From: Sasha Levin Date: Sat, 8 Feb 2025 16:15:27 +0000 (-0500) Subject: Fixes for 5.15 X-Git-Tag: v6.6.77~42 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=536a6f5016798c5f2c113e8473f8ea764362cbde;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.15 Signed-off-by: Sasha Levin --- diff --git a/queue-5.15/apei-ghes-have-ghes-honor-the-panic-setting.patch b/queue-5.15/apei-ghes-have-ghes-honor-the-panic-setting.patch new file mode 100644 index 0000000000..069d4d3851 --- /dev/null +++ b/queue-5.15/apei-ghes-have-ghes-honor-the-panic-setting.patch @@ -0,0 +1,72 @@ +From 0dfcb4d023ff365cca8888ec0d015654d6c3a368 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Jan 2025 13:52:24 +0100 +Subject: APEI: GHES: Have GHES honor the panic= setting + +From: Borislav Petkov + +[ Upstream commit 5c0e00a391dd0099fe95991bb2f962848d851916 ] + +The GHES driver overrides the panic= setting by force-rebooting the +system after a fatal hw error has been reported. The intent being that +such an error would be reported earlier. + +However, this is not optimal when a hard-to-debug issue requires long +time to reproduce and when that happens, the box will get rebooted after +30 seconds and thus destroy the whole hw context of when the error +happened. + +So rip out the default GHES panic timeout and honor the global one. + +In the panic disabled (panic=0) case, the error will still be logged to +dmesg for later inspection and if panic after a hw error is really +required, then that can be controlled the usual way - use panic= on the +cmdline or set it in the kernel .config's CONFIG_PANIC_TIMEOUT. + +Reported-by: Feng Tang +Signed-off-by: Borislav Petkov (AMD) +Reviewed-by: Feng Tang +Reviewed-by: Ira Weiny +Link: https://patch.msgid.link/20250113125224.GFZ4UMiNtWIJvgpveU@fat_crate.local +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/apei/ghes.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/acpi/apei/ghes.c b/drivers/acpi/apei/ghes.c +index 160606af8b4f5..a6c8514110736 100644 +--- a/drivers/acpi/apei/ghes.c ++++ b/drivers/acpi/apei/ghes.c +@@ -155,8 +155,6 @@ static unsigned long ghes_estatus_pool_size_request; + static struct ghes_estatus_cache *ghes_estatus_caches[GHES_ESTATUS_CACHES_SIZE]; + static atomic_t ghes_estatus_cache_alloced; + +-static int ghes_panic_timeout __read_mostly = 30; +- + static void __iomem *ghes_map(u64 pfn, enum fixed_addresses fixmap_idx) + { + phys_addr_t paddr; +@@ -858,14 +856,16 @@ static void __ghes_panic(struct ghes *ghes, + struct acpi_hest_generic_status *estatus, + u64 buf_paddr, enum fixed_addresses fixmap_idx) + { ++ const char *msg = GHES_PFX "Fatal hardware error"; ++ + __ghes_print_estatus(KERN_EMERG, ghes->generic, estatus); + + ghes_clear_estatus(ghes, estatus, buf_paddr, fixmap_idx); + +- /* reboot to log the error! */ + if (!panic_timeout) +- panic_timeout = ghes_panic_timeout; +- panic("Fatal hardware error!"); ++ pr_emerg("%s but panic disabled\n", msg); ++ ++ panic(msg); + } + + static int ghes_proc(struct ghes *ghes) +-- +2.39.5 + diff --git a/queue-5.15/btrfs-convert-bug_on-in-btrfs_reloc_cow_block-to-pro.patch b/queue-5.15/btrfs-convert-bug_on-in-btrfs_reloc_cow_block-to-pro.patch new file mode 100644 index 0000000000..c7601a6316 --- /dev/null +++ b/queue-5.15/btrfs-convert-bug_on-in-btrfs_reloc_cow_block-to-pro.patch @@ -0,0 +1,51 @@ +From 538717347d3e1c91334435c985af9b72b5beda5d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Oct 2024 11:43:03 -0400 +Subject: btrfs: convert BUG_ON in btrfs_reloc_cow_block() to proper error + handling + +From: Josef Bacik + +[ Upstream commit 6a4730b325aaa48f7a5d5ba97aff0a955e2d9cec ] + +This BUG_ON is meant to catch backref cache problems, but these can +arise from either bugs in the backref cache or corruption in the extent +tree. Fix it to be a proper error. + +Reviewed-by: Boris Burkov +Signed-off-by: Josef Bacik +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/relocation.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/fs/btrfs/relocation.c b/fs/btrfs/relocation.c +index 87f302a413f9a..887ae4a9c50c3 100644 +--- a/fs/btrfs/relocation.c ++++ b/fs/btrfs/relocation.c +@@ -4414,8 +4414,18 @@ int btrfs_reloc_cow_block(struct btrfs_trans_handle *trans, + WARN_ON(!first_cow && level == 0); + + node = rc->backref_cache.path[level]; +- BUG_ON(node->bytenr != buf->start && +- node->new_bytenr != buf->start); ++ ++ /* ++ * If node->bytenr != buf->start and node->new_bytenr != ++ * buf->start then we've got the wrong backref node for what we ++ * expected to see here and the cache is incorrect. ++ */ ++ if (unlikely(node->bytenr != buf->start && node->new_bytenr != buf->start)) { ++ btrfs_err(fs_info, ++"bytenr %llu was found but our backref cache was expecting %llu or %llu", ++ buf->start, node->bytenr, node->new_bytenr); ++ return -EUCLEAN; ++ } + + btrfs_backref_drop_node_buffer(node); + atomic_inc(&cow->refs); +-- +2.39.5 + diff --git a/queue-5.15/btrfs-fix-data-race-when-accessing-the-inode-s-disk_.patch b/queue-5.15/btrfs-fix-data-race-when-accessing-the-inode-s-disk_.patch new file mode 100644 index 0000000000..9178260369 --- /dev/null +++ b/queue-5.15/btrfs-fix-data-race-when-accessing-the-inode-s-disk_.patch @@ -0,0 +1,85 @@ +From 7014960f166d55ecbe5f4e1e2bb4397f27e36c7c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Dec 2024 15:56:51 +0800 +Subject: btrfs: fix data race when accessing the inode's disk_i_size at + btrfs_drop_extents() + +From: Hao-ran Zheng + +[ Upstream commit 5324c4e10e9c2ce307a037e904c0d9671d7137d9 ] + +A data race occurs when the function `insert_ordered_extent_file_extent()` +and the function `btrfs_inode_safe_disk_i_size_write()` are executed +concurrently. The function `insert_ordered_extent_file_extent()` is not +locked when reading inode->disk_i_size, causing +`btrfs_inode_safe_disk_i_size_write()` to cause data competition when +writing inode->disk_i_size, thus affecting the value of `modify_tree`. + +The specific call stack that appears during testing is as follows: + + ============DATA_RACE============ + btrfs_drop_extents+0x89a/0xa060 [btrfs] + insert_reserved_file_extent+0xb54/0x2960 [btrfs] + insert_ordered_extent_file_extent+0xff5/0x1760 [btrfs] + btrfs_finish_one_ordered+0x1b85/0x36a0 [btrfs] + btrfs_finish_ordered_io+0x37/0x60 [btrfs] + finish_ordered_fn+0x3e/0x50 [btrfs] + btrfs_work_helper+0x9c9/0x27a0 [btrfs] + process_scheduled_works+0x716/0xf10 + worker_thread+0xb6a/0x1190 + kthread+0x292/0x330 + ret_from_fork+0x4d/0x80 + ret_from_fork_asm+0x1a/0x30 + ============OTHER_INFO============ + btrfs_inode_safe_disk_i_size_write+0x4ec/0x600 [btrfs] + btrfs_finish_one_ordered+0x24c7/0x36a0 [btrfs] + btrfs_finish_ordered_io+0x37/0x60 [btrfs] + finish_ordered_fn+0x3e/0x50 [btrfs] + btrfs_work_helper+0x9c9/0x27a0 [btrfs] + process_scheduled_works+0x716/0xf10 + worker_thread+0xb6a/0x1190 + kthread+0x292/0x330 + ret_from_fork+0x4d/0x80 + ret_from_fork_asm+0x1a/0x30 + ================================= + +The main purpose of the check of the inode's disk_i_size is to avoid +taking write locks on a btree path when we have a write at or beyond +EOF, since in these cases we don't expect to find extent items in the +root to drop. However if we end up taking write locks due to a data +race on disk_i_size, everything is still correct, we only add extra +lock contention on the tree in case there's concurrency from other tasks. +If the race causes us to not take write locks when we actually need them, +then everything is functionally correct as well, since if we find out we +have extent items to drop and we took read locks (modify_tree set to 0), +we release the path and retry again with write locks. + +Since this data race does not affect the correctness of the function, +it is a harmless data race, use data_race() to check inode->disk_i_size. + +Reviewed-by: Filipe Manana +Signed-off-by: Hao-ran Zheng +Signed-off-by: Filipe Manana +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/file.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/btrfs/file.c b/fs/btrfs/file.c +index 44160d4ad53e0..31b25cb2f5cc3 100644 +--- a/fs/btrfs/file.c ++++ b/fs/btrfs/file.c +@@ -731,7 +731,7 @@ int btrfs_drop_extents(struct btrfs_trans_handle *trans, + if (args->drop_cache) + btrfs_drop_extent_cache(inode, args->start, args->end - 1, 0); + +- if (args->start >= inode->disk_i_size && !args->replace_extent) ++ if (data_race(args->start >= inode->disk_i_size) && !args->replace_extent) + modify_tree = 0; + + update_refs = (root->root_key.objectid != BTRFS_TREE_LOG_OBJECTID); +-- +2.39.5 + diff --git a/queue-5.15/btrfs-fix-use-after-free-when-attempting-to-join-an-.patch b/queue-5.15/btrfs-fix-use-after-free-when-attempting-to-join-an-.patch new file mode 100644 index 0000000000..856dd85fb0 --- /dev/null +++ b/queue-5.15/btrfs-fix-use-after-free-when-attempting-to-join-an-.patch @@ -0,0 +1,212 @@ +From dc6da1e90221aae05c1901248a6fa54cc1927241 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Jan 2025 17:26:10 +0000 +Subject: btrfs: fix use-after-free when attempting to join an aborted + transaction + +From: Filipe Manana + +[ Upstream commit e2f0943cf37305dbdeaf9846e3c941451bcdef63 ] + +When we are trying to join the current transaction and if it's aborted, +we read its 'aborted' field after unlocking fs_info->trans_lock and +without holding any extra reference count on it. This means that a +concurrent task that is aborting the transaction may free the transaction +before we read its 'aborted' field, leading to a use-after-free. + +Fix this by reading the 'aborted' field while holding fs_info->trans_lock +since any freeing task must first acquire that lock and set +fs_info->running_transaction to NULL before freeing the transaction. + +This was reported by syzbot and Dmitry with the following stack traces +from KASAN: + + ================================================================== + BUG: KASAN: slab-use-after-free in join_transaction+0xd9b/0xda0 fs/btrfs/transaction.c:278 + Read of size 4 at addr ffff888011839024 by task kworker/u4:9/1128 + + CPU: 0 UID: 0 PID: 1128 Comm: kworker/u4:9 Not tainted 6.13.0-rc7-syzkaller-00019-gc45323b7560e #0 + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 + Workqueue: events_unbound btrfs_async_reclaim_data_space + Call Trace: + + __dump_stack lib/dump_stack.c:94 [inline] + dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 + print_address_description mm/kasan/report.c:378 [inline] + print_report+0x169/0x550 mm/kasan/report.c:489 + kasan_report+0x143/0x180 mm/kasan/report.c:602 + join_transaction+0xd9b/0xda0 fs/btrfs/transaction.c:278 + start_transaction+0xaf8/0x1670 fs/btrfs/transaction.c:697 + flush_space+0x448/0xcf0 fs/btrfs/space-info.c:803 + btrfs_async_reclaim_data_space+0x159/0x510 fs/btrfs/space-info.c:1321 + process_one_work kernel/workqueue.c:3236 [inline] + process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3317 + worker_thread+0x870/0xd30 kernel/workqueue.c:3398 + kthread+0x2f0/0x390 kernel/kthread.c:389 + ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 + + + Allocated by task 5315: + kasan_save_stack mm/kasan/common.c:47 [inline] + kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 + poison_kmalloc_redzone mm/kasan/common.c:377 [inline] + __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394 + kasan_kmalloc include/linux/kasan.h:260 [inline] + __kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4329 + kmalloc_noprof include/linux/slab.h:901 [inline] + join_transaction+0x144/0xda0 fs/btrfs/transaction.c:308 + start_transaction+0xaf8/0x1670 fs/btrfs/transaction.c:697 + btrfs_create_common+0x1b2/0x2e0 fs/btrfs/inode.c:6572 + lookup_open fs/namei.c:3649 [inline] + open_last_lookups fs/namei.c:3748 [inline] + path_openat+0x1c03/0x3590 fs/namei.c:3984 + do_filp_open+0x27f/0x4e0 fs/namei.c:4014 + do_sys_openat2+0x13e/0x1d0 fs/open.c:1402 + do_sys_open fs/open.c:1417 [inline] + __do_sys_creat fs/open.c:1495 [inline] + __se_sys_creat fs/open.c:1489 [inline] + __x64_sys_creat+0x123/0x170 fs/open.c:1489 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + + Freed by task 5336: + kasan_save_stack mm/kasan/common.c:47 [inline] + kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 + kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582 + poison_slab_object mm/kasan/common.c:247 [inline] + __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264 + kasan_slab_free include/linux/kasan.h:233 [inline] + slab_free_hook mm/slub.c:2353 [inline] + slab_free mm/slub.c:4613 [inline] + kfree+0x196/0x430 mm/slub.c:4761 + cleanup_transaction fs/btrfs/transaction.c:2063 [inline] + btrfs_commit_transaction+0x2c97/0x3720 fs/btrfs/transaction.c:2598 + insert_balance_item+0x1284/0x20b0 fs/btrfs/volumes.c:3757 + btrfs_balance+0x992/0x10c0 fs/btrfs/volumes.c:4633 + btrfs_ioctl_balance+0x493/0x7c0 fs/btrfs/ioctl.c:3670 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:906 [inline] + __se_sys_ioctl+0xf5/0x170 fs/ioctl.c:892 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + + The buggy address belongs to the object at ffff888011839000 + which belongs to the cache kmalloc-2k of size 2048 + The buggy address is located 36 bytes inside of + freed 2048-byte region [ffff888011839000, ffff888011839800) + + The buggy address belongs to the physical page: + page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11838 + head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 + flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff) + page_type: f5(slab) + raw: 00fff00000000040 ffff88801ac42000 ffffea0000493400 dead000000000002 + raw: 0000000000000000 0000000000080008 00000001f5000000 0000000000000000 + head: 00fff00000000040 ffff88801ac42000 ffffea0000493400 dead000000000002 + head: 0000000000000000 0000000000080008 00000001f5000000 0000000000000000 + head: 00fff00000000003 ffffea0000460e01 ffffffffffffffff 0000000000000000 + head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000 + page dumped because: kasan: bad access detected + page_owner tracks the page as allocated + page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 57, tgid 57 (kworker/0:2), ts 67248182943, free_ts 67229742023 + set_page_owner include/linux/page_owner.h:32 [inline] + post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1558 + prep_new_page mm/page_alloc.c:1566 [inline] + get_page_from_freelist+0x365c/0x37a0 mm/page_alloc.c:3476 + __alloc_pages_noprof+0x292/0x710 mm/page_alloc.c:4753 + alloc_pages_mpol_noprof+0x3e1/0x780 mm/mempolicy.c:2269 + alloc_slab_page+0x6a/0x110 mm/slub.c:2423 + allocate_slab+0x5a/0x2b0 mm/slub.c:2589 + new_slab mm/slub.c:2642 [inline] + ___slab_alloc+0xc27/0x14a0 mm/slub.c:3830 + __slab_alloc+0x58/0xa0 mm/slub.c:3920 + __slab_alloc_node mm/slub.c:3995 [inline] + slab_alloc_node mm/slub.c:4156 [inline] + __do_kmalloc_node mm/slub.c:4297 [inline] + __kmalloc_node_track_caller_noprof+0x2e9/0x4c0 mm/slub.c:4317 + kmalloc_reserve+0x111/0x2a0 net/core/skbuff.c:609 + __alloc_skb+0x1f3/0x440 net/core/skbuff.c:678 + alloc_skb include/linux/skbuff.h:1323 [inline] + alloc_skb_with_frags+0xc3/0x820 net/core/skbuff.c:6612 + sock_alloc_send_pskb+0x91a/0xa60 net/core/sock.c:2884 + sock_alloc_send_skb include/net/sock.h:1803 [inline] + mld_newpack+0x1c3/0xaf0 net/ipv6/mcast.c:1747 + add_grhead net/ipv6/mcast.c:1850 [inline] + add_grec+0x1492/0x19a0 net/ipv6/mcast.c:1988 + mld_send_cr net/ipv6/mcast.c:2114 [inline] + mld_ifc_work+0x691/0xd90 net/ipv6/mcast.c:2651 + page last free pid 5300 tgid 5300 stack trace: + reset_page_owner include/linux/page_owner.h:25 [inline] + free_pages_prepare mm/page_alloc.c:1127 [inline] + free_unref_page+0xd3f/0x1010 mm/page_alloc.c:2659 + __slab_free+0x2c2/0x380 mm/slub.c:4524 + qlink_free mm/kasan/quarantine.c:163 [inline] + qlist_free_all+0x9a/0x140 mm/kasan/quarantine.c:179 + kasan_quarantine_reduce+0x14f/0x170 mm/kasan/quarantine.c:286 + __kasan_slab_alloc+0x23/0x80 mm/kasan/common.c:329 + kasan_slab_alloc include/linux/kasan.h:250 [inline] + slab_post_alloc_hook mm/slub.c:4119 [inline] + slab_alloc_node mm/slub.c:4168 [inline] + __do_kmalloc_node mm/slub.c:4297 [inline] + __kmalloc_noprof+0x236/0x4c0 mm/slub.c:4310 + kmalloc_noprof include/linux/slab.h:905 [inline] + kzalloc_noprof include/linux/slab.h:1037 [inline] + fib_create_info+0xc14/0x25b0 net/ipv4/fib_semantics.c:1435 + fib_table_insert+0x1f6/0x1f20 net/ipv4/fib_trie.c:1231 + fib_magic+0x3d8/0x620 net/ipv4/fib_frontend.c:1112 + fib_add_ifaddr+0x40c/0x5e0 net/ipv4/fib_frontend.c:1156 + fib_netdev_event+0x375/0x490 net/ipv4/fib_frontend.c:1494 + notifier_call_chain+0x1a5/0x3f0 kernel/notifier.c:85 + __dev_notify_flags+0x207/0x400 + dev_change_flags+0xf0/0x1a0 net/core/dev.c:9045 + do_setlink+0xc90/0x4210 net/core/rtnetlink.c:3109 + rtnl_changelink net/core/rtnetlink.c:3723 [inline] + __rtnl_newlink net/core/rtnetlink.c:3875 [inline] + rtnl_newlink+0x1bb6/0x2210 net/core/rtnetlink.c:4012 + + Memory state around the buggy address: + ffff888011838f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ffff888011838f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + >ffff888011839000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ^ + ffff888011839080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff888011839100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ================================================================== + +Reported-by: syzbot+45212e9d87a98c3f5b42@syzkaller.appspotmail.com +Link: https://lore.kernel.org/linux-btrfs/678e7da5.050a0220.303755.007c.GAE@google.com/ +Reported-by: Dmitry Vyukov +Link: https://lore.kernel.org/linux-btrfs/CACT4Y+ZFBdo7pT8L2AzM=vegZwjp-wNkVJZQf0Ta3vZqtExaSw@mail.gmail.com/ +Fixes: 871383be592b ("btrfs: add missing unlocks to transaction abort paths") +Reviewed-by: Johannes Thumshirn +Reviewed-by: Qu Wenruo +Signed-off-by: Filipe Manana +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/transaction.