From: Greg Kroah-Hartman Date: Sat, 26 Aug 2023 19:56:59 +0000 (+0200) Subject: 6.4-stable patches X-Git-Tag: v6.1.49~56 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4ed9ddc498742b413b171f3dd9b49e87be6cd89d;p=thirdparty%2Fkernel%2Fstable-queue.git 6.4-stable patches added patches: asoc-amd-yc-add-vivobook-pro-15-to-quirks-list-for-acp6x.patch asoc-cs35l41-correct-amp_gain_tlv-values.patch clk-fix-slab-out-of-bounds-error-in-devm_clk_release.patch ibmveth-use-dcbf-rather-than-dcbfl.patch mm-ima-kexec-of-use-memblock_free_late-from-ima_free_kexec_buffer.patch nfsv4-fix-dropped-lock-for-racing-open-and-delegation-return.patch platform-x86-ideapad-laptop-add-support-for-new-hotkeys-found-on-thinkbook-14s-yoga-itl.patch platform-x86-lenovo-ymc-add-lenovo-yoga-7-14acn6-to-ec_trigger_quirk_dmi_table.patch shmem-fix-smaps-bug-sleeping-while-atomic.patch spi-spi-cadence-fix-data-corruption-issues-in-slave-mode.patch wifi-mac80211-limit-reorder_buf_filtered-to-avoid-ubsan-warning.patch --- diff --git a/queue-6.4/asoc-amd-yc-add-vivobook-pro-15-to-quirks-list-for-acp6x.patch b/queue-6.4/asoc-amd-yc-add-vivobook-pro-15-to-quirks-list-for-acp6x.patch new file mode 100644 index 00000000000..957ec913ba0 --- /dev/null +++ b/queue-6.4/asoc-amd-yc-add-vivobook-pro-15-to-quirks-list-for-acp6x.patch @@ -0,0 +1,36 @@ +From 3b1f08833c45d0167741e4097b0150e7cf086102 Mon Sep 17 00:00:00 2001 +From: BrenoRCBrito +Date: Fri, 18 Aug 2023 18:14:16 -0300 +Subject: ASoC: amd: yc: Add VivoBook Pro 15 to quirks list for acp6x + +From: BrenoRCBrito + +commit 3b1f08833c45d0167741e4097b0150e7cf086102 upstream. + +VivoBook Pro 15 Ryzen Edition uses Ryzen 6800H processor, and adding to + quirks list for acp6x will enable internal mic. + +Signed-off-by: BrenoRCBrito +Link: https://lore.kernel.org/r/20230818211417.32167-1-brenorcbrito@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/amd/yc/acp6x-mach.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/sound/soc/amd/yc/acp6x-mach.c ++++ b/sound/soc/amd/yc/acp6x-mach.c +@@ -251,6 +251,13 @@ static const struct dmi_system_id yc_acp + { + .driver_data = &acp6x_card, + .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "ASUSTeK COMPUTER INC."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "M6500RC"), ++ } ++ }, ++ { ++ .driver_data = &acp6x_card, ++ .matches = { + DMI_MATCH(DMI_BOARD_VENDOR, "Alienware"), + DMI_MATCH(DMI_PRODUCT_NAME, "Alienware m17 R5 AMD"), + } diff --git a/queue-6.4/asoc-cs35l41-correct-amp_gain_tlv-values.patch b/queue-6.4/asoc-cs35l41-correct-amp_gain_tlv-values.patch new file mode 100644 index 00000000000..71b56d7b30c --- /dev/null +++ b/queue-6.4/asoc-cs35l41-correct-amp_gain_tlv-values.patch @@ -0,0 +1,32 @@ +From 1613781d7e8a93618ff3a6b37f81f06769b53717 Mon Sep 17 00:00:00 2001 +From: Charles Keepax +Date: Wed, 23 Aug 2023 09:53:08 +0100 +Subject: ASoC: cs35l41: Correct amp_gain_tlv values + +From: Charles Keepax + +commit 1613781d7e8a93618ff3a6b37f81f06769b53717 upstream. + +The current analog gain TLV seems to have completely incorrect values in +it. The gain starts at 0.5dB, proceeds in 1dB steps, and has no mute +value, correct the control to match. + +Signed-off-by: Charles Keepax +Link: https://lore.kernel.org/r/20230823085308.753572-1-ckeepax@opensource.cirrus.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/cs35l41.