From: Sasha Levin Date: Tue, 10 Dec 2024 20:35:48 +0000 (-0500) Subject: Fixes for 5.4 X-Git-Tag: v6.6.65~4^2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1eebe4b5903b11bcdcd98899041d19691d454eab;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.4 Signed-off-by: Sasha Levin --- diff --git a/queue-5.4/af_packet-avoid-erroring-out-after-sock_init_data-in.patch b/queue-5.4/af_packet-avoid-erroring-out-after-sock_init_data-in.patch new file mode 100644 index 00000000000..f1d440694dd --- /dev/null +++ b/queue-5.4/af_packet-avoid-erroring-out-after-sock_init_data-in.patch @@ -0,0 +1,67 @@ +From 99f268cda55fc2c64c3b3cdd9ebaa2fbcac00cab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Oct 2024 16:38:00 +0100 +Subject: af_packet: avoid erroring out after sock_init_data() in + packet_create() + +From: Ignat Korchagin + +[ Upstream commit 46f2a11cb82b657fd15bab1c47821b635e03838b ] + +After sock_init_data() the allocated sk object is attached to the provided +sock object. On error, packet_create() frees the sk object leaving the +dangling pointer in the sock object on return. Some other code may try +to use this pointer and cause use-after-free. + +Suggested-by: Eric Dumazet +Signed-off-by: Ignat Korchagin +Reviewed-by: Kuniyuki Iwashima +Reviewed-by: Willem de Bruijn +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20241014153808.51894-2-ignat@cloudflare.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/packet/af_packet.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index 6aed6a36ea456..88bc4a21dda45 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -3357,18 +3357,18 @@ static int packet_create(struct net *net, struct socket *sock, int protocol, + if (sock->type == SOCK_PACKET) + sock->ops = &packet_ops_spkt; + ++ po = pkt_sk(sk); ++ err = packet_alloc_pending(po); ++ if (err) ++ goto out_sk_free; ++ + sock_init_data(sock, sk); + +- po = pkt_sk(sk); + init_completion(&po->skb_completion); + sk->sk_family = PF_PACKET; + po->num = proto; + po->xmit = dev_queue_xmit; + +- err = packet_alloc_pending(po); +- if (err) +- goto out2; +- + packet_cached_dev_reset(po); + + sk->sk_destruct = packet_sock_destruct; +@@ -3403,7 +3403,7 @@ static int packet_create(struct net *net, struct socket *sock, int protocol, + preempt_enable(); + + return 0; +-out2: ++out_sk_free: + sk_free(sk); + out: + return err; +-- +2.43.0 + diff --git a/queue-5.4/asoc-hdmi-codec-reorder-channel-allocation-list.patch b/queue-5.4/asoc-hdmi-codec-reorder-channel-allocation-list.patch new file mode 100644 index 00000000000..5e60ecb911b --- /dev/null +++ b/queue-5.4/asoc-hdmi-codec-reorder-channel-allocation-list.patch @@ -0,0 +1,210 @@ +From 44c11e64f795148fb7c62b9362a9b3fa8b15738b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Nov 2024 04:43:44 +0000 +Subject: ASoC: hdmi-codec: reorder channel allocation list + +From: Jonas Karlman + +[ Upstream commit 82ff5abc2edcfba0c0f1a1be807795e2876f46e9 ] + +The ordering in hdmi_codec_get_ch_alloc_table_idx() results in +wrong channel allocation for a number of cases, e.g. when ELD +reports FL|FR|LFE|FC|RL|RR or FL|FR|LFE|FC|RL|RR|RC|RLC|RRC: + +ca_id 0x01 with speaker mask FL|FR|LFE is selected instead of +ca_id 0x03 with speaker mask FL|FR|LFE|FC for 4 channels + +and + +ca_id 0x04 with speaker mask FL|FR|RC gets selected instead of +ca_id 0x0b with speaker mask FL|FR|LFE|FC|RL|RR for 6 channels + +Fix this by reordering the channel allocation list with most +specific speaker masks at the top. + +Signed-off-by: Jonas Karlman +Signed-off-by: Christian Hewitt +Link: https://patch.msgid.link/20241115044344.3510979-1-christianshewitt@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/hdmi-codec.c | 140 +++++++++++++++++++--------------- + 1 file changed, 77 insertions(+), 63 deletions(-) + +diff --git a/sound/soc/codecs/hdmi-codec.c b/sound/soc/codecs/hdmi-codec.c +index f8b5b960e5970..cc6ae76e2132f 100644 +--- a/sound/soc/codecs/hdmi-codec.c ++++ b/sound/soc/codecs/hdmi-codec.c +@@ -189,84 +189,97 @@ static const struct snd_pcm_chmap_elem hdmi_codec_8ch_chmaps[] = { + /* + * hdmi_codec_channel_alloc: speaker configuration available for CEA + * +- * This is an ordered list that must match with hdmi_codec_8ch_chmaps struct ++ * This is an ordered list where ca_id must exist in hdmi_codec_8ch_chmaps + * The preceding ones have better chances to be selected by + * hdmi_codec_get_ch_alloc_table_idx(). + */ + static const struct hdmi_codec_cea_spk_alloc hdmi_codec_channel_alloc[] = { + { .ca_id = 0x00, .n_ch = 2, +- .mask = FL | FR}, +- /* 2.1 */ +- { .ca_id = 0x01, .n_ch = 4, +- .mask = FL | FR | LFE}, +- /* Dolby Surround */ ++ .mask = FL | FR }, ++ { .ca_id = 0x03, .n_ch = 4, ++ .mask = FL | FR | LFE | FC }, + { .ca_id = 0x02, .n_ch = 4, + .mask = FL | FR | FC }, +- /* surround51 */ ++ { .ca_id = 0x01, .n_ch = 4, ++ .mask = FL | FR | LFE }, + { .ca_id = 0x0b, .n_ch = 6, +- .mask = FL | FR | LFE | FC | RL | RR}, +- /* surround40 */ +- { .ca_id = 0x08, .n_ch = 6, +- .mask = FL | FR | RL | RR }, +- /* surround41 */ +- { .ca_id = 0x09, .n_ch = 6, +- .mask = FL | FR | LFE | RL | RR }, +- /* surround50 */ ++ .mask = FL | FR | LFE | FC | RL | RR }, + { .ca_id = 0x0a, .n_ch = 6, + .mask = FL | FR | FC | RL | RR }, +- /* 6.1 */ +- { .ca_id = 0x0f, .n_ch = 8, +- .mask = FL | FR | LFE | FC | RL | RR | RC }, +- /* surround71 */ ++ { .ca_id = 0x09, .n_ch = 6, ++ .mask = FL | FR | LFE | RL | RR }, ++ { .ca_id = 0x08, .n_ch = 6, ++ .mask = FL | FR | RL | RR }, ++ { .ca_id = 0x07, .n_ch = 6, ++ .mask = FL | FR | LFE | FC | RC }, ++ { .ca_id = 0x06, .n_ch = 6, ++ .mask = FL | FR | FC | RC }, ++ { .ca_id = 0x05, .n_ch = 6, ++ .mask = FL | FR | LFE | RC }, ++ { .ca_id = 0x04, .n_ch = 6, ++ .mask = FL | FR | RC }, + { .ca_id = 0x13, .n_ch = 8, + .mask = FL | FR | LFE | FC | RL | RR | RLC | RRC }, +- /* others */ +- { .ca_id = 0x03, .n_ch = 8, +- .mask = FL | FR | LFE | FC }, +- { .ca_id = 0x04, .n_ch = 8, +- .mask = FL | FR | RC}, +- { .ca_id = 0x05, .n_ch = 8, +- .mask = FL | FR | LFE | RC }, +- { .ca_id = 0x06, .n_ch = 8, +- .mask = FL | FR | FC | RC }, +- { .ca_id = 0x07, .n_ch = 8, +- .mask = FL | FR | LFE | FC | RC }, +- { .ca_id = 0x0c, .n_ch = 8, +- .mask = FL | FR | RC | RL | RR }, +- { .ca_id = 0x0d, .n_ch = 8, +- .mask = FL | FR | LFE | RL | RR | RC }, +- { .ca_id = 0x0e, .n_ch = 8, +- .mask = FL | FR | FC | RL | RR | RC }, +- { .ca_id = 0x10, .n_ch = 8, +- .mask = FL | FR | RL | RR | RLC | RRC }, +- { .ca_id = 0x11, .n_ch = 8, +- .mask = FL | FR | LFE | RL | RR | RLC | RRC }, ++ { .ca_id = 0x1f, .n_ch = 8, ++ .mask = FL | FR | LFE | FC | RL | RR | FLC | FRC }, + { .ca_id = 0x12, .n_ch = 8, + .mask = FL | FR | FC | RL | RR | RLC | RRC }, +- { .ca_id = 0x14, .n_ch = 8, +- .mask = FL | FR | FLC | FRC }, +- { .ca_id = 0x15, .n_ch = 8, +- .mask = FL | FR | LFE | FLC | FRC }, +- { .ca_id = 0x16, .n_ch = 8, +- .mask = FL | FR | FC | FLC | FRC }, +- { .ca_id = 0x17, .n_ch = 8, +- .mask = FL | FR | LFE | FC | FLC | FRC }, +- { .ca_id = 0x18, .n_ch = 8, +- .mask = FL | FR | RC | FLC | FRC }, +- { .ca_id = 0x19, .n_ch = 8, +- .mask = FL | FR | LFE | RC | FLC | FRC }, +- { .ca_id = 0x1a, .n_ch = 8, +- .mask = FL | FR | RC | FC | FLC | FRC }, +- { .ca_id = 0x1b, .n_ch = 8, +- .mask = FL | FR | LFE | RC | FC | FLC | FRC }, +- { .ca_id = 0x1c, .n_ch = 8, +- .mask = FL | FR | RL | RR | FLC | FRC }, +- { .ca_id = 0x1d, .n_ch = 8, +- .mask = FL | FR | LFE | RL | RR | FLC | FRC }, + { .ca_id = 0x1e, .n_ch = 8, + .mask = FL | FR | FC | RL | RR | FLC | FRC }, +- { .ca_id = 0x1f, .n_ch = 8, +- .mask = FL | FR | LFE | FC | RL | RR | FLC | FRC }, ++ { .ca_id = 0x11, .n_ch = 8, ++ .mask = FL | FR | LFE | RL | RR | RLC | RRC }, ++ { .ca_id = 0x1d, .n_ch = 8, ++ .mask = FL | FR | LFE | RL | RR | FLC | FRC }, ++ { .ca_id = 0x10, .n_ch = 8, ++ .mask = FL | FR | RL | RR | RLC | RRC }, ++ { .ca_id = 0x1c, .n_ch = 8, ++ .mask = FL | FR | RL | RR | FLC | FRC }, ++ { .ca_id = 0x0f, .n_ch = 8, ++ .mask = FL | FR | LFE | FC | RL | RR | RC }, ++ { .ca_id = 0x1b, .n_ch = 8, ++ .mask = FL | FR | LFE | RC | FC | FLC | FRC }, ++ { .ca_id = 0x0e, .n_ch = 8, ++ .mask = FL | FR | FC | RL | RR | RC }, ++ { .ca_id = 0x1a, .n_ch = 8, ++ .mask = FL | FR | RC | FC | FLC | FRC }, ++ { .ca_id = 0x0d, .n_ch = 8, ++ .mask = FL | FR | LFE | RL | RR | RC }, ++ { .ca_id = 0x19, .n_ch = 8, ++ .mask = FL | FR | LFE | RC | FLC | FRC }, ++ { .ca_id = 0x0c, .n_ch = 8, ++ .mask = FL | FR | RC | RL | RR }, ++ { .ca_id = 0x18, .n_ch = 8, ++ .mask = FL | FR | RC | FLC | FRC }, ++ { .ca_id = 0x17, .n_ch = 8, ++ .mask = FL | FR | LFE | FC | FLC | FRC }, ++ { .ca_id = 0x16, .n_ch = 8, ++ .mask = FL | FR | FC | FLC | FRC }, ++ { .ca_id = 0x15, .n_ch = 8, ++ .mask = FL | FR | LFE | FLC | FRC }, ++ { .ca_id = 0x14, .n_ch = 8, ++ .mask = FL | FR | FLC | FRC }, ++ { .ca_id = 0x0b, .n_ch = 8, ++ .mask = FL | FR | LFE | FC | RL | RR }, ++ { .ca_id = 0x0a, .n_ch = 8, ++ .mask = FL | FR | FC | RL | RR }, ++ { .ca_id = 0x09, .n_ch = 8, ++ .mask = FL | FR | LFE | RL | RR }, ++ { .ca_id = 0x08, .n_ch = 8, ++ .mask = FL | FR | RL | RR }, ++ { .ca_id = 0x07, .n_ch = 8, ++ .mask = FL | FR | LFE | FC | RC }, ++ { .ca_id = 0x06, .n_ch = 8, ++ .mask = FL | FR | FC | RC }, ++ { .ca_id = 0x05, .n_ch = 8, ++ .mask = FL | FR | LFE | RC }, ++ { .ca_id = 0x04, .n_ch = 8, ++ .mask = FL | FR | RC }, ++ { .ca_id = 0x03, .n_ch = 8, ++ .mask = FL | FR | LFE | FC }, ++ { .ca_id = 0x02, .n_ch = 8, ++ .mask = FL | FR | FC }, ++ { .ca_id = 0x01, .n_ch = 8, ++ .mask = FL | FR | LFE }, + }; + + struct hdmi_codec_priv { +@@ -372,7 +385,8 @@ static int hdmi_codec_chmap_ctl_get(struct snd_kcontrol *kcontrol, + struct snd_pcm_chmap *info = snd_kcontrol_chip(kcontrol); + struct hdmi_codec_priv *hcp = info->private_data; + +- map = info->chmap[hcp->chmap_idx].map; ++ if (hcp->chmap_idx != HDMI_CODEC_CHMAP_IDX_UNKNOWN) ++ map = info->chmap[hcp->chmap_idx].map; + + for (i = 0; i < info->max_channels; i++) { + if (hcp->chmap_idx == HDMI_CODEC_CHMAP_IDX_UNKNOWN) +-- +2.43.0 + diff --git a/queue-5.4/bluetooth-btusb-add-rtl8852be-device-0489-e123-to-de.patch b/queue-5.4/bluetooth-btusb-add-rtl8852be-device-0489-e123-to-de.patch new file mode 100644 index 00000000000..97429eb69ed --- /dev/null +++ b/queue-5.4/bluetooth-btusb-add-rtl8852be-device-0489-e123-to-de.patch @@ -0,0 +1,67 @@ +From 97099df1dcf623d366a944f55cc9851a4f43968f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Oct 2024 16:37:29 +0800 +Subject: Bluetooth: btusb: Add RTL8852BE device 0489:e123 to device tables + +From: Hilda Wu + +[ Upstream commit 69b84ffce260ff13826dc10aeb3c3e5c2288a552 ] + +Add the support ID 0489:e123 to usb_device_id table for +Realtek RTL8852B chip. + +The device info from /sys/kernel/debug/usb/devices as below. + +T: Bus=01 Lev=01 Prnt=01 Port=07 Cnt=04 Dev#= 7 Spd=12 MxCh= 0 +D: Ver= 1.00 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=0489 ProdID=e123 Rev= 0.00 +S: Manufacturer=Realtek +S: Product=Bluetooth Radio +S: SerialNumber=00e04c000001 +C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=500mA +I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms +E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms +E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms +I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms +I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms +I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms +I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms +I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms +I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms + +Signed-off-by: Hilda Wu +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/btusb.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c +index 6616671dfd32f..9f71f9135f9e3 100644 +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -372,6 +372,8 @@ static const struct usb_device_id blacklist_table[] = { + BTUSB_WIDEBAND_SPEECH }, + { USB_DEVICE(0x13d3, 0x3591), .driver_info = BTUSB_REALTEK | + BTUSB_WIDEBAND_SPEECH }, ++ { USB_DEVICE(0x0489, 0xe123), .driver_info = BTUSB_REALTEK | ++ BTUSB_WIDEBAND_SPEECH }, + { USB_DEVICE(0x0489, 0xe125), .driver_info = BTUSB_REALTEK | + BTUSB_WIDEBAND_SPEECH }, + +-- +2.43.0 + diff --git a/queue-5.4/bluetooth-l2cap-do-not-leave-dangling-sk-pointer-on-.patch b/queue-5.4/bluetooth-l2cap-do-not-leave-dangling-sk-pointer-on-.patch new file mode 100644 index 00000000000..f2236882ff6 --- /dev/null +++ b/queue-5.4/bluetooth-l2cap-do-not-leave-dangling-sk-pointer-on-.patch @@ -0,0 +1,40 @@ +From d916a23061e21b5d1cf60a4ab8f8747c556fbb16 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Oct 2024 16:38:01 +0100 +Subject: Bluetooth: L2CAP: do not leave dangling sk pointer on error in + l2cap_sock_create() + +From: Ignat Korchagin + +[ Upstream commit 7c4f78cdb8e7501e9f92d291a7d956591bf73be9 ] + +bt_sock_alloc() allocates the sk object and attaches it to the provided +sock object. On error l2cap_sock_alloc() frees the sk object, but the +dangling pointer is still attached to the sock object, which may create +use-after-free in other code. + +Signed-off-by: Ignat Korchagin +Reviewed-by: Kuniyuki Iwashima +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20241014153808.51894-3-ignat@cloudflare.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/bluetooth/l2cap_sock.