From: Greg Kroah-Hartman Date: Fri, 24 Nov 2023 13:18:41 +0000 (+0000) Subject: 6.5-stable patches X-Git-Tag: v4.14.331~56 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8e5117875dd4ae41eb7975f688c0c357b8151182;p=thirdparty%2Fkernel%2Fstable-queue.git 6.5-stable patches added patches: dm-bufio-fix-no-sleep-mode.patch dm-verity-don-t-use-blocking-calls-from-tasklets.patch drm-mediatek-dp-fix-memory-leak-on-get_edid-callback-audio-detection.patch drm-mediatek-dp-fix-memory-leak-on-get_edid-callback-error-path.patch f2fs-avoid-format-overflow-warning.patch f2fs-do-not-return-efscorrupted-but-try-to-run-online-repair.patch f2fs-set-the-default-compress_level-on-ioctl.patch f2fs-split-initial-and-dynamic-conditions-for-extent_cache.patch gfs2-don-t-withdraw-if-init_threads-got-interrupted.patch i2c-designware-disable-tx_empty-irq-while-waiting-for-block-length-byte.patch i2c-i801-fix-potential-race-in-i801_block_transaction_byte_by_byte.patch loongarch-mark-__percpu-functions-as-always-inline.patch lsm-fix-default-return-value-for-inode_getsecctx.patch lsm-fix-default-return-value-for-vm_enough_memory.patch media-ccs-correctly-initialise-try-compose-rectangle.patch media-lirc-drop-trailing-space-from-scancode-transmit.patch media-sharp-fix-sharp-encoding.patch media-venus-hfi-add-checks-to-handle-capabilities-from-firmware.patch media-venus-hfi-fix-the-check-to-handle-session-buffer-requirement.patch media-venus-hfi_parser-add-check-to-keep-the-number-of-codecs-within-range.patch mmc-sdhci-pci-gli-a-workaround-to-allow-gl9750-to-enter-aspm-l1.2.patch net-dsa-lan9303-consequently-nested-lock-physical-mdio.patch net-ethtool-fix-documentation-of-ethtool_sprintf.patch net-phylink-initialize-carrier-state-at-creation.patch nfsd-fix-file-memleak-on-client_opens_release.patch nfsd-update-nfsd_cache_append-to-use-xdr_stream.patch revert-i2c-pxa-move-to-generic-gpio-recovery.patch revert-ncsi-propagate-carrier-gain-loss-events-to-the-ncsi-controller.patch riscv-correct-pt_level-name-via-pgtable_l5-4_enabled.patch riscv-kprobes-allow-writing-to-x0.patch riscv-mm-update-the-comment-of-config_page_offset.patch riscv-put-interrupt-entries-into-.irqentry.text.patch riscv-using-toolchain_has_zihintpause-marco-replace-zihintpause.patch s390-ap-fix-ap-bus-crash-on-early-config-change-callback-invocation.patch sbsa_gwdt-calculate-timeout-with-64-bit-math.patch --- diff --git a/queue-6.5/dm-bufio-fix-no-sleep-mode.patch b/queue-6.5/dm-bufio-fix-no-sleep-mode.patch new file mode 100644 index 00000000000..b263c81332f --- /dev/null +++ b/queue-6.5/dm-bufio-fix-no-sleep-mode.patch @@ -0,0 +1,245 @@ +From 2a695062a5a42aead8c539a344168d4806b3fda2 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Fri, 17 Nov 2023 18:36:34 +0100 +Subject: dm-bufio: fix no-sleep mode + +From: Mikulas Patocka + +commit 2a695062a5a42aead8c539a344168d4806b3fda2 upstream. + +dm-bufio has a no-sleep mode. When activated (with the +DM_BUFIO_CLIENT_NO_SLEEP flag), the bufio client is read-only and we +could call dm_bufio_get from tasklets. This is used by dm-verity. + +Unfortunately, commit 450e8dee51aa ("dm bufio: improve concurrent IO +performance") broke this and the kernel would warn that cache_get() +was calling down_read() from no-sleeping context. The bug can be +reproduced by using "veritysetup open" with the "--use-tasklets" +flag. + +This commit fixes dm-bufio, so that the tasklet mode works again, by +expanding use of the 'no_sleep_enabled' static_key to conditionally +use either a rw_semaphore or rwlock_t (which are colocated in the +buffer_tree structure using a union). + +Signed-off-by: Mikulas Patocka +Cc: stable@vger.kernel.org # v6.4 +Fixes: 450e8dee51aa ("dm bufio: improve concurrent IO performance") +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-bufio.c | 87 ++++++++++++++++++++++++++++++------------- + 1 file changed, 62 insertions(+), 25 deletions(-) + +diff --git a/drivers/md/dm-bufio.c b/drivers/md/dm-bufio.c +index 62eb27639c9b..f03d7dba270c 100644 +--- a/drivers/md/dm-bufio.c ++++ b/drivers/md/dm-bufio.c +@@ -254,7 +254,7 @@ enum evict_result { + + typedef enum evict_result (*le_predicate)(struct lru_entry *le, void *context); + +-static struct lru_entry *lru_evict(struct lru *lru, le_predicate pred, void *context) ++static struct lru_entry *lru_evict(struct lru *lru, le_predicate pred, void *context, bool no_sleep) + { + unsigned long tested = 0; + struct list_head *h = lru->cursor; +@@ -295,7 +295,8 @@ static struct lru_entry *lru_evict(struct lru *lru, le_predicate pred, void *con + + h = h->next; + +- cond_resched(); ++ if (!no_sleep) ++ cond_resched(); + } + + return NULL; +@@ -382,7 +383,10 @@ struct dm_buffer { + */ + + struct buffer_tree { +- struct rw_semaphore lock; ++ union { ++ struct rw_semaphore lock; ++ rwlock_t spinlock; ++ } u; + struct rb_root root; + } ____cacheline_aligned_in_smp; + +@@ -393,9 +397,12 @@ struct dm_buffer_cache { + * on the locks. + */ + unsigned int num_locks; ++ bool no_sleep; + struct buffer_tree trees[]; + }; + ++static DEFINE_STATIC_KEY_FALSE(no_sleep_enabled); ++ + static inline unsigned int cache_index(sector_t block, unsigned int num_locks) + { + return dm_hash_locks_index(block, num_locks); +@@ -403,22 +410,34 @@ static inline unsigned int cache_index(sector_t block, unsigned int num_locks) + + static inline void cache_read_lock(struct dm_buffer_cache *bc, sector_t block) + { +- down_read(&bc->trees[cache_index(block, bc->num_locks)].lock); ++ if (static_branch_unlikely(&no_sleep_enabled) && bc->no_sleep) ++ read_lock_bh(&bc->trees[cache_index(block, bc->num_locks)].u.spinlock); ++ else ++ down_read(&bc->trees[cache_index(block, bc->num_locks)].u.lock); + } + + static inline void cache_read_unlock(struct dm_buffer_cache *bc, sector_t block) + { +- up_read(&bc->trees[cache_index(block, bc->num_locks)].lock); ++ if (static_branch_unlikely(&no_sleep_enabled) && bc->no_sleep) ++ read_unlock_bh(&bc->trees[cache_index(block, bc->num_locks)].u.spinlock); ++ else ++ up_read(&bc->trees[cache_index(block, bc->num_locks)].u.lock); + } + + static inline void cache_write_lock(struct dm_buffer_cache *bc, sector_t block) + { +- down_write(&bc->trees[cache_index(block, bc->num_locks)].lock); ++ if (static_branch_unlikely(&no_sleep_enabled) && bc->no_sleep) ++ write_lock_bh(&bc->trees[cache_index(block, bc->num_locks)].u.spinlock); ++ else ++ down_write(&bc->trees[cache_index(block, bc->num_locks)].u.lock); + } + + static inline void cache_write_unlock(struct dm_buffer_cache *bc, sector_t block) + { +- up_write(&bc->trees[cache_index(block, bc->num_locks)].lock); ++ if (static_branch_unlikely(&no_sleep_enabled) && bc->no_sleep) ++ write_unlock_bh(&bc->trees[cache_index(block, bc->num_locks)].u.spinlock); ++ else ++ up_write(&bc->trees[cache_index(block, bc->num_locks)].u.lock); + } + + /* +@@ -442,18 +461,32 @@ static void lh_init(struct lock_history *lh, struct dm_buffer_cache *cache, bool + + static void __lh_lock(struct lock_history *lh, unsigned int index) + { +- if (lh->write) +- down_write(&lh->cache->trees[index].lock); +- else +- down_read(&lh->cache->trees[index].lock); ++ if (lh->write) { ++ if (static_branch_unlikely(&no_sleep_enabled) && lh->cache->no_sleep) ++ write_lock_bh(&lh->cache->trees[index].u.spinlock); ++ else ++ down_write(&lh->cache->trees[index].u.lock); ++ } else { ++ if (static_branch_unlikely(&no_sleep_enabled) && lh->cache->no_sleep) ++ read_lock_bh(&lh->cache->trees[index].u.spinlock); ++ else ++ down_read(&lh->cache->trees[index].u.lock); ++ } + } + + static void __lh_unlock(struct lock_history *lh, unsigned int index) + { +- if (lh->write) +- up_write(&lh->cache->trees[index].lock); +- else +- up_read(&lh->cache->trees[index].lock); ++ if (lh->write) { ++ if (static_branch_unlikely(&no_sleep_enabled) && lh->cache->no_sleep) ++ write_unlock_bh(&lh->cache->trees[index].u.spinlock); ++ else ++ up_write(&lh->cache->trees[index].u.lock); ++ } else { ++ if (static_branch_unlikely(&no_sleep_enabled) && lh->cache->no_sleep) ++ read_unlock_bh(&lh->cache->trees[index].u.spinlock); ++ else ++ up_read(&lh->cache->trees[index].u.lock); ++ } + } + + /* +@@ -502,14 +535,18 @@ static struct dm_buffer *list_to_buffer(struct list_head *l) + return le_to_buffer(le); + } + +-static void cache_init(struct dm_buffer_cache *bc, unsigned int num_locks) ++static void cache_init(struct dm_buffer_cache *bc, unsigned int num_locks, bool no_sleep) + { + unsigned int i; + + bc->num_locks = num_locks; ++ bc->no_sleep = no_sleep; + + for (i = 0; i < bc->num_locks; i++) { +- init_rwsem(&bc->trees[i].lock); ++ if (no_sleep) ++ rwlock_init(&bc->trees[i].u.spinlock); ++ else ++ init_rwsem(&bc->trees[i].u.lock); + bc->trees[i].root = RB_ROOT; + } + +@@ -648,7 +685,7 @@ static struct dm_buffer *__cache_evict(struct dm_buffer_cache *bc, int list_mode + struct lru_entry *le; + struct dm_buffer *b; + +- le = lru_evict(&bc->lru[list_mode], __evict_pred, &w); ++ le = lru_evict(&bc->lru[list_mode], __evict_pred, &w, bc->no_sleep); + if (!le) + return NULL; + +@@ -702,7 +739,7 @@ static void __cache_mark_many(struct dm_buffer_cache *bc, int old_mode, int new_ + struct evict_wrapper w = {.lh = lh, .pred = pred, .context = context}; + + while (true) { +- le = lru_evict(&bc->lru[old_mode], __evict_pred, &w); ++ le = lru_evict(&bc->lru[old_mode], __evict_pred, &w, bc->no_sleep); + if (!le) + break; + +@@ -915,10 +952,11 @@ static void cache_remove_range(struct dm_buffer_cache *bc, + { + unsigned int i; + ++ BUG_ON(bc->no_sleep); + for (i = 0; i < bc->num_locks; i++) { +- down_write(&bc->trees[i].lock); ++ down_write(&bc->trees[i].u.lock); + __remove_range(bc, &bc->trees[i].root, begin, end, pred, release); +- up_write(&bc->trees[i].lock); ++ up_write(&bc->trees[i].u.lock); + } + } + +@@ -979,8 +1017,6 @@ struct dm_bufio_client { + struct dm_buffer_cache cache; /* must be last member */ + }; + +-static DEFINE_STATIC_KEY_FALSE(no_sleep_enabled); +- + /*----------------------------------------------------------------*/ + + #define dm_bufio_in_request() (!!current->bio_list) +@@ -1871,7 +1907,8 @@ static void *new_read(struct dm_bufio_client *c, sector_t block, + if (need_submit) + submit_io(b, REQ_OP_READ, read_endio); + +- wait_on_bit_io(&b->state, B_READING, TASK_UNINTERRUPTIBLE); ++ if (nf != NF_GET) /* we already tested this condition above */ ++ wait_on_bit_io(&b->state, B_READING, TASK_UNINTERRUPTIBLE); + + if (b->read_error) { + int error = blk_status_to_errno(b->read_error); +@@ -2421,7 +2458,7 @@ struct dm_bufio_client *dm_bufio_client_create(struct block_device *bdev, unsign + r = -ENOMEM; + goto bad_client; + } +- cache_init(&c->cache, num_locks); ++ cache_init(&c->cache, num_locks, (flags & DM_BUFIO_CLIENT_NO_SLEEP) != 0); + + c->bdev = bdev; + c->block_size = block_size; +-- +2.43.0 + diff --git a/queue-6.5/dm-verity-don-t-use-blocking-calls-from-tasklets.patch b/queue-6.5/dm-verity-don-t-use-blocking-calls-from-tasklets.patch new file mode 100644 index 00000000000..5314eabd506 --- /dev/null +++ b/queue-6.5/dm-verity-don-t-use-blocking-calls-from-tasklets.patch @@ -0,0 +1,175 @@ +From 28f07f2ab4b3a2714f1fefcc58ada4bcc195f806 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Fri, 17 Nov 2023 18:37:25 +0100 +Subject: dm-verity: don't use blocking calls from tasklets + +From: Mikulas Patocka + +commit 28f07f2ab4b3a2714f1fefcc58ada4bcc195f806 upstream. + +The commit 5721d4e5a9cd enhanced dm-verity, so that it can verify blocks +from tasklets rather than from workqueues. This reportedly improves +performance significantly. + +However, dm-verity was using the flag CRYPTO_TFM_REQ_MAY_SLEEP from +tasklets which resulted in warnings about sleeping function being called +from non-sleeping context. + +BUG: sleeping function called from invalid context at crypto/internal.h:206 +in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 14, name: ksoftirqd/0 +preempt_count: 100, expected: 0 +RCU nest depth: 0, expected: 0 +CPU: 0 PID: 14 Comm: ksoftirqd/0 Tainted: G W 6.7.0-rc1 #1 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014 +Call Trace: + + dump_stack_lvl+0x32/0x50 + __might_resched+0x110/0x160 + crypto_hash_walk_done+0x54/0xb0 + shash_ahash_update+0x51/0x60 + verity_hash_update.isra.0+0x4a/0x130 [dm_verity] + verity_verify_io+0x165/0x550 [dm_verity] + ? free_unref_page+0xdf/0x170 + ? psi_group_change+0x113/0x390 + verity_tasklet+0xd/0x70 [dm_verity] + tasklet_action_common.isra.0+0xb3/0xc0 + __do_softirq+0xaf/0x1ec + ? smpboot_thread_fn+0x1d/0x200 + ? sort_range+0x20/0x20 + run_ksoftirqd+0x15/0x30 + smpboot_thread_fn+0xed/0x200 + kthread+0xdc/0x110 + ? kthread_complete_and_exit+0x20/0x20 + ret_from_fork+0x28/0x40 + ? kthread_complete_and_exit+0x20/0x20 + ret_from_fork_asm+0x11/0x20 + + +This commit fixes dm-verity so that it doesn't use the flags +CRYPTO_TFM_REQ_MAY_SLEEP and CRYPTO_TFM_REQ_MAY_BACKLOG from tasklets. The +crypto API would do GFP_ATOMIC allocation instead, it could return -ENOMEM +and we catch -ENOMEM in verity_tasklet and requeue the request to the +workqueue. + +Signed-off-by: Mikulas Patocka +Cc: stable@vger.kernel.org # v6.0+ +Fixes: 5721d4e5a9cd ("dm verity: Add optional "try_verify_in_tasklet" feature") +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-verity-fec.c | 4 ++-- + drivers/md/dm-verity-target.c | 23 ++++++++++++----------- + drivers/md/dm-verity.h | 2 +- + 3 files changed, 15 insertions(+), 14 deletions(-) + +--- a/drivers/md/dm-verity-fec.c ++++ b/drivers/md/dm-verity-fec.c +@@ -185,7 +185,7 @@ static int fec_is_erasure(struct dm_veri + { + if (unlikely(verity_hash(v, verity_io_hash_req(v, io), + data, 1 << v->data_dev_block_bits, +- verity_io_real_digest(v, io)))) ++ verity_io_real_digest(v, io), true))) + return 0; + + return memcmp(verity_io_real_digest(v, io), want_digest, +@@ -386,7 +386,7 @@ static int fec_decode_rsb(struct dm_veri + /* Always re-validate the corrected block against the expected hash */ + r = verity_hash(v, verity_io_hash_req(v, io), fio->output, + 1 << v->data_dev_block_bits, +- verity_io_real_digest(v, io)); ++ verity_io_real_digest(v, io), true); + if (unlikely(r < 0)) + return r; + +--- a/drivers/md/dm-verity-target.c ++++ b/drivers/md/dm-verity-target.c +@@ -135,20 +135,21 @@ static int verity_hash_update(struct dm_ + * Wrapper for crypto_ahash_init, which handles verity salting. + */ + static int verity_hash_init(struct dm_verity *v, struct ahash_request *req, +- struct crypto_wait *wait) ++ struct crypto_wait *wait, bool may_sleep) + { + int r; + + ahash_request_set_tfm(req, v->tfm); +- ahash_request_set_callback(req, CRYPTO_TFM_REQ_MAY_SLEEP | +- CRYPTO_TFM_REQ_MAY_BACKLOG, +- crypto_req_done, (void *)wait); ++ ahash_request_set_callback(req, ++ may_sleep ? CRYPTO_TFM_REQ_MAY_SLEEP | CRYPTO_TFM_REQ_MAY_BACKLOG : 0, ++ crypto_req_done, (void *)wait); + crypto_init_wait(wait); + + r = crypto_wait_req(crypto_ahash_init(req), wait); + + if (unlikely(r < 0)) { +- DMERR("crypto_ahash_init failed: %d", r); ++ if (r != -ENOMEM) ++ DMERR("crypto_ahash_init failed: %d", r); + return r; + } + +@@ -179,12 +180,12 @@ out: + } + + int verity_hash(struct dm_verity *v, struct ahash_request *req, +- const u8 *data, size_t len, u8 *digest) ++ const u8 *data, size_t len, u8 *digest, bool may_sleep) + { + int r; + struct crypto_wait wait; + +- r = verity_hash_init(v, req, &wait); ++ r = verity_hash_init(v, req, &wait, may_sleep); + if (unlikely(r < 0)) + goto out; + +@@ -322,7 +323,7 @@ static int verity_verify_level(struct dm + + r = verity_hash(v, verity_io_hash_req(v, io), + data, 1 << v->hash_dev_block_bits, +- verity_io_real_digest(v, io)); ++ verity_io_real_digest(v, io), !io->in_tasklet); + if (unlikely(r < 0)) + goto release_ret_r; + +@@ -556,7 +557,7 @@ static int verity_verify_io(struct dm_ve + continue; + } + +- r = verity_hash_init(v, req, &wait); ++ r = verity_hash_init(v, req, &wait, !io->in_tasklet); + if (unlikely(r < 0)) + return r; + +@@ -652,7 +653,7 @@ static void verity_tasklet(unsigned long + + io->in_tasklet = true; + err = verity_verify_io(io); +- if (err == -EAGAIN) { ++ if (err == -EAGAIN || err == -ENOMEM) { + /* fallback to retrying with work-queue */ + INIT_WORK(&io->work, verity_work); + queue_work(io->v->verify_wq, &io->work); +@@ -1033,7 +1034,7 @@ static int verity_alloc_zero_digest(stru + goto out; + + r = verity_hash(v, req, zero_data, 1 << v->data_dev_block_bits, +- v->zero_digest); ++ v->zero_digest, true); + + out: + kfree(req); +--- a/drivers/md/dm-verity.h ++++ b/drivers/md/dm-verity.h +@@ -128,7 +128,7 @@ extern int verity_for_bv_block(struct dm + u8 *data, size_t len)); + + extern int verity_hash(struct dm_verity *v, struct ahash_request *req, +- const u8 *data, size_t len, u8 *digest); ++ const u8 *data, size_t len, u8 *digest, bool may_sleep); + + extern int verity_hash_for_block(struct dm_verity *v, struct dm_verity_io *io, + sector_t block, u8 *digest, bool *is_zero); diff --git a/queue-6.5/drm-mediatek-dp-fix-memory-leak-on-get_edid-callback-audio-detection.patch b/queue-6.5/drm-mediatek-dp-fix-memory-leak-on-get_edid-callback-audio-detection.patch new file mode 100644 index 00000000000..3e76975f6eb --- /dev/null +++ b/queue-6.5/drm-mediatek-dp-fix-memory-leak-on-get_edid-callback-audio-detection.patch @@ -0,0 +1,55 @@ +From dab12fa8d2bd3868cf2de485ed15a3feef28a13d Mon Sep 17 00:00:00 2001 +From: Jani Nikula +Date: Thu, 14 Sep 2023 18:53:17 +0300 +Subject: drm/mediatek/dp: fix memory leak on ->get_edid callback audio detection + +From: Jani Nikula + +commit dab12fa8d2bd3868cf2de485ed15a3feef28a13d upstream. + +The sads returned by drm_edid_to_sad() needs to be freed. + +Fixes: e71a8ebbe086 ("drm/mediatek: dp: Audio support for MT8195") +Cc: Guillaume Ranquet +Cc: Bo-Chen Chen +Cc: AngeloGioacchino Del Regno +Cc: Dmitry Osipenko +Cc: Chun-Kuang Hu +Cc: Philipp Zabel +Cc: Matthias Brugger +Cc: dri-devel@lists.freedesktop.org +Cc: linux-mediatek@lists.infradead.org +Cc: linux-kernel@vger.kernel.org +Cc: linux-arm-kernel@lists.infradead.org +Cc: # v6.1+ +Signed-off-by: Jani Nikula +Reviewed-by: Chen-Yu Tsai +Link: https://patchwork.kernel.org/project/dri-devel/patch/20230914155317.2511876-1-jani.nikula@intel.com/ +Signed-off-by: Chun-Kuang Hu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/mediatek/mtk_dp.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/mediatek/mtk_dp.c ++++ b/drivers/gpu/drm/mediatek/mtk_dp.c +@@ -1983,7 +1983,6 @@ static struct edid *mtk_dp_get_edid(stru + bool enabled = mtk_dp->enabled; + struct edid *new_edid = NULL; + struct mtk_dp_audio_cfg *audio_caps = &mtk_dp->info.audio_cur_cfg; +- struct cea_sad *sads; + + if (!enabled) { + drm_atomic_bridge_chain_pre_enable(bridge, connector->state->state); +@@ -2010,7 +2009,11 @@ static struct edid *mtk_dp_get_edid(stru + } + + if (new_edid) { ++ struct cea_sad *sads; ++ + audio_caps->sad_count = drm_edid_to_sad(new_edid, &sads); ++ kfree(sads); ++ + audio_caps->detect_monitor = drm_detect_monitor_audio(new_edid); + } + diff --git a/queue-6.5/drm-mediatek-dp-fix-memory-leak-on-get_edid-callback-error-path.patch b/queue-6.5/drm-mediatek-dp-fix-memory-leak-on-get_edid-callback-error-path.patch new file mode 100644 index 00000000000..e2455527d2d --- /dev/null +++ b/queue-6.5/drm-mediatek-dp-fix-memory-leak-on-get_edid-callback-error-path.patch @@ -0,0 +1,45 @@ +From fcaf9761fd5884a64eaac48536f8c27ecfd2e6bc Mon Sep 17 00:00:00 2001 +From: Jani Nikula +Date: Thu, 14 Sep 2023 16:10:58 +0300 +Subject: drm/mediatek/dp: fix memory leak on ->get_edid callback error path + +From: Jani Nikula + +commit fcaf9761fd5884a64eaac48536f8c27ecfd2e6bc upstream. + +Setting new_edid to NULL leaks the buffer. + +Fixes: f70ac097a2cf ("drm/mediatek: Add MT8195 Embedded DisplayPort driver") +Cc: Markus Schneider-Pargmann +Cc: Guillaume Ranquet +Cc: Bo-Chen Chen +Cc: CK Hu +Cc: AngeloGioacchino Del Regno +Cc: Dmitry Osipenko +Cc: Chun-Kuang Hu +Cc: Philipp Zabel +Cc: Matthias Brugger +Cc: dri-devel@lists.freedesktop.org +Cc: linux-mediatek@lists.infradead.org +Cc: linux-kernel@vger.kernel.org +Cc: linux-arm-kernel@lists.infradead.org +Cc: # v6.1+ +Signed-off-by: Jani Nikula +Reviewed-by: Guillaume Ranquet +Link: https://patchwork.kernel.org/project/dri-devel/patch/20230914131058.2472260-1-jani.nikula@intel.com/ +Signed-off-by: Chun-Kuang Hu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/mediatek/mtk_dp.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpu/drm/mediatek/mtk_dp.c ++++ b/drivers/gpu/drm/mediatek/mtk_dp.c +@@ -2005,6 +2005,7 @@ static struct edid *mtk_dp_get_edid(stru + */ + if (mtk_dp_parse_capabilities(mtk_dp)) { + drm_err(mtk_dp->drm_dev, "Can't parse capabilities\n"); ++ kfree(new_edid); + new_edid = NULL; + } + diff --git a/queue-6.5/f2fs-avoid-format-overflow-warning.patch b/queue-6.5/f2fs-avoid-format-overflow-warning.patch new file mode 100644 index 00000000000..2d99b4dd40f --- /dev/null +++ b/queue-6.5/f2fs-avoid-format-overflow-warning.patch @@ -0,0 +1,46 @@ +From e0d4e8acb3789c5a8651061fbab62ca24a45c063 Mon Sep 17 00:00:00 2001 +From: Su Hui +Date: Sun, 8 Oct 2023 14:39:30 +0800 +Subject: f2fs: avoid format-overflow warning +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Su Hui + +commit e0d4e8acb3789c5a8651061fbab62ca24a45c063 upstream. + +With gcc and W=1 option, there's a warning like this: + +fs/f2fs/compress.c: In function ‘f2fs_init_page_array_cache’: +fs/f2fs/compress.c:1984:47: error: ‘%u’ directive writing between +1 and 7 bytes into a region of size between 5 and 8 +[-Werror=format-overflow=] + 1984 | sprintf(slab_name, "f2fs_page_array_entry-%u:%u", MAJOR(dev), + MINOR(dev)); + | ^~ + +String "f2fs_page_array_entry-%u:%u" can up to 35. The first "%u" can up +to 4 and the second "%u" can up to 7, so total size is "24 + 4 + 7 = 35". +slab_name's size should be 35 rather than 32. + +Cc: stable@vger.kernel.org +Signed-off-by: Su Hui +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/compress.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/f2fs/compress.c ++++ b/fs/f2fs/compress.c +@@ -1988,7 +1988,7 @@ void f2fs_destroy_compress_inode(struct + int f2fs_init_page_array_cache(struct f2fs_sb_info *sbi) + { + dev_t dev = sbi->sb->s_bdev->bd_dev; +- char slab_name[32]; ++ char slab_name[35]; + + if (!f2fs_sb_has_compression(sbi)) + return 0; diff --git a/queue-6.5/f2fs-do-not-return-efscorrupted-but-try-to-run-online-repair.patch b/queue-6.5/f2fs-do-not-return-efscorrupted-but-try-to-run-online-repair.patch new file mode 100644 index 00000000000..a4c37169fdb --- /dev/null +++ b/queue-6.5/f2fs-do-not-return-efscorrupted-but-try-to-run-online-repair.patch @@ -0,0 +1,89 @@ +From 50a472bbc79ff9d5a88be8019a60e936cadf9f13 Mon Sep 17 00:00:00 2001 +From: Jaegeuk Kim +Date: Thu, 19 Oct 2023 15:51:08 -0700 +Subject: f2fs: do not return EFSCORRUPTED, but try to run online repair + +From: Jaegeuk Kim + +commit 50a472bbc79ff9d5a88be8019a60e936cadf9f13 upstream. + +If we return the error, there's no way to recover the status as of now, since +fsck does not fix the xattr boundary issue. + +Cc: stable@vger.kernel.org +Signed-off-by: Jaegeuk Kim +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/node.c | 4 +++- + fs/f2fs/xattr.c | 20 +++++++++++++------- + 2 files changed, 16 insertions(+), 8 deletions(-) + +--- a/fs/f2fs/node.c ++++ b/fs/f2fs/node.c +@@ -2751,7 +2751,9 @@ recover_xnid: + f2fs_update_inode_page(inode); + + /* 3: update and set xattr node page dirty */ +- memcpy(F2FS_NODE(xpage), F2FS_NODE(page), VALID_XATTR_BLOCK_SIZE); ++ if (page) ++ memcpy(F2FS_NODE(xpage), F2FS_NODE(page), ++ VALID_XATTR_BLOCK_SIZE); + + set_page_dirty(xpage); + f2fs_put_page(xpage, 1); +--- a/fs/f2fs/xattr.c ++++ b/fs/f2fs/xattr.c +@@ -364,10 +364,10 @@ static int lookup_all_xattrs(struct inod + + *xe = __find_xattr(cur_addr, last_txattr_addr, NULL, index, len, name); + if (!