From: Greg Kroah-Hartman Date: Mon, 8 Jul 2024 13:03:29 +0000 (+0200) Subject: 6.6-stable patches X-Git-Tag: v6.6.38~20 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=00ce3eb679b7644f2b6e8acb297352d280c252b4;p=thirdparty%2Fkernel%2Fstable-queue.git 6.6-stable patches added patches: arm64-dts-rockchip-fix-the-dcdc_reg2-minimum-voltage-on-quartz64-model-b.patch bnx2x-fix-multiple-ubsan-array-index-out-of-bounds.patch clk-qcom-gcc-ipq9574-add-branch_halt_voted-flag.patch clk-sunxi-ng-common-don-t-call-hw_to_ccu_common-on-hw-without-common.patch drm-amdgpu-atomfirmware-silence-ubsan-warning.patch drm-nouveau-fix-null-pointer-dereference-in-nouveau_connector_get_modes.patch drm-panel-orientation-quirks-add-quirk-for-valve-galileo.patch ima-avoid-blocking-in-rcu-read-side-critical-section.patch mtd-rawnand-bypass-a-couple-of-sanity-checks-during-nand-identification.patch mtd-rawnand-ensure-ecc-configuration-is-propagated-to-upper-layers.patch mtd-rawnand-fix-the-nand_read_data_op-early-check.patch mtd-rawnand-rockchip-ensure-nvddr-timings-are-rejected.patch net-stmmac-dwmac-qcom-ethqos-fix-error-array-size.patch powerpc-64s-fix-unnecessary-copy-to-0-when-kernel-is-booted-at-address-0.patch powerpc-pseries-fix-scv-instruction-crash-with-kexec.patch revert-mm-writeback-fix-possible-divide-by-zero-in-wb_dirty_limits-again.patch --- diff --git a/queue-6.6/arm64-dts-rockchip-fix-the-dcdc_reg2-minimum-voltage-on-quartz64-model-b.patch b/queue-6.6/arm64-dts-rockchip-fix-the-dcdc_reg2-minimum-voltage-on-quartz64-model-b.patch new file mode 100644 index 00000000000..3ecbd57f4c6 --- /dev/null +++ b/queue-6.6/arm64-dts-rockchip-fix-the-dcdc_reg2-minimum-voltage-on-quartz64-model-b.patch 
@@ -0,0 +1,56 @@ +From d201c92bff90f3d3d0b079fc955378c15c0483cc Mon Sep 17 00:00:00 2001 +From: Dragan Simic +Date: Mon, 20 May 2024 19:20:28 +0200 +Subject: arm64: dts: rockchip: Fix the DCDC_REG2 minimum voltage on Quartz64 Model B + +From: Dragan Simic + +commit d201c92bff90f3d3d0b079fc955378c15c0483cc upstream. + +Correct the specified regulator-min-microvolt value for the buck DCDC_REG2 +regulator, which is part of the Rockchip RK809 PMIC, in the Pine64 Quartz64 +Model B board dts. According to the RK809 datasheet, version 1.01, this +regulator is capable of producing voltages as low as 0.5 V on its output, +instead of going down to 0.9 V only, which is additionally confirmed by the +regulator-min-microvolt values found in the board dts files for the other +supported boards that use the same RK809 PMIC. + +This allows the DVFS to clock the GPU on the Quartz64 Model B below 700 MHz, +all the way down to 200 MHz, which saves some power and reduces the amount of +generated heat a bit, improving the thermal headroom and possibly improving +the bursty CPU and GPU performance on this board. 
+ +This also eliminates the following warnings in the kernel log: + + core: _opp_supported_by_regulators: OPP minuV: 825000 maxuV: 825000, not supported by regulator + panfrost fde60000.gpu: _opp_add: OPP not supported by regulators (200000000) + core: _opp_supported_by_regulators: OPP minuV: 825000 maxuV: 825000, not supported by regulator + panfrost fde60000.gpu: _opp_add: OPP not supported by regulators (300000000) + core: _opp_supported_by_regulators: OPP minuV: 825000 maxuV: 825000, not supported by regulator + panfrost fde60000.gpu: _opp_add: OPP not supported by regulators (400000000) + core: _opp_supported_by_regulators: OPP minuV: 825000 maxuV: 825000, not supported by regulator + panfrost fde60000.gpu: _opp_add: OPP not supported by regulators (600000000) + +Fixes: dcc8c66bef79 ("arm64: dts: rockchip: add Pine64 Quartz64-B device tree") +Cc: stable@vger.kernel.org +Reported-By: Diederik de Haas +Signed-off-by: Dragan Simic +Tested-by: Diederik de Haas +Link: https://lore.kernel.org/r/e70742ea2df432bf57b3f7de542d81ca22b0da2f.1716225483.git.dsimic@manjaro.org +Signed-off-by: Heiko Stuebner +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/rockchip/rk3566-quartz64-b.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm64/boot/dts/rockchip/rk3566-quartz64-b.dts ++++ b/arch/arm64/boot/dts/rockchip/rk3566-quartz64-b.dts +@@ -289,7 +289,7 @@ + regulator-name = "vdd_gpu"; + regulator-always-on; + regulator-boot-on; +- regulator-min-microvolt = <900000>; ++ regulator-min-microvolt = <500000>; + regulator-max-microvolt = <1350000>; + regulator-ramp-delay = <6001>; + diff --git a/queue-6.6/bnx2x-fix-multiple-ubsan-array-index-out-of-bounds.patch b/queue-6.6/bnx2x-fix-multiple-ubsan-array-index-out-of-bounds.patch new file mode 100644 index 00000000000..0a7d28b95ad --- /dev/null +++ b/queue-6.6/bnx2x-fix-multiple-ubsan-array-index-out-of-bounds.patch 
@@ -0,0 +1,185 @@ +From 134061163ee5ca4759de5c24ca3bd71608891ba7 Mon Sep 17 00:00:00 2001 +From: Ghadi Elie Rahme +Date: Thu, 27 Jun 2024 14:14:05 +0300 +Subject: bnx2x: Fix multiple UBSAN array-index-out-of-bounds + +From: Ghadi Elie Rahme + +commit 134061163ee5ca4759de5c24ca3bd71608891ba7 upstream. + +Fix UBSAN warnings that occur when using a system with 32 physical +cpu cores or more, or when the user defines a number of Ethernet +queues greater than or equal to FP_SB_MAX_E1x using the num_queues +module parameter. + +Currently there is a read/write out of bounds that occurs on the array +"struct stats_query_entry query" present inside the "bnx2x_fw_stats_req" +struct in "drivers/net/ethernet/broadcom/bnx2x/bnx2x.h". +Looking at the definition of the "struct stats_query_entry query" array: + +struct stats_query_entry query[FP_SB_MAX_E1x+ + BNX2X_FIRST_QUEUE_QUERY_IDX]; + +FP_SB_MAX_E1x is defined as the maximum number of fast path interrupts and +has a value of 16, while BNX2X_FIRST_QUEUE_QUERY_IDX has a value of 3 +meaning the array has a total size of 19. +Since accesses to "struct stats_query_entry query" are offset-ted by +BNX2X_FIRST_QUEUE_QUERY_IDX, that means that the total number of Ethernet +queues should not exceed FP_SB_MAX_E1x (16). However one of these queues +is reserved for FCOE and thus the number of Ethernet queues should be set +to [FP_SB_MAX_E1x -1] (15) if FCOE is enabled or [FP_SB_MAX_E1x] (16) if +it is not. + +This is also described in a comment in the source code in +drivers/net/ethernet/broadcom/bnx2x/bnx2x.h just above the Macro definition +of FP_SB_MAX_E1x. Below is the part of this explanation that it important +for this patch + +/* + * The total number of L2 queues, MSIX vectors and HW contexts (CIDs) is + * control by the number of fast-path status blocks supported by the + * device (HW/FW). 
Each fast-path status block (FP-SB) aka non-default + * status block represents an independent interrupts context that can + * serve a regular L2 networking queue. However special L2 queues such + * as the FCoE queue do not require a FP-SB and other components like + * the CNIC may consume FP-SB reducing the number of possible L2 queues + * + * If the maximum number of FP-SB available is X then: + * a. If CNIC is supported it consumes 1 FP-SB thus the max number of + * regular L2 queues is Y=X-1 + * b. In MF mode the actual number of L2 queues is Y= (X-1/MF_factor) + * c. If the FCoE L2 queue is supported the actual number of L2 queues + * is Y+1 + * d. The number of irqs (MSIX vectors) is either Y+1 (one extra for + * slow-path interrupts) or Y+2 if CNIC is supported (one additional + * FP interrupt context for the CNIC). + * e. The number of HW context (CID count) is always X or X+1 if FCoE + * L2 queue is supported. The cid for the FCoE L2 queue is always X. + */ + +However this driver also supports NICs that use the E2 controller which can +handle more queues due to having more FP-SB represented by FP_SB_MAX_E2. +Looking at the commits when the E2 support was added, it was originally +using the E1x parameters: commit f2e0899f0f27 ("bnx2x: Add 57712 support"). +Back then FP_SB_MAX_E2 was set to 16 the same as E1x. However the driver +was later updated to take full advantage of the E2 instead of having it be +limited to the capabilities of the E1x. But as far as we can tell, the +array "stats_query_entry query" was still limited to using the FP-SB +available to the E1x cards as part of an oversignt when the driver was +updated to take full advantage of the E2, and now with the driver being +aware of the greater queue size supported by E2 NICs, it causes the UBSAN +warnings seen in the stack traces below. 
+ +This patch increases the size of the "stats_query_entry query" array by +replacing FP_SB_MAX_E1x with FP_SB_MAX_E2 to be large enough to handle +both types of NICs. + +Stack traces: + +UBSAN: array-index-out-of-bounds in + drivers/net/ethernet/broadcom/bnx2x/bnx2x_stats.c:1529:11 +index 20 is out of range for type 'stats_query_entry [19]' +CPU: 12 PID: 858 Comm: systemd-network Not tainted 6.9.0-060900rc7-generic + #202405052133 +Hardware name: HP ProLiant DL360 Gen9/ProLiant DL360 Gen9, + BIOS P89 10/21/2019 +Call Trace: + + dump_stack_lvl+0x76/0xa0 + dump_stack+0x10/0x20 + __ubsan_handle_out_of_bounds+0xcb/0x110 + bnx2x_prep_fw_stats_req+0x2e1/0x310 [bnx2x] + bnx2x_stats_init+0x156/0x320 [bnx2x] + bnx2x_post_irq_nic_init+0x81/0x1a0 [bnx2x] + bnx2x_nic_load+0x8e8/0x19e0 [bnx2x] + bnx2x_open+0x16b/0x290 [bnx2x] + __dev_open+0x10e/0x1d0 +RIP: 0033:0x736223927a0a +Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca + 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 + f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89 +RSP: 002b:00007ffc0bb2ada8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c +RAX: ffffffffffffffda RBX: 0000583df50f9c78 RCX: 0000736223927a0a +RDX: 0000000000000020 RSI: 0000583df50ee510 RDI: 0000000000000003 +RBP: 0000583df50d4940 R08: 00007ffc0bb2adb0 R09: 0000000000000080 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000583df5103ae0 +R13: 000000000000035a R14: 0000583df50f9c30 R15: 0000583ddddddf00 + +---[ end trace ]--- +------------[ cut here ]------------ +UBSAN: array-index-out-of-bounds in + drivers/net/ethernet/broadcom/bnx2x/bnx2x_stats.c:1546:11 +index 28 is out of range for type 'stats_query_entry [19]' +CPU: 12 PID: 858 Comm: systemd-network Not tainted 6.9.0-060900rc7-generic + #202405052133 +Hardware name: HP ProLiant DL360 Gen9/ProLiant DL360 Gen9, + BIOS P89 10/21/2019 +Call Trace: + +dump_stack_lvl+0x76/0xa0 +dump_stack+0x10/0x20 +__ubsan_handle_out_of_bounds+0xcb/0x110 
+bnx2x_prep_fw_stats_req+0x2fd/0x310 [bnx2x] +bnx2x_stats_init+0x156/0x320 [bnx2x] +bnx2x_post_irq_nic_init+0x81/0x1a0 [bnx2x] +bnx2x_nic_load+0x8e8/0x19e0 [bnx2x] +bnx2x_open+0x16b/0x290 [bnx2x] +__dev_open+0x10e/0x1d0 +RIP: 0033:0x736223927a0a +Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca + 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 + f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89 +RSP: 002b:00007ffc0bb2ada8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c +RAX: ffffffffffffffda RBX: 0000583df50f9c78 RCX: 0000736223927a0a +RDX: 0000000000000020 RSI: 0000583df50ee510 RDI: 0000000000000003 +RBP: 0000583df50d4940 R08: 00007ffc0bb2adb0 R09: 0000000000000080 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000583df5103ae0 +R13: 000000000000035a R14: 0000583df50f9c30 R15: 0000583ddddddf00 + +---[ end trace ]--- +------------[ cut here ]------------ +UBSAN: array-index-out-of-bounds in + drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c:1895:8 +index 29 is out of range for type 'stats_query_entry [19]' +CPU: 13 PID: 163 Comm: kworker/u96:1 Not tainted 6.9.0-060900rc7-generic + #202405052133 +Hardware name: HP ProLiant DL360 Gen9/ProLiant DL360 Gen9, + BIOS P89 10/21/2019 +Workqueue: bnx2x bnx2x_sp_task [bnx2x] +Call Trace: + + dump_stack_lvl+0x76/0xa0 + dump_stack+0x10/0x20 + __ubsan_handle_out_of_bounds+0xcb/0x110 + bnx2x_iov_adjust_stats_req+0x3c4/0x3d0 [bnx2x] + bnx2x_storm_stats_post.part.0+0x4a/0x330 [bnx2x] + ? 
bnx2x_hw_stats_post+0x231/0x250 [bnx2x] + bnx2x_stats_start+0x44/0x70 [bnx2x] + bnx2x_stats_handle+0x149/0x350 [bnx2x] + bnx2x_attn_int_asserted+0x998/0x9b0 [bnx2x] + bnx2x_sp_task+0x491/0x5c0 [bnx2x] + process_one_work+0x18d/0x3f0 + +---[ end trace ]--- + +Fixes: 50f0a562f8cc ("bnx2x: add fcoe statistics") +Signed-off-by: Ghadi Elie Rahme +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20240627111405.1037812-1-ghadi.rahme@canonical.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/bnx2x/bnx2x.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x.h ++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x.h +@@ -1262,7 +1262,7 @@ enum { + + struct bnx2x_fw_stats_req { + struct stats_query_header hdr; +- struct stats_query_entry query[FP_SB_MAX_E1x+ ++ struct stats_query_entry query[FP_SB_MAX_E2 + + BNX2X_FIRST_QUEUE_QUERY_IDX]; + }; + diff --git a/queue-6.6/clk-qcom-gcc-ipq9574-add-branch_halt_voted-flag.patch b/queue-6.6/clk-qcom-gcc-ipq9574-add-branch_halt_voted-flag.patch new file mode 100644 index 00000000000..d4648594e7d --- /dev/null +++ b/queue-6.6/clk-qcom-gcc-ipq9574-add-branch_halt_voted-flag.patch 
@@ -0,0 +1,65 @@ +From 72ceafb587a56e26c905472418c7dc2033c294d3 Mon Sep 17 00:00:00 2001 +From: Md Sadre Alam +Date: Thu, 9 May 2024 16:24:05 +0530 +Subject: clk: qcom: gcc-ipq9574: Add BRANCH_HALT_VOTED flag + +From: Md Sadre Alam + +commit 72ceafb587a56e26c905472418c7dc2033c294d3 upstream. + +The crypto_ahb and crypto_axi clks are hardware voteable. +This means that the halt bit isn't reliable because some +other voter in the system, e.g. TrustZone, could be keeping +the clk enabled when the kernel turns it off from clk_disable(). +Make these clks use voting mode by changing the halt check to +BRANCH_HALT_VOTED and toggle the voting bit in the voting register +instead of directly controlling the branch by writing to the branch +register. This fixes stuck clk warnings seen on ipq9574 and saves +power by actually turning the clk off. + +Also changes the CRYPTO_AHB_CLK_ENA & CRYPTO_AXI_CLK_ENA +offset to 0xb004 from 0x16014. + +Cc: stable@vger.kernel.org +Fixes: f6b2bd9cb29a ("clk: qcom: gcc-ipq9574: Enable crypto clocks") +Signed-off-by: Md Sadre Alam +Link: https://lore.kernel.org/r/20240509105405.1262369-1-quic_mdalam@quicinc.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/qcom/gcc-ipq9574.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/clk/qcom/gcc-ipq9574.c b/drivers/clk/qcom/gcc-ipq9574.c +index 0a3f846695b8..f8b9a1e93bef 100644 +--- a/drivers/clk/qcom/gcc-ipq9574.c ++++ b/drivers/clk/qcom/gcc-ipq9574.c +@@ -2140,9 +2140,10 @@ static struct clk_rcg2 pcnoc_bfdcd_clk_src = { + + static struct clk_branch gcc_crypto_axi_clk = { + .halt_reg = 0x16010, ++ .halt_check = BRANCH_HALT_VOTED, + .clkr = { +- .enable_reg = 0x16010, +- .enable_mask = BIT(0), ++ .enable_reg = 0xb004, ++ .enable_mask = BIT(15), + .hw.init = &(const struct clk_init_data) { + .name = "gcc_crypto_axi_clk", + .parent_hws = (const struct clk_hw *[]) { +@@ -2156,9 +2157,10 @@ static struct clk_branch 
gcc_crypto_axi_clk = { + + static struct clk_branch gcc_crypto_ahb_clk = { + .halt_reg = 0x16014, ++ .halt_check = BRANCH_HALT_VOTED, + .clkr = { +- .enable_reg = 0x16014, +- .enable_mask = BIT(0), ++ .enable_reg = 0xb004, ++ .enable_mask = BIT(16), + .hw.init = &(const struct clk_init_data) { + .name = "gcc_crypto_ahb_clk", + .parent_hws = (const struct clk_hw *[]) { +-- +2.45.2 + diff --git a/queue-6.6/clk-sunxi-ng-common-don-t-call-hw_to_ccu_common-on-hw-without-common.patch b/queue-6.6/clk-sunxi-ng-common-don-t-call-hw_to_ccu_common-on-hw-without-common.patch new file mode 100644 index 00000000000..b6598629603 --- /dev/null +++ b/queue-6.6/clk-sunxi-ng-common-don-t-call-hw_to_ccu_common-on-hw-without-common.patch 
@@ -0,0 +1,72 @@ +From ea977d742507e534d9fe4f4d74256f6b7f589338 Mon Sep 17 00:00:00 2001 +From: Frank Oltmanns +Date: Sun, 23 Jun 2024 10:45:58 +0200 +Subject: clk: sunxi-ng: common: Don't call hw_to_ccu_common on hw without common + +From: Frank Oltmanns + +commit ea977d742507e534d9fe4f4d74256f6b7f589338 upstream. + +In order to set the rate range of a hw sunxi_ccu_probe calls +hw_to_ccu_common() assuming all entries in desc->ccu_clks are contained +in a ccu_common struct. This assumption is incorrect and, in +consequence, causes invalid pointer de-references. + +Remove the faulty call. Instead, add one more loop that iterates over +the ccu_clks and sets the rate range, if required. + +Fixes: b914ec33b391 ("clk: sunxi-ng: common: Support minimum and maximum rate") +Reported-by: Robert J. Pafford +Closes: https://lore.kernel.org/lkml/DM6PR01MB58047C810DDD5D0AE397CADFF7C22@DM6PR01MB5804.prod.exchangelabs.com/ +Cc: stable@vger.kernel.org +Signed-off-by: Frank Oltmanns +Tested-by: Robert J. 
Pafford +Link: https://lore.kernel.org/r/20240623-sunxi-ng_fix_common_probe-v1-1-7c97e32824a1@oltmanns.dev +Signed-off-by: Chen-Yu Tsai +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/sunxi-ng/ccu_common.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +diff --git a/drivers/clk/sunxi-ng/ccu_common.c b/drivers/clk/sunxi-ng/ccu_common.c +index ac0091b4ce24..be375ce0149c 100644 +--- a/drivers/clk/sunxi-ng/ccu_common.c ++++ b/drivers/clk/sunxi-ng/ccu_common.c +@@ -132,7 +132,6 @@ static int sunxi_ccu_probe(struct sunxi_ccu *ccu, struct device *dev, + + for (i = 0; i < desc->hw_clks->num ; i++) { + struct clk_hw *hw = desc->hw_clks->hws[i]; +- struct ccu_common *common = hw_to_ccu_common(hw); + const char *name; + + if (!hw) +@@ -147,14 +146,21 @@ static int sunxi_ccu_probe(struct sunxi_ccu *ccu, struct device *dev, + pr_err("Couldn't register clock %d - %s\n", i, name); + goto err_clk_unreg; + } ++ } + +- if (common->max_rate) +- clk_hw_set_rate_range(hw, common->min_rate, +- common->max_rate); ++ for (i = 0; i < desc->num_ccu_clks; i++) { ++ struct ccu_common *cclk = desc->ccu_clks[i]; ++ ++ if (!cclk) ++ continue; ++ ++ if (cclk->max_rate) ++ clk_hw_set_rate_range(&cclk->hw, cclk->min_rate, ++ cclk->max_rate); + else +- WARN(common->min_rate, ++ WARN(cclk->min_rate, + "No max_rate, ignoring min_rate of clock %d - %s\n", +- i, name); ++ i, clk_hw_get_name(&cclk->hw)); + } + + ret = of_clk_add_hw_provider(node, of_clk_hw_onecell_get, +-- +2.45.2 + diff --git a/queue-6.6/drm-amdgpu-atomfirmware-silence-ubsan-warning.patch b/queue-6.6/drm-amdgpu-atomfirmware-silence-ubsan-warning.patch new file mode 100644 index 00000000000..824c9ea3c8f --- /dev/null +++ b/queue-6.6/drm-amdgpu-atomfirmware-silence-ubsan-warning.patch 
@@ -0,0 +1,31 @@ +From d0417264437a8fa05f894cabba5a26715b32d78e Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Mon, 1 Jul 2024 12:50:10 -0400 +Subject: drm/amdgpu/atomfirmware: silence UBSAN warning + +From: Alex Deucher + +commit d0417264437a8fa05f894cabba5a26715b32d78e upstream. + +This is a variable sized array. + +Link: https://lists.freedesktop.org/archives/amd-gfx/2024-June/110420.html +Tested-by: Jeff Layton +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/include/atomfirmware.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/include/atomfirmware.h ++++ b/drivers/gpu/drm/amd/include/atomfirmware.h +@@ -702,7 +702,7 @@ struct atom_gpio_pin_lut_v2_1 + { + struct atom_common_table_header table_header; + /*the real number of this included in the structure is calcualted by using the (whole structure size - the header size)/size of atom_gpio_pin_lut */ +- struct atom_gpio_pin_assignment gpio_pin[8]; ++ struct atom_gpio_pin_assignment gpio_pin[]; + }; + + diff --git a/queue-6.6/drm-nouveau-fix-null-pointer-dereference-in-nouveau_connector_get_modes.patch b/queue-6.6/drm-nouveau-fix-null-pointer-dereference-in-nouveau_connector_get_modes.patch new file mode 100644 index 00000000000..d0c405a59c8 --- /dev/null +++ b/queue-6.6/drm-nouveau-fix-null-pointer-dereference-in-nouveau_connector_get_modes.patch 
@@ -0,0 +1,35 @@ +From 80bec6825b19d95ccdfd3393cf8ec15ff2a749b4 Mon Sep 17 00:00:00 2001 +From: Ma Ke +Date: Thu, 27 Jun 2024 15:42:04 +0800 +Subject: drm/nouveau: fix null pointer dereference in nouveau_connector_get_modes + +From: Ma Ke + +commit 80bec6825b19d95ccdfd3393cf8ec15ff2a749b4 upstream. + +In nouveau_connector_get_modes(), the return value of drm_mode_duplicate() +is assigned to mode, which will lead to a possible NULL pointer +dereference on failure of drm_mode_duplicate(). Add a check to avoid npd. + +Cc: stable@vger.kernel.org +Fixes: 6ee738610f41 ("drm/nouveau: Add DRM driver for NVIDIA GPUs") +Signed-off-by: Ma Ke +Signed-off-by: Lyude Paul +Link: https://patchwork.freedesktop.org/patch/msgid/20240627074204.3023776-1-make24@iscas.ac.cn +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/nouveau/nouveau_connector.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/gpu/drm/nouveau/nouveau_connector.c ++++ b/drivers/gpu/drm/nouveau/nouveau_connector.c +@@ -983,6 +983,9 @@ nouveau_connector_get_modes(struct drm_c + struct drm_display_mode *mode; + + mode = drm_mode_duplicate(dev, nv_connector->native_mode); ++ if (!mode) ++ return 0; ++ + drm_mode_probed_add(connector, mode); + ret = 1; + } diff --git a/queue-6.6/drm-panel-orientation-quirks-add-quirk-for-valve-galileo.patch b/queue-6.6/drm-panel-orientation-quirks-add-quirk-for-valve-galileo.patch new file mode 100644 index 00000000000..49c215021d5 --- /dev/null +++ b/queue-6.6/drm-panel-orientation-quirks-add-quirk-for-valve-galileo.patch 
@@ -0,0 +1,37 @@ +From 26746ed40bb0e4ebe2b2bd61c04eaaa54e263c14 Mon Sep 17 00:00:00 2001 +From: John Schoenick +Date: Fri, 28 Jun 2024 13:58:21 -0700 +Subject: drm: panel-orientation-quirks: Add quirk for Valve Galileo + +From: John Schoenick + +commit 26746ed40bb0e4ebe2b2bd61c04eaaa54e263c14 upstream. + +Valve's Steam Deck Galileo revision has a 800x1280 OLED panel + +Cc: stable@vger.kernel.org # 6.1+ +Signed-off-by: John Schoenick +Signed-off-by: Matthew Schwartz +Signed-off-by: Hamza Mahfooz +Link: https://patchwork.freedesktop.org/patch/msgid/20240628205822.348402-2-mattschwartz@gwu.edu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/drm_panel_orientation_quirks.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/gpu/drm/drm_panel_orientation_quirks.c ++++ b/drivers/gpu/drm/drm_panel_orientation_quirks.c +@@ -421,6 +421,13 @@ static const struct dmi_system_id orient + DMI_EXACT_MATCH(DMI_PRODUCT_VERSION, "1"), + }, + .driver_data = (void *)&lcd800x1280_rightside_up, ++ }, { /* Valve Steam Deck */ ++ .matches = { ++ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "Valve"), ++ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "Galileo"), ++ DMI_EXACT_MATCH(DMI_PRODUCT_VERSION, "1"), ++ }, ++ .driver_data = (void *)&lcd800x1280_rightside_up, + }, { /* VIOS LTH17 */ + .matches = { + DMI_EXACT_MATCH(DMI_SYS_VENDOR, "VIOS"), diff --git a/queue-6.6/ima-avoid-blocking-in-rcu-read-side-critical-section.patch b/queue-6.6/ima-avoid-blocking-in-rcu-read-side-critical-section.patch new file mode 100644 index 00000000000..679f06ce332 --- /dev/null +++ b/queue-6.6/ima-avoid-blocking-in-rcu-read-side-critical-section.patch 
@@ -0,0 +1,346 @@ +From 9a95c5bfbf02a0a7f5983280fe284a0ff0836c34 Mon Sep 17 00:00:00 2001 +From: GUO Zihua +Date: Tue, 7 May 2024 01:25:41 +0000 +Subject: ima: Avoid blocking in RCU read-side critical section + +From: GUO Zihua + +commit 9a95c5bfbf02a0a7f5983280fe284a0ff0836c34 upstream. + +A panic happens in ima_match_policy: + +BUG: unable to handle kernel NULL pointer dereference at 0000000000000010 +PGD 42f873067 P4D 0 +Oops: 0000 [#1] SMP NOPTI +CPU: 5 PID: 1286325 Comm: kubeletmonit.sh +Kdump: loaded Tainted: P +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), + BIOS 0.0.0 02/06/2015 +RIP: 0010:ima_match_policy+0x84/0x450 +Code: 49 89 fc 41 89 cf 31 ed 89 44 24 14 eb 1c 44 39 + 7b 18 74 26 41 83 ff 05 74 20 48 8b 1b 48 3b 1d + f2 b9 f4 00 0f 84 9c 01 00 00 <44> 85 73 10 74 ea + 44 8b 6b 14 41 f6 c5 01 75 d4 41 f6 c5 02 74 0f +RSP: 0018:ff71570009e07a80 EFLAGS: 00010207 +RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000200 +RDX: ffffffffad8dc7c0 RSI: 0000000024924925 RDI: ff3e27850dea2000 +RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffffabfce739 +R10: ff3e27810cc42400 R11: 0000000000000000 R12: ff3e2781825ef970 +R13: 00000000ff3e2785 R14: 000000000000000c R15: 0000000000000001 +FS: 00007f5195b51740(0000) +GS:ff3e278b12d40000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000000000010 CR3: 0000000626d24002 CR4: 0000000000361ee0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + ima_get_action+0x22/0x30 + process_measurement+0xb0/0x830 + ? page_add_file_rmap+0x15/0x170 + ? alloc_set_pte+0x269/0x4c0 + ? prep_new_page+0x81/0x140 + ? simple_xattr_get+0x75/0xa0 + ? selinux_file_open+0x9d/0xf0 + ima_file_check+0x64/0x90 + path_openat+0x571/0x1720 + do_filp_open+0x9b/0x110 + ? page_counter_try_charge+0x57/0xc0 + ? files_cgroup_alloc_fd+0x38/0x60 + ? __alloc_fd+0xd4/0x250 + ? 
do_sys_open+0x1bd/0x250 + do_sys_open+0x1bd/0x250 + do_syscall_64+0x5d/0x1d0 + entry_SYSCALL_64_after_hwframe+0x65/0xca + +Commit c7423dbdbc9e ("ima: Handle -ESTALE returned by +ima_filter_rule_match()") introduced call to ima_lsm_copy_rule within a +RCU read-side critical section which contains kmalloc with GFP_KERNEL. +This implies a possible sleep and violates limitations of RCU read-side +critical sections on non-PREEMPT systems. + +Sleeping within RCU read-side critical section might cause +synchronize_rcu() returning early and break RCU protection, allowing a +UAF to happen. + +The root cause of this issue could be described as follows: +| Thread A | Thread B | +| |ima_match_policy | +| | rcu_read_lock | +|ima_lsm_update_rule | | +| synchronize_rcu | | +| | kmalloc(GFP_KERNEL)| +| | sleep | +==> synchronize_rcu returns early +| kfree(entry) | | +| | entry = entry->next| +==> UAF happens and entry now becomes NULL (or could be anything). +| | entry->action | +==> Accessing entry might cause panic. + +To fix this issue, we are converting all kmalloc that is called within +RCU read-side critical section to use GFP_ATOMIC. 
+ +Fixes: c7423dbdbc9e ("ima: Handle -ESTALE returned by ima_filter_rule_match()") +Cc: stable@vger.kernel.org +Signed-off-by: GUO Zihua +Acked-by: John Johansen +Reviewed-by: Mimi Zohar +Reviewed-by: Casey Schaufler +[PM: fixed missing comment, long lines, !CONFIG_IMA_LSM_RULES case] +Signed-off-by: Paul Moore +Signed-off-by: Mimi Zohar +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/lsm_hook_defs.h | 2 +- + include/linux/security.h | 5 +++-- + kernel/auditfilter.c | 5 +++-- + security/apparmor/audit.c | 6 +++--- + security/apparmor/include/audit.h | 2 +- + security/integrity/ima/ima.h | 2 +- + security/integrity/ima/ima_policy.c | 15 +++++++++------ + security/security.c | 6 ++++-- + security/selinux/include/audit.h | 4 +++- + security/selinux/ss/services.c | 5 +++-- + security/smack/smack_lsm.c | 4 +++- + 11 files changed, 34 insertions(+), 22 deletions(-) + +--- a/include/linux/lsm_hook_defs.h ++++ b/include/linux/lsm_hook_defs.h +@@ -390,7 +390,7 @@ LSM_HOOK(int, 0, key_getsecurity, struct + + #ifdef CONFIG_AUDIT + LSM_HOOK(int, 0, audit_rule_init, u32 field, u32 op, char *rulestr, +- void **lsmrule) ++ void **lsmrule, gfp_t gfp) + LSM_HOOK(int, 0, audit_rule_known, struct audit_krule *krule) + LSM_HOOK(int, 0, audit_rule_match, u32 secid, u32 field, u32 op, void *lsmrule) + LSM_HOOK(void, LSM_RET_VOID, audit_rule_free, void *lsmrule) +--- a/include/linux/security.h ++++ b/include/linux/security.h +@@ -1953,7 +1953,8 @@ static inline int security_key_getsecuri + + #ifdef CONFIG_AUDIT + #ifdef CONFIG_SECURITY +-int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule); ++int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule, ++ gfp_t gfp); + int security_audit_rule_known(struct audit_krule *krule); + int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule); + void security_audit_rule_free(void *lsmrule); +@@ -1961,7 +1962,7 @@ void security_audit_rule_free(void *lsmr + #else + + static 
inline int security_audit_rule_init(u32 field, u32 op, char *rulestr, +- void **lsmrule) ++ void **lsmrule, gfp_t gfp) + { + return 0; + } +--- a/kernel/auditfilter.c ++++ b/kernel/auditfilter.c +@@ -529,7 +529,8 @@ static struct audit_entry *audit_data_to + entry->rule.buflen += f_val; + f->lsm_str = str; + err = security_audit_rule_init(f->type, f->op, str, +- (void **)&f->lsm_rule); ++ (void **)&f->lsm_rule, ++ GFP_KERNEL); + /* Keep currently invalid fields around in case they + * become valid after a policy reload. */ + if (err == -EINVAL) { +@@ -799,7 +800,7 @@ static inline int audit_dupe_lsm_field(s + + /* our own (refreshed) copy of lsm_rule */ + ret = security_audit_rule_init(df->type, df->op, df->lsm_str, +- (void **)&df->lsm_rule); ++ (void **)&df->lsm_rule, GFP_KERNEL); + /* Keep currently invalid fields around in case they + * become valid after a policy reload. */ + if (ret == -EINVAL) { +--- a/security/apparmor/audit.c ++++ b/security/apparmor/audit.c +@@ -217,7 +217,7 @@ void aa_audit_rule_free(void *vrule) + } + } + +-int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) ++int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule, gfp_t gfp) + { + struct aa_audit_rule *rule; + +@@ -230,14 +230,14 @@ int aa_audit_rule_init(u32 field, u32 op + return -EINVAL; + } + +- rule = kzalloc(sizeof(struct aa_audit_rule), GFP_KERNEL); ++ rule = kzalloc(sizeof(struct aa_audit_rule), gfp); + + if (!rule) + return -ENOMEM; + + /* Currently rules are treated as coming from the root ns */ + rule->label = aa_label_parse(&root_ns->unconfined->label, rulestr, +- GFP_KERNEL, true, false); ++ gfp, true, false); + if (IS_ERR(rule->label)) { + int err = PTR_ERR(rule->label); + aa_audit_rule_free(rule); +--- a/security/apparmor/include/audit.h ++++ b/security/apparmor/include/audit.h +@@ -193,7 +193,7 @@ static inline int complain_error(int err + } + + void aa_audit_rule_free(void *vrule); +-int aa_audit_rule_init(u32 field, u32 op, char 
*rulestr, void **vrule); ++int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule, gfp_t gfp); + int aa_audit_rule_known(struct audit_krule *rule); + int aa_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule); + +--- a/security/integrity/ima/ima.h ++++ b/security/integrity/ima/ima.h +@@ -430,7 +430,7 @@ static inline void ima_free_modsig(struc + #else + + static inline int ima_filter_rule_init(u32 field, u32 op, char *rulestr, +- void **lsmrule) ++ void **lsmrule, gfp_t gfp) + { + return -EINVAL; + } +--- a/security/integrity/ima/ima_policy.c ++++ b/security/integrity/ima/ima_policy.c +@@ -401,7 +401,8 @@ static void ima_free_rule(struct ima_rul + kfree(entry); + } + +-static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry) ++static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry, ++ gfp_t gfp) + { + struct ima_rule_entry *nentry; + int i; +@@ -410,7 +411,7 @@ static struct ima_rule_entry *ima_lsm_co + * Immutable elements are copied over as pointers and data; only + * lsm rules can change + */ +- nentry = kmemdup(entry, sizeof(*nentry), GFP_KERNEL); ++ nentry = kmemdup(entry, sizeof(*nentry), gfp); + if (!nentry) + return NULL; + +@@ -425,7 +426,8 @@ static struct ima_rule_entry *ima_lsm_co + + ima_filter_rule_init(nentry->lsm[i].type, Audit_equal, + nentry->lsm[i].args_p, +- &nentry->lsm[i].rule); ++ &nentry->lsm[i].rule, ++ gfp); + if (!nentry->lsm[i].rule) + pr_warn("rule for LSM \'%s\' is undefined\n", + nentry->lsm[i].args_p); +@@ -438,7 +440,7 @@ static int ima_lsm_update_rule(struct im + int i; + struct ima_rule_entry *nentry; + +- nentry = ima_lsm_copy_rule(entry); ++ nentry = ima_lsm_copy_rule(entry, GFP_KERNEL); + if (!nentry) + return -ENOMEM; + +@@ -664,7 +666,7 @@ retry: + } + + if (rc == -ESTALE && !rule_reinitialized) { +- lsm_rule = ima_lsm_copy_rule(rule); ++ lsm_rule = ima_lsm_copy_rule(rule, GFP_ATOMIC); + if (lsm_rule) { + rule_reinitialized = true; + goto retry; +@@ -1140,7 
+1142,8 @@ static int ima_lsm_rule_init(struct ima_ + entry->lsm[lsm_rule].type = audit_type; + result = ima_filter_rule_init(entry->lsm[lsm_rule].type, Audit_equal, + entry->lsm[lsm_rule].args_p, +- &entry->lsm[lsm_rule].rule); ++ &entry->lsm[lsm_rule].rule, ++ GFP_KERNEL); + if (!entry->lsm[lsm_rule].rule) { + pr_warn("rule for LSM \'%s\' is undefined\n", + entry->lsm[lsm_rule].args_p); +--- a/security/security.c ++++ b/security/security.c +@@ -5116,15 +5116,17 @@ int security_key_getsecurity(struct key + * @op: rule operator + * @rulestr: rule context + * @lsmrule: receive buffer for audit rule struct ++ * @gfp: GFP flag used for kmalloc + * + * Allocate and initialize an LSM audit rule structure. + * + * Return: Return 0 if @lsmrule has been successfully set, -EINVAL in case of + * an invalid rule. + */ +-int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule) ++int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule, ++ gfp_t gfp) + { +- return call_int_hook(audit_rule_init, 0, field, op, rulestr, lsmrule); ++ return call_int_hook(audit_rule_init, 0, field, op, rulestr, lsmrule, gfp); + } + + /** +--- a/security/selinux/include/audit.h ++++ b/security/selinux/include/audit.h +@@ -21,12 +21,14 @@ + * @op: the operator the rule uses + * @rulestr: the text "target" of the rule + * @rule: pointer to the new rule structure returned via this ++ * @gfp: GFP flag used for kmalloc + * + * Returns 0 if successful, -errno if not. On success, the rule structure + * will be allocated internally. The caller must free this structure with + * selinux_audit_rule_free() after use. + */ +-int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **rule); ++int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **rule, ++ gfp_t gfp); + + /** + * selinux_audit_rule_free - free an selinux audit rule structure. 
+--- a/security/selinux/ss/services.c ++++ b/security/selinux/ss/services.c +@@ -3497,7 +3497,8 @@ void selinux_audit_rule_free(void *vrule + } + } + +-int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) ++int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule, ++ gfp_t gfp) + { + struct selinux_state *state = &selinux_state; + struct selinux_policy *policy; +@@ -3538,7 +3539,7 @@ int selinux_audit_rule_init(u32 field, u + return -EINVAL; + } + +- tmprule = kzalloc(sizeof(struct selinux_audit_rule), GFP_KERNEL); ++ tmprule = kzalloc(sizeof(struct selinux_audit_rule), gfp); + if (!tmprule) + return -ENOMEM; + context_init(&tmprule->au_ctxt); +--- a/security/smack/smack_lsm.c ++++ b/security/smack/smack_lsm.c +@@ -4616,11 +4616,13 @@ static int smack_post_notification(const + * @op: required testing operator (=, !=, >, <, ...) + * @rulestr: smack label to be audited + * @vrule: pointer to save our own audit rule representation ++ * @gfp: type of the memory for the allocation + * + * Prepare to audit cases where (@field @op @rulestr) is true. + * The label to be audited is created if necessay. + */ +-static int smack_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) ++static int smack_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule, ++ gfp_t gfp) + { + struct smack_known *skp; + char **rule = (char **)vrule; diff --git a/queue-6.6/mtd-rawnand-bypass-a-couple-of-sanity-checks-during-nand-identification.patch b/queue-6.6/mtd-rawnand-bypass-a-couple-of-sanity-checks-during-nand-identification.patch new file mode 100644 index 00000000000..c3802258e7b --- /dev/null +++ b/queue-6.6/mtd-rawnand-bypass-a-couple-of-sanity-checks-during-nand-identification.patch 
@@ -0,0 +1,130 @@ +From 8754d9835683e8fab9a8305acdb38a3aeb9d20bd Mon Sep 17 00:00:00 2001 +From: Miquel Raynal +Date: Thu, 16 May 2024 15:13:20 +0200 +Subject: mtd: rawnand: Bypass a couple of sanity checks during NAND identification + +From: Miquel Raynal + +commit 8754d9835683e8fab9a8305acdb38a3aeb9d20bd upstream. + +Early during NAND identification, mtd_info fields have not yet been +initialized (namely, writesize and oobsize) and thus cannot be used for +sanity checks yet. Of course if there is a misuse of +nand_change_read_column_op() so early we won't be warned, but there is +anyway no actual check to perform at this stage as we do not yet know +the NAND geometry. + +So, if the fields are empty, especially mtd->writesize which is *always* +set quite rapidly after identification, let's skip the sanity checks. + +nand_change_read_column_op() is subject to be used early for ONFI/JEDEC +identification in the very unlikely case of: +- bitflips appearing in the parameter page, +- the controller driver not supporting simple DATA_IN cycles. + +As nand_change_read_column_op() uses nand_fill_column_cycles() the logic +explaind above also applies in this secondary helper. 
+ +Fixes: c27842e7e11f ("mtd: rawnand: onfi: Adapt the parameter page read to constraint controllers") +Fixes: daca31765e8b ("mtd: rawnand: jedec: Adapt the parameter page read to constraint controllers") +Cc: stable@vger.kernel.org +Reported-by: Alexander Dahl +Closes: https://lore.kernel.org/linux-mtd/20240306-shaky-bunion-d28b65ea97d7@thorsis.com/ +Reported-by: Steven Seeger +Closes: https://lore.kernel.org/linux-mtd/DM6PR05MB4506554457CF95191A670BDEF7062@DM6PR05MB4506.namprd05.prod.outlook.com/ +Signed-off-by: Miquel Raynal +Tested-by: Sascha Hauer +Link: https://lore.kernel.org/linux-mtd/20240516131320.579822-3-miquel.raynal@bootlin.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/nand/raw/nand_base.c | 57 +++++++++++++++++++++------------------ + 1 file changed, 32 insertions(+), 25 deletions(-) + +--- a/drivers/mtd/nand/raw/nand_base.c ++++ b/drivers/mtd/nand/raw/nand_base.c +@@ -1090,28 +1090,32 @@ static int nand_fill_column_cycles(struc + unsigned int offset_in_page) + { + struct mtd_info *mtd = nand_to_mtd(chip); ++ bool ident_stage = !mtd->writesize; + +- /* Make sure the offset is less than the actual page size. */ +- if (offset_in_page > mtd->writesize + mtd->oobsize) +- return -EINVAL; +- +- /* +- * On small page NANDs, there's a dedicated command to access the OOB +- * area, and the column address is relative to the start of the OOB +- * area, not the start of the page. Asjust the address accordingly. +- */ +- if (mtd->writesize <= 512 && offset_in_page >= mtd->writesize) +- offset_in_page -= mtd->writesize; +- +- /* +- * The offset in page is expressed in bytes, if the NAND bus is 16-bit +- * wide, then it must be divided by 2. +- */ +- if (chip->options & NAND_BUSWIDTH_16) { +- if (WARN_ON(offset_in_page % 2)) ++ /* Bypass all checks during NAND identification */ ++ if (likely(!ident_stage)) { ++ /* Make sure the offset is less than the actual page size. 
*/ ++ if (offset_in_page > mtd->writesize + mtd->oobsize) + return -EINVAL; + +- offset_in_page /= 2; ++ /* ++ * On small page NANDs, there's a dedicated command to access the OOB ++ * area, and the column address is relative to the start of the OOB ++ * area, not the start of the page. Asjust the address accordingly. ++ */ ++ if (mtd->writesize <= 512 && offset_in_page >= mtd->writesize) ++ offset_in_page -= mtd->writesize; ++ ++ /* ++ * The offset in page is expressed in bytes, if the NAND bus is 16-bit ++ * wide, then it must be divided by 2. ++ */ ++ if (chip->options & NAND_BUSWIDTH_16) { ++ if (WARN_ON(offset_in_page % 2)) ++ return -EINVAL; ++ ++ offset_in_page /= 2; ++ } + } + + addrs[0] = offset_in_page; +@@ -1120,7 +1124,7 @@ static int nand_fill_column_cycles(struc + * Small page NANDs use 1 cycle for the columns, while large page NANDs + * need 2 + */ +- if (mtd->writesize <= 512) ++ if (!ident_stage && mtd->writesize <= 512) + return 1; + + addrs[1] = offset_in_page >> 8; +@@ -1419,16 +1423,19 @@ int nand_change_read_column_op(struct na + unsigned int len, bool force_8bit) + { + struct mtd_info *mtd = nand_to_mtd(chip); ++ bool ident_stage = !mtd->writesize; + + if (len && !buf) + return -EINVAL; + +- if (offset_in_page + len > mtd->writesize + mtd->oobsize) +- return -EINVAL; ++ if (!ident_stage) { ++ if (offset_in_page + len > mtd->writesize + mtd->oobsize) ++ return -EINVAL; + +- /* Small page NANDs do not support column change. */ +- if (mtd->writesize <= 512) +- return -ENOTSUPP; ++ /* Small page NANDs do not support column change. */ ++ if (mtd->writesize <= 512) ++ return -ENOTSUPP; ++ } + + if (nand_has_exec_op(chip)) { + const struct nand_interface_config *conf = diff --git a/queue-6.6/mtd-rawnand-ensure-ecc-configuration-is-propagated-to-upper-layers.patch b/queue-6.6/mtd-rawnand-ensure-ecc-configuration-is-propagated-to-upper-layers.patch new file mode 100644 index 00000000000..2c900dcf035 --- /dev/null 
+++ b/queue-6.6/mtd-rawnand-ensure-ecc-configuration-is-propagated-to-upper-layers.patch 
@@ -0,0 +1,68 @@ +From 3a1b777eb9fb75d09c45ae5dd1d007eddcbebf1f Mon Sep 17 00:00:00 2001 +From: Miquel Raynal +Date: Tue, 7 May 2024 10:58:42 +0200 +Subject: mtd: rawnand: Ensure ECC configuration is propagated to upper layers + +From: Miquel Raynal + +commit 3a1b777eb9fb75d09c45ae5dd1d007eddcbebf1f upstream. + +Until recently the "upper layer" was MTD. But following incremental +reworks to bring spi-nand support and more recently generic ECC support, +there is now an intermediate "generic NAND" layer that also needs to get +access to some values. When using "converted" ECC engines, like the +software ones, these values are already propagated correctly. But +otherwise when using good old raw NAND controller drivers, we need to +manually set these values ourselves at the end of the "scan" operation, +once these values have been negotiated. + +Without this propagation, later (generic) checks like the one warning +users that the ECC strength is not high enough might simply no longer +work. 
+ +Fixes: 8c126720fe10 ("mtd: rawnand: Use the ECC framework nand_ecc_is_strong_enough() helper") +Cc: stable@vger.kernel.org +Reported-by: Sascha Hauer +Closes: https://lore.kernel.org/all/Zhe2JtvvN1M4Ompw@pengutronix.de/ +Signed-off-by: Miquel Raynal +Tested-by: Sascha Hauer +Link: https://lore.kernel.org/linux-mtd/20240507085842.108844-1-miquel.raynal@bootlin.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/nand/raw/nand_base.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/drivers/mtd/nand/raw/nand_base.c ++++ b/drivers/mtd/nand/raw/nand_base.c +@@ -6282,6 +6282,7 @@ static const struct nand_ops rawnand_ops + static int nand_scan_tail(struct nand_chip *chip) + { + struct mtd_info *mtd = nand_to_mtd(chip); ++ struct nand_device *base = &chip->base; + struct nand_ecc_ctrl *ecc = &chip->ecc; + int ret, i; + +@@ -6426,9 +6427,13 @@ static int nand_scan_tail(struct nand_ch + if (!ecc->write_oob_raw) + ecc->write_oob_raw = ecc->write_oob; + +- /* propagate ecc info to mtd_info */ ++ /* Propagate ECC info to the generic NAND and MTD layers */ + mtd->ecc_strength = ecc->strength; ++ if (!base->ecc.ctx.conf.strength) ++ base->ecc.ctx.conf.strength = ecc->strength; + mtd->ecc_step_size = ecc->size; ++ if (!base->ecc.ctx.conf.step_size) ++ base->ecc.ctx.conf.step_size = ecc->size; + + /* + * Set the number of read / write steps for one page depending on ECC +@@ -6436,6 +6441,8 @@ static int nand_scan_tail(struct nand_ch + */ + if (!ecc->steps) + ecc->steps = mtd->writesize / ecc->size; ++ if (!base->ecc.ctx.nsteps) ++ base->ecc.ctx.nsteps = ecc->steps; + if (ecc->steps * ecc->size != mtd->writesize) { + WARN(1, "Invalid ECC parameters\n"); + ret = -EINVAL; diff --git a/queue-6.6/mtd-rawnand-fix-the-nand_read_data_op-early-check.patch b/queue-6.6/mtd-rawnand-fix-the-nand_read_data_op-early-check.patch new file mode 100644 index 00000000000..35550b6b3ea --- /dev/null +++ b/queue-6.6/mtd-rawnand-fix-the-nand_read_data_op-early-check.patch 
@@ -0,0 +1,52 @@ +From 5da39530d19946f6241de84d1db69da2f5c61da7 Mon Sep 17 00:00:00 2001 +From: Miquel Raynal +Date: Thu, 16 May 2024 15:13:19 +0200 +Subject: mtd: rawnand: Fix the nand_read_data_op() early check + +From: Miquel Raynal + +commit 5da39530d19946f6241de84d1db69da2f5c61da7 upstream. + +The nand_read_data_op() operation, which only consists in DATA_IN +cycles, is sadly not supported by all controllers despite being very +basic. The core, for some time, supposed all drivers would support +it. An improvement to this situation for supporting more constrained +controller added a check to verify if the operation was supported before +attempting it by running the function with the check_only boolean set +first, and then possibly falling back to another (possibly slightly less +optimized) alternative. + +An even newer addition moved that check very early and probe time, in +order to perform the check only once. The content of the operation was +not so important, as long as the controller driver would tell whether +such operation on the NAND bus would be possible or not. In practice, no +buffer was provided (no fake buffer or whatever) as it is anyway not +relevant for the "check_only" condition. Unfortunately, early in the +function, there is an if statement verifying that the input parameters +are right for normal use, making the early check always unsuccessful. 
+ +Fixes: 9f820fc0651c ("mtd: rawnand: Check the data only read pattern only once") +Cc: stable@vger.kernel.org +Reported-by: Alexander Dahl +Closes: https://lore.kernel.org/linux-mtd/20240306-shaky-bunion-d28b65ea97d7@thorsis.com/ +Reported-by: Steven Seeger +Closes: https://lore.kernel.org/linux-mtd/DM6PR05MB4506554457CF95191A670BDEF7062@DM6PR05MB4506.namprd05.prod.outlook.com/ +Signed-off-by: Miquel Raynal +Reviewed-by: Alexander Dahl +Link: https://lore.kernel.org/linux-mtd/20240516131320.579822-2-miquel.raynal@bootlin.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/nand/raw/nand_base.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/mtd/nand/raw/nand_base.c ++++ b/drivers/mtd/nand/raw/nand_base.c +@@ -2154,7 +2154,7 @@ EXPORT_SYMBOL_GPL(nand_reset_op); + int nand_read_data_op(struct nand_chip *chip, void *buf, unsigned int len, + bool force_8bit, bool check_only) + { +- if (!len || !buf) ++ if (!len || (!check_only && !buf)) + return -EINVAL; + + if (nand_has_exec_op(chip)) { diff --git a/queue-6.6/mtd-rawnand-rockchip-ensure-nvddr-timings-are-rejected.patch b/queue-6.6/mtd-rawnand-rockchip-ensure-nvddr-timings-are-rejected.patch new file mode 100644 index 00000000000..c77574b05cd --- /dev/null +++ b/queue-6.6/mtd-rawnand-rockchip-ensure-nvddr-timings-are-rejected.patch 
@@ -0,0 +1,42 @@ +From b27d8946b5edd9827ee3c2f9ea1dd30022fb1ebe Mon Sep 17 00:00:00 2001 +From: Val Packett +Date: Sun, 19 May 2024 00:13:39 -0300 +Subject: mtd: rawnand: rockchip: ensure NVDDR timings are rejected + +From: Val Packett + +commit b27d8946b5edd9827ee3c2f9ea1dd30022fb1ebe upstream. + +.setup_interface first gets called with a "target" value of +NAND_DATA_IFACE_CHECK_ONLY, in which case an error is expected +if the controller driver does not support the timing mode (NVDDR). + +Fixes: a9ecc8c814e9 ("mtd: rawnand: Choose the best timings, NV-DDR included") +Signed-off-by: Val Packett +Cc: stable@vger.kernel.org +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20240519031409.26464-1-val@packett.cool +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/nand/raw/rockchip-nand-controller.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/mtd/nand/raw/rockchip-nand-controller.c ++++ b/drivers/mtd/nand/raw/rockchip-nand-controller.c +@@ -420,13 +420,13 @@ static int rk_nfc_setup_interface(struct + u32 rate, tc2rw, trwpw, trw2c; + u32 temp; + +- if (target < 0) +- return 0; +- + timings = nand_get_sdr_timings(conf); + if (IS_ERR(timings)) + return -EOPNOTSUPP; + ++ if (target < 0) ++ return 0; ++ + if (IS_ERR(nfc->nfc_clk)) + rate = clk_get_rate(nfc->ahb_clk); + else diff --git a/queue-6.6/net-stmmac-dwmac-qcom-ethqos-fix-error-array-size.patch b/queue-6.6/net-stmmac-dwmac-qcom-ethqos-fix-error-array-size.patch new file mode 100644 index 00000000000..909f6aa9161 --- /dev/null +++ b/queue-6.6/net-stmmac-dwmac-qcom-ethqos-fix-error-array-size.patch 
@@ -0,0 +1,34 @@ +From b698ab56837bc9e666b7e7e12e9c28fe1d6a763c Mon Sep 17 00:00:00 2001 +From: Yijie Yang +Date: Mon, 1 Jul 2024 09:47:20 +0800 +Subject: net: stmmac: dwmac-qcom-ethqos: fix error array size + +From: Yijie Yang + +commit b698ab56837bc9e666b7e7e12e9c28fe1d6a763c upstream. + +Correct member @num_por with size of right array @emac_v4_0_0_por for +struct ethqos_emac_driver_data @emac_v4_0_0_data. + +Cc: stable@vger.kernel.org +Fixes: 8c4d92e82d50 ("net: stmmac: dwmac-qcom-ethqos: add support for emac4 on sa8775p platforms") +Signed-off-by: Yijie Yang +Reviewed-by: Bartosz Golaszewski +Link: https://patch.msgid.link/20240701014720.2547856-1-quic_yijiyang@quicinc.com +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/stmicro/stmmac/dwmac-qcom-ethqos.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-qcom-ethqos.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-qcom-ethqos.c +@@ -268,7 +268,7 @@ static const struct ethqos_emac_por emac + + static const struct ethqos_emac_driver_data emac_v4_0_0_data = { + .por = emac_v4_0_0_por, +- .num_por = ARRAY_SIZE(emac_v3_0_0_por), ++ .num_por = ARRAY_SIZE(emac_v4_0_0_por), + .rgmii_config_loopback_en = false, + .has_emac_ge_3 = true, + .link_clk_name = "phyaux", diff --git a/queue-6.6/powerpc-64s-fix-unnecessary-copy-to-0-when-kernel-is-booted-at-address-0.patch b/queue-6.6/powerpc-64s-fix-unnecessary-copy-to-0-when-kernel-is-booted-at-address-0.patch new file mode 100644 index 00000000000..c34ff207fa0 --- /dev/null +++ b/queue-6.6/powerpc-64s-fix-unnecessary-copy-to-0-when-kernel-is-booted-at-address-0.patch 
@@ -0,0 +1,45 @@ +From 13fc6c175924eaa953cf597ce28ffa4edc4554a6 Mon Sep 17 00:00:00 2001 +From: Jinglin Wen +Date: Thu, 20 Jun 2024 10:41:50 +0800 +Subject: powerpc/64s: Fix unnecessary copy to 0 when kernel is booted at address 0 + +From: Jinglin Wen + +commit 13fc6c175924eaa953cf597ce28ffa4edc4554a6 upstream. + +According to the code logic, when the kernel is loaded at address 0, no +copying operation should be performed, but it is currently being done. + +This patch fixes the issue where the kernel code was incorrectly +duplicated to address 0 when booting from address 0. + +Fixes: b270bebd34e3 ("powerpc/64s: Run at the kernel virtual address earlier in boot") +Cc: stable@vger.kernel.org # v6.4+ +Signed-off-by: Jinglin Wen +Suggested-by: Michael Ellerman +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20240620024150.14857-1-jinglin.wen@shingroup.cn +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/kernel/head_64.S | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/arch/powerpc/kernel/head_64.S b/arch/powerpc/kernel/head_64.S +index 4690c219bfa4..63432a33ec49 100644 +--- a/arch/powerpc/kernel/head_64.S ++++ b/arch/powerpc/kernel/head_64.S +@@ -647,8 +647,9 @@ __after_prom_start: + * Note: This process overwrites the OF exception vectors. + */ + LOAD_REG_IMMEDIATE(r3, PAGE_OFFSET) +- mr. r4,r26 /* In some cases the loader may */ +- beq 9f /* have already put us at zero */ ++ mr r4,r26 /* Load the virtual source address into r4 */ ++ cmpld r3,r4 /* Check if source == dest */ ++ beq 9f /* If so skip the copy */ + li r6,0x100 /* Start offset, the first 0x100 */ + /* bytes were copied earlier. */ + +-- +2.45.2 + diff --git a/queue-6.6/powerpc-pseries-fix-scv-instruction-crash-with-kexec.patch b/queue-6.6/powerpc-pseries-fix-scv-instruction-crash-with-kexec.patch new file mode 100644 index 00000000000..8656090e271 --- /dev/null +++ b/queue-6.6/powerpc-pseries-fix-scv-instruction-crash-with-kexec.patch 
@@ -0,0 +1,100 @@ +From 21a741eb75f80397e5f7d3739e24d7d75e619011 Mon Sep 17 00:00:00 2001 +From: Nicholas Piggin +Date: Tue, 25 Jun 2024 23:40:47 +1000 +Subject: powerpc/pseries: Fix scv instruction crash with kexec + +From: Nicholas Piggin + +commit 21a741eb75f80397e5f7d3739e24d7d75e619011 upstream. + +kexec on pseries disables AIL (reloc_on_exc), required for scv +instruction support, before other CPUs have been shut down. This means +they can execute scv instructions after AIL is disabled, which causes an +interrupt at an unexpected entry location that crashes the kernel. + +Change the kexec sequence to disable AIL after other CPUs have been +brought down. + +As a refresher, the real-mode scv interrupt vector is 0x17000, and the +fixed-location head code probably couldn't easily deal with implementing +such high addresses so it was just decided not to support that interrupt +at all. + +Fixes: 7fa95f9adaee ("powerpc/64s: system call support for scv/rfscv instructions") +Cc: stable@vger.kernel.org # v5.9+ +Reported-by: Sourabh Jain +Closes: https://lore.kernel.org/3b4b2943-49ad-4619-b195-bc416f1d1409@linux.ibm.com +Signed-off-by: Nicholas Piggin +Tested-by: Gautam Menghani +Tested-by: Sourabh Jain +Link: https://msgid.link/20240625134047.298759-1-npiggin@gmail.com +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/kexec/core_64.c | 11 +++++++++++ + arch/powerpc/platforms/pseries/kexec.c | 8 -------- + arch/powerpc/platforms/pseries/pseries.h | 1 - + arch/powerpc/platforms/pseries/setup.c | 1 - + 4 files changed, 11 insertions(+), 10 deletions(-) + +--- a/arch/powerpc/kexec/core_64.c ++++ b/arch/powerpc/kexec/core_64.c +@@ -26,6 +26,7 @@ + #include + #include + #include /* _end */ ++#include + #include + #include + #include +@@ -316,6 +317,16 @@ void default_machine_kexec(struct kimage + if (!kdump_in_progress()) + kexec_prepare_cpus(); + ++#ifdef CONFIG_PPC_PSERIES ++ /* ++ * This must be done after other CPUs have shut down, 
otherwise they ++ * could execute the 'scv' instruction, which is not supported with ++ * reloc disabled (see configure_exceptions()). ++ */ ++ if (firmware_has_feature(FW_FEATURE_SET_MODE)) ++ pseries_disable_reloc_on_exc(); ++#endif ++ + printk("kexec: Starting switchover sequence.\n"); + + /* switch to a staticly allocated stack. Based on irq stack code. +--- a/arch/powerpc/platforms/pseries/kexec.c ++++ b/arch/powerpc/platforms/pseries/kexec.c +@@ -61,11 +61,3 @@ void pseries_kexec_cpu_down(int crash_sh + } else + xics_kexec_teardown_cpu(secondary); + } +- +-void pseries_machine_kexec(struct kimage *image) +-{ +- if (firmware_has_feature(FW_FEATURE_SET_MODE)) +- pseries_disable_reloc_on_exc(); +- +- default_machine_kexec(image); +-} +--- a/arch/powerpc/platforms/pseries/pseries.h ++++ b/arch/powerpc/platforms/pseries/pseries.h +@@ -38,7 +38,6 @@ static inline void smp_init_pseries(void + #endif + + extern void pseries_kexec_cpu_down(int crash_shutdown, int secondary); +-void pseries_machine_kexec(struct kimage *image); + + extern void pSeries_final_fixup(void); + +--- a/arch/powerpc/platforms/pseries/setup.c ++++ b/arch/powerpc/platforms/pseries/setup.c +@@ -1153,7 +1153,6 @@ define_machine(pseries) { + .machine_check_exception = pSeries_machine_check_exception, + .machine_check_log_err = pSeries_machine_check_log_err, + #ifdef CONFIG_KEXEC_CORE +- .machine_kexec = pseries_machine_kexec, + .kexec_cpu_down = pseries_kexec_cpu_down, + #endif + #ifdef CONFIG_MEMORY_HOTPLUG diff --git a/queue-6.6/revert-mm-writeback-fix-possible-divide-by-zero-in-wb_dirty_limits-again.patch b/queue-6.6/revert-mm-writeback-fix-possible-divide-by-zero-in-wb_dirty_limits-again.patch new file mode 100644 index 00000000000..f5dc777f97a --- /dev/null +++ b/queue-6.6/revert-mm-writeback-fix-possible-divide-by-zero-in-wb_dirty_limits-again.patch 
@@ -0,0 +1,53 @@ +From 30139c702048f1097342a31302cbd3d478f50c63 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Fri, 21 Jun 2024 16:42:37 +0200 +Subject: Revert "mm/writeback: fix possible divide-by-zero in wb_dirty_limits(), again" + +From: Jan Kara + +commit 30139c702048f1097342a31302cbd3d478f50c63 upstream. + +Patch series "mm: Avoid possible overflows in dirty throttling". + +Dirty throttling logic assumes dirty limits in page units fit into +32-bits. This patch series makes sure this is true (see patch 2/2 for +more details). + + +This patch (of 2): + +This reverts commit 9319b647902cbd5cc884ac08a8a6d54ce111fc78. + +The commit is broken in several ways. Firstly, the removed (u64) cast +from the multiplication will introduce a multiplication overflow on 32-bit +archs if wb_thresh * bg_thresh >= 1<<32 (which is actually common - the +default settings with 4GB of RAM will trigger this). Secondly, the +div64_u64() is unnecessarily expensive on 32-bit archs. We have +div64_ul() in case we want to be safe & cheap. Thirdly, if dirty +thresholds are larger than 1<<32 pages, then dirty balancing is going to +blow up in many other spectacular ways anyway so trying to fix one +possible overflow is just moot. + +Link: https://lkml.kernel.org/r/20240621144017.30993-1-jack@suse.cz +Link: https://lkml.kernel.org/r/20240621144246.11148-1-jack@suse.cz +Fixes: 9319b647902c ("mm/writeback: fix possible divide-by-zero in wb_dirty_limits(), again") +Signed-off-by: Jan Kara +Reviewed-By: Zach O'Keefe +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/page-writeback.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/page-writeback.c ++++ b/mm/page-writeback.c +@@ -1660,7 +1660,7 @@ static inline void wb_dirty_limits(struc + */ + dtc->wb_thresh = __wb_calc_thresh(dtc); + dtc->wb_bg_thresh = dtc->thresh ? 
+- div64_u64(dtc->wb_thresh * dtc->bg_thresh, dtc->thresh) : 0; ++ div_u64((u64)dtc->wb_thresh * dtc->bg_thresh, dtc->thresh) : 0; + + /* + * In order to avoid the stacked BDI deadlock we need diff --git a/queue-6.6/series b/queue-6.6/series index f96d29d2fa4..fa453f0b0fb 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -98,3 +98,19 @@ bluetooth-hci_bcm4377-fix-msgid-release.patch bluetooth-qca-fix-bt-enable-failure-again-for-qca6390-after-warm-reboot.patch can-kvaser_usb-explicitly-initialize-family-in-leafimx-driver_info-struct.patch fsnotify-do-not-generate-events-for-o_path-file-descriptors.patch +revert-mm-writeback-fix-possible-divide-by-zero-in-wb_dirty_limits-again.patch +drm-nouveau-fix-null-pointer-dereference-in-nouveau_connector_get_modes.patch +drm-amdgpu-atomfirmware-silence-ubsan-warning.patch +drm-panel-orientation-quirks-add-quirk-for-valve-galileo.patch +clk-qcom-gcc-ipq9574-add-branch_halt_voted-flag.patch +clk-sunxi-ng-common-don-t-call-hw_to_ccu_common-on-hw-without-common.patch +powerpc-pseries-fix-scv-instruction-crash-with-kexec.patch +powerpc-64s-fix-unnecessary-copy-to-0-when-kernel-is-booted-at-address-0.patch +mtd-rawnand-ensure-ecc-configuration-is-propagated-to-upper-layers.patch +mtd-rawnand-fix-the-nand_read_data_op-early-check.patch +mtd-rawnand-bypass-a-couple-of-sanity-checks-during-nand-identification.patch +mtd-rawnand-rockchip-ensure-nvddr-timings-are-rejected.patch +net-stmmac-dwmac-qcom-ethqos-fix-error-array-size.patch +bnx2x-fix-multiple-ubsan-array-index-out-of-bounds.patch +arm64-dts-rockchip-fix-the-dcdc_reg2-minimum-voltage-on-quartz64-model-b.patch +ima-avoid-blocking-in-rcu-read-side-critical-section.patch
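Review bot: in security/integrity/ima/ima_policy.c, ima_lsm_copy_rule() still discards the return value of ima_filter_rule_init() and only tests "!nentry->lsm[i].rule", so on the -ESTALE retry path that now passes GFP_ATOMIC an allocation failure is logged as "rule for LSM '%s' is undefined" and cannot be told apart from a label the loaded policy does not know. GFP_ATOMIC allocations fail more readily than GFP_KERNEL ones, so I would capture the return code and handle -ENOMEM explicitly (free nentry and return NULL, or at least log it as an allocation failure) rather than continue with an entry whose LSM rule is NULL.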
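Review bot: in security/security.c the kerneldoc for security_audit_rule_init() gains "@gfp: GFP flag used for kmalloc" but the Return: text still lists only 0 and -EINVAL, while the AppArmor and SELinux implementations touched by this same patch return -ENOMEM when the allocation with the caller's gfp fails. Please add -ENOMEM to the Return: section and say in the @gfp line when a caller has to pass a non-sleeping flag, since the only GFP_ATOMIC user visible here is the IMA retry path.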
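Review bot: in nand_fill_column_cycles() (drivers/mtd/nand/raw/nand_base.c, hunk at -1090) the "if (likely(!ident_stage))" block wraps more than sanity checks: the NAND_BUSWIDTH_16 halving of offset_in_page is an address conversion, and it is now skipped too whenever mtd->writesize is 0. If identification is always done with byte-wide column addresses that is correct, but the comment "Bypass all checks during NAND identification" does not say so. Either keep the bus-width conversion outside the bypass or add a sentence explaining why it must not run at this stage.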
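Review bot: in nand_change_read_column_op() (hunk at -1419) the identification test "bool ident_stage = !mtd->writesize;" is a second copy of the heuristic already added to nand_fill_column_cycles(), here without the explanatory comment and without likely(). Inferring the probe stage from an uninitialised geometry field is subtle enough that I would put it in one small static helper with a comment stating the assumption from the commit message (writesize is always set right after identification) and call it from both places.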
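Review bot: in nand_scan_tail() the new assignments to base->ecc.ctx.conf.strength, base->ecc.ctx.conf.step_size and base->ecc.ctx.nsteps are each guarded by "if (!base->...)", so a non-zero value already present in the generic NAND context is kept even when it differs from ecc->strength, ecc->size or ecc->steps, and the MTD and generic layers can then disagree silently. Please either document which source is authoritative when both are set, or warn on a mismatch. Note also that nsteps is copied before the "ecc->steps * ecc->size != mtd->writesize" validation a few lines below, so an invalid value is propagated before it is rejected.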
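Review bot: in nand_read_data_op() the condition "if (!len || (!check_only && !buf))" now lets a NULL buf through whenever check_only is set, but nothing at the call site records that contract. A one-line comment above the test (buf may be NULL for a check_only probe and must not be dereferenced on that path) would keep a later cleanup from collapsing the condition back to "!len || !buf", which is exactly the regression the commit message describes.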
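Review bot: in rk_nfc_setup_interface() the fix depends entirely on the order of two statements: nand_get_sdr_timings() has to run before the "if (target < 0) return 0;" early exit so that the check-only call rejects NV-DDR. Nothing in the code says so, and the old order looks like the more natural one. Please add a comment on the moved block, and consider spelling the test as a comparison against NAND_DATA_IFACE_CHECK_ONLY, the name the commit message uses, instead of "target < 0".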
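Review bot: in dwmac-qcom-ethqos.c the change of .num_por to ARRAY_SIZE(emac_v4_0_0_por) is right, but the commit message does not state what the wrong ARRAY_SIZE(emac_v3_0_0_por) caused. For a stable backport it matters whether the v3 table is longer than emac_v4_0_0_por (consumers of .por and .num_por read past the end of the array) or shorter (some v4 entries are never applied). Please state which case applies so that backporters can judge the severity.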
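Review bot: in arch/powerpc/kernel/head_64.S the three new comments restate the instructions ("Check if source == dest") and drop the reason the old comment carried ("the loader may have already put us at zero"), while the subject line still speaks of booting at address 0 although the code now compares r4 against PAGE_OFFSET in r3. A short comment that r26 holds the kernel's virtual address at this point, so that "already in place" means equal to PAGE_OFFSET and not equal to zero, would make the cmpld self-explanatory.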
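Review bot: in default_machine_kexec() (arch/powerpc/kexec/core_64.c) the new CONFIG_PPC_PSERIES block is placed after "if (!kdump_in_progress()) kexec_prepare_cpus();", so on the kdump path nothing in this function has stopped the other CPUs before pseries_disable_reloc_on_exc() runs, yet the comment says without qualification "This must be done after other CPUs have shut down". Please extend the comment to name where the crash path brings the secondaries down, or state that the guarantee covers the non-crash path only. A platform #ifdef in the generic kexec path also deserves a word on why the removed pseries_machine_kexec() hook could not simply be reordered.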
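Review bot: in wb_dirty_limits() (mm/page-writeback.c) the restored div_u64() takes a 32-bit divisor, so dtc->thresh is truncated when it reaches 1<<32 pages; a value that is a non-zero multiple of 1<<32 passes the "dtc->thresh ?" test and then divides by zero. The commit message defers that case to patch 2/2 of the series, and no such companion patch is among the entries this change adds to queue-6.6/series. Please confirm that patch 2/2 is queued together with this revert, otherwise the revert reopens the divide-by-zero that the reverted commit was addressing.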