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c +index 9eea2af9a8e1c..6ec6f6a06521d 100644 +--- a/net/bluetooth/l2cap_sock.c ++++ b/net/bluetooth/l2cap_sock.c +@@ -1678,6 +1678,7 @@ static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, + chan = l2cap_chan_create(); + if (!chan) { + sk_free(sk); ++ sock->sk = NULL; + return NULL; + } + +-- +2.43.0 + diff --git a/queue-5.4/drm-amdgpu-set-the-right-amdgpu-sg-segment-limitatio.patch b/queue-5.4/drm-amdgpu-set-the-right-amdgpu-sg-segment-limitatio.patch new file mode 100644 index 00000000000..726ead30886 --- /dev/null +++ b/queue-5.4/drm-amdgpu-set-the-right-amdgpu-sg-segment-limitatio.patch @@ -0,0 +1,85 @@ +From ade5e9d86ed112a728f94bc3b2457cb0e81ab759 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 31 Oct 2024 10:59:17 +0800 +Subject: drm/amdgpu: set the right AMDGPU sg segment limitation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Prike Liang + +[ Upstream commit e2e97435783979124ba92d6870415c57ecfef6a5 ] + +The driver needs to set the correct max_segment_size; +otherwise debug_dma_map_sg() will complain about the +over-mapping of the AMDGPU sg length as following: + +WARNING: CPU: 6 PID: 1964 at kernel/dma/debug.c:1178 debug_dma_map_sg+0x2dc/0x370 +[ 364.049444] Modules linked in: veth amdgpu(OE) amdxcp drm_exec gpu_sched drm_buddy drm_ttm_helper ttm(OE) drm_suballoc_helper drm_display_helper drm_kms_helper i2c_algo_bit rpcsec_gss_krb5 auth_rpcgss nfsv4 nfs lockd grace netfs xt_conntrack xt_MASQUERADE nf_conntrack_netlink xfrm_user xfrm_algo iptable_nat xt_addrtype iptable_filter br_netfilter nvme_fabrics overlay nfnetlink_cttimeout nfnetlink openvswitch nsh nf_conncount nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c bridge stp llc amd_atl intel_rapl_msr intel_rapl_common sunrpc sch_fq_codel snd_hda_codec_realtek snd_hda_codec_generic snd_hda_scodec_component snd_hda_codec_hdmi snd_hda_intel snd_intel_dspcfg edac_mce_amd binfmt_misc snd_hda_codec snd_pci_acp6x snd_hda_core snd_acp_config snd_hwdep snd_soc_acpi kvm_amd snd_pcm kvm snd_seq_midi snd_seq_midi_event crct10dif_pclmul ghash_clmulni_intel sha512_ssse3 snd_rawmidi sha256_ssse3 sha1_ssse3 aesni_intel snd_seq nls_iso8859_1 crypto_simd snd_seq_device cryptd snd_timer rapl input_leds snd +[ 364.049532] ipmi_devintf wmi_bmof ccp serio_raw k10temp sp5100_tco soundcore ipmi_msghandler cm32181 industrialio mac_hid msr parport_pc ppdev lp parport drm efi_pstore ip_tables x_tables pci_stub crc32_pclmul nvme ahci libahci i2c_piix4 r8169 nvme_core i2c_designware_pci realtek i2c_ccgx_ucsi video wmi hid_generic cdc_ether usbnet usbhid hid r8152 mii +[ 364.049576] CPU: 6 PID: 1964 Comm: rocminfo Tainted: G OE 6.10.0-custom #492 +[ 364.049579] Hardware name: AMD Majolica-RN/Majolica-RN, BIOS RMJ1009A 06/13/2021 +[ 364.049582] RIP: 0010:debug_dma_map_sg+0x2dc/0x370 +[ 364.049585] Code: 89 4d b8 e8 36 b1 86 00 8b 4d b8 48 8b 55 b0 44 8b 45 a8 4c 8b 4d a0 48 89 c6 48 c7 c7 00 4b 74 bc 4c 89 4d b8 e8 b4 73 f3 ff <0f> 0b 4c 8b 4d b8 8b 15 c8 2c b8 01 85 d2 0f 85 ee fd ff ff 8b 05 +[ 364.049588] RSP: 0018:ffff9ca600b57ac0 EFLAGS: 00010286 +[ 364.049590] RAX: 0000000000000000 RBX: ffff88b7c132b0c8 RCX: 0000000000000027 +[ 364.049592] RDX: ffff88bb0f521688 RSI: 0000000000000001 RDI: ffff88bb0f521680 +[ 364.049594] RBP: ffff9ca600b57b20 R08: 000000000000006f R09: ffff9ca600b57930 +[ 364.049596] R10: ffff9ca600b57928 R11: ffffffffbcb46328 R12: 0000000000000000 +[ 364.049597] R13: 0000000000000001 R14: ffff88b7c19c0700 R15: ffff88b7c9059800 +[ 364.049599] FS: 00007fb2d3516e80(0000) GS:ffff88bb0f500000(0000) knlGS:0000000000000000 +[ 364.049601] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 364.049603] CR2: 000055610bd03598 CR3: 00000001049f6000 CR4: 0000000000350ef0 +[ 364.049605] Call Trace: +[ 364.049607] +[ 364.049609] ? show_regs+0x6d/0x80 +[ 364.049614] ? __warn+0x8c/0x140 +[ 364.049618] ? debug_dma_map_sg+0x2dc/0x370 +[ 364.049621] ? report_bug+0x193/0x1a0 +[ 364.049627] ? handle_bug+0x46/0x80 +[ 364.049631] ? exc_invalid_op+0x1d/0x80 +[ 364.049635] ? asm_exc_invalid_op+0x1f/0x30 +[ 364.049642] ? debug_dma_map_sg+0x2dc/0x370 +[ 364.049647] __dma_map_sg_attrs+0x90/0xe0 +[ 364.049651] dma_map_sgtable+0x25/0x40 +[ 364.049654] amdgpu_bo_move+0x59a/0x850 [amdgpu] +[ 364.049935] ? srso_return_thunk+0x5/0x5f +[ 364.049939] ? amdgpu_ttm_tt_populate+0x5d/0xc0 [amdgpu] +[ 364.050095] ttm_bo_handle_move_mem+0xc3/0x180 [ttm] +[ 364.050103] ttm_bo_validate+0xc1/0x160 [ttm] +[ 364.050108] ? amdgpu_ttm_tt_get_user_pages+0xe5/0x1b0 [amdgpu] +[ 364.050263] amdgpu_amdkfd_gpuvm_alloc_memory_of_gpu+0xa12/0xc90 [amdgpu] +[ 364.050473] kfd_ioctl_alloc_memory_of_gpu+0x16b/0x3b0 [amdgpu] +[ 364.050680] kfd_ioctl+0x3c2/0x530 [amdgpu] +[ 364.050866] ? __pfx_kfd_ioctl_alloc_memory_of_gpu+0x10/0x10 [amdgpu] +[ 364.051054] ? srso_return_thunk+0x5/0x5f +[ 364.051057] ? tomoyo_file_ioctl+0x20/0x30 +[ 364.051063] __x64_sys_ioctl+0x9c/0xd0 +[ 364.051068] x64_sys_call+0x1219/0x20d0 +[ 364.051073] do_syscall_64+0x51/0x120 +[ 364.051077] entry_SYSCALL_64_after_hwframe+0x76/0x7e +[ 364.051081] RIP: 0033:0x7fb2d2f1a94f + +Signed-off-by: Prike Liang +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c +index 870dd78d5a21a..30e3cc9c25d03 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c +@@ -1678,6 +1678,7 @@ int amdgpu_ttm_init(struct amdgpu_device *adev) + + mutex_init(&adev->mman.gtt_window_lock); + ++ dma_set_max_seg_size(adev->dev, UINT_MAX); + /* No others user of address space so set it to 0 */ + r = ttm_bo_device_init(&adev->mman.bdev, + &amdgpu_bo_driver, +-- +2.43.0 + diff --git a/queue-5.4/drm-mcde-enable-module-autoloading.patch b/queue-5.4/drm-mcde-enable-module-autoloading.patch new file mode 100644 index 00000000000..313949fc0a4 --- /dev/null +++ b/queue-5.4/drm-mcde-enable-module-autoloading.patch @@ -0,0 +1,36 @@ +From 1fcbc5e14c6f6c7adb86f97b52cbf0363c4463cc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Sep 2024 11:33:20 +0000 +Subject: drm/mcde: Enable module autoloading + +From: Liao Chen + +[ Upstream commit 8a16b5cdae26207ff4c22834559384ad3d7bc970 ] + +Add MODULE_DEVICE_TABLE(), so modules could be properly autoloaded based +on the alias from of_device_id table. + +Signed-off-by: Liao Chen +Reviewed-by: Linus Walleij +Link: https://patchwork.freedesktop.org/patch/msgid/20240902113320.903147-4-liaochen4@huawei.com +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/mcde/mcde_drv.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/mcde/mcde_drv.c b/drivers/gpu/drm/mcde/mcde_drv.c +index 82946ffcb6d21..9a767fbb86c95 100644 +--- a/drivers/gpu/drm/mcde/mcde_drv.c ++++ b/drivers/gpu/drm/mcde/mcde_drv.c +@@ -533,6 +533,7 @@ static const struct of_device_id mcde_of_match[] = { + }, + {}, + }; ++MODULE_DEVICE_TABLE(of, mcde_of_match); + + static struct platform_driver mcde_driver = { + .driver = { +-- +2.43.0 + diff --git a/queue-5.4/drm-panel-orientation-quirks-add-quirk-for-aya-neo-2.patch b/queue-5.4/drm-panel-orientation-quirks-add-quirk-for-aya-neo-2.patch new file mode 100644 index 00000000000..ac1de32384e --- /dev/null +++ b/queue-5.4/drm-panel-orientation-quirks-add-quirk-for-aya-neo-2.patch @@ -0,0 +1,51 @@ +From 4361a30ffe2ece3b2d8670c884ab4fe444552f94 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Sep 2024 15:18:51 +0200 +Subject: drm: panel-orientation-quirks: Add quirk for AYA NEO 2 model +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Joaquín Ignacio Aramendía + +[ Upstream commit 361ebf5ef843b0aa1704c72eb26b91cf76c3c5b7 ] + +Add quirk orientation for AYA NEO 2. The name appears without spaces in +DMI strings. That made it difficult to reuse the 2021 match. Also the +display is larger in resolution. + +Tested by the JELOS team that has been patching their own kernel for a +while now and confirmed by users in the AYA NEO and ChimeraOS discord +servers. + +Signed-off-by: Joaquín Ignacio Aramendía +Signed-off-by: Tobias Jakobi +Reviewed-by: Dmitry Baryshkov +Reviewed-by: Hans de Goede +Link: https://patchwork.freedesktop.org/patch/msgid/2b35545b77a9fd8c9699b751ca282226dcecb1dd.1726492131.git.tjakobi@math.uni-bielefeld.de +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_panel_orientation_quirks.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/gpu/drm/drm_panel_orientation_quirks.c b/drivers/gpu/drm/drm_panel_orientation_quirks.c +index f1091cb87de0c..bf90a5be956fe 100644 +--- a/drivers/gpu/drm/drm_panel_orientation_quirks.c ++++ b/drivers/gpu/drm/drm_panel_orientation_quirks.c +@@ -166,6 +166,12 @@ static const struct dmi_system_id orientation_data[] = { + DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "T103HAF"), + }, + .driver_data = (void *)&lcd800x1280_rightside_up, ++ }, { /* AYA NEO AYANEO 2 */ ++ .matches = { ++ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "AYANEO"), ++ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "AYANEO 2"), ++ }, ++ .driver_data = (void *)&lcd1200x1920_rightside_up, + }, { /* AYA NEO 2021 */ + .matches = { + DMI_EXACT_MATCH(DMI_SYS_VENDOR, "AYADEVICE"), +-- +2.43.0 + diff --git a/queue-5.4/drm-radeon-r600_cs-fix-possible-int-overflow-in-r600.patch b/queue-5.4/drm-radeon-r600_cs-fix-possible-int-overflow-in-r600.patch new file mode 100644 index 00000000000..2d1eeb95c6d --- /dev/null +++ b/queue-5.4/drm-radeon-r600_cs-fix-possible-int-overflow-in-r600.patch @@ -0,0 +1,40 @@ +From 04eb46e92c7130e1257c4738111b207307f7628e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Sep 2024 18:07:19 +0300 +Subject: drm/radeon/r600_cs: Fix possible int overflow in r600_packet3_check() + +From: Igor Artemiev + +[ Upstream commit a1e2da6a5072f8abe5b0feaa91a5bcd9dc544a04 ] + +It is possible, although unlikely, that an integer overflow will occur +when the result of radeon_get_ib_value() is shifted to the left. + +Avoid it by casting one of the operands to larger data type (u64). + +Found by Linux Verification Center (linuxtesting.org) with static +analysis tool SVACE. + +Signed-off-by: Igor Artemiev +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/radeon/r600_cs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/radeon/r600_cs.c b/drivers/gpu/drm/radeon/r600_cs.c +index 19c9e86b2aafe..a85470213b27f 100644 +--- a/drivers/gpu/drm/radeon/r600_cs.c ++++ b/drivers/gpu/drm/radeon/r600_cs.c +@@ -2104,7 +2104,7 @@ static int r600_packet3_check(struct radeon_cs_parser *p, + return -EINVAL; + } + +- offset = radeon_get_ib_value(p, idx+1) << 8; ++ offset = (u64)radeon_get_ib_value(p, idx+1) << 8; + if (offset != track->vgt_strmout_bo_offset[idx_value]) { + DRM_ERROR("bad STRMOUT_BASE_UPDATE, bo offset does not match: 0x%llx, 0x%x\n", + offset, track->vgt_strmout_bo_offset[idx_value]); +-- +2.43.0 + diff --git a/queue-5.4/f2fs-fix-f2fs_bug_on-when-uninstalling-filesystem-ca.patch b/queue-5.4/f2fs-fix-f2fs_bug_on-when-uninstalling-filesystem-ca.patch new file mode 100644 index 00000000000..964c184f17c --- /dev/null +++ b/queue-5.4/f2fs-fix-f2fs_bug_on-when-uninstalling-filesystem-ca.patch @@ -0,0 +1,85 @@ +From d0d95aa4f12b8c99842474bb1382244a967b26dc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Sep 2024 02:44:00 -0600 +Subject: f2fs: fix f2fs_bug_on when uninstalling filesystem call + f2fs_evict_inode. + +From: Qi Han + +[ Upstream commit d5c367ef8287fb4d235c46a2f8c8d68715f3a0ca ] + +creating a large files during checkpoint disable until it runs out of +space and then delete it, then remount to enable checkpoint again, and +then unmount the filesystem triggers the f2fs_bug_on as below: + +------------[ cut here ]------------ +kernel BUG at fs/f2fs/inode.c:896! +CPU: 2 UID: 0 PID: 1286 Comm: umount Not tainted 6.11.0-rc7-dirty #360 +Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI +RIP: 0010:f2fs_evict_inode+0x58c/0x610 +Call Trace: + __die_body+0x15/0x60 + die+0x33/0x50 + do_trap+0x10a/0x120 + f2fs_evict_inode+0x58c/0x610 + do_error_trap+0x60/0x80 + f2fs_evict_inode+0x58c/0x610 + exc_invalid_op+0x53/0x60 + f2fs_evict_inode+0x58c/0x610 + asm_exc_invalid_op+0x16/0x20 + f2fs_evict_inode+0x58c/0x610 + evict+0x101/0x260 + dispose_list+0x30/0x50 + evict_inodes+0x140/0x190 + generic_shutdown_super+0x2f/0x150 + kill_block_super+0x11/0x40 + kill_f2fs_super+0x7d/0x140 + deactivate_locked_super+0x2a/0x70 + cleanup_mnt+0xb3/0x140 + task_work_run+0x61/0x90 + +The root cause is: creating large files during disable checkpoint +period results in not enough free segments, so when writing back root +inode will failed in f2fs_enable_checkpoint. When umount the file +system after enabling checkpoint, the root inode is dirty in +f2fs_evict_inode function, which triggers BUG_ON. The steps to +reproduce are as follows: + +dd if=/dev/zero of=f2fs.img bs=1M count=55 +mount f2fs.img f2fs_dir -o checkpoint=disable:10% +dd if=/dev/zero of=big bs=1M count=50 +sync +rm big +mount -o remount,checkpoint=enable f2fs_dir +umount f2fs_dir + +Let's redirty inode when there is not free segments during checkpoint +is disable. + +Signed-off-by: Qi Han +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/inode.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c +index 53e1a757e4e17..b0cbb01df8cba 100644 +--- a/fs/f2fs/inode.c ++++ b/fs/f2fs/inode.c +@@ -631,8 +631,10 @@ int f2fs_write_inode(struct inode *inode, struct writeback_control *wbc) + !is_inode_flag_set(inode, FI_DIRTY_INODE)) + return 0; + +- if (!f2fs_is_checkpoint_ready(sbi)) ++ if (!f2fs_is_checkpoint_ready(sbi)) { ++ f2fs_mark_inode_dirty_sync(inode, true); + return -ENOSPC; ++ } + + /* + * We need to balance fs here to prevent from producing dirty node pages +-- +2.43.0 + diff --git a/queue-5.4/hid-bpf-fix-nkro-on-mistel-md770.patch b/queue-5.4/hid-bpf-fix-nkro-on-mistel-md770.patch new file mode 100644 index 00000000000..27f08e87a3a --- /dev/null +++ b/queue-5.4/hid-bpf-fix-nkro-on-mistel-md770.patch @@ -0,0 +1,191 @@ +From 1fbcf8b1b86db5517d82b5ff571a794e64f7098a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Oct 2024 18:34:58 +0200 +Subject: HID: bpf: Fix NKRO on Mistel MD770 + +From: Benjamin Tissoires + +[ Upstream commit 9bc089307e8dff7797233308372b4a90ce8f79be ] + +Mistel MD770 keyboard (using Holtek Semiconductor, Inc. controller) has +a quirk in report descriptor in one of its interfaces (more detail in +the source file). Fix up the descriptor to allow NKRO to work again. + +Tested by loading the BPF program and confirming that 8 simultaneous +keypresses work. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=218495 +Link: https://gitlab.freedesktop.org/libevdev/udev-hid-bpf/-/merge_requests/122 +Signed-off-by: Tatsuyuki Ishi +Acked-by: Jiri Kosina +Link: https://patch.msgid.link/20241017-import_bpf_6-13-v2-1-6a7acb89a97f@kernel.org +Signed-off-by: Benjamin Tissoires +Signed-off-by: Sasha Levin +--- + drivers/hid/bpf/progs/Mistel__MD770.bpf.c | 154 ++++++++++++++++++++++ + 1 file changed, 154 insertions(+) + create mode 100644 drivers/hid/bpf/progs/Mistel__MD770.bpf.c + +diff --git a/drivers/hid/bpf/progs/Mistel__MD770.bpf.c b/drivers/hid/bpf/progs/Mistel__MD770.bpf.c +new file mode 100644 +index 0000000000000..fb8b5a6968b12 +--- /dev/null ++++ b/drivers/hid/bpf/progs/Mistel__MD770.bpf.c +@@ -0,0 +1,154 @@ ++// SPDX-License-Identifier: GPL-2.0 ++/* Copyright (c) 2024 Tatsuyuki Ishi ++ */ ++ ++#include "vmlinux.h" ++#include "hid_bpf.h" ++#include "hid_bpf_helpers.h" ++#include ++ ++#define VID_HOLTEK 0x04D9 ++#define PID_MD770 0x0339 ++#define RDESC_SIZE 203 ++ ++HID_BPF_CONFIG( ++ HID_DEVICE(BUS_USB, HID_GROUP_GENERIC, VID_HOLTEK, PID_MD770) ++); ++ ++/* ++ * The Mistel MD770 keyboard reports the first 6 simultaneous key presses ++ * through the first interface, and anything beyond that through a second ++ * interface. Unfortunately, the second interface's report descriptor has an ++ * error, causing events to be malformed and ignored. This HID-BPF driver ++ * fixes the descriptor to allow NKRO to work again. ++ * ++ * For reference, this is the original report descriptor: ++ * ++ * 0x05, 0x01, // Usage Page (Generic Desktop) 0 ++ * 0x09, 0x80, // Usage (System Control) 2 ++ * 0xa1, 0x01, // Collection (Application) 4 ++ * 0x85, 0x01, // Report ID (1) 6 ++ * 0x19, 0x81, // Usage Minimum (129) 8 ++ * 0x29, 0x83, // Usage Maximum (131) 10 ++ * 0x15, 0x00, // Logical Minimum (0) 12 ++ * 0x25, 0x01, // Logical Maximum (1) 14 ++ * 0x95, 0x03, // Report Count (3) 16 ++ * 0x75, 0x01, // Report Size (1) 18 ++ * 0x81, 0x02, // Input (Data,Var,Abs) 20 ++ * 0x95, 0x01, // Report Count (1) 22 ++ * 0x75, 0x05, // Report Size (5) 24 ++ * 0x81, 0x01, // Input (Cnst,Arr,Abs) 26 ++ * 0xc0, // End Collection 28 ++ * 0x05, 0x0c, // Usage Page (Consumer Devices) 29 ++ * 0x09, 0x01, // Usage (Consumer Control) 31 ++ * 0xa1, 0x01, // Collection (Application) 33 ++ * 0x85, 0x02, // Report ID (2) 35 ++ * 0x15, 0x00, // Logical Minimum (0) 37 ++ * 0x25, 0x01, // Logical Maximum (1) 39 ++ * 0x95, 0x12, // Report Count (18) 41 ++ * 0x75, 0x01, // Report Size (1) 43 ++ * 0x0a, 0x83, 0x01, // Usage (AL Consumer Control Config) 45 ++ * 0x0a, 0x8a, 0x01, // Usage (AL Email Reader) 48 ++ * 0x0a, 0x92, 0x01, // Usage (AL Calculator) 51 ++ * 0x0a, 0x94, 0x01, // Usage (AL Local Machine Browser) 54 ++ * 0x09, 0xcd, // Usage (Play/Pause) 57 ++ * 0x09, 0xb7, // Usage (Stop) 59 ++ * 0x09, 0xb6, // Usage (Scan Previous Track) 61 ++ * 0x09, 0xb5, // Usage (Scan Next Track) 63 ++ * 0x09, 0xe2, // Usage (Mute) 65 ++ * 0x09, 0xea, // Usage (Volume Down) 67 ++ * 0x09, 0xe9, // Usage (Volume Up) 69 ++ * 0x0a, 0x21, 0x02, // Usage (AC Search) 71 ++ * 0x0a, 