]> git.ipfire.org Git - thirdparty/kernel/stable-queue.git/commitdiff
Fixes for 4.19
authorSasha Levin <sashal@kernel.org>
Wed, 10 Apr 2024 15:57:05 +0000 (11:57 -0400)
committerSasha Levin <sashal@kernel.org>
Wed, 10 Apr 2024 15:57:05 +0000 (11:57 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
24 files changed:
queue-4.19/arm64-dts-rockchip-fix-rk3399-hdmi-ports-node.patch [new file with mode: 0644]
queue-4.19/batman-adv-return-directly-after-a-failed-batadv_dat.patch [new file with mode: 0644]
queue-4.19/block-prevent-division-by-zero-in-blk_rq_stat_sum.patch [new file with mode: 0644]
queue-4.19/bluetooth-btintel-fix-null-ptr-deref-in-btintel_read.patch [new file with mode: 0644]
queue-4.19/btrfs-export-handle-invalid-inode-or-root-reference-.patch [new file with mode: 0644]
queue-4.19/btrfs-handle-chunk-tree-lookup-error-in-btrfs_reloca.patch [new file with mode: 0644]
queue-4.19/btrfs-send-handle-path-ref-underflow-in-header-itera.patch [new file with mode: 0644]
queue-4.19/drm-amd-display-fix-nanosec-stat-overflow.patch [new file with mode: 0644]
queue-4.19/fbdev-viafb-fix-typo-in-hw_bitblt_1-and-hw_bitblt_2.patch [new file with mode: 0644]
queue-4.19/fbmon-prevent-division-by-zero-in-fb_videomode_from_.patch [new file with mode: 0644]
queue-4.19/input-allocate-keycode-for-display-refresh-rate-togg.patch [new file with mode: 0644]
queue-4.19/input-synaptics-rmi4-fail-probing-if-memory-allocati.patch [new file with mode: 0644]
queue-4.19/isofs-handle-cds-with-bad-root-inode-but-good-joliet.patch [new file with mode: 0644]
queue-4.19/ktest-force-buildonly-1-for-make_warnings_file-test-.patch [new file with mode: 0644]
queue-4.19/media-sta2x11-fix-irq-handler-cast.patch [new file with mode: 0644]
queue-4.19/scsi-lpfc-fix-possible-memory-leak-in-lpfc_rcv_padis.patch [new file with mode: 0644]
queue-4.19/series
queue-4.19/sunrpc-increase-size-of-rpc_wait_queue.qlen-from-uns.patch [new file with mode: 0644]
queue-4.19/sysv-don-t-call-sb_bread-with-pointers_lock-held.patch [new file with mode: 0644]
queue-4.19/tools-iio-replace-seekdir-in-iio_generic_buffer.patch [new file with mode: 0644]
queue-4.19/tools-power-x86_energy_perf_policy-fix-file-leak-in-.patch [new file with mode: 0644]
queue-4.19/usb-sl811-hcd-only-defined-function-checkdone-if-qui.patch [new file with mode: 0644]
queue-4.19/vmci-fix-memcpy-run-time-warning-in-dg_dispatch_as_h.patch [new file with mode: 0644]
queue-4.19/wifi-ath9k-fix-lna-selection-in-ath_ant_try_scan.patch [new file with mode: 0644]

diff --git a/queue-4.19/arm64-dts-rockchip-fix-rk3399-hdmi-ports-node.patch b/queue-4.19/arm64-dts-rockchip-fix-rk3399-hdmi-ports-node.patch
new file mode 100644 (file)
index 0000000..b44533f
--- /dev/null
@@ -0,0 +1,65 @@
+From a54550b0692b4e2e6322a33d8a1f291faec82751 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Jan 2024 22:17:31 +0100
+Subject: arm64: dts: rockchip: fix rk3399 hdmi ports node
+
+From: Johan Jonker <jbx6244@gmail.com>
+
+[ Upstream commit f051b6ace7ffcc48d6d1017191f167c0a85799f6 ]
+
+Fix rk3399 hdmi ports node so that it matches the
+rockchip,dw-hdmi.yaml binding.
+
+Signed-off-by: Johan Jonker <jbx6244@gmail.com>
+Link: https://lore.kernel.org/r/a6ab6f75-3b80-40b1-bd30-3113e14becdd@gmail.com
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/rockchip/rk3399.dtsi | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/rockchip/rk3399.dtsi b/arch/arm64/boot/dts/rockchip/rk3399.dtsi
+index 5a60faa8e9998..f19d43021a4e7 100644
+--- a/arch/arm64/boot/dts/rockchip/rk3399.dtsi
++++ b/arch/arm64/boot/dts/rockchip/rk3399.dtsi
+@@ -1683,6 +1683,7 @@ simple-audio-card,codec {
+       hdmi: hdmi@ff940000 {
+               compatible = "rockchip,rk3399-dw-hdmi";
+               reg = <0x0 0xff940000 0x0 0x20000>;
++              reg-io-width = <4>;
+               interrupts = <GIC_SPI 23 IRQ_TYPE_LEVEL_HIGH 0>;
+               clocks = <&cru PCLK_HDMI_CTRL>,
+                        <&cru SCLK_HDMI_SFR>,
+@@ -1691,13 +1692,16 @@ hdmi: hdmi@ff940000 {
+                        <&cru PLL_VPLL>;
+               clock-names = "iahb", "isfr", "cec", "grf", "vpll";
+               power-domains = <&power RK3399_PD_HDCP>;
+-              reg-io-width = <4>;
+               rockchip,grf = <&grf>;
+               #sound-dai-cells = <0>;
+               status = "disabled";
+               ports {
+-                      hdmi_in: port {
++                      #address-cells = <1>;
++                      #size-cells = <0>;
++
++                      hdmi_in: port@0 {
++                              reg = <0>;
+                               #address-cells = <1>;
+                               #size-cells = <0>;
+@@ -1710,6 +1714,10 @@ hdmi_in_vopl: endpoint@1 {
+                                       remote-endpoint = <&vopl_out_hdmi>;
+                               };
+                       };
++
++                      hdmi_out: port@1 {
++                              reg = <1>;
++                      };
+               };
+       };
+-- 
+2.43.0
+
diff --git a/queue-4.19/batman-adv-return-directly-after-a-failed-batadv_dat.patch b/queue-4.19/batman-adv-return-directly-after-a-failed-batadv_dat.patch
new file mode 100644 (file)
index 0000000..baee7a1
--- /dev/null
@@ -0,0 +1,55 @@
+From 0d7cf1af38db651f0497743ae85a73f207e86856 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Jan 2024 07:27:45 +0100
+Subject: batman-adv: Return directly after a failed
+ batadv_dat_select_candidates() in batadv_dat_forward_data()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Markus Elfring <elfring@users.sourceforge.net>
+
+[ Upstream commit ffc15626c861f811f9778914be004fcf43810a91 ]
+
+The kfree() function was called in one case by
+the batadv_dat_forward_data() function during error handling
+even if the passed variable contained a null pointer.
+This issue was detected by using the Coccinelle software.
+
+* Thus return directly after a batadv_dat_select_candidates() call failed
+  at the beginning.
+
+* Delete the label “out” which became unnecessary with this refactoring.
