From: Sasha Levin Date: Fri, 22 Mar 2024 16:53:58 +0000 (-0400) Subject: Fixes for 4.19 X-Git-Tag: v6.8.2~82 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=95d404a1ae6cb72bb9d113ef7ec2b778f450f5c1;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.19 Signed-off-by: Sasha Levin --- diff --git a/queue-4.19/abi-sysfs-bus-pci-devices-aer_stats-uses-an-invalid-.patch b/queue-4.19/abi-sysfs-bus-pci-devices-aer_stats-uses-an-invalid-.patch new file mode 100644 index 00000000000..cd4e78543f7 --- /dev/null +++ b/queue-4.19/abi-sysfs-bus-pci-devices-aer_stats-uses-an-invalid-.patch @@ -0,0 +1,77 @@ +From ce74ec93c61491076d8aaa224e449c29d92101e5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Jun 2019 14:52:15 -0300 +Subject: ABI: sysfs-bus-pci-devices-aer_stats uses an invalid tag + +From: Mauro Carvalho Chehab + +[ Upstream commit abf313b5a8b72302062dd407ed7e470d67d389bb ] + +According with Documentation/ABI/, the right tag to describe +an ABI symbol is "What:", and not "Where:". + +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +Stable-dep-of: 0e7d29a39a54 ("PCI/AER: Fix rootport attribute paths in ABI docs") +Signed-off-by: Sasha Levin +--- + .../ABI/testing/sysfs-bus-pci-devices-aer_stats | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/Documentation/ABI/testing/sysfs-bus-pci-devices-aer_stats b/Documentation/ABI/testing/sysfs-bus-pci-devices-aer_stats +index 4b0318c99507f..ff229d71961c3 100644 +--- a/Documentation/ABI/testing/sysfs-bus-pci-devices-aer_stats ++++ b/Documentation/ABI/testing/sysfs-bus-pci-devices-aer_stats +@@ -9,7 +9,7 @@ errors may be "seen" / reported by the link partner and not the + problematic endpoint itself (which may report all counters as 0 as it never + saw any problems). + +-Where: /sys/bus/pci/devices//aer_dev_correctable ++What: /sys/bus/pci/devices//aer_dev_correctable + Date: July 2018 + Kernel Version: 4.19.0 + Contact: linux-pci@vger.kernel.org, rajatja@google.com +@@ -31,7 +31,7 @@ Header Log Overflow 0 + TOTAL_ERR_COR 2 + ------------------------------------------------------------------------- + +-Where: /sys/bus/pci/devices//aer_dev_fatal ++What: /sys/bus/pci/devices//aer_dev_fatal + Date: July 2018 + Kernel Version: 4.19.0 + Contact: linux-pci@vger.kernel.org, rajatja@google.com +@@ -62,7 +62,7 @@ TLP Prefix Blocked Error 0 + TOTAL_ERR_FATAL 0 + ------------------------------------------------------------------------- + +-Where: /sys/bus/pci/devices//aer_dev_nonfatal ++What: /sys/bus/pci/devices//aer_dev_nonfatal + Date: July 2018 + Kernel Version: 4.19.0 + Contact: linux-pci@vger.kernel.org, rajatja@google.com +@@ -103,19 +103,19 @@ collectors) that are AER capable. These indicate the number of error messages as + device, so these counters include them and are thus cumulative of all the error + messages on the PCI hierarchy originating at that root port. + +-Where: /sys/bus/pci/devices//aer_stats/aer_rootport_total_err_cor ++What: /sys/bus/pci/devices//aer_stats/aer_rootport_total_err_cor + Date: July 2018 + Kernel Version: 4.19.0 + Contact: linux-pci@vger.kernel.org, rajatja@google.com + Description: Total number of ERR_COR messages reported to rootport. + +-Where: /sys/bus/pci/devices//aer_stats/aer_rootport_total_err_fatal ++What: /sys/bus/pci/devices//aer_stats/aer_rootport_total_err_fatal + Date: July 2018 + Kernel Version: 4.19.0 + Contact: linux-pci@vger.kernel.org, rajatja@google.com + Description: Total number of ERR_FATAL messages reported to rootport. + +-Where: /sys/bus/pci/devices//aer_stats/aer_rootport_total_err_nonfatal ++What: /sys/bus/pci/devices//aer_stats/aer_rootport_total_err_nonfatal + Date: July 2018 + Kernel Version: 4.19.0 + Contact: linux-pci@vger.kernel.org, rajatja@google.com +-- +2.43.0 + diff --git a/queue-4.19/acpi-processor_idle-fix-memory-leak-in-acpi_processo.patch b/queue-4.19/acpi-processor_idle-fix-memory-leak-in-acpi_processo.patch new file mode 100644 index 00000000000..dc3177769b2 --- /dev/null +++ b/queue-4.19/acpi-processor_idle-fix-memory-leak-in-acpi_processo.patch @@ -0,0 +1,61 @@ +From 0099cd08ce8c370897b5a03cce779b3558b81254 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Feb 2024 01:41:58 +0100 +Subject: ACPI: processor_idle: Fix memory leak in acpi_processor_power_exit() + +From: Armin Wolf + +[ Upstream commit e18afcb7b2a12b635ac10081f943fcf84ddacc51 ] + +After unregistering the CPU idle device, the memory associated with +it is not freed, leading to a memory leak: + +unreferenced object 0xffff896282f6c000 (size 1024): + comm "swapper/0", pid 1, jiffies 4294893170 + hex dump (first 32 bytes): + 00 00 00 00 0b 00 00 00 00 00 00 00 00 00 00 00 ................ + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace (crc 8836a742): + [] kmalloc_trace+0x29d/0x340 + [] acpi_processor_power_init+0xf3/0x1c0 + [] __acpi_processor_start+0xd3/0xf0 + [] acpi_processor_start+0x2c/0x50 + [] really_probe+0xe2/0x480 + [] __driver_probe_device+0x78/0x160 + [] driver_probe_device+0x1f/0x90 + [] __driver_attach+0xce/0x1c0 + [] bus_for_each_dev+0x70/0xc0 + [] bus_add_driver+0x112/0x210 + [] driver_register+0x55/0x100 + [] acpi_processor_driver_init+0x3b/0xc0 + [] do_one_initcall+0x41/0x300 + [] kernel_init_freeable+0x320/0x470 + [] kernel_init+0x16/0x1b0 + [] ret_from_fork+0x2d/0x50 + +Fix this by freeing the CPU idle device after unregistering it. + +Fixes: 3d339dcbb56d ("cpuidle / ACPI : move cpuidle_device field out of the acpi_processor_power structure") +Signed-off-by: Armin Wolf +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/processor_idle.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/acpi/processor_idle.c b/drivers/acpi/processor_idle.c +index d80010ac2a43a..22b56a6e9ccac 100644 +--- a/drivers/acpi/processor_idle.c ++++ b/drivers/acpi/processor_idle.c +@@ -1530,6 +1530,8 @@ int acpi_processor_power_exit(struct acpi_processor *pr) + acpi_processor_registered--; + if (acpi_processor_registered == 0) + cpuidle_unregister_driver(&acpi_idle_driver); ++ ++ kfree(dev); + } + + pr->flags.power_setup_done = 0; +-- +2.43.0 + diff --git a/queue-4.19/acpi-scan-fix-device-check-notification-handling.patch b/queue-4.19/acpi-scan-fix-device-check-notification-handling.patch new file mode 100644 index 00000000000..3e9f1367669 --- /dev/null +++ b/queue-4.19/acpi-scan-fix-device-check-notification-handling.patch @@ -0,0 +1,57 @@ +From 5fb5596e210e36c07dfb3dd3ada189f5598dc8df Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Feb 2024 17:35:27 +0100 +Subject: ACPI: scan: Fix device check notification handling + +From: Rafael J. Wysocki + +[ Upstream commit 793551c965116d9dfaf0550dacae1396a20efa69 ] + +It is generally invalid to fail a Device Check notification if the scan +handler has not been attached to the given device after a bus rescan, +because there may be valid reasons for the scan handler to refuse +attaching to the device (for example, the device is not ready). + +For this reason, modify acpi_scan_device_check() to return 0 in that +case without printing a warning. + +While at it, reduce the log level of the "already enumerated" message +in the same function, because it is only interesting when debugging +notification handling + +Fixes: 443fc8202272 ("ACPI / hotplug: Rework generic code to handle suprise removals") +Signed-off-by: Rafael J. Wysocki +Reviewed-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/acpi/scan.c | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +diff --git a/drivers/acpi/scan.c b/drivers/acpi/scan.c +index 1e7e2c438acf0..60417cee19b9b 100644 +--- a/drivers/acpi/scan.c ++++ b/drivers/acpi/scan.c +@@ -321,18 +321,14 @@ static int acpi_scan_device_check(struct acpi_device *adev) + * again). + */ + if (adev->handler) { +- dev_warn(&adev->dev, "Already enumerated\n"); +- return -EALREADY; ++ dev_dbg(&adev->dev, "Already enumerated\n"); ++ return 0; + } + error = acpi_bus_scan(adev->handle); + if (error) { + dev_warn(&adev->dev, "Namespace scan failure\n"); + return error; + } +- if (!adev->handler) { +- dev_warn(&adev->dev, "Enumeration failure\n"); +- error = -ENODEV; +- } + } else { + error = acpi_scan_device_not_present(adev); + } +-- +2.43.0 + diff --git a/queue-4.19/af_unix-annotate-data-race-of-gc_in_progress-in-wait.patch b/queue-4.19/af_unix-annotate-data-race-of-gc_in_progress-in-wait.patch new file mode 100644 index 00000000000..a8c14856842 --- /dev/null +++ b/queue-4.19/af_unix-annotate-data-race-of-gc_in_progress-in-wait.patch @@ -0,0 +1,39 @@ +From 7b45ce302920a12283ac2b63deef7d5ffd7c05e1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Jan 2024 09:08:52 -0800 +Subject: af_unix: Annotate data-race of gc_in_progress in wait_for_unix_gc(). + +From: Kuniyuki Iwashima + +[ Upstream commit 31e03207119a535d0b0e3b3a7f91983aeb2cb14d ] + +gc_in_progress is changed under spin_lock(&unix_gc_lock), +but wait_for_unix_gc() reads it locklessly. + +Let's use READ_ONCE(). + +Fixes: 5f23b734963e ("net: Fix soft lockups/OOM issues w/ unix garbage collector") +Signed-off-by: Kuniyuki Iwashima +Link: https://lore.kernel.org/r/20240123170856.41348-2-kuniyu@amazon.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/unix/garbage.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/unix/garbage.c b/net/unix/garbage.c +index 4d283e26d8162..0a212422b513c 100644 +--- a/net/unix/garbage.c ++++ b/net/unix/garbage.c +@@ -203,7 +203,7 @@ void wait_for_unix_gc(void) + if (READ_ONCE(unix_tot_inflight) > UNIX_INFLIGHT_TRIGGER_GC && + !READ_ONCE(gc_in_progress)) + unix_gc(); +- wait_event(unix_gc_wait, gc_in_progress == false); ++ wait_event(unix_gc_wait, !READ_ONCE(gc_in_progress)); + } + + /* The external entry point: unix_gc() */ +-- +2.43.0 + diff --git a/queue-4.19/alsa-seq-fix-function-cast-warnings.patch b/queue-4.19/alsa-seq-fix-function-cast-warnings.patch new file mode 100644 index 00000000000..23ba4767c1b --- /dev/null +++ b/queue-4.19/alsa-seq-fix-function-cast-warnings.patch @@ -0,0 +1,95 @@ +From 7c3326f801239e9741ab650058642dc920d9783f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Feb 2024 14:53:43 +0100 +Subject: ALSA: seq: fix function cast warnings + +From: Takashi Iwai + +[ Upstream commit d7bf73809849463f76de42aad62c850305dd6c5d ] + +clang-16 points out a control flow integrity (kcfi) issue when event +callbacks get converted to incompatible types: + +sound/core/seq/seq_midi.c:135:30: error: cast from 'int (*)(struct snd_rawmidi_substream *, const char *, int)' to 'snd_seq_dump_func_t' (aka 'int (*)(void *, void *, int)') converts to incompatible function type [-Werror,-Wcast-function-type-strict] + 135 | snd_seq_dump_var_event(ev, (snd_seq_dump_func_t)dump_midi, substream); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +sound/core/seq/seq_virmidi.c:83:31: error: cast from 'int (*)(struct snd_rawmidi_substream *, const unsigned char *, int)' to 'snd_seq_dump_func_t' (aka 'int (*)(void *, void *, int)') converts to incompatible function type [-Werror,-Wcast-function-type-strict] + 83 | snd_seq_dump_var_event(ev, (snd_seq_dump_func_t)snd_rawmidi_receive, vmidi->substream); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +For addressing those errors, introduce wrapper functions that are used +for callbacks and bridge to the actual function call with pointer +cast. + +The code was originally added with the initial ALSA merge in linux-2.5.4. + +[ the patch description shamelessly copied from Arnd's original patch + -- tiwai ] + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: Arnd Bergmann +Link: https://lore.kernel.org/r/20240213101020.459183-1-arnd@kernel.org +Link: https://lore.kernel.org/r/20240213135343.16411-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/core/seq/seq_midi.c | 8 +++++++- + sound/core/seq/seq_virmidi.c | 9 ++++++++- + 2 files changed, 15 insertions(+), 2 deletions(-) + +diff --git a/sound/core/seq/seq_midi.c b/sound/core/seq/seq_midi.c +index 9e0dabd3ce5f5..2bb6f21ac1964 100644 +--- a/sound/core/seq/seq_midi.c ++++ b/sound/core/seq/seq_midi.c +@@ -125,6 +125,12 @@ static int dump_midi(struct snd_rawmidi_substream *substream, const char *buf, i + return 0; + } + ++/* callback for snd_seq_dump_var_event(), bridging to dump_midi() */ ++static int __dump_midi(void *ptr, void *buf, int count) ++{ ++ return dump_midi(ptr, buf, count); ++} ++ + static int event_process_midi(struct snd_seq_event *ev, int direct, + void *private_data, int atomic, int hop) + { +@@ -144,7 +150,7 @@ static int event_process_midi(struct snd_seq_event *ev, int direct, + pr_debug("ALSA: seq_midi: invalid sysex event flags = 0x%x\n", ev->flags); + return 0; + } +- snd_seq_dump_var_event(ev, (snd_seq_dump_func_t)dump_midi, substream); ++ snd_seq_dump_var_event(ev, __dump_midi, substream); + snd_midi_event_reset_decode(msynth->parser); + } else { + if (msynth->parser == NULL) +diff --git a/sound/core/seq/seq_virmidi.c b/sound/core/seq/seq_virmidi.c +index af9af89a44d4e..23975b86e1d4b 100644 +--- a/sound/core/seq/seq_virmidi.c ++++ b/sound/core/seq/seq_virmidi.c +@@ -76,6 +76,13 @@ static void snd_virmidi_init_event(struct snd_virmidi *vmidi, + /* + * decode input event and put to read buffer of each opened file + */ ++ ++/* callback for snd_seq_dump_var_event(), bridging to snd_rawmidi_receive() */ ++static int dump_to_rawmidi(void *ptr, void *buf, int count) ++{ ++ return snd_rawmidi_receive(ptr, buf, count); ++} ++ + static int snd_virmidi_dev_receive_event(struct snd_virmidi_dev *rdev, + struct snd_seq_event *ev, + bool atomic) +@@ -94,7 +101,7 @@ static int snd_virmidi_dev_receive_event(struct snd_virmidi_dev *rdev, + if (ev->type == SNDRV_SEQ_EVENT_SYSEX) { + if ((ev->flags & SNDRV_SEQ_EVENT_LENGTH_MASK) != SNDRV_SEQ_EVENT_LENGTH_VARIABLE) + continue; +- snd_seq_dump_var_event(ev, (snd_seq_dump_func_t)snd_rawmidi_receive, vmidi->substream); ++ snd_seq_dump_var_event(ev, dump_to_rawmidi, vmidi->substream); + snd_midi_event_reset_decode(vmidi->parser); + } else { + len = snd_midi_event_decode(vmidi->parser, msg, sizeof(msg), ev); +-- +2.43.0 + diff --git a/queue-4.19/alsa-usb-audio-stop-parsing-channels-bits-when-all-c.patch b/queue-4.19/alsa-usb-audio-stop-parsing-channels-bits-when-all-c.patch new file mode 100644 index 00000000000..0d39f3c754f --- /dev/null +++ b/queue-4.19/alsa-usb-audio-stop-parsing-channels-bits-when-all-c.patch @@ -0,0 +1,43 @@ +From 942effbe5d532a67a8271171c5ca85faf2a09e5b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Mar 2024 09:15:09 +0100 +Subject: ALSA: usb-audio: Stop parsing channels bits when all channels are + found. + +From: Johan Carlsson + +[ Upstream commit a39d51ff1f52cd0b6fe7d379ac93bd8b4237d1b7 ] + +If a usb audio device sets more bits than the amount of channels +it could write outside of the map array. + +Signed-off-by: Johan Carlsson +Fixes: 04324ccc75f9 ("ALSA: usb-audio: add channel map support") +Message-ID: <20240313081509.9801-1-johan.carlsson@teenage.engineering> +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/usb/stream.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/sound/usb/stream.c b/sound/usb/stream.c +index 1cfb30465df7d..3f20438a1b56e 100644 +--- a/sound/usb/stream.c ++++ b/sound/usb/stream.c +@@ -306,9 +306,12 @@ static struct snd_pcm_chmap_elem *convert_chmap(int channels, unsigned int bits, + c = 0; + + if (bits) { +- for (; bits && *maps; maps++, bits >>= 1) ++ for (; bits && *maps; maps++, bits >>= 1) { + if (bits & 1) + chmap->map[c++] = *maps; ++ if (c == chmap->channels) ++ break; ++ } + } else { + /* If we're missing wChannelConfig, then guess something + to make sure the channel map is not skipped entirely */ +-- +2.43.0 + diff --git a/queue-4.19/aoe-fix-the-potential-use-after-free-problem-in-aoec.patch b/queue-4.19/aoe-fix-the-potential-use-after-free-problem-in-aoec.patch new file mode 100644 index 00000000000..b999218e811 --- /dev/null +++ b/queue-4.19/aoe-fix-the-potential-use-after-free-problem-in-aoec.patch @@ -0,0 +1,88 @@ +From 455e30d2d66ab86edc1f36bbbbffc5b45d4fd9db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Mar 2024 16:20:48 +0800 +Subject: aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts + +From: Chun-Yi Lee + +[ Upstream commit f98364e926626c678fb4b9004b75cacf92ff0662 ] + +This patch is against CVE-2023-6270. The description of cve is: + + A flaw was found in the ATA over Ethernet (AoE) driver in the Linux + kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on + `struct net_device`, and a use-after-free can be triggered by racing + between the free on the struct and the access through the `skbtxq` + global queue. This could lead to a denial of service condition or + potential code execution. + +In aoecmd_cfg_pkts(), it always calls dev_put(ifp) when skb initial +code is finished. But the net_device ifp will still be used in +later tx()->dev_queue_xmit() in kthread. Which means that the +dev_put(ifp) should NOT be called in the success path of skb +initial code in aoecmd_cfg_pkts(). Otherwise tx() may run into +use-after-free because the net_device is freed. + +This patch removed the dev_put(ifp) in the success path in +aoecmd_cfg_pkts(), and added dev_put() after skb xmit in tx(). + +Link: https://nvd.nist.gov/vuln/detail/CVE-2023-6270 +Fixes: 7562f876cd93 ("[NET]: Rework dev_base via list_head (v3)") +Signed-off-by: Chun-Yi Lee +Link: https://lore.kernel.org/r/20240305082048.25526-1-jlee@suse.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/aoe/aoecmd.c | 12 ++++++------ + drivers/block/aoe/aoenet.c | 1 + + 2 files changed, 7 insertions(+), 6 deletions(-) + +diff --git a/drivers/block/aoe/aoecmd.c b/drivers/block/aoe/aoecmd.c +index 136dc507d0206..c2b32c53da2bb 100644 +--- a/drivers/block/aoe/aoecmd.c ++++ b/drivers/block/aoe/aoecmd.c +@@ -420,13 +420,16 @@ aoecmd_cfg_pkts(ushort aoemajor, unsigned char aoeminor, struct sk_buff_head *qu + rcu_read_lock(); + for_each_netdev_rcu(&init_net, ifp) { + dev_hold(ifp); +- if (!is_aoe_netif(ifp)) +- goto cont; ++ if (!is_aoe_netif(ifp)) { ++ dev_put(ifp); ++ continue; ++ } + + skb = new_skb(sizeof *h + sizeof *ch); + if (skb == NULL) { + printk(KERN_INFO "aoe: skb alloc failure\n"); +- goto cont; ++ dev_put(ifp); ++ continue; + } + skb_put(skb, sizeof *h + sizeof *ch); + skb->dev = ifp; +@@ -441,9 +444,6 @@ aoecmd_cfg_pkts(ushort aoemajor, unsigned char aoeminor, struct sk_buff_head *qu + h->major = cpu_to_be16(aoemajor); + h->minor = aoeminor; + h->cmd = AOECMD_CFG; +- +-cont: +- dev_put(ifp); + } + rcu_read_unlock(); + } +diff --git a/drivers/block/aoe/aoenet.c b/drivers/block/aoe/aoenet.c +index 63773a90581dd..1e66c7a188a12 100644 +--- a/drivers/block/aoe/aoenet.c ++++ b/drivers/block/aoe/aoenet.c +@@ -64,6 +64,7 @@ tx(int id) __must_hold(&txlock) + pr_warn("aoe: packet could not be sent on %s. %s\n", + ifp ? ifp->name : "netif", + "consider increasing tx_queue_len"); ++ dev_put(ifp); + spin_lock_irq(&txlock); + } + return 0; +-- +2.43.0 + diff --git a/queue-4.19/arch-powerpc-remove-linux-fb.h-from-backlight-code.patch b/queue-4.19/arch-powerpc-remove-linux-fb.h-from-backlight-code.patch new file mode 100644 index 00000000000..9a3d87ff0f7 --- /dev/null +++ b/queue-4.19/arch-powerpc-remove-linux-fb.h-from-backlight-code.patch @@ -0,0 +1,98 @@ +From 489560c90793e6ae07506e8875b75bd0a8c6fa6f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Mar 2024 13:28:20 +0100 +Subject: arch/powerpc: Remove from backlight code + +From: Thomas Zimmermann + +[ Upstream commit 838f865802b9f26135ea7df4e30f89ac2f50c23e ] + +Replace with a forward declaration in to +resolve an unnecessary dependency. Remove pmac_backlight_curve_lookup() +and struct fb_info from source and header files. The function and the +framebuffer struct are unused. No functional changes. + +v3: + * Add Fixes tag (Christophe) + * fix typos in commit message (Jani) + +Signed-off-by: Thomas Zimmermann +Fixes: d565dd3b0824 ("[PATCH] powerpc: More via-pmu backlight fixes") +Reviewed-by: Jani Nikula +Acked-by: Michael Ellerman # (powerpc) +Link: https://patchwork.freedesktop.org/patch/msgid/20240306122935.10626-4-tzimmermann@suse.de +Signed-off-by: Sasha Levin +--- + arch/powerpc/include/asm/backlight.h | 5 ++-- + arch/powerpc/platforms/powermac/backlight.c | 26 --------------------- + 2 files changed, 2 insertions(+), 29 deletions(-) + +diff --git a/arch/powerpc/include/asm/backlight.h b/arch/powerpc/include/asm/backlight.h +index 1b5eab62ed047..061a910d74929 100644 +--- a/arch/powerpc/include/asm/backlight.h ++++ b/arch/powerpc/include/asm/backlight.h +@@ -10,15 +10,14 @@ + #define __ASM_POWERPC_BACKLIGHT_H + #ifdef __KERNEL__ + +-#include + #include + ++struct backlight_device; ++ + /* For locking instructions, see the implementation file */ + extern struct backlight_device *pmac_backlight; + extern struct mutex pmac_backlight_mutex; + +-extern int pmac_backlight_curve_lookup(struct fb_info *info, int value); +- + extern int pmac_has_backlight_type(const char *type); + + extern void pmac_backlight_key(int direction); +diff --git a/arch/powerpc/platforms/powermac/backlight.c b/arch/powerpc/platforms/powermac/backlight.c +index 6b5dcccae1d30..8fae9a7d3d47c 100644 +--- a/arch/powerpc/platforms/powermac/backlight.c ++++ b/arch/powerpc/platforms/powermac/backlight.c +@@ -8,7 +8,6 @@ + */ + + #include +-#include + #include + #include + #include +@@ -72,31 +71,6 @@ int pmac_has_backlight_type(const char *type) + return 0; + } + +-int pmac_backlight_curve_lookup(struct fb_info *info, int value) +-{ +- int level = (FB_BACKLIGHT_LEVELS - 1); +- +- if (info && info->bl_dev) { +- int i, max = 0; +- +- /* Look for biggest value */ +- for (i = 0; i < FB_BACKLIGHT_LEVELS; i++) +- max = max((int)info->bl_curve[i], max); +- +- /* Look for nearest value */ +- for (i = 0; i < FB_BACKLIGHT_LEVELS; i++) { +- int diff = abs(info->bl_curve[i] - value); +- if (diff < max) { +- max = diff; +- level = i; +- } +- } +- +- } +- +- return level; +-} +- + static void pmac_backlight_key_worker(struct work_struct *work) + { + if (atomic_read(&kernel_backlight_disabled)) +-- +2.43.0 + diff --git a/queue-4.19/arm-dts-arm-realview-fix-development-chip-rom-compat.patch b/queue-4.19/arm-dts-arm-realview-fix-development-chip-rom-compat.patch new file mode 100644 index 00000000000..b7f23321d36 --- /dev/null +++ b/queue-4.19/arm-dts-arm-realview-fix-development-chip-rom-compat.patch @@ -0,0 +1,43 @@ +From 8e630c7dd673b09debf845fdd9e33514fcccd9b4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Aug 2023 17:03:04 +0200 +Subject: ARM: dts: arm: realview: Fix development chip ROM compatible value + +From: Geert Uytterhoeven + +[ Upstream commit 3baa4c5143d65ebab2de0d99a395e5f4f1f46608 ] + +When the development chip ROM was added, the "direct-mapped" compatible +value was already obsolete. In addition, the device node lacked the +accompanying "probe-type" property, causing the old physmap_of_core +driver to fall back to trying all available probe types. +Unfortunately this fallback was lost when the DT and pdata cases were +merged. + +Fix this by using the modern "mtd-rom" compatible value instead. + +Fixes: 5c3f5edbe0a1dff3 ("ARM: realview: add flash devices to the PB1176 DTS") +Fixes: 642b1e8dbed7bbbf ("mtd: maps: Merge physmap_of.c into physmap-core.c") +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/arm-realview-pb1176.