From: Greg Kroah-Hartman Date: Mon, 29 Apr 2024 11:56:47 +0000 (+0200) Subject: 6.1-stable patches X-Git-Tag: v4.19.313~44 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5b9893b84efd2e19327429a969f5ae50dc311095;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: acpi-cppc-fix-access-width-used-for-pcc-registers.patch acpi-cppc-fix-bit_offset-shift-in-mask_val-macro.patch acpi-cppc-use-access_width-over-bit_width-for-system-memory-accesses.patch arm64-dts-rockchip-enable-internal-pull-up-for-q7_thrm-on-rk3399-puma.patch bluetooth-btusb-add-realtek-rtl8852be-support-id-0x0bda-0x4853.patch bluetooth-fix-type-of-len-in-l2cap-sco-_sock_getsockopt_old.patch bluetooth-qca-fix-null-deref-on-non-serdev-suspend.patch btrfs-fix-information-leak-in-btrfs_ioctl_logical_to_ino.patch cpu-re-enable-cpu-mitigations-by-default-for-x86-architectures.patch drm-amdgpu-fix-leak-when-gpu-memory-allocation-fails.patch drm-amdgpu-sdma5.2-use-legacy-hdp-flush-for-sdma2-3.patch hid-i2c-hid-remove-i2c_hid_read_pending-flag-to-prevent-lock-up.patch irqchip-gic-v3-its-prevent-double-free-on-error.patch loongarch-fix-access-error-when-read-fault-on-a-write-only-vma.patch loongarch-fix-callchain-parse-error-with-kernel-tracepoint-events.patch mmc-sdhci-msm-pervent-access-to-suspended-controller.patch rust-don-t-select-constructors.patch rust-kernel-require-send-for-module-implementations.patch rust-make-mutually-exclusive-with-cfi_clang.patch smb-client-fix-struct_group-usage-in-__packed-structs.patch smb3-fix-lock-ordering-potential-deadlock-in-cifs_sync_mid_result.patch --- diff --git a/queue-6.1/acpi-cppc-fix-access-width-used-for-pcc-registers.patch b/queue-6.1/acpi-cppc-fix-access-width-used-for-pcc-registers.patch new file mode 100644 index 00000000000..42e52691bac --- /dev/null +++ b/queue-6.1/acpi-cppc-fix-access-width-used-for-pcc-registers.patch @@ -0,0 +1,155 @@ +From f489c948028b69cea235d9c0de1cc10eeb26a172 Mon Sep 17 00:00:00 2001 +From: Vanshidhar Konda +Date: Thu, 11 Apr 2024 16:18:44 -0700 +Subject: ACPI: CPPC: Fix access width used for PCC registers + +From: Vanshidhar Konda + +commit f489c948028b69cea235d9c0de1cc10eeb26a172 upstream. + +commit 2f4a4d63a193 ("ACPI: CPPC: Use access_width over bit_width for system +memory accesses") modified cpc_read()/cpc_write() to use access_width to +read CPC registers. + +However, for PCC registers the access width field in the ACPI register +macro specifies the PCC subspace ID. For non-zero PCC subspace ID it is +incorrectly treated as access width. This causes errors when reading +from PCC registers in the CPPC driver. + +For PCC registers, base the size of read/write on the bit width field. +The debug message in cpc_read()/cpc_write() is updated to print relevant +information for the address space type used to read the register. + +Fixes: 2f4a4d63a193 ("ACPI: CPPC: Use access_width over bit_width for system memory accesses") +Signed-off-by: Vanshidhar Konda +Tested-by: Jarred White +Reviewed-by: Jarred White +Reviewed-by: Easwar Hariharan +Cc: 5.15+ # 5.15+ +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/cppc_acpi.c | 53 ++++++++++++++++++++++++++++++++--------------- + 1 file changed, 37 insertions(+), 16 deletions(-) + +--- a/drivers/acpi/cppc_acpi.c ++++ b/drivers/acpi/cppc_acpi.c +@@ -998,14 +998,14 @@ static int cpc_read(int cpu, struct cpc_ + } + + *val = 0; ++ size = GET_BIT_WIDTH(reg); + + if (reg->space_id == ACPI_ADR_SPACE_SYSTEM_IO) { +- u32 width = GET_BIT_WIDTH(reg); + u32 val_u32; + acpi_status status; + + status = acpi_os_read_port((acpi_io_address)reg->address, +- &val_u32, width); ++ &val_u32, size); + if (ACPI_FAILURE(status)) { + pr_debug("Error: Failed to read SystemIO port %llx\n", + reg->address); +@@ -1014,17 +1014,22 @@ static int cpc_read(int cpu, struct cpc_ + + *val = val_u32; + return 0; +- } else if (reg->space_id == ACPI_ADR_SPACE_PLATFORM_COMM && pcc_ss_id >= 0) ++ } else if (reg->space_id == ACPI_ADR_SPACE_PLATFORM_COMM && pcc_ss_id >= 0) { ++ /* ++ * For registers in PCC space, the register size is determined ++ * by the bit width field; the access size is used to indicate ++ * the PCC subspace id. ++ */ ++ size = reg->bit_width; + vaddr = GET_PCC_VADDR(reg->address, pcc_ss_id); ++ } + else if (reg->space_id == ACPI_ADR_SPACE_SYSTEM_MEMORY) + vaddr = reg_res->sys_mem_vaddr; + else if (reg->space_id == ACPI_ADR_SPACE_FIXED_HARDWARE) + return cpc_read_ffh(cpu, reg, val); + else + return acpi_os_read_memory((acpi_physical_address)reg->address, +- val, reg->bit_width); +- +- size = GET_BIT_WIDTH(reg); ++ val, size); + + switch (size) { + case 8: +@@ -1040,8 +1045,13 @@ static int cpc_read(int cpu, struct cpc_ + *val = readq_relaxed(vaddr); + break; + default: +- pr_debug("Error: Cannot read %u bit width from PCC for ss: %d\n", +- reg->bit_width, pcc_ss_id); ++ if (reg->space_id == ACPI_ADR_SPACE_SYSTEM_MEMORY) { ++ pr_debug("Error: Cannot read %u bit width from system memory: 0x%llx\n", ++ size, reg->address); ++ } else if (reg->space_id == ACPI_ADR_SPACE_PLATFORM_COMM) { ++ pr_debug("Error: Cannot read %u bit width from PCC for ss: %d\n", ++ size, pcc_ss_id); ++ } + return -EFAULT; + } + +@@ -1059,12 +1069,13 @@ static int cpc_write(int cpu, struct cpc + int pcc_ss_id = per_cpu(cpu_pcc_subspace_idx, cpu); + struct cpc_reg *reg = ®_res->cpc_entry.reg; + ++ size = GET_BIT_WIDTH(reg); ++ + if (reg->space_id == ACPI_ADR_SPACE_SYSTEM_IO) { +- u32 width = GET_BIT_WIDTH(reg); + acpi_status status; + + status = acpi_os_write_port((acpi_io_address)reg->address, +- (u32)val, width); ++ (u32)val, size); + if (ACPI_FAILURE(status)) { + pr_debug("Error: Failed to write SystemIO port %llx\n", + reg->address); +@@ -1072,17 +1083,22 @@ static int cpc_write(int cpu, struct cpc + } + + return 0; +- } else if (reg->space_id == ACPI_ADR_SPACE_PLATFORM_COMM && pcc_ss_id >= 0) ++ } else if (reg->space_id == ACPI_ADR_SPACE_PLATFORM_COMM && pcc_ss_id >= 0) { ++ /* ++ * For registers in PCC space, the register size is determined ++ * by the bit width field; the access size is used to indicate ++ * the PCC subspace id. ++ */ ++ size = reg->bit_width; + vaddr = GET_PCC_VADDR(reg->address, pcc_ss_id); ++ } + else if (reg->space_id == ACPI_ADR_SPACE_SYSTEM_MEMORY) + vaddr = reg_res->sys_mem_vaddr; + else if (reg->space_id == ACPI_ADR_SPACE_FIXED_HARDWARE) + return cpc_write_ffh(cpu, reg, val); + else + return acpi_os_write_memory((acpi_physical_address)reg->address, +- val, reg->bit_width); +- +- size = GET_BIT_WIDTH(reg); ++ val, size); + + if (reg->space_id == ACPI_ADR_SPACE_SYSTEM_MEMORY) + val = MASK_VAL(reg, val); +@@ -1101,8 +1117,13 @@ static int cpc_write(int cpu, struct cpc + writeq_relaxed(val, vaddr); + break; + default: +- pr_debug("Error: Cannot write %u bit width to PCC for ss: %d\n", +- reg->bit_width, pcc_ss_id); ++ if (reg->space_id == ACPI_ADR_SPACE_SYSTEM_MEMORY) { ++ pr_debug("Error: Cannot write %u bit width to system memory: 0x%llx\n", ++ size, reg->address); ++ } else if (reg->space_id == ACPI_ADR_SPACE_PLATFORM_COMM) { ++ pr_debug("Error: Cannot write %u bit width to PCC for ss: %d\n", ++ size, pcc_ss_id); ++ } + ret_val = -EFAULT; + break; + } diff --git a/queue-6.1/acpi-cppc-fix-bit_offset-shift-in-mask_val-macro.patch b/queue-6.1/acpi-cppc-fix-bit_offset-shift-in-mask_val-macro.patch new file mode 100644 index 00000000000..ff3e9f7554b --- /dev/null +++ b/queue-6.1/acpi-cppc-fix-bit_offset-shift-in-mask_val-macro.patch @@ -0,0 +1,42 @@ +From 05d92ee782eeb7b939bdd0189e6efcab9195bf95 Mon Sep 17 00:00:00 2001 +From: Jarred White +Date: Mon, 8 Apr 2024 22:23:09 -0700 +Subject: ACPI: CPPC: Fix bit_offset shift in MASK_VAL() macro + +From: Jarred White + +commit 05d92ee782eeb7b939bdd0189e6efcab9195bf95 upstream. + +Commit 2f4a4d63a193 ("ACPI: CPPC: Use access_width over bit_width for +system memory accesses") neglected to properly wrap the bit_offset shift +when it comes to applying the mask. This may cause incorrect values to be +read and may cause the cpufreq module not be loaded. + +[ 11.059751] cpu_capacity: CPU0 missing/invalid highest performance. +[ 11.066005] cpu_capacity: partial information: fallback to 1024 for all CPUs + +Also, corrected the bitmask generation in GENMASK (extra bit being added). + +Fixes: 2f4a4d63a193 ("ACPI: CPPC: Use access_width over bit_width for system memory accesses") +Signed-off-by: Jarred White +Cc: 5.15+ # 5.15+ +Reviewed-by: Vanshidhar Konda +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/cppc_acpi.