+
+Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
+Acked-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/batman-adv/distributed-arp-table.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/net/batman-adv/distributed-arp-table.c b/net/batman-adv/distributed-arp-table.c
+index af380dc877e31..6930d414138e1 100644
+--- a/net/batman-adv/distributed-arp-table.c
++++ b/net/batman-adv/distributed-arp-table.c
+@@ -648,7 +648,7 @@ static bool batadv_dat_send_data(struct batadv_priv *bat_priv,
+       cand = batadv_dat_select_candidates(bat_priv, ip, vid);
+       if (!cand)
+-              goto out;
++              return ret;
+       batadv_dbg(BATADV_DBG_DAT, bat_priv, "DHT_SEND for %pI4\n", &ip);
+@@ -692,7 +692,6 @@ static bool batadv_dat_send_data(struct batadv_priv *bat_priv,
+               batadv_orig_node_put(cand[i].orig_node);
+       }
+-out:
+       kfree(cand);
+       return ret;
+ }
+-- 
+2.43.0
+
diff --git a/queue-4.19/block-prevent-division-by-zero-in-blk_rq_stat_sum.patch b/queue-4.19/block-prevent-division-by-zero-in-blk_rq_stat_sum.patch
new file mode 100644 (file)
index 0000000..97d612e
--- /dev/null
@@ -0,0 +1,40 @@
+From 58dfb46bedb8b070d5450aa8ded2638beb7077fa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Mar 2024 16:45:09 +0300
+Subject: block: prevent division by zero in blk_rq_stat_sum()
+
+From: Roman Smirnov <r.smirnov@omp.ru>
+
+[ Upstream commit 93f52fbeaf4b676b21acfe42a5152620e6770d02 ]
+
+The expression dst->nr_samples + src->nr_samples may
+have zero value on overflow. It is necessary to add
+a check to avoid division by zero.
+
+Found by Linux Verification Center (linuxtesting.org) with Svace.
+
+Signed-off-by: Roman Smirnov <r.smirnov@omp.ru>
+Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru>
+Link: https://lore.kernel.org/r/20240305134509.23108-1-r.smirnov@omp.ru
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/blk-stat.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/block/blk-stat.c b/block/blk-stat.c
+index 7587b1c3caaf5..507ac714423bd 100644
+--- a/block/blk-stat.c
++++ b/block/blk-stat.c
+@@ -27,7 +27,7 @@ void blk_rq_stat_init(struct blk_rq_stat *stat)
+ /* src is a per-cpu stat, mean isn't initialized */
+ void blk_rq_stat_sum(struct blk_rq_stat *dst, struct blk_rq_stat *src)
+ {
+-      if (!src->nr_samples)
++      if (dst->nr_samples + src->nr_samples <= dst->nr_samples)
+               return;
+       dst->min = min(dst->min, src->min);
+-- 
+2.43.0
+
diff --git a/queue-4.19/bluetooth-btintel-fix-null-ptr-deref-in-btintel_read.patch b/queue-4.19/bluetooth-btintel-fix-null-ptr-deref-in-btintel_read.patch
new file mode 100644 (file)
index 0000000..b9824fb
--- /dev/null
@@ -0,0 +1,36 @@
+From 18562fd464610636907758fafecb3270889b746b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Jan 2024 12:40:34 +0800
+Subject: Bluetooth: btintel: Fix null ptr deref in btintel_read_version
+
+From: Edward Adam Davis <eadavis@qq.com>
+
+[ Upstream commit b79e040910101b020931ba0c9a6b77e81ab7f645 ]
+
+If hci_cmd_sync_complete() is triggered and skb is NULL, then
+hdev->req_skb is NULL, which will cause this issue.
+
+Reported-and-tested-by: syzbot+830d9e3fa61968246abd@syzkaller.appspotmail.com
+Signed-off-by: Edward Adam Davis <eadavis@qq.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/btintel.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/bluetooth/btintel.c b/drivers/bluetooth/btintel.c
+index 5270d55132015..6a3c0ad9f10ce 100644
+--- a/drivers/bluetooth/btintel.c
++++ b/drivers/bluetooth/btintel.c
+@@ -355,7 +355,7 @@ int btintel_read_version(struct hci_dev *hdev, struct intel_version *ver)
+       struct sk_buff *skb;
+       skb = __hci_cmd_sync(hdev, 0xfc05, 0, NULL, HCI_CMD_TIMEOUT);
+-      if (IS_ERR(skb)) {
++      if (IS_ERR_OR_NULL(skb)) {
+               bt_dev_err(hdev, "Reading Intel version information failed (%ld)",
+                          PTR_ERR(skb));
+               return PTR_ERR(skb);
+-- 
+2.43.0
+
diff --git a/queue-4.19/btrfs-export-handle-invalid-inode-or-root-reference-.patch b/queue-4.19/btrfs-export-handle-invalid-inode-or-root-reference-.patch
new file mode 100644 (file)
index 0000000..9255a2a
--- /dev/null
@@ -0,0 +1,48 @@
+From 93d2be30751e74c97f2a3d93c7ed5116c9664a50 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Jan 2024 21:19:18 +0100
+Subject: btrfs: export: handle invalid inode or root reference in
+ btrfs_get_parent()
+
+From: David Sterba <dsterba@suse.com>
+
+[ Upstream commit 26b66d1d366a375745755ca7365f67110bbf6bd5 ]
+
+The get_parent handler looks up a parent of a given dentry, this can be
+either a subvolume or a directory. The search is set up with offset -1
+but it's never expected to find such item, as it would break allowed
+range of inode number or a root id. This means it's a corruption (ext4
+also returns this error code).
+
+Reviewed-by: Josef Bacik <josef@toxicpanda.com>
+Reviewed-by: Anand Jain <anand.jain@oracle.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/export.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/export.c b/fs/btrfs/export.c
+index ecc33e3a3c063..01e9a5afc33bf 100644
+--- a/fs/btrfs/export.c
++++ b/fs/btrfs/export.c
+@@ -182,8 +182,15 @@ struct dentry *btrfs_get_parent(struct dentry *child)
+       ret = btrfs_search_slot(NULL, root, &key, path, 0, 0);
+       if (ret < 0)
+               goto fail;
++      if (ret == 0) {
++              /*
++               * Key with offset of -1 found, there would have to exist an
++               * inode with such number or a root with such id.
++               */
++              ret = -EUCLEAN;
++              goto fail;
++      }
+-      BUG_ON(ret == 0); /* Key with offset of -1 found */
+       if (path->slots[0] == 0) {
+               ret = -ENOENT;
+               goto fail;
+-- 
+2.43.0
+
diff --git a/queue-4.19/btrfs-handle-chunk-tree-lookup-error-in-btrfs_reloca.patch b/queue-4.19/btrfs-handle-chunk-tree-lookup-error-in-btrfs_reloca.patch
new file mode 100644 (file)
index 0000000..1e4b349
--- /dev/null
@@ -0,0 +1,56 @@
+From d2faececc38907c88d41eec572916ef5c7c02229 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Jan 2024 23:42:29 +0100
+Subject: btrfs: handle chunk tree lookup error in btrfs_relocate_sys_chunks()
+
+From: David Sterba <dsterba@suse.com>
+
+[ Upstream commit 7411055db5ce64f836aaffd422396af0075fdc99 ]
+
+The unhandled case in btrfs_relocate_sys_chunks() loop is a corruption,
+as it could be caused only by two impossible conditions:
+
+- at first the search key is set up to look for a chunk tree item, with
+  offset -1, this is an inexact search and the key->offset will contain
+  the correct offset upon a successful search, a valid chunk tree item
+  cannot have an offset -1
+
+- after first successful search, the found_key corresponds to a chunk
+  item, the offset is decremented by 1 before the next loop, it's
+  impossible to find a chunk item there due to alignment and size
+  constraints
+
+Reviewed-by: Josef Bacik <josef@toxicpanda.com>
+Reviewed-by: Anand Jain <anand.jain@oracle.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/volumes.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c
+index ceced5e56c5a9..30b5646b2c0de 100644
+--- a/fs/btrfs/volumes.c
++++ b/fs/btrfs/volumes.c
+@@ -2948,7 +2948,17 @@ static int btrfs_relocate_sys_chunks(struct btrfs_fs_info *fs_info)
+                       mutex_unlock(&fs_info->delete_unused_bgs_mutex);
+                       goto error;
+               }
+-              BUG_ON(ret == 0); /* Corruption */
++              if (ret == 0) {
++                      /*
++                       * On the first search we would find chunk tree with
++                       * offset -1, which is not possible. On subsequent
++                       * loops this would find an existing item on an invalid
++                       * offset (one less than the previous one, wrong
++                       * alignment and size).
