From: Sasha Levin Date: Fri, 11 Oct 2024 19:35:14 +0000 (-0400) Subject: Fixes for 5.15 X-Git-Tag: v5.10.227~75 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=78eca2b60a169cc4f39f4ab43478987d6effa8f3;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.15 Signed-off-by: Sasha Levin --- diff --git a/queue-5.15/bpf-check-percpu-map-value-size-first.patch b/queue-5.15/bpf-check-percpu-map-value-size-first.patch new file mode 100644 index 00000000000..6d43695c626 --- /dev/null +++ b/queue-5.15/bpf-check-percpu-map-value-size-first.patch @@ -0,0 +1,59 @@ +From 8bd26f5c620eb04fb7062caf2d38e2239ecbe9dc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Sep 2024 22:41:10 +0800 +Subject: bpf: Check percpu map value size first + +From: Tao Chen + +[ Upstream commit 1d244784be6b01162b732a5a7d637dfc024c3203 ] + +Percpu map is often used, but the map value size limit often ignored, +like issue: https://github.com/iovisor/bcc/issues/2519. Actually, +percpu map value size is bound by PCPU_MIN_UNIT_SIZE, so we +can check the value size whether it exceeds PCPU_MIN_UNIT_SIZE first, +like percpu map of local_storage. Maybe the error message seems clearer +compared with "cannot allocate memory". + +Signed-off-by: Jinke Han +Signed-off-by: Tao Chen +Signed-off-by: Andrii Nakryiko +Acked-by: Jiri Olsa +Acked-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20240910144111.1464912-2-chen.dylane@gmail.com +Signed-off-by: Sasha Levin +--- + kernel/bpf/arraymap.c | 3 +++ + kernel/bpf/hashtab.c | 3 +++ + 2 files changed, 6 insertions(+) + +diff --git a/kernel/bpf/arraymap.c b/kernel/bpf/arraymap.c +index c76870bfd8167..2788da290c216 100644 +--- a/kernel/bpf/arraymap.c ++++ b/kernel/bpf/arraymap.c +@@ -74,6 +74,9 @@ int array_map_alloc_check(union bpf_attr *attr) + * access the elements. + */ + return -E2BIG; ++ /* percpu map value size is bound by PCPU_MIN_UNIT_SIZE */ ++ if (percpu && round_up(attr->value_size, 8) > PCPU_MIN_UNIT_SIZE) ++ return -E2BIG; + + return 0; + } +diff --git a/kernel/bpf/hashtab.c b/kernel/bpf/hashtab.c +index f53b4f04b935c..d08fe64e0e453 100644 +--- a/kernel/bpf/hashtab.c ++++ b/kernel/bpf/hashtab.c +@@ -464,6 +464,9 @@ static int htab_map_alloc_check(union bpf_attr *attr) + * kmalloc-able later in htab_map_update_elem() + */ + return -E2BIG; ++ /* percpu map value size is bound by PCPU_MIN_UNIT_SIZE */ ++ if (percpu && round_up(attr->value_size, 8) > PCPU_MIN_UNIT_SIZE) ++ return -E2BIG; + + return 0; + } +-- +2.43.0 + diff --git a/queue-5.15/bpf-x64-fix-a-jit-convergence-issue.patch b/queue-5.15/bpf-x64-fix-a-jit-convergence-issue.patch new file mode 100644 index 00000000000..da411e748ec --- /dev/null +++ b/queue-5.15/bpf-x64-fix-a-jit-convergence-issue.patch @@ -0,0 +1,186 @@ +From e33aa86a8f24499884ef54034bdcc4a507d534da Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Sep 2024 15:12:51 -0700 +Subject: bpf, x64: Fix a jit convergence issue + +From: Yonghong Song + +[ Upstream commit c8831bdbfbab672c006a18006d36932a494b2fd6 ] + +Daniel Hodges reported a jit error when playing with a sched-ext program. +The error message is: + unexpected jmp_cond padding: -4 bytes + +But further investigation shows the error is actual due to failed +convergence. The following are some analysis: + + ... + pass4, final_proglen=4391: + ... + 20e: 48 85 ff test rdi,rdi + 211: 74 7d je 0x290 + 213: 48 8b 77 00 mov rsi,QWORD PTR [rdi+0x0] + ... + 289: 48 85 ff test rdi,rdi + 28c: 74 17 je 0x2a5 + 28e: e9 7f ff ff ff jmp 0x212 + 293: bf 03 00 00 00 mov edi,0x3 + +Note that insn at 0x211 is 2-byte cond jump insn for offset 0x7d (-125) +and insn at 0x28e is 5-byte jmp insn with offset -129. + + pass5, final_proglen=4392: + ... + 20e: 48 85 ff test rdi,rdi + 211: 0f 84 80 00 00 00 je 0x297 + 217: 48 8b 77 00 mov rsi,QWORD PTR [rdi+0x0] + ... + 28d: 48 85 ff test rdi,rdi + 290: 74 1a je 0x2ac + 292: eb 84 jmp 0x218 + 294: bf 03 00 00 00 mov edi,0x3 + +Note that insn at 0x211 is 6-byte cond jump insn now since its offset +becomes 0x80 based on previous round (0x293 - 0x213 = 0x80). At the same +time, insn at 0x292 is a 2-byte insn since its offset is -124. + +pass6 will repeat the same code as in pass4. pass7 will repeat the same +code as in pass5, and so on. This will prevent eventual convergence. + +Passes 1-14 are with padding = 0. At pass15, padding is 1 and related +insn looks like: + + 211: 0f 84 80 00 00 00 je 0x297 + 217: 48 8b 77 00 mov rsi,QWORD PTR [rdi+0x0] + ... + 24d: 48 85 d2 test rdx,rdx + +The similar code in pass14: + 211: 74 7d je 0x290 + 213: 48 8b 77 00 mov rsi,QWORD PTR [rdi+0x0] + ... + 249: 48 85 d2 test rdx,rdx + 24c: 74 21 je 0x26f + 24e: 48 01 f7 add rdi,rsi + ... + +Before generating the following insn, + 250: 74 21 je 0x273 +"padding = 1" enables some checking to ensure nops is either 0 or 4 +where + #define INSN_SZ_DIFF (((addrs[i] - addrs[i - 1]) - (prog - temp))) + nops = INSN_SZ_DIFF - 2 + +In this specific case, + addrs[i] = 0x24e // from pass14 + addrs[i-1] = 0x24d // from pass15 + prog - temp = 3 // from 'test rdx,rdx' in pass15 +so + nops = -4 +and this triggers the failure. + +To fix the issue, we need to break cycles of je <-> jmp. For example, +in the above case, we have + 211: 74 7d je 0x290 +the offset is 0x7d. If 2-byte je insn is generated only if +the offset is less than 0x7d (<= 0x7c), the cycle can be +break and we can achieve the convergence. + +I did some study on other cases like je <-> je, jmp <-> je and +jmp <-> jmp which may cause cycles. Those cases are not from actual +reproducible cases since it is pretty hard to construct a test case +for them. the results show that the offset <= 0x7b (0x7b = 123) should +be enough to cover all cases. This patch added a new helper to generate 8-bit +cond/uncond jmp insns only if the offset range is [-128, 123]. + +Reported-by: Daniel Hodges +Signed-off-by: Yonghong Song +Link: https://lore.kernel.org/r/20240904221251.37109-1-yonghong.song@linux.dev +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + arch/x86/net/bpf_jit_comp.c | 54 +++++++++++++++++++++++++++++++++++-- + 1 file changed, 52 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c +index f7a0e9708418d..ac06f53391ec1 100644 +--- a/arch/x86/net/bpf_jit_comp.c ++++ b/arch/x86/net/bpf_jit_comp.c +@@ -51,6 +51,56 @@ static bool is_imm8(int value) + return value <= 127 && value >= -128; + } + ++/* ++ * Let us limit the positive offset to be <= 123. ++ * This is to ensure eventual jit convergence For the following patterns: ++ * ... ++ * pass4, final_proglen=4391: ++ * ... ++ * 20e: 48 85 ff test rdi,rdi ++ * 211: 74 7d je 0x290 ++ * 213: 48 8b 77 00 mov rsi,QWORD PTR [rdi+0x0] ++ * ... ++ * 289: 48 85 ff test rdi,rdi ++ * 28c: 74 17 je 0x2a5 ++ * 28e: e9 7f ff ff ff jmp 0x212 ++ * 293: bf 03 00 00 00 mov edi,0x3 ++ * Note that insn at 0x211 is 2-byte cond jump insn for offset 0x7d (-125) ++ * and insn at 0x28e is 5-byte jmp insn with offset -129. ++ * ++ * pass5, final_proglen=4392: ++ * ... ++ * 20e: 48 85 ff test rdi,rdi ++ * 211: 0f 84 80 00 00 00 je 0x297 ++ * 217: 48 8b 77 00 mov rsi,QWORD PTR [rdi+0x0] ++ * ... ++ * 28d: 48 85 ff test rdi,rdi ++ * 290: 74 1a je 0x2ac ++ * 292: eb 84 jmp 0x218 ++ * 294: bf 03 00 00 00 mov edi,0x3 ++ * Note that insn at 0x211 is 6-byte cond jump insn now since its offset ++ * becomes 0x80 based on previous round (0x293 - 0x213 = 0x80). ++ * At the same time, insn at 0x292 is a 2-byte insn since its offset is ++ * -124. ++ * ++ * pass6 will repeat the same code as in pass4 and this will prevent ++ * eventual convergence. ++ * ++ * To fix this issue, we need to break je (2->6 bytes) <-> jmp (5->2 bytes) ++ * cycle in the above. In the above example je offset <= 0x7c should work. ++ * ++ * For other cases, je <-> je needs offset <= 0x7b to avoid no convergence ++ * issue. For jmp <-> je and jmp <-> jmp cases, jmp offset <= 0x7c should ++ * avoid no convergence issue. ++ * ++ * Overall, let us limit the positive offset for 8bit cond/uncond jmp insn ++ * to maximum 123 (0x7b). This way, the jit pass can eventually converge. ++ */ ++static bool is_imm8_jmp_offset(int value) ++{ ++ return value <= 123 && value >= -128; ++} ++ + static bool is_simm32(s64 value) + { + return value == (s64)(s32)value; +@@ -1574,7 +1624,7 @@ st: if (is_imm8(insn->off)) + return -EFAULT; + } + jmp_offset = addrs[i + insn->off] - addrs[i]; +- if (is_imm8(jmp_offset)) { ++ if (is_imm8_jmp_offset(jmp_offset)) { + if (jmp_padding) { + /* To keep the jmp_offset valid, the extra bytes are + * padded before the jump insn, so we subtract the +@@ -1648,7 +1698,7 @@ st: if (is_imm8(insn->off)) + break; + } + emit_jmp: +- if (is_imm8(jmp_offset)) { ++ if (is_imm8_jmp_offset(jmp_offset)) { + if (jmp_padding) { + /* To avoid breaking jmp_offset, the extra bytes + * are padded before the actual jmp insn, so +-- +2.43.0 + diff --git a/queue-5.15/clk-bcm-bcm53573-fix-of-node-leak-in-init.patch b/queue-5.15/clk-bcm-bcm53573-fix-of-node-leak-in-init.patch new file mode 100644 index 00000000000..6399b33c841 --- /dev/null +++ b/queue-5.15/clk-bcm-bcm53573-fix-of-node-leak-in-init.patch @@ -0,0 +1,39 @@ +From f4f793be95e268d7d4352b8d7e7fd3ab4ff2ae0d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Aug 2024 08:58:01 +0200 +Subject: clk: bcm: bcm53573: fix OF node leak in init + +From: Krzysztof Kozlowski + +[ Upstream commit f92d67e23b8caa81f6322a2bad1d633b00ca000e ] + +Driver code is leaking OF node reference from of_get_parent() in +bcm53573_ilp_init(). Usage of of_get_parent() is not needed in the +first place, because the parent node will not be freed while we are +processing given node (triggered by CLK_OF_DECLARE()). Thus fix the +leak by accessing parent directly, instead of of_get_parent(). + +Signed-off-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20240826065801.17081-1-krzysztof.kozlowski@linaro.org +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/bcm/clk-bcm53573-ilp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/bcm/clk-bcm53573-ilp.c b/drivers/clk/bcm/clk-bcm53573-ilp.c +index 84f2af736ee8a..83ef41d618be3 100644 +--- a/drivers/clk/bcm/clk-bcm53573-ilp.c ++++ b/drivers/clk/bcm/clk-bcm53573-ilp.c +@@ -112,7 +112,7 @@ static void bcm53573_ilp_init(struct device_node *np) + goto err_free_ilp; + } + +- ilp->regmap = syscon_node_to_regmap(of_get_parent(np)); ++ ilp->regmap = syscon_node_to_regmap(np->parent); + if (IS_ERR(ilp->regmap)) { + err = PTR_ERR(ilp->regmap); + goto err_free_ilp; +-- +2.43.0 + diff --git a/queue-5.15/clk-imx-remove-clk_set_parent_gate-for-dram-mux-for-.patch b/queue-5.15/clk-imx-remove-clk_set_parent_gate-for-dram-mux-for-.patch new file mode 100644 index 00000000000..1521ec4b76b --- /dev/null +++ b/queue-5.15/clk-imx-remove-clk_set_parent_gate-for-dram-mux-for-.patch @@ -0,0 +1,44 @@ +From 12fd00c4eb9840e0962689f931740a98a062b844 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Jun 2024 21:33:39 +0800 +Subject: clk: imx: Remove CLK_SET_PARENT_GATE for DRAM mux for i.MX7D + +From: Peng Fan + +[ Upstream commit a54c441b46a0745683c2eef5a359d22856d27323 ] + +For i.MX7D DRAM related mux clock, the clock source change should ONLY +be done done in low level asm code without accessing DRAM, and then +calling clk API to sync the HW clock status with clk tree, it should never +touch real clock source switch via clk API, so CLK_SET_PARENT_GATE flag +should NOT be added, otherwise, DRAM's clock parent will be disabled when +DRAM is active, and system will hang. + +Signed-off-by: Peng Fan +Reviewed-by: Abel Vesa +Link: https://lore.kernel.org/r/20240607133347.3291040-8-peng.fan@oss.nxp.com +Signed-off-by: Abel Vesa +Signed-off-by: Sasha Levin +--- + drivers/clk/imx/clk-imx7d.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/clk/imx/clk-imx7d.c b/drivers/clk/imx/clk-imx7d.c +index 3f6fd7ef2a68f..0e68e5f2d7e7d 100644 +--- a/drivers/clk/imx/clk-imx7d.c ++++ b/drivers/clk/imx/clk-imx7d.c +@@ -498,9 +498,9 @@ static void __init imx7d_clocks_init(struct device_node *ccm_node) + hws[IMX7D_ENET_AXI_ROOT_SRC] = imx_clk_hw_mux2_flags("enet_axi_src", base + 0x8900, 24, 3, enet_axi_sel, ARRAY_SIZE(enet_axi_sel), CLK_SET_PARENT_GATE); + hws[IMX7D_NAND_USDHC_BUS_ROOT_SRC] = imx_clk_hw_mux2_flags("nand_usdhc_src", base + 0x8980, 24, 3, nand_usdhc_bus_sel, ARRAY_SIZE(nand_usdhc_bus_sel), CLK_SET_PARENT_GATE); + hws[IMX7D_DRAM_PHYM_ROOT_SRC] = imx_clk_hw_mux2_flags("dram_phym_src", base + 0x9800, 24, 1, dram_phym_sel, ARRAY_SIZE(dram_phym_sel), CLK_SET_PARENT_GATE); +- hws[IMX7D_DRAM_ROOT_SRC] = imx_clk_hw_mux2_flags("dram_src", base + 0x9880, 24, 1, dram_sel, ARRAY_SIZE(dram_sel), CLK_SET_PARENT_GATE); ++ hws[IMX7D_DRAM_ROOT_SRC] = imx_clk_hw_mux2("dram_src", base + 0x9880, 24, 1, dram_sel, ARRAY_SIZE(dram_sel)); + hws[IMX7D_DRAM_PHYM_ALT_ROOT_SRC] = imx_clk_hw_mux2_flags("dram_phym_alt_src", base + 0xa000, 24, 3, dram_phym_alt_sel, ARRAY_SIZE(dram_phym_alt_sel), CLK_SET_PARENT_GATE); +- hws[IMX7D_DRAM_ALT_ROOT_SRC] = imx_clk_hw_mux2_flags("dram_alt_src", base + 0xa080, 24, 3, dram_alt_sel, ARRAY_SIZE(dram_alt_sel), CLK_SET_PARENT_GATE); ++ hws[IMX7D_DRAM_ALT_ROOT_SRC] = imx_clk_hw_mux2("dram_alt_src", base + 0xa080, 24, 3, dram_alt_sel, ARRAY_SIZE(dram_alt_sel)); + hws[IMX7D_USB_HSIC_ROOT_SRC] = imx_clk_hw_mux2_flags("usb_hsic_src", base + 0xa100, 24, 3, usb_hsic_sel, ARRAY_SIZE(usb_hsic_sel), CLK_SET_PARENT_GATE); + hws[IMX7D_PCIE_CTRL_ROOT_SRC] = imx_clk_hw_mux2_flags("pcie_ctrl_src", base + 0xa180, 24, 3, pcie_ctrl_sel, ARRAY_SIZE(pcie_ctrl_sel), CLK_SET_PARENT_GATE); + hws[IMX7D_PCIE_PHY_ROOT_SRC] = imx_clk_hw_mux2_flags("pcie_phy_src", base + 0xa200, 24, 3, pcie_phy_sel, ARRAY_SIZE(pcie_phy_sel), CLK_SET_PARENT_GATE); +-- +2.43.0 + diff --git a/queue-5.15/comedi-ni_routing-tools-check-when-the-file-could-no.patch b/queue-5.15/comedi-ni_routing-tools-check-when-the-file-could-no.patch new file mode 100644 index 00000000000..9e81968c4c1 --- /dev/null +++ b/queue-5.15/comedi-ni_routing-tools-check-when-the-file-could-no.patch @@ -0,0 +1,38 @@ +From 815a893b195a7e3025ced9b5eef5551843c4fae1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 7 Sep 2024 05:30:25 +0900 +Subject: comedi: ni_routing: tools: Check when the file could not be opened + +From: Ruffalo Lavoisier + +[ Upstream commit 5baeb157b341b1d26a5815aeaa4d3bb9e0444fda ] + +- After fopen check NULL before using the file pointer use + +Signed-off-by: Ruffalo Lavoisier +Link: https://lore.kernel.org/r/20240906203025.89588-1-RuffaloLavoisier@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/comedi/drivers/ni_routing/tools/convert_c_to_py.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/comedi/drivers/ni_routing/tools/convert_c_to_py.c b/drivers/comedi/drivers/ni_routing/tools/convert_c_to_py.c +index d55521b5bdcb2..892a66b2cea66 100644 +--- a/drivers/comedi/drivers/ni_routing/tools/convert_c_to_py.c ++++ b/drivers/comedi/drivers/ni_routing/tools/convert_c_to_py.c +@@ -140,6 +140,11 @@ int main(void) + { + FILE *fp = fopen("ni_values.py", "w"); + ++ if (fp == NULL) { ++ fprintf(stderr, "Could not open file!"); ++ return -1; ++ } ++ + /* write route register values */ + fprintf(fp, "ni_route_values = {\n"); + for (int i = 0; ni_all_route_values[i]; ++i) +-- +2.43.0 + diff --git a/queue-5.15/driver-core-bus-return-eio-instead-of-0-when-show-st.patch b/queue-5.15/driver-core-bus-return-eio-instead-of-0-when-show-st.patch new file mode 100644 index 00000000000..8eaf57e5077 --- /dev/null +++ b/queue-5.15/driver-core-bus-return-eio-instead-of-0-when-show-st.patch @@ -0,0 +1,49 @@ +From 52cd141735960ecdd7646cb6435df82b6c85389c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Jul 2024 21:54:48 +0800 +Subject: driver core: bus: Return -EIO instead of 0 when show/store invalid + bus attribute + +From: Zijun Hu + +[ Upstream commit c0fd973c108cdc22a384854bc4b3e288a9717bb2 ] + +Return -EIO instead of 0 for below erroneous bus attribute operations: + - read a bus attribute without show(). + - write a bus attribute without store(). + +Signed-off-by: Zijun Hu +Link: https://lore.kernel.org/r/20240724-bus_fix-v2-1-5adbafc698fb@quicinc.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/base/bus.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/base/bus.c b/drivers/base/bus.c +index d171535fc18f5..548291d15c290 100644 +--- a/drivers/base/bus.c ++++ b/drivers/base/bus.c +@@ -104,7 +104,8 @@ static ssize_t bus_attr_show(struct kobject *kobj, struct attribute *attr, + { + struct bus_attribute *bus_attr = to_bus_attr(attr); + struct subsys_private *subsys_priv = to_subsys_private(kobj); +- ssize_t ret = 0; ++ /* return -EIO for reading a bus attribute without show() */ ++ ssize_t ret = -EIO; + + if (bus_attr->show) + ret = bus_attr->show(subsys_priv->bus, buf); +@@ -116,7 +117,8 @@ static ssize_t bus_attr_store(struct kobject *kobj, struct attribute *attr, + { + struct bus_attribute *bus_attr = to_bus_attr(attr); + struct subsys_private *subsys_priv = to_subsys_private(kobj); +- ssize_t ret = 0; ++ /* return -EIO for writing a bus attribute without store() */ ++ ssize_t ret = -EIO; + + if (bus_attr->store) + ret = bus_attr->store(subsys_priv->bus, buf, count); +-- +2.43.0 + diff --git a/queue-5.15/drm-amd-display-check-null-pointer-before-dereferenc.patch b/queue-5.15/drm-amd-display-check-null-pointer-before-dereferenc.patch new file mode 100644 index 00000000000..a322ac109ec --- /dev/null +++ b/queue-5.15/drm-amd-display-check-null-pointer-before-dereferenc.patch @@ -0,0 +1,41 @@ +From 2216ae68f3e390f60d4a7ab0b59beb30288f5b1e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Aug 2024 17:30:26 -0600 +Subject: drm/amd/display: Check null pointer before dereferencing se + +From: Alex Hung + +[ Upstream commit ff599ef6970ee000fa5bc38d02fa5ff5f3fc7575 ] + +[WHAT & HOW] +se is null checked previously in the same function, indicating +it might be null; therefore, it must be checked when used again. + +This fixes 1 FORWARD_NULL issue reported by Coverity. + +Acked-by: Alex Hung +Reviewed-by: Rodrigo Siqueira +Signed-off-by: Alex Hung +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/core/dc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/core/dc.c b/drivers/gpu/drm/amd/display/dc/core/dc.c +index db7a758ab778d..d3d638252e2b9 100644 +--- a/drivers/gpu/drm/amd/display/dc/core/dc.c ++++ b/drivers/gpu/drm/amd/display/dc/core/dc.c +@@ -1464,7 +1464,7 @@ bool dc_validate_seamless_boot_timing(const struct dc *dc, + if (crtc_timing->pix_clk_100hz != pix_clk_100hz) + return false; + +- if (!se->funcs->dp_get_pixel_format) ++ if (!se || !se->funcs->dp_get_pixel_format) + return false; + + if (!se->funcs->dp_get_pixel_format( +-- +2.43.0 + diff --git a/queue-5.15/ext4-don-t-set-sb_rdonly-after-filesystem-errors.patch b/queue-5.15/ext4-don-t-set-sb_rdonly-after-filesystem-errors.patch new file mode 100644 index 00000000000..c63d2d37921 --- /dev/null +++ b/queue-5.15/ext4-don-t-set-sb_rdonly-after-filesystem-errors.patch @@ -0,0 +1,56 @@ +From 738f53a2ac291c50e4ed9432472d614b053933f8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Aug 2024 22:12:41 +0200 +Subject: ext4: don't set SB_RDONLY after filesystem errors + +From: Jan Kara + +[ Upstream commit d3476f3dad4ad68ae5f6b008ea6591d1520da5d8 ] + +When the filesystem is mounted with errors=remount-ro, we were setting +SB_RDONLY flag to stop all filesystem modifications. We knew this misses +proper locking (sb->s_umount) and does not go through proper filesystem +remount procedure but it has been the way this worked since early ext2 +days and it was good enough for catastrophic situation damage +mitigation. Recently, syzbot has found a way (see link) to trigger +warnings in filesystem freezing because the code got confused by +SB_RDONLY changing under its hands. Since these days we set +EXT4_FLAGS_SHUTDOWN on the superblock which is enough to stop all +filesystem modifications, modifying SB_RDONLY shouldn't be needed. So +stop doing that. + +Link: https://lore.kernel.org/all/000000000000b90a8e061e21d12f@google.com +Reported-by: Christian Brauner +Signed-off-by: Jan Kara +Reviewed-by: Christian Brauner +Link: https://patch.msgid.link/20240805201241.27286-1-jack@suse.cz +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/super.