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/fs/btrfs/transaction.c b/fs/btrfs/transaction.c +index a9b794c47159f..4fb5e12c87d1b 100644 +--- a/fs/btrfs/transaction.c ++++ b/fs/btrfs/transaction.c +@@ -295,8 +295,10 @@ static noinline int join_transaction(struct btrfs_fs_info *fs_info, + cur_trans = fs_info->running_transaction; + if (cur_trans) { + if (TRANS_ABORTED(cur_trans)) { ++ const int abort_error = cur_trans->aborted; ++ + spin_unlock(&fs_info->trans_lock); +- return cur_trans->aborted; ++ return abort_error; + } + if (btrfs_blocked_trans_types[cur_trans->state] & type) { + spin_unlock(&fs_info->trans_lock); +-- +2.39.5 + diff --git a/queue-5.15/drm-sti-hdmi-use-eld_mutex-to-protect-access-to-conn.patch b/queue-5.15/drm-sti-hdmi-use-eld_mutex-to-protect-access-to-conn.patch new file mode 100644 index 0000000000..47366ef3ba --- /dev/null +++ b/queue-5.15/drm-sti-hdmi-use-eld_mutex-to-protect-access-to-conn.patch @@ -0,0 +1,39 @@ +From a03ea9dfca7a75701096f10e1b43e478867f3d07 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Dec 2024 11:43:12 +0200 +Subject: drm/sti: hdmi: use eld_mutex to protect access to connector->eld + +From: Dmitry Baryshkov + +[ Upstream commit e99c0b517bcd53cf61f998a3c4291333401cb391 ] + +Reading access to connector->eld can happen at the same time the +drm_edid_to_eld() updates the data. Take the newly added eld_mutex in +order to protect connector->eld from concurrent access. + +Reviewed-by: Maxime Ripard +Acked-by: Raphael Gallais-Pou +Link: https://patchwork.freedesktop.org/patch/msgid/20241206-drm-connector-eld-mutex-v2-9-c9bce1ee8bea@linaro.org +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/sti/sti_hdmi.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/gpu/drm/sti/sti_hdmi.c b/drivers/gpu/drm/sti/sti_hdmi.c +index 36bea1551ef84..8b2f44d73630b 100644 +--- a/drivers/gpu/drm/sti/sti_hdmi.c ++++ b/drivers/gpu/drm/sti/sti_hdmi.c +@@ -1219,7 +1219,9 @@ static int hdmi_audio_get_eld(struct device *dev, void *data, uint8_t *buf, size + struct drm_connector *connector = hdmi->drm_connector; + + DRM_DEBUG_DRIVER("\n"); ++ mutex_lock(&connector->eld_mutex); + memcpy(buf, connector->eld, min(sizeof(connector->eld), len)); ++ mutex_unlock(&connector->eld_mutex); + + return 0; + } +-- +2.39.5 + diff --git a/queue-5.15/gpio-add-helpers-to-ease-the-transition-towards-immu.patch b/queue-5.15/gpio-add-helpers-to-ease-the-transition-towards-immu.patch new file mode 100644 index 0000000000..a84d38a5f7 --- /dev/null +++ b/queue-5.15/gpio-add-helpers-to-ease-the-transition-towards-immu.patch @@ -0,0 +1,54 @@ +From d9d8939dd5a7255811fcb467b5951a5c3ba1cbbe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Apr 2022 15:18:39 +0100 +Subject: gpio: Add helpers to ease the transition towards immutable irq_chip + +From: Marc Zyngier + +[ Upstream commit 36b78aae4bfee749bbde73be570796bfd0f56bec ] + +Add a couple of new helpers to make it slightly simpler to convert +drivers to immutable irq_chip structures: + +- GPIOCHIP_IRQ_RESOURCE_HELPERS populates the irq_chip structure + with the resource management callbacks + +- gpio_irq_chip_set_chip() populates the gpio_irq_chip.chip + structure, avoiding the proliferation of ugly casts + +Reviewed-by: Andy Shevchenko +Reviewed-by: Bartosz Golaszewski +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/20220419141846.598305-4-maz@kernel.org +Stable-dep-of: 9860370c2172 ("gpio: xilinx: Convert gpio_lock to raw spinlock") +Signed-off-by: Sasha Levin +--- + include/linux/gpio/driver.h | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/include/linux/gpio/driver.h b/include/linux/gpio/driver.h +index b241fc23ff3a2..91f60d1e3eb31 100644 +--- a/include/linux/gpio/driver.h ++++ b/include/linux/gpio/driver.h +@@ -599,6 +599,18 @@ void gpiochip_enable_irq(struct gpio_chip *gc, unsigned int offset); + int gpiochip_irq_reqres(struct irq_data *data); + void gpiochip_irq_relres(struct irq_data *data); + ++/* Paste this in your irq_chip structure */ ++#define GPIOCHIP_IRQ_RESOURCE_HELPERS \ ++ .irq_request_resources = gpiochip_irq_reqres, \ ++ .irq_release_resources = gpiochip_irq_relres ++ ++static inline void gpio_irq_chip_set_chip(struct gpio_irq_chip *girq, ++ const struct irq_chip *chip) ++{ ++ /* Yes, dropping const is ugly, but it isn't like we have a choice */ ++ girq->chip = (struct irq_chip *)chip; ++} ++ + /* Line status inquiry for drivers */ + bool gpiochip_line_is_open_drain(struct gpio_chip *gc, unsigned int offset); + bool gpiochip_line_is_open_source(struct gpio_chip *gc, unsigned int offset); +-- +2.39.5 + diff --git a/queue-5.15/gpio-don-t-fiddle-with-irqchips-marked-as-immutable.patch b/queue-5.15/gpio-don-t-fiddle-with-irqchips-marked-as-immutable.patch new file mode 100644 index 0000000000..4c52a0a59d --- /dev/null +++ b/queue-5.15/gpio-don-t-fiddle-with-irqchips-marked-as-immutable.patch @@ -0,0 +1,89 @@ +From dd90d8333e44d313ef8adebadb597025d77c844e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Apr 2022 15:18:37 +0100 +Subject: gpio: Don't fiddle with irqchips marked as immutable + +From: Marc Zyngier + +[ Upstream commit 6c846d026d490b2383d395bc8e7b06336219667b ] + +In order to move away from gpiolib messing with the internals of +unsuspecting irqchips, add a flag by which irqchips advertise +that they are not to be messed with, and do solemnly swear that +they correctly call into the gpiolib helpers when required. + +Also nudge the users into converting their drivers to the +new model. + +Reviewed-by: Andy Shevchenko +Reviewed-by: Bartosz Golaszewski +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/20220419141846.598305-2-maz@kernel.org +Stable-dep-of: 9860370c2172 ("gpio: xilinx: Convert gpio_lock to raw spinlock") +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpiolib.c | 7 ++++++- + include/linux/irq.h | 2 ++ + kernel/irq/debugfs.c | 1 + + 3 files changed, 9 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c +index 5eb4edcf03bd4..631eaf2e418a7 100644 +--- a/drivers/gpio/gpiolib.c ++++ b/drivers/gpio/gpiolib.c +@@ -1484,6 +1484,11 @@ static void gpiochip_set_irq_hooks(struct gpio_chip *gc) + { + struct irq_chip *irqchip = gc->irq.chip; + ++ if (irqchip->flags & IRQCHIP_IMMUTABLE) ++ return; ++ ++ chip_warn(gc, "not an immutable chip, please consider fixing it!\n"); ++ + if (!irqchip->irq_request_resources && + !irqchip->irq_release_resources) { + irqchip->irq_request_resources = gpiochip_irq_reqres; +@@ -1651,7 +1656,7 @@ static void gpiochip_irqchip_remove(struct gpio_chip *gc) + irq_domain_remove(gc->irq.domain); + } + +- if (irqchip) { ++ if (irqchip && !(irqchip->flags & IRQCHIP_IMMUTABLE)) { + if (irqchip->irq_request_resources == gpiochip_irq_reqres) { + irqchip->irq_request_resources = NULL; + irqchip->irq_release_resources = NULL; +diff --git a/include/linux/irq.h b/include/linux/irq.h +index 4fd8d900a1b86..38399d7f508fd 100644 +--- a/include/linux/irq.h ++++ b/include/linux/irq.h +@@ -570,6 +570,7 @@ struct irq_chip { + * IRQCHIP_ENABLE_WAKEUP_ON_SUSPEND: Invokes __enable_irq()/__disable_irq() for wake irqs + * in the suspend path if they are in disabled state + * IRQCHIP_AFFINITY_PRE_STARTUP: Default affinity update before startup ++ * IRQCHIP_IMMUTABLE: Don't ever change anything in this chip + */ + enum { + IRQCHIP_SET_TYPE_MASKED = (1 << 0), +@@ -583,6 +584,7 @@ enum { + IRQCHIP_SUPPORTS_NMI = (1 << 8), + IRQCHIP_ENABLE_WAKEUP_ON_SUSPEND = (1 << 9), + IRQCHIP_AFFINITY_PRE_STARTUP = (1 << 10), ++ IRQCHIP_IMMUTABLE = (1 << 11), + }; + + #include +diff --git a/kernel/irq/debugfs.c b/kernel/irq/debugfs.c +index e4cff358b437e..7ff52d94b42c0 100644 +--- a/kernel/irq/debugfs.c ++++ b/kernel/irq/debugfs.c +@@ -58,6 +58,7 @@ static const struct irq_bit_descr irqchip_flags[] = { + BIT_MASK_DESCR(IRQCHIP_SUPPORTS_LEVEL_MSI), + BIT_MASK_DESCR(IRQCHIP_SUPPORTS_NMI), + BIT_MASK_DESCR(IRQCHIP_ENABLE_WAKEUP_ON_SUSPEND), ++ BIT_MASK_DESCR(IRQCHIP_IMMUTABLE), + }; + + static void +-- +2.39.5 + diff --git a/queue-5.15/gpio-expose-the-gpiochip_irq_re-ql-res-helpers.patch b/queue-5.15/gpio-expose-the-gpiochip_irq_re-ql-res-helpers.patch new file mode 100644 index 0000000000..3b095a78b5 --- /dev/null +++ b/queue-5.15/gpio-expose-the-gpiochip_irq_re-ql-res-helpers.patch @@ -0,0 +1,70 @@ +From 8eddfca81184e45bb228f8e23535629a15724fd2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Apr 2022 15:18:38 +0100 +Subject: gpio: Expose the gpiochip_irq_re[ql]res helpers + +From: Marc Zyngier + +[ Upstream commit 704f08753b6dcd0e08c1953af0b2c7f3fac87111 ] + +The GPIO subsystem has a couple of internal helpers to manage +resources on behalf of the irqchip. Expose them so that GPIO +drivers can use them directly. + +Reviewed-by: Andy Shevchenko +Reviewed-by: Bartosz Golaszewski +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/20220419141846.598305-3-maz@kernel.org +Stable-dep-of: 9860370c2172 ("gpio: xilinx: Convert gpio_lock to raw spinlock") +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpiolib.c | 6 ++++-- + include/linux/gpio/driver.h | 4 ++++ + 2 files changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c +index 631eaf2e418a7..d1e553529b354 100644 +--- a/drivers/gpio/gpiolib.c ++++ b/drivers/gpio/gpiolib.c +@@ -1432,19 +1432,21 @@ static int gpiochip_to_irq(struct gpio_chip *gc, unsigned int offset) + return irq_create_mapping(domain, offset); + } + +-static int gpiochip_irq_reqres(struct irq_data *d) ++int gpiochip_irq_reqres(struct irq_data *d) + { + struct gpio_chip *gc = irq_data_get_irq_chip_data(d); + + return gpiochip_reqres_irq(gc, d->hwirq); + } ++EXPORT_SYMBOL(gpiochip_irq_reqres); + +-static void gpiochip_irq_relres(struct irq_data *d) ++void gpiochip_irq_relres(struct irq_data *d) + { + struct gpio_chip *gc = irq_data_get_irq_chip_data(d); + + gpiochip_relres_irq(gc, d->hwirq); + } ++EXPORT_SYMBOL(gpiochip_irq_relres); + + static void gpiochip_irq_mask(struct irq_data *d) + { +diff --git a/include/linux/gpio/driver.h b/include/linux/gpio/driver.h +index 65df2ce96f0b1..b241fc23ff3a2 100644 +--- a/include/linux/gpio/driver.h ++++ b/include/linux/gpio/driver.h +@@ -595,6 +595,10 @@ void gpiochip_relres_irq(struct gpio_chip *gc, unsigned int offset); + void gpiochip_disable_irq(struct gpio_chip *gc, unsigned int offset); + void gpiochip_enable_irq(struct gpio_chip *gc, unsigned int offset); + ++/* irq_data versions of the above */ ++int gpiochip_irq_reqres(struct irq_data *data); ++void gpiochip_irq_relres(struct irq_data *data); ++ + /* Line status inquiry for drivers */ + bool gpiochip_line_is_open_drain(struct gpio_chip *gc, unsigned int offset); + bool gpiochip_line_is_open_source(struct gpio_chip *gc, unsigned int offset); +-- +2.39.5 + diff --git a/queue-5.15/gpio-xilinx-convert-gpio_lock-to-raw-spinlock.patch b/queue-5.15/gpio-xilinx-convert-gpio_lock-to-raw-spinlock.patch new file mode 100644 index 0000000000..b3e2dd47fd --- /dev/null +++ b/queue-5.15/gpio-xilinx-convert-gpio_lock-to-raw-spinlock.patch @@ -0,0 +1,205 @@ +From c514f83e102d6e377afacef71e60f5b09ac70058 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Jan 2025 11:33:54 -0500 +Subject: gpio: xilinx: Convert gpio_lock to raw spinlock + +From: Sean Anderson + +[ Upstream commit 9860370c2172704b6b4f0075a0c2a29fd84af96a ] + +irq_chip functions may be called in raw spinlock context. Therefore, we +must also use a raw spinlock for our own internal locking. + +This fixes the following lockdep splat: + +[ 5.349336] ============================= +[ 5.353349] [ BUG: Invalid wait context ] +[ 5.357361] 6.13.0-rc5+ #69 Tainted: G W +[ 5.363031] ----------------------------- +[ 5.367045] kworker/u17:1/44 is trying to lock: +[ 5.371587] ffffff88018b02c0 (&chip->gpio_lock){....}-{3:3}, at: xgpio_irq_unmask (drivers/gpio/gpio-xilinx.c:433 (discriminator 8)) +[ 5.380079] other info that might help us debug this: +[ 5.385138] context-{5:5} +[ 5.387762] 5 locks held by kworker/u17:1/44: +[ 5.392123] #0: ffffff8800014958 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work (kernel/workqueue.c:3204) +[ 5.402260] #1: ffffffc082fcbdd8 (deferred_probe_work){+.+.}-{0:0}, at: process_one_work (kernel/workqueue.c:3205) +[ 5.411528] #2: ffffff880172c900 (&dev->mutex){....}-{4:4}, at: __device_attach (drivers/base/dd.c:1006) +[ 5.419929] #3: ffffff88039c8268 (request_class#2){+.+.}-{4:4}, at: __setup_irq (kernel/irq/internals.h:156 kernel/irq/manage.c:1596) +[ 5.428331] #4: ffffff88039c80c8 (lock_class#2){....}-{2:2}, at: __setup_irq (kernel/irq/manage.c:1614) +[ 5.436472] stack backtrace: +[ 5.439359] CPU: 2 UID: 0 PID: 44 Comm: kworker/u17:1 Tainted: G W 6.13.0-rc5+ #69 +[ 5.448690] Tainted: [W]=WARN +[ 5.451656] Hardware name: xlnx,zynqmp (DT) +[ 5.455845] Workqueue: events_unbound deferred_probe_work_func +[ 5.461699] Call trace: +[ 5.464147] show_stack+0x18/0x24 C +[ 5.467821] dump_stack_lvl (lib/dump_stack.c:123) +[ 5.471501] dump_stack (lib/dump_stack.c:130) +[ 5.474824] __lock_acquire (kernel/locking/lockdep.c:4828 kernel/locking/lockdep.c:4898 kernel/locking/lockdep.c:5176) +[ 5.478758] lock_acquire (arch/arm64/include/asm/percpu.h:40 kernel/locking/lockdep.c:467 kernel/locking/lockdep.c:5851 kernel/locking/lockdep.c:5814) +[ 5.482429] _raw_spin_lock_irqsave (include/linux/spinlock_api_smp.h:111 kernel/locking/spinlock.c:162) +[ 5.486797] xgpio_irq_unmask (drivers/gpio/gpio-xilinx.c:433 (discriminator 8)) +[ 5.490737] irq_enable (kernel/irq/internals.h:236 kernel/irq/chip.c:170 kernel/irq/chip.c:439 kernel/irq/chip.c:432 kernel/irq/chip.c:345) +[ 5.494060] __irq_startup (kernel/irq/internals.h:241 kernel/irq/chip.c:180 kernel/irq/chip.c:250) +[ 5.497645] irq_startup (kernel/irq/chip.c:270) +[ 5.501143] __setup_irq (kernel/irq/manage.c:1807) +[ 5.504728] request_threaded_irq (kernel/irq/manage.c:2208) + +Fixes: a32c7caea292 ("gpio: gpio-xilinx: Add interrupt support") +Signed-off-by: Sean Anderson +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20250110163354.2012654-1-sean.anderson@linux.dev +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-xilinx.c | 32 ++++++++++++++++---------------- + 1 file changed, 16 insertions(+), 16 deletions(-) + +diff --git a/drivers/gpio/gpio-xilinx.c b/drivers/gpio/gpio-xilinx.c +index 067ac1805853c..908730d8dc955 100644 +--- a/drivers/gpio/gpio-xilinx.c ++++ b/drivers/gpio/gpio-xilinx.c +@@ -66,7 +66,7 @@ struct xgpio_instance { + DECLARE_BITMAP(state, 64); + DECLARE_BITMAP(last_irq_read, 64); + DECLARE_BITMAP(dir, 64); +- spinlock_t gpio_lock; /* For serializing operations */ ++ raw_spinlock_t gpio_lock; /* For serializing operations */ + int irq; + DECLARE_BITMAP(enable, 64); + DECLARE_BITMAP(rising_edge, 64); +@@ -178,14 +178,14 @@ static void xgpio_set(struct gpio_chip *gc, unsigned int gpio, int val) + struct xgpio_instance *chip = gpiochip_get_data(gc); + int bit = xgpio_to_bit(chip, gpio); + +- spin_lock_irqsave(&chip->gpio_lock, flags); ++ raw_spin_lock_irqsave(&chip->gpio_lock, flags); + + /* Write to GPIO signal and set its direction to output */ + __assign_bit(bit, chip->state, val); + + xgpio_write_ch(chip, XGPIO_DATA_OFFSET, bit, chip->state); + +- spin_unlock_irqrestore(&chip->gpio_lock, flags); ++ raw_spin_unlock_irqrestore(&chip->gpio_lock, flags); + } + + /** +@@ -209,7 +209,7 @@ static void xgpio_set_multiple(struct gpio_chip *gc, unsigned long *mask, + bitmap_remap(hw_mask, mask, chip->sw_map, chip->hw_map, 64); + bitmap_remap(hw_bits, bits, chip->sw_map, chip->hw_map, 64); + +- spin_lock_irqsave(&chip->gpio_lock, flags); ++ raw_spin_lock_irqsave(&chip->gpio_lock, flags); + + bitmap_replace(state, chip->state, hw_bits, hw_mask, 64); + +@@ -217,7 +217,7 @@ static void xgpio_set_multiple(struct gpio_chip *gc, unsigned long *mask, + + bitmap_copy(chip->state, state, 64); + +- spin_unlock_irqrestore(&chip->gpio_lock, flags); ++ raw_spin_unlock_irqrestore(&chip->gpio_lock, flags); + } + + /** +@@ -235,13 +235,13 @@ static int xgpio_dir_in(struct gpio_chip *gc, unsigned int gpio) + struct xgpio_instance *chip = gpiochip_get_data(gc); + int bit = xgpio_to_bit(chip, gpio); + +- spin_lock_irqsave(&chip->gpio_lock, flags); ++ raw_spin_lock_irqsave(&chip->gpio_lock, flags); + + /* Set the GPIO bit in shadow register and set direction as input */ + __set_bit(bit, chip->dir); + xgpio_write_ch(chip, XGPIO_TRI_OFFSET, bit, chip->dir); + +- spin_unlock_irqrestore(&chip->gpio_lock, flags); ++ raw_spin_unlock_irqrestore(&chip->gpio_lock, flags); + + return 0; + } +@@ -264,7 +264,7 @@ static int xgpio_dir_out(struct gpio_chip *gc, unsigned int gpio, int val) + struct xgpio_instance *chip = gpiochip_get_data(gc); + int bit = xgpio_to_bit(chip, gpio); + +- spin_lock_irqsave(&chip->gpio_lock, flags); ++ raw_spin_lock_irqsave(&chip->gpio_lock, flags); + + /* Write state of GPIO signal */ + __assign_bit(bit, chip->state, val); +@@ -274,7 +274,7 @@ static int xgpio_dir_out(struct gpio_chip *gc, unsigned int gpio, int val) + __clear_bit(bit, chip->dir); + xgpio_write_ch(chip, XGPIO_TRI_OFFSET, bit, chip->dir); + +- spin_unlock_irqrestore(&chip->gpio_lock, flags); ++ raw_spin_unlock_irqrestore(&chip->gpio_lock, flags); + + return 0; + } +@@ -404,7 +404,7 @@ static void xgpio_irq_mask(struct irq_data *irq_data) + int bit = xgpio_to_bit(chip, irq_offset); + u32 mask = BIT(bit / 32), temp; + +- spin_lock_irqsave(&chip->gpio_lock, flags); ++ raw_spin_lock_irqsave(&chip->gpio_lock, flags); + + __clear_bit(bit, chip->enable); + +@@ -414,7 +414,7 @@ static void xgpio_irq_mask(struct irq_data *irq_data) + temp &= ~mask; + xgpio_writereg(chip->regs + XGPIO_IPIER_OFFSET, temp); + } +- spin_unlock_irqrestore(&chip->gpio_lock, flags); ++ raw_spin_unlock_irqrestore(&chip->gpio_lock, flags); + + gpiochip_disable_irq(&chip->gc, irq_offset); + } +@@ -434,7 +434,7 @@ static void xgpio_irq_unmask(struct irq_data *irq_data) + + gpiochip_enable_irq(&chip->gc, irq_offset); + +- spin_lock_irqsave(&chip->gpio_lock, flags); ++ raw_spin_lock_irqsave(&chip->gpio_lock, flags); + + __set_bit(bit, chip->enable); + +@@ -453,7 +453,7 @@ static void xgpio_irq_unmask(struct irq_data *irq_data) + xgpio_writereg(chip->regs + XGPIO_IPIER_OFFSET, val); + } + +- spin_unlock_irqrestore(&chip->gpio_lock, flags); ++ raw_spin_unlock_irqrestore(&chip->gpio_lock, flags); + } + + /** +@@ -518,7 +518,7 @@ static void xgpio_irqhandler(struct irq_desc *desc) + + chained_irq_enter(irqchip, desc); + +- spin_lock(&chip->gpio_lock); ++ raw_spin_lock(&chip->gpio_lock); + + xgpio_read_ch_all(chip, XGPIO_DATA_OFFSET, all); + +@@ -535,7 +535,7 @@ static void xgpio_irqhandler(struct irq_desc *desc) + bitmap_copy(chip->last_irq_read, all, 64); + bitmap_or(all, rising, falling, 64); + +- spin_unlock(&chip->gpio_lock); ++ raw_spin_unlock(&chip->gpio_lock); + + dev_dbg(gc->parent, "IRQ rising %*pb falling %*pb\n", 64, rising, 64, falling); + +@@ -636,7 +636,7 @@ static int xgpio_probe(struct platform_device *pdev) + bitmap_set(chip->hw_map, 0, width[0]); + bitmap_set(chip->hw_map, 32, width[1]); + +- spin_lock_init(&chip->gpio_lock); ++ raw_spin_lock_init(&chip->gpio_lock); + + chip->gc.base = -1; + chip->gc.ngpio = bitmap_weight(chip->hw_map, 64); +-- +2.39.5 + diff --git a/queue-5.15/gpio-xilinx-convert-to-immutable-irq_chip.patch b/queue-5.15/gpio-xilinx-convert-to-immutable-irq_chip.patch new file mode 100644 index 0000000000..48aa2e937b --- /dev/null +++ b/queue-5.15/gpio-xilinx-convert-to-immutable-irq_chip.patch @@ -0,0 +1,94 @@ +From df3ea82de54a8228241d9d417377bf2ad77453d2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Mar 2023 10:55:15 +0100 +Subject: gpio: xilinx: Convert to immutable irq_chip + +From: Linus Walleij + +[ Upstream commit b4510f8fd5d0e9afa777f115871f5d522540c417 ] + +Convert the driver to immutable irq-chip with a bit of +intuition. + +Cc: Marc Zyngier +Signed-off-by: Linus Walleij +Reviewed-by: Marc Zyngier +Signed-off-by: Bartosz Golaszewski +Stable-dep-of: 9860370c2172 ("gpio: xilinx: Convert gpio_lock to raw spinlock") +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-xilinx.c | 23 +++++++++++++++-------- + 1 file changed, 15 insertions(+), 8 deletions(-) + +diff --git a/drivers/gpio/gpio-xilinx.c b/drivers/gpio/gpio-xilinx.c +index db616ae560a3c..067ac1805853c 100644 +--- a/drivers/gpio/gpio-xilinx.c ++++ b/drivers/gpio/gpio-xilinx.c +@@ -68,7 +68,6 @@ struct xgpio_instance { + DECLARE_BITMAP(dir, 64); + spinlock_t gpio_lock; /* For serializing operations */ + int irq; +- struct irq_chip irqchip; + DECLARE_BITMAP(enable, 64); + DECLARE_BITMAP(rising_edge, 64); + DECLARE_BITMAP(falling_edge, 64); +@@ -416,6 +415,8 @@ static void xgpio_irq_mask(struct irq_data *irq_data) + xgpio_writereg(chip->regs + XGPIO_IPIER_OFFSET, temp); + } + spin_unlock_irqrestore(&chip->gpio_lock, flags); ++ ++ gpiochip_disable_irq(&chip->gc, irq_offset); + } + + /** +@@ -431,6 +432,8 @@ static void xgpio_irq_unmask(struct irq_data *irq_data) + u32 old_enable = xgpio_get_value32(chip->enable, bit); + u32 mask = BIT(bit / 32), val; + ++ gpiochip_enable_irq(&chip->gc, irq_offset); ++ + spin_lock_irqsave(&chip->gpio_lock, flags); + + __set_bit(bit, chip->enable); +@@ -544,6 +547,16 @@ static void xgpio_irqhandler(struct irq_desc *desc) + chained_irq_exit(irqchip, desc); + } + ++static const struct irq_chip xgpio_irq_chip = { ++ .name = "gpio-xilinx", ++ .irq_ack = xgpio_irq_ack, ++ .irq_mask = xgpio_irq_mask, ++ .irq_unmask = xgpio_irq_unmask, ++ .irq_set_type = xgpio_set_irq_type, ++ .flags = IRQCHIP_IMMUTABLE, ++ GPIOCHIP_IRQ_RESOURCE_HELPERS, ++}; ++ + /** + * xgpio_probe - Probe method for the GPIO device. + * @pdev: pointer to the platform device +@@ -664,12 +677,6 @@ static int xgpio_probe(struct platform_device *pdev) + if (chip->irq <= 0) + goto skip_irq; + +- chip->irqchip.name = "gpio-xilinx"; +- chip->irqchip.irq_ack = xgpio_irq_ack; +- chip->irqchip.irq_mask = xgpio_irq_mask; +- chip->irqchip.irq_unmask = xgpio_irq_unmask; +- chip->irqchip.irq_set_type = xgpio_set_irq_type; +- + /* Disable per-channel interrupts */ + xgpio_writereg(chip->regs + XGPIO_IPIER_OFFSET, 0); + /* Clear any existing per-channel interrupts */ +@@ -679,7 +686,7 @@ static int xgpio_probe(struct platform_device *pdev) + xgpio_writereg(chip->regs + XGPIO_GIER_OFFSET, XGPIO_GIER_IE); + + girq = &chip->gc.irq; +- girq->chip = &chip->irqchip; ++ gpio_irq_chip_set_chip(girq, &xgpio_irq_chip); + girq->parent_handler = xgpio_irqhandler; + girq->num_parents = 1; + girq->parents = devm_kcalloc(&pdev->dev, 1, +-- +2.39.5 + diff --git a/queue-5.15/hid-wacom-add-pci-wacom-device-support.patch b/queue-5.15/hid-wacom-add-pci-wacom-device-support.patch new file mode 100644 index 0000000000..46c79c91ed --- /dev/null +++ b/queue-5.15/hid-wacom-add-pci-wacom-device-support.patch @@ -0,0 +1,46 @@ +From 74da276f549321149d6dcc908496b962df2ae4bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Dec 2024 09:35:27 +0800 +Subject: HID: Wacom: Add PCI Wacom device support + +From: Even Xu + +[ Upstream commit c4c123504a65583e3689b3de04a61dc5272e453a ] + +Add PCI device ID of wacom device into driver support list. + +Signed-off-by: Even Xu +Tested-by: Tatsunosuke Tobita +Reviewed-by: Ping Cheng +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/wacom_wac.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/hid/wacom_wac.c b/drivers/hid/wacom_wac.c +index 9a82cd124918f..a5e6c16c883dc 100644 +--- a/drivers/hid/wacom_wac.c ++++ b/drivers/hid/wacom_wac.c +@@ -4882,6 +4882,10 @@ static const struct wacom_features wacom_features_0x94 = + HID_DEVICE(BUS_I2C, HID_GROUP_WACOM, USB_VENDOR_ID_WACOM, prod),\ + .driver_data = (kernel_ulong_t)&wacom_features_##prod + ++#define PCI_DEVICE_WACOM(prod) \ ++ HID_DEVICE(BUS_PCI, HID_GROUP_WACOM, USB_VENDOR_ID_WACOM, prod),\ ++ .driver_data = (kernel_ulong_t)&wacom_features_##prod ++ + #define USB_DEVICE_LENOVO(prod) \ + HID_USB_DEVICE(USB_VENDOR_ID_LENOVO, prod), \ + .driver_data = (kernel_ulong_t)&wacom_features_##prod +@@ -5051,6 +5055,7 @@ const struct hid_device_id wacom_ids[] = { + + { USB_DEVICE_WACOM(HID_ANY_ID) }, + { I2C_DEVICE_WACOM(HID_ANY_ID) }, ++ { PCI_DEVICE_WACOM(HID_ANY_ID) }, + { BT_DEVICE_WACOM(HID_ANY_ID) }, + { } + }; +-- +2.39.5 + diff --git a/queue-5.15/i2c-force-elan06fa-touchpad-i2c-bus-freq-to-100khz.patch b/queue-5.15/i2c-force-elan06fa-touchpad-i2c-bus-freq-to-100khz.patch new file mode 100644 index 0000000000..36d15ce477 --- /dev/null +++ b/queue-5.15/i2c-force-elan06fa-touchpad-i2c-bus-freq-to-100khz.patch @@ -0,0 +1,73 @@ +From 8bb34a69a5be1e5188fb98534c4014031d94772d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Jan 2025 14:52:37 -0500 +Subject: i2c: Force ELAN06FA touchpad I2C bus freq to 100KHz + +From: Randolph Ha + +[ Upstream commit bfd74cd1fbc026f04446e67d6915c7e199c2bffd ] + +When a 400KHz freq is used on this model of ELAN touchpad in Linux, +excessive smoothing (similar to when the touchpad's firmware detects +a noisy signal) is sometimes applied. As some devices' (e.g, Lenovo +V15 G4) ACPI tables specify a 400KHz frequency for this device and +some I2C busses (e.g, Designware I2C) default to a 400KHz freq, +force the speed to 100KHz as a workaround. + +For future investigation: This problem may be related to the default +HCNT/LCNT values given by some busses' drivers, because they are not +specified in the aforementioned devices' ACPI tables, and because +the device works without issues on Windows at what is expected to be +a 400KHz frequency. The root cause of the issue is not known. + +Signed-off-by: Randolph Ha +Reviewed-by: Mika Westerberg +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/i2c-core-acpi.c | 22 ++++++++++++++++++++++ + 1 file changed, 22 insertions(+) + +diff --git a/drivers/i2c/i2c-core-acpi.c b/drivers/i2c/i2c-core-acpi.c +index 6ce05441178a3..8b06f5d4a4c30 100644 +--- a/drivers/i2c/i2c-core-acpi.c ++++ b/drivers/i2c/i2c-core-acpi.c +@@ -327,6 +327,25 @@ static const struct acpi_device_id i2c_acpi_force_400khz_device_ids[] = { + {} + }; + ++static const struct acpi_device_id i2c_acpi_force_100khz_device_ids[] = { ++ /* ++ * When a 400KHz freq is used on this model of ELAN touchpad in Linux, ++ * excessive smoothing (similar to when the touchpad's firmware detects ++ * a noisy signal) is sometimes applied. As some devices' (e.g, Lenovo ++ * V15 G4) ACPI tables specify a 400KHz frequency for this device and ++ * some I2C busses (e.g, Designware I2C) default to a 400KHz freq, ++ * force the speed to 100KHz as a workaround. ++ * ++ * For future investigation: This problem may be related to the default ++ * HCNT/LCNT values given by some busses' drivers, because they are not ++ * specified in the aforementioned devices' ACPI tables, and because ++ * the device works without issues on Windows at what is expected to be ++ * a 400KHz frequency. The root cause of the issue is not known. ++ */ ++ { "ELAN06FA", 0 }, ++ {} ++}; ++ + static acpi_status i2c_acpi_lookup_speed(acpi_handle handle, u32 level, + void *data, void **return_value) + { +@@ -348,6 +367,9 @@ static acpi_status i2c_acpi_lookup_speed(acpi_handle handle, u32 level, + if (acpi_match_device_ids(adev, i2c_acpi_force_400khz_device_ids) == 0) + lookup->force_speed = I2C_MAX_FAST_MODE_FREQ; + ++ if (acpi_match_device_ids(adev, i2c_acpi_force_100khz_device_ids) == 0) ++ lookup->force_speed = I2C_MAX_STANDARD_MODE_FREQ; ++ + return AE_OK; + } + +-- +2.39.5 + diff --git a/queue-5.15/input-allocate-keycode-for-phone-linking.patch b/queue-5.15/input-allocate-keycode-for-phone-linking.patch new file mode 100644 index 0000000000..ec265cb438 --- /dev/null +++ b/queue-5.15/input-allocate-keycode-for-phone-linking.patch @@ -0,0 +1,45 @@ +From df2bae28649cca313fc52a792e336106cc6d987b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Nov 2024 18:39:29 +0100 +Subject: Input: allocate keycode for phone linking +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Illia Ostapyshyn + +[ Upstream commit 1bebc7869c99d466f819dd2cffaef0edf7d7a035 ] + +The F11 key on the new Lenovo Thinkpad T14 Gen 5, T16 Gen 3, and P14s +Gen 5 laptops includes a symbol showing a smartphone and a laptop +chained together. According to the user manual, it starts the Microsoft +Phone Link software used to connect to Android/iOS devices and relay +messages/calls or sync data. + +As there are no suitable keycodes for this action, introduce a new one. + +Signed-off-by: Illia Ostapyshyn +Acked-by: Dmitry Torokhov +Link: https://lore.kernel.org/r/20241114173930.44983-2-illia@yshyn.com +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + include/uapi/linux/input-event-codes.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/include/uapi/linux/input-event-codes.h b/include/uapi/linux/input-event-codes.h +index bed20a89c14c1..6128146bb133b 100644 +--- a/include/uapi/linux/input-event-codes.h ++++ b/include/uapi/linux/input-event-codes.h +@@ -519,6 +519,7 @@ + #define KEY_NOTIFICATION_CENTER 0x1bc /* Show/hide the notification center */ + #define KEY_PICKUP_PHONE 0x1bd /* Answer incoming call */ + #define KEY_HANGUP_PHONE 0x1be /* Decline incoming call */ ++#define KEY_LINK_PHONE 0x1bf /* AL Phone Syncing */ + + #define KEY_DEL_EOL 0x1c0 + #define KEY_DEL_EOS 0x1c1 +-- +2.39.5 + diff --git a/queue-5.15/kvm-e500-always-restore-irqs.patch b/queue-5.15/kvm-e500-always-restore-irqs.patch new file mode 100644 index 0000000000..05792f8421 --- /dev/null +++ b/queue-5.15/kvm-e500-always-restore-irqs.patch @@ -0,0 +1,47 @@ +From 9d0855b0755840992d3ba4b1bdbd691654d76986 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 12 Jan 2025 10:34:44 +0100 +Subject: KVM: e500: always restore irqs + +From: Paolo Bonzini + +[ Upstream commit 87ecfdbc699cc95fac73291b52650283ddcf929d ] + +If find_linux_pte fails, IRQs will not be restored. This is unlikely +to happen in practice since it would have been reported as hanging +hosts, but it should of course be fixed anyway. + +Cc: stable@vger.kernel.org +Reported-by: Sean Christopherson +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/powerpc/kvm/e500_mmu_host.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/powerpc/kvm/e500_mmu_host.c b/arch/powerpc/kvm/e500_mmu_host.c +index d3b0031c9586f..00037f270f4f0 100644 +--- a/arch/powerpc/kvm/e500_mmu_host.c ++++ b/arch/powerpc/kvm/e500_mmu_host.c +@@ -479,7 +479,6 @@ static inline int kvmppc_e500_shadow_map(struct kvmppc_vcpu_e500 *vcpu_e500, + if (pte_present(pte)) { + wimg = (pte_val(pte) >> PTE_WIMGE_SHIFT) & + MAS2_WIMGE_MASK; +- local_irq_restore(flags); + } else { + local_irq_restore(flags); + pr_err_ratelimited("%s: pte not present: gfn %lx,pfn %lx\n", +@@ -488,8 +487,9 @@ static inline int kvmppc_e500_shadow_map(struct kvmppc_vcpu_e500 *vcpu_e500, + goto out; + } + } +- writable = kvmppc_e500_ref_setup(ref, gtlbe, pfn, wimg); ++ local_irq_restore(flags); + ++ writable = kvmppc_e500_ref_setup(ref, gtlbe, pfn, wimg); + kvmppc_e500_setup_stlbe(&vcpu_e500->vcpu, gtlbe, tsize, + ref, gvaddr, stlbe); + +-- +2.39.5 + diff --git a/queue-5.15/kvm-ppc-e500-mark-struct-page-dirty-in-kvmppc_e500_s.patch b/queue-5.15/kvm-ppc-e500-mark-struct-page-dirty-in-kvmppc_e500_s.patch new file mode 100644 index 0000000000..51a6470b7a --- /dev/null +++ b/queue-5.15/kvm-ppc-e500-mark-struct-page-dirty-in-kvmppc_e500_s.patch @@ -0,0 +1,75 @@ +From 22d64c57795ad335cb6ab47494ffb1bf08c8fbcf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Oct 2024 11:23:54 -0700 +Subject: KVM: PPC: e500: Mark "struct page" dirty in kvmppc_e500_shadow_map() + +From: Sean Christopherson + +[ Upstream commit c9be85dabb376299504e0d391d15662c0edf8273 ] + +Mark the underlying page as dirty in kvmppc_e500_ref_setup()'s sole +caller, kvmppc_e500_shadow_map(), which will allow converting e500 to +__kvm_faultin_pfn() + kvm_release_faultin_page() without having to do +a weird dance between ref_setup() and shadow_map(). + +Opportunistically drop the redundant kvm_set_pfn_accessed(), as +shadow_map() puts the page via kvm_release_pfn_clean(). + +Signed-off-by: Sean Christopherson +Tested-by: Dmitry Osipenko +Signed-off-by: Paolo Bonzini +Message-ID: <20241010182427.1434605-53-seanjc@google.com> +Stable-dep-of: 87ecfdbc699c ("KVM: e500: always restore irqs") +Signed-off-by: Sasha Levin +--- + arch/powerpc/kvm/e500_mmu_host.c | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +diff --git a/arch/powerpc/kvm/e500_mmu_host.c b/arch/powerpc/kvm/e500_mmu_host.c +index 7f16afc331efd..738556b7f175c 100644 +--- a/arch/powerpc/kvm/e500_mmu_host.c ++++ b/arch/powerpc/kvm/e500_mmu_host.c +@@ -242,7 +242,7 @@ static inline int tlbe_is_writable(struct kvm_book3e_206_tlb_entry *tlbe) + return tlbe->mas7_3 & (MAS3_SW|MAS3_UW); + } + +-static inline void kvmppc_e500_ref_setup(struct tlbe_ref *ref, ++static inline bool kvmppc_e500_ref_setup(struct tlbe_ref *ref, + struct kvm_book3e_206_tlb_entry *gtlbe, + kvm_pfn_t pfn, unsigned int wimg) + { +@@ -252,11 +252,7 @@ static inline void kvmppc_e500_ref_setup(struct tlbe_ref *ref, + /* Use guest supplied MAS2_G and MAS2_E */ + ref->flags |= (gtlbe->mas2 & MAS2_ATTRIB_MASK) | wimg; + +- /* Mark the page accessed */ +- kvm_set_pfn_accessed(pfn); +- +- if (tlbe_is_writable(gtlbe)) +- kvm_set_pfn_dirty(pfn); ++ return tlbe_is_writable(gtlbe); + } + + static inline void kvmppc_e500_ref_release(struct tlbe_ref *ref) +@@ -337,6 +333,7 @@ static inline int kvmppc_e500_shadow_map(struct kvmppc_vcpu_e500 *vcpu_e500, + unsigned int wimg = 0; + pgd_t *pgdir; + unsigned long flags; ++ bool writable = false; + + /* used to check for invalidations in progress */ + mmu_seq = kvm->mmu_notifier_seq; +@@ -490,7 +487,9 @@ static inline int kvmppc_e500_shadow_map(struct kvmppc_vcpu_e500 *vcpu_e500, + goto out; + } + } +- kvmppc_e500_ref_setup(ref, gtlbe, pfn, wimg); ++ writable = kvmppc_e500_ref_setup(ref, gtlbe, pfn, wimg); ++ if (writable) ++ kvm_set_pfn_dirty(pfn); + + kvmppc_e500_setup_stlbe(&vcpu_e500->vcpu, gtlbe, tsize, + ref, gvaddr, stlbe); +-- +2.39.5 + diff --git a/queue-5.15/kvm-ppc-e500-mark-struct-page-pfn-accessed-before-dr.patch b/queue-5.15/kvm-ppc-e500-mark-struct-page-pfn-accessed-before-dr.patch new file mode 100644 index 0000000000..d36b92b47a --- /dev/null +++ b/queue-5.15/kvm-ppc-e500-mark-struct-page-pfn-accessed-before-dr.patch @@ -0,0 +1,46 @@ +From 61ba754bed089e86c5b4672d769b79d834e48c25 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Oct 2024 11:23:55 -0700 +Subject: KVM: PPC: e500: Mark "struct page" pfn accessed before dropping + mmu_lock + +From: Sean Christopherson + +[ Upstream commit 84cf78dcd9d65c45ab73998d4ad50f433d53fb93 ] + +Mark pages accessed before dropping mmu_lock when faulting in guest memory +so that shadow_map() can convert to kvm_release_faultin_page() without +tripping its lockdep assertion on mmu_lock being held. Marking pages +accessed outside of mmu_lock is ok (not great, but safe), but marking +pages _dirty_ outside of mmu_lock can make filesystems unhappy. + +Signed-off-by: Sean Christopherson +Tested-by: Dmitry Osipenko +Signed-off-by: Paolo Bonzini +Message-ID: <20241010182427.1434605-54-seanjc@google.com> +Stable-dep-of: 87ecfdbc699c ("KVM: e500: always restore irqs") +Signed-off-by: Sasha Levin +--- + arch/powerpc/kvm/e500_mmu_host.