++                       */
++                      ret = -EUCLEAN;
++                      goto error;
++              }
+               ret = btrfs_previous_item(chunk_root, path, key.objectid,
+                                         key.type);
+-- 
+2.43.0
+
diff --git a/queue-4.19/btrfs-send-handle-path-ref-underflow-in-header-itera.patch b/queue-4.19/btrfs-send-handle-path-ref-underflow-in-header-itera.patch
new file mode 100644 (file)
index 0000000..63fe724
--- /dev/null
@@ -0,0 +1,43 @@
+From 2da489778d4f52541bb4dd5d4d88f803a18ebc8e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Feb 2024 22:47:13 +0100
+Subject: btrfs: send: handle path ref underflow in header iterate_inode_ref()
+
+From: David Sterba <dsterba@suse.com>
+
+[ Upstream commit 3c6ee34c6f9cd12802326da26631232a61743501 ]
+
+Change BUG_ON to proper error handling if building the path buffer
+fails. The pointers are not printed so we don't accidentally leak kernel
+addresses.
+
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/send.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c
+index 0c86409a316e8..e3b6ca9176afe 100644
+--- a/fs/btrfs/send.c
++++ b/fs/btrfs/send.c
+@@ -958,7 +958,15 @@ static int iterate_inode_ref(struct btrfs_root *root, struct btrfs_path *path,
+                                       ret = PTR_ERR(start);
+                                       goto out;
+                               }
+-                              BUG_ON(start < p->buf);
++                              if (unlikely(start < p->buf)) {
++                                      btrfs_err(root->fs_info,
++                      "send: path ref buffer underflow for key (%llu %u %llu)",
++                                                found_key->objectid,
++                                                found_key->type,
++                                                found_key->offset);
++                                      ret = -EINVAL;
++                                      goto out;
++                              }
+                       }
+                       p->start = start;
+               } else {
+-- 
+2.43.0
+
diff --git a/queue-4.19/drm-amd-display-fix-nanosec-stat-overflow.patch b/queue-4.19/drm-amd-display-fix-nanosec-stat-overflow.patch
new file mode 100644 (file)
index 0000000..bc5babd
--- /dev/null
@@ -0,0 +1,45 @@
+From 3c83b4b2bacdb962da52ecd887a0fe1b605a62ec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Aug 2019 11:53:52 -0400
+Subject: drm/amd/display: Fix nanosec stat overflow
+
+From: Aric Cyr <aric.cyr@amd.com>
+
+[ Upstream commit 14d68acfd04b39f34eea7bea65dda652e6db5bf6 ]
+
+[Why]
+Nanosec stats can overflow on long running systems potentially causing
+statistic logging issues.
+
+[How]
+Use 64bit types for nanosec stats to ensure no overflow.
+
+Reviewed-by: Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Aric Cyr <aric.cyr@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/modules/inc/mod_stats.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/modules/inc/mod_stats.h b/drivers/gpu/drm/amd/display/modules/inc/mod_stats.h
+index 3812094b52e8f..88b312c3eb43a 100644
+--- a/drivers/gpu/drm/amd/display/modules/inc/mod_stats.h
++++ b/drivers/gpu/drm/amd/display/modules/inc/mod_stats.h
+@@ -51,10 +51,10 @@ void mod_stats_update_event(struct mod_stats *mod_stats,
+               unsigned int length);
+ void mod_stats_update_flip(struct mod_stats *mod_stats,
+-              unsigned long timestamp_in_ns);
++              unsigned long long timestamp_in_ns);
+ void mod_stats_update_vupdate(struct mod_stats *mod_stats,
+-              unsigned long timestamp_in_ns);
++              unsigned long long timestamp_in_ns);
+ void mod_stats_update_freesync(struct mod_stats *mod_stats,
+               unsigned int v_total_min,
+-- 
+2.43.0
+
diff --git a/queue-4.19/fbdev-viafb-fix-typo-in-hw_bitblt_1-and-hw_bitblt_2.patch b/queue-4.19/fbdev-viafb-fix-typo-in-hw_bitblt_1-and-hw_bitblt_2.patch
new file mode 100644 (file)
index 0000000..496e5cc
--- /dev/null
@@ -0,0 +1,47 @@
+From 7d220ad926a732ee203c5ad393447dd31022d2f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Mar 2024 14:35:43 +0300
+Subject: fbdev: viafb: fix typo in hw_bitblt_1 and hw_bitblt_2
+
+From: Aleksandr Burakov <a.burakov@rosalinux.ru>
+
+[ Upstream commit bc87bb342f106a0402186bcb588fcbe945dced4b ]
+
+There are some actions with value 'tmp' but 'dst_addr' is checked instead.
+It is obvious that a copy-paste error was made here and the value
+of variable 'tmp' should be checked here.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Signed-off-by: Aleksandr Burakov <a.burakov@rosalinux.ru>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/via/accel.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/video/fbdev/via/accel.c b/drivers/video/fbdev/via/accel.c
+index eb3615c69987e..f542b01568df9 100644
+--- a/drivers/video/fbdev/via/accel.c
++++ b/drivers/video/fbdev/via/accel.c
+@@ -129,7 +129,7 @@ static int hw_bitblt_1(void __iomem *engine, u8 op, u32 width, u32 height,
+       if (op != VIA_BITBLT_FILL) {
+               tmp = src_mem ? 0 : src_addr;
+-              if (dst_addr & 0xE0000007) {
++              if (tmp & 0xE0000007) {
+                       printk(KERN_WARNING "hw_bitblt_1: Unsupported source "
+                               "address %X\n", tmp);
+                       return -EINVAL;
+@@ -274,7 +274,7 @@ static int hw_bitblt_2(void __iomem *engine, u8 op, u32 width, u32 height,
+               writel(tmp, engine + 0x18);
+               tmp = src_mem ? 0 : src_addr;
+-              if (dst_addr & 0xE0000007) {
++              if (tmp & 0xE0000007) {
+                       printk(KERN_WARNING "hw_bitblt_2: Unsupported source "
+                               "address %X\n", tmp);
+                       return -EINVAL;
+-- 
+2.43.0
+
diff --git a/queue-4.19/fbmon-prevent-division-by-zero-in-fb_videomode_from_.patch b/queue-4.19/fbmon-prevent-division-by-zero-in-fb_videomode_from_.patch
new file mode 100644 (file)
index 0000000..6af4f1e
--- /dev/null
@@ -0,0 +1,51 @@
+From 57e1559fc9b1cb088aab91d20fe83c73389041c0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Mar 2024 11:13:44 +0300
+Subject: fbmon: prevent division by zero in fb_videomode_from_videomode()
+
+From: Roman Smirnov <r.smirnov@omp.ru>
+
+[ Upstream commit c2d953276b8b27459baed1277a4fdd5dd9bd4126 ]
+
+The expression htotal * vtotal can have a zero value on
+overflow. It is necessary to prevent division by zero like in
+fb_var_to_videomode().
