6.1-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 12 Dec 2024 13:39:26 +0000 (14:39 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 12 Dec 2024 13:39:26 +0000 (14:39 +0100)
added patches:
bluetooth-mgmt-fix-possible-deadlocks.patch
drm-msm-devfreq_gov_simple_ondemand-is-no-longer-needed.patch
fs-ntfs3-sequential-field-availability-check-in-mi_enum_attr.patch
i3c-master-remove-i3c_dev_disable_ibi_locked-olddev-on-device-hotjoin.patch
i3c-master-svc-fix-possible-assignment-of-the-same-address-to-two-devices.patch
i3c-master-svc-fix-use-after-free-vulnerability-in-svc_i3c_master-driver-due-to-race-condition.patch
pm-devfreq-fix-build-issues-with-devfreq-disabled.patch
serial-amba-pl011-fix-build-regression.patch
usb-dwc3-ep0-don-t-reset-resource-alloc-flag.patch

13 files changed:
queue-6.1/bluetooth-mgmt-fix-possible-deadlocks.patch [new file with mode: 0644]
queue-6.1/checkpatch-always-parse-orig_commit-in-fixes-tag.patch [deleted file]
queue-6.1/checkpatch-check-for-missing-fixes-tags.patch [deleted file]
queue-6.1/checkpatch-warn-when-reported-by-is-not-followed-by-.patch [deleted file]
queue-6.1/drm-msm-devfreq_gov_simple_ondemand-is-no-longer-needed.patch [new file with mode: 0644]
queue-6.1/fs-ntfs3-sequential-field-availability-check-in-mi_enum_attr.patch [new file with mode: 0644]
queue-6.1/i3c-master-remove-i3c_dev_disable_ibi_locked-olddev-on-device-hotjoin.patch [new file with mode: 0644]
queue-6.1/i3c-master-svc-fix-possible-assignment-of-the-same-address-to-two-devices.patch [new file with mode: 0644]
queue-6.1/i3c-master-svc-fix-use-after-free-vulnerability-in-svc_i3c_master-driver-due-to-race-condition.patch [new file with mode: 0644]
queue-6.1/pm-devfreq-fix-build-issues-with-devfreq-disabled.patch [new file with mode: 0644]
queue-6.1/serial-amba-pl011-fix-build-regression.patch [new file with mode: 0644]
queue-6.1/series
queue-6.1/usb-dwc3-ep0-don-t-reset-resource-alloc-flag.patch [new file with mode: 0644]

diff --git a/queue-6.1/bluetooth-mgmt-fix-possible-deadlocks.patch b/queue-6.1/bluetooth-mgmt-fix-possible-deadlocks.patch
new file mode 100644 (file)
index 0000000..592df24
--- /dev/null
@@ -0,0 +1,145 @@
+From a66dfaf18fd61bb75ef8cee83db46b2aadf153d0 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Thu, 21 Nov 2024 11:09:22 -0500
+Subject: Bluetooth: MGMT: Fix possible deadlocks
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+commit a66dfaf18fd61bb75ef8cee83db46b2aadf153d0 upstream.
+
+This fixes possible deadlocks like the following caused by
+hci_cmd_sync_dequeue causing the destroy function to run:
+
+ INFO: task kworker/u19:0:143 blocked for more than 120 seconds.
+       Tainted: G        W  O        6.8.0-2024-03-19-intel-next-iLS-24ww14 #1
+ "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
+ task:kworker/u19:0   state:D stack:0     pid:143   tgid:143   ppid:2      flags:0x00004000
+ Workqueue: hci0 hci_cmd_sync_work [bluetooth]
+ Call Trace:
+  <TASK>
+  __schedule+0x374/0xaf0
+  schedule+0x3c/0xf0
+  schedule_preempt_disabled+0x1c/0x30
+  __mutex_lock.constprop.0+0x3ef/0x7a0
+  __mutex_lock_slowpath+0x13/0x20
+  mutex_lock+0x3c/0x50
+  mgmt_set_connectable_complete+0xa4/0x150 [bluetooth]
+  ? kfree+0x211/0x2a0
+  hci_cmd_sync_dequeue+0xae/0x130 [bluetooth]
+  ? __pfx_cmd_complete_rsp+0x10/0x10 [bluetooth]
+  cmd_complete_rsp+0x26/0x80 [bluetooth]
+  mgmt_pending_foreach+0x4d/0x70 [bluetooth]
+  __mgmt_power_off+0x8d/0x180 [bluetooth]
+  ? _raw_spin_unlock_irq+0x23/0x40
+  hci_dev_close_sync+0x445/0x5b0 [bluetooth]
+  hci_set_powered_sync+0x149/0x250 [bluetooth]
+  set_powered_sync+0x24/0x60 [bluetooth]
+  hci_cmd_sync_work+0x90/0x150 [bluetooth]
+  process_one_work+0x13e/0x300
+  worker_thread+0x2f7/0x420
+  ? __pfx_worker_thread+0x10/0x10
+  kthread+0x107/0x140
+  ? __pfx_kthread+0x10/0x10
+  ret_from_fork+0x3d/0x60
+  ? __pfx_kthread+0x10/0x10
+  ret_from_fork_asm+0x1b/0x30
+  </TASK>
+
+Tested-by: Kiran K <kiran.k@intel.com>
+Fixes: f53e1c9c726d ("Bluetooth: MGMT: Fix possible crash on mgmt_index_removed")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/mgmt.c |   27 ++++++++++++++++++---------
+ 1 file changed, 18 insertions(+), 9 deletions(-)
+
+--- a/net/bluetooth/mgmt.c
++++ b/net/bluetooth/mgmt.c
+@@ -1521,7 +1521,8 @@ static void mgmt_set_discoverable_comple
+       bt_dev_dbg(hdev, "err %d", err);
+       /* Make sure cmd still outstanding. */
+-      if (cmd != pending_find(MGMT_OP_SET_DISCOVERABLE, hdev))
++      if (err == -ECANCELED ||
++          cmd != pending_find(MGMT_OP_SET_DISCOVERABLE, hdev))
+               return;
+       hci_dev_lock(hdev);
+@@ -1695,7 +1696,8 @@ static void mgmt_set_connectable_complet
+       bt_dev_dbg(hdev, "err %d", err);
+       /* Make sure cmd still outstanding. */
+-      if (cmd != pending_find(MGMT_OP_SET_CONNECTABLE, hdev))
++      if (err == -ECANCELED ||
++          cmd != pending_find(MGMT_OP_SET_CONNECTABLE, hdev))
+               return;
+       hci_dev_lock(hdev);
+@@ -1928,7 +1930,7 @@ static void set_ssp_complete(struct hci_
+       bool changed;
+       /* Make sure cmd still outstanding. */
+-      if (cmd != pending_find(MGMT_OP_SET_SSP, hdev))
++      if (err == -ECANCELED || cmd != pending_find(MGMT_OP_SET_SSP, hdev))
+               return;
+       if (err) {
+@@ -3853,7 +3855,8 @@ static void set_name_complete(struct hci
+       bt_dev_dbg(hdev, "err %d", err);
+-      if (cmd != pending_find(MGMT_OP_SET_LOCAL_NAME, hdev))
++      if (err == -ECANCELED ||
++          cmd != pending_find(MGMT_OP_SET_LOCAL_NAME, hdev))
+               return;
+       if (status) {
+@@ -4028,7 +4031,8 @@ static void set_default_phy_complete(str
+       struct sk_buff *skb = cmd->skb;
+       u8 status = mgmt_status(err);
+-      if (cmd != pending_find(MGMT_OP_SET_PHY_CONFIGURATION, hdev))
++      if (err == -ECANCELED ||
++          cmd != pending_find(MGMT_OP_SET_PHY_CONFIGURATION, hdev))
+               return;
+       if (!status) {
+@@ -5919,13 +5923,16 @@ static void start_discovery_complete(str
+ {
+       struct mgmt_pending_cmd *cmd = data;
++      bt_dev_dbg(hdev, "err %d", err);
++
++      if (err == -ECANCELED)
++              return;
++
+       if (cmd != pending_find(MGMT_OP_START_DISCOVERY, hdev) &&
+           cmd != pending_find(MGMT_OP_START_LIMITED_DISCOVERY, hdev) &&
+           cmd != pending_find(MGMT_OP_START_SERVICE_DISCOVERY, hdev))
+               return;
+-      bt_dev_dbg(hdev, "err %d", err);
+-
+       mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode, mgmt_status(err),
+                         cmd->param, 1);
+       mgmt_pending_remove(cmd);
+@@ -6158,7 +6165,8 @@ static void stop_discovery_complete(stru
+ {
+       struct mgmt_pending_cmd *cmd = data;
+-      if (cmd != pending_find(MGMT_OP_STOP_DISCOVERY, hdev))
++      if (err == -ECANCELED ||
++          cmd != pending_find(MGMT_OP_STOP_DISCOVERY, hdev))
+               return;
+       bt_dev_dbg(hdev, "err %d", err);
+@@ -8105,7 +8113,8 @@ static void read_local_oob_ext_data_comp
+       u8 status = mgmt_status(err);
+       u16 eir_len;
+-      if (cmd != pending_find(MGMT_OP_READ_LOCAL_OOB_EXT_DATA, hdev))
++      if (err == -ECANCELED ||
++          cmd != pending_find(MGMT_OP_READ_LOCAL_OOB_EXT_DATA, hdev))
+               return;
+       if (!status) {
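Review bot: In the set_default_phy_complete hunk, the initializer `struct sk_buff *skb = cmd->skb;` still dereferences `cmd` before the new `err == -ECANCELED` / `pending_find()` guard has decided whether the command is still outstanding. If a cancelled callback can run after the pending command has been released (the cancel path is not visible here), that read touches freed memory even though the function returns straight afterwards. Consider declaring `struct sk_buff *skb;` and assigning `skb = cmd->skb;` only after the guard, so that no field of `cmd` is read until it is known to be live. The other callbacks in this patch only compare the pointer before their guard, and all of these function bodies continue outside the hunks.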
diff --git a/queue-6.1/checkpatch-always-parse-orig_commit-in-fixes-tag.patch b/queue-6.1/checkpatch-always-parse-orig_commit-in-fixes-tag.patch
deleted file mode 100644 (file)
index 69a286d..0000000
+++ /dev/null
@@ -1,120 +0,0 @@
-From e62b1abfe399d2220fa072c493f54ee685d3fbdc Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Fri, 25 Oct 2024 19:43:19 -0400
-Subject: checkpatch: always parse orig_commit in fixes tag
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-From: Tamir Duberstein <tamird@gmail.com>
-
-[ Upstream commit 2f07b652384969f5d0b317e1daa5f2eb967bc73d ]
-
-Do not require the presence of `$balanced_parens` to get the commit SHA;
-this allows a `Fixes: deadbeef` tag to get a correct suggestion rather
-than a suggestion containing a reference to HEAD.
-
-Given this patch:
-
-: From: Tamir Duberstein <tamird@gmail.com>
-: Subject: Test patch
-: Date: Fri, 25 Oct 2024 19:30:51 -0400
-:
-: This is a test patch.
-:
-: Fixes: bd17e036b495
-: Signed-off-by: Tamir Duberstein <tamird@gmail.com>
-: --- /dev/null
-: +++ b/new-file
-: @@ -0,0 +1 @@
-: +Test.
-
-Before:
-
-WARNING: Please use correct Fixes: style 'Fixes: <12 chars of sha1> ("<title line>")' - ie: 'Fixes: c10a7d25e68f ("Test patch")'
-
-After:
-
-WARNING: Please use correct Fixes: style 'Fixes: <12 chars of sha1> ("<title line>")' - ie: 'Fixes: bd17e036b495 ("checkpatch: warn for non-standard fixes tag style")'
-
-The prior behavior incorrectly suggested the patch's own SHA and title
-line rather than the referenced commit's.  This fixes that.
-
-Ironically this:
-
-Fixes: bd17e036b495 ("checkpatch: warn for non-standard fixes tag style")
-Signed-off-by: Tamir Duberstein <tamird@gmail.com>
-Cc: Andy Whitcroft <apw@canonical.com>
-Cc: Dwaipayan Ray <dwaipayanray1@gmail.com>
-Cc: Joe Perches <joe@perches.com>
-Cc: Louis Peens <louis.peens@corigine.com>
-Cc: Lukas Bulwahn <lukas.bulwahn@gmail.com>
-Cc: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
-Cc: Philippe Schenker <philippe.schenker@toradex.com>
-Cc: Simon Horman <horms@kernel.org>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- scripts/checkpatch.pl | 37 ++++++++++++++++---------------------
- 1 file changed, 16 insertions(+), 21 deletions(-)
-
-diff --git a/scripts/checkpatch.pl b/scripts/checkpatch.pl
-index 9ec205e6d48e2..12742da6504e0 100755
---- a/scripts/checkpatch.pl
-+++ b/scripts/checkpatch.pl
-@@ -3177,36 +3177,31 @@ sub process {
- # Check Fixes: styles is correct
-               if (!$in_header_lines &&
--                  $line =~ /^\s*fixes:?\s*(?:commit\s*)?[0-9a-f]{5,}\b/i) {
--                      my $orig_commit = "";
--                      my $id = "0123456789ab";
--                      my $title = "commit title";
--                      my $tag_case = 1;
--                      my $tag_space = 1;
--                      my $id_length = 1;
--                      my $id_case = 1;
-+                  $line =~ /^\s*(fixes:?)\s*(?:commit\s*)?([0-9a-f]{5,40})(?:\s*($balanced_parens))?/i) {
-+                      my $tag = $1;
-+                      my $orig_commit = $2;
-+                      my $title;
-                       my $title_has_quotes = 0;
-                       $fixes_tag = 1;
--
--                      if ($line =~ /(\s*fixes:?)\s+([0-9a-f]{5,})\s+($balanced_parens)/i) {
--                              my $tag = $1;
--                              $orig_commit = $2;
--                              $title = $3;
--
--                              $tag_case = 0 if $tag eq "Fixes:";
--                              $tag_space = 0 if ($line =~ /^fixes:? [0-9a-f]{5,} ($balanced_parens)/i);
--
--                              $id_length = 0 if ($orig_commit =~ /^[0-9a-f]{12}$/i);
--                              $id_case = 0 if ($orig_commit !~ /[A-F]/);
--
-+                      if (defined $3) {
-                               # Always strip leading/trailing parens then double quotes if existing
--                              $title = substr($title, 1, -1);
-+                              $title = substr($3, 1, -1);
-                               if ($title =~ /^".*"$/) {
-                                       $title = substr($title, 1, -1);
-                                       $title_has_quotes = 1;
-                               }
-+                      } else {
-+                              $title = "commit title"
-                       }
-+
-+                      my $tag_case = not ($tag eq "Fixes:");
-+                      my $tag_space = not ($line =~ /^fixes:? [0-9a-f]{5,40} ($balanced_parens)/i);
-+
-+                      my $id_length = not ($orig_commit =~ /^[0-9a-f]{12}$/i);
-+                      my $id_case = not ($orig_commit !~ /[A-F]/);
-+
-+                      my $id = "0123456789ab";
-                       my ($cid, $ctitle) = git_commit_info($orig_commit, $id,
-                                                            $title);
--- 
-2.43.0
-
diff --git a/queue-6.1/checkpatch-check-for-missing-fixes-tags.patch b/queue-6.1/checkpatch-check-for-missing-fixes-tags.patch
deleted file mode 100644 (file)
index 5838475..0000000
+++ /dev/null
@@ -1,147 +0,0 @@
-From 96377d94dc9d87416d293a5c17ac5f9c0bc86336 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 11 Jun 2024 16:43:29 +0300
-Subject: checkpatch: check for missing Fixes tags
-
-From: Dan Carpenter <dan.carpenter@linaro.org>
-
-[ Upstream commit d5d6281ae8e0c929c3ff188652f5b12c680fe8bf ]
-
-This check looks for common words that probably indicate a patch
-is a fix.  For now the regex is:
-
-       (?:(?:BUG: K.|UB)SAN: |Call Trace:|stable\@|syzkaller)/)
-
-Why are stable patches encouraged to have a fixes tag?  Some people mark
-their stable patches as "# 5.10" etc.  This is useful but a Fixes tag is
-still a good idea.  For example, the Fixes tag helps in review.  It
-helps people to not cherry-pick buggy patches without also
-cherry-picking the fix.
-
-Also if a bug affects the 5.7 kernel some people will round it up to
-5.10+ because 5.7 is not supported on kernel.org.  It's possible the Bad
-Binder bug was caused by this sort of gap where companies outside of
-kernel.org are supporting different kernels from kernel.org.
-
-Should it be counted as a Fix when a patch just silences harmless
-WARN_ON() stack trace.  Yes.  Definitely.
-
-Is silencing compiler warnings a fix?  It seems unfair to the original
-authors, but we use -Werror now, and warnings break the build so let's
-just add Fixes tags.  I tell people that silencing static checker
-warnings is not a fix but the rules on this vary by subsystem.
-
-Is fixing a minor LTP issue (Linux Test Project) a fix?  Probably?  It's
-hard to know what to do if the LTP test has technically always been
-broken.
-
-One clear false positive from this check is when someone updated their
-debug output and included before and after Call Traces.  Or when crashes
-are introduced deliberately for testing.  In those cases, you should
-just ignore checkpatch.
-
-Link: https://lkml.kernel.org/r/ZmhUgZBKeF_8ixA6@moroto
-Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
-Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Reviewed-by: Kees Cook <keescook@chromium.org>
-Cc: Andy Whitcroft <apw@canonical.com>
-Cc: Arnd Bergmann <arnd@arndb.de>
-Cc: Dwaipayan Ray <dwaipayanray1@gmail.com>
-Cc: Joe Perches <joe@perches.com>
-Cc: Lukas Bulwahn <lukas.bulwahn@gmail.com>
-Cc: Sasha Levin <sashal@kernel.org>
-Cc: Thorsten Leemhuis <linux@leemhuis.info>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Stable-dep-of: 2f07b6523849 ("checkpatch: always parse orig_commit in fixes tag")
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- scripts/checkpatch.pl | 24 ++++++++++++++++++++++++
- 1 file changed, 24 insertions(+)
-
-diff --git a/scripts/checkpatch.pl b/scripts/checkpatch.pl
-index 32dc82c0c7ace..9ec205e6d48e2 100755
---- a/scripts/checkpatch.pl
-+++ b/scripts/checkpatch.pl
-@@ -28,6 +28,7 @@ my %verbose_messages = ();
- my %verbose_emitted = ();
- my $tree = 1;
- my $chk_signoff = 1;
-+my $chk_fixes_tag = 1;
- my $chk_patch = 1;
- my $tst_only;
- my $emacs = 0;
-@@ -86,6 +87,7 @@ Options:
-   -v, --verbose              verbose mode
-   --no-tree                  run without a kernel tree
-   --no-signoff               do not check for 'Signed-off-by' line
-+  --no-fixes-tag             do not check for 'Fixes:' tag
-   --patch                    treat FILE as patchfile (default)
-   --emacs                    emacs compile window format
-   --terse                    one line per report
-@@ -293,6 +295,7 @@ GetOptions(
-       'v|verbose!'    => \$verbose,
-       'tree!'         => \$tree,
-       'signoff!'      => \$chk_signoff,
-+      'fixes-tag!'    => \$chk_fixes_tag,
-       'patch!'        => \$chk_patch,
-       'emacs!'        => \$emacs,
-       'terse!'        => \$terse,
-@@ -1225,6 +1228,7 @@ sub git_commit_info {
- }
- $chk_signoff = 0 if ($file);
-+$chk_fixes_tag = 0 if ($file);
- my @rawlines = ();
- my @lines = ();
-@@ -2604,6 +2608,9 @@ sub process {
-       our $clean = 1;
-       my $signoff = 0;
-+      my $fixes_tag = 0;
-+      my $is_revert = 0;
-+      my $needs_fixes_tag = "";
-       my $author = '';
-       my $authorsignoff = 0;
-       my $author_sob = '';
-@@ -3157,6 +3164,16 @@ sub process {
-                       }
-               }
-+# These indicate a bug fix
-+              if (!$in_header_lines && !$is_patch &&
-+                      $line =~ /^This reverts commit/) {
-+                      $is_revert = 1;
-+              }
-+
-+              if (!$in_header_lines && !$is_patch &&
-+                  $line =~ /((?:(?:BUG: K.|UB)SAN: |Call Trace:|stable\@|syzkaller))/) {
-+                      $needs_fixes_tag = $1;
-+              }
- # Check Fixes: styles is correct
-               if (!$in_header_lines &&
-@@ -3169,6 +3186,7 @@ sub process {
-                       my $id_length = 1;
-                       my $id_case = 1;
-                       my $title_has_quotes = 0;
-+                      $fixes_tag = 1;
-                       if ($line =~ /(\s*fixes:?)\s+([0-9a-f]{5,})\s+($balanced_parens)/i) {
-                               my $tag = $1;
-@@ -7539,6 +7557,12 @@ sub process {
-               ERROR("NOT_UNIFIED_DIFF",
-                     "Does not appear to be a unified-diff format patch\n");
-       }
-+      if ($is_patch && $has_commit_log && $chk_fixes_tag) {
-+              if ($needs_fixes_tag ne "" && !$is_revert && !$fixes_tag) {
-+                      WARN("MISSING_FIXES_TAG",
-+                               "The commit message has '$needs_fixes_tag', perhaps it also needs a 'Fixes:' tag?\n");
-+              }
-+      }
-       if ($is_patch && $has_commit_log && $chk_signoff) {
-               if ($signoff == 0) {
-                       ERROR("MISSING_SIGN_OFF",
--- 
-2.43.0
-
diff --git a/queue-6.1/checkpatch-warn-when-reported-by-is-not-followed-by-.patch b/queue-6.1/checkpatch-warn-when-reported-by-is-not-followed-by-.patch
deleted file mode 100644 (file)
index 9e302b4..0000000
+++ /dev/null
@@ -1,88 +0,0 @@
-From 3d244247e264a8ff5ffc3be98e47291c8abc9673 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Fri, 20 Jan 2023 13:35:19 +0100
-Subject: checkpatch: warn when Reported-by: is not followed by Link:
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-From: Kai Wasserbäch <kai@dev.carbon-project.org>
-
-[ Upstream commit d7f1d71e5ef630ab9e15b5821d297a9e1a5fa1da ]
-
-Encourage patch authors to link to reports by issuing a warning, if a
-Reported-by: is not accompanied by a link to the report.  Those links are
-often extremely useful for any code archaeologist that wants to know more
-about the backstory of a change than the commit message provides.  That
-includes maintainers higher up in the patch-flow hierarchy, which is why
-Linus asks developers to add such links [1, 2, 3].  To quote [1]:
-
-> Again, the commit has a link to the patch *submission*, which is
-> almost entirely useless. There's no link to the actual problem the
-> patch fixes.
->
-> [...]
->
-> Put another way: I can see that
->
-> Reported-by: Zhangfei Gao <zhangfei.gao@foxmail.com>
->
-> in the commit, but I don't have a clue what the actual report was, and
-> there really isn't enough information in the commit itself, except for
-> a fairly handwavy "Device drivers might, for instance, still need to
-> flush operations.."
->
-> I don't want to know what device drivers _might_ do. I would want to
-> have an actual pointer to what they do and where.
-
-Another reason why these links are wanted: the ongoing regression tracking
-efforts can only scale with them, as they allow the regression tracking
-bot 'regzbot' to automatically connect tracked reports with patches that
-are posted or committed to fix tracked regressions.
-
-Link: https://lore.kernel.org/all/CAHk-=wjMmSZzMJ3Xnskdg4+GGz=5p5p+GSYyFBTh0f-DgvdBWg@mail.gmail.com/ [1]
-Link: https://lore.kernel.org/all/CAHk-=wgs38ZrfPvy=nOwVkVzjpM3VFU1zobP37Fwd_h9iAD5JQ@mail.gmail.com/ [2]
-Link: https://lore.kernel.org/all/CAHk-=wjxzafG-=J8oT30s7upn4RhBs6TX-uVFZ5rME+L5_DoJA@mail.gmail.com/ [3]
-Link: https://lkml.kernel.org/r/bb5dfd55ea2026303ab2296f4a6df3da7dd64006.1674217480.git.linux@leemhuis.info
-Signed-off-by: Kai Wasserbäch <kai@dev.carbon-project.org>
-Co-developed-by: Thorsten Leemhuis <linux@leemhuis.info>
-Signed-off-by: Thorsten Leemhuis <linux@leemhuis.info>
-Cc: Andy Whitcroft <apw@canonical.com>
-Cc: Dwaipayan Ray <dwaipayanray1@gmail.com>
-Cc: Joe Perches <joe@perches.com>
-Cc: Lukas Bulwahn <lukas.bulwahn@gmail.com>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Stable-dep-of: 2f07b6523849 ("checkpatch: always parse orig_commit in fixes tag")
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- scripts/checkpatch.pl | 12 ++++++++++++
- 1 file changed, 12 insertions(+)
-
-diff --git a/scripts/checkpatch.pl b/scripts/checkpatch.pl
-index ecf4250b0d2d2..32dc82c0c7ace 100755
---- a/scripts/checkpatch.pl
-+++ b/scripts/checkpatch.pl
-@@ -3144,8 +3144,20 @@ sub process {
-                                            "Co-developed-by and Signed-off-by: name/email do not match \n" . "$here\n" . $rawline . "\n" .$rawlines[$linenr]);
-                               }
-                       }
-+
-+# check if Reported-by: is followed by a Link:
-+                      if ($sign_off =~ /^reported(?:|-and-tested)-by:$/i) {
-+                              if (!defined $lines[$linenr]) {
-+                                      WARN("BAD_REPORTED_BY_LINK",
-+                                           "Reported-by: should be immediately followed by Link: to the report\n" . $herecurr . $rawlines[$linenr] . "\n");
-+                              } elsif ($rawlines[$linenr] !~ m{^link:\s*https?://}i) {
-+                                      WARN("BAD_REPORTED_BY_LINK",
-+                                           "Reported-by: should be immediately followed by Link: with a URL to the report\n" . $herecurr . $rawlines[$linenr] . "\n");
-+                              }
-+                      }
-               }
-+
- # Check Fixes: styles is correct
-               if (!$in_header_lines &&
-                   $line =~ /^\s*fixes:?\s*(?:commit\s*)?[0-9a-f]{5,}\b/i) {
--- 
-2.43.0
-
diff --git a/queue-6.1/drm-msm-devfreq_gov_simple_ondemand-is-no-longer-needed.patch b/queue-6.1/drm-msm-devfreq_gov_simple_ondemand-is-no-longer-needed.patch
new file mode 100644 (file)
index 0000000..32c9780
--- /dev/null
@@ -0,0 +1,44 @@
+From a722511b18268bd1f7084eee243af416b85f288f Mon Sep 17 00:00:00 2001
+From: Randy Dunlap <rdunlap@infradead.org>
+Date: Sun, 19 Feb 2023 17:04:28 -0800
+Subject: drm/msm: DEVFREQ_GOV_SIMPLE_ONDEMAND is no longer needed
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+commit a722511b18268bd1f7084eee243af416b85f288f upstream.
+
+DRM_MSM no longer needs DEVFREQ_GOV_SIMPLE_ONDEMAND (since commit
+dbd7a2a941b8 ("PM / devfreq: Fix build issues with devfreq disabled")
+in linux-next), so remove that select from the DRM_MSM Kconfig file.
+
+Fixes: 6563f60f14cb ("drm/msm/gpu: Add devfreq tuning debugfs")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Rob Clark <robdclark@gmail.com>
+Cc: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Cc: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Cc: Sean Paul <sean@poorly.run>
+Cc: David Airlie <airlied@gmail.com>
+Cc: Daniel Vetter <daniel@ffwll.ch>
+Cc: linux-arm-msm@vger.kernel.org
+Cc: dri-devel@lists.freedesktop.org
+Cc: freedreno@lists.freedesktop.org
+Reviewed-by: Rob Clark <robdclark@gmail.com>
+Patchwork: https://patchwork.freedesktop.org/patch/523353/
+Link: https://lore.kernel.org/r/20230220010428.16910-1-rdunlap@infradead.org
+[rob: tweak commit message to make checkpatch.pl happy]
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/msm/Kconfig |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/gpu/drm/msm/Kconfig
++++ b/drivers/gpu/drm/msm/Kconfig
+@@ -23,7 +23,6 @@ config DRM_MSM
+       select SHMEM
+       select TMPFS
+       select QCOM_SCM
+-      select DEVFREQ_GOV_SIMPLE_ONDEMAND
+       select WANT_DEV_COREDUMP
+       select SND_SOC_HDMI_CODEC if SND_SOC
+       select SYNC_FILE
diff --git a/queue-6.1/fs-ntfs3-sequential-field-availability-check-in-mi_enum_attr.patch b/queue-6.1/fs-ntfs3-sequential-field-availability-check-in-mi_enum_attr.patch
new file mode 100644 (file)
index 0000000..0c4e0c2
--- /dev/null
@@ -0,0 +1,71 @@
+From 090f612756a9720ec18b0b130e28be49839d7cb5 Mon Sep 17 00:00:00 2001
+From: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+Date: Thu, 5 Sep 2024 15:03:48 +0300
+Subject: fs/ntfs3: Sequential field availability check in mi_enum_attr()
+
+From: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+
+commit 090f612756a9720ec18b0b130e28be49839d7cb5 upstream.
+
+The code is slightly reformatted to consistently check field availability
+without duplication.
+
+Fixes: 556bdf27c2dd ("ntfs3: Add bounds checking to mi_enum_attr()")
+Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ntfs3/record.c |   15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+--- a/fs/ntfs3/record.c
++++ b/fs/ntfs3/record.c
+@@ -231,6 +231,7 @@ struct ATTRIB *mi_enum_attr(struct mft_i
+       }
+       /* Can we use the first field (attr->type). */
++      /* NOTE: this code also checks attr->size availability. */
+       if (off + 8 > used) {
+               static_assert(ALIGN(sizeof(enum ATTR_TYPE), 8) == 8);
+               return NULL;
+@@ -251,10 +252,6 @@ struct ATTRIB *mi_enum_attr(struct mft_i
+               return NULL;
+       asize = le32_to_cpu(attr->size);
+-      if (asize < SIZEOF_RESIDENT) {
+-              /* Impossible 'cause we should not return such attribute. */
+-              return NULL;
+-      }
+       /* Check overflow and boundary. */
+       if (off + asize < off || off + asize > used)
+@@ -285,6 +282,10 @@ struct ATTRIB *mi_enum_attr(struct mft_i
+       if (attr->non_res != 1)
+               return NULL;
++      /* Can we use memory including attr->nres.valid_size? */
++      if (asize < SIZEOF_NONRESIDENT)
++              return NULL;
++
+       t16 = le16_to_cpu(attr->nres.run_off);
+       if (t16 > asize)
+               return NULL;
+@@ -311,7 +312,8 @@ struct ATTRIB *mi_enum_attr(struct mft_i
+       if (!attr->nres.svcn && is_attr_ext(attr)) {
+               /* First segment of sparse/compressed attribute */
+-              if (asize + 8 < SIZEOF_NONRESIDENT_EX)
++              /* Can we use memory including attr->nres.total_size? */
++              if (asize < SIZEOF_NONRESIDENT_EX)
+                       return NULL;
+               tot_size = le64_to_cpu(attr->nres.total_size);
+@@ -321,9 +323,6 @@ struct ATTRIB *mi_enum_attr(struct mft_i
+               if (tot_size > alloc_size)
+                       return NULL;
+       } else {
+-              if (asize + 8 < SIZEOF_NONRESIDENT)
+-                      return NULL;
+-
+               if (attr->nres.c_unit)
+                       return NULL;
+       }
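Review bot: Dropping the early `if (asize < SIZEOF_RESIDENT) return NULL;` in mi_enum_attr() leaves `asize`, which is read from the on-disk record, bounded only by `off + asize > used` until the per-type checks, and this patch adds a minimum-size check for the non-resident branch only. The resident branch lies outside the hunks, so it cannot be seen here whether it rejects `asize < SIZEOF_RESIDENT` before reading `attr->res.*`. For a stable backport, confirm that the 6.1 tree carries that check, or keep the removed lines. The added comment would also be clearer if it said why the check suffices, for example `/* off + 8 covers attr->type and the following attr->size. */`, assuming that is the layout the static_assert is guarding.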
diff --git a/queue-6.1/i3c-master-remove-i3c_dev_disable_ibi_locked-olddev-on-device-hotjoin.patch b/queue-6.1/i3c-master-remove-i3c_dev_disable_ibi_locked-olddev-on-device-hotjoin.patch
new file mode 100644 (file)
index 0000000..fe739f4
--- /dev/null
@@ -0,0 +1,76 @@
+From 36faa04ce3d9c962b4b29d285ad07ca29e2988e4 Mon Sep 17 00:00:00 2001
+From: Frank Li <Frank.Li@nxp.com>
+Date: Tue, 1 Oct 2024 12:22:32 -0400
+Subject: i3c: master: Remove i3c_dev_disable_ibi_locked(olddev) on device hotjoin
+
+From: Frank Li <Frank.Li@nxp.com>
+
+commit 36faa04ce3d9c962b4b29d285ad07ca29e2988e4 upstream.
+
+When a new device hotjoins, a new dynamic address is assigned.
+i3c_master_add_i3c_dev_locked() identifies that the device was previously
+attached to the bus and locates the olddev.
+
+i3c_master_add_i3c_dev_locked()
+{
+    ...
+    olddev = i3c_master_search_i3c_dev_duplicate(newdev);
+    ...
+    if (olddev) {
+        ...
+        i3c_dev_disable_ibi_locked(olddev);
+        ^^^^^^
+        The olddev should not receive any commands on the i3c bus as it
+        does not exist and has been assigned a new address. This will
+        result in NACK or timeout. So remove it.
+    }
+
+    i3c_dev_free_ibi_locked(olddev);
+    ^^^^^^^^
+    This function internally calls i3c_dev_disable_ibi_locked() function
+    causing to send DISEC command with old Address.
+
+    The olddev should not receive any commands on the i3c bus as it
+    does not exist and has been assigned a new address. This will
+    result in NACK or timeout. So, update the olddev->ibi->enabled
+    flag to false to avoid DISEC with OldAddr.
+}
+
+Include part of Ravindra Yashvant Shinde's work:
+https://lore.kernel.org/linux-i3c/20240820151917.3904956-1-ravindra.yashvant.shinde@nxp.com/T/#u
+
+Fixes: 317bacf960a4 ("i3c: master: add enable(disable) hot join in sys entry")
+Co-developed-by: Ravindra Yashvant Shinde <ravindra.yashvant.shinde@nxp.com>
+Signed-off-by: Ravindra Yashvant Shinde <ravindra.yashvant.shinde@nxp.com>
+Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Frank Li <Frank.Li@nxp.com>
+Link: https://lore.kernel.org/r/20241001162232.223724-1-Frank.Li@nxp.com
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i3c/master.c |   13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/drivers/i3c/master.c
++++ b/drivers/i3c/master.c
+@@ -2031,11 +2031,16 @@ int i3c_master_add_i3c_dev_locked(struct
+                       ibireq.max_payload_len = olddev->ibi->max_payload_len;
+                       ibireq.num_slots = olddev->ibi->num_slots;
+-                      if (olddev->ibi->enabled) {
++                      if (olddev->ibi->enabled)
+                               enable_ibi = true;
+-                              i3c_dev_disable_ibi_locked(olddev);
+-                      }
+-
++                      /*
++                       * The olddev should not receive any commands on the
++                       * i3c bus as it does not exist and has been assigned
++                       * a new address. This will result in NACK or timeout.
++                       * So, update the olddev->ibi->enabled flag to false
++                       * to avoid DISEC with OldAddr.
++                       */
++                      olddev->ibi->enabled = false;
+                       i3c_dev_free_ibi_locked(olddev);
+               }
+               mutex_unlock(&olddev->ibi_lock);
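Review bot: The direct write `olddev->ibi->enabled = false;` in i3c_master_add_i3c_dev_locked() bypasses i3c_dev_disable_ibi_locked() as a whole, not only the DISEC transfer the comment mentions. That function is not visible in this hunk, so it is worth confirming that i3c_dev_free_ibi_locked() alone releases any controller-side IBI state tied to the old address. If it does, the comment should say so, e.g. by ending with `controller-side IBI state is released by i3c_dev_free_ibi_locked() below.` A blank line between `enable_ibi = true;` and the block comment would also keep the comment from reading as part of the now brace-less `if`. The enclosing function starts and ends outside the hunk.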
diff --git a/queue-6.1/i3c-master-svc-fix-possible-assignment-of-the-same-address-to-two-devices.patch b/queue-6.1/i3c-master-svc-fix-possible-assignment-of-the-same-address-to-two-devices.patch
new file mode 100644 (file)
index 0000000..0409b97
--- /dev/null
@@ -0,0 +1,81 @@
+From 3b2ac810d86eb96e882db80a3320a3848b133208 Mon Sep 17 00:00:00 2001
+From: Frank Li <Frank.Li@nxp.com>
+Date: Wed, 2 Oct 2024 10:50:38 -0400
+Subject: i3c: master: svc: fix possible assignment of the same address to two devices
+
+From: Frank Li <Frank.Li@nxp.com>
+
+commit 3b2ac810d86eb96e882db80a3320a3848b133208 upstream.
+
+svc_i3c_master_do_daa() {
+    ...
+    for (i = 0; i < dev_nb; i++) {
+        ret = i3c_master_add_i3c_dev_locked(m, addrs[i]);
+        if (ret)
+            goto rpm_out;
+    }
+}
+
+If two devices (A and B) are detected in DAA and address 0xa is assigned to
+device A and 0xb to device B, a failure in i3c_master_add_i3c_dev_locked()
+for device A (addr: 0xa) could prevent device B (addr: 0xb) from being
+registered on the bus. The I3C stack might still consider 0xb a free
+address. If a subsequent Hotjoin occurs, 0xb might be assigned to Device A,
+causing both devices A and B to use the same address 0xb, violating the I3C
+specification.
+
+The return value for i3c_master_add_i3c_dev_locked() should not be checked
+because subsequent steps will scan the entire I3C bus, independent of
+whether i3c_master_add_i3c_dev_locked() returns success.
+
+If device A registration fails, there is still a chance to register device
+B. i3c_master_add_i3c_dev_locked() can reset DAA if a failure occurs while
+retrieving device information.
+
+Cc: stable@kernel.org
+Fixes: 317bacf960a4 ("i3c: master: add enable(disable) hot join in sys entry")
+Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Frank Li <Frank.Li@nxp.com>
+Link: https://lore.kernel.org/r/20241002-svc-i3c-hj-v6-6-7e6e1d3569ae@nxp.com
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i3c/master/svc-i3c-master.c |   27 +++++++++++++++++++++------
+ 1 file changed, 21 insertions(+), 6 deletions(-)
+
+--- a/drivers/i3c/master/svc-i3c-master.c
++++ b/drivers/i3c/master/svc-i3c-master.c
+@@ -1010,12 +1010,27 @@ static int svc_i3c_master_do_daa(struct
+               goto rpm_out;
+       }
+-      /* Register all devices who participated to the core */
+-      for (i = 0; i < dev_nb; i++) {
+-              ret = i3c_master_add_i3c_dev_locked(m, addrs[i]);
+-              if (ret)
+-                      goto rpm_out;
+-      }
++      /*
++       * Register all devices who participated to the core
++       *
++       * If two devices (A and B) are detected in DAA and address 0xa is assigned to
++       * device A and 0xb to device B, a failure in i3c_master_add_i3c_dev_locked()
++       * for device A (addr: 0xa) could prevent device B (addr: 0xb) from being
++       * registered on the bus. The I3C stack might still consider 0xb a free
++       * address. If a subsequent Hotjoin occurs, 0xb might be assigned to Device A,
++       * causing both devices A and B to use the same address 0xb, violating the I3C
++       * specification.
++       *
++       * The return value for i3c_master_add_i3c_dev_locked() should not be checked
++       * because subsequent steps will scan the entire I3C bus, independent of
++       * whether i3c_master_add_i3c_dev_locked() returns success.
++       *
++       * If device A registration fails, there is still a chance to register device
++       * B. i3c_master_add_i3c_dev_locked() can reset DAA if a failure occurs while
++       * retrieving device information.
++       */
++      for (i = 0; i < dev_nb; i++)
++              i3c_master_add_i3c_dev_locked(m, addrs[i]);
+       /* Configure IBI auto-rules */
+       ret = svc_i3c_update_ibirules(master);
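Review bot: The new loop `for (i = 0; i < dev_nb; i++) i3c_master_add_i3c_dev_locked(m, addrs[i]);` discards the return value without any trace, so a device that failed to register leaves nothing in the log to explain why it is missing from the bus. Continuing with the remaining addresses is what the comment argues for, but the failure should still be reported, e.g. `if (i3c_master_add_i3c_dev_locked(m, addrs[i])) dev_warn(master->dev, "failed to add device at 0x%02x\n", addrs[i]);` (assuming `master->dev` is the device pointer this driver logs against elsewhere). The block comment also repeats the commit message almost verbatim; two or three lines saying that errors are deliberately ignored so later devices still get registered would be easier to keep accurate. svc_i3c_master_do_daa() starts and ends outside the hunk.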
diff --git a/queue-6.1/i3c-master-svc-fix-use-after-free-vulnerability-in-svc_i3c_master-driver-due-to-race-condition.patch b/queue-6.1/i3c-master-svc-fix-use-after-free-vulnerability-in-svc_i3c_master-driver-due-to-race-condition.patch
new file mode 100644 (file)
index 0000000..b658430
--- /dev/null
@@ -0,0 +1,56 @@
+From 61850725779709369c7e907ae8c7c75dc7cec4f3 Mon Sep 17 00:00:00 2001
+From: Kaixin Wang <kxwang23@m.fudan.edu.cn>
+Date: Sun, 15 Sep 2024 00:39:33 +0800
+Subject: i3c: master: svc: Fix use after free vulnerability in svc_i3c_master Driver Due to Race Condition
+
+From: Kaixin Wang <kxwang23@m.fudan.edu.cn>
+
+commit 61850725779709369c7e907ae8c7c75dc7cec4f3 upstream.
+
+In the svc_i3c_master_probe function, &master->hj_work is bound with
+svc_i3c_master_hj_work, &master->ibi_work is bound with
+svc_i3c_master_ibi_work. And svc_i3c_master_ibi_work  can start the
+hj_work, svc_i3c_master_irq_handler can start the ibi_work.
+
+If we remove the module which will call svc_i3c_master_remove to
+make cleanup, it will free master->base through i3c_master_unregister
+while the work mentioned above will be used. The sequence of operations
+that may lead to a UAF bug is as follows:
+
+CPU0                                         CPU1
+
+                                    | svc_i3c_master_hj_work
+svc_i3c_master_remove               |
+i3c_master_unregister(&master->base)|
+device_unregister(&master->dev)     |
+device_release                      |
+//free master->base                 |
+                                    | i3c_master_do_daa(&master->base)
+                                    | //use master->base
+
+Fix it by ensuring that the work is canceled before proceeding with the
+cleanup in svc_i3c_master_remove.
+
+Fixes: 0f74f8b6675c ("i3c: Make i3c_master_unregister() return void")
+Cc: stable@vger.kernel.org
+Signed-off-by: Kaixin Wang <kxwang23@m.fudan.edu.cn>
+Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Link: https://lore.kernel.org/stable/20240914154030.180-1-kxwang23%40m.fudan.edu.cn
+Link: https://lore.kernel.org/r/20240914163932.253-1-kxwang23@m.fudan.edu.cn
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i3c/master/svc-i3c-master.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/i3c/master/svc-i3c-master.c
++++ b/drivers/i3c/master/svc-i3c-master.c
+@@ -1772,6 +1772,7 @@ static int svc_i3c_master_remove(struct
+ {
+       struct svc_i3c_master *master = platform_get_drvdata(pdev);
++      cancel_work_sync(&master->hj_work);
+       i3c_master_unregister(&master->base);
+       pm_runtime_dont_use_autosuspend(&pdev->dev);
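Review bot: The added `cancel_work_sync(&master->hj_work);` covers only one of the two work items the description names: `ibi_work` is said to queue `hj_work`, and the interrupt handler is said to queue `ibi_work`. If either can still run after the cancel returns, `hj_work` may be queued again and touch `master->base` after `i3c_master_unregister()` has released it, which is the same use-after-free. Whether the interrupt is already quiesced at this point is not visible in the hunk; if it is not, the sources should be stopped first, e.g. `cancel_work_sync(&master->ibi_work);` ahead of the `hj_work` cancel, with the IRQ disabled before both. svc_i3c_master_remove() continues past the end of the hunk.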
diff --git a/queue-6.1/pm-devfreq-fix-build-issues-with-devfreq-disabled.patch b/queue-6.1/pm-devfreq-fix-build-issues-with-devfreq-disabled.patch
new file mode 100644 (file)
index 0000000..afa7cd5
--- /dev/null
@@ -0,0 +1,57 @@
+From dbd7a2a941b8cbf9e5f79a777ed9fe0090eebb61 Mon Sep 17 00:00:00 2001
+From: Rob Clark <robdclark@chromium.org>
+Date: Mon, 23 Jan 2023 07:37:45 -0800
+Subject: PM / devfreq: Fix build issues with devfreq disabled
+
+From: Rob Clark <robdclark@chromium.org>
+
+commit dbd7a2a941b8cbf9e5f79a777ed9fe0090eebb61 upstream.
+
+The existing no-op shims for when PM_DEVFREQ (or an individual governor)
+only do half the job.  The governor specific config/tuning structs need
+to be available to avoid compile errors in drivers using devfreq.
+
+Fixes: 6563f60f14cb ("drm/msm/gpu: Add devfreq tuning debugfs")
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Acked-by: MyungJoo Ham <myungjoo.ham@samsung.com>
+Acked-by: Chanwoo Choi <cw00.choi@samsung.com>
+Patchwork: https://patchwork.freedesktop.org/patch/519801/
+Link: https://lore.kernel.org/r/20230123153745.3185032-1-robdclark@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/devfreq.h |    7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+--- a/include/linux/devfreq.h
++++ b/include/linux/devfreq.h
+@@ -273,8 +273,8 @@ void devm_devfreq_unregister_notifier(st
+ struct devfreq *devfreq_get_devfreq_by_node(struct device_node *node);
+ struct devfreq *devfreq_get_devfreq_by_phandle(struct device *dev,
+                               const char *phandle_name, int index);
++#endif /* CONFIG_PM_DEVFREQ */
+-#if IS_ENABLED(CONFIG_DEVFREQ_GOV_SIMPLE_ONDEMAND)
+ /**
+  * struct devfreq_simple_ondemand_data - ``void *data`` fed to struct devfreq
+  *    and devfreq_add_device
+@@ -292,9 +292,7 @@ struct devfreq_simple_ondemand_data {
+       unsigned int upthreshold;
+       unsigned int downdifferential;
+ };
+-#endif
+-#if IS_ENABLED(CONFIG_DEVFREQ_GOV_PASSIVE)
+ enum devfreq_parent_dev_type {
+       DEVFREQ_PARENT_DEV,
+       CPUFREQ_PARENT_DEV,
+@@ -337,9 +335,8 @@ struct devfreq_passive_data {
+       struct notifier_block nb;
+       struct list_head cpu_data_list;
+ };
+-#endif
+-#else /* !CONFIG_PM_DEVFREQ */
++#if !defined(CONFIG_PM_DEVFREQ)
+ static inline struct devfreq *devfreq_add_device(struct device *dev,
+                                       struct devfreq_dev_profile *profile,
+                                       const char *governor_name,
diff --git a/queue-6.1/serial-amba-pl011-fix-build-regression.patch b/queue-6.1/serial-amba-pl011-fix-build-regression.patch
new file mode 100644 (file)
index 0000000..593f867
--- /dev/null
@@ -0,0 +1,51 @@
+From b5a23a60e8ab5711f4952912424347bf3864ce8d Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Fri, 15 Nov 2024 11:59:54 +0100
+Subject: serial: amba-pl011: fix build regression
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit b5a23a60e8ab5711f4952912424347bf3864ce8d upstream.
+
+When CONFIG_DMA_ENGINE is disabled, the driver now fails to build:
+
+drivers/tty/serial/amba-pl011.c: In function 'pl011_unthrottle_rx':
+drivers/tty/serial/amba-pl011.c:1822:16: error: 'struct uart_amba_port' has no member named 'using_rx_dma'
+ 1822 |         if (uap->using_rx_dma) {
+      |                ^~
+drivers/tty/serial/amba-pl011.c:1823:20: error: 'struct uart_amba_port' has no member named 'dmacr'
+ 1823 |                 uap->dmacr |= UART011_RXDMAE;
+      |                    ^~
+drivers/tty/serial/amba-pl011.c:1824:32: error: 'struct uart_amba_port' has no member named 'dmacr'
+ 1824 |                 pl011_write(uap->dmacr, uap, REG_DMACR);
+      |                                ^~
+
+Add the missing #ifdef check around these field accesses, matching
+what other parts of this driver do.
+
+Fixes: 2bcacc1c87ac ("serial: amba-pl011: Fix RX stall when DMA is used")
+Cc: stable <stable@kernel.org>
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202411140617.nkjeHhsK-lkp@intel.com/
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Link: https://lore.kernel.org/r/20241115110021.744332-1-arnd@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/amba-pl011.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/tty/serial/amba-pl011.c
++++ b/drivers/tty/serial/amba-pl011.c
+@@ -1837,10 +1837,12 @@ static void pl011_unthrottle_rx(struct u
+       pl011_write(uap->im, uap, REG_IMSC);
++#ifdef CONFIG_DMA_ENGINE
+       if (uap->using_rx_dma) {
+               uap->dmacr |= UART011_RXDMAE;
+               pl011_write(uap->dmacr, uap, REG_DMACR);
+       }
++#endif
+       uart_port_unlock_irqrestore(&uap->port, flags);
+ }
index 0f0bfe1d7a12ca5aab6b3fa2bf757a36a32185eb..529642d7cb1f9157f75b603016b2b202ea4ec866 100644 (file)
@@ -234,9 +234,6 @@ clk-imx-fracn-gppll-fix-pll-power-up.patch
 clk-imx-clk-scu-fix-clk-enable-state-save-and-restor.patch
 iommu-vt-d-fix-checks-and-print-in-dmar_fault_dump_p.patch
 iommu-vt-d-fix-checks-and-print-in-pgtable_walk.patch
-checkpatch-warn-when-reported-by-is-not-followed-by-.patch
-checkpatch-check-for-missing-fixes-tags.patch
-checkpatch-always-parse-orig_commit-in-fixes-tag.patch
 mfd-rt5033-fix-missing-regmap_del_irq_chip.patch
 fs-proc-kcore.c-fix-coccinelle-reported-error-instan.patch
 scsi-bfa-fix-use-after-free-in-bfad_im_module_exit.patch
@@ -765,3 +762,12 @@ veth-use-tstats-per-cpu-traffic-counters.patch
 drm-ttm-make-sure-the-mapped-tt-pages-are-decrypted-when-needed.patch
 drm-ttm-print-the-memory-decryption-status-just-once.patch
 drm-amdgpu-rework-resume-handling-for-display-v2.patch
+usb-dwc3-ep0-don-t-reset-resource-alloc-flag.patch
+serial-amba-pl011-fix-build-regression.patch
+i3c-master-remove-i3c_dev_disable_ibi_locked-olddev-on-device-hotjoin.patch
+i3c-master-svc-fix-possible-assignment-of-the-same-address-to-two-devices.patch
+pm-devfreq-fix-build-issues-with-devfreq-disabled.patch
+drm-msm-devfreq_gov_simple_ondemand-is-no-longer-needed.patch
+fs-ntfs3-sequential-field-availability-check-in-mi_enum_attr.patch
+i3c-master-svc-fix-use-after-free-vulnerability-in-svc_i3c_master-driver-due-to-race-condition.patch
+bluetooth-mgmt-fix-possible-deadlocks.patch
diff --git a/queue-6.1/usb-dwc3-ep0-don-t-reset-resource-alloc-flag.patch b/queue-6.1/usb-dwc3-ep0-don-t-reset-resource-alloc-flag.patch
new file mode 100644 (file)
index 0000000..986a8a1
--- /dev/null
@@ -0,0 +1,36 @@
+From f2e0eee4703869dc5edb5302a919861566ca7797 Mon Sep 17 00:00:00 2001
+From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Date: Tue, 16 Apr 2024 01:23:07 +0000
+Subject: usb: dwc3: ep0: Don't reset resource alloc flag
+
+From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+
+commit f2e0eee4703869dc5edb5302a919861566ca7797 upstream.
+
+The DWC3_EP_RESOURCE_ALLOCATED flag ensures that the resource of an
+endpoint is only assigned once. Unless the endpoint is reset, don't
+clear this flag. Otherwise we may set endpoint resource again, which
+prevents the driver from initiate transfer after handling a STALL or
+endpoint halt to the control endpoint.
+
+Cc: stable@vger.kernel.org
+Fixes: b311048c174d ("usb: dwc3: gadget: Rewrite endpoint allocation flow")
+Signed-off-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Link: https://lore.kernel.org/r/00122b7cc5be06abef461776e7cc9f5ebc8bc1cb.1713229786.git.Thinh.Nguyen@synopsys.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc3/ep0.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/dwc3/ep0.c
++++ b/drivers/usb/dwc3/ep0.c
+@@ -224,7 +224,8 @@ void dwc3_ep0_stall_and_restart(struct d
+       /* reinitialize physical ep1 */
+       dep = dwc->eps[1];
+-      dep->flags = DWC3_EP_ENABLED;
++      dep->flags &= DWC3_EP_RESOURCE_ALLOCATED;
++      dep->flags |= DWC3_EP_ENABLED;
+       /* stall is always issued on EP0 */
+       dep = dwc->eps[0];
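Review bot: The two-step update `dep->flags &= DWC3_EP_RESOURCE_ALLOCATED; dep->flags |= DWC3_EP_ENABLED;` carries no comment, and the existing `/* reinitialize physical ep1 */` above it still reads as a full reset of the flags. A short comment would keep a later cleanup from collapsing it back into a plain assignment: `/* keep DWC3_EP_RESOURCE_ALLOCATED: the endpoint resource must be assigned only once until the endpoint is reset */`. The same intent can also be written as one statement, `dep->flags = (dep->flags & DWC3_EP_RESOURCE_ALLOCATED) | DWC3_EP_ENABLED;`. dwc3_ep0_stall_and_restart() starts and ends outside the hunk, so if the flags of `dwc->eps[0]` are reassigned further down, the same consideration would apply there.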