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/arch/powerpc/kvm/e500_mmu_host.c b/arch/powerpc/kvm/e500_mmu_host.c +index 738556b7f175c..411385ad583b8 100644 +--- a/arch/powerpc/kvm/e500_mmu_host.c ++++ b/arch/powerpc/kvm/e500_mmu_host.c +@@ -498,11 +498,9 @@ static inline int kvmppc_e500_shadow_map(struct kvmppc_vcpu_e500 *vcpu_e500, + kvmppc_mmu_flush_icache(pfn); + + out: +- spin_unlock(&kvm->mmu_lock); +- + /* Drop refcount on page, so that mmu notifiers can clear it */ + kvm_release_pfn_clean(pfn); +- ++ spin_unlock(&kvm->mmu_lock); + return ret; + } + +-- +2.39.5 + diff --git a/queue-5.15/kvm-ppc-e500-use-__kvm_faultin_pfn-to-handle-page-fa.patch b/queue-5.15/kvm-ppc-e500-use-__kvm_faultin_pfn-to-handle-page-fa.patch new file mode 100644 index 0000000000..3f1b58f268 --- /dev/null +++ b/queue-5.15/kvm-ppc-e500-use-__kvm_faultin_pfn-to-handle-page-fa.patch @@ -0,0 +1,66 @@ +From e8ee34eaa9f807316d3d23c39f4eaa064e2c8708 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Oct 2024 11:23:56 -0700 +Subject: KVM: PPC: e500: Use __kvm_faultin_pfn() to handle page faults + +From: Sean Christopherson + +[ Upstream commit 419cfb983ca93e75e905794521afefcfa07988bb ] + +Convert PPC e500 to use __kvm_faultin_pfn()+kvm_release_faultin_page(), +and continue the inexorable march towards the demise of +kvm_pfn_to_refcounted_page(). + +Signed-off-by: Sean Christopherson +Tested-by: Dmitry Osipenko +Signed-off-by: Paolo Bonzini +Message-ID: <20241010182427.1434605-55-seanjc@google.com> +Stable-dep-of: 87ecfdbc699c ("KVM: e500: always restore irqs") +Signed-off-by: Sasha Levin +--- + arch/powerpc/kvm/e500_mmu_host.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/arch/powerpc/kvm/e500_mmu_host.c b/arch/powerpc/kvm/e500_mmu_host.c +index 411385ad583b8..d3b0031c9586f 100644 +--- a/arch/powerpc/kvm/e500_mmu_host.c ++++ b/arch/powerpc/kvm/e500_mmu_host.c +@@ -322,6 +322,7 @@ static inline int kvmppc_e500_shadow_map(struct kvmppc_vcpu_e500 *vcpu_e500, + { + struct kvm_memory_slot *slot; + unsigned long pfn = 0; /* silence GCC warning */ ++ struct page *page = NULL; + unsigned long hva; + int pfnmap = 0; + int tsize = BOOK3E_PAGESZ_4K; +@@ -443,7 +444,7 @@ static inline int kvmppc_e500_shadow_map(struct kvmppc_vcpu_e500 *vcpu_e500, + + if (likely(!pfnmap)) { + tsize_pages = 1UL << (tsize + 10 - PAGE_SHIFT); +- pfn = gfn_to_pfn_memslot(slot, gfn); ++ pfn = __kvm_faultin_pfn(slot, gfn, FOLL_WRITE, NULL, &page); + if (is_error_noslot_pfn(pfn)) { + if (printk_ratelimit()) + pr_err("%s: real page not found for gfn %lx\n", +@@ -488,8 +489,6 @@ static inline int kvmppc_e500_shadow_map(struct kvmppc_vcpu_e500 *vcpu_e500, + } + } + writable = kvmppc_e500_ref_setup(ref, gtlbe, pfn, wimg); +- if (writable) +- kvm_set_pfn_dirty(pfn); + + kvmppc_e500_setup_stlbe(&vcpu_e500->vcpu, gtlbe, tsize, + ref, gvaddr, stlbe); +@@ -498,8 +497,7 @@ static inline int kvmppc_e500_shadow_map(struct kvmppc_vcpu_e500 *vcpu_e500, + kvmppc_mmu_flush_icache(pfn); + + out: +- /* Drop refcount on page, so that mmu notifiers can clear it */ +- kvm_release_pfn_clean(pfn); ++ kvm_release_faultin_page(kvm, page, !!ret, writable); + spin_unlock(&kvm->mmu_lock); + return ret; + } +-- +2.39.5 + diff --git a/queue-5.15/lockdep-fix-upper-limit-for-lockdep_-_bits-configs.patch b/queue-5.15/lockdep-fix-upper-limit-for-lockdep_-_bits-configs.patch new file mode 100644 index 0000000000..086b97576f --- /dev/null +++ b/queue-5.15/lockdep-fix-upper-limit-for-lockdep_-_bits-configs.patch @@ -0,0 +1,86 @@ +From 198db2b8a2556632b0ba7527149f9b41d5f35229 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Oct 2024 18:36:26 +0000 +Subject: lockdep: Fix upper limit for LOCKDEP_*_BITS configs + +From: Carlos Llamas + +[ Upstream commit e638072e61726cae363d48812815197a2a0e097f ] + +Lockdep has a set of configs used to determine the size of the static +arrays that it uses. However, the upper limit that was initially setup +for these configs is too high (30 bit shift). This equates to several +GiB of static memory for individual symbols. Using such high values +leads to linker errors: + + $ make defconfig + $ ./scripts/config -e PROVE_LOCKING --set-val LOCKDEP_BITS 30 + $ make olddefconfig all + [...] + ld: kernel image bigger than KERNEL_IMAGE_SIZE + ld: section .bss VMA wraps around address space + +Adjust the upper limits to the maximum values that avoid these issues. +The need for anything more, likely points to a problem elsewhere. Note +that LOCKDEP_CHAINS_BITS was intentionally left out as its upper limit +had a different symptom and has already been fixed [1]. + +Reported-by: J. R. Okajima +Closes: https://lore.kernel.org/all/30795.1620913191@jrobl/ [1] +Cc: Peter Zijlstra +Cc: Boqun Feng +Cc: Ingo Molnar +Cc: Waiman Long +Cc: Will Deacon +Acked-by: Waiman Long +Signed-off-by: Carlos Llamas +Signed-off-by: Boqun Feng +Link: https://lore.kernel.org/r/20241024183631.643450-2-cmllamas@google.com +Signed-off-by: Sasha Levin +--- + lib/Kconfig.debug | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug +index 2025b624fbb67..db4f8ac489d41 100644 +--- a/lib/Kconfig.debug ++++ b/lib/Kconfig.debug +@@ -1408,7 +1408,7 @@ config LOCKDEP_SMALL + config LOCKDEP_BITS + int "Bitsize for MAX_LOCKDEP_ENTRIES" + depends on LOCKDEP && !LOCKDEP_SMALL +- range 10 30 ++ range 10 24 + default 15 + help + Try increasing this value if you hit "BUG: MAX_LOCKDEP_ENTRIES too low!" message. +@@ -1424,7 +1424,7 @@ config LOCKDEP_CHAINS_BITS + config LOCKDEP_STACK_TRACE_BITS + int "Bitsize for MAX_STACK_TRACE_ENTRIES" + depends on LOCKDEP && !LOCKDEP_SMALL +- range 10 30 ++ range 10 26 + default 19 + help + Try increasing this value if you hit "BUG: MAX_STACK_TRACE_ENTRIES too low!" message. +@@ -1432,7 +1432,7 @@ config LOCKDEP_STACK_TRACE_BITS + config LOCKDEP_STACK_TRACE_HASH_BITS + int "Bitsize for STACK_TRACE_HASH_SIZE" + depends on LOCKDEP && !LOCKDEP_SMALL +- range 10 30 ++ range 10 26 + default 14 + help + Try increasing this value if you need large MAX_STACK_TRACE_ENTRIES. +@@ -1440,7 +1440,7 @@ config LOCKDEP_STACK_TRACE_HASH_BITS + config LOCKDEP_CIRCULAR_QUEUE_BITS + int "Bitsize for elements in circular_queue struct" + depends on LOCKDEP +- range 10 30 ++ range 10 26 + default 12 + help + Try increasing this value if you hit "lockdep bfs error:-1" warning due to __cq_enqueue() failure. +-- +2.39.5 + diff --git a/queue-5.15/mfd-lpc_ich-add-another-gemini-lake-isa-bridge-pci-d.patch b/queue-5.15/mfd-lpc_ich-add-another-gemini-lake-isa-bridge-pci-d.patch new file mode 100644 index 0000000000..1fc819b35f --- /dev/null +++ b/queue-5.15/mfd-lpc_ich-add-another-gemini-lake-isa-bridge-pci-d.patch @@ -0,0 +1,42 @@ +From b1d8fa09ab83103178f6d22ab0fd1b0be10c1a41 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Nov 2024 20:38:08 +0100 +Subject: mfd: lpc_ich: Add another Gemini Lake ISA bridge PCI device-id + +From: Hans de Goede + +[ Upstream commit 1e89d21f8189d286f80b900e1b7cf57cb1f3037e ] + +On N4100 / N4120 Gemini Lake SoCs the ISA bridge PCI device-id is 31e8 +rather the 3197 found on e.g. the N4000 / N4020. + +While at fix the existing GLK PCI-id table entry breaking the table +being sorted by device-id. + +Signed-off-by: Hans de Goede +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20241114193808.110132-1-hdegoede@redhat.com +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/mfd/lpc_ich.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/mfd/lpc_ich.c b/drivers/mfd/lpc_ich.c +index 9ffab9aafd81b..15a6004218521 100644 +--- a/drivers/mfd/lpc_ich.c ++++ b/drivers/mfd/lpc_ich.c +@@ -688,8 +688,9 @@ static const struct pci_device_id lpc_ich_ids[] = { + { PCI_VDEVICE(INTEL, 0x2917), LPC_ICH9ME}, + { PCI_VDEVICE(INTEL, 0x2918), LPC_ICH9}, + { PCI_VDEVICE(INTEL, 0x2919), LPC_ICH9M}, +- { PCI_VDEVICE(INTEL, 0x3197), LPC_GLK}, + { PCI_VDEVICE(INTEL, 0x2b9c), LPC_COUGARMOUNTAIN}, ++ { PCI_VDEVICE(INTEL, 0x3197), LPC_GLK}, ++ { PCI_VDEVICE(INTEL, 0x31e8), LPC_GLK}, + { PCI_VDEVICE(INTEL, 0x3a14), LPC_ICH10DO}, + { PCI_VDEVICE(INTEL, 0x3a16), LPC_ICH10R}, + { PCI_VDEVICE(INTEL, 0x3a18), LPC_ICH10}, +-- +2.39.5 + diff --git a/queue-5.15/mmc-core-respect-quirk_max_rate-for-non-uhs-sdio-car.patch b/queue-5.15/mmc-core-respect-quirk_max_rate-for-non-uhs-sdio-car.patch new file mode 100644 index 0000000000..ca96101e72 --- /dev/null +++ b/queue-5.15/mmc-core-respect-quirk_max_rate-for-non-uhs-sdio-car.patch @@ -0,0 +1,37 @@ +From baca264ee7b8cc4e52a62078b1fadd05f63c355c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Nov 2024 17:37:22 +0800 +Subject: mmc: core: Respect quirk_max_rate for non-UHS SDIO card + +From: Shawn Lin + +[ Upstream commit a2a44f8da29352f76c99c6904ee652911b8dc7dd ] + +The card-quirk was added to limit the clock-rate for a card with UHS-mode +support, although let's respect the quirk for non-UHS mode too, to make the +behaviour consistent. + +Signed-off-by: Shawn Lin +Message-ID: <1732268242-72799-1-git-send-email-shawn.lin@rock-chips.com> +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/core/sdio.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/mmc/core/sdio.c b/drivers/mmc/core/sdio.c +index eda2dbd965392..a0cac8c87ef2f 100644 +--- a/drivers/mmc/core/sdio.c ++++ b/drivers/mmc/core/sdio.c +@@ -443,6 +443,8 @@ static unsigned mmc_sdio_get_max_clock(struct mmc_card *card) + if (card->type == MMC_TYPE_SD_COMBO) + max_dtr = min(max_dtr, mmc_sd_get_max_clock(card)); + ++ max_dtr = min_not_zero(max_dtr, card->quirk_max_rate); ++ + return max_dtr; + } + +-- +2.39.5 + diff --git a/queue-5.15/mmc-sdhci-msm-correctly-set-the-load-for-the-regulat.patch b/queue-5.15/mmc-sdhci-msm-correctly-set-the-load-for-the-regulat.patch new file mode 100644 index 0000000000..659ce0cf57 --- /dev/null +++ b/queue-5.15/mmc-sdhci-msm-correctly-set-the-load-for-the-regulat.patch @@ -0,0 +1,122 @@ +From 2a1204e9e91752fff4f478054070bd9df842d43b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Jan 2025 16:35:14 +0800 +Subject: mmc: sdhci-msm: Correctly set the load for the regulator + +From: Yuanjie Yang + +[ Upstream commit 20a0c37e44063997391430c4ae09973e9cbc3911 ] + +Qualcomm regulator supports two power supply modes: HPM and LPM. +Currently, the sdhci-msm.c driver does not set the load to adjust +the current for eMMC and SD. If the regulator dont't set correct +load in LPM state, it will lead to the inability to properly +initialize eMMC and SD. + +Set the correct regulator current for eMMC and SD to ensure that the +device can work normally even when the regulator is in LPM. + +Signed-off-by: Yuanjie Yang +Reviewed-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20250114083514.258379-1-quic_yuanjiey@quicinc.com +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/sdhci-msm.c | 53 ++++++++++++++++++++++++++++++++++-- + 1 file changed, 51 insertions(+), 2 deletions(-) + +diff --git a/drivers/mmc/host/sdhci-msm.c b/drivers/mmc/host/sdhci-msm.c +index 943fc7b7f4fb5..4b727754d8e3c 100644 +--- a/drivers/mmc/host/sdhci-msm.c ++++ b/drivers/mmc/host/sdhci-msm.c +@@ -132,9 +132,18 @@ + /* Timeout value to avoid infinite waiting for pwr_irq */ + #define MSM_PWR_IRQ_TIMEOUT_MS 5000 + ++/* Max load for eMMC Vdd supply */ ++#define MMC_VMMC_MAX_LOAD_UA 570000 ++ + /* Max load for eMMC Vdd-io supply */ + #define MMC_VQMMC_MAX_LOAD_UA 325000 + ++/* Max load for SD Vdd supply */ ++#define SD_VMMC_MAX_LOAD_UA 800000 ++ ++/* Max load for SD Vdd-io supply */ ++#define SD_VQMMC_MAX_LOAD_UA 22000 ++ + #define msm_host_readl(msm_host, host, offset) \ + msm_host->var_ops->msm_readl_relaxed(host, offset) + +@@ -1399,11 +1408,48 @@ static int sdhci_msm_set_pincfg(struct sdhci_msm_host *msm_host, bool level) + return ret; + } + +-static int sdhci_msm_set_vmmc(struct mmc_host *mmc) ++static void msm_config_vmmc_regulator(struct mmc_host *mmc, bool hpm) ++{ ++ int load; ++ ++ if (!hpm) ++ load = 0; ++ else if (!mmc->card) ++ load = max(MMC_VMMC_MAX_LOAD_UA, SD_VMMC_MAX_LOAD_UA); ++ else if (mmc_card_mmc(mmc->card)) ++ load = MMC_VMMC_MAX_LOAD_UA; ++ else if (mmc_card_sd(mmc->card)) ++ load = SD_VMMC_MAX_LOAD_UA; ++ else ++ return; ++ ++ regulator_set_load(mmc->supply.vmmc, load); ++} ++ ++static void msm_config_vqmmc_regulator(struct mmc_host *mmc, bool hpm) ++{ ++ int load; ++ ++ if (!hpm) ++ load = 0; ++ else if (!mmc->card) ++ load = max(MMC_VQMMC_MAX_LOAD_UA, SD_VQMMC_MAX_LOAD_UA); ++ else if (mmc_card_sd(mmc->card)) ++ load = SD_VQMMC_MAX_LOAD_UA; ++ else ++ return; ++ ++ regulator_set_load(mmc->supply.vqmmc, load); ++} ++ ++static int sdhci_msm_set_vmmc(struct sdhci_msm_host *msm_host, ++ struct mmc_host *mmc, bool hpm) + { + if (IS_ERR(mmc->supply.vmmc)) + return 0; + ++ msm_config_vmmc_regulator(mmc, hpm); ++ + return mmc_regulator_set_ocr(mmc, mmc->supply.vmmc, mmc->ios.vdd); + } + +@@ -1416,6 +1462,8 @@ static int msm_toggle_vqmmc(struct sdhci_msm_host *msm_host, + if (msm_host->vqmmc_enabled == level) + return 0; + ++ msm_config_vqmmc_regulator(mmc, level); ++ + if (level) { + /* Set the IO voltage regulator to default voltage level */ + if (msm_host->caps_0 & CORE_3_0V_SUPPORT) +@@ -1638,7 +1686,8 @@ static void sdhci_msm_handle_pwr_irq(struct sdhci_host *host, int irq) + } + + if (pwr_state) { +- ret = sdhci_msm_set_vmmc(mmc); ++ ret = sdhci_msm_set_vmmc(msm_host, mmc, ++ pwr_state & REQ_BUS_ON); + if (!ret) + ret = sdhci_msm_set_vqmmc(msm_host, mmc, + pwr_state & REQ_BUS_ON); +-- +2.39.5 + diff --git a/queue-5.15/net-mlx5-use-do_aux_work-for-phc-overflow-checks.patch b/queue-5.15/net-mlx5-use-do_aux_work-for-phc-overflow-checks.patch new file mode 100644 index 0000000000..634f9eaf64 --- /dev/null +++ b/queue-5.15/net-mlx5-use-do_aux_work-for-phc-overflow-checks.patch @@ -0,0 +1,129 @@ +From 4c43b6386850c984ff62cde1ef2114197db0e0bf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Jan 2025 02:48:12 -0800 +Subject: net/mlx5: use do_aux_work for PHC overflow checks + +From: Vadim Fedorenko + +[ Upstream commit e61e6c415ba9ff2b32bb6780ce1b17d1d76238f1 ] + +The overflow_work is using system wq to do overflow checks and updates +for PHC device timecounter, which might be overhelmed by other tasks. +But there is dedicated kthread in PTP subsystem designed for such +things. This patch changes the work queue to proper align with PTP +subsystem and to avoid overloading system work queue. +The adjfine() function acts the same way as overflow check worker, +we can postpone ptp aux worker till the next overflow period after +adjfine() was called. + +Reviewed-by: Dragos Tatulea +Signed-off-by: Vadim Fedorenko +Acked-by: Tariq Toukan +Link: https://patch.msgid.link/20250107104812.380225-1-vadfed@meta.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + .../ethernet/mellanox/mlx5/core/lib/clock.c | 24 ++++++++++--------- + include/linux/mlx5/driver.h | 1 - + 2 files changed, 13 insertions(+), 12 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lib/clock.c b/drivers/net/ethernet/mellanox/mlx5/core/lib/clock.c +index 6fece284de0f3..26d91b080d3c4 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/lib/clock.