-limit-for-the-rec.patch
+asoc-sof-ipc4-topology-fix-incorrect-sample-rate-pri.patch
+asoc-sof-intel-pci-tng-revert-invalid-bar-size-setti.patch
+asoc-sof-ipc4-update-gain-ipc-msg-definition-to-alig.patch
+md-avoid-signed-overflow-in-slot_store.patch
+x86-pvh-obtain-vga-console-info-in-dom0.patch
+drm-amdkfd-fix-bo-offset-for-multi-vma-page-migratio.patch
+drm-amdkfd-fix-a-potential-double-free-in-pqm_create.patch
+drm-amdkfd-fix-potential-kgd_mem-uafs.patch
+net-hsr-don-t-log-netdev_err-message-on-unknown-prp-.patch
+alsa-asihpi-check-pao-in-control_message.patch
+alsa-hda-ca0132-fixup-buffer-overrun-at-tuning_ctl_s.patch
+fbdev-tgafb-fix-potential-divide-by-zero.patch
+acpi-tools-pfrut-check-if-the-input-of-level-and-typ.patch
+sched_getaffinity-don-t-assume-cpumask_size-is-fully.patch
+nvme-pci-add-nvme_quirk_bogus_nid-for-lexar-nm620.patch
+drm-amdkfd-fixed-kfd_process-cleanup-on-module-exit.patch
+net-mlx5e-lower-maximum-allowed-mtu-in-xsk-to-match-.patch
+fbdev-nvidia-fix-potential-divide-by-zero.patch
+fbdev-intelfb-fix-potential-divide-by-zero.patch
+fbdev-lxfb-fix-potential-divide-by-zero.patch
+fbdev-au1200fb-fix-potential-divide-by-zero.patch
+tools-power-turbostat-fix-dev-cpu_dma_latency-warnin.patch
+tools-power-turbostat-fix-decoding-of-hwp_status.patch
+tracing-fix-wrong-return-in-kprobe_event_gen_test.c.patch

diff --git a/queue-6.1/tools-power-turbostat-fix-decoding-of-hwp_status.patch b/queue-6.1/tools-power-turbostat-fix-decoding-of-hwp_status.patch
new file mode 100644 (file)
index 0000000..5cbf781
--- /dev/null
+++ b/queue-6.1/tools-power-turbostat-fix-decoding-of-hwp_status.patch
@@ -0,0 +1,37 @@
+From 090ac5828b9a7cef1497e27550c0ba68f90b825f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Jan 2023 15:17:50 +0200
+Subject: tools/power turbostat: fix decoding of HWP_STATUS
+
+From: Antti Laakso <antti.laakso@intel.com>
+
+[ Upstream commit 92c25393586ac799b9b7d9e50434f3c44a7622c4 ]
+
+The "excursion to minimum" information is in bit2
+in HWP_STATUS MSR. Fix the bitmask used for
+decoding the register.
+
+Signed-off-by: Antti Laakso <antti.laakso@intel.com>
+Reviewed-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
+Signed-off-by: Len Brown <len.brown@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/power/x86/turbostat/turbostat.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/power/x86/turbostat/turbostat.c b/tools/power/x86/turbostat/turbostat.c
+index c24054e3ef7ad..c61c6c704fbe6 100644
+--- a/tools/power/x86/turbostat/turbostat.c
++++ b/tools/power/x86/turbostat/turbostat.c
+@@ -4426,7 +4426,7 @@ int print_hwp(struct thread_data *t, struct core_data *c, struct pkg_data *p)
+ 
+       fprintf(outf, "cpu%d: MSR_HWP_STATUS: 0x%08llx "
+               "(%sGuaranteed_Perf_Change, %sExcursion_Min)\n",
+-              cpu, msr, ((msr) & 0x1) ? "" : "No-", ((msr) & 0x2) ? "" : "No-");
++              cpu, msr, ((msr) & 0x1) ? "" : "No-", ((msr) & 0x4) ? "" : "No-");
+ 
+       return 0;
+ }
+-- 
+2.39.2
+

diff --git a/queue-6.1/tools-power-turbostat-fix-dev-cpu_dma_latency-warnin.patch b/queue-6.1/tools-power-turbostat-fix-dev-cpu_dma_latency-warnin.patch
new file mode 100644 (file)
index 0000000..ce62082
--- /dev/null
+++ b/queue-6.1/tools-power-turbostat-fix-dev-cpu_dma_latency-warnin.patch
@@ -0,0 +1,58 @@
+From 7b1873aca600b79103cf3018af357f0fb4db80cf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Dec 2022 10:18:16 -0500
+Subject: tools/power turbostat: Fix /dev/cpu_dma_latency warnings
+
+From: Prarit Bhargava <prarit@redhat.com>
+
+[ Upstream commit 40aafc7d58d3544f152a863a0e9863014b6d5d8c ]
+
+When running as non-root the following error is seen in turbostat:
+
+turbostat: fopen /dev/cpu_dma_latency
+: Permission denied
+
+turbostat and the man page have information on how to avoid other
+permission errors, so these can be fixed the same way.