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/fs/ext4/super.c b/fs/ext4/super.c +index b09b7a6b7a154..93eb26c162422 100644 +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -674,11 +674,12 @@ static void ext4_handle_error(struct super_block *sb, bool force_ro, int error, + + ext4_msg(sb, KERN_CRIT, "Remounting filesystem read-only"); + /* +- * Make sure updated value of ->s_mount_flags will be visible before +- * ->s_flags update ++ * EXT4_FLAGS_SHUTDOWN was set which stops all filesystem ++ * modifications. We don't set SB_RDONLY because that requires ++ * sb->s_umount semaphore and setting it without proper remount ++ * procedure is confusing code such as freeze_super() leading to ++ * deadlocks and other problems. + */ +- smp_wmb(); +- sb->s_flags |= SB_RDONLY; + } + + static void flush_stashed_error_work(struct work_struct *work) +-- +2.43.0 + diff --git a/queue-5.15/ext4-nested-locking-for-xattr-inode.patch b/queue-5.15/ext4-nested-locking-for-xattr-inode.patch new file mode 100644 index 00000000000..e57404a908f --- /dev/null +++ b/queue-5.15/ext4-nested-locking-for-xattr-inode.patch @@ -0,0 +1,189 @@ +From 702ad7b5368aa2b2b2a66741957e99064b6273c1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Aug 2024 16:38:27 +0200 +Subject: ext4: nested locking for xattr inode +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Wojciech Gładysz + +[ Upstream commit d1bc560e9a9c78d0b2314692847fc8661e0aeb99 ] + +Add nested locking with I_MUTEX_XATTR subclass to avoid lockdep warning +while handling xattr inode on file open syscall at ext4_xattr_inode_iget. + +Backtrace +EXT4-fs (loop0): Ignoring removed oldalloc option +====================================================== +WARNING: possible circular locking dependency detected +5.10.0-syzkaller #0 Not tainted +------------------------------------------------------ +syz-executor543/2794 is trying to acquire lock: +ffff8880215e1a48 (&ea_inode->i_rwsem#7/1){+.+.}-{3:3}, at: inode_lock include/linux/fs.h:782 [inline] +ffff8880215e1a48 (&ea_inode->i_rwsem#7/1){+.+.}-{3:3}, at: ext4_xattr_inode_iget+0x42a/0x5c0 fs/ext4/xattr.c:425 + +but task is already holding lock: +ffff8880215e3278 (&ei->i_data_sem/3){++++}-{3:3}, at: ext4_setattr+0x136d/0x19c0 fs/ext4/inode.c:5559 + +which lock already depends on the new lock. + +the existing dependency chain (in reverse order) is: + +-> #1 (&ei->i_data_sem/3){++++}-{3:3}: + lock_acquire+0x197/0x480 kernel/locking/lockdep.c:5566 + down_write+0x93/0x180 kernel/locking/rwsem.c:1564 + ext4_update_i_disksize fs/ext4/ext4.h:3267 [inline] + ext4_xattr_inode_write fs/ext4/xattr.c:1390 [inline] + ext4_xattr_inode_lookup_create fs/ext4/xattr.c:1538 [inline] + ext4_xattr_set_entry+0x331a/0x3d80 fs/ext4/xattr.c:1662 + ext4_xattr_ibody_set+0x124/0x390 fs/ext4/xattr.c:2228 + ext4_xattr_set_handle+0xc27/0x14e0 fs/ext4/xattr.c:2385 + ext4_xattr_set+0x219/0x390 fs/ext4/xattr.c:2498 + ext4_xattr_user_set+0xc9/0xf0 fs/ext4/xattr_user.c:40 + __vfs_setxattr+0x404/0x450 fs/xattr.c:177 + __vfs_setxattr_noperm+0x11d/0x4f0 fs/xattr.c:208 + __vfs_setxattr_locked+0x1f9/0x210 fs/xattr.c:266 + vfs_setxattr+0x112/0x2c0 fs/xattr.c:283 + setxattr+0x1db/0x3e0 fs/xattr.c:548 + path_setxattr+0x15a/0x240 fs/xattr.c:567 + __do_sys_setxattr fs/xattr.c:582 [inline] + __se_sys_setxattr fs/xattr.c:578 [inline] + __x64_sys_setxattr+0xc5/0xe0 fs/xattr.c:578 + do_syscall_64+0x6d/0xa0 arch/x86/entry/common.c:62 + entry_SYSCALL_64_after_hwframe+0x61/0xcb + +-> #0 (&ea_inode->i_rwsem#7/1){+.+.}-{3:3}: + check_prev_add kernel/locking/lockdep.c:2988 [inline] + check_prevs_add kernel/locking/lockdep.c:3113 [inline] + validate_chain+0x1695/0x58f0 kernel/locking/lockdep.c:3729 + __lock_acquire+0x12fd/0x20d0 kernel/locking/lockdep.c:4955 + lock_acquire+0x197/0x480 kernel/locking/lockdep.c:5566 + down_write+0x93/0x180 kernel/locking/rwsem.c:1564 + inode_lock include/linux/fs.h:782 [inline] + ext4_xattr_inode_iget+0x42a/0x5c0 fs/ext4/xattr.c:425 + ext4_xattr_inode_get+0x138/0x410 fs/ext4/xattr.c:485 + ext4_xattr_move_to_block fs/ext4/xattr.c:2580 [inline] + ext4_xattr_make_inode_space fs/ext4/xattr.c:2682 [inline] + ext4_expand_extra_isize_ea+0xe70/0x1bb0 fs/ext4/xattr.c:2774 + __ext4_expand_extra_isize+0x304/0x3f0 fs/ext4/inode.c:5898 + ext4_try_to_expand_extra_isize fs/ext4/inode.c:5941 [inline] + __ext4_mark_inode_dirty+0x591/0x810 fs/ext4/inode.c:6018 + ext4_setattr+0x1400/0x19c0 fs/ext4/inode.c:5562 + notify_change+0xbb6/0xe60 fs/attr.c:435 + do_truncate+0x1de/0x2c0 fs/open.c:64 + handle_truncate fs/namei.c:2970 [inline] + do_open fs/namei.c:3311 [inline] + path_openat+0x29f3/0x3290 fs/namei.c:3425 + do_filp_open+0x20b/0x450 fs/namei.c:3452 + do_sys_openat2+0x124/0x460 fs/open.c:1207 + do_sys_open fs/open.c:1223 [inline] + __do_sys_open fs/open.c:1231 [inline] + __se_sys_open fs/open.c:1227 [inline] + __x64_sys_open+0x221/0x270 fs/open.c:1227 + do_syscall_64+0x6d/0xa0 arch/x86/entry/common.c:62 + entry_SYSCALL_64_after_hwframe+0x61/0xcb + +other info that might help us debug this: + + Possible unsafe locking scenario: + + CPU0 CPU1 + ---- ---- + lock(&ei->i_data_sem/3); + lock(&ea_inode->i_rwsem#7/1); + lock(&ei->i_data_sem/3); + lock(&ea_inode->i_rwsem#7/1); + + *** DEADLOCK *** + +5 locks held by syz-executor543/2794: + #0: ffff888026fbc448 (sb_writers#4){.+.+}-{0:0}, at: mnt_want_write+0x4a/0x2a0 fs/namespace.c:365 + #1: ffff8880215e3488 (&sb->s_type->i_mutex_key#7){++++}-{3:3}, at: inode_lock include/linux/fs.h:782 [inline] + #1: ffff8880215e3488 (&sb->s_type->i_mutex_key#7){++++}-{3:3}, at: do_truncate+0x1cf/0x2c0 fs/open.c:62 + #2: ffff8880215e3310 (&ei->i_mmap_sem){++++}-{3:3}, at: ext4_setattr+0xec4/0x19c0 fs/ext4/inode.c:5519 + #3: ffff8880215e3278 (&ei->i_data_sem/3){++++}-{3:3}, at: ext4_setattr+0x136d/0x19c0 fs/ext4/inode.c:5559 + #4: ffff8880215e30c8 (&ei->xattr_sem){++++}-{3:3}, at: ext4_write_trylock_xattr fs/ext4/xattr.h:162 [inline] + #4: ffff8880215e30c8 (&ei->xattr_sem){++++}-{3:3}, at: ext4_try_to_expand_extra_isize fs/ext4/inode.c:5938 [inline] + #4: ffff8880215e30c8 (&ei->xattr_sem){++++}-{3:3}, at: __ext4_mark_inode_dirty+0x4fb/0x810 fs/ext4/inode.c:6018 + +stack backtrace: +CPU: 1 PID: 2794 Comm: syz-executor543 Not tainted 5.10.0-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x177/0x211 lib/dump_stack.c:118 + print_circular_bug+0x146/0x1b0 kernel/locking/lockdep.c:2002 + check_noncircular+0x2cc/0x390 kernel/locking/lockdep.c:2123 + check_prev_add kernel/locking/lockdep.c:2988 [inline] + check_prevs_add kernel/locking/lockdep.c:3113 [inline] + validate_chain+0x1695/0x58f0 kernel/locking/lockdep.c:3729 + __lock_acquire+0x12fd/0x20d0 kernel/locking/lockdep.c:4955 + lock_acquire+0x197/0x480 kernel/locking/lockdep.c:5566 + down_write+0x93/0x180 kernel/locking/rwsem.c:1564 + inode_lock include/linux/fs.h:782 [inline] + ext4_xattr_inode_iget+0x42a/0x5c0 fs/ext4/xattr.c:425 + ext4_xattr_inode_get+0x138/0x410 fs/ext4/xattr.c:485 + ext4_xattr_move_to_block fs/ext4/xattr.c:2580 [inline] + ext4_xattr_make_inode_space fs/ext4/xattr.c:2682 [inline] + ext4_expand_extra_isize_ea+0xe70/0x1bb0 fs/ext4/xattr.c:2774 + __ext4_expand_extra_isize+0x304/0x3f0 fs/ext4/inode.c:5898 + ext4_try_to_expand_extra_isize fs/ext4/inode.c:5941 [inline] + __ext4_mark_inode_dirty+0x591/0x810 fs/ext4/inode.c:6018 + ext4_setattr+0x1400/0x19c0 fs/ext4/inode.c:5562 + notify_change+0xbb6/0xe60 fs/attr.c:435 + do_truncate+0x1de/0x2c0 fs/open.c:64 + handle_truncate fs/namei.c:2970 [inline] + do_open fs/namei.c:3311 [inline] + path_openat+0x29f3/0x3290 fs/namei.c:3425 + do_filp_open+0x20b/0x450 fs/namei.c:3452 + do_sys_openat2+0x124/0x460 fs/open.c:1207 + do_sys_open fs/open.c:1223 [inline] + __do_sys_open fs/open.c:1231 [inline] + __se_sys_open fs/open.c:1227 [inline] + __x64_sys_open+0x221/0x270 fs/open.c:1227 + do_syscall_64+0x6d/0xa0 arch/x86/entry/common.c:62 + entry_SYSCALL_64_after_hwframe+0x61/0xcb +RIP: 0033:0x7f0cde4ea229 +Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 21 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007ffd81d1c978 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 +RAX: ffffffffffffffda RBX: 0030656c69662f30 RCX: 00007f0cde4ea229 +RDX: 0000000000000089 RSI: 00000000000a0a00 RDI: 00000000200001c0 +RBP: 2f30656c69662f2e R08: 0000000000208000 R09: 0000000000208000 +R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffd81d1c9c0 +R13: 00007ffd81d1ca00 R14: 0000000000080000 R15: 0000000000000003 +EXT4-fs error (device loop0): ext4_expand_extra_isize_ea:2730: inode #13: comm syz-executor543: corrupted in-inode xattr + +Signed-off-by: Wojciech Gładysz +Link: https://patch.msgid.link/20240801143827.19135-1-wojciech.gladysz@infogain.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/xattr.