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/acpi/cppc_acpi.c ++++ b/drivers/acpi/cppc_acpi.c +@@ -167,8 +167,8 @@ show_cppc_data(cppc_get_perf_ctrs, cppc_ + #define GET_BIT_WIDTH(reg) ((reg)->access_width ? (8 << ((reg)->access_width - 1)) : (reg)->bit_width) + + /* Shift and apply the mask for CPC reads/writes */ +-#define MASK_VAL(reg, val) ((val) >> ((reg)->bit_offset & \ +- GENMASK(((reg)->bit_width), 0))) ++#define MASK_VAL(reg, val) (((val) >> (reg)->bit_offset) & \ ++ GENMASK(((reg)->bit_width) - 1, 0)) + + static ssize_t show_feedback_ctrs(struct kobject *kobj, + struct kobj_attribute *attr, char *buf) diff --git a/queue-6.1/acpi-cppc-use-access_width-over-bit_width-for-system-memory-accesses.patch b/queue-6.1/acpi-cppc-use-access_width-over-bit_width-for-system-memory-accesses.patch new file mode 100644 index 00000000000..ca6c8528a45 --- /dev/null +++ b/queue-6.1/acpi-cppc-use-access_width-over-bit_width-for-system-memory-accesses.patch @@ -0,0 +1,182 @@ +From 2f4a4d63a193be6fd530d180bb13c3592052904c Mon Sep 17 00:00:00 2001 +From: Jarred White +Date: Fri, 1 Mar 2024 11:25:59 -0800 +Subject: ACPI: CPPC: Use access_width over bit_width for system memory accesses + +From: Jarred White + +commit 2f4a4d63a193be6fd530d180bb13c3592052904c upstream. + +To align with ACPI 6.3+, since bit_width can be any 8-bit value, it +cannot be depended on to be always on a clean 8b boundary. This was +uncovered on the Cobalt 100 platform. + +SError Interrupt on CPU26, code 0xbe000011 -- SError + CPU: 26 PID: 1510 Comm: systemd-udevd Not tainted 5.15.2.1-13 #1 + Hardware name: MICROSOFT CORPORATION, BIOS MICROSOFT CORPORATION + pstate: 62400009 (nZCv daif +PAN -UAO +TCO -DIT -SSBS BTYPE=--) + pc : cppc_get_perf_caps+0xec/0x410 + lr : cppc_get_perf_caps+0xe8/0x410 + sp : ffff8000155ab730 + x29: ffff8000155ab730 x28: ffff0080139d0038 x27: ffff0080139d0078 + x26: 0000000000000000 x25: ffff0080139d0058 x24: 00000000ffffffff + x23: ffff0080139d0298 x22: ffff0080139d0278 x21: 0000000000000000 + x20: ffff00802b251910 x19: ffff0080139d0000 x18: ffffffffffffffff + x17: 0000000000000000 x16: ffffdc7e111bad04 x15: ffff00802b251008 + x14: ffffffffffffffff x13: ffff013f1fd63300 x12: 0000000000000006 + x11: ffffdc7e128f4420 x10: 0000000000000000 x9 : ffffdc7e111badec + x8 : ffff00802b251980 x7 : 0000000000000000 x6 : ffff0080139d0028 + x5 : 0000000000000000 x4 : ffff0080139d0018 x3 : 00000000ffffffff + x2 : 0000000000000008 x1 : ffff8000155ab7a0 x0 : 0000000000000000 + Kernel panic - not syncing: Asynchronous SError Interrupt + CPU: 26 PID: 1510 Comm: systemd-udevd Not tainted +5.15.2.1-13 #1 + Hardware name: MICROSOFT CORPORATION, BIOS MICROSOFT CORPORATION + Call trace: + dump_backtrace+0x0/0x1e0 + show_stack+0x24/0x30 + dump_stack_lvl+0x8c/0xb8 + dump_stack+0x18/0x34 + panic+0x16c/0x384 + add_taint+0x0/0xc0 + arm64_serror_panic+0x7c/0x90 + arm64_is_fatal_ras_serror+0x34/0xa4 + do_serror+0x50/0x6c + el1h_64_error_handler+0x40/0x74 + el1h_64_error+0x7c/0x80 + cppc_get_perf_caps+0xec/0x410 + cppc_cpufreq_cpu_init+0x74/0x400 [cppc_cpufreq] + cpufreq_online+0x2dc/0xa30 + cpufreq_add_dev+0xc0/0xd4 + subsys_interface_register+0x134/0x14c + cpufreq_register_driver+0x1b0/0x354 + cppc_cpufreq_init+0x1a8/0x1000 [cppc_cpufreq] + do_one_initcall+0x50/0x250 + do_init_module+0x60/0x27c + load_module+0x2300/0x2570 + __do_sys_finit_module+0xa8/0x114 + __arm64_sys_finit_module+0x2c/0x3c + invoke_syscall+0x78/0x100 + el0_svc_common.constprop.0+0x180/0x1a0 + do_el0_svc+0x84/0xa0 + el0_svc+0x2c/0xc0 + el0t_64_sync_handler+0xa4/0x12c + el0t_64_sync+0x1a4/0x1a8 + +Instead, use access_width to determine the size and use the offset and +width to shift and mask the bits to read/write out. Make sure to add a +check for system memory since pcc redefines the access_width to +subspace id. + +If access_width is not set, then fall back to using bit_width. + +Signed-off-by: Jarred White +Reviewed-by: Easwar Hariharan +Cc: 5.15+ # 5.15+ +[ rjw: Subject and changelog edits, comment adjustments ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/cppc_acpi.c | 31 ++++++++++++++++++++++++++----- + 1 file changed, 26 insertions(+), 5 deletions(-) + +--- a/drivers/acpi/cppc_acpi.c ++++ b/drivers/acpi/cppc_acpi.c +@@ -163,6 +163,13 @@ show_cppc_data(cppc_get_perf_caps, cppc_ + show_cppc_data(cppc_get_perf_ctrs, cppc_perf_fb_ctrs, reference_perf); + show_cppc_data(cppc_get_perf_ctrs, cppc_perf_fb_ctrs, wraparound_time); + ++/* Check for valid access_width, otherwise, fallback to using bit_width */ ++#define GET_BIT_WIDTH(reg) ((reg)->access_width ? (8 << ((reg)->access_width - 1)) : (reg)->bit_width) ++ ++/* Shift and apply the mask for CPC reads/writes */ ++#define MASK_VAL(reg, val) ((val) >> ((reg)->bit_offset & \ ++ GENMASK(((reg)->bit_width), 0))) ++ + static ssize_t show_feedback_ctrs(struct kobject *kobj, + struct kobj_attribute *attr, char *buf) + { +@@ -776,6 +783,7 @@ int acpi_cppc_processor_probe(struct acp + } else if (gas_t->space_id == ACPI_ADR_SPACE_SYSTEM_MEMORY) { + if (gas_t->address) { + void __iomem *addr; ++ size_t access_width; + + if (!osc_cpc_flexible_adr_space_confirmed) { + pr_debug("Flexible address space capability not supported\n"); +@@ -783,7 +791,8 @@ int acpi_cppc_processor_probe(struct acp + goto out_free; + } + +- addr = ioremap(gas_t->address, gas_t->bit_width/8); ++ access_width = GET_BIT_WIDTH(gas_t) / 8; ++ addr = ioremap(gas_t->address, access_width); + if (!addr) + goto out_free; + cpc_ptr->cpc_regs[i-2].sys_mem_vaddr = addr; +@@ -979,6 +988,7 @@ int __weak cpc_write_ffh(int cpunum, str + static int cpc_read(int cpu, struct cpc_register_resource *reg_res, u64 *val) + { + void __iomem *vaddr = NULL; ++ int size; + int pcc_ss_id = per_cpu(cpu_pcc_subspace_idx, cpu); + struct cpc_reg *reg = ®_res->cpc_entry.reg; + +@@ -990,7 +1000,7 @@ static int cpc_read(int cpu, struct cpc_ + *val = 0; + + if (reg->space_id == ACPI_ADR_SPACE_SYSTEM_IO) { +- u32 width = 8 << (reg->access_width - 1); ++ u32 width = GET_BIT_WIDTH(reg); + u32 val_u32; + acpi_status status; + +@@ -1014,7 +1024,9 @@ static int cpc_read(int cpu, struct cpc_ + return acpi_os_read_memory((acpi_physical_address)reg->address, + val, reg->bit_width); + +- switch (reg->bit_width) { ++ size = GET_BIT_WIDTH(reg); ++ ++ switch (size) { + case 8: + *val = readb_relaxed(vaddr); + break; +@@ -1033,18 +1045,22 @@ static int cpc_read(int cpu, struct cpc_ + return -EFAULT; + } + ++ if (reg->space_id == ACPI_ADR_SPACE_SYSTEM_MEMORY) ++ *val = MASK_VAL(reg, *val); ++ + return 0; + } + + static int cpc_write(int cpu, struct cpc_register_resource *reg_res, u64 val) + { + int ret_val = 0; ++ int size; + void __iomem *vaddr = NULL; + int pcc_ss_id = per_cpu(cpu_pcc_subspace_idx, cpu); + struct cpc_reg *reg = ®_res->cpc_entry.reg; + + if (reg->space_id == ACPI_ADR_SPACE_SYSTEM_IO) { +- u32 width = 8 << (reg->access_width - 1); ++ u32 width = GET_BIT_WIDTH(reg); + acpi_status status; + + status = acpi_os_write_port((acpi_io_address)reg->address, +@@ -1066,7 +1082,12 @@ static int cpc_write(int cpu, struct cpc + return acpi_os_write_memory((acpi_physical_address)reg->address, + val, reg->bit_width); + +- switch (reg->bit_width) { ++ size = GET_BIT_WIDTH(reg); ++ ++ if (reg->space_id == ACPI_ADR_SPACE_SYSTEM_MEMORY) ++ val = MASK_VAL(reg, val); ++ ++ switch (size) { + case 8: + writeb_relaxed(val, vaddr); + break; diff --git a/queue-6.1/arm64-dts-rockchip-enable-internal-pull-up-for-q7_thrm-on-rk3399-puma.patch b/queue-6.1/arm64-dts-rockchip-enable-internal-pull-up-for-q7_thrm-on-rk3399-puma.patch new file mode 100644 index 00000000000..e52e60f7d75 --- /dev/null +++ b/queue-6.1/arm64-dts-rockchip-enable-internal-pull-up-for-q7_thrm-on-rk3399-puma.patch @@ -0,0 +1,45 @@ +From 0ac417b8f124427c90ec8c2ef4f632b821d924cc Mon Sep 17 00:00:00 2001 +From: Iskander Amara +Date: Fri, 8 Mar 2024 09:52:42 +0100 +Subject: arm64: dts: rockchip: enable internal pull-up for Q7_THRM# on RK3399 Puma + +From: Iskander Amara + +commit 0ac417b8f124427c90ec8c2ef4f632b821d924cc upstream. + +Q7_THRM# pin is connected to a