+
+Found by Linux Verification Center (linuxtesting.org) with Svace.
+
+Signed-off-by: Roman Smirnov <r.smirnov@omp.ru>
+Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/core/fbmon.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/video/fbdev/core/fbmon.c b/drivers/video/fbdev/core/fbmon.c
+index 8607439d69328..e4040fb860bbc 100644
+--- a/drivers/video/fbdev/core/fbmon.c
++++ b/drivers/video/fbdev/core/fbmon.c
+@@ -1309,7 +1309,7 @@ int fb_get_mode(int flags, u32 val, struct fb_var_screeninfo *var, struct fb_inf
+ int fb_videomode_from_videomode(const struct videomode *vm,
+                               struct fb_videomode *fbmode)
+ {
+-      unsigned int htotal, vtotal;
++      unsigned int htotal, vtotal, total;
+       fbmode->xres = vm->hactive;
+       fbmode->left_margin = vm->hback_porch;
+@@ -1342,8 +1342,9 @@ int fb_videomode_from_videomode(const struct videomode *vm,
+       vtotal = vm->vactive + vm->vfront_porch + vm->vback_porch +
+                vm->vsync_len;
+       /* prevent division by zero */
+-      if (htotal && vtotal) {
+-              fbmode->refresh = vm->pixelclock / (htotal * vtotal);
++      total = htotal * vtotal;
++      if (total) {
++              fbmode->refresh = vm->pixelclock / total;
+       /* a mode must have htotal and vtotal != 0 or it is invalid */
+       } else {
+               fbmode->refresh = 0;
+-- 
+2.43.0
+
diff --git a/queue-4.19/input-allocate-keycode-for-display-refresh-rate-togg.patch b/queue-4.19/input-allocate-keycode-for-display-refresh-rate-togg.patch
new file mode 100644 (file)
index 0000000..dc819c6
--- /dev/null
@@ -0,0 +1,43 @@
+From 4fde13b271266d0067f63c373fe21496db7aadca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 10 Mar 2024 12:31:41 +0100
+Subject: Input: allocate keycode for Display refresh rate toggle
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Gergo Koteles <soyer@irl.hu>
+
+[ Upstream commit cfeb98b95fff25c442f78a6f616c627bc48a26b7 ]
+
+Newer Lenovo Yogas and Legions with 60Hz/90Hz displays send a wmi event
+when Fn + R is pressed. This is intended for use to switch between the
+two refresh rates.
+
+Allocate a new KEY_REFRESH_RATE_TOGGLE keycode for it.
+
+Signed-off-by: Gergo Koteles <soyer@irl.hu>
+Acked-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Link: https://lore.kernel.org/r/15a5d08c84cf4d7b820de34ebbcf8ae2502fb3ca.1710065750.git.soyer@irl.hu
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/uapi/linux/input-event-codes.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/include/uapi/linux/input-event-codes.h b/include/uapi/linux/input-event-codes.h
+index 1c011379a9967..76b524895dea6 100644
+--- a/include/uapi/linux/input-event-codes.h
++++ b/include/uapi/linux/input-event-codes.h
+@@ -596,6 +596,7 @@
+ #define KEY_ALS_TOGGLE                0x230   /* Ambient light sensor */
+ #define KEY_ROTATE_LOCK_TOGGLE        0x231   /* Display rotation lock */
++#define KEY_REFRESH_RATE_TOGGLE       0x232   /* Display refresh rate toggle */
+ #define KEY_BUTTONCONFIG              0x240   /* AL Button Configuration */
+ #define KEY_TASKMANAGER               0x241   /* AL Task/Project Manager */
+-- 
+2.43.0
+
diff --git a/queue-4.19/input-synaptics-rmi4-fail-probing-if-memory-allocati.patch b/queue-4.19/input-synaptics-rmi4-fail-probing-if-memory-allocati.patch
new file mode 100644 (file)
index 0000000..8db623a
--- /dev/null
@@ -0,0 +1,42 @@
+From e31ca083333a5706b32a1e741ef0edcc135f19c6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Jan 2024 11:37:59 -0800
+Subject: Input: synaptics-rmi4 - fail probing if memory allocation for "phys"
+ fails
+
+From: Kunwu Chan <chentao@kylinos.cn>
+
+[ Upstream commit bc4996184d56cfaf56d3811ac2680c8a0e2af56e ]
+
+While input core can work with input->phys set to NULL userspace might
+depend on it, so better fail probing if allocation fails. The system must
+be in a pretty bad shape for it to happen anyway.
+
+Signed-off-by: Kunwu Chan <chentao@kylinos.cn>
+Link: https://lore.kernel.org/r/20240117073124.143636-1-chentao@kylinos.cn
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/rmi4/rmi_driver.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/input/rmi4/rmi_driver.c b/drivers/input/rmi4/rmi_driver.c
+index ac6a20f7afdfa..0da814b41e72b 100644
+--- a/drivers/input/rmi4/rmi_driver.c
++++ b/drivers/input/rmi4/rmi_driver.c
+@@ -1199,7 +1199,11 @@ static int rmi_driver_probe(struct device *dev)
+               }
+               rmi_driver_set_input_params(rmi_dev, data->input);
+               data->input->phys = devm_kasprintf(dev, GFP_KERNEL,
+-                                              "%s/input0", dev_name(dev));
++                                                 "%s/input0", dev_name(dev));
++              if (!data->input->phys) {
++                      retval = -ENOMEM;
++                      goto err;
++              }
+       }
+       retval = rmi_init_functions(data);
+-- 
+2.43.0
+
diff --git a/queue-4.19/isofs-handle-cds-with-bad-root-inode-but-good-joliet.patch b/queue-4.19/isofs-handle-cds-with-bad-root-inode-but-good-joliet.patch
new file mode 100644 (file)
index 0000000..45e6ac9
--- /dev/null
@@ -0,0 +1,60 @@
+From 407de94fa25989b0ab37c4e9312eac33de904143 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Feb 2024 19:21:32 -0700
+Subject: isofs: handle CDs with bad root inode but good Joliet root directory
+
+From: Alex Henrie <alexhenrie24@gmail.com>
+
+[ Upstream commit 4243bf80c79211a8ca2795401add9c4a3b1d37ca ]
+
+I have a CD copy of the original Tom Clancy's Ghost Recon game from
+2001. The disc mounts without error on Windows, but on Linux mounting
+fails with the message "isofs_fill_super: get root inode failed". The
+error originates in isofs_read_inode, which returns -EIO because de_len
+is 0. The superblock on this disc appears to be intentionally corrupt as
+a form of copy protection.
+
+When the root inode is unusable, instead of giving up immediately, try
+to continue with the Joliet file table. This fixes the Ghost Recon CD
+and probably other copy-protected CDs too.
+
+Signed-off-by: Alex Henrie <alexhenrie24@gmail.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Message-Id: <20240208022134.451490-1-alexhenrie24@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/isofs/inode.c | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/fs/isofs/inode.c b/fs/isofs/inode.c
+index 6e4e2cfd40b9e..aec11a7676c9e 100644
+--- a/fs/isofs/inode.c
++++ b/fs/isofs/inode.c
+@@ -910,8 +910,22 @@ static int isofs_fill_super(struct super_block *s, void *data, int silent)
+        * we then decide whether to use the Joliet descriptor.
+        */
+       inode = isofs_iget(s, sbi->s_firstdatazone, 0);
+-      if (IS_ERR(inode))
+-              goto out_no_root;
++
++      /*
++       * Fix for broken CDs with a corrupt root inode but a correct Joliet
++       * root directory.
