From: Sasha Levin Date: Mon, 18 Mar 2024 22:55:59 +0000 (-0400) Subject: Fixes for 5.10 X-Git-Tag: v6.8.2~96 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=76280aeec5e93c4c9a1c274ff9235d6b9bfdd034;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.10 Signed-off-by: Sasha Levin --- diff --git a/queue-5.10/asoc-intel-bytcr_rt5640-add-an-extra-entry-for-the-c.patch b/queue-5.10/asoc-intel-bytcr_rt5640-add-an-extra-entry-for-the-c.patch new file mode 100644 index 00000000000..978c777a519 --- /dev/null +++ b/queue-5.10/asoc-intel-bytcr_rt5640-add-an-extra-entry-for-the-c.patch @@ -0,0 +1,52 @@ +From 36ce329e666925b387642aa76f3e9d9710ad476d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Feb 2024 19:28:41 +0000 +Subject: ASoC: Intel: bytcr_rt5640: Add an extra entry for the Chuwi Vi8 + tablet +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alban Boyé + +[ Upstream commit f8b0127aca8c60826e7354e504a12d4a46b1c3bb ] + +The bios version can differ depending if it is a dual-boot variant of the tablet. +Therefore another DMI match is required. + +Signed-off-by: Alban Boyé +Reviewed-by: Cezary Rojewski +Acked-by: Pierre-Louis Bossart +Link: https://msgid.link/r/20240228192807.15130-1-alban.boye@protonmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/intel/boards/bytcr_rt5640.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/sound/soc/intel/boards/bytcr_rt5640.c b/sound/soc/intel/boards/bytcr_rt5640.c +index f5b1b3b876980..1d049685e7075 100644 +--- a/sound/soc/intel/boards/bytcr_rt5640.c ++++ b/sound/soc/intel/boards/bytcr_rt5640.c +@@ -529,6 +529,18 @@ static const struct dmi_system_id byt_rt5640_quirk_table[] = { + BYT_RT5640_SSP0_AIF1 | + BYT_RT5640_MCLK_EN), + }, ++ { /* Chuwi Vi8 dual-boot (CWI506) */ ++ .matches = { ++ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "Insyde"), ++ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "i86"), ++ /* The above are too generic, also match BIOS info */ ++ DMI_MATCH(DMI_BIOS_VERSION, "CHUWI2.D86JHBNR02"), ++ }, ++ .driver_data = (void *)(BYTCR_INPUT_DEFAULTS | ++ BYT_RT5640_MONO_SPEAKER | ++ BYT_RT5640_SSP0_AIF1 | ++ BYT_RT5640_MCLK_EN), ++ }, + { + /* Chuwi Vi10 (CWI505) */ + .matches = { +-- +2.43.0 + diff --git a/queue-5.10/asoc-rt5645-make-lattepanda-board-dmi-match-more-pre.patch b/queue-5.10/asoc-rt5645-make-lattepanda-board-dmi-match-more-pre.patch new file mode 100644 index 00000000000..3a9f8b1195e --- /dev/null +++ b/queue-5.10/asoc-rt5645-make-lattepanda-board-dmi-match-more-pre.patch @@ -0,0 +1,63 @@ +From d86be5f81d19ceab531b54e21b5b2b93f0a77e7c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 11 Feb 2024 22:27:35 +0100 +Subject: ASoC: rt5645: Make LattePanda board DMI match more precise + +From: Hans de Goede + +[ Upstream commit 551539a8606e28cb2a130f8ef3e9834235b456c4 ] + +The DMI strings used for the LattePanda board DMI quirks are very generic. + +Using the dmidecode database from https://linux-hardware.org/ shows +that the chosen DMI strings also match the following 2 laptops +which also have a rt5645 codec: + +Insignia NS-P11W7100 https://linux-hardware.org/?computer=E092FFF8BA04 +Insignia NS-P10W8100 https://linux-hardware.org/?computer=AFB6C0BF7934 + +All 4 hw revisions of the LattePanda board have "S70CR" in their BIOS +version DMI strings: + +DF-BI-7-S70CR100-* +DF-BI-7-S70CR110-* +DF-BI-7-S70CR200-* +LP-BS-7-S70CR700-* + +See e.g. https://linux-hardware.org/?computer=D98250A817C0 + +Add a partial (non exact) DMI match on this string to make the LattePanda +board DMI match more precise to avoid false-positive matches. + +Signed-off-by: Hans de Goede +Link: https://msgid.link/r/20240211212736.179605-1-hdegoede@redhat.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/rt5645.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/sound/soc/codecs/rt5645.c b/sound/soc/codecs/rt5645.c +index 04457cbed5b4e..5db63ef33f1a2 100644 +--- a/sound/soc/codecs/rt5645.c ++++ b/sound/soc/codecs/rt5645.c +@@ -3772,6 +3772,16 @@ static const struct dmi_system_id dmi_platform_data[] = { + DMI_EXACT_MATCH(DMI_BOARD_VENDOR, "AMI Corporation"), + DMI_EXACT_MATCH(DMI_BOARD_NAME, "Cherry Trail CR"), + DMI_EXACT_MATCH(DMI_BOARD_VERSION, "Default string"), ++ /* ++ * Above strings are too generic, LattePanda BIOS versions for ++ * all 4 hw revisions are: ++ * DF-BI-7-S70CR100-* ++ * DF-BI-7-S70CR110-* ++ * DF-BI-7-S70CR200-* ++ * LP-BS-7-S70CR700-* ++ * Do a partial match for S70CR to avoid false positive matches. ++ */ ++ DMI_MATCH(DMI_BIOS_VERSION, "S70CR"), + }, + .driver_data = (void *)&lattepanda_board_platform_data, + }, +-- +2.43.0 + diff --git a/queue-5.10/asoc-wm8962-enable-both-spkoutr_ena-and-spkoutl_ena-.patch b/queue-5.10/asoc-wm8962-enable-both-spkoutr_ena-and-spkoutl_ena-.patch new file mode 100644 index 00000000000..07ff17f9c55 --- /dev/null +++ b/queue-5.10/asoc-wm8962-enable-both-spkoutr_ena-and-spkoutl_ena-.patch @@ -0,0 +1,76 @@ +From 4134a152db7f93d1908e8a7d873bd2bf4ae6d867 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Mar 2024 16:14:36 +0000 +Subject: ASoC: wm8962: Enable both SPKOUTR_ENA and SPKOUTL_ENA in mono mode + +From: Stuart Henderson + +[ Upstream commit 6fa849e4d78b880e878138bf238e4fd2bac3c4fa ] + +Signed-off-by: Stuart Henderson +Link: https://msgid.link/r/20240306161439.1385643-2-stuarth@opensource.cirrus.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/wm8962.c | 23 ++++++++++++++--------- + 1 file changed, 14 insertions(+), 9 deletions(-) + +diff --git a/sound/soc/codecs/wm8962.c b/sound/soc/codecs/wm8962.c +index d6efc85f966b0..030471248e0e4 100644 +--- a/sound/soc/codecs/wm8962.c ++++ b/sound/soc/codecs/wm8962.c +@@ -2219,6 +2219,9 @@ SND_SOC_DAPM_PGA_E("HPOUT", SND_SOC_NOPM, 0, 0, NULL, 0, hp_event, + + SND_SOC_DAPM_OUTPUT("HPOUTL"), + SND_SOC_DAPM_OUTPUT("HPOUTR"), ++ ++SND_SOC_DAPM_PGA("SPKOUTL Output", WM8962_CLASS_D_CONTROL_1, 6, 0, NULL, 0), ++SND_SOC_DAPM_PGA("SPKOUTR Output", WM8962_CLASS_D_CONTROL_1, 7, 0, NULL, 0), + }; + + static const struct snd_soc_dapm_widget wm8962_dapm_spk_mono_widgets[] = { +@@ -2226,7 +2229,6 @@ SND_SOC_DAPM_MIXER("Speaker Mixer", WM8962_MIXER_ENABLES, 1, 0, + spkmixl, ARRAY_SIZE(spkmixl)), + SND_SOC_DAPM_MUX_E("Speaker PGA", WM8962_PWR_MGMT_2, 4, 0, &spkoutl_mux, + out_pga_event, SND_SOC_DAPM_POST_PMU), +-SND_SOC_DAPM_PGA("Speaker Output", WM8962_CLASS_D_CONTROL_1, 7, 0, NULL, 0), + SND_SOC_DAPM_OUTPUT("SPKOUT"), + }; + +@@ -2241,9 +2243,6 @@ SND_SOC_DAPM_MUX_E("SPKOUTL PGA", WM8962_PWR_MGMT_2, 4, 0, &spkoutl_mux, + SND_SOC_DAPM_MUX_E("SPKOUTR PGA", WM8962_PWR_MGMT_2, 3, 0, &spkoutr_mux, + out_pga_event, SND_SOC_DAPM_POST_PMU), + +-SND_SOC_DAPM_PGA("SPKOUTR Output", WM8962_CLASS_D_CONTROL_1, 7, 0, NULL, 0), +-SND_SOC_DAPM_PGA("SPKOUTL Output", WM8962_CLASS_D_CONTROL_1, 6, 0, NULL, 0), +- + SND_SOC_DAPM_OUTPUT("SPKOUTL"), + SND_SOC_DAPM_OUTPUT("SPKOUTR"), + }; +@@ -2353,12 +2352,18 @@ static const struct snd_soc_dapm_route wm8962_spk_mono_intercon[] = { + { "Speaker