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/soc/codecs/cs35l41.c ++++ b/sound/soc/codecs/cs35l41.c +@@ -168,7 +168,7 @@ static int cs35l41_get_fs_mon_config_ind + static const DECLARE_TLV_DB_RANGE(dig_vol_tlv, + 0, 0, TLV_DB_SCALE_ITEM(TLV_DB_GAIN_MUTE, 0, 1), + 1, 913, TLV_DB_MINMAX_ITEM(-10200, 1200)); +-static DECLARE_TLV_DB_SCALE(amp_gain_tlv, 0, 1, 1); ++static DECLARE_TLV_DB_SCALE(amp_gain_tlv, 50, 100, 0); + + static const struct snd_kcontrol_new dre_ctrl = + SOC_DAPM_SINGLE("Switch", CS35L41_PWR_CTRL3, 20, 1, 0); diff --git a/queue-6.4/clk-fix-slab-out-of-bounds-error-in-devm_clk_release.patch b/queue-6.4/clk-fix-slab-out-of-bounds-error-in-devm_clk_release.patch new file mode 100644 index 00000000000..842012c6942 --- /dev/null +++ b/queue-6.4/clk-fix-slab-out-of-bounds-error-in-devm_clk_release.patch @@ -0,0 +1,146 @@ +From 66fbfb35da47f391bdadf9fa7ceb88af4faa9022 Mon Sep 17 00:00:00 2001 +From: Andrey Skvortsov +Date: Sat, 5 Aug 2023 11:48:47 +0300 +Subject: clk: Fix slab-out-of-bounds error in devm_clk_release() + +From: Andrey Skvortsov + +commit 66fbfb35da47f391bdadf9fa7ceb88af4faa9022 upstream. + +Problem can be reproduced by unloading snd_soc_simple_card, because in +devm_get_clk_from_child() devres data is allocated as `struct clk`, but +devm_clk_release() expects devres data to be `struct devm_clk_state`. + +KASAN report: + ================================================================== + BUG: KASAN: slab-out-of-bounds in devm_clk_release+0x20/0x54 + Read of size 8 at addr ffffff800ee09688 by task (udev-worker)/287 + + Call trace: + dump_backtrace+0xe8/0x11c + show_stack+0x1c/0x30 + dump_stack_lvl+0x60/0x78 + print_report+0x150/0x450 + kasan_report+0xa8/0xf0 + __asan_load8+0x78/0xa0 + devm_clk_release+0x20/0x54 + release_nodes+0x84/0x120 + devres_release_all+0x144/0x210 + device_unbind_cleanup+0x1c/0xac + really_probe+0x2f0/0x5b0 + __driver_probe_device+0xc0/0x1f0 + driver_probe_device+0x68/0x120 + __driver_attach+0x140/0x294 + bus_for_each_dev+0xec/0x160 + driver_attach+0x38/0x44 + bus_add_driver+0x24c/0x300 + driver_register+0xf0/0x210 + __platform_driver_register+0x48/0x54 + asoc_simple_card_init+0x24/0x1000 [snd_soc_simple_card] + do_one_initcall+0xac/0x340 + do_init_module+0xd0/0x300 + load_module+0x2ba4/0x3100 + __do_sys_init_module+0x2c8/0x300 + __arm64_sys_init_module+0x48/0x5c + invoke_syscall+0x64/0x190 + el0_svc_common.constprop.0+0x124/0x154 + do_el0_svc+0x44/0xdc + el0_svc+0x14/0x50 + el0t_64_sync_handler+0xec/0x11c + el0t_64_sync+0x14c/0x150 + + Allocated by task 287: + kasan_save_stack+0x38/0x60 + kasan_set_track+0x28/0x40 + kasan_save_alloc_info+0x20/0x30 + __kasan_kmalloc+0xac/0xb0 + __kmalloc_node_track_caller+0x6c/0x1c4 + __devres_alloc_node+0x44/0xb4 + devm_get_clk_from_child+0x44/0xa0 + asoc_simple_parse_clk+0x1b8/0x1dc [snd_soc_simple_card_utils] + simple_parse_node.isra.0+0x1ec/0x230 [snd_soc_simple_card] + simple_dai_link_of+0x1bc/0x334 [snd_soc_simple_card] + __simple_for_each_link+0x2ec/0x320 [snd_soc_simple_card] + asoc_simple_probe+0x468/0x4dc [snd_soc_simple_card] + platform_probe+0x90/0xf0 + really_probe+0x118/0x5b0 + __driver_probe_device+0xc0/0x1f0 + driver_probe_device+0x68/0x120 + __driver_attach+0x140/0x294 + bus_for_each_dev+0xec/0x160 + driver_attach+0x38/0x44 + bus_add_driver+0x24c/0x300 + driver_register+0xf0/0x210 + __platform_driver_register+0x48/0x54 + asoc_simple_card_init+0x24/0x1000 [snd_soc_simple_card] + do_one_initcall+0xac/0x340 + do_init_module+0xd0/0x300 + load_module+0x2ba4/0x3100 + __do_sys_init_module+0x2c8/0x300 + __arm64_sys_init_module+0x48/0x5c + invoke_syscall+0x64/0x190 + el0_svc_common.constprop.0+0x124/0x154 + do_el0_svc+0x44/0xdc + el0_svc+0x14/0x50 + el0t_64_sync_handler+0xec/0x11c + el0t_64_sync+0x14c/0x150 + + The buggy address belongs to the object at ffffff800ee09600 + which belongs to the cache kmalloc-256 of size 256 + The buggy address is located 136 bytes inside of + 256-byte region [ffffff800ee09600, ffffff800ee09700) + + The buggy address belongs to the physical page: + page:000000002d97303b refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4ee08 + head:000000002d97303b order:1 compound_mapcount:0 compound_pincount:0 + flags: 0x10200(slab|head|zone=0) + raw: 0000000000010200 0000000000000000 dead000000000122 ffffff8002c02480 + raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 + page dumped because: kasan: bad access detected + + Memory state around the buggy address: + ffffff800ee09580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ffffff800ee09600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + >ffffff800ee09680: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ^ + ffffff800ee09700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ffffff800ee09780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ================================================================== + +Fixes: abae8e57e49a ("clk: generalize devm_clk_get() a bit") +Signed-off-by: Andrey Skvortsov +Link: https://lore.kernel.org/r/20230805084847.3110586-1-andrej.skvortzov@gmail.com +Signed-off-by: Stephen Boyd +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/clk-devres.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +--- a/drivers/clk/clk-devres.c ++++ b/drivers/clk/clk-devres.c +@@ -205,18 +205,19 @@ EXPORT_SYMBOL(devm_clk_put); + struct clk *devm_get_clk_from_child(struct device *dev, + struct device_node *np, const char *con_id) + { +- struct clk **ptr, *clk; ++ struct devm_clk_state *state; ++ struct clk *clk; + +- ptr = devres_alloc(devm_clk_release, sizeof(*ptr), GFP_KERNEL); +- if (!ptr) ++ state = devres_alloc(devm_clk_release, sizeof(*state), GFP_KERNEL); ++ if (!state) + return ERR_PTR(-ENOMEM); + + clk = of_clk_get_by_name(np, con_id); + if (!IS_ERR(clk)) { +- *ptr = clk; +- devres_add(dev, ptr); ++ state->clk = clk; ++ devres_add(dev, state); + } else { +- devres_free(ptr); ++ devres_free(state); + } + + return clk; diff --git a/queue-6.4/ibmveth-use-dcbf-rather-than-dcbfl.patch b/queue-6.4/ibmveth-use-dcbf-rather-than-dcbfl.patch new file mode 100644 index 00000000000..37976129fe0 --- /dev/null +++ b/queue-6.4/ibmveth-use-dcbf-rather-than-dcbfl.patch @@ -0,0 +1,34 @@ +From bfedba3b2c7793ce127680bc8f70711e05ec7a17 Mon Sep 17 00:00:00 2001 +From: Michael Ellerman +Date: Wed, 23 Aug 2023 14:51:39 +1000 +Subject: ibmveth: Use dcbf rather than dcbfl + +From: Michael Ellerman + +commit bfedba3b2c7793ce127680bc8f70711e05ec7a17 upstream. + +When building for power4, newer binutils don't recognise the "dcbfl" +extended mnemonic. + +dcbfl RA, RB is equivalent to dcbf RA, RB, 1. + +Switch to "dcbf" to avoid the build error. + +Signed-off-by: Michael Ellerman +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/ibm/ibmveth.