From: Greg Kroah-Hartman Date: Sat, 9 Nov 2024 15:03:31 +0000 (+0100) Subject: 6.1-stable patches X-Git-Tag: v5.15.172~57 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=76826510c978765cbc9d439f7f16a52eec77a78c;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: alsa-hda-realtek-fix-headset-mic-on-tuxedo-gemini-17-gen3.patch alsa-usb-audio-add-quirk-for-hp-320-fhd-webcam.patch dm-cache-correct-the-number-of-origin-blocks-to-match-the-target-length.patch dm-cache-fix-flushing-uninitialized-delayed_work-on-cache_ctr-error.patch dm-cache-fix-out-of-bounds-access-to-the-dirty-bitset-when-resizing.patch dm-cache-fix-potential-out-of-bounds-access-on-the-first-resume.patch dm-cache-optimize-dirty-bit-checking-with-find_next_bit-when-resizing.patch dm-unstriped-cast-an-operand-to-sector_t-to-prevent-potential-uint32_t-overflow.patch drm-amdgpu-add-missing-size-check-in-amdgpu_debugfs_gprwave_read.patch drm-amdgpu-adjust-debugfs-eviction-and-ib-access-permissions.patch drm-amdgpu-prevent-null-pointer-dereference-if-atif-is-not-supported.patch pwm-imx-tpm-use-correct-modulo-value-for-epwm-mode.patch thermal-drivers-qcom-lmh-remove-false-lockdep-backtrace.patch --- diff --git a/queue-6.1/alsa-hda-realtek-fix-headset-mic-on-tuxedo-gemini-17-gen3.patch b/queue-6.1/alsa-hda-realtek-fix-headset-mic-on-tuxedo-gemini-17-gen3.patch new file mode 100644 index 00000000000..e9e63f1f088 --- /dev/null +++ b/queue-6.1/alsa-hda-realtek-fix-headset-mic-on-tuxedo-gemini-17-gen3.patch @@ -0,0 +1,31 @@ +From 0b04fbe886b4274c8e5855011233aaa69fec6e75 Mon Sep 17 00:00:00 2001 +From: Christoffer Sandberg +Date: Tue, 29 Oct 2024 16:16:52 +0100 +Subject: ALSA: hda/realtek: Fix headset mic on TUXEDO Gemini 17 Gen3 + +From: Christoffer Sandberg + +commit 0b04fbe886b4274c8e5855011233aaa69fec6e75 upstream. + +Quirk is needed to enable headset microphone on missing pin 0x19. + +Signed-off-by: Christoffer Sandberg +Signed-off-by: Werner Sembach +Cc: +Link: https://patch.msgid.link/20241029151653.80726-1-wse@tuxedocomputers.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -10015,6 +10015,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x1558, 0x1403, "Clevo N140CU", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0x1404, "Clevo N150CU", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0x14a1, "Clevo L141MU", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), ++ SND_PCI_QUIRK(0x1558, 0x28c1, "Clevo V370VND", ALC2XX_FIXUP_HEADSET_MIC), + SND_PCI_QUIRK(0x1558, 0x4018, "Clevo NV40M[BE]", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0x4019, "Clevo NV40MZ", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0x4020, "Clevo NV40MB", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), diff --git a/queue-6.1/alsa-usb-audio-add-quirk-for-hp-320-fhd-webcam.patch b/queue-6.1/alsa-usb-audio-add-quirk-for-hp-320-fhd-webcam.patch new file mode 100644 index 00000000000..4aa5c5d1965 --- /dev/null +++ b/queue-6.1/alsa-usb-audio-add-quirk-for-hp-320-fhd-webcam.patch @@ -0,0 +1,45 @@ +From dabc44c28f118910dea96244d903f0c270225669 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 5 Nov 2024 13:02:17 +0100 +Subject: ALSA: usb-audio: Add quirk for HP 320 FHD Webcam + +From: Takashi Iwai + +commit dabc44c28f118910dea96244d903f0c270225669 upstream. + +HP 320 FHD Webcam (03f0:654a) seems to have flaky firmware like other +webcam devices that don't like the frequency inquiries. Also, Mic +Capture Volume has an invalid resolution, hence fix it to be 16 (as a +blind shot). + +Link: https://bugzilla.suse.com/show_bug.cgi?id=1232768 +Cc: +Link: https://patch.msgid.link/20241105120220.5740-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/mixer.c | 1 + + sound/usb/quirks.c | 2 ++ + 2 files changed, 3 insertions(+) + +--- a/sound/usb/mixer.c ++++ b/sound/usb/mixer.c +@@ -1205,6 +1205,7 @@ static void volume_control_quirks(struct + } + break; + case USB_ID(0x1bcf, 0x2283): /* NexiGo N930AF FHD Webcam */ ++ case USB_ID(0x03f0, 0x654a): /* HP 320 FHD Webcam */ + if (!strcmp(kctl->id.name, "Mic Capture Volume")) { + usb_audio_info(chip, + "set resolution quirk: cval->res = 16\n"); +--- a/sound/usb/quirks.c ++++ b/sound/usb/quirks.c +@@ -2014,6 +2014,8 @@ struct usb_audio_quirk_flags_table { + + static const struct usb_audio_quirk_flags_table quirk_flags_table[] = { + /* Device matches */ ++ DEVICE_FLG(0x03f0, 0x654a, /* HP 320 FHD Webcam */ ++ QUIRK_FLAG_GET_SAMPLE_RATE), + DEVICE_FLG(0x041e, 0x3000, /* Creative SB Extigy */ + QUIRK_FLAG_IGNORE_CTL_ERROR), + DEVICE_FLG(0x041e, 0x4080, /* Creative Live Cam VF0610 */ diff --git a/queue-6.1/dm-cache-correct-the-number-of-origin-blocks-to-match-the-target-length.patch b/queue-6.1/dm-cache-correct-the-number-of-origin-blocks-to-match-the-target-length.patch new file mode 100644 index 00000000000..c09f66516d2 --- /dev/null +++ b/queue-6.1/dm-cache-correct-the-number-of-origin-blocks-to-match-the-target-length.patch @@ -0,0 +1,100 @@ +From 235d2e739fcbe964c9ce179b4c991025662dcdb6 Mon Sep 17 00:00:00 2001 +From: Ming-Hung Tsai +Date: Tue, 22 Oct 2024 15:12:22 +0800 +Subject: dm cache: correct the number of origin blocks to match the target length + +From: Ming-Hung Tsai + +commit 235d2e739fcbe964c9ce179b4c991025662dcdb6 upstream. + +When creating a cache device, the actual size of the cache origin might +be greater than the specified cache target length. In such case, the +number of origin blocks should match the cache target length, not the +full size of the origin device, since access beyond the cache target is +not possible. This issue occurs when reducing the origin device size +using lvm, as lvreduce preloads the new cache table before resuming the +cache origin, which can result in incorrect sizes for the discard bitset +and smq hotspot blocks. + +Reproduce steps: + +1. create a cache device consists of 4096 origin blocks + +dmsetup create cmeta --table "0 8192 linear /dev/sdc 0" +dmsetup create cdata --table "0 65536 linear /dev/sdc 8192" +dmsetup create corig --table "0 524288 linear /dev/sdc 262144" +dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct +dmsetup create cache --table "0 524288 cache /dev/mapper/cmeta \ +/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0" + +2. reduce the cache origin to 2048 oblocks, in lvreduce's approach + +dmsetup reload corig --table "0 262144 linear /dev/sdc 262144" +dmsetup reload cache --table "0 262144 cache /dev/mapper/cmeta \ +/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0" +dmsetup suspend cache +dmsetup suspend corig +dmsetup suspend cdata +dmsetup suspend cmeta +dmsetup resume corig +dmsetup resume cdata +dmsetup resume cmeta +dmsetup resume cache + +3. shutdown the cache, and check the number of discard blocks in + superblock. The value is expected to be 2048, but actually is 4096. + +dmsetup remove cache corig cdata cmeta +dd if=/dev/sdc bs=1c count=8 skip=224 2>/dev/null | hexdump -e '1/8 "%u\n"' + +Fix by correcting the origin_blocks initialization in cache_create and +removing the unused origin_sectors from struct cache_args accordingly. + +Signed-off-by: Ming-Hung Tsai +Fixes: c6b4fcbad044 ("dm: add cache target") +Cc: stable@vger.kernel.org +Signed-off-by: Mikulas Patocka +Acked-by: Joe Thornber +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-cache-target.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/md/dm-cache-target.c ++++ b/drivers/md/dm-cache-target.c +@@ -1980,7 +1980,6 @@ struct cache_args { + sector_t cache_sectors; + + struct dm_dev *origin_dev; +- sector_t origin_sectors; + + uint32_t block_size; + +@@ -2061,6 +2060,7 @@ static int parse_cache_dev(struct cache_ + static int parse_origin_dev(struct cache_args *ca, struct dm_arg_set *as, + char **error) + { ++ sector_t origin_sectors; + int r; + + if (!at_least_one_arg(as, error)) +@@ -2073,8 +2073,8 @@ static int parse_origin_dev(struct cache + return r; + } + +- ca->origin_sectors = get_dev_size(ca->origin_dev); +- if (ca->ti->len > ca->origin_sectors) { ++ origin_sectors = get_dev_size(ca->origin_dev); ++ if (ca->ti->len > origin_sectors) { + *error = "Device size larger than cached device"; + return -EINVAL; + } +@@ -2384,7 +2384,7 @@ static int cache_create(struct cache_arg + + ca->metadata_dev = ca->origin_dev = ca->cache_dev = NULL; + +- origin_blocks = cache->origin_sectors = ca->origin_sectors; ++ origin_blocks = cache->origin_sectors = ti->len; + origin_blocks = block_div(origin_blocks, ca->block_size); + cache->origin_blocks = to_oblock(origin_blocks); + diff --git a/queue-6.1/dm-cache-fix-flushing-uninitialized-delayed_work-on-cache_ctr-error.patch b/queue-6.1/dm-cache-fix-flushing-uninitialized-delayed_work-on-cache_ctr-error.patch