+
+Provide better /dev/cpu_dma_latency warnings that provide instructions on
+how to avoid the error, and update the man page.
+
+Signed-off-by: Prarit Bhargava <prarit@redhat.com>
+Cc: linux-pm@vger.kernel.org
+Signed-off-by: Len Brown <len.brown@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/power/x86/turbostat/turbostat.8 | 2 ++
+ tools/power/x86/turbostat/turbostat.c | 2 +-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/tools/power/x86/turbostat/turbostat.8 b/tools/power/x86/turbostat/turbostat.8
+index c7b26a3603afe..3e1a4c4be001a 100644
+--- a/tools/power/x86/turbostat/turbostat.8
++++ b/tools/power/x86/turbostat/turbostat.8
+@@ -344,6 +344,8 @@ Alternatively, non-root users can be enabled to run turbostat this way:
+ 
+ # chmod +r /dev/cpu/*/msr
+ 
++# chmod +r /dev/cpu_dma_latency
++
+ .B "turbostat "
+ reads hardware counters, but doesn't write them.
+ So it will not interfere with the OS or other programs, including
+diff --git a/tools/power/x86/turbostat/turbostat.c b/tools/power/x86/turbostat/turbostat.c
+index aba460410dbd1..c24054e3ef7ad 100644
+--- a/tools/power/x86/turbostat/turbostat.c
++++ b/tools/power/x86/turbostat/turbostat.c
+@@ -5482,7 +5482,7 @@ void print_dev_latency(void)
+ 
+       retval = read(fd, (void *)&value, sizeof(int));
+       if (retval != sizeof(int)) {
+-              warn("read %s\n", path);
++              warn("read failed %s\n", path);
+               close(fd);
+               return;
+       }
+-- 
+2.39.2
+

diff --git a/queue-6.1/tracing-fix-wrong-return-in-kprobe_event_gen_test.c.patch b/queue-6.1/tracing-fix-wrong-return-in-kprobe_event_gen_test.c.patch
new file mode 100644 (file)
index 0000000..4898911
--- /dev/null
+++ b/queue-6.1/tracing-fix-wrong-return-in-kprobe_event_gen_test.c.patch
@@ -0,0 +1,53 @@
+From acdcdf044d9b96740e6ba957004ea1712182c4bd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 31 Jan 2023 10:58:18 +0300
+Subject: tracing: Fix wrong return in kprobe_event_gen_test.c
+
+From: Anton Gusev <aagusev@ispras.ru>
+
+[ Upstream commit bc4f359b3b607daac0290d0038561237a86b38cb ]
+
+Overwriting the error code with the deletion result may cause the
+function to return 0 despite encountering an error. Commit b111545d26c0
+("tracing: Remove the useless value assignment in
+test_create_synth_event()") solves a similar issue by
+returning the original error code, so this patch does the same.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Link: https://lore.kernel.org/linux-trace-kernel/20230131075818.5322-1-aagusev@ispras.ru
+
+Signed-off-by: Anton Gusev <aagusev@ispras.ru>
+Reviewed-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/kprobe_event_gen_test.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/trace/kprobe_event_gen_test.c b/kernel/trace/kprobe_event_gen_test.c
+index c736487fc0e48..e0c420eb0b2b4 100644
+--- a/kernel/trace/kprobe_event_gen_test.c
++++ b/kernel/trace/kprobe_event_gen_test.c
+@@ -146,7 +146,7 @@ static int __init test_gen_kprobe_cmd(void)
+       if (trace_event_file_is_valid(gen_kprobe_test))
+               gen_kprobe_test = NULL;
+       /* We got an error after creating the event, delete it */
+-      ret = kprobe_event_delete("gen_kprobe_test");
++      kprobe_event_delete("gen_kprobe_test");
+       goto out;
+ }
+ 
+@@ -211,7 +211,7 @@ static int __init test_gen_kretprobe_cmd(void)
+       if (trace_event_file_is_valid(gen_kretprobe_test))
+               gen_kretprobe_test = NULL;
+       /* We got an error after creating the event, delete it */
+-      ret = kprobe_event_delete("gen_kretprobe_test");
++      kprobe_event_delete("gen_kretprobe_test");
+       goto out;
+ }
+ 
+-- 
+2.39.2
+

diff --git a/queue-6.1/x86-pvh-obtain-vga-console-info-in-dom0.patch b/queue-6.1/x86-pvh-obtain-vga-console-info-in-dom0.patch
new file mode 100644 (file)
index 0000000..df4c8cb
--- /dev/null
+++ b/queue-6.1/x86-pvh-obtain-vga-console-info-in-dom0.patch
@@ -0,0 +1,139 @@
+From e7c18bc6ba0e1d0390d8660606f02a2f5ed00516 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Mar 2023 15:45:48 +0100
+Subject: x86/PVH: obtain VGA console info in Dom0
+
+From: Jan Beulich <jbeulich@suse.com>
+
+[ Upstream commit 934ef33ee75c3846f605f18b65048acd147e3918 ]
+
+A new platform-op was added to Xen to allow obtaining the same VGA
+console information PV Dom0 is handed. Invoke the new function and have
+the output data processed by xen_init_vga().