++       */
++      if (IS_ERR(inode)) {
++              if (joliet_level && sbi->s_firstdatazone != first_data_zone) {
++                      printk(KERN_NOTICE
++                             "ISOFS: root inode is unusable. "
++                             "Disabling Rock Ridge and switching to Joliet.");
++                      sbi->s_rock = 0;
++                      inode = NULL;
++              } else {
++                      goto out_no_root;
++              }
++      }
+       /*
+        * Fix for broken CDs with Rock Ridge and empty ISO root directory but
+-- 
+2.43.0
+
diff --git a/queue-4.19/ktest-force-buildonly-1-for-make_warnings_file-test-.patch b/queue-4.19/ktest-force-buildonly-1-for-make_warnings_file-test-.patch
new file mode 100644 (file)
index 0000000..8228e3a
--- /dev/null
@@ -0,0 +1,41 @@
+From 825ba443edeaeeee8ab0736196846ba85558dded Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Mar 2024 12:28:08 -0300
+Subject: ktest: force $buildonly = 1 for 'make_warnings_file' test type
+
+From: Ricardo B. Marliere <ricardo@marliere.net>
+
+[ Upstream commit 07283c1873a4d0eaa0e822536881bfdaea853910 ]
+
+The test type "make_warnings_file" should have no mandatory configuration
+parameters other than the ones required by the "build" test type, because
+its purpose is to create a file with build warnings that may or may not be
+used by other subsequent tests. Currently, the only way to use it as a
+stand-alone test is by setting POWER_CYCLE, CONSOLE, SSH_USER,
+BUILD_TARGET, TARGET_IMAGE, REBOOT_TYPE and GRUB_MENU.
+
+Link: https://lkml.kernel.org/r/20240315-ktest-v2-1-c5c20a75f6a3@marliere.net
+
+Cc: John Hawley <warthog9@eaglescrag.net>
+Signed-off-by: Ricardo B. Marliere <ricardo@marliere.net>
+Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/ktest/ktest.pl | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/testing/ktest/ktest.pl b/tools/testing/ktest/ktest.pl
+index 128a7fe45a1e3..a29d9e125b00b 100755
+--- a/tools/testing/ktest/ktest.pl
++++ b/tools/testing/ktest/ktest.pl
+@@ -765,6 +765,7 @@ sub set_value {
+     if ($lvalue =~ /^(TEST|BISECT|CONFIG_BISECT)_TYPE(\[.*\])?$/ &&
+       $prvalue !~ /^(config_|)bisect$/ &&
+       $prvalue !~ /^build$/ &&
++      $prvalue !~ /^make_warnings_file$/ &&
+       $buildonly) {
+       # Note if a test is something other than build, then we
+-- 
+2.43.0
+
diff --git a/queue-4.19/media-sta2x11-fix-irq-handler-cast.patch b/queue-4.19/media-sta2x11-fix-irq-handler-cast.patch
new file mode 100644 (file)
index 0000000..69f16e6
--- /dev/null
@@ -0,0 +1,62 @@
+From e37aff03f1896f0e28a03d8222f8dee540d846e1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Feb 2024 10:54:47 +0100
+Subject: media: sta2x11: fix irq handler cast
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 3de49ae81c3a0f83a554ecbce4c08e019f30168e ]
+
+clang-16 warns about casting incompatible function pointers:
+
+drivers/media/pci/sta2x11/sta2x11_vip.c:1057:6: error: cast from 'irqreturn_t (*)(int, struct sta2x11_vip *)' (aka 'enum irqreturn (*)(int, struct sta2x11_vip *)') to 'irq_handler_t' (aka 'enum irqreturn (*)(int, void *)') converts to incompatible function type [-Werror,-Wcast-function-type-strict]
+
+Change the prototype of the irq handler to the regular version with a
+local variable to adjust the argument type.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+[hverkuil: update argument documentation]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/pci/sta2x11/sta2x11_vip.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/media/pci/sta2x11/sta2x11_vip.c b/drivers/media/pci/sta2x11/sta2x11_vip.c
+index 1858efedaf1a4..33d6c95b36130 100644
+--- a/drivers/media/pci/sta2x11/sta2x11_vip.c
++++ b/drivers/media/pci/sta2x11/sta2x11_vip.c
+@@ -780,7 +780,7 @@ static const struct video_device video_dev_template = {
+ /**
+  * vip_irq - interrupt routine
+  * @irq: Number of interrupt ( not used, correct number is assumed )
+- * @vip: local data structure containing all information
++ * @data: local data structure containing all information
+  *
+  * check for both frame interrupts set ( top and bottom ).
+  * check FIFO overflow, but limit number of log messages after open.
+@@ -790,8 +790,9 @@ static const struct video_device video_dev_template = {
+  *
+  * IRQ_HANDLED, interrupt done.
+  */
+-static irqreturn_t vip_irq(int irq, struct sta2x11_vip *vip)
++static irqreturn_t vip_irq(int irq, void *data)
+ {
++      struct sta2x11_vip *vip = data;
+       unsigned int status;
+       status = reg_read(vip, DVP_ITS);
+@@ -1073,9 +1074,7 @@ static int sta2x11_vip_init_one(struct pci_dev *pdev,
+       spin_lock_init(&vip->slock);
+-      ret = request_irq(pdev->irq,
+-                        (irq_handler_t) vip_irq,
+-                        IRQF_SHARED, KBUILD_MODNAME, vip);
++      ret = request_irq(pdev->irq, vip_irq, IRQF_SHARED, KBUILD_MODNAME, vip);
+       if (ret) {
+               dev_err(&pdev->dev, "request_irq failed\n");
+               ret = -ENODEV;
+-- 
+2.43.0
+
diff --git a/queue-4.19/scsi-lpfc-fix-possible-memory-leak-in-lpfc_rcv_padis.patch b/queue-4.19/scsi-lpfc-fix-possible-memory-leak-in-lpfc_rcv_padis.patch
new file mode 100644 (file)
index 0000000..2caa277
--- /dev/null
@@ -0,0 +1,45 @@
+From ad7e65c6556a8e28bcc96aaf5d6fed5aae2705a7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Jan 2024 10:50:57 -0800
+Subject: scsi: lpfc: Fix possible memory leak in lpfc_rcv_padisc()
+
+From: Justin Tee <justin.tee@broadcom.com>
+
+[ Upstream commit 2ae917d4bcab80ab304b774d492e2fcd6c52c06b ]
+
+The call to lpfc_sli4_resume_rpi() in lpfc_rcv_padisc() may return an
+unsuccessful status.  In such cases, the elsiocb is not issued, the
+completion is not called, and thus the elsiocb resource is leaked.
+
+Check return value after calling lpfc_sli4_resume_rpi() and conditionally
+release the elsiocb resource.