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/clock.c +@@ -177,17 +177,16 @@ static void mlx5_pps_out(struct work_struct *work) + } + } + +-static void mlx5_timestamp_overflow(struct work_struct *work) ++static long mlx5_timestamp_overflow(struct ptp_clock_info *ptp_info) + { +- struct delayed_work *dwork = to_delayed_work(work); + struct mlx5_core_dev *mdev; + struct mlx5_timer *timer; + struct mlx5_clock *clock; + unsigned long flags; + +- timer = container_of(dwork, struct mlx5_timer, overflow_work); +- clock = container_of(timer, struct mlx5_clock, timer); ++ clock = container_of(ptp_info, struct mlx5_clock, ptp_info); + mdev = container_of(clock, struct mlx5_core_dev, clock); ++ timer = &clock->timer; + + if (mdev->state == MLX5_DEVICE_STATE_INTERNAL_ERROR) + goto out; +@@ -198,7 +197,7 @@ static void mlx5_timestamp_overflow(struct work_struct *work) + write_sequnlock_irqrestore(&clock->lock, flags); + + out: +- schedule_delayed_work(&timer->overflow_work, timer->overflow_period); ++ return timer->overflow_period; + } + + static int mlx5_ptp_settime_real_time(struct mlx5_core_dev *mdev, +@@ -366,6 +365,7 @@ static int mlx5_ptp_adjfreq(struct ptp_clock_info *ptp, s32 delta) + timer->nominal_c_mult + diff; + mlx5_update_clock_info_page(mdev); + write_sequnlock_irqrestore(&clock->lock, flags); ++ ptp_schedule_worker(clock->ptp, timer->overflow_period); + + return 0; + } +@@ -616,6 +616,7 @@ static const struct ptp_clock_info mlx5_ptp_clock_info = { + .settime64 = mlx5_ptp_settime, + .enable = NULL, + .verify = NULL, ++ .do_aux_work = mlx5_timestamp_overflow, + }; + + static int mlx5_query_mtpps_pin_mode(struct mlx5_core_dev *mdev, u8 pin, +@@ -809,12 +810,11 @@ static void mlx5_init_overflow_period(struct mlx5_clock *clock) + do_div(ns, NSEC_PER_SEC / HZ); + timer->overflow_period = ns; + +- INIT_DELAYED_WORK(&timer->overflow_work, mlx5_timestamp_overflow); +- if (timer->overflow_period) +- schedule_delayed_work(&timer->overflow_work, 0); +- else ++ if (!timer->overflow_period) { ++ timer->overflow_period = HZ; + mlx5_core_warn(mdev, +- "invalid overflow period, overflow_work is not scheduled\n"); ++ "invalid overflow period, overflow_work is scheduled once per second\n"); ++ } + + if (clock_info) + clock_info->overflow_period = timer->overflow_period; +@@ -900,6 +900,9 @@ void mlx5_init_clock(struct mlx5_core_dev *mdev) + + MLX5_NB_INIT(&clock->pps_nb, mlx5_pps_event, PPS_EVENT); + mlx5_eq_notifier_register(mdev, &clock->pps_nb); ++ ++ if (clock->ptp) ++ ptp_schedule_worker(clock->ptp, 0); + } + + void mlx5_cleanup_clock(struct mlx5_core_dev *mdev) +@@ -916,7 +919,6 @@ void mlx5_cleanup_clock(struct mlx5_core_dev *mdev) + } + + cancel_work_sync(&clock->pps_info.out_work); +- cancel_delayed_work_sync(&clock->timer.overflow_work); + + if (mdev->clock_info) { + free_page((unsigned long)mdev->clock_info); +diff --git a/include/linux/mlx5/driver.h b/include/linux/mlx5/driver.h +index 8f0c321674a88..ff47cff408aad 100644 +--- a/include/linux/mlx5/driver.h ++++ b/include/linux/mlx5/driver.h +@@ -685,7 +685,6 @@ struct mlx5_timer { + struct timecounter tc; + u32 nominal_c_mult; + unsigned long overflow_period; +- struct delayed_work overflow_work; + }; + + struct mlx5_clock { +-- +2.39.5 + diff --git a/queue-5.15/net-ncsi-add-nc-si-1.2-get-mc-mac-address-command.patch b/queue-5.15/net-ncsi-add-nc-si-1.2-get-mc-mac-address-command.patch new file mode 100644 index 0000000000..206bc60cd2 --- /dev/null +++ b/queue-5.15/net-ncsi-add-nc-si-1.2-get-mc-mac-address-command.patch @@ -0,0 +1,173 @@ +From 0cc880f62fc5c82c42704cdaa79a9c6c5d0f6794 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Nov 2023 10:07:35 -0600 +Subject: net/ncsi: Add NC-SI 1.2 Get MC MAC Address command + +From: Peter Delevoryas + +[ Upstream commit b8291cf3d1180b5b61299922f17c9441616a805a ] + +This change adds support for the NC-SI 1.2 Get MC MAC Address command, +specified here: + +https://www.dmtf.org/sites/default/files/standards/documents/DSP0222_1.2.0.pdf + +It serves the exact same function as the existing OEM Get MAC Address +commands, so if a channel reports that it supports NC-SI 1.2, we prefer +to use the standard command rather than the OEM command. + +Verified with an invalid MAC address and 2 valid ones: + +[ 55.137072] ftgmac100 1e690000.ftgmac eth0: NCSI: Received 3 provisioned MAC addresses +[ 55.137614] ftgmac100 1e690000.ftgmac eth0: NCSI: MAC address 0: 00:00:00:00:00:00 +[ 55.138026] ftgmac100 1e690000.ftgmac eth0: NCSI: MAC address 1: fa:ce:b0:0c:20:22 +[ 55.138528] ftgmac100 1e690000.ftgmac eth0: NCSI: MAC address 2: fa:ce:b0:0c:20:23 +[ 55.139241] ftgmac100 1e690000.ftgmac eth0: NCSI: Unable to assign 00:00:00:00:00:00 to device +[ 55.140098] ftgmac100 1e690000.ftgmac eth0: NCSI: Set MAC address to fa:ce:b0:0c:20:22 + +Signed-off-by: Peter Delevoryas +Signed-off-by: Patrick Williams +Signed-off-by: David S. Miller +Stable-dep-of: 9e2bbab94b88 ("net/ncsi: fix locking in Get MAC Address handling") +Signed-off-by: Sasha Levin +--- + net/ncsi/ncsi-cmd.c | 3 ++- + net/ncsi/ncsi-manage.c | 9 +++++++-- + net/ncsi/ncsi-pkt.h | 10 ++++++++++ + net/ncsi/ncsi-rsp.c | 41 ++++++++++++++++++++++++++++++++++++++++- + 4 files changed, 59 insertions(+), 4 deletions(-) + +diff --git a/net/ncsi/ncsi-cmd.c b/net/ncsi/ncsi-cmd.c +index dda8b76b77988..7be177f551731 100644 +--- a/net/ncsi/ncsi-cmd.c ++++ b/net/ncsi/ncsi-cmd.c +@@ -269,7 +269,8 @@ static struct ncsi_cmd_handler { + { NCSI_PKT_CMD_GPS, 0, ncsi_cmd_handler_default }, + { NCSI_PKT_CMD_OEM, -1, ncsi_cmd_handler_oem }, + { NCSI_PKT_CMD_PLDM, 0, NULL }, +- { NCSI_PKT_CMD_GPUUID, 0, ncsi_cmd_handler_default } ++ { NCSI_PKT_CMD_GPUUID, 0, ncsi_cmd_handler_default }, ++ { NCSI_PKT_CMD_GMCMA, 0, ncsi_cmd_handler_default } + }; + + static struct ncsi_request *ncsi_alloc_command(struct ncsi_cmd_arg *nca) +diff --git a/net/ncsi/ncsi-manage.c b/net/ncsi/ncsi-manage.c +index 30f5502530374..da7013c407012 100644 +--- a/net/ncsi/ncsi-manage.c ++++ b/net/ncsi/ncsi-manage.c +@@ -1040,11 +1040,16 @@ static void ncsi_configure_channel(struct ncsi_dev_priv *ndp) + case ncsi_dev_state_config_oem_gma: + nd->state = ncsi_dev_state_config_clear_vids; + +- nca.type = NCSI_PKT_CMD_OEM; + nca.package = np->id; + nca.channel = nc->id; + ndp->pending_req_num = 1; +- ret = ncsi_gma_handler(&nca, nc->version.mf_id); ++ if (nc->version.major >= 1 && nc->version.minor >= 2) { ++ nca.type = NCSI_PKT_CMD_GMCMA; ++ ret = ncsi_xmit_cmd(&nca); ++ } else { ++ nca.type = NCSI_PKT_CMD_OEM; ++ ret = ncsi_gma_handler(&nca, nc->version.mf_id); ++ } + if (ret < 0) + schedule_work(&ndp->work); + +diff --git a/net/ncsi/ncsi-pkt.h b/net/ncsi/ncsi-pkt.h +index c9d1da34dc4dc..f2f3b5c1b9412 100644 +--- a/net/ncsi/ncsi-pkt.h ++++ b/net/ncsi/ncsi-pkt.h +@@ -338,6 +338,14 @@ struct ncsi_rsp_gpuuid_pkt { + __be32 checksum; + }; + ++/* Get MC MAC Address */ ++struct ncsi_rsp_gmcma_pkt { ++ struct ncsi_rsp_pkt_hdr rsp; ++ unsigned char address_count; ++ unsigned char reserved[3]; ++ unsigned char addresses[][ETH_ALEN]; ++}; ++ + /* AEN: Link State Change */ + struct ncsi_aen_lsc_pkt { + struct ncsi_aen_pkt_hdr aen; /* AEN header */ +@@ -398,6 +406,7 @@ struct ncsi_aen_hncdsc_pkt { + #define NCSI_PKT_CMD_GPUUID 0x52 /* Get package UUID */ + #define NCSI_PKT_CMD_QPNPR 0x56 /* Query Pending NC PLDM request */ + #define NCSI_PKT_CMD_SNPR 0x57 /* Send NC PLDM Reply */ ++#define NCSI_PKT_CMD_GMCMA 0x58 /* Get MC MAC Address */ + + + /* NCSI packet responses */ +@@ -433,6 +442,7 @@ struct ncsi_aen_hncdsc_pkt { + #define NCSI_PKT_RSP_GPUUID (NCSI_PKT_CMD_GPUUID + 0x80) + #define NCSI_PKT_RSP_QPNPR (NCSI_PKT_CMD_QPNPR + 0x80) + #define NCSI_PKT_RSP_SNPR (NCSI_PKT_CMD_SNPR + 0x80) ++#define NCSI_PKT_RSP_GMCMA (NCSI_PKT_CMD_GMCMA + 0x80) + + /* NCSI response code/reason */ + #define NCSI_PKT_RSP_C_COMPLETED 0x0000 /* Command Completed */ +diff --git a/net/ncsi/ncsi-rsp.c b/net/ncsi/ncsi-rsp.c +index f22d67cb04d37..e28be33bdf2c4 100644 +--- a/net/ncsi/ncsi-rsp.c ++++ b/net/ncsi/ncsi-rsp.c +@@ -1093,6 +1093,44 @@ static int ncsi_rsp_handler_netlink(struct ncsi_request *nr) + return ret; + } + ++static int ncsi_rsp_handler_gmcma(struct ncsi_request *nr) ++{ ++ struct ncsi_dev_priv *ndp = nr->ndp; ++ struct net_device *ndev = ndp->ndev.dev; ++ struct ncsi_rsp_gmcma_pkt *rsp; ++ struct sockaddr saddr; ++ int ret = -1; ++ int i; ++ ++ rsp = (struct ncsi_rsp_gmcma_pkt *)skb_network_header(nr->rsp); ++ saddr.sa_family = ndev->type; ++ ndev->priv_flags |= IFF_LIVE_ADDR_CHANGE; ++ ++ netdev_info(ndev, "NCSI: Received %d provisioned MAC addresses\n", ++ rsp->address_count); ++ for (i = 0; i < rsp->address_count; i++) { ++ netdev_info(ndev, "NCSI: MAC address %d: %02x:%02x:%02x:%02x:%02x:%02x\n", ++ i, rsp->addresses[i][0], rsp->addresses[i][1], ++ rsp->addresses[i][2], rsp->addresses[i][3], ++ rsp->addresses[i][4], rsp->addresses[i][5]); ++ } ++ ++ for (i = 0; i < rsp->address_count; i++) { ++ memcpy(saddr.sa_data, &rsp->addresses[i], ETH_ALEN); ++ ret = ndev->netdev_ops->ndo_set_mac_address(ndev, &saddr); ++ if (ret < 0) { ++ netdev_warn(ndev, "NCSI: Unable to assign %pM to device\n", ++ saddr.sa_data); ++ continue; ++ } ++ netdev_warn(ndev, "NCSI: Set MAC address to %pM\n", saddr.sa_data); ++ break; ++ } ++ ++ ndp->gma_flag = ret == 0; ++ return ret; ++} ++ + static struct ncsi_rsp_handler { + unsigned char type; + int payload; +@@ -1129,7 +1167,8 @@ static struct ncsi_rsp_handler { + { NCSI_PKT_RSP_PLDM, -1, ncsi_rsp_handler_pldm }, + { NCSI_PKT_RSP_GPUUID, 20, ncsi_rsp_handler_gpuuid }, + { NCSI_PKT_RSP_QPNPR, -1, ncsi_rsp_handler_pldm }, +- { NCSI_PKT_RSP_SNPR, -1, ncsi_rsp_handler_pldm } ++ { NCSI_PKT_RSP_SNPR, -1, ncsi_rsp_handler_pldm }, ++ { NCSI_PKT_RSP_GMCMA, -1, ncsi_rsp_handler_gmcma }, + }; + + int ncsi_rcv_rsp(struct sk_buff *skb, struct net_device *dev, +-- +2.39.5 + diff --git a/queue-5.15/net-ncsi-fix-locking-in-get-mac-address-handling.patch b/queue-5.15/net-ncsi-fix-locking-in-get-mac-address-handling.patch new file mode 100644 index 0000000000..c070d2ac6e --- /dev/null +++ b/queue-5.15/net-ncsi-fix-locking-in-get-mac-address-handling.patch @@ -0,0 +1,137 @@ +From 2491fdb3ea11fb12b5edc3de8da14598fb888a35 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Jan 2025 17:50:54 +0300 +Subject: net/ncsi: fix locking in Get MAC Address handling + +From: Paul Fertser + +[ Upstream commit 9e2bbab94b88295dcc57c7580393c9ee08d7314d ] + +Obtaining RTNL lock in a response handler is not allowed since it runs +in an atomic softirq context. Postpone setting the MAC address by adding +a dedicated step to the configuration FSM. + +Fixes: 790071347a0a ("net/ncsi: change from ndo_set_mac_address to dev_set_mac_address") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/20241129-potin-revert-ncsi-set-mac-addr-v1-1-94ea2cb596af@gmail.com +Signed-off-by: Paul Fertser +Tested-by: Potin Lai +Link: https://patch.msgid.link/20250109145054.30925-1-fercerpav@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ncsi/internal.h | 2 ++ + net/ncsi/ncsi-manage.c | 16 ++++++++++++++-- + net/ncsi/ncsi-rsp.c | 19 ++++++------------- + 3 files changed, 22 insertions(+), 15 deletions(-) + +diff --git a/net/ncsi/internal.h b/net/ncsi/internal.h +index ef0f8f73826f5..4e0842df5234e 100644 +--- a/net/ncsi/internal.h ++++ b/net/ncsi/internal.h +@@ -289,6 +289,7 @@ enum { + ncsi_dev_state_config_sp = 0x0301, + ncsi_dev_state_config_cis, + ncsi_dev_state_config_oem_gma, ++ ncsi_dev_state_config_apply_mac, + ncsi_dev_state_config_clear_vids, + ncsi_dev_state_config_svf, + ncsi_dev_state_config_ev, +@@ -322,6 +323,7 @@ struct ncsi_dev_priv { + #define NCSI_DEV_RESHUFFLE 4 + #define NCSI_DEV_RESET 8 /* Reset state of NC */ + unsigned int gma_flag; /* OEM GMA flag */ ++ struct sockaddr pending_mac; /* MAC address received from GMA */ + spinlock_t lock; /* Protect the NCSI device */ + unsigned int package_probe_id;/* Current ID during probe */ + unsigned int package_num; /* Number of packages */ +diff --git a/net/ncsi/ncsi-manage.c b/net/ncsi/ncsi-manage.c +index da7013c407012..1104c6ce8d65e 100644 +--- a/net/ncsi/ncsi-manage.c ++++ b/net/ncsi/ncsi-manage.c +@@ -1038,7 +1038,7 @@ static void ncsi_configure_channel(struct ncsi_dev_priv *ndp) + : ncsi_dev_state_config_clear_vids; + break; + case ncsi_dev_state_config_oem_gma: +- nd->state = ncsi_dev_state_config_clear_vids; ++ nd->state = ncsi_dev_state_config_apply_mac; + + nca.package = np->id; + nca.channel = nc->id; +@@ -1050,10 +1050,22 @@ static void ncsi_configure_channel(struct ncsi_dev_priv *ndp) + nca.type = NCSI_PKT_CMD_OEM; + ret = ncsi_gma_handler(&nca, nc->version.mf_id); + } +- if (ret < 0) ++ if (ret < 0) { ++ nd->state = ncsi_dev_state_config_clear_vids; + schedule_work(&ndp->work); ++ } + + break; ++ case ncsi_dev_state_config_apply_mac: ++ rtnl_lock(); ++ ret = dev_set_mac_address(dev, &ndp->pending_mac, NULL); ++ rtnl_unlock(); ++ if (ret < 0) ++ netdev_warn(dev, "NCSI: 'Writing MAC address to device failed\n"); ++ ++ nd->state = ncsi_dev_state_config_clear_vids; ++ ++ fallthrough; + case ncsi_dev_state_config_clear_vids: + case ncsi_dev_state_config_svf: + case ncsi_dev_state_config_ev: +diff --git a/net/ncsi/ncsi-rsp.c b/net/ncsi/ncsi-rsp.c +index e28be33bdf2c4..14bd66909ca45 100644 +--- a/net/ncsi/ncsi-rsp.c ++++ b/net/ncsi/ncsi-rsp.c +@@ -628,16 +628,14 @@ static int ncsi_rsp_handler_snfc(struct ncsi_request *nr) + static int ncsi_rsp_handler_oem_gma(struct ncsi_request *nr, int mfr_id) + { + struct ncsi_dev_priv *ndp = nr->ndp; ++ struct sockaddr *saddr = &ndp->pending_mac; + struct net_device *ndev = ndp->ndev.dev; + struct ncsi_rsp_oem_pkt *rsp; +- struct sockaddr saddr; + u32 mac_addr_off = 0; +- int ret = 0; + + /* Get the response header */ + rsp = (struct ncsi_rsp_oem_pkt *)skb_network_header(nr->rsp); + +- saddr.sa_family = ndev->type; + ndev->priv_flags |= IFF_LIVE_ADDR_CHANGE; + if (mfr_id == NCSI_OEM_MFR_BCM_ID) + mac_addr_off = BCM_MAC_ADDR_OFFSET; +@@ -646,22 +644,17 @@ static int ncsi_rsp_handler_oem_gma(struct ncsi_request *nr, int mfr_id) + else if (mfr_id == NCSI_OEM_MFR_INTEL_ID) + mac_addr_off = INTEL_MAC_ADDR_OFFSET; + +- memcpy(saddr.sa_data, &rsp->data[mac_addr_off], ETH_ALEN); ++ saddr->sa_family = ndev->type; ++ memcpy(saddr->sa_data, &rsp->data[mac_addr_off], ETH_ALEN); + if (mfr_id == NCSI_OEM_MFR_BCM_ID || mfr_id == NCSI_OEM_MFR_INTEL_ID) +- eth_addr_inc((u8 *)saddr.sa_data); +- if (!is_valid_ether_addr((const u8 *)saddr.sa_data)) ++ eth_addr_inc((u8 *)saddr->sa_data); ++ if (!is_valid_ether_addr((const u8 *)saddr->sa_data)) + return -ENXIO; + + /* Set the flag for GMA command which should only be called once */ + ndp->gma_flag = 1; + +- rtnl_lock(); +- ret = dev_set_mac_address(ndev, &saddr, NULL); +- rtnl_unlock(); +- if (ret < 0) +- netdev_warn(ndev, "NCSI: 'Writing mac address to device failed\n"); +- +- return ret; ++ return 0; + } + + /* Response handler for Mellanox card */ +-- +2.39.5 + diff --git a/queue-5.15/net-wwan-iosm-fix-hibernation-by-re-binding-the-driv.patch b/queue-5.15/net-wwan-iosm-fix-hibernation-by-re-binding-the-driv.patch new file mode 100644 index 0000000000..4135ab56e2 --- /dev/null +++ b/queue-5.15/net-wwan-iosm-fix-hibernation-by-re-binding-the-driv.patch @@ -0,0 +1,146 @@ +From f8ff93c63b0216126b76e9a9d7b20bf6f0b9c60f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Jan 2025 00:33:50 +0100 +Subject: net: wwan: iosm: Fix hibernation by re-binding the driver around it + +From: Maciej S. Szmigiero + +[ Upstream commit 0b6f6593aa8c3a05f155c12fd0e7ad33a5149c31 ] + +Currently, the driver is seriously broken with respect to the +hibernation (S4): after image restore the device is back into +IPC_MEM_EXEC_STAGE_BOOT (which AFAIK means bootloader stage) and needs +full re-launch of the rest of its firmware, but the driver restore +handler treats the device as merely sleeping and just sends it a +wake-up command. + +This wake-up command times out but device nodes (/dev/wwan*) remain +accessible. +However attempting to use them causes the bootloader to crash and +enter IPC_MEM_EXEC_STAGE_CD_READY stage (which apparently means "a crash +dump is ready"). + +It seems that the device cannot be re-initialized from this crashed +stage without toggling some reset pin (on my test platform that's +apparently what the device _RST ACPI method does). + +While it would theoretically be possible to rewrite the driver to tear +down the whole MUX / IPC layers on hibernation (so the bootloader does +not crash from improper access) and then re-launch the device on +restore this would require significant refactoring of the driver +(believe me, I've tried), since there are quite a few assumptions +hard-coded in the driver about the device never being partially +de-initialized (like channels other than devlink cannot be closed, +for example). +Probably this would also need some programming guide for this hardware. + +Considering that the driver seems orphaned [1] and other people are +hitting this issue too [2] fix it by simply unbinding the PCI driver +before hibernation and re-binding it after restore, much like +USB_QUIRK_RESET_RESUME does for USB devices that exhibit a similar +problem. + +Tested on XMM7360 in HP EliteBook 855 G7 both with s2idle (which uses +the existing suspend / resume handlers) and S4 (which uses the new code). + +[1]: https://lore.kernel.org/all/c248f0b4-2114-4c61-905f-466a786bdebb@leemhuis.info/ +[2]: +https://github.com/xmm7360/xmm7360-pci/issues/211#issuecomment-1804139413 + +Reviewed-by: Sergey Ryazanov +Signed-off-by: Maciej S. Szmigiero +Link: https://patch.msgid.link/e60287ebdb0ab54c4075071b72568a40a75d0205.1736372610.git.mail@maciej.szmigiero.name +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/wwan/iosm/iosm_ipc_pcie.c | 56 ++++++++++++++++++++++++++- + 1 file changed, 55 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wwan/iosm/iosm_ipc_pcie.c b/drivers/net/wwan/iosm/iosm_ipc_pcie.c +index 8b4222b137d14..968ca9ff21df1 100644 +--- a/drivers/net/wwan/iosm/iosm_ipc_pcie.c ++++ b/drivers/net/wwan/iosm/iosm_ipc_pcie.c +@@ -6,6 +6,7 @@ + #include + #include + #include ++#include + #include + + #include "iosm_ipc_imem.h" +@@ -18,6 +19,7 @@ MODULE_LICENSE("GPL v2"); + /* WWAN GUID */ + static guid_t wwan_acpi_guid = GUID_INIT(0xbad01b75, 0x22a8, 0x4f48, 0x87, 0x92, + 0xbd, 0xde, 0x94, 0x67, 0x74, 0x7d); ++static bool pci_registered; + + static void ipc_pcie_resources_release(struct iosm_pcie *ipc_pcie) + { +@@ -484,7 +486,6 @@ static struct pci_driver iosm_ipc_driver = { + }, + .id_table = iosm_ipc_ids, + }; +-module_pci_driver(iosm_ipc_driver); + + int ipc_pcie_addr_map(struct iosm_pcie *ipc_pcie, unsigned char *data, + size_t size, dma_addr_t *mapping, int direction) +@@ -566,3 +567,56 @@ void ipc_pcie_kfree_skb(struct iosm_pcie *ipc_pcie, struct sk_buff *skb) + IPC_CB(skb)->mapping = 0; + dev_kfree_skb(skb); + } ++ ++static int pm_notify(struct notifier_block *nb, unsigned long mode, void *_unused) ++{ ++ if (mode == PM_HIBERNATION_PREPARE || mode == PM_RESTORE_PREPARE) { ++ if (pci_registered) { ++ pci_unregister_driver(&iosm_ipc_driver); ++ pci_registered = false; ++ } ++ } else if (mode == PM_POST_HIBERNATION || mode == PM_POST_RESTORE) { ++ if (!pci_registered) { ++ int ret; ++ ++ ret = pci_register_driver(&iosm_ipc_driver); ++ if (ret) { ++ pr_err(KBUILD_MODNAME ": unable to re-register PCI driver: %d\n", ++ ret); ++ } else { ++ pci_registered = true; ++ } ++ } ++ } ++ ++ return 0; ++} ++ ++static struct notifier_block pm_notifier = { ++ .notifier_call = pm_notify, ++}; ++ ++static int __init iosm_ipc_driver_init(void) ++{ ++ int ret; ++ ++ ret = pci_register_driver(&iosm_ipc_driver); ++ if (ret) ++ return ret; ++ ++ pci_registered = true; ++ ++ register_pm_notifier(&pm_notifier); ++ ++ return 0; ++} ++module_init(iosm_ipc_driver_init); ++ ++static void __exit iosm_ipc_driver_exit(void) ++{ ++ unregister_pm_notifier(&pm_notifier); ++ ++ if (pci_registered) ++ pci_unregister_driver(&iosm_ipc_driver); ++} ++module_exit(iosm_ipc_driver_exit); +-- +2.39.5 + diff --git a/queue-5.15/platform-x86-acer-wmi-ignore-ac-events.patch b/queue-5.15/platform-x86-acer-wmi-ignore-ac-events.patch new file mode 100644 index 0000000000..ec5603db38 --- /dev/null +++ b/queue-5.15/platform-x86-acer-wmi-ignore-ac-events.patch @@ -0,0 +1,53 @@ +From a53b3af4e32387e76161acab3f4296a0c9d681a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 19 Jan 2025 21:17:22 +0100 +Subject: platform/x86: acer-wmi: Ignore AC events +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Armin Wolf + +[ Upstream commit f6bfa25c6665f8721421ea94fe506cc22f1d4b43 ] + +On the Acer Swift SFG14-41, the events 8 - 1 and 8 - 0 are printed on +AC connect/disconnect. Ignore those events to avoid spamming the +kernel log with error messages. + +Reported-by: Farhan Anwar +Closes: https://lore.kernel.org/platform-driver-x86/2ffb529d-e7c8-4026-a3b8-120c8e7afec8@gmail.com +Tested-by: Rayan Margham +Reviewed-by: Ilpo Järvinen +Signed-off-by: Armin Wolf +Link: https://lore.kernel.org/r/20250119201723.11102-2-W_Armin@gmx.de +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/acer-wmi.