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/ibm/ibmveth.c ++++ b/drivers/net/ethernet/ibm/ibmveth.c +@@ -203,7 +203,7 @@ static inline void ibmveth_flush_buffer( + unsigned long offset; + + for (offset = 0; offset < length; offset += SMP_CACHE_BYTES) +- asm("dcbfl %0,%1" :: "b" (addr), "r" (offset)); ++ asm("dcbf %0,%1,1" :: "b" (addr), "r" (offset)); + } + + /* replenish the buffers for a pool. note that we don't need to diff --git a/queue-6.4/mm-ima-kexec-of-use-memblock_free_late-from-ima_free_kexec_buffer.patch b/queue-6.4/mm-ima-kexec-of-use-memblock_free_late-from-ima_free_kexec_buffer.patch new file mode 100644 index 00000000000..9481eaa1dc5 --- /dev/null +++ b/queue-6.4/mm-ima-kexec-of-use-memblock_free_late-from-ima_free_kexec_buffer.patch @@ -0,0 +1,42 @@ +From f0362a253606e2031f8d61c74195d4d6556e12a4 Mon Sep 17 00:00:00 2001 +From: Rik van Riel +Date: Thu, 17 Aug 2023 13:57:59 -0400 +Subject: mm,ima,kexec,of: use memblock_free_late from ima_free_kexec_buffer + +From: Rik van Riel + +commit f0362a253606e2031f8d61c74195d4d6556e12a4 upstream. + +The code calling ima_free_kexec_buffer runs long after the memblock +allocator has already been torn down, potentially resulting in a use +after free in memblock_isolate_range. + +With KASAN or KFENCE, this use after free will result in a BUG +from the idle task, and a subsequent kernel panic. + +Switch ima_free_kexec_buffer over to memblock_free_late to avoid +that issue. + +Fixes: fee3ff99bc67 ("powerpc: Move arch independent ima kexec functions to drivers/of/kexec.c") +Cc: stable@kernel.org +Signed-off-by: Rik van Riel +Suggested-by: Mike Rappoport +Link: https://lore.kernel.org/r/20230817135759.0888e5ef@imladris.surriel.com +Signed-off-by: Rob Herring +Signed-off-by: Greg Kroah-Hartman +--- + drivers/of/kexec.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/of/kexec.c ++++ b/drivers/of/kexec.c +@@ -184,7 +184,8 @@ int __init ima_free_kexec_buffer(void) + if (ret) + return ret; + +- return memblock_phys_free(addr, size); ++ memblock_free_late(addr, size); ++ return 0; + } + #endif + diff --git a/queue-6.4/nfsv4-fix-dropped-lock-for-racing-open-and-delegation-return.patch b/queue-6.4/nfsv4-fix-dropped-lock-for-racing-open-and-delegation-return.patch new file mode 100644 index 00000000000..83156f082d5 --- /dev/null +++ b/queue-6.4/nfsv4-fix-dropped-lock-for-racing-open-and-delegation-return.patch @@ -0,0 +1,54 @@ +From 1cbc11aaa01f80577b67ae02c73ee781112125fd Mon Sep 17 00:00:00 2001 +From: Benjamin Coddington +Date: Fri, 30 Jun 2023 09:18:13 -0400 +Subject: NFSv4: Fix dropped lock for racing OPEN and delegation return + +From: Benjamin Coddington + +commit 1cbc11aaa01f80577b67ae02c73ee781112125fd upstream. + +Commmit f5ea16137a3f ("NFSv4: Retry LOCK on OLD_STATEID during delegation +return") attempted to solve this problem by using nfs4's generic async error +handling, but introduced a regression where v4.0 lock recovery would hang. +The additional complexity introduced by overloading that error handling is +not necessary for this case. This patch expects that commit to be +reverted. + +The problem as originally explained in the above commit is: + + There's a small window where a LOCK sent during a delegation return can + race with another OPEN on client, but the open stateid has not yet been + updated. In this case, the client doesn't handle the OLD_STATEID error + from the server and will lose this lock, emitting: + "NFS: nfs4_handle_delegation_recall_error: unhandled error -10024". + +Fix this by using the old_stateid refresh helpers if the server replies +with OLD_STATEID. + +Suggested-by: Trond Myklebust +Signed-off-by: Benjamin Coddington +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfs/nfs4proc.