0x23, 0x02, // Usage (AC Home) 74 ++ * 0x0a, 0x24, 0x02, // Usage (AC Back) 77 ++ * 0x0a, 0x25, 0x02, // Usage (AC Forward) 80 ++ * 0x0a, 0x26, 0x02, // Usage (AC Stop) 83 ++ * 0x0a, 0x27, 0x02, // Usage (AC Refresh) 86 ++ * 0x0a, 0x2a, 0x02, // Usage (AC Bookmarks) 89 ++ * 0x81, 0x02, // Input (Data,Var,Abs) 92 ++ * 0x95, 0x01, // Report Count (1) 94 ++ * 0x75, 0x0e, // Report Size (14) 96 ++ * 0x81, 0x01, // Input (Cnst,Arr,Abs) 98 ++ * 0xc0, // End Collection 100 ++ * 0x05, 0x01, // Usage Page (Generic Desktop) 101 ++ * 0x09, 0x02, // Usage (Mouse) 103 ++ * 0xa1, 0x01, // Collection (Application) 105 ++ * 0x09, 0x01, // Usage (Pointer) 107 ++ * 0xa1, 0x00, // Collection (Physical) 109 ++ * 0x85, 0x03, // Report ID (3) 111 ++ * 0x05, 0x09, // Usage Page (Button) 113 ++ * 0x19, 0x01, // Usage Minimum (1) 115 ++ * 0x29, 0x08, // Usage Maximum (8) 117 ++ * 0x15, 0x00, // Logical Minimum (0) 119 ++ * 0x25, 0x01, // Logical Maximum (1) 121 ++ * 0x75, 0x01, // Report Size (1) 123 ++ * 0x95, 0x08, // Report Count (8) 125 ++ * 0x81, 0x02, // Input (Data,Var,Abs) 127 ++ * 0x05, 0x01, // Usage Page (Generic Desktop) 129 ++ * 0x09, 0x30, // Usage (X) 131 ++ * 0x09, 0x31, // Usage (Y) 133 ++ * 0x16, 0x01, 0x80, // Logical Minimum (-32767) 135 ++ * 0x26, 0xff, 0x7f, // Logical Maximum (32767) 138 ++ * 0x75, 0x10, // Report Size (16) 141 ++ * 0x95, 0x02, // Report Count (2) 143 ++ * 0x81, 0x06, // Input (Data,Var,Rel) 145 ++ * 0x09, 0x38, // Usage (Wheel) 147 ++ * 0x15, 0x81, // Logical Minimum (-127) 149 ++ * 0x25, 0x7f, // Logical Maximum (127) 151 ++ * 0x75, 0x08, // Report Size (8) 153 ++ * 0x95, 0x01, // Report Count (1) 155 ++ * 0x81, 0x06, // Input (Data,Var,Rel) 157 ++ * 0x05, 0x0c, // Usage Page (Consumer Devices) 159 ++ * 0x0a, 0x38, 0x02, // Usage (AC Pan) 161 ++ * 0x95, 0x01, // Report Count (1) 164 ++ * 0x81, 0x06, // Input (Data,Var,Rel) 166 ++ * 0xc0, // End Collection 168 ++ * 0xc0, // End Collection 169 ++ * 0x05, 0x01, // Usage Page (Generic Desktop) 170 ++ * 0x09, 0x06, // Usage (Keyboard) 172 ++ * 0xa1, 0x01, // Collection (Application) 174 ++ * 0x85, 0x04, // Report ID (4) 176 ++ * 0x05, 0x07, // Usage Page (Keyboard) 178 ++ * 0x95, 0x01, // Report Count (1) 180 ++ * 0x75, 0x08, // Report Size (8) 182 ++ * 0x81, 0x03, // Input (Cnst,Var,Abs) 184 ++ * 0x95, 0xe8, // Report Count (232) 186 ++ * 0x75, 0x01, // Report Size (1) 188 ++ * 0x15, 0x00, // Logical Minimum (0) 190 ++ * 0x25, 0x01, // Logical Maximum (1) 192 ++ * 0x05, 0x07, // Usage Page (Keyboard) 194 ++ * 0x19, 0x00, // Usage Minimum (0) 196 ++ * 0x29, 0xe7, // Usage Maximum (231) 198 ++ * 0x81, 0x00, // Input (Data,Arr,Abs) 200 <- change to 0x81, 0x02 (Data,Var,Abs) ++ * 0xc0, // End Collection 202 ++ */ ++ ++SEC(HID_BPF_RDESC_FIXUP) ++int BPF_PROG(hid_rdesc_fixup_mistel_md770, struct hid_bpf_ctx *hctx) ++{ ++ __u8 *data = hid_bpf_get_data(hctx, 0, HID_MAX_DESCRIPTOR_SIZE); ++ ++ if (!data) ++ return 0; /* EPERM check */ ++ ++ if (data[201] == 0x00) ++ data[201] = 0x02; ++ ++ return 0; ++} ++ ++HID_BPF_OPS(mistel_md770) = { ++ .hid_rdesc_fixup = (void *)hid_rdesc_fixup_mistel_md770, ++}; ++ ++SEC("syscall") ++int probe(struct hid_bpf_probe_args *ctx) ++{ ++ ctx->retval = ctx->rdesc_size != RDESC_SIZE; ++ if (ctx->retval) ++ ctx->retval = -EINVAL; ++ ++ return 0; ++} ++ ++char _license[] SEC("license") = "GPL"; +-- +2.43.0 + diff --git a/queue-5.4/i3c-use-i3cdev-desc-info-instead-of-calling-i3c_devi.patch b/queue-5.4/i3c-use-i3cdev-desc-info-instead-of-calling-i3c_devi.patch new file mode 100644 index 00000000000..cb39e7ec350 --- /dev/null +++ b/queue-5.4/i3c-use-i3cdev-desc-info-instead-of-calling-i3c_devi.patch @@ -0,0 +1,113 @@ +From 230241e652c4b0cd3482b93ba12639c34f7656cc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Nov 2024 21:25:39 +0800 +Subject: i3c: Use i3cdev->desc->info instead of calling i3c_device_get_info() + to avoid deadlock + +From: Defa Li + +[ Upstream commit 6cf7b65f7029914dc0cd7db86fac9ee5159008c6 ] + +A deadlock may happen since the i3c_master_register() acquires +&i3cbus->lock twice. See the log below. +Use i3cdev->desc->info instead of calling i3c_device_info() to +avoid acquiring the lock twice. + +v2: + - Modified the title and commit message + +============================================ +WARNING: possible recursive locking detected +6.11.0-mainline +-------------------------------------------- +init/1 is trying to acquire lock: +f1ffff80a6a40dc0 (&i3cbus->lock){++++}-{3:3}, at: i3c_bus_normaluse_lock + +but task is already holding lock: +f1ffff80a6a40dc0 (&i3cbus->lock){++++}-{3:3}, at: i3c_master_register + +other info that might help us debug this: + Possible unsafe locking scenario: + + CPU0 + ---- + lock(&i3cbus->lock); + lock(&i3cbus->lock); + + *** DEADLOCK *** + + May be due to missing lock nesting notation + +2 locks held by init/1: + #0: fcffff809b6798f8 (&dev->mutex){....}-{3:3}, at: __driver_attach + #1: f1ffff80a6a40dc0 (&i3cbus->lock){++++}-{3:3}, at: i3c_master_register + +stack backtrace: +CPU: 6 UID: 0 PID: 1 Comm: init +Call trace: + dump_backtrace+0xfc/0x17c + show_stack+0x18/0x28 + dump_stack_lvl+0x40/0xc0 + dump_stack+0x18/0x24 + print_deadlock_bug+0x388/0x390 + __lock_acquire+0x18bc/0x32ec + lock_acquire+0x134/0x2b0 + down_read+0x50/0x19c + i3c_bus_normaluse_lock+0x14/0x24 + i3c_device_get_info+0x24/0x58 + i3c_device_uevent+0x34/0xa4 + dev_uevent+0x310/0x384 + kobject_uevent_env+0x244/0x414 + kobject_uevent+0x14/0x20 + device_add+0x278/0x460 + device_register+0x20/0x34 + i3c_master_register_new_i3c_devs+0x78/0x154 + i3c_master_register+0x6a0/0x6d4 + mtk_i3c_master_probe+0x3b8/0x4d8 + platform_probe+0xa0/0xe0 + really_probe+0x114/0x454 + __driver_probe_device+0xa0/0x15c + driver_probe_device+0x3c/0x1ac + __driver_attach+0xc4/0x1f0 + bus_for_each_dev+0x104/0x160 + driver_attach+0x24/0x34 + bus_add_driver+0x14c/0x294 + driver_register+0x68/0x104 + __platform_driver_register+0x20/0x30 + init_module+0x20/0xfe4 + do_one_initcall+0x184/0x464 + do_init_module+0x58/0x1ec + load_module+0xefc/0x10c8 + __arm64_sys_finit_module+0x238/0x33c + invoke_syscall+0x58/0x10c + el0_svc_common+0xa8/0xdc + do_el0_svc+0x1c/0x28 + el0_svc+0x50/0xac + el0t_64_sync_handler+0x70/0xbc + el0t_64_sync+0x1a8/0x1ac + +Signed-off-by: Defa Li +Link: https://lore.kernel.org/r/20241107132549.25439-1-defa.li@mediatek.com +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/i3c/master.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/i3c/master.c b/drivers/i3c/master.c +index 68170b1b32678..3f581a1cf8e62 100644 +--- a/drivers/i3c/master.c ++++ b/drivers/i3c/master.c +@@ -257,7 +257,8 @@ static int i3c_device_uevent(struct device *dev, struct kobj_uevent_env *env) + struct i3c_device_info devinfo; + u16 manuf, part, ext; + +- i3c_device_get_info(i3cdev, &devinfo); ++ if (i3cdev->desc) ++ devinfo = i3cdev->desc->info; + manuf = I3C_PID_MANUF_ID(devinfo.pid); + part = I3C_PID_PART_ID(devinfo.pid); + ext = I3C_PID_EXTRA_INFO(devinfo.pid); +-- +2.43.0 + diff --git a/queue-5.4/jfs-add-a-check-to-prevent-array-index-out-of-bounds.patch b/queue-5.4/jfs-add-a-check-to-prevent-array-index-out-of-bounds.patch new file mode 100644 index 00000000000..cf4ccc03730 --- /dev/null +++ b/queue-5.4/jfs-add-a-check-to-prevent-array-index-out-of-bounds.patch @@ -0,0 +1,39 @@ +From f8f412f9b27069aa018be675c90a8977c08c34bb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Oct 2024 01:51:38 +0530 +Subject: jfs: add a check to prevent array-index-out-of-bounds in dbAdjTree + +From: Nihar Chaithanya + +[ Upstream commit a174706ba4dad895c40b1d2277bade16dfacdcd9 ] + +When the value of lp is 0 at the beginning of the for loop, it will +become negative in the next assignment and we should bail out. + +Reported-by: syzbot+412dea214d8baa3f7483@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=412dea214d8baa3f7483 +Tested-by: syzbot+412dea214d8baa3f7483@syzkaller.appspotmail.com +Signed-off-by: Nihar Chaithanya +Signed-off-by: Dave Kleikamp +Signed-off-by: Sasha Levin +--- + fs/jfs/jfs_dmap.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c +index d83ac5f5888a4..812945c8e3840 100644 +--- a/fs/jfs/jfs_dmap.c ++++ b/fs/jfs/jfs_dmap.c +@@ -2953,6 +2953,9 @@ static void dbAdjTree(dmtree_t *tp, int leafno, int newval, bool is_ctl) + /* bubble the new value up the tree as required. + */ + for (k = 0; k < le32_to_cpu(tp->dmt_height); k++) { ++ if (lp == 0) ++ break; ++ + /* get the index of the first leaf of the 4 leaf + * group containing the specified leaf (leafno). + */ +-- +2.43.0 + diff --git a/queue-5.4/jfs-array-index-out-of-bounds-fix-in-dtreadfirst.patch b/queue-5.4/jfs-array-index-out-of-bounds-fix-in-dtreadfirst.patch new file mode 100644 index 00000000000..4d92c14744d --- /dev/null +++ b/queue-5.4/jfs-array-index-out-of-bounds-fix-in-dtreadfirst.patch @@ -0,0 +1,43 @@ +From a76b00e0c55302197c1759191d2962f3ff1eb2d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 28 Sep 2024 14:07:22 +0530 +Subject: jfs: array-index-out-of-bounds fix in dtReadFirst + +From: Ghanshyam Agrawal + +[ Upstream commit ca84a2c9be482836b86d780244f0357e5a778c46 ] + +The value of stbl can be sometimes out of bounds due +to a bad filesystem. Added a check with appopriate return +of error code in that case. + +Reported-by: syzbot+65fa06e29859e41a83f3@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=65fa06e29859e41a83f3 +Signed-off-by: Ghanshyam Agrawal +Signed-off-by: Dave Kleikamp +Signed-off-by: Sasha Levin +--- + fs/jfs/jfs_dtree.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/fs/jfs/jfs_dtree.c b/fs/jfs/jfs_dtree.c +index 077a87e530205..bd198b04c388f 100644 +--- a/fs/jfs/jfs_dtree.c ++++ b/fs/jfs/jfs_dtree.c +@@ -3382,6 +3382,13 @@ static int dtReadFirst(struct inode *ip, struct btstack * btstack) + + /* get the leftmost entry */ + stbl = DT_GETSTBL(p); ++ ++ if (stbl[0] < 0 || stbl[0] > 127) { ++ DT_PUTPAGE(mp); ++ jfs_error(ip->i_sb, "stbl[0] out of bound\n"); ++ return -EIO; ++ } ++ + xd = (pxd_t *) & p->slot[stbl[0]]; + + /* get the child page block address */ +-- +2.43.0 + diff --git a/queue-5.4/jfs-fix-array-index-out-of-bounds-in-jfs_readdir.patch b/queue-5.4/jfs-fix-array-index-out-of-bounds-in-jfs_readdir.patch new file mode 100644 index 00000000000..ebf8fb30e77 --- /dev/null +++ b/queue-5.4/jfs-fix-array-index-out-of-bounds-in-jfs_readdir.patch @@ -0,0 +1,43 @@ +From e101915f380e7387eb0f672c1eeee8532116037f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Oct 2024 11:35:47 +0530 +Subject: jfs: fix array-index-out-of-bounds in jfs_readdir + +From: Ghanshyam Agrawal + +[ Upstream commit 839f102efb168f02dfdd46717b7c6dddb26b015e ] + +The stbl might contain some invalid values. Added a check to +return error code in that case. + +Reported-by: syzbot+0315f8fe99120601ba88@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=0315f8fe99120601ba88 +Signed-off-by: Ghanshyam Agrawal +Signed-off-by: Dave Kleikamp +Signed-off-by: Sasha Levin +--- + fs/jfs/jfs_dtree.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/fs/jfs/jfs_dtree.c b/fs/jfs/jfs_dtree.c +index bd198b04c388f..4692c50d615f0 100644 +--- a/fs/jfs/jfs_dtree.c ++++ b/fs/jfs/jfs_dtree.c +@@ -3187,6 +3187,14 @@ int jfs_readdir(struct file *file, struct dir_context *ctx) + stbl = DT_GETSTBL(p); + + for (i = index; i < p->header.nextindex; i++) { ++ if (stbl[i] < 0 || stbl[i] > 127) { ++ jfs_err("JFS: Invalid stbl[%d] = %d for inode %ld, block = %lld", ++ i, stbl[i], (long)ip->i_ino, (long long)bn); ++ free_page(dirent_buf); ++ DT_PUTPAGE(mp); ++ return -EIO; ++ } ++ + d = (struct ldtentry *) & p->slot[stbl[i]]; + + if (((long) jfs_dirent + d->namlen + 1) > +-- +2.43.0 + diff --git a/queue-5.4/jfs-fix-shift-out-of-bounds-in-dbsplit.patch b/queue-5.4/jfs-fix-shift-out-of-bounds-in-dbsplit.patch new file mode 100644 index 00000000000..61464ddcf71 --- /dev/null +++ b/queue-5.4/jfs-fix-shift-out-of-bounds-in-dbsplit.patch @@ -0,0 +1,39 @@ +From b1bb58c14c873b029e75f2dadee37af04740a9fb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Sep 2024 13:42:18 +0530 +Subject: jfs: fix shift-out-of-bounds in dbSplit + +From: Ghanshyam Agrawal + +[ Upstream commit a5f5e4698f8abbb25fe4959814093fb5bfa1aa9d ] + +When dmt_budmin is less than zero, it causes errors +in the later stages. Added a check to return an error beforehand +in dbAllocCtl itself. + +Reported-by: syzbot+b5ca8a249162c4b9a7d0@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=b5ca8a249162c4b9a7d0 +Signed-off-by: Ghanshyam Agrawal +Signed-off-by: Dave Kleikamp +Signed-off-by: Sasha Levin +--- + fs/jfs/jfs_dmap.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c +index 00258a551334a..d83ac5f5888a4 100644 +--- a/fs/jfs/jfs_dmap.c ++++ b/fs/jfs/jfs_dmap.c +@@ -1886,6 +1886,9 @@ dbAllocCtl(struct bmap * bmp, s64 nblocks, int l2nb, s64 blkno, s64 * results) + return -EIO; + dp = (struct dmap *) mp->data; + ++ if (dp->tree.budmin < 0) ++ return -EIO; ++ + /* try to allocate the blocks. + */ + rc = dbAllocDmapLev(bmp, dp, (int) nblocks, l2nb, results); +-- +2.43.0 + diff --git a/queue-5.4/leds-class-protect-brightness_show-with-led_cdev-led.patch b/queue-5.4/leds-class-protect-brightness_show-with-led_cdev-led.patch new file mode 100644 index 00000000000..5a1cb20b482 --- /dev/null +++ b/queue-5.4/leds-class-protect-brightness_show-with-led_cdev-led.patch @@ -0,0 +1,174 @@ +From e41c99a199ea271e9cd69676d29614db307b1287 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 3 Nov 2024 21:35:27 +0530 +Subject: leds: class: Protect brightness_show() with led_cdev->led_access + mutex + +From: Mukesh Ojha + +[ Upstream commit 4ca7cd938725a4050dcd62ae9472e931d603118d ] + +There is NULL pointer issue observed if from Process A where hid device +being added which results in adding a led_cdev addition and later a +another call to access of led_cdev attribute from Process B can result +in NULL pointer issue. + +Use mutex led_cdev->led_access to protect access to led->cdev and its +attribute inside brightness_show() and max_brightness_show() and also +update the comment for mutex that it should be used to protect the led +class device fields. + + Process A Process B + + kthread+0x114 + worker_thread+0x244 + process_scheduled_works+0x248 + uhid_device_add_worker+0x24 + hid_add_device+0x120 + device_add+0x268 + bus_probe_device+0x94 + device_initial_probe+0x14 + __device_attach+0xfc + bus_for_each_drv+0x10c + __device_attach_driver+0x14c + driver_probe_device+0x3c + __driver_probe_device+0xa0 + really_probe+0x190 + hid_device_probe+0x130 + ps_probe+0x990 + ps_led_register+0x94 + devm_led_classdev_register_ext+0x58 + led_classdev_register_ext+0x1f8 + device_create_with_groups+0x48 + device_create_groups_vargs+0xc8 + device_add+0x244 + kobject_uevent+0x14 + kobject_uevent_env[jt]+0x224 + mutex_unlock[jt]+0xc4 + __mutex_unlock_slowpath+0xd4 + wake_up_q+0x70 + try_to_wake_up[jt]+0x48c + preempt_schedule_common+0x28 + __schedule+0x628 + __switch_to+0x174 + el0t_64_sync+0x1a8/0x1ac + el0t_64_sync_handler+0x68/0xbc + el0_svc+0x38/0x68 + do_el0_svc+0x1c/0x28 + el0_svc_common+0x80/0xe0 + invoke_syscall+0x58/0x114 + __arm64_sys_read+0x1c/0x2c + ksys_read+0x78/0xe8 + vfs_read+0x1e0/0x2c8 + kernfs_fop_read_iter+0x68/0x1b4 + seq_read_iter+0x158/0x4ec + kernfs_seq_show+0x44/0x54 + sysfs_kf_seq_show+0xb4/0x130 + dev_attr_show+0x38/0x74 + brightness_show+0x20/0x4c + dualshock4_led_get_brightness+0xc/0x74 + +[ 3313.874295][ T4013] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000060 +[ 3313.874301][ T4013] Mem abort info: +[ 3313.874303][ T4013] ESR = 0x0000000096000006 +[ 3313.874305][ T4013] EC = 0x25: DABT (current EL), IL = 32 bits +[ 3313.874307][ T4013] SET = 0, FnV = 0 +[ 3313.874309][ T4013] EA = 0, S1PTW = 0 +[ 3313.874311][ T4013] FSC = 0x06: level 2 translation fault +[ 3313.874313][ T4013] Data abort info: +[ 3313.874314][ T4013] ISV = 0, ISS = 0x00000006, ISS2 = 0x00000000 +[ 3313.874316][ T4013] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 +[ 3313.874318][ T4013] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 +[ 3313.874320][ T4013] user pgtable: 4k pages, 39-bit VAs, pgdp=00000008f2b0a000 +.. + +[ 3313.874332][ T4013] Dumping ftrace buffer: +[ 3313.874334][ T4013] (ftrace buffer empty) +.. +.. +[ dd3313.874639][ T4013] CPU: 6 PID: 4013 Comm: InputReader +[ 3313.874648][ T4013] pc : dualshock4_led_get_brightness+0xc/0x74 +[ 3313.874653][ T4013] lr : led_update_brightness+0x38/0x60 +[ 3313.874656][ T4013] sp : ffffffc0b910bbd0 +.. +.. +[ 3313.874685][ T4013] Call trace: +[ 3313.874687][ T4013] dualshock4_led_get_brightness+0xc/0x74 +[ 3313.874690][ T4013] brightness_show+0x20/0x4c +[ 3313.874692][ T4013] dev_attr_show+0x38/0x74 +[ 3313.874696][ T4013] sysfs_kf_seq_show+0xb4/0x130 +[ 3313.874700][ T4013] kernfs_seq_show+0x44/0x54 +[ 3313.874703][ T4013] seq_read_iter+0x158/0x4ec +[ 3313.874705][ T4013] kernfs_fop_read_iter+0x68/0x1b4 +[ 3313.874708][ T4013] vfs_read+0x1e0/0x2c8 +[ 3313.874711][ T4013] ksys_read+0x78/0xe8 +[ 3313.874714][ T4013] __arm64_sys_read+0x1c/0x2c +[ 3313.874718][ T4013] invoke_syscall+0x58/0x114 +[ 3313.874721][ T4013] el0_svc_common+0x80/0xe0 +[ 3313.874724][ T4013] do_el0_svc+0x1c/0x28 +[ 3313.874727][ T4013] el0_svc+0x38/0x68 +[ 3313.874730][ T4013] el0t_64_sync_handler+0x68/0xbc +[ 3313.874732][ T4013] el0t_64_sync+0x1a8/0x1ac + +Signed-off-by: Mukesh Ojha +Reviewed-by: Anish Kumar +Link: https://lore.kernel.org/r/20241103160527.82487-1-quic_mojha@quicinc.com +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/leds/led-class.c | 14 +++++++++++--- + include/linux/leds.h | 2 +- + 2 files changed, 12 insertions(+), 4 deletions(-) + +diff --git a/drivers/leds/led-class.c b/drivers/leds/led-class.c +index 0a4823d9797ae..a9f37e8227881 100644 +--- a/drivers/leds/led-class.c ++++ b/drivers/leds/led-class.c +@@ -27,11 +27,14 @@ static ssize_t brightness_show(struct device *dev, + struct device_attribute *attr, char *buf) + { + struct led_classdev *led_cdev = dev_get_drvdata(dev); ++ unsigned int brightness; + +- /* no lock needed for this */ ++ mutex_lock(&led_cdev->led_access); + led_update_brightness(led_cdev); ++ brightness = led_cdev->brightness; ++ mutex_unlock(&led_cdev->led_access); + +- return sprintf(buf, "%u\n", led_cdev->brightness); ++ return sprintf(buf, "%u\n", brightness); + } + + static ssize_t brightness_store(struct device *dev, +@@ -68,8 +71,13 @@ static ssize_t max_brightness_show(struct device *dev, + struct device_attribute *attr, char *buf) + { + struct led_classdev *led_cdev = dev_get_drvdata(dev); ++ unsigned int max_brightness; ++ ++ mutex_lock(&led_cdev->led_access); ++ max_brightness = led_cdev->max_brightness; ++ mutex_unlock(&led_cdev->led_access); + +- return sprintf(buf, "%u\n", led_cdev->max_brightness); ++ return sprintf(buf, "%u\n", max_brightness); + } + static DEVICE_ATTR_RO(max_brightness); + +diff --git a/include/linux/leds.h b/include/linux/leds.h +index efb309dba914a..ef68aa9a00ff7 100644 +--- a/include/linux/leds.h ++++ b/include/linux/leds.h +@@ -146,7 +146,7 @@ struct led_classdev { + struct kernfs_node *brightness_hw_changed_kn; + #endif + +- /* Ensures consistent access to the LED Flash Class device */ ++ /* Ensures consistent access to the LED class device */ + struct mutex led_access; + }; + +-- +2.43.0 + diff --git a/queue-5.4/media-cx231xx-add-support-for-dexatek-usb-video-grab.patch b/queue-5.4/media-cx231xx-add-support-for-dexatek-usb-video-grab.patch new file mode 100644 index 00000000000..dd037b7a446 --- /dev/null +++ b/queue-5.4/media-cx231xx-add-support-for-dexatek-usb-video-grab.patch @@ -0,0 +1,50 @@ +From 218c2475e41c5c2e30ca88c8ec0a93339ff29ee1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Oct 2024 19:40:40 +1000 +Subject: media: cx231xx: Add support for Dexatek USB Video Grabber 1d19:6108 + +From: Rohan Barar + +[ Upstream commit 61a830bc0ea69a05d8a4534f825c6aa618263649 ] + +Add Dexatek Technology Ltd USB Video Grabber 1d19:6108 to the cx231xx +driver. This device is sold under the name "BAUHN DVD Maker (DK8723)" by +ALDI in Australia. + +This device is similar to 1d19:6109, which is already included in cx231xx. + +Both video and audio capture function correctly after installing the +patched cx231xx driver. + +Patch Changelog +v1: + - Initial submission. +v2: + - Fix SoB + Improve subject. +v3: + - Rephrase message to not exceed 75 characters per line. + - Removed reference to external GitHub URL. + +Signed-off-by: Rohan Barar +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/usb/cx231xx/cx231xx-cards.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/media/usb/cx231xx/cx231xx-cards.c b/drivers/media/usb/cx231xx/cx231xx-cards.c +index e123e74c549ed..49094b6b2a31e 100644 +--- a/drivers/media/usb/cx231xx/cx231xx-cards.c ++++ b/drivers/media/usb/cx231xx/cx231xx-cards.c +@@ -994,6 +994,8 @@ const unsigned int cx231xx_bcount = ARRAY_SIZE(cx231xx_boards); + + /* table of devices that work with this driver */ + struct usb_device_id cx231xx_id_table[] = { ++ {USB_DEVICE(0x1D19, 0x6108), ++ .driver_info = CX231XX_BOARD_PV_XCAPTURE_USB}, + {USB_DEVICE(0x1D19, 0x6109), + .driver_info = CX231XX_BOARD_PV_XCAPTURE_USB}, + {USB_DEVICE(0x0572, 0x5A3C), +-- +2.43.0 + diff --git a/queue-5.4/media-uvcvideo-add-a-quirk-for-the-kaiweets-kti-w02-.patch b/queue-5.4/media-uvcvideo-add-a-quirk-for-the-kaiweets-kti-w02-.patch new file mode 100644 index 00000000000..240ff85d36e --- /dev/null +++ b/queue-5.4/media-uvcvideo-add-a-quirk-for-the-kaiweets-kti-w02-.patch @@ -0,0 +1,245 @@ +From 7c2f3ef3336faff9af332f7049170c7b8c78d84d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Sep 2024 20:05:40 +0200 +Subject: media: uvcvideo: Add a quirk for the Kaiweets KTI-W02 infrared camera + +From: David Given + +[ Upstream commit b2ec92bb5605452d539a7aa1e42345b95acd8583 ] + +Adds a quirk to make the NXP Semiconductors 1fc9:009b chipset work. + +lsusb for the device reports: + +Bus 003 Device 011: ID 1fc9:009b NXP Semiconductors IR VIDEO +Device Descriptor: + bLength 18 + bDescriptorType 1 + bcdUSB 2.00 + bDeviceClass 239 Miscellaneous Device + bDeviceSubClass 2 [unknown] + bDeviceProtocol 1 Interface Association + bMaxPacketSize0 64 + idVendor 0x1fc9 NXP Semiconductors + idProduct 0x009b IR VIDEO + bcdDevice 1.01 + iManufacturer 1 Guide sensmart + iProduct 2 IR VIDEO + iSerial 0 + bNumConfigurations 1 + Configuration Descriptor: + bLength 9 + bDescriptorType 2 + wTotalLength 0x00c2 + bNumInterfaces 2 + bConfigurationValue 1 + iConfiguration 0 + bmAttributes 0xc0 + Self Powered + MaxPower 100mA + Interface Association: + bLength 8 + bDescriptorType 11 + bFirstInterface 0 + bInterfaceCount 2 + bFunctionClass 14 Video + bFunctionSubClass 3 Video Interface Collection + bFunctionProtocol 0 + iFunction 3 IR Camera + Interface Descriptor: + bLength 9 + bDescriptorType 4 + bInterfaceNumber 0 + bAlternateSetting 0 + bNumEndpoints 1 + bInterfaceClass 14 Video + bInterfaceSubClass 1 Video Control + bInterfaceProtocol 0 + iInterface 0 + VideoControl Interface Descriptor: + bLength 13 + bDescriptorType 36 + bDescriptorSubtype 1 (HEADER) + bcdUVC 1.00 + wTotalLength 0x0033 + dwClockFrequency 6.000000MHz + bInCollection 1 + baInterfaceNr( 0) 1 + VideoControl Interface Descriptor: + bLength 18 + bDescriptorType 36 + bDescriptorSubtype 2 (INPUT_TERMINAL) + bTerminalID 1 + wTerminalType 0x0201 Camera Sensor + bAssocTerminal 0 + iTerminal 0 + wObjectiveFocalLengthMin 0 + wObjectiveFocalLengthMax 0 + wOcularFocalLength 0 + bControlSize 3 + bmControls 0x00000000 + VideoControl Interface Descriptor: + bLength 9 + bDescriptorType 36 + bDescriptorSubtype 3 (OUTPUT_TERMINAL) + bTerminalID 2 + wTerminalType 0x0101 USB Streaming + bAssocTerminal 0 + bSourceID 1 + iTerminal 0 + VideoControl Interface Descriptor: + bLength 11 + bDescriptorType 36 + bDescriptorSubtype 5 (PROCESSING_UNIT) + Warning: Descriptor too short + bUnitID 3 + bSourceID 1 + wMaxMultiplier 0 + bControlSize 2 + bmControls 0x00000000 + iProcessing 0 + bmVideoStandards 0x62 + NTSC - 525/60 + PAL - 525/60 + Endpoint Descriptor: + bLength 7 + bDescriptorType 5 + bEndpointAddress 0x81 EP 1 IN + bmAttributes 3 + Transfer Type Interrupt + Synch Type None + Usage Type Data + wMaxPacketSize 0x0008 1x 8 bytes + bInterval 1 + Interface Descriptor: + bLength 9 + bDescriptorType 4 + bInterfaceNumber 1 + bAlternateSetting 0 + bNumEndpoints 0 + bInterfaceClass 14 Video + bInterfaceSubClass 2 Video Streaming + bInterfaceProtocol 0 + iInterface 0 + VideoStreaming Interface Descriptor: + bLength 14 + bDescriptorType 36 + bDescriptorSubtype 1 (INPUT_HEADER) + bNumFormats 1 + wTotalLength 0x0055 + bEndpointAddress 0x82 EP 2 IN + bmInfo 0 + bTerminalLink 2 + bStillCaptureMethod 2 + bTriggerSupport 0 + bTriggerUsage 0 + bControlSize 1 + bmaControls( 0) 0 + VideoStreaming Interface Descriptor: + bLength 27 + bDescriptorType 36 + bDescriptorSubtype 4 (FORMAT_UNCOMPRESSED) + bFormatIndex 1 + bNumFrameDescriptors 1 + guidFormat {e436eb7b-524f-11ce-9f53-0020af0ba770} + bBitsPerPixel 16 + bDefaultFrameIndex 1 + bAspectRatioX 0 + bAspectRatioY 0 + bmInterlaceFlags 0x00 + Interlaced stream or variable: No + Fields per frame: 2 fields + Field 1 first: No + Field pattern: Field 1 only + bCopyProtect 0 + VideoStreaming Interface Descriptor: + bLength 34 + bDescriptorType 36 + bDescriptorSubtype 5 (FRAME_UNCOMPRESSED) + bFrameIndex 1 + bmCapabilities 0x00 + Still image unsupported + wWidth 240 + wHeight 322 + dwMinBitRate 12364800 + dwMaxBitRate 30912000 + dwMaxVideoFrameBufferSize 154560 + dwDefaultFrameInterval 400000 + bFrameIntervalType 2 + dwFrameInterval( 0) 400000 + dwFrameInterval( 1) 1000000 + VideoStreaming Interface Descriptor: + bLength 10 + bDescriptorType 36 + bDescriptorSubtype 3 (STILL_IMAGE_FRAME) + bEndpointAddress 0x00 EP 0 OUT + bNumImageSizePatterns 1 + wWidth( 0) 240 + wHeight( 0) 322 + bNumCompressionPatterns 0 + Interface Descriptor: + bLength 9 + bDescriptorType 4 + bInterfaceNumber 1 + bAlternateSetting 1 + bNumEndpoints 1 + bInterfaceClass 14 Video + bInterfaceSubClass 2 Video Streaming + bInterfaceProtocol 0 + iInterface 0 + Endpoint Descriptor: + bLength 7 + bDescriptorType 5 + bEndpointAddress 0x82 EP 2 IN + bmAttributes 5 + Transfer Type Isochronous + Synch Type Asynchronous + Usage Type Data + wMaxPacketSize 0x0400 1x 1024 bytes + bInterval 1 +Device Status: 0x0001 + Self Powered + +Signed-off-by: David Given +Reviewed-by: Laurent Pinchart +Reviewed-by: Ricardo Ribalda +Link: https://lore.kernel.org/r/20240918180540.10830-2-dg@cowlark.com +Signed-off-by: Laurent Pinchart +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/usb/uvc/uvc_driver.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc_driver.c +index 2f913ea44b281..2c2ceb50500ce 100644 +--- a/drivers/media/usb/uvc/uvc_driver.c ++++ b/drivers/media/usb/uvc/uvc_driver.c +@@ -2425,6 +2425,8 @@ static const struct uvc_device_info uvc_quirk_force_y8 = { + * The Logitech cameras listed below have their interface class set to + * VENDOR_SPEC because they don't announce themselves as UVC devices, even + * though they are compliant. ++ * ++ * Sort these by vendor/product ID. + */ + static const struct usb_device_id uvc_ids[] = { + /* LogiLink Wireless Webcam */ +@@ -2893,6 +2895,15 @@ static const struct usb_device_id uvc_ids[] = { + .bInterfaceProtocol = 0, + .driver_info = UVC_INFO_QUIRK(UVC_QUIRK_PROBE_MINMAX + | UVC_QUIRK_IGNORE_SELECTOR_UNIT) }, ++ /* NXP Semiconductors IR VIDEO */ ++ { .match_flags = USB_DEVICE_ID_MATCH_DEVICE ++ | USB_DEVICE_ID_MATCH_INT_INFO, ++ .idVendor = 0x1fc9, ++ .idProduct = 0x009b, ++ .bInterfaceClass = USB_CLASS_VIDEO, ++ .bInterfaceSubClass = 1, ++ .bInterfaceProtocol = 0, ++ .driver_info = (kernel_ulong_t)&uvc_quirk_probe_minmax }, + /* Oculus VR Positional Tracker DK2 */ + { .match_flags = USB_DEVICE_ID_MATCH_DEVICE + | USB_DEVICE_ID_MATCH_INT_INFO, +-- +2.43.0 + diff --git a/queue-5.4/misc-eeprom-eeprom_93cx6-add-quirk-for-extra-read-cl.patch b/queue-5.4/misc-eeprom-eeprom_93cx6-add-quirk-for-extra-read-cl.patch new file mode 100644 index 00000000000..3877a963d2b --- /dev/null +++ b/queue-5.4/misc-eeprom-eeprom_93cx6-add-quirk-for-extra-read-cl.patch @@ -0,0 +1,119 @@ +From 9eb6df6d41170f02a8b81d4ccd984bd4a6a38482 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Oct 2024 11:12:33 -0400 +Subject: misc: eeprom: eeprom_93cx6: Add quirk for extra read clock cycle + +From: Parker Newman + +[ Upstream commit 7738a7ab9d12c5371ed97114ee2132d4512e9fd5 ] + +Add a quirk similar to eeprom_93xx46 to add an extra clock cycle before +reading data from the EEPROM. + +The 93Cx6 family of EEPROMs output a "dummy 0 bit" between the writing +of the op-code/address from the host to the EEPROM and the reading of +the actual data from the EEPROM. + +More info can be found on page 6 of the AT93C46 datasheet (linked below). +Similar notes are found in other 93xx6 datasheets. + +In summary the read operation for a 93Cx6 EEPROM is: +Write to EEPROM: 110[A5-A0] (9 bits) +Read from EEPROM: 0[D15-D0] (17 bits) + +Where: + 110 is the start bit and READ OpCode + [A5-A0] is the address to read from + 0 is a "dummy bit" preceding the actual data + [D15-D0] is the actual data. + +Looking at the READ timing diagrams in the 93Cx6 datasheets the dummy +bit should be clocked out on the last address bit clock cycle meaning it +should be discarded naturally. + +However, depending on the hardware configuration sometimes this dummy +bit is not discarded. This is the case with Exar PCI UARTs which require +an extra clock cycle between sending the address and reading the data. + +Datasheet: https://ww1.microchip.com/downloads/en/DeviceDoc/Atmel-5193-SEEPROM-AT93C46D-Datasheet.pdf +Reviewed-by: Andy Shevchenko +Signed-off-by: Parker Newman +Link: https://lore.kernel.org/r/0f23973efefccd2544705a0480b4ad4c2353e407.1727880931.git.pnewman@connecttech.