PGA", "Mixer", "Speaker Mixer" }, + { "Speaker PGA", "DAC", "DACL" }, + +- { "Speaker Output", NULL, "Speaker PGA" }, +- { "Speaker Output", NULL, "SYSCLK" }, +- { "Speaker Output", NULL, "TOCLK" }, +- { "Speaker Output", NULL, "TEMP_SPK" }, ++ { "SPKOUTL Output", NULL, "Speaker PGA" }, ++ { "SPKOUTL Output", NULL, "SYSCLK" }, ++ { "SPKOUTL Output", NULL, "TOCLK" }, ++ { "SPKOUTL Output", NULL, "TEMP_SPK" }, ++ ++ { "SPKOUTR Output", NULL, "Speaker PGA" }, ++ { "SPKOUTR Output", NULL, "SYSCLK" }, ++ { "SPKOUTR Output", NULL, "TOCLK" }, ++ { "SPKOUTR Output", NULL, "TEMP_SPK" }, + +- { "SPKOUT", NULL, "Speaker Output" }, ++ { "SPKOUT", NULL, "SPKOUTL Output" }, ++ { "SPKOUT", NULL, "SPKOUTR Output" }, + }; + + static const struct snd_soc_dapm_route wm8962_spk_stereo_intercon[] = { +-- +2.43.0 + diff --git a/queue-5.10/asoc-wm8962-enable-oscillator-if-selecting-wm8962_fl.patch b/queue-5.10/asoc-wm8962-enable-oscillator-if-selecting-wm8962_fl.patch new file mode 100644 index 00000000000..c4e0b0f0bec --- /dev/null +++ b/queue-5.10/asoc-wm8962-enable-oscillator-if-selecting-wm8962_fl.patch @@ -0,0 +1,37 @@ +From 21cd4bf6df5711caa732ae472bad55c6c62ebe70 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Mar 2024 16:14:35 +0000 +Subject: ASoC: wm8962: Enable oscillator if selecting WM8962_FLL_OSC + +From: Stuart Henderson + +[ Upstream commit 03c7874106ca5032a312626b927b1c35f07b1f35 ] + +Signed-off-by: Stuart Henderson +Link: https://msgid.link/r/20240306161439.1385643-1-stuarth@opensource.cirrus.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/wm8962.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/sound/soc/codecs/wm8962.c b/sound/soc/codecs/wm8962.c +index 57aeded978c28..d6efc85f966b0 100644 +--- a/sound/soc/codecs/wm8962.c ++++ b/sound/soc/codecs/wm8962.c +@@ -2898,8 +2898,12 @@ static int wm8962_set_fll(struct snd_soc_component *component, int fll_id, int s + switch (fll_id) { + case WM8962_FLL_MCLK: + case WM8962_FLL_BCLK: ++ fll1 |= (fll_id - 1) << WM8962_FLL_REFCLK_SRC_SHIFT; ++ break; + case WM8962_FLL_OSC: + fll1 |= (fll_id - 1) << WM8962_FLL_REFCLK_SRC_SHIFT; ++ snd_soc_component_update_bits(component, WM8962_PLL2, ++ WM8962_OSC_ENA, WM8962_OSC_ENA); + break; + case WM8962_FLL_INT: + snd_soc_component_update_bits(component, WM8962_FLL_CONTROL_1, +-- +2.43.0 + diff --git a/queue-5.10/asoc-wm8962-fix-up-incorrect-error-message-in-wm8962.patch b/queue-5.10/asoc-wm8962-fix-up-incorrect-error-message-in-wm8962.patch new file mode 100644 index 00000000000..c683a3f86df --- /dev/null +++ b/queue-5.10/asoc-wm8962-fix-up-incorrect-error-message-in-wm8962.patch @@ -0,0 +1,36 @@ +From d9967fa37bd1bbad546f95d4f2cb998d32496cf1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Mar 2024 16:14:39 +0000 +Subject: ASoC: wm8962: Fix up incorrect error message in wm8962_set_fll + +From: Stuart Henderson + +[ Upstream commit 96e202f8c52ac49452f83317cf3b34cd1ad81e18 ] + +Use source instead of ret, which seems to be unrelated and will always +be zero. + +Signed-off-by: Stuart Henderson +Link: https://msgid.link/r/20240306161439.1385643-5-stuarth@opensource.cirrus.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/wm8962.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/codecs/wm8962.c b/sound/soc/codecs/wm8962.c +index 030471248e0e4..272932e200d87 100644 +--- a/sound/soc/codecs/wm8962.c ++++ b/sound/soc/codecs/wm8962.c +@@ -2917,7 +2917,7 @@ static int wm8962_set_fll(struct snd_soc_component *component, int fll_id, int s + WM8962_FLL_FRC_NCO, WM8962_FLL_FRC_NCO); + break; + default: +- dev_err(component->dev, "Unknown FLL source %d\n", ret); ++ dev_err(component->dev, "Unknown FLL source %d\n", source); + return -EINVAL; + } + +-- +2.43.0 + diff --git a/queue-5.10/block-sed-opal-handle-empty-atoms-when-parsing-respo.patch b/queue-5.10/block-sed-opal-handle-empty-atoms-when-parsing-respo.patch new file mode 100644 index 00000000000..3053b360db5 --- /dev/null +++ b/queue-5.10/block-sed-opal-handle-empty-atoms-when-parsing-respo.patch @@ -0,0 +1,65 @@ +From 6ec12933eaf8df82aba82f4d9aae44c0a4769cd3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Feb 2024 15:04:17 -0600 +Subject: block: sed-opal: handle empty atoms when parsing response + +From: Greg Joyce + +[ Upstream commit 5429c8de56f6b2bd8f537df3a1e04e67b9c04282 ] + +The SED Opal response parsing function response_parse() does not +handle the case of an empty atom in the response. This causes +the entry count to be too high and the response fails to be +parsed. Recognizing, but ignoring, empty atoms allows response +handling to succeed. + +Signed-off-by: Greg Joyce +Link: https://lore.kernel.org/r/20240216210417.3526064-2-gjoyce@linux.ibm.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/opal_proto.h | 1 + + block/sed-opal.c | 6 +++++- + 2 files changed, 6 insertions(+), 1 deletion(-) + +diff --git a/block/opal_proto.h b/block/opal_proto.h +index b486b3ec7dc41..a50191bddbc26 100644 +--- a/block/opal_proto.h ++++ b/block/opal_proto.h +@@ -66,6 +66,7 @@ enum opal_response_token { + #define SHORT_ATOM_BYTE 0xBF + #define MEDIUM_ATOM_BYTE 0xDF + #define LONG_ATOM_BYTE 0xE3 ++#define EMPTY_ATOM_BYTE 0xFF + + #define OPAL_INVAL_PARAM 12 + #define OPAL_MANUFACTURED_INACTIVE 0x08 +diff --git a/block/sed-opal.c b/block/sed-opal.c +index 0ac5a4f3f2261..00e4d23ac49e7 100644 +--- a/block/sed-opal.c ++++ b/block/sed-opal.c +@@ -895,16 +895,20 @@ static int response_parse(const u8 *buf, size_t length, + token_length = response_parse_medium(iter, pos); + else if (pos[0] <= LONG_ATOM_BYTE) /* long atom */ + token_length = response_parse_long(iter, pos); ++ else if (pos[0] == EMPTY_ATOM_BYTE) /* empty atom */ ++ token_length = 1; + else /* TOKEN */ + token_length = response_parse_token(iter, pos); + + if (token_length < 0) + return token_length; + ++ if (pos[0] != EMPTY_ATOM_BYTE) ++ num_entries++; ++ + pos += token_length; + total -= token_length; + iter++; +- num_entries++; + } + + resp->num = num_entries; +-- +2.43.0 + diff --git a/queue-5.10/bluetooth-rfcomm-fix-null-ptr-deref-in-rfcomm_check_.patch b/queue-5.10/bluetooth-rfcomm-fix-null-ptr-deref-in-rfcomm_check_.patch new file mode 100644 index 00000000000..65790d60a3c --- /dev/null +++ b/queue-5.10/bluetooth-rfcomm-fix-null-ptr-deref-in-rfcomm_check_.patch @@ -0,0 +1,58 @@ +From b143ccbfe4e3ba6dd91de785ccd3b07787cd6eb8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Jan 2024 17:10:43 +0800 +Subject: Bluetooth: rfcomm: Fix null-ptr-deref in rfcomm_check_security + +From: Yuxuan Hu <20373622@buaa.edu.cn> + +[ Upstream commit 2535b848fa0f42ddff3e5255cf5e742c9b77bb26 ] + +During our fuzz testing of the connection and disconnection process at the +RFCOMM layer, we discovered this bug. By comparing the packets from a +normal connection and disconnection process with the testcase that +triggered a KASAN report. We analyzed the cause of this bug as follows: + +1. In the packets captured