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+
+Link: https://lore.kernel.org/r/8f315e92-7bda-c124-71cc-478ab9c5e610@suse.com
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/xen/Makefile            |  2 +-
+ arch/x86/xen/enlighten_pv.c      |  3 ++-
+ arch/x86/xen/enlighten_pvh.c     | 13 +++++++++++++
+ arch/x86/xen/vga.c               |  5 ++---
+ arch/x86/xen/xen-ops.h           |  7 ++++---
+ include/xen/interface/platform.h |  3 +++
+ 6 files changed, 25 insertions(+), 8 deletions(-)
+
+diff --git a/arch/x86/xen/Makefile b/arch/x86/xen/Makefile
+index 3c5b52fbe4a7f..a9ec8c9f5c5dd 100644
+--- a/arch/x86/xen/Makefile
++++ b/arch/x86/xen/Makefile
+@@ -45,6 +45,6 @@ obj-$(CONFIG_PARAVIRT_SPINLOCKS)+= spinlock.o
+ 
+ obj-$(CONFIG_XEN_DEBUG_FS)    += debugfs.o
+ 
+-obj-$(CONFIG_XEN_PV_DOM0)     += vga.o
++obj-$(CONFIG_XEN_DOM0)                += vga.o
+ 
+ obj-$(CONFIG_XEN_EFI)         += efi.o
+diff --git a/arch/x86/xen/enlighten_pv.c b/arch/x86/xen/enlighten_pv.c
+index 8944726255c9c..333539bdbdaae 100644
+--- a/arch/x86/xen/enlighten_pv.c
++++ b/arch/x86/xen/enlighten_pv.c
+@@ -1389,7 +1389,8 @@ asmlinkage __visible void __init xen_start_kernel(struct start_info *si)
+ 
+               x86_platform.set_legacy_features =
+                               xen_dom0_set_legacy_features;
+-              xen_init_vga(info, xen_start_info->console.dom0.info_size);
++              xen_init_vga(info, xen_start_info->console.dom0.info_size,
++                           &boot_params.screen_info);
+               xen_start_info->console.domU.mfn = 0;
+               xen_start_info->console.domU.evtchn = 0;
+ 
+diff --git a/arch/x86/xen/enlighten_pvh.c b/arch/x86/xen/enlighten_pvh.c
+index bcae606bbc5cf..1da44aca896c6 100644
+--- a/arch/x86/xen/enlighten_pvh.c
++++ b/arch/x86/xen/enlighten_pvh.c
+@@ -43,6 +43,19 @@ void __init xen_pvh_init(struct boot_params *boot_params)
+       x86_init.oem.banner = xen_banner;
+ 
+       xen_efi_init(boot_params);
++
++      if (xen_initial_domain()) {
++              struct xen_platform_op op = {
++                      .cmd = XENPF_get_dom0_console,
++              };
++              long ret = HYPERVISOR_platform_op(&op);
++
++              if (ret > 0)
++                      xen_init_vga(&op.u.dom0_console,
++                                   min(ret * sizeof(char),
++                                       sizeof(op.u.dom0_console)),
++                                   &boot_params->screen_info);
++      }
+ }
+ 
+ void __init mem_map_via_hcall(struct boot_params *boot_params_p)
+diff --git a/arch/x86/xen/vga.c b/arch/x86/xen/vga.c
+index 14ea32e734d59..d97adab8420f4 100644
+--- a/arch/x86/xen/vga.c
++++ b/arch/x86/xen/vga.c
+@@ -9,10 +9,9 @@
+ 
+ #include "xen-ops.h"
+ 
+-void __init xen_init_vga(const struct dom0_vga_console_info *info, size_t size)