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/arm-realview-pb1176.dts b/arch/arm/boot/dts/arm-realview-pb1176.dts +index 83e0fbc4a1a10..350a5dbd36130 100644 +--- a/arch/arm/boot/dts/arm-realview-pb1176.dts ++++ b/arch/arm/boot/dts/arm-realview-pb1176.dts +@@ -427,7 +427,7 @@ pb1176_serial3: serial@1010f000 { + + /* Direct-mapped development chip ROM */ + pb1176_rom@10200000 { +- compatible = "direct-mapped"; ++ compatible = "mtd-rom"; + reg = <0x10200000 0x4000>; + bank-width = <1>; + }; +-- +2.43.0 + diff --git a/queue-4.19/arm-dts-renesas-r8a73a4-fix-external-clocks-and-cloc.patch b/queue-4.19/arm-dts-renesas-r8a73a4-fix-external-clocks-and-cloc.patch new file mode 100644 index 00000000000..8e3a9bdac96 --- /dev/null +++ b/queue-4.19/arm-dts-renesas-r8a73a4-fix-external-clocks-and-cloc.patch @@ -0,0 +1,82 @@ +From f5c1fb0d77017f55a010700662c68587628c740f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Jan 2024 12:03:03 +0100 +Subject: ARM: dts: renesas: r8a73a4: Fix external clocks and clock rate +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Geert Uytterhoeven + +[ Upstream commit 090c4094574705b0afc7d37825cdc5d06f0e7e02 ] + +External clocks should be defined as zero-Hz clocks in the SoC .dtsi, +and overridden in the board .dts when present. + +Correct the clock rate of extal1 from 25 to 26 MHz, to match the crystal +oscillator present on the APE6-EVM board. + +Fixes: a76809a329d6ebae ("ARM: shmobile: r8a73a4: Common clock framework DT description") +Signed-off-by: Geert Uytterhoeven +Reviewed-by: Niklas Söderlund +Link: https://lore.kernel.org/r/1692bc8cd465d62168cbf110522ad62a7af3f606.1705315614.git.geert+renesas@glider.be +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/r8a73a4-ape6evm.dts | 12 ++++++++++++ + arch/arm/boot/dts/r8a73a4.dtsi | 9 ++++++--- + 2 files changed, 18 insertions(+), 3 deletions(-) + +diff --git a/arch/arm/boot/dts/r8a73a4-ape6evm.dts b/arch/arm/boot/dts/r8a73a4-ape6evm.dts +index d530f451467e2..c077a7c1874a6 100644 +--- a/arch/arm/boot/dts/r8a73a4-ape6evm.dts ++++ b/arch/arm/boot/dts/r8a73a4-ape6evm.dts +@@ -184,6 +184,18 @@ &cmt1 { + status = "okay"; + }; + ++&extal1_clk { ++ clock-frequency = <26000000>; ++}; ++ ++&extal2_clk { ++ clock-frequency = <48000000>; ++}; ++ ++&extalr_clk { ++ clock-frequency = <32768>; ++}; ++ + &pfc { + scifa0_pins: scifa0 { + groups = "scifa0_data"; +diff --git a/arch/arm/boot/dts/r8a73a4.dtsi b/arch/arm/boot/dts/r8a73a4.dtsi +index 4447f45f0cba9..48121ef690c9d 100644 +--- a/arch/arm/boot/dts/r8a73a4.dtsi ++++ b/arch/arm/boot/dts/r8a73a4.dtsi +@@ -494,17 +494,20 @@ clocks { + extalr_clk: extalr { + compatible = "fixed-clock"; + #clock-cells = <0>; +- clock-frequency = <32768>; ++ /* This value must be overridden by the board. */ ++ clock-frequency = <0>; + }; + extal1_clk: extal1 { + compatible = "fixed-clock"; + #clock-cells = <0>; +- clock-frequency = <25000000>; ++ /* This value must be overridden by the board. */ ++ clock-frequency = <0>; + }; + extal2_clk: extal2 { + compatible = "fixed-clock"; + #clock-cells = <0>; +- clock-frequency = <48000000>; ++ /* This value must be overridden by the board. */ ++ clock-frequency = <0>; + }; + fsiack_clk: fsiack { + compatible = "fixed-clock"; +-- +2.43.0 + diff --git a/queue-4.19/asoc-meson-axg-tdm-interface-fix-mclk-setup-without-.patch b/queue-4.19/asoc-meson-axg-tdm-interface-fix-mclk-setup-without-.patch new file mode 100644 index 00000000000..44aff619ee6 --- /dev/null +++ b/queue-4.19/asoc-meson-axg-tdm-interface-fix-mclk-setup-without-.patch @@ -0,0 +1,49 @@ +From 46bca75b79cc53ac0e62f2c83748ff03a4305cbc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Feb 2024 18:51:07 +0100 +Subject: ASoC: meson: axg-tdm-interface: fix mclk setup without mclk-fs + +From: Jerome Brunet + +[ Upstream commit e3741a8d28a1137f8b19ae6f3d6e3be69a454a0a ] + +By default, when mclk-fs is not provided, the tdm-interface driver +requests an MCLK that is 4x the bit clock, SCLK. + +However there is no justification for this: + +* If the codec needs MCLK for its operation, mclk-fs is expected to be set + according to the codec requirements. +* If the codec does not need MCLK the minimum is 2 * SCLK, because this is + minimum the divider between SCLK and MCLK can do. + +Multiplying by 4 may cause problems because the PLL limit may be reached +sooner than it should, so use 2x instead. + +Fixes: d60e4f1e4be5 ("ASoC: meson: add tdm interface driver") +Signed-off-by: Jerome Brunet +Link: https://msgid.link/r/20240223175116.2005407-2-jbrunet@baylibre.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/meson/axg-tdm-interface.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/meson/axg-tdm-interface.c b/sound/soc/meson/axg-tdm-interface.c +index 01cc551a8e3fa..2a7ea41fc49e5 100644 +--- a/sound/soc/meson/axg-tdm-interface.c ++++ b/sound/soc/meson/axg-tdm-interface.c +@@ -258,8 +258,8 @@ static int axg_tdm_iface_set_sclk(struct snd_soc_dai *dai, + srate = iface->slots * iface->slot_width * params_rate(params); + + if (!iface->mclk_rate) { +- /* If no specific mclk is requested, default to bit clock * 4 */ +- clk_set_rate(iface->mclk, 4 * srate); ++ /* If no specific mclk is requested, default to bit clock * 2 */ ++ clk_set_rate(iface->mclk, 2 * srate); + } else { + /* Check if we can actually get the bit clock from mclk */ + if (iface->mclk_rate % srate) { +-- +2.43.0 + diff --git a/queue-4.19/b43-dma-fix-use-true-false-for-bool-type-variable.patch b/queue-4.19/b43-dma-fix-use-true-false-for-bool-type-variable.patch new file mode 100644 index 00000000000..8183e639a10 --- /dev/null +++ b/queue-4.19/b43-dma-fix-use-true-false-for-bool-type-variable.patch @@ -0,0 +1,44 @@ +From 6791c8f53fd1bb621e00b90a937954c4232357d1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Oct 2019 00:42:59 +0530 +Subject: b43: dma: Fix use true/false for bool type variable + +From: Saurav Girepunje + +[ Upstream commit a9160bb35ad9ada8428a4d48426f7fc128db40cc ] + +use true/false for bool type variables assignment. + +Signed-off-by: Saurav Girepunje +Signed-off-by: Kalle Valo +Stable-dep-of: 9636951e4468 ("wifi: b43: Stop/wake correct queue in DMA Tx path when QoS is disabled") +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/broadcom/b43/dma.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/broadcom/b43/dma.c b/drivers/net/wireless/broadcom/b43/dma.c +index 06139835055fa..cd809d5e46791 100644 +--- a/drivers/net/wireless/broadcom/b43/dma.c ++++ b/drivers/net/wireless/broadcom/b43/dma.c +@@ -1462,7 +1462,7 @@ int b43_dma_tx(struct b43_wldev *dev, struct sk_buff *skb) + /* This TX ring is full. */ + unsigned int skb_mapping = skb_get_queue_mapping(skb); + ieee80211_stop_queue(dev->wl->hw, skb_mapping); +- dev->wl->tx_queue_stopped[skb_mapping] = 1; ++ dev->wl->tx_queue_stopped[skb_mapping] = true; + ring->stopped = true; + if (b43_debug(dev, B43_DBG_DMAVERBOSE)) { + b43dbg(dev->wl, "Stopped TX ring %d\n", ring->index); +@@ -1628,7 +1628,7 @@ void b43_dma_handle_txstatus(struct b43_wldev *dev, + } + + if (dev->wl->tx_queue_stopped[ring->queue_prio]) { +- dev->wl->tx_queue_stopped[ring->queue_prio] = 0; ++ dev->wl->tx_queue_stopped[ring->queue_prio] = false; + } else { + /* If the driver queue is running wake the corresponding + * mac80211 queue. */ +-- +2.43.0 + diff --git a/queue-4.19/b43-main-fix-use-true-false-for-bool-type.patch b/queue-4.19/b43-main-fix-use-true-false-for-bool-type.patch new file mode 100644 index 00000000000..a4debdd7ca9 --- /dev/null +++ b/queue-4.19/b43-main-fix-use-true-false-for-bool-type.patch @@ -0,0 +1,53 @@ +From f9bfbc0e6542ea1f5d59e0f1b02fcbeb0712f5e1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Oct 2019 00:32:04 +0530 +Subject: b43: main: Fix use true/false for bool type + +From: Saurav Girepunje + +[ Upstream commit 6db774c1725059f98e4fce97f878688248584be5 ] + +use true/false on bool type variable assignment. + +Signed-off-by: Saurav Girepunje +Signed-off-by: Kalle Valo +Stable-dep-of: 581c8967d66c ("wifi: b43: Stop correct queue in DMA worker when QoS is disabled") +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/broadcom/b43/main.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/broadcom/b43/main.c b/drivers/net/wireless/broadcom/b43/main.c +index 8a226a9d755e2..9a3563de60a77 100644 +--- a/drivers/net/wireless/broadcom/b43/main.c ++++ b/drivers/net/wireless/broadcom/b43/main.c +@@ -3625,7 +3625,7 @@ static void b43_tx_work(struct work_struct *work) + else + err = b43_dma_tx(dev, skb); + if (err == -ENOSPC) { +- wl->tx_queue_stopped[queue_num] = 1; ++ wl->tx_queue_stopped[queue_num] = true; + ieee80211_stop_queue(wl->hw, queue_num); + skb_queue_head(&wl->tx_queue[queue_num], skb); + break; +@@ -3636,7 +3636,7 @@ static void b43_tx_work(struct work_struct *work) + } + + if (!err) +- wl->tx_queue_stopped[queue_num] = 0; ++ wl->tx_queue_stopped[queue_num] = false; + } + + #if B43_DEBUG +@@ -5630,7 +5630,7 @@ static struct b43_wl *b43_wireless_init(struct b43_bus_dev *dev) + /* Initialize queues and flags. */ + for (queue_num = 0; queue_num < B43_QOS_QUEUE_NUM; queue_num++) { + skb_queue_head_init(&wl->tx_queue[queue_num]); +- wl->tx_queue_stopped[queue_num] = 0; ++ wl->tx_queue_stopped[queue_num] = false; + } + + snprintf(chip_name, ARRAY_SIZE(chip_name), +-- +2.43.0 + diff --git a/queue-4.19/backlight-da9052-fully-initialize-backlight_properti.patch b/queue-4.19/backlight-da9052-fully-initialize-backlight_properti.patch new file mode 100644 index 00000000000..36eaeea5f3f --- /dev/null +++ b/queue-4.19/backlight-da9052-fully-initialize-backlight_properti.patch @@ -0,0 +1,37 @@ +From 41ccf0ae652d300c3a2c2153b0903288f74be76a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Feb 2024 15:35:24 +0000 +Subject: backlight: da9052: Fully initialize backlight_properties during probe + +From: Daniel Thompson + +[ Upstream commit 0285e9efaee8276305db5c52a59baf84e9731556 ] + +props is stack allocated and the fields that are not explcitly set +by the probe function need to be zeroed or we'll get undefined behaviour +(especially so power/blank states)! + +Fixes: 6ede3d832aaa ("backlight: add driver for DA9052/53 PMIC v1") +Signed-off-by: Daniel Thompson +Link: https://lore.kernel.org/r/20240220153532.76613-2-daniel.thompson@linaro.org +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/video/backlight/da9052_bl.