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -7180,8 +7180,15 @@ static void nfs4_lock_done(struct rpc_ta + } else if (!nfs4_update_lock_stateid(lsp, &data->res.stateid)) + goto out_restart; + break; +- case -NFS4ERR_BAD_STATEID: + case -NFS4ERR_OLD_STATEID: ++ if (data->arg.new_lock_owner != 0 && ++ nfs4_refresh_open_old_stateid(&data->arg.open_stateid, ++ lsp->ls_state)) ++ goto out_restart; ++ if (nfs4_refresh_lock_old_stateid(&data->arg.lock_stateid, lsp)) ++ goto out_restart; ++ fallthrough; ++ case -NFS4ERR_BAD_STATEID: + case -NFS4ERR_STALE_STATEID: + case -NFS4ERR_EXPIRED: + if (data->arg.new_lock_owner != 0) { diff --git a/queue-6.4/platform-x86-ideapad-laptop-add-support-for-new-hotkeys-found-on-thinkbook-14s-yoga-itl.patch b/queue-6.4/platform-x86-ideapad-laptop-add-support-for-new-hotkeys-found-on-thinkbook-14s-yoga-itl.patch new file mode 100644 index 00000000000..a53dc5c61dd --- /dev/null +++ b/queue-6.4/platform-x86-ideapad-laptop-add-support-for-new-hotkeys-found-on-thinkbook-14s-yoga-itl.patch @@ -0,0 +1,48 @@ +From a260f7d726fde52c0278bd3fa085a758639bcee2 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Andr=C3=A9=20Apitzsch?= +Date: Sat, 19 Aug 2023 09:12:15 +0200 +Subject: platform/x86: ideapad-laptop: Add support for new hotkeys found on ThinkBook 14s Yoga ITL +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: André Apitzsch + +commit a260f7d726fde52c0278bd3fa085a758639bcee2 upstream. + +The Lenovo Thinkbook 14s Yoga ITL has 4 new symbols/shortcuts on their +F9-F11 and PrtSc keys: + +F9: Has a symbol of a head with a headset, the manual says "Service key" +F10: Has a symbol of a telephone horn which has been picked up from the + receiver, the manual says: "Answer incoming calls" +F11: Has a symbol of a telephone horn which is resting on the receiver, + the manual says: "Reject incoming calls" +PrtSc: Has a symbol of a siccor and a dashed ellipse, the manual says: + "Open the Windows 'Snipping' Tool app" + +This commit adds support for these 4 new hkey events. + +Signed-off-by: André Apitzsch +Link: https://lore.kernel.org/r/20230819-lenovo_keys-v1-1-9d34eac88e0a@apitzsch.eu +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Greg Kroah-Hartman +--- + drivers/platform/x86/ideapad-laptop.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/platform/x86/ideapad-laptop.c ++++ b/drivers/platform/x86/ideapad-laptop.c +@@ -1049,6 +1049,11 @@ static const struct key_entry ideapad_ke + { KE_IGNORE, 0x03 | IDEAPAD_WMI_KEY }, + /* Customizable Lenovo Hotkey ("star" with 'S' inside) */ + { KE_KEY, 0x01 | IDEAPAD_WMI_KEY, { KEY_FAVORITES } }, ++ { KE_KEY, 0x04 | IDEAPAD_WMI_KEY, { KEY_SELECTIVE_SCREENSHOT } }, ++ /* Lenovo Support */ ++ { KE_KEY, 0x07 | IDEAPAD_WMI_KEY, { KEY_HELP } }, ++ { KE_KEY, 0x0e | IDEAPAD_WMI_KEY, { KEY_PICKUP_PHONE } }, ++ { KE_KEY, 0x0f | IDEAPAD_WMI_KEY, { KEY_HANGUP_PHONE } }, + /* Dark mode toggle */ + { KE_KEY, 0x13 | IDEAPAD_WMI_KEY, { KEY_PROG1 } }, + /* Sound profile switch */ diff --git a/queue-6.4/platform-x86-lenovo-ymc-add-lenovo-yoga-7-14acn6-to-ec_trigger_quirk_dmi_table.patch b/queue-6.4/platform-x86-lenovo-ymc-add-lenovo-yoga-7-14acn6-to-ec_trigger_quirk_dmi_table.patch new file mode 100644 index 00000000000..9410ef28580 --- /dev/null +++ b/queue-6.4/platform-x86-lenovo-ymc-add-lenovo-yoga-7-14acn6-to-ec_trigger_quirk_dmi_table.patch @@ -0,0 +1,43 @@ +From db35610a181c18f7a521a2e157f7acdef7ce425f Mon Sep 17 00:00:00 2001 +From: Swapnil Devesh +Date: Fri, 18 Aug 2023 18:09:47 +0530 +Subject: platform/x86: lenovo-ymc: Add Lenovo Yoga 7 14ACN6 to ec_trigger_quirk_dmi_table +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Swapnil Devesh + +commit db35610a181c18f7a521a2e157f7acdef7ce425f upstream. + +This adds my laptop Lenovo Yoga 7 14ACN6, with Product Name: 82N7 +(from `dmidecode -t1 | grep "Product Name"`) to +the ec_trigger_quirk_dmi_table, have tested that this is required +for the YMC driver to work correctly on this model. + +Signed-off-by: Swapnil Devesh +Reviewed-by: Gergő Köteles +Link: https://lore.kernel.org/r/18a08a8b173.895ef3b250414.1213194126082324071@sidevesh.com +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Greg Kroah-Hartman +--- + drivers/platform/x86/lenovo-ymc.