new file mode 100644 index 00000000000..5bb25f3260f --- /dev/null +++ b/queue-6.1/dm-cache-fix-flushing-uninitialized-delayed_work-on-cache_ctr-error.patch @@ -0,0 +1,107 @@ +From 135496c208ba26fd68cdef10b64ed7a91ac9a7ff Mon Sep 17 00:00:00 2001 +From: Ming-Hung Tsai +Date: Tue, 22 Oct 2024 15:12:49 +0800 +Subject: dm cache: fix flushing uninitialized delayed_work on cache_ctr error + +From: Ming-Hung Tsai + +commit 135496c208ba26fd68cdef10b64ed7a91ac9a7ff upstream. + +An unexpected WARN_ON from flush_work() may occur when cache creation +fails, caused by destroying the uninitialized delayed_work waker in the +error path of cache_create(). For example, the warning appears on the +superblock checksum error. + +Reproduce steps: + +dmsetup create cmeta --table "0 8192 linear /dev/sdc 0" +dmsetup create cdata --table "0 65536 linear /dev/sdc 8192" +dmsetup create corig --table "0 524288 linear /dev/sdc 262144" +dd if=/dev/urandom of=/dev/mapper/cmeta bs=4k count=1 oflag=direct +dmsetup create cache --table "0 524288 cache /dev/mapper/cmeta \ +/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0" + +Kernel logs: + +(snip) +WARNING: CPU: 0 PID: 84 at kernel/workqueue.c:4178 __flush_work+0x5d4/0x890 + +Fix by pulling out the cancel_delayed_work_sync() from the constructor's +error path. This patch doesn't affect the use-after-free fix for +concurrent dm_resume and dm_destroy (commit 6a459d8edbdb ("dm cache: Fix +UAF in destroy()")) as cache_dtr is not changed. + +Signed-off-by: Ming-Hung Tsai +Fixes: 6a459d8edbdb ("dm cache: Fix UAF in destroy()") +Cc: stable@vger.kernel.org +Signed-off-by: Mikulas Patocka +Acked-by: Joe Thornber +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-cache-target.c | 24 +++++++++++++++--------- + 1 file changed, 15 insertions(+), 9 deletions(-) + +--- a/drivers/md/dm-cache-target.c ++++ b/drivers/md/dm-cache-target.c +@@ -1882,16 +1882,13 @@ static void check_migrations(struct work + * This function gets called on the error paths of the constructor, so we + * have to cope with a partially initialised struct. + */ +-static void destroy(struct cache *cache) ++static void __destroy(struct cache *cache) + { +- unsigned int i; +- + mempool_exit(&cache->migration_pool); + + if (cache->prison) + dm_bio_prison_destroy_v2(cache->prison); + +- cancel_delayed_work_sync(&cache->waker); + if (cache->wq) + destroy_workqueue(cache->wq); + +@@ -1919,13 +1916,22 @@ static void destroy(struct cache *cache) + if (cache->policy) + dm_cache_policy_destroy(cache->policy); + ++ bioset_exit(&cache->bs); ++ ++ kfree(cache); ++} ++ ++static void destroy(struct cache *cache) ++{ ++ unsigned int i; ++ ++ cancel_delayed_work_sync(&cache->waker); ++ + for (i = 0; i < cache->nr_ctr_args ; i++) + kfree(cache->ctr_args[i]); + kfree(cache->ctr_args); + +- bioset_exit(&cache->bs); +- +- kfree(cache); ++ __destroy(cache); + } + + static void cache_dtr(struct dm_target *ti) +@@ -2538,7 +2544,7 @@ static int cache_create(struct cache_arg + *result = cache; + return 0; + bad: +- destroy(cache); ++ __destroy(cache); + return r; + } + +@@ -2589,7 +2595,7 @@ static int cache_ctr(struct dm_target *t + + r = copy_ctr_args(cache, argc - 3, (const char **)argv + 3); + if (r) { +- destroy(cache); ++ __destroy(cache); + goto out; + } + diff --git a/queue-6.1/dm-cache-fix-out-of-bounds-access-to-the-dirty-bitset-when-resizing.patch b/queue-6.1/dm-cache-fix-out-of-bounds-access-to-the-dirty-bitset-when-resizing.patch new file mode 100644 index 00000000000..fdf2df91bc4 --- /dev/null +++ b/queue-6.1/dm-cache-fix-out-of-bounds-access-to-the-dirty-bitset-when-resizing.patch @@ -0,0 +1,80 @@ +From 792227719725497ce10a8039803bec13f89f8910 Mon Sep 17 00:00:00 2001 +From: Ming-Hung Tsai +Date: Tue, 22 Oct 2024 15:13:16 +0800 +Subject: dm cache: fix out-of-bounds access to the dirty bitset when resizing + +From: Ming-Hung Tsai + +commit 792227719725497ce10a8039803bec13f89f8910 upstream. + +dm-cache checks the dirty bits of the cache blocks to be dropped when +shrinking the fast device, but an index bug in bitset iteration causes +out-of-bounds access. + +Reproduce steps: + +1. create a cache device of 1024 cache blocks (128 bytes dirty bitset) + +dmsetup create cmeta --table "0 8192 linear /dev/sdc 0" +dmsetup create cdata --table "0 131072 linear /dev/sdc 8192" +dmsetup