during a normal connection, the host sends a +`Read Encryption Key Size` type of `HCI_CMD` packet +(Command Opcode: 0x1408) to the controller to inquire the length of +encryption key.After receiving this packet, the controller immediately +replies with a Command Completepacket (Event Code: 0x0e) to return the +Encryption Key Size. + +2. In our fuzz test case, the timing of the controller's response to this +packet was delayed to an unexpected point: after the RFCOMM and L2CAP +layers had disconnected but before the HCI layer had disconnected. + +3. After receiving the Encryption Key Size Response at the time described +in point 2, the host still called the rfcomm_check_security function. +However, by this time `struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;` +had already been released, and when the function executed +`return hci_conn_security(conn->hcon, d->sec_level, auth_type, d->out);`, +specifically when accessing `conn->hcon`, a null-ptr-deref error occurred. + +To fix this bug, check if `sk->sk_state` is BT_CLOSED before calling +rfcomm_recv_frame in rfcomm_process_rx. + +Signed-off-by: Yuxuan Hu <20373622@buaa.edu.cn> +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/rfcomm/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c +index 8d6fce9005bdd..4f54c7df3a94f 100644 +--- a/net/bluetooth/rfcomm/core.c ++++ b/net/bluetooth/rfcomm/core.c +@@ -1937,7 +1937,7 @@ static struct rfcomm_session *rfcomm_process_rx(struct rfcomm_session *s) + /* Get data directly from socket receive queue without copying it. */ + while ((skb = skb_dequeue(&sk->sk_receive_queue))) { + skb_orphan(skb); +- if (!skb_linearize(skb)) { ++ if (!skb_linearize(skb) && sk->sk_state != BT_CLOSED) { + s = rfcomm_recv_frame(s, skb); + if (!s) + break; +-- +2.43.0 + diff --git a/queue-5.10/btrfs-add-and-use-helper-to-check-if-block-group-is-.patch b/queue-5.10/btrfs-add-and-use-helper-to-check-if-block-group-is-.patch new file mode 100644 index 00000000000..f73b496fd79 --- /dev/null +++ b/queue-5.10/btrfs-add-and-use-helper-to-check-if-block-group-is-.patch @@ -0,0 +1,60 @@ +From b8912dfa6807a2a31faec7c9fdc7d5c7609f3c8e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Jan 2024 09:53:06 +0000 +Subject: btrfs: add and use helper to check if block group is used + +From: Filipe Manana + +[ Upstream commit 1693d5442c458ae8d5b0d58463b873cd879569ed ] + +Add a helper function to determine if a block group is being used and make +use of it at btrfs_delete_unused_bgs(). This helper will also be used in +future code changes. + +Reviewed-by: Johannes Thumshirn +Reviewed-by: Josef Bacik +Reviewed-by: Boris Burkov +Signed-off-by: Filipe Manana +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/block-group.c | 3 +-- + fs/btrfs/block-group.h | 7 +++++++ + 2 files changed, 8 insertions(+), 2 deletions(-) + +diff --git a/fs/btrfs/block-group.c b/fs/btrfs/block-group.c +index c4e3c1a5de059..9a7c7e0f7c233 100644 +--- a/fs/btrfs/block-group.c ++++ b/fs/btrfs/block-group.c +@@ -1393,8 +1393,7 @@ void btrfs_delete_unused_bgs(struct btrfs_fs_info *fs_info) + } + + spin_lock(&block_group->lock); +- if (block_group->reserved || block_group->pinned || +- block_group->used || block_group->ro || ++ if (btrfs_is_block_group_used(block_group) || block_group->ro || + list_is_singular(&block_group->list)) { + /* + * We want to bail if we made new allocations or have +diff --git a/fs/btrfs/block-group.h b/fs/btrfs/block-group.h +index 4c7614346f724..0d02b75f9e7e3 100644 +--- a/fs/btrfs/block-group.h ++++ b/fs/btrfs/block-group.h +@@ -196,6 +196,13 @@ static inline u64 btrfs_block_group_end(struct btrfs_block_group *block_group) + return (block_group->start + block_group->length); + } + ++static inline bool btrfs_is_block_group_used(const struct btrfs_block_group *bg) ++{ ++ lockdep_assert_held(&bg->lock); ++ ++ return (bg->used > 0 || bg->reserved > 0 || bg->pinned > 0); ++} ++ + static inline bool btrfs_is_block_group_data_only( + struct btrfs_block_group *block_group) + { +-- +2.43.0 + diff --git a/queue-5.10/dm-verity-dm-crypt-align-struct-bvec_iter-correctly.patch b/queue-5.10/dm-verity-dm-crypt-align-struct-bvec_iter-correctly.patch new file mode 100644 index 00000000000..4054b576928 --- /dev/null +++ b/queue-5.10/dm-verity-dm-crypt-align-struct-bvec_iter-correctly.patch @@ -0,0 +1,70 @@ +From 0c7560792b0b22d4ba1f8d36963820feb9bfceb5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Feb 2024 19:11:51 +0100 +Subject: dm-verity, dm-crypt: align "struct bvec_iter" correctly + +From: Mikulas Patocka + +[ Upstream commit 787f1b2800464aa277236a66eb3c279535edd460 ] + +"struct bvec_iter" is defined with the __packed attribute, so it is +aligned on a single byte. On X86 (and on other architectures that support +unaligned addresses in hardware), "struct bvec_iter" is accessed using the +8-byte and 4-byte memory instructions, however these instructions are less +efficient if they operate on unaligned addresses. + +(on RISC machines that don't have unaligned access in hardware, GCC +generates byte-by-byte accesses that are very inefficient - see [1]) + +This commit reorders the entries in "struct dm_verity_io" and "struct +convert_context", so that "struct bvec_iter" is aligned on 8 bytes. + +[1] https://lore.kernel.org/all/ZcLuWUNRZadJr0tQ@fedora/T/ + +Signed-off-by: Mikulas Patocka +Signed-off-by: Mike Snitzer +Signed-off-by: Sasha Levin +--- + drivers/md/dm-crypt.c | 4 ++-- + drivers/md/dm-verity.h | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/md/dm-crypt.c b/drivers/md/dm-crypt.c +index 5edcdcee91c23..5deda6c6fa2e7 100644 +--- a/drivers/md/dm-crypt.c ++++ b/drivers/md/dm-crypt.c +@@ -48,11 +48,11 @@ + struct convert_context { + struct completion restart; + struct bio *bio_in; +- struct bio *bio_out; + struct bvec_iter iter_in; ++ struct bio *bio_out; + struct bvec_iter iter_out; +- u64 cc_sector; + atomic_t cc_pending; ++ u64 cc_sector; + union { + struct skcipher_request *req; + struct aead_request *req_aead; +diff --git a/drivers/md/dm-verity.h b/drivers/md/dm-verity.h +index 78d1e51195ada..f61c89c79cf5b 100644 +--- a/drivers/md/dm-verity.h ++++ b/drivers/md/dm-verity.h +@@ -74,11 +74,11 @@ struct dm_verity_io { + /* original value of bio->bi_end_io */ + bio_end_io_t *orig_bi_end_io; + ++ struct bvec_iter iter; ++ + sector_t block; + unsigned n_blocks; + +- struct bvec_iter iter; +- + struct work_struct work; + + /* +-- +2.43.0 + diff --git a/queue-5.10/firewire-core-use-long-bus-reset-on-gap-count-error.patch b/queue-5.10/firewire-core-use-long-bus-reset-on-gap-count-error.patch new file mode 100644 index 00000000000..73b8382574b --- /dev/null +++ b/queue-5.10/firewire-core-use-long-bus-reset-on-gap-count-error.patch @@ -0,0 +1,65 @@ +From 31af727e0b5599d3e35960f117f3d08f9ea8826d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Feb 2024 22:17:37 +0900 +Subject: firewire: core: use long bus reset on gap count error + +From: Takashi