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c +index 03d90e4c20b86..a22c85bf8ae96 100644 +--- a/fs/ext4/xattr.c ++++ b/fs/ext4/xattr.c +@@ -422,7 +422,7 @@ static int ext4_xattr_inode_iget(struct inode *parent, unsigned long ea_ino, + ext4_set_inode_state(inode, EXT4_STATE_LUSTRE_EA_INODE); + ext4_xattr_inode_set_ref(inode, 1); + } else { +- inode_lock(inode); ++ inode_lock_nested(inode, I_MUTEX_XATTR); + inode->i_flags |= S_NOQUOTA; + inode_unlock(inode); + } +@@ -990,7 +990,7 @@ static int ext4_xattr_inode_update_ref(handle_t *handle, struct inode *ea_inode, + s64 ref_count; + int ret; + +- inode_lock(ea_inode); ++ inode_lock_nested(ea_inode, I_MUTEX_XATTR); + + ret = ext4_reserve_inode_write(handle, ea_inode, &iloc); + if (ret) +-- +2.43.0 + diff --git a/queue-5.15/fbdev-sisfb-fix-strbuf-array-overflow.patch b/queue-5.15/fbdev-sisfb-fix-strbuf-array-overflow.patch new file mode 100644 index 00000000000..c525ce96ac2 --- /dev/null +++ b/queue-5.15/fbdev-sisfb-fix-strbuf-array-overflow.patch @@ -0,0 +1,42 @@ +From 9361e24dccaaa18582a3a5e76204bbfba0133a3c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Sep 2024 22:34:24 +0300 +Subject: fbdev: sisfb: Fix strbuf array overflow + +From: Andrey Shumilin + +[ Upstream commit 9cf14f5a2746c19455ce9cb44341b5527b5e19c3 ] + +The values of the variables xres and yres are placed in strbuf. +These variables are obtained from strbuf1. +The strbuf1 array contains digit characters +and a space if the array contains non-digit characters. +Then, when executing sprintf(strbuf, "%ux%ux8", xres, yres); +more than 16 bytes will be written to strbuf. +It is suggested to increase the size of the strbuf array to 24. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Signed-off-by: Andrey Shumilin +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/sis/sis_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/video/fbdev/sis/sis_main.c b/drivers/video/fbdev/sis/sis_main.c +index c6e21ba008953..ce9dc1e8bcdca 100644 +--- a/drivers/video/fbdev/sis/sis_main.c ++++ b/drivers/video/fbdev/sis/sis_main.c +@@ -183,7 +183,7 @@ static void sisfb_search_mode(char *name, bool quiet) + { + unsigned int j = 0, xres = 0, yres = 0, depth = 0, rate = 0; + int i = 0; +- char strbuf[16], strbuf1[20]; ++ char strbuf[24], strbuf1[20]; + char *nameptr = name; + + /* We don't know the hardware specs yet and there is no ivideo */ +-- +2.43.0 + diff --git a/queue-5.15/i2c-i801-use-a-different-adapter-name-for-idf-adapte.patch b/queue-5.15/i2c-i801-use-a-different-adapter-name-for-idf-adapte.patch new file mode 100644 index 00000000000..a475d55276f --- /dev/null +++ b/queue-5.15/i2c-i801-use-a-different-adapter-name-for-idf-adapte.patch @@ -0,0 +1,55 @@ +From 8ff10648ecba0ac334681d06a28e85ba5803a3ce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Aug 2024 22:39:48 +0200 +Subject: i2c: i801: Use a different adapter-name for IDF adapters +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Hans de Goede + +[ Upstream commit 43457ada98c824f310adb7bd96bd5f2fcd9a3279 ] + +On chipsets with a second 'Integrated Device Function' SMBus controller use +a different adapter-name for the second IDF adapter. + +This allows platform glue code which is looking for the primary i801 +adapter to manually instantiate i2c_clients on to differentiate +between the 2. + +This allows such code to find the primary i801 adapter by name, without +needing to duplicate the PCI-ids to feature-flags mapping from i2c-i801.c. + +Reviewed-by: Pali Rohár +Signed-off-by: Hans de Goede +Acked-by: Wolfram Sang +Signed-off-by: Andi Shyti +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-i801.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/drivers/i2c/busses/i2c-i801.c b/drivers/i2c/busses/i2c-i801.c +index 758bbb13b8be3..e983ad07c4951 100644 +--- a/drivers/i2c/busses/i2c-i801.c ++++ b/drivers/i2c/busses/i2c-i801.c +@@ -1851,8 +1851,15 @@ static int i801_probe(struct pci_dev *dev, const struct pci_device_id *id) + + i801_add_tco(priv); + ++ /* ++ * adapter.name is used by platform code to find the main I801 adapter ++ * to instantiante i2c_clients, do not change. ++ */ + snprintf(priv->adapter.name, sizeof(priv->adapter.name), +- "SMBus I801 adapter at %04lx", priv->smba); ++ "SMBus %s adapter at %04lx", ++ (priv->features & FEATURE_IDF) ? "I801 IDF" : "I801", ++ priv->smba); ++ + err = i2c_add_adapter(&priv->adapter); + if (err) { + platform_device_unregister(priv->tco_pdev); +-- +2.43.0 + diff --git a/queue-5.15/ktest.pl-avoid-false-positives-with-grub2-skip-regex.patch b/queue-5.15/ktest.pl-avoid-false-positives-with-grub2-skip-regex.patch new file mode 100644 index 00000000000..c2dcc4ced8b --- /dev/null +++ b/queue-5.15/ktest.pl-avoid-false-positives-with-grub2-skip-regex.patch @@ -0,0 +1,52 @@ +From 644bf05b3ae8cf94554aff7a8f0f29c537928e87 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Sep 2024 13:55:30 -0400 +Subject: ktest.pl: Avoid false positives with grub2 skip regex + +From: Daniel Jordan + +[ Upstream commit 2351e8c65404aabc433300b6bf90c7a37e8bbc4d ] + +Some distros have grub2 config files with the lines + + if [ x"${feature_menuentry_id}" = xy ]; then + menuentry_id_option="--id" + else + menuentry_id_option="" + fi + +which match the skip regex defined for grub2 in get_grub_index(): + + $skip = '^\s*menuentry'; + +These false positives cause the grub number to be higher than it +should be, and the wrong kernel can end up booting. + +Grub documents the menuentry command with whitespace between it and the +title, so make the skip regex reflect this. + +Link: https://lore.kernel.org/20240904175530.84175-1-daniel.m.jordan@oracle.com +Signed-off-by: Daniel Jordan +Acked-by: John 'Warthog9' Hawley (Tenstorrent) +Signed-off-by: Steven Rostedt +Signed-off-by: Sasha Levin +--- + tools/testing/ktest/ktest.pl | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/ktest/ktest.pl b/tools/testing/ktest/ktest.pl +index 449e45bd69665..99e17a0a13649 100755 +--- a/tools/testing/ktest/ktest.pl ++++ b/tools/testing/ktest/ktest.pl +@@ -2036,7 +2036,7 @@ sub get_grub_index { + } elsif ($reboot_type eq "grub2") { + $command = "cat $grub_file"; + $target = '^\s*menuentry.*' . $grub_menu_qt; +- $skip = '^\s*menuentry'; ++ $skip = '^\s*menuentry\s'; + $submenu = '^\s*submenu\s'; + } elsif ($reboot_type eq "grub2bls") { + $command = $grub_bls_get; +-- +2.43.0 + diff --git a/queue-5.15/media-videobuf2-core-clear-memory-related-fields-in-.patch b/queue-5.15/media-videobuf2-core-clear-memory-related-fields-in-.patch new file mode 100644 index 00000000000..6a0ee5df2ff --- /dev/null +++ b/queue-5.15/media-videobuf2-core-clear-memory-related-fields-in-.patch @@ -0,0 +1,52 @@ +From d3a9c10a17ab9bbaa42b004332eac37e0bb75e61 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Aug 2024 11:06:40 +0900 +Subject: media: videobuf2-core: clear memory related fields in + __vb2_plane_dmabuf_put() + +From: Yunke Cao + +[ Upstream commit 6a9c97ab6b7e85697e0b74e86062192a5ffffd99 ] + +Clear vb2_plane's memory related fields in __vb2_plane_dmabuf_put(), +including bytesused, length, fd and data_offset. + +Remove the duplicated code in __prepare_dmabuf(). + +Signed-off-by: Yunke Cao +Acked-by: Tomasz Figa +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/common/videobuf2/videobuf2-core.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/media/common/videobuf2/videobuf2-core.c b/drivers/media/common/videobuf2/videobuf2-core.c +index 30c8497f7c118..b66e80e6924e5 100644 +--- a/drivers/media/common/videobuf2/videobuf2-core.c ++++ b/drivers/media/common/videobuf2/videobuf2-core.c +@@ -302,6 +302,10 @@ static void __vb2_plane_dmabuf_put(struct vb2_buffer *vb, struct vb2_plane *p) + p->mem_priv = NULL; + p->dbuf = NULL; + p->dbuf_mapped = 0; ++ p->bytesused = 0; ++ p->length = 0; ++ p->m.fd = 0; ++ p->data_offset = 0; + } + + /* +@@ -1280,10 +1284,6 @@ static int __prepare_dmabuf(struct vb2_buffer *vb) + + /* Release previously acquired memory if present */ + __vb2_plane_dmabuf_put(vb, &vb->planes[plane]); +- vb->planes[plane].bytesused = 0; +- vb->planes[plane].length = 0; +- vb->planes[plane].m.fd = 0; +- vb->planes[plane].data_offset = 0; + + /* Acquire each plane's memory */ + mem_priv = call_ptr_memop(attach_dmabuf, +-- +2.43.0 + diff --git a/queue-5.15/ntb-ntb_hw_switchtec-fix-use-after-free-vulnerabilit.patch b/queue-5.15/ntb-ntb_hw_switchtec-fix-use-after-free-vulnerabilit.patch new file mode 100644 index 00000000000..f75224f35d4 --- /dev/null +++ b/queue-5.15/ntb-ntb_hw_switchtec-fix-use-after-free-vulnerabilit.patch @@ -0,0 +1,54 @@ +From 50bef56070f6e75771ad2c65f4adfbfa92027958 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Sep 2024 01:20:07 +0800 +Subject: ntb: ntb_hw_switchtec: Fix use after free vulnerability in + switchtec_ntb_remove due to race condition + +From: Kaixin Wang + +[ Upstream commit e51aded92d42784313ba16c12f4f88cc4f973bbb ] + +In the switchtec_ntb_add function, it can call switchtec_ntb_init_sndev +function, then &sndev->check_link_status_work is bound with +check_link_status_work. switchtec_ntb_link_notification may be called +to start the work. + +If we remove the module which will call switchtec_ntb_remove to make +cleanup, it will free sndev through kfree(sndev), while the work +mentioned above will be used. The sequence of operations that may lead +to a UAF bug is as follows: + +CPU0 CPU1 + + | check_link_status_work +switchtec_ntb_remove | +kfree(sndev); | + | if (sndev->link_force_down) + | // use sndev + +Fix it by ensuring that the work is canceled before proceeding with +the cleanup in switchtec_ntb_remove. + +Signed-off-by: Kaixin Wang +Reviewed-by: Logan Gunthorpe +Signed-off-by: Jon Mason +Signed-off-by: Sasha Levin +--- + drivers/ntb/hw/mscc/ntb_hw_switchtec.