+
+Signed-off-by: Justin Tee <justin.tee@broadcom.com>
+Link: https://lore.kernel.org/r/20240131185112.149731-3-justintee8345@gmail.com
+Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/lpfc/lpfc_nportdisc.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/lpfc/lpfc_nportdisc.c b/drivers/scsi/lpfc/lpfc_nportdisc.c
+index f666518d84b0a..0890c2e38eeca 100644
+--- a/drivers/scsi/lpfc/lpfc_nportdisc.c
++++ b/drivers/scsi/lpfc/lpfc_nportdisc.c
+@@ -601,8 +601,10 @@ lpfc_rcv_padisc(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp,
+                               /* Save the ELS cmd */
+                               elsiocb->drvrTimeout = cmd;
+-                              lpfc_sli4_resume_rpi(ndlp,
+-                                      lpfc_mbx_cmpl_resume_rpi, elsiocb);
++                              if (lpfc_sli4_resume_rpi(ndlp,
++                                              lpfc_mbx_cmpl_resume_rpi,
++                                              elsiocb))
++                                      kfree(elsiocb);
+                               goto out;
+                       }
+               }
+-- 
+2.43.0
+
index a90682230041e8a49197183b0894fa82281506a8..080a233cf59c29617a2aef3ffcf6a9de80d725b9 100644 (file)
@@ -141,3 +141,26 @@ asoc-ops-fix-wraparound-for-mask-in-snd_soc_get_vols.patch
 ata-sata_sx4-fix-pdc20621_get_from_dimm-on-64-bit.patch
 ata-sata_mv-fix-pci-device-id-table-declaration-comp.patch
 alsa-hda-realtek-update-panasonic-cf-sz6-quirk-to-support-headset-with-microphone.patch
+wifi-ath9k-fix-lna-selection-in-ath_ant_try_scan.patch
+batman-adv-return-directly-after-a-failed-batadv_dat.patch
+vmci-fix-memcpy-run-time-warning-in-dg_dispatch_as_h.patch
+arm64-dts-rockchip-fix-rk3399-hdmi-ports-node.patch
+tools-power-x86_energy_perf_policy-fix-file-leak-in-.patch
+btrfs-handle-chunk-tree-lookup-error-in-btrfs_reloca.patch
+btrfs-export-handle-invalid-inode-or-root-reference-.patch
+btrfs-send-handle-path-ref-underflow-in-header-itera.patch
+bluetooth-btintel-fix-null-ptr-deref-in-btintel_read.patch
+input-synaptics-rmi4-fail-probing-if-memory-allocati.patch
+sysv-don-t-call-sb_bread-with-pointers_lock-held.patch
+scsi-lpfc-fix-possible-memory-leak-in-lpfc_rcv_padis.patch
+isofs-handle-cds-with-bad-root-inode-but-good-joliet.patch
+media-sta2x11-fix-irq-handler-cast.patch
+drm-amd-display-fix-nanosec-stat-overflow.patch
+sunrpc-increase-size-of-rpc_wait_queue.qlen-from-uns.patch
+block-prevent-division-by-zero-in-blk_rq_stat_sum.patch
+input-allocate-keycode-for-display-refresh-rate-togg.patch
+ktest-force-buildonly-1-for-make_warnings_file-test-.patch
+tools-iio-replace-seekdir-in-iio_generic_buffer.patch
+usb-sl811-hcd-only-defined-function-checkdone-if-qui.patch
+fbdev-viafb-fix-typo-in-hw_bitblt_1-and-hw_bitblt_2.patch
+fbmon-prevent-division-by-zero-in-fb_videomode_from_.patch
diff --git a/queue-4.19/sunrpc-increase-size-of-rpc_wait_queue.qlen-from-uns.patch b/queue-4.19/sunrpc-increase-size-of-rpc_wait_queue.qlen-from-uns.patch
new file mode 100644 (file)
index 0000000..e42b721
--- /dev/null
@@ -0,0 +1,87 @@
+From 3018f5c6f054e69f687abf5e25866418971f5f83 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Jan 2024 11:38:25 -0800
+Subject: SUNRPC: increase size of rpc_wait_queue.qlen from unsigned short to
+ unsigned int
+
+From: Dai Ngo <dai.ngo@oracle.com>
+
+[ Upstream commit 2c35f43b5a4b9cdfaa6fdd946f5a212615dac8eb ]
+
+When the NFS client is under extreme load the rpc_wait_queue.qlen counter
+can be overflowed. Here is an instant of the backlog queue overflow in a
+real world environment shown by drgn helper:
+
+rpc_task_stats(rpc_clnt):
+-------------------------
+rpc_clnt: 0xffff92b65d2bae00
+rpc_xprt: 0xffff9275db64f000
+  Queue:  sending[64887] pending[524] backlog[30441] binding[0]
+XMIT task: 0xffff925c6b1d8e98
+     WRITE: 750654
+        __dta_call_status_580: 65463
+        __dta_call_transmit_status_579: 1
+        call_reserveresult: 685189
+        nfs_client_init_is_complete: 1
+    COMMIT: 584
+        call_reserveresult: 573
+        __dta_call_status_580: 11
+    ACCESS: 1
+        __dta_call_status_580: 1
+   GETATTR: 10
+        __dta_call_status_580: 4
+        call_reserveresult: 6
+751249 tasks for server 111.222.333.444
+Total tasks: 751249
+
+count_rpc_wait_queues(xprt):
+----------------------------
+**** rpc_xprt: 0xffff9275db64f000 num_reqs: 65511
+wait_queue: xprt_binding[0] cnt: 0
+wait_queue: xprt_binding[1] cnt: 0
+wait_queue: xprt_binding[2] cnt: 0
+wait_queue: xprt_binding[3] cnt: 0
+rpc_wait_queue[xprt_binding].qlen: 0 maxpriority: 0
+wait_queue: xprt_sending[0] cnt: 0
+wait_queue: xprt_sending[1] cnt: 64887
+wait_queue: xprt_sending[2] cnt: 0
+wait_queue: xprt_sending[3] cnt: 0
+rpc_wait_queue[xprt_sending].qlen: 64887 maxpriority: 3
+wait_queue: xprt_pending[0] cnt: 524
+wait_queue: xprt_pending[1] cnt: 0
+wait_queue: xprt_pending[2] cnt: 0
+wait_queue: xprt_pending[3] cnt: 0
+rpc_wait_queue[xprt_pending].qlen: 524 maxpriority: 0
+wait_queue: xprt_backlog[0] cnt: 0
+wait_queue: xprt_backlog[1] cnt: 685801
+wait_queue: xprt_backlog[2] cnt: 0
+wait_queue: xprt_backlog[3] cnt: 0
+rpc_wait_queue[xprt_backlog].qlen: 30441 maxpriority: 3 [task cnt mismatch]
+
+There is no effect on operations when this overflow occurs. However
+it causes confusion when trying to diagnose the performance problem.
+
+Signed-off-by: Dai Ngo <dai.ngo@oracle.com>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/sunrpc/sched.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/sunrpc/sched.h b/include/linux/sunrpc/sched.h
+index 96837ae07822b..ca0a568fd8244 100644
+--- a/include/linux/sunrpc/sched.h
++++ b/include/linux/sunrpc/sched.h
+@@ -190,7 +190,7 @@ struct rpc_wait_queue {
+       unsigned char           maxpriority;            /* maximum priority (0 if queue is not a priority queue) */
+       unsigned char           priority;               /* current priority */
+       unsigned char           nr;                     /* # tasks remaining for cookie */
+-      unsigned short          qlen;                   /* total # tasks waiting in queue */
++      unsigned int            qlen;                   /* total # tasks waiting in queue */
+       struct rpc_timer        timer_list;
+ #if IS_ENABLED(CONFIG_SUNRPC_DEBUG) || IS_ENABLED(CONFIG_TRACEPOINTS)
+       const char *            name;
+-- 
+2.43.0
+
diff --git a/queue-4.19/sysv-don-t-call-sb_bread-with-pointers_lock-held.patch b/queue-4.19/sysv-don-t-call-sb_bread-with-pointers_lock-held.patch
new file mode 100644 (file)
index 0000000..bb701f4
--- /dev/null
@@ -0,0 +1,94 @@
+From 32da3f52468d75001cbbed5f98bf782d8dfc3a04 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Apr 2023 21:04:50 +0900
+Subject: sysv: don't call sb_bread() with pointers_lock held
+
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+
+[ Upstream commit f123dc86388cb669c3d6322702dc441abc35c31e ]
+
+syzbot is reporting sleep in atomic context in SysV filesystem [1], for
+sb_bread() is called with rw_spinlock held.