++void __init xen_init_vga(const struct dom0_vga_console_info *info, size_t size,
++                       struct screen_info *screen_info)
+ {
+-      struct screen_info *screen_info = &boot_params.screen_info;
+-
+       /* This is drawn from a dump from vgacon:startup in
+        * standard Linux. */
+       screen_info->orig_video_mode = 3;
+diff --git a/arch/x86/xen/xen-ops.h b/arch/x86/xen/xen-ops.h
+index 9a8bb972193d8..a10903785a338 100644
+--- a/arch/x86/xen/xen-ops.h
++++ b/arch/x86/xen/xen-ops.h
+@@ -108,11 +108,12 @@ static inline void xen_uninit_lock_cpu(int cpu)
+ 
+ struct dom0_vga_console_info;
+ 
+-#ifdef CONFIG_XEN_PV_DOM0
+-void __init xen_init_vga(const struct dom0_vga_console_info *, size_t size);
++#ifdef CONFIG_XEN_DOM0
++void __init xen_init_vga(const struct dom0_vga_console_info *, size_t size,
++                       struct screen_info *);
+ #else
+ static inline void __init xen_init_vga(const struct dom0_vga_console_info *info,
+-                                     size_t size)
++                                     size_t size, struct screen_info *si)
+ {
+ }
+ #endif
+diff --git a/include/xen/interface/platform.h b/include/xen/interface/platform.h
+index 655d92e803e14..79a443c65ea93 100644
+--- a/include/xen/interface/platform.h
++++ b/include/xen/interface/platform.h
+@@ -483,6 +483,8 @@ struct xenpf_symdata {
+ };
+ DEFINE_GUEST_HANDLE_STRUCT(xenpf_symdata);
+ 
++#define XENPF_get_dom0_console 64
++
+ struct xen_platform_op {
+       uint32_t cmd;
+       uint32_t interface_version; /* XENPF_INTERFACE_VERSION */
+@@ -506,6 +508,7 @@ struct xen_platform_op {
+               struct xenpf_mem_hotadd        mem_add;
+               struct xenpf_core_parking      core_parking;
+               struct xenpf_symdata           symdata;
++              struct dom0_vga_console_info   dom0_console;
+               uint8_t                        pad[128];
+       } u;
+ };
+-- 
+2.39.2
+

diff --git a/queue-6.1/xfrm-zero-padding-when-dumping-algos-and-encap.patch b/queue-6.1/xfrm-zero-padding-when-dumping-algos-and-encap.patch
new file mode 100644 (file)
index 0000000..0b448bf
--- /dev/null
+++ b/queue-6.1/xfrm-zero-padding-when-dumping-algos-and-encap.patch
@@ -0,0 +1,111 @@
+From 53ceaf0d2b19808df145d6b4bb7469edbd7f7553 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Feb 2023 09:09:52 +0800
+Subject: xfrm: Zero padding when dumping algos and encap
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit 8222d5910dae08213b6d9d4bc9a7f8502855e624 ]
+
+When copying data to user-space we should ensure that only valid
+data is copied over.  Padding in structures may be filled with
+random (possibly sensitve) data and should never be given directly
+to user-space.
+
+This patch fixes the copying of xfrm algorithms and the encap
+template in xfrm_user so that padding is zeroed.