diode on the module which is used +as a level shifter, and the pin have a pull-down enabled by +default. We need to configure it to internal pull-up, other- +wise whenever the pin is configured as INPUT and we try to +control it externally the value will always remain zero. + +Signed-off-by: Iskander Amara +Fixes: 2c66fc34e945 ("arm64: dts: rockchip: add RK3399-Q7 (Puma) SoM") +Reviewed-by: Quentin Schulz +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20240308085243.69903-1-iskander.amara@theobroma-systems.com +Signed-off-by: Heiko Stuebner +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi ++++ b/arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi +@@ -407,6 +407,16 @@ + }; + + &pinctrl { ++ pinctrl-names = "default"; ++ pinctrl-0 = <&q7_thermal_pin>; ++ ++ gpios { ++ q7_thermal_pin: q7-thermal-pin { ++ rockchip,pins = ++ <0 RK_PA3 RK_FUNC_GPIO &pcfg_pull_up>; ++ }; ++ }; ++ + i2c8 { + i2c8_xfer_a: i2c8-xfer { + rockchip,pins = diff --git a/queue-6.1/bluetooth-btusb-add-realtek-rtl8852be-support-id-0x0bda-0x4853.patch b/queue-6.1/bluetooth-btusb-add-realtek-rtl8852be-support-id-0x0bda-0x4853.patch new file mode 100644 index 00000000000..7535e83e37e --- /dev/null +++ b/queue-6.1/bluetooth-btusb-add-realtek-rtl8852be-support-id-0x0bda-0x4853.patch @@ -0,0 +1,69 @@ +From d1a5a7eede2977da3d2002d5ea3b519019cc1a98 Mon Sep 17 00:00:00 2001 +From: WangYuli +Date: Fri, 29 Mar 2024 10:34:39 +0800 +Subject: Bluetooth: btusb: Add Realtek RTL8852BE support ID 0x0bda:0x4853 + +From: WangYuli + +commit d1a5a7eede2977da3d2002d5ea3b519019cc1a98 upstream. + +Add the support ID(0x0bda, 0x4853) to usb_device_id table for +Realtek RTL8852BE. + +Without this change the device utilizes an obsolete version of +the firmware that is encoded in it rather than the updated Realtek +firmware and config files from the firmware directory. The latter +files implement many new features. + +The device table is as follows: + +T: Bus=03 Lev=01 Prnt=01 Port=09 Cnt=03 Dev#= 4 Spd=12 MxCh= 0 +D: Ver= 1.00 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=0bda ProdID=4853 Rev= 0.00 +S: Manufacturer=Realtek +S: Product=Bluetooth Radio +S: SerialNumber=00e04c000001 +C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=500mA +I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms +E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms +E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms +I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms +I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms +I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms +I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms +I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms +I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms + +Cc: stable@vger.kernel.org +Signed-off-by: Larry Finger +Signed-off-by: WangYuli +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bluetooth/btusb.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -535,6 +535,8 @@ static const struct usb_device_id blackl + /* Realtek 8852BE Bluetooth devices */ + { USB_DEVICE(0x0cb8, 0xc559), .driver_info = BTUSB_REALTEK | + BTUSB_WIDEBAND_SPEECH }, ++ { USB_DEVICE(0x0bda, 0x4853), .driver_info = BTUSB_REALTEK | ++ BTUSB_WIDEBAND_SPEECH }, + { USB_DEVICE(0x0bda, 0x887b), .driver_info = BTUSB_REALTEK | + BTUSB_WIDEBAND_SPEECH }, + { USB_DEVICE(0x0bda, 0xb85b), .driver_info = BTUSB_REALTEK | diff --git a/queue-6.1/bluetooth-fix-type-of-len-in-l2cap-sco-_sock_getsockopt_old.patch b/queue-6.1/bluetooth-fix-type-of-len-in-l2cap-sco-_sock_getsockopt_old.patch new file mode 100644 index 00000000000..8e8604ecd06 --- /dev/null +++ b/queue-6.1/bluetooth-fix-type-of-len-in-l2cap-sco-_sock_getsockopt_old.patch @@ -0,0 +1,128 @@ +From 9bf4e919ccad613b3596eebf1ff37b05b6405307 Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Mon, 1 Apr 2024 11:24:17 -0700 +Subject: Bluetooth: Fix type of len in {l2cap,sco}_sock_getsockopt_old() + +From: Nathan Chancellor + +commit 9bf4e919ccad613b3596eebf1ff37b05b6405307 upstream. + +After an innocuous optimization change in LLVM main (19.0.0), x86_64 +allmodconfig (which enables CONFIG_KCSAN / -fsanitize=thread) fails to +build due to the checks in check_copy_size(): + + In file included from net/bluetooth/sco.c:27: + In file included from include/linux/module.h:13: + In file included from include/linux/stat.h:19: + In file included from include/linux/time.h:60: + In file included from include/linux/time32.h:13: + In file included from include/linux/timex.h:67: + In file included from arch/x86/include/asm/timex.h:6: + In file included from arch/x86/include/asm/tsc.h:10: + In file included from arch/x86/include/asm/msr.h:15: + In file included from include/linux/percpu.h:7: + In file included from include/linux/smp.h:118: + include/linux/thread_info.h:244:4: error: call to '__bad_copy_from' + declared with 'error' attribute: copy source size is too small + 244 | __bad_copy_from(); + | ^ + +The same exact error occurs in l2cap_sock.c. The copy_to_user() +statements that are failing come from l2cap_sock_getsockopt_old() and +sco_sock_getsockopt_old(). This does not occur with GCC with or without +KCSAN or Clang without KCSAN enabled. + +len is defined as an 'int' because it is assigned from +'__user int *optlen'. However, it is clamped against the result of +sizeof(), which has a type of 'size_t' ('unsigned long' for 64-bit +platforms). This is done with min_t() because min() requires compatible +types, which results in both len and the result of sizeof() being casted +to 'unsigned int', meaning len changes signs and the result of sizeof() +is truncated. From there, len is passed to copy_to_user(), which has a +third parameter type of 'unsigned long', so it is widened and changes +signs again. This excessive casting in combination with the KCSAN +instrumentation causes LLVM to fail to eliminate the __bad_copy_from() +call, failing the build. + +The official recommendation from LLVM developers is to consistently use +long types for all size variables to avoid the unnecessary casting in +the first place. Change the type of len to size_t in both +l2cap_sock_getsockopt_old() and sco_sock_getsockopt_old(). This clears +up the error while allowing min_t() to be replaced with min(), resulting +in simpler code with no casts and fewer implicit conversions. While len +is a different type than optlen now, it should result in no functional +change because the result of sizeof() will clamp all values of optlen in +the same manner as before. + +Cc: stable@vger.kernel.org +Closes: https://github.com/ClangBuiltLinux/linux/issues/2007 +Link: https://github.com/llvm/llvm-project/issues/85647 +Signed-off-by: Nathan Chancellor +Reviewed-by: Justin Stitt +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Greg Kroah-Hartman +--- + net/bluetooth/l2cap_sock.c | 7 ++++--- + net/bluetooth/sco.c | 7 ++++--- + 2 files changed, 8 insertions(+), 6 deletions(-) + +--- a/net/bluetooth/l2cap_sock.c ++++ b/net/bluetooth/l2cap_sock.c +@@ -457,7 +457,8 @@ static int l2cap_sock_getsockopt_old(str + struct l2cap_chan *chan = l2cap_pi(sk)->chan; + struct l2cap_options opts; + struct l2cap_conninfo cinfo; +- int len, err = 0; ++ int err = 0; ++ size_t len; + u32 opt; + + BT_DBG("sk %p", sk); +@@ -504,7 +505,7 @@ static int l2cap_sock_getsockopt_old(str + + BT_DBG("mode 0x%2.2x", chan->mode); + +- len = min_t(unsigned int, len, sizeof(opts)); ++ len = min(len, sizeof(opts)); + if (copy_to_user(optval, (char *) &opts, len)) + err = -EFAULT; + +@@ -554,7 +555,7 @@ static int l2cap_sock_getsockopt_old(str + cinfo.hci_handle = chan->conn->hcon->handle; + memcpy(cinfo.dev_class, chan->conn->hcon->dev_class, 3); + +- len = min_t(unsigned int, len, sizeof(cinfo)); ++ len = min(len, sizeof(cinfo)); + if (copy_to_user(optval, (char *) &cinfo, len)) + err = -EFAULT; + +--- a/net/bluetooth/sco.c ++++ b/net/bluetooth/sco.c +@@ -971,7 +971,8 @@ static int sco_sock_getsockopt_old(struc + struct sock *sk = sock->sk; + struct sco_options opts; + struct sco_conninfo cinfo; +- int len, err = 0; ++ int err = 0; ++ size_t len; + + BT_DBG("sk %p", sk); + +@@ -993,7 +994,7 @@ static int sco_sock_getsockopt_old(struc + + BT_DBG("mtu %u", opts.mtu); + +- len = min_t(unsigned int, len, sizeof(opts)); ++ len = min(len, sizeof(opts)); + if (copy_to_user(optval, (char *)&opts, len)) + err = -EFAULT; + +@@ -1011,7 +1012,7 @@ static int sco_sock_getsockopt_old(struc + cinfo.hci_handle = sco_pi(sk)->conn->hcon->handle; + memcpy(cinfo.dev_class, sco_pi(sk)->conn->hcon->dev_class, 3); + +- len = min_t(unsigned int, len, sizeof(cinfo)); ++ len = min(len, sizeof(cinfo)); + if (copy_to_user(optval, (char *)&cinfo, len)) + err = -EFAULT; + diff --git a/queue-6.1/bluetooth-qca-fix-null-deref-on-non-serdev-suspend.patch b/queue-6.1/bluetooth-qca-fix-null-deref-on-non-serdev-suspend.patch new file mode 100644 index 00000000000..866e6ec010b --- /dev/null +++ b/queue-6.1/bluetooth-qca-fix-null-deref-on-non-serdev-suspend.patch @@ -0,0 +1,41 @@ +From 73e87c0a49fda31d7b589edccf4c72e924411371 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 22 Apr 2024 15:57:47 +0200 +Subject: Bluetooth: qca: fix NULL-deref on non-serdev suspend + +From: Johan Hovold + +commit 73e87c0a49fda31d7b589edccf4c72e924411371 upstream. + +Qualcomm ROME controllers can be registered from the Bluetooth line +discipline and in this case the HCI UART serdev pointer is NULL. + +Add the missing sanity check to prevent a NULL-pointer dereference when +wakeup() is called for a non-serdev controller during suspend. + +Just return true for now to restore the original behaviour and address +the crash with pre-6.2 kernels, which do not have commit e9b3e5b8c657 +("Bluetooth: hci_qca: only assign wakeup with serial port support") that +causes the crash to happen already at setup() time. + +Fixes: c1a74160eaf1 ("Bluetooth: hci_qca: Add device_may_wakeup support") +Cc: stable@vger.kernel.org # 5.13 +Signed-off-by: Johan Hovold +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bluetooth/hci_qca.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/bluetooth/hci_qca.c ++++ b/drivers/bluetooth/hci_qca.c +@@ -1645,6 +1645,9 @@ static bool qca_wakeup(struct hci_dev *h + struct hci_uart *hu = hci_get_drvdata(hdev); + bool wakeup; + ++ if (!hu->serdev) ++ return true; ++ + /* BT SoC attached through the serial bus is handled by the serdev driver. + * So we need to use the device handle of the serdev driver to get the + * status of device may wakeup. diff --git a/queue-6.1/btrfs-fix-information-leak-in-btrfs_ioctl_logical_to_ino.patch b/queue-6.1/btrfs-fix-information-leak-in-btrfs_ioctl_logical_to_ino.patch new file mode 100644 index 00000000000..75724bfb06d --- /dev/null +++ b/queue-6.1/btrfs-fix-information-leak-in-btrfs_ioctl_logical_to_ino.patch @@ -0,0 +1,95 @@ +From 2f7ef5bb4a2f3e481ef05fab946edb97c84f67cf Mon Sep 17 00:00:00 2001 +From: Johannes Thumshirn +Date: Wed, 17 Apr 2024 10:45:47 +0200 +Subject: btrfs: fix information leak in btrfs_ioctl_logical_to_ino() + +From: Johannes Thumshirn + +commit 2f7ef5bb4a2f3e481ef05fab946edb97c84f67cf upstream. + +Syzbot reported the following information leak for in +btrfs_ioctl_logical_to_ino(): + + BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline] + BUG: KMSAN: kernel-infoleak in _copy_to_user+0xbc/0x110 lib/usercopy.c:40 + instrument_copy_to_user include/linux/instrumented.h:114 [inline] + _copy_to_user+0xbc/0x110 lib/usercopy.c:40 + copy_to_user include/linux/uaccess.h:191 [inline] + btrfs_ioctl_logical_to_ino+0x440/0x750 fs/btrfs/ioctl.c:3499 + btrfs_ioctl+0x714/0x1260 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:904 [inline] + __se_sys_ioctl+0x261/0x450 fs/ioctl.c:890 + __x64_sys_ioctl+0x96/0xe0 fs/ioctl.c:890 + x64_sys_call+0x1883/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:17 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + + Uninit was created at: + __kmalloc_large_node+0x231/0x370 mm/slub.c:3921 + __do_kmalloc_node mm/slub.c:3954 [inline] + __kmalloc_node+0xb07/0x1060 mm/slub.c:3973 + kmalloc_node include/linux/slab.h:648 [inline] + kvmalloc_node+0xc0/0x2d0 mm/util.c:634 + kvmalloc include/linux/slab.h:766 [inline] + init_data_container+0x49/0x1e0 fs/btrfs/backref.c:2779 + btrfs_ioctl_logical_to_ino+0x17c/0x750 fs/btrfs/ioctl.c:3480 + btrfs_ioctl+0x714/0x1260 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:904 [inline] + __se_sys_ioctl+0x261/0x450 fs/ioctl.c:890 + __x64_sys_ioctl+0x96/0xe0 fs/ioctl.c:890 + x64_sys_call+0x1883/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:17 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + + Bytes 40-65535 of 65536 are uninitialized + Memory access of size 65536 starts at ffff888045a40000 + +This happens, because we're copying a 'struct btrfs_data_container' back +to user-space. This btrfs_data_container is allocated in +'init_data_container()' via kvmalloc(), which does not zero-fill the +memory. + +Fix this by using kvzalloc() which zeroes out the memory on allocation. + +CC: stable@vger.kernel.org # 4.14+ +Reported-by: +Reviewed-by: Qu Wenruo +Reviewed-by: Filipe Manana +Signed-off-by: Johannes Thumshirn +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/backref.c | 12 +++--------- + 1 file changed, 3 insertions(+), 9 deletions(-) + +--- a/fs/btrfs/backref.c ++++ b/fs/btrfs/backref.c +@@ -2475,20 +2475,14 @@ struct btrfs_data_container *init_data_c + size_t alloc_bytes; + + alloc_bytes = max_t(size_t, total_bytes, sizeof(*data)); +- data = kvmalloc(alloc_bytes, GFP_KERNEL); ++ data = kvzalloc(alloc_bytes, GFP_KERNEL); + if (!data) + return ERR_PTR(-ENOMEM); + +- if (total_bytes >= sizeof(*data)) { ++ if (total_bytes >= sizeof(*data)) + data->bytes_left = total_bytes - sizeof(*data); +- data->bytes_missing = 0; +- } else { ++ else + data->bytes_missing = sizeof(*data) - total_bytes; +- data->bytes_left = 0; +- } +- +- data->elem_cnt = 0; +- data->elem_missed = 0; + + return data; + } diff --git a/queue-6.1/cpu-re-enable-cpu-mitigations-by-default-for-x86-architectures.patch b/queue-6.1/cpu-re-enable-cpu-mitigations-by-default-for-x86-architectures.patch new file mode 100644 index 00000000000..3794389464d --- /dev/null +++ b/queue-6.1/cpu-re-enable-cpu-mitigations-by-default-for-x86-architectures.patch @@ -0,0 +1,108 @@ +From fe42754b94a42d08cf9501790afc25c4f6a5f631 Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Fri, 19 Apr 2024 17:05:54 -0700 +Subject: cpu: Re-enable CPU mitigations by default for !X86 architectures + +From: Sean Christopherson + +commit fe42754b94a42d08cf9501790afc25c4f6a5f631 upstream. + +Rename x86's to CPU_MITIGATIONS, define it in generic code, and force it +on for all architectures exception x86. A recent commit to turn +mitigations off by default if SPECULATION_MITIGATIONS=n kinda sorta +missed that "cpu_mitigations" is completely generic, whereas +SPECULATION_MITIGATIONS is x86-specific. + +Rename x86's SPECULATIVE_MITIGATIONS instead of keeping both and have it +select CPU_MITIGATIONS, as having two configs for the same thing is +unnecessary and confusing. This will also allow x86 to use the knob to +manage mitigations that aren't strictly related to speculative +execution. + +Use another Kconfig to communicate to common code that CPU_MITIGATIONS +is already defined instead of having x86's menu depend on the common +CPU_MITIGATIONS. This allows keeping a single point of contact for all +of x86's mitigations, and it's not clear that other architectures *want* +to allow disabling mitigations at compile-time. + +Fixes: f337a6a21e2f ("x86/cpu: Actually turn off mitigations by default for SPECULATION_MITIGATIONS=n") +Closes: https://lkml.kernel.org/r/20240413115324.53303a68%40canb.auug.org.au +Reported-by: Stephen Rothwell +Reported-by: Michael Ellerman +Reported-by: Geert Uytterhoeven +Signed-off-by: Sean Christopherson +Signed-off-by: Borislav Petkov (AMD) +Acked-by: Josh Poimboeuf +Acked-by: Borislav Petkov (AMD) +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20240420000556.2645001-2-seanjc@google.