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/video/backlight/da9052_bl.c b/drivers/video/backlight/da9052_bl.c +index 49035c12739a1..d48513eb3bc5f 100644 +--- a/drivers/video/backlight/da9052_bl.c ++++ b/drivers/video/backlight/da9052_bl.c +@@ -122,6 +122,7 @@ static int da9052_backlight_probe(struct platform_device *pdev) + wleds->led_reg = platform_get_device_id(pdev)->driver_data; + wleds->state = DA9052_WLEDS_OFF; + ++ memset(&props, 0, sizeof(struct backlight_properties)); + props.type = BACKLIGHT_RAW; + props.max_brightness = DA9052_MAX_BRIGHTNESS; + +-- +2.43.0 + diff --git a/queue-4.19/backlight-lm3630a-don-t-set-bl-props.brightness-in-g.patch b/queue-4.19/backlight-lm3630a-don-t-set-bl-props.brightness-in-g.patch new file mode 100644 index 00000000000..4d0dbd0e7c2 --- /dev/null +++ b/queue-4.19/backlight-lm3630a-don-t-set-bl-props.brightness-in-g.patch @@ -0,0 +1,77 @@ +From e1aa0bb50fb23cbe08c4b5e8dbeb188a9eaa73c6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Feb 2024 00:11:20 +0100 +Subject: backlight: lm3630a: Don't set bl->props.brightness in get_brightness + +From: Luca Weiss + +[ Upstream commit 4bf7ddd2d2f0f8826f25f74c7eba4e2c323a1446 ] + +There's no need to set bl->props.brightness, the get_brightness function +is just supposed to return the current brightness and not touch the +struct. + +With that done we can also remove the 'goto out' and just return the +value. + +Fixes: 0c2a665a648e ("backlight: add Backlight driver for lm3630 chip") +Signed-off-by: Luca Weiss +Reviewed-by: Daniel Thompson +Link: https://lore.kernel.org/r/20240220-lm3630a-fixups-v1-2-9ca62f7e4a33@z3ntu.xyz +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/video/backlight/lm3630a_bl.c | 14 ++++---------- + 1 file changed, 4 insertions(+), 10 deletions(-) + +diff --git a/drivers/video/backlight/lm3630a_bl.c b/drivers/video/backlight/lm3630a_bl.c +index 70f5ea5f210cc..874040c465f20 100644 +--- a/drivers/video/backlight/lm3630a_bl.c ++++ b/drivers/video/backlight/lm3630a_bl.c +@@ -223,7 +223,7 @@ static int lm3630a_bank_a_get_brightness(struct backlight_device *bl) + if (rval < 0) + goto out_i2c_err; + brightness |= rval; +- goto out; ++ return brightness; + } + + /* disable sleep */ +@@ -234,11 +234,8 @@ static int lm3630a_bank_a_get_brightness(struct backlight_device *bl) + rval = lm3630a_read(pchip, REG_BRT_A); + if (rval < 0) + goto out_i2c_err; +- brightness = rval; ++ return rval; + +-out: +- bl->props.brightness = brightness; +- return bl->props.brightness; + out_i2c_err: + dev_err(pchip->dev, "i2c failed to access register\n"); + return 0; +@@ -300,7 +297,7 @@ static int lm3630a_bank_b_get_brightness(struct backlight_device *bl) + if (rval < 0) + goto out_i2c_err; + brightness |= rval; +- goto out; ++ return brightness; + } + + /* disable sleep */ +@@ -311,11 +308,8 @@ static int lm3630a_bank_b_get_brightness(struct backlight_device *bl) + rval = lm3630a_read(pchip, REG_BRT_B); + if (rval < 0) + goto out_i2c_err; +- brightness = rval; ++ return rval; + +-out: +- bl->props.brightness = brightness; +- return bl->props.brightness; + out_i2c_err: + dev_err(pchip->dev, "i2c failed to access register\n"); + return 0; +-- +2.43.0 + diff --git a/queue-4.19/backlight-lm3630a-initialize-backlight_properties-on.patch b/queue-4.19/backlight-lm3630a-initialize-backlight_properties-on.patch new file mode 100644 index 00000000000..6b81f491c29 --- /dev/null +++ b/queue-4.19/backlight-lm3630a-initialize-backlight_properties-on.patch @@ -0,0 +1,37 @@ +From 987b782f4b5102eda71cabce4198619be02114bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Feb 2024 00:11:19 +0100 +Subject: backlight: lm3630a: Initialize backlight_properties on init + +From: Luca Weiss + +[ Upstream commit ad9aeb0e3aa90ebdad5fabf9c21783740eb95907 ] + +The backlight_properties struct should be initialized to zero before +using, otherwise there will be some random values in the struct. + +Fixes: 0c2a665a648e ("backlight: add Backlight driver for lm3630 chip") +Signed-off-by: Luca Weiss +Reviewed-by: Daniel Thompson +Link: https://lore.kernel.org/r/20240220-lm3630a-fixups-v1-1-9ca62f7e4a33@z3ntu.xyz +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/video/backlight/lm3630a_bl.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/video/backlight/lm3630a_bl.c b/drivers/video/backlight/lm3630a_bl.c +index f17e5a8860fa7..70f5ea5f210cc 100644 +--- a/drivers/video/backlight/lm3630a_bl.c ++++ b/drivers/video/backlight/lm3630a_bl.c +@@ -332,6 +332,7 @@ static int lm3630a_backlight_register(struct lm3630a_chip *pchip) + struct backlight_properties props; + struct lm3630a_platform_data *pdata = pchip->pdata; + ++ memset(&props, 0, sizeof(struct backlight_properties)); + props.type = BACKLIGHT_RAW; + if (pdata->leda_ctrl != LM3630A_LEDA_DISABLE) { + props.brightness = pdata->leda_init_brt; +-- +2.43.0 + diff --git a/queue-4.19/backlight-lm3639-fully-initialize-backlight_properti.patch b/queue-4.19/backlight-lm3639-fully-initialize-backlight_properti.patch new file mode 100644 index 00000000000..74d2593321e --- /dev/null +++ b/queue-4.19/backlight-lm3639-fully-initialize-backlight_properti.patch @@ -0,0 +1,37 @@ +From eef4715cd1d174b00cf2dec51ab31cdf02f3b58d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Feb 2024 15:35:25 +0000 +Subject: backlight: lm3639: Fully initialize backlight_properties during probe + +From: Daniel Thompson + +[ Upstream commit abb5a5d951fbea3feb5c4ba179b89bb96a1d3462 ] + +props is stack allocated and the fields that are not explcitly set +by the probe function need to be zeroed or we'll get undefined behaviour +(especially so power/blank states)! + +Fixes: 0f59858d5119 ("backlight: add new lm3639 backlight driver") +Signed-off-by: Daniel Thompson +Link: https://lore.kernel.org/r/20240220153532.76613-3-daniel.thompson@linaro.org +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/video/backlight/lm3639_bl.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/video/backlight/lm3639_bl.c b/drivers/video/backlight/lm3639_bl.c +index 086611c7bc03c..a1ef6f23156db 100644 +--- a/drivers/video/backlight/lm3639_bl.c ++++ b/drivers/video/backlight/lm3639_bl.c +@@ -343,6 +343,7 @@ static int lm3639_probe(struct i2c_client *client, + } + + /* backlight */ ++ memset(&props, 0, sizeof(struct backlight_properties)); + props.type = BACKLIGHT_RAW; + props.brightness = pdata->init_brt_led; + props.max_brightness = pdata->max_brt_led; +-- +2.43.0 + diff --git a/queue-4.19/backlight-lp8788-fully-initialize-backlight_properti.patch b/queue-4.19/backlight-lp8788-fully-initialize-backlight_properti.patch new file mode 100644 index 00000000000..79791d817d0 --- /dev/null +++ b/queue-4.19/backlight-lp8788-fully-initialize-backlight_properti.patch @@ -0,0 +1,37 @@ +From a3fb8e377df0a777aab77ed3d5c2ad3075c350c3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Feb 2024 15:35:26 +0000 +Subject: backlight: lp8788: Fully initialize backlight_properties during probe + +From: Daniel Thompson + +[ Upstream commit 392346827fbe8a7fd573dfb145170d7949f639a6 ] + +props is stack allocated and the fields that are not explcitly set +by the probe function need to be zeroed or we'll get undefined behaviour +(especially so power/blank states)! + +Fixes: c5a51053cf3b ("backlight: add new lp8788 backlight driver") +Signed-off-by: Daniel Thompson +Link: https://lore.kernel.org/r/20240220153532.76613-4-daniel.thompson@linaro.org +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/video/backlight/lp8788_bl.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/video/backlight/lp8788_bl.c b/drivers/video/backlight/lp8788_bl.c +index cf869ec90cce8..a324423f30474 100644 +--- a/drivers/video/backlight/lp8788_bl.c ++++ b/drivers/video/backlight/lp8788_bl.c +@@ -195,6 +195,7 @@ static int lp8788_backlight_register(struct lp8788_bl *bl) + int init_brt; + char *name; + ++ memset(&props, 0, sizeof(struct backlight_properties)); + props.type = BACKLIGHT_PLATFORM; + props.max_brightness = MAX_BRIGHTNESS; + +-- +2.43.0 + diff --git a/queue-4.19/block-add-a-new-set_read_only-method.patch b/queue-4.19/block-add-a-new-set_read_only-method.patch new file mode 100644 index 00000000000..677762b0949 --- /dev/null +++ b/queue-4.19/block-add-a-new-set_read_only-method.patch @@ -0,0 +1,53 @@ +From 1e352756e39f106f3dc2d67474ff3449b669cdd1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Nov 2020 11:00:11 +0100 +Subject: block: add a new set_read_only method + +From: Christoph Hellwig + +[ Upstream commit e00adcadf3af7a8335026d71ab9f0e0a922191ac ] + +Add a new method to allow for driver-specific processing when setting or +clearing the block device read-only state. This allows to replace the +cumbersome and error-prone override of the whole ioctl implementation. + +Signed-off-by: Christoph Hellwig +Signed-off-by: Jens Axboe +Stable-dep-of: 9674f54e41ff ("md: Don't clear MD_CLOSING when the raid is about to stop") +Signed-off-by: Sasha Levin +--- + block/ioctl.c | 5 +++++ + include/linux/blkdev.h | 1 + + 2 files changed, 6 insertions(+) + +diff --git a/block/ioctl.c b/block/ioctl.c +index 3884d810efd27..6d6c4f4c411a6 100644 +--- a/block/ioctl.c ++++ b/block/ioctl.c +@@ -451,6 +451,11 @@ static int blkdev_roset(struct block_device *bdev, fmode_t mode, + return ret; + if (get_user(n, (int __user *)arg)) + return -EFAULT; ++ if (bdev->bd_disk->fops->set_read_only) { ++ ret = bdev->bd_disk->fops->set_read_only(bdev, n); ++ if (ret) ++ return ret; ++ } + set_device_ro(bdev, n); + return 0; + } +diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h +index ac407c1d4d40f..8f0aafae09d97 100644 +--- a/include/linux/blkdev.h ++++ b/include/linux/blkdev.h +@@ -1997,6 +1997,7 @@ struct block_device_operations { + void (*unlock_native_capacity) (struct gendisk *); + int (*revalidate_disk) (struct gendisk *); + int (*getgeo)(struct block_device *, struct hd_geometry *); ++ int (*set_read_only)(struct block_device *bdev, bool ro); + /* this callback is with swap_lock and sometimes page table lock held */ + void (*swap_slot_free_notify) (struct block_device *, unsigned long); + struct module *owner; +-- +2.43.0 + diff --git a/queue-4.19/bluetooth-hci_core-fix-possible-buffer-overflow.patch b/queue-4.19/bluetooth-hci_core-fix-possible-buffer-overflow.patch new file mode 100644 index 00000000000..8feef3ef012 --- /dev/null +++ b/queue-4.19/bluetooth-hci_core-fix-possible-buffer-overflow.patch @@ -0,0 +1,36 @@ +From f3ac6c85f5badaa95386476ebf39282f3cee0cff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Feb 2024 10:49:26 -0500 +Subject: Bluetooth: hci_core: Fix possible buffer overflow + +From: Luiz Augusto von Dentz + +[ Upstream commit 81137162bfaa7278785b24c1fd2e9e74f082e8e4 ] + +struct hci_dev_info has a fixed size name[8] field so in the event that +hdev->name is bigger than that strcpy would attempt to write past its +size, so this fixes this problem by switching to use strscpy. + +Fixes: dcda165706b9 ("Bluetooth: hci_core: Fix build warnings") +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c +index f455a503f5b04..47f1eec0eb35f 100644 +--- a/net/bluetooth/hci_core.c ++++ b/net/bluetooth/hci_core.c +@@ -2074,7 +2074,7 @@ int hci_get_dev_info(void __user *arg) + else + flags = hdev->flags; + +- strcpy(di.name, hdev->name); ++ strscpy(di.name, hdev->name, sizeof(di.name)); + di.bdaddr = hdev->bdaddr; + di.type = (hdev->bus & 0x0f) | ((hdev->dev_type & 0x03) << 4); + di.flags = flags; +-- +2.43.0 + diff --git a/queue-4.19/bluetooth-remove-superfluous-call-to-hci_conn_check_.patch b/queue-4.19/bluetooth-remove-superfluous-call-to-hci_conn_check_.patch new file mode 100644 index 00000000000..40d5d22ecf2 --- /dev/null +++ b/queue-4.19/bluetooth-remove-superfluous-call-to-hci_conn_check_.patch @@ -0,0 +1,62 @@ +From 185e0bb73ebd858c34eab46b8347aa4fa0687ecb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Jan 2024 23:46:06 +0100 +Subject: Bluetooth: Remove superfluous call to hci_conn_check_pending() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jonas Dreßler + +[ Upstream commit 78e3639fc8031275010c3287ac548c0bc8de83b1 ] + +The "pending connections" feature was originally introduced with commit +4c67bc74f016 ("[Bluetooth] Support concurrent connect requests") and +6bd57416127e ("[Bluetooth] Handling pending connect attempts after +inquiry") to handle controllers supporting only a single connection request +at a time. Later things were extended to also cancel ongoing inquiries on +connect() with commit 89e65975fea5 ("Bluetooth: Cancel Inquiry before +Create Connection"). + +With commit a9de9248064b ("[Bluetooth] Switch from OGF+OCF to using only +opcodes"), hci_conn_check_pending() was introduced as a helper to +consolidate a few places where we check for pending connections (indicated +by the BT_CONNECT2 flag) and then try to connect. + +This refactoring commit also snuck in two more calls to +hci_conn_check_pending(): + +- One is in the failure callback of hci_cs_inquiry(), this one probably +makes sense: If we send an "HCI Inquiry" command and then immediately +after a "Create Connection" command, the "Create Connection" command might +fail before the "HCI Inquiry" command, and then we want to retry the +"Create Connection" on failure of the "HCI Inquiry". + +- The other added call to hci_conn_check_pending() is in the event handler +for the "Remote Name" event, this seems unrelated and is possibly a +copy-paste error, so remove that one. + +Fixes: a9de9248064b ("[Bluetooth] Switch from OGF+OCF to using only opcodes") +Signed-off-by: Jonas Dreßler +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_event.