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/ntb/hw/mscc/ntb_hw_switchtec.c b/drivers/ntb/hw/mscc/ntb_hw_switchtec.c +index ec9cb6c81edae..759248415b5c2 100644 +--- a/drivers/ntb/hw/mscc/ntb_hw_switchtec.c ++++ b/drivers/ntb/hw/mscc/ntb_hw_switchtec.c +@@ -1556,6 +1556,7 @@ static void switchtec_ntb_remove(struct device *dev, + switchtec_ntb_deinit_db_msg_irq(sndev); + switchtec_ntb_deinit_shared_mw(sndev); + switchtec_ntb_deinit_crosslink(sndev); ++ cancel_work_sync(&sndev->check_link_status_work); + kfree(sndev); + dev_info(dev, "ntb device unregistered\n"); + } +-- +2.43.0 + diff --git a/queue-5.15/pci-add-acs-quirk-for-qualcomm-sa8775p.patch b/queue-5.15/pci-add-acs-quirk-for-qualcomm-sa8775p.patch new file mode 100644 index 00000000000..0813df2be76 --- /dev/null +++ b/queue-5.15/pci-add-acs-quirk-for-qualcomm-sa8775p.patch @@ -0,0 +1,42 @@ +From 1104adca0c8c70fb322c888c50f1d349f885e167 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Sep 2024 10:52:27 +0530 +Subject: PCI: Add ACS quirk for Qualcomm SA8775P +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Subramanian Ananthanarayanan + +[ Upstream commit 026f84d3fa62d215b11cbeb5a5d97df941e93b5c ] + +The Qualcomm SA8775P root ports don't advertise an ACS capability, but they +do provide ACS-like features to disable peer transactions and validate bus +numbers in requests. + +Thus, add an ACS quirk for the SA8775P. + +Link: https://lore.kernel.org/linux-pci/20240906052228.1829485-1-quic_skananth@quicinc.com +Signed-off-by: Subramanian Ananthanarayanan +Signed-off-by: Krzysztof Wilczyński +Signed-off-by: Sasha Levin +--- + drivers/pci/quirks.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c +index 2d648967aa85f..965e2c9406dbd 100644 +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -4946,6 +4946,8 @@ static const struct pci_dev_acs_enabled { + /* QCOM QDF2xxx root ports */ + { PCI_VENDOR_ID_QCOM, 0x0400, pci_quirk_qcom_rp_acs }, + { PCI_VENDOR_ID_QCOM, 0x0401, pci_quirk_qcom_rp_acs }, ++ /* QCOM SA8775P root port */ ++ { PCI_VENDOR_ID_QCOM, 0x0115, pci_quirk_qcom_rp_acs }, + /* HXT SD4800 root ports. The ACS design is same as QCOM QDF2xxx */ + { PCI_VENDOR_ID_HXT, 0x0401, pci_quirk_qcom_rp_acs }, + /* Intel PCH root ports */ +-- +2.43.0 + diff --git a/queue-5.15/pci-add-function-0-dma-alias-quirk-for-glenfly-arise.patch b/queue-5.15/pci-add-function-0-dma-alias-quirk-for-glenfly-arise.patch new file mode 100644 index 00000000000..fea770a3603 --- /dev/null +++ b/queue-5.15/pci-add-function-0-dma-alias-quirk-for-glenfly-arise.patch @@ -0,0 +1,69 @@ +From 683f04cd686e002940b0eb331417aa21d2b81ad0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Aug 2024 17:57:08 +0800 +Subject: PCI: Add function 0 DMA alias quirk for Glenfly Arise chip + +From: WangYuli + +[ Upstream commit 9246b487ab3c3b5993aae7552b7a4c541cc14a49 ] + +Add DMA support for audio function of Glenfly Arise chip, which uses +Requester ID of function 0. + +Link: https://lore.kernel.org/r/CA2BBD087345B6D1+20240823095708.3237375-1-wangyuli@uniontech.com +Signed-off-by: SiyuLi +Signed-off-by: WangYuli +[bhelgaas: lower-case hex to match local code, drop unused Device IDs] +Signed-off-by: Bjorn Helgaas +Reviewed-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + drivers/pci/quirks.c | 4 ++++ + include/linux/pci_ids.h | 2 ++ + sound/pci/hda/hda_intel.c | 2 +- + 3 files changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c +index 4d4267105cd2b..2d648967aa85f 100644 +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -4118,6 +4118,10 @@ static void quirk_dma_func0_alias(struct pci_dev *dev) + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_RICOH, 0xe832, quirk_dma_func0_alias); + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_RICOH, 0xe476, quirk_dma_func0_alias); + ++/* Some Glenfly chips use function 0 as the PCIe Requester ID for DMA */ ++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_GLENFLY, 0x3d40, quirk_dma_func0_alias); ++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_GLENFLY, 0x3d41, quirk_dma_func0_alias); ++ + static void quirk_dma_func1_alias(struct pci_dev *dev) + { + if (PCI_FUNC(dev->devfn) != 1) +diff --git a/include/linux/pci_ids.h b/include/linux/pci_ids.h +index 66e95df2e6867..d1997eda6b1ad 100644 +--- a/include/linux/pci_ids.h ++++ b/include/linux/pci_ids.h +@@ -2635,6 +2635,8 @@ + #define PCI_DEVICE_ID_DCI_PCCOM8 0x0002 + #define PCI_DEVICE_ID_DCI_PCCOM2 0x0004 + ++#define PCI_VENDOR_ID_GLENFLY 0x6766 ++ + #define PCI_VENDOR_ID_INTEL 0x8086 + #define PCI_DEVICE_ID_INTEL_EESSC 0x0008 + #define PCI_DEVICE_ID_INTEL_PXHD_0 0x0320 +diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c +index dd4d802c9e71c..6913d113bb4ea 100644 +--- a/sound/pci/hda/hda_intel.c ++++ b/sound/pci/hda/hda_intel.c +@@ -2715,7 +2715,7 @@ static const struct pci_device_id azx_ids[] = { + .driver_data = AZX_DRIVER_ATIHDMI_NS | AZX_DCAPS_PRESET_ATI_HDMI_NS | + AZX_DCAPS_PM_RUNTIME }, + /* GLENFLY */ +- { PCI_DEVICE(0x6766, PCI_ANY_ID), ++ { PCI_DEVICE(PCI_VENDOR_ID_GLENFLY, PCI_ANY_ID), + .class = PCI_CLASS_MULTIMEDIA_HD_AUDIO << 8, + .class_mask = 0xffffff, + .driver_data = AZX_DRIVER_GFHDMI | AZX_DCAPS_POSFIX_LPIB | +-- +2.43.0 + diff --git a/queue-5.15/pci-mark-creative-labs-emu20k2-intx-masking-as-broke.patch b/queue-5.15/pci-mark-creative-labs-emu20k2-intx-masking-as-broke.patch new file mode 100644 index 00000000000..4a59172c371 --- /dev/null +++ b/queue-5.15/pci-mark-creative-labs-emu20k2-intx-masking-as-broke.patch @@ -0,0 +1,45 @@ +From 0fad6ee63fa31635b6b82e09c7bc78a2a652d346 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Sep 2024 15:53:27 -0600 +Subject: PCI: Mark Creative Labs EMU20k2 INTx masking as broken +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alex Williamson + +[ Upstream commit 2910306655a7072640021563ec9501bfa67f0cb1 ] + +Per user reports, the Creative Labs EMU20k2 (Sound Blaster X-Fi +Titanium Series) generates spurious interrupts when used with +vfio-pci unless DisINTx masking support is disabled. + +Thus, quirk the device to mark INTx masking as broken. + +Closes: https://lore.kernel.org/all/VI1PR10MB8207C507DB5420AB4C7281E0DB9A2@VI1PR10MB8207.EURPRD10.PROD.OUTLOOK.COM +Link: https://lore.kernel.org/linux-pci/20240912215331.839220-1-alex.williamson@redhat.com +Reported-by: zdravko delineshev +Signed-off-by: Alex Williamson +[kwilczynski: commit log] +Signed-off-by: Krzysztof Wilczyński +Signed-off-by: Sasha Levin +--- + drivers/pci/quirks.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c +index 965e2c9406dbd..4ce4ca3df7432 100644 +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -3482,6 +3482,8 @@ DECLARE_PCI_FIXUP_FINAL(0x1814, 0x0601, /* Ralink RT2800 802.11n PCI */ + quirk_broken_intx_masking); + DECLARE_PCI_FIXUP_FINAL(0x1b7c, 0x0004, /* Ceton InfiniTV4 */ + quirk_broken_intx_masking); ++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_CREATIVE, PCI_DEVICE_ID_CREATIVE_20K2, ++ quirk_broken_intx_masking); + + /* + * Realtek RTL8169 PCI Gigabit Ethernet Controller (rev 10) +-- +2.43.0 + diff --git a/queue-5.15/rdma-mad-improve-handling-of-timed-out-wrs-of-mad-ag.patch b/queue-5.15/rdma-mad-improve-handling-of-timed-out-wrs-of-mad-ag.patch new file mode 100644 index 00000000000..410abbbec4f --- /dev/null +++ b/queue-5.15/rdma-mad-improve-handling-of-timed-out-wrs-of-mad-ag.patch @@ -0,0 +1,142 @@ +From 1c8981807a4523fb61caa3121ae454d86ee24f1f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Jul 2024 16:33:25 +0530 +Subject: RDMA/mad: Improve handling of timed out WRs of mad agent + +From: Saravanan Vajravel + +[ Upstream commit 2a777679b8ccd09a9a65ea0716ef10365179caac ] + +Current timeout handler of mad agent acquires/releases mad_agent_priv +lock for every timed out WRs. This causes heavy locking contention +when higher no. of WRs are to be handled inside timeout handler. + +This leads to softlockup with below trace in some use cases where +rdma-cm path is used to establish connection between peer nodes + +Trace: +----- + BUG: soft lockup - CPU#4 stuck for 26s! [kworker/u128:3:19767] + CPU: 4 PID: 19767 Comm: kworker/u128:3 Kdump: loaded Tainted: G OE + ------- --- 5.14.0-427.13.1.el9_4.x86_64 #1 + Hardware name: Dell Inc. PowerEdge R740/01YM03, BIOS 2.4.8 11/26/2019 + Workqueue: ib_mad1 timeout_sends [ib_core] + RIP: 0010:__do_softirq+0x78/0x2ac + RSP: 0018:ffffb253449e4f98 EFLAGS: 00000246 + RAX: 00000000ffffffff RBX: 0000000000000000 RCX: 000000000000001f + RDX: 000000000000001d RSI: 000000003d1879ab RDI: fff363b66fd3a86b + RBP: ffffb253604cbcd8 R08: 0000009065635f3b R09: 0000000000000000 + R10: 0000000000000040 R11: ffffb253449e4ff8 R12: 0000000000000000 + R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000040 + FS: 0000000000000000(0000) GS:ffff8caa1fc80000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 00007fd9ec9db900 CR3: 0000000891934006 CR4: 00000000007706e0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + PKRU: 55555554 + Call Trace: + + ? show_trace_log_lvl+0x1c4/0x2df + ? show_trace_log_lvl+0x1c4/0x2df + ? __irq_exit_rcu+0xa1/0xc0 + ? watchdog_timer_fn+0x1b2/0x210 + ? __pfx_watchdog_timer_fn+0x10/0x10 + ? __hrtimer_run_queues+0x127/0x2c0 + ? hrtimer_interrupt+0xfc/0x210 + ? __sysvec_apic_timer_interrupt+0x5c/0x110 + ? sysvec_apic_timer_interrupt+0x37/0x90 + ? asm_sysvec_apic_timer_interrupt+0x16/0x20 + ? __do_softirq+0x78/0x2ac + ? __do_softirq+0x60/0x2ac + __irq_exit_rcu+0xa1/0xc0 + sysvec_call_function_single+0x72/0x90 + + + asm_sysvec_call_function_single+0x16/0x20 + RIP: 0010:_raw_spin_unlock_irq+0x14/0x30 + RSP: 0018:ffffb253604cbd88 EFLAGS: 00000247 + RAX: 000000000001960d RBX: 0000000000000002 RCX: ffff8cad2a064800 + RDX: 000000008020001b RSI: 0000000000000001 RDI: ffff8cad5d39f66c + RBP: ffff8cad5d39f600 R08: 0000000000000001 R09: 0000000000000000 + R10: ffff8caa443e0c00 R11: ffffb253604cbcd8 R12: ffff8cacb8682538 + R13: 0000000000000005 R14: ffffb253604cbd90 R15: ffff8cad5d39f66c + cm_process_send_error+0x122/0x1d0 [ib_cm] + timeout_sends+0x1dd/0x270 [ib_core] + process_one_work+0x1e2/0x3b0 + ? __pfx_worker_thread+0x10/0x10 + worker_thread+0x50/0x3a0 + ? __pfx_worker_thread+0x10/0x10 + kthread+0xdd/0x100 + ? __pfx_kthread+0x10/0x10 + ret_from_fork+0x29/0x50 + + +Simplified timeout handler by creating local list of timed out WRs +and invoke send handler post creating the list. The new method acquires/ +releases lock once to fetch the list and hence helps to reduce locking +contetiong when processing higher no. of WRs + +Signed-off-by: Saravanan Vajravel +Link: https://lore.kernel.org/r/20240722110325.195085-1-saravanan.vajravel@broadcom.