*xe) { +- f2fs_err(F2FS_I_SB(inode), "inode (%lu) has corrupted xattr", ++ f2fs_err(F2FS_I_SB(inode), "lookup inode (%lu) has corrupted xattr", + inode->i_ino); + set_sbi_flag(F2FS_I_SB(inode), SBI_NEED_FSCK); +- err = -EFSCORRUPTED; ++ err = -ENODATA; + f2fs_handle_error(F2FS_I_SB(inode), + ERROR_CORRUPTED_XATTR); + goto out; +@@ -584,13 +584,12 @@ ssize_t f2fs_listxattr(struct dentry *de + + if ((void *)(entry) + sizeof(__u32) > last_base_addr || + (void *)XATTR_NEXT_ENTRY(entry) > last_base_addr) { +- f2fs_err(F2FS_I_SB(inode), "inode (%lu) has corrupted xattr", ++ f2fs_err(F2FS_I_SB(inode), "list inode (%lu) has corrupted xattr", + inode->i_ino); + set_sbi_flag(F2FS_I_SB(inode), SBI_NEED_FSCK); +- error = -EFSCORRUPTED; + f2fs_handle_error(F2FS_I_SB(inode), + ERROR_CORRUPTED_XATTR); +- goto cleanup; ++ break; + } + + if (!prefix) +@@ -650,7 +649,7 @@ static int __f2fs_setxattr(struct inode + + if (size > MAX_VALUE_LEN(inode)) + return -E2BIG; +- ++retry: + error = read_all_xattrs(inode, ipage, &base_addr); + if (error) + return error; +@@ -660,7 +659,14 @@ static int __f2fs_setxattr(struct inode + /* find entry with wanted name. */ + here = __find_xattr(base_addr, last_base_addr, NULL, index, len, name); + if (!here) { +- f2fs_err(F2FS_I_SB(inode), "inode (%lu) has corrupted xattr", ++ if (!F2FS_I(inode)->i_xattr_nid) { ++ f2fs_notice(F2FS_I_SB(inode), ++ "recover xattr in inode (%lu)", inode->i_ino); ++ f2fs_recover_xattr_data(inode, NULL); ++ kfree(base_addr); ++ goto retry; ++ } ++ f2fs_err(F2FS_I_SB(inode), "set inode (%lu) has corrupted xattr", + inode->i_ino); + set_sbi_flag(F2FS_I_SB(inode), SBI_NEED_FSCK); + error = -EFSCORRUPTED; diff --git a/queue-6.5/f2fs-set-the-default-compress_level-on-ioctl.patch b/queue-6.5/f2fs-set-the-default-compress_level-on-ioctl.patch new file mode 100644 index 00000000000..6d70519938d --- /dev/null +++ b/queue-6.5/f2fs-set-the-default-compress_level-on-ioctl.patch @@ -0,0 +1,42 @@ +From f5f3bd903a5d3e3b2ba89f11e0e29db25e60c048 Mon Sep 17 00:00:00 2001 +From: Jaegeuk Kim +Date: Fri, 8 Sep 2023 15:41:42 -0700 +Subject: f2fs: set the default compress_level on ioctl + +From: Jaegeuk Kim + +commit f5f3bd903a5d3e3b2ba89f11e0e29db25e60c048 upstream. + +Otherwise, we'll get a broken inode. + + # touch $FILE + # f2fs_io setflags compression $FILE + # f2fs_io set_coption 2 8 $FILE + +[ 112.227612] F2FS-fs (dm-51): sanity_check_compress_inode: inode (ino=8d3fe) has unsupported compress level: 0, run fsck to fix + +Cc: stable@vger.kernel.org +Signed-off-by: Jaegeuk Kim +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/file.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/fs/f2fs/file.c ++++ b/fs/f2fs/file.c +@@ -4006,6 +4006,15 @@ static int f2fs_ioc_set_compress_option( + F2FS_I(inode)->i_compress_algorithm = option.algorithm; + F2FS_I(inode)->i_log_cluster_size = option.log_cluster_size; + F2FS_I(inode)->i_cluster_size = BIT(option.log_cluster_size); ++ /* Set default level */ ++ if (F2FS_I(inode)->i_compress_algorithm == COMPRESS_ZSTD) ++ F2FS_I(inode)->i_compress_level = F2FS_ZSTD_DEFAULT_CLEVEL; ++ else ++ F2FS_I(inode)->i_compress_level = 0; ++ /* Adjust mount option level */ ++ if (option.algorithm == F2FS_OPTION(sbi).compress_algorithm && ++ F2FS_OPTION(sbi).compress_level) ++ F2FS_I(inode)->i_compress_level = F2FS_OPTION(sbi).compress_level; + f2fs_mark_inode_dirty_sync(inode, true); + + if (!f2fs_is_compress_backend_ready(inode)) diff --git a/queue-6.5/f2fs-split-initial-and-dynamic-conditions-for-extent_cache.patch b/queue-6.5/f2fs-split-initial-and-dynamic-conditions-for-extent_cache.patch new file mode 100644 index 00000000000..3df0d984f78 --- /dev/null +++ b/queue-6.5/f2fs-split-initial-and-dynamic-conditions-for-extent_cache.patch @@ -0,0 +1,133 @@ +From f803982190f0265fd36cf84670aa6daefc2b0768 Mon Sep 17 00:00:00 2001 +From: Jaegeuk Kim +Date: Thu, 7 Sep 2023 11:11:00 -0700 +Subject: f2fs: split initial and dynamic conditions for extent_cache + +From: Jaegeuk Kim + +commit f803982190f0265fd36cf84670aa6daefc2b0768 upstream. + +Let's allocate the extent_cache tree without dynamic conditions to avoid a +missing condition causing a panic as below. + + # create a file w/ a compressed flag + # disable the compression + # panic while updating extent_cache + +F2FS-fs (dm-64): Swapfile: last extent is not aligned to section +F2FS-fs (dm-64): Swapfile (3) is not align to section: 1) creat(), 2) ioctl(F2FS_IOC_SET_PIN_FILE), 3) fallocate(2097152 * N) +Adding 124996k swap on ./swap-file. Priority:0 extents:2 across:17179494468k +================================================================== +BUG: KASAN: null-ptr-deref in instrument_atomic_read_write out/common/include/linux/instrumented.h:101 [inline] +BUG: KASAN: null-ptr-deref in atomic_try_cmpxchg_acquire out/common/include/asm-generic/atomic-instrumented.h:705 [inline] +BUG: KASAN: null-ptr-deref in queued_write_lock out/common/include/asm-generic/qrwlock.h:92 [inline] +BUG: KASAN: null-ptr-deref in __raw_write_lock out/common/include/linux/rwlock_api_smp.h:211 [inline] +BUG: KASAN: null-ptr-deref in _raw_write_lock+0x5a/0x110 out/common/kernel/locking/spinlock.c:295 +Write of size 4 at addr 0000000000000030 by task syz-executor154/3327 + +CPU: 0 PID: 3327 Comm: syz-executor154 Tainted: G O 5.10.185 #1 +Hardware name: emulation qemu-x86/qemu-x86, BIOS 2023.01-21885-gb3cc1cd24d 01/01/2023 +Call Trace: + __dump_stack out/common/lib/dump_stack.c:77 [inline] + dump_stack_lvl+0x17e/0x1c4 out/common/lib/dump_stack.c:118 + __kasan_report+0x16c/0x260 out/common/mm/kasan/report.c:415 + kasan_report+0x51/0x70 out/common/mm/kasan/report.c:428 + kasan_check_range+0x2f3/0x340 out/common/mm/kasan/generic.c:186 + __kasan_check_write+0x14/0x20 out/common/mm/kasan/shadow.c:37 + instrument_atomic_read_write out/common/include/linux/instrumented.h:101 [inline] + atomic_try_cmpxchg_acquire out/common/include/asm-generic/atomic-instrumented.h:705 [inline] + queued_write_lock out/common/include/asm-generic/qrwlock.h:92 [inline] + __raw_write_lock out/common/include/linux/rwlock_api_smp.h:211 [inline] + _raw_write_lock+0x5a/0x110 out/common/kernel/locking/spinlock.c:295 + __drop_extent_tree+0xdf/0x2f0 out/common/fs/f2fs/extent_cache.c:1155 + f2fs_drop_extent_tree+0x17/0x30 out/common/fs/f2fs/extent_cache.c:1172 + f2fs_insert_range out/common/fs/f2fs/file.c:1600 [inline] + f2fs_fallocate+0x19fd/0x1f40 out/common/fs/f2fs/file.c:1764 + vfs_fallocate+0x514/0x9b0 out/common/fs/open.c:310 + ksys_fallocate out/common/fs/open.c:333 [inline] + __do_sys_fallocate out/common/fs/open.c:341 [inline] + __se_sys_fallocate out/common/fs/open.c:339 [inline] + __x64_sys_fallocate+0xb8/0x100 out/common/fs/open.c:339 + do_syscall_64+0x35/0x50 out/common/arch/x86/entry/common.c:46 + +Cc: stable@vger.kernel.org +Fixes: 72840cccc0a1 ("f2fs: allocate the extent_cache by default") +Reported-and-tested-by: syzbot+d342e330a37b48c094b7@syzkaller.appspotmail.com +Signed-off-by: Jaegeuk Kim +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/extent_cache.c | 53 +++++++++++++++++++------------------------------ + 1 file changed, 21 insertions(+), 32 deletions(-) + +--- a/fs/f2fs/extent_cache.c ++++ b/fs/f2fs/extent_cache.c +@@ -74,40 +74,14 @@ static void __set_extent_info(struct ext + } + } + +-static bool __may_read_extent_tree(struct inode *inode) +-{ +- struct f2fs_sb_info *sbi = F2FS_I_SB(inode); +- +- if (!test_opt(sbi, READ_EXTENT_CACHE)) +- return false; +- if (is_inode_flag_set(inode, FI_NO_EXTENT)) +- return false; +- if (is_inode_flag_set(inode, FI_COMPRESSED_FILE) && +- !f2fs_sb_has_readonly(sbi)) +- return false; +- return S_ISREG(inode->i_mode); +-} +- +-static bool __may_age_extent_tree(struct inode *inode) +-{ +- struct f2fs_sb_info *sbi = F2FS_I_SB(inode); +- +- if (!test_opt(sbi, AGE_EXTENT_CACHE)) +- return false; +- if (is_inode_flag_set(inode, FI_COMPRESSED_FILE)) +- return false; +- if (file_is_cold(inode)) +- return false; +- +- return S_ISREG(inode->i_mode) || S_ISDIR(inode->i_mode); +-} +- + static bool __init_may_extent_tree(struct inode *inode, enum extent_type type) + { + if (type == EX_READ) +- return __may_read_extent_tree(inode); +- else if (type == EX_BLOCK_AGE) +- return __may_age_extent_tree(inode); ++ return test_opt(F2FS_I_SB(inode), READ_EXTENT_CACHE) && ++ S_ISREG(inode->i_mode); ++ if (type == EX_BLOCK_AGE) ++ return test_opt(F2FS_I_SB(inode), AGE_EXTENT_CACHE) && ++ (S_ISREG(inode->i_mode) || S_ISDIR(inode->i_mode)); + return false; + } + +@@ -120,7 +94,22 @@ static bool __may_extent_tree(struct ino + if (list_empty(&F2FS_I_SB(inode)->s_list)) + return false; + +- return __init_may_extent_tree(inode, type); ++ if (!__init_may_extent_tree(inode, type)) ++ return false; ++ ++ if (type == EX_READ) { ++ if (is_inode_flag_set(inode, FI_NO_EXTENT)) ++ return false; ++ if (is_inode_flag_set(inode, FI_COMPRESSED_FILE) && ++ !f2fs_sb_has_readonly(F2FS_I_SB(inode))) ++ return false; ++ } else if (type == EX_BLOCK_AGE) { ++ if (is_inode_flag_set(inode, FI_COMPRESSED_FILE)) ++ return false; ++ if (file_is_cold(inode)) ++ return false; ++ } ++ return true; + } + + static void __try_update_largest_extent(struct extent_tree *et, diff --git a/queue-6.5/gfs2-don-t-withdraw-if-init_threads-got-interrupted.patch b/queue-6.5/gfs2-don-t-withdraw-if-init_threads-got-interrupted.patch new file mode 100644 index 00000000000..6fa54070cc2 --- /dev/null +++ b/queue-6.5/gfs2-don-t-withdraw-if-init_threads-got-interrupted.patch @@ -0,0 +1,53 @@ +From 0cdc6f44e9fdc2d20d720145bf99a39f611f6d61 Mon Sep 17 00:00:00 2001 +From: Andreas Gruenbacher +Date: Thu, 2 Nov 2023 20:52:30 +0100 +Subject: gfs2: don't withdraw if init_threads() got interrupted + +From: Andreas Gruenbacher + +commit 0cdc6f44e9fdc2d20d720145bf99a39f611f6d61 upstream. + +In gfs2_fill_super(), when mounting a gfs2 filesystem is interrupted, +kthread_create() can return -EINTR. When that happens, we roll back +what has already been done and abort the mount. + +Since commit 62dd0f98a0e5 ("gfs2: Flag a withdraw if init_threads() +fails), we are calling gfs2_withdraw_delayed() in gfs2_fill_super(); +first via gfs2_make_fs_rw(), then directly. But gfs2_withdraw_delayed() +only marks the filesystem as withdrawing and relies on a caller further +up the stack to do the actual withdraw, which doesn't exist in the +gfs2_fill_super() case. Because the filesystem is marked as withdrawing +/ withdrawn, function gfs2_lm_unmount() doesn't release the dlm +lockspace, so when we try to mount that filesystem again, we get: + + gfs2: fsid=gohan:gohan0: Trying to join cluster "lock_dlm", "gohan:gohan0" + gfs2: fsid=gohan:gohan0: dlm_new_lockspace error -17 + +Since commit b77b4a4815a9 ("gfs2: Rework freeze / thaw logic"), the +deadlock this gfs2_withdraw_delayed() call was supposed to work around +cannot occur anymore because freeze_go_callback() won't take the +sb->s_umount semaphore unconditionally anymore, so we can get rid of the +gfs2_withdraw_delayed() in gfs2_fill_super() entirely. + +Reported-by: Alexander Aring +Signed-off-by: Andreas Gruenbacher +Cc: stable@vger.kernel.org # v6.5+ +Signed-off-by: Greg Kroah-Hartman +--- + fs/gfs2/ops_fstype.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/fs/gfs2/ops_fstype.c ++++ b/fs/gfs2/ops_fstype.c +@@ -1261,10 +1261,8 @@ static int gfs2_fill_super(struct super_ + + if (!sb_rdonly(sb)) { + error = init_threads(sdp); +- if (error) { +- gfs2_withdraw_delayed(sdp); ++ if (error) + goto fail_per_node; +- } + } + + error = gfs2_freeze_lock_shared(sdp); diff --git a/queue-6.5/i2c-designware-disable-tx_empty-irq-while-waiting-for-block-length-byte.patch b/queue-6.5/i2c-designware-disable-tx_empty-irq-while-waiting-for-block-length-byte.patch new file mode 100644 index 00000000000..a90849415bd --- /dev/null +++ b/queue-6.5/i2c-designware-disable-tx_empty-irq-while-waiting-for-block-length-byte.patch @@ -0,0 +1,69 @@ +From e8183fa10c25c7b3c20670bf2b430ddcc1ee03c0 Mon Sep 17 00:00:00 2001 +From: Tam Nguyen +Date: Thu, 2 Nov 2023 10:30:08 +0700 +Subject: i2c: designware: Disable TX_EMPTY irq while waiting for block length byte + +From: Tam Nguyen + +commit e8183fa10c25c7b3c20670bf2b430ddcc1ee03c0 upstream. + +During SMBus block data read process, we have seen high interrupt rate +because of TX_EMPTY irq status while waiting for block length byte (the +first data byte after the address phase). The interrupt handler does not +do anything because the internal state is kept as STATUS_WRITE_IN_PROGRESS. +Hence, we should disable TX_EMPTY IRQ until I2C DesignWare receives +first data byte from I2C device, then re-enable it to resume SMBus +transaction. + +It takes 0.789 ms for host to receive data length from slave. +Without the patch, i2c_dw_isr() is called 99 times by TX_EMPTY interrupt. +And it is none after applying the patch. + +Cc: stable@vger.kernel.org +Co-developed-by: Chuong Tran +Signed-off-by: Chuong Tran +Signed-off-by: Tam Nguyen +Acked-by: Jarkko Nikula +Reviewed-by: Serge Semin +Signed-off-by: Wolfram Sang +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i2c/busses/i2c-designware-master.c | 19 ++++++++++++++++--- + 1 file changed, 16 insertions(+), 3 deletions(-) + +--- a/drivers/i2c/busses/i2c-designware-master.c ++++ b/drivers/i2c/busses/i2c-designware-master.c +@@ -518,10 +518,16 @@ i2c_dw_xfer_msg(struct dw_i2c_dev *dev) + + /* + * Because we don't know the buffer length in the +- * I2C_FUNC_SMBUS_BLOCK_DATA case, we can't stop +- * the transaction here. ++ * I2C_FUNC_SMBUS_BLOCK_DATA case, we can't stop the ++ * transaction here. Also disable the TX_EMPTY IRQ ++ * while waiting for the data length byte to avoid the ++ * bogus interrupts flood. + */ +- if (buf_len > 0 || flags & I2C_M_RECV_LEN) { ++ if (flags & I2C_M_RECV_LEN) { ++ dev->status |= STATUS_WRITE_IN_PROGRESS; ++ intr_mask &= ~DW_IC_INTR_TX_EMPTY; ++ break; ++ } else if (buf_len > 0) { + /* more bytes to be written */ + dev->status |= STATUS_WRITE_IN_PROGRESS; + break; +@@ -557,6 +563,13 @@ i2c_dw_recv_len(struct dw_i2c_dev *dev, + msgs[dev->msg_read_idx].len = len; + msgs[dev->msg_read_idx].flags &= ~I2C_M_RECV_LEN; + ++ /* ++ * Received buffer length, re-enable TX_EMPTY interrupt ++ * to resume the SMBUS transaction. ++ */ ++ regmap_update_bits(dev->map, DW_IC_INTR_MASK, DW_IC_INTR_TX_EMPTY, ++ DW_IC_INTR_TX_EMPTY); ++ + return len; + } + diff --git a/queue-6.5/i2c-i801-fix-potential-race-in-i801_block_transaction_byte_by_byte.patch b/queue-6.5/i2c-i801-fix-potential-race-in-i801_block_transaction_byte_by_byte.patch new file mode 100644 index 00000000000..9a07d0126e6 --- /dev/null +++ b/queue-6.5/i2c-i801-fix-potential-race-in-i801_block_transaction_byte_by_byte.patch @@ -0,0 +1,66 @@ +From f78ca48a8ba9cdec96e8839351e49eec3233b177 Mon Sep 17 00:00:00 2001 +From: Heiner Kallweit +Date: Sat, 9 Sep 2023 22:25:06 +0200 +Subject: i2c: i801: fix potential race in i801_block_transaction_byte_by_byte + +From: Heiner Kallweit + +commit f78ca48a8ba9cdec96e8839351e49eec3233b177 upstream. + +Currently we set SMBHSTCNT_LAST_BYTE only after the host has started +receiving the last byte. If we get e.g. preempted before setting +SMBHSTCNT_LAST_BYTE, the host may be finished with receiving the byte +before SMBHSTCNT_LAST_BYTE is set. +Therefore change the code to set SMBHSTCNT_LAST_BYTE before writing +SMBHSTSTS_BYTE_DONE for the byte before the last byte. Now the code +is also consistent with what we do in i801_isr_byte_done(). + +Reported-by: Jean Delvare +Closes: https://lore.kernel.org/linux-i2c/20230828152747.09444625@endymion.delvare/ +Cc: stable@vger.kernel.org +Acked-by: Andi Shyti +Signed-off-by: Heiner Kallweit +Reviewed-by: Jean Delvare +Signed-off-by: Wolfram Sang +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i2c/busses/i2c-i801.c | 19 +++++++++---------- + 1 file changed, 9 insertions(+), 10 deletions(-) + +--- a/drivers/i2c/busses/i2c-i801.c ++++ b/drivers/i2c/busses/i2c-i801.c +@@ -681,15 +681,11 @@ static int i801_block_transaction_byte_b + return result ? priv->status : -ETIMEDOUT; + } + +- for (i = 1; i <= len; i++) { +- if (i == len && read_write == I2C_SMBUS_READ) +- smbcmd |= SMBHSTCNT_LAST_BYTE; +- outb_p(smbcmd, SMBHSTCNT(priv)); +- +- if (i == 1) +- outb_p(inb(SMBHSTCNT(priv)) | SMBHSTCNT_START, +- SMBHSTCNT(priv)); ++ if (len == 1 && read_write == I2C_SMBUS_READ) ++ smbcmd |= SMBHSTCNT_LAST_BYTE; ++ outb_p(smbcmd | SMBHSTCNT_START, SMBHSTCNT(priv)); + ++ for (i = 1; i <= len; i++) { + status = i801_wait_byte_done(priv); + if (status) + return status; +@@ -712,9 +708,12 @@ static int i801_block_transaction_byte_b + data->block[0] = len; + } + +- /* Retrieve/store value in SMBBLKDAT */ +- if (read_write == I2C_SMBUS_READ) ++ if (read_write == I2C_SMBUS_READ) { + data->block[i] = inb_p(SMBBLKDAT(priv)); ++ if (i == len - 1) ++ outb_p(smbcmd | SMBHSTCNT_LAST_BYTE, SMBHSTCNT(priv)); ++ } ++ + if (read_write == I2C_SMBUS_WRITE && i+1 <= len) + outb_p(data->block[i+1], SMBBLKDAT(priv)); + diff --git a/queue-6.5/loongarch-mark-__percpu-functions-as-always-inline.patch b/queue-6.5/loongarch-mark-__percpu-functions-as-always-inline.patch new file mode 100644 index 00000000000..f599354ff37 --- /dev/null +++ b/queue-6.5/loongarch-mark-__percpu-functions-as-always-inline.patch @@ -0,0 +1,104 @@ +From 71945968d8b128c955204baa33ec03bdd91bdc26 Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Wed, 8 Nov 2023 14:12:15 +0800 +Subject: LoongArch: Mark __percpu functions as always inline + +From: Nathan Chancellor + +commit 71945968d8b128c955204baa33ec03bdd91bdc26 upstream. + +A recent change to the optimization pipeline in LLVM reveals some +fragility around the inlining of LoongArch's __percpu functions, which +manifests as a BUILD_BUG() failure: + + In file included from kernel/sched/build_policy.c:17: + In file included from include/linux/sched/cputime.h:5: + In file included from include/linux/sched/signal.h:5: + In file included from include/linux/rculist.h:11: + In file included from include/linux/rcupdate.h:26: + In file included from include/linux/irqflags.h:18: + arch/loongarch/include/asm/percpu.h:97:3: error: call to '__compiletime_assert_51' declared with 'error' attribute: BUILD_BUG failed + 97 | BUILD_BUG(); + | ^ + include/linux/build_bug.h:59:21: note: expanded from macro 'BUILD_BUG' + 59 | #define BUILD_BUG() BUILD_BUG_ON_MSG(1, "BUILD_BUG failed") + | ^ + include/linux/build_bug.h:39:37: note: expanded from macro 'BUILD_BUG_ON_MSG' + 39 | #define BUILD_BUG_ON_MSG(cond, msg) compiletime_assert(!(cond), msg) + | ^ + include/linux/compiler_types.h:425:2: note: expanded from macro 'compiletime_assert' + 425 | _compiletime_assert(condition, msg, __compiletime_assert_, __COUNTER__) + | ^ + include/linux/compiler_types.h:413:2: note: expanded from macro '_compiletime_assert' + 413 | __compiletime_assert(condition, msg, prefix, suffix) + | ^ + include/linux/compiler_types.h:406:4: note: expanded from macro '__compiletime_assert' + 406 | prefix ## suffix(); \ + | ^ + :86:1: note: expanded from here + 86 | __compiletime_assert_51 + | ^ + 1 error generated. + +If these functions are not inlined (which the compiler is free to do +even with functions marked with the standard 'inline' keyword), the +BUILD_BUG() in the default case cannot be eliminated since the compiler +cannot prove it is never used, resulting in a build failure due to the +error attribute. + +Mark these functions as __always_inline to guarantee inlining so that +the BUILD_BUG() only triggers when the default case genuinely cannot be +eliminated due to an unexpected size. + +Cc: +Closes: https://github.com/ClangBuiltLinux/linux/issues/1955 +Fixes: 46859ac8af52 ("LoongArch: Add multi-processor (SMP) support") +Link: https://github.com/llvm/llvm-project/commit/1a2e77cf9e11dbf56b5720c607313a566eebb16e +Suggested-by: Nick Desaulniers +Signed-off-by: Nathan Chancellor +Signed-off-by: Huacai Chen +Signed-off-by: Greg Kroah-Hartman +--- + arch/loongarch/include/asm/percpu.h | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/arch/loongarch/include/asm/percpu.h ++++ b/arch/loongarch/include/asm/percpu.h +@@ -32,7 +32,7 @@ static inline void set_my_cpu_offset(uns + #define __my_cpu_offset __my_cpu_offset + + #define PERCPU_OP(op, asm_op, c_op) \ +-static inline unsigned long __percpu_##op(void *ptr, \ ++static __always_inline unsigned long __percpu_##op(void *ptr, \ + unsigned long val, int size) \ + { \ + unsigned long ret; \ +@@ -63,7 +63,7 @@ PERCPU_OP(and, and, &) + PERCPU_OP(or, or, |) + #undef PERCPU_OP + +-static inline unsigned long __percpu_read(void *ptr, int size) ++static __always_inline unsigned long __percpu_read(void *ptr, int size) + { + unsigned long ret; + +@@ -100,7 +100,7 @@ static inline unsigned long __percpu_rea + return ret; + } + +-static inline void __percpu_write(void *ptr, unsigned long val, int size) ++static __always_inline void __percpu_write(void *ptr, unsigned long val, int size) + { + switch (size) { + case 1: +@@ -132,8 +132,8 @@ static inline void __percpu_write(void * + } + } + +-static inline unsigned long __percpu_xchg(void *ptr, unsigned long val, +- int size) ++static __always_inline unsigned long __percpu_xchg(void *ptr, unsigned long val, ++ int size) + { + switch (size) { + case 1: diff --git a/queue-6.5/lsm-fix-default-return-value-for-inode_getsecctx.patch b/queue-6.5/lsm-fix-default-return-value-for-inode_getsecctx.patch new file mode 100644 index 00000000000..1f8081b3fe9 --- /dev/null +++ b/queue-6.5/lsm-fix-default-return-value-for-inode_getsecctx.patch @@ -0,0 +1,39 @@ +From b36995b8609a5a8fe5cf259a1ee768fcaed919f8 Mon Sep 17 00:00:00 2001 +From: Ondrej Mosnacek +Date: Tue, 31 Oct 2023 13:32:07 +0100 +Subject: lsm: fix default return value for inode_getsecctx + +From: Ondrej Mosnacek + +commit b36995b8609a5a8fe5cf259a1ee768fcaed919f8 upstream. + +-EOPNOTSUPP is the return value that implements a "no-op" hook, not 0. + +Without this fix having only the BPF LSM enabled (with no programs +attached) can cause uninitialized variable reads in +nfsd4_encode_fattr(), because the BPF hook returns 0 without touching +the 'ctxlen' variable and the corresponding 'contextlen' variable in +nfsd4_encode_fattr() remains uninitialized, yet being treated as valid +based on the 0 return value. + +Cc: stable@vger.kernel.org +Fixes: 98e828a0650f ("security: Refactor declaration of LSM hooks") +Reported-by: Benjamin Coddington +Signed-off-by: Ondrej Mosnacek +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/lsm_hook_defs.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/linux/lsm_hook_defs.h ++++ b/include/linux/lsm_hook_defs.h +@@ -273,7 +273,7 @@ LSM_HOOK(void, LSM_RET_VOID, release_sec + LSM_HOOK(void, LSM_RET_VOID, inode_invalidate_secctx, struct inode *inode) + LSM_HOOK(int, 0, inode_notifysecctx, struct inode *inode, void *ctx, u32 ctxlen) + LSM_HOOK(int, 0, inode_setsecctx, struct dentry *dentry, void *ctx, u32 ctxlen) +-LSM_HOOK(int, 0, inode_getsecctx, struct inode *inode, void **ctx, ++LSM_HOOK(int, -EOPNOTSUPP, inode_getsecctx, struct inode *inode, void **ctx, + u32 *ctxlen) + + #if defined(CONFIG_SECURITY) && defined(CONFIG_WATCH_QUEUE) diff --git a/queue-6.5/lsm-fix-default-return-value-for-vm_enough_memory.patch b/queue-6.5/lsm-fix-default-return-value-for-vm_enough_memory.patch new file mode 100644 index 00000000000..153522e3f2d --- /dev/null +++ b/queue-6.5/lsm-fix-default-return-value-for-vm_enough_memory.patch @@ -0,0 +1,31 @@ +From 866d648059d5faf53f1cd960b43fe8365ad93ea7 Mon Sep 17 00:00:00 2001 +From: Ondrej Mosnacek +Date: Tue, 31 Oct 2023 13:32:06 +0100 +Subject: lsm: fix default return value for vm_enough_memory + +From: Ondrej Mosnacek + +commit 866d648059d5faf53f1cd960b43fe8365ad93ea7 upstream. + +1 is the return value that implements a "no-op" hook, not 0. + +Cc: stable@vger.kernel.org +Fixes: 98e828a0650f ("security: Refactor declaration of LSM hooks") +Signed-off-by: Ondrej Mosnacek +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/lsm_hook_defs.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/linux/lsm_hook_defs.h ++++ b/include/linux/lsm_hook_defs.h +@@ -48,7 +48,7 @@ LSM_HOOK(int, 0, quota_on, struct dentry + LSM_HOOK(int, 0, syslog, int type) + LSM_HOOK(int, 0, settime, const struct timespec64 *ts, + const struct timezone *tz) +-LSM_HOOK(int, 0, vm_enough_memory, struct mm_struct *mm, long pages) ++LSM_HOOK(int, 1, vm_enough_memory, struct mm_struct *mm, long pages) + LSM_HOOK(int, 0, bprm_creds_for_exec, struct linux_binprm *bprm) + LSM_HOOK(int, 0, bprm_creds_from_file, struct linux_binprm *bprm, struct file *file) + LSM_HOOK(int, 0, bprm_check_security, struct linux_binprm *bprm) diff --git a/queue-6.5/media-ccs-correctly-initialise-try-compose-rectangle.patch b/queue-6.5/media-ccs-correctly-initialise-try-compose-rectangle.patch new file mode 100644 index 00000000000..9e11f428c1f --- /dev/null +++ b/queue-6.5/media-ccs-correctly-initialise-try-compose-rectangle.patch @@ -0,0 +1,35 @@ +From 724ff68e968b19d786870d333f9952bdd6b119cb Mon Sep 17 00:00:00 2001 +From: Sakari Ailus +Date: Mon, 4 Sep 2023 15:57:37 +0300 +Subject: media: ccs: Correctly initialise try compose rectangle + +From: Sakari Ailus + +commit 724ff68e968b19d786870d333f9952bdd6b119cb upstream. + +Initialise the try sink compose rectangle size to the sink compose +rectangle for binner and scaler sub-devices. This was missed due to the +faulty condition that lead to the compose rectangles to be initialised for +the pixel array sub-device where it is not relevant. + +Fixes: ccfc97bdb5ae ("[media] smiapp: Add driver") +Cc: stable@vger.kernel.org +Signed-off-by: Sakari Ailus +Reviewed-by: Laurent Pinchart +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/ccs/ccs-core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/media/i2c/ccs/ccs-core.c ++++ b/drivers/media/i2c/ccs/ccs-core.c +@@ -3097,7 +3097,7 @@ static int ccs_open(struct v4l2_subdev * + try_fmt->code = sensor->internal_csi_format->code; + try_fmt->field = V4L2_FIELD_NONE; + +- if (ssd != sensor->pixel_array) ++ if (ssd == sensor->pixel_array) + continue; + + try_comp = v4l2_subdev_get_try_compose(sd, fh->state, i); diff --git a/queue-6.5/media-lirc-drop-trailing-space-from-scancode-transmit.patch b/queue-6.5/media-lirc-drop-trailing-space-from-scancode-transmit.patch new file mode 100644 index 00000000000..c8fc8c0c764 --- /dev/null +++ b/queue-6.5/media-lirc-drop-trailing-space-from-scancode-transmit.patch @@ -0,0 +1,37 @@ +From c8a489f820179fb12251e262b50303c29de991ac Mon Sep 17 00:00:00 2001 +From: Sean Young +Date: Fri, 6 Oct 2023 22:31:52 +0100 +Subject: media: lirc: drop trailing space from scancode transmit + +From: Sean Young + +commit c8a489f820179fb12251e262b50303c29de991ac upstream. + +When transmitting, infrared drivers expect an odd number of samples; iow +without a trailing space. No problems have been observed so far, so +this is just belt and braces. + +Fixes: 9b6192589be7 ("media: lirc: implement scancode sending") +Cc: stable@vger.kernel.org +Signed-off-by: Sean Young +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/rc/lirc_dev.