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/platform/x86/lenovo-ymc.c ++++ b/drivers/platform/x86/lenovo-ymc.c +@@ -36,6 +36,13 @@ static const struct dmi_system_id ec_tri + DMI_MATCH(DMI_PRODUCT_NAME, "82QF"), + }, + }, ++ { ++ /* Lenovo Yoga 7 14ACN6 */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "82N7"), ++ }, ++ }, + { } + }; + diff --git a/queue-6.4/series b/queue-6.4/series index 2e99b1bf125..48601131af6 100644 --- a/queue-6.4/series +++ b/queue-6.4/series @@ -48,3 +48,14 @@ netfilter-nf_tables-fix-out-of-memory-error-handling.patch netfilter-nf_tables-defer-gc-run-if-previous-batch-i.patch rtnetlink-reject-negative-ifindexes-in-rtm_newlink.patch bonding-fix-macvlan-over-alb-bond-support.patch +asoc-amd-yc-add-vivobook-pro-15-to-quirks-list-for-acp6x.patch +asoc-cs35l41-correct-amp_gain_tlv-values.patch +spi-spi-cadence-fix-data-corruption-issues-in-slave-mode.patch +ibmveth-use-dcbf-rather-than-dcbfl.patch +wifi-mac80211-limit-reorder_buf_filtered-to-avoid-ubsan-warning.patch +platform-x86-lenovo-ymc-add-lenovo-yoga-7-14acn6-to-ec_trigger_quirk_dmi_table.patch +platform-x86-ideapad-laptop-add-support-for-new-hotkeys-found-on-thinkbook-14s-yoga-itl.patch +nfsv4-fix-dropped-lock-for-racing-open-and-delegation-return.patch +clk-fix-slab-out-of-bounds-error-in-devm_clk_release.patch +mm-ima-kexec-of-use-memblock_free_late-from-ima_free_kexec_buffer.patch +shmem-fix-smaps-bug-sleeping-while-atomic.patch diff --git a/queue-6.4/shmem-fix-smaps-bug-sleeping-while-atomic.patch b/queue-6.4/shmem-fix-smaps-bug-sleeping-while-atomic.patch new file mode 100644 index 00000000000..58480b7df96 --- /dev/null +++ b/queue-6.4/shmem-fix-smaps-bug-sleeping-while-atomic.patch @@ -0,0 +1,49 @@ +From e5548f85b4527c4c803b7eae7887c10bf8f90c97 Mon Sep 17 00:00:00 2001 +From: Hugh Dickins +Date: Tue, 22 Aug 2023 22:14:47 -0700 +Subject: shmem: fix smaps BUG sleeping while atomic + +From: Hugh Dickins + +commit e5548f85b4527c4c803b7eae7887c10bf8f90c97 upstream. + +smaps_pte_hole_lookup() is calling shmem_partial_swap_usage() with page +table lock held: but shmem_partial_swap_usage() does cond_resched_rcu() if +need_resched(): "BUG: sleeping function called from invalid context". + +Since shmem_partial_swap_usage() is designed to count across a range, but +smaps_pte_hole_lookup() only calls it for a single page slot, just break +out of the loop on the last or only page, before checking need_resched(). + +Link: https://lkml.kernel.org/r/6fe3b3ec-abdf-332f-5c23-6a3b3a3b11a9@google.com +Fixes: 230100321518 ("mm/smaps: simplify shmem handling of pte holes") +Signed-off-by: Hugh Dickins +Acked-by: Peter Xu +Cc: [5.16+] +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/shmem.