Sakamoto + +[ Upstream commit d0b06dc48fb15902d7da09c5c0861e7f042a9381 ] + +When resetting the bus after a gap count error, use a long rather than +short bus reset. + +IEEE 1394-1995 uses only long bus resets. IEEE 1394a adds the option of +short bus resets. When video or audio transmission is in progress and a +device is hot-plugged elsewhere on the bus, the resulting bus reset can +cause video frame drops or audio dropouts. Short bus resets reduce or +eliminate this problem. Accordingly, short bus resets are almost always +preferred. + +However, on a mixed 1394/1394a bus, a short bus reset can trigger an +immediate additional bus reset. This double bus reset can be interpreted +differently by different nodes on the bus, resulting in an inconsistent gap +count after the bus reset. An inconsistent gap count will cause another bus +reset, leading to a neverending bus reset loop. This only happens for some +bus topologies, not for all mixed 1394/1394a buses. + +By instead sending a long bus reset after a gap count inconsistency, we +avoid the doubled bus reset, restoring the bus to normal operation. + +Signed-off-by: Adam Goldman +Link: https://sourceforge.net/p/linux1394/mailman/message/58741624/ +Signed-off-by: Takashi Sakamoto +Signed-off-by: Sasha Levin +--- + drivers/firewire/core-card.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/drivers/firewire/core-card.c b/drivers/firewire/core-card.c +index be195ba834632..d446a72629414 100644 +--- a/drivers/firewire/core-card.c ++++ b/drivers/firewire/core-card.c +@@ -500,7 +500,19 @@ static void bm_work(struct work_struct *work) + fw_notice(card, "phy config: new root=%x, gap_count=%d\n", + new_root_id, gap_count); + fw_send_phy_config(card, new_root_id, generation, gap_count); +- reset_bus(card, true); ++ /* ++ * Where possible, use a short bus reset to minimize ++ * disruption to isochronous transfers. But in the event ++ * of a gap count inconsistency, use a long bus reset. ++ * ++ * As noted in 1394a 8.4.6.2, nodes on a mixed 1394/1394a bus ++ * may set different gap counts after a bus reset. On a mixed ++ * 1394/1394a bus, a short bus reset can get doubled. Some ++ * nodes may treat the double reset as one bus reset and others ++ * may treat it as two, causing a gap count inconsistency ++ * again. Using a long bus reset prevents this. ++ */ ++ reset_bus(card, card->gap_count != 0); + /* Will allocate broadcast channel after the reset. */ + goto out; + } +-- +2.43.0 + diff --git a/queue-5.10/gen_compile_commands-fix-invalid-escape-sequence-war.patch b/queue-5.10/gen_compile_commands-fix-invalid-escape-sequence-war.patch new file mode 100644 index 00000000000..311fe933c63 --- /dev/null +++ b/queue-5.10/gen_compile_commands-fix-invalid-escape-sequence-war.patch @@ -0,0 +1,36 @@ +From a3b89993072245ed9ba3c0625adbc2116cdac098 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Feb 2024 19:23:05 -0600 +Subject: gen_compile_commands: fix invalid escape sequence warning + +From: Andrew Ballance + +[ Upstream commit dae4a0171e25884787da32823b3081b4c2acebb2 ] + +With python 3.12, '\#' results in this warning + SyntaxWarning: invalid escape sequence '\#' + +Signed-off-by: Andrew Ballance +Reviewed-by: Justin Stitt +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/clang-tools/gen_compile_commands.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/scripts/clang-tools/gen_compile_commands.py b/scripts/clang-tools/gen_compile_commands.py +index 8bf55bb4f515c..96e4865ee934d 100755 +--- a/scripts/clang-tools/gen_compile_commands.py ++++ b/scripts/clang-tools/gen_compile_commands.py +@@ -176,7 +176,7 @@ def process_line(root_directory, command_prefix, file_path): + # escape the pound sign '#', either as '\#' or '$(pound)' (depending on the + # kernel version). The compile_commands.json file is not interepreted + # by Make, so this code replaces the escaped version with '#'. +- prefix = command_prefix.replace('\#', '#').replace('$(pound)', '#') ++ prefix = command_prefix.replace(r'\#', '#').replace('$(pound)', '#') + + # Use os.path.abspath() to normalize the path resolving '.' and '..' . + abs_path = os.path.abspath(os.path.join(root_directory, file_path)) +-- +2.43.0 + diff --git a/queue-5.10/hid-multitouch-add-required-quirk-for-synaptics-0xcd.patch b/queue-5.10/hid-multitouch-add-required-quirk-for-synaptics-0xcd.patch new file mode 100644 index 00000000000..3066ac341f2 --- /dev/null +++ b/queue-5.10/hid-multitouch-add-required-quirk-for-synaptics-0xcd.patch @@ -0,0 +1,40 @@ +From 96e3020c61d16bd587c1fa422df0f7020fc4f285 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 11 Feb 2024 19:04:29 +0000 +Subject: HID: multitouch: Add required quirk for Synaptics 0xcddc device + +From: Manuel Fombuena + +[ Upstream commit 1741a8269e1c51fa08d4bfdf34667387a6eb10ec ] + +Add support for the pointing stick (Accupoint) and 2 mouse buttons. + +Present on some Toshiba/dynabook Portege X30 and X40 laptops. + +It should close https://bugzilla.kernel.org/show_bug.cgi?id=205817 + +Signed-off-by: Manuel Fombuena +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-multitouch.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c +index 7d43d62df2409..8dcd636daf270 100644 +--- a/drivers/hid/hid-multitouch.c ++++ b/drivers/hid/hid-multitouch.c +@@ -2067,6 +2067,10 @@ static const struct hid_device_id mt_devices[] = { + HID_DEVICE(BUS_I2C, HID_GROUP_MULTITOUCH_WIN_8, + USB_VENDOR_ID_SYNAPTICS, 0xcd7e) }, + ++ { .driver_data = MT_CLS_WIN_8_FORCE_MULTI_INPUT, ++ HID_DEVICE(BUS_I2C, HID_GROUP_MULTITOUCH_WIN_8, ++ USB_VENDOR_ID_SYNAPTICS, 0xcddc) }, ++ + { .driver_data = MT_CLS_WIN_8_FORCE_MULTI_INPUT, + HID_DEVICE(BUS_I2C, HID_GROUP_MULTITOUCH_WIN_8, + USB_VENDOR_ID_SYNAPTICS, 0xce08) }, +-- +2.43.0 + diff --git a/queue-5.10/input-gpio_keys_polled-suppress-deferred-probe-error.patch b/queue-5.10/input-gpio_keys_polled-suppress-deferred-probe-error.patch new file mode 100644 index 00000000000..e32c0cf56f7 --- /dev/null +++ b/queue-5.10/input-gpio_keys_polled-suppress-deferred-probe-error.patch @@ -0,0 +1,55 @@ +From cd5f4af557174c0b93f21b198948ced89e9a6b4f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Mar 2024 11:10:42 +0100 +Subject: Input: gpio_keys_polled - suppress deferred probe error for gpio +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit 963465a33141d0d52338e77f80fe543d2c9dc053 ] + +On a PC Engines APU our admins are faced with: + + $ dmesg | grep -c "gpio-keys-polled gpio-keys-polled: unable to claim gpio 0, err=-517" + 261 + +Such a message always appears when e.g. a new USB device is plugged in. + +Suppress this message which considerably clutters the kernel log for +EPROBE_DEFER (i.e. -517). + +Signed-off-by: Uwe Kleine-König +Reviewed-by: Linus Walleij +Link: https://lore.kernel.org/r/20240305101042.10953-2-u.kleine-koenig@pengutronix.de +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/keyboard/gpio_keys_polled.