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/media/rc/lirc_dev.c ++++ b/drivers/media/rc/lirc_dev.c +@@ -276,7 +276,11 @@ static ssize_t lirc_transmit(struct file + if (ret < 0) + goto out_kfree_raw; + +- count = ret; ++ /* drop trailing space */ ++ if (!(ret % 2)) ++ count = ret - 1; ++ else ++ count = ret; + + txbuf = kmalloc_array(count, sizeof(unsigned int), GFP_KERNEL); + if (!txbuf) { diff --git a/queue-6.5/media-sharp-fix-sharp-encoding.patch b/queue-6.5/media-sharp-fix-sharp-encoding.patch new file mode 100644 index 00000000000..1042297f85c --- /dev/null +++ b/queue-6.5/media-sharp-fix-sharp-encoding.patch @@ -0,0 +1,48 @@ +From 4f7efc71891462ab7606da7039f480d7c1584a13 Mon Sep 17 00:00:00 2001 +From: Sean Young +Date: Fri, 6 Oct 2023 12:54:25 +0100 +Subject: media: sharp: fix sharp encoding + +From: Sean Young + +commit 4f7efc71891462ab7606da7039f480d7c1584a13 upstream. + +The Sharp protocol[1] encoding has incorrect timings for bit space. + +[1] https://www.sbprojects.net/knowledge/ir/sharp.php + +Fixes: d35afc5fe097 ("[media] rc: ir-sharp-decoder: Add encode capability") +Cc: stable@vger.kernel.org +Reported-by: Joe Ferner +Closes: https://sourceforge.net/p/lirc/mailman/message/38604507/ +Signed-off-by: Sean Young +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/rc/ir-sharp-decoder.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/drivers/media/rc/ir-sharp-decoder.c ++++ b/drivers/media/rc/ir-sharp-decoder.c +@@ -15,7 +15,9 @@ + #define SHARP_UNIT 40 /* us */ + #define SHARP_BIT_PULSE (8 * SHARP_UNIT) /* 320us */ + #define SHARP_BIT_0_PERIOD (25 * SHARP_UNIT) /* 1ms (680us space) */ +-#define SHARP_BIT_1_PERIOD (50 * SHARP_UNIT) /* 2ms (1680ms space) */ ++#define SHARP_BIT_1_PERIOD (50 * SHARP_UNIT) /* 2ms (1680us space) */ ++#define SHARP_BIT_0_SPACE (17 * SHARP_UNIT) /* 680us space */ ++#define SHARP_BIT_1_SPACE (42 * SHARP_UNIT) /* 1680us space */ + #define SHARP_ECHO_SPACE (1000 * SHARP_UNIT) /* 40 ms */ + #define SHARP_TRAILER_SPACE (125 * SHARP_UNIT) /* 5 ms (even longer) */ + +@@ -168,8 +170,8 @@ static const struct ir_raw_timings_pd ir + .header_pulse = 0, + .header_space = 0, + .bit_pulse = SHARP_BIT_PULSE, +- .bit_space[0] = SHARP_BIT_0_PERIOD, +- .bit_space[1] = SHARP_BIT_1_PERIOD, ++ .bit_space[0] = SHARP_BIT_0_SPACE, ++ .bit_space[1] = SHARP_BIT_1_SPACE, + .trailer_pulse = SHARP_BIT_PULSE, + .trailer_space = SHARP_ECHO_SPACE, + .msb_first = 1, diff --git a/queue-6.5/media-venus-hfi-add-checks-to-handle-capabilities-from-firmware.patch b/queue-6.5/media-venus-hfi-add-checks-to-handle-capabilities-from-firmware.patch new file mode 100644 index 00000000000..d4def635216 --- /dev/null +++ b/queue-6.5/media-venus-hfi-add-checks-to-handle-capabilities-from-firmware.patch @@ -0,0 +1,69 @@ +From 8d0b89398b7ebc52103e055bf36b60b045f5258f Mon Sep 17 00:00:00 2001 +From: Vikash Garodia +Date: Thu, 10 Aug 2023 07:55:03 +0530 +Subject: media: venus: hfi: add checks to handle capabilities from firmware + +From: Vikash Garodia + +commit 8d0b89398b7ebc52103e055bf36b60b045f5258f upstream. + +The hfi parser, parses the capabilities received from venus firmware and +copies them to core capabilities. Consider below api, for example, +fill_caps - In this api, caps in core structure gets updated with the +number of capabilities received in firmware data payload. If the same api +is called multiple times, there is a possibility of copying beyond the max +allocated size in core caps. +Similar possibilities in fill_raw_fmts and fill_profile_level functions. + +Cc: stable@vger.kernel.org +Fixes: 1a73374a04e5 ("media: venus: hfi_parser: add common capability parser") +Signed-off-by: Vikash Garodia +Signed-off-by: Stanimir Varbanov +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/qcom/venus/hfi_parser.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/drivers/media/platform/qcom/venus/hfi_parser.c ++++ b/drivers/media/platform/qcom/venus/hfi_parser.c +@@ -89,6 +89,9 @@ static void fill_profile_level(struct hf + { + const struct hfi_profile_level *pl = data; + ++ if (cap->num_pl + num >= HFI_MAX_PROFILE_COUNT) ++ return; ++ + memcpy(&cap->pl[cap->num_pl], pl, num * sizeof(*pl)); + cap->num_pl += num; + } +@@ -114,6 +117,9 @@ fill_caps(struct hfi_plat_caps *cap, con + { + const struct hfi_capability *caps = data; + ++ if (cap->num_caps + num >= MAX_CAP_ENTRIES) ++ return; ++ + memcpy(&cap->caps[cap->num_caps], caps, num * sizeof(*caps)); + cap->num_caps += num; + } +@@ -140,6 +146,9 @@ static void fill_raw_fmts(struct hfi_pla + { + const struct raw_formats *formats = fmts; + ++ if (cap->num_fmts + num_fmts >= MAX_FMT_ENTRIES) ++ return; ++ + memcpy(&cap->fmts[cap->num_fmts], formats, num_fmts * sizeof(*formats)); + cap->num_fmts += num_fmts; + } +@@ -162,6 +171,9 @@ parse_raw_formats(struct venus_core *cor + rawfmts[i].buftype = fmt->buffer_type; + i++; + ++ if (i >= MAX_FMT_ENTRIES) ++ return; ++ + if (pinfo->num_planes > MAX_PLANES) + break; + diff --git a/queue-6.5/media-venus-hfi-fix-the-check-to-handle-session-buffer-requirement.patch b/queue-6.5/media-venus-hfi-fix-the-check-to-handle-session-buffer-requirement.patch new file mode 100644 index 00000000000..33750773921 --- /dev/null +++ b/queue-6.5/media-venus-hfi-fix-the-check-to-handle-session-buffer-requirement.patch @@ -0,0 +1,36 @@ +From b18e36dfd6c935da60a971310374f3dfec3c82e1 Mon Sep 17 00:00:00 2001 +From: Vikash Garodia +Date: Thu, 10 Aug 2023 07:55:02 +0530 +Subject: media: venus: hfi: fix the check to handle session buffer requirement + +From: Vikash Garodia + +commit b18e36dfd6c935da60a971310374f3dfec3c82e1 upstream. + +Buffer requirement, for different buffer type, comes from video firmware. +While copying these requirements, there is an OOB possibility when the +payload from firmware is more than expected size. Fix the check to avoid +the OOB possibility. + +Cc: stable@vger.kernel.org +Fixes: 09c2845e8fe4 ("[media] media: venus: hfi: add Host Firmware Interface (HFI)") +Reviewed-by: Nathan Hebert +Signed-off-by: Vikash Garodia +Signed-off-by: Stanimir Varbanov +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/qcom/venus/hfi_msgs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/media/platform/qcom/venus/hfi_msgs.c ++++ b/drivers/media/platform/qcom/venus/hfi_msgs.c +@@ -398,7 +398,7 @@ session_get_prop_buf_req(struct hfi_msg_ + memcpy(&bufreq[idx], buf_req, sizeof(*bufreq)); + idx++; + +- if (idx > HFI_BUFFER_TYPE_MAX) ++ if (idx >= HFI_BUFFER_TYPE_MAX) + return HFI_ERR_SESSION_INVALID_PARAMETER; + + req_bytes -= sizeof(struct hfi_buffer_requirements); diff --git a/queue-6.5/media-venus-hfi_parser-add-check-to-keep-the-number-of-codecs-within-range.patch b/queue-6.5/media-venus-hfi_parser-add-check-to-keep-the-number-of-codecs-within-range.patch new file mode 100644 index 00000000000..882a6609532 --- /dev/null +++ b/queue-6.5/media-venus-hfi_parser-add-check-to-keep-the-number-of-codecs-within-range.patch @@ -0,0 +1,39 @@ +From 0768a9dd809ef52440b5df7dce5a1c1c7e97abbd Mon Sep 17 00:00:00 2001 +From: Vikash Garodia +Date: Thu, 10 Aug 2023 07:55:04 +0530 +Subject: media: venus: hfi_parser: Add check to keep the number of codecs within range + +From: Vikash Garodia + +commit 0768a9dd809ef52440b5df7dce5a1c1c7e97abbd upstream. + +Supported codec bitmask is populated from the payload from venus firmware. +There is a possible case when all the bits in the codec bitmask is set. In +such case, core cap for decoder is filled and MAX_CODEC_NUM is utilized. +Now while filling the caps for encoder, it can lead to access the caps +array beyong 32 index. Hence leading to OOB write. +The fix counts the supported encoder and decoder. If the count is more than +max, then it skips accessing the caps. + +Cc: stable@vger.kernel.org +Fixes: 1a73374a04e5 ("media: venus: hfi_parser: add common capability parser") +Signed-off-by: Vikash Garodia +Signed-off-by: Stanimir Varbanov +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/qcom/venus/hfi_parser.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/media/platform/qcom/venus/hfi_parser.c ++++ b/drivers/media/platform/qcom/venus/hfi_parser.c +@@ -19,6 +19,9 @@ static void init_codecs(struct venus_cor + struct hfi_plat_caps *caps = core->caps, *cap; + unsigned long bit; + ++ if (hweight_long(core->dec_codecs) + hweight_long(core->enc_codecs) > MAX_CODEC_NUM) ++ return; ++ + for_each_set_bit(bit, &core->dec_codecs, MAX_CODEC_NUM) { + cap = &caps[core->codecs_count++]; + cap->codec = BIT(bit); diff --git a/queue-6.5/mmc-sdhci-pci-gli-a-workaround-to-allow-gl9750-to-enter-aspm-l1.2.patch b/queue-6.5/mmc-sdhci-pci-gli-a-workaround-to-allow-gl9750-to-enter-aspm-l1.2.patch new file mode 100644 index 00000000000..516fe54cf40 --- /dev/null +++ b/queue-6.5/mmc-sdhci-pci-gli-a-workaround-to-allow-gl9750-to-enter-aspm-l1.2.patch @@ -0,0 +1,60 @@ +From d7133797e9e1b72fd89237f68cb36d745599ed86 Mon Sep 17 00:00:00 2001 +From: Victor Shih +Date: Tue, 12 Sep 2023 17:17:10 +0800 +Subject: mmc: sdhci-pci-gli: A workaround to allow GL9750 to enter ASPM L1.2 + +From: Victor Shih + +commit d7133797e9e1b72fd89237f68cb36d745599ed86 upstream. + +When GL9750 enters ASPM L1 sub-states, it will stay at L1.1 and will not +enter L1.2. The workaround is to toggle PM state to allow GL9750 to enter +ASPM L1.2. + +Signed-off-by: Victor Shih +Link: https://lore.kernel.org/r/20230912091710.7797-1-victorshihgli@gmail.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/sdhci-pci-gli.