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/mad.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/drivers/infiniband/core/mad.c b/drivers/infiniband/core/mad.c +index 674344eb8e2f4..58befbaaf0ad5 100644 +--- a/drivers/infiniband/core/mad.c ++++ b/drivers/infiniband/core/mad.c +@@ -2616,14 +2616,16 @@ static int retry_send(struct ib_mad_send_wr_private *mad_send_wr) + + static void timeout_sends(struct work_struct *work) + { ++ struct ib_mad_send_wr_private *mad_send_wr, *n; + struct ib_mad_agent_private *mad_agent_priv; +- struct ib_mad_send_wr_private *mad_send_wr; + struct ib_mad_send_wc mad_send_wc; ++ struct list_head local_list; + unsigned long flags, delay; + + mad_agent_priv = container_of(work, struct ib_mad_agent_private, + timed_work.work); + mad_send_wc.vendor_err = 0; ++ INIT_LIST_HEAD(&local_list); + + spin_lock_irqsave(&mad_agent_priv->lock, flags); + while (!list_empty(&mad_agent_priv->wait_list)) { +@@ -2641,13 +2643,16 @@ static void timeout_sends(struct work_struct *work) + break; + } + +- list_del(&mad_send_wr->agent_list); ++ list_del_init(&mad_send_wr->agent_list); + if (mad_send_wr->status == IB_WC_SUCCESS && + !retry_send(mad_send_wr)) + continue; + +- spin_unlock_irqrestore(&mad_agent_priv->lock, flags); ++ list_add_tail(&mad_send_wr->agent_list, &local_list); ++ } ++ spin_unlock_irqrestore(&mad_agent_priv->lock, flags); + ++ list_for_each_entry_safe(mad_send_wr, n, &local_list, agent_list) { + if (mad_send_wr->status == IB_WC_SUCCESS) + mad_send_wc.status = IB_WC_RESP_TIMEOUT_ERR; + else +@@ -2655,11 +2660,8 @@ static void timeout_sends(struct work_struct *work) + mad_send_wc.send_buf = &mad_send_wr->send_buf; + mad_agent_priv->agent.send_handler(&mad_agent_priv->agent, + &mad_send_wc); +- + deref_mad_agent(mad_agent_priv); +- spin_lock_irqsave(&mad_agent_priv->lock, flags); + } +- spin_unlock_irqrestore(&mad_agent_priv->lock, flags); + } + + /* +-- +2.43.0 + diff --git a/queue-5.15/rdma-rtrs-srv-avoid-null-pointer-deref-during-path-e.patch b/queue-5.15/rdma-rtrs-srv-avoid-null-pointer-deref-during-path-e.patch new file mode 100644 index 00000000000..3809634f5cf --- /dev/null +++ b/queue-5.15/rdma-rtrs-srv-avoid-null-pointer-deref-during-path-e.patch @@ -0,0 +1,66 @@ +From 66fd9ef62c071255eadf97fc5aa1598a19815029 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Aug 2024 13:22:14 +0200 +Subject: RDMA/rtrs-srv: Avoid null pointer deref during path establishment + +From: Md Haris Iqbal + +[ Upstream commit d0e62bf7b575fbfe591f6f570e7595dd60a2f5eb ] + +For RTRS path establishment, RTRS client initiates and completes con_num +of connections. After establishing all its connections, the information +is exchanged between the client and server through the info_req message. +During this exchange, it is essential that all connections have been +established, and the state of the RTRS srv path is CONNECTED. + +So add these sanity checks, to make sure we detect and abort process in +error scenarios to avoid null pointer deref. + +Signed-off-by: Md Haris Iqbal +Signed-off-by: Jack Wang +Signed-off-by: Grzegorz Prajsner +Link: https://patch.msgid.link/20240821112217.41827-9-haris.iqbal@ionos.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/ulp/rtrs/rtrs-srv.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/ulp/rtrs/rtrs-srv.c b/drivers/infiniband/ulp/rtrs/rtrs-srv.c +index 1af6db9a6511a..4fa916a8f3865 100644 +--- a/drivers/infiniband/ulp/rtrs/rtrs-srv.c ++++ b/drivers/infiniband/ulp/rtrs/rtrs-srv.c +@@ -943,12 +943,11 @@ static void rtrs_srv_info_req_done(struct ib_cq *cq, struct ib_wc *wc) + if (err) + goto close; + +-out: + rtrs_iu_free(iu, srv_path->s.dev->ib_dev, 1); + return; + close: ++ rtrs_iu_free(iu, srv_path->s.dev->ib_dev, 1); + close_path(srv_path); +- goto out; + } + + static int post_recv_info_req(struct rtrs_srv_con *con) +@@ -999,6 +998,16 @@ static int post_recv_path(struct rtrs_srv_path *srv_path) + q_size = SERVICE_CON_QUEUE_DEPTH; + else + q_size = srv->queue_depth; ++ if (srv_path->state != RTRS_SRV_CONNECTING) { ++ rtrs_err(s, "Path state invalid. state %s\n", ++ rtrs_srv_state_str(srv_path->state)); ++ return -EIO; ++ } ++ ++ if (!srv_path->s.con[cid]) { ++ rtrs_err(s, "Conn not set for %d\n", cid); ++ return -EIO; ++ } + + err = post_recv_io(to_srv_con(srv_path->s.con[cid]), q_size); + if (err) { +-- +2.43.0 + diff --git a/queue-5.15/remoteproc-imx_rproc-use-imx-specific-hook-for-find_.patch b/queue-5.15/remoteproc-imx_rproc-use-imx-specific-hook-for-find_.patch new file mode 100644 index 00000000000..02651c8f468 --- /dev/null +++ b/queue-5.15/remoteproc-imx_rproc-use-imx-specific-hook-for-find_.patch @@ -0,0 +1,69 @@ +From 9fc154c79db48ea87683cc090f18c168d1334257 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Jul 2024 16:36:12 +0800 +Subject: remoteproc: imx_rproc: Use imx specific hook for + find_loaded_rsc_table + +From: Peng Fan + +[ Upstream commit e954a1bd16102abc800629f9900715d8ec4c3130 ] + +If there is a resource table device tree node, use the address as +the resource table address, otherwise use the address(where +.resource_table section loaded) inside the Cortex-M elf file. + +And there is an update in NXP SDK that Resource Domain Control(RDC) +enabled to protect TCM, linux not able to write the TCM space when +updating resource table status and cause kernel dump. So use the address +from device tree could avoid kernel dump. + +Note: NXP M4 SDK not check resource table update, so it does not matter +use whether resource table address specified in elf file or in device +tree. But to reflect the fact that if people specific resource table +address in device tree, it means people are aware and going to use it, +not the address specified in elf file. + +Reviewed-by: Iuliana Prodan +Signed-off-by: Peng Fan +Reviewed-by: Daniel Baluta +Link: https://lore.kernel.org/r/20240719-imx_rproc-v2-2-10d0268c7eb1@nxp.com +Signed-off-by: Mathieu Poirier +Signed-off-by: Sasha Levin +--- + drivers/remoteproc/imx_rproc.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +diff --git a/drivers/remoteproc/imx_rproc.c b/drivers/remoteproc/imx_rproc.c +index c45c87a94d62a..107da44ab3b76 100644 +--- a/drivers/remoteproc/imx_rproc.c ++++ b/drivers/remoteproc/imx_rproc.c +@@ -529,6 +529,17 @@ static struct resource_table *imx_rproc_get_loaded_rsc_table(struct rproc *rproc + return (struct resource_table *)priv->rsc_table; + } + ++static struct resource_table * ++imx_rproc_elf_find_loaded_rsc_table(struct rproc *rproc, const struct firmware *fw) ++{ ++ struct imx_rproc *priv = rproc->priv; ++ ++ if (priv->rsc_table) ++ return (struct resource_table *)priv->rsc_table; ++ ++ return rproc_elf_find_loaded_rsc_table(rproc, fw); ++} ++ + static const struct rproc_ops imx_rproc_ops = { + .prepare = imx_rproc_prepare, + .attach = imx_rproc_attach, +@@ -538,7 +549,7 @@ static const struct rproc_ops imx_rproc_ops = { + .da_to_va = imx_rproc_da_to_va, + .load = rproc_elf_load_segments, + .parse_fw = imx_rproc_parse_fw, +- .find_loaded_rsc_table = rproc_elf_find_loaded_rsc_table, ++ .find_loaded_rsc_table = imx_rproc_elf_find_loaded_rsc_table, + .get_loaded_rsc_table = imx_rproc_get_loaded_rsc_table, + .sanity_check = rproc_elf_sanity_check, + .get_boot_addr = rproc_elf_get_boot_addr, +-- +2.43.0 + diff --git a/queue-5.15/s390-boot-compile-all-files-with-the-same-march-flag.patch b/queue-5.15/s390-boot-compile-all-files-with-the-same-march-flag.patch new file mode 100644 index 00000000000..7ceab245062 --- /dev/null +++ b/queue-5.15/s390-boot-compile-all-files-with-the-same-march-flag.patch @@ -0,0 +1,66 @@ +From d18675f60edfeeb1fc5156dd6cdd7c11d26567ca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Sep 2024 11:39:27 +0200 +Subject: s390/boot: Compile all files with the same march flag + +From: Heiko Carstens + +[ Upstream commit fccb175bc89a0d37e3ff513bb6bf1f73b3a48950 ] + +Only a couple of files of the decompressor are compiled with the +minimum architecture level. This is problematic for potential function +calls between compile units, especially if a target function is within +a compile until compiled for a higher architecture level, since that +may lead to an unexpected operation exception. + +Therefore compile all files of the decompressor for the same (minimum) +architecture level. + +Reviewed-by: Sven Schnelle +Signed-off-by: Heiko Carstens +Signed-off-by: Sasha Levin +--- + arch/s390/boot/Makefile | 19 +++++-------------- + 1 file changed, 5 insertions(+), 14 deletions(-) + +diff --git a/arch/s390/boot/Makefile b/arch/s390/boot/Makefile +index 0ba6468991316..cbfa9c150bd32 100644 +--- a/arch/s390/boot/Makefile ++++ b/arch/s390/boot/Makefile +@@ -9,11 +9,8 @@ UBSAN_SANITIZE := n + KASAN_SANITIZE := n + KCSAN_SANITIZE := n + +-KBUILD_AFLAGS := $(KBUILD_AFLAGS_DECOMPRESSOR) +-KBUILD_CFLAGS := $(KBUILD_CFLAGS_DECOMPRESSOR) +- + # +-# Use minimum architecture for als.c to be able to print an error ++# Use minimum architecture level so it is possible to print an error + # message if the kernel is started on a machine which is too old + # + ifndef CONFIG_CC_IS_CLANG +@@ -22,16 +19,10 @@ else + CC_FLAGS_MARCH_MINIMUM := -march=z10 + endif + +-ifneq ($(CC_FLAGS_MARCH),$(CC_FLAGS_MARCH_MINIMUM)) +-AFLAGS_REMOVE_head.o += $(CC_FLAGS_MARCH) +-AFLAGS_head.o += $(CC_FLAGS_MARCH_MINIMUM) +-AFLAGS_REMOVE_mem.o += $(CC_FLAGS_MARCH) +-AFLAGS_mem.o += $(CC_FLAGS_MARCH_MINIMUM) +-CFLAGS_REMOVE_als.o += $(CC_FLAGS_MARCH) +-CFLAGS_als.o += $(CC_FLAGS_MARCH_MINIMUM) +-CFLAGS_REMOVE_sclp_early_core.o += $(CC_FLAGS_MARCH) +-CFLAGS_sclp_early_core.o += $(CC_FLAGS_MARCH_MINIMUM) +-endif ++KBUILD_AFLAGS := $(filter-out $(CC_FLAGS_MARCH),$(KBUILD_AFLAGS_DECOMPRESSOR)) ++KBUILD_CFLAGS := $(filter-out $(CC_FLAGS_MARCH),$(KBUILD_CFLAGS_DECOMPRESSOR)) ++KBUILD_AFLAGS += $(CC_FLAGS_MARCH_MINIMUM) ++KBUILD_CFLAGS += $(CC_FLAGS_MARCH_MINIMUM) + + CFLAGS_sclp_early_core.o += -I$(srctree)/drivers/s390/char + +-- +2.43.0 + diff --git a/queue-5.15/s390-cpum_sf-remove-warn_on_once-statements.patch b/queue-5.15/s390-cpum_sf-remove-warn_on_once-statements.patch new file mode 100644 index 00000000000..16a90ab0607 --- /dev/null +++ b/queue-5.15/s390-cpum_sf-remove-warn_on_once-statements.patch @@ -0,0 +1,71 @@ +From d84cd1b1ee01d649289475f4a6562f932e792631 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Jul 2024 12:23:47 +0200 +Subject: s390/cpum_sf: Remove WARN_ON_ONCE statements + +From: Thomas Richter + +[ Upstream commit b495e710157606889f2d8bdc62aebf2aa02f67a7 ] + +Remove WARN_ON_ONCE statements. These have not triggered in the +past. + +Signed-off-by: Thomas Richter +Acked-by: Sumanth Korikkar +Cc: Heiko Carstens +Cc: Vasily Gorbik +Cc: Alexander Gordeev +Signed-off-by: Vasily Gorbik +Signed-off-by: Sasha Levin +--- + arch/s390/kernel/perf_cpum_sf.c | 12 ++++-------- + 1 file changed, 4 insertions(+), 8 deletions(-) + +diff --git a/arch/s390/kernel/perf_cpum_sf.c b/arch/s390/kernel/perf_cpum_sf.c +index 4e6fadaeaa1a6..a8ba3887b367f 100644 +--- a/arch/s390/kernel/perf_cpum_sf.c ++++ b/arch/s390/kernel/perf_cpum_sf.c +@@ -1432,7 +1432,7 @@ static int aux_output_begin(struct perf_output_handle *handle, + unsigned long head, base, offset; + struct hws_trailer_entry *te; + +- if (WARN_ON_ONCE(handle->head & ~PAGE_MASK)) ++ if (handle->head & ~PAGE_MASK) + return -EINVAL; + + aux->head = handle->head >> PAGE_SHIFT; +@@ -1613,7 +1613,7 @@ static void hw_collect_aux(struct cpu_hw_sf *cpuhw) + unsigned long num_sdb; + + aux = perf_get_aux(handle); +- if (WARN_ON_ONCE(!aux)) ++ if (!aux) + return; + + /* Inform user space new data arrived */ +@@ -1635,7 +1635,7 @@ static void hw_collect_aux(struct cpu_hw_sf *cpuhw) + __func__); + break; + } +- if (WARN_ON_ONCE(!aux)) ++ if (!aux) + return; + + /* Update head and alert_mark to new position */ +@@ -1870,12 +1870,8 @@ static void cpumsf_pmu_start(struct perf_event *event, int flags) + { + struct cpu_hw_sf *cpuhw = this_cpu_ptr(&cpu_hw_sf); + +- if (WARN_ON_ONCE(!(event->hw.state & PERF_HES_STOPPED))) ++ if (!(event->hw.state & PERF_HES_STOPPED)) + return; +- +- if (flags & PERF_EF_RELOAD) +- WARN_ON_ONCE(!(event->hw.state & PERF_HES_UPTODATE)); +- + perf_pmu_disable(event->pmu); + event->hw.state = 0; + cpuhw->lsctl.cs = 1; +-- +2.43.0 + diff --git a/queue-5.15/s390-facility-disable-compile-time-optimization-for-.patch b/queue-5.15/s390-facility-disable-compile-time-optimization-for-.patch new file mode 100644 index 00000000000..ad13c778738 --- /dev/null +++ b/queue-5.15/s390-facility-disable-compile-time-optimization-for-.patch @@ -0,0 +1,45 @@ +From 2f38c3bca402a071cc78b2852930e5382fe8b7bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Sep 2024 11:39:24 +0200 +Subject: s390/facility: Disable compile time optimization for decompressor + code + +From: Heiko Carstens + +[ Upstream commit 0147addc4fb72a39448b8873d8acdf3a0f29aa65 ] + +Disable compile time optimizations of test_facility() for the +decompressor. The decompressor should not contain any optimized code +depending on the architecture level set the kernel image is compiled +for to avoid unexpected operation exceptions. + +Add a __DECOMPRESSOR check to test_facility() to enforce that +facilities are always checked during runtime for the decompressor. + +Reviewed-by: Sven Schnelle +Signed-off-by: Heiko Carstens +Signed-off-by: Sasha Levin +--- + arch/s390/include/asm/facility.h | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/arch/s390/include/asm/facility.h b/arch/s390/include/asm/facility.h +index e3aa354ab9f46..bd7dc6fc139e6 100644 +--- a/arch/s390/include/asm/facility.h ++++ b/arch/s390/include/asm/facility.h +@@ -56,8 +56,10 @@ static inline int test_facility(unsigned long nr) + unsigned long facilities_als[] = { FACILITIES_ALS }; + + if (__builtin_constant_p(nr) && nr < sizeof(facilities_als) * 8) { +- if (__test_facility(nr, &facilities_als)) +- return 1; ++ if (__test_facility(nr, &facilities_als)) { ++ if (!__is_defined(__DECOMPRESSOR)) ++ return 1; ++ } + } + return __test_facility(nr, &stfle_fac_list); + } +-- +2.43.0 + diff --git a/queue-5.15/s390-mm-add-cond_resched-to-cmm_alloc-free_pages.patch b/queue-5.15/s390-mm-add-cond_resched-to-cmm_alloc-free_pages.patch new file mode 100644 index 00000000000..d049a68875e --- /dev/null +++ b/queue-5.15/s390-mm-add-cond_resched-to-cmm_alloc-free_pages.patch @@ -0,0 +1,69 @@ +From dd3d160b827deaa0595355e105cdc4572a0f264f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Sep 2024 14:02:19 +0200 +Subject: s390/mm: Add cond_resched() to cmm_alloc/free_pages() + +From: Gerald Schaefer + +[ Upstream commit 131b8db78558120f58c5dc745ea9655f6b854162 ] + +Adding/removing large amount of pages at once to/from the CMM balloon +can result in rcu_sched stalls or workqueue lockups, because of busy +looping w/o cond_resched(). + +Prevent this by adding a cond_resched(). cmm_free_pages() holds a +spin_lock while looping, so it cannot be added directly to the existing +loop. Instead, introduce a wrapper function that operates on maximum 256 +pages at once, and add it there. + +Signed-off-by: Gerald Schaefer +Reviewed-by: Heiko Carstens +Signed-off-by: Heiko Carstens +Signed-off-by: Sasha Levin +--- + arch/s390/mm/cmm.c | 18 +++++++++++++++++- + 1 file changed, 17 insertions(+), 1 deletion(-) + +diff --git a/arch/s390/mm/cmm.c b/arch/s390/mm/cmm.c +index 1141c8d5c0d03..9b4304fa37bfc 100644 +--- a/arch/s390/mm/cmm.c ++++ b/arch/s390/mm/cmm.c +@@ -95,11 +95,12 @@ static long cmm_alloc_pages(long nr, long *counter, + (*counter)++; + spin_unlock(&cmm_lock); + nr--; ++ cond_resched(); + } + return nr; + } + +-static long cmm_free_pages(long nr, long *counter, struct cmm_page_array **list) ++static long __cmm_free_pages(long nr, long *counter, struct cmm_page_array **list) + { + struct cmm_page_array *pa; + unsigned long addr; +@@ -123,6 +124,21 @@ static long cmm_free_pages(long nr, long *counter, struct cmm_page_array **list) + return nr; + } + ++static long cmm_free_pages(long nr, long *counter, struct cmm_page_array **list) ++{ ++ long inc = 0; ++ ++ while (nr) { ++ inc = min(256L, nr); ++ nr -= inc; ++ inc = __cmm_free_pages(inc, counter, list); ++ if (inc) ++ break; ++ cond_resched(); ++ } ++ return nr + inc; ++} ++ + static int cmm_oom_notify(struct notifier_block *self, + unsigned long dummy, void *parm) + { +-- +2.43.0 + diff --git a/queue-5.15/series b/queue-5.15/series index 82e5579dac5..eca9dac562b 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -599,3 +599,31 @@ selftests-net-remove-executable-bits-from-library-sc.patch fs-ntfs3-refactor-enum_rstbl-to-suppress-static-chec.patch virtio_console-fix-misc-probe-bugs.patch input-synaptics-rmi4-fix-uaf-of-irq-domain-on-driver.patch +bpf-check-percpu-map-value-size-first.patch +s390-boot-compile-all-files-with-the-same-march-flag.patch +s390-facility-disable-compile-time-optimization-for-.patch +s390-mm-add-cond_resched-to-cmm_alloc-free_pages.patch +bpf-x64-fix-a-jit-convergence-issue.patch +ext4-don-t-set-sb_rdonly-after-filesystem-errors.patch +ext4-nested-locking-for-xattr-inode.patch +s390-cpum_sf-remove-warn_on_once-statements.patch +ktest.pl-avoid-false-positives-with-grub2-skip-regex.patch +rdma-mad-improve-handling-of-timed-out-wrs-of-mad-ag.patch +pci-add-function-0-dma-alias-quirk-for-glenfly-arise.patch +rdma-rtrs-srv-avoid-null-pointer-deref-during-path-e.patch +clk-bcm-bcm53573-fix-of-node-leak-in-init.patch +pci-add-acs-quirk-for-qualcomm-sa8775p.patch +i2c-i801-use-a-different-adapter-name-for-idf-adapte.patch +pci-mark-creative-labs-emu20k2-intx-masking-as-broke.patch +ntb-ntb_hw_switchtec-fix-use-after-free-vulnerabilit.patch +media-videobuf2-core-clear-memory-related-fields-in-.patch +remoteproc-imx_rproc-use-imx-specific-hook-for-find_.patch +clk-imx-remove-clk_set_parent_gate-for-dram-mux-for-.patch +usb-chipidea-udc-enable-suspend-interrupt-after-usb-.patch +usb-dwc2-adjust-the-timing-of-usb-driver-interrupt-r.patch +comedi-ni_routing-tools-check-when-the-file-could-no.patch +virtio_pmem-check-device-status-before-requesting-fl.patch +tools-iio-add-memory-allocation-failure-check-for-tr.patch +driver-core-bus-return-eio-instead-of-0-when-show-st.patch +drm-amd-display-check-null-pointer-before-dereferenc.patch +fbdev-sisfb-fix-strbuf-array-overflow.patch diff --git a/queue-5.15/tools-iio-add-memory-allocation-failure-check-for-tr.patch b/queue-5.15/tools-iio-add-memory-allocation-failure-check-for-tr.patch new file mode 100644 index 00000000000..7ee1c1413c2 --- /dev/null +++ b/queue-5.15/tools-iio-add-memory-allocation-failure-check-for-tr.patch @@ -0,0 +1,38 @@ +From 4f831d45af565e94043d1abd957fa11ca07ee30e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Aug 2024 02:31:29 -0700 +Subject: tools/iio: Add memory allocation failure check for trigger_name + +From: Zhu Jun + +[ Upstream commit 3c6b818b097dd6932859bcc3d6722a74ec5931c1 ] + +Added a check to handle memory allocation failure for `trigger_name` +and return `-ENOMEM`. + +Signed-off-by: Zhu Jun +Link: https://patch.msgid.link/20240828093129.3040-1-zhujun2@cmss.chinamobile.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + tools/iio/iio_generic_buffer.