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/platform/x86/acer-wmi.c b/drivers/platform/x86/acer-wmi.c +index 82516796a53b0..7ef80f517e76e 100644 +--- a/drivers/platform/x86/acer-wmi.c ++++ b/drivers/platform/x86/acer-wmi.c +@@ -88,6 +88,7 @@ enum acer_wmi_event_ids { + WMID_HOTKEY_EVENT = 0x1, + WMID_ACCEL_OR_KBD_DOCK_EVENT = 0x5, + WMID_GAMING_TURBO_KEY_EVENT = 0x7, ++ WMID_AC_EVENT = 0x8, + }; + + static const struct key_entry acer_wmi_keymap[] __initconst = { +@@ -2067,6 +2068,9 @@ static void acer_wmi_notify(u32 value, void *context) + if (return_value.key_num == 0x4) + acer_toggle_turbo(); + break; ++ case WMID_AC_EVENT: ++ /* We ignore AC events here */ ++ break; + default: + pr_warn("Unknown function number - %d - %d\n", + return_value.function, return_value.key_num); +-- +2.39.5 + diff --git a/queue-5.15/printk-fix-signed-integer-overflow-when-defining-log.patch b/queue-5.15/printk-fix-signed-integer-overflow-when-defining-log.patch new file mode 100644 index 0000000000..99db46755f --- /dev/null +++ b/queue-5.15/printk-fix-signed-integer-overflow-when-defining-log.patch @@ -0,0 +1,41 @@ +From 9c37b2eb43e9f2a3d57f7fb77c6eb3bfd07c3505 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 28 Sep 2024 19:36:08 +0800 +Subject: printk: Fix signed integer overflow when defining LOG_BUF_LEN_MAX + +From: Kuan-Wei Chiu + +[ Upstream commit 3d6f83df8ff2d5de84b50377e4f0d45e25311c7a ] + +Shifting 1 << 31 on a 32-bit int causes signed integer overflow, which +leads to undefined behavior. To prevent this, cast 1 to u32 before +performing the shift, ensuring well-defined behavior. + +This change explicitly avoids any potential overflow by ensuring that +the shift occurs on an unsigned 32-bit integer. + +Signed-off-by: Kuan-Wei Chiu +Acked-by: Petr Mladek +Link: https://lore.kernel.org/r/20240928113608.1438087-1-visitorckw@gmail.com +Signed-off-by: Petr Mladek +Signed-off-by: Sasha Levin +--- + kernel/printk/printk.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c +index 5e81d2a79d5cc..113990f38436e 100644 +--- a/kernel/printk/printk.c ++++ b/kernel/printk/printk.c +@@ -403,7 +403,7 @@ static struct latched_seq clear_seq = { + /* record buffer */ + #define LOG_ALIGN __alignof__(unsigned long) + #define __LOG_BUF_LEN (1 << CONFIG_LOG_BUF_SHIFT) +-#define LOG_BUF_LEN_MAX (u32)(1 << 31) ++#define LOG_BUF_LEN_MAX ((u32)1 << 31) + static char __log_buf[__LOG_BUF_LEN] __aligned(LOG_ALIGN); + static char *log_buf = __log_buf; + static u32 log_buf_len = __LOG_BUF_LEN; +-- +2.39.5 + diff --git a/queue-5.15/safesetid-check-size-of-policy-writes.patch b/queue-5.15/safesetid-check-size-of-policy-writes.patch new file mode 100644 index 0000000000..0ab3a8eda1 --- /dev/null +++ b/queue-5.15/safesetid-check-size-of-policy-writes.patch @@ -0,0 +1,42 @@ +From 5d57847dbe83076dfe58e7a3583a6ec15b19219a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Dec 2024 10:26:57 -0800 +Subject: safesetid: check size of policy writes + +From: Leo Stone + +[ Upstream commit f09ff307c7299392f1c88f763299e24bc99811c7 ] + +syzbot attempts to write a buffer with a large size to a sysfs entry +with writes handled by handle_policy_update(), triggering a warning +in kmalloc. + +Check the size specified for write buffers before allocating. + +Reported-by: syzbot+4eb7a741b3216020043a@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=4eb7a741b3216020043a +Signed-off-by: Leo Stone +[PM: subject tweak] +Signed-off-by: Paul Moore +Signed-off-by: Sasha Levin +--- + security/safesetid/securityfs.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/security/safesetid/securityfs.c b/security/safesetid/securityfs.c +index 25310468bcddf..8e1ffd70b18ab 100644 +--- a/security/safesetid/securityfs.c ++++ b/security/safesetid/securityfs.c +@@ -143,6 +143,9 @@ static ssize_t handle_policy_update(struct file *file, + char *buf, *p, *end; + int err; + ++ if (len >= KMALLOC_MAX_SIZE) ++ return -EINVAL; ++ + pol = kmalloc(sizeof(struct setid_ruleset), GFP_KERNEL); + if (!pol) + return -ENOMEM; +-- +2.39.5 + diff --git a/queue-5.15/sched-don-t-try-to-catch-up-excess-steal-time.patch b/queue-5.15/sched-don-t-try-to-catch-up-excess-steal-time.patch new file mode 100644 index 0000000000..87ba3ec4fa --- /dev/null +++ b/queue-5.15/sched-don-t-try-to-catch-up-excess-steal-time.patch @@ -0,0 +1,76 @@ +From 60d84bd91a08b522f06dc9396c232fc661ed784f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Nov 2024 13:37:45 +0900 +Subject: sched: Don't try to catch up excess steal time. + +From: Suleiman Souhlal + +[ Upstream commit 108ad0999085df2366dd9ef437573955cb3f5586 ] + +When steal time exceeds the measured delta when updating clock_task, we +currently try to catch up the excess in future updates. +However, this results in inaccurate run times for the future things using +clock_task, in some situations, as they end up getting additional steal +time that did not actually happen. +This is because there is a window between reading the elapsed time in +update_rq_clock() and sampling the steal time in update_rq_clock_task(). +If the VCPU gets preempted between those two points, any additional +steal time is accounted to the outgoing task even though the calculated +delta did not actually contain any of that "stolen" time. +When this race happens, we can end up with steal time that exceeds the +calculated delta, and the previous code would try to catch up that excess +steal time in future clock updates, which is given to the next, +incoming task, even though it did not actually have any time stolen. + +This behavior is particularly bad when steal time can be very long, +which we've seen when trying to extend steal time to contain the duration +that the host was suspended [0]. When this happens, clock_task stays +frozen, during which the running task stays running for the whole +duration, since its run time doesn't increase. +However the race can happen even under normal operation. + +Ideally we would read the elapsed cpu time and the steal time atomically, +to prevent this race from happening in the first place, but doing so +is non-trivial. + +Since the time between those two points isn't otherwise accounted anywhere, +neither to the outgoing task nor the incoming task (because the "end of +outgoing task" and "start of incoming task" timestamps are the same), +I would argue that the right thing to do is to simply drop any excess steal +time, in order to prevent these issues. + +[0] https://lore.kernel.org/kvm/20240820043543.837914-1-suleiman@google.com/ + +Signed-off-by: Suleiman Souhlal +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lore.kernel.org/r/20241118043745.1857272-1-suleiman@google.com +Signed-off-by: Sasha Levin +--- + kernel/sched/core.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/kernel/sched/core.c b/kernel/sched/core.c +index fee8e2a7c7530..e6e3f76648983 100644 +--- a/kernel/sched/core.c ++++ b/kernel/sched/core.c +@@ -642,13 +642,15 @@ static void update_rq_clock_task(struct rq *rq, s64 delta) + #endif + #ifdef CONFIG_PARAVIRT_TIME_ACCOUNTING + if (static_key_false((¶virt_steal_rq_enabled))) { +- steal = paravirt_steal_clock(cpu_of(rq)); ++ u64 prev_steal; ++ ++ steal = prev_steal = paravirt_steal_clock(cpu_of(rq)); + steal -= rq->prev_steal_time_rq; + + if (unlikely(steal > delta)) + steal = delta; + +- rq->prev_steal_time_rq += steal; ++ rq->prev_steal_time_rq = prev_steal; + delta -= steal; + } + #endif +-- +2.39.5 + diff --git a/queue-5.15/selftests-net-ipsec-fix-null-pointer-dereference-in-.patch b/queue-5.15/selftests-net-ipsec-fix-null-pointer-dereference-in-.patch new file mode 100644 index 0000000000..b3aeeae911 --- /dev/null +++ b/queue-5.15/selftests-net-ipsec-fix-null-pointer-dereference-in-.patch @@ -0,0 +1,50 @@ +From d5ad29b202e9d8c1cb1b15a50d25fece38c82ec1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Jan 2025 09:30:37 +0800 +Subject: selftests/net/ipsec: Fix Null pointer dereference in rtattr_pack() + +From: Liu Ye + +[ Upstream commit 3a0b7fa095212b51ed63892540c4f249991a2d74 ] + +Address Null pointer dereference / undefined behavior in rtattr_pack +(note that size is 0 in the bad case). + +Flagged by cppcheck as: + tools/testing/selftests/net/ipsec.c:230:25: warning: Possible null pointer + dereference: payload [nullPointer] + memcpy(RTA_DATA(attr), payload, size); + ^ + tools/testing/selftests/net/ipsec.c:1618:54: note: Calling function 'rtattr_pack', + 4th argument 'NULL' value is 0 + if (rtattr_pack(&req.nh, sizeof(req), XFRMA_IF_ID, NULL, 0)) { + ^ + tools/testing/selftests/net/ipsec.c:230:25: note: Null pointer dereference + memcpy(RTA_DATA(attr), payload, size); + ^ +Signed-off-by: Liu Ye + +Link: https://patch.msgid.link/20250116013037.29470-1-liuye@kylinos.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/ipsec.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/net/ipsec.c b/tools/testing/selftests/net/ipsec.c +index c5be3f390849b..ae3da27b00973 100644 +--- a/tools/testing/selftests/net/ipsec.c ++++ b/tools/testing/selftests/net/ipsec.c +@@ -189,7 +189,8 @@ static int rtattr_pack(struct nlmsghdr *nh, size_t req_sz, + + attr->rta_len = RTA_LENGTH(size); + attr->rta_type = rta_type; +- memcpy(RTA_DATA(attr), payload, size); ++ if (payload) ++ memcpy(RTA_DATA(attr), payload, size); + + return 0; + } +-- +2.39.5 + diff --git a/queue-5.15/series b/queue-5.15/series index 3bc8e58ff3..84a48c5a31 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -200,3 +200,46 @@ mptcp-consolidate-suboption-status.patch media-uvcvideo-fix-double-free-in-error-path.patch usb-gadget-f_tcm-don-t-free-command-immediately.patch btrfs-output-the-reason-for-open_ctree-failure.patch +btrfs-fix-use-after-free-when-attempting-to-join-an-.patch +btrfs-fix-data-race-when-accessing-the-inode-s-disk_.patch +btrfs-convert-bug_on-in-btrfs_reloc_cow_block-to-pro.patch +sched-don-t-try-to-catch-up-excess-steal-time.patch +lockdep-fix-upper-limit-for-lockdep_-_bits-configs.patch +x86-amd_nb-restrict-init-function-to-amd-based-syste.patch +printk-fix-signed-integer-overflow-when-defining-log.patch +drm-sti-hdmi-use-eld_mutex-to-protect-access-to-conn.patch +safesetid-check-size-of-policy-writes.patch +tun-fix-group-permission-check.patch +mmc-core-respect-quirk_max_rate-for-non-uhs-sdio-car.patch +wifi-brcmsmac-add-gain-range-check-to-wlc_phy_iqcal_.patch +tomoyo-don-t-emit-warning-in-tomoyo_write_control.patch +mfd-lpc_ich-add-another-gemini-lake-isa-bridge-pci-d.patch +hid-wacom-add-pci-wacom-device-support.patch +net-mlx5-use-do_aux_work-for-phc-overflow-checks.patch +wifi-iwlwifi-avoid-memory-leak.patch +i2c-force-elan06fa-touchpad-i2c-bus-freq-to-100khz.patch +apei-ghes-have-ghes-honor-the-panic-setting.patch +net-wwan-iosm-fix-hibernation-by-re-binding-the-driv.patch +mmc-sdhci-msm-correctly-set-the-load-for-the-regulat.patch +tipc-re-order-conditions-in-tipc_crypto_key_rcv.patch +selftests-net-ipsec-fix-null-pointer-dereference-in-.patch +input-allocate-keycode-for-phone-linking.patch +platform-x86-acer-wmi-ignore-ac-events.patch +kvm-ppc-e500-mark-struct-page-dirty-in-kvmppc_e500_s.patch +kvm-ppc-e500-mark-struct-page-pfn-accessed-before-dr.patch +kvm-ppc-e500-use-__kvm_faultin_pfn-to-handle-page-fa.patch +kvm-e500-always-restore-irqs.patch +usb-chipidea-ci_hdrc_imx-use-dev_err_probe.patch +usb-chipidea-ci_hdrc_imx-convert-to-platform-remove-.patch +usb-chipidea-ci_hdrc_imx-decrement-device-s-refcount.patch +net-ncsi-add-nc-si-1.2-get-mc-mac-address-command.patch +net-ncsi-fix-locking-in-get-mac-address-handling.patch +gpio-don-t-fiddle-with-irqchips-marked-as-immutable.patch +gpio-expose-the-gpiochip_irq_re-ql-res-helpers.patch +gpio-add-helpers-to-ease-the-transition-towards-immu.patch +gpio-xilinx-convert-to-immutable-irq_chip.patch +gpio-xilinx-convert-gpio_lock-to-raw-spinlock.patch +xfs-report-realtime-block-quota-limits-on-realtime-d.patch +xfs-don-t-over-report-free-space-or-inodes-in-statvf.patch +usb-xhci-add-timeout-argument-in-address_device-usb-.patch +usb-xhci-fix-null-pointer-dereference-on-certain-com.patch diff --git a/queue-5.15/tipc-re-order-conditions-in-tipc_crypto_key_rcv.patch b/queue-5.15/tipc-re-order-conditions-in-tipc_crypto_key_rcv.patch new file mode 100644 index 0000000000..3cb08fd1f0 --- /dev/null +++ b/queue-5.15/tipc-re-order-conditions-in-tipc_crypto_key_rcv.patch @@ -0,0 +1,41 @@ +From dc7c6d8c2a75adc1b79172fb21f5bae59e0a7fce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Jan 2025 12:36:14 +0300 +Subject: tipc: re-order conditions in tipc_crypto_key_rcv() + +From: Dan Carpenter + +[ Upstream commit 5fe71fda89745fc3cd95f70d06e9162b595c3702 ] + +On a 32bit system the "keylen + sizeof(struct tipc_aead_key)" math could +have an integer wrapping issue. It doesn't matter because the "keylen" +is checked on the next line, but just to make life easier for static +analysis tools, let's re-order these conditions and avoid the integer +overflow. + +Signed-off-by: Dan Carpenter +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/tipc/crypto.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/tipc/crypto.c b/net/tipc/crypto.c +index 86d1e782b8fca..b09c4a17b283e 100644 +--- a/net/tipc/crypto.c ++++ b/net/tipc/crypto.c +@@ -2304,8 +2304,8 @@ static bool tipc_crypto_key_rcv(struct tipc_crypto *rx, struct tipc_msg *hdr) + keylen = ntohl(*((__be32 *)(data + TIPC_AEAD_ALG_NAME))); + + /* Verify the supplied size values */ +- if (unlikely(size != keylen + sizeof(struct tipc_aead_key) || +- keylen > TIPC_AEAD_KEY_SIZE_MAX)) { ++ if (unlikely(keylen > TIPC_AEAD_KEY_SIZE_MAX || ++ size != keylen + sizeof(struct tipc_aead_key))) { + pr_debug("%s: invalid MSG_CRYPTO key size\n", rx->name); + goto exit; + } +-- +2.39.5 + diff --git a/queue-5.15/tomoyo-don-t-emit-warning-in-tomoyo_write_control.patch b/queue-5.15/tomoyo-don-t-emit-warning-in-tomoyo_write_control.patch new file mode 100644 index 0000000000..186d5b9595 --- /dev/null +++ b/queue-5.15/tomoyo-don-t-emit-warning-in-tomoyo_write_control.patch @@ -0,0 +1,46 @@ +From 995bfb18d73a16279385280fdcde9f46de5a2ed9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Dec 2024 19:38:40 +0900 +Subject: tomoyo: don't emit warning in tomoyo_write_control() + +From: Tetsuo Handa + +[ Upstream commit 3df7546fc03b8f004eee0b9e3256369f7d096685 ] + +syzbot is reporting too large allocation warning at tomoyo_write_control(), +for one can write a very very long line without new line character. To fix +this warning, I use __GFP_NOWARN rather than checking for KMALLOC_MAX_SIZE, +for practically a valid line should be always shorter than 32KB where the +"too small to fail" memory-allocation rule applies. + +One might try to write a valid line that is longer than 32KB, but such +request will likely fail with -ENOMEM. Therefore, I feel that separately +returning -EINVAL when a line is longer than KMALLOC_MAX_SIZE is redundant. +There is no need to distinguish over-32KB and over-KMALLOC_MAX_SIZE. + +Reported-by: syzbot+7536f77535e5210a5c76@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=7536f77535e5210a5c76 +Reported-by: Leo Stone +Closes: https://lkml.kernel.org/r/20241216021459.178759-2-leocstone@gmail.com +Signed-off-by: Tetsuo Handa +Signed-off-by: Sasha Levin +--- + security/tomoyo/common.