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +--- a/drivers/mmc/host/sdhci-pci-gli.c ++++ b/drivers/mmc/host/sdhci-pci-gli.c +@@ -25,6 +25,9 @@ + #define GLI_9750_WT_EN_ON 0x1 + #define GLI_9750_WT_EN_OFF 0x0 + ++#define PCI_GLI_9750_PM_CTRL 0xFC ++#define PCI_GLI_9750_PM_STATE GENMASK(1, 0) ++ + #define SDHCI_GLI_9750_CFG2 0x848 + #define SDHCI_GLI_9750_CFG2_L1DLY GENMASK(28, 24) + #define GLI_9750_CFG2_L1DLY_VALUE 0x1F +@@ -539,8 +542,12 @@ static void sdhci_gl9750_set_clock(struc + + static void gl9750_hw_setting(struct sdhci_host *host) + { ++ struct sdhci_pci_slot *slot = sdhci_priv(host); ++ struct pci_dev *pdev; + u32 value; + ++ pdev = slot->chip->pdev; ++ + gl9750_wt_on(host); + + value = sdhci_readl(host, SDHCI_GLI_9750_CFG2); +@@ -550,6 +557,13 @@ static void gl9750_hw_setting(struct sdh + GLI_9750_CFG2_L1DLY_VALUE); + sdhci_writel(host, value, SDHCI_GLI_9750_CFG2); + ++ /* toggle PM state to allow GL9750 to enter ASPM L1.2 */ ++ pci_read_config_dword(pdev, PCI_GLI_9750_PM_CTRL, &value); ++ value |= PCI_GLI_9750_PM_STATE; ++ pci_write_config_dword(pdev, PCI_GLI_9750_PM_CTRL, value); ++ value &= ~PCI_GLI_9750_PM_STATE; ++ pci_write_config_dword(pdev, PCI_GLI_9750_PM_CTRL, value); ++ + gl9750_wt_off(host); + } + diff --git a/queue-6.5/net-dsa-lan9303-consequently-nested-lock-physical-mdio.patch b/queue-6.5/net-dsa-lan9303-consequently-nested-lock-physical-mdio.patch new file mode 100644 index 00000000000..7d47d3dedd3 --- /dev/null +++ b/queue-6.5/net-dsa-lan9303-consequently-nested-lock-physical-mdio.patch @@ -0,0 +1,171 @@ +From 5a22fbcc10f3f7d94c5d88afbbffa240a3677057 Mon Sep 17 00:00:00 2001 +From: Alexander Sverdlin +Date: Fri, 27 Oct 2023 08:57:38 +0200 +Subject: net: dsa: lan9303: consequently nested-lock physical MDIO + +From: Alexander Sverdlin + +commit 5a22fbcc10f3f7d94c5d88afbbffa240a3677057 upstream. + +When LAN9303 is MDIO-connected two callchains exist into +mdio->bus->write(): + +1. switch ports 1&2 ("physical" PHYs): + +virtual (switch-internal) MDIO bus (lan9303_switch_ops->phy_{read|write})-> + lan9303_mdio_phy_{read|write} -> mdiobus_{read|write}_nested + +2. LAN9303 virtual PHY: + +virtual MDIO bus (lan9303_phy_{read|write}) -> + lan9303_virt_phy_reg_{read|write} -> regmap -> lan9303_mdio_{read|write} + +If the latter functions just take +mutex_lock(&sw_dev->device->bus->mdio_lock) it triggers a LOCKDEP +false-positive splat. It's false-positive because the first +mdio_lock in the second callchain above belongs to virtual MDIO bus, the +second mdio_lock belongs to physical MDIO bus. + +Consequent annotation in lan9303_mdio_{read|write} as nested lock +(similar to lan9303_mdio_phy_{read|write}, it's the same physical MDIO bus) +prevents the following splat: + +WARNING: possible circular locking dependency detected +5.15.71 #1 Not tainted +------------------------------------------------------ +kworker/u4:3/609 is trying to acquire lock: +ffff000011531c68 (lan9303_mdio:131:(&lan9303_mdio_regmap_config)->lock){+.+.}-{3:3}, at: regmap_lock_mutex +but task is already holding lock: +ffff0000114c44d8 (&bus->mdio_lock){+.+.}-{3:3}, at: mdiobus_read +which lock already depends on the new lock. +the existing dependency chain (in reverse order) is: +-> #1 (&bus->mdio_lock){+.+.}-{3:3}: + lock_acquire + __mutex_lock + mutex_lock_nested + lan9303_mdio_read + _regmap_read + regmap_read + lan9303_probe + lan9303_mdio_probe + mdio_probe + really_probe + __driver_probe_device + driver_probe_device + __device_attach_driver + bus_for_each_drv + __device_attach + device_initial_probe + bus_probe_device + deferred_probe_work_func + process_one_work + worker_thread + kthread + ret_from_fork +-> #0 (lan9303_mdio:131:(&lan9303_mdio_regmap_config)->lock){+.+.}-{3:3}: + __lock_acquire + lock_acquire.part.0 + lock_acquire + __mutex_lock + mutex_lock_nested + regmap_lock_mutex + regmap_read + lan9303_phy_read + dsa_slave_phy_read + __mdiobus_read + mdiobus_read + get_phy_device + mdiobus_scan + __mdiobus_register + dsa_register_switch + lan9303_probe + lan9303_mdio_probe + mdio_probe + really_probe + __driver_probe_device + driver_probe_device + __device_attach_driver + bus_for_each_drv + __device_attach + device_initial_probe + bus_probe_device + deferred_probe_work_func + process_one_work + worker_thread + kthread + ret_from_fork +other info that might help us debug this: + Possible unsafe locking scenario: + CPU0 CPU1 + ---- ---- + lock(&bus->mdio_lock); + lock(lan9303_mdio:131:(&lan9303_mdio_regmap_config)->lock); + lock(&bus->mdio_lock); + lock(lan9303_mdio:131:(&lan9303_mdio_regmap_config)->lock); +*** DEADLOCK *** +5 locks held by kworker/u4:3/609: + #0: ffff000002842938 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work + #1: ffff80000bacbd60 (deferred_probe_work){+.+.}-{0:0}, at: process_one_work + #2: ffff000007645178 (&dev->mutex){....}-{3:3}, at: __device_attach + #3: ffff8000096e6e78 (dsa2_mutex){+.+.}-{3:3}, at: dsa_register_switch + #4: ffff0000114c44d8 (&bus->mdio_lock){+.+.}-{3:3}, at: mdiobus_read +stack backtrace: +CPU: 1 PID: 609 Comm: kworker/u4:3 Not tainted 5.15.71 #1 +Workqueue: events_unbound deferred_probe_work_func +Call trace: + dump_backtrace + show_stack + dump_stack_lvl + dump_stack + print_circular_bug + check_noncircular + __lock_acquire + lock_acquire.part.0 + lock_acquire + __mutex_lock + mutex_lock_nested + regmap_lock_mutex + regmap_read + lan9303_phy_read + dsa_slave_phy_read + __mdiobus_read + mdiobus_read + get_phy_device + mdiobus_scan + __mdiobus_register + dsa_register_switch + lan9303_probe + lan9303_mdio_probe +... + +Cc: stable@vger.kernel.org +Fixes: dc7005831523 ("net: dsa: LAN9303: add MDIO managed mode support") +Signed-off-by: Alexander Sverdlin +Reviewed-by: Andrew Lunn +Link: https://lore.kernel.org/r/20231027065741.534971-1-alexander.sverdlin@siemens.com +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/dsa/lan9303_mdio.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/dsa/lan9303_mdio.c ++++ b/drivers/net/dsa/lan9303_mdio.c +@@ -32,7 +32,7 @@ static int lan9303_mdio_write(void *ctx, + struct lan9303_mdio *sw_dev = (struct lan9303_mdio *)ctx; + + reg <<= 2; /* reg num to offset */ +- mutex_lock(&sw_dev->device->bus->mdio_lock); ++ mutex_lock_nested(&sw_dev->device->bus->mdio_lock, MDIO_MUTEX_NESTED); + lan9303_mdio_real_write(sw_dev->device, reg, val & 0xffff); + lan9303_mdio_real_write(sw_dev->device, reg + 2, (val >> 16) & 0xffff); + mutex_unlock(&sw_dev->device->bus->mdio_lock); +@@ -50,7 +50,7 @@ static int lan9303_mdio_read(void *ctx, + struct lan9303_mdio *sw_dev = (struct lan9303_mdio *)ctx; + + reg <<= 2; /* reg num to offset */ +- mutex_lock(&sw_dev->device->bus->mdio_lock); ++ mutex_lock_nested(&sw_dev->device->bus->mdio_lock, MDIO_MUTEX_NESTED); + *val = lan9303_mdio_real_read(sw_dev->device, reg); + *val |= (lan9303_mdio_real_read(sw_dev->device, reg + 2) << 16); + mutex_unlock(&sw_dev->device->bus->mdio_lock); diff --git a/queue-6.5/net-ethtool-fix-documentation-of-ethtool_sprintf.patch b/queue-6.5/net-ethtool-fix-documentation-of-ethtool_sprintf.patch new file mode 100644 index 00000000000..93e549a5dee --- /dev/null +++ b/queue-6.5/net-ethtool-fix-documentation-of-ethtool_sprintf.patch @@ -0,0 +1,40 @@ +From f55d8e60f10909dbc5524e261041e1d28d7d20d8 Mon Sep 17 00:00:00 2001 +From: Andrew Lunn +Date: Sat, 28 Oct 2023 21:25:11 +0200 +Subject: net: ethtool: Fix documentation of ethtool_sprintf() + +From: Andrew Lunn + +commit f55d8e60f10909dbc5524e261041e1d28d7d20d8 upstream. + +This function takes a pointer to a pointer, unlike sprintf() which is +passed a plain pointer. Fix up the documentation to make this clear. + +Fixes: 7888fe53b706 ("ethtool: Add common function for filling out strings") +Cc: Alexander Duyck +Cc: Justin Stitt +Cc: stable@vger.kernel.org +Signed-off-by: Andrew Lunn +Reviewed-by: Justin Stitt +Link: https://lore.kernel.org/r/20231028192511.100001-1-andrew@lunn.ch +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/ethtool.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/include/linux/ethtool.h ++++ b/include/linux/ethtool.h +@@ -1045,10 +1045,10 @@ static inline int ethtool_mm_frag_size_m + + /** + * ethtool_sprintf - Write formatted string to ethtool string data +- * @data: Pointer to start of string to update ++ * @data: Pointer to a pointer to the start of string to update + * @fmt: Format of string to write + * +- * Write formatted string to data. Update data to point at start of ++ * Write formatted string to *data. Update *data to point at start of + * next string. + */ + extern __printf(2, 3) void ethtool_sprintf(u8 **data, const char *fmt, ...); diff --git a/queue-6.5/net-phylink-initialize-carrier-state-at-creation.patch b/queue-6.5/net-phylink-initialize-carrier-state-at-creation.patch new file mode 100644 index 00000000000..06ee77dfd34 --- /dev/null +++ b/queue-6.5/net-phylink-initialize-carrier-state-at-creation.patch @@ -0,0 +1,47 @@ +From 02d5fdbf4f2b8c406f7a4c98fa52aa181a11d733 Mon Sep 17 00:00:00 2001 +From: Klaus Kudielka +Date: Tue, 7 Nov 2023 18:44:02 +0100 +Subject: net: phylink: initialize carrier state at creation + +From: Klaus Kudielka + +commit 02d5fdbf4f2b8c406f7a4c98fa52aa181a11d733 upstream. + +Background: Turris Omnia (Armada 385); eth2 (mvneta) connected to SFP bus; +SFP module is present, but no fiber connected, so definitely no carrier. + +After booting, eth2 is down, but netdev LED trigger surprisingly reports +link active. Then, after "ip link set eth2 up", the link indicator goes +away - as I would have expected it from the beginning. + +It turns out, that the default carrier state after netdev creation is +"carrier ok". Some ethernet drivers explicitly call netif_carrier_off +during probing, others (like mvneta) don't - which explains the current +behaviour: only when the device is brought up, phylink_start calls +netif_carrier_off. + +Fix this for all drivers using phylink, by calling netif_carrier_off in +phylink_create. + +Fixes: 089381b27abe ("leds: initial support for Turris Omnia LEDs") +Cc: stable@vger.kernel.org +Suggested-by: Andrew Lunn +Signed-off-by: Klaus Kudielka +Reviewed-by: Russell King (Oracle) +Reviewed-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/phylink.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/phy/phylink.c ++++ b/drivers/net/phy/phylink.c +@@ -1568,6 +1568,7 @@ struct phylink *phylink_create(struct ph + pl->config = config; + if (config->type == PHYLINK_NETDEV) { + pl->netdev = to_net_dev(config->dev); ++ netif_carrier_off(pl->netdev); + } else if (config->type == PHYLINK_DEV) { + pl->dev = config->dev; + } else { diff --git a/queue-6.5/nfsd-fix-file-memleak-on-client_opens_release.patch b/queue-6.5/nfsd-fix-file-memleak-on-client_opens_release.patch new file mode 100644 index 00000000000..8f08061c2d0 --- /dev/null +++ b/queue-6.5/nfsd-fix-file-memleak-on-client_opens_release.patch @@ -0,0 +1,34 @@ +From bc1b5acb40201a0746d68a7d7cfc141899937f4f Mon Sep 17 00:00:00 2001 +From: Mahmoud Adam +Date: Fri, 10 Nov 2023 19:21:04 +0100 +Subject: nfsd: fix file memleak on client_opens_release + +From: Mahmoud Adam + +commit bc1b5acb40201a0746d68a7d7cfc141899937f4f upstream. + +seq_release should be called to free the allocated seq_file + +Cc: stable@vger.kernel.org # v5.3+ +Signed-off-by: Mahmoud Adam +Reviewed-by: Jeff Layton +Fixes: 78599c42ae3c ("nfsd4: add file to display list of client's opens") +Reviewed-by: NeilBrown +Tested-by: Jeff Layton +Signed-off-by: Chuck Lever +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfsd/nfs4state.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/nfsd/nfs4state.c ++++ b/fs/nfsd/nfs4state.c +@@ -2785,7 +2785,7 @@ static int client_opens_release(struct i + + /* XXX: alternatively, we could get/drop in seq start/stop */ + drop_client(clp); +- return 0; ++ return seq_release(inode, file); + } + + static const struct file_operations client_states_fops = { diff --git a/queue-6.5/nfsd-update-nfsd_cache_append-to-use-xdr_stream.patch b/queue-6.5/nfsd-update-nfsd_cache_append-to-use-xdr_stream.patch new file mode 100644 index 00000000000..3a506bd7705 --- /dev/null +++ b/queue-6.5/nfsd-update-nfsd_cache_append-to-use-xdr_stream.patch @@ -0,0 +1,56 @@ +From 49cecd8628a9855cd993792a0377559ea32d5e7c Mon Sep 17 00:00:00 2001 +From: Chuck Lever +Date: Fri, 10 Nov 2023 11:28:39 -0500 +Subject: NFSD: Update nfsd_cache_append() to use xdr_stream + +From: Chuck Lever + +commit 49cecd8628a9855cd993792a0377559ea32d5e7c upstream. + +When inserting a DRC-cached response into the reply buffer, ensure +that the reply buffer's xdr_stream is updated properly. Otherwise +the server will send a garbage response. + +Cc: stable@vger.kernel.org # v6.3+ +Reviewed-by: Jeff Layton +Tested-by: Jeff Layton +Signed-off-by: Chuck Lever +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfsd/nfscache.c | 21 +++++++-------------- + 1 file changed, 7 insertions(+), 14 deletions(-) + +--- a/fs/nfsd/nfscache.c ++++ b/fs/nfsd/nfscache.c +@@ -582,24 +582,17 @@ void nfsd_cache_update(struct svc_rqst * + return; + } + +-/* +- * Copy cached reply to current reply buffer. Should always fit. +- * FIXME as reply is in a page, we should just attach the page, and +- * keep a refcount.... +- */ + static int + nfsd_cache_append(struct svc_rqst *rqstp, struct kvec *data) + { +- struct kvec *vec = &rqstp->rq_res.head[0]; ++ __be32 *p; + +- if (vec->iov_len + data->iov_len > PAGE_SIZE) { +- printk(KERN_WARNING "nfsd: cached reply too large (%zd).