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/tools/iio/iio_generic_buffer.c b/tools/iio/iio_generic_buffer.c +index 0d0a7a19d6f95..9ef5ee087eda3 100644 +--- a/tools/iio/iio_generic_buffer.c ++++ b/tools/iio/iio_generic_buffer.c +@@ -498,6 +498,10 @@ int main(int argc, char **argv) + return -ENOMEM; + } + trigger_name = malloc(IIO_MAX_NAME_LENGTH); ++ if (!trigger_name) { ++ ret = -ENOMEM; ++ goto error; ++ } + ret = read_sysfs_string("name", trig_dev_name, trigger_name); + free(trig_dev_name); + if (ret < 0) { +-- +2.43.0 + diff --git a/queue-5.15/usb-chipidea-udc-enable-suspend-interrupt-after-usb-.patch b/queue-5.15/usb-chipidea-udc-enable-suspend-interrupt-after-usb-.patch new file mode 100644 index 00000000000..a2d70978b6a --- /dev/null +++ b/queue-5.15/usb-chipidea-udc-enable-suspend-interrupt-after-usb-.patch @@ -0,0 +1,59 @@ +From 29df37d6746967e7dfea9051aecccc7e43f4b14e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Aug 2024 15:38:32 +0800 +Subject: usb: chipidea: udc: enable suspend interrupt after usb reset + +From: Xu Yang + +[ Upstream commit e4fdcc10092fb244218013bfe8ff01c55d54e8e4 ] + +Currently, suspend interrupt is enabled before pullup enable operation. +This will cause a suspend interrupt assert right after pullup DP. This +suspend interrupt is meaningless, so this will ignore such interrupt +by enable it after usb reset completed. + +Signed-off-by: Xu Yang +Acked-by: Peter Chen +Link: https://lore.kernel.org/r/20240823073832.1702135-1-xu.yang_2@nxp.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/chipidea/udc.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/chipidea/udc.c b/drivers/usb/chipidea/udc.c +index aacc37736db6e..8b6745b7588c7 100644 +--- a/drivers/usb/chipidea/udc.c ++++ b/drivers/usb/chipidea/udc.c +@@ -84,7 +84,7 @@ static int hw_device_state(struct ci_hdrc *ci, u32 dma) + hw_write(ci, OP_ENDPTLISTADDR, ~0, dma); + /* interrupt, error, port change, reset, sleep/suspend */ + hw_write(ci, OP_USBINTR, ~0, +- USBi_UI|USBi_UEI|USBi_PCI|USBi_URI|USBi_SLI); ++ USBi_UI|USBi_UEI|USBi_PCI|USBi_URI); + } else { + hw_write(ci, OP_USBINTR, ~0, 0); + } +@@ -868,6 +868,7 @@ __releases(ci->lock) + __acquires(ci->lock) + { + int retval; ++ u32 intr; + + spin_unlock(&ci->lock); + if (ci->gadget.speed != USB_SPEED_UNKNOWN) +@@ -881,6 +882,11 @@ __acquires(ci->lock) + if (retval) + goto done; + ++ /* clear SLI */ ++ hw_write(ci, OP_USBSTS, USBi_SLI, USBi_SLI); ++ intr = hw_read(ci, OP_USBINTR, ~0); ++ hw_write(ci, OP_USBINTR, ~0, intr | USBi_SLI); ++ + ci->status = usb_ep_alloc_request(&ci->ep0in->ep, GFP_ATOMIC); + if (ci->status == NULL) + retval = -ENOMEM; +-- +2.43.0 + diff --git a/queue-5.15/usb-dwc2-adjust-the-timing-of-usb-driver-interrupt-r.patch b/queue-5.15/usb-dwc2-adjust-the-timing-of-usb-driver-interrupt-r.patch new file mode 100644 index 00000000000..c62ca95f98f --- /dev/null +++ b/queue-5.15/usb-dwc2-adjust-the-timing-of-usb-driver-interrupt-r.patch @@ -0,0 +1,125 @@ +From 51eacabbac445f57d6f5ac82a168eeaed41d507f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Aug 2024 11:17:09 +0800 +Subject: usb: dwc2: Adjust the timing of USB Driver Interrupt Registration in + the Crashkernel Scenario + +From: Shawn Shao + +[ Upstream commit 4058c39bd176daf11a826802d940d86292a6b02b ] + +The issue is that before entering the crash kernel, the DWC USB controller +did not perform operations such as resetting the interrupt mask bits. +After entering the crash kernel,before the USB interrupt handler +registration was completed while loading the DWC USB driver,an GINTSTS_SOF +interrupt was received.This triggered the misroute_irq process within the +GIC handling framework,ultimately leading to the misrouting of the +interrupt,causing it to be handled by the wrong interrupt handler +and resulting in the issue. + +Summary:In a scenario where the kernel triggers a panic and enters +the crash kernel,it is necessary to ensure that the interrupt mask +bit is not enabled before the interrupt registration is complete. +If an interrupt reaches the CPU at this moment,it will certainly +not be handled correctly,especially in cases where this interrupt +is reported frequently. + +Please refer to the Crashkernel dmesg information as follows +(the message on line 3 was added before devm_request_irq is +called by the dwc2_driver_probe function): +[ 5.866837][ T1] dwc2 JMIC0010:01: supply vusb_d not found, using dummy regulator +[ 5.874588][ T1] dwc2 JMIC0010:01: supply vusb_a not found, using dummy regulator +[ 5.882335][ T1] dwc2 JMIC0010:01: before devm_request_irq irq: [71], gintmsk[0xf300080e], gintsts[0x04200009] +[ 5.892686][ C0] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.10.0-jmnd1.2_RC #18 +[ 5.900327][ C0] Hardware name: CMSS HyperCard4-25G/HyperCard4-25G, BIOS 1.6.4 Jul 8 2024 +[ 5.908836][ C0] Call trace: +[ 5.911965][ C0] dump_backtrace+0x0/0x1f0 +[ 5.916308][ C0] show_stack+0x20/0x30 +[ 5.920304][ C0] dump_stack+0xd8/0x140 +[ 5.924387][ C0] pcie_xxx_handler+0x3c/0x1d8 +[ 5.930121][ C0] __handle_irq_event_percpu+0x64/0x1e0 +[ 5.935506][ C0] handle_irq_event+0x80/0x1d0 +[ 5.940109][ C0] try_one_irq+0x138/0x174 +[ 5.944365][ C0] misrouted_irq+0x134/0x140 +[ 5.948795][ C0] note_interrupt+0x1d0/0x30c +[ 5.953311][ C0] handle_irq_event+0x13c/0x1d0 +[ 5.958001][ C0] handle_fasteoi_irq+0xd4/0x260 +[ 5.962779][ C0] __handle_domain_irq+0x88/0xf0 +[ 5.967555][ C0] gic_handle_irq+0x9c/0x2f0 +[ 5.971985][ C0] el1_irq+0xb8/0x140 +[ 5.975807][ C0] __setup_irq+0x3dc/0x7cc +[ 5.980064][ C0] request_threaded_irq+0xf4/0x1b4 +[ 5.985015][ C0] devm_request_threaded_irq+0x80/0x100 +[ 5.990400][ C0] dwc2_driver_probe+0x1b8/0x6b0 +[ 5.995178][ C0] platform_drv_probe+0x5c/0xb0 +[ 5.999868][ C0] really_probe+0xf8/0x51c +[ 6.004125][ C0] driver_probe_device+0xfc/0x170 +[ 6.008989][ C0] device_driver_attach+0xc8/0xd0 +[ 6.013853][ C0] __driver_attach+0xe8/0x1b0 +[ 6.018369][ C0] bus_for_each_dev+0x7c/0xdc +[ 6.022886][ C0] driver_attach+0x2c/0x3c +[ 6.027143][ C0] bus_add_driver+0xdc/0x240 +[ 6.031573][ C0] driver_register+0x80/0x13c +[ 6.036090][ C0] __platform_driver_register+0x50/0x5c +[ 6.041476][ C0] dwc2_platform_driver_init+0x24/0x30 +[ 6.046774][ C0] do_one_initcall+0x50/0x25c +[ 6.051291][ C0] do_initcall_level+0xe4/0xfc +[ 6.055894][ C0] do_initcalls+0x80/0xa4 +[ 6.060064][ C0] kernel_init_freeable+0x198/0x240 +[ 6.065102][ C0] kernel_init+0x1c/0x12c + +Signed-off-by: Shawn Shao +Link: https://lore.kernel.org/r/20240830031709.134-1-shawn.shao@jaguarmicro.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc2/platform.c | 26 ++++++++++++++------------ + 1 file changed, 14 insertions(+), 12 deletions(-) + +diff --git a/drivers/usb/dwc2/platform.c b/drivers/usb/dwc2/platform.c +index 79094384d8fd4..5ff8186936790 100644 +--- a/drivers/usb/dwc2/platform.c ++++ b/drivers/usb/dwc2/platform.c +@@ -484,18 +484,6 @@ static int dwc2_driver_probe(struct platform_device *dev) + + spin_lock_init(&hsotg->lock); + +- hsotg->irq = platform_get_irq(dev, 0); +- if (hsotg->irq < 0) +- return hsotg->irq; +- +- dev_dbg(hsotg->dev, "registering common handler for irq%d\n", +- hsotg->irq); +- retval = devm_request_irq(hsotg->dev, hsotg->irq, +- dwc2_handle_common_intr, IRQF_SHARED, +- dev_name(hsotg->dev), hsotg); +- if (retval) +- return retval; +- + hsotg->vbus_supply = devm_regulator_get_optional(hsotg->dev, "vbus"); + if (IS_ERR(hsotg->vbus_supply)) { + retval = PTR_ERR(hsotg->vbus_supply); +@@ -539,6 +527,20 @@ static int dwc2_driver_probe(struct platform_device *dev) + if (retval) + goto error; + ++ hsotg->irq = platform_get_irq(dev, 0); ++ if (hsotg->irq < 0) { ++ retval = hsotg->irq; ++ goto error; ++ } ++ ++ dev_dbg(hsotg->dev, "registering common handler for irq%d\n", ++ hsotg->irq); ++ retval = devm_request_irq(hsotg->dev, hsotg->irq, ++ dwc2_handle_common_intr, IRQF_SHARED, ++ dev_name(hsotg->dev), hsotg); ++ if (retval) ++ goto error; ++ + /* + * For OTG cores, set the force mode bits to reflect the value + * of dr_mode. Force mode bits should not be touched at any +-- +2.43.0 + diff --git a/queue-5.15/virtio_pmem-check-device-status-before-requesting-fl.patch b/queue-5.15/virtio_pmem-check-device-status-before-requesting-fl.patch new file mode 100644 index 00000000000..4b6a148b2a1 --- /dev/null +++ b/queue-5.15/virtio_pmem-check-device-status-before-requesting-fl.patch @@ -0,0 +1,47 @@ +From 9318f9eda8e64e2e1dd72a538923da303c5c4b4a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Aug 2024 21:53:13 +0000 +Subject: virtio_pmem: Check device status before requesting flush + +From: Philip Chen + +[ Upstream commit e25fbcd97cf52c3c9824d44b5c56c19673c3dd50 ] + +If a pmem device is in a bad status, the driver side could wait for +host ack forever in virtio_pmem_flush(), causing the system to hang. + +So add a status check in the beginning of virtio_pmem_flush() to return +early if the device is not activated. + +Signed-off-by: Philip Chen +Message-Id: <20240826215313.2673566-1-philipchen@chromium.org> +Signed-off-by: Michael S. Tsirkin +Acked-by: Pankaj Gupta +--- + drivers/nvdimm/nd_virtio.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/nvdimm/nd_virtio.c b/drivers/nvdimm/nd_virtio.c +index 10351d5b49fac..41e97c6567cf9 100644 +--- a/drivers/nvdimm/nd_virtio.c ++++ b/drivers/nvdimm/nd_virtio.c +@@ -44,6 +44,15 @@ static int virtio_pmem_flush(struct nd_region *nd_region) + unsigned long flags; + int err, err1; + ++ /* ++ * Don't bother to submit the request to the device if the device is ++ * not activated. ++ */ ++ if (vdev->config->get_status(vdev) & VIRTIO_CONFIG_S_NEEDS_RESET) { ++ dev_info(&vdev->dev, "virtio pmem device needs a reset\n"); ++ return -EIO; ++ } ++ + might_sleep(); + req_data = kmalloc(sizeof(*req_data), GFP_KERNEL); + if (!req_data) +-- +2.43.0 +