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c +index 9a66e5826f25a..cb8184122b920 100644 +--- a/security/tomoyo/common.c ++++ b/security/tomoyo/common.c +@@ -2673,7 +2673,7 @@ ssize_t tomoyo_write_control(struct tomoyo_io_buffer *head, + + if (head->w.avail >= head->writebuf_size - 1) { + const int len = head->writebuf_size * 2; +- char *cp = kzalloc(len, GFP_NOFS); ++ char *cp = kzalloc(len, GFP_NOFS | __GFP_NOWARN); + + if (!cp) { + error = -ENOMEM; +-- +2.39.5 + diff --git a/queue-5.15/tun-fix-group-permission-check.patch b/queue-5.15/tun-fix-group-permission-check.patch new file mode 100644 index 0000000000..27a6a5860f --- /dev/null +++ b/queue-5.15/tun-fix-group-permission-check.patch @@ -0,0 +1,72 @@ +From bd834c1935765628a985904db161786b2c48f92c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Dec 2024 10:36:14 +0300 +Subject: tun: fix group permission check + +From: Stas Sergeev + +[ Upstream commit 3ca459eaba1bf96a8c7878de84fa8872259a01e3 ] + +Currently tun checks the group permission even if the user have matched. +Besides going against the usual permission semantic, this has a +very interesting implication: if the tun group is not among the +supplementary groups of the tun user, then effectively no one can +access the tun device. CAP_SYS_ADMIN still can, but its the same as +not setting the tun ownership. + +This patch relaxes the group checking so that either the user match +or the group match is enough. This avoids the situation when no one +can access the device even though the ownership is properly set. + +Also I simplified the logic by removing the redundant inversions: +tun_not_capable() --> !tun_capable() + +Signed-off-by: Stas Sergeev +Reviewed-by: Willem de Bruijn +Acked-by: Jason Wang +Link: https://patch.msgid.link/20241205073614.294773-1-stsp2@yandex.ru +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/tun.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/tun.c b/drivers/net/tun.c +index 959ca6b9cd138..a85f743aa1573 100644 +--- a/drivers/net/tun.c ++++ b/drivers/net/tun.c +@@ -575,14 +575,18 @@ static u16 tun_select_queue(struct net_device *dev, struct sk_buff *skb, + return ret; + } + +-static inline bool tun_not_capable(struct tun_struct *tun) ++static inline bool tun_capable(struct tun_struct *tun) + { + const struct cred *cred = current_cred(); + struct net *net = dev_net(tun->dev); + +- return ((uid_valid(tun->owner) && !uid_eq(cred->euid, tun->owner)) || +- (gid_valid(tun->group) && !in_egroup_p(tun->group))) && +- !ns_capable(net->user_ns, CAP_NET_ADMIN); ++ if (ns_capable(net->user_ns, CAP_NET_ADMIN)) ++ return 1; ++ if (uid_valid(tun->owner) && uid_eq(cred->euid, tun->owner)) ++ return 1; ++ if (gid_valid(tun->group) && in_egroup_p(tun->group)) ++ return 1; ++ return 0; + } + + static void tun_set_real_num_queues(struct tun_struct *tun) +@@ -2718,7 +2722,7 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr) + !!(tun->flags & IFF_MULTI_QUEUE)) + return -EINVAL; + +- if (tun_not_capable(tun)) ++ if (!tun_capable(tun)) + return -EPERM; + err = security_tun_dev_open(tun->security); + if (err < 0) +-- +2.39.5 + diff --git a/queue-5.15/usb-chipidea-ci_hdrc_imx-convert-to-platform-remove-.patch b/queue-5.15/usb-chipidea-ci_hdrc_imx-convert-to-platform-remove-.patch new file mode 100644 index 0000000000..3e98529331 --- /dev/null +++ b/queue-5.15/usb-chipidea-ci_hdrc_imx-convert-to-platform-remove-.patch @@ -0,0 +1,68 @@ +From 9fc323ba359e08140d8c0a5d31b1b0e481618053 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 May 2023 01:01:07 +0200 +Subject: usb: chipidea/ci_hdrc_imx: Convert to platform remove callback + returning void +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit ad593ed671feb49e93a77653886c042f68b6cdfd ] + +The .remove() callback for a platform driver returns an int which makes +many driver authors wrongly assume it's possible to do error handling by +returning an error code. However the value returned is ignored (apart from +emitting a warning) and this typically results in resource leaks. To improve +here there is a quest to make the remove callback return void. In the first +step of this quest all drivers are converted to .remove_new() which already +returns void. Eventually after all drivers are converted, .remove_new() is +renamed to .remove(). + +Trivially convert this driver from always returning zero in the remove +callback to the void returning variant. + +Signed-off-by: Uwe Kleine-König +Link: https://lore.kernel.org/r/20230517230239.187727-6-u.kleine-koenig@pengutronix.de +Signed-off-by: Greg Kroah-Hartman +Stable-dep-of: 74adad500346 ("usb: chipidea: ci_hdrc_imx: decrement device's refcount in .remove() and in the error path of .probe()") +Signed-off-by: Sasha Levin +--- + drivers/usb/chipidea/ci_hdrc_imx.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/usb/chipidea/ci_hdrc_imx.c b/drivers/usb/chipidea/ci_hdrc_imx.c +index caa91117ba429..9f4253777d0de 100644 +--- a/drivers/usb/chipidea/ci_hdrc_imx.c ++++ b/drivers/usb/chipidea/ci_hdrc_imx.c +@@ -505,7 +505,7 @@ static int ci_hdrc_imx_probe(struct platform_device *pdev) + return ret; + } + +-static int ci_hdrc_imx_remove(struct platform_device *pdev) ++static void ci_hdrc_imx_remove(struct platform_device *pdev) + { + struct ci_hdrc_imx_data *data = platform_get_drvdata(pdev); + +@@ -525,8 +525,6 @@ static int ci_hdrc_imx_remove(struct platform_device *pdev) + if (data->hsic_pad_regulator) + regulator_disable(data->hsic_pad_regulator); + } +- +- return 0; + } + + static void ci_hdrc_imx_shutdown(struct platform_device *pdev) +@@ -672,7 +670,7 @@ static const struct dev_pm_ops ci_hdrc_imx_pm_ops = { + }; + static struct platform_driver ci_hdrc_imx_driver = { + .probe = ci_hdrc_imx_probe, +- .remove = ci_hdrc_imx_remove, ++ .remove_new = ci_hdrc_imx_remove, + .shutdown = ci_hdrc_imx_shutdown, + .driver = { + .name = "imx_usb", +-- +2.39.5 + diff --git a/queue-5.15/usb-chipidea-ci_hdrc_imx-decrement-device-s-refcount.patch b/queue-5.15/usb-chipidea-ci_hdrc_imx-decrement-device-s-refcount.patch new file mode 100644 index 0000000000..1fc0df9304 --- /dev/null +++ b/queue-5.15/usb-chipidea-ci_hdrc_imx-decrement-device-s-refcount.patch @@ -0,0 +1,115 @@ +From 67f7f8e41c3931663a765787fe4e007138300819 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Dec 2024 10:55:39 +0900 +Subject: usb: chipidea: ci_hdrc_imx: decrement device's refcount in .remove() + and in the error path of .probe() + +From: Joe Hattori + +[ Upstream commit 74adad500346fb07d69af2c79acbff4adb061134 ] + +Current implementation of ci_hdrc_imx_driver does not decrement the +refcount of the device obtained in usbmisc_get_init_data(). Add a +put_device() call in .remove() and in .probe() before returning an +error. + +This bug was found by an experimental static analysis tool that I am +developing. + +Cc: stable +Fixes: f40017e0f332 ("chipidea: usbmisc_imx: Add USB support for VF610 SoCs") +Signed-off-by: Joe Hattori +Acked-by: Peter Chen +Link: https://lore.kernel.org/r/20241216015539.352579-1-joe@pf.is.s.u-tokyo.ac.jp +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/chipidea/ci_hdrc_imx.c | 25 +++++++++++++++++-------- + 1 file changed, 17 insertions(+), 8 deletions(-) + +diff --git a/drivers/usb/chipidea/ci_hdrc_imx.c b/drivers/usb/chipidea/ci_hdrc_imx.c +index 9f4253777d0de..13731e85980e2 100644 +--- a/drivers/usb/chipidea/ci_hdrc_imx.c ++++ b/drivers/usb/chipidea/ci_hdrc_imx.c +@@ -355,25 +355,29 @@ static int ci_hdrc_imx_probe(struct platform_device *pdev) + data->pinctrl = devm_pinctrl_get(dev); + if (PTR_ERR(data->pinctrl) == -ENODEV) + data->pinctrl = NULL; +- else if (IS_ERR(data->pinctrl)) +- return dev_err_probe(dev, PTR_ERR(data->pinctrl), ++ else if (IS_ERR(data->pinctrl)) { ++ ret = dev_err_probe(dev, PTR_ERR(data->pinctrl), + "pinctrl get failed\n"); ++ goto err_put; ++ } + + data->hsic_pad_regulator = + devm_regulator_get_optional(dev, "hsic"); + if (PTR_ERR(data->hsic_pad_regulator) == -ENODEV) { + /* no pad regualator is needed */ + data->hsic_pad_regulator = NULL; +- } else if (IS_ERR(data->hsic_pad_regulator)) +- return dev_err_probe(dev, PTR_ERR(data->hsic_pad_regulator), ++ } else if (IS_ERR(data->hsic_pad_regulator)) { ++ ret = dev_err_probe(dev, PTR_ERR(data->hsic_pad_regulator), + "Get HSIC pad regulator error\n"); ++ goto err_put; ++ } + + if (data->hsic_pad_regulator) { + ret = regulator_enable(data->hsic_pad_regulator); + if (ret) { + dev_err(dev, + "Failed to enable HSIC pad regulator\n"); +- return ret; ++ goto err_put; + } + } + } +@@ -387,13 +391,14 @@ static int ci_hdrc_imx_probe(struct platform_device *pdev) + dev_err(dev, + "pinctrl_hsic_idle lookup failed, err=%ld\n", + PTR_ERR(pinctrl_hsic_idle)); +- return PTR_ERR(pinctrl_hsic_idle); ++ ret = PTR_ERR(pinctrl_hsic_idle); ++ goto err_put; + } + + ret = pinctrl_select_state(data->pinctrl, pinctrl_hsic_idle); + if (ret) { + dev_err(dev, "hsic_idle select failed, err=%d\n", ret); +- return ret; ++ goto err_put; + } + + data->pinctrl_hsic_active = pinctrl_lookup_state(data->pinctrl, +@@ -402,7 +407,8 @@ static int ci_hdrc_imx_probe(struct platform_device *pdev) + dev_err(dev, + "pinctrl_hsic_active lookup failed, err=%ld\n", + PTR_ERR(data->pinctrl_hsic_active)); +- return PTR_ERR(data->pinctrl_hsic_active); ++ ret = PTR_ERR(data->pinctrl_hsic_active); ++ goto err_put; + } + } + +@@ -502,6 +508,8 @@ static int ci_hdrc_imx_probe(struct platform_device *pdev) + if (pdata.flags & CI_HDRC_PMQOS) + cpu_latency_qos_remove_request(&data->pm_qos_req); + data->ci_pdev = NULL; ++err_put: ++ put_device(data->usbmisc_data->dev); + return ret; + } + +@@ -525,6 +533,7 @@ static void ci_hdrc_imx_remove(struct platform_device *pdev) + if (data->hsic_pad_regulator) + regulator_disable(data->hsic_pad_regulator); + } ++ put_device(data->usbmisc_data->dev); + } + + static void ci_hdrc_imx_shutdown(struct platform_device *pdev) +-- +2.39.5 + diff --git a/queue-5.15/usb-chipidea-ci_hdrc_imx-use-dev_err_probe.patch b/queue-5.15/usb-chipidea-ci_hdrc_imx-use-dev_err_probe.patch new file mode 100644 index 0000000000..13f07cb6dd --- /dev/null +++ b/queue-5.15/usb-chipidea-ci_hdrc_imx-use-dev_err_probe.patch @@ -0,0 +1,71 @@ +From 3cba9013df24dc3ce10eea86588b84850038c7bf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Jun 2022 14:05:22 +0200 +Subject: usb: chipidea: ci_hdrc_imx: use dev_err_probe() + +From: Alexander Stein + +[ Upstream commit 18171cfc3c236a1587dcad9adc27c6e781af4438 ] + +Use dev_err_probe() to simplify handling errors in ci_hdrc_imx_probe() + +Acked-by: Peter Chen +Signed-off-by: Alexander Stein +Link: https://lore.kernel.org/r/20220614120522.1469957-1-alexander.stein@ew.tq-group.com +Signed-off-by: Greg Kroah-Hartman +Stable-dep-of: 74adad500346 ("usb: chipidea: ci_hdrc_imx: decrement device's refcount in .remove() and in the error path of .probe()") +Signed-off-by: Sasha Levin +--- + drivers/usb/chipidea/ci_hdrc_imx.c | 23 +++++++---------------- + 1 file changed, 7 insertions(+), 16 deletions(-) + +diff --git a/drivers/usb/chipidea/ci_hdrc_imx.c b/drivers/usb/chipidea/ci_hdrc_imx.c +index d8efa90479e23..caa91117ba429 100644 +--- a/drivers/usb/chipidea/ci_hdrc_imx.c ++++ b/drivers/usb/chipidea/ci_hdrc_imx.c +@@ -355,25 +355,18 @@ static int ci_hdrc_imx_probe(struct platform_device *pdev) + data->pinctrl = devm_pinctrl_get(dev); + if (PTR_ERR(data->pinctrl) == -ENODEV) + data->pinctrl = NULL; +- else if (IS_ERR(data->pinctrl)) { +- if (PTR_ERR(data->pinctrl) != -EPROBE_DEFER) +- dev_err(dev, "pinctrl get failed, err=%ld\n", +- PTR_ERR(data->pinctrl)); +- return PTR_ERR(data->pinctrl); +- } ++ else if (IS_ERR(data->pinctrl)) ++ return dev_err_probe(dev, PTR_ERR(data->pinctrl), ++ "pinctrl get failed\n"); + + data->hsic_pad_regulator = + devm_regulator_get_optional(dev, "hsic"); + if (PTR_ERR(data->hsic_pad_regulator) == -ENODEV) { + /* no pad regualator is needed */ + data->hsic_pad_regulator = NULL; +- } else if (IS_ERR(data->hsic_pad_regulator)) { +- if (PTR_ERR(data->hsic_pad_regulator) != -EPROBE_DEFER) +- dev_err(dev, +- "Get HSIC pad regulator error: %ld\n", +- PTR_ERR(data->hsic_pad_regulator)); +- return PTR_ERR(data->hsic_pad_regulator); +- } ++ } else if (IS_ERR(data->hsic_pad_regulator)) ++ return dev_err_probe(dev, PTR_ERR(data->hsic_pad_regulator), ++ "Get HSIC pad regulator error\n"); + + if (data->hsic_pad_regulator) { + ret = regulator_enable(data->hsic_pad_regulator); +@@ -465,9 +458,7 @@ static int ci_hdrc_imx_probe(struct platform_device *pdev) + &pdata); + if (IS_ERR(data->ci_pdev)) { + ret = PTR_ERR(data->ci_pdev); +- if (ret != -EPROBE_DEFER) +- dev_err(dev, "ci_hdrc_add_device failed, err=%d\n", +- ret); ++ dev_err_probe(dev, ret, "ci_hdrc_add_device failed\n"); + goto err_clk; + } + +-- +2.39.5 + diff --git a/queue-5.15/usb-xhci-add-timeout-argument-in-address_device-usb-.patch b/queue-5.15/usb-xhci-add-timeout-argument-in-address_device-usb-.patch new file mode 100644 index 0000000000..702056a2f9 --- /dev/null +++ b/queue-5.15/usb-xhci-add-timeout-argument-in-address_device-usb-.patch @@ -0,0 +1,206 @@ +From b9857f8447f44af171dca03ec7e63f655e68b8d9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Oct 2023 17:20:28 +0200 +Subject: usb: xhci: Add timeout argument in address_device USB HCD callback + +From: Hardik Gajjar + +[ Upstream commit a769154c7cac037914ba375ae88aae55b2c853e0 ] + +- The HCD address_device callback now accepts a user-defined timeout value + in milliseconds, providing better control over command execution times. +- The default timeout value for the address_device command has been set + to 5000 ms, aligning with the USB 3.2 specification. However, this + timeout can be adjusted as needed. +- The xhci_setup_device function has been updated to accept the timeout + value, allowing it to specify the maximum wait time for the command + operation to complete. +- The hub driver has also been updated to accommodate the newly added + timeout parameter during the SET_ADDRESS request. + +Signed-off-by: Hardik Gajjar +Reviewed-by: Mathias Nyman +Link: https://lore.kernel.org/r/20231027152029.104363-1-hgajjar@de.adit-jv.com +Signed-off-by: Greg Kroah-Hartman +Stable-dep-of: 1e0a19912adb ("usb: xhci: Fix NULL pointer dereference on certain command aborts") +Signed-off-by: Sasha Levin +--- + drivers/usb/core/hub.c | 2 +- + drivers/usb/host/xhci-mem.c | 2 ++ + drivers/usb/host/xhci-ring.c | 11 ++++++----- + drivers/usb/host/xhci.c | 23 ++++++++++++++++------- + drivers/usb/host/xhci.h | 9 +++++++-- + include/linux/usb/hcd.h | 5 +++-- + 6 files changed, 35 insertions(+), 17 deletions(-) + +diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c +index 1a7a6161e68ff..9902fcc06d5e2 100644 +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -4654,7 +4654,7 @@ static int hub_set_address(struct usb_device *udev, int devnum) + if (udev->state != USB_STATE_DEFAULT) + return -EINVAL; + if (hcd->driver->address_device) +- retval = hcd->driver->address_device(hcd, udev); ++ retval = hcd->driver->address_device(hcd, udev, USB_CTRL_SET_TIMEOUT); + else + retval = usb_control_msg(udev, usb_sndaddr0pipe(), + USB_REQ_SET_ADDRESS, 0, devnum, 0, +diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c +index c44b66628a6dc..c819192445b08 100644 +--- a/drivers/usb/host/xhci-mem.c ++++ b/drivers/usb/host/xhci-mem.c +@@ -1761,6 +1761,8 @@ struct xhci_command *xhci_alloc_command(struct xhci_hcd *xhci, + } + + command->status = 0; ++ /* set default timeout to 5000 ms */ ++ command->timeout_ms = XHCI_CMD_DEFAULT_TIMEOUT; + INIT_LIST_HEAD(&command->cmd_list); + return command; + } +diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c +index f2b86872aa6bd..97b192058ffe4 100644 +--- a/drivers/usb/host/xhci-ring.c ++++ b/drivers/usb/host/xhci-ring.c +@@ -333,9 +333,10 @@ void xhci_ring_cmd_db(struct xhci_hcd *xhci) + readl(&xhci->dba->doorbell[0]); + } + +-static bool xhci_mod_cmd_timer(struct xhci_hcd *xhci, unsigned long delay) ++static bool xhci_mod_cmd_timer(struct xhci_hcd *xhci) + { +- return mod_delayed_work(system_wq, &xhci->cmd_timer, delay); ++ return mod_delayed_work(system_wq, &xhci->cmd_timer, ++ msecs_to_jiffies(xhci->current_cmd->timeout_ms)); + } + + static struct xhci_command *xhci_next_queued_cmd(struct xhci_hcd *xhci) +@@ -379,7 +380,7 @@ static void xhci_handle_stopped_cmd_ring(struct xhci_hcd *xhci, + if ((xhci->cmd_ring->dequeue != xhci->cmd_ring->enqueue) && + !