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c +index 4811855259267..0e9325057b3a9 100644 +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -2777,8 +2777,6 @@ static void hci_remote_name_evt(struct hci_dev *hdev, struct sk_buff *skb) + + BT_DBG("%s", hdev->name); + +- hci_conn_check_pending(hdev); +- + hci_dev_lock(hdev); + + conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); +-- +2.43.0 + diff --git a/queue-4.19/bpf-fix-hashtab-overflow-check-on-32-bit-arches.patch b/queue-4.19/bpf-fix-hashtab-overflow-check-on-32-bit-arches.patch new file mode 100644 index 00000000000..3832bef92d0 --- /dev/null +++ b/queue-4.19/bpf-fix-hashtab-overflow-check-on-32-bit-arches.patch @@ -0,0 +1,65 @@ +From 3c01d187c07caaed3cd534483b872ed953e55d43 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Mar 2024 13:03:36 +0100 +Subject: bpf: Fix hashtab overflow check on 32-bit arches +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Toke Høiland-Jørgensen + +[ Upstream commit 6787d916c2cf9850c97a0a3f73e08c43e7d973b1 ] + +The hashtab code relies on roundup_pow_of_two() to compute the number of +hash buckets, and contains an overflow check by checking if the +resulting value is 0. However, on 32-bit arches, the roundup code itself +can overflow by doing a 32-bit left-shift of an unsigned long value, +which is undefined behaviour, so it is not guaranteed to truncate +neatly. This was triggered by syzbot on the DEVMAP_HASH type, which +contains the same check, copied from the hashtab code. So apply the same +fix to hashtab, by moving the overflow check to before the roundup. + +Fixes: daaf427c6ab3 ("bpf: fix arraymap NULL deref and missing overflow and zero size checks") +Signed-off-by: Toke Høiland-Jørgensen +Message-ID: <20240307120340.99577-3-toke@redhat.com> +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/hashtab.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/kernel/bpf/hashtab.c b/kernel/bpf/hashtab.c +index 8e379b667a0f7..16081d8384bfc 100644 +--- a/kernel/bpf/hashtab.c ++++ b/kernel/bpf/hashtab.c +@@ -330,7 +330,13 @@ static struct bpf_map *htab_map_alloc(union bpf_attr *attr) + num_possible_cpus()); + } + +- /* hash table size must be power of 2 */ ++ /* hash table size must be power of 2; roundup_pow_of_two() can overflow ++ * into UB on 32-bit arches, so check that first ++ */ ++ err = -E2BIG; ++ if (htab->map.max_entries > 1UL << 31) ++ goto free_htab; ++ + htab->n_buckets = roundup_pow_of_two(htab->map.max_entries); + + htab->elem_size = sizeof(struct htab_elem) + +@@ -340,10 +346,8 @@ static struct bpf_map *htab_map_alloc(union bpf_attr *attr) + else + htab->elem_size += round_up(htab->map.value_size, 8); + +- err = -E2BIG; +- /* prevent zero size kmalloc and check for u32 overflow */ +- if (htab->n_buckets == 0 || +- htab->n_buckets > U32_MAX / sizeof(struct bucket)) ++ /* check for u32 overflow */ ++ if (htab->n_buckets > U32_MAX / sizeof(struct bucket)) + goto free_htab; + + cost = (u64) htab->n_buckets * sizeof(struct bucket) + +-- +2.43.0 + diff --git a/queue-4.19/bpf-fix-stackmap-overflow-check-on-32-bit-arches.patch b/queue-4.19/bpf-fix-stackmap-overflow-check-on-32-bit-arches.patch new file mode 100644 index 00000000000..9d34fe4896b --- /dev/null +++ b/queue-4.19/bpf-fix-stackmap-overflow-check-on-32-bit-arches.patch @@ -0,0 +1,61 @@ +From 8ebf6f462411bc3bf278486051fa3201a1d7afd9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Mar 2024 13:03:37 +0100 +Subject: bpf: Fix stackmap overflow check on 32-bit arches +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Toke Høiland-Jørgensen + +[ Upstream commit 7a4b21250bf79eef26543d35bd390448646c536b ] + +The stackmap code relies on roundup_pow_of_two() to compute the number +of hash buckets, and contains an overflow check by checking if the +resulting value is 0. However, on 32-bit arches, the roundup code itself +can overflow by doing a 32-bit left-shift of an unsigned long value, +which is undefined behaviour, so it is not guaranteed to truncate +neatly. This was triggered by syzbot on the DEVMAP_HASH type, which +contains the same check, copied from the hashtab code. + +The commit in the fixes tag actually attempted to fix this, but the fix +did not account for the UB, so the fix only works on CPUs where an +overflow does result in a neat truncation to zero, which is not +guaranteed. Checking the value before rounding does not have this +problem. + +Fixes: 6183f4d3a0a2 ("bpf: Check for integer overflow when using roundup_pow_of_two()") +Signed-off-by: Toke Høiland-Jørgensen +Reviewed-by: Bui Quang Minh +Message-ID: <20240307120340.99577-4-toke@redhat.com> +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/stackmap.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/kernel/bpf/stackmap.c b/kernel/bpf/stackmap.c +index 92310b07cb98e..a41858db14416 100644 +--- a/kernel/bpf/stackmap.c ++++ b/kernel/bpf/stackmap.c +@@ -113,11 +113,14 @@ static struct bpf_map *stack_map_alloc(union bpf_attr *attr) + } else if (value_size / 8 > sysctl_perf_event_max_stack) + return ERR_PTR(-EINVAL); + +- /* hash table size must be power of 2 */ +- n_buckets = roundup_pow_of_two(attr->max_entries); +- if (!n_buckets) ++ /* hash table size must be power of 2; roundup_pow_of_two() can overflow ++ * into UB on 32-bit arches, so check that first ++ */ ++ if (attr->max_entries > 1UL << 31) + return ERR_PTR(-E2BIG); + ++ n_buckets = roundup_pow_of_two(attr->max_entries); ++ + cost = n_buckets * sizeof(struct stack_map_bucket *) + sizeof(*smap); + if (cost >= U32_MAX - PAGE_SIZE) + return ERR_PTR(-E2BIG); +-- +2.43.0 + diff --git a/queue-4.19/bus-tegra-aconnect-update-dependency-to-arch_tegra.patch b/queue-4.19/bus-tegra-aconnect-update-dependency-to-arch_tegra.patch new file mode 100644 index 00000000000..e268d7c6237 --- /dev/null +++ b/queue-4.19/bus-tegra-aconnect-update-dependency-to-arch_tegra.patch @@ -0,0 +1,48 @@ +From ff006bead57623bd8c2869e2beee6296ffb54277 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Feb 2024 10:02:37 +0000 +Subject: bus: tegra-aconnect: Update dependency to ARCH_TEGRA + +From: Peter Robinson + +[ Upstream commit 4acd21a45c1446277e2abaece97d7fa7c2e692a9 ] + +Update the architecture dependency to be the generic Tegra +because the driver works on the four latest Tegra generations +not just Tegra210, if you build a kernel with a specific +ARCH_TEGRA_xxx_SOC option that excludes Tegra210 you don't get +this driver. + +Fixes: 46a88534afb59 ("bus: Add support for Tegra ACONNECT") +Signed-off-by: Peter Robinson +Cc: Jon Hunter +Cc: Thierry Reding +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/bus/Kconfig | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/bus/Kconfig b/drivers/bus/Kconfig +index 1851112ccc294..02ef3399bf810 100644 +--- a/drivers/bus/Kconfig ++++ b/drivers/bus/Kconfig +@@ -126,12 +126,13 @@ config SUNXI_RSB + + config TEGRA_ACONNECT + tristate "Tegra ACONNECT Bus Driver" +- depends on ARCH_TEGRA_210_SOC ++ depends on ARCH_TEGRA + depends on OF && PM + select PM_CLK + help + Driver for the Tegra ACONNECT bus which is used to interface with +- the devices inside the Audio Processing Engine (APE) for Tegra210. ++ the devices inside the Audio Processing Engine (APE) for ++ Tegra210 and later. + + config TEGRA_GMI + tristate "Tegra Generic Memory Interface bus driver" +-- +2.43.0 + diff --git a/queue-4.19/clk-hisilicon-hi3519-release-the-correct-number-of-g.patch b/queue-4.19/clk-hisilicon-hi3519-release-the-correct-number-of-g.patch new file mode 100644 index 00000000000..d72ce9236f6 --- /dev/null +++ b/queue-4.19/clk-hisilicon-hi3519-release-the-correct-number-of-g.patch @@ -0,0 +1,39 @@ +From ba609a5213f94169d6238113d4738982a05bf8b3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Jan 2024 19:58:21 +0100 +Subject: clk: hisilicon: hi3519: Release the correct number of gates in + hi3519_clk_unregister() + +From: Christophe JAILLET + +[ Upstream commit 74e39f526d95c0c119ada1874871ee328c59fbee ] + +The gates are stored in 'hi3519_gate_clks', not 'hi3519_mux_clks'. +This is also in line with how hisi_clk_register_gate() is called in the +probe. + +Fixes: 224b3b262c52 ("clk: hisilicon: hi3519: add driver remove path and fix some issues") +Signed-off-by: Christophe JAILLET +Link: https://lore.kernel.org/r/c3f1877c9a0886fa35c949c8f0ef25547f284f18.1704912510.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/hisilicon/clk-hi3519.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/hisilicon/clk-hi3519.c b/drivers/clk/hisilicon/clk-hi3519.c +index 51b173ef1ddad..d789735160a2b 100644 +--- a/drivers/clk/hisilicon/clk-hi3519.c ++++ b/drivers/clk/hisilicon/clk-hi3519.c +@@ -142,7 +142,7 @@ static void hi3519_clk_unregister(struct platform_device *pdev) + of_clk_del_provider(pdev->dev.of_node); + + hisi_clk_unregister_gate(hi3519_gate_clks, +- ARRAY_SIZE(hi3519_mux_clks), ++ ARRAY_SIZE(hi3519_gate_clks), + crg->clk_data); + hisi_clk_unregister_mux(hi3519_mux_clks, + ARRAY_SIZE(hi3519_mux_clks), +-- +2.43.0 + diff --git a/queue-4.19/clk-qcom-dispcc-sdm845-adjust-internal-gdsc-wait-tim.patch b/queue-4.19/clk-qcom-dispcc-sdm845-adjust-internal-gdsc-wait-tim.patch new file mode 100644 index 00000000000..a6e511b0887 --- /dev/null +++ b/queue-4.19/clk-qcom-dispcc-sdm845-adjust-internal-gdsc-wait-tim.patch @@ -0,0 +1,38 @@ +From 512590c6112c695ef42dcf90462ba0b1c73a84e3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Jan 2024 21:20:18 +0100 +Subject: clk: qcom: dispcc-sdm845: Adjust internal GDSC wait times + +From: Konrad Dybcio + +[ Upstream commit 117e7dc697c2739d754db8fe0c1e2d4f1f5d5f82 ] + +SDM845 downstream uses non-default values for GDSC internal waits. +Program them accordingly to avoid surprises. + +Fixes: 81351776c9fb ("clk: qcom: Add display clock controller driver for SDM845") +Signed-off-by: Konrad Dybcio +Tested-by: Caleb Connolly # OnePlus 6 +Link: https://lore.kernel.org/r/20240103-topic-845gdsc-v1-1-368efbe1a61d@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/dispcc-sdm845.