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/mm/shmem.c ++++ b/mm/shmem.c +@@ -806,14 +806,16 @@ unsigned long shmem_partial_swap_usage(s + XA_STATE(xas, &mapping->i_pages, start); + struct page *page; + unsigned long swapped = 0; ++ unsigned long max = end - 1; + + rcu_read_lock(); +- xas_for_each(&xas, page, end - 1) { ++ xas_for_each(&xas, page, max) { + if (xas_retry(&xas, page)) + continue; + if (xa_is_value(page)) + swapped++; +- ++ if (xas.xa_index == max) ++ break; + if (need_resched()) { + xas_pause(&xas); + cond_resched_rcu(); diff --git a/queue-6.4/spi-spi-cadence-fix-data-corruption-issues-in-slave-mode.patch b/queue-6.4/spi-spi-cadence-fix-data-corruption-issues-in-slave-mode.patch new file mode 100644 index 00000000000..cabd7195651 --- /dev/null +++ b/queue-6.4/spi-spi-cadence-fix-data-corruption-issues-in-slave-mode.patch @@ -0,0 +1,74 @@ +From 627d05a41ca1fbb9d390f9513af262f001f261f7 Mon Sep 17 00:00:00 2001 +From: Srinivas Goud +Date: Mon, 21 Aug 2023 15:00:16 +0530 +Subject: spi: spi-cadence: Fix data corruption issues in slave mode + +From: Srinivas Goud + +commit 627d05a41ca1fbb9d390f9513af262f001f261f7 upstream. + +Remove 10us delay in cdns_spi_process_fifo() (called from cdns_spi_irq()) +to fix data corruption issue on Master side when this driver +configured in Slave mode, as Slave is failed to prepare the date +on time due to above delay. + +Add 10us delay before processing the RX FIFO as TX empty doesn't +guarantee valid data in RX FIFO. + +Signed-off-by: Srinivas Goud +Reviewed-by: Charles Keepax +Tested-by: Charles Keepax +Link: https://lore.kernel.org/r/1692610216-217644-1-git-send-email-srinivas.goud@amd.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-cadence.c | 19 ++++++++++++------- + 1 file changed, 12 insertions(+), 7 deletions(-) + +--- a/drivers/spi/spi-cadence.c ++++ b/drivers/spi/spi-cadence.c +@@ -316,12 +316,6 @@ static void cdns_spi_process_fifo(struct + xspi->rx_bytes -= nrx; + + while (ntx || nrx) { +- /* When xspi in busy condition, bytes may send failed, +- * then spi control did't work thoroughly, add one byte delay +- */ +- if (cdns_spi_read(xspi, CDNS_SPI_ISR) & CDNS_SPI_IXR_TXFULL) +- udelay(10); +- + if (ntx) { + if (xspi->txbuf) + cdns_spi_write(xspi, CDNS_SPI_TXD, *xspi->txbuf++); +@@ -391,6 +385,11 @@ static irqreturn_t cdns_spi_irq(int irq, + if (xspi->tx_bytes) { + cdns_spi_process_fifo(xspi, trans_cnt, trans_cnt); + } else { ++ /* Fixed delay due to controller limitation with ++ * RX_NEMPTY incorrect status ++ * Xilinx AR:65885 contains more details ++ */ ++ udelay(10); + cdns_spi_process_fifo(xspi, 0, trans_cnt); + cdns_spi_write(xspi, CDNS_SPI_IDR, + CDNS_SPI_IXR_DEFAULT); +@@ -438,12 +437,18 @@ static int cdns_transfer_one(struct spi_ + cdns_spi_setup_transfer(spi, transfer); + } else { + /* Set TX empty threshold to half of FIFO depth +- * only if TX bytes are more than half FIFO depth. ++ * only if TX bytes are more than FIFO depth. + */ + if (xspi->tx_bytes > xspi->tx_fifo_depth) + cdns_spi_write(xspi, CDNS_SPI_THLD, xspi->tx_fifo_depth >> 1); + } + ++ /* When xspi in busy condition, bytes may send failed, ++ * then spi control didn't work thoroughly, add one byte delay ++ */ ++ if (cdns_spi_read(xspi, CDNS_SPI_ISR) & CDNS_SPI_IXR_TXFULL) ++ udelay(10); ++ + cdns_spi_process_fifo(xspi, xspi->tx_fifo_depth, 0); + spi_transfer_delay_exec(transfer); + diff --git a/queue-6.4/wifi-mac80211-limit-reorder_buf_filtered-to-avoid-ubsan-warning.patch b/queue-6.4/wifi-mac80211-limit-reorder_buf_filtered-to-avoid-ubsan-warning.patch new file mode 100644 index 00000000000..78fc0a825eb --- /dev/null +++ b/queue-6.4/wifi-mac80211-limit-reorder_buf_filtered-to-avoid-ubsan-warning.patch @@ -0,0 +1,97 @@ +From b98c16107cc1647242abbd11f234c05a3a5864f6 Mon Sep 17 00:00:00 2001 +From: Ping-Ke Shih +Date: Fri, 18 