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/Kconfig | 8 ++++++++ + arch/x86/Kconfig | 11 ++++++----- + kernel/cpu.c | 4 ++-- + 3 files changed, 16 insertions(+), 7 deletions(-) + +--- a/arch/Kconfig ++++ b/arch/Kconfig +@@ -9,6 +9,14 @@ + # + source "arch/$(SRCARCH)/Kconfig" + ++config ARCH_CONFIGURES_CPU_MITIGATIONS ++ bool ++ ++if !ARCH_CONFIGURES_CPU_MITIGATIONS ++config CPU_MITIGATIONS ++ def_bool y ++endif ++ + menu "General architecture-dependent options" + + config CRASH_CORE +--- a/arch/x86/Kconfig ++++ b/arch/x86/Kconfig +@@ -61,6 +61,7 @@ config X86 + select ACPI_SYSTEM_POWER_STATES_SUPPORT if ACPI + select ARCH_32BIT_OFF_T if X86_32 + select ARCH_CLOCKSOURCE_INIT ++ select ARCH_CONFIGURES_CPU_MITIGATIONS + select ARCH_CORRECT_STACKTRACE_ON_KRETPROBE + select ARCH_ENABLE_HUGEPAGE_MIGRATION if X86_64 && HUGETLB_PAGE && MIGRATION + select ARCH_ENABLE_MEMORY_HOTPLUG if X86_64 +@@ -2449,17 +2450,17 @@ config CC_HAS_SLS + config CC_HAS_RETURN_THUNK + def_bool $(cc-option,-mfunction-return=thunk-extern) + +-menuconfig SPECULATION_MITIGATIONS +- bool "Mitigations for speculative execution vulnerabilities" ++menuconfig CPU_MITIGATIONS ++ bool "Mitigations for CPU vulnerabilities" + default y + help +- Say Y here to enable options which enable mitigations for +- speculative execution hardware vulnerabilities. ++ Say Y here to enable options which enable mitigations for hardware ++ vulnerabilities (usually related to speculative execution). + + If you say N, all mitigations will be disabled. You really + should know what you are doing to say so. + +-if SPECULATION_MITIGATIONS ++if CPU_MITIGATIONS + + config PAGE_TABLE_ISOLATION + bool "Remove the kernel mapping in user mode" +--- a/kernel/cpu.c ++++ b/kernel/cpu.c +@@ -2788,8 +2788,8 @@ enum cpu_mitigations { + }; + + static enum cpu_mitigations cpu_mitigations __ro_after_init = +- IS_ENABLED(CONFIG_SPECULATION_MITIGATIONS) ? CPU_MITIGATIONS_AUTO : +- CPU_MITIGATIONS_OFF; ++ IS_ENABLED(CONFIG_CPU_MITIGATIONS) ? CPU_MITIGATIONS_AUTO : ++ CPU_MITIGATIONS_OFF; + + static int __init mitigations_parse_cmdline(char *arg) + { diff --git a/queue-6.1/drm-amdgpu-fix-leak-when-gpu-memory-allocation-fails.patch b/queue-6.1/drm-amdgpu-fix-leak-when-gpu-memory-allocation-fails.patch new file mode 100644 index 00000000000..00b21c9aa87 --- /dev/null +++ b/queue-6.1/drm-amdgpu-fix-leak-when-gpu-memory-allocation-fails.patch @@ -0,0 +1,31 @@ +From 25e9227c6afd200bed6774c866980b8e36d033af Mon Sep 17 00:00:00 2001 +From: Mukul Joshi +Date: Thu, 18 Apr 2024 11:32:34 -0400 +Subject: drm/amdgpu: Fix leak when GPU memory allocation fails + +From: Mukul Joshi + +commit 25e9227c6afd200bed6774c866980b8e36d033af upstream. + +Free the sync object if the memory allocation fails for any +reason. + +Signed-off-by: Mukul Joshi +Reviewed-by: Alex Deucher +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c +@@ -1779,6 +1779,7 @@ err_node_allow: + err_bo_create: + amdgpu_amdkfd_unreserve_mem_limit(adev, aligned_size, flags); + err_reserve_limit: ++ amdgpu_sync_free(&(*mem)->sync); + mutex_destroy(&(*mem)->lock); + if (gobj) + drm_gem_object_put(gobj); diff --git a/queue-6.1/drm-amdgpu-sdma5.2-use-legacy-hdp-flush-for-sdma2-3.patch b/queue-6.1/drm-amdgpu-sdma5.2-use-legacy-hdp-flush-for-sdma2-3.patch new file mode 100644 index 00000000000..b45f635303a --- /dev/null +++ b/queue-6.1/drm-amdgpu-sdma5.2-use-legacy-hdp-flush-for-sdma2-3.patch @@ -0,0 +1,57 @@ +From 9792b7cc18aaa0c2acae6af5d0acf249bcb1ab0d Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Sun, 14 Apr 2024 21:20:56 -0400 +Subject: drm/amdgpu/sdma5.2: use legacy HDP flush for SDMA2/3 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alex Deucher + +commit 9792b7cc18aaa0c2acae6af5d0acf249bcb1ab0d upstream. + +This avoids a potential conflict with firmwares with the newer +HDP flush mechanism. + +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/sdma_v5_2.c | 24 ++++++++++++++---------- + 1 file changed, 14 insertions(+), 10 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/sdma_v5_2.c ++++ b/drivers/gpu/drm/amd/amdgpu/sdma_v5_2.c +@@ -345,17 +345,21 @@ static void sdma_v5_2_ring_emit_hdp_flus + u32 ref_and_mask = 0; + const struct nbio_hdp_flush_reg *nbio_hf_reg = adev->nbio.hdp_flush_reg; + +- ref_and_mask = nbio_hf_reg->ref_and_mask_sdma0 << ring->me; ++ if (ring->me > 1) { ++ amdgpu_asic_flush_hdp(adev, ring); ++ } else { ++ ref_and_mask = nbio_hf_reg->ref_and_mask_sdma0 << ring->me; + +- amdgpu_ring_write(ring, SDMA_PKT_HEADER_OP(SDMA_OP_POLL_REGMEM) | +- SDMA_PKT_POLL_REGMEM_HEADER_HDP_FLUSH(1) | +- SDMA_PKT_POLL_REGMEM_HEADER_FUNC(3)); /* == */ +- amdgpu_ring_write(ring, (adev->nbio.funcs->get_hdp_flush_done_offset(adev)) << 2); +- amdgpu_ring_write(ring, (adev->nbio.funcs->get_hdp_flush_req_offset(adev)) << 2); +- amdgpu_ring_write(ring, ref_and_mask); /* reference */ +- amdgpu_ring_write(ring, ref_and_mask); /* mask */ +- amdgpu_ring_write(ring, SDMA_PKT_POLL_REGMEM_DW5_RETRY_COUNT(0xfff) | +- SDMA_PKT_POLL_REGMEM_DW5_INTERVAL(10)); /* retry count, poll interval */ ++ amdgpu_ring_write(ring, SDMA_PKT_HEADER_OP(SDMA_OP_POLL_REGMEM) | ++ SDMA_PKT_POLL_REGMEM_HEADER_HDP_FLUSH(1) | ++ SDMA_PKT_POLL_REGMEM_HEADER_FUNC(3)); /* == */ ++ amdgpu_ring_write(ring, (adev->nbio.funcs->get_hdp_flush_done_offset(adev)) << 2); ++ amdgpu_ring_write(ring, (adev->nbio.funcs->get_hdp_flush_req_offset(adev)) << 2); ++ amdgpu_ring_write(ring, ref_and_mask); /* reference */ ++ amdgpu_ring_write(ring, ref_and_mask); /* mask */ ++ amdgpu_ring_write(ring, SDMA_PKT_POLL_REGMEM_DW5_RETRY_COUNT(0xfff) | ++ SDMA_PKT_POLL_REGMEM_DW5_INTERVAL(10)); /* retry count, poll interval */ ++ } + } + + /** diff --git a/queue-6.1/hid-i2c-hid-remove-i2c_hid_read_pending-flag-to-prevent-lock-up.patch b/queue-6.1/hid-i2c-hid-remove-i2c_hid_read_pending-flag-to-prevent-lock-up.patch new file mode 100644 index 00000000000..cb32b0937ee --- /dev/null +++ b/queue-6.1/hid-i2c-hid-remove-i2c_hid_read_pending-flag-to-prevent-lock-up.patch @@ -0,0 +1,71 @@ +From 9c0f59e47a90c54d0153f8ddc0f80d7a36207d0e Mon Sep 17 00:00:00 2001 +From: Nam Cao +Date: Mon, 18 Mar 2024 11:59:02 +0100 +Subject: HID: i2c-hid: remove I2C_HID_READ_PENDING flag to prevent lock-up + +From: Nam Cao + +commit 9c0f59e47a90c54d0153f8ddc0f80d7a36207d0e upstream. + +The flag I2C_HID_READ_PENDING is used to serialize I2C operations. +However, this is not necessary, because I2C core already has its own +locking for that. + +More importantly, this flag can cause a lock-up: if the flag is set in +i2c_hid_xfer() and an interrupt happens, the interrupt handler +(i2c_hid_irq) will check this flag and return immediately without doing +anything, then the interrupt handler will be invoked again in an +infinite loop. + +Since interrupt handler is an RT task, it takes over the CPU and the +flag-clearing task never gets scheduled, thus we have a lock-up. + +Delete this unnecessary flag. + +Reported-and-tested-by: Eva Kurchatova +Closes: https://lore.kernel.org/r/CA+eeCSPUDpUg76ZO8dszSbAGn+UHjcyv8F1J-CUPVARAzEtW9w@mail.gmail.com +Fixes: 4a200c3b9a40 ("HID: i2c-hid: introduce HID over i2c specification implementation") +Cc: +Signed-off-by: Nam Cao +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/i2c-hid/i2c-hid-core.c | 9 --------- + 1 file changed, 9 deletions(-) + +--- a/drivers/hid/i2c-hid/i2c-hid-core.c ++++ b/drivers/hid/i2c-hid/i2c-hid-core.c +@@ -61,7 +61,6 @@ + /* flags */ + #define I2C_HID_STARTED 0 + #define I2C_HID_RESET_PENDING 1 +-#define I2C_HID_READ_PENDING 2 + + #define I2C_HID_PWR_ON 0x00 + #define I2C_HID_PWR_SLEEP 0x01 +@@ -193,15 +192,10 @@ static int i2c_hid_xfer(struct i2c_hid * + msgs[n].len = recv_len; + msgs[n].buf = recv_buf; + n++; +- +- set_bit(I2C_HID_READ_PENDING, &ihid->flags); + } + + ret = i2c_transfer(client->adapter, msgs, n); + +- if (recv_len) +- clear_bit(I2C_HID_READ_PENDING, &ihid->flags); +- + if (ret != n) + return ret < 0 ? ret : -EIO; + +@@ -569,9 +563,6 @@ static irqreturn_t i2c_hid_irq(int irq, + { + struct i2c_hid *ihid = dev_id; + +- if (test_bit(I2C_HID_READ_PENDING, &ihid->flags)) +- return IRQ_HANDLED; +- + i2c_hid_get_input(ihid); + + return IRQ_HANDLED; diff --git a/queue-6.1/irqchip-gic-v3-its-prevent-double-free-on-error.patch b/queue-6.1/irqchip-gic-v3-its-prevent-double-free-on-error.patch new file mode 100644 index 00000000000..bbf15081613 --- /dev/null +++ b/queue-6.1/irqchip-gic-v3-its-prevent-double-free-on-error.patch @@ -0,0 +1,52 @@ +From c26591afd33adce296c022e3480dea4282b7ef91 Mon Sep 17 00:00:00 2001 +From: Guanrui Huang +Date: Thu, 18 Apr 2024 14:10:52 +0800 +Subject: irqchip/gic-v3-its: Prevent double free on error + +From: Guanrui Huang + +commit c26591afd33adce296c022e3480dea4282b7ef91 upstream. + +The error handling path in its_vpe_irq_domain_alloc() causes a double free +when its_vpe_init() fails after successfully allocating at least one +interrupt. This happens because its_vpe_irq_domain_free() frees the +interrupts along with the area bitmap and the vprop_page and +its_vpe_irq_domain_alloc() subsequently frees the area bitmap and the +vprop_page again. + +Fix this by unconditionally invoking its_vpe_irq_domain_free() which +handles all cases correctly and by removing the bitmap/vprop_page freeing +from its_vpe_irq_domain_alloc(). + +[ tglx: Massaged change log ] + +Fixes: 7d75bbb4bc1a ("irqchip/gic-v3-its: Add VPE irq domain allocation/teardown") +Signed-off-by: Guanrui Huang +Signed-off-by: Thomas Gleixner +Reviewed-by: Marc Zyngier +Reviewed-by: Zenghui Yu +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20240418061053.96803-2-guanrui.huang@linux.alibaba.