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/misc/eeprom/eeprom_93cx6.c | 10 ++++++++++ + include/linux/eeprom_93cx6.h | 11 +++++++++++ + 2 files changed, 21 insertions(+) + +diff --git a/drivers/misc/eeprom/eeprom_93cx6.c b/drivers/misc/eeprom/eeprom_93cx6.c +index 36a2eb837371b..6b42ba6705d3f 100644 +--- a/drivers/misc/eeprom/eeprom_93cx6.c ++++ b/drivers/misc/eeprom/eeprom_93cx6.c +@@ -186,6 +186,11 @@ void eeprom_93cx6_read(struct eeprom_93cx6 *eeprom, const u8 word, + eeprom_93cx6_write_bits(eeprom, command, + PCI_EEPROM_WIDTH_OPCODE + eeprom->width); + ++ if (has_quirk_extra_read_cycle(eeprom)) { ++ eeprom_93cx6_pulse_high(eeprom); ++ eeprom_93cx6_pulse_low(eeprom); ++ } ++ + /* + * Read the requested 16 bits. + */ +@@ -252,6 +257,11 @@ void eeprom_93cx6_readb(struct eeprom_93cx6 *eeprom, const u8 byte, + eeprom_93cx6_write_bits(eeprom, command, + PCI_EEPROM_WIDTH_OPCODE + eeprom->width + 1); + ++ if (has_quirk_extra_read_cycle(eeprom)) { ++ eeprom_93cx6_pulse_high(eeprom); ++ eeprom_93cx6_pulse_low(eeprom); ++ } ++ + /* + * Read the requested 8 bits. + */ +diff --git a/include/linux/eeprom_93cx6.h b/include/linux/eeprom_93cx6.h +index c860c72a921d0..3a485cc0e0fa0 100644 +--- a/include/linux/eeprom_93cx6.h ++++ b/include/linux/eeprom_93cx6.h +@@ -11,6 +11,8 @@ + Supported chipsets: 93c46, 93c56 and 93c66. + */ + ++#include ++ + /* + * EEPROM operation defines. + */ +@@ -34,6 +36,7 @@ + * @register_write(struct eeprom_93cx6 *eeprom): handler to + * write to the eeprom register by using all reg_* fields. + * @width: eeprom width, should be one of the PCI_EEPROM_WIDTH_* defines ++ * @quirks: eeprom or controller quirks + * @drive_data: Set if we're driving the data line. + * @reg_data_in: register field to indicate data input + * @reg_data_out: register field to indicate data output +@@ -50,6 +53,9 @@ struct eeprom_93cx6 { + void (*register_write)(struct eeprom_93cx6 *eeprom); + + int width; ++ unsigned int quirks; ++/* Some EEPROMs require an extra clock cycle before reading */ ++#define PCI_EEPROM_QUIRK_EXTRA_READ_CYCLE BIT(0) + + char drive_data; + char reg_data_in; +@@ -71,3 +77,8 @@ extern void eeprom_93cx6_wren(struct eeprom_93cx6 *eeprom, bool enable); + + extern void eeprom_93cx6_write(struct eeprom_93cx6 *eeprom, + u8 addr, u16 data); ++ ++static inline bool has_quirk_extra_read_cycle(struct eeprom_93cx6 *eeprom) ++{ ++ return eeprom->quirks & PCI_EEPROM_QUIRK_EXTRA_READ_CYCLE; ++} +-- +2.43.0 + diff --git a/queue-5.4/net-af_can-do-not-leave-a-dangling-sk-pointer-in-can.patch b/queue-5.4/net-af_can-do-not-leave-a-dangling-sk-pointer-in-can.patch new file mode 100644 index 00000000000..8a330681fb2 --- /dev/null +++ b/queue-5.4/net-af_can-do-not-leave-a-dangling-sk-pointer-in-can.patch @@ -0,0 +1,39 @@ +From 7030adc9cdcfc833b5322ce8dd813ce7de2ab2f9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Oct 2024 16:38:03 +0100 +Subject: net: af_can: do not leave a dangling sk pointer in can_create() + +From: Ignat Korchagin + +[ Upstream commit 811a7ca7320c062e15d0f5b171fe6ad8592d1434 ] + +On error can_create() frees the allocated sk object, but sock_init_data() +has already attached it to the provided sock object. This will leave a +dangling sk pointer in the sock object and may cause use-after-free later. + +Signed-off-by: Ignat Korchagin +Reviewed-by: Vincent Mailhol +Reviewed-by: Kuniyuki Iwashima +Reviewed-by: Marc Kleine-Budde +Link: https://patch.msgid.link/20241014153808.51894-5-ignat@cloudflare.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/can/af_can.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/can/af_can.c b/net/can/af_can.c +index b396c23561d63..bc06016a4fe90 100644 +--- a/net/can/af_can.c ++++ b/net/can/af_can.c +@@ -171,6 +171,7 @@ static int can_create(struct net *net, struct socket *sock, int protocol, + /* release sk on errors */ + sock_orphan(sk); + sock_put(sk); ++ sock->sk = NULL; + } + + errout: +-- +2.43.0 + diff --git a/queue-5.4/net-ethernet-fs_enet-use-pa-to-format-resource_size_.patch b/queue-5.4/net-ethernet-fs_enet-use-pa-to-format-resource_size_.patch new file mode 100644 index 00000000000..60169648936 --- /dev/null +++ b/queue-5.4/net-ethernet-fs_enet-use-pa-to-format-resource_size_.patch @@ -0,0 +1,57 @@ +From 54a11aaf196ba6e38970e0485c3052e902c50662 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Oct 2024 11:48:08 +0100 +Subject: net: ethernet: fs_enet: Use %pa to format resource_size_t + +From: Simon Horman + +[ Upstream commit 45fe45fada261e1e83fce2a07fa22835aec1cf0a ] + +The correct format string for resource_size_t is %pa which +acts on the address of the variable to be formatted [1]. + +[1] https://elixir.bootlin.com/linux/v6.11.3/source/Documentation/core-api/printk-formats.rst#L229 + +Introduced by commit 9d9326d3bc0e ("phy: Change mii_bus id field to a string") + +Flagged by gcc-14 as: + +drivers/net/ethernet/freescale/fs_enet/mii-bitbang.c: In function 'fs_mii_bitbang_init': +drivers/net/ethernet/freescale/fs_enet/mii-bitbang.c:126:46: warning: format '%x' expects argument of type 'unsigned int', but argument 4 has type 'resource_size_t' {aka 'long long unsigned int'} [-Wformat=] + 126 | snprintf(bus->id, MII_BUS_ID_SIZE, "%x", res.start); + | ~^ ~~~~~~~~~ + | | | + | | resource_size_t {aka long long unsigned int} + | unsigned int + | %llx + +No functional change intended. +Compile tested only. + +Reported-by: Geert Uytterhoeven +Closes: https://lore.kernel.org/netdev/711d7f6d-b785-7560-f4dc-c6aad2cce99@linux-m68k.org/ +Signed-off-by: Simon Horman +Reviewed-by: Daniel Machon +Link: https://patch.msgid.link/20241014-net-pa-fmt-v1-2-dcc9afb8858b@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/fs_enet/mii-bitbang.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/freescale/fs_enet/mii-bitbang.c b/drivers/net/ethernet/freescale/fs_enet/mii-bitbang.c +index 21de56345503f..f743112730194 100644 +--- a/drivers/net/ethernet/freescale/fs_enet/mii-bitbang.c ++++ b/drivers/net/ethernet/freescale/fs_enet/mii-bitbang.c +@@ -126,7 +126,7 @@ static int fs_mii_bitbang_init(struct mii_bus *bus, struct device_node *np) + * we get is an int, and the odds of multiple bitbang mdio buses + * is low enough that it's not worth going too crazy. + */ +- snprintf(bus->id, MII_BUS_ID_SIZE, "%x", res.start); ++ snprintf(bus->id, MII_BUS_ID_SIZE, "%pa", &res.start); + + data = of_get_property(np, "fsl,mdio-pin", &len); + if (!data || len != 4) +-- +2.43.0 + diff --git a/queue-5.4/net-fec_mpc52xx_phy-use-pa-to-format-resource_size_t.patch b/queue-5.4/net-fec_mpc52xx_phy-use-pa-to-format-resource_size_t.patch new file mode 100644 index 00000000000..d6a11b3cb8c --- /dev/null +++ b/queue-5.4/net-fec_mpc52xx_phy-use-pa-to-format-resource_size_t.patch @@ -0,0 +1,57 @@ +From e7fe3fef582d1ff5e1506763c85a6ad8115153a2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Oct 2024 11:48:07 +0100 +Subject: net: fec_mpc52xx_phy: Use %pa to format resource_size_t + +From: Simon Horman + +[ Upstream commit 020bfdc4ed94be472138c891bde4d14241cf00fd ] + +The correct format string for resource_size_t is %pa which +acts on the address of the variable to be formatted [1]. + +[1] https://elixir.bootlin.com/linux/v6.11.3/source/Documentation/core-api/printk-formats.rst#L229 + +Introduced by commit 9d9326d3bc0e ("phy: Change mii_bus id field to a string") + +Flagged by gcc-14 as: + +drivers/net/ethernet/freescale/fec_mpc52xx_phy.c: In function 'mpc52xx_fec_mdio_probe': +drivers/net/ethernet/freescale/fec_mpc52xx_phy.c:97:46: warning: format '%x' expects argument of type 'unsigned int', but argument 4 has type 'resource_size_t' {aka 'long long unsigned int'} [-Wformat=] + 97 | snprintf(bus->id, MII_BUS_ID_SIZE, "%x", res.start); + | ~^ ~~~~~~~~~ + | | | + | | resource_size_t {aka long long unsigned int} + | unsigned int + | %llx + +No functional change intended. +Compile tested only. + +Reported-by: Geert Uytterhoeven +Closes: https://lore.kernel.org/netdev/711d7f6d-b785-7560-f4dc-c6aad2cce99@linux-m68k.org/ +Signed-off-by: Simon Horman +Reviewed-by: Daniel Machon +Link: https://patch.msgid.link/20241014-net-pa-fmt-v1-1-dcc9afb8858b@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/fec_mpc52xx_phy.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/freescale/fec_mpc52xx_phy.c b/drivers/net/ethernet/freescale/fec_mpc52xx_phy.c +index b5497e3083020..7e631e2f710fb 100644 +--- a/drivers/net/ethernet/freescale/fec_mpc52xx_phy.c ++++ b/drivers/net/ethernet/freescale/fec_mpc52xx_phy.c +@@ -92,7 +92,7 @@ static int mpc52xx_fec_mdio_probe(struct platform_device *of) + goto out_free; + } + +- snprintf(bus->id, MII_BUS_ID_SIZE, "%x", res.start); ++ snprintf(bus->id, MII_BUS_ID_SIZE, "%pa", &res.start); + bus->priv = priv; + + bus->parent = dev; +-- +2.43.0 + diff --git a/queue-5.4/net-ieee802154-do-not-leave-a-dangling-sk-pointer-in.patch b/queue-5.4/net-ieee802154-do-not-leave-a-dangling-sk-pointer-in.patch new file mode 100644 index 00000000000..7bc898439c9 --- /dev/null +++ b/queue-5.4/net-ieee802154-do-not-leave-a-dangling-sk-pointer-in.patch @@ -0,0 +1,62 @@ +From 5e14facd6bc81bafb3423dc179d5bcc2def0b265 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Oct 2024 16:38:04 +0100 +Subject: net: ieee802154: do not leave a dangling sk pointer in + ieee802154_create() + +From: Ignat Korchagin + +[ Upstream commit b4fcd63f6ef79c73cafae8cf4a114def5fc3d80d ] + +sock_init_data() attaches the allocated sk object to the provided sock +object. If ieee802154_create() fails later, the allocated sk object is +freed, but the dangling pointer remains in the provided sock object, which +may allow use-after-free. + +Clear the sk pointer in the sock object on error. + +Signed-off-by: Ignat Korchagin +Reviewed-by: Miquel Raynal +Reviewed-by: Kuniyuki Iwashima +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20241014153808.51894-6-ignat@cloudflare.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ieee802154/socket.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/net/ieee802154/socket.c b/net/ieee802154/socket.c +index ce5f25c89dfaf..b5f8aaa428844 100644 +--- a/net/ieee802154/socket.c ++++ b/net/ieee802154/socket.c +@@ -1055,19 +1055,21 @@ static int ieee802154_create(struct net *net, struct socket *sock, + + if (sk->sk_prot->hash) { + rc = sk->sk_prot->hash(sk); +- if (rc) { +- sk_common_release(sk); +- goto out; +- } ++ if (rc) ++ goto out_sk_release; + } + + if (sk->sk_prot->init) { + rc = sk->sk_prot->init(sk); + if (rc) +- sk_common_release(sk); ++ goto out_sk_release; + } + out: + return rc; ++out_sk_release: ++ sk_common_release(sk); ++ sock->sk = NULL; ++ goto out; + } + + static const struct net_proto_family ieee802154_family_ops = { +-- +2.43.0 + diff --git a/queue-5.4/net-inet-do-not-leave-a-dangling-sk-pointer-in-inet_.patch b/queue-5.4/net-inet-do-not-leave-a-dangling-sk-pointer-in-inet_.patch new file mode 100644 index 00000000000..7114e6d4c6a --- /dev/null +++ b/queue-5.4/net-inet-do-not-leave-a-dangling-sk-pointer-in-inet_.patch @@ -0,0 +1,76 @@ +From d846bb8949e617c07726da4b4650ad8c69626965 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Oct 2024 16:38:05 +0100 +Subject: net: inet: do not leave a dangling sk pointer in inet_create() + +From: Ignat Korchagin + +[ Upstream commit 9365fa510c6f82e3aa550a09d0c5c6b44dbc78ff ] + +sock_init_data() attaches the allocated sk object to the provided sock +object. If inet_create() fails later, the sk object is freed, but the +sock object retains the dangling pointer, which may create use-after-free +later. + +Clear the sk pointer in the sock object on error. + +Signed-off-by: Ignat Korchagin +Reviewed-by: Kuniyuki Iwashima +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20241014153808.51894-7-ignat@cloudflare.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/af_inet.c | 22 ++++++++++------------ + 1 file changed, 10 insertions(+), 12 deletions(-) + +diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c +index be2b786cee2bd..486ab202303ff 100644 +--- a/net/ipv4/af_inet.c ++++ b/net/ipv4/af_inet.c +@@ -369,32 +369,30 @@ static int inet_create(struct net *net, struct socket *sock, int protocol, + inet->inet_sport = htons(inet->inet_num); + /* Add to protocol hash chains. */ + err = sk->sk_prot->hash(sk); +- if (err) { +- sk_common_release(sk); +- goto out; +- } ++ if (err) ++ goto out_sk_release; + } + + if (sk->sk_prot->init) { + err = sk->sk_prot->init(sk); +- if (err) { +- sk_common_release(sk); +- goto out; +- } ++ if (err) ++ goto out_sk_release; + } + + if (!kern) { + err = BPF_CGROUP_RUN_PROG_INET_SOCK(sk); +- if (err) { +- sk_common_release(sk); +- goto out; +- } ++ if (err) ++ goto out_sk_release; + } + out: + return err; + out_rcu_unlock: + rcu_read_unlock(); + goto out; ++out_sk_release: ++ sk_common_release(sk); ++ sock->sk = NULL; ++ goto out; + } + + +-- +2.43.0 + diff --git a/queue-5.4/net-inet6-do-not-leave-a-dangling-sk-pointer-in-inet.patch b/queue-5.4/net-inet6-do-not-leave-a-dangling-sk-pointer-in-inet.patch new file mode 100644 index 00000000000..91184ed8b35 --- /dev/null +++ b/queue-5.4/net-inet6-do-not-leave-a-dangling-sk-pointer-in-inet.patch @@ -0,0 +1,75 @@ +From c9fb9fe9a1057d8881656fc00e662894e7785efb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Oct 2024 16:38:06 +0100 +Subject: net: inet6: do not leave a dangling sk pointer in inet6_create() + +From: Ignat Korchagin + +[ Upstream commit 9df99c395d0f55fb444ef39f4d6f194ca437d884 ] + +sock_init_data() attaches the allocated sk pointer to the provided sock +object. If inet6_create() fails later, the sk object is released, but the +sock object retains the dangling sk pointer, which may cause use-after-free +later. + +Clear the sock sk pointer on error. + +Signed-off-by: Ignat Korchagin +Reviewed-by: Kuniyuki Iwashima +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20241014153808.51894-8-ignat@cloudflare.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/af_inet6.c | 22 ++++++++++------------ + 1 file changed, 10 insertions(+), 12 deletions(-) + +diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c +index 7ee0bfea9de1d..845d77b0a7f03 100644 +--- a/net/ipv6/af_inet6.c ++++ b/net/ipv6/af_inet6.c +@@ -251,31 +251,29 @@ static int inet6_create(struct net *net, struct socket *sock, int protocol, + */ + inet->inet_sport = htons(inet->inet_num); + err = sk->sk_prot->hash(sk); +- if (err) { +- sk_common_release(sk); +- goto out; +- } ++ if (err) ++ goto out_sk_release; + } + if (sk->sk_prot->init) { + err = sk->sk_prot->init(sk); +- if (err) { +- sk_common_release(sk); +- goto out; +- } ++ if (err) ++ goto out_sk_release; + } + + if (!kern) { + err = BPF_CGROUP_RUN_PROG_INET_SOCK(sk); +- if (err) { +- sk_common_release(sk); +- goto out; +- } ++ if (err) ++ goto out_sk_release; + } + out: + return err; + out_rcu_unlock: + rcu_read_unlock(); + goto out; ++out_sk_release: ++ sk_common_release(sk); ++ sock->sk = NULL; ++ goto out; + } + + static int __inet6_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len, +-- +2.43.0 + diff --git a/queue-5.4/net-neighbor-clear-error-in-case-strict-check-is-not.patch b/queue-5.4/net-neighbor-clear-error-in-case-strict-check-is-not.patch new file mode 100644 index 00000000000..63e53ab47f9 --- /dev/null +++ b/queue-5.4/net-neighbor-clear-error-in-case-strict-check-is-not.patch @@ -0,0 +1,42 @@ +From c4fd5fda2ece0d518ef501ca81a8d43790d6a209 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Nov 2024 16:32:21 -0800 +Subject: net/neighbor: clear error in case strict check is not set + +From: Jakub Kicinski + +[ Upstream commit 0de6a472c3b38432b2f184bd64eb70d9ea36d107 ] + +Commit 51183d233b5a ("net/neighbor: Update neigh_dump_info for strict +data checking") added strict checking. The err variable is not cleared, +so if we find no table to dump we will return the validation error even +if user did not want strict checking. + +I think the only way to hit this is to send an buggy request, and ask +for a table which doesn't exist, so there's no point treating this +as a real fix. I only noticed it because a syzbot repro depended on it +to trigger another bug. + +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20241115003221.733593-1-kuba@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/neighbour.