create corig --table "0 524288 linear /dev/sdc 262144" +dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct +dmsetup create cache --table "0 524288 cache /dev/mapper/cmeta \ +/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0" + +2. shrink the fast device to 512 cache blocks, triggering out-of-bounds + access to the dirty bitset (offset 0x80) + +dmsetup suspend cache +dmsetup reload cdata --table "0 65536 linear /dev/sdc 8192" +dmsetup resume cdata +dmsetup resume cache + +KASAN reports: + + BUG: KASAN: vmalloc-out-of-bounds in cache_preresume+0x269/0x7b0 + Read of size 8 at addr ffffc900000f3080 by task dmsetup/131 + + (...snip...) + The buggy address belongs to the virtual mapping at + [ffffc900000f3000, ffffc900000f5000) created by: + cache_ctr+0x176a/0x35f0 + + (...snip...) + Memory state around the buggy address: + ffffc900000f2f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 + ffffc900000f3000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + >ffffc900000f3080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 + ^ + ffffc900000f3100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 + ffffc900000f3180: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 + +Fix by making the index post-incremented. + +Signed-off-by: Ming-Hung Tsai +Fixes: f494a9c6b1b6 ("dm cache: cache shrinking support") +Cc: stable@vger.kernel.org +Signed-off-by: Mikulas Patocka +Acked-by: Joe Thornber +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-cache-target.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/md/dm-cache-target.c ++++ b/drivers/md/dm-cache-target.c +@@ -2889,13 +2889,13 @@ static bool can_resize(struct cache *cac + * We can't drop a dirty block when shrinking the cache. + */ + while (from_cblock(new_size) < from_cblock(cache->cache_size)) { +- new_size = to_cblock(from_cblock(new_size) + 1); + if (is_dirty(cache, new_size)) { + DMERR("%s: unable to shrink cache; cache block %llu is dirty", + cache_device_name(cache), + (unsigned long long) from_cblock(new_size)); + return false; + } ++ new_size = to_cblock(from_cblock(new_size) + 1); + } + + return true; diff --git a/queue-6.1/dm-cache-fix-potential-out-of-bounds-access-on-the-first-resume.patch b/queue-6.1/dm-cache-fix-potential-out-of-bounds-access-on-the-first-resume.patch new file mode 100644 index 00000000000..d14a61c4a9d --- /dev/null +++ b/queue-6.1/dm-cache-fix-potential-out-of-bounds-access-on-the-first-resume.patch @@ -0,0 +1,137 @@ +From c0ade5d98979585d4f5a93e4514c2e9a65afa08d Mon Sep 17 00:00:00 2001 +From: Ming-Hung Tsai +Date: Tue, 22 Oct 2024 15:13:54 +0800 +Subject: dm cache: fix potential out-of-bounds access on the first resume + +From: Ming-Hung Tsai + +commit c0ade5d98979585d4f5a93e4514c2e9a65afa08d upstream. + +Out-of-bounds access occurs if the fast device is expanded unexpectedly +before the first-time resume of the cache table. This happens because +expanding the fast device requires reloading the cache table for +cache_create to allocate new in-core data structures that fit the new +size, and the check in cache_preresume is not performed during the +first resume, leading to the issue. + +Reproduce steps: + +1. prepare component devices: + +dmsetup create cmeta --table "0 8192 linear /dev/sdc 0" +dmsetup create cdata --table "0 65536 linear /dev/sdc 8192" +dmsetup create corig --table "0 524288 linear /dev/sdc 262144" +dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct + +2. load a cache table of 512 cache blocks, and deliberately expand the + fast device before resuming the cache, making the in-core data + structures inadequate. + +dmsetup create cache --notable +dmsetup reload cache --table "0 524288 cache /dev/mapper/cmeta \ +/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0" +dmsetup reload cdata --table "0 131072 linear /dev/sdc 8192" +dmsetup resume cdata +dmsetup resume cache + +3. suspend the cache to write out the in-core dirty bitset and hint + array, leading to out-of-bounds access to the dirty bitset at offset + 0x40: + +dmsetup suspend cache + +KASAN reports: + + BUG: KASAN: vmalloc-out-of-bounds in is_dirty_callback+0x2b/0x80 + Read of size 8 at addr ffffc90000085040 by task dmsetup/90 + + (...snip...) + The buggy address belongs to the virtual mapping at + [ffffc90000085000, ffffc90000087000) created by: + cache_ctr+0x176a/0x35f0 + + (...snip...) + Memory state around the buggy address: + ffffc90000084f00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 + ffffc90000084f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 + >ffffc90000085000: 00 00 00 00 00 00 00 00 f8 f8 f8 f8 f8 f8 f8 f8 + ^ + ffffc90000085080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 + ffffc90000085100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 + +Fix by checking the size change on the first resume. + +Signed-off-by: Ming-Hung Tsai +Fixes: f494a9c6b1b6 ("dm cache: cache shrinking support") +Cc: stable@vger.kernel.org +Signed-off-by: Mikulas Patocka +Acked-by: Joe Thornber +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-cache-target.c | 37 ++++++++++++++++--------------------- + 1 file changed, 16 insertions(+), 21 deletions(-) + +--- a/drivers/md/dm-cache-target.c ++++ b/drivers/md/dm-cache-target.c +@@ -2878,24 +2878,24 @@ static dm_cblock_t get_cache_dev_size(st + static bool can_resize(struct cache *cache, dm_cblock_t new_size) + { + if (from_cblock(new_size) > from_cblock(cache->cache_size)) { +- if (cache->sized) { +- DMERR("%s: unable to extend cache due to missing cache table reload", +- cache_device_name(cache)); +- return false; +- } ++ DMERR("%s: unable to extend cache due to missing cache table reload", ++ cache_device_name(cache)); ++ return false; + } + + /* + * We can't drop a dirty block when shrinking the cache. + */ +- new_size = to_cblock(find_next_bit(cache->dirty_bitset, +- from_cblock(cache->cache_size), +- from_cblock(new_size))); +- if (new_size != cache->cache_size) { +- DMERR("%s: unable to shrink cache; cache block %llu is dirty", +- cache_device_name(cache), +- (unsigned long long) from_cblock(new_size)); +- return false; ++ if (cache->loaded_mappings) { ++ new_size = to_cblock(find_next_bit(cache->dirty_bitset, ++ from_cblock(cache->cache_size), ++ from_cblock(new_size))); ++ if (new_size != cache->cache_size) { ++ DMERR("%s: unable to shrink cache; cache block %llu is dirty", ++ cache_device_name(cache), ++ (unsigned long long) from_cblock(new_size)); ++ return false; ++ } + } + + return true; +@@ -2926,20 +2926,15 @@ static int cache_preresume(struct dm_tar + /* + * Check to see if the cache has resized. + */ +- if (!cache->sized) { +- r = resize_cache_dev(cache, csize); +- if (r) +- return r; +- +- cache->sized = true; +- +- } else if (csize != cache->cache_size) { ++ if (!cache->sized || csize != cache->cache_size) { + if (!can_resize(cache, csize)) + return -EINVAL; + + r = resize_cache_dev(cache, csize); + if (r) + return r; ++ ++ cache->sized = true; + } + + if (!cache->loaded_mappings) { diff --git a/queue-6.1/dm-cache-optimize-dirty-bit-checking-with-find_next_bit-when-resizing.patch b/queue-6.1/dm-cache-optimize-dirty-bit-checking-with-find_next_bit-when-resizing.patch new file mode 100644 index 00000000000..3b41af9c4e0 --- /dev/null +++ b/queue-6.1/dm-cache-optimize-dirty-bit-checking-with-find_next_bit-when-resizing.patch @@ -0,0 +1,49 @@ +From f484697e619a83ecc370443a34746379ad99d204 Mon Sep 17 00:00:00 2001 +From: Ming-Hung Tsai +Date: Tue, 22 Oct 2024 15:13:39 +0800 +Subject: dm cache: optimize dirty bit checking with find_next_bit when resizing + +From: Ming-Hung Tsai + +commit f484697e619a83ecc370443a34746379ad99d204 upstream. + +When shrinking the fast device, dm-cache iteratively searches for a +dirty bit among the cache blocks to be dropped, which is less efficient. +Use find_next_bit instead, as it is twice as fast as the iterative +approach with test_bit. + +Signed-off-by: Ming-Hung Tsai +Fixes: f494a9c6b1b6 ("dm cache: cache shrinking support") +Cc: stable@vger.kernel.org +Signed-off-by: Mikulas Patocka +Acked-by: Joe Thornber +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-cache-target.