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +diff --git a/drivers/input/keyboard/gpio_keys_polled.c b/drivers/input/keyboard/gpio_keys_polled.c +index c3937d2fc7446..a0f9978c68f55 100644 +--- a/drivers/input/keyboard/gpio_keys_polled.c ++++ b/drivers/input/keyboard/gpio_keys_polled.c +@@ -319,12 +319,10 @@ static int gpio_keys_polled_probe(struct platform_device *pdev) + + error = devm_gpio_request_one(dev, button->gpio, + flags, button->desc ? : DRV_NAME); +- if (error) { +- dev_err(dev, +- "unable to claim gpio %u, err=%d\n", +- button->gpio, error); +- return error; +- } ++ if (error) ++ return dev_err_probe(dev, error, ++ "unable to claim gpio %u\n", ++ button->gpio); + + bdata->gpiod = gpio_to_desc(button->gpio); + if (!bdata->gpiod) { +-- +2.43.0 + diff --git a/queue-5.10/mips-clear-cause.bd-in-instruction_pointer_set.patch b/queue-5.10/mips-clear-cause.bd-in-instruction_pointer_set.patch new file mode 100644 index 00000000000..5f61e4f1863 --- /dev/null +++ b/queue-5.10/mips-clear-cause.bd-in-instruction_pointer_set.patch @@ -0,0 +1,39 @@ +From 3ab3e11f49f2c70ff497678d1a0f5797bf57d7c5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Feb 2024 12:30:27 +0000 +Subject: MIPS: Clear Cause.BD in instruction_pointer_set + +From: Jiaxun Yang + +[ Upstream commit 9d6e21ddf20293b3880ae55b9d14de91c5891c59 ] + +Clear Cause.BD after we use instruction_pointer_set to override +EPC. + +This can prevent exception_epc check against instruction code at +new return address. +It won't be considered as "in delay slot" after epc being overridden +anyway. + +Signed-off-by: Jiaxun Yang +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/include/asm/ptrace.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/mips/include/asm/ptrace.h b/arch/mips/include/asm/ptrace.h +index 1e76774b36ddf..2849a9b65a055 100644 +--- a/arch/mips/include/asm/ptrace.h ++++ b/arch/mips/include/asm/ptrace.h +@@ -60,6 +60,7 @@ static inline void instruction_pointer_set(struct pt_regs *regs, + unsigned long val) + { + regs->cp0_epc = val; ++ regs->cp0_cause &= ~CAUSEF_BD; + } + + /* Query offset/name of register from its name/offset */ +-- +2.43.0 + diff --git a/queue-5.10/net-iucv-fix-the-allocation-size-of-iucv_path_table-.patch b/queue-5.10/net-iucv-fix-the-allocation-size-of-iucv_path_table-.patch new file mode 100644 index 00000000000..82715c5522e --- /dev/null +++ b/queue-5.10/net-iucv-fix-the-allocation-size-of-iucv_path_table-.patch @@ -0,0 +1,46 @@ +From 86771e89af662c85b0047afa8001b460ac2dd199 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Feb 2024 17:32:40 +0100 +Subject: net/iucv: fix the allocation size of iucv_path_table array + +From: Alexander Gordeev + +[ Upstream commit b4ea9b6a18ebf7f9f3a7a60f82e925186978cfcf ] + +iucv_path_table is a dynamically allocated array of pointers to +struct iucv_path items. Yet, its size is calculated as if it was +an array of struct iucv_path items. + +Signed-off-by: Alexander Gordeev +Reviewed-by: Alexandra Winter +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/iucv/iucv.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/iucv/iucv.c b/net/iucv/iucv.c +index 6f84978a77265..ed0dbdbba4d94 100644 +--- a/net/iucv/iucv.c ++++ b/net/iucv/iucv.c +@@ -156,7 +156,7 @@ static char iucv_error_pathid[16] = "INVALID PATHID"; + static LIST_HEAD(iucv_handler_list); + + /* +- * iucv_path_table: an array of iucv_path structures. ++ * iucv_path_table: array of pointers to iucv_path structures. + */ + static struct iucv_path **iucv_path_table; + static unsigned long iucv_max_pathid; +@@ -542,7 +542,7 @@ static int iucv_enable(void) + + get_online_cpus(); + rc = -ENOMEM; +- alloc_size = iucv_max_pathid * sizeof(struct iucv_path); ++ alloc_size = iucv_max_pathid * sizeof(*iucv_path_table); + iucv_path_table = kzalloc(alloc_size, GFP_KERNEL); + if (!iucv_path_table) + goto out; +-- +2.43.0 + diff --git a/queue-5.10/parisc-ftrace-add-missing-config_dynamic_ftrace-chec.patch b/queue-5.10/parisc-ftrace-add-missing-config_dynamic_ftrace-chec.patch new file mode 100644 index 00000000000..ea4a9560202 --- /dev/null +++ b/queue-5.10/parisc-ftrace-add-missing-config_dynamic_ftrace-chec.patch @@ -0,0 +1,42 @@ +From 2ebba6605a3c249a19c9104929d86c5d629208e0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 11 Feb 2024 23:43:14 +0100 +Subject: parisc/ftrace: add missing CONFIG_DYNAMIC_FTRACE check + +From: Max Kellermann + +[ Upstream commit 250f5402e636a5cec9e0e95df252c3d54307210f ] + +Fixes a bug revealed by -Wmissing-prototypes when +CONFIG_FUNCTION_GRAPH_TRACER is enabled but not CONFIG_DYNAMIC_FTRACE: + + arch/parisc/kernel/ftrace.c:82:5: error: no previous prototype for 'ftrace_enable_ftrace_graph_caller' [-Werror=missing-prototypes] + 82 | int ftrace_enable_ftrace_graph_caller(void) + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + arch/parisc/kernel/ftrace.c:88:5: error: no previous prototype for 'ftrace_disable_ftrace_graph_caller' [-Werror=missing-prototypes] + 88 | int ftrace_disable_ftrace_graph_caller(void) + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Signed-off-by: Max Kellermann +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + arch/parisc/kernel/ftrace.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/parisc/kernel/ftrace.c b/arch/parisc/kernel/ftrace.c +index 63e3ecb9da812..8538425cc43e0 100644 +--- a/arch/parisc/kernel/ftrace.c ++++ b/arch/parisc/kernel/ftrace.c +@@ -81,7 +81,7 @@ void notrace __hot ftrace_function_trampoline(unsigned long parent, + #endif + } + +-#ifdef CONFIG_FUNCTION_GRAPH_TRACER ++#if defined(CONFIG_DYNAMIC_FTRACE) && defined(CONFIG_FUNCTION_GRAPH_TRACER) + int ftrace_enable_ftrace_graph_caller(void) + { + return 0; +-- +2.43.0 + diff --git a/queue-5.10/rdma-mlx5-fix-fortify-source-warning-while-accessing.patch b/queue-5.10/rdma-mlx5-fix-fortify-source-warning-while-accessing.patch new file mode 100644 index 00000000000..6fde8f2008c --- /dev/null +++ b/queue-5.10/rdma-mlx5-fix-fortify-source-warning-while-accessing.patch @@ -0,0 +1,131 @@ +From 05c3160cfd7147df54d4882feb38539a2fc3d92a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 28 Jan 2024 11:29:11 +0200 +Subject: RDMA/mlx5: Fix fortify source warning while accessing Eth segment + +From: Leon Romanovsky + +[ Upstream commit 4d5e86a56615cc387d21c629f9af8fb0e958d350 ] + + ------------[ cut here ]------------ + memcpy: detected field-spanning write (size 56) of single field "eseg->inline_hdr.start" at /var/lib/dkms/mlnx-ofed-kernel/5.8/build/drivers/infiniband/hw/mlx5/wr.c:131 (size 2) + WARNING: CPU: 0 PID: 293779 at /var/lib/dkms/mlnx-ofed-kernel/5.8/build/drivers/infiniband/hw/mlx5/wr.c:131 mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib] + Modules linked in: 8021q garp mrp stp llc rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) ib_umad(OE) mlx5_ib(OE) ib_uverbs(OE) ib_core(OE) mlx5_core(OE) pci_hyperv_intf mlxdevm(OE) mlx_compat(OE) tls mlxfw(OE) psample nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables libcrc32c nfnetlink mst_pciconf(OE) knem(OE) vfio_pci vfio_pci_core vfio_iommu_type1 vfio iommufd irqbypass cuse nfsv3 nfs fscache netfs xfrm_user xfrm_algo ipmi_devintf ipmi_msghandler binfmt_misc crct10dif_pclmul crc32_pclmul polyval_clmulni polyval_generic ghash_clmulni_intel sha512_ssse3 snd_pcsp aesni_intel crypto_simd cryptd snd_pcm snd_timer joydev snd soundcore input_leds serio_raw evbug nfsd auth_rpcgss nfs_acl lockd grace sch_fq_codel sunrpc drm efi_pstore ip_tables x_tables autofs4 psmouse virtio_net net_failover failover floppy + [last unloaded: mlx_compat(OE)] + CPU: 0 PID: 293779 Comm: ssh Tainted: G OE 6.2.0-32-generic #32~22.04.1-Ubuntu + Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 + RIP: 0010:mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib] + Code: 0c 01 00 a8 01 75 25 48 8b 75 a0 b9 02 00 00 00 48 c7 c2 10 5b fd c0 48 c7 c7 80 5b fd c0 c6 05 57 0c 03 00 01 e8 95 4d 93 da <0f> 0b 44 8b 4d b0 4c 8b 45 c8 48 8b 4d c0 e9 49 fb ff ff 41 0f b7 + RSP: 0018:ffffb5b48478b570 EFLAGS: 00010046 + RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000 + RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 + RBP: ffffb5b48478b628 R08: 0000000000000000 R09: 0000000000000000 + R10: 0000000000000000 R11: 0000000000000000 R12: ffffb5b48478b5e8 + R13: ffff963a3c609b5e R14: ffff9639c3fbd800 R15: ffffb5b480475a80 + FS: 00007fc03b444c80(0000) GS:ffff963a3dc00000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000556f46bdf000 CR3: 0000000006ac6003 CR4: 00000000003706f0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + Call Trace: + + ? show_regs+0x72/0x90 + ? mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib] + ? __warn+0x8d/0x160 + ? mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib] + ? report_bug+0x1bb/0x1d0 + ? handle_bug+0x46/0x90 + ? exc_invalid_op+0x19/0x80 + ? asm_exc_invalid_op+0x1b/0x20 + ? mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib] + mlx5_ib_post_send_nodrain+0xb/0x20 [mlx5_ib] + ipoib_send+0x2ec/0x770 [ib_ipoib] + ipoib_start_xmit+0x5a0/0x770 [ib_ipoib] + dev_hard_start_xmit+0x8e/0x1e0 + ? validate_xmit_skb_list+0x4d/0x80 + sch_direct_xmit+0x116/0x3a0 + __dev_xmit_skb+0x1fd/0x580 + __dev_queue_xmit+0x284/0x6b0 + ? _raw_spin_unlock_irq+0xe/0x50 + ? __flush_work.isra.0+0x20d/0x370 + ? push_pseudo_header+0x17/0x40 [ib_ipoib] + neigh_connected_output+0xcd/0x110 + ip_finish_output2+0x179/0x480 + ? __smp_call_single_queue+0x61/0xa0 + __ip_finish_output+0xc3/0x190 + ip_finish_output+0x2e/0xf0 + ip_output+0x78/0x110 + ? __pfx_ip_finish_output+0x10/0x10 + ip_local_out+0x64/0x70 + __ip_queue_xmit+0x18a/0x460 + ip_queue_xmit+0x15/0x30 + __tcp_transmit_skb+0x914/0x9c0 + tcp_write_xmit+0x334/0x8d0 + tcp_push_one+0x3c/0x60 + tcp_sendmsg_locked+0x2e1/0xac0 + tcp_sendmsg+0x2d/0x50 + inet_sendmsg+0x43/0x90 + sock_sendmsg+0x68/0x80 + sock_write_iter+0x93/0x100 + vfs_write+0x326/0x3c0 + ksys_write+0xbd/0xf0 + ? do_syscall_64+0x69/0x90 + __x64_sys_write+0x19/0x30 + do_syscall_64+0x59/0x90 + ? do_user_addr_fault+0x1d0/0x640 + ? exit_to_user_mode_prepare+0x3b/0xd0 + ? irqentry_exit_to_user_mode+0x9/0x20 + ? irqentry_exit+0x43/0x50 + ? exc_page_fault+0x92/0x1b0 + entry_SYSCALL_64_after_hwframe+0x72/0xdc + RIP: 0033:0x7fc03ad14a37 + Code: 10 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24 + RSP: 002b:00007ffdf8697fe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 + RAX: ffffffffffffffda RBX: 0000000000008024 RCX: 00007fc03ad14a37 + RDX: 0000000000008024 RSI: 0000556f46bd8270 RDI: 0000000000000003 + RBP: 0000556f46bb1800 R08: 0000000000007fe3 R09: 0000000000000000 + R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000002 + R13: 0000556f46bc66b0 R14: 000000000000000a R15: 0000556f46bb2f50 + + ---[ end trace 0000000000000000 ]--- + +Link: https://lore.kernel.org/r/8228ad34bd1a25047586270f7b1fb4ddcd046282.1706433934.git.leon@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx5/wr.c | 2 +- + include/linux/mlx5/qp.h | 5 ++++- + 2 files changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/hw/mlx5/wr.c b/drivers/infiniband/hw/mlx5/wr.c +index d6038fb6c50c6..19fd440a6ce38 100644 +--- a/drivers/infiniband/hw/mlx5/wr.c ++++ b/drivers/infiniband/hw/mlx5/wr.c +@@ -128,7 +128,7 @@ static void set_eth_seg(const struct ib_send_wr *wr, struct mlx5_ib_qp *qp, + */ + copysz = min_t(u64, *cur_edge - (void *)eseg->inline_hdr.start, + left); +- memcpy(eseg->inline_hdr.start, pdata, copysz); ++ memcpy(eseg->inline_hdr.data, pdata, copysz); + stride = ALIGN(sizeof(struct mlx5_wqe_eth_seg) - + sizeof(eseg->inline_hdr.start) + copysz, 16); + *size += stride / 16; +diff --git a/include/linux/mlx5/qp.h b/include/linux/mlx5/qp.h +index d75ef8aa8fac0..28d44061d6700 100644 +--- a/include/linux/mlx5/qp.h ++++ b/include/linux/mlx5/qp.h +@@ -261,7 +261,10 @@ struct mlx5_wqe_eth_seg { + union { + struct { + __be16 sz; +- u8 start[2]; ++ union { ++ u8 start[2]; ++ DECLARE_FLEX_ARRAY(u8, data); ++ }; + } inline_hdr; + struct { + __be16 type; +-- +2.43.0 + diff --git a/queue-5.10/rdma-mlx5-relax-devx-access-upon-modify-commands.patch b/queue-5.10/rdma-mlx5-relax-devx-access-upon-modify-commands.patch new file mode 100644 index 00000000000..81429598091 --- /dev/null +++ b/queue-5.10/rdma-mlx5-relax-devx-access-upon-modify-commands.patch @@ -0,0 +1,47 @@ +From 0c8f2253bfc76fa853cef48c693ed3fa961bb249 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 28 Jan 2024 11:29:13 +0200 +Subject: RDMA/mlx5: Relax DEVX access upon modify commands + +From: Yishai Hadas + +[ Upstream commit be551ee1574280ef8afbf7c271212ac3e38933ef ] + +Relax DEVX access upon modify commands to be UVERBS_ACCESS_READ. + +The kernel doesn't need to protect what firmware protects, or what +causes no damage to anyone but the user. + +As firmware needs to protect itself from parallel access to the same +object, don't block parallel modify/query commands on the same object in +the kernel side. + +This change will allow user space application to run parallel updates to +different entries in the same bulk object. + +Tested-by: Tamar Mashiah +Signed-off-by: Yishai Hadas +Reviewed-by: Michael Guralnik +Link: https://lore.kernel.org/r/7407d5ed35dc427c1097699e12b49c01e1073406.1706433934.git.leon@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx5/devx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/mlx5/devx.c b/drivers/infiniband/hw/mlx5/devx.c +index a56ebdc15723c..f67ebd9f3cdd1 100644 +--- a/drivers/infiniband/hw/mlx5/devx.c ++++ b/drivers/infiniband/hw/mlx5/devx.c +@@ -2780,7 +2780,7 @@ DECLARE_UVERBS_NAMED_METHOD( + MLX5_IB_METHOD_DEVX_OBJ_MODIFY, + UVERBS_ATTR_IDR(MLX5_IB_ATTR_DEVX_OBJ_MODIFY_HANDLE, + UVERBS_IDR_ANY_OBJECT, +- UVERBS_ACCESS_WRITE, ++ UVERBS_ACCESS_READ, + UA_MANDATORY), + UVERBS_ATTR_PTR_IN( + MLX5_IB_ATTR_DEVX_OBJ_MODIFY_CMD_IN, +-- +2.43.0 + diff --git a/queue-5.10/scsi-mpt3sas-prevent-sending-diag_reset-when-the-con.patch b/queue-5.10/scsi-mpt3sas-prevent-sending-diag_reset-when-the-con.patch new file mode 100644 index 00000000000..41496273640 --- /dev/null +++ b/queue-5.10/scsi-mpt3sas-prevent-sending-diag_reset-when-the-con.patch @@ -0,0 +1,44 @@ +From a560e0b13936a4564ae5ed290d8e0e2887bee8e4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Feb 2024 12:47:24 +0530 +Subject: scsi: mpt3sas: Prevent sending diag_reset when the controller is + ready + +From: Ranjan Kumar + +[ Upstream commit ee0017c3ed8a8abfa4d40e42f908fb38c31e7515 ] + +If the driver detects that the controller is not ready before sending the +first IOC facts command, it will wait for a maximum of 10 seconds for it to +become ready. However, even if the controller becomes ready within 10 +seconds, the driver will still issue a diagnostic reset. + +Modify the driver to avoid sending a diag reset if the controller becomes +ready within the 10-second wait time. + +Signed-off-by: Ranjan Kumar +Link: https://lore.kernel.org/r/20240221071724.14986-1-ranjan.kumar@broadcom.