+
+Reported-by: syzbot+fa5414772d5c445dac3c@syzkaller.appspotmail.com
+Reported-by: Hyunwoo Kim <v4bel@theori.io>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_user.c | 45 ++++++++++++++++++++++++++++++++++++++++----
+ 1 file changed, 41 insertions(+), 4 deletions(-)
+
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index e73f9efc54c12..83f35ecacf24f 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -997,7 +997,9 @@ static int copy_to_user_aead(struct xfrm_algo_aead *aead, struct sk_buff *skb)
+               return -EMSGSIZE;
+ 
+       ap = nla_data(nla);
+-      memcpy(ap, aead, sizeof(*aead));
++      strscpy_pad(ap->alg_name, aead->alg_name, sizeof(ap->alg_name));
++      ap->alg_key_len = aead->alg_key_len;
++      ap->alg_icv_len = aead->alg_icv_len;
+ 
+       if (redact_secret && aead->alg_key_len)
+               memset(ap->alg_key, 0, (aead->alg_key_len + 7) / 8);
+@@ -1017,7 +1019,8 @@ static int copy_to_user_ealg(struct xfrm_algo *ealg, struct sk_buff *skb)
+               return -EMSGSIZE;
+ 
+       ap = nla_data(nla);
+-      memcpy(ap, ealg, sizeof(*ealg));
++      strscpy_pad(ap->alg_name, ealg->alg_name, sizeof(ap->alg_name));
++      ap->alg_key_len = ealg->alg_key_len;
+ 
+       if (redact_secret && ealg->alg_key_len)
+               memset(ap->alg_key, 0, (ealg->alg_key_len + 7) / 8);
+@@ -1028,6 +1031,40 @@ static int copy_to_user_ealg(struct xfrm_algo *ealg, struct sk_buff *skb)
+       return 0;
+ }
+ 
++static int copy_to_user_calg(struct xfrm_algo *calg, struct sk_buff *skb)
++{
++      struct nlattr *nla = nla_reserve(skb, XFRMA_ALG_COMP, sizeof(*calg));
++      struct xfrm_algo *ap;
++
++      if (!nla)
++              return -EMSGSIZE;
++
++      ap = nla_data(nla);
++      strscpy_pad(ap->alg_name, calg->alg_name, sizeof(ap->alg_name));
++      ap->alg_key_len = 0;
++
++      return 0;
++}
++
++static int copy_to_user_encap(struct xfrm_encap_tmpl *ep, struct sk_buff *skb)
++{
++      struct nlattr *nla = nla_reserve(skb, XFRMA_ENCAP, sizeof(*ep));
++      struct xfrm_encap_tmpl *uep;
++
++      if (!nla)
++              return -EMSGSIZE;
++
++      uep = nla_data(nla);
++      memset(uep, 0, sizeof(*uep));
++
++      uep->encap_type = ep->encap_type;
++      uep->encap_sport = ep->encap_sport;
++      uep->encap_dport = ep->encap_dport;
++      uep->encap_oa = ep->encap_oa;
++
++      return 0;
++}
++
+ static int xfrm_smark_put(struct sk_buff *skb, struct xfrm_mark *m)
+ {
+       int ret = 0;
+@@ -1083,12 +1120,12 @@ static int copy_to_user_state_extra(struct xfrm_state *x,
+                       goto out;
+       }
+       if (x->calg) {
+-              ret = nla_put(skb, XFRMA_ALG_COMP, sizeof(*(x->calg)), x->calg);
++              ret = copy_to_user_calg(x->calg, skb);
+               if (ret)
+                       goto out;
+       }
+       if (x->encap) {
+-              ret = nla_put(skb, XFRMA_ENCAP, sizeof(*x->encap), x->encap);
++              ret = copy_to_user_encap(x->encap, skb);
+               if (ret)
+                       goto out;
+       }
+-- 
+2.39.2
+

diff --git a/queue-6.1/zstd-fix-definition-of-assert.patch b/queue-6.1/zstd-fix-definition-of-assert.patch
new file mode 100644 (file)
index 0000000..4a8451e
--- /dev/null
+++ b/queue-6.1/zstd-fix-definition-of-assert.patch
@@ -0,0 +1,39 @@
+From 20c83d02e1ab046e7927cb86043bf5667790a694 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 29 Jan 2023 14:14:36 +0100
+Subject: zstd: Fix definition of assert()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jonathan Neuschäfer <j.neuschaefer@gmx.net>
+
+[ Upstream commit 6906598f1ce93761716d780b6e3f171e13f0f4ce ]
+
+assert(x) should emit a warning if x is false. WARN_ON(x) emits a
+warning if x is true. Thus, assert(x) should be defined as WARN_ON(!x)
+rather than WARN_ON(x).
+
+Signed-off-by: Jonathan Neuschäfer <j.neuschaefer@gmx.net>
+Signed-off-by: Nick Terrell <terrelln@fb.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/zstd/common/zstd_deps.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/zstd/common/zstd_deps.h b/lib/zstd/common/zstd_deps.h
+index 7a5bf44839c9c..f06df065dec01 100644
+--- a/lib/zstd/common/zstd_deps.h
++++ b/lib/zstd/common/zstd_deps.h
+@@ -84,7 +84,7 @@ static uint64_t ZSTD_div64(uint64_t dividend, uint32_t divisor) {
+ 
+ #include <linux/kernel.h>
+ 
+-#define assert(x) WARN_ON((x))
++#define assert(x) WARN_ON(!(x))
+ 
+ #endif /* ZSTD_DEPS_ASSERT */
+ #endif /* ZSTD_DEPS_NEED_ASSERT */
+-- 
+2.39.2
+