5.10-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 10 Jul 2025 13:48:23 +0000 (15:48 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 10 Jul 2025 13:48:23 +0000 (15:48 +0200)
added patches:
acpi-pad-fix-crash-in-exit_round_robin.patch
media-uvcvideo-return-the-number-of-processed-controls.patch
media-uvcvideo-rollback-non-processed-entities-on-error.patch
media-uvcvideo-send-control-events-for-partial-succeeds.patch
staging-rtl8723bs-avoid-memset-in-aes_cipher-and-aes_decipher.patch

queue-5.10/acpi-pad-fix-crash-in-exit_round_robin.patch [new file with mode: 0644]
queue-5.10/media-uvcvideo-return-the-number-of-processed-controls.patch [new file with mode: 0644]
queue-5.10/media-uvcvideo-rollback-non-processed-entities-on-error.patch [new file with mode: 0644]
queue-5.10/media-uvcvideo-send-control-events-for-partial-succeeds.patch [new file with mode: 0644]
queue-5.10/series
queue-5.10/staging-rtl8723bs-avoid-memset-in-aes_cipher-and-aes_decipher.patch [new file with mode: 0644]

diff --git a/queue-5.10/acpi-pad-fix-crash-in-exit_round_robin.patch b/queue-5.10/acpi-pad-fix-crash-in-exit_round_robin.patch
new file mode 100644 (file)
index 0000000..5daeb22
--- /dev/null
@@ -0,0 +1,93 @@
+From 0a2ed70a549e61c5181bad5db418d223b68ae932 Mon Sep 17 00:00:00 2001
+From: Seiji Nishikawa <snishika@redhat.com>
+Date: Sun, 25 Aug 2024 23:13:52 +0900
+Subject: ACPI: PAD: fix crash in exit_round_robin()
+
+From: Seiji Nishikawa <snishika@redhat.com>
+
+commit 0a2ed70a549e61c5181bad5db418d223b68ae932 upstream.
+
+The kernel occasionally crashes in cpumask_clear_cpu(), which is called
+within exit_round_robin(), because when executing clear_bit(nr, addr) with
+nr set to 0xffffffff, the address calculation may cause misalignment within
+the memory, leading to access to an invalid memory address.
+
+----------
+BUG: unable to handle kernel paging request at ffffffffe0740618
+        ...
+CPU: 3 PID: 2919323 Comm: acpi_pad/14 Kdump: loaded Tainted: G           OE  X --------- -  - 4.18.0-425.19.2.el8_7.x86_64 #1
+        ...
+RIP: 0010:power_saving_thread+0x313/0x411 [acpi_pad]
+Code: 89 cd 48 89 d3 eb d1 48 c7 c7 55 70 72 c0 e8 64 86 b0 e4 c6 05 0d a1 02 00 01 e9 bc fd ff ff 45 89 e4 42 8b 04 a5 20 82 72 c0 <f0> 48 0f b3 05 f4 9c 01 00 42 c7 04 a5 20 82 72 c0 ff ff ff ff 31
+RSP: 0018:ff72a5d51fa77ec8 EFLAGS: 00010202
+RAX: 00000000ffffffff RBX: ff462981e5d8cb80 RCX: 0000000000000000
+RDX: 0000000000000000 RSI: 0000000000000246 RDI: 0000000000000246
+RBP: ff46297556959d80 R08: 0000000000000382 R09: ff46297c8d0f38d8
+R10: 0000000000000000 R11: 0000000000000001 R12: 000000000000000e
+R13: 0000000000000000 R14: ffffffffffffffff R15: 000000000000000e
+FS:  0000000000000000(0000) GS:ff46297a800c0000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: ffffffffe0740618 CR3: 0000007e20410004 CR4: 0000000000771ee0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+PKRU: 55555554
+Call Trace:
+ ? acpi_pad_add+0x120/0x120 [acpi_pad]
+ kthread+0x10b/0x130
+ ? set_kthread_struct+0x50/0x50
+ ret_from_fork+0x1f/0x40
+        ...
+CR2: ffffffffe0740618
+
+crash> dis -lr ffffffffc0726923
+        ...
+/usr/src/debug/kernel-4.18.0-425.19.2.el8_7/linux-4.18.0-425.19.2.el8_7.x86_64/./include/linux/cpumask.h: 114
+0xffffffffc0726918 <power_saving_thread+776>:  mov    %r12d,%r12d
+/usr/src/debug/kernel-4.18.0-425.19.2.el8_7/linux-4.18.0-425.19.2.el8_7.x86_64/./include/linux/cpumask.h: 325
+0xffffffffc072691b <power_saving_thread+779>:  mov    -0x3f8d7de0(,%r12,4),%eax
+/usr/src/debug/kernel-4.18.0-425.19.2.el8_7/linux-4.18.0-425.19.2.el8_7.x86_64/./arch/x86/include/asm/bitops.h: 80
+0xffffffffc0726923 <power_saving_thread+787>:  lock btr %rax,0x19cf4(%rip)        # 0xffffffffc0740620 <pad_busy_cpus_bits>
+
+crash> px tsk_in_cpu[14]
+$66 = 0xffffffff
+
+crash> px 0xffffffffc072692c+0x19cf4
+$99 = 0xffffffffc0740620
+
+crash> sym 0xffffffffc0740620
+ffffffffc0740620 (b) pad_busy_cpus_bits [acpi_pad]
+
+crash> px pad_busy_cpus_bits[0]
+$42 = 0xfffc0
+----------
+
+To fix this, ensure that tsk_in_cpu[tsk_index] != -1 before calling
+cpumask_clear_cpu() in exit_round_robin(), just as it is done in
+round_robin_cpu().
+
+Signed-off-by: Seiji Nishikawa <snishika@redhat.com>
+Link: https://patch.msgid.link/20240825141352.25280-1-snishika@redhat.com
+[ rjw: Subject edit, avoid updates to the same value ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Nobuhiro Iwamatsu (CIP) <nobuhiro1.iwamatsu@toshiba.co.jp>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/acpi_pad.c |    7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/acpi/acpi_pad.c
++++ b/drivers/acpi/acpi_pad.c
+@@ -128,8 +128,11 @@ static void round_robin_cpu(unsigned int
+ static void exit_round_robin(unsigned int tsk_index)
+ {
+       struct cpumask *pad_busy_cpus = to_cpumask(pad_busy_cpus_bits);
+-      cpumask_clear_cpu(tsk_in_cpu[tsk_index], pad_busy_cpus);
+-      tsk_in_cpu[tsk_index] = -1;
++
++      if (tsk_in_cpu[tsk_index] != -1) {
++              cpumask_clear_cpu(tsk_in_cpu[tsk_index], pad_busy_cpus);
++              tsk_in_cpu[tsk_index] = -1;
++      }
+ }
+ static unsigned int idle_pct = 5; /* percentage */
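Review bot: The new guard in exit_round_robin() compares against a bare `-1`, and nothing in the code says what that value means or why clearing it is dangerous. The commit message shows that a slot can hold 0xffffffff and that passing it to cpumask_clear_cpu() makes the bit operation address memory far outside pad_busy_cpus_bits. I would record that above the check, for example `/* -1: no CPU assigned to this task; clearing bit -1 would touch memory outside pad_busy_cpus_bits */`. The range of tsk_index is not checked here and its callers are outside the hunk, so whether it is always a valid index into tsk_in_cpu[] is something to confirm rather than assume.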
diff --git a/queue-5.10/media-uvcvideo-return-the-number-of-processed-controls.patch b/queue-5.10/media-uvcvideo-return-the-number-of-processed-controls.patch
new file mode 100644 (file)
index 0000000..02ddbd9
--- /dev/null
@@ -0,0 +1,71 @@
+From ba4fafb02ad6a4eb2e00f861893b5db42ba54369 Mon Sep 17 00:00:00 2001
+From: Ricardo Ribalda <ribalda@chromium.org>
+Date: Mon, 24 Feb 2025 10:34:53 +0000
+Subject: media: uvcvideo: Return the number of processed controls
+
+From: Ricardo Ribalda <ribalda@chromium.org>
+
+commit ba4fafb02ad6a4eb2e00f861893b5db42ba54369 upstream.
+
+If we let know our callers that we have not done anything, they will be
+able to optimize their decisions.
+
+Cc: stable@kernel.org
+Fixes: b4012002f3a3 ("[media] uvcvideo: Add support for control events")
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
+Message-ID: <20250224-uvc-data-backup-v2-1-de993ed9823b@chromium.org>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/usb/uvc/uvc_ctrl.c |   11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/usb/uvc/uvc_ctrl.c
++++ b/drivers/media/usb/uvc/uvc_ctrl.c
+@@ -1560,11 +1560,16 @@ int uvc_ctrl_begin(struct uvc_video_chai
+       return mutex_lock_interruptible(&chain->ctrl_mutex) ? -ERESTARTSYS : 0;
+ }
++/*
++ * Returns the number of uvc controls that have been correctly set, or a
++ * negative number if there has been an error.
++ */
+ static int uvc_ctrl_commit_entity(struct uvc_device *dev,
+                                 struct uvc_fh *handle,
+                                 struct uvc_entity *entity,
+                                 int rollback)
+ {
++      unsigned int processed_ctrls = 0;
+       struct uvc_control *ctrl;
+       unsigned int i;
+       int ret;
+@@ -1598,6 +1603,9 @@ static int uvc_ctrl_commit_entity(struct
+               else
+                       ret = 0;
++              if (!ret)
++                      processed_ctrls++;
++
+               if (rollback || ret < 0)
+                       memcpy(uvc_ctrl_data(ctrl, UVC_CTRL_DATA_CURRENT),
+                              uvc_ctrl_data(ctrl, UVC_CTRL_DATA_BACKUP),
+@@ -1613,7 +1621,7 @@ static int uvc_ctrl_commit_entity(struct
+                       uvc_ctrl_set_handle(handle, ctrl, handle);
+       }
+-      return 0;
++      return processed_ctrls;
+ }
+ int __uvc_ctrl_commit(struct uvc_fh *handle, int rollback,
+@@ -1634,6 +1642,7 @@ int __uvc_ctrl_commit(struct uvc_fh *han
+       if (!rollback)
+               uvc_ctrl_send_events(handle, xctrls, xctrls_count);
++      ret = 0;
+ done:
+       mutex_unlock(&chain->ctrl_mutex);
+       return ret;
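Review bot: The header comment added to uvc_ctrl_commit_entity() says the return value counts controls "correctly set", but `processed_ctrls++` runs whenever `ret` is 0. The `else ret = 0;` just above it suggests that this includes controls that were only rolled back, although the `if` that owns that `else` is outside the hunk, so this is inferred. If so, the comment should say it, for example `Returns the number of controls processed without error (written to the device, or restored when rollback is set), or a negative error code.` Separately, `processed_ctrls` is `unsigned int` while the function returns `int`; declaring it `int processed_ctrls = 0;` avoids the implicit conversion at `return processed_ctrls;`.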
diff --git a/queue-5.10/media-uvcvideo-rollback-non-processed-entities-on-error.patch b/queue-5.10/media-uvcvideo-rollback-non-processed-entities-on-error.patch
new file mode 100644 (file)
index 0000000..e45beda
--- /dev/null
@@ -0,0 +1,113 @@
+From a70705d3c020d0d5c3ab6a5cc93e011ac35e7d48 Mon Sep 17 00:00:00 2001
+From: Ricardo Ribalda <ribalda@chromium.org>
+Date: Mon, 24 Feb 2025 10:34:55 +0000
+Subject: media: uvcvideo: Rollback non processed entities on error
+
+From: Ricardo Ribalda <ribalda@chromium.org>
+
+commit a70705d3c020d0d5c3ab6a5cc93e011ac35e7d48 upstream.
+
+If we fail to commit an entity, we need to restore the
+UVC_CTRL_DATA_BACKUP for the other uncommitted entities. Otherwise the
+control cache and the device would be out of sync.
+
+Cc: stable@kernel.org
+Fixes: b4012002f3a3 ("[media] uvcvideo: Add support for control events")
+Reported-by: Hans de Goede <hdegoede@redhat.com>
+Closes: https://lore.kernel.org/linux-media/fe845e04-9fde-46ee-9763-a6f00867929a@redhat.com/
+Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
+Message-ID: <20250224-uvc-data-backup-v2-3-de993ed9823b@chromium.org>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/usb/uvc/uvc_ctrl.c |   42 ++++++++++++++++++++++++++-------------
+ 1 file changed, 28 insertions(+), 14 deletions(-)
+
+--- a/drivers/media/usb/uvc/uvc_ctrl.c
++++ b/drivers/media/usb/uvc/uvc_ctrl.c
+@@ -1577,7 +1577,7 @@ static int uvc_ctrl_commit_entity(struct
+       unsigned int processed_ctrls = 0;
+       struct uvc_control *ctrl;
+       unsigned int i;
+-      int ret;
++      int ret = 0;
+       if (entity == NULL)
+               return 0;
+@@ -1605,8 +1605,6 @@ static int uvc_ctrl_commit_entity(struct
+                               dev->intfnum, ctrl->info.selector,
+                               uvc_ctrl_data(ctrl, UVC_CTRL_DATA_CURRENT),
+                               ctrl->info.size);
+-              else
+-                      ret = 0;
+               if (!ret)
+                       processed_ctrls++;
+@@ -1618,14 +1616,22 @@ static int uvc_ctrl_commit_entity(struct
+               ctrl->dirty = 0;
+-              if (ret < 0)
+-                      return ret;
+-
+-              if (!rollback && handle &&
++              if (!rollback && handle && !ret &&
+                   ctrl->info.flags & UVC_CTRL_FLAG_ASYNCHRONOUS)
+                       uvc_ctrl_set_handle(handle, ctrl, handle);
++
++              if (ret < 0 && !rollback) {
++                      /*
++                       * If we fail to set a control, we need to rollback
++                       * the next ones.
++                       */
++                      rollback = 1;
++              }
+       }
++      if (ret)
++              return ret;
++
+       return processed_ctrls;
+ }
+@@ -1635,23 +1641,31 @@ int __uvc_ctrl_commit(struct uvc_fh *han
+ {
+       struct uvc_video_chain *chain = handle->chain;
+       struct uvc_entity *entity;
+-      int ret = 0;
++      int ret_out = 0;
++      int ret;
+       /* Find the control. */
+       list_for_each_entry(entity, &chain->entities, chain) {
+               ret = uvc_ctrl_commit_entity(chain->dev, handle, entity,
+                                            rollback);
+-              if (ret < 0)
+-                      goto done;
+-              else if (ret > 0 && !rollback)
++              if (ret < 0) {
++                      /*
++                       * When we fail to commit an entity, we need to
++                       * restore the UVC_CTRL_DATA_BACKUP for all the
++                       * controls in the other entities, otherwise our cache
++                       * and the hardware will be out of sync.
++                       */
++                      rollback = 1;
++
++                      ret_out = ret;
++              } else if (ret > 0 && !rollback) {
+                       uvc_ctrl_send_events(handle, entity, xctrls,
+                                            xctrls_count);
++              }
+       }
+-      ret = 0;
+-done:
+       mutex_unlock(&chain->ctrl_mutex);
+-      return ret;
++      return ret_out;
+ }
+ int uvc_ctrl_get(struct uvc_video_chain *chain,
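Review bot: With `int ret = 0;` set once and the `else ret = 0;` removed, `ret` in uvc_ctrl_commit_entity() now keeps the first failure for the rest of the loop, and nothing in the code says that this is deliberate. Both `if (!ret) processed_ctrls++;` and the final `if (ret) return ret;` depend on it, so a later edit that resets `ret` per iteration would silently report success after a failed write. A comment at the declaration would protect it, for example `/* Sticky: holds the first error while the remaining controls are rolled back. */`. This assumes the device query is skipped once `rollback` is set; the condition guarding that call is outside the hunk. In __uvc_ctrl_commit(), `ret_out = ret;` likewise records whichever entity failed last, which is only equivalent to the first failure if a rollback pass cannot itself return an error.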
diff --git a/queue-5.10/media-uvcvideo-send-control-events-for-partial-succeeds.patch b/queue-5.10/media-uvcvideo-send-control-events-for-partial-succeeds.patch
new file mode 100644 (file)
index 0000000..d7f475c
--- /dev/null
@@ -0,0 +1,64 @@
+From 5c791467aea6277430da5f089b9b6c2a9d8a4af7 Mon Sep 17 00:00:00 2001
+From: Ricardo Ribalda <ribalda@chromium.org>
+Date: Mon, 24 Feb 2025 10:34:54 +0000
+Subject: media: uvcvideo: Send control events for partial succeeds
+
+From: Ricardo Ribalda <ribalda@chromium.org>
+
+commit 5c791467aea6277430da5f089b9b6c2a9d8a4af7 upstream.
+
+Today, when we are applying a change to entities A, B. If A succeeds and B
+fails the events for A are not sent.
+
+This change changes the code so the events for A are send right after
+they happen.
+
+Cc: stable@kernel.org
+Fixes: b4012002f3a3 ("[media] uvcvideo: Add support for control events")
+Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
+Message-ID: <20250224-uvc-data-backup-v2-2-de993ed9823b@chromium.org>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/usb/uvc/uvc_ctrl.c |   12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/drivers/media/usb/uvc/uvc_ctrl.c
++++ b/drivers/media/usb/uvc/uvc_ctrl.c
+@@ -1429,7 +1429,9 @@ static bool uvc_ctrl_xctrls_has_control(
+ }
+ static void uvc_ctrl_send_events(struct uvc_fh *handle,
+-      const struct v4l2_ext_control *xctrls, unsigned int xctrls_count)
++                               struct uvc_entity *entity,
++                               const struct v4l2_ext_control *xctrls,
++                               unsigned int xctrls_count)
+ {
+       struct uvc_control_mapping *mapping;
+       struct uvc_control *ctrl;
+@@ -1440,6 +1442,9 @@ static void uvc_ctrl_send_events(struct
+               u32 changes = V4L2_EVENT_CTRL_CH_VALUE;
+               ctrl = uvc_find_control(handle->chain, xctrls[i].id, &mapping);
++              if (ctrl->entity != entity)
++                      continue;
++
+               if (ctrl->info.flags & UVC_CTRL_FLAG_ASYNCHRONOUS)
+                       /* Notification will be sent from an Interrupt event. */
+                       continue;
+@@ -1638,10 +1643,11 @@ int __uvc_ctrl_commit(struct uvc_fh *han
+                                            rollback);
+               if (ret < 0)
+                       goto done;
++              else if (ret > 0 && !rollback)
++                      uvc_ctrl_send_events(handle, entity, xctrls,
++                                           xctrls_count);
+       }
+-      if (!rollback)
+-              uvc_ctrl_send_events(handle, xctrls, xctrls_count);
+       ret = 0;
+ done:
+       mutex_unlock(&chain->ctrl_mutex);
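Review bot: The added `if (ctrl->entity != entity)` dereferences the result of uvc_find_control() without checking it, and it is now the first dereference in the loop body of uvc_ctrl_send_events(). uvc_find_control() is defined outside this hunk, so whether it can return NULL for an id taken from `xctrls` (which presumably comes from the caller's control request) needs confirming. If it can, `if (!ctrl || ctrl->entity != entity) continue;` keeps an unknown id from becoming a NULL dereference both here and at the existing `ctrl->info.flags` test that follows. The function body continues past the end of the hunk.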
index 71b2b1a2a7a1b54efa0b405501cf256dd20660b8..a644d1b0a9bde3b8454d2a94e986d2acf76527df 100644 (file)
@@ -137,3 +137,8 @@ xhci-dbctty-disable-echo-flag-by-default.patch
 xhci-dbc-flush-queued-requests-before-stopping-dbc.patch
 logitech-c-270-even-more-broken.patch
 usb-typec-displayport-fix-potential-deadlock.patch
+acpi-pad-fix-crash-in-exit_round_robin.patch
+media-uvcvideo-return-the-number-of-processed-controls.patch
+media-uvcvideo-send-control-events-for-partial-succeeds.patch
+media-uvcvideo-rollback-non-processed-entities-on-error.patch
+staging-rtl8723bs-avoid-memset-in-aes_cipher-and-aes_decipher.patch
diff --git a/queue-5.10/staging-rtl8723bs-avoid-memset-in-aes_cipher-and-aes_decipher.patch b/queue-5.10/staging-rtl8723bs-avoid-memset-in-aes_cipher-and-aes_decipher.patch
new file mode 100644 (file)
index 0000000..12099dd
--- /dev/null
@@ -0,0 +1,140 @@
+From a55bc4ffc06d8c965a7d6f0a01ed0ed41380df28 Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <nathan@kernel.org>
+Date: Mon, 9 Jun 2025 14:13:14 -0700
+Subject: staging: rtl8723bs: Avoid memset() in aes_cipher() and aes_decipher()
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+commit a55bc4ffc06d8c965a7d6f0a01ed0ed41380df28 upstream.
+
+After commit 6f110a5e4f99 ("Disable SLUB_TINY for build testing"), which
+causes CONFIG_KASAN to be enabled in allmodconfig again, arm64
+allmodconfig builds with older versions of clang (15 through 17) show an
+instance of -Wframe-larger-than (which breaks the build with
+CONFIG_WERROR=y):
+
+  drivers/staging/rtl8723bs/core/rtw_security.c:1287:5: error: stack frame size (2208) exceeds limit (2048) in 'rtw_aes_decrypt' [-Werror,-Wframe-larger-than]
+   1287 | u32 rtw_aes_decrypt(struct adapter *padapter, u8 *precvframe)
+        |     ^
+
+This comes from aes_decipher() being inlined in rtw_aes_decrypt().
+Running the same build with CONFIG_FRAME_WARN=128 shows aes_cipher()
+also uses a decent amount of stack, just under the limit of 2048:
+
+  drivers/staging/rtl8723bs/core/rtw_security.c:864:19: warning: stack frame size (1952) exceeds limit (128) in 'aes_cipher' [-Wframe-larger-than]
+    864 | static signed int aes_cipher(u8 *key, uint      hdrlen,
+        |                   ^
+
+-Rpass-analysis=stack-frame-layout only shows one large structure on the
+stack, which is the ctx variable inlined from aes128k128d(). A good
+number of the other variables come from the additional checks of
+fortified string routines, which are present in memset(), which both
+aes_cipher() and aes_decipher() use to initialize some temporary
+buffers. In this case, since the size is known at compile time, these
+additional checks should not result in any code generation changes but
+allmodconfig has several sanitizers enabled, which may make it harder
+for the compiler to eliminate the compile time checks and the variables
+that come about from them.
+
+The memset() calls are just initializing these buffers to zero, so use
+'= {}' instead, which is used all over the kernel and does the exact
+same thing as memset() without the fortify checks, which drops the stack
+usage of these functions by a few hundred kilobytes.
+
+  drivers/staging/rtl8723bs/core/rtw_security.c:864:19: warning: stack frame size (1584) exceeds limit (128) in 'aes_cipher' [-Wframe-larger-than]
+    864 | static signed int aes_cipher(u8 *key, uint      hdrlen,
+        |                   ^
+  drivers/staging/rtl8723bs/core/rtw_security.c:1271:5: warning: stack frame size (1456) exceeds limit (128) in 'rtw_aes_decrypt' [-Wframe-larger-than]
+   1271 | u32 rtw_aes_decrypt(struct adapter *padapter, u8 *precvframe)
+        |     ^
+
+Cc: stable@vger.kernel.org
+Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://lore.kernel.org/r/20250609-rtl8723bs-fix-clang-arm64-wflt-v1-1-e2accba43def@kernel.org
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/rtl8723bs/core/rtw_security.c |   46 +++++++-------------------
+ 1 file changed, 14 insertions(+), 32 deletions(-)
+
+--- a/drivers/staging/rtl8723bs/core/rtw_security.c
++++ b/drivers/staging/rtl8723bs/core/rtw_security.c
+@@ -1299,30 +1299,21 @@ static sint aes_cipher(u8 *key, uint   hdr
+               num_blocks, payload_index;
+       u8 pn_vector[6];
+-      u8 mic_iv[16];
+-      u8 mic_header1[16];
+-      u8 mic_header2[16];
+-      u8 ctr_preload[16];
++      u8 mic_iv[16] = {};
++      u8 mic_header1[16] = {};
++      u8 mic_header2[16] = {};
++      u8 ctr_preload[16] = {};
+       /* Intermediate Buffers */
+-      u8 chain_buffer[16];
+-      u8 aes_out[16];
+-      u8 padded_buffer[16];
++      u8 chain_buffer[16] = {};
++      u8 aes_out[16] = {};
++      u8 padded_buffer[16] = {};
+       u8 mic[8];
+       uint    frtype  = GetFrameType(pframe);
+       uint    frsubtype  = GetFrameSubType(pframe);
+       frsubtype = frsubtype>>4;
+-
+-      memset((void *)mic_iv, 0, 16);
+-      memset((void *)mic_header1, 0, 16);
+-      memset((void *)mic_header2, 0, 16);
+-      memset((void *)ctr_preload, 0, 16);
+-      memset((void *)chain_buffer, 0, 16);
+-      memset((void *)aes_out, 0, 16);
+-      memset((void *)padded_buffer, 0, 16);
+-
+       if ((hdrlen == WLAN_HDR_A3_LEN) || (hdrlen ==  WLAN_HDR_A3_QOS_LEN))
+               a4_exists = 0;
+       else
+@@ -1540,15 +1531,15 @@ static sint aes_decipher(u8 *key, uint h
+                       num_blocks, payload_index;
+       sint res = _SUCCESS;
+       u8 pn_vector[6];
+-      u8 mic_iv[16];
+-      u8 mic_header1[16];
+-      u8 mic_header2[16];
+-      u8 ctr_preload[16];
++      u8 mic_iv[16] = {};
++      u8 mic_header1[16] = {};
++      u8 mic_header2[16] = {};
++      u8 ctr_preload[16] = {};
+               /* Intermediate Buffers */
+-      u8 chain_buffer[16];
+-      u8 aes_out[16];
+-      u8 padded_buffer[16];
++      u8 chain_buffer[16] = {};
++      u8 aes_out[16] = {};
++      u8 padded_buffer[16] = {};
+       u8 mic[8];
+@@ -1557,15 +1548,6 @@ static sint aes_decipher(u8 *key, uint  h
+       frsubtype = frsubtype>>4;
+-
+-      memset((void *)mic_iv, 0, 16);
+-      memset((void *)mic_header1, 0, 16);
+-      memset((void *)mic_header2, 0, 16);
+-      memset((void *)ctr_preload, 0, 16);
+-      memset((void *)chain_buffer, 0, 16);
+-      memset((void *)aes_out, 0, 16);
+-      memset((void *)padded_buffer, 0, 16);
+-
+       /* start to decrypt the payload */
+       num_blocks = (plen-8) / 16; /* plen including LLC, payload_length and mic) */
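Review bot: `pn_vector[6]` and `mic[8]` are still declared without an initializer in both aes_cipher() and aes_decipher(), while every neighbouring buffer now gets `= {}`. The removed memset() calls did not cover them either, so behaviour is unchanged, but whether each is fully written before its first read cannot be seen from these hunks. Writing `u8 pn_vector[6] = {};` and `u8 mic[8] = {};` would make the declarations uniform and rule out reading indeterminate stack bytes. Separately, the message's "a few hundred kilobytes" does not match the frame sizes it quotes (1952 down to 1584), which differ by a few hundred bytes.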