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/mpt3sas/mpt3sas_base.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/mpt3sas/mpt3sas_base.c b/drivers/scsi/mpt3sas/mpt3sas_base.c +index 814ac25238058..105d781d0cacf 100644 +--- a/drivers/scsi/mpt3sas/mpt3sas_base.c ++++ b/drivers/scsi/mpt3sas/mpt3sas_base.c +@@ -6357,7 +6357,9 @@ _base_wait_for_iocstate(struct MPT3SAS_ADAPTER *ioc, int timeout) + return -EFAULT; + } + +- issue_diag_reset: ++ return 0; ++ ++issue_diag_reset: + rc = _base_diag_reset(ioc); + return rc; + } +-- +2.43.0 + diff --git a/queue-5.10/selftests-tls-use-exact-comparison-in-recv_partial.patch b/queue-5.10/selftests-tls-use-exact-comparison-in-recv_partial.patch new file mode 100644 index 00000000000..323669135bc --- /dev/null +++ b/queue-5.10/selftests-tls-use-exact-comparison-in-recv_partial.patch @@ -0,0 +1,44 @@ +From ff44487512076b18bdd0aabc79842ca43079e77b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Feb 2024 17:18:23 -0800 +Subject: selftests: tls: use exact comparison in recv_partial + +From: Jakub Kicinski + +[ Upstream commit 49d821064c44cb5ffdf272905236012ea9ce50e3 ] + +This exact case was fail for async crypto and we weren't +catching it. + +Signed-off-by: Jakub Kicinski +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/tls.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/tools/testing/selftests/net/tls.c b/tools/testing/selftests/net/tls.c +index 44a25a9f1f722..956ee3c01dd1a 100644 +--- a/tools/testing/selftests/net/tls.c ++++ b/tools/testing/selftests/net/tls.c +@@ -653,12 +653,12 @@ TEST_F(tls, recv_partial) + + memset(recv_mem, 0, sizeof(recv_mem)); + EXPECT_EQ(send(self->fd, test_str, send_len, 0), send_len); +- EXPECT_NE(recv(self->cfd, recv_mem, strlen(test_str_first), +- MSG_WAITALL), -1); ++ EXPECT_EQ(recv(self->cfd, recv_mem, strlen(test_str_first), ++ MSG_WAITALL), strlen(test_str_first)); + EXPECT_EQ(memcmp(test_str_first, recv_mem, strlen(test_str_first)), 0); + memset(recv_mem, 0, sizeof(recv_mem)); +- EXPECT_NE(recv(self->cfd, recv_mem, strlen(test_str_second), +- MSG_WAITALL), -1); ++ EXPECT_EQ(recv(self->cfd, recv_mem, strlen(test_str_second), ++ MSG_WAITALL), strlen(test_str_second)); + EXPECT_EQ(memcmp(test_str_second, recv_mem, strlen(test_str_second)), + 0); + } +-- +2.43.0 + diff --git a/queue-5.10/series b/queue-5.10/series index 8fca5ae2cdd..9738ea56029 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -2,3 +2,26 @@ io_uring-unix-drop-usage-of-io_uring-socket.patch io_uring-drop-any-code-related-to-scm_rights.patch rcu-tasks-provide-rcu_trace_implies_rcu_gp.patch bpf-defer-the-free-of-inner-map-when-necessary.patch +btrfs-add-and-use-helper-to-check-if-block-group-is-.patch +selftests-tls-use-exact-comparison-in-recv_partial.patch +asoc-rt5645-make-lattepanda-board-dmi-match-more-pre.patch +x86-xen-add-some-null-pointer-checking-to-smp.c.patch +mips-clear-cause.bd-in-instruction_pointer_set.patch +hid-multitouch-add-required-quirk-for-synaptics-0xcd.patch +gen_compile_commands-fix-invalid-escape-sequence-war.patch +rdma-mlx5-fix-fortify-source-warning-while-accessing.patch +rdma-mlx5-relax-devx-access-upon-modify-commands.patch +x86-mm-move-is_vsyscall_vaddr-into-asm-vsyscall.h.patch +x86-mm-disallow-vsyscall-page-read-for-copy_from_ker.patch +net-iucv-fix-the-allocation-size-of-iucv_path_table-.patch +parisc-ftrace-add-missing-config_dynamic_ftrace-chec.patch +block-sed-opal-handle-empty-atoms-when-parsing-respo.patch +dm-verity-dm-crypt-align-struct-bvec_iter-correctly.patch +scsi-mpt3sas-prevent-sending-diag_reset-when-the-con.patch +bluetooth-rfcomm-fix-null-ptr-deref-in-rfcomm_check_.patch +firewire-core-use-long-bus-reset-on-gap-count-error.patch +asoc-intel-bytcr_rt5640-add-an-extra-entry-for-the-c.patch +input-gpio_keys_polled-suppress-deferred-probe-error.patch +asoc-wm8962-enable-oscillator-if-selecting-wm8962_fl.patch +asoc-wm8962-enable-both-spkoutr_ena-and-spkoutl_ena-.patch +asoc-wm8962-fix-up-incorrect-error-message-in-wm8962.patch diff --git a/queue-5.10/x86-mm-disallow-vsyscall-page-read-for-copy_from_ker.patch b/queue-5.10/x86-mm-disallow-vsyscall-page-read-for-copy_from_ker.patch new file mode 100644 index 00000000000..0b7aa2682b4 --- /dev/null +++ b/queue-5.10/x86-mm-disallow-vsyscall-page-read-for-copy_from_ker.patch @@ -0,0 +1,100 @@ +From b510d28b1c5a4a4cba5ab9a0123532e2ccba552d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Feb 2024 18:39:34 +0800 +Subject: x86/mm: Disallow vsyscall page read for copy_from_kernel_nofault() + +From: Hou Tao + +[ Upstream commit 32019c659ecfe1d92e3bf9fcdfbb11a7c70acd58 ] + +When trying to use copy_from_kernel_nofault() to read vsyscall page +through a bpf program, the following oops was reported: + + BUG: unable to handle page fault for address: ffffffffff600000 + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page + PGD 3231067 P4D 3231067 PUD 3233067 PMD 3235067 PTE 0 + Oops: 0000 [#1] PREEMPT SMP PTI + CPU: 1 PID: 20390 Comm: test_progs ...... 6.7.0+ #58 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) ...... + RIP: 0010:copy_from_kernel_nofault+0x6f/0x110 + ...... + Call Trace: + + ? copy_from_kernel_nofault+0x6f/0x110 + bpf_probe_read_kernel+0x1d/0x50 + bpf_prog_2061065e56845f08_do_probe_read+0x51/0x8d + trace_call_bpf+0xc5/0x1c0 + perf_call_bpf_enter.isra.0+0x69/0xb0 + perf_syscall_enter+0x13e/0x200 + syscall_trace_enter+0x188/0x1c0 + do_syscall_64+0xb5/0xe0 + entry_SYSCALL_64_after_hwframe+0x6e/0x76 + + ...... + ---[ end trace 0000000000000000 ]--- + +The oops is triggered when: + +1) A bpf program uses bpf_probe_read_kernel() to read from the vsyscall +page and invokes copy_from_kernel_nofault() which in turn calls +__get_user_asm(). + +2) Because the vsyscall page address is not readable from kernel space, +a page fault exception is triggered accordingly. + +3) handle_page_fault() considers the vsyscall page address as a user +space address instead of a kernel space address. This results in the +fix-up setup by bpf not being applied and a page_fault_oops() is invoked +due to SMAP. + +Considering handle_page_fault() has already considered the vsyscall page +address as a userspace address, fix the problem by disallowing vsyscall +page read for copy_from_kernel_nofault(). + +Originally-by: Thomas Gleixner +Reported-by: syzbot+72aa0161922eba61b50e@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/bpf/CAG48ez06TZft=ATH1qh2c5mpS5BT8UakwNkzi6nvK5_djC-4Nw@mail.gmail.com +Reported-by: xingwei lee +Closes: https://lore.kernel.org/bpf/CABOYnLynjBoFZOf3Z4BhaZkc5hx_kHfsjiW+UWLoB=w33LvScw@mail.gmail.com +Signed-off-by: Hou Tao +Reviewed-by: Sohil Mehta +Acked-by: Thomas Gleixner +Link: https://lore.kernel.org/r/20240202103935.3154011-3-houtao@huaweicloud.