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/irqchip/irq-gic-v3-its.c | 9 ++------- + 1 file changed, 2 insertions(+), 7 deletions(-) + +--- a/drivers/irqchip/irq-gic-v3-its.c ++++ b/drivers/irqchip/irq-gic-v3-its.c +@@ -4535,13 +4535,8 @@ static int its_vpe_irq_domain_alloc(stru + set_bit(i, bitmap); + } + +- if (err) { +- if (i > 0) +- its_vpe_irq_domain_free(domain, virq, i); +- +- its_lpi_free(bitmap, base, nr_ids); +- its_free_prop_table(vprop_page); +- } ++ if (err) ++ its_vpe_irq_domain_free(domain, virq, i); + + return err; + } diff --git a/queue-6.1/loongarch-fix-access-error-when-read-fault-on-a-write-only-vma.patch b/queue-6.1/loongarch-fix-access-error-when-read-fault-on-a-write-only-vma.patch new file mode 100644 index 00000000000..3cde22dd251 --- /dev/null +++ b/queue-6.1/loongarch-fix-access-error-when-read-fault-on-a-write-only-vma.patch @@ -0,0 +1,42 @@ +From efb44ff64c95340b06331fc48634b99efc9dd77c Mon Sep 17 00:00:00 2001 +From: Jiantao Shan +Date: Wed, 24 Apr 2024 12:36:07 +0800 +Subject: LoongArch: Fix access error when read fault on a write-only VMA + +From: Jiantao Shan + +commit efb44ff64c95340b06331fc48634b99efc9dd77c upstream. + +As with most architectures, allow handling of read faults in VMAs that +have VM_WRITE but without VM_READ (WRITE implies READ). + +Otherwise, reading before writing a write-only memory will error while +reading after writing everything is fine. + +BTW, move the VM_EXEC judgement before VM_READ/VM_WRITE to make logic a +little clearer. + +Cc: stable@vger.kernel.org +Fixes: 09cfefb7fa70c3af01 ("LoongArch: Add memory management") +Signed-off-by: Jiantao Shan +Signed-off-by: Huacai Chen +Signed-off-by: Greg Kroah-Hartman +--- + arch/loongarch/mm/fault.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/loongarch/mm/fault.c ++++ b/arch/loongarch/mm/fault.c +@@ -193,10 +193,10 @@ good_area: + if (!(vma->vm_flags & VM_WRITE)) + goto bad_area; + } else { +- if (!(vma->vm_flags & VM_READ) && address != exception_era(regs)) +- goto bad_area; + if (!(vma->vm_flags & VM_EXEC) && address == exception_era(regs)) + goto bad_area; ++ if (!(vma->vm_flags & (VM_READ | VM_WRITE)) && address != exception_era(regs)) ++ goto bad_area; + } + + /* diff --git a/queue-6.1/loongarch-fix-callchain-parse-error-with-kernel-tracepoint-events.patch b/queue-6.1/loongarch-fix-callchain-parse-error-with-kernel-tracepoint-events.patch new file mode 100644 index 00000000000..cfd4a2d1c84 --- /dev/null +++ b/queue-6.1/loongarch-fix-callchain-parse-error-with-kernel-tracepoint-events.patch @@ -0,0 +1,117 @@ +From d3119bc985fb645ad3b2a9cf9952c1d56d9daaa3 Mon Sep 17 00:00:00 2001 +From: Huacai Chen +Date: Wed, 24 Apr 2024 12:36:07 +0800 +Subject: LoongArch: Fix callchain parse error with kernel tracepoint events + +From: Huacai Chen + +commit d3119bc985fb645ad3b2a9cf9952c1d56d9daaa3 upstream. + +In order to fix perf's callchain parse error for LoongArch, we implement +perf_arch_fetch_caller_regs() which fills several necessary registers +used for callchain unwinding, including sp, fp, and era. This is similar +to the following commits. + +commit b3eac0265bf6: +("arm: perf: Fix callchain parse error with kernel tracepoint events") + +commit 5b09a094f2fb: +("arm64: perf: Fix callchain parse error with kernel tracepoint events") + +commit 9a7e8ec0d4cc: +("riscv: perf: Fix callchain parse error with kernel tracepoint events") + +Test with commands: + + perf record -e sched:sched_switch -g --call-graph dwarf + perf report + +Without this patch: + + Children Self Command Shared Object Symbol + ........ ........ ............. ................. .................... + + 43.41% 43.41% swapper [unknown] [k] 0000000000000000 + + 10.94% 10.94% loong-container [unknown] [k] 0000000000000000 + | + |--5.98%--0x12006ba38 + | + |--2.56%--0x12006bb84 + | + --2.40%--0x12006b6b8 + +With this patch, callchain can be parsed correctly: + + Children Self Command Shared Object Symbol + ........ ........ ............. ................. .................... + + 47.57% 47.57% swapper [kernel.vmlinux] [k] __schedule + | + ---__schedule + + 26.76% 26.76% loong-container [kernel.vmlinux] [k] __schedule + | + |--13.78%--0x12006ba38 + | | + | |--9.19%--__schedule + | | + | --4.59%--handle_syscall + | do_syscall + | sys_futex + | do_futex + | futex_wait + | futex_wait_queue_me + | hrtimer_start_range_ns + | __schedule + | + |--8.38%--0x12006bb84 + | handle_syscall + | do_syscall + | sys_epoll_pwait + | do_epoll_wait + | schedule_hrtimeout_range_clock + | hrtimer_start_range_ns + | __schedule + | + --4.59%--0x12006b6b8 + handle_syscall + do_syscall + sys_nanosleep + hrtimer_nanosleep + do_nanosleep + hrtimer_start_range_ns + __schedule + +Cc: stable@vger.kernel.org +Fixes: b37042b2bb7cd751f0 ("LoongArch: Add perf events support") +Reported-by: Youling Tang +Suggested-by: Youling Tang +Signed-off-by: Huacai Chen +Signed-off-by: Greg Kroah-Hartman +--- + arch/loongarch/include/asm/perf_event.h | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/arch/loongarch/include/asm/perf_event.h b/arch/loongarch/include/asm/perf_event.h +index 2a35a0bc2aaa..52b638059e40 100644 +--- a/arch/loongarch/include/asm/perf_event.h ++++ b/arch/loongarch/include/asm/perf_event.h +@@ -7,6 +7,14 @@ + #ifndef __LOONGARCH_PERF_EVENT_H__ + #define __LOONGARCH_PERF_EVENT_H__ + ++#include ++ + #define perf_arch_bpf_user_pt_regs(regs) (struct user_pt_regs *)regs + ++#define perf_arch_fetch_caller_regs(regs, __ip) { \ ++ (regs)->csr_era = (__ip); \ ++ (regs)->regs[3] = current_stack_pointer; \ ++ (regs)->regs[22] = (unsigned long) __builtin_frame_address(0); \ ++} ++ + #endif /* __LOONGARCH_PERF_EVENT_H__ */ +-- +2.44.0 + diff --git a/queue-6.1/mmc-sdhci-msm-pervent-access-to-suspended-controller.patch b/queue-6.1/mmc-sdhci-msm-pervent-access-to-suspended-controller.patch new file mode 100644 index 00000000000..67213c8a1c5 --- /dev/null +++ b/queue-6.1/mmc-sdhci-msm-pervent-access-to-suspended-controller.patch @@ -0,0 +1,64 @@ +From f8def10f73a516b771051a2f70f2f0446902cb4f Mon Sep 17 00:00:00 2001 +From: Mantas Pucka +Date: Thu, 21 Mar 2024 14:30:01 +0000 +Subject: mmc: sdhci-msm: pervent access to suspended controller + +From: Mantas Pucka + +commit f8def10f73a516b771051a2f70f2f0446902cb4f upstream. + +Generic sdhci code registers LED device and uses host->runtime_suspended +flag to protect access to it. The sdhci-msm driver doesn't set this flag, +which causes a crash when LED is accessed while controller is runtime +suspended. Fix this by setting the flag correctly. + +Cc: stable@vger.kernel.org +Fixes: 67e6db113c90 ("mmc: sdhci-msm: Add pm_runtime and system PM support") +Signed-off-by: Mantas Pucka +Acked-by: Adrian Hunter +Link: https://lore.kernel.org/r/20240321-sdhci-mmc-suspend-v1-1-fbc555a64400@8devices.