+
+A "write_lock(&pointers_lock) => read_lock(&pointers_lock) deadlock" bug
+and a "sb_bread() with write_lock(&pointers_lock)" bug were introduced by
+"Replace BKL for chain locking with sysvfs-private rwlock" in Linux 2.5.12.
+
+Then, "[PATCH] err1-40: sysvfs locking fix" in Linux 2.6.8 fixed the
+former bug by moving pointers_lock lock to the callers, but instead
+introduced a "sb_bread() with read_lock(&pointers_lock)" bug (which made
+this problem easier to hit).
+
+Al Viro suggested that why not to do like get_branch()/get_block()/
+find_shared() in Minix filesystem does. And doing like that is almost a
+revert of "[PATCH] err1-40: sysvfs locking fix" except that get_branch()
+ from with find_shared() is called without write_lock(&pointers_lock).
+
+Reported-by: syzbot <syzbot+69b40dc5fd40f32c199f@syzkaller.appspotmail.com>
+Link: https://syzkaller.appspot.com/bug?extid=69b40dc5fd40f32c199f
+Suggested-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Link: https://lore.kernel.org/r/0d195f93-a22a-49a2-0020-103534d6f7f6@I-love.SAKURA.ne.jp
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/sysv/itree.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/fs/sysv/itree.c b/fs/sysv/itree.c
+index e3d1673b8ec97..ef9bcfeec21ad 100644
+--- a/fs/sysv/itree.c
++++ b/fs/sysv/itree.c
+@@ -82,9 +82,6 @@ static inline sysv_zone_t *block_end(struct buffer_head *bh)
+       return (sysv_zone_t*)((char*)bh->b_data + bh->b_size);
+ }
+-/*
+- * Requires read_lock(&pointers_lock) or write_lock(&pointers_lock)
+- */
+ static Indirect *get_branch(struct inode *inode,
+                           int depth,
+                           int offsets[],
+@@ -104,15 +101,18 @@ static Indirect *get_branch(struct inode *inode,
+               bh = sb_bread(sb, block);
+               if (!bh)
+                       goto failure;
++              read_lock(&pointers_lock);
+               if (!verify_chain(chain, p))
+                       goto changed;
+               add_chain(++p, bh, (sysv_zone_t*)bh->b_data + *++offsets);
++              read_unlock(&pointers_lock);
+               if (!p->key)
+                       goto no_block;
+       }
+       return NULL;
+ changed:
++      read_unlock(&pointers_lock);
+       brelse(bh);
+       *err = -EAGAIN;
+       goto no_block;
+@@ -218,9 +218,7 @@ static int get_block(struct inode *inode, sector_t iblock, struct buffer_head *b
+               goto out;
+ reread:
+-      read_lock(&pointers_lock);
+       partial = get_branch(inode, depth, offsets, chain, &err);
+-      read_unlock(&pointers_lock);
+       /* Simplest case - block found, no allocation needed */
+       if (!partial) {
+@@ -290,9 +288,9 @@ static Indirect *find_shared(struct inode *inode,
+       *top = 0;
+       for (k = depth; k > 1 && !offsets[k-1]; k--)
+               ;
++      partial = get_branch(inode, k, offsets, chain, &err);
+       write_lock(&pointers_lock);
+-      partial = get_branch(inode, k, offsets, chain, &err);
+       if (!partial)
+               partial = chain + k-1;
+       /*
+-- 
+2.43.0
+
diff --git a/queue-4.19/tools-iio-replace-seekdir-in-iio_generic_buffer.patch b/queue-4.19/tools-iio-replace-seekdir-in-iio_generic_buffer.patch
new file mode 100644 (file)
index 0000000..59b3acd
--- /dev/null
@@ -0,0 +1,45 @@
+From 492311462c3d4698d848dad3aae00ad69dc74f7e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Jan 2024 12:32:20 +0200
+Subject: tools: iio: replace seekdir() in iio_generic_buffer
+
+From: Petre Rodan <petre.rodan@subdimension.ro>
+
+[ Upstream commit 4e6500bfa053dc133021f9c144261b77b0ba7dc8 ]
+
+Replace seekdir() with rewinddir() in order to fix a localized glibc bug.
+
+One of the glibc patches that stable Gentoo is using causes an improper
+directory stream positioning bug on 32bit arm. That in turn ends up as a
+floating point exception in iio_generic_buffer.
+
+The attached patch provides a fix by using an equivalent function which
+should not cause trouble for other distros and is easier to reason about
+in general as it obviously always goes back to to the start.
+
+https://sourceware.org/bugzilla/show_bug.cgi?id=31212
+
+Signed-off-by: Petre Rodan <petre.rodan@subdimension.ro>
+Link: https://lore.kernel.org/r/20240108103224.3986-1-petre.rodan@subdimension.ro
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/iio/iio_utils.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/iio/iio_utils.c b/tools/iio/iio_utils.c
+index d174487b2f226..1ef51c7e7b04f 100644
+--- a/tools/iio/iio_utils.c
++++ b/tools/iio/iio_utils.c
+@@ -376,7 +376,7 @@ int build_channel_array(const char *device_dir,
+               goto error_close_dir;
+       }
+-      seekdir(dp, 0);
++      rewinddir(dp);
+       while (ent = readdir(dp), ent) {
+               if (strcmp(ent->d_name + strlen(ent->d_name) - strlen("_en"),
+                          "_en") == 0) {
+-- 
+2.43.0
+
diff --git a/queue-4.19/tools-power-x86_energy_perf_policy-fix-file-leak-in-.patch b/queue-4.19/tools-power-x86_energy_perf_policy-fix-file-leak-in-.patch
new file mode 100644 (file)
index 0000000..6ce67d5
--- /dev/null
@@ -0,0 +1,35 @@
+From af9a72cc424a02d44669067c1354fbcbc17c6ef0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Feb 2024 16:19:56 -0800
+Subject: tools/power x86_energy_perf_policy: Fix file leak in get_pkg_num()
+
+From: Samasth Norway Ananda <samasth.norway.ananda@oracle.com>
+
+[ Upstream commit f85450f134f0b4ca7e042dc3dc89155656a2299d ]
+
+In function get_pkg_num() if fopen_or_die() succeeds it returns a file
+pointer to be used. But fclose() is never called before returning from
+the function.
+
+Signed-off-by: Samasth Norway Ananda <samasth.norway.ananda@oracle.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/power/x86/x86_energy_perf_policy/x86_energy_perf_policy.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/power/x86/x86_energy_perf_policy/x86_energy_perf_policy.c b/tools/power/x86/x86_energy_perf_policy/x86_energy_perf_policy.c
+index 2aba622d1c5aa..470d03e143422 100644
+--- a/tools/power/x86/x86_energy_perf_policy/x86_energy_perf_policy.c
++++ b/tools/power/x86/x86_energy_perf_policy/x86_energy_perf_policy.c
+@@ -1112,6 +1112,7 @@ unsigned int get_pkg_num(int cpu)
+       retval = fscanf(fp, "%d\n", &pkg);
+       if (retval != 1)
+               errx(1, "%s: failed to parse", pathname);
++      fclose(fp);
+       return pkg;
+ }
+-- 
+2.43.0
+
diff --git a/queue-4.19/usb-sl811-hcd-only-defined-function-checkdone-if-qui.patch b/queue-4.19/usb-sl811-hcd-only-defined-function-checkdone-if-qui.patch
new file mode 100644 (file)
index 0000000..7483efa
--- /dev/null
@@ -0,0 +1,47 @@
+From 3020ba186866482b3a9a4d7461dcc3fb26284c96 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Mar 2024 11:13:51 +0000
+Subject: usb: sl811-hcd: only defined function checkdone if QUIRK2 is defined
+
+From: Colin Ian King <colin.i.king@gmail.com>
+
+[ Upstream commit 12f371e2b6cb4b79c788f1f073992e115f4ca918 ]
+
+Function checkdone is only required if QUIRK2 is defined, so add
+appropriate #if / #endif around the function.