\n", +- data->iov_len); +- return 0; +- } +- memcpy((char*)vec->iov_base + vec->iov_len, data->iov_base, data->iov_len); +- vec->iov_len += data->iov_len; +- return 1; ++ p = xdr_reserve_space(&rqstp->rq_res_stream, data->iov_len); ++ if (unlikely(!p)) ++ return false; ++ memcpy(p, data->iov_base, data->iov_len); ++ xdr_commit_encode(&rqstp->rq_res_stream); ++ return true; + } + + /* diff --git a/queue-6.5/revert-i2c-pxa-move-to-generic-gpio-recovery.patch b/queue-6.5/revert-i2c-pxa-move-to-generic-gpio-recovery.patch new file mode 100644 index 00000000000..9862ee1b349 --- /dev/null +++ b/queue-6.5/revert-i2c-pxa-move-to-generic-gpio-recovery.patch @@ -0,0 +1,148 @@ +From 7b211c7671212cad0b83603c674838c7e824d845 Mon Sep 17 00:00:00 2001 +From: Robert Marko +Date: Fri, 10 Nov 2023 10:30:11 +0100 +Subject: Revert "i2c: pxa: move to generic GPIO recovery" + +From: Robert Marko + +commit 7b211c7671212cad0b83603c674838c7e824d845 upstream. + +This reverts commit 0b01392c18b9993a584f36ace1d61118772ad0ca. + +Conversion of PXA to generic I2C recovery, makes the I2C bus completely +lock up if recovery pinctrl is present in the DT and I2C recovery is +enabled. + +So, until the generic I2C recovery can also work with PXA lets revert +to have working I2C and I2C recovery again. + +Signed-off-by: Robert Marko +Cc: stable@vger.kernel.org # 5.11+ +Acked-by: Andi Shyti +Acked-by: Russell King (Oracle) +Acked-by: Linus Walleij +Signed-off-by: Wolfram Sang +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i2c/busses/i2c-pxa.c | 76 ++++++++++++++++++++++++++++++++++++++----- + 1 file changed, 68 insertions(+), 8 deletions(-) + +--- a/drivers/i2c/busses/i2c-pxa.c ++++ b/drivers/i2c/busses/i2c-pxa.c +@@ -264,6 +264,9 @@ struct pxa_i2c { + u32 hs_mask; + + struct i2c_bus_recovery_info recovery; ++ struct pinctrl *pinctrl; ++ struct pinctrl_state *pinctrl_default; ++ struct pinctrl_state *pinctrl_recovery; + }; + + #define _IBMR(i2c) ((i2c)->reg_ibmr) +@@ -1300,12 +1303,13 @@ static void i2c_pxa_prepare_recovery(str + */ + gpiod_set_value(i2c->recovery.scl_gpiod, ibmr & IBMR_SCLS); + gpiod_set_value(i2c->recovery.sda_gpiod, ibmr & IBMR_SDAS); ++ ++ WARN_ON(pinctrl_select_state(i2c->pinctrl, i2c->pinctrl_recovery)); + } + + static void i2c_pxa_unprepare_recovery(struct i2c_adapter *adap) + { + struct pxa_i2c *i2c = adap->algo_data; +- struct i2c_bus_recovery_info *bri = adap->bus_recovery_info; + u32 isr; + + /* +@@ -1319,7 +1323,7 @@ static void i2c_pxa_unprepare_recovery(s + i2c_pxa_do_reset(i2c); + } + +- WARN_ON(pinctrl_select_state(bri->pinctrl, bri->pins_default)); ++ WARN_ON(pinctrl_select_state(i2c->pinctrl, i2c->pinctrl_default)); + + dev_dbg(&i2c->adap.dev, "recovery: IBMR 0x%08x ISR 0x%08x\n", + readl(_IBMR(i2c)), readl(_ISR(i2c))); +@@ -1341,20 +1345,76 @@ static int i2c_pxa_init_recovery(struct + if (IS_ENABLED(CONFIG_I2C_PXA_SLAVE)) + return 0; + +- bri->pinctrl = devm_pinctrl_get(dev); +- if (PTR_ERR(bri->pinctrl) == -ENODEV) { +- bri->pinctrl = NULL; ++ i2c->pinctrl = devm_pinctrl_get(dev); ++ if (PTR_ERR(i2c->pinctrl) == -ENODEV) ++ i2c->pinctrl = NULL; ++ if (IS_ERR(i2c->pinctrl)) ++ return PTR_ERR(i2c->pinctrl); ++ ++ if (!i2c->pinctrl) ++ return 0; ++ ++ i2c->pinctrl_default = pinctrl_lookup_state(i2c->pinctrl, ++ PINCTRL_STATE_DEFAULT); ++ i2c->pinctrl_recovery = pinctrl_lookup_state(i2c->pinctrl, "recovery"); ++ ++ if (IS_ERR(i2c->pinctrl_default) || IS_ERR(i2c->pinctrl_recovery)) { ++ dev_info(dev, "missing pinmux recovery information: %ld %ld\n", ++ PTR_ERR(i2c->pinctrl_default), ++ PTR_ERR(i2c->pinctrl_recovery)); ++ return 0; ++ } ++ ++ /* ++ * Claiming GPIOs can influence the pinmux state, and may glitch the ++ * I2C bus. Do this carefully. ++ */ ++ bri->scl_gpiod = devm_gpiod_get(dev, "scl", GPIOD_OUT_HIGH_OPEN_DRAIN); ++ if (bri->scl_gpiod == ERR_PTR(-EPROBE_DEFER)) ++ return -EPROBE_DEFER; ++ if (IS_ERR(bri->scl_gpiod)) { ++ dev_info(dev, "missing scl gpio recovery information: %pe\n", ++ bri->scl_gpiod); ++ return 0; ++ } ++ ++ /* ++ * We have SCL. Pull SCL low and wait a bit so that SDA glitches ++ * have no effect. ++ */ ++ gpiod_direction_output(bri->scl_gpiod, 0); ++ udelay(10); ++ bri->sda_gpiod = devm_gpiod_get(dev, "sda", GPIOD_OUT_HIGH_OPEN_DRAIN); ++ ++ /* Wait a bit in case of a SDA glitch, and then release SCL. */ ++ udelay(10); ++ gpiod_direction_output(bri->scl_gpiod, 1); ++ ++ if (bri->sda_gpiod == ERR_PTR(-EPROBE_DEFER)) ++ return -EPROBE_DEFER; ++ ++ if (IS_ERR(bri->sda_gpiod)) { ++ dev_info(dev, "missing sda gpio recovery information: %pe\n", ++ bri->sda_gpiod); + return 0; + } +- if (IS_ERR(bri->pinctrl)) +- return PTR_ERR(bri->pinctrl); + + bri->prepare_recovery = i2c_pxa_prepare_recovery; + bri->unprepare_recovery = i2c_pxa_unprepare_recovery; ++ bri->recover_bus = i2c_generic_scl_recovery; + + i2c->adap.bus_recovery_info = bri; + +- return 0; ++ /* ++ * Claiming GPIOs can change the pinmux state, which confuses the ++ * pinctrl since pinctrl's idea of the current setting is unaffected ++ * by the pinmux change caused by claiming the GPIO. Work around that ++ * by switching pinctrl to the GPIO state here. We do it this way to ++ * avoid glitching the I2C bus. ++ */ ++ pinctrl_select_state(i2c->pinctrl, i2c->pinctrl_recovery); ++ ++ return pinctrl_select_state(i2c->pinctrl, i2c->pinctrl_default); + } + + static int i2c_pxa_probe(struct platform_device *dev) diff --git a/queue-6.5/revert-ncsi-propagate-carrier-gain-loss-events-to-the-ncsi-controller.patch b/queue-6.5/revert-ncsi-propagate-carrier-gain-loss-events-to-the-ncsi-controller.patch new file mode 100644 index 00000000000..204dff24b78 --- /dev/null +++ b/queue-6.5/revert-ncsi-propagate-carrier-gain-loss-events-to-the-ncsi-controller.patch @@ -0,0 +1,46 @@ +From 9e2e7efbbbff69d8340abb56d375dd79d1f5770f Mon Sep 17 00:00:00 2001 +From: Johnathan Mantey +Date: Mon, 13 Nov 2023 08:30:29 -0800 +Subject: Revert ncsi: Propagate carrier gain/loss events to the NCSI controller + +From: Johnathan Mantey + +commit 9e2e7efbbbff69d8340abb56d375dd79d1f5770f upstream. + +This reverts commit 3780bb29311eccb7a1c9641032a112eed237f7e3. + +The cited commit introduced unwanted behavior. + +The intent for the commit was to be able to detect carrier loss/gain +for just the NIC connected to the BMC. The unwanted effect is a +carrier loss for auxiliary paths also causes the BMC to lose +carrier. The BMC never regains carrier despite the secondary NIC +regaining a link. + +This change, when merged, needs to be backported to stable kernels. +5.4-stable, 5.10-stable, 5.15-stable, 6.1-stable, 6.5-stable + +Fixes: 3780bb29311e ("ncsi: Propagate carrier gain/loss events to the NCSI controller") +CC: stable@vger.kernel.org +Signed-off-by: Johnathan Mantey +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ncsi/ncsi-aen.c | 5 ----- + 1 file changed, 5 deletions(-) + +--- a/net/ncsi/ncsi-aen.c ++++ b/net/ncsi/ncsi-aen.c +@@ -89,11 +89,6 @@ static int ncsi_aen_handler_lsc(struct n + if ((had_link == has_link) || chained) + return 0; + +- if (had_link) +- netif_carrier_off(ndp->ndev.dev); +- else +- netif_carrier_on(ndp->ndev.dev); +- + if (!ndp->multi_package && !nc->package->multi_channel) { + if (had_link) { + ndp->flags |= NCSI_DEV_RESHUFFLE; diff --git a/queue-6.5/riscv-correct-pt_level-name-via-pgtable_l5-4_enabled.patch b/queue-6.5/riscv-correct-pt_level-name-via-pgtable_l5-4_enabled.patch new file mode 100644 index 00000000000..e05a43e4699 --- /dev/null +++ b/queue-6.5/riscv-correct-pt_level-name-via-pgtable_l5-4_enabled.patch @@ -0,0 +1,44 @@ +From e59e5e2754bf983fc58ad18f99b5eec01f1a0745 Mon Sep 17 00:00:00 2001 +From: Song Shuai +Date: Tue, 29 Aug 2023 21:39:20 -0700 +Subject: riscv: correct pt_level name via pgtable_l5/4_enabled + +From: Song Shuai + +commit e59e5e2754bf983fc58ad18f99b5eec01f1a0745 upstream. + +The pt_level uses CONFIG_PGTABLE_LEVELS to display page table names. +But if page mode is downgraded from kernel cmdline or restricted by +the hardware in 64BIT, it will give a wrong name. + +Like, using no4lvl for sv39, ptdump named the 1G-mapping as "PUD" +that should be "PGD": + +0xffffffd840000000-0xffffffd900000000 0x00000000c0000000 3G PUD D A G . . W R V + +So select "P4D/PUD" or "PGD" via pgtable_l5/4_enabled to correct it. + +Fixes: e8a62cc26ddf ("riscv: Implement sv48 support") +Reviewed-by: Alexandre Ghiti +Signed-off-by: Song Shuai +Link: https://lore.kernel.org/r/20230712115740.943324-1-suagrfillet@gmail.com +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20230830044129.11481-3-palmer@rivosinc.com +Signed-off-by: Palmer Dabbelt +Signed-off-by: Greg Kroah-Hartman +--- + arch/riscv/mm/ptdump.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/arch/riscv/mm/ptdump.c ++++ b/arch/riscv/mm/ptdump.c +@@ -384,6 +384,9 @@ static int __init ptdump_init(void) + + kernel_ptd_info.base_addr = KERN_VIRT_START; + ++ pg_level[1].name = pgtable_l5_enabled ? "P4D" : "PGD"; ++ pg_level[2].name = pgtable_l4_enabled ? "PUD" : "PGD"; ++ + for (i = 0; i < ARRAY_SIZE(pg_level); i++) + for (j = 0; j < ARRAY_SIZE(pte_bits); j++) + pg_level[i].mask |= pte_bits[j].mask; diff --git a/queue-6.5/riscv-kprobes-allow-writing-to-x0.patch b/queue-6.5/riscv-kprobes-allow-writing-to-x0.patch new file mode 100644 index 00000000000..e827da31dee --- /dev/null +++ b/queue-6.5/riscv-kprobes-allow-writing-to-x0.patch @@ -0,0 +1,38 @@ +From 8cb22bec142624d21bc85ff96b7bad10b6220e6a Mon Sep 17 00:00:00 2001 +From: Nam Cao +Date: Tue, 29 Aug 2023 20:25:00 +0200 +Subject: riscv: kprobes: allow writing to x0 + +From: Nam Cao + +commit 8cb22bec142624d21bc85ff96b7bad10b6220e6a upstream. + +Instructions can write to x0, so we should simulate these instructions +normally. + +Currently, the kernel hangs if an instruction who writes to x0 is +simulated. + +Fixes: c22b0bcb1dd0 ("riscv: Add kprobes supported") +Cc: stable@vger.kernel.org +Signed-off-by: Nam Cao +Reviewed-by: Charlie Jenkins +Acked-by: Guo Ren +Link: https://lore.kernel.org/r/20230829182500.61875-1-namcaov@gmail.com +Signed-off-by: Palmer Dabbelt +Signed-off-by: Greg Kroah-Hartman +--- + arch/riscv/kernel/probes/simulate-insn.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/riscv/kernel/probes/simulate-insn.c ++++ b/arch/riscv/kernel/probes/simulate-insn.c +@@ -24,7 +24,7 @@ static inline bool rv_insn_reg_set_val(s + unsigned long val) + { + if (index == 0) +- return false; ++ return true; + else if (index <= 31) + *((unsigned long *)regs + index) = val; + else diff --git a/queue-6.5/riscv-mm-update-the-comment-of-config_page_offset.patch b/queue-6.5/riscv-mm-update-the-comment-of-config_page_offset.patch new file mode 100644 index 00000000000..60405274b26 --- /dev/null +++ b/queue-6.5/riscv-mm-update-the-comment-of-config_page_offset.patch @@ -0,0 +1,35 @@ +From 559fe94a449cba5b50a7cffea60474b385598c00 Mon Sep 17 00:00:00 2001 +From: Song Shuai +Date: Wed, 9 Aug 2023 11:10:23 +0800 +Subject: riscv: mm: Update the comment of CONFIG_PAGE_OFFSET + +From: Song Shuai + +commit 559fe94a449cba5b50a7cffea60474b385598c00 upstream. + +Since the commit 011f09d12052 set sv57 as default for CONFIG_64BIT, +the comment of CONFIG_PAGE_OFFSET should be updated too. + +Fixes: 011f09d12052 ("riscv: mm: Set sv57 on defaultly") +Signed-off-by: Song Shuai +Link: https://lore.kernel.org/r/20230809031023.3575407-1-songshuaishuai@tinylab.org +Cc: stable@vger.kernel.org +Signed-off-by: Palmer Dabbelt +Signed-off-by: Greg Kroah-Hartman +--- + arch/riscv/include/asm/page.