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + arch/x86/mm/maccess.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/arch/x86/mm/maccess.c b/arch/x86/mm/maccess.c +index 6993f026adec9..42115ac079cfe 100644 +--- a/arch/x86/mm/maccess.c ++++ b/arch/x86/mm/maccess.c +@@ -3,6 +3,8 @@ + #include + #include + ++#include ++ + #ifdef CONFIG_X86_64 + bool copy_from_kernel_nofault_allowed(const void *unsafe_src, size_t size) + { +@@ -15,6 +17,14 @@ bool copy_from_kernel_nofault_allowed(const void *unsafe_src, size_t size) + if (vaddr < TASK_SIZE_MAX + PAGE_SIZE) + return false; + ++ /* ++ * Reading from the vsyscall page may cause an unhandled fault in ++ * certain cases. Though it is at an address above TASK_SIZE_MAX, it is ++ * usually considered as a user space address. ++ */ ++ if (is_vsyscall_vaddr(vaddr)) ++ return false; ++ + /* + * Allow everything during early boot before 'x86_virt_bits' + * is initialized. Needed for instruction decoding in early +-- +2.43.0 + diff --git a/queue-5.10/x86-mm-move-is_vsyscall_vaddr-into-asm-vsyscall.h.patch b/queue-5.10/x86-mm-move-is_vsyscall_vaddr-into-asm-vsyscall.h.patch new file mode 100644 index 00000000000..3e7b31d658e --- /dev/null +++ b/queue-5.10/x86-mm-move-is_vsyscall_vaddr-into-asm-vsyscall.h.patch @@ -0,0 +1,71 @@ +From cae65b30be4c1c986f2970617a5fdca8431414f8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Feb 2024 18:39:33 +0800 +Subject: x86/mm: Move is_vsyscall_vaddr() into asm/vsyscall.h + +From: Hou Tao + +[ Upstream commit ee0e39a63b78849f8abbef268b13e4838569f646 ] + +Move is_vsyscall_vaddr() into asm/vsyscall.h to make it available for +copy_from_kernel_nofault_allowed() in arch/x86/mm/maccess.c. + +Reviewed-by: Sohil Mehta +Signed-off-by: Hou Tao +Link: https://lore.kernel.org/r/20240202103935.3154011-2-houtao@huaweicloud.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + arch/x86/include/asm/vsyscall.h | 10 ++++++++++ + arch/x86/mm/fault.c | 9 --------- + 2 files changed, 10 insertions(+), 9 deletions(-) + +diff --git a/arch/x86/include/asm/vsyscall.h b/arch/x86/include/asm/vsyscall.h +index ab60a71a8dcb9..472f0263dbc61 100644 +--- a/arch/x86/include/asm/vsyscall.h ++++ b/arch/x86/include/asm/vsyscall.h +@@ -4,6 +4,7 @@ + + #include + #include ++#include + + #ifdef CONFIG_X86_VSYSCALL_EMULATION + extern void map_vsyscall(void); +@@ -24,4 +25,13 @@ static inline bool emulate_vsyscall(unsigned long error_code, + } + #endif + ++/* ++ * The (legacy) vsyscall page is the long page in the kernel portion ++ * of the address space that has user-accessible permissions. ++ */ ++static inline bool is_vsyscall_vaddr(unsigned long vaddr) ++{ ++ return unlikely((vaddr & PAGE_MASK) == VSYSCALL_ADDR); ++} ++ + #endif /* _ASM_X86_VSYSCALL_H */ +diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c +index 9c1545c376e9b..cdb337cf92bae 100644 +--- a/arch/x86/mm/fault.c ++++ b/arch/x86/mm/fault.c +@@ -781,15 +781,6 @@ show_signal_msg(struct pt_regs *regs, unsigned long error_code, + show_opcodes(regs, loglvl); + } + +-/* +- * The (legacy) vsyscall page is the long page in the kernel portion +- * of the address space that has user-accessible permissions. +- */ +-static bool is_vsyscall_vaddr(unsigned long vaddr) +-{ +- return unlikely((vaddr & PAGE_MASK) == VSYSCALL_ADDR); +-} +- + static void + __bad_area_nosemaphore(struct pt_regs *regs, unsigned long error_code, + unsigned long address, u32 pkey, int si_code) +-- +2.43.0 + diff --git a/queue-5.10/x86-xen-add-some-null-pointer-checking-to-smp.c.patch b/queue-5.10/x86-xen-add-some-null-pointer-checking-to-smp.c.patch new file mode 100644 index 00000000000..dccc3b9da2f --- /dev/null +++ b/queue-5.10/x86-xen-add-some-null-pointer-checking-to-smp.c.patch @@ -0,0 +1,79 @@ +From 598feb5a12e955d0765af45475dd4463cdcf121a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Jan 2024 17:49:48 +0800 +Subject: x86/xen: Add some null pointer checking to smp.c + +From: Kunwu Chan + +[ Upstream commit 3693bb4465e6e32a204a5b86d3ec7e6b9f7e67c2 ] + +kasprintf() returns a pointer to dynamically allocated memory +which can be NULL upon failure. Ensure the allocation was successful +by checking the pointer validity. + +Signed-off-by: Kunwu Chan +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202401161119.iof6BQsf-lkp@intel.com/ +Suggested-by: Markus Elfring +Reviewed-by: Juergen Gross +Link: https://lore.kernel.org/r/20240119094948.275390-1-chentao@kylinos.cn +Signed-off-by: Juergen Gross +Signed-off-by: Sasha Levin +--- + arch/x86/xen/smp.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/arch/x86/xen/smp.c b/arch/x86/xen/smp.c +index cdec892b28e2e..a641e0d452194 100644 +--- a/arch/x86/xen/smp.c ++++ b/arch/x86/xen/smp.c +@@ -65,6 +65,8 @@ int xen_smp_intr_init(unsigned int cpu) + char *resched_name, *callfunc_name, *debug_name; + + resched_name = kasprintf(GFP_KERNEL, "resched%d", cpu); ++ if (!resched_name) ++ goto fail_mem; + per_cpu(xen_resched_irq, cpu).name = resched_name; + rc = bind_ipi_to_irqhandler(XEN_RESCHEDULE_VECTOR, + cpu, +@@ -77,6 +79,8 @@ int xen_smp_intr_init(unsigned int cpu) + per_cpu(xen_resched_irq, cpu).irq = rc; + + callfunc_name = kasprintf(GFP_KERNEL, "callfunc%d", cpu); ++ if (!callfunc_name) ++ goto fail_mem; + per_cpu(xen_callfunc_irq, cpu).name = callfunc_name; + rc = bind_ipi_to_irqhandler(XEN_CALL_FUNCTION_VECTOR, + cpu, +@@ -90,6 +94,9 @@ int xen_smp_intr_init(unsigned int cpu) + + if (!xen_fifo_events) { + debug_name = kasprintf(GFP_KERNEL, "debug%d", cpu); ++ if (!debug_name) ++ goto fail_mem; ++ + per_cpu(xen_debug_irq, cpu).name = debug_name; + rc = bind_virq_to_irqhandler(VIRQ_DEBUG, cpu, + xen_debug_interrupt, +@@ -101,6 +108,9 @@ int xen_smp_intr_init(unsigned int cpu) + } + + callfunc_name = kasprintf(GFP_KERNEL, "callfuncsingle%d", cpu); ++ if (!callfunc_name) ++ goto fail_mem; ++ + per_cpu(xen_callfuncsingle_irq, cpu).name = callfunc_name; + rc = bind_ipi_to_irqhandler(XEN_CALL_FUNCTION_SINGLE_VECTOR, + cpu, +@@ -114,6 +124,8 @@ int xen_smp_intr_init(unsigned int cpu) + + return 0; + ++ fail_mem: ++ rc = -ENOMEM; + fail: + xen_smp_intr_free(cpu); + return rc; +-- +2.43.0 +