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/core/neighbour.c b/net/core/neighbour.c +index e571007d083cc..4dfe17f1a76aa 100644 +--- a/net/core/neighbour.c ++++ b/net/core/neighbour.c +@@ -2734,6 +2734,7 @@ static int neigh_dump_info(struct sk_buff *skb, struct netlink_callback *cb) + err = neigh_valid_dump_req(nlh, cb->strict_check, &filter, cb->extack); + if (err < 0 && cb->strict_check) + return err; ++ err = 0; + + s_t = cb->args[0]; + +-- +2.43.0 + diff --git a/queue-5.4/net-sched-cbs-fix-integer-overflow-in-cbs_set_port_r.patch b/queue-5.4/net-sched-cbs-fix-integer-overflow-in-cbs_set_port_r.patch new file mode 100644 index 00000000000..ff4249fd1e2 --- /dev/null +++ b/queue-5.4/net-sched-cbs-fix-integer-overflow-in-cbs_set_port_r.patch @@ -0,0 +1,40 @@ +From 8dd4ac9c59d17cc7ba2212bbafda9a785c118a9a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 13 Oct 2024 15:45:29 +0300 +Subject: net/sched: cbs: Fix integer overflow in cbs_set_port_rate() + +From: Elena Salomatkina + +[ Upstream commit 397006ba5d918f9b74e734867e8fddbc36dc2282 ] + +The subsequent calculation of port_rate = speed * 1000 * BYTES_PER_KBIT, +where the BYTES_PER_KBIT is of type LL, may cause an overflow. +At least when speed = SPEED_20000, the expression to the left of port_rate +will be greater than INT_MAX. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Signed-off-by: Elena Salomatkina +Link: https://patch.msgid.link/20241013124529.1043-1-esalomatkina@ispras.ru +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/sch_cbs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/sched/sch_cbs.c b/net/sched/sch_cbs.c +index 2eaac2ff380fa..db92ae819fd28 100644 +--- a/net/sched/sch_cbs.c ++++ b/net/sched/sch_cbs.c +@@ -309,7 +309,7 @@ static void cbs_set_port_rate(struct net_device *dev, struct cbs_sched_data *q) + { + struct ethtool_link_ksettings ecmd; + int speed = SPEED_10; +- int port_rate; ++ s64 port_rate; + int err; + + err = __ethtool_get_link_ksettings(dev, &ecmd); +-- +2.43.0 + diff --git a/queue-5.4/netpoll-use-rcu_access_pointer-in-__netpoll_setup.patch b/queue-5.4/netpoll-use-rcu_access_pointer-in-__netpoll_setup.patch new file mode 100644 index 00000000000..6d9d708870f --- /dev/null +++ b/queue-5.4/netpoll-use-rcu_access_pointer-in-__netpoll_setup.patch @@ -0,0 +1,44 @@ +From 48b9cbbc42f77bed8e9f1ecc364c8711e92d22ef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Nov 2024 03:15:17 -0800 +Subject: netpoll: Use rcu_access_pointer() in __netpoll_setup + +From: Breno Leitao + +[ Upstream commit c69c5e10adb903ae2438d4f9c16eccf43d1fcbc1 ] + +The ndev->npinfo pointer in __netpoll_setup() is RCU-protected but is being +accessed directly for a NULL check. While no RCU read lock is held in this +context, we should still use proper RCU primitives for consistency and +correctness. + +Replace the direct NULL check with rcu_access_pointer(), which is the +appropriate primitive when only checking for NULL without dereferencing +the pointer. This function provides the necessary ordering guarantees +without requiring RCU read-side protection. + +Reviewed-by: Michal Kubiak +Signed-off-by: Breno Leitao +Link: https://patch.msgid.link/20241118-netpoll_rcu-v1-1-a1888dcb4a02@debian.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/netpoll.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/core/netpoll.c b/net/core/netpoll.c +index 9b263a5c0f36f..9a67aa989d606 100644 +--- a/net/core/netpoll.c ++++ b/net/core/netpoll.c +@@ -615,7 +615,7 @@ int __netpoll_setup(struct netpoll *np, struct net_device *ndev) + goto out; + } + +- if (!ndev->npinfo) { ++ if (!rcu_access_pointer(ndev->npinfo)) { + npinfo = kmalloc(sizeof(*npinfo), GFP_KERNEL); + if (!npinfo) { + err = -ENOMEM; +-- +2.43.0 + diff --git a/queue-5.4/nvdimm-rectify-the-illogical-code-within-nd_dax_prob.patch b/queue-5.4/nvdimm-rectify-the-illogical-code-within-nd_dax_prob.patch new file mode 100644 index 00000000000..79b10baf3bf --- /dev/null +++ b/queue-5.4/nvdimm-rectify-the-illogical-code-within-nd_dax_prob.patch @@ -0,0 +1,65 @@ +From 76d6559fc77936c15be44e225c1cbe4a3aad8485 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Nov 2024 08:55:26 +0000 +Subject: nvdimm: rectify the illogical code within nd_dax_probe() + +From: Yi Yang + +[ Upstream commit b61352101470f8b68c98af674e187cfaa7c43504 ] + +When nd_dax is NULL, nd_pfn is consequently NULL as well. Nevertheless, +it is inadvisable to perform pointer arithmetic or address-taking on a +NULL pointer. +Introduce the nd_dax_devinit() function to enhance the code's logic and +improve its readability. + +Signed-off-by: Yi Yang +Reviewed-by: Dave Jiang +Link: https://patch.msgid.link/20241108085526.527957-1-yiyang13@huawei.com +Signed-off-by: Ira Weiny +Signed-off-by: Sasha Levin +--- + drivers/nvdimm/dax_devs.c | 4 ++-- + drivers/nvdimm/nd.h | 7 +++++++ + 2 files changed, 9 insertions(+), 2 deletions(-) + +diff --git a/drivers/nvdimm/dax_devs.c b/drivers/nvdimm/dax_devs.c +index 6d22b0f83b3b0..c882534dbe84c 100644 +--- a/drivers/nvdimm/dax_devs.c ++++ b/drivers/nvdimm/dax_devs.c +@@ -113,12 +113,12 @@ int nd_dax_probe(struct device *dev, struct nd_namespace_common *ndns) + + nvdimm_bus_lock(&ndns->dev); + nd_dax = nd_dax_alloc(nd_region); +- nd_pfn = &nd_dax->nd_pfn; +- dax_dev = nd_pfn_devinit(nd_pfn, ndns); ++ dax_dev = nd_dax_devinit(nd_dax, ndns); + nvdimm_bus_unlock(&ndns->dev); + if (!dax_dev) + return -ENOMEM; + pfn_sb = devm_kmalloc(dev, sizeof(*pfn_sb), GFP_KERNEL); ++ nd_pfn = &nd_dax->nd_pfn; + nd_pfn->pfn_sb = pfn_sb; + rc = nd_pfn_validate(nd_pfn, DAX_SIG); + dev_dbg(dev, "dax: %s\n", rc == 0 ? dev_name(dax_dev) : ""); +diff --git a/drivers/nvdimm/nd.h b/drivers/nvdimm/nd.h +index ee5c04070ef91..23d011b01fa61 100644 +--- a/drivers/nvdimm/nd.h ++++ b/drivers/nvdimm/nd.h +@@ -326,6 +326,13 @@ struct nd_dax *to_nd_dax(struct device *dev); + int nd_dax_probe(struct device *dev, struct nd_namespace_common *ndns); + bool is_nd_dax(struct device *dev); + struct device *nd_dax_create(struct nd_region *nd_region); ++static inline struct device *nd_dax_devinit(struct nd_dax *nd_dax, ++ struct nd_namespace_common *ndns) ++{ ++ if (!nd_dax) ++ return NULL; ++ return nd_pfn_devinit(&nd_dax->nd_pfn, ndns); ++} + #else + static inline int nd_dax_probe(struct device *dev, + struct nd_namespace_common *ndns) +-- +2.43.0 + diff --git a/queue-5.4/pci-add-acs-quirk-for-wangxun-ff5xxx-nics.patch b/queue-5.4/pci-add-acs-quirk-for-wangxun-ff5xxx-nics.patch new file mode 100644 index 00000000000..56339f0015a --- /dev/null +++ b/queue-5.4/pci-add-acs-quirk-for-wangxun-ff5xxx-nics.patch @@ -0,0 +1,63 @@ +From fc922b6ddc117fa447c74efc72523229d4503dd2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Nov 2024 10:46:04 +0800 +Subject: PCI: Add ACS quirk for Wangxun FF5xxx NICs + +From: Mengyuan Lou + +[ Upstream commit aa46a3736afcb7b0793766d22479b8b99fc1b322 ] + +Wangxun FF5xxx NICs are similar to SFxxx, RP1000 and RP2000 NICs. They may +be multi-function devices, but they do not advertise an ACS capability. + +But the hardware does isolate FF5xxx functions as though it had an ACS +capability and PCI_ACS_RR and PCI_ACS_CR were set in the ACS Control +register, i.e., all peer-to-peer traffic is directed upstream instead of +being routed internally. + +Add ACS quirk for FF5xxx NICs in pci_quirk_wangxun_nic_acs() so the +functions can be in independent IOMMU groups. + +Link: https://lore.kernel.org/r/E16053DB2B80E9A5+20241115024604.30493-1-mengyuanlou@net-swift.com +Signed-off-by: Mengyuan Lou +Signed-off-by: Bjorn Helgaas +Signed-off-by: Sasha Levin +--- + drivers/pci/quirks.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c +index b60954b04a077..6a2d64d050c04 100644 +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -4870,18 +4870,21 @@ static int pci_quirk_brcm_acs(struct pci_dev *dev, u16 acs_flags) + } + + /* +- * Wangxun 10G/1G NICs have no ACS capability, and on multi-function +- * devices, peer-to-peer transactions are not be used between the functions. +- * So add an ACS quirk for below devices to isolate functions. ++ * Wangxun 40G/25G/10G/1G NICs have no ACS capability, but on ++ * multi-function devices, the hardware isolates the functions by ++ * directing all peer-to-peer traffic upstream as though PCI_ACS_RR and ++ * PCI_ACS_CR were set. + * SFxxx 1G NICs(em). + * RP1000/RP2000 10G NICs(sp). ++ * FF5xxx 40G/25G/10G NICs(aml). + */ + static int pci_quirk_wangxun_nic_acs(struct pci_dev *dev, u16 acs_flags) + { + switch (dev->device) { +- case 0x0100 ... 0x010F: +- case 0x1001: +- case 0x2001: ++ case 0x0100 ... 0x010F: /* EM */ ++ case 0x1001: case 0x2001: /* SP */ ++ case 0x5010: case 0x5025: case 0x5040: /* AML */ ++ case 0x5110: case 0x5125: case 0x5140: /* AML */ + return pci_acs_ctrl_enabled(acs_flags, + PCI_ACS_SV | PCI_ACS_RR | PCI_ACS_CR | PCI_ACS_UF); + } +-- +2.43.0 + diff --git a/queue-5.4/pci-add-reset_subordinate-to-reset-hierarchy-below-b.patch b/queue-5.4/pci-add-reset_subordinate-to-reset-hierarchy-below-b.patch new file mode 100644 index 00000000000..ed28c6bd792 --- /dev/null +++ b/queue-5.4/pci-add-reset_subordinate-to-reset-hierarchy-below-b.patch @@ -0,0 +1,130 @@ +From 13723226de246695b0b2705380adab1d7e8cc8b0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Oct 2024 15:27:54 -0700 +Subject: PCI: Add 'reset_subordinate' to reset hierarchy below bridge + +From: Keith Busch + +[ Upstream commit 2fa046449a82a7d0f6d9721dd83e348816038444 ] + +The "bus" and "cxl_bus" reset methods reset a device by asserting Secondary +Bus Reset on the bridge leading to the device. These only work if the +device is the only device below the bridge. + +Add a sysfs 'reset_subordinate' attribute on bridges that can assert +Secondary Bus Reset regardless of how many devices are below the bridge. + +This resets all the devices below a bridge in a single command, including +the locking and config space save/restore that reset methods normally do. + +This may be the only way to reset devices that don't support other reset +methods (ACPI, FLR, PM reset, etc). + +Link: https://lore.kernel.org/r/20241025222755.3756162-1-kbusch@meta.com +Signed-off-by: Keith Busch +[bhelgaas: commit log, add capable(CAP_SYS_ADMIN) check] +Signed-off-by: Bjorn Helgaas +Reviewed-by: Alex Williamson +Reviewed-by: Amey Narkhede +Signed-off-by: Sasha Levin +--- + Documentation/ABI/testing/sysfs-bus-pci | 11 +++++++++++ + drivers/pci/pci-sysfs.c | 26 +++++++++++++++++++++++++ + drivers/pci/pci.c | 2 +- + drivers/pci/pci.h | 1 + + 4 files changed, 39 insertions(+), 1 deletion(-) + +diff --git a/Documentation/ABI/testing/sysfs-bus-pci b/Documentation/ABI/testing/sysfs-bus-pci +index 8bfee557e50ea..e84434d48dcf0 100644 +--- a/Documentation/ABI/testing/sysfs-bus-pci ++++ b/Documentation/ABI/testing/sysfs-bus-pci +@@ -125,6 +125,17 @@ Description: + will be present in sysfs. Writing 1 to this file + will perform reset. + ++What: /sys/bus/pci/devices/.../reset_subordinate ++Date: October 2024 ++Contact: linux-pci@vger.kernel.org ++Description: ++ This is visible only for bridge devices. If you want to reset ++ all devices attached through the subordinate bus of a specific ++ bridge device, writing 1 to this will try to do it. This will ++ affect all devices attached to the system through this bridge ++ similiar to writing 1 to their individual "reset" file, so use ++ with caution. ++ + What: /sys/bus/pci/devices/.../vpd + Date: February 2008 + Contact: Ben Hutchings +diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c +index 90d5a29a6ff3d..131c6d7e86f8f 100644 +--- a/drivers/pci/pci-sysfs.c ++++ b/drivers/pci/pci-sysfs.c +@@ -505,6 +505,31 @@ static ssize_t bus_rescan_store(struct device *dev, + static struct device_attribute dev_attr_bus_rescan = __ATTR(rescan, 0200, NULL, + bus_rescan_store); + ++static ssize_t reset_subordinate_store(struct device *dev, ++ struct device_attribute *attr, ++ const char *buf, size_t count) ++{ ++ struct pci_dev *pdev = to_pci_dev(dev); ++ struct pci_bus *bus = pdev->subordinate; ++ unsigned long val; ++ ++ if (!capable(CAP_SYS_ADMIN)) ++ return -EPERM; ++ ++ if (kstrtoul(buf, 0, &val) < 0) ++ return -EINVAL; ++ ++ if (val) { ++ int ret = __pci_reset_bus(bus); ++ ++ if (ret) ++ return ret; ++ } ++ ++ return count; ++} ++static DEVICE_ATTR_WO(reset_subordinate); ++ + #if defined(CONFIG_PM) && defined(CONFIG_ACPI) + static ssize_t d3cold_allowed_store(struct device *dev, + struct device_attribute *attr, +@@ -628,6 +653,7 @@ static struct attribute *pci_dev_attrs[] = { + static struct attribute *pci_bridge_attrs[] = { + &dev_attr_subordinate_bus_number.attr, + &dev_attr_secondary_bus_number.attr, ++ &dev_attr_reset_subordinate.attr, + NULL, + }; + +diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c +index 41050a35631fa..ad5bd17f77a3b 100644 +--- a/drivers/pci/pci.c ++++ b/drivers/pci/pci.c +@@ -5538,7 +5538,7 @@ EXPORT_SYMBOL_GPL(pci_probe_reset_bus); + * + * Same as above except return -EAGAIN if the bus cannot be locked + */ +-static int __pci_reset_bus(struct pci_bus *bus) ++int __pci_reset_bus(struct pci_bus *bus) + { + int rc; + +diff --git a/drivers/pci/pci.h b/drivers/pci/pci.h +index 725d2b0d45693..7a737ef76e6de 100644 +--- a/drivers/pci/pci.h ++++ b/drivers/pci/pci.h +@@ -41,6 +41,7 @@ int pci_mmap_fits(struct pci_dev *pdev, int resno, struct vm_area_struct *vmai, + int pci_probe_reset_function(struct pci_dev *dev); + int pci_bridge_secondary_bus_reset(struct pci_dev *dev); + int pci_bus_error_reset(struct pci_dev *dev); ++int __pci_reset_bus(struct pci_bus *bus); + + #define PCI_PM_D2_DELAY 200 + #define PCI_PM_D3_WAIT 10 +-- +2.43.0 + diff --git a/queue-5.4/pinctrl-qcom-pmic-gpio-add-support-for-pm8937.patch b/queue-5.4/pinctrl-qcom-pmic-gpio-add-support-for-pm8937.patch new file mode 100644 index 00000000000..12bcc51a3c9 --- /dev/null +++ b/queue-5.4/pinctrl-qcom-pmic-gpio-add-support-for-pm8937.patch @@ -0,0 +1,39 @@ +From 2a55b249f8fc5715bee51a374026fb88e9967612 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 31 Oct 2024 02:19:43 +0100 +Subject: pinctrl: qcom-pmic-gpio: add support for PM8937 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Barnabás Czémán + +[ Upstream commit 89265a58ff24e3885c2c9ca722bc3aaa47018be9 ] + +PM8937 has 8 GPIO-s with holes on GPIO3, GPIO4 and GPIO6. + +Signed-off-by: Barnabás Czémán +Reviewed-by: Dmitry Baryshkov +Link: https://lore.kernel.org/20241031-msm8917-v2-2-8a075faa89b1@mainlining.org +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/qcom/pinctrl-spmi-gpio.