From: Sasha Levin Date: Tue, 6 Sep 2022 03:26:11 +0000 (-0400) Subject: Fixes for 5.10 X-Git-Tag: v5.10.142~43 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5d57eb7d50ef5748e2f4dd7c94a61d6c963ded71;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.10 Signed-off-by: Sasha Levin
---
diff --git a/queue-5.10/clk-bcm-rpi-add-missing-newline.patch b/queue-5.10/clk-bcm-rpi-add-missing-newline.patch
new file mode 100644
index 00000000000..6bdb473219b
--- /dev/null
+++ b/queue-5.10/clk-bcm-rpi-add-missing-newline.patch
@@ -0,0 +1,47 @@
+From dcb8db58afbb4d76d8ed5fc956d86067bd7d6b39 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 13 Jul 2022 17:49:52 +0200
+Subject: clk: bcm: rpi: Add missing newline
+
+From: Stefan Wahren
+
+[ Upstream commit 13b5cf8d6a0d4a5d289e1ed046cadc63b416db85 ]
+
+Some log messages lacks the final newline. So add them.
+
+Fixes: 93d2725affd6 ("clk: bcm: rpi: Discover the firmware clocks")
+Signed-off-by: Stefan Wahren
+Link: https://lore.kernel.org/r/20220713154953.3336-3-stefan.wahren@i2se.com
+Acked-by: Florian Fainelli
+Reviewed-by: Ivan T. Ivanov
+Signed-off-by: Stephen Boyd
+Signed-off-by: Sasha Levin
+---
+ drivers/clk/bcm/clk-raspberrypi.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/clk/bcm/clk-raspberrypi.c b/drivers/clk/bcm/clk-raspberrypi.c
+index 27ae08c4952e7..969227e2df215 100644
+--- a/drivers/clk/bcm/clk-raspberrypi.c
++++ b/drivers/clk/bcm/clk-raspberrypi.c
+@@ -156,7 +156,7 @@ static int raspberrypi_fw_set_rate(struct clk_hw *hw, unsigned long rate,
+ ret = raspberrypi_clock_property(rpi->firmware, data,
+ RPI_FIRMWARE_SET_CLOCK_RATE, &_rate);
+ if (ret)
+- dev_err_ratelimited(rpi->dev, "Failed to change %s frequency: %d",
++ dev_err_ratelimited(rpi->dev, "Failed to change %s frequency: %d\n",
+ clk_hw_get_name(hw), ret);
+
+ return ret;
+@@ -208,7 +208,7 @@ static struct clk_hw *raspberrypi_clk_register(struct raspberrypi_clk *rpi,
+ RPI_FIRMWARE_GET_MIN_CLOCK_RATE,
+ &min_rate);
+ if (ret) {
+- dev_err(rpi->dev, "Failed to get clock %d min freq: %d",
++ dev_err(rpi->dev, "Failed to get clock %d min freq: %d\n",
+ id, ret);
+ return ERR_PTR(ret);
+ }
+--
+2.35.1
+
diff --git a/queue-5.10/clk-bcm-rpi-fix-error-handling-of-raspberrypi_fw_get.patch b/queue-5.10/clk-bcm-rpi-fix-error-handling-of-raspberrypi_fw_get.patch
new file mode 100644
index 00000000000..295ebb8bd53
--- /dev/null
+++ b/queue-5.10/clk-bcm-rpi-fix-error-handling-of-raspberrypi_fw_get.patch
@@ -0,0 +1,40 @@
+From 7277ebc04e6b00361456f49a58f2ec4a1e75d37d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 25 Jun 2022 10:36:43 +0200
+Subject: clk: bcm: rpi: Fix error handling of raspberrypi_fw_get_rate
+
+From: Stefan Wahren
+
+[ Upstream commit 35f73cca1cecda0c1f8bb7d8be4ce5cd2d46ae8c ]
+
+The function raspberrypi_fw_get_rate (e.g. used for the recalc_rate
+hook) can fail to get the clock rate from the firmware. In this case
+we cannot return a signed error value, which would be casted to
+unsigned long. Fix this by returning 0 instead.
+
+Signed-off-by: Stefan Wahren
+Link: https://lore.kernel.org/r/20220625083643.4012-1-stefan.wahren@i2se.com
+Fixes: 4e85e535e6cc ("clk: bcm283x: add driver interfacing with Raspberry Pi's firmware")
+Acked-by: Florian Fainelli
+Signed-off-by: Stephen Boyd
+Signed-off-by: Sasha Levin
+---
+ drivers/clk/bcm/clk-raspberrypi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clk/bcm/clk-raspberrypi.c b/drivers/clk/bcm/clk-raspberrypi.c
+index f89b9cfc43099..2c12bd5ac1388 100644
+--- a/drivers/clk/bcm/clk-raspberrypi.c
++++ b/drivers/clk/bcm/clk-raspberrypi.c
+@@ -139,7 +139,7 @@ static unsigned long raspberrypi_fw_get_rate(struct clk_hw *hw,
+ ret = raspberrypi_clock_property(rpi->firmware, data,
+ RPI_FIRMWARE_GET_CLOCK_RATE, &val);
+ if (ret)
+- return ret;
++ return 0;
+
+ return val;
+ }
+--
+2.35.1
+
diff --git a/queue-5.10/clk-bcm-rpi-prevent-out-of-bounds-access.patch b/queue-5.10/clk-bcm-rpi-prevent-out-of-bounds-access.patch
new file mode 100644
index 00000000000..494697becbf
--- /dev/null
+++ b/queue-5.10/clk-bcm-rpi-prevent-out-of-bounds-access.patch
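Review bot: With `return 0;` in raspberrypi_fw_get_rate() a firmware failure now looks the same as a clock that really reports 0 Hz, and the error code in `ret` is dropped without a trace. A rate-limited log before the return would keep the failure visible, for example `dev_err_ratelimited(rpi->dev, "Failed to get %s frequency: %d\n", clk_hw_get_name(hw), ret);`, mirroring what raspberrypi_fw_set_rate() does in the first patch of this queue. The start of the function is outside the hunk, so this assumes `rpi` there is the same pointer used in the raspberrypi_clock_property() call shown.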
@@ -0,0 +1,50 @@
+From ac3411b01e7a57c31dbfe25d77329043605baa14 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 13 Jul 2022 17:49:51 +0200
+Subject: clk: bcm: rpi: Prevent out-of-bounds access
+
+From: Stefan Wahren
+
+[ Upstream commit bc163555603e4ae9c817675ad80d618a4cdbfa2d ]
+
+The while loop in raspberrypi_discover_clocks() relies on the assumption
+that the id of the last clock element is zero. Because this data comes
+from the Videocore firmware and it doesn't guarantuee such a behavior
+this could lead to out-of-bounds access. So fix this by providing
+a sentinel element.
+
+Fixes: 93d2725affd6 ("clk: bcm: rpi: Discover the firmware clocks")
+Link: https://github.com/raspberrypi/firmware/issues/1688
+Suggested-by: Phil Elwell
+Signed-off-by: Stefan Wahren
+Link: https://lore.kernel.org/r/20220713154953.3336-2-stefan.wahren@i2se.com
+Acked-by: Florian Fainelli
+Reviewed-by: Ivan T. Ivanov
+Signed-off-by: Stephen Boyd
+Signed-off-by: Sasha Levin
+---
+ drivers/clk/bcm/clk-raspberrypi.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/clk/bcm/clk-raspberrypi.c b/drivers/clk/bcm/clk-raspberrypi.c
+index ff87305cbe9d9..27ae08c4952e7 100644
+--- a/drivers/clk/bcm/clk-raspberrypi.c
++++ b/drivers/clk/bcm/clk-raspberrypi.c
+@@ -251,8 +251,13 @@ static int raspberrypi_discover_clocks(struct raspberrypi_clk *rpi,
+ struct rpi_firmware_get_clocks_response *clks;
+ int ret;
+
++ /*
++ * The firmware doesn't guarantee that the last element of
++ * RPI_FIRMWARE_GET_CLOCKS is zeroed. So allocate an additional
++ * zero element as sentinel.
++ */
+ clks = devm_kcalloc(rpi->dev,
+- RPI_FIRMWARE_NUM_CLK_ID, sizeof(*clks),
++ RPI_FIRMWARE_NUM_CLK_ID + 1, sizeof(*clks),
+ GFP_KERNEL);
+ if (!clks)
+ return -ENOMEM;
+--
+2.35.1
+
diff --git a/queue-5.10/clk-bcm-rpi-use-correct-order-for-the-parameters-of-.patch b/queue-5.10/clk-bcm-rpi-use-correct-order-for-the-parameters-of-.patch
new file mode 100644
index 00000000000..f6743c193b2
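Review bot: The extra zeroed element added to the `devm_kcalloc()` call only works as a terminator if the firmware can never write into it, and the request that fills `clks` is outside this hunk. That request should keep passing a length of `sizeof(*clks) * RPI_FIRMWARE_NUM_CLK_ID` rather than the size of the enlarged allocation, and the new comment would be clearer if it said so, e.g. `* Only RPI_FIRMWARE_NUM_CLK_ID elements are handed to the firmware to fill.` Because the ids come from the firmware, any later use of `clks->id` as an array index (not visible here) deserves its own range check. raspberrypi_discover_clocks() continues past the end of the hunk.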
--- /dev/null
+++ b/queue-5.10/clk-bcm-rpi-use-correct-order-for-the-parameters-of-.patch
@@ -0,0 +1,37 @@
+From fc60f741e78001531af1cec198d69975393c1612 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 20 May 2022 23:20:58 +0200
+Subject: clk: bcm: rpi: Use correct order for the parameters of devm_kcalloc()
+
+From: Christophe JAILLET
+
+[ Upstream commit b7fa6242f3e035308a76284560e4f918dad9b017 ]
+
+We should have 'n', then 'size', not the opposite.
+This is harmless because the 2 values are just multiplied, but having
+the correct order silence a (unpublished yet) smatch warning.
+
+Signed-off-by: Christophe JAILLET
+Link: https://lore.kernel.org/r/49d726d11964ca0e3757bdb5659e3b3eaa1572b5.1653081643.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Stephen Boyd
+Signed-off-by: Sasha Levin
+---
+ drivers/clk/bcm/clk-raspberrypi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clk/bcm/clk-raspberrypi.c b/drivers/clk/bcm/clk-raspberrypi.c
+index 2c12bd5ac1388..ff87305cbe9d9 100644
+--- a/drivers/clk/bcm/clk-raspberrypi.c
++++ b/drivers/clk/bcm/clk-raspberrypi.c
+@@ -252,7 +252,7 @@ static int raspberrypi_discover_clocks(struct raspberrypi_clk *rpi,
+ int ret;
+
+ clks = devm_kcalloc(rpi->dev,
+- sizeof(*clks), RPI_FIRMWARE_NUM_CLK_ID,
++ RPI_FIRMWARE_NUM_CLK_ID, sizeof(*clks),
+ GFP_KERNEL);
+ if (!clks)
+ return -ENOMEM;
+--
+2.35.1
+
diff --git a/queue-5.10/clk-core-fix-runtime-pm-sequence-in-clk_core_unprepa.patch b/queue-5.10/clk-core-fix-runtime-pm-sequence-in-clk_core_unprepa.patch
new file mode 100644
index 00000000000..0a8cdf12c9a
--- /dev/null
+++ b/queue-5.10/clk-core-fix-runtime-pm-sequence-in-clk_core_unprepa.patch
@@ -0,0 +1,50 @@
+From 6edf0b1c95883f8bbec1d3cff504884058c21eb2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 22 Aug 2022 16:14:24 +0800
+Subject: clk: core: Fix runtime PM sequence in clk_core_unprepare()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Chen-Yu Tsai
+
+[ Upstream commit 4b592061f7b3971c70e8b72fc42aaead47c24701 ]
+
+In the original commit 9a34b45397e5 ("clk: Add support for runtime PM"),
+the commit message mentioned that pm_runtime_put_sync() would be done
+at the end of clk_core_unprepare(). This mirrors the operations in
+clk_core_prepare() in the opposite order.
+
+However, the actual code that was added wasn't in the order the commit
+message described. Move clk_pm_runtime_put() to the end of
+clk_core_unprepare() so that it is in the correct order.
+
+Fixes: 9a34b45397e5 ("clk: Add support for runtime PM")
+Signed-off-by: Chen-Yu Tsai
+Reviewed-by: Nícolas F. R. A. Prado
+Link: https://lore.kernel.org/r/20220822081424.1310926-3-wenst@chromium.org
+Signed-off-by: Stephen Boyd
+Signed-off-by: Sasha Levin
+---
+ drivers/clk/clk.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/clk/clk.c b/drivers/clk/clk.c
+index 2e56cc0a3bce6..b355d3d40f63a 100644
+--- a/drivers/clk/clk.c
++++ b/drivers/clk/clk.c
+@@ -846,10 +846,9 @@ static void clk_core_unprepare(struct clk_core *core)
+ if (core->ops->unprepare)
+ core->ops->unprepare(core->hw);
+
+- clk_pm_runtime_put(core);
+-
+ trace_clk_unprepare_complete(core);
+ clk_core_unprepare(core->parent);
++ clk_pm_runtime_put(core);
+ }
+
+ static void clk_core_unprepare_lock(struct clk_core *core)
+--
+2.35.1
+
diff --git a/queue-5.10/clk-core-honor-clk_ops_parent_enable-for-clk-gate-op.patch b/queue-5.10/clk-core-honor-clk_ops_parent_enable-for-clk-gate-op.patch
new file mode 100644
index 00000000000..1387cb73d0c
--- /dev/null
+++ b/queue-5.10/clk-core-honor-clk_ops_parent_enable-for-clk-gate-op.patch
@@ -0,0 +1,127 @@
+From 51cc53d63c9910dfb01d44d4663bbb67d0008dc9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 22 Aug 2022 16:14:23 +0800
+Subject: clk: core: Honor CLK_OPS_PARENT_ENABLE for clk gate ops
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Chen-Yu Tsai
+
+[ Upstream commit 35b0fac808b95eea1212f8860baf6ad25b88b087 ]
+
+In the previous commits that added CLK_OPS_PARENT_ENABLE, support for
+this flag was only added to rate change operations (rate setting and
+reparent) and disabling unused subtree. It was not added to the
+clock gate related operations. Any hardware driver that needs it for
+these operations will either see bogus results, or worse, hang.
+
+This has been seen on MT8192 and MT8195, where the imp_ii2_* clk
+drivers set this, but dumping debugfs clk_summary would cause it
+to hang.
+
+Fixes: fc8726a2c021 ("clk: core: support clocks which requires parents enable (part 2)")
+Fixes: a4b3518d146f ("clk: core: support clocks which requires parents enable (part 1)")
+Signed-off-by: Chen-Yu Tsai
+Reviewed-by: Nícolas F. R. A. Prado
+Tested-by: Nícolas F. R. A.
Prado
+Link: https://lore.kernel.org/r/20220822081424.1310926-2-wenst@chromium.org
+Signed-off-by: Stephen Boyd
+Signed-off-by: Sasha Levin
+---
+ drivers/clk/clk.c | 28 ++++++++++++++++++++++++++++
+ 1 file changed, 28 insertions(+)
+
+diff --git a/drivers/clk/clk.c b/drivers/clk/clk.c
+index 2e56cc0a3bce6..4f20d5318183f 100644
+--- a/drivers/clk/clk.c
++++ b/drivers/clk/clk.c
+@@ -203,6 +203,9 @@ static bool clk_core_rate_is_protected(struct clk_core *core)
+ return core->protect_count;
+ }
+
++static int clk_core_prepare_enable(struct clk_core *core);
++static void clk_core_disable_unprepare(struct clk_core *core);
++
+ static bool clk_core_is_prepared(struct clk_core *core)
+ {
+ bool ret = false;
+@@ -215,7 +218,11 @@ static bool clk_core_is_prepared(struct clk_core *core)
+ return core->prepare_count;
+
+ if (!clk_pm_runtime_get(core)) {
++ if (core->flags & CLK_OPS_PARENT_ENABLE)
++ clk_core_prepare_enable(core->parent);
+ ret = core->ops->is_prepared(core->hw);
++ if (core->flags & CLK_OPS_PARENT_ENABLE)
++ clk_core_disable_unprepare(core->parent);
+ clk_pm_runtime_put(core);
+ }
+
+@@ -251,7 +258,13 @@ static bool clk_core_is_enabled(struct clk_core *core)
+ }
+ }
+
++ if (core->flags & CLK_OPS_PARENT_ENABLE)
++ clk_core_prepare_enable(core->parent);
++
+ ret = core->ops->is_enabled(core->hw);
++
++ if (core->flags & CLK_OPS_PARENT_ENABLE)
++ clk_core_disable_unprepare(core->parent);
+ done:
+ if (core->rpm_enabled)
+ pm_runtime_put(core->dev);
+@@ -818,6 +831,9 @@ int clk_rate_exclusive_get(struct clk *clk)
+ }
+ EXPORT_SYMBOL_GPL(clk_rate_exclusive_get);
+
++static int clk_core_enable_lock(struct clk_core *core);
++static void clk_core_disable_lock(struct clk_core *core);
++
+ static void clk_core_unprepare(struct clk_core *core)
+ {
+ lockdep_assert_held(&prepare_lock);
+@@ -841,6 +857,9 @@ static void clk_core_unprepare(struct clk_core *core)
+
+ WARN(core->enable_count > 0, "Unpreparing enabled %s\n", core->name);
+
++ if (core->flags &
CLK_OPS_PARENT_ENABLE)
++ clk_core_enable_lock(core->parent);
++
+ trace_clk_unprepare(core);
+
+ if (core->ops->unprepare)
+@@ -849,6 +868,9 @@ static void clk_core_unprepare(struct clk_core *core)
+ clk_pm_runtime_put(core);
+
+ trace_clk_unprepare_complete(core);
++
++ if (core->flags & CLK_OPS_PARENT_ENABLE)
++ clk_core_disable_lock(core->parent);
+ clk_core_unprepare(core->parent);
+ }
+
+@@ -897,6 +919,9 @@ static int clk_core_prepare(struct clk_core *core)
+ if (ret)
+ goto runtime_put;
+
++ if (core->flags & CLK_OPS_PARENT_ENABLE)
++ clk_core_enable_lock(core->parent);
++
+ trace_clk_prepare(core);
+
+ if (core->ops->prepare)
+@@ -904,6 +929,9 @@ static int clk_core_prepare(struct clk_core *core)
+
+ trace_clk_prepare_complete(core);
+
++ if (core->flags & CLK_OPS_PARENT_ENABLE)
++ clk_core_disable_lock(core->parent);
++
+ if (ret)
+ goto unprepare;
+ }
+--
+2.35.1
+
diff --git a/queue-5.10/drm-i915-reg-fix-spelling-mistake-unsupport-unsuppor.patch b/queue-5.10/drm-i915-reg-fix-spelling-mistake-unsupport-unsuppor.patch
new file mode 100644
index 00000000000..6ff42a7b343
--- /dev/null
+++ b/queue-5.10/drm-i915-reg-fix-spelling-mistake-unsupport-unsuppor.patch
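Review bot: In clk_core_is_prepared() and clk_core_is_enabled() the `int` result of `clk_core_prepare_enable(core->parent)` is ignored, so if enabling the parent fails the status callback still runs against a parent that is off and `clk_core_disable_unprepare(core->parent)` then releases a reference that was never taken. The same holds for `clk_core_enable_lock(core->parent)` in clk_core_prepare() and clk_core_unprepare(). In clk_core_is_enabled() the existing label allows `if (clk_core_prepare_enable(core->parent)) goto done;` under the flag test, provided `ret` is initialised to false above the hunk, which is not visible here. The queue on this page also carries the revert of this patch, so the net effect on clk.c is nil; the point matters if the change is reintroduced.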
@@ -0,0 +1,38 @@
+From 3ba3941b50fda8ecd07a6f0b987ac973c6470db3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 16 Aug 2022 13:02:47 +0800
+Subject: drm/i915/reg: Fix spelling mistake "Unsupport" -> "Unsupported"
+
+From: Colin Ian King
+
+[ Upstream commit 233f56745be446b289edac2ba8184c09365c005e ]
+
+There is a spelling mistake in a gvt_vgpu_err error message. Fix it.
+
+Fixes: 695fbc08d80f ("drm/i915/gvt: replace the gvt_err with gvt_vgpu_err")
+Signed-off-by: Colin Ian King
+Signed-off-by: Zhi Wang
+Link: http://patchwork.freedesktop.org/patch/msgid/20220315202449.2952845-1-colin.i.king@gmail.com
+Reviewed-by: Zhi Wang
+Signed-off-by: Zhenyu Wang
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/i915/gvt/handlers.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/i915/gvt/handlers.c b/drivers/gpu/drm/i915/gvt/handlers.c
+index 0b1ea29dcffac..606e6c315fe24 100644
+--- a/drivers/gpu/drm/i915/gvt/handlers.c
++++ b/drivers/gpu/drm/i915/gvt/handlers.c
+@@ -660,7 +660,7 @@ static int update_fdi_rx_iir_status(struct intel_vgpu *vgpu,
+ else if (FDI_RX_IMR_TO_PIPE(offset) != INVALID_INDEX)
+ index = FDI_RX_IMR_TO_PIPE(offset);
+ else {
+- gvt_vgpu_err("Unsupport registers %x\n", offset);
++ gvt_vgpu_err("Unsupported registers %x\n", offset);
+ return -EINVAL;
+ }
+
+--
+2.35.1
+
diff --git a/queue-5.10/gpio-pca953x-add-mutex_lock-for-regcache-sync-in-pm.patch b/queue-5.10/gpio-pca953x-add-mutex_lock-for-regcache-sync-in-pm.patch
new file mode 100644
index 00000000000..0ef3adb122e
--- /dev/null
+++ b/queue-5.10/gpio-pca953x-add-mutex_lock-for-regcache-sync-in-pm.patch
@@ -0,0 +1,65 @@
+From 6595abf19475352a3b1cbb2064361e9438389eef Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 31 Aug 2022 18:37:35 +0800
+Subject: gpio: pca953x: Add mutex_lock for regcache sync in PM
+
+From: Haibo Chen
+
+[ Upstream commit 518e26f11af2fe4f5bebf9a0351595d508c7077f ]
+
+The regcache sync will set the cache_bypass = true, at that
+time, when there is regmap write operation, it will bypass
+the regmap cache, then the regcache sync will write back the
+value from cache to register, which is not as our expectation.
+
+Though regmap already use its internal lock to avoid such issue,
+but this driver force disable the regmap internal lock in its
+regmap config: disable_locking = true
+
+To avoid this issue, use the driver's own lock to do the protect
+in system PM.
+
+Fixes: b76574300504 ("gpio: pca953x: Restore registers after suspend/resume cycle")
+Signed-off-by: Haibo Chen
+Signed-off-by: Bartosz Golaszewski
+Signed-off-by: Sasha Levin
+---
+ drivers/gpio/gpio-pca953x.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpio/gpio-pca953x.c b/drivers/gpio/gpio-pca953x.c
+index 957be5f69406a..3ad1a9e432c8a 100644
+--- a/drivers/gpio/gpio-pca953x.c
++++ b/drivers/gpio/gpio-pca953x.c
+@@ -1162,7 +1162,9 @@ static int pca953x_suspend(struct device *dev)
+ {
+ struct pca953x_chip *chip = dev_get_drvdata(dev);
+
++ mutex_lock(&chip->i2c_lock);
+ regcache_cache_only(chip->regmap, true);
++ mutex_unlock(&chip->i2c_lock);
+
+ if (atomic_read(&chip->wakeup_path))
+ device_set_wakeup_path(dev);
+@@ -1185,13 +1187,17 @@ static int pca953x_resume(struct device *dev)
+ }
+ }
+
++ mutex_lock(&chip->i2c_lock);
+ regcache_cache_only(chip->regmap, false);
+ regcache_mark_dirty(chip->regmap);
+ ret = pca953x_regcache_sync(dev);
+- if (ret)
++ if (ret) {
++ mutex_unlock(&chip->i2c_lock);
+ return ret;
++ }
+
+ ret = regcache_sync(chip->regmap);
++ mutex_unlock(&chip->i2c_lock);
+ if (ret) {
+ dev_err(dev, "Failed to restore
register map: %d\n", ret);
+ return ret;
+--
+2.35.1
+
diff --git a/queue-5.10/hwmon-gpio-fan-fix-array-out-of-bounds-access.patch b/queue-5.10/hwmon-gpio-fan-fix-array-out-of-bounds-access.patch
new file mode 100644
index 00000000000..fe2eaafe383
--- /dev/null
+++ b/queue-5.10/hwmon-gpio-fan-fix-array-out-of-bounds-access.patch
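Review bot: Nothing in pca953x_suspend() or pca953x_resume() says why `i2c_lock` is taken around the regcache calls, and the reason is not obvious from the code because regmap normally serialises this itself. A short comment at the first `mutex_lock(&chip->i2c_lock);` would record it, e.g. `/* regmap locking is disabled for this driver, so i2c_lock keeps writers out while the cache mode changes and syncs */`. In pca953x_resume() the unlock is now written on two paths; that is correct as shown, but any early return added later between the lock and `regcache_sync()` has to repeat it. Both function bodies continue outside the hunks.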
@@ -0,0 +1,100 @@
+From afbecabc5235b9eff86e6d00f76d2997843962b8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 30 Aug 2022 03:11:01 +0200
+Subject: hwmon: (gpio-fan) Fix array out of bounds access
+
+From: Armin Wolf
+
+[ Upstream commit f233d2be38dbbb22299192292983037f01ab363c ]
+
+The driver does not check if the cooling state passed to
+gpio_fan_set_cur_state() exceeds the maximum cooling state as
+stored in fan_data->num_speeds. Since the cooling state is later
+used as an array index in set_fan_speed(), an array out of bounds
+access can occur.
+This can be exploited by setting the state of the thermal cooling device
+to arbitrary values, causing for example a kernel oops when unavailable
+memory is accessed this way.
+
+Example kernel oops:
+[ 807.987276] Unable to handle kernel paging request at virtual address ffffff80d0588064
+[ 807.987369] Mem abort info:
+[ 807.987398] ESR = 0x96000005
+[ 807.987428] EC = 0x25: DABT (current EL), IL = 32 bits
+[ 807.987477] SET = 0, FnV = 0
+[ 807.987507] EA = 0, S1PTW = 0
+[ 807.987536] FSC = 0x05: level 1 translation fault
+[ 807.987570] Data abort info:
+[ 807.987763] ISV = 0, ISS = 0x00000005
+[ 807.987801] CM = 0, WnR = 0
+[ 807.987832] swapper pgtable: 4k pages, 39-bit VAs, pgdp=0000000001165000
+[ 807.987872] [ffffff80d0588064] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000
+[ 807.987961] Internal error: Oops: 96000005 [#1] PREEMPT SMP
+[ 807.987992] Modules linked in: cmac algif_hash aes_arm64 algif_skcipher af_alg bnep hci_uart btbcm bluetooth ecdh_generic ecc 8021q garp stp llc snd_soc_hdmi_codec brcmfmac vc4 brcmutil cec drm_kms_helper snd_soc_core cfg80211 snd_compress bcm2835_codec(C) snd_pcm_dmaengine syscopyarea bcm2835_isp(C) bcm2835_v4l2(C) sysfillrect v4l2_mem2mem bcm2835_mmal_vchiq(C) raspberrypi_hwmon sysimgblt videobuf2_dma_contig videobuf2_vmalloc fb_sys_fops videobuf2_memops rfkill videobuf2_v4l2 videobuf2_common i2c_bcm2835 snd_bcm2835(C) videodev snd_pcm snd_timer snd
mc vc_sm_cma(C) gpio_fan uio_pdrv_genirq uio drm fuse drm_panel_orientation_quirks backlight ip_tables x_tables ipv6
+[ 807.988508] CPU: 0 PID: 1321 Comm: bash Tainted: G C 5.15.56-v8+ #1575
+[ 807.988548] Hardware name: Raspberry Pi 3 Model B Rev 1.2 (DT)
+[ 807.988574] pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+[ 807.988608] pc : set_fan_speed.part.5+0x34/0x80 [gpio_fan]
+[ 807.988654] lr : gpio_fan_set_cur_state+0x34/0x50 [gpio_fan]
+[ 807.988691] sp : ffffffc008cf3bd0
+[ 807.988710] x29: ffffffc008cf3bd0 x28: ffffff80019edac0 x27: 0000000000000000
+[ 807.988762] x26: 0000000000000000 x25: 0000000000000000 x24: ffffff800747c920
+[ 807.988787] x23: 000000000000000a x22: ffffff800369f000 x21: 000000001999997c
+[ 807.988854] x20: ffffff800369f2e8 x19: ffffff8002ae8080 x18: 0000000000000000
+[ 807.988877] x17: 0000000000000000 x16: 0000000000000000 x15: 000000559e271b70
+[ 807.988938] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000
+[ 807.988960] x11: 0000000000000000 x10: ffffffc008cf3c20 x9 : ffffffcfb60c741c
+[ 807.989018] x8 : 000000000000000a x7 : 00000000ffffffc9 x6 : 0000000000000009
+[ 807.989040] x5 : 000000000000002a x4 : 0000000000000000 x3 : ffffff800369f2e8
+[ 807.989062] x2 : 000000000000e780 x1 : 0000000000000001 x0 : ffffff80d0588060
+[ 807.989084] Call trace:
+[ 807.989091] set_fan_speed.part.5+0x34/0x80 [gpio_fan]
+[ 807.989113] gpio_fan_set_cur_state+0x34/0x50 [gpio_fan]
+[ 807.989199] cur_state_store+0x84/0xd0
+[ 807.989221] dev_attr_store+0x20/0x38
+[ 807.989262] sysfs_kf_write+0x4c/0x60
+[ 807.989282] kernfs_fop_write_iter+0x130/0x1c0
+[ 807.989298] new_sync_write+0x10c/0x190
+[ 807.989315] vfs_write+0x254/0x378
+[ 807.989362] ksys_write+0x70/0xf8
+[ 807.989379] __arm64_sys_write+0x24/0x30
+[ 807.989424] invoke_syscall+0x4c/0x110
+[ 807.989442] el0_svc_common.constprop.3+0xfc/0x120
+[ 807.989458] do_el0_svc+0x2c/0x90
+[ 807.989473] el0_svc+0x24/0x60
+[ 807.989544] el0t_64_sync_handler+0x90/0xb8
+[
807.989558] el0t_64_sync+0x1a0/0x1a4
+[ 807.989579] Code: b9403801 f9402800 7100003f 8b35cc00 (b9400416)
+[ 807.989627] ---[ end trace 8ded4c918658445b ]---
+
+Fix this by checking the cooling state and return an error if it
+exceeds the maximum cooling state.
+
+Tested on a Raspberry Pi 3.
+
+Fixes: b5cf88e46bad ("(gpio-fan): Add thermal control hooks")
+Signed-off-by: Armin Wolf
+Link: https://lore.kernel.org/r/20220830011101.178843-1-W_Armin@gmx.de
+Signed-off-by: Guenter Roeck
+Signed-off-by: Sasha Levin
+---
+ drivers/hwmon/gpio-fan.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/hwmon/gpio-fan.c b/drivers/hwmon/gpio-fan.c
+index 3ea4021f267cf..d96e435cc42b1 100644
+--- a/drivers/hwmon/gpio-fan.c
++++ b/drivers/hwmon/gpio-fan.c
+@@ -391,6 +391,9 @@ static int gpio_fan_set_cur_state(struct thermal_cooling_device *cdev,
+ if (!fan_data)
+ return -EINVAL;
+
++ if (state >= fan_data->num_speed)
++ return -EINVAL;
++
+ set_fan_speed(fan_data, state);
+ return 0;
+ }
+--
+2.35.1
+
diff --git a/queue-5.10/input-rk805-pwrkey-fix-module-autoloading.patch b/queue-5.10/input-rk805-pwrkey-fix-module-autoloading.patch
new file mode 100644
index 00000000000..97e385f7233
--- /dev/null
+++ b/queue-5.10/input-rk805-pwrkey-fix-module-autoloading.patch
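Review bot: The new `state >= fan_data->num_speed` test guards only gpio_fan_set_cur_state(), while the commit message places the out-of-bounds index inside set_fan_speed(). Other callers of set_fan_speed() are outside this hunk; if any of them can pass a value derived from user input, the bound belongs in set_fan_speed() itself or each caller needs the same test. A one-line comment above the check, such as `/* state arrives from the thermal sysfs interface and is used as an array index in set_fan_speed() */`, would record why it is there. The declaration of `fan_data` and the top of the function are not part of the hunk.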
@@ -0,0 +1,37 @@
+From 3ba2321bce156a5bbc7b607b60b542cea2363657 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 22 Aug 2022 16:33:18 -0700
+Subject: Input: rk805-pwrkey - fix module autoloading
+
+From: Peter Robinson
+
+[ Upstream commit 99077ad668ddd9b4823cc8ce3f3c7a3fc56f6fd9 ]
+
+Add the module alias so the rk805-pwrkey driver will
+autoload when built as a module.
+
+Fixes: 5a35b85c2d92 ("Input: add power key driver for Rockchip RK805 PMIC")
+Signed-off-by: Peter Robinson
+Reviewed-by: Javier Martinez Canillas
+Link: https://lore.kernel.org/r/20220612225437.3628788-1-pbrobinson@gmail.com
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Sasha Levin
+---
+ drivers/input/misc/rk805-pwrkey.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/input/misc/rk805-pwrkey.c b/drivers/input/misc/rk805-pwrkey.c
+index 3fb64dbda1a21..76873aa005b41 100644
+--- a/drivers/input/misc/rk805-pwrkey.c
++++ b/drivers/input/misc/rk805-pwrkey.c
+@@ -98,6 +98,7 @@ static struct platform_driver rk805_pwrkey_driver = {
+ };
+ module_platform_driver(rk805_pwrkey_driver);
+
++MODULE_ALIAS("platform:rk805-pwrkey");
+ MODULE_AUTHOR("Joseph Chen ");
+ MODULE_DESCRIPTION("RK805 PMIC Power Key driver");
+ MODULE_LICENSE("GPL");
+--
+2.35.1
+
diff --git a/queue-5.10/kvm-x86-mask-off-unsupported-and-unknown-bits-of-ia3.patch b/queue-5.10/kvm-x86-mask-off-unsupported-and-unknown-bits-of-ia3.patch
new file mode 100644
index 00000000000..77dbeec17b5
--- /dev/null
+++ b/queue-5.10/kvm-x86-mask-off-unsupported-and-unknown-bits-of-ia3.patch
@@ -0,0 +1,84 @@
+From 2dd63a1f1cd332c7c5430c9a0390fe7736caa0b8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 30 Aug 2022 10:49:47 -0700
+Subject: KVM: x86: Mask off unsupported and unknown bits of
+ IA32_ARCH_CAPABILITIES
+
+From: Jim Mattson
+
+[ Upstream commit 0204750bd4c6ccc2fb7417618477f10373b33f56 ]
+
+KVM should not claim to virtualize unknown IA32_ARCH_CAPABILITIES
+bits. When kvm_get_arch_capabilities() was originally written, there
+were only a few bits defined in this MSR, and KVM could virtualize all
+of them. However, over the years, several bits have been defined that
+KVM cannot just blindly pass through to the guest without additional
+work (such as virtualizing an MSR promised by the
+IA32_ARCH_CAPABILITES feature bit).
+
+Define a mask of supported IA32_ARCH_CAPABILITIES bits, and mask off
+any other bits that are set in the hardware MSR.
+
+Cc: Paolo Bonzini
+Fixes: 5b76a3cff011 ("KVM: VMX: Tell the nested hypervisor to skip L1D flush on vmentry")
+Signed-off-by: Jim Mattson
+Reviewed-by: Vipin Sharma
+Reviewed-by: Xiaoyao Li
+Message-Id: <20220830174947.2182144-1-jmattson@google.com>
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Sasha Levin
+---
+ arch/x86/kvm/x86.c | 25 +++++++++++++++++++++----
+ 1 file changed, 21 insertions(+), 4 deletions(-)
+
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index 5f4f855bb3b10..c5a08ec348e6f 100644
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -1364,12 +1364,32 @@ static const u32 msr_based_features_all[] = {
+ static u32 msr_based_features[ARRAY_SIZE(msr_based_features_all)];
+ static unsigned int num_msr_based_features;
+
++/*
++ * Some IA32_ARCH_CAPABILITIES bits have dependencies on MSRs that KVM
++ * does not yet virtualize.
These include:
++ * 10 - MISC_PACKAGE_CTRLS
++ * 11 - ENERGY_FILTERING_CTL
++ * 12 - DOITM
++ * 18 - FB_CLEAR_CTRL
++ * 21 - XAPIC_DISABLE_STATUS
++ * 23 - OVERCLOCKING_STATUS
++ */
++
++#define KVM_SUPPORTED_ARCH_CAP \
++ (ARCH_CAP_RDCL_NO | ARCH_CAP_IBRS_ALL | ARCH_CAP_RSBA | \
++ ARCH_CAP_SKIP_VMENTRY_L1DFLUSH | ARCH_CAP_SSB_NO | ARCH_CAP_MDS_NO | \
++ ARCH_CAP_PSCHANGE_MC_NO | ARCH_CAP_TSX_CTRL_MSR | ARCH_CAP_TAA_NO | \
++ ARCH_CAP_SBDR_SSDP_NO | ARCH_CAP_FBSDP_NO | ARCH_CAP_PSDP_NO | \
++ ARCH_CAP_FB_CLEAR | ARCH_CAP_RRSBA | ARCH_CAP_PBRSB_NO)
++
+ static u64 kvm_get_arch_capabilities(void)
+ {
+ u64 data = 0;
+
+- if (boot_cpu_has(X86_FEATURE_ARCH_CAPABILITIES))
++ if (boot_cpu_has(X86_FEATURE_ARCH_CAPABILITIES)) {
+ rdmsrl(MSR_IA32_ARCH_CAPABILITIES, data);
++ data &= KVM_SUPPORTED_ARCH_CAP;
++ }
+
+ /*
+ * If nx_huge_pages is enabled, KVM's shadow paging will ensure that
+@@ -1417,9 +1437,6 @@ static u64 kvm_get_arch_capabilities(void)
+ */
+ }
+
+- /* Guests don't need to know "Fill buffer clear control" exists */
+- data &= ~ARCH_CAP_FB_CLEAR_CTRL;
+-
+ return data;
+ }
+
+--
+2.35.1
+
diff --git a/queue-5.10/mm-pagewalk-fix-race-between-unmap-and-page-walker.patch b/queue-5.10/mm-pagewalk-fix-race-between-unmap-and-page-walker.patch
new file mode 100644
index 00000000000..684428d9380
--- /dev/null
+++ b/queue-5.10/mm-pagewalk-fix-race-between-unmap-and-page-walker.patch
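Review bot: `KVM_SUPPORTED_ARCH_CAP` is an allowlist, but the comment above it only enumerates bits that are left out, so someone adding a new `ARCH_CAP_*` bit cannot tell from the comment that unlisted bits are hidden from guests by default. I would close the comment with a sentence such as `* Bits missing from KVM_SUPPORTED_ARCH_CAP are never reported to guests; add a bit only once KVM virtualizes everything it promises.` The mask is applied directly after `rdmsrl()`, so bits that kvm_get_arch_capabilities() sets later, in code outside these hunks, are not filtered by it; that looks intended but is worth saying in the same comment. For this 5.10 queue every `ARCH_CAP_*` name used in the macro has to be defined in the tree already, which cannot be confirmed from this page.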
@@ -0,0 +1,166 @@
+From ed9d6a679077598cc39476ab56e5d077b05ebd8a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 2 Sep 2022 12:26:12 +0100
+Subject: mm: pagewalk: Fix race between unmap and page walker
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Steven Price
+
+[ Upstream commit 8782fb61cc848364e1e1599d76d3c9dd58a1cc06 ]
+
+The mmap lock protects the page walker from changes to the page tables
+during the walk. However a read lock is insufficient to protect those
+areas which don't have a VMA as munmap() detaches the VMAs before
+downgrading to a read lock and actually tearing down PTEs/page tables.
+
+For users of walk_page_range() the solution is to simply call pte_hole()
+immediately without checking the actual page tables when a VMA is not
+present. We now never call __walk_page_range() without a valid vma.
+
+For walk_page_range_novma() the locking requirements are tightened to
+require the mmap write lock to be taken, and then walking the pgd
+directly with 'no_vma' set.
+
+This in turn means that all page walkers either have a valid vma, or
+it's that special 'novma' case for page table debugging. As a result,
+all the odd '(!walk->vma && !walk->no_vma)' tests can be removed.
+
+Fixes: dd2283f2605e ("mm: mmap: zap pages with read mmap_sem in munmap")
+Reported-by: Jann Horn
+Signed-off-by: Steven Price
+Cc: Vlastimil Babka
+Cc: Thomas Hellström
+Cc: Konstantin Khlebnikov
+Cc: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ arch/riscv/mm/pageattr.c | 4 ++--
+ mm/pagewalk.c | 21 ++++++++++++---------
+ mm/ptdump.c | 4 ++--
+ 3 files changed, 16 insertions(+), 13 deletions(-)
+
+diff --git a/arch/riscv/mm/pageattr.c b/arch/riscv/mm/pageattr.c
+index 19fecb362d815..09f6be19ba7b3 100644
+--- a/arch/riscv/mm/pageattr.c
++++ b/arch/riscv/mm/pageattr.c
+@@ -118,10 +118,10 @@ static int __set_memory(unsigned long addr, int numpages, pgprot_t set_mask,
+ if (!numpages)
+ return 0;
+
+- mmap_read_lock(&init_mm);
++ mmap_write_lock(&init_mm);
+ ret = walk_page_range_novma(&init_mm, start, end, &pageattr_ops, NULL,
+ &masks);
+- mmap_read_unlock(&init_mm);
++ mmap_write_unlock(&init_mm);
+
+ flush_tlb_kernel_range(start, end);
+
+diff --git a/mm/pagewalk.c b/mm/pagewalk.c
+index e81640d9f1770..371ec21a19899 100644
+--- a/mm/pagewalk.c
++++ b/mm/pagewalk.c
+@@ -71,7 +71,7 @@ static int walk_pmd_range(pud_t *pud, unsigned long addr, unsigned long end,
+ do {
+ again:
+ next = pmd_addr_end(addr, end);
+- if (pmd_none(*pmd) || (!walk->vma && !walk->no_vma)) {
++ if (pmd_none(*pmd)) {
+ if (ops->pte_hole)
+ err = ops->pte_hole(addr, next, depth, walk);
+ if (err)
+@@ -129,7 +129,7 @@ static int walk_pud_range(p4d_t *p4d, unsigned long addr, unsigned long end,
+ do {
+ again:
+ next = pud_addr_end(addr, end);
+- if (pud_none(*pud) || (!walk->vma && !walk->no_vma)) {
++ if (pud_none(*pud)) {
+ if (ops->pte_hole)
+ err = ops->pte_hole(addr, next, depth, walk);
+ if (err)
+@@ -318,19 +318,19 @@ static int __walk_page_range(unsigned long start, unsigned long end,
+ struct vm_area_struct *vma = walk->vma;
+ const struct mm_walk_ops *ops = walk->ops;
+
+- if (vma && ops->pre_vma) {
++ if (ops->pre_vma) {
+ err =
ops->pre_vma(start, end, walk);
+ if (err)
+ return err;
+ }
+
+- if (vma && is_vm_hugetlb_page(vma)) {
++ if (is_vm_hugetlb_page(vma)) {
+ if (ops->hugetlb_entry)
+ err = walk_hugetlb_range(start, end, walk);
+ } else
+ err = walk_pgd_range(start, end, walk);
+
+- if (vma && ops->post_vma)
++ if (ops->post_vma)
+ ops->post_vma(walk);
+
+ return err;
+@@ -402,9 +402,13 @@ int walk_page_range(struct mm_struct *mm, unsigned long start,
+ if (!vma) { /* after the last vma */
+ walk.vma = NULL;
+ next = end;
++ if (ops->pte_hole)
++ err = ops->pte_hole(start, next, -1, &walk);
+ } else if (start < vma->vm_start) { /* outside vma */
+ walk.vma = NULL;
+ next = min(end, vma->vm_start);
++ if (ops->pte_hole)
++ err = ops->pte_hole(start, next, -1, &walk);
+ } else { /* inside vma */
+ walk.vma = vma;
+ next = min(end, vma->vm_end);
+@@ -422,9 +426,8 @@ int walk_page_range(struct mm_struct *mm, unsigned long start,
+ }
+ if (err < 0)
+ break;
+- }
+- if (walk.vma || walk.ops->pte_hole)
+ err = __walk_page_range(start, next, &walk);
++ }
+ if (err)
+ break;
+ } while (start = next, start < end);
+@@ -453,9 +456,9 @@ int walk_page_range_novma(struct mm_struct *mm, unsigned long start,
+ if (start >= end || !walk.mm)
+ return -EINVAL;
+
+- mmap_assert_locked(walk.mm);
++ mmap_assert_write_locked(walk.mm);
+
+- return __walk_page_range(start, end, &walk);
++ return walk_pgd_range(start, end, &walk);
+ }
+
+ int walk_page_vma(struct vm_area_struct *vma, const struct mm_walk_ops *ops,
+diff --git a/mm/ptdump.c b/mm/ptdump.c
+index 93f2f63dc52dc..a917bf55c61ea 100644
+--- a/mm/ptdump.c
++++ b/mm/ptdump.c
+@@ -141,13 +141,13 @@ void ptdump_walk_pgd(struct ptdump_state *st, struct mm_struct *mm, pgd_t *pgd)
+ {
+ const struct ptdump_range *range = st->range;
+
+- mmap_read_lock(mm);
++ mmap_write_lock(mm);
+ while (range->start != range->end) {
+ walk_page_range_novma(mm, range->start, range->end,
+ &ptdump_ops, pgd, st);
+ range++;
+ }
+- mmap_read_unlock(mm);
++
mmap_write_unlock(mm);
+
+ /* Flush out the last page */
+ st->note_page(st, 0, -1, 0);
+--
+2.35.1
+
diff --git a/queue-5.10/revert-clk-core-honor-clk_ops_parent_enable-for-clk-.patch b/queue-5.10/revert-clk-core-honor-clk_ops_parent_enable-for-clk-.patch
new file mode 100644
index 00000000000..d58db1381d1
--- /dev/null
+++ b/queue-5.10/revert-clk-core-honor-clk_ops_parent_enable-for-clk-.patch
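Review bot: After this change __walk_page_range() calls `is_vm_hugetlb_page(vma)` and the `pre_vma`/`post_vma` hooks without the former `vma &&` guards, so a NULL `walk->vma` reaching it would presumably be dereferenced instead of skipping those branches. The hunks show walk_page_range() and walk_page_range_novma() honouring that, but other callers are outside the page. Stating the contract at the top of the function would protect future callers, e.g. a comment `/* walk->vma must be valid here; the novma case calls walk_pgd_range() directly */`, optionally backed by `VM_WARN_ON_ONCE(!vma);`. Likewise, any caller of walk_page_range_novma() that is not converted to `mmap_write_lock()` in this patch will trip `mmap_assert_write_locked()`, so the 5.10 tree should be checked for callers beyond the two shown.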
@@ -0,0 +1,117 @@
+From 7b82219bde71f593e86d2e2c318ae696be110628 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 31 Aug 2022 10:53:25 -0700
+Subject: Revert "clk: core: Honor CLK_OPS_PARENT_ENABLE for clk gate ops"
+
+From: Stephen Boyd
+
+[ Upstream commit abb5f3f4b1f5f0ad50eb067a00051d3587dec9fb ]
+
+This reverts commit 35b0fac808b95eea1212f8860baf6ad25b88b087. Alexander
+reports that it causes boot failures on i.MX8M Plus based boards
+(specifically imx8mp-tqma8mpql-mba8mpxl.dts).
+
+Reported-by: Alexander Stein
+Cc: Chen-Yu Tsai
+Fixes: 35b0fac808b9 ("clk: core: Honor CLK_OPS_PARENT_ENABLE for clk gate ops")
+Link: https://lore.kernel.org/r/12115951.O9o76ZdvQC@steina-w
+Signed-off-by: Stephen Boyd
+Link: https://lore.kernel.org/r/20220831175326.2523912-1-sboyd@kernel.org
+Signed-off-by: Sasha Levin
+---
+ drivers/clk/clk.c | 28 ----------------------------
+ 1 file changed, 28 deletions(-)
+
+diff --git a/drivers/clk/clk.c b/drivers/clk/clk.c
+index 4f20d5318183f..2e56cc0a3bce6 100644
+--- a/drivers/clk/clk.c
++++ b/drivers/clk/clk.c
+@@ -203,9 +203,6 @@ static bool clk_core_rate_is_protected(struct clk_core *core)
+ return core->protect_count;
+ }
+
+-static int clk_core_prepare_enable(struct clk_core *core);
+-static void clk_core_disable_unprepare(struct clk_core *core);
+-
+ static bool clk_core_is_prepared(struct clk_core *core)
+ {
+ bool ret = false;
+@@ -218,11 +215,7 @@ static bool clk_core_is_prepared(struct clk_core *core)
+ return core->prepare_count;
+
+ if (!clk_pm_runtime_get(core)) {
+- if (core->flags & CLK_OPS_PARENT_ENABLE)
+- clk_core_prepare_enable(core->parent);
+ ret = core->ops->is_prepared(core->hw);
+- if (core->flags & CLK_OPS_PARENT_ENABLE)
+- clk_core_disable_unprepare(core->parent);
+ clk_pm_runtime_put(core);
+ }
+
+@@ -258,13 +251,7 @@ static bool clk_core_is_enabled(struct clk_core *core)
+ }
+ }
+
+- if (core->flags & CLK_OPS_PARENT_ENABLE)
+- clk_core_prepare_enable(core->parent);
+-
+ ret =
core->ops->is_enabled(core->hw);
+-
+- if (core->flags & CLK_OPS_PARENT_ENABLE)
+- clk_core_disable_unprepare(core->parent);
+ done:
+ if (core->rpm_enabled)
+ pm_runtime_put(core->dev);
+@@ -831,9 +818,6 @@ int clk_rate_exclusive_get(struct clk *clk)
+ }
+ EXPORT_SYMBOL_GPL(clk_rate_exclusive_get);
+
+-static int clk_core_enable_lock(struct clk_core *core);
+-static void clk_core_disable_lock(struct clk_core *core);
+-
+ static void clk_core_unprepare(struct clk_core *core)
+ {
+ lockdep_assert_held(&prepare_lock);
+@@ -857,9 +841,6 @@ static void clk_core_unprepare(struct clk_core *core)
+
+ WARN(core->enable_count > 0, "Unpreparing enabled %s\n", core->name);
+
+- if (core->flags & CLK_OPS_PARENT_ENABLE)
+- clk_core_enable_lock(core->parent);
+-
+ trace_clk_unprepare(core);
+
+ if (core->ops->unprepare)
+@@ -868,9 +849,6 @@ static void clk_core_unprepare(struct clk_core *core)
+ clk_pm_runtime_put(core);
+
+ trace_clk_unprepare_complete(core);
+-
+- if (core->flags & CLK_OPS_PARENT_ENABLE)
+- clk_core_disable_lock(core->parent);
+ clk_core_unprepare(core->parent);
+ }
+
+@@ -919,9 +897,6 @@ static int clk_core_prepare(struct clk_core *core)
+ if (ret)
+ goto runtime_put;
+
+- if (core->flags & CLK_OPS_PARENT_ENABLE)
+- clk_core_enable_lock(core->parent);
+-
+ trace_clk_prepare(core);
+
+ if (core->ops->prepare)
+@@ -929,9 +904,6 @@ static int clk_core_prepare(struct clk_core *core)
+
+ trace_clk_prepare_complete(core);
+
+- if (core->flags & CLK_OPS_PARENT_ENABLE)
+- clk_core_disable_lock(core->parent);
+-
+ if (ret)
+ goto unprepare;
+ }
+--
+2.35.1
+
diff --git a/queue-5.10/series b/queue-5.10/series
index cf8ff6f9ff7..62521a60af7 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -32,3 +32,17 @@ misc-fastrpc-fix-memory-corruption-on-open.patch
 usb-serial-ftdi_sio-add-omron-cs1w-cif31-device-id.patch
 binder-fix-uaf-of-ref-proc-caused-by-race-condition.patch
 usb-dwc3-qcom-fix-use-after-free-on-runtime-pm-wakeu.patch
+drm-i915-reg-fix-spelling-mistake-unsupport-unsuppor.patch
+clk-core-honor-clk_ops_parent_enable-for-clk-gate-op.patch
+revert-clk-core-honor-clk_ops_parent_enable-for-clk-.patch
+clk-core-fix-runtime-pm-sequence-in-clk_core_unprepa.patch
+input-rk805-pwrkey-fix-module-autoloading.patch
+clk-bcm-rpi-fix-error-handling-of-raspberrypi_fw_get.patch
+clk-bcm-rpi-use-correct-order-for-the-parameters-of-.patch
+clk-bcm-rpi-prevent-out-of-bounds-access.patch
+clk-bcm-rpi-add-missing-newline.patch
+hwmon-gpio-fan-fix-array-out-of-bounds-access.patch
+gpio-pca953x-add-mutex_lock-for-regcache-sync-in-pm.patch
+kvm-x86-mask-off-unsupported-and-unknown-bits-of-ia3.patch
+xen-grants-prevent-integer-overflow-in-gnttab_dma_al.patch
+mm-pagewalk-fix-race-between-unmap-and-page-walker.patch
diff --git a/queue-5.10/xen-grants-prevent-integer-overflow-in-gnttab_dma_al.patch b/queue-5.10/xen-grants-prevent-integer-overflow-in-gnttab_dma_al.patch
new file mode 100644
index 00000000000..56a1bf03878
--- /dev/null
+++ b/queue-5.10/xen-grants-prevent-integer-overflow-in-gnttab_dma_al.patch
@@ -0,0 +1,40 @@
+From c562a7c1c17c32db7e26e5da946e6c755afa0efa Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 1 Sep 2022 18:35:20 +0300
+Subject: xen/grants: prevent integer overflow in gnttab_dma_alloc_pages()
+
+From: Dan Carpenter
+
+[ Upstream commit e9ea0b30ada008f4e65933f449db6894832cb242 ]
+
+The change from kcalloc() to kvmalloc() means that arg->nr_pages
+might now be large enough that the "args->nr_pages << PAGE_SHIFT" can
+result in an integer overflow.
+
+Fixes: b3f7931f5c61 ("xen/gntdev: switch from kcalloc() to kvcalloc()")
+Signed-off-by: Dan Carpenter
+Reviewed-by: Juergen Gross
+Link: https://lore.kernel.org/r/YxDROJqu/RPvR0bi@kili
+Signed-off-by: Juergen Gross
+Signed-off-by: Sasha Levin
+---
+ drivers/xen/grant-table.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/xen/grant-table.c b/drivers/xen/grant-table.c
+index 5c83d41766c85..0a2d24d6ac6f7 100644
+--- a/drivers/xen/grant-table.c
++++ b/drivers/xen/grant-table.c
+@@ -981,6 +981,9 @@ int gnttab_dma_alloc_pages(struct gnttab_dma_alloc_args *args)
+ size_t size;
+ int i, ret;
+
++ if (args->nr_pages < 0 || args->nr_pages > (INT_MAX >> PAGE_SHIFT))
++ return -ENOMEM;
++
+ size = args->nr_pages << PAGE_SHIFT;
+ if (args->coherent)
+ args->vaddr = dma_alloc_coherent(args->dev, size,
+--
+2.35.1
+
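Review bot: The added guard in gnttab_dma_alloc_pages() bounds nr_pages by `INT_MAX >> PAGE_SHIFT` without saying why an int limit is used when `size` is a size_t. The reason is that `args->nr_pages << PAGE_SHIFT` on the following line is evaluated in the type of nr_pages (signed, judging by the `< 0` test) before the result is widened. A one-line comment such as `/* the shift below is done in int; keep the result within INT_MAX */` would stop a later cleanup from relaxing the bound to a size_t limit and reopening the overflow. A zero nr_pages passes the guard and yields a size of 0; whether callers exclude that is not visible here, since the function body continues past the hunk.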