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +--- a/drivers/md/dm-cache-target.c ++++ b/drivers/md/dm-cache-target.c +@@ -2888,14 +2888,14 @@ static bool can_resize(struct cache *cac + /* + * We can't drop a dirty block when shrinking the cache. + */ +- while (from_cblock(new_size) < from_cblock(cache->cache_size)) { +- if (is_dirty(cache, new_size)) { +- DMERR("%s: unable to shrink cache; cache block %llu is dirty", +- cache_device_name(cache), +- (unsigned long long) from_cblock(new_size)); +- return false; +- } +- new_size = to_cblock(from_cblock(new_size) + 1); ++ new_size = to_cblock(find_next_bit(cache->dirty_bitset, ++ from_cblock(cache->cache_size), ++ from_cblock(new_size))); ++ if (new_size != cache->cache_size) { ++ DMERR("%s: unable to shrink cache; cache block %llu is dirty", ++ cache_device_name(cache), ++ (unsigned long long) from_cblock(new_size)); ++ return false; + } + + return true; diff --git a/queue-6.1/dm-unstriped-cast-an-operand-to-sector_t-to-prevent-potential-uint32_t-overflow.patch b/queue-6.1/dm-unstriped-cast-an-operand-to-sector_t-to-prevent-potential-uint32_t-overflow.patch new file mode 100644 index 00000000000..2efc594ce07 --- /dev/null +++ b/queue-6.1/dm-unstriped-cast-an-operand-to-sector_t-to-prevent-potential-uint32_t-overflow.patch @@ -0,0 +1,41 @@ +From 5a4510c762fc04c74cff264cd4d9e9f5bf364bae Mon Sep 17 00:00:00 2001 +From: Zichen Xie +Date: Mon, 21 Oct 2024 14:54:45 -0500 +Subject: dm-unstriped: cast an operand to sector_t to prevent potential uint32_t overflow + +From: Zichen Xie + +commit 5a4510c762fc04c74cff264cd4d9e9f5bf364bae upstream. + +This was found by a static analyzer. +There may be a potential integer overflow issue in +unstripe_ctr(). uc->unstripe_offset and uc->unstripe_width are +defined as "sector_t"(uint64_t), while uc->unstripe, +uc->chunk_size and uc->stripes are all defined as "uint32_t". +The result of the calculation will be limited to "uint32_t" +without correct casting. +So, we recommend adding an extra cast to prevent potential +integer overflow. + +Fixes: 18a5bf270532 ("dm: add unstriped target") +Signed-off-by: Zichen Xie +Signed-off-by: Mikulas Patocka +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-unstripe.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/md/dm-unstripe.c ++++ b/drivers/md/dm-unstripe.c +@@ -84,8 +84,8 @@ static int unstripe_ctr(struct dm_target + } + uc->physical_start = start; + +- uc->unstripe_offset = uc->unstripe * uc->chunk_size; +- uc->unstripe_width = (uc->stripes - 1) * uc->chunk_size; ++ uc->unstripe_offset = (sector_t)uc->unstripe * uc->chunk_size; ++ uc->unstripe_width = (sector_t)(uc->stripes - 1) * uc->chunk_size; + uc->chunk_shift = is_power_of_2(uc->chunk_size) ? fls(uc->chunk_size) - 1 : 0; + + tmp_len = ti->len; diff --git a/queue-6.1/drm-amdgpu-add-missing-size-check-in-amdgpu_debugfs_gprwave_read.patch b/queue-6.1/drm-amdgpu-add-missing-size-check-in-amdgpu_debugfs_gprwave_read.patch new file mode 100644 index 00000000000..32d1061e427 --- /dev/null +++ b/queue-6.1/drm-amdgpu-add-missing-size-check-in-amdgpu_debugfs_gprwave_read.patch @@ -0,0 +1,31 @@ +From 4d75b9468021c73108b4439794d69e892b1d24e3 Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Wed, 23 Oct 2024 16:52:08 -0400 +Subject: drm/amdgpu: add missing size check in amdgpu_debugfs_gprwave_read() + +From: Alex Deucher + +commit 4d75b9468021c73108b4439794d69e892b1d24e3 upstream. + +Avoid a possible buffer overflow if size is larger than 4K. + +Reviewed-by: Yang Wang +Signed-off-by: Alex Deucher +(cherry picked from commit f5d873f5825b40d886d03bd2aede91d4cf002434) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c +@@ -419,7 +419,7 @@ static ssize_t amdgpu_debugfs_regs_pcie_ + ssize_t result = 0; + int r; + +- if (size & 0x3 || *pos & 0x3) ++ if (size > 4096 || size & 0x3 || *pos & 0x3) + return -EINVAL; + + r = pm_runtime_get_sync(adev_to_drm(adev)->dev); diff --git a/queue-6.1/drm-amdgpu-adjust-debugfs-eviction-and-ib-access-permissions.patch b/queue-6.1/drm-amdgpu-adjust-debugfs-eviction-and-ib-access-permissions.patch new file mode 100644 index 00000000000..0db8e292bcb --- /dev/null +++ b/queue-6.1/drm-amdgpu-adjust-debugfs-eviction-and-ib-access-permissions.patch @@ -0,0 +1,37 @@ +From f790a2c494c4ef587eeeb9fca20124de76a1646f Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Wed, 23 Oct 2024 16:39:36 -0400 +Subject: drm/amdgpu: Adjust debugfs eviction and IB access permissions + +From: Alex Deucher + +commit f790a2c494c4ef587eeeb9fca20124de76a1646f upstream. + +Users should not be able to run these. + +Reviewed-by: Yang Wang +Signed-off-by: Alex Deucher +(cherry picked from commit 7ba9395430f611cfc101b1c2687732baafa239d5) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c +@@ -2009,11 +2009,11 @@ int amdgpu_debugfs_init(struct amdgpu_de + amdgpu_securedisplay_debugfs_init(adev); + amdgpu_fw_attestation_debugfs_init(adev); + +- debugfs_create_file("amdgpu_evict_vram", 0444, root, adev, ++ debugfs_create_file("amdgpu_evict_vram", 0400, root, adev, + &amdgpu_evict_vram_fops); +- debugfs_create_file("amdgpu_evict_gtt", 0444, root, adev, ++ debugfs_create_file("amdgpu_evict_gtt", 0400, root, adev, + &amdgpu_evict_gtt_fops); +- debugfs_create_file("amdgpu_test_ib", 0444, root, adev, ++ debugfs_create_file("amdgpu_test_ib", 0400, root, adev, + &amdgpu_debugfs_test_ib_fops); + debugfs_create_file("amdgpu_vm_info", 0444, root, adev, + &amdgpu_debugfs_vm_info_fops); diff --git a/queue-6.1/drm-amdgpu-prevent-null-pointer-dereference-if-atif-is-not-supported.patch b/queue-6.1/drm-amdgpu-prevent-null-pointer-dereference-if-atif-is-not-supported.patch new file mode 100644 index 00000000000..9b1b08d417b --- /dev/null +++ b/queue-6.1/drm-amdgpu-prevent-null-pointer-dereference-if-atif-is-not-supported.patch @@ -0,0 +1,46 @@ +From a6dd15981c03f2cdc9a351a278f09b5479d53d2e Mon Sep 17 00:00:00 2001 +From: Antonio Quartulli +Date: Thu, 31 Oct 2024 16:28:48 +0100 +Subject: drm/amdgpu: prevent NULL pointer dereference if ATIF is not supported + +From: Antonio Quartulli + +commit a6dd15981c03f2cdc9a351a278f09b5479d53d2e upstream. + +acpi_evaluate_object() may return AE_NOT_FOUND (failure), which +would result in dereferencing buffer.pointer (obj) while being NULL. + +Although this case may be unrealistic for the current code, it is +still better to protect against possible bugs. + +Bail out also when status is AE_NOT_FOUND. + +This fixes 1 FORWARD_NULL issue reported by Coverity +Report: CID 1600951: Null pointer dereferences (FORWARD_NULL) + +Signed-off-by: Antonio Quartulli +Fixes: c9b7c809b89f ("drm/amd: Guard against bad data for ATIF ACPI method") +Reviewed-by: Mario Limonciello +Link: https://lore.kernel.org/r/20241031152848.4716-1-antonio@mandelbit.com +Signed-off-by: Mario Limonciello +Signed-off-by: Alex Deucher +(cherry picked from commit 91c9e221fe2553edf2db71627d8453f083de87a1) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c +@@ -132,8 +132,8 @@ static union acpi_object *amdgpu_atif_ca + &buffer); + obj = (union acpi_object *)buffer.pointer; + +- /* Fail if calling the method fails and ATIF is supported */ +- if (ACPI_FAILURE(status) && status != AE_NOT_FOUND) { ++ /* Fail if calling the method fails */ ++ if (ACPI_FAILURE(status)) { + DRM_DEBUG_DRIVER("failed to evaluate ATIF got %s\n", + acpi_format_exception(status)); + kfree(obj); diff --git a/queue-6.1/pwm-imx-tpm-use-correct-modulo-value-for-epwm-mode.patch b/queue-6.1/pwm-imx-tpm-use-correct-modulo-value-for-epwm-mode.patch new file mode 100644 index 00000000000..92822d58946 --- /dev/null +++ b/queue-6.1/pwm-imx-tpm-use-correct-modulo-value-for-epwm-mode.patch @@ -0,0 +1,44 @@ +From cc6a931d1f3b412263d515fd93b21fc0ca5147fe Mon Sep 17 00:00:00 2001 +From: Erik Schumacher +Date: Fri, 25 Oct 2024 08:37:00 +0000 +Subject: pwm: imx-tpm: Use correct MODULO value for EPWM mode +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Erik Schumacher + +commit cc6a931d1f3b412263d515fd93b21fc0ca5147fe upstream. + +The modulo register defines the period of the edge-aligned PWM mode +(which is the only mode implemented). The reference manual states: +"The EPWM period is determined by (MOD + 0001h) ..." So the value that +is written to the MOD register must therefore be one less than the +calculated period length. Return -EINVAL if the calculated length is +already zero. +A correct MODULO value is particularly relevant if the PWM has to output +a high frequency due to a low period value. + +Fixes: 738a1cfec2ed ("pwm: Add i.MX TPM PWM driver support") +Cc: stable@vger.kernel.org +Signed-off-by: Erik Schumacher +Link: https://lore.kernel.org/r/1a3890966d68b9f800d457cbf095746627495e18.camel@iris-sensing.com +Signed-off-by: Uwe Kleine-König +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pwm/pwm-imx-tpm.