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/pinctrl/qcom/pinctrl-spmi-gpio.c b/drivers/pinctrl/qcom/pinctrl-spmi-gpio.c +index 3769ad08eadfe..ea244b00d5bed 100644 +--- a/drivers/pinctrl/qcom/pinctrl-spmi-gpio.c ++++ b/drivers/pinctrl/qcom/pinctrl-spmi-gpio.c +@@ -1106,6 +1106,8 @@ static int pmic_gpio_remove(struct platform_device *pdev) + static const struct of_device_id pmic_gpio_of_match[] = { + { .compatible = "qcom,pm8005-gpio", .data = (void *) 4 }, + { .compatible = "qcom,pm8916-gpio", .data = (void *) 4 }, ++ /* pm8937 has 8 GPIOs with holes on 3, 4 and 6 */ ++ { .compatible = "qcom,pm8937-gpio", .data = (void *) 8 }, + { .compatible = "qcom,pm8941-gpio", .data = (void *) 36 }, + { .compatible = "qcom,pm8994-gpio", .data = (void *) 22 }, + { .compatible = "qcom,pmi8994-gpio", .data = (void *) 10 }, +-- +2.43.0 + diff --git a/queue-5.4/powerpc-prom_init-fixup-missing-powermac-size-cells.patch b/queue-5.4/powerpc-prom_init-fixup-missing-powermac-size-cells.patch new file mode 100644 index 00000000000..e71e3a3bb06 --- /dev/null +++ b/queue-5.4/powerpc-prom_init-fixup-missing-powermac-size-cells.patch @@ -0,0 +1,103 @@ +From 1d4d5e401f13c9f73f475240853efa5ece41e66e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Nov 2024 13:57:10 +1100 +Subject: powerpc/prom_init: Fixup missing powermac #size-cells + +From: Michael Ellerman + +[ Upstream commit cf89c9434af122f28a3552e6f9cc5158c33ce50a ] + +On some powermacs `escc` nodes are missing `#size-cells` properties, +which is deprecated and now triggers a warning at boot since commit +045b14ca5c36 ("of: WARN on deprecated #address-cells/#size-cells +handling"). + +For example: + + Missing '#size-cells' in /pci@f2000000/mac-io@c/escc@13000 + WARNING: CPU: 0 PID: 0 at drivers/of/base.c:133 of_bus_n_size_cells+0x98/0x108 + Hardware name: PowerMac3,1 7400 0xc0209 PowerMac + ... + Call Trace: + of_bus_n_size_cells+0x98/0x108 (unreliable) + of_bus_default_count_cells+0x40/0x60 + __of_get_address+0xc8/0x21c + __of_address_to_resource+0x5c/0x228 + pmz_init_port+0x5c/0x2ec + pmz_probe.isra.0+0x144/0x1e4 + pmz_console_init+0x10/0x48 + console_init+0xcc/0x138 + start_kernel+0x5c4/0x694 + +As powermacs boot via prom_init it's possible to add the missing +properties to the device tree during boot, avoiding the warning. Note +that `escc-legacy` nodes are also missing `#size-cells` properties, but +they are skipped by the macio driver, so leave them alone. + +Depends-on: 045b14ca5c36 ("of: WARN on deprecated #address-cells/#size-cells handling") +Signed-off-by: Michael Ellerman +Reviewed-by: Rob Herring +Signed-off-by: Madhavan Srinivasan +Link: https://patch.msgid.link/20241126025710.591683-1-mpe@ellerman.id.au +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/prom_init.c | 29 +++++++++++++++++++++++++++-- + 1 file changed, 27 insertions(+), 2 deletions(-) + +diff --git a/arch/powerpc/kernel/prom_init.c b/arch/powerpc/kernel/prom_init.c +index 7f4e2c031a9ab..b7ef63614417d 100644 +--- a/arch/powerpc/kernel/prom_init.c ++++ b/arch/powerpc/kernel/prom_init.c +@@ -2856,7 +2856,7 @@ static void __init fixup_device_tree_chrp(void) + #endif + + #if defined(CONFIG_PPC64) && defined(CONFIG_PPC_PMAC) +-static void __init fixup_device_tree_pmac(void) ++static void __init fixup_device_tree_pmac64(void) + { + phandle u3, i2c, mpic; + u32 u3_rev; +@@ -2896,7 +2896,31 @@ static void __init fixup_device_tree_pmac(void) + &parent, sizeof(parent)); + } + #else +-#define fixup_device_tree_pmac() ++#define fixup_device_tree_pmac64() ++#endif ++ ++#ifdef CONFIG_PPC_PMAC ++static void __init fixup_device_tree_pmac(void) ++{ ++ __be32 val = 1; ++ char type[8]; ++ phandle node; ++ ++ // Some pmacs are missing #size-cells on escc nodes ++ for (node = 0; prom_next_node(&node); ) { ++ type[0] = '\0'; ++ prom_getprop(node, "device_type", type, sizeof(type)); ++ if (prom_strcmp(type, "escc")) ++ continue; ++ ++ if (prom_getproplen(node, "#size-cells") != PROM_ERROR) ++ continue; ++ ++ prom_setprop(node, NULL, "#size-cells", &val, sizeof(val)); ++ } ++} ++#else ++static inline void fixup_device_tree_pmac(void) { } + #endif + + #ifdef CONFIG_PPC_EFIKA +@@ -3121,6 +3145,7 @@ static void __init fixup_device_tree(void) + fixup_device_tree_maple_memory_controller(); + fixup_device_tree_chrp(); + fixup_device_tree_pmac(); ++ fixup_device_tree_pmac64(); + fixup_device_tree_efika(); + fixup_device_tree_pasemi(); + } +-- +2.43.0 + diff --git a/queue-5.4/rocker-fix-link-status-detection-in-rocker_carrier_i.patch b/queue-5.4/rocker-fix-link-status-detection-in-rocker_carrier_i.patch new file mode 100644 index 00000000000..4b137a5a251 --- /dev/null +++ b/queue-5.4/rocker-fix-link-status-detection-in-rocker_carrier_i.patch @@ -0,0 +1,39 @@ +From b9d4ccd8f32d9eac701de6a15647df68016fe269 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Nov 2024 18:19:46 +0300 +Subject: rocker: fix link status detection in rocker_carrier_init() + +From: Dmitry Antipov + +[ Upstream commit e64285ff41bb7a934bd815bd38f31119be62ac37 ] + +Since '1 << rocker_port->pport' may be undefined for port >= 32, +cast the left operand to 'unsigned long long' like it's done in +'rocker_port_set_enable()' above. Compile tested only. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Signed-off-by: Dmitry Antipov +Link: https://patch.msgid.link/20241114151946.519047-1-dmantipov@yandex.ru +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/rocker/rocker_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/rocker/rocker_main.c b/drivers/net/ethernet/rocker/rocker_main.c +index 5abb3f9684ffd..6bee5055559fe 100644 +--- a/drivers/net/ethernet/rocker/rocker_main.c ++++ b/drivers/net/ethernet/rocker/rocker_main.c +@@ -2542,7 +2542,7 @@ static void rocker_carrier_init(const struct rocker_port *rocker_port) + u64 link_status = rocker_read64(rocker, PORT_PHYS_LINK_STATUS); + bool link_up; + +- link_up = link_status & (1 << rocker_port->pport); ++ link_up = link_status & (1ULL << rocker_port->pport); + if (link_up) + netif_carrier_on(rocker_port->dev); + else +-- +2.43.0 + diff --git a/queue-5.4/s390-cpum_sf-handle-cpu-hotplug-remove-during-sampli.patch b/queue-5.4/s390-cpum_sf-handle-cpu-hotplug-remove-during-sampli.patch new file mode 100644 index 00000000000..400b68da7cb --- /dev/null +++ b/queue-5.4/s390-cpum_sf-handle-cpu-hotplug-remove-during-sampli.patch @@ -0,0 +1,80 @@ +From 8e5f935eace4771dcc1e65ddeb476db3825ce966 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Oct 2024 12:27:53 +0200 +Subject: s390/cpum_sf: Handle CPU hotplug remove during sampling + +From: Thomas Richter + +[ Upstream commit a0bd7dacbd51c632b8e2c0500b479af564afadf3 ] + +CPU hotplug remove handling triggers the following function +call sequence: + + CPUHP_AP_PERF_S390_SF_ONLINE --> s390_pmu_sf_offline_cpu() + ... + CPUHP_AP_PERF_ONLINE --> perf_event_exit_cpu() + +The s390 CPUMF sampling CPU hotplug handler invokes: + + s390_pmu_sf_offline_cpu() + +--> cpusf_pmu_setup() + +--> setup_pmc_cpu() + +--> deallocate_buffers() + +This function de-allocates all sampling data buffers (SDBs) allocated +for that CPU at event initialization. It also clears the +PMU_F_RESERVED bit. The CPU is gone and can not be sampled. + +With the event still being active on the removed CPU, the CPU event +hotplug support in kernel performance subsystem triggers the +following function calls on the removed CPU: + + perf_event_exit_cpu() + +--> perf_event_exit_cpu_context() + +--> __perf_event_exit_context() + +--> __perf_remove_from_context() + +--> event_sched_out() + +--> cpumsf_pmu_del() + +--> cpumsf_pmu_stop() + +--> hw_perf_event_update() + +to stop and remove the event. During removal of the event, the +sampling device driver tries to read out the remaining samples from +the sample data buffers (SDBs). But they have already been freed +(and may have been re-assigned). This may lead to a use after free +situation in which case the samples are most likely invalid. In the +best case the memory has not been reassigned and still contains +valid data. + +Remedy this situation and check if the CPU is still in reserved +state (bit PMU_F_RESERVED set). In this case the SDBs have not been +released an contain valid data. This is always the case when +the event is removed (and no CPU hotplug off occured). +If the PMU_F_RESERVED bit is not set, the SDB buffers are gone. + +Signed-off-by: Thomas Richter +Reviewed-by: Hendrik Brueckner +Signed-off-by: Heiko Carstens +Signed-off-by: Sasha Levin +--- + arch/s390/kernel/perf_cpum_sf.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/arch/s390/kernel/perf_cpum_sf.c b/arch/s390/kernel/perf_cpum_sf.c +index 4f251cd624d7e..6047ccb6f8e26 100644 +--- a/arch/s390/kernel/perf_cpum_sf.c ++++ b/arch/s390/kernel/perf_cpum_sf.c +@@ -1862,7 +1862,9 @@ static void cpumsf_pmu_stop(struct perf_event *event, int flags) + event->hw.state |= PERF_HES_STOPPED; + + if ((flags & PERF_EF_UPDATE) && !(event->hw.state & PERF_HES_UPTODATE)) { +- hw_perf_event_update(event, 1); ++ /* CPU hotplug off removes SDBs. No samples to extract. */ ++ if (cpuhw->flags & PMU_F_RESERVED) ++ hw_perf_event_update(event, 1); + event->hw.state |= PERF_HES_UPTODATE; + } + perf_pmu_enable(event->pmu); +-- +2.43.0 + diff --git a/queue-5.4/samples-bpf-fix-a-resource-leak.patch b/queue-5.4/samples-bpf-fix-a-resource-leak.patch new file mode 100644 index 00000000000..c308ddc0e0c --- /dev/null +++ b/queue-5.4/samples-bpf-fix-a-resource-leak.patch @@ -0,0 +1,39 @@ +From cbd13dbecfcfe740535d1a7cb933a6004c54a28b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Oct 2024 18:41:26 -0700 +Subject: samples/bpf: Fix a resource leak + +From: Zhu Jun + +[ Upstream commit f3ef53174b23246fe9bc2bbc2542f3a3856fa1e2 ] + +The opened file should be closed in show_sockopts(), otherwise resource +leak will occur that this problem was discovered by reading code + +Signed-off-by: Zhu Jun +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20241010014126.2573-1-zhujun2@cmss.chinamobile.com +Signed-off-by: Sasha Levin +--- + samples/bpf/test_cgrp2_sock.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/samples/bpf/test_cgrp2_sock.c b/samples/bpf/test_cgrp2_sock.c +index b0811da5a00f3..3f56519a1ccd7 100644 +--- a/samples/bpf/test_cgrp2_sock.c ++++ b/samples/bpf/test_cgrp2_sock.c +@@ -174,8 +174,10 @@ static int show_sockopts(int family) + return 1; + } + +- if (get_bind_to_device(sd, name, sizeof(name)) < 0) ++ if (get_bind_to_device(sd, name, sizeof(name)) < 0) { ++ close(sd); + return 1; ++ } + + mark = get_somark(sd); + prio = get_priority(sd); +-- +2.43.0 + diff --git a/queue-5.4/scsi-st-add-mtiocget-and-mtload-to-ioctls-allowed-af.patch b/queue-5.4/scsi-st-add-mtiocget-and-mtload-to-ioctls-allowed-af.patch new file mode 100644 index 00000000000..29602bfef2f --- /dev/null +++ b/queue-5.4/scsi-st-add-mtiocget-and-mtload-to-ioctls-allowed-af.patch @@ -0,0 +1,90 @@ +From 0213043c1cc068a4e783cfae952d1842c5f2430c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Nov 2024 11:57:22 +0200 +Subject: scsi: st: Add MTIOCGET and MTLOAD to ioctls allowed after device + reset +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kai Mäkisara + +[ Upstream commit 0b120edb37dc9dd8ca82893d386922eb6b16f860 ] + +Most drives rewind the tape when the device is reset. Reading and writing +are not allowed until something is done to make the tape position match the +user's expectation (e.g., rewind the tape). Add MTIOCGET and MTLOAD to +operations allowed after reset. MTIOCGET is modified to not touch the tape +if pos_unknown is non-zero. The tape location is known after MTLOAD. + +Signed-off-by: Kai Mäkisara +Link: https://bugzilla.kernel.org/show_bug.cgi?id=219419#c14 +Link: https://lore.kernel.org/r/20241106095723.63254-3-Kai.Makisara@kolumbus.fi +Reviewed-by: John Meneghini +Tested-by: John Meneghini +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/st.c | 29 +++++++++++++++++++++-------- + 1 file changed, 21 insertions(+), 8 deletions(-) + +diff --git a/drivers/scsi/st.c b/drivers/scsi/st.c +index 4e0737c25fbdf..49e149d28954a 100644 +--- a/drivers/scsi/st.c ++++ b/drivers/scsi/st.c +@@ -3505,6 +3505,7 @@ static long st_ioctl(struct file *file, unsigned int cmd_in, unsigned long arg) + int i, cmd_nr, cmd_type, bt; + int retval = 0; + unsigned int blk; ++ bool cmd_mtiocget; + struct scsi_tape *STp = file->private_data; + struct st_modedef *STm; + struct st_partstat *STps; +@@ -3619,6 +3620,7 @@ static long st_ioctl(struct file *file, unsigned int cmd_in, unsigned long arg) + */ + if (mtc.mt_op != MTREW && + mtc.mt_op != MTOFFL && ++ mtc.mt_op != MTLOAD && + mtc.mt_op != MTRETEN && + mtc.mt_op != MTERASE && + mtc.mt_op != MTSEEK && +@@ -3732,17 +3734,28 @@ static long st_ioctl(struct file *file, unsigned int cmd_in, unsigned long arg) + goto out; + } + ++ cmd_mtiocget = cmd_type == _IOC_TYPE(MTIOCGET) && cmd_nr == _IOC_NR(MTIOCGET); ++ + if ((i = flush_buffer(STp, 0)) < 0) { +- retval = i; +- goto out; +- } +- if (STp->can_partitions && +- (i = switch_partition(STp)) < 0) { +- retval = i; +- goto out; ++ if (cmd_mtiocget && STp->pos_unknown) { ++ /* flush fails -> modify status accordingly */ ++ reset_state(STp); ++ STp->pos_unknown = 1; ++ } else { /* return error */ ++ retval = i; ++ goto out; ++ } ++ } else { /* flush_buffer succeeds */ ++ if (STp->can_partitions) { ++ i = switch_partition(STp); ++ if (i < 0) { ++ retval = i; ++ goto out; ++ } ++ } + } + +- if (cmd_type == _IOC_TYPE(MTIOCGET) && cmd_nr == _IOC_NR(MTIOCGET)) { ++ if (cmd_mtiocget) { + struct mtget mt_status; + + if (_IOC_SIZE(cmd_in) != sizeof(struct mtget)) { +-- +2.43.0 + diff --git a/queue-5.4/scsi-st-don-t-modify-unknown-block-number-in-mtiocge.patch b/queue-5.4/scsi-st-don-t-modify-unknown-block-number-in-mtiocge.patch new file mode 100644 index 00000000000..9b77263af89 --- /dev/null +++ b/queue-5.4/scsi-st-don-t-modify-unknown-block-number-in-mtiocge.patch @@ -0,0 +1,42 @@ +From b13adb298d532f8199e6a3a8408f99e233e41bb1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Nov 2024 11:57:21 +0200 +Subject: scsi: st: Don't modify unknown block number in MTIOCGET +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kai Mäkisara + +[ Upstream commit 5bb2d6179d1a8039236237e1e94cfbda3be1ed9e ] + +Struct mtget field mt_blkno -1 means it is unknown. Don't add anything to +it. + +Signed-off-by: Kai Mäkisara +Link: https://bugzilla.kernel.org/show_bug.cgi?id=219419#c14 +Link: https://lore.kernel.org/r/20241106095723.63254-2-Kai.Makisara@kolumbus.fi +Reviewed-by: John Meneghini +Tested-by: John Meneghini +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/st.