+
+Cleans up clang scan build warning:
+drivers/usb/host/sl811-hcd.c:588:18: warning: unused function
+'checkdone' [-Wunused-function]
+
+Signed-off-by: Colin Ian King <colin.i.king@gmail.com>
+Link: https://lore.kernel.org/r/20240307111351.1982382-1-colin.i.king@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/host/sl811-hcd.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/usb/host/sl811-hcd.c b/drivers/usb/host/sl811-hcd.c
+index 6dedefada92b1..873300e8cd277 100644
+--- a/drivers/usb/host/sl811-hcd.c
++++ b/drivers/usb/host/sl811-hcd.c
+@@ -585,6 +585,7 @@ done(struct sl811 *sl811, struct sl811h_ep *ep, u8 bank)
+               finish_request(sl811, ep, urb, urbstat);
+ }
++#ifdef QUIRK2
+ static inline u8 checkdone(struct sl811 *sl811)
+ {
+       u8      ctl;
+@@ -616,6 +617,7 @@ static inline u8 checkdone(struct sl811 *sl811)
+ #endif
+       return irqstat;
+ }
++#endif
+ static irqreturn_t sl811h_irq(struct usb_hcd *hcd)
+ {
+-- 
+2.43.0
+
diff --git a/queue-4.19/vmci-fix-memcpy-run-time-warning-in-dg_dispatch_as_h.patch b/queue-4.19/vmci-fix-memcpy-run-time-warning-in-dg_dispatch_as_h.patch
new file mode 100644 (file)
index 0000000..91c6c5a
--- /dev/null
@@ -0,0 +1,80 @@
+From 9b79588fbad4566d6927feba2f8aa26d2a1e87e8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Jan 2024 08:40:00 -0800
+Subject: VMCI: Fix memcpy() run-time warning in dg_dispatch_as_host()
+
+From: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
+
+[ Upstream commit 19b070fefd0d024af3daa7329cbc0d00de5302ec ]
+
+Syzkaller hit 'WARNING in dg_dispatch_as_host' bug.
+
+memcpy: detected field-spanning write (size 56) of single field "&dg_info->msg"
+at drivers/misc/vmw_vmci/vmci_datagram.c:237 (size 24)
+
+WARNING: CPU: 0 PID: 1555 at drivers/misc/vmw_vmci/vmci_datagram.c:237
+dg_dispatch_as_host+0x88e/0xa60 drivers/misc/vmw_vmci/vmci_datagram.c:237
+
+Some code commentry, based on my understanding:
+
+544 #define VMCI_DG_SIZE(_dg) (VMCI_DG_HEADERSIZE + (size_t)(_dg)->payload_size)
+/// This is 24 + payload_size
+
+memcpy(&dg_info->msg, dg, dg_size);
+       Destination = dg_info->msg ---> this is a 24 byte
+                                       structure(struct vmci_datagram)
+       Source = dg --> this is a 24 byte structure (struct vmci_datagram)
+       Size = dg_size = 24 + payload_size
+
+{payload_size = 56-24 =32} -- Syzkaller managed to set payload_size to 32.
+
+ 35 struct delayed_datagram_info {
+ 36         struct datagram_entry *entry;
+ 37         struct work_struct work;
+ 38         bool in_dg_host_queue;
+ 39         /* msg and msg_payload must be together. */
+ 40         struct vmci_datagram msg;
+ 41         u8 msg_payload[];
+ 42 };
+
+So those extra bytes of payload are copied into msg_payload[], a run time
+warning is seen while fuzzing with Syzkaller.
+
+One possible way to fix the warning is to split the memcpy() into
+two parts -- one -- direct assignment of msg and second taking care of payload.
+
+Gustavo quoted:
+"Under FORTIFY_SOURCE we should not copy data across multiple members
+in a structure."
+
+Reported-by: syzkaller <syzkaller@googlegroups.com>
+Suggested-by: Vegard Nossum <vegard.nossum@oracle.com>
+Suggested-by: Gustavo A. R. Silva <gustavoars@kernel.org>
+Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
+Reviewed-by: Gustavo A. R. Silva <gustavoars@kernel.org>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://lore.kernel.org/r/20240105164001.2129796-2-harshit.m.mogalapalli@oracle.com
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/vmw_vmci/vmci_datagram.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/misc/vmw_vmci/vmci_datagram.c b/drivers/misc/vmw_vmci/vmci_datagram.c
+index 8a4b6bbe1beed..275542e8b2ad9 100644
+--- a/drivers/misc/vmw_vmci/vmci_datagram.c
++++ b/drivers/misc/vmw_vmci/vmci_datagram.c
+@@ -242,7 +242,8 @@ static int dg_dispatch_as_host(u32 context_id, struct vmci_datagram *dg)
+                       dg_info->in_dg_host_queue = true;
+                       dg_info->entry = dst_entry;
+-                      memcpy(&dg_info->msg, dg, dg_size);
++                      dg_info->msg = *dg;
++                      memcpy(&dg_info->msg_payload, dg + 1, dg->payload_size);
+                       INIT_WORK(&dg_info->work, dg_delayed_dispatch);
+                       schedule_work(&dg_info->work);
+-- 
+2.43.0
+
diff --git a/queue-4.19/wifi-ath9k-fix-lna-selection-in-ath_ant_try_scan.patch b/queue-4.19/wifi-ath9k-fix-lna-selection-in-ath_ant_try_scan.patch
new file mode 100644 (file)
index 0000000..42aab22
--- /dev/null
@@ -0,0 +1,43 @@
+From ca2467deb7f08071487306d27db35460f22506c9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 17 Dec 2023 13:29:03 +0200
+Subject: wifi: ath9k: fix LNA selection in ath_ant_try_scan()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Dmitry Antipov <dmantipov@yandex.ru>
+
+[ Upstream commit d6b27eb997ef9a2aa51633b3111bc4a04748e6d3 ]
+
+In 'ath_ant_try_scan()', (most likely) the 2nd LNA's signal
+strength should be used in comparison against RSSI when
+selecting first LNA as the main one. Compile tested only.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
+Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://msgid.link/20231211172502.25202-1-dmantipov@yandex.ru
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath9k/antenna.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath9k/antenna.c b/drivers/net/wireless/ath/ath9k/antenna.c
+index a3668433dc02b..deac6184dd016 100644
+--- a/drivers/net/wireless/ath/ath9k/antenna.c
++++ b/drivers/net/wireless/ath/ath9k/antenna.c
+@@ -643,7 +643,7 @@ static void ath_ant_try_scan(struct ath_ant_comb *antcomb,
+                               conf->main_lna_conf = ATH_ANT_DIV_COMB_LNA1;
+                               conf->alt_lna_conf = ATH_ANT_DIV_COMB_LNA1_PLUS_LNA2;
+                       } else if (antcomb->rssi_sub >
+-                                 antcomb->rssi_lna1) {
++                                 antcomb->rssi_lna2) {
+                               /* set to A-B */
+                               conf->main_lna_conf = ATH_ANT_DIV_COMB_LNA1;
+                               conf->alt_lna_conf = ATH_ANT_DIV_COMB_LNA1_MINUS_LNA2;
+-- 
+2.43.0
+