Aug 2023 09:40:04 +0800 +Subject: wifi: mac80211: limit reorder_buf_filtered to avoid UBSAN warning + +From: Ping-Ke Shih + +commit b98c16107cc1647242abbd11f234c05a3a5864f6 upstream. + +The commit 06470f7468c8 ("mac80211: add API to allow filtering frames in BA sessions") +added reorder_buf_filtered to mark frames filtered by firmware, and it +can only work correctly if hw.max_rx_aggregation_subframes <= 64 since +it stores the bitmap in a u64 variable. + +However, new HE or EHT devices can support BlockAck number up to 256 or +1024, and then using a higher subframe index leads UBSAN warning: + + UBSAN: shift-out-of-bounds in net/mac80211/rx.c:1129:39 + shift exponent 215 is too large for 64-bit type 'long long unsigned int' + Call Trace: + + dump_stack_lvl+0x48/0x70 + dump_stack+0x10/0x20 + __ubsan_handle_shift_out_of_bounds+0x1ac/0x360 + ieee80211_release_reorder_frame.constprop.0.cold+0x64/0x69 [mac80211] + ieee80211_sta_reorder_release+0x9c/0x400 [mac80211] + ieee80211_prepare_and_rx_handle+0x1234/0x1420 [mac80211] + ieee80211_rx_list+0xaef/0xf60 [mac80211] + ieee80211_rx_napi+0x53/0xd0 [mac80211] + +Since only old hardware that supports <=64 BlockAck uses +ieee80211_mark_rx_ba_filtered_frames(), limit the use as it is, so add a +WARN_ONCE() and comment to note to avoid using this function if hardware +capability is not suitable. + +Signed-off-by: Ping-Ke Shih +Link: https://lore.kernel.org/r/20230818014004.16177-1-pkshih@realtek.com +[edit commit message] +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + include/net/mac80211.h | 1 + + net/mac80211/rx.c | 12 ++++++++++-- + 2 files changed, 11 insertions(+), 2 deletions(-) + +--- a/include/net/mac80211.h ++++ b/include/net/mac80211.h +@@ -6578,6 +6578,7 @@ void ieee80211_stop_rx_ba_session(struct + * marks frames marked in the bitmap as having been filtered. Afterwards, it + * checks if any frames in the window starting from @ssn can now be released + * (in case they were only waiting for frames that were filtered.) ++ * (Only work correctly if @max_rx_aggregation_subframes <= 64 frames) + */ + void ieee80211_mark_rx_ba_filtered_frames(struct ieee80211_sta *pubsta, u8 tid, + u16 ssn, u64 filtered, +--- a/net/mac80211/rx.c ++++ b/net/mac80211/rx.c +@@ -1083,7 +1083,8 @@ static inline bool ieee80211_rx_reorder_ + struct sk_buff *tail = skb_peek_tail(frames); + struct ieee80211_rx_status *status; + +- if (tid_agg_rx->reorder_buf_filtered & BIT_ULL(index)) ++ if (tid_agg_rx->reorder_buf_filtered && ++ tid_agg_rx->reorder_buf_filtered & BIT_ULL(index)) + return true; + + if (!tail) +@@ -1124,7 +1125,8 @@ static void ieee80211_release_reorder_fr + } + + no_frame: +- tid_agg_rx->reorder_buf_filtered &= ~BIT_ULL(index); ++ if (tid_agg_rx->reorder_buf_filtered) ++ tid_agg_rx->reorder_buf_filtered &= ~BIT_ULL(index); + tid_agg_rx->head_seq_num = ieee80211_sn_inc(tid_agg_rx->head_seq_num); + } + +@@ -4245,6 +4247,7 @@ void ieee80211_mark_rx_ba_filtered_frame + u16 ssn, u64 filtered, + u16 received_mpdus) + { ++ struct ieee80211_local *local; + struct sta_info *sta; + struct tid_ampdu_rx *tid_agg_rx; + struct sk_buff_head frames; +@@ -4262,6 +4265,11 @@ void ieee80211_mark_rx_ba_filtered_frame + + sta = container_of(pubsta, struct sta_info, sta); + ++ local = sta->sdata->local; ++ WARN_ONCE(local->hw.max_rx_aggregation_subframes > 64, ++ "RX BA marker can't support max_rx_aggregation_subframes %u > 64\n", ++ local->hw.max_rx_aggregation_subframes); ++ + if (!ieee80211_rx_data_set_sta(&rx, sta, -1)) + return; +