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/pwm/pwm-imx-tpm.c ++++ b/drivers/pwm/pwm-imx-tpm.c +@@ -106,7 +106,9 @@ static int pwm_imx_tpm_round_state(struc + p->prescale = prescale; + + period_count = (clock_unit + ((1 << prescale) >> 1)) >> prescale; +- p->mod = period_count; ++ if (period_count == 0) ++ return -EINVAL; ++ p->mod = period_count - 1; + + /* calculate real period HW can support */ + tmp = (u64)period_count << prescale; diff --git a/queue-6.1/series b/queue-6.1/series index b46bdf556fa..320d65573db 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -52,3 +52,16 @@ can-mcp251xfd-mcp251xfd_ring_alloc-fix-coalescing-configuration-when-switching-c ksmbd-fix-slab-use-after-free-in-ksmbd_smb2_session_create.patch ksmbd-fix-the-missing-xa_store-error-check.patch ksmbd-fix-slab-use-after-free-in-smb3_preauth_hash_rsp.patch +pwm-imx-tpm-use-correct-modulo-value-for-epwm-mode.patch +drm-amdgpu-adjust-debugfs-eviction-and-ib-access-permissions.patch +drm-amdgpu-add-missing-size-check-in-amdgpu_debugfs_gprwave_read.patch +drm-amdgpu-prevent-null-pointer-dereference-if-atif-is-not-supported.patch +thermal-drivers-qcom-lmh-remove-false-lockdep-backtrace.patch +dm-cache-correct-the-number-of-origin-blocks-to-match-the-target-length.patch +dm-cache-fix-flushing-uninitialized-delayed_work-on-cache_ctr-error.patch +dm-cache-fix-out-of-bounds-access-to-the-dirty-bitset-when-resizing.patch +dm-cache-optimize-dirty-bit-checking-with-find_next_bit-when-resizing.patch +dm-cache-fix-potential-out-of-bounds-access-on-the-first-resume.patch +dm-unstriped-cast-an-operand-to-sector_t-to-prevent-potential-uint32_t-overflow.patch +alsa-usb-audio-add-quirk-for-hp-320-fhd-webcam.patch +alsa-hda-realtek-fix-headset-mic-on-tuxedo-gemini-17-gen3.patch diff --git a/queue-6.1/thermal-drivers-qcom-lmh-remove-false-lockdep-backtrace.patch b/queue-6.1/thermal-drivers-qcom-lmh-remove-false-lockdep-backtrace.patch new file mode 100644 index 00000000000..4af5abdb635 --- /dev/null +++ b/queue-6.1/thermal-drivers-qcom-lmh-remove-false-lockdep-backtrace.patch @@ -0,0 +1,86 @@ +From f16beaaee248eaa37ad40b5905924fcf70ae02e3 Mon Sep 17 00:00:00 2001 +From: Dmitry Baryshkov +Date: Fri, 11 Oct 2024 08:48:39 +0300 +Subject: thermal/drivers/qcom/lmh: Remove false lockdep backtrace + +From: Dmitry Baryshkov + +commit f16beaaee248eaa37ad40b5905924fcf70ae02e3 upstream. + +Annotate LMH IRQs with lockdep classes so that the lockdep doesn't +report possible recursive locking issue between LMH and GIC interrupts. + +For the reference: + + CPU0 + ---- + lock(&irq_desc_lock_class); + lock(&irq_desc_lock_class); + + *** DEADLOCK *** + +Call trace: + dump_backtrace+0x98/0xf0 + show_stack+0x18/0x24 + dump_stack_lvl+0x90/0xd0 + dump_stack+0x18/0x24 + print_deadlock_bug+0x258/0x348 + __lock_acquire+0x1078/0x1f44 + lock_acquire+0x1fc/0x32c + _raw_spin_lock_irqsave+0x60/0x88 + __irq_get_desc_lock+0x58/0x98 + enable_irq+0x38/0xa0 + lmh_enable_interrupt+0x2c/0x38 + irq_enable+0x40/0x8c + __irq_startup+0x78/0xa4 + irq_startup+0x78/0x168 + __enable_irq+0x70/0x7c + enable_irq+0x4c/0xa0 + qcom_cpufreq_ready+0x20/0x2c + cpufreq_online+0x2a8/0x988 + cpufreq_add_dev+0x80/0x98 + subsys_interface_register+0x104/0x134 + cpufreq_register_driver+0x150/0x234 + qcom_cpufreq_hw_driver_probe+0x2a8/0x388 + platform_probe+0x68/0xc0 + really_probe+0xbc/0x298 + __driver_probe_device+0x78/0x12c + driver_probe_device+0x3c/0x160 + __device_attach_driver+0xb8/0x138 + bus_for_each_drv+0x84/0xe0 + __device_attach+0x9c/0x188 + device_initial_probe+0x14/0x20 + bus_probe_device+0xac/0xb0 + deferred_probe_work_func+0x8c/0xc8 + process_one_work+0x20c/0x62c + worker_thread+0x1bc/0x36c + kthread+0x120/0x124 + ret_from_fork+0x10/0x20 + +Fixes: 53bca371cdf7 ("thermal/drivers/qcom: Add support for LMh driver") +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20241011-lmh-lockdep-v1-1-495cbbe6fef1@linaro.org +Signed-off-by: Daniel Lezcano +Signed-off-by: Greg Kroah-Hartman +--- + drivers/thermal/qcom/lmh.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/thermal/qcom/lmh.c ++++ b/drivers/thermal/qcom/lmh.c +@@ -73,7 +73,14 @@ static struct irq_chip lmh_irq_chip = { + static int lmh_irq_map(struct irq_domain *d, unsigned int irq, irq_hw_number_t hw) + { + struct lmh_hw_data *lmh_data = d->host_data; ++ static struct lock_class_key lmh_lock_key; ++ static struct lock_class_key lmh_request_key; + ++ /* ++ * This lock class tells lockdep that GPIO irqs are in a different ++ * category than their parents, so it won't report false recursion. ++ */ ++ irq_set_lockdep_class(irq, &lmh_lock_key, &lmh_request_key); + irq_set_chip_and_handler(irq, &lmh_irq_chip, handle_simple_irq); + irq_set_chip_data(irq, lmh_data); +