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/clk/qcom/dispcc-sdm845.c b/drivers/clk/qcom/dispcc-sdm845.c +index 0cc4909b5dbef..cb7a2d9247b04 100644 +--- a/drivers/clk/qcom/dispcc-sdm845.c ++++ b/drivers/clk/qcom/dispcc-sdm845.c +@@ -569,6 +569,8 @@ static struct clk_branch disp_cc_mdss_vsync_clk = { + + static struct gdsc mdss_gdsc = { + .gdscr = 0x3000, ++ .en_few_wait_val = 0x6, ++ .en_rest_wait_val = 0x5, + .pd = { + .name = "mdss_gdsc", + }, +-- +2.43.0 + diff --git a/queue-4.19/clk-qcom-gdsc-add-support-to-update-gdsc-transition-.patch b/queue-4.19/clk-qcom-gdsc-add-support-to-update-gdsc-transition-.patch new file mode 100644 index 00000000000..54136b15997 --- /dev/null +++ b/queue-4.19/clk-qcom-gdsc-add-support-to-update-gdsc-transition-.patch @@ -0,0 +1,118 @@ +From 51b18a01057670657f645dd3a7a42de5f89e3b2e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Feb 2022 00:26:05 +0530 +Subject: clk: qcom: gdsc: Add support to update GDSC transition delay + +From: Taniya Das + +[ Upstream commit 4e7c4d3652f96f41179aab3ff53025c7a550d689 ] + +GDSCs have multiple transition delays which are used for the GDSC FSM +states. Older targets/designs required these values to be updated from +gdsc code to certain default values for the FSM state to work as +expected. But on the newer targets/designs the values updated from the +GDSC driver can hamper the FSM state to not work as expected. + +On SC7180 we observe black screens because the gdsc is being +enabled/disabled very rapidly and the GDSC FSM state does not work as +expected. This is due to the fact that the GDSC reset value is being +updated from SW. + +Thus add support to update the transition delay from the clock +controller gdscs as required. + +Fixes: 45dd0e55317cc ("clk: qcom: Add support for GDSCs) +Signed-off-by: Taniya Das +Link: https://lore.kernel.org/r/20220223185606.3941-1-tdas@codeaurora.org +Reviewed-by: Bjorn Andersson +Signed-off-by: Stephen Boyd +Stable-dep-of: 117e7dc697c2 ("clk: qcom: dispcc-sdm845: Adjust internal GDSC wait times") +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/gdsc.c | 26 +++++++++++++++++++++----- + drivers/clk/qcom/gdsc.h | 8 +++++++- + 2 files changed, 28 insertions(+), 6 deletions(-) + +diff --git a/drivers/clk/qcom/gdsc.c b/drivers/clk/qcom/gdsc.c +index a077133c7ce38..83541e9d50701 100644 +--- a/drivers/clk/qcom/gdsc.c ++++ b/drivers/clk/qcom/gdsc.c +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2015, 2017-2018, The Linux Foundation. All rights reserved. ++ * Copyright (c) 2015, 2017-2018, 2022, The Linux Foundation. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 and +@@ -39,9 +39,14 @@ + #define CFG_GDSCR_OFFSET 0x4 + + /* Wait 2^n CXO cycles between all states. Here, n=2 (4 cycles). */ +-#define EN_REST_WAIT_VAL (0x2 << 20) +-#define EN_FEW_WAIT_VAL (0x8 << 16) +-#define CLK_DIS_WAIT_VAL (0x2 << 12) ++#define EN_REST_WAIT_VAL 0x2 ++#define EN_FEW_WAIT_VAL 0x8 ++#define CLK_DIS_WAIT_VAL 0x2 ++ ++/* Transition delay shifts */ ++#define EN_REST_WAIT_SHIFT 20 ++#define EN_FEW_WAIT_SHIFT 16 ++#define CLK_DIS_WAIT_SHIFT 12 + + #define RETAIN_MEM BIT(14) + #define RETAIN_PERIPH BIT(13) +@@ -314,7 +319,18 @@ static int gdsc_init(struct gdsc *sc) + */ + mask = HW_CONTROL_MASK | SW_OVERRIDE_MASK | + EN_REST_WAIT_MASK | EN_FEW_WAIT_MASK | CLK_DIS_WAIT_MASK; +- val = EN_REST_WAIT_VAL | EN_FEW_WAIT_VAL | CLK_DIS_WAIT_VAL; ++ ++ if (!sc->en_rest_wait_val) ++ sc->en_rest_wait_val = EN_REST_WAIT_VAL; ++ if (!sc->en_few_wait_val) ++ sc->en_few_wait_val = EN_FEW_WAIT_VAL; ++ if (!sc->clk_dis_wait_val) ++ sc->clk_dis_wait_val = CLK_DIS_WAIT_VAL; ++ ++ val = sc->en_rest_wait_val << EN_REST_WAIT_SHIFT | ++ sc->en_few_wait_val << EN_FEW_WAIT_SHIFT | ++ sc->clk_dis_wait_val << CLK_DIS_WAIT_SHIFT; ++ + ret = regmap_update_bits(sc->regmap, sc->gdscr, mask, val); + if (ret) + return ret; +diff --git a/drivers/clk/qcom/gdsc.h b/drivers/clk/qcom/gdsc.h +index bd1f2c780d0af..a31d3dc36f2f2 100644 +--- a/drivers/clk/qcom/gdsc.h ++++ b/drivers/clk/qcom/gdsc.h +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2015, 2017-2018, The Linux Foundation. All rights reserved. ++ * Copyright (c) 2015, 2017-2018, 2022, The Linux Foundation. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 and +@@ -29,6 +29,9 @@ struct reset_controller_dev; + * @cxcs: offsets of branch registers to toggle mem/periph bits in + * @cxc_count: number of @cxcs + * @pwrsts: Possible powerdomain power states ++ * @en_rest_wait_val: transition delay value for receiving enr ack signal ++ * @en_few_wait_val: transition delay value for receiving enf ack signal ++ * @clk_dis_wait_val: transition delay value for halting clock + * @resets: ids of resets associated with this gdsc + * @reset_count: number of @resets + * @rcdev: reset controller +@@ -42,6 +45,9 @@ struct gdsc { + unsigned int clamp_io_ctrl; + unsigned int *cxcs; + unsigned int cxc_count; ++ unsigned int en_rest_wait_val; ++ unsigned int en_few_wait_val; ++ unsigned int clk_dis_wait_val; + const u8 pwrsts; + /* Powerdomain allowable state bitfields */ + #define PWRSTS_OFF BIT(0) +-- +2.43.0 + diff --git a/queue-4.19/clk-qcom-reset-allow-specifying-custom-reset-delay.patch b/queue-4.19/clk-qcom-reset-allow-specifying-custom-reset-delay.patch new file mode 100644 index 00000000000..cacb5f584fc --- /dev/null +++ b/queue-4.19/clk-qcom-reset-allow-specifying-custom-reset-delay.patch @@ -0,0 +1,67 @@ +From 067e05754a2fc63992a2ffd40b2208374451a2b2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Jul 2022 15:41:29 +0200 +Subject: clk: qcom: reset: Allow specifying custom reset delay + +From: Stephan Gerhold + +[ Upstream commit 2cb8a39b6781ea23accd1fa93b3ad000d0948aec ] + +The amount of time required between asserting and deasserting the reset +signal can vary depending on the involved hardware component. Sometimes +1 us might not be enough and a larger delay is necessary to conform to +the specifications. + +Usually this is worked around in the consuming drivers, by replacing +reset_control_reset() with a sequence of reset_control_assert(), waiting +for a custom delay, followed by reset_control_deassert(). + +However, in some cases the driver making use of the reset is generic and +can be used with different reset controllers. In this case the reset +time requirement is better handled directly by the reset controller +driver. + +Make this possible by adding an "udelay" field to the qcom_reset_map +that allows setting a different reset delay (in microseconds). + +Signed-off-by: Stephan Gerhold +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20220706134132.3623415-4-stephan.gerhold@kernkonzept.com +Stable-dep-of: 2f8cf2c3f3e3 ("clk: qcom: reset: Ensure write completion on reset de/assertion") +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/reset.c | 4 +++- + drivers/clk/qcom/reset.h | 1 + + 2 files changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/clk/qcom/reset.c b/drivers/clk/qcom/reset.c +index 0324d8daab9bc..fc68c8fa30ac7 100644 +--- a/drivers/clk/qcom/reset.c ++++ b/drivers/clk/qcom/reset.c +@@ -21,8 +21,10 @@ + + static int qcom_reset(struct reset_controller_dev *rcdev, unsigned long id) + { ++ struct qcom_reset_controller *rst = to_qcom_reset_controller(rcdev); ++ + rcdev->ops->assert(rcdev, id); +- udelay(1); ++ udelay(rst->reset_map[id].udelay ?: 1); /* use 1 us as default */ + rcdev->ops->deassert(rcdev, id); + return 0; + } +diff --git a/drivers/clk/qcom/reset.h b/drivers/clk/qcom/reset.h +index cda877927d43a..3e30f6724c7a4 100644 +--- a/drivers/clk/qcom/reset.h ++++ b/drivers/clk/qcom/reset.h +@@ -19,6 +19,7 @@ + struct qcom_reset_map { + unsigned int reg; + u8 bit; ++ u8 udelay; + }; + + struct regmap; +-- +2.43.0 + diff --git a/queue-4.19/clk-qcom-reset-commonize-the-de-assert-functions.patch b/queue-4.19/clk-qcom-reset-commonize-the-de-assert-functions.patch new file mode 100644 index 00000000000..9bb90dc216f --- /dev/null +++ b/queue-4.19/clk-qcom-reset-commonize-the-de-assert-functions.patch @@ -0,0 +1,69 @@ +From 5dd4cec6c9422587a861d92c9d7156d9e31322c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Feb 2024 19:43:35 +0100 +Subject: clk: qcom: reset: Commonize the de/assert functions + +From: Konrad Dybcio + +[ Upstream commit eda40d9c583e95e0b6ac69d2950eec10f802e0e8 ] + +They do the same thing, except the last argument of the last function +call differs. Commonize them. + +Reviewed-by: Bryan O'Donoghue +Signed-off-by: Konrad Dybcio +Link: https://lore.kernel.org/r/20240105-topic-venus_reset-v2-2-c37eba13b5ce@linaro.org +Signed-off-by: Bjorn Andersson +Stable-dep-of: 2f8cf2c3f3e3 ("clk: qcom: reset: Ensure write completion on reset de/assertion") +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/reset.c | 22 +++++++++------------- + 1 file changed, 9 insertions(+), 13 deletions(-) + +diff --git a/drivers/clk/qcom/reset.c b/drivers/clk/qcom/reset.c +index 60b60631c3445..252d7abf577e3 100644 +--- a/drivers/clk/qcom/reset.c ++++ b/drivers/clk/qcom/reset.c +@@ -29,8 +29,8 @@ static int qcom_reset(struct reset_controller_dev *rcdev, unsigned long id) + return 0; + } + +-static int +-qcom_reset_assert(struct reset_controller_dev *rcdev, unsigned long id) ++static int qcom_reset_set_assert(struct reset_controller_dev *rcdev, ++ unsigned long id, bool assert) + { + struct qcom_reset_controller *rst; + const struct qcom_reset_map *map; +@@ -40,21 +40,17 @@ qcom_reset_assert(struct reset_controller_dev *rcdev, unsigned long id) + map = &rst->reset_map[id]; + mask = map->bitmask ? map->bitmask : BIT(map->bit); + +- return regmap_update_bits(rst->regmap, map->reg, mask, mask); ++ return regmap_update_bits(rst->regmap, map->reg, mask, assert ? mask : 0); + } + +-static int +-qcom_reset_deassert(struct reset_controller_dev *rcdev, unsigned long id) ++static int qcom_reset_assert(struct reset_controller_dev *rcdev, unsigned long id) + { +- struct qcom_reset_controller *rst; +- const struct qcom_reset_map *map; +- u32 mask; +- +- rst = to_qcom_reset_controller(rcdev); +- map = &rst->reset_map[id]; +- mask = map->bitmask ? map->bitmask : BIT(map->bit); ++ return qcom_reset_set_assert(rcdev, id, true); ++} + +- return regmap_update_bits(rst->regmap, map->reg, mask, 0); ++static int qcom_reset_deassert(struct reset_controller_dev *rcdev, unsigned long id) ++{ ++ return qcom_reset_set_assert(rcdev, id, false); + } + + const struct reset_control_ops qcom_reset_ops = { +-- +2.43.0 + diff --git a/queue-4.19/clk-qcom-reset-ensure-write-completion-on-reset-de-a.patch b/queue-4.19/clk-qcom-reset-ensure-write-completion-on-reset-de-a.patch new file mode 100644 index 00000000000..694261f4249 --- /dev/null +++ b/queue-4.19/clk-qcom-reset-ensure-write-completion-on-reset-de-a.patch @@ -0,0 +1,45 @@ +From 6bcb599b1f788d39440f4cad83aa79c84d649ab4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Feb 2024 19:43:36 +0100 +Subject: clk: qcom: reset: Ensure write completion on reset de/assertion + +From: Konrad Dybcio + +[ Upstream commit 2f8cf2c3f3e3f7ef61bd19abb4b0bb797ad50aaf ] + +Trying to toggle the resets in a rapid fashion can lead to the changes +not actually arriving at the clock controller block when we expect them +to. This was observed at least on SM8250. + +Read back the value after regmap_update_bits to ensure write completion. + +Fixes: b36ba30c8ac6 ("clk: qcom: Add reset controller support") +Signed-off-by: Konrad Dybcio +Link: https://lore.kernel.org/r/20240105-topic-venus_reset-v2-3-c37eba13b5ce@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/reset.