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/st.c b/drivers/scsi/st.c +index 2121e44c342f8..4e0737c25fbdf 100644 +--- a/drivers/scsi/st.c ++++ b/drivers/scsi/st.c +@@ -3756,7 +3756,7 @@ static long st_ioctl(struct file *file, unsigned int cmd_in, unsigned long arg) + ((STp->density << MT_ST_DENSITY_SHIFT) & MT_ST_DENSITY_MASK); + mt_status.mt_blkno = STps->drv_block; + mt_status.mt_fileno = STps->drv_file; +- if (STp->block_size != 0) { ++ if (STp->block_size != 0 && mt_status.mt_blkno >= 0) { + if (STps->rw == ST_WRITING) + mt_status.mt_blkno += + (STp->buffer)->buffer_bytes / STp->block_size; +-- +2.43.0 + diff --git a/queue-5.4/series b/queue-5.4/series index d6bb66fb0a1..18bf6996987 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -263,3 +263,48 @@ bcache-revert-replacing-is_err_or_null-with-is_err-again.patch dma-buf-fix-dma_fence_array_signaled-v4.patch regmap-detach-regmap-from-dev-on-regmap_exit.patch mmc-core-further-prevent-card-detect-during-shutdown.patch +s390-cpum_sf-handle-cpu-hotplug-remove-during-sampli.patch +timekeeping-always-check-for-negative-motion.patch +media-uvcvideo-add-a-quirk-for-the-kaiweets-kti-w02-.patch +media-cx231xx-add-support-for-dexatek-usb-video-grab.patch +hid-bpf-fix-nkro-on-mistel-md770.patch +drm-panel-orientation-quirks-add-quirk-for-aya-neo-2.patch +drm-mcde-enable-module-autoloading.patch +drm-radeon-r600_cs-fix-possible-int-overflow-in-r600.patch +samples-bpf-fix-a-resource-leak.patch +net-fec_mpc52xx_phy-use-pa-to-format-resource_size_t.patch +net-ethernet-fs_enet-use-pa-to-format-resource_size_.patch +net-sched-cbs-fix-integer-overflow-in-cbs_set_port_r.patch +af_packet-avoid-erroring-out-after-sock_init_data-in.patch +bluetooth-l2cap-do-not-leave-dangling-sk-pointer-on-.patch +net-af_can-do-not-leave-a-dangling-sk-pointer-in-can.patch +net-ieee802154-do-not-leave-a-dangling-sk-pointer-in.patch +net-inet-do-not-leave-a-dangling-sk-pointer-in-inet_.patch +net-inet6-do-not-leave-a-dangling-sk-pointer-in-inet.patch +wifi-ath5k-add-pci-id-for-sx76x.patch +wifi-ath5k-add-pci-id-for-arcadyan-devices.patch +jfs-array-index-out-of-bounds-fix-in-dtreadfirst.patch +jfs-fix-shift-out-of-bounds-in-dbsplit.patch +jfs-fix-array-index-out-of-bounds-in-jfs_readdir.patch +jfs-add-a-check-to-prevent-array-index-out-of-bounds.patch +drm-amdgpu-set-the-right-amdgpu-sg-segment-limitatio.patch +wifi-ipw2x00-libipw_rx_any-fix-bad-alignment.patch +wifi-brcmfmac-fix-oops-due-to-null-pointer-dereferen.patch +bluetooth-btusb-add-rtl8852be-device-0489-e123-to-de.patch +asoc-hdmi-codec-reorder-channel-allocation-list.patch +rocker-fix-link-status-detection-in-rocker_carrier_i.patch +net-neighbor-clear-error-in-case-strict-check-is-not.patch +netpoll-use-rcu_access_pointer-in-__netpoll_setup.patch +tracing-use-atomic64_inc_return-in-trace_clock_count.patch +leds-class-protect-brightness_show-with-led_cdev-led.patch +scsi-st-don-t-modify-unknown-block-number-in-mtiocge.patch +scsi-st-add-mtiocget-and-mtload-to-ioctls-allowed-af.patch +pinctrl-qcom-pmic-gpio-add-support-for-pm8937.patch +nvdimm-rectify-the-illogical-code-within-nd_dax_prob.patch +f2fs-fix-f2fs_bug_on-when-uninstalling-filesystem-ca.patch +pci-add-reset_subordinate-to-reset-hierarchy-below-b.patch +pci-add-acs-quirk-for-wangxun-ff5xxx-nics.patch +i3c-use-i3cdev-desc-info-instead-of-calling-i3c_devi.patch +usb-chipidea-udc-handle-usb-error-interrupt-if-ioc-n.patch +powerpc-prom_init-fixup-missing-powermac-size-cells.patch +misc-eeprom-eeprom_93cx6-add-quirk-for-extra-read-cl.patch diff --git a/queue-5.4/timekeeping-always-check-for-negative-motion.patch b/queue-5.4/timekeeping-always-check-for-negative-motion.patch new file mode 100644 index 00000000000..f4807f9f1bf --- /dev/null +++ b/queue-5.4/timekeeping-always-check-for-negative-motion.patch @@ -0,0 +1,87 @@ +From a6188d33b7a5ea1f492ad8a52645e5698698ba38 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 31 Oct 2024 13:04:08 +0100 +Subject: timekeeping: Always check for negative motion + +From: Thomas Gleixner + +[ Upstream commit c163e40af9b2331b2c629fd4ec8b703ed4d4ae39 ] + +clocksource_delta() has two variants. One with a check for negative motion, +which is only selected by x86. This is a historic leftover as this function +was previously used in the time getter hot paths. + +Since 135225a363ae timekeeping_cycles_to_ns() has unconditional protection +against this as a by-product of the protection against 64bit math overflow. + +clocksource_delta() is only used in the clocksource watchdog and in +timekeeping_advance(). The extra conditional there is not hurting anyone. + +Remove the config option and unconditionally prevent negative motion of the +readout. + +Signed-off-by: Thomas Gleixner +Acked-by: John Stultz +Link: https://lore.kernel.org/all/20241031120328.599430157@linutronix.de +Signed-off-by: Sasha Levin +--- + arch/x86/Kconfig | 1 - + kernel/time/Kconfig | 5 ----- + kernel/time/timekeeping_internal.h | 7 ------- + 3 files changed, 13 deletions(-) + +diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig +index df0a3a1b08ae0..a3e7f75a8cfa8 100644 +--- a/arch/x86/Kconfig ++++ b/arch/x86/Kconfig +@@ -99,7 +99,6 @@ config X86 + select ARCH_WANTS_THP_SWAP if X86_64 + select BUILDTIME_EXTABLE_SORT + select CLKEVT_I8253 +- select CLOCKSOURCE_VALIDATE_LAST_CYCLE + select CLOCKSOURCE_WATCHDOG + select DCACHE_WORD_ACCESS + select EDAC_ATOMIC_SCRUB +diff --git a/kernel/time/Kconfig b/kernel/time/Kconfig +index fcc42353f1253..4b9a8653a6327 100644 +--- a/kernel/time/Kconfig ++++ b/kernel/time/Kconfig +@@ -17,11 +17,6 @@ config ARCH_CLOCKSOURCE_DATA + config ARCH_CLOCKSOURCE_INIT + bool + +-# Clocksources require validation of the clocksource against the last +-# cycle update - x86/TSC misfeature +-config CLOCKSOURCE_VALIDATE_LAST_CYCLE +- bool +- + # Timekeeping vsyscall support + config GENERIC_TIME_VSYSCALL + bool +diff --git a/kernel/time/timekeeping_internal.h b/kernel/time/timekeeping_internal.h +index bcbb52db22565..d7f99e69bce4b 100644 +--- a/kernel/time/timekeeping_internal.h ++++ b/kernel/time/timekeeping_internal.h +@@ -13,7 +13,6 @@ extern void tk_debug_account_sleep_time(const struct timespec64 *t); + #define tk_debug_account_sleep_time(x) + #endif + +-#ifdef CONFIG_CLOCKSOURCE_VALIDATE_LAST_CYCLE + static inline u64 clocksource_delta(u64 now, u64 last, u64 mask) + { + u64 ret = (now - last) & mask; +@@ -24,11 +23,5 @@ static inline u64 clocksource_delta(u64 now, u64 last, u64 mask) + */ + return ret & ~(mask >> 1) ? 0 : ret; + } +-#else +-static inline u64 clocksource_delta(u64 now, u64 last, u64 mask) +-{ +- return (now - last) & mask; +-} +-#endif + + #endif /* _TIMEKEEPING_INTERNAL_H */ +-- +2.43.0 + diff --git a/queue-5.4/tracing-use-atomic64_inc_return-in-trace_clock_count.patch b/queue-5.4/tracing-use-atomic64_inc_return-in-trace_clock_count.patch new file mode 100644 index 00000000000..daf97d65e8e --- /dev/null +++ b/queue-5.4/tracing-use-atomic64_inc_return-in-trace_clock_count.patch @@ -0,0 +1,38 @@ +From 73319ed6fbc1a28790d34ac3dae0a8d044d1e391 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Oct 2024 10:56:28 +0200 +Subject: tracing: Use atomic64_inc_return() in trace_clock_counter() + +From: Uros Bizjak + +[ Upstream commit eb887c4567d1b0e7684c026fe7df44afa96589e6 ] + +Use atomic64_inc_return(&ref) instead of atomic64_add_return(1, &ref) +to use optimized implementation and ease register pressure around +the primitive for targets that implement optimized variant. + +Cc: Steven Rostedt +Cc: Masami Hiramatsu +Cc: Mathieu Desnoyers +Link: https://lore.kernel.org/20241007085651.48544-1-ubizjak@gmail.com +Signed-off-by: Uros Bizjak +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace_clock.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/trace/trace_clock.c b/kernel/trace/trace_clock.c +index 4702efb00ff21..4cb2ebc439be6 100644 +--- a/kernel/trace/trace_clock.c ++++ b/kernel/trace/trace_clock.c +@@ -154,5 +154,5 @@ static atomic64_t trace_counter; + */ + u64 notrace trace_clock_counter(void) + { +- return atomic64_add_return(1, &trace_counter); ++ return atomic64_inc_return(&trace_counter); + } +-- +2.43.0 + diff --git a/queue-5.4/usb-chipidea-udc-handle-usb-error-interrupt-if-ioc-n.patch b/queue-5.4/usb-chipidea-udc-handle-usb-error-interrupt-if-ioc-n.patch new file mode 100644 index 00000000000..9bd2dbdabdf --- /dev/null +++ b/queue-5.4/usb-chipidea-udc-handle-usb-error-interrupt-if-ioc-n.patch @@ -0,0 +1,44 @@ +From 65d9618f78df3a7afdad20984e9ca4afbc1d69a2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Sep 2024 10:29:04 +0800 +Subject: usb: chipidea: udc: handle USB Error Interrupt if IOC not set + +From: Xu Yang + +[ Upstream commit 548f48b66c0c5d4b9795a55f304b7298cde2a025 ] + +As per USBSTS register description about UEI: + + When completion of a USB transaction results in an error condition, this + bit is set by the Host/Device Controller. This bit is set along with the + USBINT bit, if the TD on which the error interrupt occurred also had its + interrupt on complete (IOC) bit set. + +UI is set only when IOC set. Add checking UEI to fix miss call +isr_tr_complete_handler() when IOC have not set and transfer error happen. + +Acked-by: Peter Chen +Signed-off-by: Xu Yang +Link: https://lore.kernel.org/r/20240926022906.473319-1-xu.yang_2@nxp.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/chipidea/udc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/chipidea/udc.c b/drivers/usb/chipidea/udc.c +index 72d62abb6f285..a6ce6b89b271a 100644 +--- a/drivers/usb/chipidea/udc.c ++++ b/drivers/usb/chipidea/udc.c +@@ -1902,7 +1902,7 @@ static irqreturn_t udc_irq(struct ci_hdrc *ci) + } + } + +- if (USBi_UI & intr) ++ if ((USBi_UI | USBi_UEI) & intr) + isr_tr_complete_handler(ci); + + if ((USBi_SLI & intr) && !(ci->suspended)) { +-- +2.43.0 + diff --git a/queue-5.4/wifi-ath5k-add-pci-id-for-arcadyan-devices.patch b/queue-5.4/wifi-ath5k-add-pci-id-for-arcadyan-devices.patch new file mode 100644 index 00000000000..62cb638605c --- /dev/null +++ b/queue-5.4/wifi-ath5k-add-pci-id-for-arcadyan-devices.patch @@ -0,0 +1,34 @@ +From d3aee4a0f2e68cb4d5e4925bb2fc340c2a67f273 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Sep 2024 11:07:16 -0700 +Subject: wifi: ath5k: add PCI ID for Arcadyan devices + +From: Rosen Penev + +[ Upstream commit f3ced9bb90b0a287a1fa6184d16b0f104a78fa90 ] + +Arcadyan made routers with this PCI ID containing an AR2417. + +Signed-off-by: Rosen Penev +Link: https://patch.msgid.link/20240930180716.139894-3-rosenp@gmail.com +Signed-off-by: Jeff Johnson +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath5k/pci.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wireless/ath/ath5k/pci.c b/drivers/net/wireless/ath/ath5k/pci.c +index b7f62c472b879..e58da21b28ef5 100644 +--- a/drivers/net/wireless/ath/ath5k/pci.c ++++ b/drivers/net/wireless/ath/ath5k/pci.c +@@ -47,6 +47,7 @@ static const struct pci_device_id ath5k_pci_id_table[] = { + { PCI_VDEVICE(ATHEROS, 0x001c) }, /* PCI-E cards */ + { PCI_VDEVICE(ATHEROS, 0x001d) }, /* 2417 Nala */ + { PCI_VDEVICE(ATHEROS, 0xff16) }, /* Gigaset SX76[23] AR241[34]A */ ++ { PCI_VDEVICE(ATHEROS, 0xff1a) }, /* Arcadyan ARV45XX AR2417 */ + { PCI_VDEVICE(ATHEROS, 0xff1b) }, /* AR5BXB63 */ + { 0 } + }; +-- +2.43.0 + diff --git a/queue-5.4/wifi-ath5k-add-pci-id-for-sx76x.patch b/queue-5.4/wifi-ath5k-add-pci-id-for-sx76x.patch new file mode 100644 index 00000000000..d7dddd1e824 --- /dev/null +++ b/queue-5.4/wifi-ath5k-add-pci-id-for-sx76x.patch @@ -0,0 +1,34 @@ +From 9da96bf1edf5cd9c9c812854ade4344e7c062ad6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Sep 2024 11:07:15 -0700 +Subject: wifi: ath5k: add PCI ID for SX76X + +From: Rosen Penev + +[ Upstream commit da0474012402d4729b98799d71a54c35dc5c5de3 ] + +This is in two devices made by Gigaset, SX762 and SX763. + +Signed-off-by: Rosen Penev +Link: https://patch.msgid.link/20240930180716.139894-2-rosenp@gmail.com +Signed-off-by: Jeff Johnson +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath5k/pci.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wireless/ath/ath5k/pci.c b/drivers/net/wireless/ath/ath5k/pci.c +index d5ee32ce9eb3d..b7f62c472b879 100644 +--- a/drivers/net/wireless/ath/ath5k/pci.c ++++ b/drivers/net/wireless/ath/ath5k/pci.c +@@ -46,6 +46,7 @@ static const struct pci_device_id ath5k_pci_id_table[] = { + { PCI_VDEVICE(ATHEROS, 0x001b) }, /* 5413 Eagle */ + { PCI_VDEVICE(ATHEROS, 0x001c) }, /* PCI-E cards */ + { PCI_VDEVICE(ATHEROS, 0x001d) }, /* 2417 Nala */ ++ { PCI_VDEVICE(ATHEROS, 0xff16) }, /* Gigaset SX76[23] AR241[34]A */ + { PCI_VDEVICE(ATHEROS, 0xff1b) }, /* AR5BXB63 */ + { 0 } + }; +-- +2.43.0 + diff --git a/queue-5.4/wifi-brcmfmac-fix-oops-due-to-null-pointer-dereferen.patch b/queue-5.4/wifi-brcmfmac-fix-oops-due-to-null-pointer-dereferen.patch new file mode 100644 index 00000000000..1adbba4d7eb --- /dev/null +++ b/queue-5.4/wifi-brcmfmac-fix-oops-due-to-null-pointer-dereferen.patch @@ -0,0 +1,52 @@ +From 01dc2f995a43c2083679d57fb7f4ea15fe6c23c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Nov 2024 14:28:13 +0100 +Subject: wifi: brcmfmac: Fix oops due to NULL pointer dereference in + brcmf_sdiod_sglist_rw() + +From: Norbert van Bolhuis + +[ Upstream commit 857282b819cbaa0675aaab1e7542e2c0579f52d7 ] + +This patch fixes a NULL pointer dereference bug in brcmfmac that occurs +when a high 'sd_sgentry_align' value applies (e.g. 512) and a lot of queued SKBs +are sent from the pkt queue. + +The problem is the number of entries in the pre-allocated sgtable, it is +nents = max(rxglom_size, txglom_size) + max(rxglom_size, txglom_size) >> 4 + 1. +Given the default [rt]xglom_size=32 it's actually 35 which is too small. +Worst case, the pkt queue can end up with 64 SKBs. This occurs when a new SKB +is added for each original SKB if tailroom isn't enough to hold tail_pad. +At least one sg entry is needed for each SKB. So, eventually the "skb_queue_walk loop" +in brcmf_sdiod_sglist_rw may run out of sg entries. This makes sg_next return +NULL and this causes the oops. + +The patch sets nents to max(rxglom_size, txglom_size) * 2 to be able handle +the worst-case. +Btw. this requires only 64-35=29 * 16 (or 20 if CONFIG_NEED_SG_DMA_LENGTH) = 464 +additional bytes of memory. + +Signed-off-by: Norbert van Bolhuis +Signed-off-by: Kalle Valo +Link: https://patch.msgid.link/20241107132903.13513-1-nvbolhuis@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c +index c492d2d2db1df..32ac1fa5bdecf 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c +@@ -770,7 +770,7 @@ void brcmf_sdiod_sgtable_alloc(struct brcmf_sdio_dev *sdiodev) + + nents = max_t(uint, BRCMF_DEFAULT_RXGLOM_SIZE, + sdiodev->settings->bus.sdio.txglomsz); +- nents += (nents >> 4) + 1; ++ nents *= 2; + + WARN_ON(nents > sdiodev->max_segment_count); + +-- +2.43.0 + diff --git a/queue-5.4/wifi-ipw2x00-libipw_rx_any-fix-bad-alignment.patch b/queue-5.4/wifi-ipw2x00-libipw_rx_any-fix-bad-alignment.patch new file mode 100644 index 00000000000..db1713807ed --- /dev/null +++ b/queue-5.4/wifi-ipw2x00-libipw_rx_any-fix-bad-alignment.patch @@ -0,0 +1,53 @@ +From e7c5794ac3639bed0c004c3265ea1e4e8bfb197e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Nov 2024 14:07:25 +0800 +Subject: wifi: ipw2x00: libipw_rx_any(): fix bad alignment + +From: Jiapeng Chong + +[ Upstream commit 4fa4f049dc0d9741b16c96bcbf0108c85368a2b9 ] + +This patch fixes incorrect code alignment. + +./drivers/net/wireless/intel/ipw2x00/libipw_rx.c:871:2-3: code aligned with following code on line 882. +./drivers/net/wireless/intel/ipw2x00/libipw_rx.c:886:2-3: code aligned with following code on line 900. + +Reported-by: Abaci Robot +Closes: https://bugzilla.openanolis.cn/show_bug.cgi?id=11381 +Signed-off-by: Jiapeng Chong +Signed-off-by: Kalle Valo +Link: https://patch.msgid.link/20241101060725.54640-1-jiapeng.chong@linux.alibaba.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/ipw2x00/libipw_rx.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/wireless/intel/ipw2x00/libipw_rx.c b/drivers/net/wireless/intel/ipw2x00/libipw_rx.c +index 34cfd81628559..36831f4a2ea5e 100644 +--- a/drivers/net/wireless/intel/ipw2x00/libipw_rx.c ++++ b/drivers/net/wireless/intel/ipw2x00/libipw_rx.c +@@ -870,8 +870,8 @@ void libipw_rx_any(struct libipw_device *ieee, + switch (ieee->iw_mode) { + case IW_MODE_ADHOC: + /* our BSS and not from/to DS */ +- if (ether_addr_equal(hdr->addr3, ieee->bssid)) +- if ((fc & (IEEE80211_FCTL_TODS+IEEE80211_FCTL_FROMDS)) == 0) { ++ if (ether_addr_equal(hdr->addr3, ieee->bssid) && ++ ((fc & (IEEE80211_FCTL_TODS + IEEE80211_FCTL_FROMDS)) == 0)) { + /* promisc: get all */ + if (ieee->dev->flags & IFF_PROMISC) + is_packet_for_us = 1; +@@ -885,8 +885,8 @@ void libipw_rx_any(struct libipw_device *ieee, + break; + case IW_MODE_INFRA: + /* our BSS (== from our AP) and from DS */ +- if (ether_addr_equal(hdr->addr2, ieee->bssid)) +- if ((fc & (IEEE80211_FCTL_TODS+IEEE80211_FCTL_FROMDS)) == IEEE80211_FCTL_FROMDS) { ++ if (ether_addr_equal(hdr->addr2, ieee->bssid) && ++ ((fc & (IEEE80211_FCTL_TODS + IEEE80211_FCTL_FROMDS)) == IEEE80211_FCTL_FROMDS)) { + /* promisc: get all */ + if (ieee->dev->flags & IFF_PROMISC) + is_packet_for_us = 1; +-- +2.43.0 +