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/riscv/include/asm/page.h ++++ b/arch/riscv/include/asm/page.h +@@ -33,8 +33,8 @@ + #define PAGE_OFFSET _AC(CONFIG_PAGE_OFFSET, UL) + #endif + /* +- * By default, CONFIG_PAGE_OFFSET value corresponds to SV48 address space so +- * define the PAGE_OFFSET value for SV39. ++ * By default, CONFIG_PAGE_OFFSET value corresponds to SV57 address space so ++ * define the PAGE_OFFSET value for SV48 and SV39. + */ + #define PAGE_OFFSET_L4 _AC(0xffffaf8000000000, UL) + #define PAGE_OFFSET_L3 _AC(0xffffffd800000000, UL) diff --git a/queue-6.5/riscv-put-interrupt-entries-into-.irqentry.text.patch b/queue-6.5/riscv-put-interrupt-entries-into-.irqentry.text.patch new file mode 100644 index 00000000000..0f1768de6cc --- /dev/null +++ b/queue-6.5/riscv-put-interrupt-entries-into-.irqentry.text.patch @@ -0,0 +1,35 @@ +From 87615e95f6f9ccd36d4a3905a2d87f91967ea9d2 Mon Sep 17 00:00:00 2001 +From: Nam Cao +Date: Mon, 21 Aug 2023 16:57:09 +0200 +Subject: riscv: put interrupt entries into .irqentry.text + +From: Nam Cao + +commit 87615e95f6f9ccd36d4a3905a2d87f91967ea9d2 upstream. + +The interrupt entries are expected to be in the .irqentry.text section. +For example, for kprobes to work properly, exception code cannot be +probed; this is ensured by blacklisting addresses in the .irqentry.text +section. + +Fixes: 7db91e57a0ac ("RISC-V: Task implementation") +Signed-off-by: Nam Cao +Link: https://lore.kernel.org/r/20230821145708.21270-1-namcaov@gmail.com +Cc: stable@vger.kernel.org +Signed-off-by: Palmer Dabbelt +Signed-off-by: Greg Kroah-Hartman +--- + arch/riscv/kernel/entry.S | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/riscv/kernel/entry.S ++++ b/arch/riscv/kernel/entry.S +@@ -16,6 +16,8 @@ + #include + #include + ++ .section .irqentry.text, "ax" ++ + SYM_CODE_START(handle_exception) + /* + * If coming from userspace, preserve the user thread pointer and load diff --git a/queue-6.5/riscv-using-toolchain_has_zihintpause-marco-replace-zihintpause.patch b/queue-6.5/riscv-using-toolchain_has_zihintpause-marco-replace-zihintpause.patch new file mode 100644 index 00000000000..2ee9f6ab273 --- /dev/null +++ b/queue-6.5/riscv-using-toolchain_has_zihintpause-marco-replace-zihintpause.patch @@ -0,0 +1,44 @@ +From dd16ac404a685cce07e67261a94c6225d90ea7ba Mon Sep 17 00:00:00 2001 +From: Minda Chen +Date: Wed, 2 Aug 2023 14:42:15 +0800 +Subject: riscv: Using TOOLCHAIN_HAS_ZIHINTPAUSE marco replace zihintpause + +From: Minda Chen + +commit dd16ac404a685cce07e67261a94c6225d90ea7ba upstream. + +Actually it is a part of Conor's +commit aae538cd03bc ("riscv: fix detection of toolchain +Zihintpause support"). +It is looks like a merge issue. Samuel's +commit 0b1d60d6dd9e ("riscv: Fix build with +CONFIG_CC_OPTIMIZE_FOR_SIZE=y") do not base on Conor's commit and +revert to __riscv_zihintpause. So this patch can fix it. + +Signed-off-by: Minda Chen +Fixes: 3c349eacc559 ("Merge patch "riscv: Fix build with CONFIG_CC_OPTIMIZE_FOR_SIZE=y"") +Reviewed-by: Conor Dooley +Link: https://lore.kernel.org/r/20230802064215.31111-1-minda.chen@starfivetech.com +Cc: stable@vger.kernel.org +Signed-off-by: Palmer Dabbelt +Signed-off-by: Greg Kroah-Hartman +--- + arch/riscv/include/asm/vdso/processor.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/riscv/include/asm/vdso/processor.h b/arch/riscv/include/asm/vdso/processor.h +index 14f5d27783b8..96b65a5396df 100644 +--- a/arch/riscv/include/asm/vdso/processor.h ++++ b/arch/riscv/include/asm/vdso/processor.h +@@ -14,7 +14,7 @@ static inline void cpu_relax(void) + __asm__ __volatile__ ("div %0, %0, zero" : "=r" (dummy)); + #endif + +-#ifdef __riscv_zihintpause ++#ifdef CONFIG_TOOLCHAIN_HAS_ZIHINTPAUSE + /* + * Reduce instruction retirement. + * This assumes the PC changes. +-- +2.43.0 + diff --git a/queue-6.5/s390-ap-fix-ap-bus-crash-on-early-config-change-callback-invocation.patch b/queue-6.5/s390-ap-fix-ap-bus-crash-on-early-config-change-callback-invocation.patch new file mode 100644 index 00000000000..81d52b218d1 --- /dev/null +++ b/queue-6.5/s390-ap-fix-ap-bus-crash-on-early-config-change-callback-invocation.patch @@ -0,0 +1,88 @@ +From e14aec23025eeb1f2159ba34dbc1458467c4c347 Mon Sep 17 00:00:00 2001 +From: Harald Freudenberger +Date: Mon, 23 Oct 2023 09:57:10 +0200 +Subject: s390/ap: fix AP bus crash on early config change callback invocation + +From: Harald Freudenberger + +commit e14aec23025eeb1f2159ba34dbc1458467c4c347 upstream. + +Fix kernel crash in AP bus code caused by very early invocation of the +config change callback function via SCLP. + +After a fresh IML of the machine the crypto cards are still offline and +will get switched online only with activation of any LPAR which has the +card in it's configuration. A crypto card coming online is reported +to the LPAR via SCLP and the AP bus offers a callback function to get +this kind of information. However, it may happen that the callback is +invoked before the AP bus init function is complete. As the callback +triggers a synchronous AP bus scan, the scan may already run but some +internal states are not initialized by the AP bus init function resulting +in a crash like this: + + [ 11.635859] Unable to handle kernel pointer dereference in virtual kernel address space + [ 11.635861] Failing address: 0000000000000000 TEID: 0000000000000887 + [ 11.635862] Fault in home space mode while using kernel ASCE. + [ 11.635864] AS:00000000894c4007 R3:00000001fece8007 S:00000001fece7800 P:000000000000013d + [ 11.635879] Oops: 0004 ilc:1 [#1] SMP + [ 11.635882] Modules linked in: + [ 11.635884] CPU: 5 PID: 42 Comm: kworker/5:0 Not tainted 6.6.0-rc3-00003-g4dbf7cdc6b42 #12 + [ 11.635886] Hardware name: IBM 3931 A01 751 (LPAR) + [ 11.635887] Workqueue: events_long ap_scan_bus + [ 11.635891] Krnl PSW : 0704c00180000000 0000000000000000 (0x0) + [ 11.635895] R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:0 PM:0 RI:0 EA:3 + [ 11.635897] Krnl GPRS: 0000000001000a00 0000000000000000 0000000000000006 0000000089591940 + [ 11.635899] 0000000080000000 0000000000000a00 0000000000000000 0000000000000000 + [ 11.635901] 0000000081870c00 0000000089591000 000000008834e4e2 0000000002625a00 + [ 11.635903] 0000000081734200 0000038000913c18 000000008834c6d6 0000038000913ac8 + [ 11.635906] Krnl Code:>0000000000000000: 0000 illegal + [ 11.635906] 0000000000000002: 0000 illegal + [ 11.635906] 0000000000000004: 0000 illegal + [ 11.635906] 0000000000000006: 0000 illegal + [ 11.635906] 0000000000000008: 0000 illegal + [ 11.635906] 000000000000000a: 0000 illegal + [ 11.635906] 000000000000000c: 0000 illegal + [ 11.635906] 000000000000000e: 0000 illegal + [ 11.635915] Call Trace: + [ 11.635916] [<0000000000000000>] 0x0 + [ 11.635918] [<000000008834e4e2>] ap_queue_init_state+0x82/0xb8 + [ 11.635921] [<000000008834ba1c>] ap_scan_domains+0x6fc/0x740 + [ 11.635923] [<000000008834c092>] ap_scan_adapter+0x632/0x8b0 + [ 11.635925] [<000000008834c3e4>] ap_scan_bus+0xd4/0x288 + [ 11.635927] [<00000000879a33ba>] process_one_work+0x19a/0x410 + [ 11.635930] Discipline DIAG cannot be used without z/VM + [ 11.635930] [<00000000879a3a2c>] worker_thread+0x3fc/0x560 + [ 11.635933] [<00000000879aea60>] kthread+0x120/0x128 + [ 11.635936] [<000000008792afa4>] __ret_from_fork+0x3c/0x58 + [ 11.635938] [<00000000885ebe62>] ret_from_fork+0xa/0x30 + [ 11.635942] Last Breaking-Event-Address: + [ 11.635942] [<000000008834c6d4>] ap_wait+0xcc/0x148 + +This patch improves the ap_bus_force_rescan() function which is +invoked by the config change callback by checking if a first +initial AP bus scan has been done. If not, the force rescan request +is simple ignored. Anyhow it does not make sense to trigger AP bus +re-scans even before the very first bus scan is complete. + +Cc: stable@vger.kernel.org +Reviewed-by: Holger Dengler +Signed-off-by: Harald Freudenberger +Signed-off-by: Vasily Gorbik +Signed-off-by: Greg Kroah-Hartman +--- + drivers/s390/crypto/ap_bus.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/s390/crypto/ap_bus.c ++++ b/drivers/s390/crypto/ap_bus.c +@@ -1030,6 +1030,10 @@ EXPORT_SYMBOL(ap_driver_unregister); + + void ap_bus_force_rescan(void) + { ++ /* Only trigger AP bus scans after the initial scan is done */ ++ if (atomic64_read(&ap_scan_bus_count) <= 0) ++ return; ++ + /* processing a asynchronous bus rescan */ + del_timer(&ap_config_timer); + queue_work(system_long_wq, &ap_scan_work); diff --git a/queue-6.5/sbsa_gwdt-calculate-timeout-with-64-bit-math.patch b/queue-6.5/sbsa_gwdt-calculate-timeout-with-64-bit-math.patch new file mode 100644 index 00000000000..35155248315 --- /dev/null +++ b/queue-6.5/sbsa_gwdt-calculate-timeout-with-64-bit-math.patch @@ -0,0 +1,61 @@ +From 5d6aa89bba5bd6af2580f872b57f438dab883738 Mon Sep 17 00:00:00 2001 +From: Darren Hart +Date: Thu, 21 Sep 2023 02:02:36 -0700 +Subject: sbsa_gwdt: Calculate timeout with 64-bit math + +From: Darren Hart + +commit 5d6aa89bba5bd6af2580f872b57f438dab883738 upstream. + +Commit abd3ac7902fb ("watchdog: sbsa: Support architecture version 1") +introduced new timer math for watchdog revision 1 with the 48 bit offset +register. + +The gwdt->clk and timeout are u32, but the argument being calculated is +u64. Without a cast, the compiler performs u32 operations, truncating +intermediate steps, resulting in incorrect values. + +A watchdog revision 1 implementation with a gwdt->clk of 1GHz and a +timeout of 600s writes 3647256576 to the one shot watchdog instead of +300000000000, resulting in the watchdog firing in 3.6s instead of 600s. + +Force u64 math by casting the first argument (gwdt->clk) as a u64. Make +the order of operations explicit with parenthesis. + +Fixes: abd3ac7902fb ("watchdog: sbsa: Support architecture version 1") +Reported-by: Vanshidhar Konda +Signed-off-by: Darren Hart +Cc: Wim Van Sebroeck +Cc: Guenter Roeck +Cc: linux-watchdog@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Cc: linux-arm-kernel@lists.infradead.org +Cc: # 5.14.x +Reviewed-by: Guenter Roeck +Link: https://lore.kernel.org/r/7d1713c5ffab19b0f3de796d82df19e8b1f340de.1695286124.git.darren@os.amperecomputing.com +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Greg Kroah-Hartman +--- + drivers/watchdog/sbsa_gwdt.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/watchdog/sbsa_gwdt.c ++++ b/drivers/watchdog/sbsa_gwdt.c +@@ -153,14 +153,14 @@ static int sbsa_gwdt_set_timeout(struct + timeout = clamp_t(unsigned int, timeout, 1, wdd->max_hw_heartbeat_ms / 1000); + + if (action) +- sbsa_gwdt_reg_write(gwdt->clk * timeout, gwdt); ++ sbsa_gwdt_reg_write((u64)gwdt->clk * timeout, gwdt); + else + /* + * In the single stage mode, The first signal (WS0) is ignored, + * the timeout is (WOR * 2), so the WOR should be configured + * to half value of timeout. + */ +- sbsa_gwdt_reg_write(gwdt->clk / 2 * timeout, gwdt); ++ sbsa_gwdt_reg_write(((u64)gwdt->clk / 2) * timeout, gwdt); + + return 0; + } diff --git a/queue-6.5/series b/queue-6.5/series index ca07879e06d..fde9feac865 100644 --- a/queue-6.5/series +++ b/queue-6.5/series @@ -404,3 +404,38 @@ alsa-hda-realtek-add-dell-alc295-to-pin-fall-back-table.patch alsa-hda-realtek-enable-internal-speaker-of-asus-k6500zc.patch alsa-hda-realtek-enable-mute-led-on-hp-255-g10.patch alsa-hda-realtek-add-quirks-for-hp-laptops.patch +revert-ncsi-propagate-carrier-gain-loss-events-to-the-ncsi-controller.patch +revert-i2c-pxa-move-to-generic-gpio-recovery.patch +lsm-fix-default-return-value-for-vm_enough_memory.patch +lsm-fix-default-return-value-for-inode_getsecctx.patch +sbsa_gwdt-calculate-timeout-with-64-bit-math.patch +i2c-designware-disable-tx_empty-irq-while-waiting-for-block-length-byte.patch +s390-ap-fix-ap-bus-crash-on-early-config-change-callback-invocation.patch +net-ethtool-fix-documentation-of-ethtool_sprintf.patch +net-dsa-lan9303-consequently-nested-lock-physical-mdio.patch +net-phylink-initialize-carrier-state-at-creation.patch +gfs2-don-t-withdraw-if-init_threads-got-interrupted.patch +i2c-i801-fix-potential-race-in-i801_block_transaction_byte_by_byte.patch +f2fs-do-not-return-efscorrupted-but-try-to-run-online-repair.patch +f2fs-set-the-default-compress_level-on-ioctl.patch +f2fs-avoid-format-overflow-warning.patch +f2fs-split-initial-and-dynamic-conditions-for-extent_cache.patch +media-lirc-drop-trailing-space-from-scancode-transmit.patch +media-sharp-fix-sharp-encoding.patch +media-venus-hfi_parser-add-check-to-keep-the-number-of-codecs-within-range.patch +media-venus-hfi-fix-the-check-to-handle-session-buffer-requirement.patch +media-venus-hfi-add-checks-to-handle-capabilities-from-firmware.patch +media-ccs-correctly-initialise-try-compose-rectangle.patch +drm-mediatek-dp-fix-memory-leak-on-get_edid-callback-audio-detection.patch +drm-mediatek-dp-fix-memory-leak-on-get_edid-callback-error-path.patch +dm-bufio-fix-no-sleep-mode.patch +dm-verity-don-t-use-blocking-calls-from-tasklets.patch +nfsd-fix-file-memleak-on-client_opens_release.patch +nfsd-update-nfsd_cache_append-to-use-xdr_stream.patch +loongarch-mark-__percpu-functions-as-always-inline.patch +riscv-using-toolchain_has_zihintpause-marco-replace-zihintpause.patch +riscv-put-interrupt-entries-into-.irqentry.text.patch +riscv-mm-update-the-comment-of-config_page_offset.patch +riscv-correct-pt_level-name-via-pgtable_l5-4_enabled.patch +riscv-kprobes-allow-writing-to-x0.patch +mmc-sdhci-pci-gli-a-workaround-to-allow-gl9750-to-enter-aspm-l1.2.patch