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/clk/qcom/reset.c b/drivers/clk/qcom/reset.c +index 252d7abf577e3..3a1cfc2dd94c9 100644 +--- a/drivers/clk/qcom/reset.c ++++ b/drivers/clk/qcom/reset.c +@@ -40,7 +40,12 @@ static int qcom_reset_set_assert(struct reset_controller_dev *rcdev, + map = &rst->reset_map[id]; + mask = map->bitmask ? map->bitmask : BIT(map->bit); + +- return regmap_update_bits(rst->regmap, map->reg, mask, assert ? mask : 0); ++ regmap_update_bits(rst->regmap, map->reg, mask, assert ? mask : 0); ++ ++ /* Read back the register to ensure write completion, ignore the value */ ++ regmap_read(rst->regmap, map->reg, &mask); ++ ++ return 0; + } + + static int qcom_reset_assert(struct reset_controller_dev *rcdev, unsigned long id) +-- +2.43.0 + diff --git a/queue-4.19/clk-qcom-reset-support-resetting-multiple-bits.patch b/queue-4.19/clk-qcom-reset-support-resetting-multiple-bits.patch new file mode 100644 index 00000000000..b49dd2d84b9 --- /dev/null +++ b/queue-4.19/clk-qcom-reset-support-resetting-multiple-bits.patch @@ -0,0 +1,72 @@ +From fed493cf89bd7f75bb0fd999b065d8bd6c5a23bc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Nov 2022 14:28:59 +0100 +Subject: clk: qcom: reset: support resetting multiple bits + +From: Robert Marko + +[ Upstream commit 4a5210893625f89723ea210d7c630b730abb37ad ] + +This patch adds the support for giving the complete bitmask +in reset structure and reset operation will use this bitmask +for all reset operations. + +Currently, reset structure only takes a single bit for each reset +and then calculates the bitmask by using the BIT() macro. + +However, this is not sufficient anymore for newer SoC-s like IPQ8074, +IPQ6018 and more, since their networking resets require multiple bits +to be asserted in order to properly reset the HW block completely. + +So, in order to allow asserting multiple bits add "bitmask" field to +qcom_reset_map, and then use that bitmask value if its populated in the +driver, if its not populated, then we just default to existing behaviour +and calculate the bitmask on the fly. + +Signed-off-by: Robert Marko +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20221107132901.489240-1-robimarko@gmail.com +Stable-dep-of: 2f8cf2c3f3e3 ("clk: qcom: reset: Ensure write completion on reset de/assertion") +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/reset.c | 4 ++-- + drivers/clk/qcom/reset.h | 1 + + 2 files changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/clk/qcom/reset.c b/drivers/clk/qcom/reset.c +index fc68c8fa30ac7..60b60631c3445 100644 +--- a/drivers/clk/qcom/reset.c ++++ b/drivers/clk/qcom/reset.c +@@ -38,7 +38,7 @@ qcom_reset_assert(struct reset_controller_dev *rcdev, unsigned long id) + + rst = to_qcom_reset_controller(rcdev); + map = &rst->reset_map[id]; +- mask = BIT(map->bit); ++ mask = map->bitmask ? map->bitmask : BIT(map->bit); + + return regmap_update_bits(rst->regmap, map->reg, mask, mask); + } +@@ -52,7 +52,7 @@ qcom_reset_deassert(struct reset_controller_dev *rcdev, unsigned long id) + + rst = to_qcom_reset_controller(rcdev); + map = &rst->reset_map[id]; +- mask = BIT(map->bit); ++ mask = map->bitmask ? map->bitmask : BIT(map->bit); + + return regmap_update_bits(rst->regmap, map->reg, mask, 0); + } +diff --git a/drivers/clk/qcom/reset.h b/drivers/clk/qcom/reset.h +index 3e30f6724c7a4..a118311503d41 100644 +--- a/drivers/clk/qcom/reset.h ++++ b/drivers/clk/qcom/reset.h +@@ -20,6 +20,7 @@ struct qcom_reset_map { + unsigned int reg; + u8 bit; + u8 udelay; ++ u32 bitmask; + }; + + struct regmap; +-- +2.43.0 + diff --git a/queue-4.19/cpufreq-brcmstb-avs-cpufreq-add-check-for-cpufreq_cp.patch b/queue-4.19/cpufreq-brcmstb-avs-cpufreq-add-check-for-cpufreq_cp.patch new file mode 100644 index 00000000000..42a3c4de828 --- /dev/null +++ b/queue-4.19/cpufreq-brcmstb-avs-cpufreq-add-check-for-cpufreq_cp.patch @@ -0,0 +1,39 @@ +From b7e59d4a2605da3fa3c1e0cca33feed6b07ce818 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Jan 2024 10:12:20 +0300 +Subject: cpufreq: brcmstb-avs-cpufreq: add check for cpufreq_cpu_get's return + value + +From: Anastasia Belova + +[ Upstream commit f661017e6d326ee187db24194cabb013d81bc2a6 ] + +cpufreq_cpu_get may return NULL. To avoid NULL-dereference check it +and return 0 in case of error. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: de322e085995 ("cpufreq: brcmstb-avs-cpufreq: AVS CPUfreq driver for Broadcom STB SoCs") +Signed-off-by: Anastasia Belova +Signed-off-by: Viresh Kumar +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/brcmstb-avs-cpufreq.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/cpufreq/brcmstb-avs-cpufreq.c b/drivers/cpufreq/brcmstb-avs-cpufreq.c +index 541486217984b..1302e1900dcb1 100644 +--- a/drivers/cpufreq/brcmstb-avs-cpufreq.c ++++ b/drivers/cpufreq/brcmstb-avs-cpufreq.c +@@ -457,6 +457,8 @@ static bool brcm_avs_is_firmware_loaded(struct private_data *priv) + static unsigned int brcm_avs_cpufreq_get(unsigned int cpu) + { + struct cpufreq_policy *policy = cpufreq_cpu_get(cpu); ++ if (!policy) ++ return 0; + struct private_data *priv = policy->driver_data; + + return brcm_avs_get_frequency(priv->base); +-- +2.43.0 + diff --git a/queue-4.19/crypto-arm-rename-functions-to-avoid-conflict-with-c.patch b/queue-4.19/crypto-arm-rename-functions-to-avoid-conflict-with-c.patch new file mode 100644 index 00000000000..01f5d964254 --- /dev/null +++ b/queue-4.19/crypto-arm-rename-functions-to-avoid-conflict-with-c.patch @@ -0,0 +1,128 @@ +From db034736a9ed56b572bc7a0e2e09c06dac4b6606 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 1 Sep 2019 22:35:24 +0200 +Subject: crypto: arm - Rename functions to avoid conflict with crypto/sha256.h + +From: Hans de Goede + +[ Upstream commit e4dcc1be15268b6d34de3968f906577591521bd5 ] + +Rename static / file-local functions so that they do not conflict with +the functions declared in crypto/sha256.h. + +This is a preparation patch for folding crypto/sha256.h into crypto/sha.h. + +Signed-off-by: Hans de Goede +Signed-off-by: Herbert Xu +Stable-dep-of: 53cc9baeb9bc ("crypto: arm/sha - fix function cast warnings") +Signed-off-by: Sasha Levin +--- + arch/arm/crypto/sha256_glue.c | 8 ++++---- + arch/arm/crypto/sha256_neon_glue.c | 24 ++++++++++++------------ + 2 files changed, 16 insertions(+), 16 deletions(-) + +diff --git a/arch/arm/crypto/sha256_glue.c b/arch/arm/crypto/sha256_glue.c +index 0ae900e778f3b..040c744ef9f50 100644 +--- a/arch/arm/crypto/sha256_glue.c ++++ b/arch/arm/crypto/sha256_glue.c +@@ -44,7 +44,7 @@ int crypto_sha256_arm_update(struct shash_desc *desc, const u8 *data, + } + EXPORT_SYMBOL(crypto_sha256_arm_update); + +-static int sha256_final(struct shash_desc *desc, u8 *out) ++static int crypto_sha256_arm_final(struct shash_desc *desc, u8 *out) + { + sha256_base_do_finalize(desc, + (sha256_block_fn *)sha256_block_data_order); +@@ -56,7 +56,7 @@ int crypto_sha256_arm_finup(struct shash_desc *desc, const u8 *data, + { + sha256_base_do_update(desc, data, len, + (sha256_block_fn *)sha256_block_data_order); +- return sha256_final(desc, out); ++ return crypto_sha256_arm_final(desc, out); + } + EXPORT_SYMBOL(crypto_sha256_arm_finup); + +@@ -64,7 +64,7 @@ static struct shash_alg algs[] = { { + .digestsize = SHA256_DIGEST_SIZE, + .init = sha256_base_init, + .update = crypto_sha256_arm_update, +- .final = sha256_final, ++ .final = crypto_sha256_arm_final, + .finup = crypto_sha256_arm_finup, + .descsize = sizeof(struct sha256_state), + .base = { +@@ -78,7 +78,7 @@ static struct shash_alg algs[] = { { + .digestsize = SHA224_DIGEST_SIZE, + .init = sha224_base_init, + .update = crypto_sha256_arm_update, +- .final = sha256_final, ++ .final = crypto_sha256_arm_final, + .finup = crypto_sha256_arm_finup, + .descsize = sizeof(struct sha256_state), + .base = { +diff --git a/arch/arm/crypto/sha256_neon_glue.c b/arch/arm/crypto/sha256_neon_glue.c +index 1d82c6cd31a41..8d296529c8ba7 100644 +--- a/arch/arm/crypto/sha256_neon_glue.c ++++ b/arch/arm/crypto/sha256_neon_glue.c +@@ -29,8 +29,8 @@ + asmlinkage void sha256_block_data_order_neon(u32 *digest, const void *data, + unsigned int num_blks); + +-static int sha256_update(struct shash_desc *desc, const u8 *data, +- unsigned int len) ++static int crypto_sha256_neon_update(struct shash_desc *desc, const u8 *data, ++ unsigned int len) + { + struct sha256_state *sctx = shash_desc_ctx(desc); + +@@ -46,8 +46,8 @@ static int sha256_update(struct shash_desc *desc, const u8 *data, + return 0; + } + +-static int sha256_finup(struct shash_desc *desc, const u8 *data, +- unsigned int len, u8 *out) ++static int crypto_sha256_neon_finup(struct shash_desc *desc, const u8 *data, ++ unsigned int len, u8 *out) + { + if (!may_use_simd()) + return crypto_sha256_arm_finup(desc, data, len, out); +@@ -63,17 +63,17 @@ static int sha256_finup(struct shash_desc *desc, const u8 *data, + return sha256_base_finish(desc, out); + } + +-static int sha256_final(struct shash_desc *desc, u8 *out) ++static int crypto_sha256_neon_final(struct shash_desc *desc, u8 *out) + { +- return sha256_finup(desc, NULL, 0, out); ++ return crypto_sha256_neon_finup(desc, NULL, 0, out); + } + + struct shash_alg sha256_neon_algs[] = { { + .digestsize = SHA256_DIGEST_SIZE, + .init = sha256_base_init, +- .update = sha256_update, +- .final = sha256_final, +- .finup = sha256_finup, ++ .update = crypto_sha256_neon_update, ++ .final = crypto_sha256_neon_final, ++ .finup = crypto_sha256_neon_finup, + .descsize = sizeof(struct sha256_state), + .base = { + .cra_name = "sha256", +@@ -85,9 +85,9 @@ struct shash_alg sha256_neon_algs[] = { { + }, { + .digestsize = SHA224_DIGEST_SIZE, + .init = sha224_base_init, +- .update = sha256_update, +- .final = sha256_final, +- .finup = sha256_finup, ++ .update = crypto_sha256_neon_update, ++ .final = crypto_sha256_neon_final, ++ .finup = crypto_sha256_neon_finup, + .descsize = sizeof(struct sha256_state), + .base = { + .cra_name = "sha224", +-- +2.43.0 + diff --git a/queue-4.19/crypto-arm-sha-fix-function-cast-warnings.patch b/queue-4.19/crypto-arm-sha-fix-function-cast-warnings.patch new file mode 100644 index 00000000000..595321f14b5 --- /dev/null +++ b/queue-4.19/crypto-arm-sha-fix-function-cast-warnings.patch @@ -0,0 +1,115 @@ +From 29ec4e16b0520e4ecae4f4351c9b840a525fa3ef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Feb 2024 14:49:46 +0100 +Subject: crypto: arm/sha - fix function cast warnings + +From: Arnd Bergmann + +[ Upstream commit 53cc9baeb9bc2a187eb9c9790d30995148852b12 ] + +clang-16 warns about casting between incompatible function types: + +arch/arm/crypto/sha256_glue.c:37:5: error: cast from 'void (*)(u32 *, const void *, unsigned int)' (aka 'void (*)(unsigned int *, const void *, unsigned int)') to 'sha256_block_fn *' (aka 'void (*)(struct sha256_state *, const unsigned char *, int)') converts to incompatible function type [-Werror,-Wcast-function-type-strict] + 37 | (sha256_block_fn *)sha256_block_data_order); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +arch/arm/crypto/sha512-glue.c:34:3: error: cast from 'void (*)(u64 *, const u8 *, int)' (aka 'void (*)(unsigned long long *, const unsigned char *, int)') to 'sha512_block_fn *' (aka 'void (*)(struct sha512_state *, const unsigned char *, int)') converts to incompatible function type [-Werror,-Wcast-function-type-strict] + 34 | (sha512_block_fn *)sha512_block_data_order); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Fix