From: Sasha Levin Date: Fri, 22 Mar 2024 16:53:57 +0000 (-0400) Subject: Fixes for 5.10 X-Git-Tag: v6.8.2~84 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8125e326e42defed9bfc66577c8b5757f04aeb6a;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.10 Signed-off-by: Sasha Levin --- diff --git a/queue-5.10/acpi-processor_idle-fix-memory-leak-in-acpi_processo.patch b/queue-5.10/acpi-processor_idle-fix-memory-leak-in-acpi_processo.patch new file mode 100644 index 00000000000..46cfcd40913 --- /dev/null +++ b/queue-5.10/acpi-processor_idle-fix-memory-leak-in-acpi_processo.patch 
@@ -0,0 +1,61 @@ +From e48ae43693642be400887df75c9802143019950a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Feb 2024 01:41:58 +0100 +Subject: ACPI: processor_idle: Fix memory leak in acpi_processor_power_exit() + +From: Armin Wolf + +[ Upstream commit e18afcb7b2a12b635ac10081f943fcf84ddacc51 ] + +After unregistering the CPU idle device, the memory associated with +it is not freed, leading to a memory leak: + +unreferenced object 0xffff896282f6c000 (size 1024): + comm "swapper/0", pid 1, jiffies 4294893170 + hex dump (first 32 bytes): + 00 00 00 00 0b 00 00 00 00 00 00 00 00 00 00 00 ................ + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace (crc 8836a742): + [] kmalloc_trace+0x29d/0x340 + [] acpi_processor_power_init+0xf3/0x1c0 + [] __acpi_processor_start+0xd3/0xf0 + [] acpi_processor_start+0x2c/0x50 + [] really_probe+0xe2/0x480 + [] __driver_probe_device+0x78/0x160 + [] driver_probe_device+0x1f/0x90 + [] __driver_attach+0xce/0x1c0 + [] bus_for_each_dev+0x70/0xc0 + [] bus_add_driver+0x112/0x210 + [] driver_register+0x55/0x100 + [] acpi_processor_driver_init+0x3b/0xc0 + [] do_one_initcall+0x41/0x300 + [] kernel_init_freeable+0x320/0x470 + [] kernel_init+0x16/0x1b0 + [] ret_from_fork+0x2d/0x50 + +Fix this by freeing the CPU idle device after unregistering it. + +Fixes: 3d339dcbb56d ("cpuidle / ACPI : move cpuidle_device field out of the acpi_processor_power structure") +Signed-off-by: Armin Wolf +Signed-off-by: Rafael J. 
Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/processor_idle.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/acpi/processor_idle.c b/drivers/acpi/processor_idle.c +index 59781e765e0e2..3deeabb273940 100644 +--- a/drivers/acpi/processor_idle.c ++++ b/drivers/acpi/processor_idle.c +@@ -1427,6 +1427,8 @@ int acpi_processor_power_exit(struct acpi_processor *pr) + acpi_processor_registered--; + if (acpi_processor_registered == 0) + cpuidle_unregister_driver(&acpi_idle_driver); ++ ++ kfree(dev); + } + + pr->flags.power_setup_done = 0; +-- +2.43.0 + diff --git a/queue-5.10/acpi-scan-fix-device-check-notification-handling.patch b/queue-5.10/acpi-scan-fix-device-check-notification-handling.patch new file mode 100644 index 00000000000..e88427983ef --- /dev/null +++ b/queue-5.10/acpi-scan-fix-device-check-notification-handling.patch 
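Review bot: The added `kfree(dev);` in acpi_processor_power_exit() frees the cpuidle device, but nothing in the hunk clears the location `dev` was loaded from. That lookup is above the hunk; if it reads a long-lived per-CPU or per-processor slot, the slot keeps a dangling pointer after exit. A later reader would then touch freed memory, and a second call made while `pr->flags.power` is still set would free it twice. Consider resetting the slot to NULL right after the free, with a comment such as `/* allocated in acpi_processor_power_init(); drop the stale pointer as well */`. The function body starts outside the hunk, so the origin of `dev` needs confirming there.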
@@ -0,0 +1,57 @@ +From 7fb7ad326007a12c2906d78ef78760837c66ddf1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Feb 2024 17:35:27 +0100 +Subject: ACPI: scan: Fix device check notification handling + +From: Rafael J. Wysocki + +[ Upstream commit 793551c965116d9dfaf0550dacae1396a20efa69 ] + +It is generally invalid to fail a Device Check notification if the scan +handler has not been attached to the given device after a bus rescan, +because there may be valid reasons for the scan handler to refuse +attaching to the device (for example, the device is not ready). + +For this reason, modify acpi_scan_device_check() to return 0 in that +case without printing a warning. + +While at it, reduce the log level of the "already enumerated" message +in the same function, because it is only interesting when debugging +notification handling + +Fixes: 443fc8202272 ("ACPI / hotplug: Rework generic code to handle suprise removals") +Signed-off-by: Rafael J. Wysocki +Reviewed-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/acpi/scan.c | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +diff --git a/drivers/acpi/scan.c b/drivers/acpi/scan.c +index 67a5ee2fedfd3..f17f48bc13bc0 100644 +--- a/drivers/acpi/scan.c ++++ b/drivers/acpi/scan.c +@@ -321,18 +321,14 @@ static int acpi_scan_device_check(struct acpi_device *adev) + * again). + */ + if (adev->handler) { +- dev_warn(&adev->dev, "Already enumerated\n"); +- return -EALREADY; ++ dev_dbg(&adev->dev, "Already enumerated\n"); ++ return 0; + } + error = acpi_bus_scan(adev->handle); + if (error) { + dev_warn(&adev->dev, "Namespace scan failure\n"); + return error; + } +- if (!adev->handler) { +- dev_warn(&adev->dev, "Enumeration failure\n"); +- error = -ENODEV; +- } + } else { + error = acpi_scan_device_not_present(adev); + } +-- +2.43.0 + 
diff --git a/queue-5.10/af_unix-annotate-data-race-of-gc_in_progress-in-wait.patch b/queue-5.10/af_unix-annotate-data-race-of-gc_in_progress-in-wait.patch new file mode 100644 index 00000000000..c2a84f9274f --- /dev/null +++ b/queue-5.10/af_unix-annotate-data-race-of-gc_in_progress-in-wait.patch @@ -0,0 +1,39 @@ +From 7ab34d8988c8085a8b98a9a6fca9515a071ca126 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Jan 2024 09:08:52 -0800 +Subject: af_unix: Annotate data-race of gc_in_progress in wait_for_unix_gc(). + +From: Kuniyuki Iwashima + +[ Upstream commit 31e03207119a535d0b0e3b3a7f91983aeb2cb14d ] + +gc_in_progress is changed under spin_lock(&unix_gc_lock), +but wait_for_unix_gc() reads it locklessly. + +Let's use READ_ONCE(). + +Fixes: 5f23b734963e ("net: Fix soft lockups/OOM issues w/ unix garbage collector") +Signed-off-by: Kuniyuki Iwashima +Link: https://lore.kernel.org/r/20240123170856.41348-2-kuniyu@amazon.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/unix/garbage.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/unix/garbage.c b/net/unix/garbage.c +index dc27635403932..9121a4d5436d5 100644 +--- a/net/unix/garbage.c ++++ b/net/unix/garbage.c +@@ -198,7 +198,7 @@ void wait_for_unix_gc(void) + if (READ_ONCE(unix_tot_inflight) > UNIX_INFLIGHT_TRIGGER_GC && + !READ_ONCE(gc_in_progress)) + unix_gc(); +- wait_event(unix_gc_wait, gc_in_progress == false); ++ wait_event(unix_gc_wait, !READ_ONCE(gc_in_progress)); + } + + /* The external entry point: unix_gc() */ +-- +2.43.0 + diff --git a/queue-5.10/afs-revert-afs-hide-silly-rename-files-from-userspac.patch b/queue-5.10/afs-revert-afs-hide-silly-rename-files-from-userspac.patch new file mode 100644 index 00000000000..621c2176a9a --- /dev/null +++ b/queue-5.10/afs-revert-afs-hide-silly-rename-files-from-userspac.patch 
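Review bot: The read in `wait_event(unix_gc_wait, !READ_ONCE(gc_in_progress));` is now marked, but the stores it pairs with are not part of this hunk. The commit message says gc_in_progress is changed under unix_gc_lock; the lock does nothing for a reader that does not take it, so the stores should be marked too if they are still plain assignments, e.g. `WRITE_ONCE(gc_in_progress, true);` and the matching `false` store. A one-line comment at the read would document the pairing, for example `/* lockless read; pairs with the stores done under unix_gc_lock */`.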
@@ -0,0 +1,55 @@ +From 877f2899f35dd7e21f14ebe114078a4106c3f6c1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Mar 2024 11:08:41 +0000 +Subject: afs: Revert "afs: Hide silly-rename files from userspace" + +From: David Howells + +[ Upstream commit 0aec3847d044273733285dcff90afda89ad461d2 ] + +This reverts commit 57e9d49c54528c49b8bffe6d99d782ea051ea534. + +This undoes the hiding of .__afsXXXX silly-rename files. The problem with +hiding them is that rm can't then manually delete them. + +This also reverts commit 5f7a07646655fb4108da527565dcdc80124b14c4 ("afs: Fix +endless loop in directory parsing") as that's a bugfix for the above. + +Fixes: 57e9d49c5452 ("afs: Hide silly-rename files from userspace") +Reported-by: Markus Suvanto +Link: https://lists.infradead.org/pipermail/linux-afs/2024-February/008102.html +Signed-off-by: David Howells +Link: https://lore.kernel.org/r/3085695.1710328121@warthog.procyon.org.uk +Reviewed-by: Jeffrey E Altman +cc: Marc Dionne +cc: linux-afs@lists.infradead.org +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/afs/dir.c | 10 ---------- + 1 file changed, 10 deletions(-) + +diff --git a/fs/afs/dir.c b/fs/afs/dir.c +index 88f0e719c6ac0..a59d6293a32b2 100644 +--- a/fs/afs/dir.c ++++ b/fs/afs/dir.c +@@ -418,16 +418,6 @@ static int afs_dir_iterate_block(struct afs_vnode *dvnode, + continue; + } + +- /* Don't expose silly rename entries to userspace. */ +- if (nlen > 6 && +- dire->u.name[0] == '.' && +- ctx->actor != afs_lookup_filldir && +- ctx->actor != afs_lookup_one_filldir && +- memcmp(dire->u.name, ".__afs", 6) == 0) { +- ctx->pos = blkoff + next * sizeof(union afs_xdr_dirent); +- continue; +- } +- + /* found the next entry */ + if (!dir_emit(ctx, dire->u.name, nlen, + ntohl(dire->u.vnode), +-- +2.43.0 + 
diff --git a/queue-5.10/alsa-hda-realtek-fix-alc285-issues-on-hp-envy-x360-l.patch b/queue-5.10/alsa-hda-realtek-fix-alc285-issues-on-hp-envy-x360-l.patch new file mode 100644 index 00000000000..527baf5e1ca --- /dev/null +++ b/queue-5.10/alsa-hda-realtek-fix-alc285-issues-on-hp-envy-x360-l.patch 
@@ -0,0 +1,147 @@ +From 798cdcd86d8bef61daa89e980540d78de703b59e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 10 Mar 2024 20:58:44 +0700 +Subject: ALSA: hda/realtek: fix ALC285 issues on HP Envy x360 laptops + +From: Athaariq Ardhiansyah + +[ Upstream commit c062166995c9e57d5cd508b332898f79da319802 ] + +Realtek codec on HP Envy laptop series are heavily modified by vendor. +Therefore, need intervention to make it work properly. The patch fixes: + +- B&O soundbar speakers (between lid and keyboard) activation +- Enable LED on mute button +- Add missing process coefficient which affects the output amplifier +- Volume control synchronization between B&O soundbar and side speakers +- Unmute headset output on several HP Envy models +- Auto-enable headset mic when plugged + +This patch was tested on HP Envy x360 13-AR0107AU with Realtek ALC285 + +The only unsolved problem is output amplifier of all built-in speakers +is too weak, which causes volume of built-in speakers cannot be loud +as vendor's proprietary driver due to missing _DSD parameter in the +firmware. The solution is currently on research. Expected to has another +patch in the future. 
+ +Potential fix to related issues, need test before close those issues: + +- https://bugzilla.kernel.org/show_bug.cgi?id=189331 +- https://bugzilla.kernel.org/show_bug.cgi?id=216632 +- https://bugzilla.kernel.org/show_bug.cgi?id=216311 +- https://bugzilla.kernel.org/show_bug.cgi?id=213507 + +Signed-off-by: Athaariq Ardhiansyah +Message-ID: <20240310140249.3695-1-foss@athaariq.my.id> +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 63 +++++++++++++++++++++++++++++++++++ + 1 file changed, 63 insertions(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 233449d982370..038837481c27c 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -6612,6 +6612,60 @@ static void alc285_fixup_hp_spectre_x360(struct hda_codec *codec, + } + } + ++static void alc285_fixup_hp_envy_x360(struct hda_codec *codec, ++ const struct hda_fixup *fix, ++ int action) ++{ ++ static const struct coef_fw coefs[] = { ++ WRITE_COEF(0x08, 0x6a0c), WRITE_COEF(0x0d, 0xa023), ++ WRITE_COEF(0x10, 0x0320), WRITE_COEF(0x1a, 0x8c03), ++ WRITE_COEF(0x25, 0x1800), WRITE_COEF(0x26, 0x003a), ++ WRITE_COEF(0x28, 0x1dfe), WRITE_COEF(0x29, 0xb014), ++ WRITE_COEF(0x2b, 0x1dfe), WRITE_COEF(0x37, 0xfe15), ++ WRITE_COEF(0x38, 0x7909), WRITE_COEF(0x45, 0xd489), ++ WRITE_COEF(0x46, 0x00f4), WRITE_COEF(0x4a, 0x21e0), ++ WRITE_COEF(0x66, 0x03f0), WRITE_COEF(0x67, 0x1000), ++ WRITE_COEF(0x6e, 0x1005), { } ++ }; ++ ++ static const struct hda_pintbl pincfgs[] = { ++ { 0x12, 0xb7a60130 }, /* Internal microphone*/ ++ { 0x14, 0x90170150 }, /* B&O soundbar speakers */ ++ { 0x17, 0x90170153 }, /* Side speakers */ ++ { 0x19, 0x03a11040 }, /* Headset microphone */ ++ { } ++ }; ++ ++ switch (action) { ++ case HDA_FIXUP_ACT_PRE_PROBE: ++ snd_hda_apply_pincfgs(codec, pincfgs); ++ ++ /* Fixes volume control problem for side speakers */ ++ alc295_fixup_disable_dac3(codec, fix, action); ++ ++ /* Fixes no sound from headset 
speaker */ ++ snd_hda_codec_amp_stereo(codec, 0x21, HDA_OUTPUT, 0, -1, 0); ++ ++ /* Auto-enable headset mic when plugged */ ++ snd_hda_jack_set_gating_jack(codec, 0x19, 0x21); ++ ++ /* Headset mic volume enhancement */ ++ snd_hda_codec_set_pin_target(codec, 0x19, PIN_VREF50); ++ break; ++ case HDA_FIXUP_ACT_INIT: ++ alc_process_coef_fw(codec, coefs); ++ break; ++ case HDA_FIXUP_ACT_BUILD: ++ rename_ctl(codec, "Bass Speaker Playback Volume", ++ "B&O-Tuned Playback Volume"); ++ rename_ctl(codec, "Front Playback Switch", ++ "B&O Soundbar Playback Switch"); ++ rename_ctl(codec, "Bass Speaker Playback Switch", ++ "Side Speaker Playback Switch"); ++ break; ++ } ++} ++ + /* for hda_fixup_thinkpad_acpi() */ + #include "thinkpad_helper.c" + +@@ -6819,6 +6873,7 @@ enum { + ALC280_FIXUP_HP_9480M, + ALC245_FIXUP_HP_X360_AMP, + ALC285_FIXUP_HP_SPECTRE_X360_EB1, ++ ALC285_FIXUP_HP_ENVY_X360, + ALC288_FIXUP_DELL_HEADSET_MODE, + ALC288_FIXUP_DELL1_MIC_NO_PRESENCE, + ALC288_FIXUP_DELL_XPS_13, +@@ -8614,6 +8669,12 @@ static const struct hda_fixup alc269_fixups[] = { + .type = HDA_FIXUP_FUNC, + .v.func = alc285_fixup_hp_spectre_x360_eb1 + }, ++ [ALC285_FIXUP_HP_ENVY_X360] = { ++ .type = HDA_FIXUP_FUNC, ++ .v.func = alc285_fixup_hp_envy_x360, ++ .chained = true, ++ .chain_id = ALC285_FIXUP_HP_GPIO_AMP_INIT, ++ }, + [ALC287_FIXUP_IDEAPAD_BASS_SPK_AMP] = { + .type = HDA_FIXUP_FUNC, + .v.func = alc285_fixup_ideapad_s740_coef, +@@ -9001,6 +9062,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x103c, 0x84e7, "HP Pavilion 15", ALC269_FIXUP_HP_MUTE_LED_MIC3), + SND_PCI_QUIRK(0x103c, 0x8519, "HP Spectre x360 15-df0xxx", ALC285_FIXUP_HP_SPECTRE_X360), + SND_PCI_QUIRK(0x103c, 0x8537, "HP ProBook 440 G6", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF), ++ SND_PCI_QUIRK(0x103c, 0x85de, "HP Envy x360 13-ar0xxx", ALC285_FIXUP_HP_ENVY_X360), + SND_PCI_QUIRK(0x103c, 0x860f, "HP ZBook 15 G6", ALC285_FIXUP_HP_GPIO_AMP_INIT), + SND_PCI_QUIRK(0x103c, 0x861f, "HP Elite Dragonfly G1", 
ALC285_FIXUP_HP_GPIO_AMP_INIT), + SND_PCI_QUIRK(0x103c, 0x869d, "HP", ALC236_FIXUP_HP_MUTE_LED), +@@ -9517,6 +9579,7 @@ static const struct hda_model_fixup alc269_fixup_models[] = { + {.id = ALC295_FIXUP_HP_OMEN, .name = "alc295-hp-omen"}, + {.id = ALC285_FIXUP_HP_SPECTRE_X360, .name = "alc285-hp-spectre-x360"}, + {.id = ALC285_FIXUP_HP_SPECTRE_X360_EB1, .name = "alc285-hp-spectre-x360-eb1"}, ++ {.id = ALC285_FIXUP_HP_ENVY_X360, .name = "alc285-hp-envy-x360"}, + {.id = ALC287_FIXUP_IDEAPAD_BASS_SPK_AMP, .name = "alc287-ideapad-bass-spk-amp"}, + {.id = ALC623_FIXUP_LENOVO_THINKSTATION_P340, .name = "alc623-lenovo-thinkstation-p340"}, + {.id = ALC255_FIXUP_ACER_HEADPHONE_AND_MIC, .name = "alc255-acer-headphone-and-mic"}, +-- +2.43.0 + diff --git a/queue-5.10/alsa-seq-fix-function-cast-warnings.patch b/queue-5.10/alsa-seq-fix-function-cast-warnings.patch new file mode 100644 index 00000000000..a645bb6566b --- /dev/null +++ b/queue-5.10/alsa-seq-fix-function-cast-warnings.patch 
@@ -0,0 +1,95 @@ +From 44f0259e04910d1292749eea851dc2a18b908c05 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Feb 2024 14:53:43 +0100 +Subject: ALSA: seq: fix function cast warnings + +From: Takashi Iwai + +[ Upstream commit d7bf73809849463f76de42aad62c850305dd6c5d ] + +clang-16 points out a control flow integrity (kcfi) issue when event +callbacks get converted to incompatible types: + +sound/core/seq/seq_midi.c:135:30: error: cast from 'int (*)(struct snd_rawmidi_substream *, const char *, int)' to 'snd_seq_dump_func_t' (aka 'int (*)(void *, void *, int)') converts to incompatible function type [-Werror,-Wcast-function-type-strict] + 135 | snd_seq_dump_var_event(ev, (snd_seq_dump_func_t)dump_midi, substream); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +sound/core/seq/seq_virmidi.c:83:31: error: cast from 'int (*)(struct snd_rawmidi_substream *, const unsigned char *, int)' to 'snd_seq_dump_func_t' (aka 'int (*)(void *, void *, int)') converts to incompatible function type [-Werror,-Wcast-function-type-strict] + 83 | snd_seq_dump_var_event(ev, (snd_seq_dump_func_t)snd_rawmidi_receive, vmidi->substream); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +For addressing those errors, introduce wrapper functions that are used +for callbacks and bridge to the actual function call with pointer +cast. + +The code was originally added with the initial ALSA merge in linux-2.5.4. 
+ +[ the patch description shamelessly copied from Arnd's original patch + -- tiwai ] + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: Arnd Bergmann +Link: https://lore.kernel.org/r/20240213101020.459183-1-arnd@kernel.org +Link: https://lore.kernel.org/r/20240213135343.16411-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/core/seq/seq_midi.c | 8 +++++++- + sound/core/seq/seq_virmidi.c | 9 ++++++++- + 2 files changed, 15 insertions(+), 2 deletions(-) + +diff --git a/sound/core/seq/seq_midi.c b/sound/core/seq/seq_midi.c +index 6825940ea2cf8..a741d1ae6639a 100644 +--- a/sound/core/seq/seq_midi.c ++++ b/sound/core/seq/seq_midi.c +@@ -111,6 +111,12 @@ static int dump_midi(struct snd_rawmidi_substream *substream, const char *buf, i + return 0; + } + ++/* callback for snd_seq_dump_var_event(), bridging to dump_midi() */ ++static int __dump_midi(void *ptr, void *buf, int count) ++{ ++ return dump_midi(ptr, buf, count); ++} ++ + static int event_process_midi(struct snd_seq_event *ev, int direct, + void *private_data, int atomic, int hop) + { +@@ -130,7 +136,7 @@ static int event_process_midi(struct snd_seq_event *ev, int direct, + pr_debug("ALSA: seq_midi: invalid sysex event flags = 0x%x\n", ev->flags); + return 0; + } +- snd_seq_dump_var_event(ev, (snd_seq_dump_func_t)dump_midi, substream); ++ snd_seq_dump_var_event(ev, __dump_midi, substream); + snd_midi_event_reset_decode(msynth->parser); + } else { + if (msynth->parser == NULL) +diff --git a/sound/core/seq/seq_virmidi.c b/sound/core/seq/seq_virmidi.c +index 77d7037d1476f..82396b8c885a5 100644 +--- a/sound/core/seq/seq_virmidi.c ++++ b/sound/core/seq/seq_virmidi.c +@@ -62,6 +62,13 @@ static void snd_virmidi_init_event(struct snd_virmidi *vmidi, + /* + * decode input event and put to read buffer of each opened file + */ ++ ++/* callback for snd_seq_dump_var_event(), bridging to snd_rawmidi_receive() */ ++static int dump_to_rawmidi(void *ptr, void *buf, int count) ++{ ++ 
return snd_rawmidi_receive(ptr, buf, count); ++} ++ + static int snd_virmidi_dev_receive_event(struct snd_virmidi_dev *rdev, + struct snd_seq_event *ev, + bool atomic) +@@ -80,7 +87,7 @@ static int snd_virmidi_dev_receive_event(struct snd_virmidi_dev *rdev, + if (ev->type == SNDRV_SEQ_EVENT_SYSEX) { + if ((ev->flags & SNDRV_SEQ_EVENT_LENGTH_MASK) != SNDRV_SEQ_EVENT_LENGTH_VARIABLE) + continue; +- snd_seq_dump_var_event(ev, (snd_seq_dump_func_t)snd_rawmidi_receive, vmidi->substream); ++ snd_seq_dump_var_event(ev, dump_to_rawmidi, vmidi->substream); + snd_midi_event_reset_decode(vmidi->parser); + } else { + len = snd_midi_event_decode(vmidi->parser, msg, sizeof(msg), ev); +-- +2.43.0 + diff --git a/queue-5.10/alsa-usb-audio-stop-parsing-channels-bits-when-all-c.patch b/queue-5.10/alsa-usb-audio-stop-parsing-channels-bits-when-all-c.patch new file mode 100644 index 00000000000..2fabc67ccc9 --- /dev/null +++ b/queue-5.10/alsa-usb-audio-stop-parsing-channels-bits-when-all-c.patch 
@@ -0,0 +1,43 @@ +From 1ce8790a429c40e792a4f6280bb5540492022773 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Mar 2024 09:15:09 +0100 +Subject: ALSA: usb-audio: Stop parsing channels bits when all channels are + found. + +From: Johan Carlsson + +[ Upstream commit a39d51ff1f52cd0b6fe7d379ac93bd8b4237d1b7 ] + +If a usb audio device sets more bits than the amount of channels +it could write outside of the map array. + +Signed-off-by: Johan Carlsson +Fixes: 04324ccc75f9 ("ALSA: usb-audio: add channel map support") +Message-ID: <20240313081509.9801-1-johan.carlsson@teenage.engineering> +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/usb/stream.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/sound/usb/stream.c b/sound/usb/stream.c +index c4f4585f9b851..f51e901a9689e 100644 +--- a/sound/usb/stream.c ++++ b/sound/usb/stream.c +@@ -301,9 +301,12 @@ static struct snd_pcm_chmap_elem *convert_chmap(int channels, unsigned int bits, + c = 0; + + if (bits) { +- for (; bits && *maps; maps++, bits >>= 1) ++ for (; bits && *maps; maps++, bits >>= 1) { + if (bits & 1) + chmap->map[c++] = *maps; ++ if (c == chmap->channels) ++ break; ++ } + } else { + /* If we're missing wChannelConfig, then guess something + to make sure the channel map is not skipped entirely */ +-- +2.43.0 + diff --git a/queue-5.10/aoe-fix-the-potential-use-after-free-problem-in-aoec.patch b/queue-5.10/aoe-fix-the-potential-use-after-free-problem-in-aoec.patch new file mode 100644 index 00000000000..85620425d40 --- /dev/null +++ b/queue-5.10/aoe-fix-the-potential-use-after-free-problem-in-aoec.patch 
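Review bot: The new `if (c == chmap->channels) break;` in convert_chmap() is evaluated only after `chmap->map[c++] = *maps;`, so it cannot stop the first store. It also never fires when `chmap->channels` is 0, because `c` is already 1 by the time it is compared. Since `bits` comes from the device, a bound tested before the store is more robust, e.g. `for (; bits && *maps && c < chmap->channels; maps++, bits >>= 1)`. Whether `channels` is validated as non-zero and no larger than the `map` array is decided above the hunk, so confirm that before relying on the equality test.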
@@ -0,0 +1,88 @@ +From 123d3ee286b386f3d82352ce6bd1286aa4cd8c4a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Mar 2024 16:20:48 +0800 +Subject: aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts + +From: Chun-Yi Lee + +[ Upstream commit f98364e926626c678fb4b9004b75cacf92ff0662 ] + +This patch is against CVE-2023-6270. The description of cve is: + + A flaw was found in the ATA over Ethernet (AoE) driver in the Linux + kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on + `struct net_device`, and a use-after-free can be triggered by racing + between the free on the struct and the access through the `skbtxq` + global queue. This could lead to a denial of service condition or + potential code execution. + +In aoecmd_cfg_pkts(), it always calls dev_put(ifp) when skb initial +code is finished. But the net_device ifp will still be used in +later tx()->dev_queue_xmit() in kthread. Which means that the +dev_put(ifp) should NOT be called in the success path of skb +initial code in aoecmd_cfg_pkts(). Otherwise tx() may run into +use-after-free because the net_device is freed. + +This patch removed the dev_put(ifp) in the success path in +aoecmd_cfg_pkts(), and added dev_put() after skb xmit in tx(). 
+ +Link: https://nvd.nist.gov/vuln/detail/CVE-2023-6270 +Fixes: 7562f876cd93 ("[NET]: Rework dev_base via list_head (v3)") +Signed-off-by: Chun-Yi Lee +Link: https://lore.kernel.org/r/20240305082048.25526-1-jlee@suse.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/aoe/aoecmd.c | 12 ++++++------ + drivers/block/aoe/aoenet.c | 1 + + 2 files changed, 7 insertions(+), 6 deletions(-) + +diff --git a/drivers/block/aoe/aoecmd.c b/drivers/block/aoe/aoecmd.c +index 313f0b946fe2b..c805909c8e775 100644 +--- a/drivers/block/aoe/aoecmd.c ++++ b/drivers/block/aoe/aoecmd.c +@@ -420,13 +420,16 @@ aoecmd_cfg_pkts(ushort aoemajor, unsigned char aoeminor, struct sk_buff_head *qu + rcu_read_lock(); + for_each_netdev_rcu(&init_net, ifp) { + dev_hold(ifp); +- if (!is_aoe_netif(ifp)) +- goto cont; ++ if (!is_aoe_netif(ifp)) { ++ dev_put(ifp); ++ continue; ++ } + + skb = new_skb(sizeof *h + sizeof *ch); + if (skb == NULL) { + printk(KERN_INFO "aoe: skb alloc failure\n"); +- goto cont; ++ dev_put(ifp); ++ continue; + } + skb_put(skb, sizeof *h + sizeof *ch); + skb->dev = ifp; +@@ -441,9 +444,6 @@ aoecmd_cfg_pkts(ushort aoemajor, unsigned char aoeminor, struct sk_buff_head *qu + h->major = cpu_to_be16(aoemajor); + h->minor = aoeminor; + h->cmd = AOECMD_CFG; +- +-cont: +- dev_put(ifp); + } + rcu_read_unlock(); + } +diff --git a/drivers/block/aoe/aoenet.c b/drivers/block/aoe/aoenet.c +index 63773a90581dd..1e66c7a188a12 100644 +--- a/drivers/block/aoe/aoenet.c ++++ b/drivers/block/aoe/aoenet.c +@@ -64,6 +64,7 @@ tx(int id) __must_hold(&txlock) + pr_warn("aoe: packet could not be sent on %s. %s\n", + ifp ? ifp->name : "netif", + "consider increasing tx_queue_len"); ++ dev_put(ifp); + spin_lock_irq(&txlock); + } + return 0; +-- +2.43.0 + diff --git a/queue-5.10/arch-powerpc-remove-linux-fb.h-from-backlight-code.patch b/queue-5.10/arch-powerpc-remove-linux-fb.h-from-backlight-code.patch new file mode 100644 index 00000000000..523cbce2f50 --- /dev/null 
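Review bot: The `dev_put(ifp);` added to tx() now drops a reference for every skb that tx() transmits, but the only matching `dev_hold(ifp)` visible here is the one in aoecmd_cfg_pkts(). If any other path queues packets for tx() without taking a reference on `skb->dev`, the device refcount becomes unbalanced and can underflow. Conversely, skbs discarded from the queue without passing through tx() would keep their reference. Both cases lie outside these hunks and should be checked. The warning just above already allows for `ifp` being NULL (`ifp ? ifp->name : "netif"`), so unless dev_put() on this tree accepts NULL the call should be `if (ifp) dev_put(ifp);`. The bodies of aoecmd_cfg_pkts() and tx() both start outside the hunks.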
+++ b/queue-5.10/arch-powerpc-remove-linux-fb.h-from-backlight-code.patch 
@@ -0,0 +1,98 @@ +From 33f2ce1065b52243bda6f434c6ae14f1dad18067 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Mar 2024 13:28:20 +0100 +Subject: arch/powerpc: Remove from backlight code + +From: Thomas Zimmermann + +[ Upstream commit 838f865802b9f26135ea7df4e30f89ac2f50c23e ] + +Replace with a forward declaration in to +resolve an unnecessary dependency. Remove pmac_backlight_curve_lookup() +and struct fb_info from source and header files. The function and the +framebuffer struct are unused. No functional changes. + +v3: + * Add Fixes tag (Christophe) + * fix typos in commit message (Jani) + +Signed-off-by: Thomas Zimmermann +Fixes: d565dd3b0824 ("[PATCH] powerpc: More via-pmu backlight fixes") +Reviewed-by: Jani Nikula +Acked-by: Michael Ellerman # (powerpc) +Link: https://patchwork.freedesktop.org/patch/msgid/20240306122935.10626-4-tzimmermann@suse.de +Signed-off-by: Sasha Levin +--- + arch/powerpc/include/asm/backlight.h | 5 ++-- + arch/powerpc/platforms/powermac/backlight.c | 26 --------------------- + 2 files changed, 2 insertions(+), 29 deletions(-) + +diff --git a/arch/powerpc/include/asm/backlight.h b/arch/powerpc/include/asm/backlight.h +index 1b5eab62ed047..061a910d74929 100644 +--- a/arch/powerpc/include/asm/backlight.h ++++ b/arch/powerpc/include/asm/backlight.h +@@ -10,15 +10,14 @@ + #define __ASM_POWERPC_BACKLIGHT_H + #ifdef __KERNEL__ + +-#include + #include + ++struct backlight_device; ++ + /* For locking instructions, see the implementation file */ + extern struct backlight_device *pmac_backlight; + extern struct mutex pmac_backlight_mutex; + +-extern int pmac_backlight_curve_lookup(struct fb_info *info, int value); +- + extern int pmac_has_backlight_type(const char *type); + + extern void pmac_backlight_key(int direction); +diff --git a/arch/powerpc/platforms/powermac/backlight.c b/arch/powerpc/platforms/powermac/backlight.c +index 32224cb489d75..eab339d2059d5 100644 +--- a/arch/powerpc/platforms/powermac/backlight.c ++++ 
b/arch/powerpc/platforms/powermac/backlight.c +@@ -9,7 +9,6 @@ + */ + + #include +-#include + #include + #include + #include +@@ -73,31 +72,6 @@ int pmac_has_backlight_type(const char *type) + return 0; + } + +-int pmac_backlight_curve_lookup(struct fb_info *info, int value) +-{ +- int level = (FB_BACKLIGHT_LEVELS - 1); +- +- if (info && info->bl_dev) { +- int i, max = 0; +- +- /* Look for biggest value */ +- for (i = 0; i < FB_BACKLIGHT_LEVELS; i++) +- max = max((int)info->bl_curve[i], max); +- +- /* Look for nearest value */ +- for (i = 0; i < FB_BACKLIGHT_LEVELS; i++) { +- int diff = abs(info->bl_curve[i] - value); +- if (diff < max) { +- max = diff; +- level = i; +- } +- } +- +- } +- +- return level; +-} +- + static void pmac_backlight_key_worker(struct work_struct *work) + { + if (atomic_read(&kernel_backlight_disabled)) +-- +2.43.0 + diff --git a/queue-5.10/arm-dts-arm-realview-fix-development-chip-rom-compat.patch b/queue-5.10/arm-dts-arm-realview-fix-development-chip-rom-compat.patch new file mode 100644 index 00000000000..ffc6eeb592b --- /dev/null +++ b/queue-5.10/arm-dts-arm-realview-fix-development-chip-rom-compat.patch 
@@ -0,0 +1,43 @@ +From 998b8a4ecf4d1e82ee07cc90be6393696222938c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Aug 2023 17:03:04 +0200 +Subject: ARM: dts: arm: realview: Fix development chip ROM compatible value + +From: Geert Uytterhoeven + +[ Upstream commit 3baa4c5143d65ebab2de0d99a395e5f4f1f46608 ] + +When the development chip ROM was added, the "direct-mapped" compatible +value was already obsolete. In addition, the device node lacked the +accompanying "probe-type" property, causing the old physmap_of_core +driver to fall back to trying all available probe types. +Unfortunately this fallback was lost when the DT and pdata cases were +merged. + +Fix this by using the modern "mtd-rom" compatible value instead. + +Fixes: 5c3f5edbe0a1dff3 ("ARM: realview: add flash devices to the PB1176 DTS") +Fixes: 642b1e8dbed7bbbf ("mtd: maps: Merge physmap_of.c into physmap-core.c") +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/arm-realview-pb1176.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/arm-realview-pb1176.dts b/arch/arm/boot/dts/arm-realview-pb1176.dts +index f925782f85604..f0be83eebb09d 100644 +--- a/arch/arm/boot/dts/arm-realview-pb1176.dts ++++ b/arch/arm/boot/dts/arm-realview-pb1176.dts +@@ -435,7 +435,7 @@ pb1176_serial3: serial@1010f000 { + + /* Direct-mapped development chip ROM */ + pb1176_rom@10200000 { +- compatible = "direct-mapped"; ++ compatible = "mtd-rom"; + reg = <0x10200000 0x4000>; + bank-width = <1>; + }; +-- +2.43.0 + diff --git a/queue-5.10/arm-dts-imx6dl-yapp4-fix-typo-in-the-qca-switch-regi.patch b/queue-5.10/arm-dts-imx6dl-yapp4-fix-typo-in-the-qca-switch-regi.patch new file mode 100644 index 00000000000..9d2b989aec2 --- /dev/null +++ b/queue-5.10/arm-dts-imx6dl-yapp4-fix-typo-in-the-qca-switch-regi.patch 
@@ -0,0 +1,42 @@ +From b2a22bcab1f96508551fcf85176786b9085d9006 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Feb 2024 10:03:27 +0100 +Subject: ARM: dts: imx6dl-yapp4: Fix typo in the QCA switch register address +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Michal Vokáč + +[ Upstream commit 023bd910d3ab735459f84b22bb99fb9e00bd9d76 ] + +This change does not have any functional effect. The switch works just +fine without this patch as it has full access to all the addresses +on the bus. This is simply a clean-up to set the node name address +and reg address to the same value. + +Fixes: 15b43e497ffd ("ARM: dts: imx6dl-yapp4: Use correct pseudo PHY address for the switch") +Signed-off-by: Michal Vokáč +Reviewed-by: Andrew Lunn +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/imx6dl-yapp4-common.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/imx6dl-yapp4-common.dtsi b/arch/arm/boot/dts/imx6dl-yapp4-common.dtsi +index f18da2b70fdc9..b636faaddc510 100644 +--- a/arch/arm/boot/dts/imx6dl-yapp4-common.dtsi ++++ b/arch/arm/boot/dts/imx6dl-yapp4-common.dtsi +@@ -125,7 +125,7 @@ phy_port3: phy@2 { + + switch@10 { + compatible = "qca,qca8334"; +- reg = <10>; ++ reg = <0x10>; + reset-gpios = <&gpio1 25 GPIO_ACTIVE_LOW>; + + switch_ports: ports { +-- +2.43.0 + diff --git a/queue-5.10/arm-dts-imx6dl-yapp4-move-phy-reset-into-switch-node.patch b/queue-5.10/arm-dts-imx6dl-yapp4-move-phy-reset-into-switch-node.patch new file mode 100644 index 00000000000..74c957e91b5 --- /dev/null +++ b/queue-5.10/arm-dts-imx6dl-yapp4-move-phy-reset-into-switch-node.patch 
@@ -0,0 +1,47 @@ +From dbccfd3ef4d96cbc9eb0e9113217a5440b2642b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Mar 2023 19:06:04 +0100 +Subject: ARM: dts: imx6dl-yapp4: Move phy reset into switch node +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Michal Vokáč + +[ Upstream commit 7da7b84fee58c85a6075022023d31edea40e81a1 ] + +Drop the phy-reset-duration and phy-reset-gpios deprecated properties and +move reset-gpios under the switch node. + +Signed-off-by: Michal Vokáč +Signed-off-by: Shawn Guo +Stable-dep-of: 023bd910d3ab ("ARM: dts: imx6dl-yapp4: Fix typo in the QCA switch register address") +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/imx6dl-yapp4-common.dtsi | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/arch/arm/boot/dts/imx6dl-yapp4-common.dtsi b/arch/arm/boot/dts/imx6dl-yapp4-common.dtsi +index ebc0892e37c7a..f18da2b70fdc9 100644 +--- a/arch/arm/boot/dts/imx6dl-yapp4-common.dtsi ++++ b/arch/arm/boot/dts/imx6dl-yapp4-common.dtsi +@@ -103,8 +103,6 @@ &fec { + pinctrl-names = "default"; + pinctrl-0 = <&pinctrl_enet>; + phy-mode = "rgmii-id"; +- phy-reset-gpios = <&gpio1 25 GPIO_ACTIVE_LOW>; +- phy-reset-duration = <20>; + phy-supply = <&sw2_reg>; + status = "okay"; + +@@ -128,6 +126,7 @@ phy_port3: phy@2 { + switch@10 { + compatible = "qca,qca8334"; + reg = <10>; ++ reset-gpios = <&gpio1 25 GPIO_ACTIVE_LOW>; + + switch_ports: ports { + #address-cells = <1>; +-- +2.43.0 + diff --git a/queue-5.10/arm-dts-imx6dl-yapp4-move-the-internal-switch-phys-u.patch b/queue-5.10/arm-dts-imx6dl-yapp4-move-the-internal-switch-phys-u.patch new file mode 100644 index 00000000000..5ac00777cb5 --- /dev/null +++ b/queue-5.10/arm-dts-imx6dl-yapp4-move-the-internal-switch-phys-u.patch 
@@ -0,0 +1,98 @@ +From d1e1c3b807dc886cd15182ce9c2e4de7ec01b706 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Feb 2024 10:03:28 +0100 +Subject: ARM: dts: imx6dl-yapp4: Move the internal switch PHYs under the + switch node +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Michal Vokáč + +[ Upstream commit 79978bff2e4b8e05ebdf5fc3ee6b794002393484 ] + +We identified that the PHYs actually do not work since commit 7da7b84fee58 +("ARM: dts: imx6dl-yapp4: Move phy reset into switch node") as +a coincidence of several circumstances. + +The reset signal is kept asserted by a pull-down resistor on the board +unless it is deasserted by GPIO from the SoC. This is to keep the switch +dead until it is configured properly by the kernel and user space. + +Prior to the referenced commit the switch was reset by the FEC driver +and the reset GPIO was actively deasserted. The mdio-bus was scanned +and the attached switch and its PHYs were found and configured. + +With the referenced commit the switch is reset by the qca8k driver. +Because of another bug in the qca8k driver, functionality of the reset +pin depends on its pre-kernel configuration. See commit c44fc98f0a8f +("net: dsa: qca8k: fix illegal usage of GPIO") + +The problem did not appear until we removed support for the switch +and configuration of its reset pin from the bootloader. + +To fix that, properly describe the internal mdio-bus configuration of +the qca8334 switch. The PHYs are internal to the switch and sit on its +internal mdio-bus. 
+ +Fixes: 7da7b84fee58 ("ARM: dts: imx6dl-yapp4: Move phy reset into switch node") +Signed-off-by: Michal Vokáč +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/imx6dl-yapp4-common.dtsi | 23 ++++++++++++++-------- + 1 file changed, 15 insertions(+), 8 deletions(-) + +diff --git a/arch/arm/boot/dts/imx6dl-yapp4-common.dtsi b/arch/arm/boot/dts/imx6dl-yapp4-common.dtsi +index b636faaddc510..cbf5a76625e69 100644 +--- a/arch/arm/boot/dts/imx6dl-yapp4-common.dtsi ++++ b/arch/arm/boot/dts/imx6dl-yapp4-common.dtsi +@@ -115,14 +115,6 @@ mdio { + #address-cells = <1>; + #size-cells = <0>; + +- phy_port2: phy@1 { +- reg = <1>; +- }; +- +- phy_port3: phy@2 { +- reg = <2>; +- }; +- + switch@10 { + compatible = "qca,qca8334"; + reg = <0x10>; +@@ -147,15 +139,30 @@ fixed-link { + eth2: port@2 { + reg = <2>; + label = "eth2"; ++ phy-mode = "internal"; + phy-handle = <&phy_port2>; + }; + + eth1: port@3 { + reg = <3>; + label = "eth1"; ++ phy-mode = "internal"; + phy-handle = <&phy_port3>; + }; + }; ++ ++ mdio { ++ #address-cells = <1>; ++ #size-cells = <0>; ++ ++ phy_port2: ethernet-phy@1 { ++ reg = <1>; ++ }; ++ ++ phy_port3: ethernet-phy@2 { ++ reg = <2>; ++ }; ++ }; + }; + }; + }; +-- +2.43.0 + diff --git a/queue-5.10/arm-dts-renesas-r8a73a4-fix-external-clocks-and-cloc.patch b/queue-5.10/arm-dts-renesas-r8a73a4-fix-external-clocks-and-cloc.patch new file mode 100644 index 00000000000..8485d8848f9 --- /dev/null +++ b/queue-5.10/arm-dts-renesas-r8a73a4-fix-external-clocks-and-cloc.patch 
@@ -0,0 +1,82 @@ +From c5913a6677aab037f904ae4c749e1de0a3f55eb8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Jan 2024 12:03:03 +0100 +Subject: ARM: dts: renesas: r8a73a4: Fix external clocks and clock rate +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Geert Uytterhoeven + +[ Upstream commit 090c4094574705b0afc7d37825cdc5d06f0e7e02 ] + +External clocks should be defined as zero-Hz clocks in the SoC .dtsi, +and overridden in the board .dts when present. + +Correct the clock rate of extal1 from 25 to 26 MHz, to match the crystal +oscillator present on the APE6-EVM board. + +Fixes: a76809a329d6ebae ("ARM: shmobile: r8a73a4: Common clock framework DT description") +Signed-off-by: Geert Uytterhoeven +Reviewed-by: Niklas Söderlund +Link: https://lore.kernel.org/r/1692bc8cd465d62168cbf110522ad62a7af3f606.1705315614.git.geert+renesas@glider.be +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/r8a73a4-ape6evm.dts | 12 ++++++++++++ + arch/arm/boot/dts/r8a73a4.dtsi | 9 ++++++--- + 2 files changed, 18 insertions(+), 3 deletions(-) + +diff --git a/arch/arm/boot/dts/r8a73a4-ape6evm.dts b/arch/arm/boot/dts/r8a73a4-ape6evm.dts +index b088e8e351d54..1028f721b38b0 100644 +--- a/arch/arm/boot/dts/r8a73a4-ape6evm.dts ++++ b/arch/arm/boot/dts/r8a73a4-ape6evm.dts +@@ -208,6 +208,18 @@ &cmt1 { + status = "okay"; + }; + ++&extal1_clk { ++ clock-frequency = <26000000>; ++}; ++ ++&extal2_clk { ++ clock-frequency = <48000000>; ++}; ++ ++&extalr_clk { ++ clock-frequency = <32768>; ++}; ++ + &pfc { + scifa0_pins: scifa0 { + groups = "scifa0_data"; +diff --git a/arch/arm/boot/dts/r8a73a4.dtsi b/arch/arm/boot/dts/r8a73a4.dtsi +index e5fb1ce261f72..bcde8d1005976 100644 +--- a/arch/arm/boot/dts/r8a73a4.dtsi ++++ b/arch/arm/boot/dts/r8a73a4.dtsi +@@ -494,17 +494,20 @@ clocks { + extalr_clk: extalr { + compatible = "fixed-clock"; + #clock-cells = <0>; +- clock-frequency = <32768>; ++ /* This value must be overridden by the 
board. */ ++ clock-frequency = <0>; + }; + extal1_clk: extal1 { + compatible = "fixed-clock"; + #clock-cells = <0>; +- clock-frequency = <25000000>; ++ /* This value must be overridden by the board. */ ++ clock-frequency = <0>; + }; + extal2_clk: extal2 { + compatible = "fixed-clock"; + #clock-cells = <0>; +- clock-frequency = <48000000>; ++ /* This value must be overridden by the board. */ ++ clock-frequency = <0>; + }; + fsiack_clk: fsiack { + compatible = "fixed-clock"; +-- +2.43.0 + diff --git a/queue-5.10/arm64-dts-marvell-reorder-crypto-interrupts-on-armad.patch b/queue-5.10/arm64-dts-marvell-reorder-crypto-interrupts-on-armad.patch new file mode 100644 index 00000000000..76de0c3954c --- /dev/null +++ b/queue-5.10/arm64-dts-marvell-reorder-crypto-interrupts-on-armad.patch 
@@ -0,0 +1,88 @@ +From f93267c150cb445c6c756e96d0a09398bd16a51d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Jan 2024 13:22:58 +0100 +Subject: arm64: dts: marvell: reorder crypto interrupts on Armada SoCs +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rafał Miłecki + +[ Upstream commit ec55a22149d64f9ac41845d923b884d4a666bf4d ] + +Match order specified in binding documentation. It says "mem" should be +the last interrupt. + +This fixes: +arch/arm64/boot/dts/marvell/armada-3720-db.dtb: crypto@90000: interrupt-names:0: 'ring0' was expected + from schema $id: http://devicetree.org/schemas/crypto/inside-secure,safexcel.yaml# +arch/arm64/boot/dts/marvell/armada-3720-db.dtb: crypto@90000: interrupt-names:1: 'ring1' was expected + from schema $id: http://devicetree.org/schemas/crypto/inside-secure,safexcel.yaml# +arch/arm64/boot/dts/marvell/armada-3720-db.dtb: crypto@90000: interrupt-names:2: 'ring2' was expected + from schema $id: http://devicetree.org/schemas/crypto/inside-secure,safexcel.yaml# +arch/arm64/boot/dts/marvell/armada-3720-db.dtb: crypto@90000: interrupt-names:3: 'ring3' was expected + from schema $id: http://devicetree.org/schemas/crypto/inside-secure,safexcel.yaml# +arch/arm64/boot/dts/marvell/armada-3720-db.dtb: crypto@90000: interrupt-names:4: 'eip' was expected + from schema $id: http://devicetree.org/schemas/crypto/inside-secure,safexcel.yaml# +arch/arm64/boot/dts/marvell/armada-3720-db.dtb: crypto@90000: interrupt-names:5: 'mem' was expected + from schema $id: http://devicetree.org/schemas/crypto/inside-secure,safexcel.yaml# + +Signed-off-by: Rafał Miłecki +Signed-off-by: Gregory CLEMENT +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/marvell/armada-37xx.dtsi | 10 +++++----- + arch/arm64/boot/dts/marvell/armada-cp11x.dtsi | 10 +++++----- + 2 files changed, 10 insertions(+), 10 deletions(-) + +diff --git a/arch/arm64/boot/dts/marvell/armada-37xx.dtsi 
b/arch/arm64/boot/dts/marvell/armada-37xx.dtsi +index 0f4bcd15d8580..086c3cc7d055c 100644 +--- a/arch/arm64/boot/dts/marvell/armada-37xx.dtsi ++++ b/arch/arm64/boot/dts/marvell/armada-37xx.dtsi +@@ -414,14 +414,14 @@ xor11 { + crypto: crypto@90000 { + compatible = "inside-secure,safexcel-eip97ies"; + reg = <0x90000 0x20000>; +- interrupts = , +- , ++ interrupts = , + , + , + , +- ; +- interrupt-names = "mem", "ring0", "ring1", +- "ring2", "ring3", "eip"; ++ , ++ ; ++ interrupt-names = "ring0", "ring1", "ring2", ++ "ring3", "eip", "mem"; + clocks = <&nb_periph_clk 15>; + }; + +diff --git a/arch/arm64/boot/dts/marvell/armada-cp11x.dtsi b/arch/arm64/boot/dts/marvell/armada-cp11x.dtsi +index 9dcf16beabf5d..da83bfdbe8432 100644 +--- a/arch/arm64/boot/dts/marvell/armada-cp11x.dtsi ++++ b/arch/arm64/boot/dts/marvell/armada-cp11x.dtsi +@@ -477,14 +477,14 @@ CP11X_LABEL(sdhci0): sdhci@780000 { + CP11X_LABEL(crypto): crypto@800000 { + compatible = "inside-secure,safexcel-eip197b"; + reg = <0x800000 0x200000>; +- interrupts = <87 IRQ_TYPE_LEVEL_HIGH>, +- <88 IRQ_TYPE_LEVEL_HIGH>, ++ interrupts = <88 IRQ_TYPE_LEVEL_HIGH>, + <89 IRQ_TYPE_LEVEL_HIGH>, + <90 IRQ_TYPE_LEVEL_HIGH>, + <91 IRQ_TYPE_LEVEL_HIGH>, +- <92 IRQ_TYPE_LEVEL_HIGH>; +- interrupt-names = "mem", "ring0", "ring1", +- "ring2", "ring3", "eip"; ++ <92 IRQ_TYPE_LEVEL_HIGH>, ++ <87 IRQ_TYPE_LEVEL_HIGH>; ++ interrupt-names = "ring0", "ring1", "ring2", "ring3", ++ "eip", "mem"; + clock-names = "core", "reg"; + clocks = <&CP11X_LABEL(clk) 1 26>, + <&CP11X_LABEL(clk) 1 17>; +-- +2.43.0 + diff --git a/queue-5.10/arm64-dts-mediatek-mt7622-add-missing-device_type-to.patch b/queue-5.10/arm64-dts-mediatek-mt7622-add-missing-device_type-to.patch new file mode 100644 index 00000000000..3e45eba6109 --- /dev/null +++ b/queue-5.10/arm64-dts-mediatek-mt7622-add-missing-device_type-to.patch 
@@ -0,0 +1,57 @@ +From 682f9aac86a9fa4ba7f721af28a4c5fdb58a7765 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Jan 2024 14:23:57 +0100 +Subject: arm64: dts: mediatek: mt7622: add missing "device_type" to memory + nodes +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rafał Miłecki + +[ Upstream commit 99d100e00144bc01b49a697f4bc4398f2f7e7ce4 ] + +This fixes: +arch/arm64/boot/dts/mediatek/mt7622-rfb1.dtb: /: memory@40000000: 'device_type' is a required property + from schema $id: http://devicetree.org/schemas/memory.yaml# +arch/arm64/boot/dts/mediatek/mt7622-bananapi-bpi-r64.dtb: /: memory@40000000: 'device_type' is a required property + from schema $id: http://devicetree.org/schemas/memory.yaml# + +Signed-off-by: Rafał Miłecki +Reviewed-by: Matthias Brugger +Reviewed-by: AngeloGioacchino Del Regno +Link: https://lore.kernel.org/r/20240122132357.31264-1-zajec5@gmail.com +Signed-off-by: AngeloGioacchino Del Regno +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/mediatek/mt7622-bananapi-bpi-r64.dts | 1 + + arch/arm64/boot/dts/mediatek/mt7622-rfb1.dts | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/arch/arm64/boot/dts/mediatek/mt7622-bananapi-bpi-r64.dts b/arch/arm64/boot/dts/mediatek/mt7622-bananapi-bpi-r64.dts +index 7e6cffdc5a551..778174a7d649b 100644 +--- a/arch/arm64/boot/dts/mediatek/mt7622-bananapi-bpi-r64.dts ++++ b/arch/arm64/boot/dts/mediatek/mt7622-bananapi-bpi-r64.dts +@@ -71,6 +71,7 @@ red { + + memory@40000000 { + reg = <0 0x40000000 0 0x40000000>; ++ device_type = "memory"; + }; + + reg_1p8v: regulator-1p8v { +diff --git a/arch/arm64/boot/dts/mediatek/mt7622-rfb1.dts b/arch/arm64/boot/dts/mediatek/mt7622-rfb1.dts +index 993f033d0bf04..810575de66702 100644 +--- a/arch/arm64/boot/dts/mediatek/mt7622-rfb1.dts ++++ b/arch/arm64/boot/dts/mediatek/mt7622-rfb1.dts +@@ -57,6 +57,7 @@ wps { + + memory@40000000 { + reg = <0 0x40000000 0 0x20000000>; ++ device_type = "memory"; + }; + + 
reg_1p8v: regulator-1p8v { +-- +2.43.0 + diff --git a/queue-5.10/arm64-dts-qcom-msm8996-define-ufs-unipro-clock-limit.patch b/queue-5.10/arm64-dts-qcom-msm8996-define-ufs-unipro-clock-limit.patch new file mode 100644 index 00000000000..467860736b0 --- /dev/null +++ b/queue-5.10/arm64-dts-qcom-msm8996-define-ufs-unipro-clock-limit.patch @@ -0,0 +1,42 @@ +From 98b893b14388eaa630ac2417cd2ab3f3633675df Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Dec 2023 13:39:42 +0000 +Subject: arm64: dts: qcom: msm8996: Define UFS UniPro clock limits + +From: Yassine Oudjana + +[ Upstream commit 68c4c20848d71b0e69c3403becb5dd23e89e5896 ] + +These limits were always defined as 0, but that didn't cause any issue +since the driver had hardcoded limits. In commit b4e13e1ae95e ("scsi: ufs: +qcom: Add multiple frequency support for MAX_CORE_CLK_1US_CYCLES") the +hardcoded limits were removed and the driver started reading them from DT, +causing UFS to stop working on MSM8996. Add real UniPro clock limits to fix +UFS. + +Signed-off-by: Yassine Oudjana +Fixes: 57fc67ef0d35 ("arm64: dts: qcom: msm8996: Add ufs related nodes") +Reviewed-by: Konrad Dybcio +Link: https://lore.kernel.org/r/20231218133917.78770-1-y.oudjana@protonmail.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/msm8996.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/qcom/msm8996.dtsi b/arch/arm64/boot/dts/qcom/msm8996.dtsi +index 1fdb03c86135f..25e56b6ccaf66 100644 +--- a/arch/arm64/boot/dts/qcom/msm8996.dtsi ++++ b/arch/arm64/boot/dts/qcom/msm8996.dtsi +@@ -932,7 +932,7 @@ ufshc: ufshc@624000 { + <0 0>, + <0 0>, + <150000000 300000000>, +- <0 0>, ++ <75000000 150000000>, + <0 0>, + <0 0>, + <0 0>, +-- +2.43.0 + diff --git a/queue-5.10/arm64-dts-qcom-msm8996-fix-ufs-phy-clocks.patch b/queue-5.10/arm64-dts-qcom-msm8996-fix-ufs-phy-clocks.patch new file mode 100644 index 00000000000..e0a2d3480ba --- /dev/null 
+++ b/queue-5.10/arm64-dts-qcom-msm8996-fix-ufs-phy-clocks.patch @@ -0,0 +1,42 @@ +From f9ae001bedcecd607c19b4ec716fd1bb4c42edd1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Jan 2024 12:37:28 +0530 +Subject: arm64: dts: qcom: msm8996: Fix UFS PHY clocks + +From: Manivannan Sadhasivam + +[ Upstream commit c83fdb4335cec507d685ba9661ed7c4ccbaf12ff ] + +QMP PHY used in MSM8996 requires 2 clocks: + +* ref - 19.2MHz reference clock from RPM +* qref - QREF clock from GCC + +Fixes: 27520210e881 ("arm64: dts: qcom: msm8996: Use generic QMP driver for UFS") +Reviewed-by: Konrad Dybcio +Signed-off-by: Manivannan Sadhasivam +Link: https://lore.kernel.org/r/20240131-ufs-phy-clock-v3-5-58a49d2f4605@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/msm8996.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/boot/dts/qcom/msm8996.dtsi b/arch/arm64/boot/dts/qcom/msm8996.dtsi +index d766f3b5c03ec..1fdb03c86135f 100644 +--- a/arch/arm64/boot/dts/qcom/msm8996.dtsi ++++ b/arch/arm64/boot/dts/qcom/msm8996.dtsi +@@ -954,8 +954,8 @@ ufsphy: phy@627000 { + #size-cells = <1>; + ranges; + +- clocks = <&gcc GCC_UFS_CLKREF_CLK>; +- clock-names = "ref"; ++ clocks = <&rpmcc RPM_SMD_LN_BB_CLK>, <&gcc GCC_UFS_CLKREF_CLK>; ++ clock-names = "ref", "qref"; + + resets = <&ufshc 0>; + reset-names = "ufsphy"; +-- +2.43.0 + diff --git a/queue-5.10/arm64-dts-qcom-msm8998-fix-ufs-phy-clocks.patch b/queue-5.10/arm64-dts-qcom-msm8998-fix-ufs-phy-clocks.patch new file mode 100644 index 00000000000..9f1407d1f6a --- /dev/null +++ b/queue-5.10/arm64-dts-qcom-msm8998-fix-ufs-phy-clocks.patch 
@@ -0,0 +1,51 @@
+From aab07b9de8aac8b7b3cb3de6d9e4b61d1e094fb5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 31 Jan 2024 12:37:29 +0530
+Subject: arm64: dts: qcom: msm8998: Fix UFS PHY clocks
+
+From: Manivannan Sadhasivam
+
+[ Upstream commit 5e653a7ff4426242f22dd8bc6af7f29e10ee0d68 ]
+
+QMP PHY used in MSM8998 requires 3 clocks:
+
+* ref - 19.2MHz reference clock from RPM
+* ref_aux - Auxiliary reference clock from GCC
+* qref - QREF clock from GCC
+
+Fixes: cd3dbe2a4e6c ("arm64: dts: qcom: msm8998: Add UFS nodes")
+Reviewed-by: Konrad Dybcio
+Signed-off-by: Manivannan Sadhasivam
+Link: https://lore.kernel.org/r/20240131-ufs-phy-clock-v3-6-58a49d2f4605@linaro.org
+Signed-off-by: Bjorn Andersson
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/boot/dts/qcom/msm8998.dtsi | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/msm8998.dtsi b/arch/arm64/boot/dts/qcom/msm8998.dtsi
+index ca8e7848769a6..cccfef52520cd 100644
+--- a/arch/arm64/boot/dts/qcom/msm8998.dtsi
++++ b/arch/arm64/boot/dts/qcom/msm8998.dtsi
+@@ -1044,12 +1044,12 @@ ufsphy: phy@1da7000 {
+ #size-cells = <1>;
+ ranges;
+
+- clock-names =
+- "ref",
+- "ref_aux";
+- clocks =
+- <&gcc GCC_UFS_CLKREF_CLK>,
+- <&gcc GCC_UFS_PHY_AUX_CLK>;
++ clocks = <&rpmcc RPM_SMD_LN_BB_CLK1>,
++ <&gcc GCC_UFS_PHY_AUX_CLK>,
++ <&gcc GCC_UFS_CLKREF_CLK>;
++ clock-names = "ref",
++ "ref_aux",
++ "qref";
+
+ reset-names = "ufsphy";
+ resets = <&ufshc 0>;
+--
+2.43.0
+
diff --git a/queue-5.10/asoc-meson-aiu-fix-function-pointer-type-mismatch.patch b/queue-5.10/asoc-meson-aiu-fix-function-pointer-type-mismatch.patch
new file mode 100644
index 00000000000..53546c42e1d
--- /dev/null
+++ b/queue-5.10/asoc-meson-aiu-fix-function-pointer-type-mismatch.patch
@@ -0,0 +1,85 @@ +From 42b9dd419e165860067753fc9abdb914ad2b2417 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Feb 2024 22:58:03 +0100 +Subject: ASoC: meson: aiu: fix function pointer type mismatch + +From: Jerome Brunet + +[ Upstream commit 98ac85a00f31d2e9d5452b825a9ed0153d934043 ] + +clang-16 warns about casting functions to incompatible types, as is done +here to call clk_disable_unprepare: + +sound/soc/meson/aiu.c:243:12: error: cast from 'void (*)(struct clk *)' to 'void (*)(void *)' converts to incompatible function type [-Werror,-Wcast-function-type-strict] + 243 | (void(*)(void *))clk_disable_unprepare, + +The pattern of getting, enabling and setting a disable callback for a +clock can be replaced with devm_clk_get_enabled(), which also fixes +this warning. + +Fixes: 6ae9ca9ce986 ("ASoC: meson: aiu: add i2s and spdif support") +Reported-by: Arnd Bergmann +Signed-off-by: Jerome Brunet +Reviewed-by: Justin Stitt +Link: https://msgid.link/r/20240213215807.3326688-2-jbrunet@baylibre.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/meson/aiu.c | 19 ++++--------------- + sound/soc/meson/aiu.h | 1 - + 2 files changed, 4 insertions(+), 16 deletions(-) + +diff --git a/sound/soc/meson/aiu.c b/sound/soc/meson/aiu.c +index 386a31a044700..03bc3e5b6cab5 100644 +--- a/sound/soc/meson/aiu.c ++++ b/sound/soc/meson/aiu.c +@@ -215,11 +215,12 @@ static const char * const aiu_spdif_ids[] = { + static int aiu_clk_get(struct device *dev) + { + struct aiu *aiu = dev_get_drvdata(dev); ++ struct clk *pclk; + int ret; + +- aiu->pclk = devm_clk_get(dev, "pclk"); +- if (IS_ERR(aiu->pclk)) +- return dev_err_probe(dev, PTR_ERR(aiu->pclk), "Can't get the aiu pclk\n"); ++ pclk = devm_clk_get_enabled(dev, "pclk"); ++ if (IS_ERR(pclk)) ++ return dev_err_probe(dev, PTR_ERR(pclk), "Can't get the aiu pclk\n"); + + aiu->spdif_mclk = devm_clk_get(dev, "spdif_mclk"); + if (IS_ERR(aiu->spdif_mclk)) +@@ -236,18 +237,6 @@ static int aiu_clk_get(struct device 
*dev) + if (ret) + return dev_err_probe(dev, ret, "Can't get the spdif clocks\n"); + +- ret = clk_prepare_enable(aiu->pclk); +- if (ret) { +- dev_err(dev, "peripheral clock enable failed\n"); +- return ret; +- } +- +- ret = devm_add_action_or_reset(dev, +- (void(*)(void *))clk_disable_unprepare, +- aiu->pclk); +- if (ret) +- dev_err(dev, "failed to add reset action on pclk"); +- + return ret; + } + +diff --git a/sound/soc/meson/aiu.h b/sound/soc/meson/aiu.h +index 87aa19ac4af3a..44f8c213d35a0 100644 +--- a/sound/soc/meson/aiu.h ++++ b/sound/soc/meson/aiu.h +@@ -33,7 +33,6 @@ struct aiu_platform_data { + }; + + struct aiu { +- struct clk *pclk; + struct clk *spdif_mclk; + struct aiu_interface i2s; + struct aiu_interface spdif; +-- +2.43.0 + diff --git a/queue-5.10/asoc-meson-axg-tdm-interface-add-frame-rate-constrai.patch b/queue-5.10/asoc-meson-axg-tdm-interface-add-frame-rate-constrai.patch new file mode 100644 index 00000000000..907a713acb0 --- /dev/null +++ b/queue-5.10/asoc-meson-axg-tdm-interface-add-frame-rate-constrai.patch 
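Review bot: In the sound/soc/meson/aiu.c change, aiu_clk_get() still ends in `return ret;`, but with the enable/devm_add_action block removed the only value that can reach it is the 0 left after the preceding `if (ret) return dev_err_probe(...)` check, so `return 0;` would state the success path directly. The new local `pclk` is never read after the IS_ERR test; a comment such as `/* handle not kept: devres disables and releases pclk on unbind */` would explain why it is dropped. Because this is a 5.10 backport, it is worth confirming that the target tree already provides devm_clk_get_enabled(), which nothing in the visible part of this queue adds; the same question applies to the t9015 patch later in the series. aiu_clk_get() begins outside the inner hunk.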
@@ -0,0 +1,86 @@ +From 0ecb3fad39a35699420b47f03b48115c1295bb73 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Feb 2024 18:51:08 +0100 +Subject: ASoC: meson: axg-tdm-interface: add frame rate constraint + +From: Jerome Brunet + +[ Upstream commit 59c6a3a43b221cc2a211181b1298e43b2c2df782 ] + +According to Amlogic datasheets for the SoCs supported by this driver, the +maximum bit clock rate is 100MHz. + +The tdm interface allows the rates listed by the DAI driver, regardless of +the number slots or their width. However, these will impact the bit clock +rate. + +Hitting the 100MHz limit is very unlikely for most use cases but it is +possible. + +For example with 32 slots / 32 bits wide, the maximum rate is no longer +384kHz but ~96kHz. + +Add the constraint accordingly if the component is not already active. +If it is active, the rate is already constrained by the first stream rate. + +Fixes: d60e4f1e4be5 ("ASoC: meson: add tdm interface driver") +Signed-off-by: Jerome Brunet +Link: https://msgid.link/r/20240223175116.2005407-3-jbrunet@baylibre.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/meson/axg-tdm-interface.c | 25 ++++++++++++++++++------- + 1 file changed, 18 insertions(+), 7 deletions(-) + +diff --git a/sound/soc/meson/axg-tdm-interface.c b/sound/soc/meson/axg-tdm-interface.c +index ac43a7ab7bcf6..60d132ab1ab78 100644 +--- a/sound/soc/meson/axg-tdm-interface.c ++++ b/sound/soc/meson/axg-tdm-interface.c +@@ -12,6 +12,9 @@ + + #include "axg-tdm.h" + ++/* Maximum bit clock frequency according the datasheets */ ++#define MAX_SCLK 100000000 /* Hz */ ++ + enum { + TDM_IFACE_PAD, + TDM_IFACE_LOOPBACK, +@@ -155,19 +158,27 @@ static int axg_tdm_iface_startup(struct snd_pcm_substream *substream, + return -EINVAL; + } + +- /* Apply component wide rate symmetry */ + if (snd_soc_component_active(dai->component)) { ++ /* Apply component wide rate symmetry */ + ret = snd_pcm_hw_constraint_single(substream->runtime, + 
SNDRV_PCM_HW_PARAM_RATE, + iface->rate); +- if (ret < 0) { +- dev_err(dai->dev, +- "can't set iface rate constraint\n"); +- return ret; +- } ++ ++ } else { ++ /* Limit rate according to the slot number and width */ ++ unsigned int max_rate = ++ MAX_SCLK / (iface->slots * iface->slot_width); ++ ret = snd_pcm_hw_constraint_minmax(substream->runtime, ++ SNDRV_PCM_HW_PARAM_RATE, ++ 0, max_rate); + } + +- return 0; ++ if (ret < 0) ++ dev_err(dai->dev, "can't set iface rate constraint\n"); ++ else ++ ret = 0; ++ ++ return ret; + } + + static int axg_tdm_iface_set_stream(struct snd_pcm_substream *substream, +-- +2.43.0 + diff --git a/queue-5.10/asoc-meson-axg-tdm-interface-fix-mclk-setup-without-.patch b/queue-5.10/asoc-meson-axg-tdm-interface-fix-mclk-setup-without-.patch new file mode 100644 index 00000000000..196b9b243bd --- /dev/null +++ b/queue-5.10/asoc-meson-axg-tdm-interface-fix-mclk-setup-without-.patch 
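Review bot: The new else branch in axg_tdm_iface_startup() divides `MAX_SCLK` by `iface->slots * iface->slot_width` with no visible check that the product is non-zero; the only guard shown above it is the `return -EINVAL` path, whose condition lies outside the hunk. If either field can still be zero when a stream is opened (to be confirmed against the code that sets them), this is a division by zero in kernel context. A guard such as `if (!iface->slots || !iface->slot_width) return -EINVAL;` ahead of the `max_rate` computation would make the assumption explicit. The added comment would also read better as `/* Maximum bit clock frequency according to the datasheets */`.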
@@ -0,0 +1,49 @@
+From 88643204ca145c5bcfdc44a659b8db6ce03343d2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 23 Feb 2024 18:51:07 +0100
+Subject: ASoC: meson: axg-tdm-interface: fix mclk setup without mclk-fs
+
+From: Jerome Brunet
+
+[ Upstream commit e3741a8d28a1137f8b19ae6f3d6e3be69a454a0a ]
+
+By default, when mclk-fs is not provided, the tdm-interface driver
+requests an MCLK that is 4x the bit clock, SCLK.
+
+However there is no justification for this:
+
+* If the codec needs MCLK for its operation, mclk-fs is expected to be set
+ according to the codec requirements.
+* If the codec does not need MCLK the minimum is 2 * SCLK, because this is
+ minimum the divider between SCLK and MCLK can do.
+
+Multiplying by 4 may cause problems because the PLL limit may be reached
+sooner than it should, so use 2x instead.
+
+Fixes: d60e4f1e4be5 ("ASoC: meson: add tdm interface driver")
+Signed-off-by: Jerome Brunet
+Link: https://msgid.link/r/20240223175116.2005407-2-jbrunet@baylibre.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/meson/axg-tdm-interface.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/meson/axg-tdm-interface.c b/sound/soc/meson/axg-tdm-interface.c
+index e076ced300257..ac43a7ab7bcf6 100644
+--- a/sound/soc/meson/axg-tdm-interface.c
++++ b/sound/soc/meson/axg-tdm-interface.c
+@@ -266,8 +266,8 @@ static int axg_tdm_iface_set_sclk(struct snd_soc_dai *dai,
+ srate = iface->slots * iface->slot_width * params_rate(params);
+
+ if (!iface->mclk_rate) {
+- /* If no specific mclk is requested, default to bit clock * 4 */
+- clk_set_rate(iface->mclk, 4 * srate);
++ /* If no specific mclk is requested, default to bit clock * 2 */
++ clk_set_rate(iface->mclk, 2 * srate);
+ } else {
+ /* Check if we can actually get the bit clock from mclk */
+ if (iface->mclk_rate % srate) {
+--
+2.43.0
+
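Review bot: The changed call `clk_set_rate(iface->mclk, 2 * srate);` still discards its return value, so a rate the clock tree cannot provide goes unnoticed on the default (no mclk-fs) path, while the else branch directly below does validate `iface->mclk_rate % srate`. Checking the result, for example `ret = clk_set_rate(iface->mclk, 2 * srate);` followed by `if (ret) return ret;` (assuming the function has a suitable local, which the hunk does not show), would make the two branches fail consistently. axg_tdm_iface_set_sclk() starts and ends outside the inner hunk.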
diff --git a/queue-5.10/asoc-meson-t9015-fix-function-pointer-type-mismatch.patch b/queue-5.10/asoc-meson-t9015-fix-function-pointer-type-mismatch.patch new file mode 100644 index 00000000000..b033c7c82f9 --- /dev/null +++ b/queue-5.10/asoc-meson-t9015-fix-function-pointer-type-mismatch.patch 
@@ -0,0 +1,83 @@ +From 43778655732a877b951aa757617d94df769226a0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Feb 2024 22:58:04 +0100 +Subject: ASoC: meson: t9015: fix function pointer type mismatch + +From: Jerome Brunet + +[ Upstream commit 5ad992c71b6a8e8a547954addc7af9fbde6ca10a ] + +clang-16 warns about casting functions to incompatible types, as is done +here to call clk_disable_unprepare: + +sound/soc/meson/t9015.c:274:4: error: cast from 'void (*)(struct clk *)' to 'void (*)(void *)' converts to incompatible function type [-Werror,-Wcast-function-type-strict] + 274 | (void(*)(void *))clk_disable_unprepare, + +The pattern of getting, enabling and setting a disable callback for a +clock can be replaced with devm_clk_get_enabled(), which also fixes +this warning. + +Fixes: 33901f5b9b16 ("ASoC: meson: add t9015 internal DAC driver") +Reported-by: Arnd Bergmann +Signed-off-by: Jerome Brunet +Reviewed-by: Justin Stitt +Link: https://msgid.link/r/20240213215807.3326688-3-jbrunet@baylibre.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/meson/t9015.c | 20 ++++---------------- + 1 file changed, 4 insertions(+), 16 deletions(-) + +diff --git a/sound/soc/meson/t9015.c b/sound/soc/meson/t9015.c +index cb1eaf678fc3f..b085aa65c688c 100644 +--- a/sound/soc/meson/t9015.c ++++ b/sound/soc/meson/t9015.c +@@ -48,7 +48,6 @@ + #define POWER_CFG 0x10 + + struct t9015 { +- struct clk *pclk; + struct regulator *avdd; + }; + +@@ -250,6 +249,7 @@ static int t9015_probe(struct platform_device *pdev) + struct t9015 *priv; + void __iomem *regs; + struct regmap *regmap; ++ struct clk *pclk; + int ret; + + priv = devm_kzalloc(dev, sizeof(*priv), GFP_KERNEL); +@@ -257,26 +257,14 @@ static int t9015_probe(struct platform_device *pdev) + return -ENOMEM; + platform_set_drvdata(pdev, priv); + +- priv->pclk = devm_clk_get(dev, "pclk"); +- if (IS_ERR(priv->pclk)) +- return dev_err_probe(dev, PTR_ERR(priv->pclk), "failed to get core clock\n"); ++ pclk = 
devm_clk_get_enabled(dev, "pclk"); ++ if (IS_ERR(pclk)) ++ return dev_err_probe(dev, PTR_ERR(pclk), "failed to get core clock\n"); + + priv->avdd = devm_regulator_get(dev, "AVDD"); + if (IS_ERR(priv->avdd)) + return dev_err_probe(dev, PTR_ERR(priv->avdd), "failed to AVDD\n"); + +- ret = clk_prepare_enable(priv->pclk); +- if (ret) { +- dev_err(dev, "core clock enable failed\n"); +- return ret; +- } +- +- ret = devm_add_action_or_reset(dev, +- (void(*)(void *))clk_disable_unprepare, +- priv->pclk); +- if (ret) +- return ret; +- + ret = device_reset(dev); + if (ret) { + dev_err(dev, "reset failed\n"); +-- +2.43.0 + diff --git a/queue-5.10/asoc-meson-use-dev_err_probe-helper.patch b/queue-5.10/asoc-meson-use-dev_err_probe-helper.patch new file mode 100644 index 00000000000..07043dc266d --- /dev/null +++ b/queue-5.10/asoc-meson-use-dev_err_probe-helper.patch 
@@ -0,0 +1,420 @@ +From f2712da341a75b54211499a421b5477d7c45a957 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Dec 2021 11:08:37 +0900 +Subject: ASoC: meson: Use dev_err_probe() helper + +From: Kuninori Morimoto + +[ Upstream commit 2ff4e003e8e105fb65c682c876a5cb0e00f854bf ] + +Use the dev_err_probe() helper, instead of open-coding the same +operation. + +Signed-off-by: Kuninori Morimoto +Link: https://lore.kernel.org/r/20211214020843.2225831-17-kuninori.morimoto.gx@renesas.com +Signed-off-by: Mark Brown +Stable-dep-of: 98ac85a00f31 ("ASoC: meson: aiu: fix function pointer type mismatch") +Signed-off-by: Sasha Levin +--- + sound/soc/meson/aiu.c | 36 +++++++-------------- + sound/soc/meson/axg-fifo.c | 16 +++------ + sound/soc/meson/axg-pdm.c | 25 ++++----------- + sound/soc/meson/axg-spdifin.c | 17 +++------- + sound/soc/meson/axg-spdifout.c | 17 +++------- + sound/soc/meson/axg-tdm-formatter.c | 50 ++++++++--------------------- + sound/soc/meson/axg-tdm-interface.c | 25 ++++----------- + sound/soc/meson/meson-card-utils.c | 8 ++--- + sound/soc/meson/t9015.c | 14 +++----- + 9 files changed, 56 insertions(+), 152 deletions(-) + +diff --git a/sound/soc/meson/aiu.c b/sound/soc/meson/aiu.c +index dc35ca79021c5..386a31a044700 100644 +--- a/sound/soc/meson/aiu.c ++++ b/sound/soc/meson/aiu.c +@@ -218,34 +218,23 @@ static int aiu_clk_get(struct device *dev) + int ret; + + aiu->pclk = devm_clk_get(dev, "pclk"); +- if (IS_ERR(aiu->pclk)) { +- if (PTR_ERR(aiu->pclk) != -EPROBE_DEFER) +- dev_err(dev, "Can't get the aiu pclk\n"); +- return PTR_ERR(aiu->pclk); +- } ++ if (IS_ERR(aiu->pclk)) ++ return dev_err_probe(dev, PTR_ERR(aiu->pclk), "Can't get the aiu pclk\n"); + + aiu->spdif_mclk = devm_clk_get(dev, "spdif_mclk"); +- if (IS_ERR(aiu->spdif_mclk)) { +- if (PTR_ERR(aiu->spdif_mclk) != -EPROBE_DEFER) +- dev_err(dev, "Can't get the aiu spdif master clock\n"); +- return PTR_ERR(aiu->spdif_mclk); +- } ++ if (IS_ERR(aiu->spdif_mclk)) ++ return dev_err_probe(dev, 
PTR_ERR(aiu->spdif_mclk), ++ "Can't get the aiu spdif master clock\n"); + + ret = aiu_clk_bulk_get(dev, aiu_i2s_ids, ARRAY_SIZE(aiu_i2s_ids), + &aiu->i2s); +- if (ret) { +- if (ret != -EPROBE_DEFER) +- dev_err(dev, "Can't get the i2s clocks\n"); +- return ret; +- } ++ if (ret) ++ return dev_err_probe(dev, ret, "Can't get the i2s clocks\n"); + + ret = aiu_clk_bulk_get(dev, aiu_spdif_ids, ARRAY_SIZE(aiu_spdif_ids), + &aiu->spdif); +- if (ret) { +- if (ret != -EPROBE_DEFER) +- dev_err(dev, "Can't get the spdif clocks\n"); +- return ret; +- } ++ if (ret) ++ return dev_err_probe(dev, ret, "Can't get the spdif clocks\n"); + + ret = clk_prepare_enable(aiu->pclk); + if (ret) { +@@ -281,11 +270,8 @@ static int aiu_probe(struct platform_device *pdev) + platform_set_drvdata(pdev, aiu); + + ret = device_reset(dev); +- if (ret) { +- if (ret != -EPROBE_DEFER) +- dev_err(dev, "Failed to reset device\n"); +- return ret; +- } ++ if (ret) ++ return dev_err_probe(dev, ret, "Failed to reset device\n"); + + regs = devm_platform_ioremap_resource(pdev, 0); + if (IS_ERR(regs)) +diff --git a/sound/soc/meson/axg-fifo.c b/sound/soc/meson/axg-fifo.c +index b2e867113226b..295c0fc30745e 100644 +--- a/sound/soc/meson/axg-fifo.c ++++ b/sound/soc/meson/axg-fifo.c +@@ -350,20 +350,12 @@ int axg_fifo_probe(struct platform_device *pdev) + } + + fifo->pclk = devm_clk_get(dev, NULL); +- if (IS_ERR(fifo->pclk)) { +- if (PTR_ERR(fifo->pclk) != -EPROBE_DEFER) +- dev_err(dev, "failed to get pclk: %ld\n", +- PTR_ERR(fifo->pclk)); +- return PTR_ERR(fifo->pclk); +- } ++ if (IS_ERR(fifo->pclk)) ++ return dev_err_probe(dev, PTR_ERR(fifo->pclk), "failed to get pclk\n"); + + fifo->arb = devm_reset_control_get_exclusive(dev, NULL); +- if (IS_ERR(fifo->arb)) { +- if (PTR_ERR(fifo->arb) != -EPROBE_DEFER) +- dev_err(dev, "failed to get arb reset: %ld\n", +- PTR_ERR(fifo->arb)); +- return PTR_ERR(fifo->arb); +- } ++ if (IS_ERR(fifo->arb)) ++ return dev_err_probe(dev, PTR_ERR(fifo->arb), "failed to get arb reset\n"); + 
+ fifo->irq = of_irq_get(dev->of_node, 0); + if (fifo->irq <= 0) { +diff --git a/sound/soc/meson/axg-pdm.c b/sound/soc/meson/axg-pdm.c +index bfd37d49a73ef..672e43a9729dc 100644 +--- a/sound/soc/meson/axg-pdm.c ++++ b/sound/soc/meson/axg-pdm.c +@@ -586,7 +586,6 @@ static int axg_pdm_probe(struct platform_device *pdev) + struct device *dev = &pdev->dev; + struct axg_pdm *priv; + void __iomem *regs; +- int ret; + + priv = devm_kzalloc(dev, sizeof(*priv), GFP_KERNEL); + if (!priv) +@@ -611,28 +610,16 @@ static int axg_pdm_probe(struct platform_device *pdev) + } + + priv->pclk = devm_clk_get(dev, "pclk"); +- if (IS_ERR(priv->pclk)) { +- ret = PTR_ERR(priv->pclk); +- if (ret != -EPROBE_DEFER) +- dev_err(dev, "failed to get pclk: %d\n", ret); +- return ret; +- } ++ if (IS_ERR(priv->pclk)) ++ return dev_err_probe(dev, PTR_ERR(priv->pclk), "failed to get pclk\n"); + + priv->dclk = devm_clk_get(dev, "dclk"); +- if (IS_ERR(priv->dclk)) { +- ret = PTR_ERR(priv->dclk); +- if (ret != -EPROBE_DEFER) +- dev_err(dev, "failed to get dclk: %d\n", ret); +- return ret; +- } ++ if (IS_ERR(priv->dclk)) ++ return dev_err_probe(dev, PTR_ERR(priv->dclk), "failed to get dclk\n"); + + priv->sysclk = devm_clk_get(dev, "sysclk"); +- if (IS_ERR(priv->sysclk)) { +- ret = PTR_ERR(priv->sysclk); +- if (ret != -EPROBE_DEFER) +- dev_err(dev, "failed to get dclk: %d\n", ret); +- return ret; +- } ++ if (IS_ERR(priv->sysclk)) ++ return dev_err_probe(dev, PTR_ERR(priv->sysclk), "failed to get dclk\n"); + + return devm_snd_soc_register_component(dev, &axg_pdm_component_drv, + &axg_pdm_dai_drv, 1); +diff --git a/sound/soc/meson/axg-spdifin.c b/sound/soc/meson/axg-spdifin.c +index 7aaded1fc376b..245189d2ee95f 100644 +--- a/sound/soc/meson/axg-spdifin.c ++++ b/sound/soc/meson/axg-spdifin.c +@@ -439,7 +439,6 @@ static int axg_spdifin_probe(struct platform_device *pdev) + struct axg_spdifin *priv; + struct snd_soc_dai_driver *dai_drv; + void __iomem *regs; +- int ret; + + priv = devm_kzalloc(dev, 
sizeof(*priv), GFP_KERNEL); + if (!priv) +@@ -464,20 +463,12 @@ static int axg_spdifin_probe(struct platform_device *pdev) + } + + priv->pclk = devm_clk_get(dev, "pclk"); +- if (IS_ERR(priv->pclk)) { +- ret = PTR_ERR(priv->pclk); +- if (ret != -EPROBE_DEFER) +- dev_err(dev, "failed to get pclk: %d\n", ret); +- return ret; +- } ++ if (IS_ERR(priv->pclk)) ++ return dev_err_probe(dev, PTR_ERR(priv->pclk), "failed to get pclk\n"); + + priv->refclk = devm_clk_get(dev, "refclk"); +- if (IS_ERR(priv->refclk)) { +- ret = PTR_ERR(priv->refclk); +- if (ret != -EPROBE_DEFER) +- dev_err(dev, "failed to get mclk: %d\n", ret); +- return ret; +- } ++ if (IS_ERR(priv->refclk)) ++ return dev_err_probe(dev, PTR_ERR(priv->refclk), "failed to get mclk\n"); + + dai_drv = axg_spdifin_get_dai_drv(dev, priv); + if (IS_ERR(dai_drv)) { +diff --git a/sound/soc/meson/axg-spdifout.c b/sound/soc/meson/axg-spdifout.c +index e769a5ee6e27e..3960d082e1436 100644 +--- a/sound/soc/meson/axg-spdifout.c ++++ b/sound/soc/meson/axg-spdifout.c +@@ -403,7 +403,6 @@ static int axg_spdifout_probe(struct platform_device *pdev) + struct device *dev = &pdev->dev; + struct axg_spdifout *priv; + void __iomem *regs; +- int ret; + + priv = devm_kzalloc(dev, sizeof(*priv), GFP_KERNEL); + if (!priv) +@@ -422,20 +421,12 @@ static int axg_spdifout_probe(struct platform_device *pdev) + } + + priv->pclk = devm_clk_get(dev, "pclk"); +- if (IS_ERR(priv->pclk)) { +- ret = PTR_ERR(priv->pclk); +- if (ret != -EPROBE_DEFER) +- dev_err(dev, "failed to get pclk: %d\n", ret); +- return ret; +- } ++ if (IS_ERR(priv->pclk)) ++ return dev_err_probe(dev, PTR_ERR(priv->pclk), "failed to get pclk\n"); + + priv->mclk = devm_clk_get(dev, "mclk"); +- if (IS_ERR(priv->mclk)) { +- ret = PTR_ERR(priv->mclk); +- if (ret != -EPROBE_DEFER) +- dev_err(dev, "failed to get mclk: %d\n", ret); +- return ret; +- } ++ if (IS_ERR(priv->mclk)) ++ return dev_err_probe(dev, PTR_ERR(priv->mclk), "failed to get mclk\n"); + + return 
devm_snd_soc_register_component(dev, &axg_spdifout_component_drv, + axg_spdifout_dai_drv, ARRAY_SIZE(axg_spdifout_dai_drv)); +diff --git a/sound/soc/meson/axg-tdm-formatter.c b/sound/soc/meson/axg-tdm-formatter.c +index 4834cfd163c03..63333a2b0a9c3 100644 +--- a/sound/soc/meson/axg-tdm-formatter.c ++++ b/sound/soc/meson/axg-tdm-formatter.c +@@ -265,7 +265,6 @@ int axg_tdm_formatter_probe(struct platform_device *pdev) + const struct axg_tdm_formatter_driver *drv; + struct axg_tdm_formatter *formatter; + void __iomem *regs; +- int ret; + + drv = of_device_get_match_data(dev); + if (!drv) { +@@ -292,57 +291,34 @@ int axg_tdm_formatter_probe(struct platform_device *pdev) + + /* Peripharal clock */ + formatter->pclk = devm_clk_get(dev, "pclk"); +- if (IS_ERR(formatter->pclk)) { +- ret = PTR_ERR(formatter->pclk); +- if (ret != -EPROBE_DEFER) +- dev_err(dev, "failed to get pclk: %d\n", ret); +- return ret; +- } ++ if (IS_ERR(formatter->pclk)) ++ return dev_err_probe(dev, PTR_ERR(formatter->pclk), "failed to get pclk\n"); + + /* Formatter bit clock */ + formatter->sclk = devm_clk_get(dev, "sclk"); +- if (IS_ERR(formatter->sclk)) { +- ret = PTR_ERR(formatter->sclk); +- if (ret != -EPROBE_DEFER) +- dev_err(dev, "failed to get sclk: %d\n", ret); +- return ret; +- } ++ if (IS_ERR(formatter->sclk)) ++ return dev_err_probe(dev, PTR_ERR(formatter->sclk), "failed to get sclk\n"); + + /* Formatter sample clock */ + formatter->lrclk = devm_clk_get(dev, "lrclk"); +- if (IS_ERR(formatter->lrclk)) { +- ret = PTR_ERR(formatter->lrclk); +- if (ret != -EPROBE_DEFER) +- dev_err(dev, "failed to get lrclk: %d\n", ret); +- return ret; +- } ++ if (IS_ERR(formatter->lrclk)) ++ return dev_err_probe(dev, PTR_ERR(formatter->lrclk), "failed to get lrclk\n"); + + /* Formatter bit clock input multiplexer */ + formatter->sclk_sel = devm_clk_get(dev, "sclk_sel"); +- if (IS_ERR(formatter->sclk_sel)) { +- ret = PTR_ERR(formatter->sclk_sel); +- if (ret != -EPROBE_DEFER) +- dev_err(dev, "failed to get 
sclk_sel: %d\n", ret); +- return ret; +- } ++ if (IS_ERR(formatter->sclk_sel)) ++ return dev_err_probe(dev, PTR_ERR(formatter->sclk_sel), "failed to get sclk_sel\n"); + + /* Formatter sample clock input multiplexer */ + formatter->lrclk_sel = devm_clk_get(dev, "lrclk_sel"); +- if (IS_ERR(formatter->lrclk_sel)) { +- ret = PTR_ERR(formatter->lrclk_sel); +- if (ret != -EPROBE_DEFER) +- dev_err(dev, "failed to get lrclk_sel: %d\n", ret); +- return ret; +- } ++ if (IS_ERR(formatter->lrclk_sel)) ++ return dev_err_probe(dev, PTR_ERR(formatter->lrclk_sel), ++ "failed to get lrclk_sel\n"); + + /* Formatter dedicated reset line */ + formatter->reset = devm_reset_control_get_optional_exclusive(dev, NULL); +- if (IS_ERR(formatter->reset)) { +- ret = PTR_ERR(formatter->reset); +- if (ret != -EPROBE_DEFER) +- dev_err(dev, "failed to get reset: %d\n", ret); +- return ret; +- } ++ if (IS_ERR(formatter->reset)) ++ return dev_err_probe(dev, PTR_ERR(formatter->reset), "failed to get reset\n"); + + return devm_snd_soc_register_component(dev, drv->component_drv, + NULL, 0); +diff --git a/sound/soc/meson/axg-tdm-interface.c b/sound/soc/meson/axg-tdm-interface.c +index 87cac440b3693..e076ced300257 100644 +--- a/sound/soc/meson/axg-tdm-interface.c ++++ b/sound/soc/meson/axg-tdm-interface.c +@@ -517,21 +517,13 @@ static int axg_tdm_iface_probe(struct platform_device *pdev) + + /* Bit clock provided on the pad */ + iface->sclk = devm_clk_get(dev, "sclk"); +- if (IS_ERR(iface->sclk)) { +- ret = PTR_ERR(iface->sclk); +- if (ret != -EPROBE_DEFER) +- dev_err(dev, "failed to get sclk: %d\n", ret); +- return ret; +- } ++ if (IS_ERR(iface->sclk)) ++ return dev_err_probe(dev, PTR_ERR(iface->sclk), "failed to get sclk\n"); + + /* Sample clock provided on the pad */ + iface->lrclk = devm_clk_get(dev, "lrclk"); +- if (IS_ERR(iface->lrclk)) { +- ret = PTR_ERR(iface->lrclk); +- if (ret != -EPROBE_DEFER) +- dev_err(dev, "failed to get lrclk: %d\n", ret); +- return ret; +- } ++ if (IS_ERR(iface->lrclk)) 
++ return dev_err_probe(dev, PTR_ERR(iface->lrclk), "failed to get lrclk\n"); + + /* + * mclk maybe be missing when the cpu dai is in slave mode and +@@ -542,13 +534,10 @@ static int axg_tdm_iface_probe(struct platform_device *pdev) + iface->mclk = devm_clk_get(dev, "mclk"); + if (IS_ERR(iface->mclk)) { + ret = PTR_ERR(iface->mclk); +- if (ret == -ENOENT) { ++ if (ret == -ENOENT) + iface->mclk = NULL; +- } else { +- if (ret != -EPROBE_DEFER) +- dev_err(dev, "failed to get mclk: %d\n", ret); +- return ret; +- } ++ else ++ return dev_err_probe(dev, ret, "failed to get mclk\n"); + } + + return devm_snd_soc_register_component(dev, +diff --git a/sound/soc/meson/meson-card-utils.c b/sound/soc/meson/meson-card-utils.c +index 300ac8be46ef8..0e2691f011b7b 100644 +--- a/sound/soc/meson/meson-card-utils.c ++++ b/sound/soc/meson/meson-card-utils.c +@@ -85,11 +85,9 @@ int meson_card_parse_dai(struct snd_soc_card *card, + + ret = of_parse_phandle_with_args(node, "sound-dai", + "#sound-dai-cells", 0, &args); +- if (ret) { +- if (ret != -EPROBE_DEFER) +- dev_err(card->dev, "can't parse dai %d\n", ret); +- return ret; +- } ++ if (ret) ++ return dev_err_probe(card->dev, ret, "can't parse dai\n"); ++ + *dai_of_node = args.np; + + return snd_soc_get_dai_name(&args, dai_name); +diff --git a/sound/soc/meson/t9015.c b/sound/soc/meson/t9015.c +index 56d2592c16d53..cb1eaf678fc3f 100644 +--- a/sound/soc/meson/t9015.c ++++ b/sound/soc/meson/t9015.c +@@ -258,18 +258,12 @@ static int t9015_probe(struct platform_device *pdev) + platform_set_drvdata(pdev, priv); + + priv->pclk = devm_clk_get(dev, "pclk"); +- if (IS_ERR(priv->pclk)) { +- if (PTR_ERR(priv->pclk) != -EPROBE_DEFER) +- dev_err(dev, "failed to get core clock\n"); +- return PTR_ERR(priv->pclk); +- } ++ if (IS_ERR(priv->pclk)) ++ return dev_err_probe(dev, PTR_ERR(priv->pclk), "failed to get core clock\n"); + + priv->avdd = devm_regulator_get(dev, "AVDD"); +- if (IS_ERR(priv->avdd)) { +- if (PTR_ERR(priv->avdd) != -EPROBE_DEFER) +- 
dev_err(dev, "failed to AVDD\n"); +- return PTR_ERR(priv->avdd); +- } ++ if (IS_ERR(priv->avdd)) ++ return dev_err_probe(dev, PTR_ERR(priv->avdd), "failed to AVDD\n"); + + ret = clk_prepare_enable(priv->pclk); + if (ret) { +-- +2.43.0 + diff --git a/queue-5.10/backlight-da9052-fully-initialize-backlight_properti.patch b/queue-5.10/backlight-da9052-fully-initialize-backlight_properti.patch new file mode 100644 index 00000000000..101b8f6846f --- /dev/null +++ b/queue-5.10/backlight-da9052-fully-initialize-backlight_properti.patch @@ -0,0 +1,37 @@ +From d52710c639fb5edb1db04c63a4b77c8e0280cfd9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Feb 2024 15:35:24 +0000 +Subject: backlight: da9052: Fully initialize backlight_properties during probe + +From: Daniel Thompson + +[ Upstream commit 0285e9efaee8276305db5c52a59baf84e9731556 ] + +props is stack allocated and the fields that are not explcitly set +by the probe function need to be zeroed or we'll get undefined behaviour +(especially so power/blank states)! + +Fixes: 6ede3d832aaa ("backlight: add driver for DA9052/53 PMIC v1") +Signed-off-by: Daniel Thompson +Link: https://lore.kernel.org/r/20240220153532.76613-2-daniel.thompson@linaro.org +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/video/backlight/da9052_bl.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/video/backlight/da9052_bl.c b/drivers/video/backlight/da9052_bl.c +index 882359dd288c0..aa00379392a0f 100644 +--- a/drivers/video/backlight/da9052_bl.c ++++ b/drivers/video/backlight/da9052_bl.c +@@ -117,6 +117,7 @@ static int da9052_backlight_probe(struct platform_device *pdev) + wleds->led_reg = platform_get_device_id(pdev)->driver_data; + wleds->state = DA9052_WLEDS_OFF; + ++ memset(&props, 0, sizeof(struct backlight_properties)); + props.type = BACKLIGHT_RAW; + props.max_brightness = DA9052_MAX_BRIGHTNESS; + +-- +2.43.0 + 
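Review bot: Two of the converted messages name the wrong clock: in axg_pdm_probe() a failure to get `sysclk` is reported as "failed to get dclk", and in axg_spdifin_probe() a failure to get `refclk` is reported as "failed to get mclk". Both strings are carried over from the removed dev_err() calls, but since these lines are rewritten anyway they could be corrected here: `return dev_err_probe(dev, PTR_ERR(priv->sysclk), "failed to get sysclk\n");` and `return dev_err_probe(dev, PTR_ERR(priv->refclk), "failed to get refclk\n");`. The t9015 message "failed to AVDD" is likewise missing its verb. The probe functions start and end outside the hunks.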
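Review bot: The added `memset(&props, 0, sizeof(struct backlight_properties));` in da9052_backlight_probe() names the type rather than the object, so the size would silently go stale if the declaration of `props` ever changed; `memset(&props, 0, sizeof(props));` ties it to the variable. The same line is added in lm3630a_backlight_register(), lm3639_probe() and lp8788_backlight_register() in the patches that follow. All four functions start and end outside their hunks.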
diff --git a/queue-5.10/backlight-lm3630a-don-t-set-bl-props.brightness-in-g.patch b/queue-5.10/backlight-lm3630a-don-t-set-bl-props.brightness-in-g.patch new file mode 100644 index 00000000000..5931f523731 --- /dev/null +++ b/queue-5.10/backlight-lm3630a-don-t-set-bl-props.brightness-in-g.patch 
@@ -0,0 +1,77 @@ +From c3de243c72ce1d14f632d745239f3acc2226296b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Feb 2024 00:11:20 +0100 +Subject: backlight: lm3630a: Don't set bl->props.brightness in get_brightness + +From: Luca Weiss + +[ Upstream commit 4bf7ddd2d2f0f8826f25f74c7eba4e2c323a1446 ] + +There's no need to set bl->props.brightness, the get_brightness function +is just supposed to return the current brightness and not touch the +struct. + +With that done we can also remove the 'goto out' and just return the +value. + +Fixes: 0c2a665a648e ("backlight: add Backlight driver for lm3630 chip") +Signed-off-by: Luca Weiss +Reviewed-by: Daniel Thompson +Link: https://lore.kernel.org/r/20240220-lm3630a-fixups-v1-2-9ca62f7e4a33@z3ntu.xyz +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/video/backlight/lm3630a_bl.c | 14 ++++---------- + 1 file changed, 4 insertions(+), 10 deletions(-) + +diff --git a/drivers/video/backlight/lm3630a_bl.c b/drivers/video/backlight/lm3630a_bl.c +index 2aade66db3cf4..2134342c2c97d 100644 +--- a/drivers/video/backlight/lm3630a_bl.c ++++ b/drivers/video/backlight/lm3630a_bl.c +@@ -229,7 +229,7 @@ static int lm3630a_bank_a_get_brightness(struct backlight_device *bl) + if (rval < 0) + goto out_i2c_err; + brightness |= rval; +- goto out; ++ return brightness; + } + + /* disable sleep */ +@@ -240,11 +240,8 @@ static int lm3630a_bank_a_get_brightness(struct backlight_device *bl) + rval = lm3630a_read(pchip, REG_BRT_A); + if (rval < 0) + goto out_i2c_err; +- brightness = rval; ++ return rval; + +-out: +- bl->props.brightness = brightness; +- return bl->props.brightness; + out_i2c_err: + dev_err(pchip->dev, "i2c failed to access register\n"); + return 0; +@@ -306,7 +303,7 @@ static int lm3630a_bank_b_get_brightness(struct backlight_device *bl) + if (rval < 0) + goto out_i2c_err; + brightness |= rval; +- goto out; ++ return brightness; + } + + /* disable sleep */ +@@ -317,11 +314,8 @@ static int 
lm3630a_bank_b_get_brightness(struct backlight_device *bl) + rval = lm3630a_read(pchip, REG_BRT_B); + if (rval < 0) + goto out_i2c_err; +- brightness = rval; ++ return rval; + +-out: +- bl->props.brightness = brightness; +- return bl->props.brightness; + out_i2c_err: + dev_err(pchip->dev, "i2c failed to access register\n"); + return 0; +-- +2.43.0 + diff --git a/queue-5.10/backlight-lm3630a-initialize-backlight_properties-on.patch b/queue-5.10/backlight-lm3630a-initialize-backlight_properties-on.patch new file mode 100644 index 00000000000..64e86642cdb --- /dev/null +++ b/queue-5.10/backlight-lm3630a-initialize-backlight_properties-on.patch 
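Review bot: Both lm3630a_bank_a_get_brightness() and lm3630a_bank_b_get_brightness() still end their `out_i2c_err` path with `return 0;`, so a failed register read remains indistinguishable from a backlight that is genuinely at brightness 0. Now that `bl->props.brightness` is no longer written, the error path could hand the failure to the caller instead, e.g. `return rval;` after the dev_err(), provided the callers of get_brightness in this tree accept a negative value. Both functions begin outside the hunks, so how `rval` is set on the earlier `goto out_i2c_err` paths should be checked first.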
@@ -0,0 +1,37 @@ +From 71b4a10c51dcabadf06d81300a557cb3cf557502 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Feb 2024 00:11:19 +0100 +Subject: backlight: lm3630a: Initialize backlight_properties on init + +From: Luca Weiss + +[ Upstream commit ad9aeb0e3aa90ebdad5fabf9c21783740eb95907 ] + +The backlight_properties struct should be initialized to zero before +using, otherwise there will be some random values in the struct. + +Fixes: 0c2a665a648e ("backlight: add Backlight driver for lm3630 chip") +Signed-off-by: Luca Weiss +Reviewed-by: Daniel Thompson +Link: https://lore.kernel.org/r/20240220-lm3630a-fixups-v1-1-9ca62f7e4a33@z3ntu.xyz +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/video/backlight/lm3630a_bl.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/video/backlight/lm3630a_bl.c b/drivers/video/backlight/lm3630a_bl.c +index 419b0334cf087..2aade66db3cf4 100644 +--- a/drivers/video/backlight/lm3630a_bl.c ++++ b/drivers/video/backlight/lm3630a_bl.c +@@ -339,6 +339,7 @@ static int lm3630a_backlight_register(struct lm3630a_chip *pchip) + struct backlight_properties props; + const char *label; + ++ memset(&props, 0, sizeof(struct backlight_properties)); + props.type = BACKLIGHT_RAW; + if (pdata->leda_ctrl != LM3630A_LEDA_DISABLE) { + props.brightness = pdata->leda_init_brt; +-- +2.43.0 + diff --git a/queue-5.10/backlight-lm3639-fully-initialize-backlight_properti.patch b/queue-5.10/backlight-lm3639-fully-initialize-backlight_properti.patch new file mode 100644 index 00000000000..7b4e5a5ddec --- /dev/null +++ b/queue-5.10/backlight-lm3639-fully-initialize-backlight_properti.patch 
@@ -0,0 +1,37 @@ +From 17b6516ff4724474672c3df0046e92111a6f0f34 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Feb 2024 15:35:25 +0000 +Subject: backlight: lm3639: Fully initialize backlight_properties during probe + +From: Daniel Thompson + +[ Upstream commit abb5a5d951fbea3feb5c4ba179b89bb96a1d3462 ] + +props is stack allocated and the fields that are not explcitly set +by the probe function need to be zeroed or we'll get undefined behaviour +(especially so power/blank states)! + +Fixes: 0f59858d5119 ("backlight: add new lm3639 backlight driver") +Signed-off-by: Daniel Thompson +Link: https://lore.kernel.org/r/20240220153532.76613-3-daniel.thompson@linaro.org +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/video/backlight/lm3639_bl.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/video/backlight/lm3639_bl.c b/drivers/video/backlight/lm3639_bl.c +index 48c04155a5f9d..bb617f4673e94 100644 +--- a/drivers/video/backlight/lm3639_bl.c ++++ b/drivers/video/backlight/lm3639_bl.c +@@ -339,6 +339,7 @@ static int lm3639_probe(struct i2c_client *client, + } + + /* backlight */ ++ memset(&props, 0, sizeof(struct backlight_properties)); + props.type = BACKLIGHT_RAW; + props.brightness = pdata->init_brt_led; + props.max_brightness = pdata->max_brt_led; +-- +2.43.0 + diff --git a/queue-5.10/backlight-lp8788-fully-initialize-backlight_properti.patch b/queue-5.10/backlight-lp8788-fully-initialize-backlight_properti.patch new file mode 100644 index 00000000000..2afe8f3464d --- /dev/null +++ b/queue-5.10/backlight-lp8788-fully-initialize-backlight_properti.patch 
@@ -0,0 +1,37 @@ +From 265946b5e6b4911b6ef4f9071c7e0adfb6c85cfe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Feb 2024 15:35:26 +0000 +Subject: backlight: lp8788: Fully initialize backlight_properties during probe + +From: Daniel Thompson + +[ Upstream commit 392346827fbe8a7fd573dfb145170d7949f639a6 ] + +props is stack allocated and the fields that are not explcitly set +by the probe function need to be zeroed or we'll get undefined behaviour +(especially so power/blank states)! + +Fixes: c5a51053cf3b ("backlight: add new lp8788 backlight driver") +Signed-off-by: Daniel Thompson +Link: https://lore.kernel.org/r/20240220153532.76613-4-daniel.thompson@linaro.org +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/video/backlight/lp8788_bl.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/video/backlight/lp8788_bl.c b/drivers/video/backlight/lp8788_bl.c +index ba42f3fe0c739..d9b95dbd40d30 100644 +--- a/drivers/video/backlight/lp8788_bl.c ++++ b/drivers/video/backlight/lp8788_bl.c +@@ -191,6 +191,7 @@ static int lp8788_backlight_register(struct lp8788_bl *bl) + int init_brt; + char *name; + ++ memset(&props, 0, sizeof(struct backlight_properties)); + props.type = BACKLIGHT_PLATFORM; + props.max_brightness = MAX_BRIGHTNESS; + +-- +2.43.0 + diff --git a/queue-5.10/block-add-a-new-set_read_only-method.patch b/queue-5.10/block-add-a-new-set_read_only-method.patch new file mode 100644 index 00000000000..1a300811628 --- /dev/null +++ b/queue-5.10/block-add-a-new-set_read_only-method.patch 
@@ -0,0 +1,53 @@ +From 033470fd2bd01bb3c90d5f94ca3967c0ebcfc862 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Nov 2020 11:00:11 +0100 +Subject: block: add a new set_read_only method + +From: Christoph Hellwig + +[ Upstream commit e00adcadf3af7a8335026d71ab9f0e0a922191ac ] + +Add a new method to allow for driver-specific processing when setting or +clearing the block device read-only state. This allows to replace the +cumbersome and error-prone override of the whole ioctl implementation. + +Signed-off-by: Christoph Hellwig +Signed-off-by: Jens Axboe +Stable-dep-of: 9674f54e41ff ("md: Don't clear MD_CLOSING when the raid is about to stop") +Signed-off-by: Sasha Levin +--- + block/ioctl.c | 5 +++++ + include/linux/blkdev.h | 1 + + 2 files changed, 6 insertions(+) + +diff --git a/block/ioctl.c b/block/ioctl.c +index e7eed7dadb5cf..24f8042f12b60 100644 +--- a/block/ioctl.c ++++ b/block/ioctl.c +@@ -405,6 +405,11 @@ static int blkdev_roset(struct block_device *bdev, fmode_t mode, + return ret; + if (get_user(n, (int __user *)arg)) + return -EFAULT; ++ if (bdev->bd_disk->fops->set_read_only) { ++ ret = bdev->bd_disk->fops->set_read_only(bdev, n); ++ if (ret) ++ return ret; ++ } + set_device_ro(bdev, n); + return 0; + } +diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h +index 98fdf5a31fd66..583824f111079 100644 +--- a/include/linux/blkdev.h ++++ b/include/linux/blkdev.h +@@ -1883,6 +1883,7 @@ struct block_device_operations { + void (*unlock_native_capacity) (struct gendisk *); + int (*revalidate_disk) (struct gendisk *); + int (*getgeo)(struct block_device *, struct hd_geometry *); ++ int (*set_read_only)(struct block_device *bdev, bool ro); + /* this callback is with swap_lock and sometimes page table lock held */ + void (*swap_slot_free_notify) (struct block_device *, unsigned long); + int (*report_zones)(struct gendisk *, sector_t sector, +-- +2.43.0 + 
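Review bot: The new `set_read_only` member of struct block_device_operations is added without a comment, and its contract is only implied by blkdev_roset(). There the method is called before set_device_ro(), a non-zero return aborts the ioctl with that value, and the user-supplied `int n` is implicitly converted to the `bool ro` parameter. A short comment above the member would spell this out for driver authors, for example `/* called before the read-only state changes; a non-zero return rejects the change */`. blkdev_roset() starts outside the hunk.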
diff --git a/queue-5.10/bluetooth-hci_core-fix-possible-buffer-overflow.patch b/queue-5.10/bluetooth-hci_core-fix-possible-buffer-overflow.patch new file mode 100644 index 00000000000..67c8396dce0 --- /dev/null +++ b/queue-5.10/bluetooth-hci_core-fix-possible-buffer-overflow.patch @@ -0,0 +1,36 @@ +From 716698ec608f72c255894e06c676bcbc19b7e067 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Feb 2024 10:49:26 -0500 +Subject: Bluetooth: hci_core: Fix possible buffer overflow + +From: Luiz Augusto von Dentz + +[ Upstream commit 81137162bfaa7278785b24c1fd2e9e74f082e8e4 ] + +struct hci_dev_info has a fixed size name[8] field so in the event that +hdev->name is bigger than that strcpy would attempt to write past its +size, so this fixes this problem by switching to use strscpy. + +Fixes: dcda165706b9 ("Bluetooth: hci_core: Fix build warnings") +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c +index 5f1fbf86e0ceb..b9cf5bc9364c1 100644 +--- a/net/bluetooth/hci_core.c ++++ b/net/bluetooth/hci_core.c +@@ -2175,7 +2175,7 @@ int hci_get_dev_info(void __user *arg) + else + flags = hdev->flags; + +- strcpy(di.name, hdev->name); ++ strscpy(di.name, hdev->name, sizeof(di.name)); + di.bdaddr = hdev->bdaddr; + di.type = (hdev->bus & 0x0f) | ((hdev->dev_type & 0x03) << 4); + di.flags = flags; +-- +2.43.0 + diff --git a/queue-5.10/bluetooth-remove-superfluous-call-to-hci_conn_check_.patch b/queue-5.10/bluetooth-remove-superfluous-call-to-hci_conn_check_.patch new file mode 100644 index 00000000000..b0974fe0035 --- /dev/null +++ b/queue-5.10/bluetooth-remove-superfluous-call-to-hci_conn_check_.patch 
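Review bot: The result of `strscpy(di.name, hdev->name, sizeof(di.name));` in hci_get_dev_info() is discarded, so a name that does not fit is truncated silently and the caller receives a shortened identifier. If truncation is not expected, the negative return could be turned into an error or a one-time warning instead of being ignored. strscpy() also leaves the bytes after the terminator as they were. If `di` is not fully initialised before this point, which the hunk does not show, `strscpy_pad()` would clear them before the structure is handed back through `arg`. The function starts and ends outside the hunk.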
@@ -0,0 +1,62 @@ +From 60c4fa71bac2344b91be35ad9a648abc9ed7b7ec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Jan 2024 23:46:06 +0100 +Subject: Bluetooth: Remove superfluous call to hci_conn_check_pending() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jonas Dreßler + +[ Upstream commit 78e3639fc8031275010c3287ac548c0bc8de83b1 ] + +The "pending connections" feature was originally introduced with commit +4c67bc74f016 ("[Bluetooth] Support concurrent connect requests") and +6bd57416127e ("[Bluetooth] Handling pending connect attempts after +inquiry") to handle controllers supporting only a single connection request +at a time. Later things were extended to also cancel ongoing inquiries on +connect() with commit 89e65975fea5 ("Bluetooth: Cancel Inquiry before +Create Connection"). + +With commit a9de9248064b ("[Bluetooth] Switch from OGF+OCF to using only +opcodes"), hci_conn_check_pending() was introduced as a helper to +consolidate a few places where we check for pending connections (indicated +by the BT_CONNECT2 flag) and then try to connect. + +This refactoring commit also snuck in two more calls to +hci_conn_check_pending(): + +- One is in the failure callback of hci_cs_inquiry(), this one probably +makes sense: If we send an "HCI Inquiry" command and then immediately +after a "Create Connection" command, the "Create Connection" command might +fail before the "HCI Inquiry" command, and then we want to retry the +"Create Connection" on failure of the "HCI Inquiry". + +- The other added call to hci_conn_check_pending() is in the event handler +for the "Remote Name" event, this seems unrelated and is possibly a +copy-paste error, so remove that one. 
+ +Fixes: a9de9248064b ("[Bluetooth] Switch from OGF+OCF to using only opcodes") +Signed-off-by: Jonas Dreßler +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_event.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c +index 47f37080c0c55..a0d9bc99f4e14 100644 +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -2979,8 +2979,6 @@ static void hci_remote_name_evt(struct hci_dev *hdev, struct sk_buff *skb) + + BT_DBG("%s", hdev->name); + +- hci_conn_check_pending(hdev); +- + hci_dev_lock(hdev); + + conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); +-- +2.43.0 + diff --git a/queue-5.10/bpf-eliminate-rlimit-based-memory-accounting-for-dev.patch b/queue-5.10/bpf-eliminate-rlimit-based-memory-accounting-for-dev.patch new file mode 100644 index 00000000000..afbe3cd433a --- /dev/null +++ b/queue-5.10/bpf-eliminate-rlimit-based-memory-accounting-for-dev.patch 
@@ -0,0 +1,77 @@ +From 0ccde59284e55972fa086e2c82dd6668ee1b5f36 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Dec 2020 13:58:48 -0800 +Subject: bpf: Eliminate rlimit-based memory accounting for devmap maps + +From: Roman Gushchin + +[ Upstream commit 844f157f6c0a905d039d2e20212ab3231f2e5eaf ] + +Do not use rlimit-based memory accounting for devmap maps. +It has been replaced with the memcg-based memory accounting. + +Signed-off-by: Roman Gushchin +Signed-off-by: Alexei Starovoitov +Acked-by: Song Liu +Link: https://lore.kernel.org/bpf/20201201215900.3569844-23-guro@fb.com +Stable-dep-of: 281d464a34f5 ("bpf: Fix DEVMAP_HASH overflow check on 32-bit arches") +Signed-off-by: Sasha Levin +--- + kernel/bpf/devmap.c | 18 ++---------------- + 1 file changed, 2 insertions(+), 16 deletions(-) + +diff --git a/kernel/bpf/devmap.c b/kernel/bpf/devmap.c +index 01149821ded91..ca2cade2871b8 100644 +--- a/kernel/bpf/devmap.c ++++ b/kernel/bpf/devmap.c +@@ -109,8 +109,6 @@ static inline struct hlist_head *dev_map_index_hash(struct bpf_dtab *dtab, + static int dev_map_init_map(struct bpf_dtab *dtab, union bpf_attr *attr) + { + u32 valsize = attr->value_size; +- u64 cost = 0; +- int err; + + /* check sanity of attributes. 
2 value sizes supported: + * 4 bytes: ifindex +@@ -135,21 +133,13 @@ static int dev_map_init_map(struct bpf_dtab *dtab, union bpf_attr *attr) + + if (!dtab->n_buckets) /* Overflow check */ + return -EINVAL; +- cost += (u64) sizeof(struct hlist_head) * dtab->n_buckets; +- } else { +- cost += (u64) dtab->map.max_entries * sizeof(struct bpf_dtab_netdev *); + } + +- /* if map size is larger than memlock limit, reject it */ +- err = bpf_map_charge_init(&dtab->map.memory, cost); +- if (err) +- return -EINVAL; +- + if (attr->map_type == BPF_MAP_TYPE_DEVMAP_HASH) { + dtab->dev_index_head = dev_map_create_hash(dtab->n_buckets, + dtab->map.numa_node); + if (!dtab->dev_index_head) +- goto free_charge; ++ return -ENOMEM; + + spin_lock_init(&dtab->index_lock); + } else { +@@ -157,14 +147,10 @@ static int dev_map_init_map(struct bpf_dtab *dtab, union bpf_attr *attr) + sizeof(struct bpf_dtab_netdev *), + dtab->map.numa_node); + if (!dtab->netdev_map) +- goto free_charge; ++ return -ENOMEM; + } + + return 0; +- +-free_charge: +- bpf_map_charge_finish(&dtab->map.memory); +- return -ENOMEM; + } + + static struct bpf_map *dev_map_alloc(union bpf_attr *attr) +-- +2.43.0 + diff --git a/queue-5.10/bpf-factor-out-bpf_spin_lock-into-helpers.patch b/queue-5.10/bpf-factor-out-bpf_spin_lock-into-helpers.patch new file mode 100644 index 00000000000..b11c6d09171 --- /dev/null +++ b/queue-5.10/bpf-factor-out-bpf_spin_lock-into-helpers.patch 
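Review bot: dev_map_init_map() no longer calls bpf_map_charge_init(), so after this patch nothing in the function checks the size of the devmap allocations against the caller's memlock limit. The commit message relies on memcg-based accounting having replaced it. For the 5.10 queue it is worth confirming that this accounting is present in the target tree, because otherwise the allocations for `dev_index_head` and `netdev_map` would be left unaccounted. The function starts outside the hunks, and any code that charges or uncharges `dtab->map.memory` elsewhere is not visible here.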
@@ -0,0 +1,86 @@ +From 28cb1c740d08481e0e277d4e0b863d13d5fec295 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Jul 2021 17:54:08 -0700 +Subject: bpf: Factor out bpf_spin_lock into helpers. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alexei Starovoitov + +[ Upstream commit c1b3fed319d32a721d4b9c17afaeb430444ff773 ] + +Move ____bpf_spin_lock/unlock into helpers to make it more clear +that quadruple underscore bpf_spin_lock/unlock are irqsave/restore variants. + +Signed-off-by: Alexei Starovoitov +Signed-off-by: Daniel Borkmann +Acked-by: Martin KaFai Lau +Acked-by: Andrii Nakryiko +Acked-by: Toke Høiland-Jørgensen +Link: https://lore.kernel.org/bpf/20210715005417.78572-3-alexei.starovoitov@gmail.com +Stable-dep-of: 178c54666f9c ("bpf: Mark bpf_spin_{lock,unlock}() helpers with notrace correctly") +Signed-off-by: Sasha Levin +--- + kernel/bpf/helpers.c | 18 ++++++++++++++---- + 1 file changed, 14 insertions(+), 4 deletions(-) + +diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c +index 0efe7c7bfe5e9..d758641973d6d 100644 +--- a/kernel/bpf/helpers.c ++++ b/kernel/bpf/helpers.c +@@ -278,13 +278,18 @@ static inline void __bpf_spin_unlock(struct bpf_spin_lock *lock) + + static DEFINE_PER_CPU(unsigned long, irqsave_flags); + +-notrace BPF_CALL_1(bpf_spin_lock, struct bpf_spin_lock *, lock) ++static inline void __bpf_spin_lock_irqsave(struct bpf_spin_lock *lock) + { + unsigned long flags; + + local_irq_save(flags); + __bpf_spin_lock(lock); + __this_cpu_write(irqsave_flags, flags); ++} ++ ++notrace BPF_CALL_1(bpf_spin_lock, struct bpf_spin_lock *, lock) ++{ ++ __bpf_spin_lock_irqsave(lock); + return 0; + } + +@@ -295,13 +300,18 @@ const struct bpf_func_proto bpf_spin_lock_proto = { + .arg1_type = ARG_PTR_TO_SPIN_LOCK, + }; + +-notrace BPF_CALL_1(bpf_spin_unlock, struct bpf_spin_lock *, lock) ++static inline void __bpf_spin_unlock_irqrestore(struct bpf_spin_lock *lock) + { + unsigned long flags; + + 
flags = __this_cpu_read(irqsave_flags); + __bpf_spin_unlock(lock); + local_irq_restore(flags); ++} ++ ++notrace BPF_CALL_1(bpf_spin_unlock, struct bpf_spin_lock *, lock) ++{ ++ __bpf_spin_unlock_irqrestore(lock); + return 0; + } + +@@ -322,9 +332,9 @@ void copy_map_value_locked(struct bpf_map *map, void *dst, void *src, + else + lock = dst + map->spin_lock_off; + preempt_disable(); +- ____bpf_spin_lock(lock); ++ __bpf_spin_lock_irqsave(lock); + copy_map_value(map, dst, src); +- ____bpf_spin_unlock(lock); ++ __bpf_spin_unlock_irqrestore(lock); + preempt_enable(); + } + +-- +2.43.0 + diff --git a/queue-5.10/bpf-fix-devmap_hash-overflow-check-on-32-bit-arches.patch b/queue-5.10/bpf-fix-devmap_hash-overflow-check-on-32-bit-arches.patch new file mode 100644 index 00000000000..f3c9625cb17 --- /dev/null +++ b/queue-5.10/bpf-fix-devmap_hash-overflow-check-on-32-bit-arches.patch 
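Review bot: The new `__bpf_spin_lock_irqsave()` and `__bpf_spin_unlock_irqrestore()` are plain `static inline`, so the compiler may emit them out of line, while the `notrace` annotation stays on the `BPF_CALL_1` lines only. An out-of-line copy would be an ordinary traceable symbol on the lock path, which is the kind of attachment point the later notrace patch in this queue describes as a deadlock risk. Declaring the helper as `static __always_inline void __bpf_spin_lock_irqsave(struct bpf_spin_lock *lock)` (likewise for the unlock helper), or marking both `notrace`, would make this independent of inlining decisions. copy_map_value_locked() now calls these helpers directly, so the same applies on that path.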
@@ -0,0 +1,66 @@ +From 92736ec35be1fd638f6dc87fb03751e1dd4e2634 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Mar 2024 13:03:35 +0100 +Subject: bpf: Fix DEVMAP_HASH overflow check on 32-bit arches +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Toke Høiland-Jørgensen + +[ Upstream commit 281d464a34f540de166cee74b723e97ac2515ec3 ] + +The devmap code allocates a number hash buckets equal to the next power +of two of the max_entries value provided when creating the map. When +rounding up to the next power of two, the 32-bit variable storing the +number of buckets can overflow, and the code checks for overflow by +checking if the truncated 32-bit value is equal to 0. However, on 32-bit +arches the rounding up itself can overflow mid-way through, because it +ends up doing a left-shift of 32 bits on an unsigned long value. If the +size of an unsigned long is four bytes, this is undefined behaviour, so +there is no guarantee that we'll end up with a nice and tidy 0-value at +the end. + +Syzbot managed to turn this into a crash on arm32 by creating a +DEVMAP_HASH with max_entries > 0x80000000 and then trying to update it. +Fix this by moving the overflow check to before the rounding up +operation. 
+ +Fixes: 6f9d451ab1a3 ("xdp: Add devmap_hash map type for looking up devices by hashed index") +Link: https://lore.kernel.org/r/000000000000ed666a0611af6818@google.com +Reported-and-tested-by: syzbot+8cd36f6b65f3cafd400a@syzkaller.appspotmail.com +Signed-off-by: Toke Høiland-Jørgensen +Message-ID: <20240307120340.99577-2-toke@redhat.com> +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/devmap.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/kernel/bpf/devmap.c b/kernel/bpf/devmap.c +index ca2cade2871b8..07b5edb2c70f5 100644 +--- a/kernel/bpf/devmap.c ++++ b/kernel/bpf/devmap.c +@@ -129,13 +129,14 @@ static int dev_map_init_map(struct bpf_dtab *dtab, union bpf_attr *attr) + bpf_map_init_from_attr(&dtab->map, attr); + + if (attr->map_type == BPF_MAP_TYPE_DEVMAP_HASH) { +- dtab->n_buckets = roundup_pow_of_two(dtab->map.max_entries); +- +- if (!dtab->n_buckets) /* Overflow check */ ++ /* hash table size must be power of 2; roundup_pow_of_two() can ++ * overflow into UB on 32-bit arches, so check that first ++ */ ++ if (dtab->map.max_entries > 1UL << 31) + return -EINVAL; +- } + +- if (attr->map_type == BPF_MAP_TYPE_DEVMAP_HASH) { ++ dtab->n_buckets = roundup_pow_of_two(dtab->map.max_entries); ++ + dtab->dev_index_head = dev_map_create_hash(dtab->n_buckets, + dtab->map.numa_node); + if (!dtab->dev_index_head) +-- +2.43.0 + diff --git a/queue-5.10/bpf-fix-hashtab-overflow-check-on-32-bit-arches.patch b/queue-5.10/bpf-fix-hashtab-overflow-check-on-32-bit-arches.patch new file mode 100644 index 00000000000..42e543a4e7c --- /dev/null +++ b/queue-5.10/bpf-fix-hashtab-overflow-check-on-32-bit-arches.patch 
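Review bot: The added comment in dev_map_init_map() explains why the check comes first but not why the bound is `1UL << 31`. A reader has to work out that this is the largest max_entries whose power-of-two roundup still fits the 32-bit bucket count. I would extend it with `/* 1UL << 31 is the largest value whose roundup still fits in the u32 n_buckets */`. The same literal and comment are repeated in the hashtab and stackmap patches later in this queue, where the same sentence would help. Those two return -E2BIG for the oversize case while this one returns -EINVAL; that matches the old devmap check, but deserves a word in the comment so the difference reads as deliberate.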
@@ -0,0 +1,65 @@ +From c140d6b37e3e8653f4687dd3f7f1c1b8507cf2ff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Mar 2024 13:03:36 +0100 +Subject: bpf: Fix hashtab overflow check on 32-bit arches +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Toke Høiland-Jørgensen + +[ Upstream commit 6787d916c2cf9850c97a0a3f73e08c43e7d973b1 ] + +The hashtab code relies on roundup_pow_of_two() to compute the number of +hash buckets, and contains an overflow check by checking if the +resulting value is 0. However, on 32-bit arches, the roundup code itself +can overflow by doing a 32-bit left-shift of an unsigned long value, +which is undefined behaviour, so it is not guaranteed to truncate +neatly. This was triggered by syzbot on the DEVMAP_HASH type, which +contains the same check, copied from the hashtab code. So apply the same +fix to hashtab, by moving the overflow check to before the roundup. + +Fixes: daaf427c6ab3 ("bpf: fix arraymap NULL deref and missing overflow and zero size checks") +Signed-off-by: Toke Høiland-Jørgensen +Message-ID: <20240307120340.99577-3-toke@redhat.com> +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/hashtab.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/kernel/bpf/hashtab.c b/kernel/bpf/hashtab.c +index ec84973142725..72bc5f5752543 100644 +--- a/kernel/bpf/hashtab.c ++++ b/kernel/bpf/hashtab.c +@@ -443,7 +443,13 @@ static struct bpf_map *htab_map_alloc(union bpf_attr *attr) + num_possible_cpus()); + } + +- /* hash table size must be power of 2 */ ++ /* hash table size must be power of 2; roundup_pow_of_two() can overflow ++ * into UB on 32-bit arches, so check that first ++ */ ++ err = -E2BIG; ++ if (htab->map.max_entries > 1UL << 31) ++ goto free_htab; ++ + htab->n_buckets = roundup_pow_of_two(htab->map.max_entries); + + htab->elem_size = sizeof(struct htab_elem) + +@@ -453,10 +459,8 @@ static struct bpf_map 
*htab_map_alloc(union bpf_attr *attr) + else + htab->elem_size += round_up(htab->map.value_size, 8); + +- err = -E2BIG; +- /* prevent zero size kmalloc and check for u32 overflow */ +- if (htab->n_buckets == 0 || +- htab->n_buckets > U32_MAX / sizeof(struct bucket)) ++ /* check for u32 overflow */ ++ if (htab->n_buckets > U32_MAX / sizeof(struct bucket)) + goto free_htab; + + cost = (u64) htab->n_buckets * sizeof(struct bucket) + +-- +2.43.0 + diff --git a/queue-5.10/bpf-fix-stackmap-overflow-check-on-32-bit-arches.patch b/queue-5.10/bpf-fix-stackmap-overflow-check-on-32-bit-arches.patch new file mode 100644 index 00000000000..57d918a3578 --- /dev/null +++ b/queue-5.10/bpf-fix-stackmap-overflow-check-on-32-bit-arches.patch 
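Review bot: After this change the remaining `htab->n_buckets > U32_MAX / sizeof(struct bucket)` check in htab_map_alloc() jumps to `free_htab` using an `err` value assigned several statements earlier, before the roundup and the elem_size computation. The visible lines in between do not assign `err`, so it works today, but any later edit that sets `err` in that stretch would silently change the errno returned for an oversize map. Keeping `err = -E2BIG;` immediately before the second check as well costs one line and keeps each error exit self-describing. The function body starts and ends outside the inner hunks.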
@@ -0,0 +1,61 @@ +From 099387f027bf018db0b153aeb0ed32fe5191c580 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Mar 2024 13:03:37 +0100 +Subject: bpf: Fix stackmap overflow check on 32-bit arches +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Toke Høiland-Jørgensen + +[ Upstream commit 7a4b21250bf79eef26543d35bd390448646c536b ] + +The stackmap code relies on roundup_pow_of_two() to compute the number +of hash buckets, and contains an overflow check by checking if the +resulting value is 0. However, on 32-bit arches, the roundup code itself +can overflow by doing a 32-bit left-shift of an unsigned long value, +which is undefined behaviour, so it is not guaranteed to truncate +neatly. This was triggered by syzbot on the DEVMAP_HASH type, which +contains the same check, copied from the hashtab code. + +The commit in the fixes tag actually attempted to fix this, but the fix +did not account for the UB, so the fix only works on CPUs where an +overflow does result in a neat truncation to zero, which is not +guaranteed. Checking the value before rounding does not have this +problem. 
+ +Fixes: 6183f4d3a0a2 ("bpf: Check for integer overflow when using roundup_pow_of_two()") +Signed-off-by: Toke Høiland-Jørgensen +Reviewed-by: Bui Quang Minh +Message-ID: <20240307120340.99577-4-toke@redhat.com> +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/stackmap.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/kernel/bpf/stackmap.c b/kernel/bpf/stackmap.c +index b8afea2ceeeb1..3ec76cb5f240d 100644 +--- a/kernel/bpf/stackmap.c ++++ b/kernel/bpf/stackmap.c +@@ -115,11 +115,14 @@ static struct bpf_map *stack_map_alloc(union bpf_attr *attr) + } else if (value_size / 8 > sysctl_perf_event_max_stack) + return ERR_PTR(-EINVAL); + +- /* hash table size must be power of 2 */ +- n_buckets = roundup_pow_of_two(attr->max_entries); +- if (!n_buckets) ++ /* hash table size must be power of 2; roundup_pow_of_two() can overflow ++ * into UB on 32-bit arches, so check that first ++ */ ++ if (attr->max_entries > 1UL << 31) + return ERR_PTR(-E2BIG); + ++ n_buckets = roundup_pow_of_two(attr->max_entries); ++ + cost = n_buckets * sizeof(struct stack_map_bucket *) + sizeof(*smap); + err = bpf_map_charge_init(&mem, cost + attr->max_entries * + (sizeof(struct stack_map_bucket) + (u64)value_size)); +-- +2.43.0 + diff --git a/queue-5.10/bpf-mark-bpf_spin_-lock-unlock-helpers-with-notrace-.patch b/queue-5.10/bpf-mark-bpf_spin_-lock-unlock-helpers-with-notrace-.patch new file mode 100644 index 00000000000..9b8a30b4e79 --- /dev/null +++ b/queue-5.10/bpf-mark-bpf_spin_-lock-unlock-helpers-with-notrace-.patch 
@@ -0,0 +1,133 @@ +From 084903879e0b55fee422582a2507aa7ba13ee20c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Feb 2024 23:01:02 -0800 +Subject: bpf: Mark bpf_spin_{lock,unlock}() helpers with notrace correctly + +From: Yonghong Song + +[ Upstream commit 178c54666f9c4d2f49f2ea661d0c11b52f0ed190 ] + +Currently tracing is supposed not to allow for bpf_spin_{lock,unlock}() +helper calls. This is to prevent deadlock for the following cases: + - there is a prog (prog-A) calling bpf_spin_{lock,unlock}(). + - there is a tracing program (prog-B), e.g., fentry, attached + to bpf_spin_lock() and/or bpf_spin_unlock(). + - prog-B calls bpf_spin_{lock,unlock}(). +For such a case, when prog-A calls bpf_spin_{lock,unlock}(), +a deadlock will happen. + +The related source codes are below in kernel/bpf/helpers.c: + notrace BPF_CALL_1(bpf_spin_lock, struct bpf_spin_lock *, lock) + notrace BPF_CALL_1(bpf_spin_unlock, struct bpf_spin_lock *, lock) +notrace is supposed to prevent fentry prog from attaching to +bpf_spin_{lock,unlock}(). + +But actually this is not the case and fentry prog can successfully +attached to bpf_spin_lock(). Siddharth Chintamaneni reported +the issue in [1]. The following is the macro definition for +above BPF_CALL_1: + #define BPF_CALL_x(x, name, ...) \ + static __always_inline \ + u64 ____##name(__BPF_MAP(x, __BPF_DECL_ARGS, __BPF_V, __VA_ARGS__)); \ + typedef u64 (*btf_##name)(__BPF_MAP(x, __BPF_DECL_ARGS, __BPF_V, __VA_ARGS__)); \ + u64 name(__BPF_REG(x, __BPF_DECL_REGS, __BPF_N, __VA_ARGS__)); \ + u64 name(__BPF_REG(x, __BPF_DECL_REGS, __BPF_N, __VA_ARGS__)) \ + { \ + return ((btf_##name)____##name)(__BPF_MAP(x,__BPF_CAST,__BPF_N,__VA_ARGS__));\ + } \ + static __always_inline \ + u64 ____##name(__BPF_MAP(x, __BPF_DECL_ARGS, __BPF_V, __VA_ARGS__)) + + #define BPF_CALL_1(name, ...) BPF_CALL_x(1, name, __VA_ARGS__) + +The notrace attribute is actually applied to the static always_inline function +____bpf_spin_{lock,unlock}(). 
The actual callback function +bpf_spin_{lock,unlock}() is not marked with notrace, hence +allowing fentry prog to attach to two helpers, and this +may cause the above mentioned deadlock. Siddharth Chintamaneni +actually has a reproducer in [2]. + +To fix the issue, a new macro NOTRACE_BPF_CALL_1 is introduced which +will add notrace attribute to the original function instead of +the hidden always_inline function and this fixed the problem. + + [1] https://lore.kernel.org/bpf/CAE5sdEigPnoGrzN8WU7Tx-h-iFuMZgW06qp0KHWtpvoXxf1OAQ@mail.gmail.com/ + [2] https://lore.kernel.org/bpf/CAE5sdEg6yUc_Jz50AnUXEEUh6O73yQ1Z6NV2srJnef0ZrQkZew@mail.gmail.com/ + +Fixes: d83525ca62cf ("bpf: introduce bpf_spin_lock") +Signed-off-by: Yonghong Song +Signed-off-by: Andrii Nakryiko +Acked-by: Jiri Olsa +Link: https://lore.kernel.org/bpf/20240207070102.335167-1-yonghong.song@linux.dev +Signed-off-by: Sasha Levin +--- + include/linux/filter.h | 21 ++++++++++++--------- + kernel/bpf/helpers.c | 4 ++-- + 2 files changed, 14 insertions(+), 11 deletions(-) + +diff --git a/include/linux/filter.h b/include/linux/filter.h +index cd56e53bd42e2..840b2a05c1b9f 100644 +--- a/include/linux/filter.h ++++ b/include/linux/filter.h +@@ -480,24 +480,27 @@ static inline bool insn_is_zext(const struct bpf_insn *insn) + __BPF_MAP(n, __BPF_DECL_ARGS, __BPF_N, u64, __ur_1, u64, __ur_2, \ + u64, __ur_3, u64, __ur_4, u64, __ur_5) + +-#define BPF_CALL_x(x, name, ...) \ ++#define BPF_CALL_x(x, attr, name, ...) 
\ + static __always_inline \ + u64 ____##name(__BPF_MAP(x, __BPF_DECL_ARGS, __BPF_V, __VA_ARGS__)); \ + typedef u64 (*btf_##name)(__BPF_MAP(x, __BPF_DECL_ARGS, __BPF_V, __VA_ARGS__)); \ +- u64 name(__BPF_REG(x, __BPF_DECL_REGS, __BPF_N, __VA_ARGS__)); \ +- u64 name(__BPF_REG(x, __BPF_DECL_REGS, __BPF_N, __VA_ARGS__)) \ ++ attr u64 name(__BPF_REG(x, __BPF_DECL_REGS, __BPF_N, __VA_ARGS__)); \ ++ attr u64 name(__BPF_REG(x, __BPF_DECL_REGS, __BPF_N, __VA_ARGS__)) \ + { \ + return ((btf_##name)____##name)(__BPF_MAP(x,__BPF_CAST,__BPF_N,__VA_ARGS__));\ + } \ + static __always_inline \ + u64 ____##name(__BPF_MAP(x, __BPF_DECL_ARGS, __BPF_V, __VA_ARGS__)) + +-#define BPF_CALL_0(name, ...) BPF_CALL_x(0, name, __VA_ARGS__) +-#define BPF_CALL_1(name, ...) BPF_CALL_x(1, name, __VA_ARGS__) +-#define BPF_CALL_2(name, ...) BPF_CALL_x(2, name, __VA_ARGS__) +-#define BPF_CALL_3(name, ...) BPF_CALL_x(3, name, __VA_ARGS__) +-#define BPF_CALL_4(name, ...) BPF_CALL_x(4, name, __VA_ARGS__) +-#define BPF_CALL_5(name, ...) BPF_CALL_x(5, name, __VA_ARGS__) ++#define __NOATTR ++#define BPF_CALL_0(name, ...) BPF_CALL_x(0, __NOATTR, name, __VA_ARGS__) ++#define BPF_CALL_1(name, ...) BPF_CALL_x(1, __NOATTR, name, __VA_ARGS__) ++#define BPF_CALL_2(name, ...) BPF_CALL_x(2, __NOATTR, name, __VA_ARGS__) ++#define BPF_CALL_3(name, ...) BPF_CALL_x(3, __NOATTR, name, __VA_ARGS__) ++#define BPF_CALL_4(name, ...) BPF_CALL_x(4, __NOATTR, name, __VA_ARGS__) ++#define BPF_CALL_5(name, ...) BPF_CALL_x(5, __NOATTR, name, __VA_ARGS__) ++ ++#define NOTRACE_BPF_CALL_1(name, ...) BPF_CALL_x(1, notrace, name, __VA_ARGS__) + + #define bpf_ctx_range(TYPE, MEMBER) \ + offsetof(TYPE, MEMBER) ... 
offsetofend(TYPE, MEMBER) - 1 +diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c +index d758641973d6d..084ac7e429199 100644 +--- a/kernel/bpf/helpers.c ++++ b/kernel/bpf/helpers.c +@@ -287,7 +287,7 @@ static inline void __bpf_spin_lock_irqsave(struct bpf_spin_lock *lock) + __this_cpu_write(irqsave_flags, flags); + } + +-notrace BPF_CALL_1(bpf_spin_lock, struct bpf_spin_lock *, lock) ++NOTRACE_BPF_CALL_1(bpf_spin_lock, struct bpf_spin_lock *, lock) + { + __bpf_spin_lock_irqsave(lock); + return 0; +@@ -309,7 +309,7 @@ static inline void __bpf_spin_unlock_irqrestore(struct bpf_spin_lock *lock) + local_irq_restore(flags); + } + +-notrace BPF_CALL_1(bpf_spin_unlock, struct bpf_spin_lock *, lock) ++NOTRACE_BPF_CALL_1(bpf_spin_unlock, struct bpf_spin_lock *, lock) + { + __bpf_spin_unlock_irqrestore(lock); + return 0; +-- +2.43.0 + diff --git a/queue-5.10/bpf-net-change-do_ip_getsockopt-to-take-the-sockptr_.patch b/queue-5.10/bpf-net-change-do_ip_getsockopt-to-take-the-sockptr_.patch new file mode 100644 index 00000000000..53b5bca9bed --- /dev/null +++ b/queue-5.10/bpf-net-change-do_ip_getsockopt-to-take-the-sockptr_.patch 
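Review bot: `BPF_CALL_x` gains a positional `attr` argument without a comment, although the patch description is the only place that explains why the attribute must go on the emitted `name()` rather than on the always-inline `____name()`. I would put that reasoning next to the macro, for example `/* attr applies to the emitted name(), not to the inlined ____name(); helpers that tracing programs must not attach to use NOTRACE_BPF_CALL_n */`. Only the arity-1 variant `NOTRACE_BPF_CALL_1` is defined, so the comment should also say that further arities need adding on demand. `__NOATTR` is an empty macro with a reserved double-underscore name in a widely included header; a name scoped to this macro family would be less likely to collide. Any direct user of `BPF_CALL_x` outside the six wrappers shown would need the new argument, which is worth checking in the 5.10 tree.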
@@ -0,0 +1,382 @@ +From 057dd7499e3b07ae3bbece5f7a5f442fcd558c86 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Sep 2022 17:28:28 -0700 +Subject: bpf: net: Change do_ip_getsockopt() to take the sockptr_t argument + +From: Martin KaFai Lau + +[ Upstream commit 728f064cd7ebea8c182e99e6f152c8b4a0a6b071 ] + +Similar to the earlier patch that changes sk_getsockopt() to +take the sockptr_t argument. This patch also changes +do_ip_getsockopt() to take the sockptr_t argument such that +a latter patch can make bpf_getsockopt(SOL_IP) to reuse +do_ip_getsockopt(). + +Note on the change in ip_mc_gsfget(). This function is to +return an array of sockaddr_storage in optval. This function +is shared between ip_get_mcast_msfilter() and +compat_ip_get_mcast_msfilter(). However, the sockaddr_storage +is stored at different offset of the optval because of +the difference between group_filter and compat_group_filter. +Thus, a new 'ss_offset' argument is added to ip_mc_gsfget(). + +Signed-off-by: Martin KaFai Lau +Link: https://lore.kernel.org/r/20220902002828.2890585-1-kafai@fb.com +Signed-off-by: Alexei Starovoitov +Stable-dep-of: 5c3be3e0eb44 ("ipmr: fix incorrect parameter validation in the ip_mroute_getsockopt() function") +Signed-off-by: Sasha Levin +--- + include/linux/igmp.h | 4 +-- + include/linux/mroute.h | 6 ++-- + net/ipv4/igmp.c | 22 +++++++----- + net/ipv4/ip_sockglue.c | 80 ++++++++++++++++++++++++------------------ + net/ipv4/ipmr.c | 9 ++--- + 5 files changed, 68 insertions(+), 53 deletions(-) + +diff --git a/include/linux/igmp.h b/include/linux/igmp.h +index 64ce8cd1cfaf1..4adab8ada85af 100644 +--- a/include/linux/igmp.h ++++ b/include/linux/igmp.h +@@ -121,9 +121,9 @@ extern int ip_mc_source(int add, int omode, struct sock *sk, + struct ip_mreq_source *mreqs, int ifindex); + extern int ip_mc_msfilter(struct sock *sk, struct ip_msfilter *msf,int ifindex); + extern int ip_mc_msfget(struct sock *sk, struct ip_msfilter *msf, +- struct ip_msfilter __user 
*optval, int __user *optlen); ++ sockptr_t optval, sockptr_t optlen); + extern int ip_mc_gsfget(struct sock *sk, struct group_filter *gsf, +- struct sockaddr_storage __user *p); ++ sockptr_t optval, size_t offset); + extern int ip_mc_sf_allow(struct sock *sk, __be32 local, __be32 rmt, + int dif, int sdif); + extern void ip_mc_init_dev(struct in_device *); +diff --git a/include/linux/mroute.h b/include/linux/mroute.h +index 6cbbfe94348ce..80b8400ab8b24 100644 +--- a/include/linux/mroute.h ++++ b/include/linux/mroute.h +@@ -17,7 +17,7 @@ static inline int ip_mroute_opt(int opt) + } + + int ip_mroute_setsockopt(struct sock *, int, sockptr_t, unsigned int); +-int ip_mroute_getsockopt(struct sock *, int, char __user *, int __user *); ++int ip_mroute_getsockopt(struct sock *, int, sockptr_t, sockptr_t); + int ipmr_ioctl(struct sock *sk, int cmd, void __user *arg); + int ipmr_compat_ioctl(struct sock *sk, unsigned int cmd, void __user *arg); + int ip_mr_init(void); +@@ -29,8 +29,8 @@ static inline int ip_mroute_setsockopt(struct sock *sock, int optname, + return -ENOPROTOOPT; + } + +-static inline int ip_mroute_getsockopt(struct sock *sock, int optname, +- char __user *optval, int __user *optlen) ++static inline int ip_mroute_getsockopt(struct sock *sk, int optname, ++ sockptr_t optval, sockptr_t optlen) + { + return -ENOPROTOOPT; + } +diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c +index 4ba1c92fb3524..f0a313747b950 100644 +--- a/net/ipv4/igmp.c ++++ b/net/ipv4/igmp.c +@@ -2526,11 +2526,10 @@ int ip_mc_msfilter(struct sock *sk, struct ip_msfilter *msf, int ifindex) + err = ip_mc_leave_group(sk, &imr); + return err; + } +- + int ip_mc_msfget(struct sock *sk, struct ip_msfilter *msf, +- struct ip_msfilter __user *optval, int __user *optlen) ++ sockptr_t optval, sockptr_t optlen) + { +- int err, len, count, copycount; ++ int err, len, count, copycount, msf_size; + struct ip_mreqn imr; + __be32 addr = msf->imsf_multiaddr; + struct ip_mc_socklist *pmc; +@@ -2573,12 +2572,15 
@@ int ip_mc_msfget(struct sock *sk, struct ip_msfilter *msf, + copycount = count < msf->imsf_numsrc ? count : msf->imsf_numsrc; + len = flex_array_size(psl, sl_addr, copycount); + msf->imsf_numsrc = count; +- if (put_user(IP_MSFILTER_SIZE(copycount), optlen) || +- copy_to_user(optval, msf, IP_MSFILTER_SIZE(0))) { ++ msf_size = IP_MSFILTER_SIZE(copycount); ++ if (copy_to_sockptr(optlen, &msf_size, sizeof(int)) || ++ copy_to_sockptr(optval, msf, IP_MSFILTER_SIZE(0))) { + return -EFAULT; + } + if (len && +- copy_to_user(&optval->imsf_slist_flex[0], psl->sl_addr, len)) ++ copy_to_sockptr_offset(optval, ++ offsetof(struct ip_msfilter, imsf_slist_flex), ++ psl->sl_addr, len)) + return -EFAULT; + return 0; + done: +@@ -2586,7 +2588,7 @@ int ip_mc_msfget(struct sock *sk, struct ip_msfilter *msf, + } + + int ip_mc_gsfget(struct sock *sk, struct group_filter *gsf, +- struct sockaddr_storage __user *p) ++ sockptr_t optval, size_t ss_offset) + { + int i, count, copycount; + struct sockaddr_in *psin; +@@ -2616,15 +2618,17 @@ int ip_mc_gsfget(struct sock *sk, struct group_filter *gsf, + count = psl ? psl->sl_count : 0; + copycount = count < gsf->gf_numsrc ? 
count : gsf->gf_numsrc; + gsf->gf_numsrc = count; +- for (i = 0; i < copycount; i++, p++) { ++ for (i = 0; i < copycount; i++) { + struct sockaddr_storage ss; + + psin = (struct sockaddr_in *)&ss; + memset(&ss, 0, sizeof(ss)); + psin->sin_family = AF_INET; + psin->sin_addr.s_addr = psl->sl_addr[i]; +- if (copy_to_user(p, &ss, sizeof(ss))) ++ if (copy_to_sockptr_offset(optval, ss_offset, ++ &ss, sizeof(ss))) + return -EFAULT; ++ ss_offset += sizeof(ss); + } + return 0; + } +diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c +index 9bea014309ded..b300d0988d525 100644 +--- a/net/ipv4/ip_sockglue.c ++++ b/net/ipv4/ip_sockglue.c +@@ -1460,37 +1460,37 @@ static bool getsockopt_needs_rtnl(int optname) + return false; + } + +-static int ip_get_mcast_msfilter(struct sock *sk, void __user *optval, +- int __user *optlen, int len) ++static int ip_get_mcast_msfilter(struct sock *sk, sockptr_t optval, ++ sockptr_t optlen, int len) + { + const int size0 = offsetof(struct group_filter, gf_slist_flex); +- struct group_filter __user *p = optval; + struct group_filter gsf; +- int num; ++ int num, gsf_size; + int err; + + if (len < size0) + return -EINVAL; +- if (copy_from_user(&gsf, p, size0)) ++ if (copy_from_sockptr(&gsf, optval, size0)) + return -EFAULT; + + num = gsf.gf_numsrc; +- err = ip_mc_gsfget(sk, &gsf, p->gf_slist_flex); ++ err = ip_mc_gsfget(sk, &gsf, optval, ++ offsetof(struct group_filter, gf_slist_flex)); + if (err) + return err; + if (gsf.gf_numsrc < num) + num = gsf.gf_numsrc; +- if (put_user(GROUP_FILTER_SIZE(num), optlen) || +- copy_to_user(p, &gsf, size0)) ++ gsf_size = GROUP_FILTER_SIZE(num); ++ if (copy_to_sockptr(optlen, &gsf_size, sizeof(int)) || ++ copy_to_sockptr(optval, &gsf, size0)) + return -EFAULT; + return 0; + } + +-static int compat_ip_get_mcast_msfilter(struct sock *sk, void __user *optval, +- int __user *optlen, int len) ++static int compat_ip_get_mcast_msfilter(struct sock *sk, sockptr_t optval, ++ sockptr_t optlen, int len) + { + const 
int size0 = offsetof(struct compat_group_filter, gf_slist_flex); +- struct compat_group_filter __user *p = optval; + struct compat_group_filter gf32; + struct group_filter gf; + int num; +@@ -1498,7 +1498,7 @@ static int compat_ip_get_mcast_msfilter(struct sock *sk, void __user *optval, + + if (len < size0) + return -EINVAL; +- if (copy_from_user(&gf32, p, size0)) ++ if (copy_from_sockptr(&gf32, optval, size0)) + return -EFAULT; + + gf.gf_interface = gf32.gf_interface; +@@ -1506,21 +1506,24 @@ static int compat_ip_get_mcast_msfilter(struct sock *sk, void __user *optval, + num = gf.gf_numsrc = gf32.gf_numsrc; + gf.gf_group = gf32.gf_group; + +- err = ip_mc_gsfget(sk, &gf, p->gf_slist_flex); ++ err = ip_mc_gsfget(sk, &gf, optval, ++ offsetof(struct compat_group_filter, gf_slist_flex)); + if (err) + return err; + if (gf.gf_numsrc < num) + num = gf.gf_numsrc; + len = GROUP_FILTER_SIZE(num) - (sizeof(gf) - sizeof(gf32)); +- if (put_user(len, optlen) || +- put_user(gf.gf_fmode, &p->gf_fmode) || +- put_user(gf.gf_numsrc, &p->gf_numsrc)) ++ if (copy_to_sockptr(optlen, &len, sizeof(int)) || ++ copy_to_sockptr_offset(optval, offsetof(struct compat_group_filter, gf_fmode), ++ &gf.gf_fmode, sizeof(gf.gf_fmode)) || ++ copy_to_sockptr_offset(optval, offsetof(struct compat_group_filter, gf_numsrc), ++ &gf.gf_numsrc, sizeof(gf.gf_numsrc))) + return -EFAULT; + return 0; + } + + static int do_ip_getsockopt(struct sock *sk, int level, int optname, +- char __user *optval, int __user *optlen) ++ sockptr_t optval, sockptr_t optlen) + { + struct inet_sock *inet = inet_sk(sk); + bool needs_rtnl = getsockopt_needs_rtnl(optname); +@@ -1533,7 +1536,7 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname, + if (ip_mroute_opt(optname)) + return ip_mroute_getsockopt(sk, optname, optval, optlen); + +- if (get_user(len, optlen)) ++ if (copy_from_sockptr(&len, optlen, sizeof(int))) + return -EFAULT; + if (len < 0) + return -EINVAL; +@@ -1558,15 +1561,17 @@ static int 
do_ip_getsockopt(struct sock *sk, int level, int optname, + inet_opt->opt.optlen); + release_sock(sk); + +- if (opt->optlen == 0) +- return put_user(0, optlen); ++ if (opt->optlen == 0) { ++ len = 0; ++ return copy_to_sockptr(optlen, &len, sizeof(int)); ++ } + + ip_options_undo(opt); + + len = min_t(unsigned int, len, opt->optlen); +- if (put_user(len, optlen)) ++ if (copy_to_sockptr(optlen, &len, sizeof(int))) + return -EFAULT; +- if (copy_to_user(optval, opt->__data, len)) ++ if (copy_to_sockptr(optval, opt->__data, len)) + return -EFAULT; + return 0; + } +@@ -1657,9 +1662,9 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname, + addr.s_addr = inet->mc_addr; + release_sock(sk); + +- if (put_user(len, optlen)) ++ if (copy_to_sockptr(optlen, &len, sizeof(int))) + return -EFAULT; +- if (copy_to_user(optval, &addr, len)) ++ if (copy_to_sockptr(optval, &addr, len)) + return -EFAULT; + return 0; + } +@@ -1671,12 +1676,11 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname, + err = -EINVAL; + goto out; + } +- if (copy_from_user(&msf, optval, IP_MSFILTER_SIZE(0))) { ++ if (copy_from_sockptr(&msf, optval, IP_MSFILTER_SIZE(0))) { + err = -EFAULT; + goto out; + } +- err = ip_mc_msfget(sk, &msf, +- (struct ip_msfilter __user *)optval, optlen); ++ err = ip_mc_msfget(sk, &msf, optval, optlen); + goto out; + } + case MCAST_MSFILTER: +@@ -1698,8 +1702,13 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname, + if (sk->sk_type != SOCK_STREAM) + return -ENOPROTOOPT; + +- msg.msg_control_is_user = true; +- msg.msg_control_user = optval; ++ if (optval.is_kernel) { ++ msg.msg_control_is_user = false; ++ msg.msg_control = optval.kernel; ++ } else { ++ msg.msg_control_is_user = true; ++ msg.msg_control_user = optval.user; ++ } + msg.msg_controllen = len; + msg.msg_flags = in_compat_syscall() ? 
MSG_CMSG_COMPAT : 0; + +@@ -1720,7 +1729,7 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname, + put_cmsg(&msg, SOL_IP, IP_TOS, sizeof(tos), &tos); + } + len -= msg.msg_controllen; +- return put_user(len, optlen); ++ return copy_to_sockptr(optlen, &len, sizeof(int)); + } + case IP_FREEBIND: + val = inet->freebind; +@@ -1743,15 +1752,15 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname, + if (len < sizeof(int) && len > 0 && val >= 0 && val <= 255) { + unsigned char ucval = (unsigned char)val; + len = 1; +- if (put_user(len, optlen)) ++ if (copy_to_sockptr(optlen, &len, sizeof(int))) + return -EFAULT; +- if (copy_to_user(optval, &ucval, 1)) ++ if (copy_to_sockptr(optval, &ucval, 1)) + return -EFAULT; + } else { + len = min_t(unsigned int, sizeof(int), len); +- if (put_user(len, optlen)) ++ if (copy_to_sockptr(optlen, &len, sizeof(int))) + return -EFAULT; +- if (copy_to_user(optval, &val, len)) ++ if (copy_to_sockptr(optval, &val, len)) + return -EFAULT; + } + return 0; +@@ -1768,7 +1777,8 @@ int ip_getsockopt(struct sock *sk, int level, + { + int err; + +- err = do_ip_getsockopt(sk, level, optname, optval, optlen); ++ err = do_ip_getsockopt(sk, level, optname, ++ USER_SOCKPTR(optval), USER_SOCKPTR(optlen)); + + #if IS_ENABLED(CONFIG_BPFILTER_UMH) + if (optname >= BPFILTER_IPT_SO_GET_INFO && +diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c +index be1976536f1c0..cdc0a1781fd28 100644 +--- a/net/ipv4/ipmr.c ++++ b/net/ipv4/ipmr.c +@@ -1540,7 +1540,8 @@ int ip_mroute_setsockopt(struct sock *sk, int optname, sockptr_t optval, + } + + /* Getsock opt support for the multicast routing system. 
*/ +-int ip_mroute_getsockopt(struct sock *sk, int optname, char __user *optval, int __user *optlen) ++int ip_mroute_getsockopt(struct sock *sk, int optname, sockptr_t optval, ++ sockptr_t optlen) + { + int olr; + int val; +@@ -1571,14 +1572,14 @@ int ip_mroute_getsockopt(struct sock *sk, int optname, char __user *optval, int + return -ENOPROTOOPT; + } + +- if (get_user(olr, optlen)) ++ if (copy_from_sockptr(&olr, optlen, sizeof(int))) + return -EFAULT; + olr = min_t(unsigned int, olr, sizeof(int)); + if (olr < 0) + return -EINVAL; +- if (put_user(olr, optlen)) ++ if (copy_to_sockptr(optlen, &olr, sizeof(int))) + return -EFAULT; +- if (copy_to_user(optval, &val, olr)) ++ if (copy_to_sockptr(optval, &val, olr)) + return -EFAULT; + return 0; + } +-- +2.43.0 + diff --git a/queue-5.10/bpftool-silence-build-warning-about-calloc.patch b/queue-5.10/bpftool-silence-build-warning-about-calloc.patch new file mode 100644 index 00000000000..986176d89e6 --- /dev/null +++ b/queue-5.10/bpftool-silence-build-warning-about-calloc.patch 
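Review bot: In do_ip_getsockopt() the two converted tail calls `return copy_to_sockptr(optlen, &len, sizeof(int));` (the `opt->optlen == 0` branch and the end of the IP_PKTOPTIONS case) replace `return put_user(...)`, which yields 0 or -EFAULT. If `copy_to_sockptr()` passes through the copy_to_user() result, as the other sockptr copy helpers do, a faulting user pointer would make getsockopt return a positive count of uncopied bytes instead of an errno. Every other converted site in this patch tests the result and returns -EFAULT explicitly; these two should do the same: `if (copy_to_sockptr(optlen, &len, sizeof(int))) return -EFAULT; return 0;`. The page does not show the sockptr helpers, so this should also be checked against the definitions available in 5.10, including whether `copy_to_sockptr()` exists there at all. The function body extends beyond the inner hunks.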
@@ -0,0 +1,54 @@
+From 6a9bd52f24b8380a727e29c916f7c1ffd7d143c4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 16 Jan 2024 14:19:20 +0800
+Subject: bpftool: Silence build warning about calloc()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Tiezhu Yang
+
+[ Upstream commit f5f30386c78105cba520e443a6a9ee945ec1d066 ]
+
+There exists the following warning when building bpftool:
+
+ CC prog.o
+prog.c: In function ‘profile_open_perf_events’:
+prog.c:2301:24: warning: ‘calloc’ sizes specified with ‘sizeof’ in the earlier argument and not in the later argument [-Wcalloc-transposed-args]
+ 2301 | sizeof(int), obj->rodata->num_cpu * obj->rodata->num_metric);
+ | ^~~
+prog.c:2301:24: note: earlier argument should specify number of elements, later size of each element
+
+Tested with the latest upstream GCC which contains a new warning option
+-Wcalloc-transposed-args. The first argument to calloc is documented to
+be number of elements in array, while the second argument is size of each
+element, just switch the first and second arguments of calloc() to silence
+the build warning, compile tested only.
+
+Fixes: 47c09d6a9f67 ("bpftool: Introduce "prog profile" command")
+Signed-off-by: Tiezhu Yang
+Signed-off-by: Daniel Borkmann
+Reviewed-by: Quentin Monnet
+Link: https://lore.kernel.org/bpf/20240116061920.31172-1-yangtiezhu@loongson.cn
+Signed-off-by: Alexei Starovoitov
+Signed-off-by: Sasha Levin
+---
+ tools/bpf/bpftool/prog.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/bpf/bpftool/prog.c b/tools/bpf/bpftool/prog.c
+index d2bcce627b320..d07996e7952f3 100644
+--- a/tools/bpf/bpftool/prog.c
++++ b/tools/bpf/bpftool/prog.c
+@@ -1946,7 +1946,7 @@ static int profile_open_perf_events(struct profiler_bpf *obj)
+ int map_fd;
+
+ profile_perf_events = calloc(
+- sizeof(int), obj->rodata->num_cpu * obj->rodata->num_metric);
++ obj->rodata->num_cpu * obj->rodata->num_metric, sizeof(int));
+ if (!profile_perf_events) {
+ p_err("failed to allocate memory for perf_event array: %s",
+ strerror(errno));
+--
+2.43.0
+
diff --git a/queue-5.10/bus-tegra-aconnect-update-dependency-to-arch_tegra.patch b/queue-5.10/bus-tegra-aconnect-update-dependency-to-arch_tegra.patch
new file mode 100644
index 00000000000..dffccb2dd12
--- /dev/null
+++ b/queue-5.10/bus-tegra-aconnect-update-dependency-to-arch_tegra.patch
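Review bot: The element count now passed as calloc()'s first argument in profile_open_perf_events() is still the caller-computed product `obj->rodata->num_cpu * obj->rodata->num_metric`, and calloc()'s built-in overflow check only covers that product times `sizeof(int)`, not the multiplication itself. The field types and their bounds are not visible in this hunk, so this may be harmless in practice. A short comment above the call stating why the product cannot wrap, or a range check on the two fields before the call, would make the allocation size auditable. The function body continues outside the hunk.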
@@ -0,0 +1,47 @@
+From 553d2c62da770c121fabc8a6a283236c0f2aa8d4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 16 Feb 2024 10:02:37 +0000
+Subject: bus: tegra-aconnect: Update dependency to ARCH_TEGRA
+
+From: Peter Robinson
+
+[ Upstream commit 4acd21a45c1446277e2abaece97d7fa7c2e692a9 ]
+
+Update the architecture dependency to be the generic Tegra
+because the driver works on the four latest Tegra generations
+not just Tegra210, if you build a kernel with a specific
+ARCH_TEGRA_xxx_SOC option that excludes Tegra210 you don't get
+this driver.
+
+Fixes: 46a88534afb59 ("bus: Add support for Tegra ACONNECT")
+Signed-off-by: Peter Robinson
+Cc: Jon Hunter
+Cc: Thierry Reding
+Signed-off-by: Thierry Reding
+Signed-off-by: Sasha Levin
+---
+ drivers/bus/Kconfig | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/bus/Kconfig b/drivers/bus/Kconfig
+index 0c262c2aeaf2f..01f2349dbfaed 100644
+--- a/drivers/bus/Kconfig
++++ b/drivers/bus/Kconfig
+@@ -176,11 +176,12 @@ config SUNXI_RSB
+
+ config TEGRA_ACONNECT
+ tristate "Tegra ACONNECT Bus Driver"
+- depends on ARCH_TEGRA_210_SOC
++ depends on ARCH_TEGRA
+ depends on OF && PM
+ help
+ Driver for the Tegra ACONNECT bus which is used to interface with
+- the devices inside the Audio Processing Engine (APE) for Tegra210.
++ the devices inside the Audio Processing Engine (APE) for
++ Tegra210 and later.
+
+ config TEGRA_GMI
+ tristate "Tegra Generic Memory Interface bus driver"
+--
+2.43.0
+
diff --git a/queue-5.10/clk-fix-clk_core_get-null-dereference.patch b/queue-5.10/clk-fix-clk_core_get-null-dereference.patch
new file mode 100644
index 00000000000..03c0c8abb50
--- /dev/null
+++ b/queue-5.10/clk-fix-clk_core_get-null-dereference.patch
@@ -0,0 +1,56 @@
+From f6bdb6229a57047a38715e29387eeadcc4ad281a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 2 Mar 2024 00:52:14 +0000
+Subject: clk: Fix clk_core_get NULL dereference
+
+From: Bryan O'Donoghue
+
+[ Upstream commit e97fe4901e0f59a0bfd524578fe3768f8ca42428 ]
+
+It is possible for clk_core_get to dereference a NULL in the following
+sequence:
+
+clk_core_get()
+ of_clk_get_hw_from_clkspec()
+ __of_clk_get_hw_from_provider()
+ __clk_get_hw()
+
+__clk_get_hw() can return NULL which is dereferenced by clk_core_get() at
+hw->core.
+
+Prior to commit dde4eff47c82 ("clk: Look for parents with clkdev based
+clk_lookups") the check IS_ERR_OR_NULL() was performed which would have
+caught the NULL.
+
+Reading the description of this function it talks about returning NULL but
+that cannot be so at the moment.
+
+Update the function to check for hw before dereferencing it and return NULL
+if hw is NULL.
+
+Fixes: dde4eff47c82 ("clk: Look for parents with clkdev based clk_lookups")
+Signed-off-by: Bryan O'Donoghue
+Link: https://lore.kernel.org/r/20240302-linux-next-24-03-01-simple-clock-fixes-v1-1-25f348a5982b@linaro.org
+Signed-off-by: Stephen Boyd
+Signed-off-by: Sasha Levin
+---
+ drivers/clk/clk.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/clk/clk.c b/drivers/clk/clk.c
+index 62572d59e7e38..aa2f1f8aa2994 100644
+--- a/drivers/clk/clk.c
++++ b/drivers/clk/clk.c
+@@ -425,6 +425,9 @@ static struct clk_core *clk_core_get(struct clk_core *core, u8 p_index)
+ if (IS_ERR(hw))
+ return ERR_CAST(hw);
+
++ if (!hw)
++ return NULL;
++
+ return hw->core;
+ }
+
+--
+2.43.0
+
diff --git a/queue-5.10/clk-hisilicon-hi3519-release-the-correct-number-of-g.patch b/queue-5.10/clk-hisilicon-hi3519-release-the-correct-number-of-g.patch
new file mode 100644
index 00000000000..97f9aa03a38
--- /dev/null
+++ b/queue-5.10/clk-hisilicon-hi3519-release-the-correct-number-of-g.patch
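Review bot: The added `if (!hw) return NULL;` in clk_core_get() carries no comment, so the reason the function now has a third outcome (NULL, next to a valid pointer and an ERR_PTR) is recorded only in the commit message. A line above the check such as `/* __clk_get_hw() can return NULL; hand that back instead of dereferencing hw->core */` would keep it with the code. Callers are not visible in this hunk; any that test the result only with IS_ERR() would treat NULL as success, so they are worth confirming. The function starts outside the hunk.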
@@ -0,0 +1,39 @@
+From 308722fa24aa18a2dcdda96599d59042dcd82f4b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 10 Jan 2024 19:58:21 +0100
+Subject: clk: hisilicon: hi3519: Release the correct number of gates in
+ hi3519_clk_unregister()
+
+From: Christophe JAILLET
+
+[ Upstream commit 74e39f526d95c0c119ada1874871ee328c59fbee ]
+
+The gates are stored in 'hi3519_gate_clks', not 'hi3519_mux_clks'.
+This is also in line with how hisi_clk_register_gate() is called in the
+probe.
+
+Fixes: 224b3b262c52 ("clk: hisilicon: hi3519: add driver remove path and fix some issues")
+Signed-off-by: Christophe JAILLET
+Link: https://lore.kernel.org/r/c3f1877c9a0886fa35c949c8f0ef25547f284f18.1704912510.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Stephen Boyd
+Signed-off-by: Sasha Levin
+---
+ drivers/clk/hisilicon/clk-hi3519.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clk/hisilicon/clk-hi3519.c b/drivers/clk/hisilicon/clk-hi3519.c
+index ad0c7f350cf03..60d8a27a90824 100644
+--- a/drivers/clk/hisilicon/clk-hi3519.c
++++ b/drivers/clk/hisilicon/clk-hi3519.c
+@@ -130,7 +130,7 @@ static void hi3519_clk_unregister(struct platform_device *pdev)
+ of_clk_del_provider(pdev->dev.of_node);
+
+ hisi_clk_unregister_gate(hi3519_gate_clks,
+- ARRAY_SIZE(hi3519_mux_clks),
++ ARRAY_SIZE(hi3519_gate_clks),
+ crg->clk_data);
+ hisi_clk_unregister_mux(hi3519_mux_clks,
+ ARRAY_SIZE(hi3519_mux_clks),
+--
+2.43.0
+
diff --git a/queue-5.10/clk-qcom-dispcc-sdm845-adjust-internal-gdsc-wait-tim.patch b/queue-5.10/clk-qcom-dispcc-sdm845-adjust-internal-gdsc-wait-tim.patch
new file mode 100644
index 00000000000..c92ea0fb039
--- /dev/null
+++ b/queue-5.10/clk-qcom-dispcc-sdm845-adjust-internal-gdsc-wait-tim.patch
@@ -0,0 +1,38 @@
+From ee6797e23ab43dc169de11f1b7ba2858a96e9838 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 3 Jan 2024 21:20:18 +0100
+Subject: clk: qcom: dispcc-sdm845: Adjust internal GDSC wait times
+
+From: Konrad Dybcio
+
+[ Upstream commit 117e7dc697c2739d754db8fe0c1e2d4f1f5d5f82 ]
+
+SDM845 downstream uses non-default values for GDSC internal waits.
+Program them accordingly to avoid surprises.
+
+Fixes: 81351776c9fb ("clk: qcom: Add display clock controller driver for SDM845")
+Signed-off-by: Konrad Dybcio
+Tested-by: Caleb Connolly # OnePlus 6
+Link: https://lore.kernel.org/r/20240103-topic-845gdsc-v1-1-368efbe1a61d@linaro.org
+Signed-off-by: Bjorn Andersson
+Signed-off-by: Sasha Levin
+---
+ drivers/clk/qcom/dispcc-sdm845.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/clk/qcom/dispcc-sdm845.c b/drivers/clk/qcom/dispcc-sdm845.c
+index 5c932cd17b140..8cd8174ac9aa7 100644
+--- a/drivers/clk/qcom/dispcc-sdm845.c
++++ b/drivers/clk/qcom/dispcc-sdm845.c
+@@ -768,6 +768,8 @@ static struct clk_branch disp_cc_mdss_vsync_clk = {
+
+ static struct gdsc mdss_gdsc = {
+ .gdscr = 0x3000,
++ .en_few_wait_val = 0x6,
++ .en_rest_wait_val = 0x5,
+ .pd = {
+ .name = "mdss_gdsc",
+ },
+--
+2.43.0
+
diff --git a/queue-5.10/clk-qcom-reset-commonize-the-de-assert-functions.patch b/queue-5.10/clk-qcom-reset-commonize-the-de-assert-functions.patch
new file mode 100644
index 00000000000..928e4124cd0
--- /dev/null
+++ b/queue-5.10/clk-qcom-reset-commonize-the-de-assert-functions.patch
@@ -0,0 +1,69 @@
+From 8b68146acba22153781962bec865a80114b350bf Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 6 Feb 2024 19:43:35 +0100
+Subject: clk: qcom: reset: Commonize the de/assert functions
+
+From: Konrad Dybcio
+
+[ Upstream commit eda40d9c583e95e0b6ac69d2950eec10f802e0e8 ]
+
+They do the same thing, except the last argument of the last function
+call differs. Commonize them.
+
+Reviewed-by: Bryan O'Donoghue
+Signed-off-by: Konrad Dybcio
+Link: https://lore.kernel.org/r/20240105-topic-venus_reset-v2-2-c37eba13b5ce@linaro.org
+Signed-off-by: Bjorn Andersson
+Stable-dep-of: 2f8cf2c3f3e3 ("clk: qcom: reset: Ensure write completion on reset de/assertion")
+Signed-off-by: Sasha Levin
+---
+ drivers/clk/qcom/reset.c | 22 +++++++++-------------
+ 1 file changed, 9 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/clk/qcom/reset.c b/drivers/clk/qcom/reset.c
+index e45e32804d2c7..20d1d35aaf229 100644
+--- a/drivers/clk/qcom/reset.c
++++ b/drivers/clk/qcom/reset.c
+@@ -22,8 +22,8 @@ static int qcom_reset(struct reset_controller_dev *rcdev, unsigned long id)
+ return 0;
+ }
+
+-static int
+-qcom_reset_assert(struct reset_controller_dev *rcdev, unsigned long id)
++static int qcom_reset_set_assert(struct reset_controller_dev *rcdev,
++ unsigned long id, bool assert)
+ {
+ struct qcom_reset_controller *rst;
+ const struct qcom_reset_map *map;
+@@ -33,21 +33,17 @@ qcom_reset_assert(struct reset_controller_dev *rcdev, unsigned long id)
+ map = &rst->reset_map[id];
+ mask = map->bitmask ? map->bitmask : BIT(map->bit);
+
+- return regmap_update_bits(rst->regmap, map->reg, mask, mask);
++ return regmap_update_bits(rst->regmap, map->reg, mask, assert ? mask : 0);
+ }
+
+-static int
+-qcom_reset_deassert(struct reset_controller_dev *rcdev, unsigned long id)
++static int qcom_reset_assert(struct reset_controller_dev *rcdev, unsigned long id)
+ {
+- struct qcom_reset_controller *rst;
+- const struct qcom_reset_map *map;
+- u32 mask;
+-
+- rst = to_qcom_reset_controller(rcdev);
+- map = &rst->reset_map[id];
+- mask = map->bitmask ? map->bitmask : BIT(map->bit);
++ return qcom_reset_set_assert(rcdev, id, true);
++}
+
+- return regmap_update_bits(rst->regmap, map->reg, mask, 0);
++static int qcom_reset_deassert(struct reset_controller_dev *rcdev, unsigned long id)
++{
++ return qcom_reset_set_assert(rcdev, id, false);
+ }
+
+ const struct reset_control_ops qcom_reset_ops = {
+--
+2.43.0
+
diff --git a/queue-5.10/clk-qcom-reset-ensure-write-completion-on-reset-de-a.patch b/queue-5.10/clk-qcom-reset-ensure-write-completion-on-reset-de-a.patch
new file mode 100644
index 00000000000..43510ce62c1
--- /dev/null
+++ b/queue-5.10/clk-qcom-reset-ensure-write-completion-on-reset-de-a.patch
@@ -0,0 +1,45 @@
+From 5e654784b258a00b3339f9039072b0cfa04f51ea Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 6 Feb 2024 19:43:36 +0100
+Subject: clk: qcom: reset: Ensure write completion on reset de/assertion
+
+From: Konrad Dybcio
+
+[ Upstream commit 2f8cf2c3f3e3f7ef61bd19abb4b0bb797ad50aaf ]
+
+Trying to toggle the resets in a rapid fashion can lead to the changes
+not actually arriving at the clock controller block when we expect them
+to. This was observed at least on SM8250.
+
+Read back the value after regmap_update_bits to ensure write completion.
+
+Fixes: b36ba30c8ac6 ("clk: qcom: Add reset controller support")
+Signed-off-by: Konrad Dybcio
+Link: https://lore.kernel.org/r/20240105-topic-venus_reset-v2-3-c37eba13b5ce@linaro.org
+Signed-off-by: Bjorn Andersson
+Signed-off-by: Sasha Levin
+---
+ drivers/clk/qcom/reset.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/clk/qcom/reset.c b/drivers/clk/qcom/reset.c
+index 20d1d35aaf229..d96c96a9089f4 100644
+--- a/drivers/clk/qcom/reset.c
++++ b/drivers/clk/qcom/reset.c
+@@ -33,7 +33,12 @@ static int qcom_reset_set_assert(struct reset_controller_dev *rcdev,
+ map = &rst->reset_map[id];
+ mask = map->bitmask ? map->bitmask : BIT(map->bit);
+
+- return regmap_update_bits(rst->regmap, map->reg, mask, assert ? mask : 0);
++ regmap_update_bits(rst->regmap, map->reg, mask, assert ? mask : 0);
++
++ /* Read back the register to ensure write completion, ignore the value */
++ regmap_read(rst->regmap, map->reg, &mask);
++
++ return 0;
+ }
+
+ static int qcom_reset_assert(struct reset_controller_dev *rcdev, unsigned long id)
+--
+2.43.0
+
diff --git a/queue-5.10/cpufreq-brcmstb-avs-cpufreq-add-check-for-cpufreq_cp.patch b/queue-5.10/cpufreq-brcmstb-avs-cpufreq-add-check-for-cpufreq_cp.patch
new file mode 100644
index 00000000000..f91ad610749
--- /dev/null
+++ b/queue-5.10/cpufreq-brcmstb-avs-cpufreq-add-check-for-cpufreq_cp.patch
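Review bot: qcom_reset_set_assert() now drops the result of `regmap_update_bits()` and ends with `return 0;`, so a failed register write is reported to the reset framework as a successful assert or deassert, whereas the removed line returned that status. Keep it with `ret = regmap_update_bits(rst->regmap, map->reg, mask, assert ? mask : 0);` followed by `if (ret) return ret;`, with `int ret;` added to the declarations, which sit outside this hunk. The read-back also writes into `mask` and ignores the return value of `regmap_read()`; a dedicated scratch variable would avoid clobbering a value a later edit might still need.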
@@ -0,0 +1,39 @@
+From 18173352cc5079ed0dddf2e1ece6c32716d093b3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 17 Jan 2024 10:12:20 +0300
+Subject: cpufreq: brcmstb-avs-cpufreq: add check for cpufreq_cpu_get's return
+ value
+
+From: Anastasia Belova
+
+[ Upstream commit f661017e6d326ee187db24194cabb013d81bc2a6 ]
+
+cpufreq_cpu_get may return NULL. To avoid NULL-dereference check it
+and return 0 in case of error.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: de322e085995 ("cpufreq: brcmstb-avs-cpufreq: AVS CPUfreq driver for Broadcom STB SoCs")
+Signed-off-by: Anastasia Belova
+Signed-off-by: Viresh Kumar
+Signed-off-by: Sasha Levin
+---
+ drivers/cpufreq/brcmstb-avs-cpufreq.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/cpufreq/brcmstb-avs-cpufreq.c b/drivers/cpufreq/brcmstb-avs-cpufreq.c
+index f644c5e325fb2..38ec0fedb247f 100644
+--- a/drivers/cpufreq/brcmstb-avs-cpufreq.c
++++ b/drivers/cpufreq/brcmstb-avs-cpufreq.c
+@@ -481,6 +481,8 @@ static bool brcm_avs_is_firmware_loaded(struct private_data *priv)
+ static unsigned int brcm_avs_cpufreq_get(unsigned int cpu)
+ {
+ struct cpufreq_policy *policy = cpufreq_cpu_get(cpu);
++ if (!policy)
++ return 0;
+ struct private_data *priv = policy->driver_data;
+
+ cpufreq_cpu_put(policy);
+--
+2.43.0
+
diff --git a/queue-5.10/crypto-arm-sha-fix-function-cast-warnings.patch b/queue-5.10/crypto-arm-sha-fix-function-cast-warnings.patch
new file mode 100644
index 00000000000..078ad5be978
--- /dev/null
+++ b/queue-5.10/crypto-arm-sha-fix-function-cast-warnings.patch
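Review bot: The added `if (!policy) return 0;` in brcm_avs_cpufreq_get() is placed between two declarations, which turns `struct private_data *priv = policy->driver_data;` into a declaration after a statement; kernel builds of this generation enable -Wdeclaration-after-statement, so this is likely to warn. Declare `struct private_data *priv;` directly under the `policy` line and move the assignment `priv = policy->driver_data;` below the NULL check. The rest of the function lies outside the hunk, so whether a return value of 0 is distinguishable from a real frequency for callers cannot be confirmed here.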
@@ -0,0 +1,115 @@
+From b01459c66a0147d6ff4c7b15974db93bb7a26ad9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 13 Feb 2024 14:49:46 +0100
+Subject: crypto: arm/sha - fix function cast warnings
+
+From: Arnd Bergmann
+
+[ Upstream commit 53cc9baeb9bc2a187eb9c9790d30995148852b12 ]
+
+clang-16 warns about casting between incompatible function types:
+
+arch/arm/crypto/sha256_glue.c:37:5: error: cast from 'void (*)(u32 *, const void *, unsigned int)' (aka 'void (*)(unsigned int *, const void *, unsigned int)') to 'sha256_block_fn *' (aka 'void (*)(struct sha256_state *, const unsigned char *, int)') converts to incompatible function type [-Werror,-Wcast-function-type-strict]
+ 37 | (sha256_block_fn *)sha256_block_data_order);
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+arch/arm/crypto/sha512-glue.c:34:3: error: cast from 'void (*)(u64 *, const u8 *, int)' (aka 'void (*)(unsigned long long *, const unsigned char *, int)') to 'sha512_block_fn *' (aka 'void (*)(struct sha512_state *, const unsigned char *, int)') converts to incompatible function type [-Werror,-Wcast-function-type-strict]
+ 34 | (sha512_block_fn *)sha512_block_data_order);
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Fix the prototypes for the assembler functions to match the typedef.
+The code already relies on the digest being the first part of the
+state structure, so there is no change in behavior.
+
+Fixes: c80ae7ca3726 ("crypto: arm/sha512 - accelerated SHA-512 using ARM generic ASM and NEON")
+Fixes: b59e2ae3690c ("crypto: arm/sha256 - move SHA-224/256 ASM/NEON implementation to base layer")
+Signed-off-by: Arnd Bergmann
+Reviewed-by: Ard Biesheuvel
+Signed-off-by: Herbert Xu
+Signed-off-by: Sasha Levin
+---
+ arch/arm/crypto/sha256_glue.c | 13 +++++--------
+ arch/arm/crypto/sha512-glue.c | 12 +++++-------
+ 2 files changed, 10 insertions(+), 15 deletions(-)
+
+diff --git a/arch/arm/crypto/sha256_glue.c b/arch/arm/crypto/sha256_glue.c
+index b8a4f79020cf8..e36b86778468e 100644
+--- a/arch/arm/crypto/sha256_glue.c
++++ b/arch/arm/crypto/sha256_glue.c
+@@ -24,8 +24,8 @@
+
+ #include "sha256_glue.h"
+
+-asmlinkage void sha256_block_data_order(u32 *digest, const void *data,
+- unsigned int num_blks);
++asmlinkage void sha256_block_data_order(struct sha256_state *state,
++ const u8 *data, int num_blks);
+
+ int crypto_sha256_arm_update(struct shash_desc *desc, const u8 *data,
+ unsigned int len)
+@@ -33,23 +33,20 @@ int crypto_sha256_arm_update(struct shash_desc *desc, const u8 *data,
+ /* make sure casting to sha256_block_fn() is safe */
+ BUILD_BUG_ON(offsetof(struct sha256_state, state) != 0);
+
+- return sha256_base_do_update(desc, data, len,
+- (sha256_block_fn *)sha256_block_data_order);
++ return sha256_base_do_update(desc, data, len, sha256_block_data_order);
+ }
+ EXPORT_SYMBOL(crypto_sha256_arm_update);
+
+ static int crypto_sha256_arm_final(struct shash_desc *desc, u8 *out)
+ {
+- sha256_base_do_finalize(desc,
+- (sha256_block_fn *)sha256_block_data_order);
++ sha256_base_do_finalize(desc, sha256_block_data_order);
+ return sha256_base_finish(desc, out);
+ }
+
+ int crypto_sha256_arm_finup(struct shash_desc *desc, const u8 *data,
+ unsigned int len, u8 *out)
+ {
+- sha256_base_do_update(desc, data, len,
+- (sha256_block_fn *)sha256_block_data_order);
++ sha256_base_do_update(desc, data, len, sha256_block_data_order);
+ return crypto_sha256_arm_final(desc, out);
+ }
+ EXPORT_SYMBOL(crypto_sha256_arm_finup);
+diff --git a/arch/arm/crypto/sha512-glue.c b/arch/arm/crypto/sha512-glue.c
+index 8775aa42bbbe8..1a16b98ec1085 100644
+--- a/arch/arm/crypto/sha512-glue.c
++++ b/arch/arm/crypto/sha512-glue.c
+@@ -25,27 +25,25 @@ MODULE_ALIAS_CRYPTO("sha512");
+ MODULE_ALIAS_CRYPTO("sha384-arm");
+ MODULE_ALIAS_CRYPTO("sha512-arm");
+
+-asmlinkage void sha512_block_data_order(u64 *state, u8 const *src, int blocks);
++asmlinkage void sha512_block_data_order(struct sha512_state *state,
++ u8 const *src, int blocks);
+
+ int sha512_arm_update(struct shash_desc *desc, const u8 *data,
+ unsigned int len)
+ {
+- return sha512_base_do_update(desc, data, len,
+- (sha512_block_fn *)sha512_block_data_order);
++ return sha512_base_do_update(desc, data, len, sha512_block_data_order);
+ }
+
+ static int sha512_arm_final(struct shash_desc *desc, u8 *out)
+ {
+- sha512_base_do_finalize(desc,
+- (sha512_block_fn *)sha512_block_data_order);
++ sha512_base_do_finalize(desc, sha512_block_data_order);
+ return sha512_base_finish(desc, out);
+ }
+
+ int sha512_arm_finup(struct shash_desc *desc, const u8 *data,
+ unsigned int len, u8 *out)
+ {
+- sha512_base_do_update(desc, data, len,
+- (sha512_block_fn *)sha512_block_data_order);
++ sha512_base_do_update(desc, data, len, sha512_block_data_order);
+ return sha512_arm_final(desc, out);
+ }
+
+--
+2.43.0
+
diff --git a/queue-5.10/crypto-xilinx-call-finalize-with-bh-disabled.patch b/queue-5.10/crypto-xilinx-call-finalize-with-bh-disabled.patch
new file mode 100644
index 00000000000..3eb3138854c
--- /dev/null
+++ b/queue-5.10/crypto-xilinx-call-finalize-with-bh-disabled.patch
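Review bot: sha512-glue.c gets the same prototype change as sha256_glue.c but, as far as this hunk shows, has no compile-time check that the digest sits at offset 0 of the state struct, while sha256_glue.c keeps `BUILD_BUG_ON(offsetof(struct sha256_state, state) != 0);`. The assembler routine is now handed a `struct sha512_state *` and, per the commit message, still depends on that layout, so adding `BUILD_BUG_ON(offsetof(struct sha512_state, state) != 0);` to sha512_arm_update() would pin the assumption for the hash state. In sha256_glue.c the retained comment `/* make sure casting to sha256_block_fn() is safe */` is stale now that the cast is gone; `/* the asm routine expects the digest at offset 0 of the state */` describes what the check still protects.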
@@ -0,0 +1,72 @@
+From dbd9508131cf9e9214a058ec19ff29f33bdcd00d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 28 Jan 2024 12:29:06 +0800
+Subject: crypto: xilinx - call finalize with bh disabled
+
+From: Quanyang Wang
+
+[ Upstream commit a853450bf4c752e664abab0b2fad395b7ad7701c ]
+
+When calling crypto_finalize_request, BH should be disabled to avoid
+triggering the following calltrace:
+
+ ------------[ cut here ]------------
+ WARNING: CPU: 2 PID: 74 at crypto/crypto_engine.c:58 crypto_finalize_request+0xa0/0x118
+ Modules linked in: cryptodev(O)
+ CPU: 2 PID: 74 Comm: firmware:zynqmp Tainted: G O 6.8.0-rc1-yocto-standard #323
+ Hardware name: ZynqMP ZCU102 Rev1.0 (DT)
+ pstate: 40000005 (nZcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+ pc : crypto_finalize_request+0xa0/0x118
+ lr : crypto_finalize_request+0x104/0x118
+ sp : ffffffc085353ce0
+ x29: ffffffc085353ce0 x28: 0000000000000000 x27: ffffff8808ea8688
+ x26: ffffffc081715038 x25: 0000000000000000 x24: ffffff880100db00
+ x23: ffffff880100da80 x22: 0000000000000000 x21: 0000000000000000
+ x20: ffffff8805b14000 x19: ffffff880100da80 x18: 0000000000010450
+ x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
+ x14: 0000000000000003 x13: 0000000000000000 x12: ffffff880100dad0
+ x11: 0000000000000000 x10: ffffffc0832dcd08 x9 : ffffffc0812416d8
+ x8 : 00000000000001f4 x7 : ffffffc0830d2830 x6 : 0000000000000001
+ x5 : ffffffc082091000 x4 : ffffffc082091658 x3 : 0000000000000000
+ x2 : ffffffc7f9653000 x1 : 0000000000000000 x0 : ffffff8802d20000
+ Call trace:
+ crypto_finalize_request+0xa0/0x118
+ crypto_finalize_aead_request+0x18/0x30
+ zynqmp_handle_aes_req+0xcc/0x388
+ crypto_pump_work+0x168/0x2d8
+ kthread_worker_fn+0xfc/0x3a0
+ kthread+0x118/0x138
+ ret_from_fork+0x10/0x20
+ irq event stamp: 40
+ hardirqs last enabled at (39): [] _raw_spin_unlock_irqrestore+0x70/0xb0
+ hardirqs last disabled at (40): [] el1_dbg+0x28/0x90
+ softirqs last enabled at (36): [] kernel_neon_begin+0x8c/0xf0
+ softirqs last disabled at (34): [] kernel_neon_begin+0x60/0xf0
+ ---[ end trace 0000000000000000 ]---
+
+Fixes: 4d96f7d48131 ("crypto: xilinx - Add Xilinx AES driver")
+Signed-off-by: Quanyang Wang
+Signed-off-by: Herbert Xu
+Signed-off-by: Sasha Levin
+---
+ drivers/crypto/xilinx/zynqmp-aes-gcm.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/crypto/xilinx/zynqmp-aes-gcm.c b/drivers/crypto/xilinx/zynqmp-aes-gcm.c
+index bf1f421e05f25..74bd3eb63734d 100644
+--- a/drivers/crypto/xilinx/zynqmp-aes-gcm.c
++++ b/drivers/crypto/xilinx/zynqmp-aes-gcm.c
+@@ -231,7 +231,10 @@ static int zynqmp_handle_aes_req(struct crypto_engine *engine,
+ err = zynqmp_aes_aead_cipher(areq);
+ }
+
++ local_bh_disable();
+ crypto_finalize_aead_request(engine, areq, err);
++ local_bh_enable();
++
+ return 0;
+ }
+
+--
+2.43.0
+
diff --git a/queue-5.10/dm-call-the-resume-method-on-internal-suspend.patch b/queue-5.10/dm-call-the-resume-method-on-internal-suspend.patch
new file mode 100644
index 00000000000..2ce97335018
--- /dev/null
+++ b/queue-5.10/dm-call-the-resume-method-on-internal-suspend.patch
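Review bot: The `local_bh_disable()` / `local_bh_enable()` pair added around `crypto_finalize_aead_request()` in zynqmp_handle_aes_req() has no comment, so the reason for it exists only in the commit message and the pair looks removable to a later reader. A line above it such as `/* crypto_finalize_request() warns unless it is called with BH disabled */` would record the constraint next to the call. The function starts outside the hunk, so other completion paths in this driver that may need the same bracket cannot be checked from here.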
@@ -0,0 +1,123 @@
+From 606ae1d70a585ddbf30940deab8ce72b70b3eba3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 11 Mar 2024 15:06:39 +0100
+Subject: dm: call the resume method on internal suspend
+
+From: Mikulas Patocka
+
+[ Upstream commit 65e8fbde64520001abf1c8d0e573561b4746ef38 ]
+
+There is this reported crash when experimenting with the lvm2 testsuite.
+The list corruption is caused by the fact that the postsuspend and resume
+methods were not paired correctly; there were two consecutive calls to the
+origin_postsuspend function. The second call attempts to remove the
+"hash_list" entry from a list, while it was already removed by the first
+call.
+
+Fix __dm_internal_resume so that it calls the preresume and resume
+methods of the table's targets.
+
+If a preresume method of some target fails, we are in a tricky situation.
+We can't return an error because dm_internal_resume isn't supposed to
+return errors. We can't return success, because then the "resume" and
+"postsuspend" methods would not be paired correctly. So, we set the
+DMF_SUSPENDED flag and we fake normal suspend - it may confuse userspace
+tools, but it won't cause a kernel crash.
+
+------------[ cut here ]------------
+kernel BUG at lib/list_debug.c:56!
+invalid opcode: 0000 [#1] PREEMPT SMP
+CPU: 1 PID: 8343 Comm: dmsetup Not tainted 6.8.0-rc6 #4
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
+RIP: 0010:__list_del_entry_valid_or_report+0x77/0xc0
+
+RSP: 0018:ffff8881b831bcc0 EFLAGS: 00010282
+RAX: 000000000000004e RBX: ffff888143b6eb80 RCX: 0000000000000000
+RDX: 0000000000000001 RSI: ffffffff819053d0 RDI: 00000000ffffffff
+RBP: ffff8881b83a3400 R08: 00000000fffeffff R09: 0000000000000058
+R10: 0000000000000000 R11: ffffffff81a24080 R12: 0000000000000001
+R13: ffff88814538e000 R14: ffff888143bc6dc0 R15: ffffffffa02e4bb0
+FS: 00000000f7c0f780(0000) GS:ffff8893f0a40000(0000) knlGS:0000000000000000
+CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
+CR2: 0000000057fb5000 CR3: 0000000143474000 CR4: 00000000000006b0
+Call Trace:
+
+ ? die+0x2d/0x80
+ ? do_trap+0xeb/0xf0
+ ? __list_del_entry_valid_or_report+0x77/0xc0
+ ? do_error_trap+0x60/0x80
+ ? __list_del_entry_valid_or_report+0x77/0xc0
+ ? exc_invalid_op+0x49/0x60
+ ? __list_del_entry_valid_or_report+0x77/0xc0
+ ? asm_exc_invalid_op+0x16/0x20
+ ? table_deps+0x1b0/0x1b0 [dm_mod]
+ ? __list_del_entry_valid_or_report+0x77/0xc0
+ origin_postsuspend+0x1a/0x50 [dm_snapshot]
+ dm_table_postsuspend_targets+0x34/0x50 [dm_mod]
+ dm_suspend+0xd8/0xf0 [dm_mod]
+ dev_suspend+0x1f2/0x2f0 [dm_mod]
+ ? table_deps+0x1b0/0x1b0 [dm_mod]
+ ctl_ioctl+0x300/0x5f0 [dm_mod]
+ dm_compat_ctl_ioctl+0x7/0x10 [dm_mod]
+ __x64_compat_sys_ioctl+0x104/0x170
+ do_syscall_64+0x184/0x1b0
+ entry_SYSCALL_64_after_hwframe+0x46/0x4e
+RIP: 0033:0xf7e6aead
+
+---[ end trace 0000000000000000 ]---
+
+Fixes: ffcc39364160 ("dm: enhance internal suspend and resume interface")
+Signed-off-by: Mikulas Patocka
+Signed-off-by: Mike Snitzer
+Signed-off-by: Sasha Levin
+---
+ drivers/md/dm.c | 26 ++++++++++++++++++++------
+ 1 file changed, 20 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/md/dm.c b/drivers/md/dm.c
+index 9029c1004b933..dc8498b4b5c13 100644
+--- a/drivers/md/dm.c
++++ b/drivers/md/dm.c
+@@ -2733,6 +2733,9 @@ static void __dm_internal_suspend(struct mapped_device *md, unsigned suspend_fla
+
+ static void __dm_internal_resume(struct mapped_device *md)
+ {
++ int r;
++ struct dm_table *map;
++
+ BUG_ON(!md->internal_suspend_count);
+
+ if (--md->internal_suspend_count)
+@@ -2741,12 +2744,23 @@ static void __dm_internal_resume(struct mapped_device *md)
+ if (dm_suspended_md(md))
+ goto done; /* resume from nested suspend */
+
+- /*
+- * NOTE: existing callers don't need to call dm_table_resume_targets
+- * (which may fail -- so best to avoid it for now by passing NULL map)
+- */
+- (void) __dm_resume(md, NULL);
+-
++ map = rcu_dereference_protected(md->map, lockdep_is_held(&md->suspend_lock));
++ r = __dm_resume(md, map);
++ if (r) {
++ /*
++ * If a preresume method of some target failed, we are in a
++ * tricky situation. We can't return an error to the caller. We
++ * can't fake success because then the "resume" and
++ * "postsuspend" methods would not be paired correctly, and it
++ * would break various targets, for example it would cause list
++ * corruption in the "origin" target.
++ *
++ * So, we fake normal suspend here, to make sure that the
++ * "resume" and "postsuspend" methods will be paired correctly.
++ */
++ DMERR("Preresume method failed: %d", r);
++ set_bit(DMF_SUSPENDED, &md->flags);
++ }
+ done:
+ clear_bit(DMF_SUSPENDED_INTERNALLY, &md->flags);
+ smp_mb__after_atomic();
+--
+2.43.0
+
diff --git a/queue-5.10/dm-raid-fix-false-positive-for-requeue-needed-during.patch b/queue-5.10/dm-raid-fix-false-positive-for-requeue-needed-during.patch
new file mode 100644
index 00000000000..981e73bd438
--- /dev/null
+++ b/queue-5.10/dm-raid-fix-false-positive-for-requeue-needed-during.patch
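Review bot: The failure branch in __dm_internal_resume() leaves the device flagged DMF_SUSPENDED, yet `DMERR("Preresume method failed: %d", r);` does not name the device, so someone who later finds a mapped device unexpectedly suspended cannot tie it to this log line on a host with many devices. Including the name, `DMERR("%s: Preresume method failed: %d", dm_device_name(md), r);`, makes the state change traceable. The function begins outside this hunk and the `done:` path continues past it.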
@@ -0,0 +1,46 @@
+From dbf878e1f52c60c02bba794bbf721bb96dcb53e4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 11 Mar 2024 13:42:55 -0400
+Subject: dm raid: fix false positive for requeue needed during reshape
+
+From: Ming Lei
+
+[ Upstream commit b25b8f4b8ecef0f48c05f0c3572daeabefe16526 ]
+
+An empty flush doesn't have a payload, so it should never be looked at
+when considering to possibly requeue a bio for the case when a reshape
+is in progress.
+
+Fixes: 9dbd1aa3a81c ("dm raid: add reshaping support to the target")
+Reported-by: Patrick Plenefisch
+Signed-off-by: Ming Lei
+Signed-off-by: Mike Snitzer
+Signed-off-by: Sasha Levin
+---
+ drivers/md/dm-raid.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/md/dm-raid.c b/drivers/md/dm-raid.c
+index 140bdf2a6ee11..e523ecdf947f4 100644
+--- a/drivers/md/dm-raid.c
++++ b/drivers/md/dm-raid.c
+@@ -3329,14 +3329,14 @@ static int raid_map(struct dm_target *ti, struct bio *bio)
+ struct mddev *mddev = &rs->md;
+
+ /*
+- * If we're reshaping to add disk(s)), ti->len and
++ * If we're reshaping to add disk(s), ti->len and
+ * mddev->array_sectors will differ during the process
+ * (ti->len > mddev->array_sectors), so we have to requeue
+ * bios with addresses > mddev->array_sectors here or
+ * there will occur accesses past EOD of the component
+ * data images thus erroring the raid set.
+ */
+- if (unlikely(bio_end_sector(bio) > mddev->array_sectors))
++ if (unlikely(bio_has_data(bio) && bio_end_sector(bio) > mddev->array_sectors))
+ return DM_MAPIO_REQUEUE;
+
+ md_handle_request(mddev, bio);
+--
+2.43.0
+
diff --git a/queue-5.10/dmaengine-tegra210-adma-update-dependency-to-arch_te.patch b/queue-5.10/dmaengine-tegra210-adma-update-dependency-to-arch_te.patch
new file mode 100644
index 00000000000..a511f1fa3ea
--- /dev/null
+++ b/queue-5.10/dmaengine-tegra210-adma-update-dependency-to-arch_te.patch
@@ -0,0 +1,60 @@ +From e500f42a12ce93b524800042e0bbd2adec34f628 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Jan 2024 09:32:56 +0000 +Subject: dmaengine: tegra210-adma: Update dependency to ARCH_TEGRA + +From: Peter Robinson + +[ Upstream commit 33b7db45533af240fe44e809f9dc4d604cf82d07 ] + +Update the architecture dependency to be the generic Tegra +because the driver works on the four latest Tegra generations +not just T210, if you build a kernel with a specific +ARCH_TEGRA_xxx_SOC option that excludes 210 you don't get +this driver. + +Fixes: 433de642a76c9 ("dmaengine: tegra210-adma: add support for Tegra186/Tegra194") +Signed-off-by: Peter Robinson +Cc: Jon Hunter +Cc: Thierry Reding +Cc: Sameer Pujar +Cc: Laxman Dewangan +Reviewed-by: Jon Hunter +Link: https://lore.kernel.org/r/20240112093310.329642-2-pbrobinson@gmail.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/Kconfig | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/drivers/dma/Kconfig b/drivers/dma/Kconfig +index 7e1bd79fbee8f..02b98f979479a 100644 +--- a/drivers/dma/Kconfig ++++ b/drivers/dma/Kconfig +@@ -614,16 +614,16 @@ config TEGRA20_APB_DMA + + config TEGRA210_ADMA + tristate "NVIDIA Tegra210 ADMA support" +- depends on (ARCH_TEGRA_210_SOC || COMPILE_TEST) ++ depends on (ARCH_TEGRA || COMPILE_TEST) + select DMA_ENGINE + select DMA_VIRTUAL_CHANNELS + help +- Support for the NVIDIA Tegra210 ADMA controller driver. The +- DMA controller has multiple DMA channels and is used to service +- various audio clients in the Tegra210 audio processing engine +- (APE). This DMA controller transfers data from memory to +- peripheral and vice versa. It does not support memory to +- memory data transfer. ++ Support for the NVIDIA Tegra210/Tegra186/Tegra194/Tegra234 ADMA ++ controller driver. The DMA controller has multiple DMA channels ++ and is used to service various audio clients in the Tegra210 ++ audio processing engine (APE). 
This DMA controller transfers ++ data from memory to peripheral and vice versa. It does not ++ support memory to memory data transfer. + + config TIMB_DMA + tristate "Timberdale FPGA DMA support" +-- +2.43.0 + diff --git a/queue-5.10/do_sys_name_to_handle-use-kzalloc-to-fix-kernel-info.patch b/queue-5.10/do_sys_name_to_handle-use-kzalloc-to-fix-kernel-info.patch new file mode 100644 index 00000000000..8f09d773b27 --- /dev/null +++ b/queue-5.10/do_sys_name_to_handle-use-kzalloc-to-fix-kernel-info.patch 
@@ -0,0 +1,72 @@ +From 683c20095e71af780f30cb1d9e527c5eaf938586 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Jan 2024 07:39:06 -0800 +Subject: do_sys_name_to_handle(): use kzalloc() to fix kernel-infoleak + +From: Nikita Zhandarovich + +[ Upstream commit 3948abaa4e2be938ccdfc289385a27342fb13d43 ] + +syzbot identified a kernel information leak vulnerability in +do_sys_name_to_handle() and issued the following report [1]. + +[1] +"BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline] +BUG: KMSAN: kernel-infoleak in _copy_to_user+0xbc/0x100 lib/usercopy.c:40 + instrument_copy_to_user include/linux/instrumented.h:114 [inline] + _copy_to_user+0xbc/0x100 lib/usercopy.c:40 + copy_to_user include/linux/uaccess.h:191 [inline] + do_sys_name_to_handle fs/fhandle.c:73 [inline] + __do_sys_name_to_handle_at fs/fhandle.c:112 [inline] + __se_sys_name_to_handle_at+0x949/0xb10 fs/fhandle.c:94 + __x64_sys_name_to_handle_at+0xe4/0x140 fs/fhandle.c:94 + ... + +Uninit was created at: + slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768 + slab_alloc_node mm/slub.c:3478 [inline] + __kmem_cache_alloc_node+0x5c9/0x970 mm/slub.c:3517 + __do_kmalloc_node mm/slab_common.c:1006 [inline] + __kmalloc+0x121/0x3c0 mm/slab_common.c:1020 + kmalloc include/linux/slab.h:604 [inline] + do_sys_name_to_handle fs/fhandle.c:39 [inline] + __do_sys_name_to_handle_at fs/fhandle.c:112 [inline] + __se_sys_name_to_handle_at+0x441/0xb10 fs/fhandle.c:94 + __x64_sys_name_to_handle_at+0xe4/0x140 fs/fhandle.c:94 + ... + +Bytes 18-19 of 20 are uninitialized +Memory access of size 20 starts at ffff888128a46380 +Data copied to user address 0000000020000240" + +Per Chuck Lever's suggestion, use kzalloc() instead of kmalloc() to +solve the problem. 
+ +Fixes: 990d6c2d7aee ("vfs: Add name to file handle conversion support") +Suggested-by: Chuck Lever III +Reported-and-tested-by: +Signed-off-by: Nikita Zhandarovich +Link: https://lore.kernel.org/r/20240119153906.4367-1-n.zhandarovich@fintech.ru +Reviewed-by: Jan Kara +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/fhandle.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/fhandle.c b/fs/fhandle.c +index 01263ffbc4c08..9a5f153c8919e 100644 +--- a/fs/fhandle.c ++++ b/fs/fhandle.c +@@ -37,7 +37,7 @@ static long do_sys_name_to_handle(struct path *path, + if (f_handle.handle_bytes > MAX_HANDLE_SZ) + return -EINVAL; + +- handle = kmalloc(sizeof(struct file_handle) + f_handle.handle_bytes, ++ handle = kzalloc(sizeof(struct file_handle) + f_handle.handle_bytes, + GFP_KERNEL); + if (!handle) + return -ENOMEM; +-- +2.43.0 + diff --git a/queue-5.10/drm-amd-display-fix-a-potential-buffer-overflow-in-d.patch b/queue-5.10/drm-amd-display-fix-a-potential-buffer-overflow-in-d.patch new file mode 100644 index 00000000000..68d983d6ab8 --- /dev/null +++ b/queue-5.10/drm-amd-display-fix-a-potential-buffer-overflow-in-d.patch 
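Review bot: The switch to `kzalloc()` in `do_sys_name_to_handle()` carries no comment saying why the zeroing matters, so a later cleanup could turn it back into `kmalloc()` as a micro-optimisation and reopen the leak. The KMSAN report in the description shows this buffer being copied to user space with bytes that were never initialised, and I would record that above the allocation: `/* kzalloc: this buffer is copied to user space; bytes the encoder leaves unwritten must not leak */`. The function continues outside the hunk, so the copy itself is not visible here.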
@@ -0,0 +1,46 @@ +From 2098d4f6b43c80ffe1790459f9a488ec4ac1373e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Jan 2024 20:18:07 +0530 +Subject: drm/amd/display: Fix a potential buffer overflow in + 'dp_dsc_clock_en_read()' + +From: Srinivasan Shanmugam + +[ Upstream commit 4b09715f1504f1b6e8dff0e9643630610bc05141 ] + +Tell snprintf() to store at most 10 bytes in the output buffer +instead of 30. + +Fixes the below: +drivers/gpu/drm/amd/amdgpu/../display/amdgpu_dm/amdgpu_dm_debugfs.c:1508 dp_dsc_clock_en_read() error: snprintf() is printing too much 30 vs 10 + +Fixes: c06e09b76639 ("drm/amd/display: Add DSC parameters logging to debugfs") +Cc: Alex Hung +Cc: Qingqing Zhuo +Cc: Rodrigo Siqueira +Cc: Aurabindo Pillai +Cc: Alex Deucher +Signed-off-by: Srinivasan Shanmugam +Reviewed-by: Harry Wentland +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c +index e43f82bcb231a..32dbd2a270887 100644 +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c +@@ -1179,7 +1179,7 @@ static ssize_t dp_dsc_clock_en_read(struct file *f, char __user *buf, + const uint32_t rd_buf_size = 10; + struct pipe_ctx *pipe_ctx; + ssize_t result = 0; +- int i, r, str_len = 30; ++ int i, r, str_len = 10; + + rd_buf = kcalloc(rd_buf_size, sizeof(char), GFP_KERNEL); + +-- +2.43.0 + diff --git a/queue-5.10/drm-amd-display-fix-potential-null-pointer-dereferen.patch b/queue-5.10/drm-amd-display-fix-potential-null-pointer-dereferen.patch new file mode 100644 index 00000000000..283fead5822 --- /dev/null +++ b/queue-5.10/drm-amd-display-fix-potential-null-pointer-dereferen.patch 
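Review bot: `str_len = 10` in `dp_dsc_clock_en_read()` now repeats the literal already held in `const uint32_t rd_buf_size = 10;` a few lines above it, so the snprintf() bound and the allocation size can drift apart again the next time one of them is edited. Tying them together removes the second magic number: `int i, r, str_len = rd_buf_size;`. The hunk ends right after the `kcalloc()` call, so whether `rd_buf` is checked for NULL before use is not visible here.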
@@ -0,0 +1,57 @@ +From a890e623933831ebc3c386fc90d6a5dc06c9edbe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Jan 2024 21:16:04 +0530 +Subject: drm/amd/display: Fix potential NULL pointer dereferences in + 'dcn10_set_output_transfer_func()' + +From: Srinivasan Shanmugam + +[ Upstream commit 9ccfe80d022df7c595f1925afb31de2232900656 ] + +The 'stream' pointer is used in dcn10_set_output_transfer_func() before +the check if 'stream' is NULL. + +Fixes the below: +drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn10/dcn10_hwseq.c:1892 dcn10_set_output_transfer_func() warn: variable dereferenced before check 'stream' (see line 1875) + +Fixes: ddef02de0d71 ("drm/amd/display: add null checks before logging") +Cc: Wyatt Wood +Cc: Anthony Koo +Cc: Rodrigo Siqueira +Cc: Aurabindo Pillai +Signed-off-by: Srinivasan Shanmugam +Reviewed-by: Anthony Koo +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c +index 1c669f115dd80..8cf6e307ae36e 100644 +--- a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c +@@ -1669,6 +1669,9 @@ bool dcn10_set_output_transfer_func(struct dc *dc, struct pipe_ctx *pipe_ctx, + { + struct dpp *dpp = pipe_ctx->plane_res.dpp; + ++ if (!stream) ++ return false; ++ + if (dpp == NULL) + return false; + +@@ -1691,8 +1694,8 @@ bool dcn10_set_output_transfer_func(struct dc *dc, struct pipe_ctx *pipe_ctx, + } else + dpp->funcs->dpp_program_regamma_pwl(dpp, NULL, OPP_REGAMMA_BYPASS); + +- if (stream != NULL && stream->ctx != NULL && +- stream->out_transfer_func != NULL) { ++ if (stream->ctx && ++ stream->out_transfer_func) { + log_tf(stream->ctx, + stream->out_transfer_func, + dpp->regamma_params.hw_points_num); +-- 
+2.43.0 + diff --git a/queue-5.10/drm-amdgpu-fix-missing-break-in-atom_arg_imm-case-of.patch b/queue-5.10/drm-amdgpu-fix-missing-break-in-atom_arg_imm-case-of.patch new file mode 100644 index 00000000000..a15b0b64388 --- /dev/null +++ b/queue-5.10/drm-amdgpu-fix-missing-break-in-atom_arg_imm-case-of.patch @@ -0,0 +1,48 @@ +From 41954355b4449262adfa3cbd54df98c9d2a5e93e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 24 Feb 2024 07:48:52 +0530 +Subject: drm/amdgpu: Fix missing break in ATOM_ARG_IMM Case of + atom_get_src_int() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Srinivasan Shanmugam + +[ Upstream commit 7cf1ad2fe10634238b38442a851d89514cb14ea2 ] + +Missing break statement in the ATOM_ARG_IMM case of a switch statement, +adds the missing break statement, ensuring that the program's control +flow is as intended. + +Fixes the below: +drivers/gpu/drm/amd/amdgpu/atom.c:323 atom_get_src_int() warn: ignoring unreachable code. + +Fixes: d38ceaf99ed0 ("drm/amdgpu: add core driver (v4)") +Cc: Jammy Zhou +Cc: Christian König +Cc: Alex Deucher +Signed-off-by: Srinivasan Shanmugam +Reviewed-by: Alex Deucher +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/atom.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/atom.c b/drivers/gpu/drm/amd/amdgpu/atom.c +index 4cfc786699c7f..c1841fa873f56 100644 +--- a/drivers/gpu/drm/amd/amdgpu/atom.c ++++ b/drivers/gpu/drm/amd/amdgpu/atom.c +@@ -310,7 +310,7 @@ static uint32_t atom_get_src_int(atom_exec_context *ctx, uint8_t attr, + DEBUG("IMM 0x%02X\n", val); + return val; + } +- return 0; ++ break; + case ATOM_ARG_PLL: + idx = U8(*ptr); + (*ptr)++; +-- +2.43.0 + diff --git a/queue-5.10/drm-don-t-treat-0-as-1-in-drm_fixp2int_ceil.patch b/queue-5.10/drm-don-t-treat-0-as-1-in-drm_fixp2int_ceil.patch new file mode 100644 index 00000000000..5054e4cf098 --- /dev/null 
+++ b/queue-5.10/drm-don-t-treat-0-as-1-in-drm_fixp2int_ceil.patch @@ -0,0 +1,41 @@ +From 928355233e8e5a36c038b9dbc668b63695a41aae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Nov 2023 11:36:20 -0500 +Subject: drm: Don't treat 0 as -1 in drm_fixp2int_ceil + +From: Harry Wentland + +[ Upstream commit cf8837d7204481026335461629b84ac7f4538fa5 ] + +Unit testing this in VKMS shows that passing 0 into +this function returns -1, which is highly counter- +intuitive. Fix it by checking whether the input is +>= 0 instead of > 0. + +Fixes: 64566b5e767f ("drm: Add drm_fixp_from_fraction and drm_fixp2int_ceil") +Signed-off-by: Harry Wentland +Reviewed-by: Simon Ser +Reviewed-by: Melissa Wen +Signed-off-by: Melissa Wen +Link: https://patchwork.freedesktop.org/patch/msgid/20231108163647.106853-2-harry.wentland@amd.com +Signed-off-by: Sasha Levin +--- + include/drm/drm_fixed.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/drm/drm_fixed.h b/include/drm/drm_fixed.h +index 553210c02ee0f..627efa56e59fb 100644 +--- a/include/drm/drm_fixed.h ++++ b/include/drm/drm_fixed.h +@@ -88,7 +88,7 @@ static inline int drm_fixp2int(s64 a) + + static inline int drm_fixp2int_ceil(s64 a) + { +- if (a > 0) ++ if (a >= 0) + return drm_fixp2int(a + DRM_FIXED_ALMOST_ONE); + else + return drm_fixp2int(a - DRM_FIXED_ALMOST_ONE); +-- +2.43.0 + diff --git a/queue-5.10/drm-lima-fix-a-memleak-in-lima_heap_alloc.patch b/queue-5.10/drm-lima-fix-a-memleak-in-lima_heap_alloc.patch new file mode 100644 index 00000000000..35c5158e3a2 --- /dev/null +++ b/queue-5.10/drm-lima-fix-a-memleak-in-lima_heap_alloc.patch 
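Review bot: The negative branch of `drm_fixp2int_ceil()` that this change leaves in place, `drm_fixp2int(a - DRM_FIXED_ALMOST_ONE)`, looks wrong for the same reason zero was. If `drm_fixp2int()` is an arithmetic right shift (its body is outside the hunk), it rounds toward minus infinity, so an input of exactly -1.0 would come out as -2 rather than -1. With a flooring conversion the ceiling is `drm_fixp2int(a + DRM_FIXED_ALMOST_ONE)` for every sign, which would make the `if`/`else` unnecessary. A unit test covering a few negative inputs would settle which behaviour callers actually get.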
@@ -0,0 +1,72 @@ +From c4862cd028aa66e71712b1f40533f8a6ef462f5d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Jan 2024 15:13:28 +0800 +Subject: drm/lima: fix a memleak in lima_heap_alloc + +From: Zhipeng Lu + +[ Upstream commit 04ae3eb470e52a3c41babe85ff8cee195e4dcbea ] + +When lima_vm_map_bo fails, the resources need to be deallocated, or +there will be memleaks. + +Fixes: 6aebc51d7aef ("drm/lima: support heap buffer creation") +Signed-off-by: Zhipeng Lu +Signed-off-by: Qiang Yu +Link: https://patchwork.freedesktop.org/patch/msgid/20240117071328.3811480-1-alexious@zju.edu.cn +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/lima/lima_gem.c | 23 ++++++++++++++--------- + 1 file changed, 14 insertions(+), 9 deletions(-) + +diff --git a/drivers/gpu/drm/lima/lima_gem.c b/drivers/gpu/drm/lima/lima_gem.c +index 11223fe348dfe..894175f2ed492 100644 +--- a/drivers/gpu/drm/lima/lima_gem.c ++++ b/drivers/gpu/drm/lima/lima_gem.c +@@ -74,29 +74,34 @@ int lima_heap_alloc(struct lima_bo *bo, struct lima_vm *vm) + } else { + bo->base.sgt = kmalloc(sizeof(*bo->base.sgt), GFP_KERNEL); + if (!bo->base.sgt) { +- sg_free_table(&sgt); +- return -ENOMEM; ++ ret = -ENOMEM; ++ goto err_out0; + } + } + + ret = dma_map_sgtable(dev, &sgt, DMA_BIDIRECTIONAL, 0); +- if (ret) { +- sg_free_table(&sgt); +- kfree(bo->base.sgt); +- bo->base.sgt = NULL; +- return ret; +- } ++ if (ret) ++ goto err_out1; + + *bo->base.sgt = sgt; + + if (vm) { + ret = lima_vm_map_bo(vm, bo, old_size >> PAGE_SHIFT); + if (ret) +- return ret; ++ goto err_out2; + } + + bo->heap_size = new_size; + return 0; ++ ++err_out2: ++ dma_unmap_sgtable(dev, &sgt, DMA_BIDIRECTIONAL, 0); ++err_out1: ++ kfree(bo->base.sgt); ++ bo->base.sgt = NULL; ++err_out0: ++ sg_free_table(&sgt); ++ return ret; + } + + int lima_gem_create_handle(struct drm_device *dev, struct drm_file *file, +-- +2.43.0 + 
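Review bot: The three new labels in `lima_heap_alloc()`, `err_out0`, `err_out1` and `err_out2`, are numbered rather than named for what they undo, which the kernel coding style discourages and which makes it easy to jump to the wrong one when another step is added. Names such as `err_unmap_sgt`, `err_free_sgt` and `err_free_table` would say what each stage releases. Separately, `err_out1` sets `bo->base.sgt = NULL` even when the table was already present on entry (that branch is above the hunk), so it may be worth checking that a BO left in that state is something callers expect. The function starts outside the hunk.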
diff --git a/queue-5.10/drm-mediatek-dsi-fix-dsi-rgb666-formats-and-definiti.patch b/queue-5.10/drm-mediatek-dsi-fix-dsi-rgb666-formats-and-definiti.patch
new file mode 100644
index 00000000000..40d365ccf07
--- /dev/null
+++ b/queue-5.10/drm-mediatek-dsi-fix-dsi-rgb666-formats-and-definiti.patch
@@ -0,0 +1,78 @@ +From 2655af046dc84ad256a8328cc11820d47d457cde Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Feb 2024 09:53:09 +0100 +Subject: drm/mediatek: dsi: Fix DSI RGB666 formats and definitions + +From: AngeloGioacchino Del Regno + +[ Upstream commit fae6f815505301b92d9113764f4d76d0bfe45607 ] + +The register bits definitions for RGB666 formats are wrong in multiple +ways: first, in the DSI_PS_SEL bits region, the Packed 18-bits RGB666 +format is selected with bit 1, while the Loosely Packed one is bit 2, +and second - the definition name "LOOSELY_PS_18BIT_RGB666" is wrong +because the loosely packed format is 24 bits instead! + +Either way, functions mtk_dsi_ps_control_vact() and mtk_dsi_ps_control() +do not even agree on the DSI_PS_SEL bit to set in DSI_PSCTRL: one sets +loosely packed (24) on RGB666, the other sets packed (18), and the other +way around for RGB666_PACKED. + +Fixing this entire stack of issues is done in one go: + - Use the correct bit for the Loosely Packed RGB666 definition + - Rename LOOSELY_PS_18BIT_RGB666 to LOOSELY_PS_24BIT_RGB666 + - Change ps_bpp_mode in mtk_dsi_ps_control_vact() to set: + - Loosely Packed, 24-bits for MIPI_DSI_FMT_RGB666 + - Packed, 18-bits for MIPI_DSI_FMT_RGB666_PACKED + +Fixes: 2e54c14e310f ("drm/mediatek: Add DSI sub driver") +Reviewed-by: Alexandre Mergnat +Reviewed-by: CK Hu +Signed-off-by: AngeloGioacchino Del Regno +Link: https://patchwork.kernel.org/project/dri-devel/patch/20240215085316.56835-3-angelogioacchino.delregno@collabora.com/ +Signed-off-by: Chun-Kuang Hu +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/mediatek/mtk_dsi.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/gpu/drm/mediatek/mtk_dsi.c b/drivers/gpu/drm/mediatek/mtk_dsi.c +index a6e71b7b69b83..17d45f06cedf3 100644 +--- a/drivers/gpu/drm/mediatek/mtk_dsi.c ++++ b/drivers/gpu/drm/mediatek/mtk_dsi.c +@@ -68,8 +68,8 @@ + #define DSI_PS_WC 0x3fff + #define DSI_PS_SEL (3 << 16) + 
#define PACKED_PS_16BIT_RGB565 (0 << 16) +-#define LOOSELY_PS_18BIT_RGB666 (1 << 16) +-#define PACKED_PS_18BIT_RGB666 (2 << 16) ++#define PACKED_PS_18BIT_RGB666 (1 << 16) ++#define LOOSELY_PS_24BIT_RGB666 (2 << 16) + #define PACKED_PS_24BIT_RGB888 (3 << 16) + + #define DSI_VSA_NL 0x20 +@@ -365,10 +365,10 @@ static void mtk_dsi_ps_control_vact(struct mtk_dsi *dsi) + ps_bpp_mode |= PACKED_PS_24BIT_RGB888; + break; + case MIPI_DSI_FMT_RGB666: +- ps_bpp_mode |= PACKED_PS_18BIT_RGB666; ++ ps_bpp_mode |= LOOSELY_PS_24BIT_RGB666; + break; + case MIPI_DSI_FMT_RGB666_PACKED: +- ps_bpp_mode |= LOOSELY_PS_18BIT_RGB666; ++ ps_bpp_mode |= PACKED_PS_18BIT_RGB666; + break; + case MIPI_DSI_FMT_RGB565: + ps_bpp_mode |= PACKED_PS_16BIT_RGB565; +@@ -419,7 +419,7 @@ static void mtk_dsi_ps_control(struct mtk_dsi *dsi) + dsi_tmp_buf_bpp = 3; + break; + case MIPI_DSI_FMT_RGB666: +- tmp_reg = LOOSELY_PS_18BIT_RGB666; ++ tmp_reg = LOOSELY_PS_24BIT_RGB666; + dsi_tmp_buf_bpp = 3; + break; + case MIPI_DSI_FMT_RGB666_PACKED: +-- +2.43.0 + diff --git a/queue-5.10/drm-mediatek-fix-a-null-pointer-crash-in-mtk_drm_crt.patch b/queue-5.10/drm-mediatek-fix-a-null-pointer-crash-in-mtk_drm_crt.patch new file mode 100644 index 00000000000..5a1b2aeae78 --- /dev/null +++ b/queue-5.10/drm-mediatek-fix-a-null-pointer-crash-in-mtk_drm_crt.patch 
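Review bot: `mtk_dsi_ps_control_vact()` and `mtk_dsi_ps_control()` each keep their own `switch` from `MIPI_DSI_FMT_*` to the `DSI_PS_SEL` value, and the description says the two had drifted into opposite settings for RGB666; the change corrects both copies but leaves the duplication that allowed it. A small static helper that returns the PS_SEL bits for a format, called from both functions, would give the mapping one home. The `MIPI_DSI_FMT_RGB666_PACKED` case of `mtk_dsi_ps_control()` is outside the hunk, so I could not confirm it now selects `PACKED_PS_18BIT_RGB666`.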
@@ -0,0 +1,81 @@ +From a60753c33f56189bf6921013e8f4f396a756be2f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Feb 2024 13:23:29 -0800 +Subject: drm/mediatek: Fix a null pointer crash in + mtk_drm_crtc_finish_page_flip + +From: Hsin-Yi Wang + +[ Upstream commit c958e86e9cc1b48cac004a6e245154dfba8e163b ] + +It's possible that mtk_crtc->event is NULL in +mtk_drm_crtc_finish_page_flip(). + +pending_needs_vblank value is set by mtk_crtc->event, but in +mtk_drm_crtc_atomic_flush(), it's is not guarded by the same +lock in mtk_drm_finish_page_flip(), thus a race condition happens. + +Consider the following case: + +CPU1 CPU2 +step 1: +mtk_drm_crtc_atomic_begin() +mtk_crtc->event is not null, + step 1: + mtk_drm_crtc_atomic_flush: + mtk_drm_crtc_update_config( + !!mtk_crtc->event) +step 2: +mtk_crtc_ddp_irq -> +mtk_drm_finish_page_flip: +lock +mtk_crtc->event set to null, +pending_needs_vblank set to false +unlock + pending_needs_vblank set to true, + + step 2: + mtk_crtc_ddp_irq -> + mtk_drm_finish_page_flip called again, + pending_needs_vblank is still true + //null pointer + +Instead of guarding the entire mtk_drm_crtc_atomic_flush(), it's more +efficient to just check if mtk_crtc->event is null before use. 
+ +Fixes: 119f5173628a ("drm/mediatek: Add DRM Driver for Mediatek SoC MT8173.") +Signed-off-by: Hsin-Yi Wang +Reviewed-by: CK Hu +Link: https://patchwork.kernel.org/project/dri-devel/patch/20240223212404.3709690-1-hsinyi@chromium.org/ +Signed-off-by: Chun-Kuang Hu +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/mediatek/mtk_drm_crtc.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/drivers/gpu/drm/mediatek/mtk_drm_crtc.c b/drivers/gpu/drm/mediatek/mtk_drm_crtc.c +index 1eaf513166a1a..d08827803a32f 100644 +--- a/drivers/gpu/drm/mediatek/mtk_drm_crtc.c ++++ b/drivers/gpu/drm/mediatek/mtk_drm_crtc.c +@@ -84,11 +84,13 @@ static void mtk_drm_crtc_finish_page_flip(struct mtk_drm_crtc *mtk_crtc) + struct drm_crtc *crtc = &mtk_crtc->base; + unsigned long flags; + +- spin_lock_irqsave(&crtc->dev->event_lock, flags); +- drm_crtc_send_vblank_event(crtc, mtk_crtc->event); +- drm_crtc_vblank_put(crtc); +- mtk_crtc->event = NULL; +- spin_unlock_irqrestore(&crtc->dev->event_lock, flags); ++ if (mtk_crtc->event) { ++ spin_lock_irqsave(&crtc->dev->event_lock, flags); ++ drm_crtc_send_vblank_event(crtc, mtk_crtc->event); ++ drm_crtc_vblank_put(crtc); ++ mtk_crtc->event = NULL; ++ spin_unlock_irqrestore(&crtc->dev->event_lock, flags); ++ } + } + + static void mtk_drm_finish_page_flip(struct mtk_drm_crtc *mtk_crtc) +-- +2.43.0 + diff --git a/queue-5.10/drm-msm-dpu-add-division-of-drm_display_mode-s-hskew.patch b/queue-5.10/drm-msm-dpu-add-division-of-drm_display_mode-s-hskew.patch new file mode 100644 index 00000000000..9944ada5d7b --- /dev/null +++ b/queue-5.10/drm-msm-dpu-add-division-of-drm_display_mode-s-hskew.patch 
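Review bot: The new `if (mtk_crtc->event)` test in `mtk_drm_crtc_finish_page_flip()` runs before `spin_lock_irqsave()`, so the pointer is checked without the lock under which it is cleared and can change between the test and the use. Two callers racing through this function could both see a non-NULL event, and the second would then hand NULL to `drm_crtc_send_vblank_event()`, which is the crash the description sets out to prevent. Taking the lock first and testing inside it closes that window, at the cost of an uncontended lock on the no-event path. Whether the writer in the atomic begin/flush path also holds `event_lock` is not visible from this hunk.

```c
	spin_lock_irqsave(&crtc->dev->event_lock, flags);
	if (mtk_crtc->event) {
		drm_crtc_send_vblank_event(crtc, mtk_crtc->event);
		drm_crtc_vblank_put(crtc);
		mtk_crtc->event = NULL;
	}
	spin_unlock_irqrestore(&crtc->dev->event_lock, flags);
```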
@@ -0,0 +1,49 @@ +From c389422e08a96507361ec3b638b9836112863b64 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Feb 2024 11:39:47 -0800 +Subject: drm/msm/dpu: add division of drm_display_mode's hskew parameter + +From: Paloma Arellano + +[ Upstream commit 551ee0f210991d25f336bc27262353bfe99d3eed ] + +Setting up the timing engine when the physical encoder has a split role +neglects dividing the drm_display_mode's hskew parameter. Let's fix this +since this must also be done in preparation for implementing YUV420 over +DP. + +Fixes: 25fdd5933e4c ("drm/msm: Add SDM845 DPU support") +Signed-off-by: Paloma Arellano +Reviewed-by: Dmitry Baryshkov +Patchwork: https://patchwork.freedesktop.org/patch/579605/ +Link: https://lore.kernel.org/r/20240222194025.25329-3-quic_parellan@quicinc.com +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_vid.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_vid.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_vid.c +index 805e059b50b71..33880f66625e6 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_vid.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_vid.c +@@ -265,12 +265,14 @@ static void dpu_encoder_phys_vid_setup_timing_engine( + mode.htotal >>= 1; + mode.hsync_start >>= 1; + mode.hsync_end >>= 1; ++ mode.hskew >>= 1; + + DPU_DEBUG_VIDENC(phys_enc, +- "split_role %d, halve horizontal %d %d %d %d\n", ++ "split_role %d, halve horizontal %d %d %d %d %d\n", + phys_enc->split_role, + mode.hdisplay, mode.htotal, +- mode.hsync_start, mode.hsync_end); ++ mode.hsync_start, mode.hsync_end, ++ mode.hskew); + } + + drm_mode_to_intf_timing_params(phys_enc, &mode, &timing_params); +-- +2.43.0 + 
diff --git a/queue-5.10/drm-radeon-ni-fix-wrong-firmware-size-logging-in-ni_.patch b/queue-5.10/drm-radeon-ni-fix-wrong-firmware-size-logging-in-ni_.patch new file mode 100644 index 00000000000..82412053427 --- /dev/null +++ b/queue-5.10/drm-radeon-ni-fix-wrong-firmware-size-logging-in-ni_.patch @@ -0,0 +1,39 @@ +From 021da9833190c408f5d104a7bdeb2664c69c9d15 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Feb 2024 08:48:14 -0800 +Subject: drm/radeon/ni: Fix wrong firmware size logging in ni_init_microcode() + +From: Nikita Zhandarovich + +[ Upstream commit c4891d979c7668b195a0a75787967ec95a24ecef ] + +Clean up a typo in pr_err() erroneously printing NI MC 'rdev->mc_fw->size' +during SMC firmware load. Log 'rdev->smc_fw->size' instead. + +Found by Linux Verification Center (linuxtesting.org) with static +analysis tool SVACE. + +Fixes: 6596afd48af4 ("drm/radeon/kms: add dpm support for btc (v3)") +Signed-off-by: Nikita Zhandarovich +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/radeon/ni.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/radeon/ni.c b/drivers/gpu/drm/radeon/ni.c +index 02feb0801fd30..50c7430f8cd33 100644 +--- a/drivers/gpu/drm/radeon/ni.c ++++ b/drivers/gpu/drm/radeon/ni.c +@@ -826,7 +826,7 @@ int ni_init_microcode(struct radeon_device *rdev) + err = 0; + } else if (rdev->smc_fw->size != smc_req_size) { + pr_err("ni_mc: Bogus length %zu in firmware \"%s\"\n", +- rdev->mc_fw->size, fw_name); ++ rdev->smc_fw->size, fw_name); + err = -EINVAL; + } + } +-- +2.43.0 + diff --git a/queue-5.10/drm-rockchip-inno_hdmi-fix-video-timing.patch b/queue-5.10/drm-rockchip-inno_hdmi-fix-video-timing.patch new file mode 100644 index 00000000000..283bf0628d5 --- /dev/null +++ b/queue-5.10/drm-rockchip-inno_hdmi-fix-video-timing.patch 
@@ -0,0 +1,51 @@ +From fed715175ee37a94f8ea6fa146e72ededcb0de43 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Dec 2023 18:41:54 +0100 +Subject: drm/rockchip: inno_hdmi: Fix video timing + +From: Alex Bee + +[ Upstream commit 47a145c03484d33e65d773169d5ca1b9fe2a492e ] + +The controller wants the difference between *total and *sync_start in the +HDMI_VIDEO_EXT_*DELAY registers. Otherwise the signal is very unstable for +certain non-VIC modes. See downstream commit [0]. + +[0] https://github.com/rockchip-linux/kernel/commit/8eb559f2502c + +Fixes: 412d4ae6b7a5 ("drm/rockchip: hdmi: add Innosilicon HDMI support") +Co-developed-by: Zheng Yang +Signed-off-by: Zheng Yang +Signed-off-by: Alex Bee +Signed-off-by: Heiko Stuebner +Link: https://patchwork.freedesktop.org/patch/msgid/20231222174220.55249-4-knaerzche@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/rockchip/inno_hdmi.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/rockchip/inno_hdmi.c b/drivers/gpu/drm/rockchip/inno_hdmi.c +index 78120da5e63aa..27540d308ccb9 100644 +--- a/drivers/gpu/drm/rockchip/inno_hdmi.c ++++ b/drivers/gpu/drm/rockchip/inno_hdmi.c +@@ -402,7 +402,7 @@ static int inno_hdmi_config_video_timing(struct inno_hdmi *hdmi, + hdmi_writeb(hdmi, HDMI_VIDEO_EXT_HBLANK_L, value & 0xFF); + hdmi_writeb(hdmi, HDMI_VIDEO_EXT_HBLANK_H, (value >> 8) & 0xFF); + +- value = mode->hsync_start - mode->hdisplay; ++ value = mode->htotal - mode->hsync_start; + hdmi_writeb(hdmi, HDMI_VIDEO_EXT_HDELAY_L, value & 0xFF); + hdmi_writeb(hdmi, HDMI_VIDEO_EXT_HDELAY_H, (value >> 8) & 0xFF); + +@@ -417,7 +417,7 @@ static int inno_hdmi_config_video_timing(struct inno_hdmi *hdmi, + value = mode->vtotal - mode->vdisplay; + hdmi_writeb(hdmi, HDMI_VIDEO_EXT_VBLANK, value & 0xFF); + +- value = mode->vsync_start - mode->vdisplay; ++ value = mode->vtotal - mode->vsync_start; + hdmi_writeb(hdmi, HDMI_VIDEO_EXT_VDELAY, value & 0xFF); + + value = mode->vsync_end - 
mode->vsync_start; +-- +2.43.0 + diff --git a/queue-5.10/drm-rockchip-lvds-do-not-overwrite-error-code.patch b/queue-5.10/drm-rockchip-lvds-do-not-overwrite-error-code.patch new file mode 100644 index 00000000000..ed559b0983f --- /dev/null +++ b/queue-5.10/drm-rockchip-lvds-do-not-overwrite-error-code.patch @@ -0,0 +1,38 @@ +From 4a8a5ee6e25acfd8426686a01c121cfa9af365a2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Nov 2023 13:29:48 +0100 +Subject: drm/rockchip: lvds: do not overwrite error code + +From: Quentin Schulz + +[ Upstream commit 79b09453c4e369ca81cfb670d0136d089e3b92f0 ] + +ret variable stores the return value of drm_of_find_panel_or_bridge +which can return error codes different from EPROBE_DEFER. Therefore, +let's just return that error code instead of forcing it to EPROBE_DEFER. + +Fixes: 34cc0aa25456 ("drm/rockchip: Add support for Rockchip Soc LVDS") +Cc: Quentin Schulz +Signed-off-by: Quentin Schulz +Signed-off-by: Heiko Stuebner +Link: https://patchwork.freedesktop.org/patch/msgid/20231120-rk-lvds-defer-msg-v2-1-9c59a5779cf9@theobroma-systems.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/rockchip/rockchip_lvds.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/gpu/drm/rockchip/rockchip_lvds.c b/drivers/gpu/drm/rockchip/rockchip_lvds.c +index e2487937c4e3d..1ffb2f710e4bd 100644 +--- a/drivers/gpu/drm/rockchip/rockchip_lvds.c ++++ b/drivers/gpu/drm/rockchip/rockchip_lvds.c +@@ -573,7 +573,6 @@ static int rockchip_lvds_bind(struct device *dev, struct device *master, + goto err_put_port; + } else if (ret) { + DRM_DEV_ERROR(dev, "failed to find panel and bridge node\n"); +- ret = -EPROBE_DEFER; + goto err_put_port; + } + if (lvds->panel) +-- +2.43.0 + diff --git a/queue-5.10/drm-rockchip-lvds-do-not-print-scary-message-when-pr.patch b/queue-5.10/drm-rockchip-lvds-do-not-print-scary-message-when-pr.patch new file mode 100644 index 00000000000..636f594024f --- /dev/null 
+++ b/queue-5.10/drm-rockchip-lvds-do-not-print-scary-message-when-pr.patch @@ -0,0 +1,41 @@ +From 80e4d58a3768578c6c30f23567340c516158f065 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Nov 2023 13:29:49 +0100 +Subject: drm/rockchip: lvds: do not print scary message when probing defer + +From: Quentin Schulz + +[ Upstream commit 52d11c863ac92e36a0365249f7f6d27ac48c78bc ] + +This scary message can misled the user into thinking something bad has +happened and needs to be fixed, however it could simply be part of a +normal boot process where EPROBE_DEFER is taken into account. Therefore, +let's use dev_err_probe so that this message doesn't get shown (by +default) when the return code is EPROBE_DEFER. + +Fixes: 34cc0aa25456 ("drm/rockchip: Add support for Rockchip Soc LVDS") +Cc: Quentin Schulz +Signed-off-by: Quentin Schulz +Signed-off-by: Heiko Stuebner +Link: https://patchwork.freedesktop.org/patch/msgid/20231120-rk-lvds-defer-msg-v2-2-9c59a5779cf9@theobroma-systems.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/rockchip/rockchip_lvds.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/rockchip/rockchip_lvds.c b/drivers/gpu/drm/rockchip/rockchip_lvds.c +index 1ffb2f710e4bd..96c13c182809e 100644 +--- a/drivers/gpu/drm/rockchip/rockchip_lvds.c ++++ b/drivers/gpu/drm/rockchip/rockchip_lvds.c +@@ -572,7 +572,7 @@ static int rockchip_lvds_bind(struct device *dev, struct device *master, + ret = -EINVAL; + goto err_put_port; + } else if (ret) { +- DRM_DEV_ERROR(dev, "failed to find panel and bridge node\n"); ++ dev_err_probe(dev, ret, "failed to find panel and bridge node\n"); + goto err_put_port; + } + if (lvds->panel) +-- +2.43.0 + diff --git a/queue-5.10/drm-tegra-dsi-add-missing-check-for-of_find_device_b.patch b/queue-5.10/drm-tegra-dsi-add-missing-check-for-of_find_device_b.patch new file mode 100644 index 00000000000..789003ccc4a --- /dev/null 
+++ b/queue-5.10/drm-tegra-dsi-add-missing-check-for-of_find_device_b.patch @@ -0,0 +1,41 @@ +From 60c9985692ed40decad1d8abe5495fe457346fe5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Oct 2023 08:07:38 +0000 +Subject: drm/tegra: dsi: Add missing check for of_find_device_by_node + +From: Chen Ni + +[ Upstream commit afe6fcb9775882230cd29b529203eabd5d2a638d ] + +Add check for the return value of of_find_device_by_node() and return +the error if it fails in order to avoid NULL pointer dereference. + +Fixes: e94236cde4d5 ("drm/tegra: dsi: Add ganged mode support") +Signed-off-by: Chen Ni +Signed-off-by: Thierry Reding +Link: https://patchwork.freedesktop.org/patch/msgid/20231024080738.825553-1-nichen@iscas.ac.cn +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/tegra/dsi.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/tegra/dsi.c b/drivers/gpu/drm/tegra/dsi.c +index de1333dc0d867..0adce882f157b 100644 +--- a/drivers/gpu/drm/tegra/dsi.c ++++ b/drivers/gpu/drm/tegra/dsi.c +@@ -1534,9 +1534,11 @@ static int tegra_dsi_ganged_probe(struct tegra_dsi *dsi) + np = of_parse_phandle(dsi->dev->of_node, "nvidia,ganged-mode", 0); + if (np) { + struct platform_device *gangster = of_find_device_by_node(np); ++ of_node_put(np); ++ if (!gangster) ++ return -EPROBE_DEFER; + + dsi->slave = platform_get_drvdata(gangster); +- of_node_put(np); + + if (!dsi->slave) { + put_device(&gangster->dev); +-- +2.43.0 + diff --git a/queue-5.10/drm-tegra-dsi-fix-missing-pm_runtime_disable-in-the-.patch b/queue-5.10/drm-tegra-dsi-fix-missing-pm_runtime_disable-in-the-.patch new file mode 100644 index 00000000000..d08b7f46bf5 --- /dev/null +++ b/queue-5.10/drm-tegra-dsi-fix-missing-pm_runtime_disable-in-the-.patch 
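Review bot: The added `return -EPROBE_DEFER;` in `tegra_dsi_ganged_probe()` defers silently when `of_find_device_by_node()` finds no device, so if the ganged node never gets a platform device this probe would keep deferring with nothing recorded to say why. `return dev_err_probe(dsi->dev, -EPROBE_DEFER, "ganged DSI device not available\n");` stores the reason alongside the deferral. The new `of_node_put(np);` also follows the declaration of `gangster` without the blank line kernel style expects after declarations. The function continues outside the hunk, so how the reference on `gangster` is released on the success path is not visible here.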
@@ -0,0 +1,37 @@
+From e4292f59ebad6e54fcd6f7a9885ed532934200d2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 2 Sep 2023 17:22:09 +0200
+Subject: drm/tegra: dsi: Fix missing pm_runtime_disable() in the error
+ handling path of tegra_dsi_probe()
+
+From: Christophe JAILLET
+
+[ Upstream commit 5286a9fc280c45b6b307ee1b07f7a997e042252c ]
+
+If an error occurs after calling pm_runtime_enable(), pm_runtime_disable()
+should be called as already done in the remove function.
+
+Fixes: ef8187d75265 ("drm/tegra: dsi: Implement runtime PM")
+Signed-off-by: Christophe JAILLET
+Signed-off-by: Thierry Reding
+Link: https://patchwork.freedesktop.org/patch/msgid/ee4a15c9cd4b574a55cd67c30d2411239ba2cee9.1693667005.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/tegra/dsi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/tegra/dsi.c b/drivers/gpu/drm/tegra/dsi.c
+index 815e32e05f600..7bb26655cb3cc 100644
+--- a/drivers/gpu/drm/tegra/dsi.c
++++ b/drivers/gpu/drm/tegra/dsi.c
+@@ -1665,6 +1665,7 @@ static int tegra_dsi_probe(struct platform_device *pdev)
+ return 0;
+
+ unregister:
++ pm_runtime_disable(&pdev->dev);
+ mipi_dsi_host_unregister(&dsi->host);
+ mipi_free:
+ tegra_mipi_free(dsi->mipi);
+--
+2.43.0
+
diff --git a/queue-5.10/drm-tegra-dsi-fix-some-error-handling-paths-in-tegra.patch b/queue-5.10/drm-tegra-dsi-fix-some-error-handling-paths-in-tegra.patch
new file mode 100644
index 00000000000..5aee5058ba3
--- /dev/null
+++ b/queue-5.10/drm-tegra-dsi-fix-some-error-handling-paths-in-tegra.patch
@@ -0,0 +1,116 @@ +From 97c9280ccdd8237c32db8c0b792908afaf14ba49 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 2 Sep 2023 17:22:08 +0200 +Subject: drm/tegra: dsi: Fix some error handling paths in tegra_dsi_probe() + +From: Christophe JAILLET + +[ Upstream commit 830c1ded356369cd1303e8bb87ce3fea6e744de8 ] + +If an error occurs after calling tegra_output_probe(), +tegra_output_remove() should be called as already done in the remove +function. + +Fixes: dec727399a4b ("drm/tegra: Add DSI support") +Signed-off-by: Christophe JAILLET +Signed-off-by: Thierry Reding +Link: https://patchwork.freedesktop.org/patch/msgid/16820073278d031f6c474a08d5f22a255158585e.1693667005.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/tegra/dsi.c | 54 ++++++++++++++++++++++++------------- + 1 file changed, 35 insertions(+), 19 deletions(-) + +diff --git a/drivers/gpu/drm/tegra/dsi.c b/drivers/gpu/drm/tegra/dsi.c +index 6cbba2adb6e5a..815e32e05f600 100644 +--- a/drivers/gpu/drm/tegra/dsi.c ++++ b/drivers/gpu/drm/tegra/dsi.c +@@ -1586,44 +1586,58 @@ static int tegra_dsi_probe(struct platform_device *pdev) + + if (!pdev->dev.pm_domain) { + dsi->rst = devm_reset_control_get(&pdev->dev, "dsi"); +- if (IS_ERR(dsi->rst)) +- return PTR_ERR(dsi->rst); ++ if (IS_ERR(dsi->rst)) { ++ err = PTR_ERR(dsi->rst); ++ goto remove; ++ } + } + + dsi->clk = devm_clk_get(&pdev->dev, NULL); +- if (IS_ERR(dsi->clk)) +- return dev_err_probe(&pdev->dev, PTR_ERR(dsi->clk), +- "cannot get DSI clock\n"); ++ if (IS_ERR(dsi->clk)) { ++ err = dev_err_probe(&pdev->dev, PTR_ERR(dsi->clk), ++ "cannot get DSI clock\n"); ++ goto remove; ++ } + + dsi->clk_lp = devm_clk_get(&pdev->dev, "lp"); +- if (IS_ERR(dsi->clk_lp)) +- return dev_err_probe(&pdev->dev, PTR_ERR(dsi->clk_lp), +- "cannot get low-power clock\n"); ++ if (IS_ERR(dsi->clk_lp)) { ++ err = dev_err_probe(&pdev->dev, PTR_ERR(dsi->clk_lp), ++ "cannot get low-power clock\n"); ++ goto remove; ++ } + + dsi->clk_parent = 
devm_clk_get(&pdev->dev, "parent"); +- if (IS_ERR(dsi->clk_parent)) +- return dev_err_probe(&pdev->dev, PTR_ERR(dsi->clk_parent), +- "cannot get parent clock\n"); ++ if (IS_ERR(dsi->clk_parent)) { ++ err = dev_err_probe(&pdev->dev, PTR_ERR(dsi->clk_parent), ++ "cannot get parent clock\n"); ++ goto remove; ++ } + + dsi->vdd = devm_regulator_get(&pdev->dev, "avdd-dsi-csi"); +- if (IS_ERR(dsi->vdd)) +- return dev_err_probe(&pdev->dev, PTR_ERR(dsi->vdd), +- "cannot get VDD supply\n"); ++ if (IS_ERR(dsi->vdd)) { ++ err = dev_err_probe(&pdev->dev, PTR_ERR(dsi->vdd), ++ "cannot get VDD supply\n"); ++ goto remove; ++ } + + err = tegra_dsi_setup_clocks(dsi); + if (err < 0) { + dev_err(&pdev->dev, "cannot setup clocks\n"); +- return err; ++ goto remove; + } + + regs = platform_get_resource(pdev, IORESOURCE_MEM, 0); + dsi->regs = devm_ioremap_resource(&pdev->dev, regs); +- if (IS_ERR(dsi->regs)) +- return PTR_ERR(dsi->regs); ++ if (IS_ERR(dsi->regs)) { ++ err = PTR_ERR(dsi->regs); ++ goto remove; ++ } + + dsi->mipi = tegra_mipi_request(&pdev->dev, pdev->dev.of_node); +- if (IS_ERR(dsi->mipi)) +- return PTR_ERR(dsi->mipi); ++ if (IS_ERR(dsi->mipi)) { ++ err = PTR_ERR(dsi->mipi); ++ goto remove; ++ } + + dsi->host.ops = &tegra_dsi_host_ops; + dsi->host.dev = &pdev->dev; +@@ -1654,6 +1668,8 @@ static int tegra_dsi_probe(struct platform_device *pdev) + mipi_dsi_host_unregister(&dsi->host); + mipi_free: + tegra_mipi_free(dsi->mipi); ++remove: ++ tegra_output_remove(&dsi->output); + return err; + } + +-- +2.43.0 + diff --git a/queue-5.10/drm-tegra-dsi-make-use-of-the-helper-function-dev_er.patch b/queue-5.10/drm-tegra-dsi-make-use-of-the-helper-function-dev_er.patch new file mode 100644 index 00000000000..56ea58be3ca --- /dev/null +++ b/queue-5.10/drm-tegra-dsi-make-use-of-the-helper-function-dev_er.patch 
@@ -0,0 +1,71 @@ +From afb20416ebe6603d2efc0de06d74e2c3646b7151 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Sep 2021 18:56:40 +0800 +Subject: drm/tegra: dsi: Make use of the helper function dev_err_probe() + +From: Cai Huoqing + +[ Upstream commit fc75e4fcbd1e4252a0481ebb23cd4516c127a8e2 ] + +When possible use dev_err_probe help to properly deal with the +PROBE_DEFER error, the benefit is that DEFER issue will be logged +in the devices_deferred debugfs file. +And using dev_err_probe() can reduce code size, the error value +gets printed. + +Signed-off-by: Cai Huoqing +Signed-off-by: Thierry Reding +Stable-dep-of: 830c1ded3563 ("drm/tegra: dsi: Fix some error handling paths in tegra_dsi_probe()") +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/tegra/dsi.c | 28 ++++++++++++---------------- + 1 file changed, 12 insertions(+), 16 deletions(-) + +diff --git a/drivers/gpu/drm/tegra/dsi.c b/drivers/gpu/drm/tegra/dsi.c +index 0adce882f157b..6cbba2adb6e5a 100644 +--- a/drivers/gpu/drm/tegra/dsi.c ++++ b/drivers/gpu/drm/tegra/dsi.c +@@ -1591,28 +1591,24 @@ static int tegra_dsi_probe(struct platform_device *pdev) + } + + dsi->clk = devm_clk_get(&pdev->dev, NULL); +- if (IS_ERR(dsi->clk)) { +- dev_err(&pdev->dev, "cannot get DSI clock\n"); +- return PTR_ERR(dsi->clk); +- } ++ if (IS_ERR(dsi->clk)) ++ return dev_err_probe(&pdev->dev, PTR_ERR(dsi->clk), ++ "cannot get DSI clock\n"); + + dsi->clk_lp = devm_clk_get(&pdev->dev, "lp"); +- if (IS_ERR(dsi->clk_lp)) { +- dev_err(&pdev->dev, "cannot get low-power clock\n"); +- return PTR_ERR(dsi->clk_lp); +- } ++ if (IS_ERR(dsi->clk_lp)) ++ return dev_err_probe(&pdev->dev, PTR_ERR(dsi->clk_lp), ++ "cannot get low-power clock\n"); + + dsi->clk_parent = devm_clk_get(&pdev->dev, "parent"); +- if (IS_ERR(dsi->clk_parent)) { +- dev_err(&pdev->dev, "cannot get parent clock\n"); +- return PTR_ERR(dsi->clk_parent); +- } ++ if (IS_ERR(dsi->clk_parent)) ++ return dev_err_probe(&pdev->dev, PTR_ERR(dsi->clk_parent), ++ "cannot get 
parent clock\n"); + + dsi->vdd = devm_regulator_get(&pdev->dev, "avdd-dsi-csi"); +- if (IS_ERR(dsi->vdd)) { +- dev_err(&pdev->dev, "cannot get VDD supply\n"); +- return PTR_ERR(dsi->vdd); +- } ++ if (IS_ERR(dsi->vdd)) ++ return dev_err_probe(&pdev->dev, PTR_ERR(dsi->vdd), ++ "cannot get VDD supply\n"); + + err = tegra_dsi_setup_clocks(dsi); + if (err < 0) { +-- +2.43.0 + diff --git a/queue-5.10/drm-tegra-output-fix-missing-i2c_put_adapter-in-the-.patch b/queue-5.10/drm-tegra-output-fix-missing-i2c_put_adapter-in-the-.patch new file mode 100644 index 00000000000..593c5244525 --- /dev/null +++ b/queue-5.10/drm-tegra-output-fix-missing-i2c_put_adapter-in-the-.patch 
@@ -0,0 +1,75 @@ +From eb7f2c5ad2fc9f240063d838a04fbb84d7f4e1a6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 2 Sep 2023 17:22:13 +0200 +Subject: drm/tegra: output: Fix missing i2c_put_adapter() in the error + handling paths of tegra_output_probe() + +From: Christophe JAILLET + +[ Upstream commit 2db4578ef6ffb2b52115ca0ebf897b60ec559556 ] + +If an error occurs after a successful of_get_i2c_adapter_by_node() call, it +should be undone by a corresponding i2c_put_adapter(). + +Add the missing i2c_put_adapter() call. + +Fixes: 9be7d864cf07 ("drm/tegra: Implement panel support") +Signed-off-by: Christophe JAILLET +Signed-off-by: Thierry Reding +Link: https://patchwork.freedesktop.org/patch/msgid/b38604178991e1f08b2cda219103be266be2d680.1693667005.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/tegra/output.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/tegra/output.c b/drivers/gpu/drm/tegra/output.c +index 47d26b5d99456..7ccd010a821b7 100644 +--- a/drivers/gpu/drm/tegra/output.c ++++ b/drivers/gpu/drm/tegra/output.c +@@ -139,8 +139,10 @@ int tegra_output_probe(struct tegra_output *output) + GPIOD_IN, + "HDMI hotplug detect"); + if (IS_ERR(output->hpd_gpio)) { +- if (PTR_ERR(output->hpd_gpio) != -ENOENT) +- return PTR_ERR(output->hpd_gpio); ++ if (PTR_ERR(output->hpd_gpio) != -ENOENT) { ++ err = PTR_ERR(output->hpd_gpio); ++ goto put_i2c; ++ } + + output->hpd_gpio = NULL; + } +@@ -149,7 +151,7 @@ int tegra_output_probe(struct tegra_output *output) + err = gpiod_to_irq(output->hpd_gpio); + if (err < 0) { + dev_err(output->dev, "gpiod_to_irq(): %d\n", err); +- return err; ++ goto put_i2c; + } + + output->hpd_irq = err; +@@ -162,7 +164,7 @@ int tegra_output_probe(struct tegra_output *output) + if (err < 0) { + dev_err(output->dev, "failed to request IRQ#%u: %d\n", + output->hpd_irq, err); +- return err; ++ goto put_i2c; + } + + output->connector.polled = 
DRM_CONNECTOR_POLL_HPD; +@@ -176,6 +178,12 @@ int tegra_output_probe(struct tegra_output *output) + } + + return 0; ++ ++put_i2c: ++ if (output->ddc) ++ i2c_put_adapter(output->ddc); ++ ++ return err; + } + + void tegra_output_remove(struct tegra_output *output) +-- +2.43.0 + diff --git a/queue-5.10/drm-tegra-put-drm_gem_object-ref-on-error-in-tegra_f.patch b/queue-5.10/drm-tegra-put-drm_gem_object-ref-on-error-in-tegra_f.patch new file mode 100644 index 00000000000..299f2289e9e --- /dev/null +++ b/queue-5.10/drm-tegra-put-drm_gem_object-ref-on-error-in-tegra_f.patch @@ -0,0 +1,40 @@ +From 505c33419111c1c4884e1c7462b35e53c11a9d8f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Dec 2023 12:33:55 +0300 +Subject: drm/tegra: put drm_gem_object ref on error in tegra_fb_create + +From: Fedor Pchelkin + +[ Upstream commit 32e5a120a5105bce01561978ee55aee8e40ac0dc ] + +Inside tegra_fb_create(), drm_gem_object_lookup() increments ref count of +the found object. But if the following size check fails then the last +found object's ref count should be put there as the unreferencing loop +can't detect this situation. + +Found by Linux Verification Center (linuxtesting.org). + +Fixes: de2ba664c30f ("gpu: host1x: drm: Add memory manager and fb") +Signed-off-by: Fedor Pchelkin +Signed-off-by: Thierry Reding +Link: https://patchwork.freedesktop.org/patch/msgid/20231215093356.12067-1-pchelkin@ispras.ru +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/tegra/fb.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/tegra/fb.c b/drivers/gpu/drm/tegra/fb.c +index 01939c57fc74d..2040dbfed7e21 100644 +--- a/drivers/gpu/drm/tegra/fb.c ++++ b/drivers/gpu/drm/tegra/fb.c +@@ -155,6 +155,7 @@ struct drm_framebuffer *tegra_fb_create(struct drm_device *drm, + + if (gem->size < size) { + err = -EINVAL; ++ drm_gem_object_put(gem); + goto unreference; + } + +-- +2.43.0 + 
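Review bot: The new `put_i2c:` path in tegra_output_probe() drops the adapter reference but leaves `output->ddc` pointing at it, so any caller that still runs tegra_output_remove() after a failed probe could put the same adapter a second time. tegra_output_remove() starts right after this hunk and its body is not shown, so this needs confirming against the callers; clearing the pointer makes the error path safe either way, by adding `output->ddc = NULL;` directly after `i2c_put_adapter(output->ddc);`. The start of tegra_output_probe(), where the adapter is looked up, is also outside the hunk.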
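Review bot: The added `drm_gem_object_put(gem);` in tegra_fb_create() carries no comment saying why this one failure needs its own put while the other failures rely on the `unreference` path. The commit message explains it (the unreferencing loop cannot see the object that was just looked up), but that reasoning is lost in the code, and a later cleanup could remove the call as a suspected double put. I would add `/* not yet visible to the unreference loop, so drop the lookup reference here */` above the call. The loop and the `unreference` label are outside the hunk.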
diff --git a/queue-5.10/drm-tidss-fix-initial-plane-zpos-values.patch b/queue-5.10/drm-tidss-fix-initial-plane-zpos-values.patch
new file mode 100644
index 00000000000..def4180fe78
--- /dev/null
+++ b/queue-5.10/drm-tidss-fix-initial-plane-zpos-values.patch
@@ -0,0 +1,56 @@
+From 0b2c500ec225110a4e247bfc30ccf78fc7f48a0a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 13 Feb 2024 10:16:36 +0200
+Subject: drm/tidss: Fix initial plane zpos values
+
+From: Tomi Valkeinen
+
+[ Upstream commit 3ec948ccb2c4b99e8fbfdd950adbe92ea577b395 ]
+
+When the driver sets up the zpos property it sets the default zpos value
+to the HW id of the plane. That is fine as such, but as on many DSS
+versions the driver arranges the DRM planes in a different order than
+the HW planes (to keep the non-scalable planes first), this leads to odd
+initial zpos values. An example is J721e, where the initial zpos values
+for DRM planes are 1, 3, 0, 2.
+
+In theory the userspace should configure the zpos values properly when
+using multiple planes, and in that sense the initial zpos values
+shouldn't matter, but there's really no reason not to fix this and help
+the userspace apps which don't handle zpos perfectly. In particular,
+some versions of Weston seem to have issues dealing with the planes
+with the current default zpos values.
+
+So let's change the zpos values for the DRM planes to 0, 1, 2, 3.
+
+Another option would be to configure the planes marked as primary planes
+to zpos 0. On a two display system this would give us plane zpos values
+of 0, 0, 1, 2. The end result and behavior would be very similar in this
+option, and I'm not aware that this would actually help us in any way.
+So, to keep the code simple, I opted for the 0, 1, 2, 3 values.
+
+Fixes: 32a1795f57ee ("drm/tidss: New driver for TI Keystone platform Display SubSystem")
+Reviewed-by: Aradhya Bhatia
+Signed-off-by: Tomi Valkeinen
+Link: https://patchwork.freedesktop.org/patch/msgid/20240213-tidss-fixes-v1-1-d709e8dfa505@ideasonboard.com
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/tidss/tidss_plane.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/tidss/tidss_plane.c b/drivers/gpu/drm/tidss/tidss_plane.c
+index 43e72d0b2d84d..e2ebd5fdc1138 100644
+--- a/drivers/gpu/drm/tidss/tidss_plane.c
++++ b/drivers/gpu/drm/tidss/tidss_plane.c
+@@ -202,7 +202,7 @@ struct tidss_plane *tidss_plane_create(struct tidss_device *tidss,
+
+ drm_plane_helper_add(&tplane->plane, &tidss_plane_helper_funcs);
+
+- drm_plane_create_zpos_property(&tplane->plane, hw_plane_id, 0,
++ drm_plane_create_zpos_property(&tplane->plane, tidss->num_planes, 0,
+ num_planes - 1);
+
+ ret = drm_plane_create_color_properties(&tplane->plane,
+--
+2.43.0
+
diff --git a/queue-5.10/f2fs-compress-fix-to-check-unreleased-compressed-clu.patch b/queue-5.10/f2fs-compress-fix-to-check-unreleased-compressed-clu.patch
new file mode 100644
index 00000000000..829a2576e6b
--- /dev/null
+++ b/queue-5.10/f2fs-compress-fix-to-check-unreleased-compressed-clu.patch
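Review bot: The changed call in tidss_plane_create() now passes `tidss->num_planes` as the initial zpos while the upper bound on the next line is `num_planes - 1`, two similarly named values that presumably mean different things (planes created so far versus planes the hardware has). Nothing in the hunk guarantees the first stays within the second, and the return value of drm_plane_create_zpos_property() is discarded, unlike the drm_plane_create_color_properties() call just below, which assigns `ret`. I would add a comment such as `/* initial zpos = index of this plane in creation order */` and check the result the same way as the following call. The declarations of both counters are outside the hunk, so the relationship between them should be confirmed there.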
@@ -0,0 +1,56 @@
+From 1238eed74e598b29cfdb02540ac96f70866a9ba6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 13 Jan 2024 03:41:29 +0800
+Subject: f2fs: compress: fix to check unreleased compressed cluster
+
+From: Sheng Yong
+
+[ Upstream commit eb8fbaa53374e0a2d4381190abfe708481517bbb ]
+
+Compressed cluster may not be released due to we can fail in
+release_compress_blocks(), fix to handle reserved compressed
+cluster correctly in reserve_compress_blocks().
+
+Fixes: 4c8ff7095bef ("f2fs: support data compression")
+Signed-off-by: Sheng Yong
+Signed-off-by: Chao Yu
+Signed-off-by: Jaegeuk Kim
+Signed-off-by: Sasha Levin
+---
+ fs/f2fs/file.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c
+index 55818bd510fb0..40e805014f719 100644
+--- a/fs/f2fs/file.c
++++ b/fs/f2fs/file.c
+@@ -3663,7 +3663,13 @@ static int reserve_compress_blocks(struct dnode_of_data *dn, pgoff_t count)
+ goto next;
+ }
+
+- if (__is_valid_data_blkaddr(blkaddr)) {
++ /*
++ * compressed cluster was not released due to it
++ * fails in release_compress_blocks(), so NEW_ADDR
++ * is a possible case.
++ */
++ if (blkaddr == NEW_ADDR ||
++ __is_valid_data_blkaddr(blkaddr)) {
+ compr_blocks++;
+ continue;
+ }
+@@ -3673,6 +3679,11 @@ static int reserve_compress_blocks(struct dnode_of_data *dn, pgoff_t count)
+ }
+
+ reserved = cluster_size - compr_blocks;
++
++ /* for the case all blocks in cluster were reserved */
++ if (reserved == 1)
++ goto next;
++
+ ret = inc_valid_block_count(sbi, dn->inode, &reserved);
+ if (ret)
+ return ret;
+--
+2.43.0
+
diff --git a/queue-5.10/fs-select-rework-stack-allocation-hack-for-clang.patch b/queue-5.10/fs-select-rework-stack-allocation-hack-for-clang.patch
new file mode 100644
index 00000000000..4e0c5ab0b4c
--- /dev/null
+++ b/queue-5.10/fs-select-rework-stack-allocation-hack-for-clang.patch
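Review bot: The new `if (reserved == 1) goto next;` in reserve_compress_blocks() hinges on an unexplained literal: with `reserved = cluster_size - compr_blocks` on the line above, the test is really `compr_blocks == cluster_size - 1`, and the comment does not say why one slot is left over when "all blocks" are reserved. Since this branch skips inc_valid_block_count(), the invariant belongs in the code; I would write the comment as `/* compr_blocks == cluster_size - 1: every data block is already counted, nothing left to reserve */`. The remaining slot is presumably the cluster's header entry, handled earlier in the loop outside this hunk, which should be confirmed there. The `next` label is also not visible here.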
@@ -0,0 +1,67 @@ +From c5b0b90120680d9cde7dc7f416de80519dc692e2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Feb 2024 21:23:34 +0100 +Subject: fs/select: rework stack allocation hack for clang + +From: Arnd Bergmann + +[ Upstream commit ddb9fd7a544088ed70eccbb9f85e9cc9952131c1 ] + +A while ago, we changed the way that select() and poll() preallocate +a temporary buffer just under the size of the static warning limit of +1024 bytes, as clang was frequently going slightly above that limit. + +The warnings have recently returned and I took another look. As it turns +out, clang is not actually inherently worse at reserving stack space, +it just happens to inline do_select() into core_sys_select(), while gcc +never inlines it. + +Annotate do_select() to never be inlined and in turn remove the special +case for the allocation size. This should give the same behavior for +both clang and gcc all the time and once more avoids those warnings. + +Fixes: ad312f95d41c ("fs/select: avoid clang stack usage warning") +Signed-off-by: Arnd Bergmann +Link: https://lore.kernel.org/r/20240216202352.2492798-1-arnd@kernel.org +Reviewed-by: Kees Cook +Reviewed-by: Andi Kleen +Reviewed-by: Jan Kara +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/select.c | 2 +- + include/linux/poll.h | 4 ---- + 2 files changed, 1 insertion(+), 5 deletions(-) + +diff --git a/fs/select.c b/fs/select.c +index 5edffee1162c2..668a5200503ae 100644 +--- a/fs/select.c ++++ b/fs/select.c +@@ -475,7 +475,7 @@ static inline void wait_key_set(poll_table *wait, unsigned long in, + wait->_key |= POLLOUT_SET; + } + +-static int do_select(int n, fd_set_bits *fds, struct timespec64 *end_time) ++static noinline_for_stack int do_select(int n, fd_set_bits *fds, struct timespec64 *end_time) + { + ktime_t expire, *to = NULL; + struct poll_wqueues table; +diff --git a/include/linux/poll.h b/include/linux/poll.h +index 1cdc32b1f1b08..7e0fdcf905d2e 100644 +--- a/include/linux/poll.h ++++ 
b/include/linux/poll.h +@@ -16,11 +16,7 @@ + extern struct ctl_table epoll_table[]; /* for sysctl */ + /* ~832 bytes of stack space used max in sys_select/sys_poll before allocating + additional memory. */ +-#ifdef __clang__ +-#define MAX_STACK_ALLOC 768 +-#else + #define MAX_STACK_ALLOC 832 +-#endif + #define FRONTEND_STACK_ALLOC 256 + #define SELECT_STACK_ALLOC FRONTEND_STACK_ALLOC + #define POLL_STACK_ALLOC FRONTEND_STACK_ALLOC +-- +2.43.0 + diff --git a/queue-5.10/hid-lenovo-add-middleclick_workaround-sysfs-knob-for.patch b/queue-5.10/hid-lenovo-add-middleclick_workaround-sysfs-knob-for.patch new file mode 100644 index 00000000000..81602b09926 --- /dev/null +++ b/queue-5.10/hid-lenovo-add-middleclick_workaround-sysfs-knob-for.patch 
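Review bot: Removing the `__clang__` case in include/linux/poll.h raises `MAX_STACK_ALLOC` from 768 to 832 for every clang-built user of the macro, while the only inlining change in this patch is `noinline_for_stack` on do_select() in fs/select.c. If the poll() path sizes its on-stack wait-queue storage from the same macro (that code is in neither hunk), its frame grows under clang without a matching annotation, so it is worth confirming with a clang build that it stays under the frame-size warning limit. The surviving comment above the define could also record the dependency, for example `/* assumes do_select() is noinline_for_stack, see fs/select.c */`, so the annotation is not dropped later as apparently redundant.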
@@ -0,0 +1,134 @@ +From 3fa603bf1a22f1c5ca8ba9711dcb3cc8df4a8999 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 23 Dec 2023 21:12:13 +0200 +Subject: HID: lenovo: Add middleclick_workaround sysfs knob for cptkbd + +From: Mikhail Khvainitski + +[ Upstream commit 2814646f76f8518326964f12ff20aaee70ba154d ] + +Previous attempt to autodetect well-behaving patched firmware +introduced in commit 46a0a2c96f0f ("HID: lenovo: Detect quirk-free fw +on cptkbd and stop applying workaround") has shown that there are +false-positives on original firmware (on both 1st gen and 2nd gen +keyboards) which causes the middle button click workaround to be +mistakenly disabled. + +This commit adds explicit parameter to sysfs to control this +workaround. + +Fixes: 46a0a2c96f0f ("HID: lenovo: Detect quirk-free fw on cptkbd and stop applying workaround") +Fixes: 43527a0094c1 ("HID: lenovo: Restrict detection of patched firmware only to USB cptkbd") +Signed-off-by: Mikhail Khvainitski +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-lenovo.c | 57 +++++++++++++++++++++++++++------------- + 1 file changed, 39 insertions(+), 18 deletions(-) + +diff --git a/drivers/hid/hid-lenovo.c b/drivers/hid/hid-lenovo.c +index 249af8d26fe78..c9fdeffbe1a9e 100644 +--- a/drivers/hid/hid-lenovo.c ++++ b/drivers/hid/hid-lenovo.c +@@ -53,10 +53,10 @@ struct lenovo_drvdata { + /* 0: Up + * 1: Down (undecided) + * 2: Scrolling +- * 3: Patched firmware, disable workaround + */ + u8 middlebutton_state; + bool fn_lock; ++ bool middleclick_workaround_cptkbd; + }; + + #define map_key_clear(c) hid_map_usage_clear(hi, usage, bit, max, EV_KEY, (c)) +@@ -418,6 +418,36 @@ static ssize_t attr_sensitivity_store_cptkbd(struct device *dev, + return count; + } + ++static ssize_t attr_middleclick_workaround_show_cptkbd(struct device *dev, ++ struct device_attribute *attr, ++ char *buf) ++{ ++ struct hid_device *hdev = to_hid_device(dev); ++ struct lenovo_drvdata *cptkbd_data = 
hid_get_drvdata(hdev); ++ ++ return snprintf(buf, PAGE_SIZE, "%u\n", ++ cptkbd_data->middleclick_workaround_cptkbd); ++} ++ ++static ssize_t attr_middleclick_workaround_store_cptkbd(struct device *dev, ++ struct device_attribute *attr, ++ const char *buf, ++ size_t count) ++{ ++ struct hid_device *hdev = to_hid_device(dev); ++ struct lenovo_drvdata *cptkbd_data = hid_get_drvdata(hdev); ++ int value; ++ ++ if (kstrtoint(buf, 10, &value)) ++ return -EINVAL; ++ if (value < 0 || value > 1) ++ return -EINVAL; ++ ++ cptkbd_data->middleclick_workaround_cptkbd = !!value; ++ ++ return count; ++} ++ + + static struct device_attribute dev_attr_fn_lock = + __ATTR(fn_lock, S_IWUSR | S_IRUGO, +@@ -429,10 +459,16 @@ static struct device_attribute dev_attr_sensitivity_cptkbd = + attr_sensitivity_show_cptkbd, + attr_sensitivity_store_cptkbd); + ++static struct device_attribute dev_attr_middleclick_workaround_cptkbd = ++ __ATTR(middleclick_workaround, S_IWUSR | S_IRUGO, ++ attr_middleclick_workaround_show_cptkbd, ++ attr_middleclick_workaround_store_cptkbd); ++ + + static struct attribute *lenovo_attributes_cptkbd[] = { + &dev_attr_fn_lock.attr, + &dev_attr_sensitivity_cptkbd.attr, ++ &dev_attr_middleclick_workaround_cptkbd.attr, + NULL + }; + +@@ -483,23 +519,7 @@ static int lenovo_event_cptkbd(struct hid_device *hdev, + { + struct lenovo_drvdata *cptkbd_data = hid_get_drvdata(hdev); + +- if (cptkbd_data->middlebutton_state != 3) { +- /* REL_X and REL_Y events during middle button pressed +- * are only possible on patched, bug-free firmware +- * so set middlebutton_state to 3 +- * to never apply workaround anymore +- */ +- if (hdev->product == USB_DEVICE_ID_LENOVO_CUSBKBD && +- cptkbd_data->middlebutton_state == 1 && +- usage->type == EV_REL && +- (usage->code == REL_X || usage->code == REL_Y)) { +- cptkbd_data->middlebutton_state = 3; +- /* send middle button press which was hold before */ +- input_event(field->hidinput->input, +- EV_KEY, BTN_MIDDLE, 1); +- 
input_sync(field->hidinput->input); +- } +- ++ if (cptkbd_data->middleclick_workaround_cptkbd) { + /* "wheel" scroll events */ + if (usage->type == EV_REL && (usage->code == REL_WHEEL || + usage->code == REL_HWHEEL)) { +@@ -976,6 +996,7 @@ static int lenovo_probe_cptkbd(struct hid_device *hdev) + cptkbd_data->middlebutton_state = 0; + cptkbd_data->fn_lock = true; + cptkbd_data->sensitivity = 0x05; ++ cptkbd_data->middleclick_workaround_cptkbd = true; + lenovo_features_set_cptkbd(hdev); + + ret = sysfs_create_group(&hdev->dev.kobj, &lenovo_attr_group_cptkbd); +-- +2.43.0 + diff --git a/queue-5.10/igb-fix-missing-time-sync-events.patch b/queue-5.10/igb-fix-missing-time-sync-events.patch new file mode 100644 index 00000000000..47f7820d651 --- /dev/null +++ b/queue-5.10/igb-fix-missing-time-sync-events.patch 
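Review bot: The new `middleclick_workaround` sysfs attribute is added without any ABI documentation: the diffstat lists only drivers/hid/hid-lenovo.c, so the accepted values (0 or 1, enforced in attr_middleclick_workaround_store_cptkbd()) and the default (enabled, set in lenovo_probe_cptkbd()) are described nowhere a user would look. The store handler also flips the flag without touching `middlebutton_state`, so switching the workaround off while the state is 1 or 2 may leave a stale state behind for when it is switched back on; adding `cptkbd_data->middlebutton_state = 0;` next to the assignment would avoid that, although the rest of lenovo_event_cptkbd() is outside the hunk and should be checked first. A comment on the new `middleclick_workaround_cptkbd` field saying it is user-controlled through sysfs would help as well.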
@@ -0,0 +1,94 @@ +From 0a0630a9ee284476021ae999ce4f471651bd9681 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Feb 2024 15:57:11 -0800 +Subject: igb: Fix missing time sync events + +From: Vinicius Costa Gomes + +[ Upstream commit ee14cc9ea19ba9678177e2224a9c58cce5937c73 ] + +Fix "double" clearing of interrupts, which can cause external events +or timestamps to be missed. + +The E1000_TSIRC Time Sync Interrupt Cause register can be cleared in two +ways, by either reading it or by writing '1' into the specific cause +bit. This is documented in section 8.16.1. + +The following flow was used: + 1. read E1000_TSIRC into 'tsicr'; + 2. handle the interrupts present into 'tsirc' and mark them in 'ack'; + 3. write 'ack' into E1000_TSICR; + +As both (1) and (3) will clear the interrupt cause, if the same +interrupt happens again between (1) and (3) it will be ignored, +causing events to be missed. + +Remove the extra clear in (3). + +Fixes: 00c65578b47b ("igb: enable internal PPS for the i210") +Acked-by: Richard Cochran +Signed-off-by: Vinicius Costa Gomes +Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igb/igb_main.c | 23 +++++------------------ + 1 file changed, 5 insertions(+), 18 deletions(-) + +diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c +index 05dde67a69dd0..0848613c3f45a 100644 +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -6806,44 +6806,31 @@ static void igb_extts(struct igb_adapter *adapter, int tsintr_tt) + static void igb_tsync_interrupt(struct igb_adapter *adapter) + { + struct e1000_hw *hw = &adapter->hw; +- u32 ack = 0, tsicr = rd32(E1000_TSICR); ++ u32 tsicr = rd32(E1000_TSICR); + struct ptp_clock_event event; + + if (tsicr & TSINTR_SYS_WRAP) { + event.type = PTP_CLOCK_PPS; + if (adapter->ptp_caps.pps) + 
ptp_clock_event(adapter->ptp_clock, &event); +- ack |= TSINTR_SYS_WRAP; + } + + if (tsicr & E1000_TSICR_TXTS) { + /* retrieve hardware timestamp */ + schedule_work(&adapter->ptp_tx_work); +- ack |= E1000_TSICR_TXTS; + } + +- if (tsicr & TSINTR_TT0) { ++ if (tsicr & TSINTR_TT0) + igb_perout(adapter, 0); +- ack |= TSINTR_TT0; +- } + +- if (tsicr & TSINTR_TT1) { ++ if (tsicr & TSINTR_TT1) + igb_perout(adapter, 1); +- ack |= TSINTR_TT1; +- } + +- if (tsicr & TSINTR_AUTT0) { ++ if (tsicr & TSINTR_AUTT0) + igb_extts(adapter, 0); +- ack |= TSINTR_AUTT0; +- } + +- if (tsicr & TSINTR_AUTT1) { ++ if (tsicr & TSINTR_AUTT1) + igb_extts(adapter, 1); +- ack |= TSINTR_AUTT1; +- } +- +- /* acknowledge the interrupts */ +- wr32(E1000_TSICR, ack); + } + + static irqreturn_t igb_msix_other(int irq, void *data) +-- +2.43.0 + diff --git a/queue-5.10/igb-move-perout-and-extts-isr-logic-to-separate-func.patch b/queue-5.10/igb-move-perout-and-extts-isr-logic-to-separate-func.patch new file mode 100644 index 00000000000..9187e99e5ae --- /dev/null +++ b/queue-5.10/igb-move-perout-and-extts-isr-logic-to-separate-func.patch 
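Review bot: After this change nothing in igb_tsync_interrupt() says that `rd32(E1000_TSICR)` itself acknowledges the pending causes, which is the whole reason the `wr32(E1000_TSICR, ack)` write-back was removed. Without that, a later cleanup could easily reintroduce an explicit acknowledge and bring back the lost-event race described in the commit message. I would put a comment on the read: `/* TSICR is clear-on-read; writing the causes back would also clear events raised since this read */`.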
@@ -0,0 +1,141 @@ +From caf937db3ed5d38d7f3354e07b6ca91e55cd0db8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Oct 2021 16:34:57 +0200 +Subject: igb: move PEROUT and EXTTS isr logic to separate functions + +From: Ruud Bos + +[ Upstream commit cf99c1dd7b7729091043374b90807c7a5f9fd9b1 ] + +Remove code duplication in the tsync interrupt handler function by moving +this logic to separate functions. This keeps the interrupt handler readable +and allows the new functions to be extended for adapter types other than +i210. + +Signed-off-by: Ruud Bos +Tested-by: Gurucharan G +Signed-off-by: Tony Nguyen +Stable-dep-of: ee14cc9ea19b ("igb: Fix missing time sync events") +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igb/igb_main.c | 81 +++++++++++++---------- + 1 file changed, 46 insertions(+), 35 deletions(-) + +diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c +index 01176c86be125..05dde67a69dd0 100644 +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -6762,12 +6762,52 @@ void igb_update_stats(struct igb_adapter *adapter) + } + } + ++static void igb_perout(struct igb_adapter *adapter, int tsintr_tt) ++{ ++ int pin = ptp_find_pin(adapter->ptp_clock, PTP_PF_PEROUT, tsintr_tt); ++ struct e1000_hw *hw = &adapter->hw; ++ struct timespec64 ts; ++ u32 tsauxc; ++ ++ if (pin < 0 || pin >= IGB_N_PEROUT) ++ return; ++ ++ spin_lock(&adapter->tmreg_lock); ++ ts = timespec64_add(adapter->perout[pin].start, ++ adapter->perout[pin].period); ++ /* u32 conversion of tv_sec is safe until y2106 */ ++ wr32((tsintr_tt == 1) ? E1000_TRGTTIML1 : E1000_TRGTTIML0, ts.tv_nsec); ++ wr32((tsintr_tt == 1) ? 
E1000_TRGTTIMH1 : E1000_TRGTTIMH0, (u32)ts.tv_sec); ++ tsauxc = rd32(E1000_TSAUXC); ++ tsauxc |= TSAUXC_EN_TT0; ++ wr32(E1000_TSAUXC, tsauxc); ++ adapter->perout[pin].start = ts; ++ spin_unlock(&adapter->tmreg_lock); ++} ++ ++static void igb_extts(struct igb_adapter *adapter, int tsintr_tt) ++{ ++ int pin = ptp_find_pin(adapter->ptp_clock, PTP_PF_EXTTS, tsintr_tt); ++ struct e1000_hw *hw = &adapter->hw; ++ struct ptp_clock_event event; ++ u32 sec, nsec; ++ ++ if (pin < 0 || pin >= IGB_N_EXTTS) ++ return; ++ ++ nsec = rd32((tsintr_tt == 1) ? E1000_AUXSTMPL1 : E1000_AUXSTMPL0); ++ sec = rd32((tsintr_tt == 1) ? E1000_AUXSTMPH1 : E1000_AUXSTMPH0); ++ event.type = PTP_CLOCK_EXTTS; ++ event.index = tsintr_tt; ++ event.timestamp = sec * 1000000000ULL + nsec; ++ ptp_clock_event(adapter->ptp_clock, &event); ++} ++ + static void igb_tsync_interrupt(struct igb_adapter *adapter) + { + struct e1000_hw *hw = &adapter->hw; ++ u32 ack = 0, tsicr = rd32(E1000_TSICR); + struct ptp_clock_event event; +- struct timespec64 ts; +- u32 ack = 0, tsauxc, sec, nsec, tsicr = rd32(E1000_TSICR); + + if (tsicr & TSINTR_SYS_WRAP) { + event.type = PTP_CLOCK_PPS; +@@ -6783,51 +6823,22 @@ static void igb_tsync_interrupt(struct igb_adapter *adapter) + } + + if (tsicr & TSINTR_TT0) { +- spin_lock(&adapter->tmreg_lock); +- ts = timespec64_add(adapter->perout[0].start, +- adapter->perout[0].period); +- /* u32 conversion of tv_sec is safe until y2106 */ +- wr32(E1000_TRGTTIML0, ts.tv_nsec); +- wr32(E1000_TRGTTIMH0, (u32)ts.tv_sec); +- tsauxc = rd32(E1000_TSAUXC); +- tsauxc |= TSAUXC_EN_TT0; +- wr32(E1000_TSAUXC, tsauxc); +- adapter->perout[0].start = ts; +- spin_unlock(&adapter->tmreg_lock); ++ igb_perout(adapter, 0); + ack |= TSINTR_TT0; + } + + if (tsicr & TSINTR_TT1) { +- spin_lock(&adapter->tmreg_lock); +- ts = timespec64_add(adapter->perout[1].start, +- adapter->perout[1].period); +- wr32(E1000_TRGTTIML1, ts.tv_nsec); +- wr32(E1000_TRGTTIMH1, (u32)ts.tv_sec); +- tsauxc = rd32(E1000_TSAUXC); +- 
tsauxc |= TSAUXC_EN_TT1; +- wr32(E1000_TSAUXC, tsauxc); +- adapter->perout[1].start = ts; +- spin_unlock(&adapter->tmreg_lock); ++ igb_perout(adapter, 1); + ack |= TSINTR_TT1; + } + + if (tsicr & TSINTR_AUTT0) { +- nsec = rd32(E1000_AUXSTMPL0); +- sec = rd32(E1000_AUXSTMPH0); +- event.type = PTP_CLOCK_EXTTS; +- event.index = 0; +- event.timestamp = sec * 1000000000ULL + nsec; +- ptp_clock_event(adapter->ptp_clock, &event); ++ igb_extts(adapter, 0); + ack |= TSINTR_AUTT0; + } + + if (tsicr & TSINTR_AUTT1) { +- nsec = rd32(E1000_AUXSTMPL1); +- sec = rd32(E1000_AUXSTMPH1); +- event.type = PTP_CLOCK_EXTTS; +- event.index = 1; +- event.timestamp = sec * 1000000000ULL + nsec; +- ptp_clock_event(adapter->ptp_clock, &event); ++ igb_extts(adapter, 1); + ack |= TSINTR_AUTT1; + } + +-- +2.43.0 + diff --git a/queue-5.10/inet_diag-annotate-data-races-around-inet_diag_table.patch b/queue-5.10/inet_diag-annotate-data-races-around-inet_diag_table.patch new file mode 100644 index 00000000000..f3965fb3adc --- /dev/null +++ b/queue-5.10/inet_diag-annotate-data-races-around-inet_diag_table.patch 
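Review bot: The new igb_perout() always sets `TSAUXC_EN_TT0`, whereas the TT1 branch it replaces in igb_tsync_interrupt() set `TSAUXC_EN_TT1`, so for `tsintr_tt == 1` this refactor re-arms a different target-time enable bit than before. The two register writes just above already select on `tsintr_tt`, and the enable bit should follow the same pattern: `tsauxc |= (tsintr_tt == 1) ? TSAUXC_EN_TT1 : TSAUXC_EN_TT0;`. The helper also indexes `adapter->perout[]` by the pin returned from ptp_find_pin(), where the old code used the channel number 0 or 1. That is a second behaviour change in a patch described as removing duplication, and it should be stated in the commit message or a comment if it is intended.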
@@ -0,0 +1,58 @@ +From e6d4b5c45c7ee54ebc1d157be6ce44c2f026a91d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Jan 2024 11:25:56 +0000 +Subject: inet_diag: annotate data-races around inet_diag_table[] + +From: Eric Dumazet + +[ Upstream commit e50e10ae5d81ddb41547114bfdc5edc04422f082 ] + +inet_diag_lock_handler() reads inet_diag_table[proto] locklessly. + +Use READ_ONCE()/WRITE_ONCE() annotations to avoid potential issues. + +Fixes: d523a328fb02 ("[INET]: Fix inet_diag dead-lock regression") +Signed-off-by: Eric Dumazet +Reviewed-by: Guillaume Nault +Reviewed-by: Kuniyuki Iwashima +Reviewed-by: Willem de Bruijn +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/ipv4/inet_diag.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/net/ipv4/inet_diag.c b/net/ipv4/inet_diag.c +index fa9f1de58df46..27a5a7d66d184 100644 +--- a/net/ipv4/inet_diag.c ++++ b/net/ipv4/inet_diag.c +@@ -57,7 +57,7 @@ static const struct inet_diag_handler *inet_diag_lock_handler(int proto) + return ERR_PTR(-ENOENT); + } + +- if (!inet_diag_table[proto]) ++ if (!READ_ONCE(inet_diag_table[proto])) + sock_load_diag_module(AF_INET, proto); + + mutex_lock(&inet_diag_table_mutex); +@@ -1413,7 +1413,7 @@ int inet_diag_register(const struct inet_diag_handler *h) + mutex_lock(&inet_diag_table_mutex); + err = -EEXIST; + if (!inet_diag_table[type]) { +- inet_diag_table[type] = h; ++ WRITE_ONCE(inet_diag_table[type], h); + err = 0; + } + mutex_unlock(&inet_diag_table_mutex); +@@ -1430,7 +1430,7 @@ void inet_diag_unregister(const struct inet_diag_handler *h) + return; + + mutex_lock(&inet_diag_table_mutex); +- inet_diag_table[type] = NULL; ++ WRITE_ONCE(inet_diag_table[type], NULL); + mutex_unlock(&inet_diag_table_mutex); + } + EXPORT_SYMBOL_GPL(inet_diag_unregister); +-- +2.43.0 + diff --git a/queue-5.10/iommu-amd-mark-interrupt-as-managed.patch b/queue-5.10/iommu-amd-mark-interrupt-as-managed.patch new file mode 100644 index 00000000000..319d4aaabae 
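Review bot: The lockless `READ_ONCE(inet_diag_table[proto])` in inet_diag_lock_handler() carries no comment saying that it is only a hint for module loading. The value is not used after the test and `mutex_lock(&inet_diag_table_mutex)` follows immediately, so the authoritative lookup presumably happens under the mutex, outside the hunk. Suggest `/* Lockless peek: only decides whether to request the module; the table is read again under inet_diag_table_mutex. */` above the test. The `if (!inet_diag_table[type])` read in inet_diag_register() stays plain, which is fine because it runs with the mutex held.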
--- /dev/null
+++ b/queue-5.10/iommu-amd-mark-interrupt-as-managed.patch
@@ -0,0 +1,69 @@ +From adf82c839f7b53526d5b764f35f5fc5a1eebdd01 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Jan 2024 17:34:00 -0600 +Subject: iommu/amd: Mark interrupt as managed + +From: Mario Limonciello + +[ Upstream commit 0feda94c868d396fac3b3cb14089d2d989a07c72 ] + +On many systems that have an AMD IOMMU the following sequence of +warnings is observed during bootup. + +``` +pci 0000:00:00.2 can't derive routing for PCI INT A +pci 0000:00:00.2: PCI INT A: not connected +``` + +This series of events happens because of the IOMMU initialization +sequence order and the lack of _PRT entries for the IOMMU. + +During initialization the IOMMU driver first enables the PCI device +using pci_enable_device(). This will call acpi_pci_irq_enable() +which will check if the interrupt is declared in a PCI routing table +(_PRT) entry. According to the PCI spec [1] these routing entries +are only required under PCI root bridges: + The _PRT object is required under all PCI root bridges + +The IOMMU is directly connected to the root complex, so there is no +parent bridge to look for a _PRT entry. The first warning is emitted +since no entry could be found in the hierarchy. The second warning is +then emitted because the interrupt hasn't yet been configured to any +value. The pin was configured in pci_read_irq() but the byte in +PCI_INTERRUPT_LINE return 0xff which means "Unknown". + +After that sequence of events pci_enable_msi() is called and this +will allocate an interrupt. + +That is both of these warnings are totally harmless because the IOMMU +uses MSI for interrupts. To avoid even trying to probe for a _PRT +entry mark the IOMMU as IRQ managed. This avoids both warnings. 
+ +Link: https://uefi.org/htmlspecs/ACPI_Spec_6_4_html/06_Device_Configuration/Device_Configuration.html?highlight=_prt#prt-pci-routing-table [1] +Signed-off-by: Mario Limonciello +Fixes: cffe0a2b5a34 ("x86, irq: Keep balance of IOAPIC pin reference count") +Reviewed-by: Vasant Hegde +Link: https://lore.kernel.org/r/20240122233400.1802-1-mario.limonciello@amd.com +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/amd/init.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/iommu/amd/init.c b/drivers/iommu/amd/init.c +index 603f625a74e54..91cc3a5643caf 100644 +--- a/drivers/iommu/amd/init.c ++++ b/drivers/iommu/amd/init.c +@@ -1827,6 +1827,9 @@ static int __init iommu_init_pci(struct amd_iommu *iommu) + /* Prevent binding other PCI device drivers to IOMMU devices */ + iommu->dev->match_driver = false; + ++ /* ACPI _PRT won't have an IRQ for IOMMU */ ++ iommu->dev->irq_managed = 1; ++ + pci_read_config_dword(iommu->dev, cap_ptr + MMIO_CAP_HDR_OFFSET, + &iommu->cap); + +-- +2.43.0 + diff --git a/queue-5.10/iommu-vt-d-don-t-issue-ats-invalidation-request-when.patch b/queue-5.10/iommu-vt-d-don-t-issue-ats-invalidation-request-when.patch new file mode 100644 index 00000000000..41cba7d37e3 --- /dev/null +++ b/queue-5.10/iommu-vt-d-don-t-issue-ats-invalidation-request-when.patch 
@@ -0,0 +1,203 @@ +From 8a0e393aa2ced661688fc7cd85173a63f1571e46 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Mar 2024 20:21:15 +0800 +Subject: iommu/vt-d: Don't issue ATS Invalidation request when device is + disconnected + +From: Ethan Zhao + +[ Upstream commit 4fc82cd907ac075648789cc3a00877778aa1838b ] + +For those endpoint devices connect to system via hotplug capable ports, +users could request a hot reset to the device by flapping device's link +through setting the slot's link control register, as pciehp_ist() DLLSC +interrupt sequence response, pciehp will unload the device driver and +then power it off. thus cause an IOMMU device-TLB invalidation (Intel +VT-d spec, or ATS Invalidation in PCIe spec r6.1) request for non-existence +target device to be sent and deadly loop to retry that request after ITE +fault triggered in interrupt context. + +That would cause following continuous hard lockup warning and system hang + +[ 4211.433662] pcieport 0000:17:01.0: pciehp: Slot(108): Link Down +[ 4211.433664] pcieport 0000:17:01.0: pciehp: Slot(108): Card not present +[ 4223.822591] NMI watchdog: Watchdog detected hard LOCKUP on cpu 144 +[ 4223.822622] CPU: 144 PID: 1422 Comm: irq/57-pciehp Kdump: loaded Tainted: G S + OE kernel version xxxx +[ 4223.822623] Hardware name: vendorname xxxx 666-106, +BIOS 01.01.02.03.01 05/15/2023 +[ 4223.822623] RIP: 0010:qi_submit_sync+0x2c0/0x490 +[ 4223.822624] Code: 48 be 00 00 00 00 00 08 00 00 49 85 74 24 20 0f 95 c1 48 8b + 57 10 83 c1 04 83 3c 1a 03 0f 84 a2 01 00 00 49 8b 04 24 8b 70 34 <40> f6 c6 1 +0 74 17 49 8b 04 24 8b 80 80 00 00 00 89 c2 d3 fa 41 39 +[ 4223.822624] RSP: 0018:ffffc4f074f0bbb8 EFLAGS: 00000093 +[ 4223.822625] RAX: ffffc4f040059000 RBX: 0000000000000014 RCX: 0000000000000005 +[ 4223.822625] RDX: ffff9f3841315800 RSI: 0000000000000000 RDI: ffff9f38401a8340 +[ 4223.822625] RBP: ffff9f38401a8340 R08: ffffc4f074f0bc00 R09: 0000000000000000 +[ 4223.822626] R10: 0000000000000010 R11: 0000000000000018 
R12: ffff9f384005e200 +[ 4223.822626] R13: 0000000000000004 R14: 0000000000000046 R15: 0000000000000004 +[ 4223.822626] FS: 0000000000000000(0000) GS:ffffa237ae400000(0000) +knlGS:0000000000000000 +[ 4223.822627] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 4223.822627] CR2: 00007ffe86515d80 CR3: 000002fd3000a001 CR4: 0000000000770ee0 +[ 4223.822627] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 4223.822628] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 +[ 4223.822628] PKRU: 55555554 +[ 4223.822628] Call Trace: +[ 4223.822628] qi_flush_dev_iotlb+0xb1/0xd0 +[ 4223.822628] __dmar_remove_one_dev_info+0x224/0x250 +[ 4223.822629] dmar_remove_one_dev_info+0x3e/0x50 +[ 4223.822629] intel_iommu_release_device+0x1f/0x30 +[ 4223.822629] iommu_release_device+0x33/0x60 +[ 4223.822629] iommu_bus_notifier+0x7f/0x90 +[ 4223.822630] blocking_notifier_call_chain+0x60/0x90 +[ 4223.822630] device_del+0x2e5/0x420 +[ 4223.822630] pci_remove_bus_device+0x70/0x110 +[ 4223.822630] pciehp_unconfigure_device+0x7c/0x130 +[ 4223.822631] pciehp_disable_slot+0x6b/0x100 +[ 4223.822631] pciehp_handle_presence_or_link_change+0xd8/0x320 +[ 4223.822631] pciehp_ist+0x176/0x180 +[ 4223.822631] ? irq_finalize_oneshot.part.50+0x110/0x110 +[ 4223.822632] irq_thread_fn+0x19/0x50 +[ 4223.822632] irq_thread+0x104/0x190 +[ 4223.822632] ? irq_forced_thread_fn+0x90/0x90 +[ 4223.822632] ? irq_thread_check_affinity+0xe0/0xe0 +[ 4223.822633] kthread+0x114/0x130 +[ 4223.822633] ? __kthread_cancel_work+0x40/0x40 +[ 4223.822633] ret_from_fork+0x1f/0x30 +[ 4223.822633] Kernel panic - not syncing: Hard LOCKUP +[ 4223.822634] CPU: 144 PID: 1422 Comm: irq/57-pciehp Kdump: loaded Tainted: G S + OE kernel version xxxx +[ 4223.822634] Hardware name: vendorname xxxx 666-106, +BIOS 01.01.02.03.01 05/15/2023 +[ 4223.822634] Call Trace: +[ 4223.822634] +[ 4223.822635] dump_stack+0x6d/0x88 +[ 4223.822635] panic+0x101/0x2d0 +[ 4223.822635] ? 
ret_from_fork+0x11/0x30 +[ 4223.822635] nmi_panic.cold.14+0xc/0xc +[ 4223.822636] watchdog_overflow_callback.cold.8+0x6d/0x81 +[ 4223.822636] __perf_event_overflow+0x4f/0xf0 +[ 4223.822636] handle_pmi_common+0x1ef/0x290 +[ 4223.822636] ? __set_pte_vaddr+0x28/0x40 +[ 4223.822637] ? flush_tlb_one_kernel+0xa/0x20 +[ 4223.822637] ? __native_set_fixmap+0x24/0x30 +[ 4223.822637] ? ghes_copy_tofrom_phys+0x70/0x100 +[ 4223.822637] ? __ghes_peek_estatus.isra.16+0x49/0xa0 +[ 4223.822637] intel_pmu_handle_irq+0xba/0x2b0 +[ 4223.822638] perf_event_nmi_handler+0x24/0x40 +[ 4223.822638] nmi_handle+0x4d/0xf0 +[ 4223.822638] default_do_nmi+0x49/0x100 +[ 4223.822638] exc_nmi+0x134/0x180 +[ 4223.822639] end_repeat_nmi+0x16/0x67 +[ 4223.822639] RIP: 0010:qi_submit_sync+0x2c0/0x490 +[ 4223.822639] Code: 48 be 00 00 00 00 00 08 00 00 49 85 74 24 20 0f 95 c1 48 8b + 57 10 83 c1 04 83 3c 1a 03 0f 84 a2 01 00 00 49 8b 04 24 8b 70 34 <40> f6 c6 10 + 74 17 49 8b 04 24 8b 80 80 00 00 00 89 c2 d3 fa 41 39 +[ 4223.822640] RSP: 0018:ffffc4f074f0bbb8 EFLAGS: 00000093 +[ 4223.822640] RAX: ffffc4f040059000 RBX: 0000000000000014 RCX: 0000000000000005 +[ 4223.822640] RDX: ffff9f3841315800 RSI: 0000000000000000 RDI: ffff9f38401a8340 +[ 4223.822641] RBP: ffff9f38401a8340 R08: ffffc4f074f0bc00 R09: 0000000000000000 +[ 4223.822641] R10: 0000000000000010 R11: 0000000000000018 R12: ffff9f384005e200 +[ 4223.822641] R13: 0000000000000004 R14: 0000000000000046 R15: 0000000000000004 +[ 4223.822641] ? qi_submit_sync+0x2c0/0x490 +[ 4223.822642] ? 
qi_submit_sync+0x2c0/0x490 +[ 4223.822642] +[ 4223.822642] qi_flush_dev_iotlb+0xb1/0xd0 +[ 4223.822642] __dmar_remove_one_dev_info+0x224/0x250 +[ 4223.822643] dmar_remove_one_dev_info+0x3e/0x50 +[ 4223.822643] intel_iommu_release_device+0x1f/0x30 +[ 4223.822643] iommu_release_device+0x33/0x60 +[ 4223.822643] iommu_bus_notifier+0x7f/0x90 +[ 4223.822644] blocking_notifier_call_chain+0x60/0x90 +[ 4223.822644] device_del+0x2e5/0x420 +[ 4223.822644] pci_remove_bus_device+0x70/0x110 +[ 4223.822644] pciehp_unconfigure_device+0x7c/0x130 +[ 4223.822644] pciehp_disable_slot+0x6b/0x100 +[ 4223.822645] pciehp_handle_presence_or_link_change+0xd8/0x320 +[ 4223.822645] pciehp_ist+0x176/0x180 +[ 4223.822645] ? irq_finalize_oneshot.part.50+0x110/0x110 +[ 4223.822645] irq_thread_fn+0x19/0x50 +[ 4223.822646] irq_thread+0x104/0x190 +[ 4223.822646] ? irq_forced_thread_fn+0x90/0x90 +[ 4223.822646] ? irq_thread_check_affinity+0xe0/0xe0 +[ 4223.822646] kthread+0x114/0x130 +[ 4223.822647] ? __kthread_cancel_work+0x40/0x40 +[ 4223.822647] ret_from_fork+0x1f/0x30 +[ 4223.822647] Kernel Offset: 0x6400000 from 0xffffffff81000000 (relocation +range: 0xffffffff80000000-0xffffffffbfffffff) + +Such issue could be triggered by all kinds of regular surprise removal +hotplug operation. like: + +1. pull EP(endpoint device) out directly. +2. turn off EP's power. +3. bring the link down. +etc. + +this patch aims to work for regular safe removal and surprise removal +unplug. these hot unplug handling process could be optimized for fix the +ATS Invalidation hang issue by calling pci_dev_is_disconnected() in +function devtlb_invalidation_with_pasid() to check target device state to +avoid sending meaningless ATS Invalidation request to iommu when device is +gone. 
(see IMPLEMENTATION NOTE in PCIe spec r6.1 section 10.3.1) + +For safe removal, device wouldn't be removed until the whole software +handling process is done, it wouldn't trigger the hard lock up issue +caused by too long ATS Invalidation timeout wait. In safe removal path, +device state isn't set to pci_channel_io_perm_failure in +pciehp_unconfigure_device() by checking 'presence' parameter, calling +pci_dev_is_disconnected() in devtlb_invalidation_with_pasid() will return +false there, wouldn't break the function. + +For surprise removal, device state is set to pci_channel_io_perm_failure in +pciehp_unconfigure_device(), means device is already gone (disconnected) +call pci_dev_is_disconnected() in devtlb_invalidation_with_pasid() will +return true to break the function not to send ATS Invalidation request to +the disconnected device blindly, thus avoid to trigger further ITE fault, +and ITE fault will block all invalidation request to be handled. +furthermore retry the timeout request could trigger hard lockup. + +safe removal (present) & surprise removal (not present) + +pciehp_ist() + pciehp_handle_presence_or_link_change() + pciehp_disable_slot() + remove_board() + pciehp_unconfigure_device(presence) { + if (!presence) + pci_walk_bus(parent, pci_dev_set_disconnected, NULL); + } + +this patch works for regular safe removal and surprise removal of ATS +capable endpoint on PCIe switch downstream ports. 
+ +Fixes: 6f7db75e1c46 ("iommu/vt-d: Add second level page table interface") +Reviewed-by: Dan Carpenter +Tested-by: Haorong Ye +Signed-off-by: Ethan Zhao +Link: https://lore.kernel.org/r/20240301080727.3529832-3-haifeng.zhao@linux.intel.com +Signed-off-by: Lu Baolu +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/intel/pasid.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/iommu/intel/pasid.c b/drivers/iommu/intel/pasid.c +index 9b24e8224379e..586b289cf468d 100644 +--- a/drivers/iommu/intel/pasid.c ++++ b/drivers/iommu/intel/pasid.c +@@ -489,6 +489,9 @@ devtlb_invalidation_with_pasid(struct intel_iommu *iommu, + if (!info || !info->ats_enabled) + return; + ++ if (pci_dev_is_disconnected(to_pci_dev(dev))) ++ return; ++ + sid = info->bus << 8 | info->devfn; + qdep = info->ats_qdep; + pfsid = info->pfsid; +-- +2.43.0 + diff --git a/queue-5.10/ipmr-fix-incorrect-parameter-validation-in-the-ip_mr.patch b/queue-5.10/ipmr-fix-incorrect-parameter-validation-in-the-ip_mr.patch new file mode 100644 index 00000000000..e39f949cdcb --- /dev/null +++ b/queue-5.10/ipmr-fix-incorrect-parameter-validation-in-the-ip_mr.patch 
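Review bot: The added `pci_dev_is_disconnected(to_pci_dev(dev))` test in devtlb_invalidation_with_pasid() is a point-in-time check, so a device that goes away just after it passes can still be sent the ATS invalidation that the commit message describes as hanging. The hang itself comes from the retry loop, which is outside this hunk; the check narrows the window but presumably does not bound that wait, so the loop would still need its own exit condition for a missing target. A short comment would also record why the early return is safe, e.g. `/* Device is gone: a device-TLB invalidation could only time out (ITE), so skip it. */`. The function body continues outside the hunk.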
@@ -0,0 +1,45 @@
+From 5f18bf59ace33ef5aaa67068b0807c377d4915c8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 7 Mar 2024 14:23:50 +0000
+Subject: ipmr: fix incorrect parameter validation in the
+ ip_mroute_getsockopt() function
+
+From: Gavrilov Ilia
+
+[ Upstream commit 5c3be3e0eb44b7f978bb6cbb20ad956adb93f736 ]
+
+The 'olr' variable can't be negative when assigned the result of
+'min_t' because all 'min_t' parameters are cast to unsigned int,
+and then the minimum one is chosen.
+
+To fix the logic, check 'olr' as read from 'optlen',
+where the types of relevant variables are (signed) int.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Gavrilov Ilia
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/ipmr.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c
+index cdc0a1781fd28..db184cb826b95 100644
+--- a/net/ipv4/ipmr.c
++++ b/net/ipv4/ipmr.c
+@@ -1574,9 +1574,11 @@ int ip_mroute_getsockopt(struct sock *sk, int optname, sockptr_t optval,
+
+ if (copy_from_sockptr(&olr, optlen, sizeof(int)))
+ return -EFAULT;
+- olr = min_t(unsigned int, olr, sizeof(int));
+ if (olr < 0)
+ return -EINVAL;
++
++ olr = min_t(unsigned int, olr, sizeof(int));
++
+ if (copy_to_sockptr(optlen, &olr, sizeof(int)))
+ return -EFAULT;
+ if (copy_to_sockptr(optval, &val, olr))
+--
+2.43.0
+
diff --git a/queue-5.10/ipv6-fib6_rules-flush-route-cache-when-rule-is-chang.patch b/queue-5.10/ipv6-fib6_rules-flush-route-cache-when-rule-is-chang.patch
new file mode 100644
index 00000000000..d31ddb2c81b
--- /dev/null
+++ b/queue-5.10/ipv6-fib6_rules-flush-route-cache-when-rule-is-chang.patch
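Review bot: The corrected order in ip_mroute_getsockopt(), `if (olr < 0)` before `olr = min_t(unsigned int, olr, sizeof(int));`, is easy to undo in a later cleanup, because nothing on these lines says the sign check has to see the user-supplied value before the unsigned clamp. A one-line comment above the check would pin it: `/* Reject a negative optlen before min_t() converts olr to unsigned. */`. The l2tp patch later in this queue reorders the same two statements in pppol2tp_getsockopt() for `len`, and would take the same comment. Both functions continue outside their hunks.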
@@ -0,0 +1,55 @@ +From 9f9147a1d156cc2c4de67789e04ee656d82ebafb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Mar 2024 18:01:57 +0800 +Subject: ipv6: fib6_rules: flush route cache when rule is changed + +From: Shiming Cheng + +[ Upstream commit c4386ab4f6c600f75fdfd21143f89bac3e625d0d ] + +When rule policy is changed, ipv6 socket cache is not refreshed. +The sock's skb still uses a outdated route cache and was sent to +a wrong interface. + +To avoid this error we should update fib node's version when +rule is changed. Then skb's route will be reroute checked as +route cache version is already different with fib node version. +The route cache is refreshed to match the latest rule. + +Fixes: 101367c2f8c4 ("[IPV6]: Policy Routing Rules") +Signed-off-by: Shiming Cheng +Signed-off-by: Lena Wang +Reviewed-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv6/fib6_rules.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/ipv6/fib6_rules.c b/net/ipv6/fib6_rules.c +index 3e4c87b29b115..55cd23b7a9357 100644 +--- a/net/ipv6/fib6_rules.c ++++ b/net/ipv6/fib6_rules.c +@@ -446,6 +446,11 @@ static size_t fib6_rule_nlmsg_payload(struct fib_rule *rule) + + nla_total_size(16); /* src */ + } + ++static void fib6_rule_flush_cache(struct fib_rules_ops *ops) ++{ ++ rt_genid_bump_ipv6(ops->fro_net); ++} ++ + static const struct fib_rules_ops __net_initconst fib6_rules_ops_template = { + .family = AF_INET6, + .rule_size = sizeof(struct fib6_rule), +@@ -458,6 +463,7 @@ static const struct fib_rules_ops __net_initconst fib6_rules_ops_template = { + .compare = fib6_rule_compare, + .fill = fib6_rule_fill, + .nlmsg_payload = fib6_rule_nlmsg_payload, ++ .flush_cache = fib6_rule_flush_cache, + .nlgroup = RTNLGRP_IPV6_RULE, + .policy = fib6_rule_policy, + .owner = THIS_MODULE, +-- +2.43.0 + 
diff --git a/queue-5.10/l2tp-fix-incorrect-parameter-validation-in-the-pppol.patch b/queue-5.10/l2tp-fix-incorrect-parameter-validation-in-the-pppol.patch new file mode 100644 index 00000000000..2d2708ae7f3 --- /dev/null +++ b/queue-5.10/l2tp-fix-incorrect-parameter-validation-in-the-pppol.patch @@ -0,0 +1,47 @@ +From acafe4eeb2582f37cd80a0bc4f870f59c785644d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Mar 2024 14:23:50 +0000 +Subject: l2tp: fix incorrect parameter validation in the pppol2tp_getsockopt() + function + +From: Gavrilov Ilia + +[ Upstream commit 955e9876ba4ee26eeaab1b13517f5b2c88e73d55 ] + +The 'len' variable can't be negative when assigned the result of +'min_t' because all 'min_t' parameters are cast to unsigned int, +and then the minimum one is chosen. + +To fix the logic, check 'len' as read from 'optlen', +where the types of relevant variables are (signed) int. + +Fixes: 3557baabf280 ("[L2TP]: PPP over L2TP driver core") +Reviewed-by: Tom Parkin +Signed-off-by: Gavrilov Ilia +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/l2tp/l2tp_ppp.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c +index 5ecc0f2009444..b1d89c850f686 100644 +--- a/net/l2tp/l2tp_ppp.c ++++ b/net/l2tp/l2tp_ppp.c +@@ -1357,11 +1357,11 @@ static int pppol2tp_getsockopt(struct socket *sock, int level, int optname, + if (get_user(len, optlen)) + return -EFAULT; + +- len = min_t(unsigned int, len, sizeof(int)); +- + if (len < 0) + return -EINVAL; + ++ len = min_t(unsigned int, len, sizeof(int)); ++ + err = -ENOTCONN; + if (!sk->sk_user_data) + goto end; +-- +2.43.0 + diff --git a/queue-5.10/leds-aw2013-unlock-mutex-before-destroying-it.patch b/queue-5.10/leds-aw2013-unlock-mutex-before-destroying-it.patch new file mode 100644 index 00000000000..b90375862ec --- /dev/null +++ b/queue-5.10/leds-aw2013-unlock-mutex-before-destroying-it.patch 
@@ -0,0 +1,37 @@
+From 2ef93ada08e00dbb2a8a832124845d5cb2535af3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 14 Dec 2023 20:36:05 +0300
+Subject: leds: aw2013: Unlock mutex before destroying it
+
+From: George Stark
+
+[ Upstream commit 6969d0a2ba1adc9ba6a49b9805f24080896c255c ]
+
+In the probe() callback in case of error mutex is destroyed being locked
+which is not allowed so unlock the mutex before destroying.
+
+Fixes: 59ea3c9faf32 ("leds: add aw2013 driver")
+Signed-off-by: George Stark
+Reviewed-by: Andy Shevchenko
+Link: https://lore.kernel.org/r/20231214173614.2820929-2-gnstark@salutedevices.com
+Signed-off-by: Lee Jones
+Signed-off-by: Sasha Levin
+---
+ drivers/leds/leds-aw2013.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/leds/leds-aw2013.c b/drivers/leds/leds-aw2013.c
+index 80d937454aeef..f7d9795ce5e1f 100644
+--- a/drivers/leds/leds-aw2013.c
++++ b/drivers/leds/leds-aw2013.c
+@@ -397,6 +397,7 @@ static int aw2013_probe(struct i2c_client *client)
+ regulator_disable(chip->vcc_regulator);
+
+ error:
++ mutex_unlock(&chip->mutex);
+ mutex_destroy(&chip->mutex);
+ return ret;
+ }
+--
+2.43.0
+
diff --git a/queue-5.10/leds-sgm3140-add-missing-timer-cleanup-and-flash-gpi.patch b/queue-5.10/leds-sgm3140-add-missing-timer-cleanup-and-flash-gpi.patch
new file mode 100644
index 00000000000..4c2873438b6
--- /dev/null
+++ b/queue-5.10/leds-sgm3140-add-missing-timer-cleanup-and-flash-gpi.patch
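Review bot: With `mutex_unlock(&chip->mutex);` placed directly under the `error:` label in aw2013_probe(), every `goto error` must now be taken with chip->mutex held, since unlocking a mutex the caller does not hold is as invalid as destroying a locked one. Only the tail of the function is in the hunk, so the jumps to `error` cannot be checked here; presumably they all come after the lock is taken. A comment on the label would keep later error paths honest, e.g. `/* reached only with chip->mutex held */`.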
@@ -0,0 +1,41 @@ +From a0af5c9b418054bd627b41f63078bf85ef753c99 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 17 Feb 2024 20:11:30 +0100 +Subject: leds: sgm3140: Add missing timer cleanup and flash gpio control + +From: Ondrej Jirman + +[ Upstream commit 205c29887a333ee4b37596e6533373e38cb23947 ] + +Enabling strobe and then setting brightness to 0 causes the driver to enter +invalid state after strobe end timer fires. We should cancel strobe mode +resources when changing brightness (aka torch mode). + +Fixes: cef8ec8cbd21 ("leds: add sgm3140 driver") +Signed-off-by: Ondrej Jirman +Link: https://lore.kernel.org/r/20240217191133.1757553-1-megi@xff.cz +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/leds/leds-sgm3140.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/leds/leds-sgm3140.c b/drivers/leds/leds-sgm3140.c +index f4f831570f11c..e72017b11098b 100644 +--- a/drivers/leds/leds-sgm3140.c ++++ b/drivers/leds/leds-sgm3140.c +@@ -114,8 +114,11 @@ static int sgm3140_brightness_set(struct led_classdev *led_cdev, + "failed to enable regulator: %d\n", ret); + return ret; + } ++ gpiod_set_value_cansleep(priv->flash_gpio, 0); + gpiod_set_value_cansleep(priv->enable_gpio, 1); + } else { ++ del_timer_sync(&priv->powerdown_timer); ++ gpiod_set_value_cansleep(priv->flash_gpio, 0); + gpiod_set_value_cansleep(priv->enable_gpio, 0); + ret = regulator_disable(priv->vin_regulator); + if (ret) { +-- +2.43.0 + diff --git a/queue-5.10/md-don-t-clear-md_closing-when-the-raid-is-about-to-.patch b/queue-5.10/md-don-t-clear-md_closing-when-the-raid-is-about-to-.patch new file mode 100644 index 00000000000..b4d83cd7777 --- /dev/null +++ b/queue-5.10/md-don-t-clear-md_closing-when-the-raid-is-about-to-.patch 
@@ -0,0 +1,73 @@ +From 2d409455a487d1f495a7728c4e7fd2510e18b55e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Feb 2024 11:14:40 +0800 +Subject: md: Don't clear MD_CLOSING when the raid is about to stop + +From: Li Nan + +[ Upstream commit 9674f54e41fffaf06f6a60202e1fa4cc13de3cf5 ] + +The raid should not be opened anymore when it is about to be stopped. +However, other processes can open it again if the flag MD_CLOSING is +cleared before exiting. From now on, this flag will not be cleared when +the raid will be stopped. + +Fixes: 065e519e71b2 ("md: MD_CLOSING needs to be cleared after called md_set_readonly or do_md_stop") +Signed-off-by: Li Nan +Reviewed-by: Yu Kuai +Signed-off-by: Song Liu +Link: https://lore.kernel.org/r/20240226031444.3606764-6-linan666@huaweicloud.com +Signed-off-by: Sasha Levin +--- + drivers/md/md.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +diff --git a/drivers/md/md.c b/drivers/md/md.c +index d6f12338cb989..09c7f52156f3f 100644 +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -6243,7 +6243,15 @@ static void md_clean(struct mddev *mddev) + mddev->persistent = 0; + mddev->level = LEVEL_NONE; + mddev->clevel[0] = 0; +- mddev->flags = 0; ++ /* ++ * Don't clear MD_CLOSING, or mddev can be opened again. ++ * 'hold_active != 0' means mddev is still in the creation ++ * process and will be used later. 
++ */ ++ if (mddev->hold_active) ++ mddev->flags = 0; ++ else ++ mddev->flags &= BIT_ULL_MASK(MD_CLOSING); + mddev->sb_flags = 0; + mddev->ro = 0; + mddev->metadata_type[0] = 0; +@@ -7562,7 +7570,6 @@ static int md_ioctl(struct block_device *bdev, fmode_t mode, + int err = 0; + void __user *argp = (void __user *)arg; + struct mddev *mddev = NULL; +- bool did_set_md_closing = false; + + if (!md_ioctl_valid(cmd)) + return -ENOTTY; +@@ -7649,7 +7656,6 @@ static int md_ioctl(struct block_device *bdev, fmode_t mode, + err = -EBUSY; + goto out; + } +- did_set_md_closing = true; + mutex_unlock(&mddev->open_mutex); + sync_blockdev(bdev); + } +@@ -7813,7 +7819,7 @@ static int md_ioctl(struct block_device *bdev, fmode_t mode, + mddev->hold_active = 0; + mddev_unlock(mddev); + out: +- if(did_set_md_closing) ++ if (cmd == STOP_ARRAY_RO || (err && cmd == STOP_ARRAY)) + clear_bit(MD_CLOSING, &mddev->flags); + return err; + } +-- +2.43.0 + diff --git a/queue-5.10/md-implement-set_read_only-to-hook-into-blkroset-pro.patch b/queue-5.10/md-implement-set_read_only-to-hook-into-blkroset-pro.patch new file mode 100644 index 00000000000..5f32b891527 --- /dev/null +++ b/queue-5.10/md-implement-set_read_only-to-hook-into-blkroset-pro.patch 
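Review bot: In md_ioctl() the `out:` path now clears MD_CLOSING based only on `cmd` and `err`, where it used to depend on `did_set_md_closing`. The `err = -EBUSY; goto out;` context lines just above the removed `did_set_md_closing = true;` still jump to that label, so if that branch is the one taken when the flag was already set by another caller (its condition is outside the hunk), a failed STOP_ARRAY or STOP_ARRAY_RO would clear a flag it never set and let the array be opened again. Keeping the local and combining it with the new test avoids that: `if (did_set_md_closing && (cmd == STOP_ARRAY_RO || err)) clear_bit(MD_CLOSING, &mddev->flags);`. Separately, `mddev->flags &= BIT_ULL_MASK(MD_CLOSING);` in md_clean() is a plain read-modify-write on a word that the same patch changes elsewhere with atomic bit operations.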
@@ -0,0 +1,125 @@ +From d8cbd557280eeca67de30eacc5ef3419993cbda4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Nov 2020 11:00:13 +0100 +Subject: md: implement ->set_read_only to hook into BLKROSET processing + +From: Christoph Hellwig + +[ Upstream commit 118cf084adb3964d06e1667cf7d702e56e5cd2c5 ] + +Implement the ->set_read_only method instead of parsing the actual +ioctl command. + +Signed-off-by: Christoph Hellwig +Acked-by: Song Liu +Signed-off-by: Jens Axboe +Stable-dep-of: 9674f54e41ff ("md: Don't clear MD_CLOSING when the raid is about to stop") +Signed-off-by: Sasha Levin +--- + drivers/md/md.c | 62 ++++++++++++++++++++++++------------------------- + 1 file changed, 31 insertions(+), 31 deletions(-) + +diff --git a/drivers/md/md.c b/drivers/md/md.c +index 03d2e31dda2f6..d6f12338cb989 100644 +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -7536,7 +7536,6 @@ static inline bool md_ioctl_valid(unsigned int cmd) + { + switch (cmd) { + case ADD_NEW_DISK: +- case BLKROSET: + case GET_ARRAY_INFO: + case GET_BITMAP_FILE: + case GET_DISK_INFO: +@@ -7563,7 +7562,6 @@ static int md_ioctl(struct block_device *bdev, fmode_t mode, + int err = 0; + void __user *argp = (void __user *)arg; + struct mddev *mddev = NULL; +- int ro; + bool did_set_md_closing = false; + + if (!md_ioctl_valid(cmd)) +@@ -7746,35 +7744,6 @@ static int md_ioctl(struct block_device *bdev, fmode_t mode, + goto unlock; + } + break; +- +- case BLKROSET: +- if (get_user(ro, (int __user *)(arg))) { +- err = -EFAULT; +- goto unlock; +- } +- err = -EINVAL; +- +- /* if the bdev is going readonly the value of mddev->ro +- * does not matter, no writes are coming +- */ +- if (ro) +- goto unlock; +- +- /* are we are already prepared for writes? 
*/ +- if (mddev->ro != 1) +- goto unlock; +- +- /* transitioning to readauto need only happen for +- * arrays that call md_write_start +- */ +- if (mddev->pers) { +- err = restart_array(mddev); +- if (err == 0) { +- mddev->ro = 2; +- set_disk_ro(mddev->gendisk, 0); +- } +- } +- goto unlock; + } + + /* +@@ -7868,6 +7837,36 @@ static int md_compat_ioctl(struct block_device *bdev, fmode_t mode, + } + #endif /* CONFIG_COMPAT */ + ++static int md_set_read_only(struct block_device *bdev, bool ro) ++{ ++ struct mddev *mddev = bdev->bd_disk->private_data; ++ int err; ++ ++ err = mddev_lock(mddev); ++ if (err) ++ return err; ++ ++ if (!mddev->raid_disks && !mddev->external) { ++ err = -ENODEV; ++ goto out_unlock; ++ } ++ ++ /* ++ * Transitioning to read-auto need only happen for arrays that call ++ * md_write_start and which are not ready for writes yet. ++ */ ++ if (!ro && mddev->ro == 1 && mddev->pers) { ++ err = restart_array(mddev); ++ if (err) ++ goto out_unlock; ++ mddev->ro = 2; ++ } ++ ++out_unlock: ++ mddev_unlock(mddev); ++ return err; ++} ++ + static int md_open(struct block_device *bdev, fmode_t mode) + { + /* +@@ -7944,6 +7943,7 @@ const struct block_device_operations md_fops = + #endif + .getgeo = md_getgeo, + .check_events = md_check_events, ++ .set_read_only = md_set_read_only, + }; + + static int md_thread(void *arg) +-- +2.43.0 + diff --git a/queue-5.10/media-dvb-frontends-avoid-stack-overflow-warnings-wi.patch b/queue-5.10/media-dvb-frontends-avoid-stack-overflow-warnings-wi.patch new file mode 100644 index 00000000000..b3bfe31ba47 --- /dev/null +++ b/queue-5.10/media-dvb-frontends-avoid-stack-overflow-warnings-wi.patch 
@@ -0,0 +1,95 @@ +From f83a80d25fc86d11e703f8b25fb7ea1ade872140 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Feb 2024 17:31:44 +0100 +Subject: media: dvb-frontends: avoid stack overflow warnings with clang + +From: Arnd Bergmann + +[ Upstream commit 7a4cf27d1f0538f779bf31b8c99eda394e277119 ] + +A previous patch worked around a KASAN issue in stv0367, now a similar +problem showed up with clang: + +drivers/media/dvb-frontends/stv0367.c:1222:12: error: stack frame size (3624) exceeds limit (2048) in 'stv0367ter_set_frontend' [-Werror,-Wframe-larger-than] + 1214 | static int stv0367ter_set_frontend(struct dvb_frontend *fe) + +Rework the stv0367_writereg() function to be simpler and mark both +register access functions as noinline_for_stack so the temporary +i2c_msg structures do not get duplicated on the stack when KASAN_STACK +is enabled. + +Fixes: 3cd890dbe2a4 ("media: dvb-frontends: fix i2c access helpers for KASAN") +Signed-off-by: Arnd Bergmann +Reviewed-by: Justin Stitt +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/dvb-frontends/stv0367.c | 34 +++++++-------------------- + 1 file changed, 8 insertions(+), 26 deletions(-) + +diff --git a/drivers/media/dvb-frontends/stv0367.c b/drivers/media/dvb-frontends/stv0367.c +index 0bfca1174e9e7..8cbae8235b174 100644 +--- a/drivers/media/dvb-frontends/stv0367.c ++++ b/drivers/media/dvb-frontends/stv0367.c +@@ -118,50 +118,32 @@ static const s32 stv0367cab_RF_LookUp2[RF_LOOKUP_TABLE2_SIZE][RF_LOOKUP_TABLE2_S + } + }; + +-static +-int stv0367_writeregs(struct stv0367_state *state, u16 reg, u8 *data, int len) ++static noinline_for_stack ++int stv0367_writereg(struct stv0367_state *state, u16 reg, u8 data) + { +- u8 buf[MAX_XFER_SIZE]; ++ u8 buf[3] = { MSB(reg), LSB(reg), data }; + struct i2c_msg msg = { + .addr = state->config->demod_address, + .flags = 0, + .buf = buf, +- .len = len + 2 ++ .len = 3, + }; + int ret; + +- if (2 + len > sizeof(buf)) { +- printk(KERN_WARNING +- "%s: 
i2c wr reg=%04x: len=%d is too big!\n", +- KBUILD_MODNAME, reg, len); +- return -EINVAL; +- } +- +- +- buf[0] = MSB(reg); +- buf[1] = LSB(reg); +- memcpy(buf + 2, data, len); +- + if (i2cdebug) + printk(KERN_DEBUG "%s: [%02x] %02x: %02x\n", __func__, +- state->config->demod_address, reg, buf[2]); ++ state->config->demod_address, reg, data); + + ret = i2c_transfer(state->i2c, &msg, 1); + if (ret != 1) + printk(KERN_ERR "%s: i2c write error! ([%02x] %02x: %02x)\n", +- __func__, state->config->demod_address, reg, buf[2]); ++ __func__, state->config->demod_address, reg, data); + + return (ret != 1) ? -EREMOTEIO : 0; + } + +-static int stv0367_writereg(struct stv0367_state *state, u16 reg, u8 data) +-{ +- u8 tmp = data; /* see gcc.gnu.org/bugzilla/show_bug.cgi?id=81715 */ +- +- return stv0367_writeregs(state, reg, &tmp, 1); +-} +- +-static u8 stv0367_readreg(struct stv0367_state *state, u16 reg) ++static noinline_for_stack ++u8 stv0367_readreg(struct stv0367_state *state, u16 reg) + { + u8 b0[] = { 0, 0 }; + u8 b1[] = { 0 }; +-- +2.43.0 + diff --git a/queue-5.10/media-edia-dvbdev-fix-a-use-after-free.patch b/queue-5.10/media-edia-dvbdev-fix-a-use-after-free.patch new file mode 100644 index 00000000000..7bb261220e6 --- /dev/null +++ b/queue-5.10/media-edia-dvbdev-fix-a-use-after-free.patch 
@@ -0,0 +1,84 @@ +From f5e89100513ab52301067195dd979ffe2063e566 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 3 Feb 2024 14:40:43 +0100 +Subject: media: edia: dvbdev: fix a use-after-free + +From: Zhipeng Lu + +[ Upstream commit 8c64f4cdf4e6cc5682c52523713af8c39c94e6d5 ] + +In dvb_register_device, *pdvbdev is set equal to dvbdev, which is freed +in several error-handling paths. However, *pdvbdev is not set to NULL +after dvbdev's deallocation, causing use-after-frees in many places, +for example, in the following call chain: + +budget_register + |-> dvb_dmxdev_init + |-> dvb_register_device + |-> dvb_dmxdev_release + |-> dvb_unregister_device + |-> dvb_remove_device + |-> dvb_device_put + |-> kref_put + +When calling dvb_unregister_device, dmxdev->dvbdev (i.e. *pdvbdev in +dvb_register_device) could point to memory that had been freed in +dvb_register_device. Thereafter, this pointer is transferred to +kref_put and triggering a use-after-free. + +Link: https://lore.kernel.org/linux-media/20240203134046.3120099-1-alexious@zju.edu.cn +Fixes: b61901024776 ("V4L/DVB (5244): Dvbdev: fix illegal re-usage of fileoperations struct") +Signed-off-by: Zhipeng Lu +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/dvb-core/dvbdev.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/media/dvb-core/dvbdev.c b/drivers/media/dvb-core/dvbdev.c +index 3a83e8e092568..23a0c209744dc 100644 +--- a/drivers/media/dvb-core/dvbdev.c ++++ b/drivers/media/dvb-core/dvbdev.c +@@ -504,6 +504,7 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev, + dvbdevfops = kmemdup(template->fops, sizeof(*dvbdevfops), GFP_KERNEL); + if (!dvbdevfops) { + kfree(dvbdev); ++ *pdvbdev = NULL; + mutex_unlock(&dvbdev_register_lock); + return -ENOMEM; + } +@@ -512,6 +513,7 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev, + if (!new_node) { + kfree(dvbdevfops); + kfree(dvbdev); ++ *pdvbdev = 
NULL; + mutex_unlock(&dvbdev_register_lock); + return -ENOMEM; + } +@@ -545,6 +547,7 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev, + } + list_del (&dvbdev->list_head); + kfree(dvbdev); ++ *pdvbdev = NULL; + up_write(&minor_rwsem); + mutex_unlock(&dvbdev_register_lock); + return -EINVAL; +@@ -567,6 +570,7 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev, + dvb_media_device_free(dvbdev); + list_del (&dvbdev->list_head); + kfree(dvbdev); ++ *pdvbdev = NULL; + mutex_unlock(&dvbdev_register_lock); + return ret; + } +@@ -585,6 +589,7 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev, + dvb_media_device_free(dvbdev); + list_del (&dvbdev->list_head); + kfree(dvbdev); ++ *pdvbdev = NULL; + mutex_unlock(&dvbdev_register_lock); + return PTR_ERR(clsdev); + } +-- +2.43.0 + diff --git a/queue-5.10/media-em28xx-annotate-unchecked-call-to-media_device.patch b/queue-5.10/media-em28xx-annotate-unchecked-call-to-media_device.patch new file mode 100644 index 00000000000..0e0ebd9aa02 --- /dev/null +++ b/queue-5.10/media-em28xx-annotate-unchecked-call-to-media_device.patch 
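Review bot: Resetting `*pdvbdev` by hand in each of the five error branches of dvb_register_device() is easy to forget when another branch is added, which is how the dangling pointer arose in the first place. A single unwind label that does `kfree(dvbdev); *pdvbdev = NULL; mutex_unlock(&dvbdev_register_lock);` would keep the free and the reset together; the branch that also holds `minor_rwsem` would still need its `up_write()` first. The fix turns a stale pointer into a NULL one, so it relies on the teardown chain named in the commit message (dvb_unregister_device, dvb_remove_device, dvb_device_put) tolerating NULL, and those functions are outside these hunks, so that should be confirmed for the 5.10 tree. A sentence in the function's comment stating that `*pdvbdev` is NULL on every failure return would document the contract callers now depend on.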
@@ -0,0 +1,42 @@ +From 6154786f86e700de44b77046bbc38d42219ecbda Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Jan 2024 05:42:26 -0800 +Subject: media: em28xx: annotate unchecked call to media_device_register() + +From: Nikita Zhandarovich + +[ Upstream commit fd61d77a3d28444b2635f0c8b5a2ecd6a4d94026 ] + +Static analyzers generate alerts for an unchecked call to +`media_device_register()`. However, in this case, the device will work +reliably without the media controller API. + +Add a comment above the call to prevent future unnecessary changes. + +Suggested-by: Mauro Carvalho Chehab +Fixes: 37ecc7b1278f ("[media] em28xx: add media controller support") +Signed-off-by: Nikita Zhandarovich +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/usb/em28xx/em28xx-cards.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/media/usb/em28xx/em28xx-cards.c b/drivers/media/usb/em28xx/em28xx-cards.c +index 26408a972b443..5deee83132c62 100644 +--- a/drivers/media/usb/em28xx/em28xx-cards.c ++++ b/drivers/media/usb/em28xx/em28xx-cards.c +@@ -4049,6 +4049,10 @@ static int em28xx_usb_probe(struct usb_interface *intf, + * topology will likely change after the load of the em28xx subdrivers. + */ + #ifdef CONFIG_MEDIA_CONTROLLER ++ /* ++ * No need to check the return value, the device will still be ++ * usable without media controller API. ++ */ + retval = media_device_register(dev->media_dev); + #endif + +-- +2.43.0 + diff --git a/queue-5.10/media-go7007-add-check-of-return-value-of-go7007_rea.patch b/queue-5.10/media-go7007-add-check-of-return-value-of-go7007_rea.patch new file mode 100644 index 00000000000..90fbb433b33 --- /dev/null +++ b/queue-5.10/media-go7007-add-check-of-return-value-of-go7007_rea.patch 
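Review bot: The added comment says the result is deliberately ignored, yet the call still stores it in `retval`, so a failure code stays in that variable for whatever follows in em28xx_usb_probe(), which continues outside this hunk. It should be confirmed that nothing after the `#endif` returns `retval`. Since the failure is otherwise silent, a line such as `if (retval) dev_warn(&intf->dev, "media controller registration failed: %d\n", retval);` would leave a trace when the media controller node is missing while keeping the device usable.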
@@ -0,0 +1,40 @@ +From ed55dfbe73f264b361173abbcb814a9dd2897395 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 11 Feb 2024 07:07:05 -0800 +Subject: media: go7007: add check of return value of go7007_read_addr() + +From: Daniil Dulov + +[ Upstream commit 0b70530ee740861f4776ff724fcc25023df1799a ] + +If go7007_read_addr() returns error channel is not assigned a value. +In this case go to allocfail. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 866b8695d67e ("Staging: add the go7007 video driver") +Signed-off-by: Daniil Dulov +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/usb/go7007/go7007-usb.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/usb/go7007/go7007-usb.c b/drivers/media/usb/go7007/go7007-usb.c +index eeb85981e02b6..762c13e49bfa5 100644 +--- a/drivers/media/usb/go7007/go7007-usb.c ++++ b/drivers/media/usb/go7007/go7007-usb.c +@@ -1201,7 +1201,9 @@ static int go7007_usb_probe(struct usb_interface *intf, + u16 channel; + + /* read channel number from GPIO[1:0] */ +- go7007_read_addr(go, 0x3c81, &channel); ++ if (go7007_read_addr(go, 0x3c81, &channel)) ++ goto allocfail; ++ + channel &= 0x3; + go->board_id = GO7007_BOARDID_ADLINK_MPG24; + usb->board = board = &board_adlink_mpg24; +-- +2.43.0 + diff --git a/queue-5.10/media-go7007-fix-a-memleak-in-go7007_load_encoder.patch b/queue-5.10/media-go7007-fix-a-memleak-in-go7007_load_encoder.patch new file mode 100644 index 00000000000..e17f66ed809 --- /dev/null +++ b/queue-5.10/media-go7007-fix-a-memleak-in-go7007_load_encoder.patch 
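Review bot: The new `goto allocfail` discards the error code from go7007_read_addr(), and the `allocfail` label is outside this hunk; if that label returns a fixed allocation error, a failed register read will be reported as out-of-memory. Logging before the jump, for example `dev_err(&intf->dev, "failed to read channel GPIO\n");`, would make the real cause diagnosable. The check itself is needed: without it `channel` is read uninitialised from the stack and then masked and used for the board setup that follows.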
@@ -0,0 +1,57 @@ +From 6f8578cb3d5f4bc7623fe83e63d44c3cd0fff4c9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Feb 2024 12:37:13 +0800 +Subject: media: go7007: fix a memleak in go7007_load_encoder + +From: Zhipeng Lu + +[ Upstream commit b9b683844b01d171a72b9c0419a2d760d946ee12 ] + +In go7007_load_encoder, bounce(i.e. go->boot_fw), is allocated without +a deallocation thereafter. After the following call chain: + +saa7134_go7007_init + |-> go7007_boot_encoder + |-> go7007_load_encoder + |-> kfree(go) + +go is freed and thus bounce is leaked. + +Fixes: 95ef39403f89 ("[media] go7007: remember boot firmware") +Signed-off-by: Zhipeng Lu +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/usb/go7007/go7007-driver.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/media/usb/go7007/go7007-driver.c b/drivers/media/usb/go7007/go7007-driver.c +index 6650eab913d81..3c66542ce284a 100644 +--- a/drivers/media/usb/go7007/go7007-driver.c ++++ b/drivers/media/usb/go7007/go7007-driver.c +@@ -80,7 +80,7 @@ static int go7007_load_encoder(struct go7007 *go) + const struct firmware *fw_entry; + char fw_name[] = "go7007/go7007fw.bin"; + void *bounce; +- int fw_len, rv = 0; ++ int fw_len; + u16 intr_val, intr_data; + + if (go->boot_fw == NULL) { +@@ -109,9 +109,11 @@ static int go7007_load_encoder(struct go7007 *go) + go7007_read_interrupt(go, &intr_val, &intr_data) < 0 || + (intr_val & ~0x1) != 0x5a5a) { + v4l2_err(go, "error transferring firmware\n"); +- rv = -1; ++ kfree(go->boot_fw); ++ go->boot_fw = NULL; ++ return -1; + } +- return rv; ++ return 0; + } + + MODULE_FIRMWARE("go7007/go7007fw.bin"); +-- +2.43.0 + diff --git a/queue-5.10/media-imx-csc-scaler-fix-v4l2_ctrl_handler-memory-le.patch b/queue-5.10/media-imx-csc-scaler-fix-v4l2_ctrl_handler-memory-le.patch new file mode 100644 index 00000000000..77395ed5ca6 --- /dev/null +++ b/queue-5.10/media-imx-csc-scaler-fix-v4l2_ctrl_handler-memory-le.patch 
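Review bot: The error branch in go7007_load_encoder() now returns a bare `-1`, which a caller that propagates it would pass on as -EPERM; `return -EIO;` would say what actually happened. Freeing `go->boot_fw` and clearing the pointer in the same branch is the right pattern, because the `go->boot_fw == NULL` test at the top of the function then reloads the firmware instead of touching freed memory. On the success path `go->boot_fw` stays owned by `go`, so the code that frees `go` (outside this hunk) must free it too; that is worth confirming, since the commit message describes the leak in terms of `kfree(go)`.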
@@ -0,0 +1,35 @@ +From 9ed10c83831cedffc4194226c806c3c0dc064af9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Jan 2024 13:00:33 +0100 +Subject: media: imx: csc/scaler: fix v4l2_ctrl_handler memory leak + +From: Lucas Stach + +[ Upstream commit 4797a3dd46f220e6d83daf54d70c5b33db6deb01 ] + +Free the memory allocated in v4l2_ctrl_handler_init on release. + +Fixes: a8ef0488cc59 ("media: imx: add csc/scaler mem2mem device") +Signed-off-by: Lucas Stach +Reviewed-by: Philipp Zabel +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/staging/media/imx/imx-media-csc-scaler.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/staging/media/imx/imx-media-csc-scaler.c b/drivers/staging/media/imx/imx-media-csc-scaler.c +index 63a0204502a8b..939843b895440 100644 +--- a/drivers/staging/media/imx/imx-media-csc-scaler.c ++++ b/drivers/staging/media/imx/imx-media-csc-scaler.c +@@ -803,6 +803,7 @@ static int ipu_csc_scaler_release(struct file *file) + + dev_dbg(priv->dev, "Releasing instance %p\n", ctx); + ++ v4l2_ctrl_handler_free(&ctx->ctrl_hdlr); + v4l2_m2m_ctx_release(ctx->fh.m2m_ctx); + v4l2_fh_del(&ctx->fh); + v4l2_fh_exit(&ctx->fh); +-- +2.43.0 + diff --git a/queue-5.10/media-mediatek-vcodec-avoid-wcast-function-type-stri.patch b/queue-5.10/media-mediatek-vcodec-avoid-wcast-function-type-stri.patch new file mode 100644 index 00000000000..f14113ecea4 --- /dev/null +++ b/queue-5.10/media-mediatek-vcodec-avoid-wcast-function-type-stri.patch 
@@ -0,0 +1,93 @@ +From 6b6bf108432b78ceba00b25de2ac96a7805455ee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 24 Feb 2024 13:10:22 +0100 +Subject: media: mediatek: vcodec: avoid -Wcast-function-type-strict warning + +From: Arnd Bergmann + +[ Upstream commit bfb1b99802ef16045402deb855c197591dc78886 ] + +The ipi handler here tries hard to maintain const-ness of its argument, +but by doing that causes a warning about function type casts: + +drivers/media/platform/mediatek/vcodec/common/mtk_vcodec_fw_vpu.c:38:32: error: cast from 'mtk_vcodec_ipi_handler' (aka 'void (*)(void *, unsigned int, void *)') to 'ipi_handler_t' (aka 'void (*)(const void *, unsigned int, void *)') converts to incompatible function type [-Werror,-Wcast-function-type-strict] + 38 | ipi_handler_t handler_const = (ipi_handler_t)handler; + | ^~~~~~~~~~~~~~~~~~~~~~ + +Remove the hack and just use a non-const argument. + +Fixes: bf1d556ad4e0 ("media: mtk-vcodec: abstract firmware interface") +Signed-off-by: Arnd Bergmann +Reviewed-by: Ricardo Ribalda +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/platform/mtk-mdp/mtk_mdp_vpu.c | 2 +- + drivers/media/platform/mtk-vcodec/mtk_vcodec_fw_vpu.c | 10 +--------- + drivers/media/platform/mtk-vpu/mtk_vpu.c | 2 +- + drivers/media/platform/mtk-vpu/mtk_vpu.h | 2 +- + 4 files changed, 4 insertions(+), 12 deletions(-) + +diff --git a/drivers/media/platform/mtk-mdp/mtk_mdp_vpu.c b/drivers/media/platform/mtk-mdp/mtk_mdp_vpu.c +index b065ccd069140..378a1cba0144f 100644 +--- a/drivers/media/platform/mtk-mdp/mtk_mdp_vpu.c ++++ b/drivers/media/platform/mtk-mdp/mtk_mdp_vpu.c +@@ -26,7 +26,7 @@ static void mtk_mdp_vpu_handle_init_ack(const struct mdp_ipi_comm_ack *msg) + vpu->inst_addr = msg->vpu_inst_addr; + } + +-static void mtk_mdp_vpu_ipi_handler(const void *data, unsigned int len, ++static void mtk_mdp_vpu_ipi_handler(void *data, unsigned int len, + void *priv) + { + const struct mdp_ipi_comm_ack *msg = data; +diff --git 
a/drivers/media/platform/mtk-vcodec/mtk_vcodec_fw_vpu.c b/drivers/media/platform/mtk-vcodec/mtk_vcodec_fw_vpu.c +index cfc7ebed8fb7a..1ec29f1b163a1 100644 +--- a/drivers/media/platform/mtk-vcodec/mtk_vcodec_fw_vpu.c ++++ b/drivers/media/platform/mtk-vcodec/mtk_vcodec_fw_vpu.c +@@ -29,15 +29,7 @@ static int mtk_vcodec_vpu_set_ipi_register(struct mtk_vcodec_fw *fw, int id, + mtk_vcodec_ipi_handler handler, + const char *name, void *priv) + { +- /* +- * The handler we receive takes a void * as its first argument. We +- * cannot change this because it needs to be passed down to the rproc +- * subsystem when SCP is used. VPU takes a const argument, which is +- * more constrained, so the conversion below is safe. +- */ +- ipi_handler_t handler_const = (ipi_handler_t)handler; +- +- return vpu_ipi_register(fw->pdev, id, handler_const, name, priv); ++ return vpu_ipi_register(fw->pdev, id, handler, name, priv); + } + + static int mtk_vcodec_vpu_ipi_send(struct mtk_vcodec_fw *fw, int id, void *buf, +diff --git a/drivers/media/platform/mtk-vpu/mtk_vpu.c b/drivers/media/platform/mtk-vpu/mtk_vpu.c +index e7c4b0dd588a9..a2f61d97ffeb1 100644 +--- a/drivers/media/platform/mtk-vpu/mtk_vpu.c ++++ b/drivers/media/platform/mtk-vpu/mtk_vpu.c +@@ -612,7 +612,7 @@ int vpu_load_firmware(struct platform_device *pdev) + } + EXPORT_SYMBOL_GPL(vpu_load_firmware); + +-static void vpu_init_ipi_handler(const void *data, unsigned int len, void *priv) ++static void vpu_init_ipi_handler(void *data, unsigned int len, void *priv) + { + struct mtk_vpu *vpu = priv; + const struct vpu_run *run = data; +diff --git a/drivers/media/platform/mtk-vpu/mtk_vpu.h b/drivers/media/platform/mtk-vpu/mtk_vpu.h +index ee7c552ce9289..d4453b4bcee92 100644 +--- a/drivers/media/platform/mtk-vpu/mtk_vpu.h ++++ b/drivers/media/platform/mtk-vpu/mtk_vpu.h +@@ -15,7 +15,7 @@ + * VPU interfaces with other blocks by share memory and interrupt. 
+ **/ + +-typedef void (*ipi_handler_t) (const void *data, ++typedef void (*ipi_handler_t) (void *data, + unsigned int len, + void *priv); + +-- +2.43.0 + diff --git a/queue-5.10/media-pvrusb2-fix-pvr2_stream_callback-casts.patch b/queue-5.10/media-pvrusb2-fix-pvr2_stream_callback-casts.patch new file mode 100644 index 00000000000..dfbef3ae94e --- /dev/null +++ b/queue-5.10/media-pvrusb2-fix-pvr2_stream_callback-casts.patch 
@@ -0,0 +1,115 @@ +From d042f52bd57f0026d5e72187ad1732d5c3b9cc88 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Feb 2024 11:04:27 +0100 +Subject: media: pvrusb2: fix pvr2_stream_callback casts + +From: Arnd Bergmann + +[ Upstream commit 30baa4a96b23add91a87305baaeba82c4e109e1f ] + +clang-16 complains about a control flow integrity (KCFI) issue in pvrusb2, +which casts three different prototypes into pvr2_stream_callback: + +drivers/media/usb/pvrusb2/pvrusb2-v4l2.c:1070:30: error: cast from 'void (*)(struct pvr2_v4l2_fh *)' to 'pvr2_stream_callback' (aka 'void (*)(void *)') converts to incompatible function type [-Werror,-Wcast-function-type-strict] + 1070 | pvr2_stream_set_callback(sp,(pvr2_stream_callback)pvr2_v4l2_notify,fh); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +drivers/media/usb/pvrusb2/pvrusb2-context.c:110:6: error: cast from 'void (*)(struct pvr2_context *)' to 'void (*)(void *)' converts to incompatible function type [-Werror,-Wcast-function-type-strict] + 110 | (void (*)(void *))pvr2_context_notify, + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +drivers/media/usb/pvrusb2/pvrusb2-dvb.c:152:6: error: cast from 'void (*)(struct pvr2_dvb_adapter *)' to 'pvr2_stream_callback' (aka 'void (*)(void *)') converts to incompatible function type [-Werror,-Wcast-function-type-strict] + 152 | (pvr2_stream_callback) pvr2_dvb_notify, adap); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Change the functions to actually take a void* argument so the cast is no longer +needed. 
+ +Fixes: bb8ce9d9143c ("V4L/DVB (7682): pvrusb2-dvb: finish up stream & buffer handling") +Signed-off-by: Arnd Bergmann +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/usb/pvrusb2/pvrusb2-context.c | 8 ++++---- + drivers/media/usb/pvrusb2/pvrusb2-dvb.c | 6 ++++-- + drivers/media/usb/pvrusb2/pvrusb2-v4l2.c | 6 ++++-- + 3 files changed, 12 insertions(+), 8 deletions(-) + +diff --git a/drivers/media/usb/pvrusb2/pvrusb2-context.c b/drivers/media/usb/pvrusb2/pvrusb2-context.c +index 1764674de98bc..58f2f3ff10ee2 100644 +--- a/drivers/media/usb/pvrusb2/pvrusb2-context.c ++++ b/drivers/media/usb/pvrusb2/pvrusb2-context.c +@@ -90,8 +90,10 @@ static void pvr2_context_destroy(struct pvr2_context *mp) + } + + +-static void pvr2_context_notify(struct pvr2_context *mp) ++static void pvr2_context_notify(void *ptr) + { ++ struct pvr2_context *mp = ptr; ++ + pvr2_context_set_notify(mp,!0); + } + +@@ -106,9 +108,7 @@ static void pvr2_context_check(struct pvr2_context *mp) + pvr2_trace(PVR2_TRACE_CTXT, + "pvr2_context %p (initialize)", mp); + /* Finish hardware initialization */ +- if (pvr2_hdw_initialize(mp->hdw, +- (void (*)(void *))pvr2_context_notify, +- mp)) { ++ if (pvr2_hdw_initialize(mp->hdw, pvr2_context_notify, mp)) { + mp->video_stream.stream = + pvr2_hdw_get_video_stream(mp->hdw); + /* Trigger interface initialization. 
By doing this +diff --git a/drivers/media/usb/pvrusb2/pvrusb2-dvb.c b/drivers/media/usb/pvrusb2/pvrusb2-dvb.c +index 6954584526a32..1b768e7466721 100644 +--- a/drivers/media/usb/pvrusb2/pvrusb2-dvb.c ++++ b/drivers/media/usb/pvrusb2/pvrusb2-dvb.c +@@ -88,8 +88,10 @@ static int pvr2_dvb_feed_thread(void *data) + return stat; + } + +-static void pvr2_dvb_notify(struct pvr2_dvb_adapter *adap) ++static void pvr2_dvb_notify(void *ptr) + { ++ struct pvr2_dvb_adapter *adap = ptr; ++ + wake_up(&adap->buffer_wait_data); + } + +@@ -149,7 +151,7 @@ static int pvr2_dvb_stream_do_start(struct pvr2_dvb_adapter *adap) + } + + pvr2_stream_set_callback(pvr->video_stream.stream, +- (pvr2_stream_callback) pvr2_dvb_notify, adap); ++ pvr2_dvb_notify, adap); + + ret = pvr2_stream_set_buffer_count(stream, PVR2_DVB_BUFFER_COUNT); + if (ret < 0) return ret; +diff --git a/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c b/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c +index c872868becbdc..29f2e767f236f 100644 +--- a/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c ++++ b/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c +@@ -1037,8 +1037,10 @@ static int pvr2_v4l2_open(struct file *file) + } + + +-static void pvr2_v4l2_notify(struct pvr2_v4l2_fh *fhp) ++static void pvr2_v4l2_notify(void *ptr) + { ++ struct pvr2_v4l2_fh *fhp = ptr; ++ + wake_up(&fhp->wait_data); + } + +@@ -1071,7 +1073,7 @@ static int pvr2_v4l2_iosetup(struct pvr2_v4l2_fh *fh) + + hdw = fh->channel.mc_head->hdw; + sp = fh->pdi->stream->stream; +- pvr2_stream_set_callback(sp,(pvr2_stream_callback)pvr2_v4l2_notify,fh); ++ pvr2_stream_set_callback(sp, pvr2_v4l2_notify, fh); + pvr2_hdw_set_stream_type(hdw,fh->pdi->config); + if ((ret = pvr2_hdw_set_streaming(hdw,!0)) < 0) return ret; + return pvr2_ioread_set_enabled(fh->rhp,!0); +-- +2.43.0 + diff --git a/queue-5.10/media-pvrusb2-fix-uaf-in-pvr2_context_set_notify.patch b/queue-5.10/media-pvrusb2-fix-uaf-in-pvr2_context_set_notify.patch new file mode 100644 index 00000000000..294945444c8 --- /dev/null 
+++ b/queue-5.10/media-pvrusb2-fix-uaf-in-pvr2_context_set_notify.patch 
@@ -0,0 +1,75 @@ +From aabfb7269f88c563c9ed7c9e87f57bae7fe093bf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Feb 2024 15:30:47 +0800 +Subject: media: pvrusb2: fix uaf in pvr2_context_set_notify + +From: Edward Adam Davis + +[ Upstream commit 0a0b79ea55de8514e1750884e5fec77f9fdd01ee ] + +[Syzbot reported] +BUG: KASAN: slab-use-after-free in pvr2_context_set_notify+0x2c4/0x310 drivers/media/usb/pvrusb2/pvrusb2-context.c:35 +Read of size 4 at addr ffff888113aeb0d8 by task kworker/1:1/26 + +CPU: 1 PID: 26 Comm: kworker/1:1 Not tainted 6.8.0-rc1-syzkaller-00046-gf1a27f081c1f #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024 +Workqueue: usb_hub_wq hub_event +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106 + print_address_description mm/kasan/report.c:377 [inline] + print_report+0xc4/0x620 mm/kasan/report.c:488 + kasan_report+0xda/0x110 mm/kasan/report.c:601 + pvr2_context_set_notify+0x2c4/0x310 drivers/media/usb/pvrusb2/pvrusb2-context.c:35 + pvr2_context_notify drivers/media/usb/pvrusb2/pvrusb2-context.c:95 [inline] + pvr2_context_disconnect+0x94/0xb0 drivers/media/usb/pvrusb2/pvrusb2-context.c:272 + +Freed by task 906: +kasan_save_stack+0x33/0x50 mm/kasan/common.c:47 +kasan_save_track+0x14/0x30 mm/kasan/common.c:68 +kasan_save_free_info+0x3f/0x60 mm/kasan/generic.c:640 +poison_slab_object mm/kasan/common.c:241 [inline] +__kasan_slab_free+0x106/0x1b0 mm/kasan/common.c:257 +kasan_slab_free include/linux/kasan.h:184 [inline] +slab_free_hook mm/slub.c:2121 [inline] +slab_free mm/slub.c:4299 [inline] +kfree+0x105/0x340 mm/slub.c:4409 +pvr2_context_check drivers/media/usb/pvrusb2/pvrusb2-context.c:137 [inline] +pvr2_context_thread_func+0x69d/0x960 drivers/media/usb/pvrusb2/pvrusb2-context.c:158 + +[Analyze] +Task A set disconnect_flag = !0, which resulted in Task B's condition being met +and releasing mp, leading to this issue. 
+ +[Fix] +Place the disconnect_flag assignment operation after all code in pvr2_context_disconnect() +to avoid this issue. + +Reported-and-tested-by: syzbot+ce750e124675d4599449@syzkaller.appspotmail.com +Fixes: e5be15c63804 ("V4L/DVB (7711): pvrusb2: Fix race on module unload") +Signed-off-by: Edward Adam Davis +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/usb/pvrusb2/pvrusb2-context.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/usb/pvrusb2/pvrusb2-context.c b/drivers/media/usb/pvrusb2/pvrusb2-context.c +index 58f2f3ff10ee2..73c95ba2328a4 100644 +--- a/drivers/media/usb/pvrusb2/pvrusb2-context.c ++++ b/drivers/media/usb/pvrusb2/pvrusb2-context.c +@@ -267,9 +267,9 @@ static void pvr2_context_exit(struct pvr2_context *mp) + void pvr2_context_disconnect(struct pvr2_context *mp) + { + pvr2_hdw_disconnect(mp->hdw); +- mp->disconnect_flag = !0; + if (!pvr2_context_shutok()) + pvr2_context_notify(mp); ++ mp->disconnect_flag = !0; + } + + +-- +2.43.0 + diff --git a/queue-5.10/media-pvrusb2-remove-redundant-null-check.patch b/queue-5.10/media-pvrusb2-remove-redundant-null-check.patch new file mode 100644 index 00000000000..919f4c8e784 --- /dev/null +++ b/queue-5.10/media-pvrusb2-remove-redundant-null-check.patch 
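Review bot: The fix depends entirely on `mp->disconnect_flag = !0;` being the last access to `mp` in pvr2_context_disconnect(), but nothing in the code says so and the store is a plain assignment. A comment such as `/* Must be last: the context thread may free mp as soon as it sees disconnect_flag. */` would stop a later edit from reintroducing the use-after-free. Whether the context thread reads the flag under a lock or with a barrier is not visible in this hunk; if it does not, pairing the store with its reader (for example `smp_store_release()` here and `smp_load_acquire()` on the reading side) would make the ordering explicit rather than incidental.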
@@ -0,0 +1,41 @@ +From bd9d661f4c7706666695c801d619cf327bde4bd4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 11 Feb 2024 07:07:25 -0800 +Subject: media: pvrusb2: remove redundant NULL check + +From: Daniil Dulov + +[ Upstream commit 95ac1210fb2753f968ebce0730d4fbc553c2a3dc ] + +Pointer dip->stream cannot be NULL due to a shift, thus remove redundant +NULL check. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: c74e0062684b ("V4L/DVB (5059): Pvrusb2: Be smarter about mode restoration") +Signed-off-by: Daniil Dulov +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/usb/pvrusb2/pvrusb2-v4l2.c | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c b/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c +index 9657c18833116..c872868becbdc 100644 +--- a/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c ++++ b/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c +@@ -1202,11 +1202,6 @@ static void pvr2_v4l2_dev_init(struct pvr2_v4l2_dev *dip, + dip->minor_type = pvr2_v4l_type_video; + nr_ptr = video_nr; + caps |= V4L2_CAP_VIDEO_CAPTURE | V4L2_CAP_AUDIO; +- if (!dip->stream) { +- pr_err(KBUILD_MODNAME +- ": Failed to set up pvrusb2 v4l video dev due to missing stream instance\n"); +- return; +- } + break; + case VFL_TYPE_VBI: + dip->config = pvr2_config_vbi; +-- +2.43.0 + diff --git a/queue-5.10/media-sun8i-di-fix-chroma-difference-threshold.patch b/queue-5.10/media-sun8i-di-fix-chroma-difference-threshold.patch new file mode 100644 index 00000000000..0932d11a4a4 --- /dev/null +++ b/queue-5.10/media-sun8i-di-fix-chroma-difference-threshold.patch 
@@ -0,0 +1,36 @@ +From 62079d6af60fddacbf05f546da2c6d41c6259e6b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 16 Dec 2023 14:34:22 +0100 +Subject: media: sun8i-di: Fix chroma difference threshold + +From: Jernej Skrabec + +[ Upstream commit 856525e8db272b0ce6d9c6e6c2eeb97892b485a6 ] + +While there is no good explanation what this value does, vendor driver +uses value 31 for it. Align driver with it. + +Fixes: a4260ea49547 ("media: sun4i: Add H3 deinterlace driver") +Signed-off-by: Jernej Skrabec +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/platform/sunxi/sun8i-di/sun8i-di.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/platform/sunxi/sun8i-di/sun8i-di.c b/drivers/media/platform/sunxi/sun8i-di/sun8i-di.c +index cb6d32c59191f..f0d2bcbe20b0d 100644 +--- a/drivers/media/platform/sunxi/sun8i-di/sun8i-di.c ++++ b/drivers/media/platform/sunxi/sun8i-di/sun8i-di.c +@@ -304,7 +304,7 @@ static void deinterlace_init(struct deinterlace_dev *dev) + + deinterlace_clr_set_bits(dev, DEINTERLACE_CHROMA_DIFF, + DEINTERLACE_CHROMA_DIFF_TH_MSK, +- DEINTERLACE_CHROMA_DIFF_TH(5)); ++ DEINTERLACE_CHROMA_DIFF_TH(31)); + } + + static inline struct deinterlace_ctx *deinterlace_file2ctx(struct file *file) +-- +2.43.0 + diff --git a/queue-5.10/media-sun8i-di-fix-coefficient-writes.patch b/queue-5.10/media-sun8i-di-fix-coefficient-writes.patch new file mode 100644 index 00000000000..c3a914b86fd --- /dev/null +++ b/queue-5.10/media-sun8i-di-fix-coefficient-writes.patch 
@@ -0,0 +1,102 @@ +From 75aac5998678340b6fe76a54d37adb5d0acd5109 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 16 Dec 2023 14:34:20 +0100 +Subject: media: sun8i-di: Fix coefficient writes + +From: Jernej Skrabec + +[ Upstream commit 794b581f8c6eb7b60fe468ccb96dd3cd38ff779f ] + +Currently coefficients are applied only once, since they don't change. +However, this is done before enable bit is set and thus it doesn't get +applied properly. + +Fix that by applying coefficients after enable bit is set. While this +means that it will be done evey time, it doesn't bring much time +penalty. + +Fixes: a4260ea49547 ("media: sun4i: Add H3 deinterlace driver") +Signed-off-by: Jernej Skrabec +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + .../media/platform/sunxi/sun8i-di/sun8i-di.c | 42 +++++++++---------- + 1 file changed, 21 insertions(+), 21 deletions(-) + +diff --git a/drivers/media/platform/sunxi/sun8i-di/sun8i-di.c b/drivers/media/platform/sunxi/sun8i-di/sun8i-di.c +index 2c159483c56ba..a9d3272940be0 100644 +--- a/drivers/media/platform/sunxi/sun8i-di/sun8i-di.c ++++ b/drivers/media/platform/sunxi/sun8i-di/sun8i-di.c +@@ -66,6 +66,7 @@ static void deinterlace_device_run(void *priv) + struct vb2_v4l2_buffer *src, *dst; + unsigned int hstep, vstep; + dma_addr_t addr; ++ int i; + + src = v4l2_m2m_next_src_buf(ctx->fh.m2m_ctx); + dst = v4l2_m2m_next_dst_buf(ctx->fh.m2m_ctx); +@@ -160,6 +161,26 @@ static void deinterlace_device_run(void *priv) + deinterlace_write(dev, DEINTERLACE_CH1_HORZ_FACT, hstep); + deinterlace_write(dev, DEINTERLACE_CH1_VERT_FACT, vstep); + ++ /* neutral filter coefficients */ ++ deinterlace_set_bits(dev, DEINTERLACE_FRM_CTRL, ++ DEINTERLACE_FRM_CTRL_COEF_ACCESS); ++ readl_poll_timeout(dev->base + DEINTERLACE_STATUS, val, ++ val & DEINTERLACE_STATUS_COEF_STATUS, 2, 40); ++ ++ for (i = 0; i < 32; i++) { ++ deinterlace_write(dev, DEINTERLACE_CH0_HORZ_COEF0 + i * 4, ++ DEINTERLACE_IDENTITY_COEF); ++ deinterlace_write(dev, 
DEINTERLACE_CH0_VERT_COEF + i * 4, ++ DEINTERLACE_IDENTITY_COEF); ++ deinterlace_write(dev, DEINTERLACE_CH1_HORZ_COEF0 + i * 4, ++ DEINTERLACE_IDENTITY_COEF); ++ deinterlace_write(dev, DEINTERLACE_CH1_VERT_COEF + i * 4, ++ DEINTERLACE_IDENTITY_COEF); ++ } ++ ++ deinterlace_clr_set_bits(dev, DEINTERLACE_FRM_CTRL, ++ DEINTERLACE_FRM_CTRL_COEF_ACCESS, 0); ++ + deinterlace_clr_set_bits(dev, DEINTERLACE_FIELD_CTRL, + DEINTERLACE_FIELD_CTRL_FIELD_CNT_MSK, + DEINTERLACE_FIELD_CTRL_FIELD_CNT(ctx->field)); +@@ -248,7 +269,6 @@ static irqreturn_t deinterlace_irq(int irq, void *data) + static void deinterlace_init(struct deinterlace_dev *dev) + { + u32 val; +- int i; + + deinterlace_write(dev, DEINTERLACE_BYPASS, + DEINTERLACE_BYPASS_CSC); +@@ -285,26 +305,6 @@ static void deinterlace_init(struct deinterlace_dev *dev) + deinterlace_clr_set_bits(dev, DEINTERLACE_CHROMA_DIFF, + DEINTERLACE_CHROMA_DIFF_TH_MSK, + DEINTERLACE_CHROMA_DIFF_TH(5)); +- +- /* neutral filter coefficients */ +- deinterlace_set_bits(dev, DEINTERLACE_FRM_CTRL, +- DEINTERLACE_FRM_CTRL_COEF_ACCESS); +- readl_poll_timeout(dev->base + DEINTERLACE_STATUS, val, +- val & DEINTERLACE_STATUS_COEF_STATUS, 2, 40); +- +- for (i = 0; i < 32; i++) { +- deinterlace_write(dev, DEINTERLACE_CH0_HORZ_COEF0 + i * 4, +- DEINTERLACE_IDENTITY_COEF); +- deinterlace_write(dev, DEINTERLACE_CH0_VERT_COEF + i * 4, +- DEINTERLACE_IDENTITY_COEF); +- deinterlace_write(dev, DEINTERLACE_CH1_HORZ_COEF0 + i * 4, +- DEINTERLACE_IDENTITY_COEF); +- deinterlace_write(dev, DEINTERLACE_CH1_VERT_COEF + i * 4, +- DEINTERLACE_IDENTITY_COEF); +- } +- +- deinterlace_clr_set_bits(dev, DEINTERLACE_FRM_CTRL, +- DEINTERLACE_FRM_CTRL_COEF_ACCESS, 0); + } + + static inline struct deinterlace_ctx *deinterlace_file2ctx(struct file *file) +-- +2.43.0 + diff --git a/queue-5.10/media-sun8i-di-fix-power-on-off-sequences.patch b/queue-5.10/media-sun8i-di-fix-power-on-off-sequences.patch new file mode 100644 index 00000000000..34c48a10da2 --- /dev/null 
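Review bot: The moved block ignores the result of `readl_poll_timeout()`, and now that it runs on every deinterlace_device_run() a timeout means the coefficient writes are issued without the status bit ever having been seen. Checking it, for example `if (readl_poll_timeout(...)) dev_warn(dev->dev, "coefficient access timed out\n");`, would make that visible instead of silently producing wrong output. The hunk adds only `int i;` to deinterlace_device_run(), so `val` must already be declared there; that declaration is outside the hunk and should be confirmed for the 5.10 backport.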
+++ b/queue-5.10/media-sun8i-di-fix-power-on-off-sequences.patch 
@@ -0,0 +1,88 @@ +From 5c1030296687a63b084dfd8fce35bca613fad7b3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 16 Dec 2023 14:34:21 +0100 +Subject: media: sun8i-di: Fix power on/off sequences + +From: Jernej Skrabec + +[ Upstream commit cff104e33bad38f4b2c8d58816a7accfaa2879f9 ] + +According to user manual, reset line should be deasserted before clocks +are enabled. Also fix power down sequence to be reverse of that. + +Fixes: a4260ea49547 ("media: sun4i: Add H3 deinterlace driver") +Signed-off-by: Jernej Skrabec +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + .../media/platform/sunxi/sun8i-di/sun8i-di.c | 25 ++++++++++--------- + 1 file changed, 13 insertions(+), 12 deletions(-) + +diff --git a/drivers/media/platform/sunxi/sun8i-di/sun8i-di.c b/drivers/media/platform/sunxi/sun8i-di/sun8i-di.c +index a9d3272940be0..cb6d32c59191f 100644 +--- a/drivers/media/platform/sunxi/sun8i-di/sun8i-di.c ++++ b/drivers/media/platform/sunxi/sun8i-di/sun8i-di.c +@@ -937,11 +937,18 @@ static int deinterlace_runtime_resume(struct device *device) + return ret; + } + ++ ret = reset_control_deassert(dev->rstc); ++ if (ret) { ++ dev_err(dev->dev, "Failed to apply reset\n"); ++ ++ goto err_exclusive_rate; ++ } ++ + ret = clk_prepare_enable(dev->bus_clk); + if (ret) { + dev_err(dev->dev, "Failed to enable bus clock\n"); + +- goto err_exclusive_rate; ++ goto err_rst; + } + + ret = clk_prepare_enable(dev->mod_clk); +@@ -958,23 +965,16 @@ static int deinterlace_runtime_resume(struct device *device) + goto err_mod_clk; + } + +- ret = reset_control_deassert(dev->rstc); +- if (ret) { +- dev_err(dev->dev, "Failed to apply reset\n"); +- +- goto err_ram_clk; +- } +- + deinterlace_init(dev); + + return 0; + +-err_ram_clk: +- clk_disable_unprepare(dev->ram_clk); + err_mod_clk: + clk_disable_unprepare(dev->mod_clk); + err_bus_clk: + clk_disable_unprepare(dev->bus_clk); ++err_rst: ++ reset_control_assert(dev->rstc); + err_exclusive_rate: + clk_rate_exclusive_put(dev->mod_clk); 
+ +@@ -985,11 +985,12 @@ static int deinterlace_runtime_suspend(struct device *device) + { + struct deinterlace_dev *dev = dev_get_drvdata(device); + +- reset_control_assert(dev->rstc); +- + clk_disable_unprepare(dev->ram_clk); + clk_disable_unprepare(dev->mod_clk); + clk_disable_unprepare(dev->bus_clk); ++ ++ reset_control_assert(dev->rstc); ++ + clk_rate_exclusive_put(dev->mod_clk); + + return 0; +-- +2.43.0 + diff --git a/queue-5.10/media-tc358743-register-v4l2-async-device-only-after.patch b/queue-5.10/media-tc358743-register-v4l2-async-device-only-after.patch new file mode 100644 index 00000000000..0fdd9310b2b --- /dev/null +++ b/queue-5.10/media-tc358743-register-v4l2-async-device-only-after.patch 
@@ -0,0 +1,51 @@ +From 49b0525900b6448a5cf562c7d94d35add060b666 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Jan 2024 10:01:11 +0100 +Subject: media: tc358743: register v4l2 async device only after successful + setup + +From: Alexander Stein + +[ Upstream commit 87399f1ff92203d65f1febf5919429f4bb613a02 ] + +Ensure the device has been setup correctly before registering the v4l2 +async device, thus allowing userspace to access. + +Signed-off-by: Alexander Stein +Reviewed-by: Robert Foss +Fixes: 4c5211a10039 ("[media] tc358743: register v4l2 asynchronous subdevice") +Signed-off-by: Robert Foss +Link: https://patchwork.freedesktop.org/patch/msgid/20240110090111.458115-1-alexander.stein@ew.tq-group.com +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/tc358743.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/media/i2c/tc358743.c b/drivers/media/i2c/tc358743.c +index f21da11caf224..8bcb4b354c895 100644 +--- a/drivers/media/i2c/tc358743.c ++++ b/drivers/media/i2c/tc358743.c +@@ -2108,9 +2108,6 @@ static int tc358743_probe(struct i2c_client *client) + state->mbus_fmt_code = MEDIA_BUS_FMT_RGB888_1X24; + + sd->dev = &client->dev; +- err = v4l2_async_register_subdev(sd); +- if (err < 0) +- goto err_hdl; + + mutex_init(&state->confctl_mutex); + +@@ -2168,6 +2165,10 @@ static int tc358743_probe(struct i2c_client *client) + if (err) + goto err_work_queues; + ++ err = v4l2_async_register_subdev(sd); ++ if (err < 0) ++ goto err_work_queues; ++ + v4l2_info(sd, "%s found @ 0x%x (%s)\n", client->name, + client->addr << 1, client->adapter->name); + +-- +2.43.0 + diff --git a/queue-5.10/media-ttpci-fix-two-memleaks-in-budget_av_attach.patch b/queue-5.10/media-ttpci-fix-two-memleaks-in-budget_av_attach.patch new file mode 100644 index 00000000000..99c08769157 --- /dev/null +++ b/queue-5.10/media-ttpci-fix-two-memleaks-in-budget_av_attach.patch 
@@ -0,0 +1,52 @@ +From a99e14dc893e4379e3153e27dcccfb51cb316524 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Feb 2024 13:17:04 +0800 +Subject: media: ttpci: fix two memleaks in budget_av_attach + +From: Zhipeng Lu + +[ Upstream commit d0b07f712bf61e1a3cf23c87c663791c42e50837 ] + +When saa7146_register_device and saa7146_vv_init fails, budget_av_attach +should free the resources it allocates, like the error-handling of +ttpci_budget_init does. Besides, there are two fixme comment refers to +such deallocations. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Zhipeng Lu +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/pci/ttpci/budget-av.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/media/pci/ttpci/budget-av.c b/drivers/media/pci/ttpci/budget-av.c +index 3cb83005cf09b..519f85e0a397d 100644 +--- a/drivers/media/pci/ttpci/budget-av.c ++++ b/drivers/media/pci/ttpci/budget-av.c +@@ -1462,7 +1462,8 @@ static int budget_av_attach(struct saa7146_dev *dev, struct saa7146_pci_extensio + budget_av->has_saa7113 = 1; + err = saa7146_vv_init(dev, &vv_data); + if (err != 0) { +- /* fixme: proper cleanup here */ ++ ttpci_budget_deinit(&budget_av->budget); ++ kfree(budget_av); + ERR("cannot init vv subsystem\n"); + return err; + } +@@ -1471,9 +1472,10 @@ static int budget_av_attach(struct saa7146_dev *dev, struct saa7146_pci_extensio + vv_data.vid_ops.vidioc_s_input = vidioc_s_input; + + if ((err = saa7146_register_device(&budget_av->vd, dev, "knc1", VFL_TYPE_VIDEO))) { +- /* fixme: proper cleanup here */ +- ERR("cannot register capture v4l2 device\n"); + saa7146_vv_release(dev); ++ ttpci_budget_deinit(&budget_av->budget); ++ kfree(budget_av); ++ ERR("cannot register capture v4l2 device\n"); + return err; + } + +-- +2.43.0 + 
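Review bot: Both failure branches added to `budget_av_attach()` spell out the same teardown inline (`ttpci_budget_deinit(&budget_av->budget); kfree(budget_av);`), the second with `saa7146_vv_release(dev)` in front of it, so a cleanup step added to one branch later is easy to miss in the other. Two labels at the end of the function, for example `err_vv_release:` falling through to `err_deinit:`, would keep the unwind order in one place. The `v4l2_m2m_register_entity()` patch in this queue repeats `kfree(entity->name); entity->name = NULL;` in both of its branches in the same way. Unlike that patch, `budget_av` is freed here without clearing any pointer that may still refer to it; whether such a pointer exists cannot be seen, because the function body begins outside the hunk.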
diff --git a/queue-5.10/media-v4l2-mem2mem-fix-a-memleak-in-v4l2_m2m_registe.patch b/queue-5.10/media-v4l2-mem2mem-fix-a-memleak-in-v4l2_m2m_registe.patch new file mode 100644 index 00000000000..54443ee51d9 --- /dev/null +++ b/queue-5.10/media-v4l2-mem2mem-fix-a-memleak-in-v4l2_m2m_registe.patch @@ -0,0 +1,48 @@ +From 8eb10dbb02b1696021e3fb9eff168102f689e871 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Feb 2024 20:48:44 +0800 +Subject: media: v4l2-mem2mem: fix a memleak in v4l2_m2m_register_entity + +From: Zhipeng Lu + +[ Upstream commit 8f94b49a5b5d386c038e355bef6347298aabd211 ] + +The entity->name (i.e. name) is allocated in v4l2_m2m_register_entity +but isn't freed in its following error-handling paths. This patch +adds such deallocation to prevent memleak of entity->name. + +Fixes: be2fff656322 ("media: add helpers for memory-to-memory media controller") +Signed-off-by: Zhipeng Lu +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/v4l2-core/v4l2-mem2mem.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/v4l2-core/v4l2-mem2mem.c b/drivers/media/v4l2-core/v4l2-mem2mem.c +index ad14d52141067..56d320b1a1ca7 100644 +--- a/drivers/media/v4l2-core/v4l2-mem2mem.c ++++ b/drivers/media/v4l2-core/v4l2-mem2mem.c +@@ -1053,11 +1053,17 @@ static int v4l2_m2m_register_entity(struct media_device *mdev, + entity->function = function; + + ret = media_entity_pads_init(entity, num_pads, pads); +- if (ret) ++ if (ret) { ++ kfree(entity->name); ++ entity->name = NULL; + return ret; ++ } + ret = media_device_register_entity(mdev, entity); +- if (ret) ++ if (ret) { ++ kfree(entity->name); ++ entity->name = NULL; + return ret; ++ } + + return 0; + } +-- +2.43.0 + diff --git a/queue-5.10/media-v4l2-tpg-fix-some-memleaks-in-tpg_alloc.patch b/queue-5.10/media-v4l2-tpg-fix-some-memleaks-in-tpg_alloc.patch new file mode 100644 index 00000000000..640f1a7e748 --- /dev/null 
+++ b/queue-5.10/media-v4l2-tpg-fix-some-memleaks-in-tpg_alloc.patch 
@@ -0,0 +1,112 @@ +From 84844898d1792c9b0804637756a219311df9badb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Feb 2024 20:47:53 +0800 +Subject: media: v4l2-tpg: fix some memleaks in tpg_alloc + +From: Zhipeng Lu + +[ Upstream commit 8cf9c5051076e0eb958f4361d50d8b0c3ee6691c ] + +In tpg_alloc, resources should be deallocated in each and every +error-handling paths, since they are allocated in for statements. +Otherwise there would be memleaks because tpg_free is called only when +tpg_alloc return 0. + +Fixes: 63881df94d3e ("[media] vivid: add the Test Pattern Generator") +Signed-off-by: Zhipeng Lu +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/common/v4l2-tpg/v4l2-tpg-core.c | 52 +++++++++++++++---- + 1 file changed, 42 insertions(+), 10 deletions(-) + +diff --git a/drivers/media/common/v4l2-tpg/v4l2-tpg-core.c b/drivers/media/common/v4l2-tpg/v4l2-tpg-core.c +index 7607b516a7c43..68968bfa2edc1 100644 +--- a/drivers/media/common/v4l2-tpg/v4l2-tpg-core.c ++++ b/drivers/media/common/v4l2-tpg/v4l2-tpg-core.c +@@ -113,6 +113,7 @@ int tpg_alloc(struct tpg_data *tpg, unsigned max_w) + { + unsigned pat; + unsigned plane; ++ int ret = 0; + + tpg->max_line_width = max_w; + for (pat = 0; pat < TPG_MAX_PAT_LINES; pat++) { +@@ -121,14 +122,18 @@ int tpg_alloc(struct tpg_data *tpg, unsigned max_w) + + tpg->lines[pat][plane] = + vzalloc(array3_size(max_w, 2, pixelsz)); +- if (!tpg->lines[pat][plane]) +- return -ENOMEM; ++ if (!tpg->lines[pat][plane]) { ++ ret = -ENOMEM; ++ goto free_lines; ++ } + if (plane == 0) + continue; + tpg->downsampled_lines[pat][plane] = + vzalloc(array3_size(max_w, 2, pixelsz)); +- if (!tpg->downsampled_lines[pat][plane]) +- return -ENOMEM; ++ if (!tpg->downsampled_lines[pat][plane]) { ++ ret = -ENOMEM; ++ goto free_lines; ++ } + } + } + for (plane = 0; plane < TPG_MAX_PLANES; plane++) { +@@ -136,18 +141,45 @@ int tpg_alloc(struct tpg_data *tpg, unsigned max_w) + + tpg->contrast_line[plane] = + 
vzalloc(array_size(pixelsz, max_w)); +- if (!tpg->contrast_line[plane]) +- return -ENOMEM; ++ if (!tpg->contrast_line[plane]) { ++ ret = -ENOMEM; ++ goto free_contrast_line; ++ } + tpg->black_line[plane] = + vzalloc(array_size(pixelsz, max_w)); +- if (!tpg->black_line[plane]) +- return -ENOMEM; ++ if (!tpg->black_line[plane]) { ++ ret = -ENOMEM; ++ goto free_contrast_line; ++ } + tpg->random_line[plane] = + vzalloc(array3_size(max_w, 2, pixelsz)); +- if (!tpg->random_line[plane]) +- return -ENOMEM; ++ if (!tpg->random_line[plane]) { ++ ret = -ENOMEM; ++ goto free_contrast_line; ++ } + } + return 0; ++ ++free_contrast_line: ++ for (plane = 0; plane < TPG_MAX_PLANES; plane++) { ++ vfree(tpg->contrast_line[plane]); ++ vfree(tpg->black_line[plane]); ++ vfree(tpg->random_line[plane]); ++ tpg->contrast_line[plane] = NULL; ++ tpg->black_line[plane] = NULL; ++ tpg->random_line[plane] = NULL; ++ } ++free_lines: ++ for (pat = 0; pat < TPG_MAX_PAT_LINES; pat++) ++ for (plane = 0; plane < TPG_MAX_PLANES; plane++) { ++ vfree(tpg->lines[pat][plane]); ++ tpg->lines[pat][plane] = NULL; ++ if (plane == 0) ++ continue; ++ vfree(tpg->downsampled_lines[pat][plane]); ++ tpg->downsampled_lines[pat][plane] = NULL; ++ } ++ return ret; + } + EXPORT_SYMBOL_GPL(tpg_alloc); + +-- +2.43.0 + diff --git a/queue-5.10/mfd-altera-sysmgr-call-of_node_put-only-when-of_pars.patch b/queue-5.10/mfd-altera-sysmgr-call-of_node_put-only-when-of_pars.patch new file mode 100644 index 00000000000..e80f2eba1e9 --- /dev/null +++ b/queue-5.10/mfd-altera-sysmgr-call-of_node_put-only-when-of_pars.patch 
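Review bot: The new unwind loops in `tpg_alloc()` call `vfree()` on every `lines`, `downsampled_lines`, `contrast_line`, `black_line` and `random_line` slot, including slots this call never reached. The error path is therefore only safe if those pointer arrays were NULL on entry, and nothing in the hunk sets them. Presumably the caller zeroes `struct tpg_data` first; that should be confirmed outside this hunk and recorded above the labels, e.g. `/* Slots not reached above must still be NULL; vfree(NULL) is a no-op. */`. The label `free_contrast_line` also releases `black_line` and `random_line`, so a name such as `free_plane_lines` would describe it better.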
@@ -0,0 +1,42 @@
+From eadf829088f3de3f98e7671ec57f48d605f5c1db Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 20 Feb 2024 11:50:12 +0000
+Subject: mfd: altera-sysmgr: Call of_node_put() only when of_parse_phandle()
+ takes a ref
+
+From: Peter Griffin
+
+[ Upstream commit e28c28a34ee9fa2ea671a20e5e7064e6220d55e7 ]
+
+of_parse_phandle() returns a device_node with refcount incremented, which
+the callee needs to call of_node_put() on when done. We should only call
+of_node_put() when the property argument is provided though as otherwise
+nothing has taken a reference on the node.
+
+Fixes: f36e789a1f8d ("mfd: altera-sysmgr: Add SOCFPGA System Manager")
+Signed-off-by: Peter Griffin
+Link: https://lore.kernel.org/r/20240220115012.471689-4-peter.griffin@linaro.org
+Signed-off-by: Lee Jones
+Signed-off-by: Sasha Levin
+---
+ drivers/mfd/altera-sysmgr.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mfd/altera-sysmgr.c b/drivers/mfd/altera-sysmgr.c
+index 591b300d90953..59efe7d5dcaa9 100644
+--- a/drivers/mfd/altera-sysmgr.c
++++ b/drivers/mfd/altera-sysmgr.c
+@@ -110,7 +110,9 @@ struct regmap *altr_sysmgr_regmap_lookup_by_phandle(struct device_node *np,
+
+ dev = driver_find_device_by_of_node(&altr_sysmgr_driver.driver,
+ (void *)sysmgr_np);
+- of_node_put(sysmgr_np);
++ if (property)
++ of_node_put(sysmgr_np);
++
+ if (!dev)
+ return ERR_PTR(-EPROBE_DEFER);
+
+--
+2.43.0
+
diff --git a/queue-5.10/mfd-syscon-call-of_node_put-only-when-of_parse_phand.patch b/queue-5.10/mfd-syscon-call-of_node_put-only-when-of_parse_phand.patch
new file mode 100644
index 00000000000..7d2fa598834
--- /dev/null
+++ b/queue-5.10/mfd-syscon-call-of_node_put-only-when-of_parse_phand.patch
@@ -0,0 +1,42 @@
+From 5b9e914e720ce03ff6b717232264bda6f6f40ee6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 20 Feb 2024 11:50:10 +0000
+Subject: mfd: syscon: Call of_node_put() only when of_parse_phandle() takes a
+ ref
+
+From: Peter Griffin
+
+[ Upstream commit d2b0680cf3b05490b579e71b0df6e07451977745 ]
+
+of_parse_phandle() returns a device_node with refcount incremented, which
+the callee needs to call of_node_put() on when done. We should only call
+of_node_put() when the property argument is provided though as otherwise
+nothing has taken a reference on the node.
+
+Fixes: 45330bb43421 ("mfd: syscon: Allow property as NULL in syscon_regmap_lookup_by_phandle")
+Signed-off-by: Peter Griffin
+Link: https://lore.kernel.org/r/20240220115012.471689-2-peter.griffin@linaro.org
+Signed-off-by: Lee Jones
+Signed-off-by: Sasha Levin
+---
+ drivers/mfd/syscon.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mfd/syscon.c b/drivers/mfd/syscon.c
+index 60f74144a4f88..4d536a097e8cb 100644
+--- a/drivers/mfd/syscon.c
++++ b/drivers/mfd/syscon.c
+@@ -224,7 +224,9 @@ struct regmap *syscon_regmap_lookup_by_phandle(struct device_node *np,
+ return ERR_PTR(-ENODEV);
+
+ regmap = syscon_node_to_regmap(syscon_np);
+- of_node_put(syscon_np);
++
++ if (property)
++ of_node_put(syscon_np);
+
+ return regmap;
+ }
+--
+2.43.0
+
diff --git a/queue-5.10/mmc-wmt-sdmmc-remove-an-incorrect-release_mem_region.patch b/queue-5.10/mmc-wmt-sdmmc-remove-an-incorrect-release_mem_region.patch
new file mode 100644
index 00000000000..bf8d92f1a5e
--- /dev/null
+++ b/queue-5.10/mmc-wmt-sdmmc-remove-an-incorrect-release_mem_region.patch
@@ -0,0 +1,50 @@
+From e8f20b590eb4136677858cfe5308bc02c44546ed Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 26 Feb 2024 22:37:39 +0100
+Subject: mmc: wmt-sdmmc: remove an incorrect release_mem_region() call in the
+ .remove function
+
+From: Christophe JAILLET
+
+[ Upstream commit ae5004a40a262d329039b99b62bd3fe7645b66ad ]
+
+This looks strange to call release_mem_region() in a remove function
+without any request_mem_region() in the probe or "struct resource"
+somewhere.
+
+So remove the corresponding code.
+
+Fixes: 3a96dff0f828 ("mmc: SD/MMC Host Controller for Wondermedia WM8505/WM8650")
+Signed-off-by: Christophe JAILLET
+Link: https://lore.kernel.org/r/bb0bb1ed1e18de55e8c0547625bde271e64b8c31.1708983064.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Ulf Hansson
+Signed-off-by: Sasha Levin
+---
+ drivers/mmc/host/wmt-sdmmc.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/drivers/mmc/host/wmt-sdmmc.c b/drivers/mmc/host/wmt-sdmmc.c
+index 3933195488575..3fcc81e48ad66 100644
+--- a/drivers/mmc/host/wmt-sdmmc.c
++++ b/drivers/mmc/host/wmt-sdmmc.c
+@@ -889,7 +889,6 @@ static int wmt_mci_remove(struct platform_device *pdev)
+ {
+ struct mmc_host *mmc;
+ struct wmt_mci_priv *priv;
+- struct resource *res;
+ u32 reg_tmp;
+
+ mmc = platform_get_drvdata(pdev);
+@@ -917,9 +916,6 @@ static int wmt_mci_remove(struct platform_device *pdev)
+ clk_disable_unprepare(priv->clk_sdmmc);
+ clk_put(priv->clk_sdmmc);
+
+- res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+- release_mem_region(res->start, resource_size(res));
+-
+ mmc_free_host(mmc);
+
+ dev_info(&pdev->dev, "WMT MCI device removed\n");
+--
+2.43.0
+
diff --git a/queue-5.10/mtd-maps-physmap-core-fix-flash-size-larger-than-32-.patch b/queue-5.10/mtd-maps-physmap-core-fix-flash-size-larger-than-32-.patch
new file mode 100644
index 00000000000..f20bf6b6aa0
--- /dev/null
+++ b/queue-5.10/mtd-maps-physmap-core-fix-flash-size-larger-than-32-.patch
@@ -0,0 +1,39 @@ +From 8833225b833079d458903961aefb6effc08cea3b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Feb 2024 12:34:18 +0200 +Subject: mtd: maps: physmap-core: fix flash size larger than 32-bit + +From: Baruch Siach + +[ Upstream commit 3884f03edd34887514a0865a80769cd5362d5c3b ] + +mtd-ram can potentially be larger than 4GB. get_bitmask_order() uses +fls() that is not guaranteed to work with values larger than 32-bit. +Specifically on aarch64 fls() returns 0 when all 32 LSB bits are clear. +Use fls64() instead. + +Fixes: ba32ce95cbd987 ("mtd: maps: Merge gpio-addr-flash.c into physmap-core.c") +Signed-off-by: Baruch Siach +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/9fbf3664ce00f8b07867f1011834015f21d162a5.1707388458.git.baruch@tkos.co.il +Signed-off-by: Sasha Levin +--- + drivers/mtd/maps/physmap-core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/mtd/maps/physmap-core.c b/drivers/mtd/maps/physmap-core.c +index 9ab795f03c546..e5552093585e2 100644 +--- a/drivers/mtd/maps/physmap-core.c ++++ b/drivers/mtd/maps/physmap-core.c +@@ -528,7 +528,7 @@ static int physmap_flash_probe(struct platform_device *dev) + if (!info->maps[i].phys) + info->maps[i].phys = res->start; + +- info->win_order = get_bitmask_order(resource_size(res)) - 1; ++ info->win_order = fls64(resource_size(res)) - 1; + info->maps[i].size = BIT(info->win_order + + (info->gpios ? + info->gpios->ndescs : 0)); +-- +2.43.0 + diff --git a/queue-5.10/mtd-rawnand-lpc32xx_mlc-fix-irq-handler-prototype.patch b/queue-5.10/mtd-rawnand-lpc32xx_mlc-fix-irq-handler-prototype.patch new file mode 100644 index 00000000000..dc39f6127a5 --- /dev/null +++ b/queue-5.10/mtd-rawnand-lpc32xx_mlc-fix-irq-handler-prototype.patch 
@@ -0,0 +1,52 @@ +From c8a584c10f53c3cc842868d12e87e207017414b5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Feb 2024 11:00:09 +0100 +Subject: mtd: rawnand: lpc32xx_mlc: fix irq handler prototype + +From: Arnd Bergmann + +[ Upstream commit 347b828882e6334690e7003ce5e2fe5f233dc508 ] + +clang-16 warns about mismatched function prototypes: + +drivers/mtd/nand/raw/lpc32xx_mlc.c:783:29: error: cast from 'irqreturn_t (*)(int, struct lpc32xx_nand_host *)' (aka 'enum irqreturn (*)(int, struct lpc32xx_nand_host *)') to 'irq_handler_t' (aka 'enum irqreturn (*)(int, void *)') converts to incompatible function type [-Werror,-Wcast-function-type-strict] + +Change the interrupt handler to the normal way of just passing +a void* pointer and converting it inside the function.. + +Fixes: 70f7cb78ec53 ("mtd: add LPC32xx MLC NAND driver") +Signed-off-by: Arnd Bergmann +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20240213100146.455811-1-arnd@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/mtd/nand/raw/lpc32xx_mlc.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/mtd/nand/raw/lpc32xx_mlc.c b/drivers/mtd/nand/raw/lpc32xx_mlc.c +index 9e728c7317956..db228460a9079 100644 +--- a/drivers/mtd/nand/raw/lpc32xx_mlc.c ++++ b/drivers/mtd/nand/raw/lpc32xx_mlc.c +@@ -304,8 +304,9 @@ static int lpc32xx_nand_device_ready(struct nand_chip *nand_chip) + return 0; + } + +-static irqreturn_t lpc3xxx_nand_irq(int irq, struct lpc32xx_nand_host *host) ++static irqreturn_t lpc3xxx_nand_irq(int irq, void *data) + { ++ struct lpc32xx_nand_host *host = data; + uint8_t sr; + + /* Clear interrupt flag by reading status */ +@@ -780,7 +781,7 @@ static int lpc32xx_nand_probe(struct platform_device *pdev) + goto release_dma_chan; + } + +- if (request_irq(host->irq, (irq_handler_t)&lpc3xxx_nand_irq, ++ if (request_irq(host->irq, &lpc3xxx_nand_irq, + IRQF_TRIGGER_HIGH, DRV_NAME, host)) { + dev_err(&pdev->dev, "Error requesting NAND 
IRQ\n"); + res = -ENXIO; +-- +2.43.0 + diff --git a/queue-5.10/nbd-null-check-for-nla_nest_start.patch b/queue-5.10/nbd-null-check-for-nla_nest_start.patch new file mode 100644 index 00000000000..8709c86aa75 --- /dev/null +++ b/queue-5.10/nbd-null-check-for-nla_nest_start.patch @@ -0,0 +1,43 @@ +From db6e7425d18a3598d7e45f088eae3104de581a8e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 17 Feb 2024 20:25:38 -0800 +Subject: nbd: null check for nla_nest_start + +From: Navid Emamdoost + +[ Upstream commit 31edf4bbe0ba27fd03ac7d87eb2ee3d2a231af6d ] + +nla_nest_start() may fail and return NULL. Insert a check and set errno +based on other call sites within the same source code. + +Signed-off-by: Navid Emamdoost +Reviewed-by: Michal Kubecek +Fixes: 47d902b90a32 ("nbd: add a status netlink command") +Signed-off-by: Kees Cook +Link: https://lore.kernel.org/r/20240218042534.it.206-kees@kernel.org +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/nbd.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c +index e0f805ca0e727..d6e3edb404748 100644 +--- a/drivers/block/nbd.c ++++ b/drivers/block/nbd.c +@@ -2339,6 +2339,12 @@ static int nbd_genl_status(struct sk_buff *skb, struct genl_info *info) + } + + dev_list = nla_nest_start_noflag(reply, NBD_ATTR_DEVICE_LIST); ++ if (!dev_list) { ++ nlmsg_free(reply); ++ ret = -EMSGSIZE; ++ goto out; ++ } ++ + if (index == -1) { + ret = idr_for_each(&nbd_index_idr, &status_cb, reply); + if (ret) { +-- +2.43.0 + diff --git a/queue-5.10/net-blackhole_dev-fix-build-warning-for-ethh-set-but.patch b/queue-5.10/net-blackhole_dev-fix-build-warning-for-ethh-set-but.patch new file mode 100644 index 00000000000..03f996e414b --- /dev/null +++ b/queue-5.10/net-blackhole_dev-fix-build-warning-for-ethh-set-but.patch 
@@ -0,0 +1,49 @@ +From 4758e7518a6fc28b9f6b0990808d2297ead09db0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Feb 2024 07:13:29 -0800 +Subject: net: blackhole_dev: fix build warning for ethh set but not used + +From: Breno Leitao + +[ Upstream commit 843a8851e89e2e85db04caaf88d8554818319047 ] + +lib/test_blackhole_dev.c sets a variable that is never read, causing +this following building warning: + + lib/test_blackhole_dev.c:32:17: warning: variable 'ethh' set but not used [-Wunused-but-set-variable] + +Remove the variable struct ethhdr *ethh, which is unused. + +Fixes: 509e56b37cc3 ("blackhole_dev: add a selftest") +Signed-off-by: Breno Leitao +Reviewed-by: Jiri Pirko +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + lib/test_blackhole_dev.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/lib/test_blackhole_dev.c b/lib/test_blackhole_dev.c +index 4c40580a99a36..f247089d63c08 100644 +--- a/lib/test_blackhole_dev.c ++++ b/lib/test_blackhole_dev.c +@@ -29,7 +29,6 @@ static int __init test_blackholedev_init(void) + { + struct ipv6hdr *ip6h; + struct sk_buff *skb; +- struct ethhdr *ethh; + struct udphdr *uh; + int data_len; + int ret; +@@ -61,7 +60,7 @@ static int __init test_blackholedev_init(void) + ip6h->saddr = in6addr_loopback; + ip6h->daddr = in6addr_loopback; + /* Ether */ +- ethh = (struct ethhdr *)skb_push(skb, sizeof(struct ethhdr)); ++ skb_push(skb, sizeof(struct ethhdr)); + skb_set_mac_header(skb, 0); + + skb->protocol = htons(ETH_P_IPV6); +-- +2.43.0 + diff --git a/queue-5.10/net-ena-remove-ena_select_queue.patch b/queue-5.10/net-ena-remove-ena_select_queue.patch new file mode 100644 index 00000000000..affc84c962e --- /dev/null +++ b/queue-5.10/net-ena-remove-ena_select_queue.patch 
@@ -0,0 +1,66 @@ +From 6b50d075d284a782a412dcddb54181a5fd75110c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Feb 2024 17:31:04 -0500 +Subject: net: ena: Remove ena_select_queue + +From: Kamal Heib + +[ Upstream commit 78e886ba2b549945ecada055ee0765f0ded5707a ] + +Avoid the following warnings by removing the ena_select_queue() function +and rely on the net core to do the queue selection, The issue happen +when an skb received from an interface with more queues than ena is +forwarded to the ena interface. + +[ 1176.159959] eth0 selects TX queue 11, but real number of TX queues is 8 +[ 1176.863976] eth0 selects TX queue 14, but real number of TX queues is 8 +[ 1180.767877] eth0 selects TX queue 14, but real number of TX queues is 8 +[ 1188.703742] eth0 selects TX queue 14, but real number of TX queues is 8 + +Fixes: 1738cd3ed342 ("net: ena: Add a driver for Amazon Elastic Network Adapters (ENA)") +Signed-off-by: Kamal Heib +Reviewed-by: Jacob Keller +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/amazon/ena/ena_netdev.c | 17 ----------------- + 1 file changed, 17 deletions(-) + +diff --git a/drivers/net/ethernet/amazon/ena/ena_netdev.c b/drivers/net/ethernet/amazon/ena/ena_netdev.c +index e13ae04d2f0fd..fa65971949fce 100644 +--- a/drivers/net/ethernet/amazon/ena/ena_netdev.c ++++ b/drivers/net/ethernet/amazon/ena/ena_netdev.c +@@ -3057,22 +3057,6 @@ static netdev_tx_t ena_start_xmit(struct sk_buff *skb, struct net_device *dev) + return NETDEV_TX_OK; + } + +-static u16 ena_select_queue(struct net_device *dev, struct sk_buff *skb, +- struct net_device *sb_dev) +-{ +- u16 qid; +- /* we suspect that this is good for in--kernel network services that +- * want to loop incoming skb rx to tx in normal user generated traffic, +- * most probably we will not get to this +- */ +- if (skb_rx_queue_recorded(skb)) +- qid = skb_get_rx_queue(skb); +- else +- qid = netdev_pick_tx(dev, skb, NULL); +- +- return qid; +-} +- + static 
void ena_config_host_info(struct ena_com_dev *ena_dev, struct pci_dev *pdev) + { + struct device *dev = &pdev->dev; +@@ -3242,7 +3226,6 @@ static const struct net_device_ops ena_netdev_ops = { + .ndo_open = ena_open, + .ndo_stop = ena_close, + .ndo_start_xmit = ena_start_xmit, +- .ndo_select_queue = ena_select_queue, + .ndo_get_stats64 = ena_get_stats64, + .ndo_tx_timeout = ena_tx_timeout, + .ndo_change_mtu = ena_change_mtu, +-- +2.43.0 + diff --git a/queue-5.10/net-hns3-fix-port-duplex-configure-error-in-imp-rese.patch b/queue-5.10/net-hns3-fix-port-duplex-configure-error-in-imp-rese.patch new file mode 100644 index 00000000000..68c35c7f476 --- /dev/null +++ b/queue-5.10/net-hns3-fix-port-duplex-configure-error-in-imp-rese.patch 
@@ -0,0 +1,44 @@ +From 42af2890e160e7784f0c81867dc684d781712d2f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Mar 2024 09:01:14 +0800 +Subject: net: hns3: fix port duplex configure error in IMP reset + +From: Jie Wang + +[ Upstream commit 11d80f79dd9f871a52feba4bf24b5ac39f448eb7 ] + +Currently, the mac port is fixed to configured as full dplex mode in +hclge_mac_init() when driver initialization or reset restore. Users may +change the mode to half duplex with ethtool, so it may cause the user +configuration dropped after reset. + +To fix it, don't change the duplex mode when resetting. + +Fixes: 2d03eacc0b7e ("net: hns3: Only update mac configuation when necessary") +Signed-off-by: Jie Wang +Signed-off-by: Jijie Shao +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c +index deba485ced1bd..c14c391a0cec6 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c +@@ -2723,7 +2723,10 @@ static int hclge_mac_init(struct hclge_dev *hdev) + int ret; + + hdev->support_sfp_query = true; +- hdev->hw.mac.duplex = HCLGE_MAC_FULL; ++ ++ if (!test_bit(HCLGE_STATE_RST_HANDLING, &hdev->state)) ++ hdev->hw.mac.duplex = HCLGE_MAC_FULL; ++ + ret = hclge_cfg_mac_speed_dup_hw(hdev, hdev->hw.mac.speed, + hdev->hw.mac.duplex); + if (ret) +-- +2.43.0 + diff --git a/queue-5.10/net-ip_tunnel-make-sure-to-pull-inner-header-in-ip_t.patch b/queue-5.10/net-ip_tunnel-make-sure-to-pull-inner-header-in-ip_t.patch new file mode 100644 index 00000000000..2b784a93451 --- /dev/null +++ b/queue-5.10/net-ip_tunnel-make-sure-to-pull-inner-header-in-ip_t.patch 
@@ -0,0 +1,125 @@ +From 62800e9dda89f136f939bd977d527e1e68019fb4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Mar 2024 10:07:16 +0000 +Subject: net: ip_tunnel: make sure to pull inner header in ip_tunnel_rcv() + +From: Eric Dumazet + +[ Upstream commit b0ec2abf98267f14d032102551581c833b0659d3 ] + +Apply the same fix than ones found in : + +8d975c15c0cd ("ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()") +1ca1ba465e55 ("geneve: make sure to pull inner header in geneve_rx()") + +We have to save skb->network_header in a temporary variable +in order to be able to recompute the network_header pointer +after a pskb_inet_may_pull() call. + +pskb_inet_may_pull() makes sure the needed headers are in skb->head. + +syzbot reported: +BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline] + BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline] + BUG: KMSAN: uninit-value in IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline] + BUG: KMSAN: uninit-value in ip_tunnel_rcv+0xed9/0x2ed0 net/ipv4/ip_tunnel.c:409 + __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline] + INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline] + IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline] + ip_tunnel_rcv+0xed9/0x2ed0 net/ipv4/ip_tunnel.c:409 + __ipgre_rcv+0x9bc/0xbc0 net/ipv4/ip_gre.c:389 + ipgre_rcv net/ipv4/ip_gre.c:411 [inline] + gre_rcv+0x423/0x19f0 net/ipv4/ip_gre.c:447 + gre_rcv+0x2a4/0x390 net/ipv4/gre_demux.c:163 + ip_protocol_deliver_rcu+0x264/0x1300 net/ipv4/ip_input.c:205 + ip_local_deliver_finish+0x2b8/0x440 net/ipv4/ip_input.c:233 + NF_HOOK include/linux/netfilter.h:314 [inline] + ip_local_deliver+0x21f/0x490 net/ipv4/ip_input.c:254 + dst_input include/net/dst.h:461 [inline] + ip_rcv_finish net/ipv4/ip_input.c:449 [inline] + NF_HOOK include/linux/netfilter.h:314 [inline] + ip_rcv+0x46f/0x760 net/ipv4/ip_input.c:569 + __netif_receive_skb_one_core net/core/dev.c:5534 [inline] + 
__netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5648 + netif_receive_skb_internal net/core/dev.c:5734 [inline] + netif_receive_skb+0x58/0x660 net/core/dev.c:5793 + tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1556 + tun_get_user+0x53b9/0x66e0 drivers/net/tun.c:2009 + tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2055 + call_write_iter include/linux/fs.h:2087 [inline] + new_sync_write fs/read_write.c:497 [inline] + vfs_write+0xb6b/0x1520 fs/read_write.c:590 + ksys_write+0x20f/0x4c0 fs/read_write.c:643 + __do_sys_write fs/read_write.c:655 [inline] + __se_sys_write fs/read_write.c:652 [inline] + __x64_sys_write+0x93/0xd0 fs/read_write.c:652 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x63/0x6b + +Uninit was created at: + __alloc_pages+0x9a6/0xe00 mm/page_alloc.c:4590 + alloc_pages_mpol+0x62b/0x9d0 mm/mempolicy.c:2133 + alloc_pages+0x1be/0x1e0 mm/mempolicy.c:2204 + skb_page_frag_refill+0x2bf/0x7c0 net/core/sock.c:2909 + tun_build_skb drivers/net/tun.c:1686 [inline] + tun_get_user+0xe0a/0x66e0 drivers/net/tun.c:1826 + tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2055 + call_write_iter include/linux/fs.h:2087 [inline] + new_sync_write fs/read_write.c:497 [inline] + vfs_write+0xb6b/0x1520 fs/read_write.c:590 + ksys_write+0x20f/0x4c0 fs/read_write.c:643 + __do_sys_write fs/read_write.c:655 [inline] + __se_sys_write fs/read_write.c:652 [inline] + __x64_sys_write+0x93/0xd0 fs/read_write.c:652 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x63/0x6b + +Fixes: c54419321455 ("GRE: Refactor GRE tunneling code.") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/ip_tunnel.c | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c +index 50f8231e9daec..0953d805cbbee 100644 +--- a/net/ipv4/ip_tunnel.c ++++ b/net/ipv4/ip_tunnel.c +@@ -364,7 +364,7 @@ int ip_tunnel_rcv(struct ip_tunnel *tunnel, struct sk_buff *skb, + bool log_ecn_error) + { + const struct iphdr *iph = ip_hdr(skb); +- int err; ++ int nh, err; + + #ifdef CONFIG_NET_IPGRE_BROADCAST + if (ipv4_is_multicast(iph->daddr)) { +@@ -390,8 +390,21 @@ int ip_tunnel_rcv(struct ip_tunnel *tunnel, struct sk_buff *skb, + tunnel->i_seqno = ntohl(tpi->seq) + 1; + } + ++ /* Save offset of outer header relative to skb->head, ++ * because we are going to reset the network header to the inner header ++ * and might change skb->head. ++ */ ++ nh = skb_network_header(skb) - skb->head; ++ + skb_set_network_header(skb, (tunnel->dev->type == ARPHRD_ETHER) ? ETH_HLEN : 0); + ++ if (!pskb_inet_may_pull(skb)) { ++ DEV_STATS_INC(tunnel->dev, rx_length_errors); ++ DEV_STATS_INC(tunnel->dev, rx_errors); ++ goto drop; ++ } ++ iph = (struct iphdr *)(skb->head + nh); ++ + err = IP_ECN_decapsulate(iph, skb); + if (unlikely(err)) { + if (log_ecn_error) +-- +2.43.0 + diff --git a/queue-5.10/net-ipv4-ipv6-replace-one-element-arraya-with-flexib.patch b/queue-5.10/net-ipv4-ipv6-replace-one-element-arraya-with-flexib.patch new file mode 100644 index 00000000000..6faa62d0ed5 --- /dev/null +++ b/queue-5.10/net-ipv4-ipv6-replace-one-element-arraya-with-flexib.patch 
@@ -0,0 +1,340 @@ +From a3bfeae678c4101d4302ce962a218e96a79f021f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Aug 2021 15:45:36 -0500 +Subject: net/ipv4/ipv6: Replace one-element arraya with flexible-array members +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Gustavo A. R. Silva + +[ Upstream commit db243b796439c0caba47865564d8acd18a301d18 ] + +There is a regular need in the kernel to provide a way to declare having +a dynamically sized set of trailing elements in a structure. Kernel code +should always use “flexible array members”[1] for these cases. The older +style of one-element or zero-length arrays should no longer be used[2]. + +Use an anonymous union with a couple of anonymous structs in order to +keep userspace unchanged and refactor the related code accordingly: + +$ pahole -C group_filter net/ipv4/ip_sockglue.o +struct group_filter { + union { + struct { + __u32 gf_interface_aux; /* 0 4 */ + + /* XXX 4 bytes hole, try to pack */ + + struct __kernel_sockaddr_storage gf_group_aux; /* 8 128 */ + /* --- cacheline 2 boundary (128 bytes) was 8 bytes ago --- */ + __u32 gf_fmode_aux; /* 136 4 */ + __u32 gf_numsrc_aux; /* 140 4 */ + struct __kernel_sockaddr_storage gf_slist[1]; /* 144 128 */ + }; /* 0 272 */ + struct { + __u32 gf_interface; /* 0 4 */ + + /* XXX 4 bytes hole, try to pack */ + + struct __kernel_sockaddr_storage gf_group; /* 8 128 */ + /* --- cacheline 2 boundary (128 bytes) was 8 bytes ago --- */ + __u32 gf_fmode; /* 136 4 */ + __u32 gf_numsrc; /* 140 4 */ + struct __kernel_sockaddr_storage gf_slist_flex[0]; /* 144 0 */ + }; /* 0 144 */ + }; /* 0 272 */ + + /* size: 272, cachelines: 5, members: 1 */ + /* last cacheline: 16 bytes */ +}; + +$ pahole -C compat_group_filter net/ipv4/ip_sockglue.o +struct compat_group_filter { + union { + struct { + __u32 gf_interface_aux; /* 0 4 */ + struct __kernel_sockaddr_storage gf_group_aux __attribute__((__aligned__(4))); /* 4 128 */ + /* --- 
cacheline 2 boundary (128 bytes) was 4 bytes ago --- */ + __u32 gf_fmode_aux; /* 132 4 */ + __u32 gf_numsrc_aux; /* 136 4 */ + struct __kernel_sockaddr_storage gf_slist[1] __attribute__((__aligned__(4))); /* 140 128 */ + } __attribute__((__packed__)) __attribute__((__aligned__(4))); /* 0 268 */ + struct { + __u32 gf_interface; /* 0 4 */ + struct __kernel_sockaddr_storage gf_group __attribute__((__aligned__(4))); /* 4 128 */ + /* --- cacheline 2 boundary (128 bytes) was 4 bytes ago --- */ + __u32 gf_fmode; /* 132 4 */ + __u32 gf_numsrc; /* 136 4 */ + struct __kernel_sockaddr_storage gf_slist_flex[0] __attribute__((__aligned__(4))); /* 140 0 */ + } __attribute__((__packed__)) __attribute__((__aligned__(4))); /* 0 140 */ + } __attribute__((__aligned__(1))); /* 0 268 */ + + /* size: 268, cachelines: 5, members: 1 */ + /* forced alignments: 1 */ + /* last cacheline: 12 bytes */ +} __attribute__((__packed__)); + +This helps with the ongoing efforts to globally enable -Warray-bounds +and get us closer to being able to tighten the FORTIFY_SOURCE routines +on memcpy(). + +[1] https://en.wikipedia.org/wiki/Flexible_array_member +[2] https://www.kernel.org/doc/html/v5.10/process/deprecated.html#zero-length-and-one-element-arrays + +Link: https://github.com/KSPP/linux/issues/79 +Link: https://github.com/KSPP/linux/issues/109 +Signed-off-by: Gustavo A. R. Silva +Signed-off-by: David S. 
Miller +Stable-dep-of: 5c3be3e0eb44 ("ipmr: fix incorrect parameter validation in the ip_mroute_getsockopt() function") +Signed-off-by: Sasha Levin +--- + include/net/compat.h | 27 ++++++++++++++++++++------- + include/uapi/linux/in.h | 21 ++++++++++++++++----- + net/ipv4/ip_sockglue.c | 19 ++++++++++--------- + net/ipv6/ipv6_sockglue.c | 18 +++++++++--------- + 4 files changed, 55 insertions(+), 30 deletions(-) + +diff --git a/include/net/compat.h b/include/net/compat.h +index 745db0d605b62..52bf5f0ee236b 100644 +--- a/include/net/compat.h ++++ b/include/net/compat.h +@@ -81,13 +81,26 @@ struct compat_group_source_req { + } __packed; + + struct compat_group_filter { +- __u32 gf_interface; +- struct __kernel_sockaddr_storage gf_group +- __aligned(4); +- __u32 gf_fmode; +- __u32 gf_numsrc; +- struct __kernel_sockaddr_storage gf_slist[1] +- __aligned(4); ++ union { ++ struct { ++ __u32 gf_interface_aux; ++ struct __kernel_sockaddr_storage gf_group_aux ++ __aligned(4); ++ __u32 gf_fmode_aux; ++ __u32 gf_numsrc_aux; ++ struct __kernel_sockaddr_storage gf_slist[1] ++ __aligned(4); ++ } __packed; ++ struct { ++ __u32 gf_interface; ++ struct __kernel_sockaddr_storage gf_group ++ __aligned(4); ++ __u32 gf_fmode; ++ __u32 gf_numsrc; ++ struct __kernel_sockaddr_storage gf_slist_flex[] ++ __aligned(4); ++ } __packed; ++ }; + } __packed; + + #endif /* NET_COMPAT_H */ +diff --git a/include/uapi/linux/in.h b/include/uapi/linux/in.h +index 066098a5b9360..c4702fff64d3a 100644 +--- a/include/uapi/linux/in.h ++++ b/include/uapi/linux/in.h +@@ -224,11 +224,22 @@ struct group_source_req { + }; + + struct group_filter { +- __u32 gf_interface; /* interface index */ +- struct __kernel_sockaddr_storage gf_group; /* multicast address */ +- __u32 gf_fmode; /* filter mode */ +- __u32 gf_numsrc; /* number of sources */ +- struct __kernel_sockaddr_storage gf_slist[1]; /* interface index */ ++ union { ++ struct { ++ __u32 gf_interface_aux; /* interface index */ ++ struct 
__kernel_sockaddr_storage gf_group_aux; /* multicast address */ ++ __u32 gf_fmode_aux; /* filter mode */ ++ __u32 gf_numsrc_aux; /* number of sources */ ++ struct __kernel_sockaddr_storage gf_slist[1]; /* interface index */ ++ }; ++ struct { ++ __u32 gf_interface; /* interface index */ ++ struct __kernel_sockaddr_storage gf_group; /* multicast address */ ++ __u32 gf_fmode; /* filter mode */ ++ __u32 gf_numsrc; /* number of sources */ ++ struct __kernel_sockaddr_storage gf_slist_flex[]; /* interface index */ ++ }; ++ }; + }; + + #define GROUP_FILTER_SIZE(numsrc) \ +diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c +index 28b9b2e85f0be..9bea014309ded 100644 +--- a/net/ipv4/ip_sockglue.c ++++ b/net/ipv4/ip_sockglue.c +@@ -797,7 +797,8 @@ static int ip_set_mcast_msfilter(struct sock *sk, sockptr_t optval, int optlen) + goto out_free_gsf; + + err = set_mcast_msfilter(sk, gsf->gf_interface, gsf->gf_numsrc, +- gsf->gf_fmode, &gsf->gf_group, gsf->gf_slist); ++ gsf->gf_fmode, &gsf->gf_group, ++ gsf->gf_slist_flex); + out_free_gsf: + kfree(gsf); + return err; +@@ -806,7 +807,7 @@ static int ip_set_mcast_msfilter(struct sock *sk, sockptr_t optval, int optlen) + static int compat_ip_set_mcast_msfilter(struct sock *sk, sockptr_t optval, + int optlen) + { +- const int size0 = offsetof(struct compat_group_filter, gf_slist); ++ const int size0 = offsetof(struct compat_group_filter, gf_slist_flex); + struct compat_group_filter *gf32; + unsigned int n; + void *p; +@@ -820,7 +821,7 @@ static int compat_ip_set_mcast_msfilter(struct sock *sk, sockptr_t optval, + p = kmalloc(optlen + 4, GFP_KERNEL); + if (!p) + return -ENOMEM; +- gf32 = p + 4; /* we want ->gf_group and ->gf_slist aligned */ ++ gf32 = p + 4; /* we want ->gf_group and ->gf_slist_flex aligned */ + + err = -EFAULT; + if (copy_from_sockptr(gf32, optval, optlen)) +@@ -833,7 +834,7 @@ static int compat_ip_set_mcast_msfilter(struct sock *sk, sockptr_t optval, + goto out_free_gsf; + + err = -EINVAL; +- if 
(offsetof(struct compat_group_filter, gf_slist[n]) > optlen) ++ if (offsetof(struct compat_group_filter, gf_slist_flex[n]) > optlen) + goto out_free_gsf; + + /* numsrc >= (4G-140)/128 overflow in 32 bits */ +@@ -841,7 +842,7 @@ static int compat_ip_set_mcast_msfilter(struct sock *sk, sockptr_t optval, + if (n > READ_ONCE(sock_net(sk)->ipv4.sysctl_igmp_max_msf)) + goto out_free_gsf; + err = set_mcast_msfilter(sk, gf32->gf_interface, n, gf32->gf_fmode, +- &gf32->gf_group, gf32->gf_slist); ++ &gf32->gf_group, gf32->gf_slist_flex); + out_free_gsf: + kfree(p); + return err; +@@ -1462,7 +1463,7 @@ static bool getsockopt_needs_rtnl(int optname) + static int ip_get_mcast_msfilter(struct sock *sk, void __user *optval, + int __user *optlen, int len) + { +- const int size0 = offsetof(struct group_filter, gf_slist); ++ const int size0 = offsetof(struct group_filter, gf_slist_flex); + struct group_filter __user *p = optval; + struct group_filter gsf; + int num; +@@ -1474,7 +1475,7 @@ static int ip_get_mcast_msfilter(struct sock *sk, void __user *optval, + return -EFAULT; + + num = gsf.gf_numsrc; +- err = ip_mc_gsfget(sk, &gsf, p->gf_slist); ++ err = ip_mc_gsfget(sk, &gsf, p->gf_slist_flex); + if (err) + return err; + if (gsf.gf_numsrc < num) +@@ -1488,7 +1489,7 @@ static int ip_get_mcast_msfilter(struct sock *sk, void __user *optval, + static int compat_ip_get_mcast_msfilter(struct sock *sk, void __user *optval, + int __user *optlen, int len) + { +- const int size0 = offsetof(struct compat_group_filter, gf_slist); ++ const int size0 = offsetof(struct compat_group_filter, gf_slist_flex); + struct compat_group_filter __user *p = optval; + struct compat_group_filter gf32; + struct group_filter gf; +@@ -1505,7 +1506,7 @@ static int compat_ip_get_mcast_msfilter(struct sock *sk, void __user *optval, + num = gf.gf_numsrc = gf32.gf_numsrc; + gf.gf_group = gf32.gf_group; + +- err = ip_mc_gsfget(sk, &gf, p->gf_slist); ++ err = ip_mc_gsfget(sk, &gf, p->gf_slist_flex); + if (err) + return 
err; + if (gf.gf_numsrc < num) +diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c +index 7b4b457a8b87a..0ac527cd5d56d 100644 +--- a/net/ipv6/ipv6_sockglue.c ++++ b/net/ipv6/ipv6_sockglue.c +@@ -225,7 +225,7 @@ static int ipv6_set_mcast_msfilter(struct sock *sk, sockptr_t optval, + if (GROUP_FILTER_SIZE(gsf->gf_numsrc) > optlen) + goto out_free_gsf; + +- ret = ip6_mc_msfilter(sk, gsf, gsf->gf_slist); ++ ret = ip6_mc_msfilter(sk, gsf, gsf->gf_slist_flex); + out_free_gsf: + kfree(gsf); + return ret; +@@ -234,7 +234,7 @@ static int ipv6_set_mcast_msfilter(struct sock *sk, sockptr_t optval, + static int compat_ipv6_set_mcast_msfilter(struct sock *sk, sockptr_t optval, + int optlen) + { +- const int size0 = offsetof(struct compat_group_filter, gf_slist); ++ const int size0 = offsetof(struct compat_group_filter, gf_slist_flex); + struct compat_group_filter *gf32; + void *p; + int ret; +@@ -249,7 +249,7 @@ static int compat_ipv6_set_mcast_msfilter(struct sock *sk, sockptr_t optval, + if (!p) + return -ENOMEM; + +- gf32 = p + 4; /* we want ->gf_group and ->gf_slist aligned */ ++ gf32 = p + 4; /* we want ->gf_group and ->gf_slist_flex aligned */ + ret = -EFAULT; + if (copy_from_sockptr(gf32, optval, optlen)) + goto out_free_p; +@@ -261,14 +261,14 @@ static int compat_ipv6_set_mcast_msfilter(struct sock *sk, sockptr_t optval, + goto out_free_p; + + ret = -EINVAL; +- if (offsetof(struct compat_group_filter, gf_slist[n]) > optlen) ++ if (offsetof(struct compat_group_filter, gf_slist_flex[n]) > optlen) + goto out_free_p; + + ret = ip6_mc_msfilter(sk, &(struct group_filter){ + .gf_interface = gf32->gf_interface, + .gf_group = gf32->gf_group, + .gf_fmode = gf32->gf_fmode, +- .gf_numsrc = gf32->gf_numsrc}, gf32->gf_slist); ++ .gf_numsrc = gf32->gf_numsrc}, gf32->gf_slist_flex); + + out_free_p: + kfree(p); +@@ -1051,7 +1051,7 @@ static int ipv6_getsockopt_sticky(struct sock *sk, struct ipv6_txoptions *opt, + static int ipv6_get_msfilter(struct sock *sk, void __user 
*optval, + int __user *optlen, int len) + { +- const int size0 = offsetof(struct group_filter, gf_slist); ++ const int size0 = offsetof(struct group_filter, gf_slist_flex); + struct group_filter __user *p = optval; + struct group_filter gsf; + int num; +@@ -1065,7 +1065,7 @@ static int ipv6_get_msfilter(struct sock *sk, void __user *optval, + return -EADDRNOTAVAIL; + num = gsf.gf_numsrc; + lock_sock(sk); +- err = ip6_mc_msfget(sk, &gsf, p->gf_slist); ++ err = ip6_mc_msfget(sk, &gsf, p->gf_slist_flex); + if (!err) { + if (num > gsf.gf_numsrc) + num = gsf.gf_numsrc; +@@ -1080,7 +1080,7 @@ static int ipv6_get_msfilter(struct sock *sk, void __user *optval, + static int compat_ipv6_get_msfilter(struct sock *sk, void __user *optval, + int __user *optlen) + { +- const int size0 = offsetof(struct compat_group_filter, gf_slist); ++ const int size0 = offsetof(struct compat_group_filter, gf_slist_flex); + struct compat_group_filter __user *p = optval; + struct compat_group_filter gf32; + struct group_filter gf; +@@ -1103,7 +1103,7 @@ static int compat_ipv6_get_msfilter(struct sock *sk, void __user *optval, + return -EADDRNOTAVAIL; + + lock_sock(sk); +- err = ip6_mc_msfget(sk, &gf, p->gf_slist); ++ err = ip6_mc_msfget(sk, &gf, p->gf_slist_flex); + release_sock(sk); + if (err) + return err; +-- +2.43.0 + diff --git a/queue-5.10/net-ipv4-replace-one-element-array-with-flexible-arr.patch b/queue-5.10/net-ipv4-replace-one-element-array-with-flexible-arr.patch new file mode 100644 index 00000000000..21955c2a007 --- /dev/null +++ b/queue-5.10/net-ipv4-replace-one-element-array-with-flexible-arr.patch 
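Review bot: In `struct group_filter` (include/uapi/linux/in.h) the trailing comment on `gf_slist[1]` and on the new `gf_slist_flex[]` still reads `/* interface index */`, although both arrays hold the source list that `gf_numsrc` counts. As this is a UAPI header that userspace consults when sizing filter buffers, I would change both to `/* source address list */`. A short comment above the union would also help, saying that `gf_slist[1]` is kept only for userspace layout compatibility and that kernel code should index `gf_slist_flex`. The pahole output in the description shows sizeof(struct group_filter) still includes one element, so size calculations should keep using `GROUP_FILTER_SIZE()` or `offsetof()`, never `sizeof` plus a count.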
@@ -0,0 +1,195 @@ +From e4b1b58d8759210a2dedfa5817b2ba7088c6dc39 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 31 Jul 2021 12:08:30 -0500 +Subject: net/ipv4: Replace one-element array with flexible-array member +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Gustavo A. R. Silva + +[ Upstream commit 2d3e5caf96b9449af951e63476657acd759c1a30 ] + +There is a regular need in the kernel to provide a way to declare having +a dynamically sized set of trailing elements in a structure. Kernel code +should always use “flexible array members”[1] for these cases. The older +style of one-element or zero-length arrays should no longer be used[2]. + +Use an anonymous union with a couple of anonymous structs in order to +keep userspace unchanged: + +$ pahole -C ip_msfilter net/ipv4/ip_sockglue.o +struct ip_msfilter { + union { + struct { + __be32 imsf_multiaddr_aux; /* 0 4 */ + __be32 imsf_interface_aux; /* 4 4 */ + __u32 imsf_fmode_aux; /* 8 4 */ + __u32 imsf_numsrc_aux; /* 12 4 */ + __be32 imsf_slist[1]; /* 16 4 */ + }; /* 0 20 */ + struct { + __be32 imsf_multiaddr; /* 0 4 */ + __be32 imsf_interface; /* 4 4 */ + __u32 imsf_fmode; /* 8 4 */ + __u32 imsf_numsrc; /* 12 4 */ + __be32 imsf_slist_flex[0]; /* 16 0 */ + }; /* 0 16 */ + }; /* 0 20 */ + + /* size: 20, cachelines: 1, members: 1 */ + /* last cacheline: 20 bytes */ +}; + +Also, refactor the code accordingly and make use of the struct_size() +and flex_array_size() helpers. + +This helps with the ongoing efforts to globally enable -Warray-bounds +and get us closer to being able to tighten the FORTIFY_SOURCE routines +on memcpy(). + +[1] https://en.wikipedia.org/wiki/Flexible_array_member +[2] https://www.kernel.org/doc/html/v5.10/process/deprecated.html#zero-length-and-one-element-arrays + +Link: https://github.com/KSPP/linux/issues/79 +Link: https://github.com/KSPP/linux/issues/109 +Signed-off-by: Gustavo A. R. Silva +Signed-off-by: David S. 
Miller +Stable-dep-of: 5c3be3e0eb44 ("ipmr: fix incorrect parameter validation in the ip_mroute_getsockopt() function") +Signed-off-by: Sasha Levin +--- + include/uapi/linux/in.h | 21 ++++++++++++++++----- + net/ipv4/igmp.c | 12 ++++++------ + net/ipv4/ip_sockglue.c | 15 ++++++++------- + 3 files changed, 30 insertions(+), 18 deletions(-) + +diff --git a/include/uapi/linux/in.h b/include/uapi/linux/in.h +index 3960bc3da6b30..066098a5b9360 100644 +--- a/include/uapi/linux/in.h ++++ b/include/uapi/linux/in.h +@@ -190,11 +190,22 @@ struct ip_mreq_source { + }; + + struct ip_msfilter { +- __be32 imsf_multiaddr; +- __be32 imsf_interface; +- __u32 imsf_fmode; +- __u32 imsf_numsrc; +- __be32 imsf_slist[1]; ++ union { ++ struct { ++ __be32 imsf_multiaddr_aux; ++ __be32 imsf_interface_aux; ++ __u32 imsf_fmode_aux; ++ __u32 imsf_numsrc_aux; ++ __be32 imsf_slist[1]; ++ }; ++ struct { ++ __be32 imsf_multiaddr; ++ __be32 imsf_interface; ++ __u32 imsf_fmode; ++ __u32 imsf_numsrc; ++ __be32 imsf_slist_flex[]; ++ }; ++ }; + }; + + #define IP_MSFILTER_SIZE(numsrc) \ +diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c +index cb55fede03c04..134f1682a7e9b 100644 +--- a/net/ipv4/igmp.c ++++ b/net/ipv4/igmp.c +@@ -2493,8 +2493,8 @@ int ip_mc_msfilter(struct sock *sk, struct ip_msfilter *msf, int ifindex) + goto done; + } + newpsl->sl_max = newpsl->sl_count = msf->imsf_numsrc; +- memcpy(newpsl->sl_addr, msf->imsf_slist, +- msf->imsf_numsrc * sizeof(msf->imsf_slist[0])); ++ memcpy(newpsl->sl_addr, msf->imsf_slist_flex, ++ flex_array_size(msf, imsf_slist_flex, msf->imsf_numsrc)); + err = ip_mc_add_src(in_dev, &msf->imsf_multiaddr, + msf->imsf_fmode, newpsl->sl_count, newpsl->sl_addr, 0); + if (err) { +@@ -2571,14 +2571,14 @@ int ip_mc_msfget(struct sock *sk, struct ip_msfilter *msf, + count = psl->sl_count; + } + copycount = count < msf->imsf_numsrc ? 
count : msf->imsf_numsrc; +- len = copycount * sizeof(psl->sl_addr[0]); ++ len = flex_array_size(psl, sl_addr, copycount); + msf->imsf_numsrc = count; +- if (put_user(IP_MSFILTER_SIZE(copycount), optlen) || +- copy_to_user(optval, msf, IP_MSFILTER_SIZE(0))) { ++ if (put_user(struct_size(optval, imsf_slist_flex, copycount), optlen) || ++ copy_to_user(optval, msf, struct_size(optval, imsf_slist_flex, 0))) { + return -EFAULT; + } + if (len && +- copy_to_user(&optval->imsf_slist[0], psl->sl_addr, len)) ++ copy_to_user(&optval->imsf_slist_flex[0], psl->sl_addr, len)) + return -EFAULT; + return 0; + done: +diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c +index 1b35afd326b8d..2cfc507712300 100644 +--- a/net/ipv4/ip_sockglue.c ++++ b/net/ipv4/ip_sockglue.c +@@ -670,12 +670,11 @@ static int set_mcast_msfilter(struct sock *sk, int ifindex, + struct sockaddr_storage *group, + struct sockaddr_storage *list) + { +- int msize = IP_MSFILTER_SIZE(numsrc); + struct ip_msfilter *msf; + struct sockaddr_in *psin; + int err, i; + +- msf = kmalloc(msize, GFP_KERNEL); ++ msf = kmalloc(struct_size(msf, imsf_slist_flex, numsrc), GFP_KERNEL); + if (!msf) + return -ENOBUFS; + +@@ -691,7 +690,7 @@ static int set_mcast_msfilter(struct sock *sk, int ifindex, + + if (psin->sin_family != AF_INET) + goto Eaddrnotavail; +- msf->imsf_slist[i] = psin->sin_addr.s_addr; ++ msf->imsf_slist_flex[i] = psin->sin_addr.s_addr; + } + err = ip_mc_msfilter(sk, msf, ifindex); + kfree(msf); +@@ -1236,7 +1235,7 @@ static int do_ip_setsockopt(struct sock *sk, int level, int optname, + { + struct ip_msfilter *msf; + +- if (optlen < IP_MSFILTER_SIZE(0)) ++ if (optlen < struct_size(msf, imsf_slist_flex, 0)) + goto e_inval; + if (optlen > READ_ONCE(sysctl_optmem_max)) { + err = -ENOBUFS; +@@ -1254,7 +1253,8 @@ static int do_ip_setsockopt(struct sock *sk, int level, int optname, + err = -ENOBUFS; + break; + } +- if (IP_MSFILTER_SIZE(msf->imsf_numsrc) > optlen) { ++ if (struct_size(msf, imsf_slist_flex, 
msf->imsf_numsrc) > ++ optlen) { + kfree(msf); + err = -EINVAL; + break; +@@ -1667,11 +1667,12 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname, + { + struct ip_msfilter msf; + +- if (len < IP_MSFILTER_SIZE(0)) { ++ if (len < struct_size(&msf, imsf_slist_flex, 0)) { + err = -EINVAL; + goto out; + } +- if (copy_from_user(&msf, optval, IP_MSFILTER_SIZE(0))) { ++ if (copy_from_user(&msf, optval, ++ struct_size(&msf, imsf_slist_flex, 0))) { + err = -EFAULT; + goto out; + } +-- +2.43.0 + diff --git a/queue-5.10/net-ipv4-revert-use-of-struct_size-helper.patch b/queue-5.10/net-ipv4-revert-use-of-struct_size-helper.patch new file mode 100644 index 00000000000..eb5bf9ea79c --- /dev/null +++ b/queue-5.10/net-ipv4-revert-use-of-struct_size-helper.patch 
@@ -0,0 +1,93 @@ +From 2374687a2fd9982fe6edc38927565b7e97f1d03a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Aug 2021 13:23:25 -0500 +Subject: net/ipv4: Revert use of struct_size() helper + +From: Gustavo A. R. Silva + +[ Upstream commit 4167a960574fcadc9067f4280951a35b8c021c68 ] + +Revert the use of structr_size() and stay with IP_MSFILTER_SIZE() for +now, as in this case, the size of struct ip_msfilter didn't change with +the addition of the flexible array imsf_slist_flex[]. So, if we use +struct_size() we will be allocating and calculating the size of +struct ip_msfilter with one too many items for imsf_slist_flex[]. + +We might use struct_size() in the future, but for now let's stay +with IP_MSFILTER_SIZE(). + +Fixes: 2d3e5caf96b9 ("net/ipv4: Replace one-element array with flexible-array member") +Signed-off-by: Gustavo A. R. Silva +Signed-off-by: David S. Miller +Stable-dep-of: 5c3be3e0eb44 ("ipmr: fix incorrect parameter validation in the ip_mroute_getsockopt() function") +Signed-off-by: Sasha Levin +--- + net/ipv4/igmp.c | 4 ++-- + net/ipv4/ip_sockglue.c | 12 +++++------- + 2 files changed, 7 insertions(+), 9 deletions(-) + +diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c +index 134f1682a7e9b..4ba1c92fb3524 100644 +--- a/net/ipv4/igmp.c ++++ b/net/ipv4/igmp.c +@@ -2573,8 +2573,8 @@ int ip_mc_msfget(struct sock *sk, struct ip_msfilter *msf, + copycount = count < msf->imsf_numsrc ? 
count : msf->imsf_numsrc; + len = flex_array_size(psl, sl_addr, copycount); + msf->imsf_numsrc = count; +- if (put_user(struct_size(optval, imsf_slist_flex, copycount), optlen) || +- copy_to_user(optval, msf, struct_size(optval, imsf_slist_flex, 0))) { ++ if (put_user(IP_MSFILTER_SIZE(copycount), optlen) || ++ copy_to_user(optval, msf, IP_MSFILTER_SIZE(0))) { + return -EFAULT; + } + if (len && +diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c +index 2cfc507712300..28b9b2e85f0be 100644 +--- a/net/ipv4/ip_sockglue.c ++++ b/net/ipv4/ip_sockglue.c +@@ -674,7 +674,7 @@ static int set_mcast_msfilter(struct sock *sk, int ifindex, + struct sockaddr_in *psin; + int err, i; + +- msf = kmalloc(struct_size(msf, imsf_slist_flex, numsrc), GFP_KERNEL); ++ msf = kmalloc(IP_MSFILTER_SIZE(numsrc), GFP_KERNEL); + if (!msf) + return -ENOBUFS; + +@@ -1235,7 +1235,7 @@ static int do_ip_setsockopt(struct sock *sk, int level, int optname, + { + struct ip_msfilter *msf; + +- if (optlen < struct_size(msf, imsf_slist_flex, 0)) ++ if (optlen < IP_MSFILTER_SIZE(0)) + goto e_inval; + if (optlen > READ_ONCE(sysctl_optmem_max)) { + err = -ENOBUFS; +@@ -1253,8 +1253,7 @@ static int do_ip_setsockopt(struct sock *sk, int level, int optname, + err = -ENOBUFS; + break; + } +- if (struct_size(msf, imsf_slist_flex, msf->imsf_numsrc) > +- optlen) { ++ if (IP_MSFILTER_SIZE(msf->imsf_numsrc) > optlen) { + kfree(msf); + err = -EINVAL; + break; +@@ -1667,12 +1666,11 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname, + { + struct ip_msfilter msf; + +- if (len < struct_size(&msf, imsf_slist_flex, 0)) { ++ if (len < IP_MSFILTER_SIZE(0)) { + err = -EINVAL; + goto out; + } +- if (copy_from_user(&msf, optval, +- struct_size(&msf, imsf_slist_flex, 0))) { ++ if (copy_from_user(&msf, optval, IP_MSFILTER_SIZE(0))) { + err = -EFAULT; + goto out; + } +-- +2.43.0 + 
diff --git a/queue-5.10/net-kcm-fix-incorrect-parameter-validation-in-the-kc.patch b/queue-5.10/net-kcm-fix-incorrect-parameter-validation-in-the-kc.patch new file mode 100644 index 00000000000..81480afad81 --- /dev/null +++ b/queue-5.10/net-kcm-fix-incorrect-parameter-validation-in-the-kc.patch @@ -0,0 +1,45 @@ +From 42c1895b5a118d06d9839c6a0f81fa4130431072 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Mar 2024 14:23:50 +0000 +Subject: net: kcm: fix incorrect parameter validation in the kcm_getsockopt) + function + +From: Gavrilov Ilia + +[ Upstream commit 3ed5f415133f9b7518fbe55ba9ae9a3f5e700929 ] + +The 'len' variable can't be negative when assigned the result of +'min_t' because all 'min_t' parameters are cast to unsigned int, +and then the minimum one is chosen. + +To fix the logic, check 'len' as read from 'optlen', +where the types of relevant variables are (signed) int. + +Fixes: ab7ac4eb9832 ("kcm: Kernel Connection Multiplexor module") +Signed-off-by: Gavrilov Ilia +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/kcm/kcmsock.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/kcm/kcmsock.c b/net/kcm/kcmsock.c +index 39b3c7fbf9f66..7420b4f19b45e 100644 +--- a/net/kcm/kcmsock.c ++++ b/net/kcm/kcmsock.c +@@ -1275,10 +1275,11 @@ static int kcm_getsockopt(struct socket *sock, int level, int optname, + if (get_user(len, optlen)) + return -EFAULT; + +- len = min_t(unsigned int, len, sizeof(int)); + if (len < 0) + return -EINVAL; + ++ len = min_t(unsigned int, len, sizeof(int)); ++ + switch (optname) { + case KCM_RECV_DISABLE: + val = kcm->rx_disabled; +-- +2.43.0 + diff --git a/queue-5.10/net-phy-dp83822-enable-rgmii-mode-if-phy_interface_i.patch b/queue-5.10/net-phy-dp83822-enable-rgmii-mode-if-phy_interface_i.patch new file mode 100644 index 00000000000..c514dec55aa --- /dev/null +++ b/queue-5.10/net-phy-dp83822-enable-rgmii-mode-if-phy_interface_i.patch 
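Review bot: The sign check in `kcm_getsockopt()` is effective only because it now runs before `min_t(unsigned int, len, sizeof(int))`, and nothing in the code records that ordering requirement, so a later tidy-up could swap the two statements back. I would add a comment above the check, e.g. `/* reject a negative optlen before min_t(): the unsigned cast clamps it to sizeof(int) and hides the sign */`. The function continues outside the hunk, so how `len` is used afterwards is not visible here.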
@@ -0,0 +1,59 @@ +From e19b5973b60a45519fd8a3ad1e623c077eeaba3a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 21 May 2022 01:58:46 +0200 +Subject: net: phy: DP83822: enable rgmii mode if phy_interface_is_rgmii + +From: Tommaso Merciai + +[ Upstream commit 621427fbdada788f18f77238e1c36f463c2cb9d1 ] + +RGMII mode can be enable from dp83822 straps, and also writing bit 9 +of register 0x17 - RMII and Status Register (RCSR). +When phy_interface_is_rgmii rgmii mode must be enabled, same for +contrary, this prevents malconfigurations of hw straps + +References: + - https://www.ti.com/lit/gpn/dp83822i p66 + +Signed-off-by: Tommaso Merciai +Co-developed-by: Michael Trimarchi +Suggested-by: Alberto Bianchi +Tested-by: Tommaso Merciai +Reviewed-by: Andrew Lunn +Signed-off-by: David S. Miller +Stable-dep-of: c8a5c731fd12 ("net: phy: dp83822: Fix RGMII TX delay configuration") +Signed-off-by: Sasha Levin +--- + drivers/net/phy/dp83822.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/phy/dp83822.c b/drivers/net/phy/dp83822.c +index 81412999445d8..dce87589b1120 100644 +--- a/drivers/net/phy/dp83822.c ++++ b/drivers/net/phy/dp83822.c +@@ -94,7 +94,8 @@ + #define DP83822_WOL_INDICATION_SEL BIT(8) + #define DP83822_WOL_CLR_INDICATION BIT(11) + +-/* RSCR bits */ ++/* RCSR bits */ ++#define DP83822_RGMII_MODE_EN BIT(9) + #define DP83822_RX_CLK_SHIFT BIT(12) + #define DP83822_TX_CLK_SHIFT BIT(11) + +@@ -386,6 +387,12 @@ static int dp83822_config_init(struct phy_device *phydev) + if (err) + return err; + } ++ ++ phy_set_bits_mmd(phydev, DP83822_DEVADDR, ++ MII_DP83822_RCSR, DP83822_RGMII_MODE_EN); ++ } else { ++ phy_clear_bits_mmd(phydev, DP83822_DEVADDR, ++ MII_DP83822_RCSR, DP83822_RGMII_MODE_EN); + } + + if (dp83822->fx_enabled) { +-- +2.43.0 + 
diff --git a/queue-5.10/net-phy-dp83822-fix-rgmii-tx-delay-configuration.patch b/queue-5.10/net-phy-dp83822-fix-rgmii-tx-delay-configuration.patch new file mode 100644 index 00000000000..e9f0e1578e2 --- /dev/null +++ b/queue-5.10/net-phy-dp83822-fix-rgmii-tx-delay-configuration.patch 
@@ -0,0 +1,91 @@ +From 3f463e12e0af57b8c8f23fd1c045397bd2938df7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Mar 2024 12:06:08 +0100 +Subject: net: phy: dp83822: Fix RGMII TX delay configuration + +From: Tim Pambor + +[ Upstream commit c8a5c731fd1223090af57da33838c671a7fc6a78 ] + +The logic for enabling the TX clock shift is inverse of enabling the RX +clock shift. The TX clock shift is disabled when DP83822_TX_CLK_SHIFT is +set. Correct the current behavior and always write the delay configuration +to ensure consistent delay settings regardless of bootloader configuration. + +Reference: https://www.ti.com/lit/ds/symlink/dp83822i.pdf p. 69 + +Fixes: 8095295292b5 ("net: phy: DP83822: Add setting the fixed internal delay") +Signed-off-by: Tim Pambor +Link: https://lore.kernel.org/r/20240305110608.104072-1-tp@osasysteme.de +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/dp83822.c | 37 ++++++++++++++++++++----------------- + 1 file changed, 20 insertions(+), 17 deletions(-) + +diff --git a/drivers/net/phy/dp83822.c b/drivers/net/phy/dp83822.c +index dce87589b1120..14c5e082ccc8f 100644 +--- a/drivers/net/phy/dp83822.c ++++ b/drivers/net/phy/dp83822.c +@@ -359,7 +359,7 @@ static int dp83822_config_init(struct phy_device *phydev) + { + struct dp83822_private *dp83822 = phydev->priv; + struct device *dev = &phydev->mdio.dev; +- int rgmii_delay; ++ int rgmii_delay = 0; + s32 rx_int_delay; + s32 tx_int_delay; + int err = 0; +@@ -369,30 +369,33 @@ static int dp83822_config_init(struct phy_device *phydev) + rx_int_delay = phy_get_internal_delay(phydev, dev, NULL, 0, + true); + +- if (rx_int_delay <= 0) +- rgmii_delay = 0; +- else +- rgmii_delay = DP83822_RX_CLK_SHIFT; ++ /* Set DP83822_RX_CLK_SHIFT to enable rx clk internal delay */ ++ if (rx_int_delay > 0) ++ rgmii_delay |= DP83822_RX_CLK_SHIFT; + + tx_int_delay = phy_get_internal_delay(phydev, dev, NULL, 0, + false); ++ ++ /* Set DP83822_TX_CLK_SHIFT to disable tx clk internal 
delay */ + if (tx_int_delay <= 0) +- rgmii_delay &= ~DP83822_TX_CLK_SHIFT; +- else + rgmii_delay |= DP83822_TX_CLK_SHIFT; + +- if (rgmii_delay) { +- err = phy_set_bits_mmd(phydev, DP83822_DEVADDR, +- MII_DP83822_RCSR, rgmii_delay); +- if (err) +- return err; +- } ++ err = phy_modify_mmd(phydev, DP83822_DEVADDR, MII_DP83822_RCSR, ++ DP83822_RX_CLK_SHIFT | DP83822_TX_CLK_SHIFT, rgmii_delay); ++ if (err) ++ return err; ++ ++ err = phy_set_bits_mmd(phydev, DP83822_DEVADDR, ++ MII_DP83822_RCSR, DP83822_RGMII_MODE_EN); + +- phy_set_bits_mmd(phydev, DP83822_DEVADDR, +- MII_DP83822_RCSR, DP83822_RGMII_MODE_EN); ++ if (err) ++ return err; + } else { +- phy_clear_bits_mmd(phydev, DP83822_DEVADDR, +- MII_DP83822_RCSR, DP83822_RGMII_MODE_EN); ++ err = phy_clear_bits_mmd(phydev, DP83822_DEVADDR, ++ MII_DP83822_RCSR, DP83822_RGMII_MODE_EN); ++ ++ if (err) ++ return err; + } + + if (dp83822->fx_enabled) { +-- +2.43.0 + diff --git a/queue-5.10/net-phy-fix-phy_get_internal_delay-accessing-an-empt.patch b/queue-5.10/net-phy-fix-phy_get_internal_delay-accessing-an-empt.patch new file mode 100644 index 00000000000..da7f33cbd06 --- /dev/null +++ b/queue-5.10/net-phy-fix-phy_get_internal_delay-accessing-an-empt.patch 
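Review bot: In `dp83822_config_init()` the tests `if (rx_int_delay > 0)` and `if (tx_int_delay <= 0)` fold a negative return from `phy_get_internal_delay()` into the "no internal delay" case, so a failure to read the property is indistinguishable from an explicit zero. That is presumably intended (a negative value most likely means the property is absent), but it should be stated, for example `/* a negative return (property absent or invalid) is treated as no delay */` above the first test. The function starts and ends outside the hunk.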
@@ -0,0 +1,48 @@ +From a4d41c0b1e24cc08b6cbdc1a6a260392c9053e5b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Mar 2024 12:19:06 +0100 +Subject: net: phy: fix phy_get_internal_delay accessing an empty array +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kévin L'hôpital + +[ Upstream commit 4469c0c5b14a0919f5965c7ceac96b523eb57b79 ] + +The phy_get_internal_delay function could try to access to an empty +array in the case that the driver is calling phy_get_internal_delay +without defining delay_values and rx-internal-delay-ps or +tx-internal-delay-ps is defined to 0 in the device-tree. +This will lead to "unable to handle kernel NULL pointer dereference at +virtual address 0". To avoid this kernel oops, the test should be delay +>= 0. As there is already delay < 0 test just before, the test could +only be size == 0. + +Fixes: 92252eec913b ("net: phy: Add a helper to return the index for of the internal delay") +Co-developed-by: Enguerrand de Ribaucourt +Signed-off-by: Enguerrand de Ribaucourt +Signed-off-by: Kévin L'hôpital +Reviewed-by: Russell King (Oracle) +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/phy/phy_device.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c +index 095d16ceafcf8..8654e05ddc415 100644 +--- a/drivers/net/phy/phy_device.c ++++ b/drivers/net/phy/phy_device.c +@@ -2769,7 +2769,7 @@ s32 phy_get_internal_delay(struct phy_device *phydev, struct device *dev, + if (delay < 0) + return delay; + +- if (delay && size == 0) ++ if (size == 0) + return delay; + + if (delay < delay_values[0] || delay > delay_values[size - 1]) { +-- +2.43.0 + diff --git a/queue-5.10/net-sunrpc-fix-an-off-by-one-in-rpc_sockaddr2uaddr.patch b/queue-5.10/net-sunrpc-fix-an-off-by-one-in-rpc_sockaddr2uaddr.patch new file mode 100644 index 00000000000..377e5e35bff --- /dev/null 
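Review bot: The guard `if (size == 0) return delay;` in phy_get_internal_delay() is now the only thing that keeps the following `delay_values[0]` access away from a missing table, and nothing at that line says so. A short comment such as `/* no delay table supplied: return the device-tree value as-is */` would stop a later cleanup from bringing back the `delay &&` condition. The check covers only size == 0; a caller that passes a non-zero size with a NULL table would presumably still reach the array access, which may be worth stating in the function's kernel-doc. The function starts and ends outside the hunk.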
+++ b/queue-5.10/net-sunrpc-fix-an-off-by-one-in-rpc_sockaddr2uaddr.patch @@ -0,0 +1,42 @@ +From 26aa46f45f017bc23e3e6a2fbd4e82e8c2709ea0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Oct 2023 23:58:20 +0200 +Subject: net: sunrpc: Fix an off by one in rpc_sockaddr2uaddr() + +From: Christophe JAILLET + +[ Upstream commit d6f4de70f73a106986ee315d7d512539f2f3303a ] + +The intent is to check if the strings' are truncated or not. So, >= should +be used instead of >, because strlcat() and snprintf() return the length of +the output, excluding the trailing NULL. + +Fixes: a02d69261134 ("SUNRPC: Provide functions for managing universal addresses") +Signed-off-by: Christophe JAILLET +Reviewed-by: Benjamin Coddington +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + net/sunrpc/addr.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/sunrpc/addr.c b/net/sunrpc/addr.c +index d435bffc61999..97ff11973c493 100644 +--- a/net/sunrpc/addr.c ++++ b/net/sunrpc/addr.c +@@ -284,10 +284,10 @@ char *rpc_sockaddr2uaddr(const struct sockaddr *sap, gfp_t gfp_flags) + } + + if (snprintf(portbuf, sizeof(portbuf), +- ".%u.%u", port >> 8, port & 0xff) > (int)sizeof(portbuf)) ++ ".%u.%u", port >> 8, port & 0xff) >= (int)sizeof(portbuf)) + return NULL; + +- if (strlcat(addrbuf, portbuf, sizeof(addrbuf)) > sizeof(addrbuf)) ++ if (strlcat(addrbuf, portbuf, sizeof(addrbuf)) >= sizeof(addrbuf)) + return NULL; + + return kstrdup(addrbuf, gfp_flags); +-- +2.43.0 + diff --git a/queue-5.10/net-x25-fix-incorrect-parameter-validation-in-the-x2.patch b/queue-5.10/net-x25-fix-incorrect-parameter-validation-in-the-x2.patch new file mode 100644 index 00000000000..3f182b32916 --- /dev/null +++ b/queue-5.10/net-x25-fix-incorrect-parameter-validation-in-the-x2.patch 
@@ -0,0 +1,47 @@ +From f12b4d205a24729c4d340b85ce7db349667b9852 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Mar 2024 14:23:50 +0000 +Subject: net/x25: fix incorrect parameter validation in the x25_getsockopt() + function + +From: Gavrilov Ilia + +[ Upstream commit d6eb8de2015f0c24822e47356f839167ebde2945 ] + +The 'len' variable can't be negative when assigned the result of +'min_t' because all 'min_t' parameters are cast to unsigned int, +and then the minimum one is chosen. + +To fix the logic, check 'len' as read from 'optlen', +where the types of relevant variables are (signed) int. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Gavrilov Ilia +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/x25/af_x25.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c +index 161dc194e6342..a7ecf2956cdd6 100644 +--- a/net/x25/af_x25.c ++++ b/net/x25/af_x25.c +@@ -470,12 +470,12 @@ static int x25_getsockopt(struct socket *sock, int level, int optname, + if (get_user(len, optlen)) + goto out; + +- len = min_t(unsigned int, len, sizeof(int)); +- + rc = -EINVAL; + if (len < 0) + goto out; + ++ len = min_t(unsigned int, len, sizeof(int)); ++ + rc = -EFAULT; + if (put_user(len, optlen)) + goto out; +-- +2.43.0 + diff --git a/queue-5.10/nfp-flower-handle-acti_netdevs-allocation-failure.patch b/queue-5.10/nfp-flower-handle-acti_netdevs-allocation-failure.patch new file mode 100644 index 00000000000..48603e4b231 --- /dev/null +++ b/queue-5.10/nfp-flower-handle-acti_netdevs-allocation-failure.patch 
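Review bot: The order of the two statements in x25_getsockopt() is now what makes `len < 0` reachable, but the code does not say why. `len` comes from user space through `get_user(len, optlen)`, and clamping it first with `min_t(unsigned int, ...)` turns a negative value into a small positive one, so the sign test has to come before the clamp. I would add `/* reject a negative optlen before the unsigned clamp hides its sign */` above `if (len < 0)`. The function continues outside the hunk.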
@@ -0,0 +1,45 @@ +From fd865a5c0b150b861d4f196dba71fe5beeafc5aa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Mar 2024 22:25:40 +0800 +Subject: nfp: flower: handle acti_netdevs allocation failure + +From: Duoming Zhou + +[ Upstream commit 84e95149bd341705f0eca6a7fcb955c548805002 ] + +The kmalloc_array() in nfp_fl_lag_do_work() will return null, if +the physical memory has run out. As a result, if we dereference +the acti_netdevs, the null pointer dereference bugs will happen. + +This patch adds a check to judge whether allocation failure occurs. +If it happens, the delayed work will be rescheduled and try again. + +Fixes: bb9a8d031140 ("nfp: flower: monitor and offload LAG groups") +Signed-off-by: Duoming Zhou +Reviewed-by: Louis Peens +Link: https://lore.kernel.org/r/20240308142540.9674-1-duoming@zju.edu.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/netronome/nfp/flower/lag_conf.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/ethernet/netronome/nfp/flower/lag_conf.c b/drivers/net/ethernet/netronome/nfp/flower/lag_conf.c +index 63907aeb3884e..3167f9675ae0f 100644 +--- a/drivers/net/ethernet/netronome/nfp/flower/lag_conf.c ++++ b/drivers/net/ethernet/netronome/nfp/flower/lag_conf.c +@@ -308,6 +308,11 @@ static void nfp_fl_lag_do_work(struct work_struct *work) + + acti_netdevs = kmalloc_array(entry->slave_cnt, + sizeof(*acti_netdevs), GFP_KERNEL); ++ if (!acti_netdevs) { ++ schedule_delayed_work(&lag->work, ++ NFP_FL_LAG_DELAY); ++ continue; ++ } + + /* Include sanity check in the loop. It may be that a bond has + * changed between processing the last notification and the +-- +2.43.0 + diff --git a/queue-5.10/nfs-fix-an-off-by-one-in-root_nfs_cat.patch b/queue-5.10/nfs-fix-an-off-by-one-in-root_nfs_cat.patch new file mode 100644 index 00000000000..fad3430a140 --- /dev/null +++ b/queue-5.10/nfs-fix-an-off-by-one-in-root_nfs_cat.patch 
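Review bot: The new failure branch in nfp_fl_lag_do_work() skips the entry with `continue` and relies on the rescheduled work to process it later, but the hunk does not show what keeps the entry marked as pending. If that state is cleared further down the loop body, a comment such as `/* entry is left untouched; the rescheduled work retries it */` would record the assumption. The loop header and the rest of the function are outside the hunk, so it is also worth confirming that nothing acquired earlier in the iteration is left behind by the early `continue`.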
@@ -0,0 +1,42 @@ +From 2985fa111a80ab8dbd06a8c1fa5c383a288281eb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 18 Feb 2024 22:16:53 +0100 +Subject: NFS: Fix an off by one in root_nfs_cat() + +From: Christophe JAILLET + +[ Upstream commit 698ad1a538da0b6bf969cfee630b4e3a026afb87 ] + +The intent is to check if 'dest' is truncated or not. So, >= should be +used instead of >, because strlcat() returns the length of 'dest' and 'src' +excluding the trailing NULL. + +Fixes: 56463e50d1fc ("NFS: Use super.c for NFSROOT mount option parsing") +Signed-off-by: Christophe JAILLET +Reviewed-by: Benjamin Coddington +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/nfsroot.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/nfs/nfsroot.c b/fs/nfs/nfsroot.c +index fa148308822cc..c2cf4ff628811 100644 +--- a/fs/nfs/nfsroot.c ++++ b/fs/nfs/nfsroot.c +@@ -175,10 +175,10 @@ static int __init root_nfs_cat(char *dest, const char *src, + size_t len = strlen(dest); + + if (len && dest[len - 1] != ',') +- if (strlcat(dest, ",", destlen) > destlen) ++ if (strlcat(dest, ",", destlen) >= destlen) + return -1; + +- if (strlcat(dest, src, destlen) > destlen) ++ if (strlcat(dest, src, destlen) >= destlen) + return -1; + return 0; + } +-- +2.43.0 + diff --git a/queue-5.10/nfsv4.2-fix-listxattr-maximum-xdr-buffer-size.patch b/queue-5.10/nfsv4.2-fix-listxattr-maximum-xdr-buffer-size.patch new file mode 100644 index 00000000000..c83382672a8 --- /dev/null +++ b/queue-5.10/nfsv4.2-fix-listxattr-maximum-xdr-buffer-size.patch 
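Review bot: The corrected comparison in root_nfs_cat() sits inside an unbraced nested `if` (`if (len && dest[len - 1] != ',')` followed directly by `if (strlcat(dest, ",", destlen) >= destlen)`), which is easy to misread when the truncation check is the point of the code. Folding both into one condition keeps the behaviour and removes the nesting: `if (len && dest[len - 1] != ',' && strlcat(dest, ",", destlen) >= destlen)` followed by `return -1;`. A one-line comment that strlcat() returns the length it tried to create, so a result equal to destlen already means truncation, would keep `>=` from being "simplified" back to `>`. The start of the function is outside the hunk.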
@@ -0,0 +1,60 @@ +From e203721fed0dd218ffa41af6bf12468e4d6302f4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Jan 2024 07:51:28 -0700 +Subject: NFSv4.2: fix listxattr maximum XDR buffer size + +From: Jorge Mora + +[ Upstream commit bcac8bff90a6ee1629f90669cdb9d28fb86049b0 ] + +Switch order of operations to avoid creating a short XDR buffer: +e.g., buflen = 12, old xdrlen = 12, new xdrlen = 20. + +Having a short XDR buffer leads to lxa_maxcount be a few bytes +less than what is needed to retrieve the whole list when using +a buflen as returned by a call with size = 0: + buflen = listxattr(path, NULL, 0); + buf = malloc(buflen); + buflen = listxattr(path, buf, buflen); + +For a file with one attribute (name = '123456'), the first call +with size = 0 will return buflen = 12 ('user.123456\x00'). +The second call with size = 12, sends LISTXATTRS with +lxa_maxcount = 12 + 8 (cookie) + 4 (array count) = 24. The +XDR buffer needs 8 (cookie) + 4 (array count) + 4 (name count) ++ 6 (name len) + 2 (padding) + 4 (eof) = 28 which is 4 bytes +shorter than the lxa_maxcount provided in the call. + +Fixes: 04a5da690e8f ("NFSv4.2: define limits and sizes for user xattr handling") +Signed-off-by: Jorge Mora +Reviewed-by: Benjamin Coddington +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/nfs42.h | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/fs/nfs/nfs42.h b/fs/nfs/nfs42.h +index 0fe5aacbcfdf1..e7192d0eea3de 100644 +--- a/fs/nfs/nfs42.h ++++ b/fs/nfs/nfs42.h +@@ -54,11 +54,14 @@ int nfs42_proc_removexattr(struct inode *inode, const char *name); + * They would be 7 bytes long in the eventual buffer ("user.x\0"), and + * 8 bytes long XDR-encoded. + * +- * Include the trailing eof word as well. ++ * Include the trailing eof word as well and make the result a multiple ++ * of 4 bytes. 
+ */ + static inline u32 nfs42_listxattr_xdrsize(u32 buflen) + { +- return ((buflen / (XATTR_USER_PREFIX_LEN + 2)) * 8) + 4; ++ u32 size = 8 * buflen / (XATTR_USER_PREFIX_LEN + 2) + 4; ++ ++ return (size + 3) & ~3; + } + #endif /* CONFIG_NFS_V4_2 */ + #endif /* __LINUX_FS_NFS_NFS4_2_H */ +-- +2.43.0 + diff --git a/queue-5.10/nfsv4.2-fix-nfs4_listxattr-kernel-bug-at-mm-usercopy.patch b/queue-5.10/nfsv4.2-fix-nfs4_listxattr-kernel-bug-at-mm-usercopy.patch new file mode 100644 index 00000000000..500a1541960 --- /dev/null +++ b/queue-5.10/nfsv4.2-fix-nfs4_listxattr-kernel-bug-at-mm-usercopy.patch 
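Review bot: In nfs42_listxattr_xdrsize() the new expression `8 * buflen / (XATTR_USER_PREFIX_LEN + 2) + 4` multiplies before it divides, so the u32 product wraps once buflen exceeds UINT_MAX / 8. The replaced form divided first and tolerated much larger values. A wrapped product would give an XDR size far smaller than the caller's buffer requires. The callers are not visible here and presumably pass a buflen bounded by the xattr list limit. If so, the comment above the helper should say it, e.g. `buflen is bounded by the caller, so 8 * buflen cannot wrap`; otherwise buflen should be clamped before the multiplication.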
@@ -0,0 +1,99 @@ +From 44fca5669b200c61fcb31b92f06a35e87bdd0673 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Jan 2024 07:56:12 -0700 +Subject: NFSv4.2: fix nfs4_listxattr kernel BUG at mm/usercopy.c:102 + +From: Jorge Mora + +[ Upstream commit 251a658bbfceafb4d58c76b77682c8bf7bcfad65 ] + +A call to listxattr() with a buffer size = 0 returns the actual +size of the buffer needed for a subsequent call. When size > 0, +nfs4_listxattr() does not return an error because either +generic_listxattr() or nfs4_listxattr_nfs4_label() consumes +exactly all the bytes then size is 0 when calling +nfs4_listxattr_nfs4_user() which then triggers the following +kernel BUG: + + [ 99.403778] kernel BUG at mm/usercopy.c:102! + [ 99.404063] Internal error: Oops - BUG: 00000000f2000800 [#1] SMP + [ 99.408463] CPU: 0 PID: 3310 Comm: python3 Not tainted 6.6.0-61.fc40.aarch64 #1 + [ 99.415827] Call trace: + [ 99.415985] usercopy_abort+0x70/0xa0 + [ 99.416227] __check_heap_object+0x134/0x158 + [ 99.416505] check_heap_object+0x150/0x188 + [ 99.416696] __check_object_size.part.0+0x78/0x168 + [ 99.416886] __check_object_size+0x28/0x40 + [ 99.417078] listxattr+0x8c/0x120 + [ 99.417252] path_listxattr+0x78/0xe0 + [ 99.417476] __arm64_sys_listxattr+0x28/0x40 + [ 99.417723] invoke_syscall+0x78/0x100 + [ 99.417929] el0_svc_common.constprop.0+0x48/0xf0 + [ 99.418186] do_el0_svc+0x24/0x38 + [ 99.418376] el0_svc+0x3c/0x110 + [ 99.418554] el0t_64_sync_handler+0x120/0x130 + [ 99.418788] el0t_64_sync+0x194/0x198 + [ 99.418994] Code: aa0003e3 d000a3e0 91310000 97f49bdb (d4210000) + +Issue is reproduced when generic_listxattr() returns 'system.nfs4_acl', +thus calling lisxattr() with size = 16 will trigger the bug. + +Add check on nfs4_listxattr() to return ERANGE error when it is +called with size > 0 and the return value is greater than size. 
+ +Fixes: 012a211abd5d ("NFSv4.2: hook in the user extended attribute handlers") +Signed-off-by: Jorge Mora +Reviewed-by: Benjamin Coddington +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/nfs4proc.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c +index 7c3c96ed60853..8e546e6a56198 100644 +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -10370,29 +10370,33 @@ const struct nfs4_minor_version_ops *nfs_v4_minor_ops[] = { + static ssize_t nfs4_listxattr(struct dentry *dentry, char *list, size_t size) + { + ssize_t error, error2, error3; ++ size_t left = size; + +- error = generic_listxattr(dentry, list, size); ++ error = generic_listxattr(dentry, list, left); + if (error < 0) + return error; + if (list) { + list += error; +- size -= error; ++ left -= error; + } + +- error2 = nfs4_listxattr_nfs4_label(d_inode(dentry), list, size); ++ error2 = nfs4_listxattr_nfs4_label(d_inode(dentry), list, left); + if (error2 < 0) + return error2; + + if (list) { + list += error2; +- size -= error2; ++ left -= error2; + } + +- error3 = nfs4_listxattr_nfs4_user(d_inode(dentry), list, size); ++ error3 = nfs4_listxattr_nfs4_user(d_inode(dentry), list, left); + if (error3 < 0) + return error3; + +- return error + error2 + error3; ++ error += error2 + error3; ++ if (size && error > size) ++ return -ERANGE; ++ return error; + } + + static void nfs4_enable_swap(struct inode *inode) +-- +2.43.0 + diff --git a/queue-5.10/opp-debugfs-fix-warning-around-icc_get_name.patch b/queue-5.10/opp-debugfs-fix-warning-around-icc_get_name.patch new file mode 100644 index 00000000000..ffd1b304397 --- /dev/null +++ b/queue-5.10/opp-debugfs-fix-warning-around-icc_get_name.patch 
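Review bot: The final test `if (size && error > size)` in nfs4_listxattr() compares a ssize_t with a size_t, which is correct only because error, error2 and error3 were each checked for `< 0` above; that dependency deserves a comment. The helpers can still be called with a non-NULL list and `left == 0`, and presumably treat that as a length query, so the ERANGE decision is deliberately taken after all three have run. I would write `/* a helper called with left == 0 returns the needed length, so compare the total with the caller's size */` above the check and use `(size_t)error > size` to make the conversion explicit.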
@@ -0,0 +1,50 @@ +From 2c9f346c943df30d43a954cddd3be82b75b32239 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Mar 2024 16:48:28 +0530 +Subject: OPP: debugfs: Fix warning around icc_get_name() + +From: Viresh Kumar + +[ Upstream commit 28330ceb953e39880ea77da4895bb902a1244860 ] + +If the kernel isn't built with interconnect support, icc_get_name() +returns NULL and we get following warning: + +drivers/opp/debugfs.c: In function 'bw_name_read': +drivers/opp/debugfs.c:43:42: error: '%.62s' directive argument is null [-Werror=format-overflow=] + i = scnprintf(buf, sizeof(buf), "%.62s\n", icc_get_name(path)); + +Fix it. + +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202402141313.81ltVF5g-lkp@intel.com/ +Fixes: 0430b1d5704b0 ("opp: Expose bandwidth information via debugfs") +Signed-off-by: Viresh Kumar +Reviewed-by: Dhruva Gole +Signed-off-by: Sasha Levin +--- + drivers/opp/debugfs.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/opp/debugfs.c b/drivers/opp/debugfs.c +index 60f4ff8e044d1..016dea5a412be 100644 +--- a/drivers/opp/debugfs.c ++++ b/drivers/opp/debugfs.c +@@ -36,10 +36,12 @@ static ssize_t bw_name_read(struct file *fp, char __user *userbuf, + size_t count, loff_t *ppos) + { + struct icc_path *path = fp->private_data; ++ const char *name = icc_get_name(path); + char buf[64]; +- int i; ++ int i = 0; + +- i = scnprintf(buf, sizeof(buf), "%.62s\n", icc_get_name(path)); ++ if (name) ++ i = scnprintf(buf, sizeof(buf), "%.62s\n", name); + + return simple_read_from_buffer(userbuf, count, ppos, buf, i); + } +-- +2.43.0 + diff --git a/queue-5.10/pci-aer-fix-rootport-attribute-paths-in-abi-docs.patch b/queue-5.10/pci-aer-fix-rootport-attribute-paths-in-abi-docs.patch new file mode 100644 index 00000000000..d54cc7b286b --- /dev/null +++ b/queue-5.10/pci-aer-fix-rootport-attribute-paths-in-abi-docs.patch 
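Review bot: When icc_get_name() returns NULL, bw_name_read() now hands the uninitialised stack array `buf` to simple_read_from_buffer() with a length of 0. No stack bytes should reach user space in that case, but that rests entirely on `i` staying 0. Declaring `char buf[64] = {0};`, or returning 0 early when `name` is NULL, would remove that dependence on the length argument. The function's opening line is outside the hunk.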
@@ -0,0 +1,52 @@ +From f4be41356780b1c9ccf78b5e533bcf8ce69e5060 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Feb 2024 14:16:34 +0100 +Subject: PCI/AER: Fix rootport attribute paths in ABI docs + +From: Johan Hovold + +[ Upstream commit 0e7d29a39a546161ea3a49e8e282a43212d7ff68 ] + +The 'aer_stats' directory never made it into the sixth and final revision +of the series adding the sysfs AER attributes. + +Link: https://lore.kernel.org/r/20240202131635.11405-2-johan+linaro@kernel.org +Link: https://lore.kernel.org/lkml/20180621184822.GB14136@bhelgaas-glaptop.roam.corp.google.com/ +Fixes: 12833017e581 ("PCI/AER: Add sysfs attributes for rootport cumulative stats") +Signed-off-by: Johan Hovold +Signed-off-by: Bjorn Helgaas +Signed-off-by: Sasha Levin +--- + Documentation/ABI/testing/sysfs-bus-pci-devices-aer_stats | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/Documentation/ABI/testing/sysfs-bus-pci-devices-aer_stats b/Documentation/ABI/testing/sysfs-bus-pci-devices-aer_stats +index 860db53037a58..24087d5fd417a 100644 +--- a/Documentation/ABI/testing/sysfs-bus-pci-devices-aer_stats ++++ b/Documentation/ABI/testing/sysfs-bus-pci-devices-aer_stats +@@ -100,19 +100,19 @@ collectors) that are AER capable. These indicate the number of error messages as + device, so these counters include them and are thus cumulative of all the error + messages on the PCI hierarchy originating at that root port. + +-What: /sys/bus/pci/devices//aer_stats/aer_rootport_total_err_cor ++What: /sys/bus/pci/devices//aer_rootport_total_err_cor + Date: July 2018 + KernelVersion: 4.19.0 + Contact: linux-pci@vger.kernel.org, rajatja@google.com + Description: Total number of ERR_COR messages reported to rootport. 
+ +-What: /sys/bus/pci/devices//aer_stats/aer_rootport_total_err_fatal ++What: /sys/bus/pci/devices//aer_rootport_total_err_fatal + Date: July 2018 + KernelVersion: 4.19.0 + Contact: linux-pci@vger.kernel.org, rajatja@google.com + Description: Total number of ERR_FATAL messages reported to rootport. + +-What: /sys/bus/pci/devices//aer_stats/aer_rootport_total_err_nonfatal ++What: /sys/bus/pci/devices//aer_rootport_total_err_nonfatal + Date: July 2018 + KernelVersion: 4.19.0 + Contact: linux-pci@vger.kernel.org, rajatja@google.com +-- +2.43.0 + diff --git a/queue-5.10/pci-dpc-print-all-tlp-prefixes-not-just-the-first.patch b/queue-5.10/pci-dpc-print-all-tlp-prefixes-not-just-the-first.patch new file mode 100644 index 00000000000..76f0046afcc --- /dev/null +++ b/queue-5.10/pci-dpc-print-all-tlp-prefixes-not-just-the-first.patch 
@@ -0,0 +1,45 @@ +From 2dccacd9b62d873f6e05cbaec88a79b444427f9b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Jan 2024 13:08:15 +0200 +Subject: PCI/DPC: Print all TLP Prefixes, not just the first +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ilpo Järvinen + +[ Upstream commit 6568d82512b0a64809acff3d7a747362fa4288c8 ] + +The TLP Prefix Log Register consists of multiple DWORDs (PCIe r6.1 sec +7.9.14.13) but the loop in dpc_process_rp_pio_error() keeps reading from +the first DWORD, so we print only the first PIO TLP Prefix (duplicated +several times), and we never print the second, third, etc., Prefixes. + +Add the iteration count based offset calculation into the config read. + +Fixes: f20c4ea49ec4 ("PCI/DPC: Add eDPC support") +Link: https://lore.kernel.org/r/20240118110815.3867-1-ilpo.jarvinen@linux.intel.com +Signed-off-by: Ilpo Järvinen +[bhelgaas: add user-visible details to commit log] +Signed-off-by: Bjorn Helgaas +Signed-off-by: Sasha Levin +--- + drivers/pci/pcie/dpc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/pci/pcie/dpc.c b/drivers/pci/pcie/dpc.c +index f21d64ae4ffcc..cf0d4ba2e157a 100644 +--- a/drivers/pci/pcie/dpc.c ++++ b/drivers/pci/pcie/dpc.c +@@ -231,7 +231,7 @@ static void dpc_process_rp_pio_error(struct pci_dev *pdev) + + for (i = 0; i < pdev->dpc_rp_log_size - 5; i++) { + pci_read_config_dword(pdev, +- cap + PCI_EXP_DPC_RP_PIO_TLPPREFIX_LOG, &prefix); ++ cap + PCI_EXP_DPC_RP_PIO_TLPPREFIX_LOG + i * 4, &prefix); + pci_err(pdev, "TLP Prefix Header: dw%d, %#010x\n", i, prefix); + } + clear_status: +-- +2.43.0 + diff --git a/queue-5.10/pci-make-pci_dev_is_disconnected-helper-public-for-o.patch b/queue-5.10/pci-make-pci_dev_is_disconnected-helper-public-for-o.patch new file mode 100644 index 00000000000..a80c7b64153 --- /dev/null +++ b/queue-5.10/pci-make-pci_dev_is_disconnected-helper-public-for-o.patch 
@@ -0,0 +1,67 @@ +From 0c1a0b6916bd37e604e6105e06e1719be6abebae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Mar 2024 20:21:14 +0800 +Subject: PCI: Make pci_dev_is_disconnected() helper public for other drivers + +From: Ethan Zhao + +[ Upstream commit 39714fd73c6b60a8d27bcc5b431afb0828bf4434 ] + +Make pci_dev_is_disconnected() public so that it can be called from +Intel VT-d driver to quickly fix/workaround the surprise removal +unplug hang issue for those ATS capable devices on PCIe switch downstream +hotplug capable ports. + +Beside pci_device_is_present() function, this one has no config space +space access, so is light enough to optimize the normal pure surprise +removal and safe removal flow. + +Acked-by: Bjorn Helgaas +Reviewed-by: Dan Carpenter +Tested-by: Haorong Ye +Signed-off-by: Ethan Zhao +Link: https://lore.kernel.org/r/20240301080727.3529832-2-haifeng.zhao@linux.intel.com +Signed-off-by: Lu Baolu +Signed-off-by: Joerg Roedel +Stable-dep-of: 4fc82cd907ac ("iommu/vt-d: Don't issue ATS Invalidation request when device is disconnected") +Signed-off-by: Sasha Levin +--- + drivers/pci/pci.h | 5 ----- + include/linux/pci.h | 5 +++++ + 2 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/pci/pci.h b/drivers/pci/pci.h +index 72436000ff252..32fa07bfc448e 100644 +--- a/drivers/pci/pci.h ++++ b/drivers/pci/pci.h +@@ -399,11 +399,6 @@ static inline int pci_dev_set_disconnected(struct pci_dev *dev, void *unused) + return 0; + } + +-static inline bool pci_dev_is_disconnected(const struct pci_dev *dev) +-{ +- return dev->error_state == pci_channel_io_perm_failure; +-} +- + /* pci_dev priv_flags */ + #define PCI_DEV_ADDED 0 + #define PCI_DPC_RECOVERED 1 +diff --git a/include/linux/pci.h b/include/linux/pci.h +index 550e1cdb473fa..bf46453475e31 100644 +--- a/include/linux/pci.h ++++ b/include/linux/pci.h +@@ -2191,6 +2191,11 @@ static inline struct pci_dev *pcie_find_root_port(struct pci_dev *dev) + return NULL; + } + ++static inline 
bool pci_dev_is_disconnected(const struct pci_dev *dev) ++{ ++ return dev->error_state == pci_channel_io_perm_failure; ++} ++ + void pci_request_acs(void); + bool pci_acs_enabled(struct pci_dev *pdev, u16 acs_flags); + bool pci_acs_path_enabled(struct pci_dev *start, +-- +2.43.0 + diff --git a/queue-5.10/pci-mark-3ware-9650se-root-port-extended-tags-as-bro.patch b/queue-5.10/pci-mark-3ware-9650se-root-port-extended-tags-as-bro.patch new file mode 100644 index 00000000000..b183eb020c3 --- /dev/null +++ b/queue-5.10/pci-mark-3ware-9650se-root-port-extended-tags-as-bro.patch 
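Review bot: pci_dev_is_disconnected() moves into include/linux/pci.h and becomes callable from any driver, yet it arrives there without a comment. The commit message states that, unlike pci_device_is_present(), it makes no config space access; callers outside drivers/pci will rely on that property, so it should be documented above the helper. Something like `/* True when error_state is pci_channel_io_perm_failure; does not access config space */` would do. Whether callers need any ordering or locking around error_state is not visible in this hunk and could be covered in the same comment.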
@@ -0,0 +1,56 @@ +From 916652cafaa183717295cf9841250145ebfb8599 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Feb 2024 14:28:11 +0100 +Subject: PCI: Mark 3ware-9650SE Root Port Extended Tags as broken +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jörg Wedekind + +[ Upstream commit baf67aefbe7d7deafa59ca49612d163f8889934c ] + +Per PCIe r6.1, sec 2.2.6.2 and 7.5.3.4, a Requester may not use 8-bit Tags +unless its Extended Tag Field Enable is set, but all Receivers/Completers +must handle 8-bit Tags correctly regardless of their Extended Tag Field +Enable. + +Some devices do not handle 8-bit Tags as Completers, so add a quirk for +them. If we find such a device, we disable Extended Tags for the entire +hierarchy to make peer-to-peer DMA possible. + +The 3ware 9650SE seems to have issues with handling 8-bit tags. Mark it as +broken. + +This fixes PCI Parity Errors like : + + 3w-9xxx: scsi0: ERROR: (0x06:0x000C): PCI Parity Error: clearing. + 3w-9xxx: scsi0: ERROR: (0x06:0x000D): PCI Abort: clearing. + 3w-9xxx: scsi0: ERROR: (0x06:0x000E): Controller Queue Error: clearing. + 3w-9xxx: scsi0: ERROR: (0x06:0x0010): Microcontroller Error: clearing. 
+ +Link: https://lore.kernel.org/r/20240219132811.8351-1-joerg@wedekind.de +Fixes: 60db3a4d8cc9 ("PCI: Enable PCIe Extended Tags if supported") +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=202425 +Signed-off-by: Jörg Wedekind +Signed-off-by: Bjorn Helgaas +Signed-off-by: Sasha Levin +--- + drivers/pci/quirks.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c +index b67aea8d8f197..646807a443e2d 100644 +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -5364,6 +5364,7 @@ static void quirk_no_ext_tags(struct pci_dev *pdev) + + pci_walk_bus(bridge->bus, pci_configure_extended_tags, NULL); + } ++DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_3WARE, 0x1004, quirk_no_ext_tags); + DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_SERVERWORKS, 0x0132, quirk_no_ext_tags); + DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_SERVERWORKS, 0x0140, quirk_no_ext_tags); + DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_SERVERWORKS, 0x0141, quirk_no_ext_tags); +-- +2.43.0 + diff --git a/queue-5.10/pci-switchtec-fix-an-error-handling-path-in-switchte.patch b/queue-5.10/pci-switchtec-fix-an-error-handling-path-in-switchte.patch new file mode 100644 index 00000000000..439e477d315 --- /dev/null +++ b/queue-5.10/pci-switchtec-fix-an-error-handling-path-in-switchte.patch 
@@ -0,0 +1,51 @@ +From 5fbc7c628e8fc16831d4cc0ab1368448e3947607 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 24 Dec 2023 15:30:01 +0100 +Subject: PCI: switchtec: Fix an error handling path in switchtec_pci_probe() + +From: Christophe JAILLET + +[ Upstream commit dec529b0b0572b32f9eb91c882dd1f08ca657efb ] + +The commit in Fixes changed the logic on how resources are released and +introduced a new switchtec_exit_pci() that need to be called explicitly in +order to undo a corresponding switchtec_init_pci(). + +This was done in the remove function, but not in the probe. + +Fix the probe now. + +Fixes: df25461119d9 ("PCI: switchtec: Fix stdev_release() crash after surprise hot remove") +Link: https://lore.kernel.org/r/01446d2ccb91a578239915812f2b7dfbeb2882af.1703428183.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Christophe JAILLET +Signed-off-by: Bjorn Helgaas +Signed-off-by: Sasha Levin +--- + drivers/pci/switch/switchtec.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/pci/switch/switchtec.c b/drivers/pci/switch/switchtec.c +index 5cea3ad290c54..9aa230c3208ab 100644 +--- a/drivers/pci/switch/switchtec.c ++++ b/drivers/pci/switch/switchtec.c +@@ -1615,7 +1615,7 @@ static int switchtec_pci_probe(struct pci_dev *pdev, + rc = switchtec_init_isr(stdev); + if (rc) { + dev_err(&stdev->dev, "failed to init isr.\n"); +- goto err_put; ++ goto err_exit_pci; + } + + iowrite32(SWITCHTEC_EVENT_CLEAR | +@@ -1636,6 +1636,8 @@ static int switchtec_pci_probe(struct pci_dev *pdev, + + err_devadd: + stdev_kill(stdev); ++err_exit_pci: ++ switchtec_exit_pci(stdev); + err_put: + ida_simple_remove(&switchtec_minor_ida, MINOR(stdev->dev.devt)); + put_device(&stdev->dev); +-- +2.43.0 + diff --git a/queue-5.10/perf-evsel-fix-duplicate-initialization-of-data-id-i.patch b/queue-5.10/perf-evsel-fix-duplicate-initialization-of-data-id-i.patch new file mode 100644 index 00000000000..04ea8d206ae --- /dev/null 
+++ b/queue-5.10/perf-evsel-fix-duplicate-initialization-of-data-id-i.patch @@ -0,0 +1,38 @@ +From e59771c82c0aaea122adc952ec065119fd79ece8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 27 Jan 2024 02:57:56 +0000 +Subject: perf evsel: Fix duplicate initialization of data->id in + evsel__parse_sample() + +From: Yang Jihong + +[ Upstream commit 4962aec0d684c8edb14574ccd0da53e4926ff834 ] + +data->id has been initialized at line 2362, remove duplicate initialization. + +Fixes: 3ad31d8a0df2 ("perf evsel: Centralize perf_sample initialization") +Signed-off-by: Yang Jihong +Reviewed-by: Arnaldo Carvalho de Melo +Reviewed-by: Ian Rogers +Signed-off-by: Namhyung Kim +Link: https://lore.kernel.org/r/20240127025756.4041808-1-yangjihong1@huawei.com +Signed-off-by: Sasha Levin +--- + tools/perf/util/evsel.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/tools/perf/util/evsel.c b/tools/perf/util/evsel.c +index 1a1cbd16d76d4..d9a4c0202a8c3 100644 +--- a/tools/perf/util/evsel.c ++++ b/tools/perf/util/evsel.c +@@ -2109,7 +2109,6 @@ int evsel__parse_sample(struct evsel *evsel, union perf_event *event, + data->period = evsel->core.attr.sample_period; + data->cpumode = event->header.misc & PERF_RECORD_MISC_CPUMODE_MASK; + data->misc = event->header.misc; +- data->id = -1ULL; + data->data_src = PERF_MEM_DATA_SRC_NONE; + + if (event->header.type != PERF_RECORD_SAMPLE) { +-- +2.43.0 + diff --git a/queue-5.10/perf-record-fix-possible-incorrect-free-in-record__s.patch b/queue-5.10/perf-record-fix-possible-incorrect-free-in-record__s.patch new file mode 100644 index 00000000000..9a5fa8613e2 --- /dev/null +++ b/queue-5.10/perf-record-fix-possible-incorrect-free-in-record__s.patch 
@@ -0,0 +1,40 @@ +From a057ed9cf1d73f5ca343862df7b044bb96ce73ac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Jan 2024 04:03:02 +0000 +Subject: perf record: Fix possible incorrect free in record__switch_output() + +From: Yang Jihong + +[ Upstream commit aff10a165201f6f60cff225083ce301ad3f5d8f1 ] + +perf_data__switch() may not assign a legal value to 'new_filename'. +In this case, 'new_filename' uses the on-stack value, which may cause a +incorrect free and unexpected result. + +Fixes: 03724b2e9c45 ("perf record: Allow to limit number of reported perf.data files") +Signed-off-by: Yang Jihong +Acked-by: Namhyung Kim +Link: https://lore.kernel.org/r/20240119040304.3708522-2-yangjihong1@huawei.com +Signed-off-by: Namhyung Kim +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-record.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/builtin-record.c b/tools/perf/builtin-record.c +index e5c938d538ee5..167cd8d3b7a21 100644 +--- a/tools/perf/builtin-record.c ++++ b/tools/perf/builtin-record.c +@@ -1264,8 +1264,8 @@ static int + record__switch_output(struct record *rec, bool at_exit) + { + struct perf_data *data = &rec->data; ++ char *new_filename = NULL; + int fd, err; +- char *new_filename; + + /* Same Size: "2015122520103046"*/ + char timestamp[] = "InvalidTimestamp"; +-- +2.43.0 + diff --git a/queue-5.10/perf-stat-avoid-metric-only-segv.patch b/queue-5.10/perf-stat-avoid-metric-only-segv.patch new file mode 100644 index 00000000000..8c70b87ced8 --- /dev/null +++ b/queue-5.10/perf-stat-avoid-metric-only-segv.patch 
@@ -0,0 +1,43 @@ +From 1c1cdadb6a98eb784a090336f4c15055f40b0940 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Feb 2024 12:49:46 -0800 +Subject: perf stat: Avoid metric-only segv + +From: Ian Rogers + +[ Upstream commit 2543947c77e0e224bda86b4e7220c2f6714da463 ] + +Cycles is recognized as part of a hard coded metric in stat-shadow.c, +it may call print_metric_only with a NULL fmt string leading to a +segfault. Handle the NULL fmt explicitly. + +Fixes: 088519f318be ("perf stat: Move the display functions to stat-display.c") +Signed-off-by: Ian Rogers +Reviewed-by: Kan Liang +Cc: K Prateek Nayak +Cc: James Clark +Cc: Kaige Ye +Cc: John Garry +Signed-off-by: Namhyung Kim +Link: https://lore.kernel.org/r/20240209204947.3873294-4-irogers@google.com +Signed-off-by: Sasha Levin +--- + tools/perf/util/stat-display.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/util/stat-display.c b/tools/perf/util/stat-display.c +index 4688e39de52af..971fd77bd3e61 100644 +--- a/tools/perf/util/stat-display.c ++++ b/tools/perf/util/stat-display.c +@@ -271,7 +271,7 @@ static void print_metric_only(struct perf_stat_config *config, + if (color) + mlen += strlen(color) + sizeof(PERF_COLOR_RESET) - 1; + +- color_snprintf(str, sizeof(str), color ?: "", fmt, val); ++ color_snprintf(str, sizeof(str), color ?: "", fmt ?: "", val); + fprintf(out, "%*s ", mlen, str); + } + +-- +2.43.0 + diff --git a/queue-5.10/perf-thread_map-free-strlist-on-normal-path-in-threa.patch b/queue-5.10/perf-thread_map-free-strlist-on-normal-path-in-threa.patch new file mode 100644 index 00000000000..a680292f83d --- /dev/null +++ b/queue-5.10/perf-thread_map-free-strlist-on-normal-path-in-threa.patch 
@@ -0,0 +1,45 @@ +From ba75a29e68f922e849d054d88636d949f925524d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Feb 2024 08:32:28 +0000 +Subject: perf thread_map: Free strlist on normal path in + thread_map__new_by_tid_str() + +From: Yang Jihong + +[ Upstream commit 1eb3d924e3c0b8c27388b0583a989d757866efb6 ] + +slist needs to be freed in both error path and normal path in +thread_map__new_by_tid_str(). + +Fixes: b52956c961be3a04 ("perf tools: Allow multiple threads or processes in record, stat, top") +Reviewed-by: Arnaldo Carvalho de Melo +Signed-off-by: Yang Jihong +Signed-off-by: Namhyung Kim +Link: https://lore.kernel.org/r/20240206083228.172607-6-yangjihong1@huawei.com +Signed-off-by: Sasha Levin +--- + tools/perf/util/thread_map.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/util/thread_map.c b/tools/perf/util/thread_map.c +index c9bfe4696943b..cee7fc3b5bb0c 100644 +--- a/tools/perf/util/thread_map.c ++++ b/tools/perf/util/thread_map.c +@@ -279,13 +279,13 @@ struct perf_thread_map *thread_map__new_by_tid_str(const char *tid_str) + threads->nr = ntasks; + } + out: ++ strlist__delete(slist); + if (threads) + refcount_set(&threads->refcnt, 1); + return threads; + + out_free_threads: + zfree(&threads); +- strlist__delete(slist); + goto out; + } + +-- +2.43.0 + diff --git a/queue-5.10/pinctrl-mediatek-drop-bogus-slew-rate-register-range.patch b/queue-5.10/pinctrl-mediatek-drop-bogus-slew-rate-register-range.patch new file mode 100644 index 00000000000..4dccb1097df --- /dev/null +++ b/queue-5.10/pinctrl-mediatek-drop-bogus-slew-rate-register-range.patch 
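Review bot: With `strlist__delete(slist)` now under the `out:` label, every `goto out` in thread_map__new_by_tid_str() frees slist, so slist must be either a valid list or NULL on each path that reaches the label. The start of the function is outside the hunk, so please confirm that no `goto out` runs before slist is assigned. The backward jump from `out_free_threads` to `out` also deserves a word, e.g. `/* slist is released on both paths; threads is NULL when arriving from out_free_threads */` above the call.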
@@ -0,0 +1,40 @@ +From 80fdbe621f3aab3899ec7cc013ca03f19837a48a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Jan 2024 15:19:08 +0800 +Subject: pinctrl: mediatek: Drop bogus slew rate register range for MT8192 + +From: Chen-Yu Tsai + +[ Upstream commit e15ab05a6b3ed42f2f43f8bd1a1abdbde64afecd ] + +The MT8192 does not support configuring pin slew rate. This is evident +from both the datasheet, and the fact that the driver points the slew +rate register range at the GPIO direction register range. + +Drop the bogus setting. + +Fixes: d32f38f2a8fc ("pinctrl: mediatek: Add pinctrl driver for mt8192") +Signed-off-by: Chen-Yu Tsai +Reviewed-by: AngeloGioacchino Del Regno +Link: https://lore.kernel.org/r/20240131071910.3950450-2-wenst@chromium.org +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/mediatek/pinctrl-mt8192.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/pinctrl/mediatek/pinctrl-mt8192.c b/drivers/pinctrl/mediatek/pinctrl-mt8192.c +index 0c16b2c756bf3..f3020e3c8533b 100644 +--- a/drivers/pinctrl/mediatek/pinctrl-mt8192.c ++++ b/drivers/pinctrl/mediatek/pinctrl-mt8192.c +@@ -1346,7 +1346,6 @@ static const struct mtk_pin_reg_calc mt8192_reg_cals[PINCTRL_PIN_REG_MAX] = { + [PINCTRL_PIN_REG_DIR] = MTK_RANGE(mt8192_pin_dir_range), + [PINCTRL_PIN_REG_DI] = MTK_RANGE(mt8192_pin_di_range), + [PINCTRL_PIN_REG_DO] = MTK_RANGE(mt8192_pin_do_range), +- [PINCTRL_PIN_REG_SR] = MTK_RANGE(mt8192_pin_dir_range), + [PINCTRL_PIN_REG_SMT] = MTK_RANGE(mt8192_pin_smt_range), + [PINCTRL_PIN_REG_IES] = MTK_RANGE(mt8192_pin_ies_range), + [PINCTRL_PIN_REG_PU] = MTK_RANGE(mt8192_pin_pu_range), +-- +2.43.0 + diff --git a/queue-5.10/powerpc-embedded6xx-fix-no-previous-prototype-for-av.patch b/queue-5.10/powerpc-embedded6xx-fix-no-previous-prototype-for-av.patch new file mode 100644 index 00000000000..6ea49672349 --- /dev/null +++ b/queue-5.10/powerpc-embedded6xx-fix-no-previous-prototype-for-av.patch 
@@ -0,0 +1,53 @@ +From 851a397f49bd785db9185c44b72886f9d83d0fc8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Mar 2024 23:34:08 +1100 +Subject: powerpc/embedded6xx: Fix no previous prototype for avr_uart_send() + etc. + +From: Michael Ellerman + +[ Upstream commit 20933531be0577cdd782216858c26150dbc7936f ] + +Move the prototypes into mpc10x.h which is included by all the relevant +C files, fixes: + + arch/powerpc/platforms/embedded6xx/ls_uart.c:59:6: error: no previous prototype for 'avr_uart_configure' + arch/powerpc/platforms/embedded6xx/ls_uart.c:82:6: error: no previous prototype for 'avr_uart_send' + +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20240305123410.3306253-1-mpe@ellerman.id.au +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/embedded6xx/linkstation.c | 3 --- + arch/powerpc/platforms/embedded6xx/mpc10x.h | 3 +++ + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/powerpc/platforms/embedded6xx/linkstation.c b/arch/powerpc/platforms/embedded6xx/linkstation.c +index f514d5d28cd4f..3f3821eb4c36b 100644 +--- a/arch/powerpc/platforms/embedded6xx/linkstation.c ++++ b/arch/powerpc/platforms/embedded6xx/linkstation.c +@@ -97,9 +97,6 @@ static void __init linkstation_init_IRQ(void) + mpic_init(mpic); + } + +-extern void avr_uart_configure(void); +-extern void avr_uart_send(const char); +- + static void __noreturn linkstation_restart(char *cmd) + { + local_irq_disable(); +diff --git a/arch/powerpc/platforms/embedded6xx/mpc10x.h b/arch/powerpc/platforms/embedded6xx/mpc10x.h +index 5ad12023e5628..ebc258fa4858d 100644 +--- a/arch/powerpc/platforms/embedded6xx/mpc10x.h ++++ b/arch/powerpc/platforms/embedded6xx/mpc10x.h +@@ -156,4 +156,7 @@ int mpc10x_disable_store_gathering(struct pci_controller *hose); + /* For MPC107 boards that use the built-in openpic */ + void mpc10x_set_openpic(void); + ++void avr_uart_configure(void); ++void avr_uart_send(const char c); ++ + #endif /* __PPC_KERNEL_MPC10X_H */ +-- +2.43.0 
+ diff --git a/queue-5.10/powerpc-hv-gpci-fix-the-h_get_perf_counter_info-hcal.patch b/queue-5.10/powerpc-hv-gpci-fix-the-h_get_perf_counter_info-hcal.patch new file mode 100644 index 00000000000..c7120a71bd5 --- /dev/null +++ b/queue-5.10/powerpc-hv-gpci-fix-the-h_get_perf_counter_info-hcal.patch 
@@ -0,0 +1,118 @@ +From c6ff616cbb5e3fc757645580f68a17956f7652b9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Feb 2024 17:58:47 +0530 +Subject: powerpc/hv-gpci: Fix the H_GET_PERF_COUNTER_INFO hcall return value + checks + +From: Kajol Jain + +[ Upstream commit ad86d7ee43b22aa2ed60fb982ae94b285c1be671 ] + +Running event hv_gpci/dispatch_timebase_by_processor_processor_time_in_timebase_cycles,phys_processor_idx=0/ +in one of the system throws below error: + + ---Logs--- + # perf list | grep hv_gpci/dispatch_timebase_by_processor_processor_time_in_timebase_cycles + hv_gpci/dispatch_timebase_by_processor_processor_time_in_timebase_cycles,phys_processor_idx=?/[Kernel PMU event] + + # perf stat -v -e hv_gpci/dispatch_timebase_by_processor_processor_time_in_timebase_cycles,phys_processor_idx=0/ sleep 2 +Using CPUID 00800200 +Control descriptor is not initialized +Warning: +hv_gpci/dispatch_timebase_by_processor_processor_time_in_timebase_cycles,phys_processor_idx=0/ event is not supported by the kernel. +failed to read counter hv_gpci/dispatch_timebase_by_processor_processor_time_in_timebase_cycles,phys_processor_idx=0/ + + Performance counter stats for 'system wide': + + hv_gpci/dispatch_timebase_by_processor_processor_time_in_timebase_cycles,phys_processor_idx=0/ + + 2.000700771 seconds time elapsed + +The above error is because of the hcall failure as required +permission "Enable Performance Information Collection" is not set. +Based on current code, single_gpci_request function did not check the +error type incase hcall fails and by default returns EINVAL. But we can +have other reasons for hcall failures like H_AUTHORITY/H_PARAMETER with +detail_rc as GEN_BUF_TOO_SMALL, for which we need to act accordingly. + +Fix this issue by adding new checks in the single_gpci_request and +h_gpci_event_init functions. 
+ +Result after fix patch changes: + + # perf stat -e hv_gpci/dispatch_timebase_by_processor_processor_time_in_timebase_cycles,phys_processor_idx=0/ sleep 2 +Error: +No permission to enable hv_gpci/dispatch_timebase_by_processor_processor_time_in_timebase_cycles,phys_processor_idx=0/ event. + +Fixes: 220a0c609ad1 ("powerpc/perf: Add support for the hv gpci (get performance counter info) interface") +Reported-by: Akanksha J N +Signed-off-by: Kajol Jain +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20240229122847.101162-1-kjain@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/perf/hv-gpci.c | 29 +++++++++++++++++++++++++++-- + 1 file changed, 27 insertions(+), 2 deletions(-) + +diff --git a/arch/powerpc/perf/hv-gpci.c b/arch/powerpc/perf/hv-gpci.c +index 28b770bbc10b4..2a054de80e50b 100644 +--- a/arch/powerpc/perf/hv-gpci.c ++++ b/arch/powerpc/perf/hv-gpci.c +@@ -164,6 +164,20 @@ static unsigned long single_gpci_request(u32 req, u32 starting_index, + + ret = plpar_hcall_norets(H_GET_PERF_COUNTER_INFO, + virt_to_phys(arg), HGPCI_REQ_BUFFER_SIZE); ++ ++ /* ++ * ret value as 'H_PARAMETER' with detail_rc as 'GEN_BUF_TOO_SMALL', ++ * specifies that the current buffer size cannot accommodate ++ * all the information and a partial buffer returned. ++ * Since in this function we are only accessing data for a given starting index, ++ * we don't need to accommodate whole data and can get required count by ++ * accessing first entry data. ++ * Hence hcall fails only incase the ret value is other than H_SUCCESS or ++ * H_PARAMETER with detail_rc value as GEN_BUF_TOO_SMALL(0x1B). 
++ */ ++ if (ret == H_PARAMETER && be32_to_cpu(arg->params.detail_rc) == 0x1B) ++ ret = 0; ++ + if (ret) { + pr_devel("hcall failed: 0x%lx\n", ret); + goto out; +@@ -228,6 +242,7 @@ static int h_gpci_event_init(struct perf_event *event) + { + u64 count; + u8 length; ++ unsigned long ret; + + /* Not our event */ + if (event->attr.type != event->pmu->type) +@@ -258,13 +273,23 @@ static int h_gpci_event_init(struct perf_event *event) + } + + /* check if the request works... */ +- if (single_gpci_request(event_get_request(event), ++ ret = single_gpci_request(event_get_request(event), + event_get_starting_index(event), + event_get_secondary_index(event), + event_get_counter_info_version(event), + event_get_offset(event), + length, +- &count)) { ++ &count); ++ ++ /* ++ * ret value as H_AUTHORITY implies that partition is not permitted to retrieve ++ * performance information, and required to set ++ * "Enable Performance Information Collection" option. ++ */ ++ if (ret == H_AUTHORITY) ++ return -EPERM; ++ ++ if (ret) { + pr_devel("gpci hcall failed\n"); + return -EINVAL; + } +-- +2.43.0 + diff --git a/queue-5.10/printk-add-panic_in_progress-helper.patch b/queue-5.10/printk-add-panic_in_progress-helper.patch new file mode 100644 index 00000000000..2dc4500a6d2 --- /dev/null +++ b/queue-5.10/printk-add-panic_in_progress-helper.patch 
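Review bot: In single_gpci_request() the new check compares `detail_rc` with the bare literal `0x1B`, which only the comment above ties to GEN_BUF_TOO_SMALL; a named constant would make the comparison self-describing, e.g. `#define HGPCI_DETAIL_RC_BUF_TOO_SMALL 0x1B` and `be32_to_cpu(arg->params.detail_rc) == HGPCI_DETAIL_RC_BUF_TOO_SMALL` (the name is a suggestion, use the header's existing one if there is one). The more important question is that `ret = 0` now lets the function read from a buffer the hypervisor only partially filled. The comment argues that the first entry is enough, but the code that copies `length` bytes at `offset` is outside the hunk, so it is worth confirming that `offset + length` always falls inside the part that was actually returned. The `-EPERM` mapping for H_AUTHORITY in h_gpci_event_init() looks fine.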
@@ -0,0 +1,46 @@ +From 39a193250eef2ead8b1eff317ba76941c2188c82 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Feb 2022 09:18:18 -0800 +Subject: printk: Add panic_in_progress helper + +From: Stephen Brennan + +[ Upstream commit 77498617857f68496b360081dde1a492d40c28b2 ] + +This will be used help avoid deadlocks during panics. Although it would +be better to include this in linux/panic.h, it would require that header +to include linux/atomic.h as well. On some architectures, this results +in a circular dependency as well. So instead add the helper directly to +printk.c. + +Suggested-by: Petr Mladek +Signed-off-by: Stephen Brennan +Reviewed-by: Petr Mladek +Reviewed-by: Sergey Senozhatsky +Signed-off-by: Petr Mladek +Link: https://lore.kernel.org/r/20220202171821.179394-2-stephen.s.brennan@oracle.com +Stable-dep-of: d04d5882cd67 ("printk: Disable passing console lock owner completely during panic()") +Signed-off-by: Sasha Levin +--- + kernel/printk/printk.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c +index 17a310dcb6d96..94af80b7fa9b5 100644 +--- a/kernel/printk/printk.c ++++ b/kernel/printk/printk.c +@@ -258,6 +258,11 @@ static void __up_console_sem(unsigned long ip) + } + #define up_console_sem() __up_console_sem(_RET_IP_) + ++static bool panic_in_progress(void) ++{ ++ return unlikely(atomic_read(&panic_cpu) != PANIC_CPU_INVALID); ++} ++ + /* + * This is used for debugging the mess that is the VT code by + * keeping track if we have the console semaphore held. It's +-- +2.43.0 + diff --git a/queue-5.10/printk-disable-passing-console-lock-owner-completely.patch b/queue-5.10/printk-disable-passing-console-lock-owner-completely.patch new file mode 100644 index 00000000000..65f54fd5811 --- /dev/null +++ b/queue-5.10/printk-disable-passing-console-lock-owner-completely.patch 
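Review bot: panic_in_progress() is added without a comment, and its result is easy to misread. The test `atomic_read(&panic_cpu) != PANIC_CPU_INVALID` is true on every CPU once panic_cpu is set, including the panicking CPU itself, and it is a lockless snapshot that can change immediately after the call returns. I would document that on the helper: `/* True once any CPU has entered panic(); lockless, and also true on the panic CPU itself. */`. Callers that need "some other CPU is panicking" have to compare against their own CPU id separately.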
@@ -0,0 +1,116 @@ +From b8b3bf167cb2439f091179cd6054ab6927273a56 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Feb 2024 14:47:00 +0106 +Subject: printk: Disable passing console lock owner completely during panic() + +From: Petr Mladek + +[ Upstream commit d04d5882cd678b898a9d7c5aee6afbe9e6e77fcd ] + +The commit d51507098ff91 ("printk: disable optimistic spin +during panic") added checks to avoid becoming a console waiter +if a panic is in progress. + +However, the transition to panic can occur while there is +already a waiter. The current owner should not pass the lock to +the waiter because it might get stopped or blocked anytime. + +Also the panic context might pass the console lock owner to an +already stopped waiter by mistake. It might happen when +console_flush_on_panic() ignores the current lock owner, for +example: + +CPU0 CPU1 +---- ---- +console_lock_spinning_enable() + console_trylock_spinning() + [CPU1 now console waiter] +NMI: panic() + panic_other_cpus_shutdown() + [stopped as console waiter] + console_flush_on_panic() + console_lock_spinning_enable() + [print 1 record] + console_lock_spinning_disable_and_check() + [handover to stopped CPU1] + +This results in panic() not flushing the panic messages. + +Fix these problems by disabling all spinning operations +completely during panic(). + +Another advantage is that it prevents possible deadlocks caused +by "console_owner_lock". The panic() context does not need to +take it any longer. The lockless checks are safe because the +functions become NOPs when they see the panic in progress. All +operations manipulating the state are still synchronized by the +lock even when non-panic CPUs would notice the panic +synchronously. + +The current owner might stay spinning. But non-panic() CPUs +would get stopped anyway and the panic context will never start +spinning. 
+ +Fixes: dbdda842fe96 ("printk: Add console owner and waiter logic to load balance console writes") +Signed-off-by: John Ogness +Link: https://lore.kernel.org/r/20240207134103.1357162-12-john.ogness@linutronix.de +Signed-off-by: Petr Mladek +Signed-off-by: Sasha Levin +--- + kernel/printk/printk.c | 29 +++++++++++++++++++++++++++++ + 1 file changed, 29 insertions(+) + +diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c +index 94af80b7fa9b5..d109411f108f9 100644 +--- a/kernel/printk/printk.c ++++ b/kernel/printk/printk.c +@@ -1760,10 +1760,23 @@ static bool console_waiter; + */ + static void console_lock_spinning_enable(void) + { ++ /* ++ * Do not use spinning in panic(). The panic CPU wants to keep the lock. ++ * Non-panic CPUs abandon the flush anyway. ++ * ++ * Just keep the lockdep annotation. The panic-CPU should avoid ++ * taking console_owner_lock because it might cause a deadlock. ++ * This looks like the easiest way how to prevent false lockdep ++ * reports without handling races a lockless way. ++ */ ++ if (panic_in_progress()) ++ goto lockdep; ++ + raw_spin_lock(&console_owner_lock); + console_owner = current; + raw_spin_unlock(&console_owner_lock); + ++lockdep: + /* The waiter may spin on us after setting console_owner */ + spin_acquire(&console_owner_dep_map, 0, 0, _THIS_IP_); + } +@@ -1787,6 +1800,22 @@ static int console_lock_spinning_disable_and_check(void) + { + int waiter; + ++ /* ++ * Ignore spinning waiters during panic() because they might get stopped ++ * or blocked at any time, ++ * ++ * It is safe because nobody is allowed to start spinning during panic ++ * in the first place. If there has been a waiter then non panic CPUs ++ * might stay spinning. They would get stopped anyway. The panic context ++ * will never start spinning and an interrupted spin on panic CPU will ++ * never continue. ++ */ ++ if (panic_in_progress()) { ++ /* Keep lockdep happy. 
*/ ++ spin_release(&console_owner_dep_map, _THIS_IP_); ++ return 0; ++ } ++ + raw_spin_lock(&console_owner_lock); + waiter = READ_ONCE(console_waiter); + console_owner = NULL; +-- +2.43.0 + diff --git a/queue-5.10/quota-fix-potential-null-pointer-dereference.patch b/queue-5.10/quota-fix-potential-null-pointer-dereference.patch new file mode 100644 index 00000000000..4fcbd2e9b52 --- /dev/null +++ b/queue-5.10/quota-fix-potential-null-pointer-dereference.patch 
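Review bot: The early return in console_lock_spinning_disable_and_check() leaves `console_owner` and `console_waiter` exactly as they were when the panic started, so an owner set by console_lock_spinning_enable() just before the panic is never cleared. The commit message explains why that is acceptable, but the new comment does not mention the stale state; I would add a sentence such as `* console_owner and console_waiter are intentionally left untouched here.` so nobody later relies on them being reset. This is safe only as long as the waiter side also refuses to spin during panic, which the message attributes to an earlier commit and which is not visible in this hunk. Minor: "blocked at any time," in the same comment ends with a comma where a full stop is meant.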
@@ -0,0 +1,278 @@ +From 6330fb3e1b8393949c3a3a5d4d87070c81fe8d51 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Feb 2024 16:18:52 +0800 +Subject: quota: Fix potential NULL pointer dereference + +From: Wang Jianjian + +[ Upstream commit d0aa72604fbd80c8aabb46eda00535ed35570f1f ] + +Below race may cause NULL pointer dereference + +P1 P2 +dquot_free_inode quota_off + drop_dquot_ref + remove_dquot_ref + dquots = i_dquot(inode) + dquots = i_dquot(inode) + srcu_read_lock + dquots[cnt]) != NULL (1) + dquots[type] = NULL (2) + spin_lock(&dquots[cnt]->dq_dqb_lock) (3) + .... + +If dquot_free_inode(or other routines) checks inode's quota pointers (1) +before quota_off sets it to NULL(2) and use it (3) after that, NULL pointer +dereference will be triggered. + +So let's fix it by using a temporary pointer to avoid this issue. + +Signed-off-by: Wang Jianjian +Signed-off-by: Jan Kara +Message-Id: <20240202081852.2514092-1-wangjianjian3@huawei.com> +Stable-dep-of: 179b8c97ebf6 ("quota: Fix rcu annotations of inode dquot pointers") +Signed-off-by: Sasha Levin +--- + fs/quota/dquot.c | 98 ++++++++++++++++++++++++++++-------------------- + 1 file changed, 57 insertions(+), 41 deletions(-) + +diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c +index 77578332e35ae..3f19ef2cc186d 100644 +--- a/fs/quota/dquot.c ++++ b/fs/quota/dquot.c +@@ -401,15 +401,17 @@ int dquot_mark_dquot_dirty(struct dquot *dquot) + EXPORT_SYMBOL(dquot_mark_dquot_dirty); + + /* Dirtify all the dquots - this can block when journalling */ +-static inline int mark_all_dquot_dirty(struct dquot * const *dquot) ++static inline int mark_all_dquot_dirty(struct dquot * const *dquots) + { + int ret, err, cnt; ++ struct dquot *dquot; + + ret = err = 0; + for (cnt = 0; cnt < MAXQUOTAS; cnt++) { +- if (dquot[cnt]) ++ dquot = srcu_dereference(dquots[cnt], &dquot_srcu); ++ if (dquot) + /* Even in case of error we have to continue */ +- ret = mark_dquot_dirty(dquot[cnt]); ++ ret = mark_dquot_dirty(dquot); + if (!err) + 
err = ret; + } +@@ -1686,6 +1688,7 @@ int __dquot_alloc_space(struct inode *inode, qsize_t number, int flags) + struct dquot_warn warn[MAXQUOTAS]; + int reserve = flags & DQUOT_SPACE_RESERVE; + struct dquot **dquots; ++ struct dquot *dquot; + + if (!inode_quota_active(inode)) { + if (reserve) { +@@ -1705,27 +1708,26 @@ int __dquot_alloc_space(struct inode *inode, qsize_t number, int flags) + index = srcu_read_lock(&dquot_srcu); + spin_lock(&inode->i_lock); + for (cnt = 0; cnt < MAXQUOTAS; cnt++) { +- if (!dquots[cnt]) ++ dquot = srcu_dereference(dquots[cnt], &dquot_srcu); ++ if (!dquot) + continue; + if (reserve) { +- ret = dquot_add_space(dquots[cnt], 0, number, flags, +- &warn[cnt]); ++ ret = dquot_add_space(dquot, 0, number, flags, &warn[cnt]); + } else { +- ret = dquot_add_space(dquots[cnt], number, 0, flags, +- &warn[cnt]); ++ ret = dquot_add_space(dquot, number, 0, flags, &warn[cnt]); + } + if (ret) { + /* Back out changes we already did */ + for (cnt--; cnt >= 0; cnt--) { +- if (!dquots[cnt]) ++ dquot = srcu_dereference(dquots[cnt], &dquot_srcu); ++ if (!dquot) + continue; +- spin_lock(&dquots[cnt]->dq_dqb_lock); ++ spin_lock(&dquot->dq_dqb_lock); + if (reserve) +- dquot_free_reserved_space(dquots[cnt], +- number); ++ dquot_free_reserved_space(dquot, number); + else +- dquot_decr_space(dquots[cnt], number); +- spin_unlock(&dquots[cnt]->dq_dqb_lock); ++ dquot_decr_space(dquot, number); ++ spin_unlock(&dquot->dq_dqb_lock); + } + spin_unlock(&inode->i_lock); + goto out_flush_warn; +@@ -1756,6 +1758,7 @@ int dquot_alloc_inode(struct inode *inode) + int cnt, ret = 0, index; + struct dquot_warn warn[MAXQUOTAS]; + struct dquot * const *dquots; ++ struct dquot *dquot; + + if (!inode_quota_active(inode)) + return 0; +@@ -1766,17 +1769,19 @@ int dquot_alloc_inode(struct inode *inode) + index = srcu_read_lock(&dquot_srcu); + spin_lock(&inode->i_lock); + for (cnt = 0; cnt < MAXQUOTAS; cnt++) { +- if (!dquots[cnt]) ++ dquot = srcu_dereference(dquots[cnt], &dquot_srcu); 
++ if (!dquot) + continue; +- ret = dquot_add_inodes(dquots[cnt], 1, &warn[cnt]); ++ ret = dquot_add_inodes(dquot, 1, &warn[cnt]); + if (ret) { + for (cnt--; cnt >= 0; cnt--) { +- if (!dquots[cnt]) ++ dquot = srcu_dereference(dquots[cnt], &dquot_srcu); ++ if (!dquot) + continue; + /* Back out changes we already did */ +- spin_lock(&dquots[cnt]->dq_dqb_lock); +- dquot_decr_inodes(dquots[cnt], 1); +- spin_unlock(&dquots[cnt]->dq_dqb_lock); ++ spin_lock(&dquot->dq_dqb_lock); ++ dquot_decr_inodes(dquot, 1); ++ spin_unlock(&dquot->dq_dqb_lock); + } + goto warn_put_all; + } +@@ -1798,6 +1803,7 @@ EXPORT_SYMBOL(dquot_alloc_inode); + int dquot_claim_space_nodirty(struct inode *inode, qsize_t number) + { + struct dquot **dquots; ++ struct dquot *dquot; + int cnt, index; + + if (!inode_quota_active(inode)) { +@@ -1813,9 +1819,8 @@ int dquot_claim_space_nodirty(struct inode *inode, qsize_t number) + spin_lock(&inode->i_lock); + /* Claim reserved quotas to allocated quotas */ + for (cnt = 0; cnt < MAXQUOTAS; cnt++) { +- if (dquots[cnt]) { +- struct dquot *dquot = dquots[cnt]; +- ++ dquot = srcu_dereference(dquots[cnt], &dquot_srcu); ++ if (dquot) { + spin_lock(&dquot->dq_dqb_lock); + if (WARN_ON_ONCE(dquot->dq_dqb.dqb_rsvspace < number)) + number = dquot->dq_dqb.dqb_rsvspace; +@@ -1840,6 +1845,7 @@ EXPORT_SYMBOL(dquot_claim_space_nodirty); + void dquot_reclaim_space_nodirty(struct inode *inode, qsize_t number) + { + struct dquot **dquots; ++ struct dquot *dquot; + int cnt, index; + + if (!inode_quota_active(inode)) { +@@ -1855,9 +1861,8 @@ void dquot_reclaim_space_nodirty(struct inode *inode, qsize_t number) + spin_lock(&inode->i_lock); + /* Claim reserved quotas to allocated quotas */ + for (cnt = 0; cnt < MAXQUOTAS; cnt++) { +- if (dquots[cnt]) { +- struct dquot *dquot = dquots[cnt]; +- ++ dquot = srcu_dereference(dquots[cnt], &dquot_srcu); ++ if (dquot) { + spin_lock(&dquot->dq_dqb_lock); + if (WARN_ON_ONCE(dquot->dq_dqb.dqb_curspace < number)) + number = 
dquot->dq_dqb.dqb_curspace; +@@ -1884,6 +1889,7 @@ void __dquot_free_space(struct inode *inode, qsize_t number, int flags) + unsigned int cnt; + struct dquot_warn warn[MAXQUOTAS]; + struct dquot **dquots; ++ struct dquot *dquot; + int reserve = flags & DQUOT_SPACE_RESERVE, index; + + if (!inode_quota_active(inode)) { +@@ -1904,17 +1910,18 @@ void __dquot_free_space(struct inode *inode, qsize_t number, int flags) + int wtype; + + warn[cnt].w_type = QUOTA_NL_NOWARN; +- if (!dquots[cnt]) ++ dquot = srcu_dereference(dquots[cnt], &dquot_srcu); ++ if (!dquot) + continue; +- spin_lock(&dquots[cnt]->dq_dqb_lock); +- wtype = info_bdq_free(dquots[cnt], number); ++ spin_lock(&dquot->dq_dqb_lock); ++ wtype = info_bdq_free(dquot, number); + if (wtype != QUOTA_NL_NOWARN) +- prepare_warning(&warn[cnt], dquots[cnt], wtype); ++ prepare_warning(&warn[cnt], dquot, wtype); + if (reserve) +- dquot_free_reserved_space(dquots[cnt], number); ++ dquot_free_reserved_space(dquot, number); + else +- dquot_decr_space(dquots[cnt], number); +- spin_unlock(&dquots[cnt]->dq_dqb_lock); ++ dquot_decr_space(dquot, number); ++ spin_unlock(&dquot->dq_dqb_lock); + } + if (reserve) + *inode_reserved_space(inode) -= number; +@@ -1939,6 +1946,7 @@ void dquot_free_inode(struct inode *inode) + unsigned int cnt; + struct dquot_warn warn[MAXQUOTAS]; + struct dquot * const *dquots; ++ struct dquot *dquot; + int index; + + if (!inode_quota_active(inode)) +@@ -1949,16 +1957,16 @@ void dquot_free_inode(struct inode *inode) + spin_lock(&inode->i_lock); + for (cnt = 0; cnt < MAXQUOTAS; cnt++) { + int wtype; +- + warn[cnt].w_type = QUOTA_NL_NOWARN; +- if (!dquots[cnt]) ++ dquot = srcu_dereference(dquots[cnt], &dquot_srcu); ++ if (!dquot) + continue; +- spin_lock(&dquots[cnt]->dq_dqb_lock); +- wtype = info_idq_free(dquots[cnt], 1); ++ spin_lock(&dquot->dq_dqb_lock); ++ wtype = info_idq_free(dquot, 1); + if (wtype != QUOTA_NL_NOWARN) +- prepare_warning(&warn[cnt], dquots[cnt], wtype); +- dquot_decr_inodes(dquots[cnt], 
1); +- spin_unlock(&dquots[cnt]->dq_dqb_lock); ++ prepare_warning(&warn[cnt], dquot, wtype); ++ dquot_decr_inodes(dquot, 1); ++ spin_unlock(&dquot->dq_dqb_lock); + } + spin_unlock(&inode->i_lock); + mark_all_dquot_dirty(dquots); +@@ -1985,7 +1993,7 @@ int __dquot_transfer(struct inode *inode, struct dquot **transfer_to) + qsize_t rsv_space = 0; + qsize_t inode_usage = 1; + struct dquot *transfer_from[MAXQUOTAS] = {}; +- int cnt, ret = 0; ++ int cnt, index, ret = 0; + char is_valid[MAXQUOTAS] = {}; + struct dquot_warn warn_to[MAXQUOTAS]; + struct dquot_warn warn_from_inodes[MAXQUOTAS]; +@@ -2074,8 +2082,16 @@ int __dquot_transfer(struct inode *inode, struct dquot **transfer_to) + spin_unlock(&inode->i_lock); + spin_unlock(&dq_data_lock); + ++ /* ++ * These arrays are local and we hold dquot references so we don't need ++ * the srcu protection but still take dquot_srcu to avoid warning in ++ * mark_all_dquot_dirty(). ++ */ ++ index = srcu_read_lock(&dquot_srcu); + mark_all_dquot_dirty(transfer_from); + mark_all_dquot_dirty(transfer_to); ++ srcu_read_unlock(&dquot_srcu, index); ++ + flush_warnings(warn_to); + flush_warnings(warn_from_inodes); + flush_warnings(warn_from_space); +-- +2.43.0 + diff --git a/queue-5.10/quota-fix-rcu-annotations-of-inode-dquot-pointers.patch b/queue-5.10/quota-fix-rcu-annotations-of-inode-dquot-pointers.patch new file mode 100644 index 00000000000..69d092ea1db --- /dev/null +++ b/queue-5.10/quota-fix-rcu-annotations-of-inode-dquot-pointers.patch 
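Review bot: The back-out loops in __dquot_alloc_space() and dquot_alloc_inode() read `dquots[cnt]` a second time with srcu_dereference(), so they can see NULL for an entry that was non-NULL, and was charged, in the forward loop. If quota_off clears the slot in between (the race described in the commit message), the rollback skips that dquot and its usage is never decremented. Remembering the pointer used for the charge avoids the second read: declare `struct dquot *charged[MAXQUOTAS] = {};`, set `charged[cnt] = dquot;` right after the NULL check in the forward loop, and use `dquot = charged[cnt];` in the back-out loop. This assumes the dquot object stays valid for the whole SRCU read section, which is what the patch already relies on. Both functions extend beyond the hunk, so the unlock and warning paths were not reviewed.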
@@ -0,0 +1,253 @@ +From 72289a260921786a28b1060c522a6b213b0fd890 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Feb 2024 15:32:09 +0100 +Subject: quota: Fix rcu annotations of inode dquot pointers + +From: Jan Kara + +[ Upstream commit 179b8c97ebf63429589f5afeba59a181fe70603e ] + +Dquot pointers in i_dquot array in the inode are protected by +dquot_srcu. Annotate the array pointers with __rcu, perform the locked +dereferences with srcu_dereference_check() instead of plain reads, and +set the array elements with rcu_assign_pointer(). + +Fixes: b9ba6f94b238 ("quota: remove dqptr_sem") +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202402061900.rTuYDlo6-lkp@intel.com/ +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/quota/dquot.c | 66 ++++++++++++++++++++++++++++-------------------- + 1 file changed, 39 insertions(+), 27 deletions(-) + +diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c +index 3f19ef2cc186d..6a7b7d44753a3 100644 +--- a/fs/quota/dquot.c ++++ b/fs/quota/dquot.c +@@ -401,7 +401,7 @@ int dquot_mark_dquot_dirty(struct dquot *dquot) + EXPORT_SYMBOL(dquot_mark_dquot_dirty); + + /* Dirtify all the dquots - this can block when journalling */ +-static inline int mark_all_dquot_dirty(struct dquot * const *dquots) ++static inline int mark_all_dquot_dirty(struct dquot __rcu * const *dquots) + { + int ret, err, cnt; + struct dquot *dquot; +@@ -1008,14 +1008,15 @@ struct dquot *dqget(struct super_block *sb, struct kqid qid) + } + EXPORT_SYMBOL(dqget); + +-static inline struct dquot **i_dquot(struct inode *inode) ++static inline struct dquot __rcu **i_dquot(struct inode *inode) + { +- return inode->i_sb->s_op->get_dquots(inode); ++ /* Force __rcu for now until filesystems are fixed */ ++ return (struct dquot __rcu **)inode->i_sb->s_op->get_dquots(inode); + } + + static int dqinit_needed(struct inode *inode, int type) + { +- struct dquot * const *dquots; ++ struct dquot __rcu * const *dquots; + int cnt; + + if 
(IS_NOQUOTA(inode)) +@@ -1105,14 +1106,16 @@ static void remove_dquot_ref(struct super_block *sb, int type) + */ + spin_lock(&dq_data_lock); + if (!IS_NOQUOTA(inode)) { +- struct dquot **dquots = i_dquot(inode); +- struct dquot *dquot = dquots[type]; ++ struct dquot __rcu **dquots = i_dquot(inode); ++ struct dquot *dquot = srcu_dereference_check( ++ dquots[type], &dquot_srcu, ++ lockdep_is_held(&dq_data_lock)); + + #ifdef CONFIG_QUOTA_DEBUG + if (unlikely(inode_get_rsv_space(inode) > 0)) + reserved = 1; + #endif +- dquots[type] = NULL; ++ rcu_assign_pointer(dquots[type], NULL); + if (dquot) + dqput(dquot); + } +@@ -1465,7 +1468,8 @@ static int inode_quota_active(const struct inode *inode) + static int __dquot_initialize(struct inode *inode, int type) + { + int cnt, init_needed = 0; +- struct dquot **dquots, *got[MAXQUOTAS] = {}; ++ struct dquot __rcu **dquots; ++ struct dquot *got[MAXQUOTAS] = {}; + struct super_block *sb = inode->i_sb; + qsize_t rsv; + int ret = 0; +@@ -1540,7 +1544,7 @@ static int __dquot_initialize(struct inode *inode, int type) + if (!got[cnt]) + continue; + if (!dquots[cnt]) { +- dquots[cnt] = got[cnt]; ++ rcu_assign_pointer(dquots[cnt], got[cnt]); + got[cnt] = NULL; + /* + * Make quota reservation system happy if someone +@@ -1548,12 +1552,16 @@ static int __dquot_initialize(struct inode *inode, int type) + */ + rsv = inode_get_rsv_space(inode); + if (unlikely(rsv)) { ++ struct dquot *dquot = srcu_dereference_check( ++ dquots[cnt], &dquot_srcu, ++ lockdep_is_held(&dq_data_lock)); ++ + spin_lock(&inode->i_lock); + /* Get reservation again under proper lock */ + rsv = __inode_get_rsv_space(inode); +- spin_lock(&dquots[cnt]->dq_dqb_lock); +- dquots[cnt]->dq_dqb.dqb_rsvspace += rsv; +- spin_unlock(&dquots[cnt]->dq_dqb_lock); ++ spin_lock(&dquot->dq_dqb_lock); ++ dquot->dq_dqb.dqb_rsvspace += rsv; ++ spin_unlock(&dquot->dq_dqb_lock); + spin_unlock(&inode->i_lock); + } + } +@@ -1575,7 +1583,7 @@ EXPORT_SYMBOL(dquot_initialize); + + bool 
dquot_initialize_needed(struct inode *inode) + { +- struct dquot **dquots; ++ struct dquot __rcu **dquots; + int i; + + if (!inode_quota_active(inode)) +@@ -1600,13 +1608,14 @@ EXPORT_SYMBOL(dquot_initialize_needed); + static void __dquot_drop(struct inode *inode) + { + int cnt; +- struct dquot **dquots = i_dquot(inode); ++ struct dquot __rcu **dquots = i_dquot(inode); + struct dquot *put[MAXQUOTAS]; + + spin_lock(&dq_data_lock); + for (cnt = 0; cnt < MAXQUOTAS; cnt++) { +- put[cnt] = dquots[cnt]; +- dquots[cnt] = NULL; ++ put[cnt] = srcu_dereference_check(dquots[cnt], &dquot_srcu, ++ lockdep_is_held(&dq_data_lock)); ++ rcu_assign_pointer(dquots[cnt], NULL); + } + spin_unlock(&dq_data_lock); + dqput_all(put); +@@ -1614,7 +1623,7 @@ static void __dquot_drop(struct inode *inode) + + void dquot_drop(struct inode *inode) + { +- struct dquot * const *dquots; ++ struct dquot __rcu * const *dquots; + int cnt; + + if (IS_NOQUOTA(inode)) +@@ -1687,7 +1696,7 @@ int __dquot_alloc_space(struct inode *inode, qsize_t number, int flags) + int cnt, ret = 0, index; + struct dquot_warn warn[MAXQUOTAS]; + int reserve = flags & DQUOT_SPACE_RESERVE; +- struct dquot **dquots; ++ struct dquot __rcu **dquots; + struct dquot *dquot; + + if (!inode_quota_active(inode)) { +@@ -1757,7 +1766,7 @@ int dquot_alloc_inode(struct inode *inode) + { + int cnt, ret = 0, index; + struct dquot_warn warn[MAXQUOTAS]; +- struct dquot * const *dquots; ++ struct dquot __rcu * const *dquots; + struct dquot *dquot; + + if (!inode_quota_active(inode)) +@@ -1802,7 +1811,7 @@ EXPORT_SYMBOL(dquot_alloc_inode); + */ + int dquot_claim_space_nodirty(struct inode *inode, qsize_t number) + { +- struct dquot **dquots; ++ struct dquot __rcu **dquots; + struct dquot *dquot; + int cnt, index; + +@@ -1844,7 +1853,7 @@ EXPORT_SYMBOL(dquot_claim_space_nodirty); + */ + void dquot_reclaim_space_nodirty(struct inode *inode, qsize_t number) + { +- struct dquot **dquots; ++ struct dquot __rcu **dquots; + struct dquot *dquot; + int 
cnt, index; + +@@ -1888,7 +1897,7 @@ void __dquot_free_space(struct inode *inode, qsize_t number, int flags) + { + unsigned int cnt; + struct dquot_warn warn[MAXQUOTAS]; +- struct dquot **dquots; ++ struct dquot __rcu **dquots; + struct dquot *dquot; + int reserve = flags & DQUOT_SPACE_RESERVE, index; + +@@ -1945,7 +1954,7 @@ void dquot_free_inode(struct inode *inode) + { + unsigned int cnt; + struct dquot_warn warn[MAXQUOTAS]; +- struct dquot * const *dquots; ++ struct dquot __rcu * const *dquots; + struct dquot *dquot; + int index; + +@@ -1992,6 +2001,7 @@ int __dquot_transfer(struct inode *inode, struct dquot **transfer_to) + qsize_t cur_space; + qsize_t rsv_space = 0; + qsize_t inode_usage = 1; ++ struct dquot __rcu **dquots; + struct dquot *transfer_from[MAXQUOTAS] = {}; + int cnt, index, ret = 0; + char is_valid[MAXQUOTAS] = {}; +@@ -2024,6 +2034,7 @@ int __dquot_transfer(struct inode *inode, struct dquot **transfer_to) + } + cur_space = __inode_get_bytes(inode); + rsv_space = __inode_get_rsv_space(inode); ++ dquots = i_dquot(inode); + /* + * Build the transfer_from list, check limits, and update usage in + * the target structures. 
+@@ -2038,7 +2049,8 @@ int __dquot_transfer(struct inode *inode, struct dquot **transfer_to) + if (!sb_has_quota_active(inode->i_sb, cnt)) + continue; + is_valid[cnt] = 1; +- transfer_from[cnt] = i_dquot(inode)[cnt]; ++ transfer_from[cnt] = srcu_dereference_check(dquots[cnt], ++ &dquot_srcu, lockdep_is_held(&dq_data_lock)); + ret = dquot_add_inodes(transfer_to[cnt], inode_usage, + &warn_to[cnt]); + if (ret) +@@ -2077,7 +2089,7 @@ int __dquot_transfer(struct inode *inode, struct dquot **transfer_to) + rsv_space); + spin_unlock(&transfer_from[cnt]->dq_dqb_lock); + } +- i_dquot(inode)[cnt] = transfer_to[cnt]; ++ rcu_assign_pointer(dquots[cnt], transfer_to[cnt]); + } + spin_unlock(&inode->i_lock); + spin_unlock(&dq_data_lock); +@@ -2088,8 +2100,8 @@ int __dquot_transfer(struct inode *inode, struct dquot **transfer_to) + * mark_all_dquot_dirty(). + */ + index = srcu_read_lock(&dquot_srcu); +- mark_all_dquot_dirty(transfer_from); +- mark_all_dquot_dirty(transfer_to); ++ mark_all_dquot_dirty((struct dquot __rcu **)transfer_from); ++ mark_all_dquot_dirty((struct dquot __rcu **)transfer_to); + srcu_read_unlock(&dquot_srcu, index); + + flush_warnings(warn_to); +-- +2.43.0 + diff --git a/queue-5.10/quota-simplify-drop_dquot_ref.patch b/queue-5.10/quota-simplify-drop_dquot_ref.patch new file mode 100644 index 00000000000..15da15c99c3 --- /dev/null +++ b/queue-5.10/quota-simplify-drop_dquot_ref.patch 
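Review bot: In __dquot_initialize() the context line `if (!dquots[cnt]) {` still reads the now `__rcu`-annotated slot directly, while the lines around it were converted to rcu_assign_pointer() and srcu_dereference_check(). A NULL test that never dereferences is normally written `if (!rcu_access_pointer(dquots[cnt])) {`, which keeps the annotation consistent and documents that only the value is inspected. The same may apply to dqinit_needed(), dquot_initialize_needed() and dquot_drop(), whose declarations change to `__rcu` here but whose bodies are outside the hunk. Separately, the forced casts in i_dquot() and on `transfer_from`/`transfer_to` silence the checker rather than prove the access; the i_dquot() one carries a comment, and the two in __dquot_transfer() rely on the existing comment above srcu_read_lock() staying accurate.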
@@ -0,0 +1,132 @@ +From fbc03900e2e3802925fff2338c1eb745426208e4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Jun 2023 19:08:22 +0800 +Subject: quota: simplify drop_dquot_ref() + +From: Baokun Li + +[ Upstream commit 7bce48f0fec602b3b6c335963b26d9eefa417788 ] + +As Honza said, remove_inode_dquot_ref() currently does not release the +last dquot reference but instead adds the dquot to tofree_head list. This +is because dqput() can sleep while dropping of the last dquot reference +(writing back the dquot and calling ->release_dquot()) and that must not +happen under dq_list_lock. Now that dqput() queues the final dquot cleanup +into a workqueue, remove_inode_dquot_ref() can call dqput() unconditionally +and we can significantly simplify it. + +Here we open code the simplified code of remove_inode_dquot_ref() into +remove_dquot_ref() and remove the function put_dquot_list() which is no +longer used. + +Signed-off-by: Baokun Li +Signed-off-by: Jan Kara +Message-Id: <20230630110822.3881712-6-libaokun1@huawei.com> +Stable-dep-of: 179b8c97ebf6 ("quota: Fix rcu annotations of inode dquot pointers") +Signed-off-by: Sasha Levin +--- + fs/quota/dquot.c | 70 +++++++----------------------------------------- + 1 file changed, 9 insertions(+), 61 deletions(-) + +diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c +index 4bb4b4b79827a..77578332e35ae 100644 +--- a/fs/quota/dquot.c ++++ b/fs/quota/dquot.c +@@ -1086,59 +1086,7 @@ static int add_dquot_ref(struct super_block *sb, int type) + return err; + } + +-/* +- * Remove references to dquots from inode and add dquot to list for freeing +- * if we have the last reference to dquot +- */ +-static void remove_inode_dquot_ref(struct inode *inode, int type, +- struct list_head *tofree_head) +-{ +- struct dquot **dquots = i_dquot(inode); +- struct dquot *dquot = dquots[type]; +- +- if (!dquot) +- return; +- +- dquots[type] = NULL; +- if (list_empty(&dquot->dq_free)) { +- /* +- * The inode still has reference to dquot so it 
can't be in the +- * free list +- */ +- spin_lock(&dq_list_lock); +- list_add(&dquot->dq_free, tofree_head); +- spin_unlock(&dq_list_lock); +- } else { +- /* +- * Dquot is already in a list to put so we won't drop the last +- * reference here. +- */ +- dqput(dquot); +- } +-} +- +-/* +- * Free list of dquots +- * Dquots are removed from inodes and no new references can be got so we are +- * the only ones holding reference +- */ +-static void put_dquot_list(struct list_head *tofree_head) +-{ +- struct list_head *act_head; +- struct dquot *dquot; +- +- act_head = tofree_head->next; +- while (act_head != tofree_head) { +- dquot = list_entry(act_head, struct dquot, dq_free); +- act_head = act_head->next; +- /* Remove dquot from the list so we won't have problems... */ +- list_del_init(&dquot->dq_free); +- dqput(dquot); +- } +-} +- +-static void remove_dquot_ref(struct super_block *sb, int type, +- struct list_head *tofree_head) ++static void remove_dquot_ref(struct super_block *sb, int type) + { + struct inode *inode; + #ifdef CONFIG_QUOTA_DEBUG +@@ -1155,11 +1103,16 @@ static void remove_dquot_ref(struct super_block *sb, int type, + */ + spin_lock(&dq_data_lock); + if (!IS_NOQUOTA(inode)) { ++ struct dquot **dquots = i_dquot(inode); ++ struct dquot *dquot = dquots[type]; ++ + #ifdef CONFIG_QUOTA_DEBUG + if (unlikely(inode_get_rsv_space(inode) > 0)) + reserved = 1; + #endif +- remove_inode_dquot_ref(inode, type, tofree_head); ++ dquots[type] = NULL; ++ if (dquot) ++ dqput(dquot); + } + spin_unlock(&dq_data_lock); + } +@@ -1176,13 +1129,8 @@ static void remove_dquot_ref(struct super_block *sb, int type, + /* Gather all references from inodes and drop them */ + static void drop_dquot_ref(struct super_block *sb, int type) + { +- LIST_HEAD(tofree_head); +- +- if (sb->dq_op) { +- remove_dquot_ref(sb, type, &tofree_head); +- synchronize_srcu(&dquot_srcu); +- put_dquot_list(&tofree_head); +- } ++ if (sb->dq_op) ++ remove_dquot_ref(sb, type); + } + + static inline +-- +2.43.0 + 
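Review bot: In `remove_dquot_ref()` the new `dqput(dquot)` call runs with `dq_data_lock` held, which is safe only if this tree's `dqput()` already defers the final release to a workqueue, as the description states. That prerequisite is not part of this patch, so it is worth confirming it sits earlier in the 5.10 queue. The patch also drops the `synchronize_srcu(&dquot_srcu)` that used to separate clearing the inode pointers from the final put in `drop_dquot_ref()`, so the deferred release appears to be what keeps SRCU readers away from a freed dquot. A comment at the call would record the dependency, e.g. `/* dqput() queues the last-reference cleanup, so it may be called under dq_data_lock */`.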
diff --git a/queue-5.10/rdma-device-fix-a-race-between-mad_client-and-cm_cli.patch b/queue-5.10/rdma-device-fix-a-race-between-mad_client-and-cm_cli.patch
new file mode 100644
index 00000000000..16cac25cc2d
--- /dev/null
+++ b/queue-5.10/rdma-device-fix-a-race-between-mad_client-and-cm_cli.patch
@@ -0,0 +1,133 @@ +From db9ba63ab679f4d5c4c73650fe5af0b04c81af52 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Feb 2024 19:53:13 -0800 +Subject: RDMA/device: Fix a race between mad_client and cm_client init + +From: Shifeng Li + +[ Upstream commit 7a8bccd8b29c321ac181369b42b04fecf05f98e2 ] + +The mad_client will be initialized in enable_device_and_get(), while the +devices_rwsem will be downgraded to a read semaphore. There is a window +that leads to the failed initialization for cm_client, since it can not +get matched mad port from ib_mad_port_list, and the matched mad port will +be added to the list after that. + + mad_client | cm_client +------------------|-------------------------------------------------------- +ib_register_device| +enable_device_and_get +down_write(&devices_rwsem) +xa_set_mark(&devices, DEVICE_REGISTERED) +downgrade_write(&devices_rwsem) + | + |ib_cm_init + |ib_register_client(&cm_client) + |down_read(&devices_rwsem) + |xa_for_each_marked (&devices, DEVICE_REGISTERED) + |add_client_context + |cm_add_one + |ib_register_mad_agent + |ib_get_mad_port + |__ib_get_mad_port + |list_for_each_entry(entry, &ib_mad_port_list, port_list) + |return NULL + |up_read(&devices_rwsem) + | +add_client_context| +ib_mad_init_device| +ib_mad_port_open | +list_add_tail(&port_priv->port_list, &ib_mad_port_list) +up_read(&devices_rwsem) + | + +Fix it by using down_write(&devices_rwsem) in ib_register_client(). 
+ +Fixes: d0899892edd0 ("RDMA/device: Provide APIs from the core code to help unregistration") +Link: https://lore.kernel.org/r/20240203035313.98991-1-lishifeng@sangfor.com.cn +Suggested-by: Jason Gunthorpe +Signed-off-by: Shifeng Li +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/device.c | 37 +++++++++++++++++++------------- + 1 file changed, 22 insertions(+), 15 deletions(-) + +diff --git a/drivers/infiniband/core/device.c b/drivers/infiniband/core/device.c +index 3c29fd04b3016..94c3bad72cc59 100644 +--- a/drivers/infiniband/core/device.c ++++ b/drivers/infiniband/core/device.c +@@ -1686,7 +1686,7 @@ static int assign_client_id(struct ib_client *client) + { + int ret; + +- down_write(&clients_rwsem); ++ lockdep_assert_held(&clients_rwsem); + /* + * The add/remove callbacks must be called in FIFO/LIFO order. To + * achieve this we assign client_ids so they are sorted in +@@ -1695,14 +1695,11 @@ static int assign_client_id(struct ib_client *client) + client->client_id = highest_client_id; + ret = xa_insert(&clients, client->client_id, client, GFP_KERNEL); + if (ret) +- goto out; ++ return ret; + + highest_client_id++; + xa_set_mark(&clients, client->client_id, CLIENT_REGISTERED); +- +-out: +- up_write(&clients_rwsem); +- return ret; ++ return 0; + } + + static void remove_client_id(struct ib_client *client) +@@ -1732,25 +1729,35 @@ int ib_register_client(struct ib_client *client) + { + struct ib_device *device; + unsigned long index; ++ bool need_unreg = false; + int ret; + + refcount_set(&client->uses, 1); + init_completion(&client->uses_zero); ++ ++ /* ++ * The devices_rwsem is held in write mode to ensure that a racing ++ * ib_register_device() sees a consisent view of clients and devices. 
++ */ ++ down_write(&devices_rwsem); ++ down_write(&clients_rwsem); + ret = assign_client_id(client); + if (ret) +- return ret; ++ goto out; + +- down_read(&devices_rwsem); ++ need_unreg = true; + xa_for_each_marked (&devices, index, device, DEVICE_REGISTERED) { + ret = add_client_context(device, client); +- if (ret) { +- up_read(&devices_rwsem); +- ib_unregister_client(client); +- return ret; +- } ++ if (ret) ++ goto out; + } +- up_read(&devices_rwsem); +- return 0; ++ ret = 0; ++out: ++ up_write(&clients_rwsem); ++ up_write(&devices_rwsem); ++ if (need_unreg && ret) ++ ib_unregister_client(client); ++ return ret; + } + EXPORT_SYMBOL(ib_register_client); + +-- +2.43.0 + diff --git a/queue-5.10/rdma-srpt-do-not-register-event-handler-until-srpt-d.patch b/queue-5.10/rdma-srpt-do-not-register-event-handler-until-srpt-d.patch new file mode 100644 index 00000000000..8acce826634 --- /dev/null +++ b/queue-5.10/rdma-srpt-do-not-register-event-handler-until-srpt-d.patch 
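Review bot: `assign_client_id()` now relies on its caller for locking, but `lockdep_assert_held(&clients_rwsem)` is also satisfied by a read hold. Since the function inserts into `clients` and bumps `highest_client_id`, `lockdep_assert_held_write(&clients_rwsem);` would state the actual requirement. In `ib_register_client()` the new comment has a typo (`consisent` for `consistent`). It could also say that `devices_rwsem` is taken before `clients_rwsem`, since that order is presumably what other paths must follow to avoid an ABBA deadlock. The `ret = 0;` before `out:` looks redundant, because `ret` is already zero on every path that reaches it.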
@@ -0,0 +1,61 @@ +From d8f78a572fbe9f10cd76187e261c0953e7a20d7d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Feb 2024 02:15:49 -0700 +Subject: RDMA/srpt: Do not register event handler until srpt device is fully + setup + +From: William Kucharski + +[ Upstream commit c21a8870c98611e8f892511825c9607f1e2cd456 ] + +Upon rare occasions, KASAN reports a use-after-free Write +in srpt_refresh_port(). + +This seems to be because an event handler is registered before the +srpt device is fully setup and a race condition upon error may leave a +partially setup event handler in place. + +Instead, only register the event handler after srpt device initialization +is complete. + +Fixes: a42d985bd5b2 ("ib_srpt: Initial SRP Target merge for v3.3-rc1") +Signed-off-by: William Kucharski +Link: https://lore.kernel.org/r/20240202091549.991784-2-william.kucharski@oracle.com +Reviewed-by: Bart Van Assche +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/ulp/srpt/ib_srpt.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/infiniband/ulp/srpt/ib_srpt.c b/drivers/infiniband/ulp/srpt/ib_srpt.c +index 41abf9cf11c67..960f870a952a5 100644 +--- a/drivers/infiniband/ulp/srpt/ib_srpt.c ++++ b/drivers/infiniband/ulp/srpt/ib_srpt.c +@@ -3205,7 +3205,6 @@ static int srpt_add_one(struct ib_device *device) + + INIT_IB_EVENT_HANDLER(&sdev->event_handler, sdev->device, + srpt_event_handler); +- ib_register_event_handler(&sdev->event_handler); + + for (i = 1; i <= sdev->device->phys_port_cnt; i++) { + sport = &sdev->port[i - 1]; +@@ -3228,6 +3227,7 @@ static int srpt_add_one(struct ib_device *device) + } + } + ++ ib_register_event_handler(&sdev->event_handler); + spin_lock(&srpt_dev_lock); + list_add_tail(&sdev->list, &srpt_dev_list); + spin_unlock(&srpt_dev_lock); +@@ -3238,7 +3238,6 @@ static int srpt_add_one(struct ib_device *device) + + err_port: + srpt_unregister_mad_agent(sdev, i); +- 
ib_unregister_event_handler(&sdev->event_handler); + err_cm: + if (sdev->cm_id) + ib_destroy_cm_id(sdev->cm_id); +-- +2.43.0 + diff --git a/queue-5.10/scsi-bfa-fix-function-pointer-type-mismatch-for-hcb_.patch b/queue-5.10/scsi-bfa-fix-function-pointer-type-mismatch-for-hcb_.patch new file mode 100644 index 00000000000..8c7943bf9ed --- /dev/null +++ b/queue-5.10/scsi-bfa-fix-function-pointer-type-mismatch-for-hcb_.patch 
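Review bot: The reason `ib_register_event_handler()` must come after the port loop in `srpt_add_one()` is not recorded in the code, so a later cleanup could move it back next to `INIT_IB_EVENT_HANDLER()`. A comment on the relocated call would preserve the ordering, for example `/* Register last: the handler may run at once and must only see fully initialised ports. */`. With the registration moved, the `err_port` path shown here is reached only before the handler is registered, which matches the removal of `ib_unregister_event_handler()` there. The start of the function and its remaining error labels are outside the hunk.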
@@ -0,0 +1,152 @@ +From 1e795c472a4825643a7a495ca1a4ab3db0684be1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Feb 2024 13:44:06 +0100 +Subject: scsi: bfa: Fix function pointer type mismatch for hcb_qe->cbfn + +From: Arnd Bergmann + +[ Upstream commit b69600231f751304db914c63b937f7098ed2895c ] + +Some callback functions used here take a boolean argument, others take a +status argument. This breaks KCFI type checking, so clang now warns about +the function pointer cast: + +drivers/scsi/bfa/bfad_bsg.c:2138:29: error: cast from 'void (*)(void *, enum bfa_status)' to 'bfa_cb_cbfn_t' (aka 'void (*)(void *, enum bfa_boolean)') converts to incompatible function type [-Werror,-Wcast-function-type-strict] + +Assuming the code is actually correct here and the callers always match the +argument types of the callee, rework this to replace the explicit cast with +a union of the two pointer types. This does not change the behavior of the +code, so if something is actually broken here, a larger rework may be +necessary. + +Fixes: 37ea0558b87a ("[SCSI] bfa: Added support to collect and reset fcport stats") +Fixes: 3ec4f2c8bff2 ("[SCSI] bfa: Added support to configure QOS and collect stats.") +Reviewed-by: Kees Cook +Signed-off-by: Arnd Bergmann +Link: https://lore.kernel.org/r/20240222124433.2046570-1-arnd@kernel.org +Signed-off-by: Martin K. 
Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/bfa/bfa.h | 9 ++++++++- + drivers/scsi/bfa/bfa_core.c | 4 +--- + drivers/scsi/bfa/bfa_ioc.h | 8 ++++++-- + drivers/scsi/bfa/bfad_bsg.c | 11 ++++------- + 4 files changed, 19 insertions(+), 13 deletions(-) + +diff --git a/drivers/scsi/bfa/bfa.h b/drivers/scsi/bfa/bfa.h +index 7bd2ba1ad4d11..f30fe324e6ecc 100644 +--- a/drivers/scsi/bfa/bfa.h ++++ b/drivers/scsi/bfa/bfa.h +@@ -20,7 +20,6 @@ + struct bfa_s; + + typedef void (*bfa_isr_func_t) (struct bfa_s *bfa, struct bfi_msg_s *m); +-typedef void (*bfa_cb_cbfn_status_t) (void *cbarg, bfa_status_t status); + + /* + * Interrupt message handlers +@@ -437,4 +436,12 @@ struct bfa_cb_pending_q_s { + (__qe)->data = (__data); \ + } while (0) + ++#define bfa_pending_q_init_status(__qe, __cbfn, __cbarg, __data) do { \ ++ bfa_q_qe_init(&((__qe)->hcb_qe.qe)); \ ++ (__qe)->hcb_qe.cbfn_status = (__cbfn); \ ++ (__qe)->hcb_qe.cbarg = (__cbarg); \ ++ (__qe)->hcb_qe.pre_rmv = BFA_TRUE; \ ++ (__qe)->data = (__data); \ ++} while (0) ++ + #endif /* __BFA_H__ */ +diff --git a/drivers/scsi/bfa/bfa_core.c b/drivers/scsi/bfa/bfa_core.c +index 6846ca8f7313c..3438d0b8ba062 100644 +--- a/drivers/scsi/bfa/bfa_core.c ++++ b/drivers/scsi/bfa/bfa_core.c +@@ -1907,15 +1907,13 @@ bfa_comp_process(struct bfa_s *bfa, struct list_head *comp_q) + struct list_head *qe; + struct list_head *qen; + struct bfa_cb_qe_s *hcb_qe; +- bfa_cb_cbfn_status_t cbfn; + + list_for_each_safe(qe, qen, comp_q) { + hcb_qe = (struct bfa_cb_qe_s *) qe; + if (hcb_qe->pre_rmv) { + /* qe is invalid after return, dequeue before cbfn() */ + list_del(qe); +- cbfn = (bfa_cb_cbfn_status_t)(hcb_qe->cbfn); +- cbfn(hcb_qe->cbarg, hcb_qe->fw_status); ++ hcb_qe->cbfn_status(hcb_qe->cbarg, hcb_qe->fw_status); + } else + hcb_qe->cbfn(hcb_qe->cbarg, BFA_TRUE); + } +diff --git a/drivers/scsi/bfa/bfa_ioc.h b/drivers/scsi/bfa/bfa_ioc.h +index 933a1c3890ff5..5e568d6d7b261 100644 +--- a/drivers/scsi/bfa/bfa_ioc.h ++++ 
b/drivers/scsi/bfa/bfa_ioc.h +@@ -361,14 +361,18 @@ struct bfa_reqq_wait_s { + void *cbarg; + }; + +-typedef void (*bfa_cb_cbfn_t) (void *cbarg, bfa_boolean_t complete); ++typedef void (*bfa_cb_cbfn_t) (void *cbarg, bfa_boolean_t complete); ++typedef void (*bfa_cb_cbfn_status_t) (void *cbarg, bfa_status_t status); + + /* + * Generic BFA callback element. + */ + struct bfa_cb_qe_s { + struct list_head qe; +- bfa_cb_cbfn_t cbfn; ++ union { ++ bfa_cb_cbfn_status_t cbfn_status; ++ bfa_cb_cbfn_t cbfn; ++ }; + bfa_boolean_t once; + bfa_boolean_t pre_rmv; /* set for stack based qe(s) */ + bfa_status_t fw_status; /* to access fw status in comp proc */ +diff --git a/drivers/scsi/bfa/bfad_bsg.c b/drivers/scsi/bfa/bfad_bsg.c +index fc515424ca88d..eb589f9e8cfb5 100644 +--- a/drivers/scsi/bfa/bfad_bsg.c ++++ b/drivers/scsi/bfa/bfad_bsg.c +@@ -2135,8 +2135,7 @@ bfad_iocmd_fcport_get_stats(struct bfad_s *bfad, void *cmd) + struct bfa_cb_pending_q_s cb_qe; + + init_completion(&fcomp.comp); +- bfa_pending_q_init(&cb_qe, (bfa_cb_cbfn_t)bfad_hcb_comp, +- &fcomp, &iocmd->stats); ++ bfa_pending_q_init_status(&cb_qe, bfad_hcb_comp, &fcomp, &iocmd->stats); + spin_lock_irqsave(&bfad->bfad_lock, flags); + iocmd->status = bfa_fcport_get_stats(&bfad->bfa, &cb_qe); + spin_unlock_irqrestore(&bfad->bfad_lock, flags); +@@ -2159,7 +2158,7 @@ bfad_iocmd_fcport_reset_stats(struct bfad_s *bfad, void *cmd) + struct bfa_cb_pending_q_s cb_qe; + + init_completion(&fcomp.comp); +- bfa_pending_q_init(&cb_qe, (bfa_cb_cbfn_t)bfad_hcb_comp, &fcomp, NULL); ++ bfa_pending_q_init_status(&cb_qe, bfad_hcb_comp, &fcomp, NULL); + + spin_lock_irqsave(&bfad->bfad_lock, flags); + iocmd->status = bfa_fcport_clear_stats(&bfad->bfa, &cb_qe); +@@ -2443,8 +2442,7 @@ bfad_iocmd_qos_get_stats(struct bfad_s *bfad, void *cmd) + struct bfa_fcport_s *fcport = BFA_FCPORT_MOD(&bfad->bfa); + + init_completion(&fcomp.comp); +- bfa_pending_q_init(&cb_qe, (bfa_cb_cbfn_t)bfad_hcb_comp, +- &fcomp, &iocmd->stats); ++ 
bfa_pending_q_init_status(&cb_qe, bfad_hcb_comp, &fcomp, &iocmd->stats); + + spin_lock_irqsave(&bfad->bfad_lock, flags); + WARN_ON(!bfa_ioc_get_fcmode(&bfad->bfa.ioc)); +@@ -2474,8 +2472,7 @@ bfad_iocmd_qos_reset_stats(struct bfad_s *bfad, void *cmd) + struct bfa_fcport_s *fcport = BFA_FCPORT_MOD(&bfad->bfa); + + init_completion(&fcomp.comp); +- bfa_pending_q_init(&cb_qe, (bfa_cb_cbfn_t)bfad_hcb_comp, +- &fcomp, NULL); ++ bfa_pending_q_init_status(&cb_qe, bfad_hcb_comp, &fcomp, NULL); + + spin_lock_irqsave(&bfad->bfad_lock, flags); + WARN_ON(!bfa_ioc_get_fcmode(&bfad->bfa.ioc)); +-- +2.43.0 + diff --git a/queue-5.10/scsi-csiostor-avoid-function-pointer-casts.patch b/queue-5.10/scsi-csiostor-avoid-function-pointer-casts.patch new file mode 100644 index 00000000000..a63e19cc39e --- /dev/null +++ b/queue-5.10/scsi-csiostor-avoid-function-pointer-casts.patch 
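Review bot: The union added to `struct bfa_cb_qe_s` has no tag, and `bfa_comp_process()` picks `cbfn_status` purely because `pre_rmv` is set, so that flag is now an undocumented discriminator. If any element initialised through the older `bfa_pending_q_init()` (its body is above the hunk) carries a `bfa_boolean_t` callback with `pre_rmv` set, the indirect call through `cbfn_status` would still be a type mismatch, and KCFI would catch it only at run time. A comment on the union would make the contract explicit, e.g. `/* cbfn_status is the valid member when pre_rmv is set, cbfn otherwise */`.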
@@ -0,0 +1,135 @@ +From 28c22659aef8774285a2afdbf8d4d903f14404f7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Feb 2024 11:05:00 +0100 +Subject: scsi: csiostor: Avoid function pointer casts + +From: Arnd Bergmann + +[ Upstream commit 9f3dbcb5632d6876226031d552ef6163bb3ad215 ] + +csiostor uses function pointer casts to keep the csio_ln_ev state machine +hidden, but this causes warnings about control flow integrity (KCFI) +violations in clang-16 and higher: + +drivers/scsi/csiostor/csio_lnode.c:1098:33: error: cast from 'void (*)(struct csio_lnode *, enum csio_ln_ev)' to 'csio_sm_state_t' (aka 'void (*)(void *, unsigned int)') converts to incompatible function type [-Werror,-Wcast-function-type-strict] + 1098 | return (csio_get_state(ln) == ((csio_sm_state_t)csio_lns_ready)); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +drivers/scsi/csiostor/csio_lnode.c:1369:29: error: cast from 'void (*)(struct csio_lnode *, enum csio_ln_ev)' to 'csio_sm_state_t' (aka 'void (*)(void *, unsigned int)') converts to incompatible function type [-Werror,-Wcast-function-type-strict] + 1369 | if (csio_get_state(ln) == ((csio_sm_state_t)csio_lns_uninit)) { + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +drivers/scsi/csiostor/csio_lnode.c:1373:29: error: cast from 'void (*)(struct csio_lnode *, enum csio_ln_ev)' to 'csio_sm_state_t' (aka 'void (*)(void *, unsigned int)') converts to incompatible function type [-Werror,-Wcast-function-type-strict] + 1373 | if (csio_get_state(ln) == ((csio_sm_state_t)csio_lns_ready)) { + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +drivers/scsi/csiostor/csio_lnode.c:1377:29: error: cast from 'void (*)(struct csio_lnode *, enum csio_ln_ev)' to 'csio_sm_state_t' (aka 'void (*)(void *, unsigned int)') converts to incompatible function type [-Werror,-Wcast-function-type-strict] + 1377 | if (csio_get_state(ln) == ((csio_sm_state_t)csio_lns_offline)) { + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Move the enum into a shared header so the correct types can be used without +the need 
for casts. + +Fixes: a3667aaed569 ("[SCSI] csiostor: Chelsio FCoE offload driver") +Signed-off-by: Arnd Bergmann +Link: https://lore.kernel.org/r/20240213100518.457623-1-arnd@kernel.org +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/csiostor/csio_defs.h | 18 ++++++++++++++++-- + drivers/scsi/csiostor/csio_lnode.c | 8 ++++---- + drivers/scsi/csiostor/csio_lnode.h | 13 ------------- + 3 files changed, 20 insertions(+), 19 deletions(-) + +diff --git a/drivers/scsi/csiostor/csio_defs.h b/drivers/scsi/csiostor/csio_defs.h +index c38017b4af982..e50e93e7fe5a1 100644 +--- a/drivers/scsi/csiostor/csio_defs.h ++++ b/drivers/scsi/csiostor/csio_defs.h +@@ -73,7 +73,21 @@ csio_list_deleted(struct list_head *list) + #define csio_list_prev(elem) (((struct list_head *)(elem))->prev) + + /* State machine */ +-typedef void (*csio_sm_state_t)(void *, uint32_t); ++struct csio_lnode; ++ ++/* State machine evets */ ++enum csio_ln_ev { ++ CSIO_LNE_NONE = (uint32_t)0, ++ CSIO_LNE_LINKUP, ++ CSIO_LNE_FAB_INIT_DONE, ++ CSIO_LNE_LINK_DOWN, ++ CSIO_LNE_DOWN_LINK, ++ CSIO_LNE_LOGO, ++ CSIO_LNE_CLOSE, ++ CSIO_LNE_MAX_EVENT, ++}; ++ ++typedef void (*csio_sm_state_t)(struct csio_lnode *ln, enum csio_ln_ev evt); + + struct csio_sm { + struct list_head sm_list; +@@ -83,7 +97,7 @@ struct csio_sm { + static inline void + csio_set_state(void *smp, void *state) + { +- ((struct csio_sm *)smp)->sm_state = (csio_sm_state_t)state; ++ ((struct csio_sm *)smp)->sm_state = state; + } + + static inline void +diff --git a/drivers/scsi/csiostor/csio_lnode.c b/drivers/scsi/csiostor/csio_lnode.c +index d5ac938970232..5b3ffefae476d 100644 +--- a/drivers/scsi/csiostor/csio_lnode.c ++++ b/drivers/scsi/csiostor/csio_lnode.c +@@ -1095,7 +1095,7 @@ csio_handle_link_down(struct csio_hw *hw, uint8_t portid, uint32_t fcfi, + int + csio_is_lnode_ready(struct csio_lnode *ln) + { +- return (csio_get_state(ln) == ((csio_sm_state_t)csio_lns_ready)); ++ return (csio_get_state(ln) == 
csio_lns_ready); + } + + /*****************************************************************************/ +@@ -1366,15 +1366,15 @@ csio_free_fcfinfo(struct kref *kref) + void + csio_lnode_state_to_str(struct csio_lnode *ln, int8_t *str) + { +- if (csio_get_state(ln) == ((csio_sm_state_t)csio_lns_uninit)) { ++ if (csio_get_state(ln) == csio_lns_uninit) { + strcpy(str, "UNINIT"); + return; + } +- if (csio_get_state(ln) == ((csio_sm_state_t)csio_lns_ready)) { ++ if (csio_get_state(ln) == csio_lns_ready) { + strcpy(str, "READY"); + return; + } +- if (csio_get_state(ln) == ((csio_sm_state_t)csio_lns_offline)) { ++ if (csio_get_state(ln) == csio_lns_offline) { + strcpy(str, "OFFLINE"); + return; + } +diff --git a/drivers/scsi/csiostor/csio_lnode.h b/drivers/scsi/csiostor/csio_lnode.h +index 372a67d122d38..607698a0f0631 100644 +--- a/drivers/scsi/csiostor/csio_lnode.h ++++ b/drivers/scsi/csiostor/csio_lnode.h +@@ -53,19 +53,6 @@ + extern int csio_fcoe_rnodes; + extern int csio_fdmi_enable; + +-/* State machine evets */ +-enum csio_ln_ev { +- CSIO_LNE_NONE = (uint32_t)0, +- CSIO_LNE_LINKUP, +- CSIO_LNE_FAB_INIT_DONE, +- CSIO_LNE_LINK_DOWN, +- CSIO_LNE_DOWN_LINK, +- CSIO_LNE_LOGO, +- CSIO_LNE_CLOSE, +- CSIO_LNE_MAX_EVENT, +-}; +- +- + struct csio_fcf_info { + struct list_head list; + uint8_t priority; +-- +2.43.0 + diff --git a/queue-5.10/series b/queue-5.10/series index 50963031044..2fd8b4b9eef 100644 --- a/queue-5.10/series +++ b/queue-5.10/series 
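Review bot: `csio_set_state()` still takes `void *state`, so dropping the cast in `sm_state = state;` leaves the assignment unchecked. Any pointer is accepted and converted to `csio_sm_state_t`, which is the same type hole the casts used to hide. Declaring the parameter as `csio_sm_state_t state` would let the compiler reject a function with a different signature. The typedef is now tied to `struct csio_lnode *` and `enum csio_ln_ev`, so if other state machines in the driver embed `struct csio_sm` (not visible here), their state functions would be stored and called through a mismatched pointer type, which KCFI would trap at run time. The moved comment also carries the typo `evets` for `events`.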
@@ -26,3 +26,181 @@ asoc-wm8962-enable-oscillator-if-selecting-wm8962_fl.patch asoc-wm8962-enable-both-spkoutr_ena-and-spkoutl_ena-.patch asoc-wm8962-fix-up-incorrect-error-message-in-wm8962.patch x86-paravirt-fix-build-due-to-__text_gen_insn-backpo.patch +do_sys_name_to_handle-use-kzalloc-to-fix-kernel-info.patch +nbd-null-check-for-nla_nest_start.patch +fs-select-rework-stack-allocation-hack-for-clang.patch +block-add-a-new-set_read_only-method.patch +md-implement-set_read_only-to-hook-into-blkroset-pro.patch +md-don-t-clear-md_closing-when-the-raid-is-about-to-.patch +aoe-fix-the-potential-use-after-free-problem-in-aoec.patch +timekeeping-fix-cross-timestamp-interpolation-on-cou.patch +timekeeping-fix-cross-timestamp-interpolation-corner.patch +timekeeping-fix-cross-timestamp-interpolation-for-no.patch +wifi-ath10k-fix-null-pointer-dereference-in-ath10k_w.patch +wifi-b43-stop-wake-correct-queue-in-dma-tx-path-when.patch +wifi-b43-stop-wake-correct-queue-in-pio-tx-path-when.patch +wifi-b43-stop-correct-queue-in-dma-worker-when-qos-i.patch +wifi-b43-disable-qos-for-bcm4331.patch +wifi-wilc1000-fix-declarations-ordering.patch +wifi-wilc1000-fix-rcu-usage-in-connect-path.patch +wifi-rtl8xxxu-add-cancel_work_sync-for-c2hcmd_work.patch +wifi-wilc1000-fix-multi-vif-management-when-deleting.patch +wifi-mwifiex-debugfs-drop-unnecessary-error-check-fo.patch +arm-dts-renesas-r8a73a4-fix-external-clocks-and-cloc.patch +cpufreq-brcmstb-avs-cpufreq-add-check-for-cpufreq_cp.patch +sock_diag-annotate-data-races-around-sock_diag_handl.patch +inet_diag-annotate-data-races-around-inet_diag_table.patch +bpftool-silence-build-warning-about-calloc.patch +af_unix-annotate-data-race-of-gc_in_progress-in-wait.patch +wifi-ath9k-delay-all-of-ath9k_wmi_event_tasklet-unti.patch +wifi-iwlwifi-dbg-tlv-ensure-nul-termination.patch +wifi-iwlwifi-fix-ewrd-table-validity-check.patch +net-blackhole_dev-fix-build-warning-for-ethh-set-but.patch 
+wifi-libertas-fix-some-memleaks-in-lbs_allocate_cmd_.patch +arm64-dts-qcom-msm8996-fix-ufs-phy-clocks.patch +arm64-dts-qcom-msm8998-fix-ufs-phy-clocks.patch +printk-add-panic_in_progress-helper.patch +printk-disable-passing-console-lock-owner-completely.patch +arm64-dts-mediatek-mt7622-add-missing-device_type-to.patch +bpf-factor-out-bpf_spin_lock-into-helpers.patch +bpf-mark-bpf_spin_-lock-unlock-helpers-with-notrace-.patch +arm64-dts-qcom-msm8996-define-ufs-unipro-clock-limit.patch +wireless-remove-redundant-flush_workqueue-calls.patch +wifi-wilc1000-prevent-use-after-free-on-vif-when-cle.patch +acpi-processor_idle-fix-memory-leak-in-acpi_processo.patch +bus-tegra-aconnect-update-dependency-to-arch_tegra.patch +iommu-amd-mark-interrupt-as-managed.patch +wifi-brcmsmac-avoid-function-pointer-casts.patch +net-ena-remove-ena_select_queue.patch +arm-dts-arm-realview-fix-development-chip-rom-compat.patch +arm-dts-imx6dl-yapp4-move-phy-reset-into-switch-node.patch +arm-dts-imx6dl-yapp4-fix-typo-in-the-qca-switch-regi.patch +arm-dts-imx6dl-yapp4-move-the-internal-switch-phys-u.patch +arm64-dts-marvell-reorder-crypto-interrupts-on-armad.patch +acpi-scan-fix-device-check-notification-handling.patch +x86-relocs-ignore-relocations-in-.notes-section.patch +sunrpc-fix-some-memleaks-in-gssx_dec_option_array.patch +mmc-wmt-sdmmc-remove-an-incorrect-release_mem_region.patch +wifi-rtw88-8821c-fix-false-alarm-count.patch +pci-make-pci_dev_is_disconnected-helper-public-for-o.patch +iommu-vt-d-don-t-issue-ats-invalidation-request-when.patch +igb-move-perout-and-extts-isr-logic-to-separate-func.patch +igb-fix-missing-time-sync-events.patch +bluetooth-remove-superfluous-call-to-hci_conn_check_.patch +bluetooth-hci_core-fix-possible-buffer-overflow.patch +sr9800-add-check-for-usbnet_get_endpoints.patch +bpf-eliminate-rlimit-based-memory-accounting-for-dev.patch +bpf-fix-devmap_hash-overflow-check-on-32-bit-arches.patch +bpf-fix-hashtab-overflow-check-on-32-bit-arches.patch 
+bpf-fix-stackmap-overflow-check-on-32-bit-arches.patch +ipv6-fib6_rules-flush-route-cache-when-rule-is-chang.patch +net-ip_tunnel-make-sure-to-pull-inner-header-in-ip_t.patch +net-phy-fix-phy_get_internal_delay-accessing-an-empt.patch +net-hns3-fix-port-duplex-configure-error-in-imp-rese.patch +net-phy-dp83822-enable-rgmii-mode-if-phy_interface_i.patch +net-phy-dp83822-fix-rgmii-tx-delay-configuration.patch +opp-debugfs-fix-warning-around-icc_get_name.patch +tcp-fix-incorrect-parameter-validation-in-the-do_tcp.patch +net-ipv4-replace-one-element-array-with-flexible-arr.patch +net-ipv4-revert-use-of-struct_size-helper.patch +net-ipv4-ipv6-replace-one-element-arraya-with-flexib.patch +bpf-net-change-do_ip_getsockopt-to-take-the-sockptr_.patch +ipmr-fix-incorrect-parameter-validation-in-the-ip_mr.patch +l2tp-fix-incorrect-parameter-validation-in-the-pppol.patch +udp-fix-incorrect-parameter-validation-in-the-udp_li.patch +net-kcm-fix-incorrect-parameter-validation-in-the-kc.patch +net-x25-fix-incorrect-parameter-validation-in-the-x2.patch +nfp-flower-handle-acti_netdevs-allocation-failure.patch +dm-raid-fix-false-positive-for-requeue-needed-during.patch +dm-call-the-resume-method-on-internal-suspend.patch +drm-tegra-dsi-add-missing-check-for-of_find_device_b.patch +drm-tegra-dsi-make-use-of-the-helper-function-dev_er.patch +drm-tegra-dsi-fix-some-error-handling-paths-in-tegra.patch +drm-tegra-dsi-fix-missing-pm_runtime_disable-in-the-.patch +drm-tegra-output-fix-missing-i2c_put_adapter-in-the-.patch +drm-rockchip-inno_hdmi-fix-video-timing.patch +drm-don-t-treat-0-as-1-in-drm_fixp2int_ceil.patch +drm-rockchip-lvds-do-not-overwrite-error-code.patch +drm-rockchip-lvds-do-not-print-scary-message-when-pr.patch +drm-lima-fix-a-memleak-in-lima_heap_alloc.patch +dmaengine-tegra210-adma-update-dependency-to-arch_te.patch +media-tc358743-register-v4l2-async-device-only-after.patch +pci-dpc-print-all-tlp-prefixes-not-just-the-first.patch 
+perf-record-fix-possible-incorrect-free-in-record__s.patch +hid-lenovo-add-middleclick_workaround-sysfs-knob-for.patch +drm-amd-display-fix-a-potential-buffer-overflow-in-d.patch +drm-amd-display-fix-potential-null-pointer-dereferen.patch +perf-evsel-fix-duplicate-initialization-of-data-id-i.patch +pci-aer-fix-rootport-attribute-paths-in-abi-docs.patch +media-em28xx-annotate-unchecked-call-to-media_device.patch +media-v4l2-tpg-fix-some-memleaks-in-tpg_alloc.patch +media-v4l2-mem2mem-fix-a-memleak-in-v4l2_m2m_registe.patch +media-edia-dvbdev-fix-a-use-after-free.patch +pinctrl-mediatek-drop-bogus-slew-rate-register-range.patch +clk-qcom-reset-commonize-the-de-assert-functions.patch +clk-qcom-reset-ensure-write-completion-on-reset-de-a.patch +quota-simplify-drop_dquot_ref.patch +quota-fix-potential-null-pointer-dereference.patch +quota-fix-rcu-annotations-of-inode-dquot-pointers.patch +pci-switchtec-fix-an-error-handling-path-in-switchte.patch +crypto-xilinx-call-finalize-with-bh-disabled.patch +perf-thread_map-free-strlist-on-normal-path-in-threa.patch +drm-radeon-ni-fix-wrong-firmware-size-logging-in-ni_.patch +alsa-seq-fix-function-cast-warnings.patch +perf-stat-avoid-metric-only-segv.patch +asoc-meson-use-dev_err_probe-helper.patch +asoc-meson-aiu-fix-function-pointer-type-mismatch.patch +asoc-meson-t9015-fix-function-pointer-type-mismatch.patch +media-sun8i-di-fix-coefficient-writes.patch +media-sun8i-di-fix-power-on-off-sequences.patch +media-sun8i-di-fix-chroma-difference-threshold.patch +media-imx-csc-scaler-fix-v4l2_ctrl_handler-memory-le.patch +media-go7007-add-check-of-return-value-of-go7007_rea.patch +media-pvrusb2-remove-redundant-null-check.patch +media-pvrusb2-fix-pvr2_stream_callback-casts.patch +clk-qcom-dispcc-sdm845-adjust-internal-gdsc-wait-tim.patch +drm-mediatek-dsi-fix-dsi-rgb666-formats-and-definiti.patch +pci-mark-3ware-9650se-root-port-extended-tags-as-bro.patch +clk-hisilicon-hi3519-release-the-correct-number-of-g.patch 
+drm-tegra-put-drm_gem_object-ref-on-error-in-tegra_f.patch +mfd-syscon-call-of_node_put-only-when-of_parse_phand.patch +mfd-altera-sysmgr-call-of_node_put-only-when-of_pars.patch +crypto-arm-sha-fix-function-cast-warnings.patch +drm-tidss-fix-initial-plane-zpos-values.patch +mtd-maps-physmap-core-fix-flash-size-larger-than-32-.patch +mtd-rawnand-lpc32xx_mlc-fix-irq-handler-prototype.patch +asoc-meson-axg-tdm-interface-fix-mclk-setup-without-.patch +asoc-meson-axg-tdm-interface-add-frame-rate-constrai.patch +drm-amdgpu-fix-missing-break-in-atom_arg_imm-case-of.patch +media-pvrusb2-fix-uaf-in-pvr2_context_set_notify.patch +media-dvb-frontends-avoid-stack-overflow-warnings-wi.patch +media-go7007-fix-a-memleak-in-go7007_load_encoder.patch +media-ttpci-fix-two-memleaks-in-budget_av_attach.patch +media-mediatek-vcodec-avoid-wcast-function-type-stri.patch +drm-mediatek-fix-a-null-pointer-crash-in-mtk_drm_crt.patch +powerpc-hv-gpci-fix-the-h_get_perf_counter_info-hcal.patch +drm-msm-dpu-add-division-of-drm_display_mode-s-hskew.patch +powerpc-embedded6xx-fix-no-previous-prototype-for-av.patch +leds-aw2013-unlock-mutex-before-destroying-it.patch +leds-sgm3140-add-missing-timer-cleanup-and-flash-gpi.patch +backlight-lm3630a-initialize-backlight_properties-on.patch +backlight-lm3630a-don-t-set-bl-props.brightness-in-g.patch +backlight-da9052-fully-initialize-backlight_properti.patch +backlight-lm3639-fully-initialize-backlight_properti.patch +backlight-lp8788-fully-initialize-backlight_properti.patch +arch-powerpc-remove-linux-fb.h-from-backlight-code.patch +sparc32-fix-section-mismatch-in-leon_pci_grpci.patch +clk-fix-clk_core_get-null-dereference.patch +alsa-hda-realtek-fix-alc285-issues-on-hp-envy-x360-l.patch +alsa-usb-audio-stop-parsing-channels-bits-when-all-c.patch +rdma-srpt-do-not-register-event-handler-until-srpt-d.patch +f2fs-compress-fix-to-check-unreleased-compressed-clu.patch +scsi-csiostor-avoid-function-pointer-casts.patch 
+rdma-device-fix-a-race-between-mad_client-and-cm_cli.patch +scsi-bfa-fix-function-pointer-type-mismatch-for-hcb_.patch +net-sunrpc-fix-an-off-by-one-in-rpc_sockaddr2uaddr.patch +nfsv4.2-fix-nfs4_listxattr-kernel-bug-at-mm-usercopy.patch +nfsv4.2-fix-listxattr-maximum-xdr-buffer-size.patch +watchdog-stm32_iwdg-initialize-default-timeout.patch +nfs-fix-an-off-by-one-in-root_nfs_cat.patch +afs-revert-afs-hide-silly-rename-files-from-userspac.patch diff --git a/queue-5.10/sock_diag-annotate-data-races-around-sock_diag_handl.patch b/queue-5.10/sock_diag-annotate-data-races-around-sock_diag_handl.patch new file mode 100644 index 00000000000..4c246387547 --- /dev/null +++ b/queue-5.10/sock_diag-annotate-data-races-around-sock_diag_handl.patch 
@@ -0,0 +1,74 @@ +From e6feac9dc24f4c817014481cd98565c82ac255cc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Jan 2024 11:25:55 +0000 +Subject: sock_diag: annotate data-races around sock_diag_handlers[family] + +From: Eric Dumazet + +[ Upstream commit efd402537673f9951992aea4ef0f5ff51d858f4b ] + +__sock_diag_cmd() and sock_diag_bind() read sock_diag_handlers[family] +without a lock held. + +Use READ_ONCE()/WRITE_ONCE() annotations to avoid potential issues. + +Fixes: 8ef874bfc729 ("sock_diag: Move the sock_ code to net/core/") +Signed-off-by: Eric Dumazet +Reviewed-by: Guillaume Nault +Reviewed-by: Kuniyuki Iwashima +Reviewed-by: Willem de Bruijn +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/core/sock_diag.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/net/core/sock_diag.c b/net/core/sock_diag.c +index c9c45b935f990..bce65b519ee80 100644 +--- a/net/core/sock_diag.c ++++ b/net/core/sock_diag.c +@@ -189,7 +189,7 @@ int sock_diag_register(const struct sock_diag_handler *hndl) + if (sock_diag_handlers[hndl->family]) + err = -EBUSY; + else +- sock_diag_handlers[hndl->family] = hndl; ++ WRITE_ONCE(sock_diag_handlers[hndl->family], hndl); + mutex_unlock(&sock_diag_table_mutex); + + return err; +@@ -205,7 +205,7 @@ void sock_diag_unregister(const struct sock_diag_handler *hnld) + + mutex_lock(&sock_diag_table_mutex); + BUG_ON(sock_diag_handlers[family] != hnld); +- sock_diag_handlers[family] = NULL; ++ WRITE_ONCE(sock_diag_handlers[family], NULL); + mutex_unlock(&sock_diag_table_mutex); + } + EXPORT_SYMBOL_GPL(sock_diag_unregister); +@@ -223,7 +223,7 @@ static int __sock_diag_cmd(struct sk_buff *skb, struct nlmsghdr *nlh) + return -EINVAL; + req->sdiag_family = array_index_nospec(req->sdiag_family, AF_MAX); + +- if (sock_diag_handlers[req->sdiag_family] == NULL) ++ if (READ_ONCE(sock_diag_handlers[req->sdiag_family]) == NULL) + sock_load_diag_module(req->sdiag_family, 0); + + 
mutex_lock(&sock_diag_table_mutex); +@@ -282,12 +282,12 @@ static int sock_diag_bind(struct net *net, int group) + switch (group) { + case SKNLGRP_INET_TCP_DESTROY: + case SKNLGRP_INET_UDP_DESTROY: +- if (!sock_diag_handlers[AF_INET]) ++ if (!READ_ONCE(sock_diag_handlers[AF_INET])) + sock_load_diag_module(AF_INET, 0); + break; + case SKNLGRP_INET6_TCP_DESTROY: + case SKNLGRP_INET6_UDP_DESTROY: +- if (!sock_diag_handlers[AF_INET6]) ++ if (!READ_ONCE(sock_diag_handlers[AF_INET6])) + sock_load_diag_module(AF_INET6, 0); + break; + } +-- +2.43.0 + diff --git a/queue-5.10/sparc32-fix-section-mismatch-in-leon_pci_grpci.patch b/queue-5.10/sparc32-fix-section-mismatch-in-leon_pci_grpci.patch new file mode 100644 index 00000000000..ba39198f2fc --- /dev/null +++ b/queue-5.10/sparc32-fix-section-mismatch-in-leon_pci_grpci.patch 
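Review bot: The lockless `READ_ONCE(sock_diag_handlers[...])` checks in `__sock_diag_cmd()` and `sock_diag_bind()` are only a hint for whether to call `sock_load_diag_module()`, and nothing in the code says so. A handler can be registered or unregistered between that read and the `mutex_lock(&sock_diag_table_mutex)` that follows, so the value read here must never be dereferenced. I would add above the check in `__sock_diag_cmd()`: `/* Lockless hint only; the handler is looked up again under sock_diag_table_mutex. */`. The lookup under the mutex lies outside the hunk, so confirm it is present in the 5.10 tree.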
@@ -0,0 +1,62 @@ +From e8e9fbcd2f188520313e3b93686c61be8055871d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 24 Feb 2024 18:42:28 +0100 +Subject: sparc32: Fix section mismatch in leon_pci_grpci + +From: Sam Ravnborg + +[ Upstream commit 24338a6ae13cb743ced77da1b3a12c83f08a0c96 ] + +Passing a datastructre marked _initconst to platform_driver_register() +is wrong. Drop the __initconst notation. + +This fixes the following warnings: + +WARNING: modpost: vmlinux: section mismatch in reference: grpci1_of_driver+0x30 (section: .data) -> grpci1_of_match (section: .init.rodata) +WARNING: modpost: vmlinux: section mismatch in reference: grpci2_of_driver+0x30 (section: .data) -> grpci2_of_match (section: .init.rodata) + +Signed-off-by: Sam Ravnborg +Cc: "David S. Miller" +Cc: Andreas Larsson +Fixes: 4154bb821f0b ("sparc: leon: grpci1: constify of_device_id") +Fixes: 03949b1cb9f1 ("sparc: leon: grpci2: constify of_device_id") +Tested-by: Randy Dunlap # build-tested +Reviewed-by: Andreas Larsson +Tested-by: Andreas Larsson +Signed-off-by: Andreas Larsson +Link: https://lore.kernel.org/r/20240224-sam-fix-sparc32-all-builds-v2-7-1f186603c5c4@ravnborg.org +Signed-off-by: Sasha Levin +--- + arch/sparc/kernel/leon_pci_grpci1.c | 2 +- + arch/sparc/kernel/leon_pci_grpci2.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/sparc/kernel/leon_pci_grpci1.c b/arch/sparc/kernel/leon_pci_grpci1.c +index e6935d0ac1ec9..c32590bdd3120 100644 +--- a/arch/sparc/kernel/leon_pci_grpci1.c ++++ b/arch/sparc/kernel/leon_pci_grpci1.c +@@ -696,7 +696,7 @@ static int grpci1_of_probe(struct platform_device *ofdev) + return err; + } + +-static const struct of_device_id grpci1_of_match[] __initconst = { ++static const struct of_device_id grpci1_of_match[] = { + { + .name = "GAISLER_PCIFBRG", + }, +diff --git a/arch/sparc/kernel/leon_pci_grpci2.c b/arch/sparc/kernel/leon_pci_grpci2.c +index ca22f93d90454..dd06abc61657f 100644 +--- a/arch/sparc/kernel/leon_pci_grpci2.c 
++++ b/arch/sparc/kernel/leon_pci_grpci2.c +@@ -887,7 +887,7 @@ static int grpci2_of_probe(struct platform_device *ofdev) + return err; + } + +-static const struct of_device_id grpci2_of_match[] __initconst = { ++static const struct of_device_id grpci2_of_match[] = { + { + .name = "GAISLER_GRPCI2", + }, +-- +2.43.0 + diff --git a/queue-5.10/sr9800-add-check-for-usbnet_get_endpoints.patch b/queue-5.10/sr9800-add-check-for-usbnet_get_endpoints.patch new file mode 100644 index 00000000000..e61fb363250 --- /dev/null +++ b/queue-5.10/sr9800-add-check-for-usbnet_get_endpoints.patch @@ -0,0 +1,40 @@ +From a76c3bb97349f39ea5bdf17b6bb6c2b1b288736f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Mar 2024 07:59:27 +0000 +Subject: sr9800: Add check for usbnet_get_endpoints + +From: Chen Ni + +[ Upstream commit 07161b2416f740a2cb87faa5566873f401440a61 ] + +Add check for usbnet_get_endpoints() and return the error if it fails +in order to transfer the error. + +Signed-off-by: Chen Ni +Reviewed-by: Simon Horman +Fixes: 19a38d8e0aa3 ("USB2NET : SR9800 : One chip USB2.0 USB2NET SR9800 Device Driver Support") +Link: https://lore.kernel.org/r/20240305075927.261284-1-nichen@iscas.ac.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/usb/sr9800.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/usb/sr9800.c b/drivers/net/usb/sr9800.c +index 681e0def6356b..a5332e99102a5 100644 +--- a/drivers/net/usb/sr9800.c ++++ b/drivers/net/usb/sr9800.c +@@ -736,7 +736,9 @@ static int sr9800_bind(struct usbnet *dev, struct usb_interface *intf) + + data->eeprom_len = SR9800_EEPROM_LEN; + +- usbnet_get_endpoints(dev, intf); ++ ret = usbnet_get_endpoints(dev, intf); ++ if (ret) ++ goto out; + + /* LED Setting Rule : + * AABB:CCDD +-- +2.43.0 + 
diff --git a/queue-5.10/sunrpc-fix-some-memleaks-in-gssx_dec_option_array.patch b/queue-5.10/sunrpc-fix-some-memleaks-in-gssx_dec_option_array.patch
new file mode 100644
index 00000000000..ab5bdf3d010
--- /dev/null
+++ b/queue-5.10/sunrpc-fix-some-memleaks-in-gssx_dec_option_array.patch
@@ -0,0 +1,86 @@ +From c5320f67c66b9a4ec249b54b49c45b6e603a0ca9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Jan 2024 13:38:13 +0800 +Subject: SUNRPC: fix some memleaks in gssx_dec_option_array + +From: Zhipeng Lu + +[ Upstream commit 3cfcfc102a5e57b021b786a755a38935e357797d ] + +The creds and oa->data need to be freed in the error-handling paths after +their allocation. So this patch add these deallocations in the +corresponding paths. + +Fixes: 1d658336b05f ("SUNRPC: Add RPC based upcall mechanism for RPCGSS auth") +Signed-off-by: Zhipeng Lu +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +--- + net/sunrpc/auth_gss/gss_rpc_xdr.c | 27 +++++++++++++++++++-------- + 1 file changed, 19 insertions(+), 8 deletions(-) + +diff --git a/net/sunrpc/auth_gss/gss_rpc_xdr.c b/net/sunrpc/auth_gss/gss_rpc_xdr.c +index 2ff7b7083ebab..e265b8d38aa14 100644 +--- a/net/sunrpc/auth_gss/gss_rpc_xdr.c ++++ b/net/sunrpc/auth_gss/gss_rpc_xdr.c +@@ -250,8 +250,8 @@ static int gssx_dec_option_array(struct xdr_stream *xdr, + + creds = kzalloc(sizeof(struct svc_cred), GFP_KERNEL); + if (!creds) { +- kfree(oa->data); +- return -ENOMEM; ++ err = -ENOMEM; ++ goto free_oa; + } + + oa->data[0].option.data = CREDS_VALUE; +@@ -265,29 +265,40 @@ static int gssx_dec_option_array(struct xdr_stream *xdr, + + /* option buffer */ + p = xdr_inline_decode(xdr, 4); +- if (unlikely(p == NULL)) +- return -ENOSPC; ++ if (unlikely(p == NULL)) { ++ err = -ENOSPC; ++ goto free_creds; ++ } + + length = be32_to_cpup(p); + p = xdr_inline_decode(xdr, length); +- if (unlikely(p == NULL)) +- return -ENOSPC; ++ if (unlikely(p == NULL)) { ++ err = -ENOSPC; ++ goto free_creds; ++ } + + if (length == sizeof(CREDS_VALUE) && + memcmp(p, CREDS_VALUE, sizeof(CREDS_VALUE)) == 0) { + /* We have creds here. 
parse them */ + err = gssx_dec_linux_creds(xdr, creds); + if (err) +- return err; ++ goto free_creds; + oa->data[0].value.len = 1; /* presence */ + } else { + /* consume uninteresting buffer */ + err = gssx_dec_buffer(xdr, &dummy); + if (err) +- return err; ++ goto free_creds; + } + } + return 0; ++ ++free_creds: ++ kfree(creds); ++free_oa: ++ kfree(oa->data); ++ oa->data = NULL; ++ return err; + } + + static int gssx_dec_status(struct xdr_stream *xdr, +-- +2.43.0 + diff --git a/queue-5.10/tcp-fix-incorrect-parameter-validation-in-the-do_tcp.patch b/queue-5.10/tcp-fix-incorrect-parameter-validation-in-the-do_tcp.patch new file mode 100644 index 00000000000..52c3bbdcb20 --- /dev/null +++ b/queue-5.10/tcp-fix-incorrect-parameter-validation-in-the-do_tcp.patch 
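Review bot: At the new `free_creds` label in `gssx_dec_option_array()`, `kfree(creds)` releases only the `struct svc_cred` itself, and the hunk does not say who owns anything hanging off it. The `goto free_creds` exits after `gssx_dec_linux_creds()` and `gssx_dec_buffer()` appear to sit inside a per-option loop, so a failure on a later pass could follow an earlier pass that already filled `creds`. Whether `gssx_dec_linux_creds()` can leave allocations attached to `creds`, or a stale pointer after its own cleanup, is not visible here and should be checked before this label is relied on. Once confirmed, record the result at the label, e.g. `/* creds owns no further allocations at this point */`.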
@@ -0,0 +1,47 @@
+From c9227223ece390ecdf8d64bc31806769fba4d49b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 7 Mar 2024 14:23:49 +0000
+Subject: tcp: fix incorrect parameter validation in the do_tcp_getsockopt()
+ function
+
+From: Gavrilov Ilia
+
+[ Upstream commit 716edc9706deb3bb2ff56e2eeb83559cea8f22db ]
+
+The 'len' variable can't be negative when assigned the result of
+'min_t' because all 'min_t' parameters are cast to unsigned int,
+and then the minimum one is chosen.
+
+To fix the logic, check 'len' as read from 'optlen',
+where the types of relevant variables are (signed) int.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Gavrilov Ilia
+Reviewed-by: Jason Xing
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/tcp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+index a5c15e2d193f6..2e874ec859715 100644
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -3742,11 +3742,11 @@ static int do_tcp_getsockopt(struct sock *sk, int level,
+ if (get_user(len, optlen))
+ return -EFAULT;
+
+- len = min_t(unsigned int, len, sizeof(int));
+-
+ if (len < 0)
+ return -EINVAL;
+
++ len = min_t(unsigned int, len, sizeof(int));
++
+ switch (optname) {
+ case TCP_MAXSEG:
+ val = tp->mss_cache;
+--
+2.43.0
+
diff --git a/queue-5.10/timekeeping-fix-cross-timestamp-interpolation-corner.patch b/queue-5.10/timekeeping-fix-cross-timestamp-interpolation-corner.patch
new file mode 100644
index 00000000000..f05aa66238c
--- /dev/null
+++ b/queue-5.10/timekeeping-fix-cross-timestamp-interpolation-corner.patch
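Review bot: The order of the two statements in `do_tcp_getsockopt()` is now what makes the `len < 0` test effective, but nothing in the code records that, so a later cleanup could move `min_t()` back above the check. `len` comes from user space via `get_user(len, optlen)`, and once `min_t(unsigned int, ...)` has run, a negative value has already been clamped to `sizeof(int)` and passes as valid. I would add `/* Validate the signed user value before min_t() converts it to unsigned. */` above `if (len < 0)`. The same applies to the identical hunk for `udp_lib_getsockopt()` in the udp patch further down. Both functions start and continue outside their hunks.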
@@ -0,0 +1,114 @@ +From 2b93b8b3152334f66b84b136e99e5c9c162e4ff8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Dec 2023 08:38:40 +0100 +Subject: timekeeping: Fix cross-timestamp interpolation corner case decision + +From: Peter Hilber + +[ Upstream commit 87a41130881995f82f7adbafbfeddaebfb35f0ef ] + +The cycle_between() helper checks if parameter test is in the open interval +(before, after). Colloquially speaking, this also applies to the counter +wrap-around special case before > after. get_device_system_crosststamp() +currently uses cycle_between() at the first call site to decide whether to +interpolate for older counter readings. + +get_device_system_crosststamp() has the following problem with +cycle_between() testing against an open interval: Assume that, by chance, +cycles == tk->tkr_mono.cycle_last (in the following, "cycle_last" for +brevity). Then, cycle_between() at the first call site, with effective +argument values cycle_between(cycle_last, cycles, now), returns false, +enabling interpolation. During interpolation, +get_device_system_crosststamp() will then call cycle_between() at the +second call site (if a history_begin was supplied). The effective argument +values are cycle_between(history_begin->cycles, cycles, cycles), since +system_counterval.cycles == interval_start == cycles, per the assumption. +Due to the test against the open interval, cycle_between() returns false +again. This causes get_device_system_crosststamp() to return -EINVAL. + +This failure should be avoided, since get_device_system_crosststamp() works +both when cycles follows cycle_last (no interpolation), and when cycles +precedes cycle_last (interpolation). For the case cycles == cycle_last, +interpolation is actually unneeded. + +Fix this by changing cycle_between() into timestamp_in_interval(), which +now checks against the closed interval, rather than the open interval. + +This changes the get_device_system_crosststamp() behavior for three corner +cases: + +1. 
Bypass interpolation in the case cycles == tk->tkr_mono.cycle_last, + fixing the problem described above. + +2. At the first timestamp_in_interval() call site, cycles == now no longer + causes failure. + +3. At the second timestamp_in_interval() call site, history_begin->cycles + == system_counterval.cycles no longer causes failure. + adjust_historical_crosststamp() also works for this corner case, + where partial_history_cycles == total_history_cycles. + +These behavioral changes should not cause any problems. + +Fixes: 2c756feb18d9 ("time: Add history to cross timestamp interface supporting slower devices") +Signed-off-by: Peter Hilber +Signed-off-by: Thomas Gleixner +Link: https://lore.kernel.org/r/20231218073849.35294-3-peter.hilber@opensynergy.com +Signed-off-by: Sasha Levin +--- + kernel/time/timekeeping.c | 18 ++++++++++-------- + 1 file changed, 10 insertions(+), 8 deletions(-) + +diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c +index 6a8a610b19717..6f615db414769 100644 +--- a/kernel/time/timekeeping.c ++++ b/kernel/time/timekeeping.c +@@ -1167,13 +1167,15 @@ static int adjust_historical_crosststamp(struct system_time_snapshot *history, + } + + /* +- * cycle_between - true if test occurs chronologically between before and after ++ * timestamp_in_interval - true if ts is chronologically in [start, end] ++ * ++ * True if ts occurs chronologically at or after start, and before or at end. 
+ */ +-static bool cycle_between(u64 before, u64 test, u64 after) ++static bool timestamp_in_interval(u64 start, u64 end, u64 ts) + { +- if (test > before && test < after) ++ if (ts >= start && ts <= end) + return true; +- if (before > after && (test > before || test < after)) ++ if (start > end && (ts >= start || ts <= end)) + return true; + return false; + } +@@ -1233,7 +1235,7 @@ int get_device_system_crosststamp(int (*get_time_fn) + */ + now = tk_clock_read(&tk->tkr_mono); + interval_start = tk->tkr_mono.cycle_last; +- if (!cycle_between(interval_start, cycles, now)) { ++ if (!timestamp_in_interval(interval_start, now, cycles)) { + clock_was_set_seq = tk->clock_was_set_seq; + cs_was_changed_seq = tk->cs_was_changed_seq; + cycles = interval_start; +@@ -1264,13 +1266,13 @@ int get_device_system_crosststamp(int (*get_time_fn) + bool discontinuity; + + /* +- * Check that the counter value occurs after the provided ++ * Check that the counter value is not before the provided + * history reference and that the history doesn't cross a + * clocksource change + */ + if (!history_begin || +- !cycle_between(history_begin->cycles, +- system_counterval.cycles, cycles) || ++ !timestamp_in_interval(history_begin->cycles, ++ cycles, system_counterval.cycles) || + history_begin->cs_was_changed_seq != cs_was_changed_seq) + return -EINVAL; + partial_history_cycles = cycles - system_counterval.cycles; +-- +2.43.0 + diff --git a/queue-5.10/timekeeping-fix-cross-timestamp-interpolation-for-no.patch b/queue-5.10/timekeeping-fix-cross-timestamp-interpolation-for-no.patch new file mode 100644 index 00000000000..8e0e2cc08e8 --- /dev/null +++ b/queue-5.10/timekeeping-fix-cross-timestamp-interpolation-for-no.patch 
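Review bot: `timestamp_in_interval(start, end, ts)` takes the tested value last, whereas `cycle_between(before, test, after)` took it in the middle, and all three parameters are `u64`, so a call carried over with the old argument order would compile cleanly and test the wrong value. Both call sites in this hunk are converted; for a stable backport it is worth checking the 5.10 tree for any remaining `cycle_between(` users. The new header comment also no longer mentions counter wrap-around, which the second `if` handles; I would add ` * Also true across a counter wrap (start > end) when ts >= start or ts <= end.` to it.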
@@ -0,0 +1,58 @@ +From 69621d4243673b3fb24ca02f8573006d279ca02a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Dec 2023 08:38:41 +0100 +Subject: timekeeping: Fix cross-timestamp interpolation for non-x86 + +From: Peter Hilber + +[ Upstream commit 14274d0bd31b4debf28284604589f596ad2e99f2 ] + +So far, get_device_system_crosststamp() unconditionally passes +system_counterval.cycles to timekeeping_cycles_to_ns(). But when +interpolating system time (do_interp == true), system_counterval.cycles is +before tkr_mono.cycle_last, contrary to the timekeeping_cycles_to_ns() +expectations. + +On x86, CONFIG_CLOCKSOURCE_VALIDATE_LAST_CYCLE will mitigate on +interpolating, setting delta to 0. With delta == 0, xtstamp->sys_monoraw +and xtstamp->sys_realtime are then set to the last update time, as +implicitly expected by adjust_historical_crosststamp(). On other +architectures, the resulting nonsense xtstamp->sys_monoraw and +xtstamp->sys_realtime corrupt the xtstamp (ts) adjustment in +adjust_historical_crosststamp(). + +Fix this by deriving xtstamp->sys_monoraw and xtstamp->sys_realtime from +the last update time when interpolating, by using the local variable +"cycles". The local variable already has the right value when +interpolating, unlike system_counterval.cycles. 
+ +Fixes: 2c756feb18d9 ("time: Add history to cross timestamp interface supporting slower devices") +Signed-off-by: Peter Hilber +Signed-off-by: Thomas Gleixner +Acked-by: John Stultz +Link: https://lore.kernel.org/r/20231218073849.35294-4-peter.hilber@opensynergy.com +Signed-off-by: Sasha Levin +--- + kernel/time/timekeeping.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c +index 6f615db414769..629a07e6a0bfc 100644 +--- a/kernel/time/timekeeping.c ++++ b/kernel/time/timekeeping.c +@@ -1248,10 +1248,8 @@ int get_device_system_crosststamp(int (*get_time_fn) + tk_core.timekeeper.offs_real); + base_raw = tk->tkr_raw.base; + +- nsec_real = timekeeping_cycles_to_ns(&tk->tkr_mono, +- system_counterval.cycles); +- nsec_raw = timekeeping_cycles_to_ns(&tk->tkr_raw, +- system_counterval.cycles); ++ nsec_real = timekeeping_cycles_to_ns(&tk->tkr_mono, cycles); ++ nsec_raw = timekeeping_cycles_to_ns(&tk->tkr_raw, cycles); + } while (read_seqcount_retry(&tk_core.seq, seq)); + + xtstamp->sys_realtime = ktime_add_ns(base_real, nsec_real); +-- +2.43.0 + diff --git a/queue-5.10/timekeeping-fix-cross-timestamp-interpolation-on-cou.patch b/queue-5.10/timekeeping-fix-cross-timestamp-interpolation-on-cou.patch new file mode 100644 index 00000000000..c55d4bb8054 --- /dev/null +++ b/queue-5.10/timekeeping-fix-cross-timestamp-interpolation-on-cou.patch 
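Review bot: The switch from `system_counterval.cycles` to the local `cycles` in the two `timekeeping_cycles_to_ns()` calls is explained only in the commit message. In the code it reads like a simplification, and `system_counterval.cycles` is still used elsewhere in `get_device_system_crosststamp()` (the history check in the corner-case patch above), so the distinction is easy to undo by accident. I would add above the calls: `/* Use cycles, not system_counterval.cycles: when interpolating, cycles was reset to cycle_last. */`. The function starts and continues outside the hunk.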
@@ -0,0 +1,43 @@
+From e8eaf7d47e03167c19431c65a05fc236c4cb0f9e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 18 Dec 2023 08:38:39 +0100
+Subject: timekeeping: Fix cross-timestamp interpolation on counter wrap
+
+From: Peter Hilber
+
+[ Upstream commit 84dccadd3e2a3f1a373826ad71e5ced5e76b0c00 ]
+
+cycle_between() decides whether get_device_system_crosststamp() will
+interpolate for older counter readings.
+
+cycle_between() yields wrong results for a counter wrap-around where after
+< before < test, and for the case after < test < before.
+
+Fix the comparison logic.
+
+Fixes: 2c756feb18d9 ("time: Add history to cross timestamp interface supporting slower devices")
+Signed-off-by: Peter Hilber
+Signed-off-by: Thomas Gleixner
+Acked-by: John Stultz
+Link: https://lore.kernel.org/r/20231218073849.35294-2-peter.hilber@opensynergy.com
+Signed-off-by: Sasha Levin
+---
+ kernel/time/timekeeping.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c
+index d9b48f7a35e0d..6a8a610b19717 100644
+--- a/kernel/time/timekeeping.c
++++ b/kernel/time/timekeeping.c
+@@ -1173,7 +1173,7 @@ static bool cycle_between(u64 before, u64 test, u64 after)
+ {
+ if (test > before && test < after)
+ return true;
+- if (test < before && before > after)
++ if (before > after && (test > before || test < after))
+ return true;
+ return false;
+ }
+--
+2.43.0
+
diff --git a/queue-5.10/udp-fix-incorrect-parameter-validation-in-the-udp_li.patch b/queue-5.10/udp-fix-incorrect-parameter-validation-in-the-udp_li.patch
new file mode 100644
index 00000000000..33e0d1d95ea
--- /dev/null
+++ b/queue-5.10/udp-fix-incorrect-parameter-validation-in-the-udp_li.patch
@@ -0,0 +1,47 @@
+From 5a8a979d77e07872716a53a9bab350905f37ed00 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 7 Mar 2024 14:23:50 +0000
+Subject: udp: fix incorrect parameter validation in the udp_lib_getsockopt()
+ function
+
+From: Gavrilov Ilia
+
+[ Upstream commit 4bb3ba7b74fceec6f558745b25a43c6521cf5506 ]
+
+The 'len' variable can't be negative when assigned the result of
+'min_t' because all 'min_t' parameters are cast to unsigned int,
+and then the minimum one is chosen.
+
+To fix the logic, check 'len' as read from 'optlen',
+where the types of relevant variables are (signed) int.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reviewed-by: Willem de Bruijn
+Signed-off-by: Gavrilov Ilia
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/udp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
+index 476f79f1563a8..b2541c7d7c87f 100644
+--- a/net/ipv4/udp.c
++++ b/net/ipv4/udp.c
+@@ -2748,11 +2748,11 @@ int udp_lib_getsockopt(struct sock *sk, int level, int optname,
+ if (get_user(len, optlen))
+ return -EFAULT;
+
+- len = min_t(unsigned int, len, sizeof(int));
+-
+ if (len < 0)
+ return -EINVAL;
+
++ len = min_t(unsigned int, len, sizeof(int));
++
+ switch (optname) {
+ case UDP_CORK:
+ val = READ_ONCE(up->corkflag);
+--
+2.43.0
+
diff --git a/queue-5.10/watchdog-stm32_iwdg-initialize-default-timeout.patch b/queue-5.10/watchdog-stm32_iwdg-initialize-default-timeout.patch
new file mode 100644
index 00000000000..fecbdb6282e
--- /dev/null
+++ b/queue-5.10/watchdog-stm32_iwdg-initialize-default-timeout.patch
@@ -0,0 +1,59 @@ +From 2160477ac787a4d299b2d59af1d7af8e59afe074 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Feb 2024 13:27:23 -0500 +Subject: watchdog: stm32_iwdg: initialize default timeout + +From: Ben Wolsieffer + +[ Upstream commit dbd7c0088b7f44aa0b9276ed3449df075a7b5b54 ] + +The driver never sets a default timeout value, therefore it is +initialized to zero. When CONFIG_WATCHDOG_HANDLE_BOOT_ENABLED is +enabled, the watchdog is started during probe. The kernel is supposed to +automatically ping the watchdog from this point until userspace takes +over, but this does not happen if the configured timeout is zero. A zero +timeout causes watchdog_need_worker() to return false, so the heartbeat +worker does not run and the system therefore resets soon after the +driver is probed. + +This patch fixes this by setting an arbitrary non-zero default timeout. +The default could be read from the hardware instead, but I didn't see +any reason to add this complexity. + +This has been tested on an STM32F746. 
+ +Fixes: 85fdc63fe256 ("drivers: watchdog: stm32_iwdg: set WDOG_HW_RUNNING at probe") +Signed-off-by: Ben Wolsieffer +Reviewed-by: Guenter Roeck +Link: https://lore.kernel.org/r/20240228182723.12855-1-ben.wolsieffer@hefring.com +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +--- + drivers/watchdog/stm32_iwdg.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/watchdog/stm32_iwdg.c b/drivers/watchdog/stm32_iwdg.c +index 25188d6bbe152..16dd1aab7c676 100644 +--- a/drivers/watchdog/stm32_iwdg.c ++++ b/drivers/watchdog/stm32_iwdg.c +@@ -21,6 +21,8 @@ + #include + #include + ++#define DEFAULT_TIMEOUT 10 ++ + /* IWDG registers */ + #define IWDG_KR 0x00 /* Key register */ + #define IWDG_PR 0x04 /* Prescaler Register */ +@@ -254,6 +256,7 @@ static int stm32_iwdg_probe(struct platform_device *pdev) + wdd->parent = dev; + wdd->info = &stm32_iwdg_info; + wdd->ops = &stm32_iwdg_ops; ++ wdd->timeout = DEFAULT_TIMEOUT; + wdd->min_timeout = DIV_ROUND_UP((RLR_MIN + 1) * PR_MIN, wdt->rate); + wdd->max_hw_heartbeat_ms = ((RLR_MAX + 1) * wdt->data->max_prescaler * + 1000) / wdt->rate; +-- +2.43.0 + diff --git a/queue-5.10/wifi-ath10k-fix-null-pointer-dereference-in-ath10k_w.patch b/queue-5.10/wifi-ath10k-fix-null-pointer-dereference-in-ath10k_w.patch new file mode 100644 index 00000000000..83bbd82e2fd --- /dev/null +++ b/queue-5.10/wifi-ath10k-fix-null-pointer-dereference-in-ath10k_w.patch 
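Review bot: `#define DEFAULT_TIMEOUT 10` carries no unit, and the name is very generic for a driver-local constant. The watchdog core treats `wdd->timeout` as seconds, so `#define DEFAULT_TIMEOUT 10 /* seconds */` would make that explicit. In `stm32_iwdg_probe()` the default is assigned before `wdd->min_timeout` and `wdd->max_hw_heartbeat_ms` are computed from `wdt->rate`, and nothing visible checks that 10 s is not below `min_timeout` for the probed clock rate. The rest of the probe function is outside the hunk, so confirm that a later call validates the value.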
@@ -0,0 +1,42 @@
+From ad6e3a384ed9e966aec5e3736af23bd01dafc26d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 17 Dec 2023 13:29:01 +0200
+Subject: wifi: ath10k: fix NULL pointer dereference in
+ ath10k_wmi_tlv_op_pull_mgmt_tx_compl_ev()
+
+From: Xingyuan Mo
+
+[ Upstream commit ad25ee36f00172f7d53242dc77c69fff7ced0755 ]
+
+We should check whether the WMI_TLV_TAG_STRUCT_MGMT_TX_COMPL_EVENT tlv is
+present before accessing it, otherwise a null pointer deference error will
+occur.
+
+Fixes: dc405152bb64 ("ath10k: handle mgmt tx completion event")
+Signed-off-by: Xingyuan Mo
+Acked-by: Jeff Johnson
+Signed-off-by: Kalle Valo
+Link: https://msgid.link/20231208043433.271449-1-hdthky0@gmail.com
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/ath/ath10k/wmi-tlv.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/ath10k/wmi-tlv.c b/drivers/net/wireless/ath/ath10k/wmi-tlv.c
+index 4f2fbc610d798..0eeb74245372f 100644
+--- a/drivers/net/wireless/ath/ath10k/wmi-tlv.c
++++ b/drivers/net/wireless/ath/ath10k/wmi-tlv.c
+@@ -844,6 +844,10 @@ ath10k_wmi_tlv_op_pull_mgmt_tx_compl_ev(struct ath10k *ar, struct sk_buff *skb,
+ }
+
+ ev = tb[WMI_TLV_TAG_STRUCT_MGMT_TX_COMPL_EVENT];
++ if (!ev) {
++ kfree(tb);
++ return -EPROTO;
++ }
+
+ arg->desc_id = ev->desc_id;
+ arg->status = ev->status;
+--
+2.43.0
+
diff --git a/queue-5.10/wifi-ath9k-delay-all-of-ath9k_wmi_event_tasklet-unti.patch b/queue-5.10/wifi-ath9k-delay-all-of-ath9k_wmi_event_tasklet-unti.patch
new file mode 100644
index 00000000000..6da20c6ccfa
--- /dev/null
+++ b/queue-5.10/wifi-ath9k-delay-all-of-ath9k_wmi_event_tasklet-unti.patch
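Review bot: The new `if (!ev)` guard in `ath10k_wmi_tlv_op_pull_mgmt_tx_compl_ev()` proves the TLV is present, not that it is long enough for the reads that follow (`ev->desc_id`, `ev->status`). The event comes from device firmware, so a short TLV should be rejected the same way as a missing one. Whether the parser that fills `tb[]` enforces a minimum length for `WMI_TLV_TAG_STRUCT_MGMT_TX_COMPL_EVENT` is not visible in this hunk; if it does, a comment next to the guard would record that, e.g. `/* presence only; minimum length is enforced by the TLV policy */`. The function starts and continues outside the hunk.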
@@ -0,0 +1,124 @@ +From e19bf486923dc1967895c1ba16bdbc353db48ed2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Jan 2024 15:02:17 +0100 +Subject: wifi: ath9k: delay all of ath9k_wmi_event_tasklet() until init is + complete +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Toke Høiland-Jørgensen + +[ Upstream commit 24355fcb0d4cbcb6ddda262596558e8cfba70f11 ] + +The ath9k_wmi_event_tasklet() used in ath9k_htc assumes that all the data +structures have been fully initialised by the time it runs. However, because of +the order in which things are initialised, this is not guaranteed to be the +case, because the device is exposed to the USB subsystem before the ath9k driver +initialisation is completed. + +We already committed a partial fix for this in commit: +8b3046abc99e ("ath9k_htc: fix NULL pointer dereference at ath9k_htc_tx_get_packet()") + +However, that commit only aborted the WMI_TXSTATUS_EVENTID command in the event +tasklet, pairing it with an "initialisation complete" bit in the TX struct. It +seems syzbot managed to trigger the race for one of the other commands as well, +so let's just move the existing synchronisation bit to cover the whole +tasklet (setting it at the end of ath9k_htc_probe_device() instead of inside +ath9k_tx_init()). 
+ +Link: https://lore.kernel.org/r/ed1d2c66-1193-4c81-9542-d514c29ba8b8.bugreport@ubisectech.com +Fixes: 8b3046abc99e ("ath9k_htc: fix NULL pointer dereference at ath9k_htc_tx_get_packet()") +Reported-by: Ubisectech Sirius +Signed-off-by: Toke Høiland-Jørgensen +Signed-off-by: Kalle Valo +Link: https://msgid.link/20240126140218.1033443-1-toke@toke.dk +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/htc.h | 2 +- + drivers/net/wireless/ath/ath9k/htc_drv_init.c | 4 ++++ + drivers/net/wireless/ath/ath9k/htc_drv_txrx.c | 4 ---- + drivers/net/wireless/ath/ath9k/wmi.c | 10 ++++++---- + 4 files changed, 11 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath9k/htc.h b/drivers/net/wireless/ath/ath9k/htc.h +index 237f4ec2cffd7..6c33e898b3000 100644 +--- a/drivers/net/wireless/ath/ath9k/htc.h ++++ b/drivers/net/wireless/ath/ath9k/htc.h +@@ -306,7 +306,6 @@ struct ath9k_htc_tx { + DECLARE_BITMAP(tx_slot, MAX_TX_BUF_NUM); + struct timer_list cleanup_timer; + spinlock_t tx_lock; +- bool initialized; + }; + + struct ath9k_htc_tx_ctl { +@@ -515,6 +514,7 @@ struct ath9k_htc_priv { + unsigned long ps_usecount; + bool ps_enabled; + bool ps_idle; ++ bool initialized; + + #ifdef CONFIG_MAC80211_LEDS + enum led_brightness brightness; +diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_init.c b/drivers/net/wireless/ath/ath9k/htc_drv_init.c +index 96a3185a96d75..b014185373f34 100644 +--- a/drivers/net/wireless/ath/ath9k/htc_drv_init.c ++++ b/drivers/net/wireless/ath/ath9k/htc_drv_init.c +@@ -966,6 +966,10 @@ int ath9k_htc_probe_device(struct htc_target *htc_handle, struct device *dev, + + htc_handle->drv_priv = priv; + ++ /* Allow ath9k_wmi_event_tasklet() to operate. 
*/ ++ smp_wmb(); ++ priv->initialized = true; ++ + return 0; + + err_init: +diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c +index 5037142c5a822..95146ec754d5c 100644 +--- a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c ++++ b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c +@@ -810,10 +810,6 @@ int ath9k_tx_init(struct ath9k_htc_priv *priv) + skb_queue_head_init(&priv->tx.data_vo_queue); + skb_queue_head_init(&priv->tx.tx_failed); + +- /* Allow ath9k_wmi_event_tasklet(WMI_TXSTATUS_EVENTID) to operate. */ +- smp_wmb(); +- priv->tx.initialized = true; +- + return 0; + } + +diff --git a/drivers/net/wireless/ath/ath9k/wmi.c b/drivers/net/wireless/ath/ath9k/wmi.c +index 1476b42b52a91..805ad31edba2b 100644 +--- a/drivers/net/wireless/ath/ath9k/wmi.c ++++ b/drivers/net/wireless/ath/ath9k/wmi.c +@@ -155,6 +155,12 @@ void ath9k_wmi_event_tasklet(struct tasklet_struct *t) + } + spin_unlock_irqrestore(&wmi->wmi_lock, flags); + ++ /* Check if ath9k_htc_probe_device() completed. */ ++ if (!data_race(priv->initialized)) { ++ kfree_skb(skb); ++ continue; ++ } ++ + hdr = (struct wmi_cmd_hdr *) skb->data; + cmd_id = be16_to_cpu(hdr->command_id); + wmi_event = skb_pull(skb, sizeof(struct wmi_cmd_hdr)); +@@ -169,10 +175,6 @@ void ath9k_wmi_event_tasklet(struct tasklet_struct *t) + &wmi->drv_priv->fatal_work); + break; + case WMI_TXSTATUS_EVENTID: +- /* Check if ath9k_tx_init() completed. */ +- if (!data_race(priv->tx.initialized)) +- break; +- + spin_lock_bh(&priv->tx.tx_lock); + if (priv->tx.flags & ATH9K_HTC_OP_TX_DRAIN) { + spin_unlock_bh(&priv->tx.tx_lock); +-- +2.43.0 + diff --git a/queue-5.10/wifi-b43-disable-qos-for-bcm4331.patch b/queue-5.10/wifi-b43-disable-qos-for-bcm4331.patch new file mode 100644 index 00000000000..94b3c7203b3 --- /dev/null +++ b/queue-5.10/wifi-b43-disable-qos-for-bcm4331.patch 
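Review bot: The writer in `ath9k_htc_probe_device()` orders its stores with `smp_wmb()` before `priv->initialized = true`, but the reader added to `ath9k_wmi_event_tasklet()` is a plain `data_race(priv->initialized)` with no read-side barrier. Without a paired barrier, a weakly ordered CPU may observe the flag as set and still load stale `priv` fields in the `switch` that follows. An acquire/release pair states the intent directly: `smp_store_release(&priv->initialized, true);` in probe and `if (!smp_load_acquire(&priv->initialized)) {` in the tasklet. Both functions continue outside their hunks.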
@@ -0,0 +1,68 @@
+From 0dfb9f523bc6523a9da5e529e66705a29068ff22 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 31 Dec 2023 05:03:58 +0000
+Subject: wifi: b43: Disable QoS for bcm4331
+
+From: Rahul Rameshbabu
+
+[ Upstream commit 09795bded2e725443fe4a4803cae2079cdaf7b26 ]
+
+bcm4331 seems to not function correctly with QoS support. This may be due
+to issues with currently available firmware or potentially a device
+specific issue.
+
+When queues that are not of the default "best effort" priority are
+selected, traffic appears to not transmit out of the hardware while no
+errors are returned. This behavior is present among all the other priority
+queues: video, voice, and background. While this can be worked around by
+setting a kernel parameter, the default behavior is problematic for most
+users and may be difficult to debug. This patch offers a working out-of-box
+experience for bcm4331 users.
+
+Log of the issue (using ssh low-priority traffic as an example):
+ ssh -T -vvvv git@github.com
+ OpenSSH_9.6p1, OpenSSL 3.0.12 24 Oct 2023
+ debug1: Reading configuration data /etc/ssh/ssh_config
+ debug2: checking match for 'host * exec "/nix/store/q1c2flcykgr4wwg5a6h450hxbk4ch589-bash-5.2-p15/bin/bash -c '/nix/store/c015armnkhr6v18za0rypm7sh1i8js8w-gnupg-2.4.1/bin/gpg-connect-agent --quiet updatestartuptty /bye >/dev/null 2>&1'"' host github.com originally github.com
+ debug3: /etc/ssh/ssh_config line 5: matched 'host "github.com"'
+ debug1: Executing command: '/nix/store/q1c2flcykgr4wwg5a6h450hxbk4ch589-bash-5.2-p15/bin/bash -c '/nix/store/c015armnkhr6v18za0rypm7sh1i8js8w-gnupg-2.4.1/bin/gpg-connect-agent --quiet updatestartuptty /bye >/dev/null 2>&1''
+ debug3: command returned status 0
+ debug3: /etc/ssh/ssh_config line 5: matched 'exec "/nix/store/q1c2flcykgr4wwg5a6h450hxbk4ch589-bash-5.2-p15/bin/bash -c '/nix/store/c015armnkhr6v18za0r"'
+ debug2: match found
+ debug1: /etc/ssh/ssh_config line 9: Applying options for *
+ debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/home/binary-eater/.ssh/known_hosts'
+ debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/home/binary-eater/.ssh/known_hosts2'
+ debug2: resolving "github.com" port 22
+ debug3: resolve_host: lookup github.com:22
+ debug3: channel_clear_timeouts: clearing
+ debug3: ssh_connect_direct: entering
+ debug1: Connecting to github.com [192.30.255.113] port 22.
+ debug3: set_sock_tos: set socket 3 IP_TOS 0x48
+
+Fixes: e6f5b934fba8 ("b43: Add QOS support")
+Signed-off-by: Rahul Rameshbabu
+Reviewed-by: Julian Calaby
+Signed-off-by: Kalle Valo
+Link: https://msgid.link/20231231050300.122806-5-sergeantsagara@protonmail.com
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/broadcom/b43/main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/broadcom/b43/main.c b/drivers/net/wireless/broadcom/b43/main.c
+index 6100c0d2a7f3c..29f97ab9b72a6 100644
+--- a/drivers/net/wireless/broadcom/b43/main.c
++++ b/drivers/net/wireless/broadcom/b43/main.c
+@@ -2587,7 +2587,8 @@ static void b43_request_firmware(struct work_struct *work)
+
+ start_ieee80211:
+ wl->hw->queues = B43_QOS_QUEUE_NUM;
+- if (!modparam_qos || dev->fw.opensource)
++ if (!modparam_qos || dev->fw.opensource ||
++ dev->dev->chip_id == BCMA_CHIP_ID_BCM4331)
+ wl->hw->queues = 1;
+
+ err = ieee80211_register_hw(wl->hw);
+--
+2.43.0
+
diff --git a/queue-5.10/wifi-b43-stop-correct-queue-in-dma-worker-when-qos-i.patch b/queue-5.10/wifi-b43-stop-correct-queue-in-dma-worker-when-qos-i.patch
new file mode 100644
index 00000000000..97c3e742c6c
--- /dev/null
+++ b/queue-5.10/wifi-b43-stop-correct-queue-in-dma-worker-when-qos-i.patch
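Review bot: The new `dev->dev->chip_id == BCMA_CHIP_ID_BCM4331` term in `b43_request_firmware()` drops to one queue for this chip, but nothing in the hunk touches `dev->qos_enabled`, which the `b43_stop_queue()`/`b43_wake_queue()` helpers added elsewhere in this queue use to pick the queue index. Where `qos_enabled` is assigned is not visible here, so it should be confirmed that it ends up false for BCM4331 (and for `dev->fw.opensource`); otherwise the helpers would still pass the caller's priority to a one-queue `ieee80211_hw`. The condition would also read better with a comment saying why the chip is excluded, e.g. `/* BCM4331 does not transmit on non-best-effort queues, so run with a single queue */`.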
@@ -0,0 +1,66 @@
+From 1ec48c3a9a3b2317b445a9929226d2481346d0f2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 31 Dec 2023 05:03:51 +0000
+Subject: wifi: b43: Stop correct queue in DMA worker when QoS is disabled
+
+From: Rahul Rameshbabu
+
+[ Upstream commit 581c8967d66c4961076dbbee356834e9c6777184 ]
+
+When QoS is disabled, the queue priority value will not map to the correct
+ieee80211 queue since there is only one queue. Stop queue 0 when QoS is
+disabled to prevent trying to stop a non-existent queue and failing to stop
+the actual queue instantiated.
+
+Fixes: bad691946966 ("b43: avoid packet losses in the dma worker code.")
+Signed-off-by: Rahul Rameshbabu
+Reviewed-by: Julian Calaby
+Signed-off-by: Kalle Valo
+Link: https://msgid.link/20231231050300.122806-4-sergeantsagara@protonmail.com
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/broadcom/b43/main.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/wireless/broadcom/b43/main.c b/drivers/net/wireless/broadcom/b43/main.c
+index f175dbaffc300..6100c0d2a7f3c 100644
+--- a/drivers/net/wireless/broadcom/b43/main.c
++++ b/drivers/net/wireless/broadcom/b43/main.c
+@@ -3603,7 +3603,7 @@ static void b43_tx_work(struct work_struct *work)
+ err = b43_dma_tx(dev, skb);
+ if (err == -ENOSPC) {
+ wl->tx_queue_stopped[queue_num] = true;
+- ieee80211_stop_queue(wl->hw, queue_num);
++ b43_stop_queue(dev, queue_num);
+ skb_queue_head(&wl->tx_queue[queue_num], skb);
+ break;
+ }
+@@ -3627,6 +3627,7 @@ static void b43_op_tx(struct ieee80211_hw *hw,
+ struct sk_buff *skb)
+ {
+ struct b43_wl *wl = hw_to_b43_wl(hw);
++ u16 skb_queue_mapping;
+
+ if (unlikely(skb->len < 2 + 2 + 6)) {
+ /* Too short, this can't be a valid frame. */
+@@ -3635,12 +3636,12 @@ static void b43_op_tx(struct ieee80211_hw *hw,
+ }
+ B43_WARN_ON(skb_shinfo(skb)->nr_frags);
+
+- skb_queue_tail(&wl->tx_queue[skb->queue_mapping], skb);
+- if (!wl->tx_queue_stopped[skb->queue_mapping]) {
++ skb_queue_mapping = skb_get_queue_mapping(skb);
++ skb_queue_tail(&wl->tx_queue[skb_queue_mapping], skb);
++ if (!wl->tx_queue_stopped[skb_queue_mapping])
+ ieee80211_queue_work(wl->hw, &wl->tx_work);
+- } else {
+- ieee80211_stop_queue(wl->hw, skb->queue_mapping);
+- }
++ else
++ b43_stop_queue(wl->current_dev, skb_queue_mapping);
+ }
+
+ static void b43_qos_params_upload(struct b43_wldev *dev,
+--
+2.43.0
+
diff --git a/queue-5.10/wifi-b43-stop-wake-correct-queue-in-dma-tx-path-when.patch b/queue-5.10/wifi-b43-stop-wake-correct-queue-in-dma-tx-path-when.patch
new file mode 100644
index 00000000000..57f6c36b99d
--- /dev/null
+++ b/queue-5.10/wifi-b43-stop-wake-correct-queue-in-dma-tx-path-when.patch
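Review bot: In `b43_op_tx()` the stopped-queue branch now calls `b43_stop_queue(wl->current_dev, skb_queue_mapping)`, and that helper reads `dev->qos_enabled`, so `wl->current_dev` is dereferenced where the old `ieee80211_stop_queue(wl->hw, ...)` call needed only `wl->hw`. Nothing in the hunk checks the pointer or takes a lock, so if `current_dev` can be NULL or change while mac80211 is still calling the tx op, this is a new NULL dereference; the rest of the driver is not visible, so that needs confirming. A local with a guard would make the assumption explicit: `struct b43_wldev *dev = wl->current_dev;` and then `if (dev) b43_stop_queue(dev, skb_queue_mapping);`. `skb_queue_mapping` is also still used unchecked as an index into `wl->tx_queue[]` and `wl->tx_queue_stopped[]`, as it was before the change.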
@@ -0,0 +1,167 @@ +From ee8259e069114d3e955b471b9367a201b839d1a8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 31 Dec 2023 05:03:33 +0000 +Subject: wifi: b43: Stop/wake correct queue in DMA Tx path when QoS is + disabled + +From: Rahul Rameshbabu + +[ Upstream commit 9636951e4468f02c72cc75a82dc65d003077edbc ] + +When QoS is disabled, the queue priority value will not map to the correct +ieee80211 queue since there is only one queue. Stop/wake queue 0 when QoS +is disabled to prevent trying to stop/wake a non-existent queue and failing +to stop/wake the actual queue instantiated. + +Log of issue before change (with kernel parameter qos=0): + [ +5.112651] ------------[ cut here ]------------ + [ +0.000005] WARNING: CPU: 7 PID: 25513 at net/mac80211/util.c:449 __ieee80211_wake_queue+0xd5/0x180 [mac80211] + [ +0.000067] Modules linked in: b43(O) snd_seq_dummy snd_hrtimer snd_seq snd_seq_device nft_chain_nat xt_MASQUERADE nf_nat xfrm_user xfrm_algo xt_addrtype overlay ccm af_packet amdgpu snd_hda_codec_cirrus snd_hda_codec_generic ledtrig_audio drm_exec amdxcp gpu_sched xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip6t_rpfilter ipt_rpfilter xt_pkttype xt_LOG nf_log_syslog xt_tcpudp nft_compat nf_tables nfnetlink sch_fq_codel btusb uinput iTCO_wdt ctr btrtl intel_pmc_bxt i915 intel_rapl_msr mei_hdcp mei_pxp joydev at24 watchdog btintel atkbd libps2 serio radeon btbcm vivaldi_fmap btmtk intel_rapl_common snd_hda_codec_hdmi bluetooth uvcvideo nls_iso8859_1 applesmc nls_cp437 x86_pkg_temp_thermal snd_hda_intel intel_powerclamp vfat videobuf2_vmalloc coretemp fat snd_intel_dspcfg crc32_pclmul uvc polyval_clmulni snd_intel_sdw_acpi loop videobuf2_memops snd_hda_codec tun drm_suballoc_helper polyval_generic drm_ttm_helper drm_buddy tap ecdh_generic videobuf2_v4l2 gf128mul macvlan ttm ghash_clmulni_intel ecc tg3 + [ +0.000044] videodev bridge snd_hda_core rapl crc16 drm_display_helper cec mousedev snd_hwdep evdev intel_cstate bcm5974 hid_appleir 
videobuf2_common stp mac_hid libphy snd_pcm drm_kms_helper acpi_als mei_me intel_uncore llc mc snd_timer intel_gtt industrialio_triggered_buffer apple_mfi_fastcharge i2c_i801 mei snd lpc_ich agpgart ptp i2c_smbus thunderbolt apple_gmux i2c_algo_bit kfifo_buf video industrialio soundcore pps_core wmi tiny_power_button sbs sbshc button ac cordic bcma mac80211 cfg80211 ssb rfkill libarc4 kvm_intel kvm drm irqbypass fuse backlight firmware_class efi_pstore configfs efivarfs dmi_sysfs ip_tables x_tables autofs4 dm_crypt cbc encrypted_keys trusted asn1_encoder tee tpm rng_core input_leds hid_apple led_class hid_generic usbhid hid sd_mod t10_pi crc64_rocksoft crc64 crc_t10dif crct10dif_generic ahci libahci libata uhci_hcd ehci_pci ehci_hcd crct10dif_pclmul crct10dif_common sha512_ssse3 sha512_generic sha256_ssse3 sha1_ssse3 aesni_intel usbcore scsi_mod libaes crypto_simd cryptd scsi_common + [ +0.000055] usb_common rtc_cmos btrfs blake2b_generic libcrc32c crc32c_generic crc32c_intel xor raid6_pq dm_snapshot dm_bufio dm_mod dax [last unloaded: b43(O)] + [ +0.000009] CPU: 7 PID: 25513 Comm: irq/17-b43 Tainted: G W O 6.6.7 #1-NixOS + [ +0.000003] Hardware name: Apple Inc. 
MacBookPro8,3/Mac-942459F5819B171B, BIOS 87.0.0.0.0 06/13/2019 + [ +0.000001] RIP: 0010:__ieee80211_wake_queue+0xd5/0x180 [mac80211] + [ +0.000046] Code: 00 45 85 e4 0f 85 9b 00 00 00 48 8d bd 40 09 00 00 f0 48 0f ba ad 48 09 00 00 00 72 0f 5b 5d 41 5c 41 5d 41 5e e9 cb 6d 3c d0 <0f> 0b 5b 5d 41 5c 41 5d 41 5e c3 cc cc cc cc 48 8d b4 16 94 00 00 + [ +0.000002] RSP: 0018:ffffc90003c77d60 EFLAGS: 00010097 + [ +0.000001] RAX: 0000000000000001 RBX: 0000000000000002 RCX: 0000000000000000 + [ +0.000001] RDX: 0000000000000000 RSI: 0000000000000002 RDI: ffff88820b924900 + [ +0.000002] RBP: ffff88820b924900 R08: ffffc90003c77d90 R09: 000000000003bfd0 + [ +0.000001] R10: ffff88820b924900 R11: ffffc90003c77c68 R12: 0000000000000000 + [ +0.000001] R13: 0000000000000000 R14: ffffc90003c77d90 R15: ffffffffc0fa6f40 + [ +0.000001] FS: 0000000000000000(0000) GS:ffff88846fb80000(0000) knlGS:0000000000000000 + [ +0.000001] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + [ +0.000001] CR2: 00007fafda7ae008 CR3: 000000046d220005 CR4: 00000000000606e0 + [ +0.000002] Call Trace: + [ +0.000003] + [ +0.000001] ? __ieee80211_wake_queue+0xd5/0x180 [mac80211] + [ +0.000044] ? __warn+0x81/0x130 + [ +0.000005] ? __ieee80211_wake_queue+0xd5/0x180 [mac80211] + [ +0.000045] ? report_bug+0x171/0x1a0 + [ +0.000004] ? handle_bug+0x41/0x70 + [ +0.000004] ? exc_invalid_op+0x17/0x70 + [ +0.000003] ? asm_exc_invalid_op+0x1a/0x20 + [ +0.000005] ? __ieee80211_wake_queue+0xd5/0x180 [mac80211] + [ +0.000043] ieee80211_wake_queue+0x4a/0x80 [mac80211] + [ +0.000044] b43_dma_handle_txstatus+0x29c/0x3a0 [b43] + [ +0.000016] ? __pfx_irq_thread_fn+0x10/0x10 + [ +0.000002] b43_handle_txstatus+0x61/0x80 [b43] + [ +0.000012] b43_interrupt_thread_handler+0x3f9/0x6b0 [b43] + [ +0.000011] irq_thread_fn+0x23/0x60 + [ +0.000002] irq_thread+0xfe/0x1c0 + [ +0.000002] ? __pfx_irq_thread_dtor+0x10/0x10 + [ +0.000001] ? __pfx_irq_thread+0x10/0x10 + [ +0.000001] kthread+0xe8/0x120 + [ +0.000003] ? 
__pfx_kthread+0x10/0x10 + [ +0.000003] ret_from_fork+0x34/0x50 + [ +0.000002] ? __pfx_kthread+0x10/0x10 + [ +0.000002] ret_from_fork_asm+0x1b/0x30 + [ +0.000004] + [ +0.000001] ---[ end trace 0000000000000000 ]--- + + [ +0.000065] ------------[ cut here ]------------ + [ +0.000001] WARNING: CPU: 0 PID: 56077 at net/mac80211/util.c:514 __ieee80211_stop_queue+0xcc/0xe0 [mac80211] + [ +0.000077] Modules linked in: b43(O) snd_seq_dummy snd_hrtimer snd_seq snd_seq_device nft_chain_nat xt_MASQUERADE nf_nat xfrm_user xfrm_algo xt_addrtype overlay ccm af_packet amdgpu snd_hda_codec_cirrus snd_hda_codec_generic ledtrig_audio drm_exec amdxcp gpu_sched xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip6t_rpfilter ipt_rpfilter xt_pkttype xt_LOG nf_log_syslog xt_tcpudp nft_compat nf_tables nfnetlink sch_fq_codel btusb uinput iTCO_wdt ctr btrtl intel_pmc_bxt i915 intel_rapl_msr mei_hdcp mei_pxp joydev at24 watchdog btintel atkbd libps2 serio radeon btbcm vivaldi_fmap btmtk intel_rapl_common snd_hda_codec_hdmi bluetooth uvcvideo nls_iso8859_1 applesmc nls_cp437 x86_pkg_temp_thermal snd_hda_intel intel_powerclamp vfat videobuf2_vmalloc coretemp fat snd_intel_dspcfg crc32_pclmul uvc polyval_clmulni snd_intel_sdw_acpi loop videobuf2_memops snd_hda_codec tun drm_suballoc_helper polyval_generic drm_ttm_helper drm_buddy tap ecdh_generic videobuf2_v4l2 gf128mul macvlan ttm ghash_clmulni_intel ecc tg3 + [ +0.000073] videodev bridge snd_hda_core rapl crc16 drm_display_helper cec mousedev snd_hwdep evdev intel_cstate bcm5974 hid_appleir videobuf2_common stp mac_hid libphy snd_pcm drm_kms_helper acpi_als mei_me intel_uncore llc mc snd_timer intel_gtt industrialio_triggered_buffer apple_mfi_fastcharge i2c_i801 mei snd lpc_ich agpgart ptp i2c_smbus thunderbolt apple_gmux i2c_algo_bit kfifo_buf video industrialio soundcore pps_core wmi tiny_power_button sbs sbshc button ac cordic bcma mac80211 cfg80211 ssb rfkill libarc4 kvm_intel kvm drm irqbypass fuse backlight firmware_class 
efi_pstore configfs efivarfs dmi_sysfs ip_tables x_tables autofs4 dm_crypt cbc encrypted_keys trusted asn1_encoder tee tpm rng_core input_leds hid_apple led_class hid_generic usbhid hid sd_mod t10_pi crc64_rocksoft crc64 crc_t10dif crct10dif_generic ahci libahci libata uhci_hcd ehci_pci ehci_hcd crct10dif_pclmul crct10dif_common sha512_ssse3 sha512_generic sha256_ssse3 sha1_ssse3 aesni_intel usbcore scsi_mod libaes crypto_simd cryptd scsi_common + [ +0.000084] usb_common rtc_cmos btrfs blake2b_generic libcrc32c crc32c_generic crc32c_intel xor raid6_pq dm_snapshot dm_bufio dm_mod dax [last unloaded: b43] + [ +0.000012] CPU: 0 PID: 56077 Comm: kworker/u16:17 Tainted: G W O 6.6.7 #1-NixOS + [ +0.000003] Hardware name: Apple Inc. MacBookPro8,3/Mac-942459F5819B171B, BIOS 87.0.0.0.0 06/13/2019 + [ +0.000001] Workqueue: phy7 b43_tx_work [b43] + [ +0.000019] RIP: 0010:__ieee80211_stop_queue+0xcc/0xe0 [mac80211] + [ +0.000076] Code: 74 11 48 8b 78 08 0f b7 d6 89 e9 4c 89 e6 e8 ab f4 00 00 65 ff 0d 9c b7 34 3f 0f 85 55 ff ff ff 0f 1f 44 00 00 e9 4b ff ff ff <0f> 0b 5b 5d 41 5c 41 5d c3 cc cc cc cc 0f 1f 80 00 00 00 00 90 90 + [ +0.000002] RSP: 0000:ffffc90004157d50 EFLAGS: 00010097 + [ +0.000002] RAX: 0000000000000001 RBX: 0000000000000002 RCX: 0000000000000000 + [ +0.000002] RDX: 0000000000000000 RSI: 0000000000000002 RDI: ffff8882d65d0900 + [ +0.000002] RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000001 + [ +0.000001] R10: 00000000000000ff R11: ffff88814d0155a0 R12: ffff8882d65d0900 + [ +0.000002] R13: 0000000000000000 R14: ffff8881002d2800 R15: 00000000000000d0 + [ +0.000002] FS: 0000000000000000(0000) GS:ffff88846f800000(0000) knlGS:0000000000000000 + [ +0.000003] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + [ +0.000002] CR2: 00007f2e8c10c880 CR3: 0000000385b66005 CR4: 00000000000606f0 + [ +0.000002] Call Trace: + [ +0.000001] + [ +0.000001] ? __ieee80211_stop_queue+0xcc/0xe0 [mac80211] + [ +0.000075] ? __warn+0x81/0x130 + [ +0.000004] ? 
__ieee80211_stop_queue+0xcc/0xe0 [mac80211] + [ +0.000075] ? report_bug+0x171/0x1a0 + [ +0.000005] ? handle_bug+0x41/0x70 + [ +0.000003] ? exc_invalid_op+0x17/0x70 + [ +0.000004] ? asm_exc_invalid_op+0x1a/0x20 + [ +0.000004] ? __ieee80211_stop_queue+0xcc/0xe0 [mac80211] + [ +0.000076] ieee80211_stop_queue+0x36/0x50 [mac80211] + [ +0.000077] b43_dma_tx+0x550/0x780 [b43] + [ +0.000023] b43_tx_work+0x90/0x130 [b43] + [ +0.000018] process_one_work+0x174/0x340 + [ +0.000003] worker_thread+0x27b/0x3a0 + [ +0.000004] ? __pfx_worker_thread+0x10/0x10 + [ +0.000002] kthread+0xe8/0x120 + [ +0.000003] ? __pfx_kthread+0x10/0x10 + [ +0.000004] ret_from_fork+0x34/0x50 + [ +0.000002] ? __pfx_kthread+0x10/0x10 + [ +0.000003] ret_from_fork_asm+0x1b/0x30 + [ +0.000006] + [ +0.000001] ---[ end trace 0000000000000000 ]--- + +Fixes: e6f5b934fba8 ("b43: Add QOS support") +Signed-off-by: Rahul Rameshbabu +Reviewed-by: Julian Calaby +Signed-off-by: Kalle Valo +Link: https://msgid.link/20231231050300.122806-2-sergeantsagara@protonmail.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/broadcom/b43/b43.h | 16 ++++++++++++++++ + drivers/net/wireless/broadcom/b43/dma.c | 4 ++-- + 2 files changed, 18 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/broadcom/b43/b43.h b/drivers/net/wireless/broadcom/b43/b43.h +index 67b4bac048e58..c0d8fc0b22fb2 100644 +--- a/drivers/net/wireless/broadcom/b43/b43.h ++++ b/drivers/net/wireless/broadcom/b43/b43.h +@@ -1082,6 +1082,22 @@ static inline bool b43_using_pio_transfers(struct b43_wldev *dev) + return dev->__using_pio_transfers; + } + ++static inline void b43_wake_queue(struct b43_wldev *dev, int queue_prio) ++{ ++ if (dev->qos_enabled) ++ ieee80211_wake_queue(dev->wl->hw, queue_prio); ++ else ++ ieee80211_wake_queue(dev->wl->hw, 0); ++} ++ ++static inline void b43_stop_queue(struct b43_wldev *dev, int queue_prio) ++{ ++ if (dev->qos_enabled) ++ ieee80211_stop_queue(dev->wl->hw, queue_prio); ++ else ++ 
ieee80211_stop_queue(dev->wl->hw, 0); ++} ++ + /* Message printing */ + __printf(2, 3) void b43info(struct b43_wl *wl, const char *fmt, ...); + __printf(2, 3) void b43err(struct b43_wl *wl, const char *fmt, ...); +diff --git a/drivers/net/wireless/broadcom/b43/dma.c b/drivers/net/wireless/broadcom/b43/dma.c +index 9a7c62bd5e431..cfaf2f9d67b22 100644 +--- a/drivers/net/wireless/broadcom/b43/dma.c ++++ b/drivers/net/wireless/broadcom/b43/dma.c +@@ -1399,7 +1399,7 @@ int b43_dma_tx(struct b43_wldev *dev, struct sk_buff *skb) + should_inject_overflow(ring)) { + /* This TX ring is full. */ + unsigned int skb_mapping = skb_get_queue_mapping(skb); +- ieee80211_stop_queue(dev->wl->hw, skb_mapping); ++ b43_stop_queue(dev, skb_mapping); + dev->wl->tx_queue_stopped[skb_mapping] = true; + ring->stopped = true; + if (b43_debug(dev, B43_DBG_DMAVERBOSE)) { +@@ -1570,7 +1570,7 @@ void b43_dma_handle_txstatus(struct b43_wldev *dev, + } else { + /* If the driver queue is running wake the corresponding + * mac80211 queue. */ +- ieee80211_wake_queue(dev->wl->hw, ring->queue_prio); ++ b43_wake_queue(dev, ring->queue_prio); + if (b43_debug(dev, B43_DBG_DMAVERBOSE)) { + b43dbg(dev->wl, "Woke up TX ring %d\n", ring->index); + } +-- +2.43.0 + diff --git a/queue-5.10/wifi-b43-stop-wake-correct-queue-in-pio-tx-path-when.patch b/queue-5.10/wifi-b43-stop-wake-correct-queue-in-pio-tx-path-when.patch new file mode 100644 index 00000000000..1401d27bfe2 --- /dev/null +++ b/queue-5.10/wifi-b43-stop-wake-correct-queue-in-pio-tx-path-when.patch 
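Review bot: `b43_wake_queue()` and `b43_stop_queue()` in b43.h carry no comment stating their contract, and each repeats the mac80211 call in both branches. A one-line comment above the pair such as `/* With QoS disabled mac80211 has a single queue, so always act on queue 0. */`, plus a single call like `ieee80211_stop_queue(dev->wl->hw, dev->qos_enabled ? queue_prio : 0);` (and the same for wake), would say the same thing with less code. When QoS is enabled `queue_prio` is passed through as-is; the callers in dma.c hand in `skb_get_queue_mapping(skb)` and `ring->queue_prio`, so the helpers rely on those already being valid queue numbers.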
@@ -0,0 +1,59 @@
+From 15c13277fdc7f05930d4ddce6e448975356e087c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 31 Dec 2023 05:03:45 +0000
+Subject: wifi: b43: Stop/wake correct queue in PIO Tx path when QoS is
+ disabled
+
+From: Rahul Rameshbabu
+
+[ Upstream commit 77135a38f6c2f950d2306ac3d37cbb407e6243f2 ]
+
+When QoS is disabled, the queue priority value will not map to the correct
+ieee80211 queue since there is only one queue. Stop/wake queue 0 when QoS
+is disabled to prevent trying to stop/wake a non-existent queue and failing
+to stop/wake the actual queue instantiated.
+
+Fixes: 5100d5ac81b9 ("b43: Add PIO support for PCMCIA devices")
+Signed-off-by: Rahul Rameshbabu
+Reviewed-by: Julian Calaby
+Signed-off-by: Kalle Valo
+Link: https://msgid.link/20231231050300.122806-3-sergeantsagara@protonmail.com
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/broadcom/b43/pio.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/broadcom/b43/pio.c b/drivers/net/wireless/broadcom/b43/pio.c
+index 8c28a9250cd19..cc19b589fa70d 100644
+--- a/drivers/net/wireless/broadcom/b43/pio.c
++++ b/drivers/net/wireless/broadcom/b43/pio.c
+@@ -525,7 +525,7 @@ int b43_pio_tx(struct b43_wldev *dev, struct sk_buff *skb)
+ if (total_len > (q->buffer_size - q->buffer_used)) {
+ /* Not enough memory on the queue. */
+ err = -EBUSY;
+- ieee80211_stop_queue(dev->wl->hw, skb_get_queue_mapping(skb));
++ b43_stop_queue(dev, skb_get_queue_mapping(skb));
+ q->stopped = true;
+ goto out;
+ }
+@@ -552,7 +552,7 @@ int b43_pio_tx(struct b43_wldev *dev, struct sk_buff *skb)
+ if (((q->buffer_size - q->buffer_used) < roundup(2 + 2 + 6, 4)) ||
+ (q->free_packet_slots == 0)) {
+ /* The queue is full. */
+- ieee80211_stop_queue(dev->wl->hw, skb_get_queue_mapping(skb));
++ b43_stop_queue(dev, skb_get_queue_mapping(skb));
+ q->stopped = true;
+ }
+
+@@ -587,7 +587,7 @@ void b43_pio_handle_txstatus(struct b43_wldev *dev,
+ list_add(&pack->list, &q->packets_list);
+
+ if (q->stopped) {
+- ieee80211_wake_queue(dev->wl->hw, q->queue_prio);
++ b43_wake_queue(dev, q->queue_prio);
+ q->stopped = false;
+ }
+ }
+--
+2.43.0
+
diff --git a/queue-5.10/wifi-brcmsmac-avoid-function-pointer-casts.patch b/queue-5.10/wifi-brcmsmac-avoid-function-pointer-casts.patch
new file mode 100644
index 00000000000..2ad02dfa52b
--- /dev/null
+++ b/queue-5.10/wifi-brcmsmac-avoid-function-pointer-casts.patch
@@ -0,0 +1,81 @@
+From 63a4e436ca9511d4aaf660aada2f6ac7afa3b24c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 13 Feb 2024 11:05:37 +0100
+Subject: wifi: brcmsmac: avoid function pointer casts
+
+From: Arnd Bergmann
+
+[ Upstream commit e1ea6db35fc3ba5ff063f097385e9f7a88c25356 ]
+
+An old cleanup went a little too far and causes a warning with clang-16
+and higher as it breaks control flow integrity (KCFI) rules:
+
+drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy_shim.c:64:34: error: cast from 'void (*)(struct brcms_phy *)' to 'void (*)(void *)' converts to incompatible function type [-Werror,-Wcast-function-type-strict]
+ 64 | brcms_init_timer(physhim->wl, (void (*)(void *))fn,
+ | ^~~~~~~~~~~~~~~~~~~~
+
+Change this one instance back to passing a void pointer so it can be
+used with the timer callback interface.
+
+Fixes: d89a4c80601d ("staging: brcm80211: removed void * from softmac phy")
+Signed-off-by: Arnd Bergmann
+Acked-by: Arend van Spriel
+Signed-off-by: Kalle Valo
+Link: https://msgid.link/20240213100548.457854-1-arnd@kernel.org
+Signed-off-by: Sasha Levin
+---
+ .../net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_cmn.c | 3 ++-
+ drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy_shim.c | 5 ++---
+ drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy_shim.h | 2 +-
+ 3 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_cmn.c b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_cmn.c
+index ccc621b8ed9f2..4a1fe982a948e 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_cmn.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_cmn.c
+@@ -383,8 +383,9 @@ struct shared_phy *wlc_phy_shared_attach(struct shared_phy_params *shp)
+ return sh;
+ }
+
+-static void wlc_phy_timercb_phycal(struct brcms_phy *pi)
++static void wlc_phy_timercb_phycal(void *ptr)
+ {
++ struct brcms_phy *pi = ptr;
+ uint delay = 5;
+
+ if (PHY_PERICAL_MPHASE_PENDING(pi)) {
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy_shim.c b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy_shim.c
+index a0de5db0cd646..b723817915365 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy_shim.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy_shim.c
+@@ -57,12 +57,11 @@ void wlc_phy_shim_detach(struct phy_shim_info *physhim)
+ }
+
+ struct wlapi_timer *wlapi_init_timer(struct phy_shim_info *physhim,
+- void (*fn)(struct brcms_phy *pi),
++ void (*fn)(void *pi),
+ void *arg, const char *name)
+ {
+ return (struct wlapi_timer *)
+- brcms_init_timer(physhim->wl, (void (*)(void *))fn,
+- arg, name);
++ brcms_init_timer(physhim->wl, fn, arg, name);
+ }
+
+ void wlapi_free_timer(struct wlapi_timer *t)
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy_shim.h b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy_shim.h
+index dd8774717adee..27d0934e600ed 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy_shim.h
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy_shim.h
+@@ -131,7 +131,7 @@ void wlc_phy_shim_detach(struct phy_shim_info *physhim);
+
+ /* PHY to WL utility functions */
+ struct wlapi_timer *wlapi_init_timer(struct phy_shim_info *physhim,
+- void (*fn)(struct brcms_phy *pi),
++ void (*fn)(void *pi),
+ void *arg, const char *name);
+ void wlapi_free_timer(struct wlapi_timer *t);
+ void wlapi_add_timer(struct wlapi_timer *t, uint ms, int periodic);
+--
+2.43.0
+
diff --git a/queue-5.10/wifi-iwlwifi-dbg-tlv-ensure-nul-termination.patch b/queue-5.10/wifi-iwlwifi-dbg-tlv-ensure-nul-termination.patch
new file mode 100644
index 00000000000..4a26cff02d8
--- /dev/null
+++ b/queue-5.10/wifi-iwlwifi-dbg-tlv-ensure-nul-termination.patch
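Review bot: The new prototype `void (*fn)(void *pi)` in `wlapi_init_timer()` (both phy_shim.c and phy_shim.h) keeps the parameter name `pi` although the callback no longer receives a `struct brcms_phy *`; `void (*fn)(void *arg)` would match what is actually passed. With the typed signature gone, `wlc_phy_timercb_phycal()` converts `void *ptr` to `struct brcms_phy *pi` with nothing checking it, so the callback depends on `arg` always being the phy given at timer creation; a one-line comment on the callback saying so would record that contract. `wlapi_init_timer()` also still ends in a `(struct wlapi_timer *)` cast of the `brcms_init_timer()` result, which is worth a short comment explaining the opaque handle type.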
@@ -0,0 +1,43 @@
+From aff3be5f79a90c7f62bd2ab3fae72cc912d8cba7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 28 Jan 2024 08:53:53 +0200
+Subject: wifi: iwlwifi: dbg-tlv: ensure NUL termination
+
+From: Johannes Berg
+
+[ Upstream commit ea1d166fae14e05d49ffb0ea9fcd4658f8d3dcea ]
+
+The iwl_fw_ini_debug_info_tlv is used as a string, so we must
+ensure the string is terminated correctly before using it.
+
+Fixes: a9248de42464 ("iwlwifi: dbg_ini: add TLV allocation new API support")
+Signed-off-by: Johannes Berg
+Reviewed-by: Gregory Greenman
+Signed-off-by: Miri Korenblit
+Link: https://msgid.link/20240128084842.be15e858ee89.Ibff93429cf999eafc7b26f3eef4c055dc84984a0@changeid
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c b/drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c
+index bcaec8a184cd6..299819d2d1904 100644
+--- a/drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c
++++ b/drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c
+@@ -155,6 +155,12 @@ static int iwl_dbg_tlv_alloc_debug_info(struct iwl_trans *trans,
+ if (le32_to_cpu(tlv->length) != sizeof(*debug_info))
+ return -EINVAL;
+
++ /* we use this as a string, ensure input was NUL terminated */
++ if (strnlen(debug_info->debug_cfg_name,
++ sizeof(debug_info->debug_cfg_name)) ==
++ sizeof(debug_info->debug_cfg_name))
++ return -EINVAL;
++
+ IWL_DEBUG_FW(trans, "WRT: Loading debug cfg: %s\n",
+ debug_info->debug_cfg_name);
+
+--
+2.43.0
+
diff --git a/queue-5.10/wifi-iwlwifi-fix-ewrd-table-validity-check.patch b/queue-5.10/wifi-iwlwifi-fix-ewrd-table-validity-check.patch
new file mode 100644
index 00000000000..c81ec9ef489
--- /dev/null
+++ b/queue-5.10/wifi-iwlwifi-fix-ewrd-table-validity-check.patch
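Review bot: The added `strnlen()` check in `iwl_dbg_tlv_alloc_debug_info()` rejects an unterminated `debug_cfg_name` with a bare `-EINVAL`, so a malformed TLV is dropped without leaving any trace in the log. Because the check sits after the `tlv->length` comparison the scan is bounded by the structure size, which is the right order. I would add one log line before the return, for example `IWL_ERR(trans, "WRT: debug cfg name is not NUL terminated\n");`, so a bad debug configuration can be told apart from the other `-EINVAL` exits. The function body continues outside the hunk.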
@@ -0,0 +1,44 @@
+From 2580704741086cfc2d2d2325e0dfcad59561309c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 29 Jan 2024 21:21:49 +0200
+Subject: wifi: iwlwifi: fix EWRD table validity check
+
+From: Miri Korenblit
+
+[ Upstream commit c8d8f3911135921ace8e939ea0956b55f74bf8a0 ]
+
+EWRD ACPI table contains up to 3 additional sar profiles.
+According to the BIOS spec, the table contains a n_profile
+variable indicating how many additional profiles exist in the
+table.
+Currently we check that n_profiles is not <= 0.
+But according to the BIOS spec, 0 is a valid value,
+and it can't be < 0 anyway because we receive that from ACPI as
+an unsigned integer.
+
+Fixes: 39c1a9728f93 ("iwlwifi: refactor the SAR tables from mvm to acpi")
+Signed-off-by: Miri Korenblit
+Reviewed-by: Gregory Greenman
+Link: https://msgid.link/20240129211905.448ea2f40814.Iffd2aadf8e8693e6cb599bee0406a800a0c1e081@changeid
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/intel/iwlwifi/fw/acpi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/fw/acpi.c b/drivers/net/wireless/intel/iwlwifi/fw/acpi.c
+index 5e4faf9ce4bbe..fc35f8f84376c 100644
+--- a/drivers/net/wireless/intel/iwlwifi/fw/acpi.c
++++ b/drivers/net/wireless/intel/iwlwifi/fw/acpi.c
+@@ -555,7 +555,7 @@ int iwl_sar_get_ewrd_table(struct iwl_fw_runtime *fwrt)
+ * from index 1, so the maximum value allowed here is
+ * ACPI_SAR_PROFILES_NUM - 1.
+ */
+- if (n_profiles <= 0 || n_profiles >= ACPI_SAR_PROFILE_NUM) {
++ if (n_profiles >= ACPI_SAR_PROFILE_NUM) {
+ ret = -EINVAL;
+ goto out_free;
+ }
+--
+2.43.0
+
diff --git a/queue-5.10/wifi-libertas-fix-some-memleaks-in-lbs_allocate_cmd_.patch b/queue-5.10/wifi-libertas-fix-some-memleaks-in-lbs_allocate_cmd_.patch
new file mode 100644
index 00000000000..0844980e008
--- /dev/null
+++ b/queue-5.10/wifi-libertas-fix-some-memleaks-in-lbs_allocate_cmd_.patch
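Review bot: Dropping the `n_profiles <= 0` half of the test in `iwl_sar_get_ewrd_table()` is only safe if `n_profiles` has an unsigned type, and its declaration is outside the hunk. The commit message argues from ACPI delivering an unsigned integer, but if the local is a plain `int`, a large BIOS-supplied value can turn negative on assignment and then pass `n_profiles >= ACPI_SAR_PROFILE_NUM`. If it is signed, keep a lower bound while still accepting zero: `if (n_profiles < 0 || n_profiles >= ACPI_SAR_PROFILE_NUM) {`. The context comment also names `ACPI_SAR_PROFILES_NUM` while the code tests `ACPI_SAR_PROFILE_NUM`.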
@@ -0,0 +1,57 @@
+From 1bef42e9c8f196c763e3c3739012a5a6a7f8c3a6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 26 Jan 2024 15:53:34 +0800
+Subject: wifi: libertas: fix some memleaks in lbs_allocate_cmd_buffer()
+
+From: Zhipeng Lu
+
+[ Upstream commit 5f0e4aede01cb01fa633171f0533affd25328c3a ]
+
+In the for statement of lbs_allocate_cmd_buffer(), if the allocation of
+cmdarray[i].cmdbuf fails, both cmdarray and cmdarray[i].cmdbuf needs to
+be freed. Otherwise, there will be memleaks in lbs_allocate_cmd_buffer().
+
+Fixes: 876c9d3aeb98 ("[PATCH] Marvell Libertas 8388 802.11b/g USB driver")
+Signed-off-by: Zhipeng Lu
+Signed-off-by: Kalle Valo
+Link: https://msgid.link/20240126075336.2825608-1-alexious@zju.edu.cn
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/marvell/libertas/cmd.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/marvell/libertas/cmd.c b/drivers/net/wireless/marvell/libertas/cmd.c
+index a4d9dd73b2588..db9a852fa58a3 100644
+--- a/drivers/net/wireless/marvell/libertas/cmd.c
++++ b/drivers/net/wireless/marvell/libertas/cmd.c
+@@ -1133,7 +1133,7 @@ int lbs_allocate_cmd_buffer(struct lbs_private *priv)
+ if (!cmdarray[i].cmdbuf) {
+ lbs_deb_host("ALLOC_CMD_BUF: ptempvirtualaddr is NULL\n");
+ ret = -1;
+- goto done;
++ goto free_cmd_array;
+ }
+ }
+
+@@ -1141,8 +1141,17 @@ int lbs_allocate_cmd_buffer(struct lbs_private *priv)
+ init_waitqueue_head(&cmdarray[i].cmdwait_q);
+ lbs_cleanup_and_insert_cmd(priv, &cmdarray[i]);
+ }
+- ret = 0;
++ return 0;
+
++free_cmd_array:
++ for (i = 0; i < LBS_NUM_CMD_BUFFERS; i++) {
++ if (cmdarray[i].cmdbuf) {
++ kfree(cmdarray[i].cmdbuf);
++ cmdarray[i].cmdbuf = NULL;
++ }
++ }
++ kfree(priv->cmd_array);
++ priv->cmd_array = NULL;
+ done:
+ return ret;
+ }
+--
+2.43.0
+
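Review bot: In the new `free_cmd_array` path of `lbs_allocate_cmd_buffer()` the `if (cmdarray[i].cmdbuf)` guard is redundant, because `kfree(NULL)` is a no-op; the loop body can be just `kfree(cmdarray[i].cmdbuf);` followed by `cmdarray[i].cmdbuf = NULL;`. The loop walks all `LBS_NUM_CMD_BUFFERS` entries, including those after the failed index, which is only correct if the array was zero-initialised when allocated; that allocation is outside the hunk and should be confirmed. The label then frees `priv->cmd_array` while the loop uses the local `cmdarray`; using one name for both (`kfree(cmdarray);`) would make it obvious they are the same allocation.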
diff --git a/queue-5.10/wifi-mwifiex-debugfs-drop-unnecessary-error-check-fo.patch b/queue-5.10/wifi-mwifiex-debugfs-drop-unnecessary-error-check-fo.patch
new file mode 100644
index 00000000000..db6c72ffa17
--- /dev/null
+++ b/queue-5.10/wifi-mwifiex-debugfs-drop-unnecessary-error-check-fo.patch
@@ -0,0 +1,46 @@
+From 7808ba7627a5640b1df307d54e1d5aed72a93621 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 3 Sep 2023 11:02:15 +0800
+Subject: wifi: mwifiex: debugfs: Drop unnecessary error check for
+ debugfs_create_dir()
+
+From: Jinjie Ruan
+
+[ Upstream commit 50180c7f8e3de7c2d87f619131776598fcb1478d ]
+
+debugfs_create_dir() returns ERR_PTR and never return NULL.
+
+As Russell suggested, this patch removes the error checking for
+debugfs_create_dir(). This is because the DebugFS kernel API is developed
+in a way that the caller can safely ignore the errors that occur during
+the creation of DebugFS nodes. The debugfs APIs have a IS_ERR() judge in
+start_creating() which can handle it gracefully. So these checks are
+unnecessary.
+
+Fixes: 5e6e3a92b9a4 ("wireless: mwifiex: initial commit for Marvell mwifiex driver")
+Signed-off-by: Jinjie Ruan
+Suggested-by: Russell King (Oracle)
+Signed-off-by: Kalle Valo
+Link: https://msgid.link/20230903030216.1509013-3-ruanjinjie@huawei.com
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/marvell/mwifiex/debugfs.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/drivers/net/wireless/marvell/mwifiex/debugfs.c b/drivers/net/wireless/marvell/mwifiex/debugfs.c
+index 1e7dc724c6a94..d48a3e0b36060 100644
+--- a/drivers/net/wireless/marvell/mwifiex/debugfs.c
++++ b/drivers/net/wireless/marvell/mwifiex/debugfs.c
+@@ -976,9 +976,6 @@ mwifiex_dev_debugfs_init(struct mwifiex_private *priv)
+ priv->dfs_dev_dir = debugfs_create_dir(priv->netdev->name,
+ mwifiex_dfs_dir);
+
+- if (!priv->dfs_dev_dir)
+- return;
+-
+ MWIFIEX_DFS_ADD_FILE(info);
+ MWIFIEX_DFS_ADD_FILE(debug);
+ MWIFIEX_DFS_ADD_FILE(getlog);
+--
+2.43.0
+
diff --git a/queue-5.10/wifi-rtl8xxxu-add-cancel_work_sync-for-c2hcmd_work.patch b/queue-5.10/wifi-rtl8xxxu-add-cancel_work_sync-for-c2hcmd_work.patch
new file mode 100644
index 00000000000..f028e41da1b
--- /dev/null
+++ b/queue-5.10/wifi-rtl8xxxu-add-cancel_work_sync-for-c2hcmd_work.patch
@@ -0,0 +1,37 @@
+From 2971b6c8e2c29005cdd77734f4e10e527a5b1a14 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 11 Jan 2024 17:36:27 +0100
+Subject: wifi: rtl8xxxu: add cancel_work_sync() for c2hcmd_work
+
+From: Martin Kaistra
+
+[ Upstream commit 1213acb478a7181cd73eeaf00db430f1e45b1361 ]
+
+The workqueue might still be running, when the driver is stopped. To
+avoid a use-after-free, call cancel_work_sync() in rtl8xxxu_stop().
+
+Fixes: e542e66b7c2e ("rtl8xxxu: add bluetooth co-existence support for single antenna")
+Signed-off-by: Martin Kaistra
+Reviewed-by: Ping-Ke Shih
+Signed-off-by: Kalle Valo
+Link: https://msgid.link/20240111163628.320697-2-martin.kaistra@linutronix.de
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
+index 3051fb358fdd5..9efc15e69ae82 100644
+--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
+@@ -6483,6 +6483,7 @@ static void rtl8xxxu_stop(struct ieee80211_hw *hw)
+ if (priv->usb_interrupts)
+ rtl8xxxu_write32(priv, REG_USB_HIMR, 0);
+
++ cancel_work_sync(&priv->c2hcmd_work);
+ cancel_delayed_work_sync(&priv->ra_watchdog);
+
+ rtl8xxxu_free_rx_resources(priv);
+--
+2.43.0
+
diff --git a/queue-5.10/wifi-rtw88-8821c-fix-false-alarm-count.patch b/queue-5.10/wifi-rtw88-8821c-fix-false-alarm-count.patch
new file mode 100644
index 00000000000..e80938cf843
--- /dev/null
+++ b/queue-5.10/wifi-rtw88-8821c-fix-false-alarm-count.patch
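Review bot: The added `cancel_work_sync(&priv->c2hcmd_work)` in `rtl8xxxu_stop()` closes the use-after-free only if nothing can queue `c2hcmd_work` again after this line. The code that schedules the work is not in the hunk; if it is driven from the receive path, that path has to be quiesced before the cancel, otherwise the work can be re-armed and still run after `rtl8xxxu_free_rx_resources(priv)`. Once that ordering is verified, a comment at the call would record it, e.g. `/* nothing can requeue c2hcmd_work past this point */`. The function body starts and continues outside the hunk.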
@@ -0,0 +1,40 @@
+From 08a6ce351037678057703d62466aa461be5d1cf9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 1 Mar 2024 00:35:58 +0200
+Subject: wifi: rtw88: 8821c: Fix false alarm count
+
+From: Bitterblue Smith
+
+[ Upstream commit c238adbc578eeb70cbc8fdd1bef3666b0f585b13 ]
+
+total_fa_cnt is supposed to include cck_fa_cnt and ofdm_fa_cnt, not just
+ofdm_fa_cnt.
+
+Fixes: 960361238b86 ("rtw88: 8821c: add false alarm statistics")
+Signed-off-by: Bitterblue Smith
+Acked-by: Ping-Ke Shih
+Signed-off-by: Kalle Valo
+Link: https://msgid.link/f3cb6d17-e4e4-44a7-9c9b-72aed994b5c9@gmail.com
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/realtek/rtw88/rtw8821c.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/realtek/rtw88/rtw8821c.c b/drivers/net/wireless/realtek/rtw88/rtw8821c.c
+index f9615f76f1734..d517f92b6180b 100644
+--- a/drivers/net/wireless/realtek/rtw88/rtw8821c.c
++++ b/drivers/net/wireless/realtek/rtw88/rtw8821c.c
+@@ -579,9 +579,9 @@ static void rtw8821c_false_alarm_statistics(struct rtw_dev *rtwdev)
+
+ dm_info->cck_fa_cnt = cck_fa_cnt;
+ dm_info->ofdm_fa_cnt = ofdm_fa_cnt;
++ dm_info->total_fa_cnt = ofdm_fa_cnt;
+ if (cck_enable)
+ dm_info->total_fa_cnt += cck_fa_cnt;
+- dm_info->total_fa_cnt = ofdm_fa_cnt;
+
+ crc32_cnt = rtw_read32(rtwdev, REG_CRC_CCK);
+ dm_info->cck_ok_cnt = FIELD_GET(GENMASK(15, 0), crc32_cnt);
+-- 
+2.43.0
+
diff --git a/queue-5.10/wifi-wilc1000-fix-declarations-ordering.patch b/queue-5.10/wifi-wilc1000-fix-declarations-ordering.patch
new file mode 100644
index 00000000000..592dab7a6cb
--- /dev/null
+++ b/queue-5.10/wifi-wilc1000-fix-declarations-ordering.patch
@@ -0,0 +1,49 @@
+From fda7a1ad0770e30c13fefb8f2392165dc5a3ce3e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 5 Jan 2024 08:57:32 +0100
+Subject: wifi: wilc1000: fix declarations ordering
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alexis Lothoré
+
+[ Upstream commit 535733e90e5d8912ebeccebb05b354a2d06ff459 ]
+
+Reorder parameters declaration in wilc_parse_join_bss_param to enforce
+reverse christmas tree
+
+Signed-off-by: Alexis Lothoré
+Signed-off-by: Kalle Valo
+Link: https://msgid.link/20240105075733.36331-2-alexis.lothore@bootlin.com
+Stable-dep-of: 205c50306acf ("wifi: wilc1000: fix RCU usage in connect path")
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/microchip/wilc1000/hif.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/wireless/microchip/wilc1000/hif.c b/drivers/net/wireless/microchip/wilc1000/hif.c
+index 884f45e627a72..bff33f39605b9 100644
+--- a/drivers/net/wireless/microchip/wilc1000/hif.c
++++ b/drivers/net/wireless/microchip/wilc1000/hif.c
+@@ -359,13 +359,13 @@ static void handle_connect_timeout(struct work_struct *work)
+ void *wilc_parse_join_bss_param(struct cfg80211_bss *bss,
+ struct cfg80211_crypto_settings *crypto)
+ {
+- struct wilc_join_bss_param *param;
+- struct ieee80211_p2p_noa_attr noa_attr;
+- u8 rates_len = 0;
++ const struct cfg80211_bss_ies *ies = rcu_dereference(bss->ies);
+ const u8 *tim_elm, *ssid_elm, *rates_ie, *supp_rates_ie;
+ const u8 *ht_ie, *wpa_ie, *wmm_ie, *rsn_ie;
++ struct ieee80211_p2p_noa_attr noa_attr;
++ struct wilc_join_bss_param *param;
++ u8 rates_len = 0;
+ int ret;
+- const struct cfg80211_bss_ies *ies = rcu_dereference(bss->ies);
+
+ param = kzalloc(sizeof(*param), GFP_KERNEL);
+ if (!param)
+-- 
+2.43.0
+
diff --git a/queue-5.10/wifi-wilc1000-fix-multi-vif-management-when-deleting.patch b/queue-5.10/wifi-wilc1000-fix-multi-vif-management-when-deleting.patch
new file mode 100644
index 00000000000..b1231432c01
--- /dev/null
+++ b/queue-5.10/wifi-wilc1000-fix-multi-vif-management-when-deleting.patch
@@ -0,0 +1,54 @@
+From b9743ffbe56b2d0ad7d3e863c34eca0db3884944 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 15 Jan 2024 15:56:34 +0100
+Subject: wifi: wilc1000: fix multi-vif management when deleting a vif
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ajay Singh
+
+[ Upstream commit 12cfc9c8d3faf887a202c89bc312202445fca7e8 ]
+
+Adding then removing a second vif currently makes the first vif not working
+anymore. This is visible for example when we have a first interface
+connected to some access point:
+- create a wpa_supplicant.conf with some AP credentials
+- wpa_supplicant -Dnl80211 -c /etc/wpa_supplicant.conf -i wlan0
+- dhclient wlan0
+- iw phy phy0 interface add wlan1 type managed
+- iw dev wlan1 del
+wlan0 does not manage properly traffic anymore (eg: ping not working)
+
+This is due to vif mode being incorrectly reconfigured with some default
+values in del_virtual_intf, affecting by default first vif.
+
+Prevent first vif from being affected on second vif removal by removing vif
+mode change command in del_virtual_intf
+
+Fixes: 9bc061e88054 ("staging: wilc1000: added support to dynamically add/remove interfaces")
+Signed-off-by: Ajay Singh
+Co-developed-by: Alexis Lothoré
+Signed-off-by: Alexis Lothoré
+Signed-off-by: Kalle Valo
+Link: https://msgid.link/20240115-wilc_1000_fixes-v1-5-54d29463a738@bootlin.com
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/microchip/wilc1000/cfg80211.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/net/wireless/microchip/wilc1000/cfg80211.c b/drivers/net/wireless/microchip/wilc1000/cfg80211.c
+index dd26f20861807..5d4f9e9a81e05 100644
+--- a/drivers/net/wireless/microchip/wilc1000/cfg80211.c
++++ b/drivers/net/wireless/microchip/wilc1000/cfg80211.c
+@@ -1562,7 +1562,6 @@ static int del_virtual_intf(struct wiphy *wiphy, struct wireless_dev *wdev)
+ unregister_netdevice(vif->ndev);
+ vif->monitor_flag = 0;
+
+- wilc_set_operation_mode(vif, 0, 0, 0);
+ mutex_lock(&wl->vif_mutex);
+ list_del_rcu(&vif->list);
+ wl->vif_num--;
+-- 
+2.43.0
+
diff --git a/queue-5.10/wifi-wilc1000-fix-rcu-usage-in-connect-path.patch b/queue-5.10/wifi-wilc1000-fix-rcu-usage-in-connect-path.patch
new file mode 100644
index 00000000000..7283c0a2610
--- /dev/null
+++ b/queue-5.10/wifi-wilc1000-fix-rcu-usage-in-connect-path.patch
@@ -0,0 +1,176 @@
+From 73f05380c4d82ccb8437f35df28a0f9bc5b75c00 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 5 Jan 2024 08:57:33 +0100
+Subject: wifi: wilc1000: fix RCU usage in connect path
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alexis Lothoré
+
+[ Upstream commit 205c50306acf58a335eb19fa84e40140f4fe814f ]
+
+With lockdep enabled, calls to the connect function from cfg802.11 layer
+lead to the following warning:
+
+=============================
+WARNING: suspicious RCU usage
+6.7.0-rc1-wt+ #333 Not tainted
+-----------------------------
+drivers/net/wireless/microchip/wilc1000/hif.c:386
+suspicious rcu_dereference_check() usage!
+[...]
+stack backtrace:
+CPU: 0 PID: 100 Comm: wpa_supplicant Not tainted 6.7.0-rc1-wt+ #333
+Hardware name: Atmel SAMA5
+ unwind_backtrace from show_stack+0x18/0x1c
+ show_stack from dump_stack_lvl+0x34/0x48
+ dump_stack_lvl from wilc_parse_join_bss_param+0x7dc/0x7f4
+ wilc_parse_join_bss_param from connect+0x2c4/0x648
+ connect from cfg80211_connect+0x30c/0xb74
+ cfg80211_connect from nl80211_connect+0x860/0xa94
+ nl80211_connect from genl_rcv_msg+0x3fc/0x59c
+ genl_rcv_msg from netlink_rcv_skb+0xd0/0x1f8
+ netlink_rcv_skb from genl_rcv+0x2c/0x3c
+ genl_rcv from netlink_unicast+0x3b0/0x550
+ netlink_unicast from netlink_sendmsg+0x368/0x688
+ netlink_sendmsg from ____sys_sendmsg+0x190/0x430
+ ____sys_sendmsg from ___sys_sendmsg+0x110/0x158
+ ___sys_sendmsg from sys_sendmsg+0xe8/0x150
+ sys_sendmsg from ret_fast_syscall+0x0/0x1c
+
+This warning is emitted because in the connect path, when trying to parse
+target BSS parameters, we dereference a RCU pointer whithout being in RCU
+critical section.
+Fix RCU dereference usage by moving it to a RCU read critical section. To
+avoid wrapping the whole wilc_parse_join_bss_param under the critical
+section, just use the critical section to copy ies data
+
+Fixes: c460495ee072 ("staging: wilc1000: fix incorrent type in initializer")
+Signed-off-by: Alexis Lothoré
+Signed-off-by: Kalle Valo
+Link: https://msgid.link/20240105075733.36331-3-alexis.lothore@bootlin.com
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/microchip/wilc1000/hif.c | 36 ++++++++++++-------
+ 1 file changed, 24 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/net/wireless/microchip/wilc1000/hif.c b/drivers/net/wireless/microchip/wilc1000/hif.c
+index bff33f39605b9..457386f9de990 100644
+--- a/drivers/net/wireless/microchip/wilc1000/hif.c
++++ b/drivers/net/wireless/microchip/wilc1000/hif.c
+@@ -359,38 +359,49 @@ static void handle_connect_timeout(struct work_struct *work)
+ void *wilc_parse_join_bss_param(struct cfg80211_bss *bss,
+ struct cfg80211_crypto_settings *crypto)
+ {
+- const struct cfg80211_bss_ies *ies = rcu_dereference(bss->ies);
+- const u8 *tim_elm, *ssid_elm, *rates_ie, *supp_rates_ie;
++ const u8 *ies_data, *tim_elm, *ssid_elm, *rates_ie, *supp_rates_ie;
+ const u8 *ht_ie, *wpa_ie, *wmm_ie, *rsn_ie;
+ struct ieee80211_p2p_noa_attr noa_attr;
++ const struct cfg80211_bss_ies *ies;
+ struct wilc_join_bss_param *param;
+- u8 rates_len = 0;
++ u8 rates_len = 0, ies_len;
+ int ret;
+
+ param = kzalloc(sizeof(*param), GFP_KERNEL);
+ if (!param)
+ return NULL;
+
++ rcu_read_lock();
++ ies = rcu_dereference(bss->ies);
++ ies_data = kmemdup(ies->data, ies->len, GFP_ATOMIC);
++ if (!ies_data) {
++ rcu_read_unlock();
++ kfree(param);
++ return NULL;
++ }
++ ies_len = ies->len;
++ rcu_read_unlock();
++
+ param->beacon_period = cpu_to_le16(bss->beacon_interval);
+ param->cap_info = cpu_to_le16(bss->capability);
+ param->bss_type = WILC_FW_BSS_TYPE_INFRA;
+ param->ch = ieee80211_frequency_to_channel(bss->channel->center_freq);
+ ether_addr_copy(param->bssid, bss->bssid);
+
+- ssid_elm = cfg80211_find_ie(WLAN_EID_SSID, ies->data, ies->len);
++ ssid_elm = cfg80211_find_ie(WLAN_EID_SSID, ies_data, ies_len);
+ if (ssid_elm) {
+ if (ssid_elm[1] <= IEEE80211_MAX_SSID_LEN)
+ memcpy(param->ssid, ssid_elm + 2, ssid_elm[1]);
+ }
+
+- tim_elm = cfg80211_find_ie(WLAN_EID_TIM, ies->data, ies->len);
++ tim_elm = cfg80211_find_ie(WLAN_EID_TIM, ies_data, ies_len);
+ if (tim_elm && tim_elm[1] >= 2)
+ param->dtim_period = tim_elm[3];
+
+ memset(param->p_suites, 0xFF, 3);
+ memset(param->akm_suites, 0xFF, 3);
+
+- rates_ie = cfg80211_find_ie(WLAN_EID_SUPP_RATES, ies->data, ies->len);
++ rates_ie = cfg80211_find_ie(WLAN_EID_SUPP_RATES, ies_data, ies_len);
+ if (rates_ie) {
+ rates_len = rates_ie[1];
+ if (rates_len > WILC_MAX_RATES_SUPPORTED)
+@@ -401,7 +412,7 @@ void *wilc_parse_join_bss_param(struct cfg80211_bss *bss,
+
+ if (rates_len < WILC_MAX_RATES_SUPPORTED) {
+ supp_rates_ie = cfg80211_find_ie(WLAN_EID_EXT_SUPP_RATES,
+- ies->data, ies->len);
++ ies_data, ies_len);
+ if (supp_rates_ie) {
+ u8 ext_rates = supp_rates_ie[1];
+
+@@ -416,11 +427,11 @@ void *wilc_parse_join_bss_param(struct cfg80211_bss *bss,
+ }
+ }
+
+- ht_ie = cfg80211_find_ie(WLAN_EID_HT_CAPABILITY, ies->data, ies->len);
++ ht_ie = cfg80211_find_ie(WLAN_EID_HT_CAPABILITY, ies_data, ies_len);
+ if (ht_ie)
+ param->ht_capable = true;
+
+- ret = cfg80211_get_p2p_attr(ies->data, ies->len,
++ ret = cfg80211_get_p2p_attr(ies_data, ies_len,
+ IEEE80211_P2P_ATTR_ABSENCE_NOTICE,
+ (u8 *)&noa_attr, sizeof(noa_attr));
+ if (ret > 0) {
+@@ -444,7 +455,7 @@ void *wilc_parse_join_bss_param(struct cfg80211_bss *bss,
+ }
+ wmm_ie = cfg80211_find_vendor_ie(WLAN_OUI_MICROSOFT,
+ WLAN_OUI_TYPE_MICROSOFT_WMM,
+- ies->data, ies->len);
++ ies_data, ies_len);
+ if (wmm_ie) {
+ struct ieee80211_wmm_param_ie *ie;
+
+@@ -459,13 +470,13 @@ void *wilc_parse_join_bss_param(struct cfg80211_bss *bss,
+
+ wpa_ie = cfg80211_find_vendor_ie(WLAN_OUI_MICROSOFT,
+ WLAN_OUI_TYPE_MICROSOFT_WPA,
+- ies->data, ies->len);
++ ies_data, ies_len);
+ if (wpa_ie) {
+ param->mode_802_11i = 1;
+ param->rsn_found = true;
+ }
+
+- rsn_ie = cfg80211_find_ie(WLAN_EID_RSN, ies->data, ies->len);
++ rsn_ie = cfg80211_find_ie(WLAN_EID_RSN, ies_data, ies_len);
+ if (rsn_ie) {
+ int rsn_ie_len = sizeof(struct element) + rsn_ie[1];
+ int offset = 8;
+@@ -499,6 +510,7 @@ void *wilc_parse_join_bss_param(struct cfg80211_bss *bss,
+ param->akm_suites[i] = crypto->akm_suites[i] & 0xFF;
+ }
+
++ kfree(ies_data);
+ return (void *)param;
+ }
+
+-- 
+2.43.0
+
diff --git a/queue-5.10/wifi-wilc1000-prevent-use-after-free-on-vif-when-cle.patch b/queue-5.10/wifi-wilc1000-prevent-use-after-free-on-vif-when-cle.patch
new file mode 100644
index 00000000000..6c47be58f3d
--- /dev/null
+++ b/queue-5.10/wifi-wilc1000-prevent-use-after-free-on-vif-when-cle.patch
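Review bot: `ies_len` is declared as `u8` (`u8 rates_len = 0, ies_len;`) but is assigned from `ies->len`, so an IE block longer than 255 bytes is silently truncated to its low byte before every `cfg80211_find_ie()`, `cfg80211_find_vendor_ie()` and `cfg80211_get_p2p_attr()` call in wilc_parse_join_bss_param(). The lookups then stop early and elements past the cut, which can include the RSN or WPA element, are not found, so `param->rsn_found` and `param->mode_802_11i` may stay unset for a network that advertises them; the scan only gets shorter, so this is a parsing error rather than an over-read. `kmemdup()` already copies the full `ies->len`, so only the length variable needs widening: keep `u8 rates_len = 0;` and declare `int ies_len;` on its own line (assuming `len` in `struct cfg80211_bss_ies` is an `int`, which this hunk does not show). The function body continues between the inner hunks, so any early return there would also need `kfree(ies_data)`.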
@@ -0,0 +1,172 @@
+From a7b33ff852b99df514351fa0fab377d6bbaf2e80 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 12 Feb 2024 13:57:37 +0100
+Subject: wifi: wilc1000: prevent use-after-free on vif when cleaning up all
+ interfaces
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alexis Lothoré
+
+[ Upstream commit cb5942b77c05d54310a0420cac12935e9b6aa21c ]
+
+wilc_netdev_cleanup currently triggers a KASAN warning, which can be
+observed on interface registration error path, or simply by
+removing the module/unbinding device from driver:
+
+echo spi0.1 > /sys/bus/spi/drivers/wilc1000_spi/unbind
+
+==================================================================
+BUG: KASAN: slab-use-after-free in wilc_netdev_cleanup+0x508/0x5cc
+Read of size 4 at addr c54d1ce8 by task sh/86
+
+CPU: 0 PID: 86 Comm: sh Not tainted 6.8.0-rc1+ #117
+Hardware name: Atmel SAMA5
+ unwind_backtrace from show_stack+0x18/0x1c
+ show_stack from dump_stack_lvl+0x34/0x58
+ dump_stack_lvl from print_report+0x154/0x500
+ print_report from kasan_report+0xac/0xd8
+ kasan_report from wilc_netdev_cleanup+0x508/0x5cc
+ wilc_netdev_cleanup from wilc_bus_remove+0xc8/0xec
+ wilc_bus_remove from spi_remove+0x8c/0xac
+ spi_remove from device_release_driver_internal+0x434/0x5f8
+ device_release_driver_internal from unbind_store+0xbc/0x108
+ unbind_store from kernfs_fop_write_iter+0x398/0x584
+ kernfs_fop_write_iter from vfs_write+0x728/0xf88
+ vfs_write from ksys_write+0x110/0x1e4
+ ksys_write from ret_fast_syscall+0x0/0x1c
+
+[...]
+
+Allocated by task 1:
+ kasan_save_track+0x30/0x5c
+ __kasan_kmalloc+0x8c/0x94
+ __kmalloc_node+0x1cc/0x3e4
+ kvmalloc_node+0x48/0x180
+ alloc_netdev_mqs+0x68/0x11dc
+ alloc_etherdev_mqs+0x28/0x34
+ wilc_netdev_ifc_init+0x34/0x8ec
+ wilc_cfg80211_init+0x690/0x910
+ wilc_bus_probe+0xe0/0x4a0
+ spi_probe+0x158/0x1b0
+ really_probe+0x270/0xdf4
+ __driver_probe_device+0x1dc/0x580
+ driver_probe_device+0x60/0x140
+ __driver_attach+0x228/0x5d4
+ bus_for_each_dev+0x13c/0x1a8
+ bus_add_driver+0x2a0/0x608
+ driver_register+0x24c/0x578
+ do_one_initcall+0x180/0x310
+ kernel_init_freeable+0x424/0x484
+ kernel_init+0x20/0x148
+ ret_from_fork+0x14/0x28
+
+Freed by task 86:
+ kasan_save_track+0x30/0x5c
+ kasan_save_free_info+0x38/0x58
+ __kasan_slab_free+0xe4/0x140
+ kfree+0xb0/0x238
+ device_release+0xc0/0x2a8
+ kobject_put+0x1d4/0x46c
+ netdev_run_todo+0x8fc/0x11d0
+ wilc_netdev_cleanup+0x1e4/0x5cc
+ wilc_bus_remove+0xc8/0xec
+ spi_remove+0x8c/0xac
+ device_release_driver_internal+0x434/0x5f8
+ unbind_store+0xbc/0x108
+ kernfs_fop_write_iter+0x398/0x584
+ vfs_write+0x728/0xf88
+ ksys_write+0x110/0x1e4
+ ret_fast_syscall+0x0/0x1c
+ [...]
+
+David Mosberger-Tan initial investigation [1] showed that this
+use-after-free is due to netdevice unregistration during vif list
+traversal. When unregistering a net device, since the needs_free_netdev has
+been set to true during registration, the netdevice object is also freed,
+and as a consequence, the corresponding vif object too, since it is
+attached to it as private netdevice data. The next occurrence of the loop
+then tries to access freed vif pointer to the list to move forward in the
+list.
+
+Fix this use-after-free thanks to two mechanisms:
+- navigate in the list with list_for_each_entry_safe, which allows to
+ safely modify the list as we go through each element. For each element,
+ remove it from the list with list_del_rcu
+- make sure to wait for RCU grace period end after each vif removal to make
+ sure it is safe to free the corresponding vif too (through
+ unregister_netdev)
+
+Since we are in a RCU "modifier" path (not a "reader" path), and because
+such path is expected not to be concurrent to any other modifier (we are
+using the vif_mutex lock), we do not need to use RCU list API, that's why
+we can benefit from list_for_each_entry_safe.
+
+[1] https://lore.kernel.org/linux-wireless/ab077dbe58b1ea5de0a3b2ca21f275a07af967d2.camel@egauge.net/
+
+Fixes: 8399918f3056 ("staging: wilc1000: use RCU list to maintain vif interfaces list")
+Signed-off-by: Alexis Lothoré
+Signed-off-by: Kalle Valo
+Link: https://msgid.link/20240212-wilc_rework_deinit-v1-1-9203ae56c27f@bootlin.com
+Signed-off-by: Sasha Levin
+---
+ .../net/wireless/microchip/wilc1000/netdev.c | 28 +++++--------------
+ 1 file changed, 7 insertions(+), 21 deletions(-)
+
+diff --git a/drivers/net/wireless/microchip/wilc1000/netdev.c b/drivers/net/wireless/microchip/wilc1000/netdev.c
+index 463f3bfc3064d..ab84b146aa272 100644
+--- a/drivers/net/wireless/microchip/wilc1000/netdev.c
++++ b/drivers/net/wireless/microchip/wilc1000/netdev.c
+@@ -821,8 +821,7 @@ static const struct net_device_ops wilc_netdev_ops = {
+
+ void wilc_netdev_cleanup(struct wilc *wilc)
+ {
+- struct wilc_vif *vif;
+- int srcu_idx, ifc_cnt = 0;
++ struct wilc_vif *vif, *vif_tmp;
+
+ if (!wilc)
+ return;
+@@ -832,32 +831,19 @@ void wilc_netdev_cleanup(struct wilc *wilc)
+ wilc->firmware = NULL;
+ }
+
+- srcu_idx = srcu_read_lock(&wilc->srcu);
+- list_for_each_entry_rcu(vif, &wilc->vif_list, list) {
++ list_for_each_entry_safe(vif, vif_tmp, &wilc->vif_list, list) {
++ mutex_lock(&wilc->vif_mutex);
++ list_del_rcu(&vif->list);
++ wilc->vif_num--;
++ mutex_unlock(&wilc->vif_mutex);
++ synchronize_srcu(&wilc->srcu);
+ if (vif->ndev)
+ unregister_netdev(vif->ndev);
+ }
+- srcu_read_unlock(&wilc->srcu, srcu_idx);
+
+ wilc_wfi_deinit_mon_interface(wilc, false);
+ destroy_workqueue(wilc->hif_workqueue);
+
+- while (ifc_cnt < WILC_NUM_CONCURRENT_IFC) {
+- mutex_lock(&wilc->vif_mutex);
+- if (wilc->vif_num <= 0) {
+- mutex_unlock(&wilc->vif_mutex);
+- break;
+- }
+- vif = wilc_get_wl_to_vif(wilc);
+- if (!IS_ERR(vif))
+- list_del_rcu(&vif->list);
+-
+- wilc->vif_num--;
+- mutex_unlock(&wilc->vif_mutex);
+- synchronize_srcu(&wilc->srcu);
+- ifc_cnt++;
+- }
+-
+ wilc_wlan_cfg_deinit(wilc);
+ wlan_deinit_locks(wilc);
+ kfree(wilc->bus_data);
+-- 
+2.43.0
+
diff --git a/queue-5.10/wireless-remove-redundant-flush_workqueue-calls.patch b/queue-5.10/wireless-remove-redundant-flush_workqueue-calls.patch
new file mode 100644
index 00000000000..885804293b4
--- /dev/null
+++ b/queue-5.10/wireless-remove-redundant-flush_workqueue-calls.patch
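Review bot: The new loop in wilc_netdev_cleanup() relies on a strict order (unlink under `vif_mutex`, then `synchronize_srcu()`, then `unregister_netdev()`), but the reason is given only in the commit message and the code carries no comment. A later reorder would bring the use-after-free back, so a comment above the loop is worth adding, e.g. `/* unregister_netdev() frees vif along with its netdev: unlink it and wait for SRCU readers first */`. The list walk itself runs outside `vif_mutex`, which is safe only under the commit message's assumption that no other modifier runs during cleanup. del_virtual_intf() in cfg80211.c also unlinks vifs under that mutex, so it should be confirmed that it cannot run concurrently with this path.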
@@ -0,0 +1,243 @@
+From c1287ba367968983d2aba723795d4878a800de4a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 10 Oct 2021 09:09:11 +0200
+Subject: wireless: Remove redundant 'flush_workqueue()' calls
+
+From: Christophe JAILLET
+
+[ Upstream commit ff1cc2fa3055ee4c83839f38b74b4ee370a2291c ]
+
+'destroy_workqueue()' already drains the queue before destroying it, so
+there is no need to flush it explicitly.
+
+Remove the redundant 'flush_workqueue()' calls.
+
+This was generated with coccinelle:
+
+@@
+expression E;
+@@
+- flush_workqueue(E);
+ destroy_workqueue(E);
+
+Signed-off-by: Christophe JAILLET
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/0855d51423578ad019c0264dad3fe47a2e8af9c7.1633849511.git.christophe.jaillet@wanadoo.fr
+Stable-dep-of: cb5942b77c05 ("wifi: wilc1000: prevent use-after-free on vif when cleaning up all interfaces")
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/ath/ath10k/core.c | 3 ---
+ drivers/net/wireless/ath/ath10k/sdio.c | 1 -
+ drivers/net/wireless/intel/iwlegacy/3945-mac.c | 1 -
+ drivers/net/wireless/intel/iwlegacy/4965-mac.c | 1 -
+ drivers/net/wireless/intel/iwlwifi/dvm/main.c | 1 -
+ drivers/net/wireless/marvell/mwifiex/cfg80211.c | 2 --
+ drivers/net/wireless/marvell/mwifiex/main.c | 2 --
+ drivers/net/wireless/microchip/wilc1000/netdev.c | 1 -
+ drivers/net/wireless/quantenna/qtnfmac/core.c | 2 --
+ drivers/net/wireless/quantenna/qtnfmac/pcie/pcie.c | 2 --
+ drivers/net/wireless/realtek/rtlwifi/pci.c | 1 -
+ drivers/net/wireless/rndis_wlan.c | 2 --
+ drivers/net/wireless/st/cw1200/bh.c | 2 --
+ 13 files changed, 21 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath10k/core.c b/drivers/net/wireless/ath/ath10k/core.c
+index d0967bb1f3871..57ac80997319b 100644
+--- a/drivers/net/wireless/ath/ath10k/core.c
++++ b/drivers/net/wireless/ath/ath10k/core.c
+@@ -3381,13 +3381,10 @@ EXPORT_SYMBOL(ath10k_core_create);
+
+ void ath10k_core_destroy(struct ath10k *ar)
+ {
+- flush_workqueue(ar->workqueue);
+ destroy_workqueue(ar->workqueue);
+
+- flush_workqueue(ar->workqueue_aux);
+ destroy_workqueue(ar->workqueue_aux);
+
+- flush_workqueue(ar->workqueue_tx_complete);
+ destroy_workqueue(ar->workqueue_tx_complete);
+
+ ath10k_debug_destroy(ar);
+diff --git a/drivers/net/wireless/ath/ath10k/sdio.c b/drivers/net/wireless/ath/ath10k/sdio.c
+index 0fe639710a8bb..9d1b0890f3105 100644
+--- a/drivers/net/wireless/ath/ath10k/sdio.c
++++ b/drivers/net/wireless/ath/ath10k/sdio.c
+@@ -2651,7 +2651,6 @@ static void ath10k_sdio_remove(struct sdio_func *func)
+
+ ath10k_core_destroy(ar);
+
+- flush_workqueue(ar_sdio->workqueue);
+ destroy_workqueue(ar_sdio->workqueue);
+ }
+
+diff --git a/drivers/net/wireless/intel/iwlegacy/3945-mac.c b/drivers/net/wireless/intel/iwlegacy/3945-mac.c
+index ef0ac42a55a2a..55c00a07bc4d3 100644
+--- a/drivers/net/wireless/intel/iwlegacy/3945-mac.c
++++ b/drivers/net/wireless/intel/iwlegacy/3945-mac.c
+@@ -3831,7 +3831,6 @@ il3945_pci_remove(struct pci_dev *pdev)
+ il3945_unset_hw_params(il);
+
+ /*netif_stop_queue(dev); */
+- flush_workqueue(il->workqueue);
+
+ /* ieee80211_unregister_hw calls il3945_mac_stop, which flushes
+ * il->workqueue... so we can't take down the workqueue
+diff --git a/drivers/net/wireless/intel/iwlegacy/4965-mac.c b/drivers/net/wireless/intel/iwlegacy/4965-mac.c
+index 12cf22d0e9949..2549902552e1d 100644
+--- a/drivers/net/wireless/intel/iwlegacy/4965-mac.c
++++ b/drivers/net/wireless/intel/iwlegacy/4965-mac.c
+@@ -6745,7 +6745,6 @@ il4965_pci_remove(struct pci_dev *pdev)
+ il_eeprom_free(il);
+
+ /*netif_stop_queue(dev); */
+- flush_workqueue(il->workqueue);
+
+ /* ieee80211_unregister_hw calls il_mac_stop, which flushes
+ * il->workqueue... so we can't take down the workqueue
+diff --git a/drivers/net/wireless/intel/iwlwifi/dvm/main.c b/drivers/net/wireless/intel/iwlwifi/dvm/main.c
+index 461af58311561..6a19fc4c68604 100644
+--- a/drivers/net/wireless/intel/iwlwifi/dvm/main.c
++++ b/drivers/net/wireless/intel/iwlwifi/dvm/main.c
+@@ -1526,7 +1526,6 @@ static void iwl_op_mode_dvm_stop(struct iwl_op_mode *op_mode)
+ kfree(priv->nvm_data);
+
+ /*netif_stop_queue(dev); */
+- flush_workqueue(priv->workqueue);
+
+ /* ieee80211_unregister_hw calls iwlagn_mac_stop, which flushes
+ * priv->workqueue... so we can't take down the workqueue
+diff --git a/drivers/net/wireless/marvell/mwifiex/cfg80211.c b/drivers/net/wireless/marvell/mwifiex/cfg80211.c
+index 2f5f1ff22a601..e1196c565a62f 100644
+--- a/drivers/net/wireless/marvell/mwifiex/cfg80211.c
++++ b/drivers/net/wireless/marvell/mwifiex/cfg80211.c
+@@ -3155,13 +3155,11 @@ int mwifiex_del_virtual_intf(struct wiphy *wiphy, struct wireless_dev *wdev)
+ unregister_netdevice(wdev->netdev);
+
+ if (priv->dfs_cac_workqueue) {
+- flush_workqueue(priv->dfs_cac_workqueue);
+ destroy_workqueue(priv->dfs_cac_workqueue);
+ priv->dfs_cac_workqueue = NULL;
+ }
+
+ if (priv->dfs_chan_sw_workqueue) {
+- flush_workqueue(priv->dfs_chan_sw_workqueue);
+ destroy_workqueue(priv->dfs_chan_sw_workqueue);
+ priv->dfs_chan_sw_workqueue = NULL;
+ }
+diff --git a/drivers/net/wireless/marvell/mwifiex/main.c b/drivers/net/wireless/marvell/mwifiex/main.c
+index 6283df5aaaf8b..b8b79fe50dbc2 100644
+--- a/drivers/net/wireless/marvell/mwifiex/main.c
++++ b/drivers/net/wireless/marvell/mwifiex/main.c
+@@ -498,13 +498,11 @@ static void mwifiex_free_adapter(struct mwifiex_adapter *adapter)
+ static void mwifiex_terminate_workqueue(struct mwifiex_adapter *adapter)
+ {
+ if (adapter->workqueue) {
+- flush_workqueue(adapter->workqueue);
+ destroy_workqueue(adapter->workqueue);
+ adapter->workqueue = NULL;
+ }
+
+ if (adapter->rx_workqueue) {
+- flush_workqueue(adapter->rx_workqueue);
+ destroy_workqueue(adapter->rx_workqueue);
+ adapter->rx_workqueue = NULL;
+ }
+diff --git a/drivers/net/wireless/microchip/wilc1000/netdev.c b/drivers/net/wireless/microchip/wilc1000/netdev.c
+index c508f429984ab..463f3bfc3064d 100644
+--- a/drivers/net/wireless/microchip/wilc1000/netdev.c
++++ b/drivers/net/wireless/microchip/wilc1000/netdev.c
+@@ -840,7 +840,6 @@ void wilc_netdev_cleanup(struct wilc *wilc)
+ srcu_read_unlock(&wilc->srcu, srcu_idx);
+
+ wilc_wfi_deinit_mon_interface(wilc, false);
+- flush_workqueue(wilc->hif_workqueue);
+ destroy_workqueue(wilc->hif_workqueue);
+
+ while (ifc_cnt < WILC_NUM_CONCURRENT_IFC) {
+diff --git a/drivers/net/wireless/quantenna/qtnfmac/core.c b/drivers/net/wireless/quantenna/qtnfmac/core.c
+index bf6dbeb618423..d39c210da68e2 100644
+--- a/drivers/net/wireless/quantenna/qtnfmac/core.c
++++ b/drivers/net/wireless/quantenna/qtnfmac/core.c
+@@ -816,13 +816,11 @@ void qtnf_core_detach(struct qtnf_bus *bus)
+ bus->fw_state = QTNF_FW_STATE_DETACHED;
+
+ if (bus->workqueue) {
+- flush_workqueue(bus->workqueue);
+ destroy_workqueue(bus->workqueue);
+ bus->workqueue = NULL;
+ }
+
+ if (bus->hprio_workqueue) {
+- flush_workqueue(bus->hprio_workqueue);
+ destroy_workqueue(bus->hprio_workqueue);
+ bus->hprio_workqueue = NULL;
+ }
+diff --git a/drivers/net/wireless/quantenna/qtnfmac/pcie/pcie.c b/drivers/net/wireless/quantenna/qtnfmac/pcie/pcie.c
+index 0f328ce47fee3..f65eb6e5b8d59 100644
+--- a/drivers/net/wireless/quantenna/qtnfmac/pcie/pcie.c
++++ b/drivers/net/wireless/quantenna/qtnfmac/pcie/pcie.c
+@@ -387,7 +387,6 @@ static int qtnf_pcie_probe(struct pci_dev *pdev, const struct pci_device_id *id)
+ return 0;
+
+ error:
+- flush_workqueue(pcie_priv->workqueue);
+ destroy_workqueue(pcie_priv->workqueue);
+ pci_set_drvdata(pdev, NULL);
+ return ret;
+@@ -416,7 +415,6 @@ static void qtnf_pcie_remove(struct pci_dev *dev)
+ qtnf_core_detach(bus);
+
+ netif_napi_del(&bus->mux_napi);
+- flush_workqueue(priv->workqueue);
+ destroy_workqueue(priv->workqueue);
+ tasklet_kill(&priv->reclaim_tq);
+
+diff --git a/drivers/net/wireless/realtek/rtlwifi/pci.c b/drivers/net/wireless/realtek/rtlwifi/pci.c
+index 679ae786cf450..6d9f2a6233a21 100644
+--- a/drivers/net/wireless/realtek/rtlwifi/pci.c
++++ b/drivers/net/wireless/realtek/rtlwifi/pci.c
+@@ -1704,7 +1704,6 @@ static void rtl_pci_deinit(struct ieee80211_hw *hw)
+ tasklet_kill(&rtlpriv->works.irq_tasklet);
+ cancel_work_sync(&rtlpriv->works.lps_change_work);
+
+- flush_workqueue(rtlpriv->works.rtl_wq);
+ destroy_workqueue(rtlpriv->works.rtl_wq);
+ }
+
+diff --git a/drivers/net/wireless/rndis_wlan.c b/drivers/net/wireless/rndis_wlan.c
+index dc076d8448680..75c78e1c924b0 100644
+--- a/drivers/net/wireless/rndis_wlan.c
++++ b/drivers/net/wireless/rndis_wlan.c
+@@ -3497,7 +3497,6 @@ static int rndis_wlan_bind(struct usbnet *usbdev, struct usb_interface *intf)
+ cancel_delayed_work_sync(&priv->dev_poller_work);
+ cancel_delayed_work_sync(&priv->scan_work);
+ cancel_work_sync(&priv->work);
+- flush_workqueue(priv->workqueue);
+ destroy_workqueue(priv->workqueue);
+
+ wiphy_free(wiphy);
+@@ -3514,7 +3513,6 @@ static void rndis_wlan_unbind(struct usbnet *usbdev, struct usb_interface *intf)
+ cancel_delayed_work_sync(&priv->dev_poller_work);
+ cancel_delayed_work_sync(&priv->scan_work);
+ cancel_work_sync(&priv->work);
+- flush_workqueue(priv->workqueue);
+ destroy_workqueue(priv->workqueue);
+
+ rndis_unbind(usbdev, intf);
+diff --git a/drivers/net/wireless/st/cw1200/bh.c b/drivers/net/wireless/st/cw1200/bh.c
+index 02efe8483cba6..361fef6e1eeaa 100644
+--- a/drivers/net/wireless/st/cw1200/bh.c
++++ b/drivers/net/wireless/st/cw1200/bh.c
+@@ -88,8 +88,6 @@ void cw1200_unregister_bh(struct cw1200_common *priv)
+ atomic_add(1, &priv->bh_term);
+ wake_up(&priv->bh_wq);
+
+- flush_workqueue(priv->bh_workqueue);
+-
+ destroy_workqueue(priv->bh_workqueue);
+ priv->bh_workqueue = NULL;
+
+-- 
+2.43.0
+
diff --git a/queue-5.10/x86-relocs-ignore-relocations-in-.notes-section.patch b/queue-5.10/x86-relocs-ignore-relocations-in-.notes-section.patch
new file mode 100644
index 00000000000..1f3ba540e82
--- /dev/null
+++ b/queue-5.10/x86-relocs-ignore-relocations-in-.notes-section.patch
@@ -0,0 +1,54 @@
+From 271f8fc9fab6b1e8ce89e98fcd4bc495d1c17efb Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 27 Feb 2024 09:51:12 -0800
+Subject: x86, relocs: Ignore relocations in .notes section
+
+From: Kees Cook
+
+[ Upstream commit aaa8736370db1a78f0e8434344a484f9fd20be3b ]
+
+When building with CONFIG_XEN_PV=y, .text symbols are emitted into
+the .notes section so that Xen can find the "startup_xen" entry point.
+This information is used prior to booting the kernel, so relocations
+are not useful. In fact, performing relocations against the .notes
+section means that the KASLR base is exposed since /sys/kernel/notes
+is world-readable.
+
+To avoid leaking the KASLR base without breaking unprivileged tools that
+are expecting to read /sys/kernel/notes, skip performing relocations in
+the .notes section. The values readable in .notes are then identical to
+those found in System.map.
+
+Reported-by: Guixiong Wei
+Closes: https://lore.kernel.org/all/20240218073501.54555-1-guixiongwei@gmail.com/
+Fixes: 5ead97c84fa7 ("xen: Core Xen implementation")
+Fixes: da1a679cde9b ("Add /sys/kernel/notes")
+Reviewed-by: Juergen Gross
+Signed-off-by: Kees Cook
+Signed-off-by: Sasha Levin
+---
+ arch/x86/tools/relocs.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/arch/x86/tools/relocs.c b/arch/x86/tools/relocs.c
+index 1c3a1962cade6..0043fd374a62f 100644
+--- a/arch/x86/tools/relocs.c
++++ b/arch/x86/tools/relocs.c
+@@ -596,6 +596,14 @@ static void print_absolute_relocs(void)
+ if (!(sec_applies->shdr.sh_flags & SHF_ALLOC)) {
+ continue;
+ }
++ /*
++ * Do not perform relocations in .notes section; any
++ * values there are meant for pre-boot consumption (e.g.
++ * startup_xen).
++ */
++ if (sec_applies->shdr.sh_type == SHT_NOTE) {
++ continue;
++ }
+ sh_symtab = sec_symtab->symtab;
+ sym_strtab = sec_symtab->link->strtab;
+ for (j = 0; j < sec->shdr.sh_size/sizeof(Elf_Rel); j++) {
+-- 
+2.43.0
+
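Review bot: The `SHT_NOTE` skip lands in print_absolute_relocs() (going by the inner hunk header), which by its name reports absolute relocations rather than collecting the ones written into the kernel's relocation table. If the table is built by a separate walker in the same file (walk_relocs(), not visible in this hunk) that filters sections on `SHF_ALLOC` the same way, .notes entries are still relocated at boot and the world-readable /sys/kernel/notes keeps exposing the KASLR base. That walker would need the same check, `if (sec_applies->shdr.sh_type == SHT_NOTE) { continue; }`. The fix can be verified on a KASLR boot by comparing the addresses read from /sys/kernel/notes with System.map, which the commit message says should be identical.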