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/sdhci-msm.c | 16 +++++++++++++++- + 1 file changed, 15 insertions(+), 1 deletion(-) + +--- a/drivers/mmc/host/sdhci-msm.c ++++ b/drivers/mmc/host/sdhci-msm.c +@@ -2831,6 +2831,11 @@ static __maybe_unused int sdhci_msm_runt + struct sdhci_host *host = dev_get_drvdata(dev); + struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host); + struct sdhci_msm_host *msm_host = sdhci_pltfm_priv(pltfm_host); ++ unsigned long flags; ++ ++ spin_lock_irqsave(&host->lock, flags); ++ host->runtime_suspended = true; ++ spin_unlock_irqrestore(&host->lock, flags); + + /* Drop the performance vote */ + dev_pm_opp_set_rate(dev, 0); +@@ -2845,6 +2850,7 @@ static __maybe_unused int sdhci_msm_runt + struct sdhci_host *host = dev_get_drvdata(dev); + struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host); + struct sdhci_msm_host *msm_host = sdhci_pltfm_priv(pltfm_host); ++ unsigned long flags; + int ret; + + ret = clk_bulk_prepare_enable(ARRAY_SIZE(msm_host->bulk_clks), +@@ -2863,7 +2869,15 @@ static __maybe_unused int sdhci_msm_runt + + dev_pm_opp_set_rate(dev, msm_host->clk_rate); + +- return sdhci_msm_ice_resume(msm_host); ++ ret = sdhci_msm_ice_resume(msm_host); ++ if (ret) ++ return ret; ++ ++ spin_lock_irqsave(&host->lock, flags); ++ host->runtime_suspended = false; ++ spin_unlock_irqrestore(&host->lock, flags); ++ ++ return ret; + } + + static const struct dev_pm_ops sdhci_msm_pm_ops = { diff --git a/queue-6.1/rust-don-t-select-constructors.patch b/queue-6.1/rust-don-t-select-constructors.patch new file mode 100644 index 00000000000..4d3f85bb073 --- /dev/null +++ b/queue-6.1/rust-don-t-select-constructors.patch @@ -0,0 +1,40 @@ +From 7d49f53af4b988b188d3932deac2c9c80fd7d9ce Mon Sep 17 00:00:00 2001 +From: Alice Ryhl +Date: Fri, 8 Mar 2024 09:36:31 +0000 +Subject: rust: don't select CONSTRUCTORS + +From: Alice Ryhl + +commit 7d49f53af4b988b188d3932deac2c9c80fd7d9ce upstream. + +This was originally part of commit 4b9a68f2e59a0 ("rust: add support for +static synchronisation primitives") from the old Rust branch, which used +module constructors to initialize globals containing various +synchronisation primitives with pin-init. That commit has never been +upstreamed, but the `select CONSTRUCTORS` statement ended up being +included in the patch that initially added Rust support to the Linux +Kernel. + +We are not using module constructors, so let's remove the select. + +Signed-off-by: Alice Ryhl +Reviewed-by: Benno Lossin +Cc: stable@vger.kernel.org +Fixes: 2f7ab1267dc9 ("Kbuild: add Rust support") +Link: https://lore.kernel.org/r/20240308-constructors-v1-1-4c811342391c@google.com +Signed-off-by: Miguel Ojeda +Signed-off-by: Greg Kroah-Hartman +--- + init/Kconfig | 1 - + 1 file changed, 1 deletion(-) + +--- a/init/Kconfig ++++ b/init/Kconfig +@@ -1924,7 +1924,6 @@ config RUST + depends on !GCC_PLUGINS + depends on !RANDSTRUCT + depends on !DEBUG_INFO_BTF || PAHOLE_HAS_LANG_EXCLUDE +- select CONSTRUCTORS + help + Enables Rust support in the kernel. + diff --git a/queue-6.1/rust-kernel-require-send-for-module-implementations.patch b/queue-6.1/rust-kernel-require-send-for-module-implementations.patch new file mode 100644 index 00000000000..71dc25af31a --- /dev/null +++ b/queue-6.1/rust-kernel-require-send-for-module-implementations.patch @@ -0,0 +1,39 @@ +From 323617f649c0966ad5e741e47e27e06d3a680d8f Mon Sep 17 00:00:00 2001 +From: Wedson Almeida Filho +Date: Thu, 28 Mar 2024 16:54:54 -0300 +Subject: rust: kernel: require `Send` for `Module` implementations + +From: Wedson Almeida Filho + +commit 323617f649c0966ad5e741e47e27e06d3a680d8f upstream. + +The thread that calls the module initialisation code when a module is +loaded is not guaranteed [in fact, it is unlikely] to be the same one +that calls the module cleanup code on module unload, therefore, `Module` +implementations must be `Send` to account for them moving from one +thread to another implicitly. + +Signed-off-by: Wedson Almeida Filho +Reviewed-by: Alice Ryhl +Reviewed-by: Benno Lossin +Cc: stable@vger.kernel.org # 6.8.x: df70d04d5697: rust: phy: implement `Send` for `Registration` +Cc: stable@vger.kernel.org +Fixes: 247b365dc8dc ("rust: add `kernel` crate") +Link: https://lore.kernel.org/r/20240328195457.225001-3-wedsonaf@gmail.com +Signed-off-by: Miguel Ojeda +Signed-off-by: Greg Kroah-Hartman +--- + rust/kernel/lib.rs | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/rust/kernel/lib.rs ++++ b/rust/kernel/lib.rs +@@ -37,7 +37,7 @@ const __LOG_PREFIX: &[u8] = b"rust_kerne + /// The top level entrypoint to implementing a kernel module. + /// + /// For any teardown or cleanup operations, your type may implement [`Drop`]. +-pub trait Module: Sized + Sync { ++pub trait Module: Sized + Sync + Send { + /// Called at module initialization time. + /// + /// Use this method to perform whatever setup or registration your module diff --git a/queue-6.1/rust-make-mutually-exclusive-with-cfi_clang.patch b/queue-6.1/rust-make-mutually-exclusive-with-cfi_clang.patch new file mode 100644 index 00000000000..465bfa46787 --- /dev/null +++ b/queue-6.1/rust-make-mutually-exclusive-with-cfi_clang.patch @@ -0,0 +1,50 @@ +From 8933cf4651e02853ca679be7b2d978dfcdcc5e0c Mon Sep 17 00:00:00 2001 +From: Conor Dooley +Date: Thu, 4 Apr 2024 15:17:02 +0100 +Subject: rust: make mutually exclusive with CFI_CLANG + +From: Conor Dooley + +commit 8933cf4651e02853ca679be7b2d978dfcdcc5e0c upstream. + +On RISC-V and arm64, and presumably x86, if CFI_CLANG is enabled, +loading a rust module will trigger a kernel panic. Support for +sanitisers, including kcfi (CFI_CLANG), is in the works, but for now +they're nightly-only options in rustc. Make RUST depend on !CFI_CLANG +to prevent configuring a kernel without symmetrical support for kfi. + +[ Matthew Maurer writes [1]: + + This patch is fine by me - the last patch needed for KCFI to be + functional in Rust just landed upstream last night, so we should + revisit this (in the form of enabling it) once we move to + `rustc-1.79.0` or later. + + Ramon de C Valle also gave feedback [2] on the status of KCFI for + Rust and created a tracking issue [3] in upstream Rust. - Miguel ] + +Fixes: 2f7ab1267dc9 ("Kbuild: add Rust support") +Cc: stable@vger.kernel.org +Signed-off-by: Conor Dooley +Acked-by: Nathan Chancellor +Link: https://lore.kernel.org/rust-for-linux/CAGSQo024u1gHJgzsO38Xg3c4or+JupoPABQx_+0BLEpPg0cOEA@mail.gmail.com/ [1] +Link: https://lore.kernel.org/rust-for-linux/CAOcBZOS2kPyH0Dm7Fuh4GC3=v7nZhyzBj_-dKu3PfAnrHZvaxg@mail.gmail.com/ [2] +Link: https://github.com/rust-lang/rust/issues/123479 [3] +Link: https://lore.kernel.org/r/20240404-providing-emporium-e652e359c711@spud +[ Added feedback from the list, links, and used Cc for the tag. ] +Signed-off-by: Miguel Ojeda +Signed-off-by: Greg Kroah-Hartman +--- + init/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +--- a/init/Kconfig ++++ b/init/Kconfig +@@ -1920,6 +1920,7 @@ config RUST + bool "Rust support" + depends on HAVE_RUST + depends on RUST_IS_AVAILABLE ++ depends on !CFI_CLANG + depends on !MODVERSIONS + depends on !GCC_PLUGINS + depends on !RANDSTRUCT diff --git a/queue-6.1/series b/queue-6.1/series index 8b02ab09e07..0a73c76a6e6 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -61,3 +61,24 @@ revert-crypto-api-disallow-identical-driver-names.patch virtio_net-do-not-send-rss-key-if-it-is-not-supported.patch fork-defer-linking-file-vma-until-vma-is-fully-initialized.patch x86-cpu-fix-check-for-rdpkru-in-__show_regs.patch +rust-kernel-require-send-for-module-implementations.patch +rust-don-t-select-constructors.patch +rust-make-mutually-exclusive-with-cfi_clang.patch +bluetooth-fix-type-of-len-in-l2cap-sco-_sock_getsockopt_old.patch +bluetooth-btusb-add-realtek-rtl8852be-support-id-0x0bda-0x4853.patch +bluetooth-qca-fix-null-deref-on-non-serdev-suspend.patch +mmc-sdhci-msm-pervent-access-to-suspended-controller.patch +smb-client-fix-struct_group-usage-in-__packed-structs.patch +smb3-fix-lock-ordering-potential-deadlock-in-cifs_sync_mid_result.patch +hid-i2c-hid-remove-i2c_hid_read_pending-flag-to-prevent-lock-up.patch +btrfs-fix-information-leak-in-btrfs_ioctl_logical_to_ino.patch +cpu-re-enable-cpu-mitigations-by-default-for-x86-architectures.patch +loongarch-fix-callchain-parse-error-with-kernel-tracepoint-events.patch +loongarch-fix-access-error-when-read-fault-on-a-write-only-vma.patch +arm64-dts-rockchip-enable-internal-pull-up-for-q7_thrm-on-rk3399-puma.patch +drm-amdgpu-sdma5.2-use-legacy-hdp-flush-for-sdma2-3.patch +drm-amdgpu-fix-leak-when-gpu-memory-allocation-fails.patch +irqchip-gic-v3-its-prevent-double-free-on-error.patch +acpi-cppc-use-access_width-over-bit_width-for-system-memory-accesses.patch +acpi-cppc-fix-bit_offset-shift-in-mask_val-macro.patch +acpi-cppc-fix-access-width-used-for-pcc-registers.patch diff --git a/queue-6.1/smb-client-fix-struct_group-usage-in-__packed-structs.patch b/queue-6.1/smb-client-fix-struct_group-usage-in-__packed-structs.patch new file mode 100644 index 00000000000..9b9b0915a4e --- /dev/null +++ b/queue-6.1/smb-client-fix-struct_group-usage-in-__packed-structs.patch @@ -0,0 +1,219 @@ +From 9a1f1d04f63c59550a5364858b46eeffdf03e8d6 Mon Sep 17 00:00:00 2001 +From: "Gustavo A. R. Silva" +Date: Tue, 23 Apr 2024 20:41:22 -0600 +Subject: smb: client: Fix struct_group() usage in __packed structs + +From: Gustavo A. R. Silva + +commit 9a1f1d04f63c59550a5364858b46eeffdf03e8d6 upstream. + +Use struct_group_attr() in __packed structs, instead of struct_group(). + +Below you can see the pahole output before/after changes: + +pahole -C smb2_file_network_open_info fs/smb/client/smb2ops.o +struct smb2_file_network_open_info { + union { + struct { + __le64 CreationTime; /* 0 8 */ + __le64 LastAccessTime; /* 8 8 */ + __le64 LastWriteTime; /* 16 8 */ + __le64 ChangeTime; /* 24 8 */ + __le64 AllocationSize; /* 32 8 */ + __le64 EndOfFile; /* 40 8 */ + __le32 Attributes; /* 48 4 */ + }; /* 0 56 */ + struct { + __le64 CreationTime; /* 0 8 */ + __le64 LastAccessTime; /* 8 8 */ + __le64 LastWriteTime; /* 16 8 */ + __le64 ChangeTime; /* 24 8 */ + __le64 AllocationSize; /* 32 8 */ + __le64 EndOfFile; /* 40 8 */ + __le32 Attributes; /* 48 4 */ + } network_open_info; /* 0 56 */ + }; /* 0 56 */ + __le32 Reserved; /* 56 4 */ + + /* size: 60, cachelines: 1, members: 2 */ + /* last cacheline: 60 bytes */ +} __attribute__((__packed__)); + +pahole -C smb2_file_network_open_info fs/smb/client/smb2ops.o +struct smb2_file_network_open_info { + union { + struct { + __le64 CreationTime; /* 0 8 */ + __le64 LastAccessTime; /* 8 8 */ + __le64 LastWriteTime; /* 16 8 */ + __le64 ChangeTime; /* 24 8 */ + __le64 AllocationSize; /* 32 8 */ + __le64 EndOfFile; /* 40 8 */ + __le32 Attributes; /* 48 4 */ + } __attribute__((__packed__)); /* 0 52 */ + struct { + __le64 CreationTime; /* 0 8 */ + __le64 LastAccessTime; /* 8 8 */ + __le64 LastWriteTime; /* 16 8 */ + __le64 ChangeTime; /* 24 8 */ + __le64 AllocationSize; /* 32 8 */ + __le64 EndOfFile; /* 40 8 */ + __le32 Attributes; /* 48 4 */ + } __attribute__((__packed__)) network_open_info; /* 0 52 */ + }; /* 0 52 */ + __le32 Reserved; /* 52 4 */ + + /* size: 56, cachelines: 1, members: 2 */ + /* last cacheline: 56 bytes */ +}; + +pahole -C smb_com_open_rsp fs/smb/client/cifssmb.o +struct smb_com_open_rsp { + ... + + union { + struct { + __le64 CreationTime; /* 48 8 */ + __le64 LastAccessTime; /* 56 8 */ + /* --- cacheline 1 boundary (64 bytes) --- */ + __le64 LastWriteTime; /* 64 8 */ + __le64 ChangeTime; /* 72 8 */ + __le32 FileAttributes; /* 80 4 */ + }; /* 48 40 */ + struct { + __le64 CreationTime; /* 48 8 */ + __le64 LastAccessTime; /* 56 8 */ + /* --- cacheline 1 boundary (64 bytes) --- */ + __le64 LastWriteTime; /* 64 8 */ + __le64 ChangeTime; /* 72 8 */ + __le32 FileAttributes; /* 80 4 */ + } common_attributes; /* 48 40 */ + }; /* 48 40 */ + + ... + + /* size: 111, cachelines: 2, members: 14 */ + /* last cacheline: 47 bytes */ +} __attribute__((__packed__)); + +pahole -C smb_com_open_rsp fs/smb/client/cifssmb.o +struct smb_com_open_rsp { + ... + + union { + struct { + __le64 CreationTime; /* 48 8 */ + __le64 LastAccessTime; /* 56 8 */ + /* --- cacheline 1 boundary (64 bytes) --- */ + __le64 LastWriteTime; /* 64 8 */ + __le64 ChangeTime; /* 72 8 */ + __le32 FileAttributes; /* 80 4 */ + } __attribute__((__packed__)); /* 48 36 */ + struct { + __le64 CreationTime; /* 48 8 */ + __le64 LastAccessTime; /* 56 8 */ + /* --- cacheline 1 boundary (64 bytes) --- */ + __le64 LastWriteTime; /* 64 8 */ + __le64 ChangeTime; /* 72 8 */ + __le32 FileAttributes; /* 80 4 */ + } __attribute__((__packed__)) common_attributes; /* 48 36 */ + }; /* 48 36 */ + + ... + + /* size: 107, cachelines: 2, members: 14 */ + /* last cacheline: 43 bytes */ +} __attribute__((__packed__)); + +pahole -C FILE_ALL_INFO fs/smb/client/cifssmb.o +typedef struct { + union { + struct { + __le64 CreationTime; /* 0 8 */ + __le64 LastAccessTime; /* 8 8 */ + __le64 LastWriteTime; /* 16 8 */ + __le64 ChangeTime; /* 24 8 */ + __le32 Attributes; /* 32 4 */ + }; /* 0 40 */ + struct { + __le64 CreationTime; /* 0 8 */ + __le64 LastAccessTime; /* 8 8 */ + __le64 LastWriteTime; /* 16 8 */ + __le64 ChangeTime; /* 24 8 */ + __le32 Attributes; /* 32 4 */ + } common_attributes; /* 0 40 */ + }; /* 0 40 */ + + ... + + /* size: 113, cachelines: 2, members: 17 */ + /* last cacheline: 49 bytes */ +} __attribute__((__packed__)) FILE_ALL_INFO; + +pahole -C FILE_ALL_INFO fs/smb/client/cifssmb.o +typedef struct { + union { + struct { + __le64 CreationTime; /* 0 8 */ + __le64 LastAccessTime; /* 8 8 */ + __le64 LastWriteTime; /* 16 8 */ + __le64 ChangeTime; /* 24 8 */ + __le32 Attributes; /* 32 4 */ + } __attribute__((__packed__)); /* 0 36 */ + struct { + __le64 CreationTime; /* 0 8 */ + __le64 LastAccessTime; /* 8 8 */ + __le64 LastWriteTime; /* 16 8 */ + __le64 ChangeTime; /* 24 8 */ + __le32 Attributes; /* 32 4 */ + } __attribute__((__packed__)) common_attributes; /* 0 36 */ + }; /* 0 36 */ + + ... + + /* size: 109, cachelines: 2, members: 17 */ + /* last cacheline: 45 bytes */ +} __attribute__((__packed__)) FILE_ALL_INFO; + +Fixes: 0015eb6e1238 ("smb: client, common: fix fortify warnings") +Cc: stable@vger.kernel.org +Reviewed-by: Namjae Jeon +Signed-off-by: Gustavo A. R. Silva +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/cifspdu.h | 4 ++-- + fs/smb/client/smb2pdu.h | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +--- a/fs/smb/client/cifspdu.h ++++ b/fs/smb/client/cifspdu.h +@@ -882,7 +882,7 @@ typedef struct smb_com_open_rsp { + __u8 OplockLevel; + __u16 Fid; + __le32 CreateAction; +- struct_group(common_attributes, ++ struct_group_attr(common_attributes, __packed, + __le64 CreationTime; + __le64 LastAccessTime; + __le64 LastWriteTime; +@@ -2270,7 +2270,7 @@ typedef struct { + /* QueryFileInfo/QueryPathinfo (also for SetPath/SetFile) data buffer formats */ + /******************************************************************************/ + typedef struct { /* data block encoding of response to level 263 QPathInfo */ +- struct_group(common_attributes, ++ struct_group_attr(common_attributes, __packed, + __le64 CreationTime; + __le64 LastAccessTime; + __le64 LastWriteTime; +--- a/fs/smb/client/smb2pdu.h ++++ b/fs/smb/client/smb2pdu.h +@@ -339,7 +339,7 @@ struct smb2_file_reparse_point_info { + } __packed; + + struct smb2_file_network_open_info { +- struct_group(network_open_info, ++ struct_group_attr(network_open_info, __packed, + __le64 CreationTime; + __le64 LastAccessTime; + __le64 LastWriteTime; diff --git a/queue-6.1/smb3-fix-lock-ordering-potential-deadlock-in-cifs_sync_mid_result.patch b/queue-6.1/smb3-fix-lock-ordering-potential-deadlock-in-cifs_sync_mid_result.patch new file mode 100644 index 00000000000..546b76f1700 --- /dev/null +++ b/queue-6.1/smb3-fix-lock-ordering-potential-deadlock-in-cifs_sync_mid_result.patch @@ -0,0 +1,41 @@ +From 8861fd5180476f45f9e8853db154600469a0284f Mon Sep 17 00:00:00 2001 +From: Steve French +Date: Thu, 25 Apr 2024 12:49:50 -0500 +Subject: smb3: fix lock ordering potential deadlock in cifs_sync_mid_result + +From: Steve French + +commit 8861fd5180476f45f9e8853db154600469a0284f upstream. + +Coverity spotted that the cifs_sync_mid_result function could deadlock + +"Thread deadlock (ORDER_REVERSAL) lock_order: Calling spin_lock acquires +lock TCP_Server_Info.srv_lock while holding lock TCP_Server_Info.mid_lock" + +Addresses-Coverity: 1590401 ("Thread deadlock (ORDER_REVERSAL)") +Cc: stable@vger.kernel.org +Reviewed-by: Shyam Prasad N +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/transport.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/smb/client/transport.c ++++ b/fs/smb/client/transport.c +@@ -931,12 +931,15 @@ cifs_sync_mid_result(struct mid_q_entry + list_del_init(&mid->qhead); + mid->mid_flags |= MID_DELETED; + } ++ spin_unlock(&server->mid_lock); + cifs_server_dbg(VFS, "%s: invalid mid state mid=%llu state=%d\n", + __func__, mid->mid, mid->mid_state); + rc = -EIO; ++ goto sync_mid_done; + } + spin_unlock(&server->mid_lock); + ++sync_mid_done: + release_mid(mid); + return rc; + }