(xhci->xhc_state & XHCI_STATE_DYING)) { + xhci->current_cmd = cur_cmd; +- xhci_mod_cmd_timer(xhci, XHCI_CMD_DEFAULT_TIMEOUT); ++ xhci_mod_cmd_timer(xhci); + xhci_ring_cmd_db(xhci); + } + } +@@ -1922,7 +1923,7 @@ static void handle_cmd_completion(struct xhci_hcd *xhci, + if (!list_is_singular(&xhci->cmd_list)) { + xhci->current_cmd = list_first_entry(&cmd->cmd_list, + struct xhci_command, cmd_list); +- xhci_mod_cmd_timer(xhci, XHCI_CMD_DEFAULT_TIMEOUT); ++ xhci_mod_cmd_timer(xhci); + } else if (xhci->current_cmd == cmd) { + xhci->current_cmd = NULL; + } +@@ -4503,7 +4504,7 @@ static int queue_command(struct xhci_hcd *xhci, struct xhci_command *cmd, + /* if there are no other commands queued we start the timeout timer */ + if (list_empty(&xhci->cmd_list)) { + xhci->current_cmd = cmd; +- xhci_mod_cmd_timer(xhci, XHCI_CMD_DEFAULT_TIMEOUT); ++ xhci_mod_cmd_timer(xhci); + } + + list_add_tail(&cmd->cmd_list, &xhci->cmd_list); +diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c +index c145a1ac1abab..e9ebb6c7954fa 100644 +--- a/drivers/usb/host/xhci.c ++++ b/drivers/usb/host/xhci.c +@@ -4190,12 +4190,18 @@ int xhci_alloc_dev(struct usb_hcd *hcd, struct usb_device *udev) + return 0; + } + +-/* +- * Issue an Address Device command and optionally send a corresponding +- * SetAddress request to the device. ++/** ++ * xhci_setup_device - issues an Address Device command to assign a unique ++ * USB bus address. ++ * @hcd: USB host controller data structure. ++ * @udev: USB dev structure representing the connected device. ++ * @setup: Enum specifying setup mode: address only or with context. ++ * @timeout_ms: Max wait time (ms) for the command operation to complete. ++ * ++ * Return: 0 if successful; otherwise, negative error code. + */ + static int xhci_setup_device(struct usb_hcd *hcd, struct usb_device *udev, +- enum xhci_setup_dev setup) ++ enum xhci_setup_dev setup, unsigned int timeout_ms) + { + const char *act = setup == SETUP_CONTEXT_ONLY ? "context" : "address"; + unsigned long flags; +@@ -4252,6 +4258,7 @@ static int xhci_setup_device(struct usb_hcd *hcd, struct usb_device *udev, + } + + command->in_ctx = virt_dev->in_ctx; ++ command->timeout_ms = timeout_ms; + + slot_ctx = xhci_get_slot_ctx(xhci, virt_dev->in_ctx); + ctrl_ctx = xhci_get_input_control_ctx(virt_dev->in_ctx); +@@ -4380,14 +4387,16 @@ static int xhci_setup_device(struct usb_hcd *hcd, struct usb_device *udev, + return ret; + } + +-static int xhci_address_device(struct usb_hcd *hcd, struct usb_device *udev) ++static int xhci_address_device(struct usb_hcd *hcd, struct usb_device *udev, ++ unsigned int timeout_ms) + { +- return xhci_setup_device(hcd, udev, SETUP_CONTEXT_ADDRESS); ++ return xhci_setup_device(hcd, udev, SETUP_CONTEXT_ADDRESS, timeout_ms); + } + + static int xhci_enable_device(struct usb_hcd *hcd, struct usb_device *udev) + { +- return xhci_setup_device(hcd, udev, SETUP_CONTEXT_ONLY); ++ return xhci_setup_device(hcd, udev, SETUP_CONTEXT_ONLY, ++ XHCI_CMD_DEFAULT_TIMEOUT); + } + + /* +diff --git a/drivers/usb/host/xhci.h b/drivers/usb/host/xhci.h +index f76dae4ea429f..1ca283f5d3066 100644 +--- a/drivers/usb/host/xhci.h ++++ b/drivers/usb/host/xhci.h +@@ -563,6 +563,8 @@ struct xhci_command { + struct completion *completion; + union xhci_trb *command_trb; + struct list_head cmd_list; ++ /* xHCI command response timeout in milliseconds */ ++ unsigned int timeout_ms; + }; + + /* drop context bitmasks */ +@@ -1326,8 +1328,11 @@ struct xhci_td { + unsigned int num_trbs; + }; + +-/* xHCI command default timeout value */ +-#define XHCI_CMD_DEFAULT_TIMEOUT (5 * HZ) ++/* ++ * xHCI command default timeout value in milliseconds. ++ * USB 3.2 spec, section 9.2.6.1 ++ */ ++#define XHCI_CMD_DEFAULT_TIMEOUT 5000 + + /* command descriptor */ + struct xhci_cd { +diff --git a/include/linux/usb/hcd.h b/include/linux/usb/hcd.h +index aa43ef8a7aa34..a0f092b3fb66c 100644 +--- a/include/linux/usb/hcd.h ++++ b/include/linux/usb/hcd.h +@@ -385,8 +385,9 @@ struct hc_driver { + * or bandwidth constraints. + */ + void (*reset_bandwidth)(struct usb_hcd *, struct usb_device *); +- /* Returns the hardware-chosen device address */ +- int (*address_device)(struct usb_hcd *, struct usb_device *udev); ++ /* Set the hardware-chosen device address */ ++ int (*address_device)(struct usb_hcd *, struct usb_device *udev, ++ unsigned int timeout_ms); + /* prepares the hardware to send commands to the device */ + int (*enable_device)(struct usb_hcd *, struct usb_device *udev); + /* Notifies the HCD after a hub descriptor is fetched. +-- +2.39.5 + diff --git a/queue-5.15/usb-xhci-fix-null-pointer-dereference-on-certain-com.patch b/queue-5.15/usb-xhci-fix-null-pointer-dereference-on-certain-com.patch new file mode 100644 index 0000000000..358dddf66d --- /dev/null +++ b/queue-5.15/usb-xhci-fix-null-pointer-dereference-on-certain-com.patch @@ -0,0 +1,56 @@ +From 2cce2f007b6466988a4182b6b0a5a3e229741003 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Dec 2024 14:01:40 +0200 +Subject: usb: xhci: Fix NULL pointer dereference on certain command aborts + +From: Michal Pecio + +[ Upstream commit 1e0a19912adb68a4b2b74fd77001c96cd83eb073 ] + +If a command is queued to the final usable TRB of a ring segment, the +enqueue pointer is advanced to the subsequent link TRB and no further. +If the command is later aborted, when the abort completion is handled +the dequeue pointer is advanced to the first TRB of the next segment. + +If no further commands are queued, xhci_handle_stopped_cmd_ring() sees +the ring pointers unequal and assumes that there is a pending command, +so it calls xhci_mod_cmd_timer() which crashes if cur_cmd was NULL. + +Don't attempt timer setup if cur_cmd is NULL. The subsequent doorbell +ring likely is unnecessary too, but it's harmless. Leave it alone. + +This is probably Bug 219532, but no confirmation has been received. + +The issue has been independently reproduced and confirmed fixed using +a USB MCU programmed to NAK the Status stage of SET_ADDRESS forever. +Everything continued working normally after several prevented crashes. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=219532 +Fixes: c311e391a7ef ("xhci: rework command timeout and cancellation,") +CC: stable@vger.kernel.org +Signed-off-by: Michal Pecio +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20241227120142.1035206-4-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/xhci-ring.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c +index 97b192058ffe4..64bf50ea62a49 100644 +--- a/drivers/usb/host/xhci-ring.c ++++ b/drivers/usb/host/xhci-ring.c +@@ -380,7 +380,8 @@ static void xhci_handle_stopped_cmd_ring(struct xhci_hcd *xhci, + if ((xhci->cmd_ring->dequeue != xhci->cmd_ring->enqueue) && + !(xhci->xhc_state & XHCI_STATE_DYING)) { + xhci->current_cmd = cur_cmd; +- xhci_mod_cmd_timer(xhci); ++ if (cur_cmd) ++ xhci_mod_cmd_timer(xhci); + xhci_ring_cmd_db(xhci); + } + } +-- +2.39.5 + diff --git a/queue-5.15/wifi-brcmsmac-add-gain-range-check-to-wlc_phy_iqcal_.patch b/queue-5.15/wifi-brcmsmac-add-gain-range-check-to-wlc_phy_iqcal_.patch new file mode 100644 index 0000000000..504361112b --- /dev/null +++ b/queue-5.15/wifi-brcmsmac-add-gain-range-check-to-wlc_phy_iqcal_.patch @@ -0,0 +1,42 @@ +From be3fcaee13bbd58e0b2034d0f976f8511c12ffb3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Dec 2024 10:04:41 +0300 +Subject: wifi: brcmsmac: add gain range check to + wlc_phy_iqcal_gainparams_nphy() + +From: Dmitry Antipov + +[ Upstream commit 3f4a0948c3524ae50f166dbc6572a3296b014e62 ] + +In 'wlc_phy_iqcal_gainparams_nphy()', add gain range check to WARN() +instead of possible out-of-bounds 'tbl_iqcal_gainparams_nphy' access. +Compile tested only. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Signed-off-by: Dmitry Antipov +Acked-by: Arend van Spriel +Signed-off-by: Kalle Valo +Link: https://patch.msgid.link/20241210070441.836362-1-dmantipov@yandex.ru +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_n.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_n.c b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_n.c +index 8580a27547891..42e7bc67e9143 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_n.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_n.c +@@ -23427,6 +23427,9 @@ wlc_phy_iqcal_gainparams_nphy(struct brcms_phy *pi, u16 core_no, + break; + } + ++ if (WARN_ON(k == NPHY_IQCAL_NUMGAINS)) ++ return; ++ + params->txgm = tbl_iqcal_gainparams_nphy[band_idx][k][1]; + params->pga = tbl_iqcal_gainparams_nphy[band_idx][k][2]; + params->pad = tbl_iqcal_gainparams_nphy[band_idx][k][3]; +-- +2.39.5 + diff --git a/queue-5.15/wifi-iwlwifi-avoid-memory-leak.patch b/queue-5.15/wifi-iwlwifi-avoid-memory-leak.patch new file mode 100644 index 0000000000..618f273e52 --- /dev/null +++ b/queue-5.15/wifi-iwlwifi-avoid-memory-leak.patch @@ -0,0 +1,69 @@ +From 1ce196b37dda045315adf164e74bd28aed6e95b2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 28 Dec 2024 22:34:15 +0200 +Subject: wifi: iwlwifi: avoid memory leak + +From: Miri Korenblit + +[ Upstream commit 80e96206a3ef348fbd658d98f2f43149c36df8bc ] + +A caller of iwl_acpi_get_dsm_object must free the returned object. +iwl_acpi_get_dsm_integer returns immediately without freeing +it if the expected size is more than 8 bytes. Fix that. + +Note that with the current code this will never happen, since the caller +of iwl_acpi_get_dsm_integer already checks that the expected size if +either 1 or 4 bytes, so it can't exceed 8 bytes. + +While at it, print the DSM value instead of the return value, as this +was the intention in the first place. + +Signed-off-by: Miri Korenblit +Link: https://patch.msgid.link/20241228223206.bf61eaab99f8.Ibdc5df02f885208c222456d42c889c43b7e3b2f7@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/fw/acpi.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/fw/acpi.c b/drivers/net/wireless/intel/iwlwifi/fw/acpi.c +index 0b1c6bf729c3e..eefd42ea535cd 100644 +--- a/drivers/net/wireless/intel/iwlwifi/fw/acpi.c ++++ b/drivers/net/wireless/intel/iwlwifi/fw/acpi.c +@@ -98,7 +98,7 @@ static int iwl_acpi_get_dsm_integer(struct device *dev, int rev, int func, + size_t expected_size) + { + union acpi_object *obj; +- int ret = 0; ++ int ret; + + obj = iwl_acpi_get_dsm_object(dev, rev, func, NULL, guid); + if (IS_ERR(obj)) { +@@ -113,8 +113,10 @@ static int iwl_acpi_get_dsm_integer(struct device *dev, int rev, int func, + } else if (obj->type == ACPI_TYPE_BUFFER) { + __le64 le_value = 0; + +- if (WARN_ON_ONCE(expected_size > sizeof(le_value))) +- return -EINVAL; ++ if (WARN_ON_ONCE(expected_size > sizeof(le_value))) { ++ ret = -EINVAL; ++ goto out; ++ } + + /* if the buffer size doesn't match the expected size */ + if (obj->buffer.length != expected_size) +@@ -135,8 +137,9 @@ static int iwl_acpi_get_dsm_integer(struct device *dev, int rev, int func, + } + + IWL_DEBUG_DEV_RADIO(dev, +- "ACPI: DSM method evaluated: func=%d, ret=%d\n", +- func, ret); ++ "ACPI: DSM method evaluated: func=%d, value=%lld\n", ++ func, *value); ++ ret = 0; + out: + ACPI_FREE(obj); + return ret; +-- +2.39.5 + diff --git a/queue-5.15/x86-amd_nb-restrict-init-function-to-amd-based-syste.patch b/queue-5.15/x86-amd_nb-restrict-init-function-to-amd-based-syste.patch new file mode 100644 index 0000000000..ecf426db87 --- /dev/null +++ b/queue-5.15/x86-amd_nb-restrict-init-function-to-amd-based-syste.patch @@ -0,0 +1,40 @@ +From e12defaab59b4fe25313221ff20daf7e43e2d143 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Dec 2024 16:11:55 +0000 +Subject: x86/amd_nb: Restrict init function to AMD-based systems + +From: Yazen Ghannam + +[ Upstream commit bee9e840609cc67d0a7d82f22a2130fb7a0a766d ] + +The code implicitly operates on AMD-based systems by matching on PCI +IDs. However, the use of these IDs is going away. + +Add an explicit CPU vendor check instead of relying on PCI IDs. + +Signed-off-by: Yazen Ghannam +Signed-off-by: Borislav Petkov (AMD) +Link: https://lore.kernel.org/r/20241206161210.163701-3-yazen.ghannam@amd.com +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/amd_nb.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/arch/x86/kernel/amd_nb.c b/arch/x86/kernel/amd_nb.c +index 62cd2af806b47..eda11832b6e62 100644 +--- a/arch/x86/kernel/amd_nb.c ++++ b/arch/x86/kernel/amd_nb.c +@@ -544,6 +544,10 @@ static __init void fix_erratum_688(void) + + static __init int init_amd_nbs(void) + { ++ if (boot_cpu_data.x86_vendor != X86_VENDOR_AMD && ++ boot_cpu_data.x86_vendor != X86_VENDOR_HYGON) ++ return 0; ++ + amd_cache_northbridges(); + amd_cache_gart(); + +-- +2.39.5 + diff --git a/queue-5.15/xfs-don-t-over-report-free-space-or-inodes-in-statvf.patch b/queue-5.15/xfs-don-t-over-report-free-space-or-inodes-in-statvf.patch new file mode 100644 index 0000000000..a570bfc67c --- /dev/null +++ b/queue-5.15/xfs-don-t-over-report-free-space-or-inodes-in-statvf.patch @@ -0,0 +1,85 @@ +From 35cf2745ab54f703c778943469cba35671d51a93 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Dec 2024 14:37:56 -0800 +Subject: xfs: don't over-report free space or inodes in statvfs + +From: Darrick J. Wong + +[ Upstream commit 4b8d867ca6e2fc6d152f629fdaf027053b81765a ] + +Emmanual Florac reports a strange occurrence when project quota limits +are enabled, free space is lower than the remaining quota, and someone +runs statvfs: + + # mkfs.xfs -f /dev/sda + # mount /dev/sda /mnt -o prjquota + # xfs_quota -x -c 'limit -p bhard=2G 55' /mnt + # mkdir /mnt/dir + # xfs_io -c 'chproj 55' -c 'chattr +P' -c 'stat -vvvv' /mnt/dir + # fallocate -l 19g /mnt/a + # df /mnt /mnt/dir + Filesystem Size Used Avail Use% Mounted on + /dev/sda 20G 20G 345M 99% /mnt + /dev/sda 2.0G 0 2.0G 0% /mnt + +I think the bug here is that xfs_fill_statvfs_from_dquot unconditionally +assigns to f_bfree without checking that the filesystem has enough free +space to fill the remaining project quota. However, this is a +longstanding behavior of xfs so it's unclear what to do here. + +Cc: # v2.6.18 +Fixes: 932f2c323196c2 ("[XFS] statvfs component of directory/project quota support, code originally by Glen.") +Reported-by: Emmanuel Florac +Signed-off-by: "Darrick J. Wong" +Reviewed-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + fs/xfs/xfs_qm_bhv.c | 27 +++++++++++++++++---------- + 1 file changed, 17 insertions(+), 10 deletions(-) + +diff --git a/fs/xfs/xfs_qm_bhv.c b/fs/xfs/xfs_qm_bhv.c +index 268a07218c777..26b2c449f3c66 100644 +--- a/fs/xfs/xfs_qm_bhv.c ++++ b/fs/xfs/xfs_qm_bhv.c +@@ -32,21 +32,28 @@ xfs_fill_statvfs_from_dquot( + limit = blkres->softlimit ? + blkres->softlimit : + blkres->hardlimit; +- if (limit && statp->f_blocks > limit) { +- statp->f_blocks = limit; +- statp->f_bfree = statp->f_bavail = +- (statp->f_blocks > blkres->reserved) ? +- (statp->f_blocks - blkres->reserved) : 0; ++ if (limit) { ++ uint64_t remaining = 0; ++ ++ if (limit > blkres->reserved) ++ remaining = limit - blkres->reserved; ++ ++ statp->f_blocks = min(statp->f_blocks, limit); ++ statp->f_bfree = min(statp->f_bfree, remaining); ++ statp->f_bavail = min(statp->f_bavail, remaining); + } + + limit = dqp->q_ino.softlimit ? + dqp->q_ino.softlimit : + dqp->q_ino.hardlimit; +- if (limit && statp->f_files > limit) { +- statp->f_files = limit; +- statp->f_ffree = +- (statp->f_files > dqp->q_ino.reserved) ? +- (statp->f_files - dqp->q_ino.reserved) : 0; ++ if (limit) { ++ uint64_t remaining = 0; ++ ++ if (limit > dqp->q_ino.reserved) ++ remaining = limit - dqp->q_ino.reserved; ++ ++ statp->f_files = min(statp->f_files, limit); ++ statp->f_ffree = min(statp->f_ffree, remaining); + } + } + +-- +2.39.5 + diff --git a/queue-5.15/xfs-report-realtime-block-quota-limits-on-realtime-d.patch b/queue-5.15/xfs-report-realtime-block-quota-limits-on-realtime-d.patch new file mode 100644 index 0000000000..cafad7f6bf --- /dev/null +++ b/queue-5.15/xfs-report-realtime-block-quota-limits-on-realtime-d.patch @@ -0,0 +1,98 @@ +From 62d072285158aef4aea4580f32c143a393b30faf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 3 Nov 2024 20:19:40 -0800 +Subject: xfs: report realtime block quota limits on realtime directories + +From: Darrick J. Wong + +[ Upstream commit 9a17ebfea9d0c7e0bb7409dcf655bf982a5d6e52 ] + +On the data device, calling statvfs on a projinherit directory results +in the block and avail counts being curtailed to the project quota block +limits, if any are set. Do the same for realtime files or directories, +only use the project quota rt block limits. + +Signed-off-by: Darrick J. Wong +Reviewed-by: Christoph Hellwig +Stable-dep-of: 4b8d867ca6e2 ("xfs: don't over-report free space or inodes in statvfs") +Signed-off-by: Sasha Levin +--- + fs/xfs/xfs_qm_bhv.c | 18 ++++++++++++------ + fs/xfs/xfs_super.c | 11 +++++------ + 2 files changed, 17 insertions(+), 12 deletions(-) + +diff --git a/fs/xfs/xfs_qm_bhv.c b/fs/xfs/xfs_qm_bhv.c +index b77673dd05581..268a07218c777 100644 +--- a/fs/xfs/xfs_qm_bhv.c ++++ b/fs/xfs/xfs_qm_bhv.c +@@ -19,18 +19,24 @@ + STATIC void + xfs_fill_statvfs_from_dquot( + struct kstatfs *statp, ++ struct xfs_inode *ip, + struct xfs_dquot *dqp) + { ++ struct xfs_dquot_res *blkres = &dqp->q_blk; + uint64_t limit; + +- limit = dqp->q_blk.softlimit ? +- dqp->q_blk.softlimit : +- dqp->q_blk.hardlimit; ++ if (XFS_IS_REALTIME_MOUNT(ip->i_mount) && ++ (ip->i_diflags & (XFS_DIFLAG_RTINHERIT | XFS_DIFLAG_REALTIME))) ++ blkres = &dqp->q_rtb; ++ ++ limit = blkres->softlimit ? ++ blkres->softlimit : ++ blkres->hardlimit; + if (limit && statp->f_blocks > limit) { + statp->f_blocks = limit; + statp->f_bfree = statp->f_bavail = +- (statp->f_blocks > dqp->q_blk.reserved) ? +- (statp->f_blocks - dqp->q_blk.reserved) : 0; ++ (statp->f_blocks > blkres->reserved) ? ++ (statp->f_blocks - blkres->reserved) : 0; + } + + limit = dqp->q_ino.softlimit ? +@@ -61,7 +67,7 @@ xfs_qm_statvfs( + struct xfs_dquot *dqp; + + if (!xfs_qm_dqget(mp, ip->i_projid, XFS_DQTYPE_PROJ, false, &dqp)) { +- xfs_fill_statvfs_from_dquot(statp, dqp); ++ xfs_fill_statvfs_from_dquot(statp, ip, dqp); + xfs_qm_dqput(dqp); + } + } +diff --git a/fs/xfs/xfs_super.c b/fs/xfs/xfs_super.c +index f4c25b07dc99d..e48455e2b5f2f 100644 +--- a/fs/xfs/xfs_super.c ++++ b/fs/xfs/xfs_super.c +@@ -837,12 +837,6 @@ xfs_fs_statfs( + ffree = statp->f_files - (icount - ifree); + statp->f_ffree = max_t(int64_t, ffree, 0); + +- +- if ((ip->i_diflags & XFS_DIFLAG_PROJINHERIT) && +- ((mp->m_qflags & (XFS_PQUOTA_ACCT|XFS_PQUOTA_ENFD))) == +- (XFS_PQUOTA_ACCT|XFS_PQUOTA_ENFD)) +- xfs_qm_statvfs(ip, statp); +- + if (XFS_IS_REALTIME_MOUNT(mp) && + (ip->i_diflags & (XFS_DIFLAG_RTINHERIT | XFS_DIFLAG_REALTIME))) { + statp->f_blocks = sbp->sb_rblocks; +@@ -850,6 +844,11 @@ xfs_fs_statfs( + sbp->sb_frextents * sbp->sb_rextsize; + } + ++ if ((ip->i_diflags & XFS_DIFLAG_PROJINHERIT) && ++ ((mp->m_qflags & (XFS_PQUOTA_ACCT|XFS_PQUOTA_ENFD))) == ++ (XFS_PQUOTA_ACCT|XFS_PQUOTA_ENFD)) ++ xfs_qm_statvfs(ip, statp); ++ + return 0; + } + +-- +2.39.5 +