the prototypes for the assembler functions to match the typedef. +The code already relies on the digest being the first part of the +state structure, so there is no change in behavior. + +Fixes: c80ae7ca3726 ("crypto: arm/sha512 - accelerated SHA-512 using ARM generic ASM and NEON") +Fixes: b59e2ae3690c ("crypto: arm/sha256 - move SHA-224/256 ASM/NEON implementation to base layer") +Signed-off-by: Arnd Bergmann +Reviewed-by: Ard Biesheuvel +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + arch/arm/crypto/sha256_glue.c | 13 +++++-------- + arch/arm/crypto/sha512-glue.c | 12 +++++------- + 2 files changed, 10 insertions(+), 15 deletions(-) + +diff --git a/arch/arm/crypto/sha256_glue.c b/arch/arm/crypto/sha256_glue.c +index 040c744ef9f50..a46878560d77d 100644 +--- a/arch/arm/crypto/sha256_glue.c ++++ b/arch/arm/crypto/sha256_glue.c +@@ -30,8 +30,8 @@ + + #include "sha256_glue.h" + +-asmlinkage void sha256_block_data_order(u32 *digest, const void *data, +- unsigned int num_blks); ++asmlinkage void sha256_block_data_order(struct sha256_state *state, ++ const u8 *data, int num_blks); + + int crypto_sha256_arm_update(struct shash_desc *desc, const u8 *data, + unsigned int len) +@@ -39,23 +39,20 @@ int crypto_sha256_arm_update(struct shash_desc *desc, const u8 *data, + /* make sure casting to sha256_block_fn() is safe */ + BUILD_BUG_ON(offsetof(struct sha256_state, state) != 0); + +- return sha256_base_do_update(desc, data, len, +- (sha256_block_fn *)sha256_block_data_order); ++ return sha256_base_do_update(desc, data, len, sha256_block_data_order); + } + EXPORT_SYMBOL(crypto_sha256_arm_update); + + static int crypto_sha256_arm_final(struct shash_desc *desc, u8 *out) + { +- sha256_base_do_finalize(desc, +- (sha256_block_fn *)sha256_block_data_order); ++ sha256_base_do_finalize(desc, sha256_block_data_order); + return sha256_base_finish(desc, out); + } + + int crypto_sha256_arm_finup(struct shash_desc *desc, const u8 *data, + unsigned int len, u8 *out) + { +- sha256_base_do_update(desc, data, len, +- (sha256_block_fn *)sha256_block_data_order); ++ sha256_base_do_update(desc, data, len, sha256_block_data_order); + return crypto_sha256_arm_final(desc, out); + } + EXPORT_SYMBOL(crypto_sha256_arm_finup); +diff --git a/arch/arm/crypto/sha512-glue.c b/arch/arm/crypto/sha512-glue.c +index 86540cd4a6faa..242d0ef08dfef 100644 +--- a/arch/arm/crypto/sha512-glue.c ++++ b/arch/arm/crypto/sha512-glue.c +@@ -28,27 +28,25 @@ MODULE_ALIAS_CRYPTO("sha512"); + MODULE_ALIAS_CRYPTO("sha384-arm"); + MODULE_ALIAS_CRYPTO("sha512-arm"); + +-asmlinkage void sha512_block_data_order(u64 *state, u8 const *src, int blocks); ++asmlinkage void sha512_block_data_order(struct sha512_state *state, ++ u8 const *src, int blocks); + + int sha512_arm_update(struct shash_desc *desc, const u8 *data, + unsigned int len) + { +- return sha512_base_do_update(desc, data, len, +- (sha512_block_fn *)sha512_block_data_order); ++ return sha512_base_do_update(desc, data, len, sha512_block_data_order); + } + + int sha512_arm_final(struct shash_desc *desc, u8 *out) + { +- sha512_base_do_finalize(desc, +- (sha512_block_fn *)sha512_block_data_order); ++ sha512_base_do_finalize(desc, sha512_block_data_order); + return sha512_base_finish(desc, out); + } + + int sha512_arm_finup(struct shash_desc *desc, const u8 *data, + unsigned int len, u8 *out) + { +- sha512_base_do_update(desc, data, len, +- (sha512_block_fn *)sha512_block_data_order); ++ sha512_base_do_update(desc, data, len, sha512_block_data_order); + return sha512_arm_final(desc, out); + } + +-- +2.43.0 + diff --git a/queue-4.19/dm-call-the-resume-method-on-internal-suspend.patch b/queue-4.19/dm-call-the-resume-method-on-internal-suspend.patch new file mode 100644 index 00000000000..d30d9f9ff9d --- /dev/null +++ b/queue-4.19/dm-call-the-resume-method-on-internal-suspend.patch @@ -0,0 +1,123 @@ +From f68b979d7a41f65ec405991dbed23934ec21be4f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Mar 2024 15:06:39 +0100 +Subject: dm: call the resume method on internal suspend + +From: Mikulas Patocka + +[ Upstream commit 65e8fbde64520001abf1c8d0e573561b4746ef38 ] + +There is this reported crash when experimenting with the lvm2 testsuite. +The list corruption is caused by the fact that the postsuspend and resume +methods were not paired correctly; there were two consecutive calls to the +origin_postsuspend function. The second call attempts to remove the +"hash_list" entry from a list, while it was already removed by the first +call. + +Fix __dm_internal_resume so that it calls the preresume and resume +methods of the table's targets. + +If a preresume method of some target fails, we are in a tricky situation. +We can't return an error because dm_internal_resume isn't supposed to +return errors. We can't return success, because then the "resume" and +"postsuspend" methods would not be paired correctly. So, we set the +DMF_SUSPENDED flag and we fake normal suspend - it may confuse userspace +tools, but it won't cause a kernel crash. + +------------[ cut here ]------------ +kernel BUG at lib/list_debug.c:56! +invalid opcode: 0000 [#1] PREEMPT SMP +CPU: 1 PID: 8343 Comm: dmsetup Not tainted 6.8.0-rc6 #4 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014 +RIP: 0010:__list_del_entry_valid_or_report+0x77/0xc0 + +RSP: 0018:ffff8881b831bcc0 EFLAGS: 00010282 +RAX: 000000000000004e RBX: ffff888143b6eb80 RCX: 0000000000000000 +RDX: 0000000000000001 RSI: ffffffff819053d0 RDI: 00000000ffffffff +RBP: ffff8881b83a3400 R08: 00000000fffeffff R09: 0000000000000058 +R10: 0000000000000000 R11: ffffffff81a24080 R12: 0000000000000001 +R13: ffff88814538e000 R14: ffff888143bc6dc0 R15: ffffffffa02e4bb0 +FS: 00000000f7c0f780(0000) GS:ffff8893f0a40000(0000) knlGS:0000000000000000 +CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033 +CR2: 0000000057fb5000 CR3: 0000000143474000 CR4: 00000000000006b0 +Call Trace: + + ? die+0x2d/0x80 + ? do_trap+0xeb/0xf0 + ? __list_del_entry_valid_or_report+0x77/0xc0 + ? do_error_trap+0x60/0x80 + ? __list_del_entry_valid_or_report+0x77/0xc0 + ? exc_invalid_op+0x49/0x60 + ? __list_del_entry_valid_or_report+0x77/0xc0 + ? asm_exc_invalid_op+0x16/0x20 + ? table_deps+0x1b0/0x1b0 [dm_mod] + ? __list_del_entry_valid_or_report+0x77/0xc0 + origin_postsuspend+0x1a/0x50 [dm_snapshot] + dm_table_postsuspend_targets+0x34/0x50 [dm_mod] + dm_suspend+0xd8/0xf0 [dm_mod] + dev_suspend+0x1f2/0x2f0 [dm_mod] + ? table_deps+0x1b0/0x1b0 [dm_mod] + ctl_ioctl+0x300/0x5f0 [dm_mod] + dm_compat_ctl_ioctl+0x7/0x10 [dm_mod] + __x64_compat_sys_ioctl+0x104/0x170 + do_syscall_64+0x184/0x1b0 + entry_SYSCALL_64_after_hwframe+0x46/0x4e +RIP: 0033:0xf7e6aead + +---[ end trace 0000000000000000 ]--- + +Fixes: ffcc39364160 ("dm: enhance internal suspend and resume interface") +Signed-off-by: Mikulas Patocka +Signed-off-by: Mike Snitzer +Signed-off-by: Sasha Levin +--- + drivers/md/dm.c | 26 ++++++++++++++++++++------ + 1 file changed, 20 insertions(+), 6 deletions(-) + +diff --git a/drivers/md/dm.c b/drivers/md/dm.c +index 9a9b2adcf39e3..50dcda27144eb 100644 +--- a/drivers/md/dm.c ++++ b/drivers/md/dm.c +@@ -2849,6 +2849,9 @@ static void __dm_internal_suspend(struct mapped_device *md, unsigned suspend_fla + + static void __dm_internal_resume(struct mapped_device *md) + { ++ int r; ++ struct dm_table *map; ++ + BUG_ON(!md->internal_suspend_count); + + if (--md->internal_suspend_count) +@@ -2857,12 +2860,23 @@ static void __dm_internal_resume(struct mapped_device *md) + if (dm_suspended_md(md)) + goto done; /* resume from nested suspend */ + +- /* +- * NOTE: existing callers don't need to call dm_table_resume_targets +- * (which may fail -- so best to avoid it for now by passing NULL map) +- */ +- (void) __dm_resume(md, NULL); +- ++ map = rcu_dereference_protected(md->map, lockdep_is_held(&md->suspend_lock)); ++ r = __dm_resume(md, map); ++ if (r) { ++ /* ++ * If a preresume method of some target failed, we are in a ++ * tricky situation. We can't return an error to the caller. We ++ * can't fake success because then the "resume" and ++ * "postsuspend" methods would not be paired correctly, and it ++ * would break various targets, for example it would cause list ++ * corruption in the "origin" target. ++ * ++ * So, we fake normal suspend here, to make sure that the ++ * "resume" and "postsuspend" methods will be paired correctly. ++ */ ++ DMERR("Preresume method failed: %d", r); ++ set_bit(DMF_SUSPENDED, &md->flags); ++ } + done: + clear_bit(DMF_SUSPENDED_INTERNALLY, &md->flags); + smp_mb__after_atomic(); +-- +2.43.0 + diff --git a/queue-4.19/dm-raid-fix-false-positive-for-requeue-needed-during.patch b/queue-4.19/dm-raid-fix-false-positive-for-requeue-needed-during.patch new file mode 100644 index 00000000000..36c634d4294 --- /dev/null +++ b/queue-4.19/dm-raid-fix-false-positive-for-requeue-needed-during.patch @@ -0,0 +1,46 @@ +From 68a5e24e3ed59d8e222cf19768e374b3c816031c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Mar 2024 13:42:55 -0400 +Subject: dm raid: fix false positive for requeue needed during reshape + +From: Ming Lei + +[ Upstream commit b25b8f4b8ecef0f48c05f0c3572daeabefe16526 ] + +An empty flush doesn't have a payload, so it should never be looked at +when considering to possibly requeue a bio for the case when a reshape +is in progress. + +Fixes: 9dbd1aa3a81c ("dm raid: add reshaping support to the target") +Reported-by: Patrick Plenefisch +Signed-off-by: Ming Lei +Signed-off-by: Mike Snitzer +Signed-off-by: Sasha Levin +--- + drivers/md/dm-raid.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/md/dm-raid.c b/drivers/md/dm-raid.c +index 72aa5097b68ff..1759134fce824 100644 +--- a/drivers/md/dm-raid.c ++++ b/drivers/md/dm-raid.c +@@ -3348,14 +3348,14 @@ static int raid_map(struct dm_target *ti, struct bio *bio) + struct mddev *mddev = &rs->md; + + /* +- * If we're reshaping to add disk(s)), ti->len and ++ * If we're reshaping to add disk(s), ti->len and + * mddev->array_sectors will differ during the process + * (ti->len > mddev->array_sectors), so we have to requeue + * bios with addresses > mddev->array_sectors here or + * there will occur accesses past EOD of the component + * data images thus erroring the raid set. + */ +- if (unlikely(bio_end_sector(bio) > mddev->array_sectors)) ++ if (unlikely(bio_has_data(bio) && bio_end_sector(bio) > mddev->array_sectors)) + return DM_MAPIO_REQUEUE; + + md_handle_request(mddev, bio); +-- +2.43.0 + diff --git a/queue-4.19/do_sys_name_to_handle-use-kzalloc-to-fix-kernel-info.patch b/queue-4.19/do_sys_name_to_handle-use-kzalloc-to-fix-kernel-info.patch new file mode 100644 index 00000000000..898c0365edc --- /dev/null +++ b/queue-4.19/do_sys_name_to_handle-use-kzalloc-to-fix-kernel-info.patch @@ -0,0 +1,72 @@ +From c9147aba81dec36d6d282fd85cfe83b389c2eef7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Jan 2024 07:39:06 -0800 +Subject: do_sys_name_to_handle(): use kzalloc() to fix kernel-infoleak + +From: Nikita Zhandarovich + +[ Upstream commit 3948abaa4e2be938ccdfc289385a27342fb13d43 ] + +syzbot identified a kernel information leak vulnerability in +do_sys_name_to_handle() and issued the following report [1]. + +[1] +"BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline] +BUG: KMSAN: kernel-infoleak in _copy_to_user+0xbc/0x100 lib/usercopy.c:40 + instrument_copy_to_user include/linux/instrumented.h:114 [inline] + _copy_to_user+0xbc/0x100 lib/usercopy.c:40 + copy_to_user include/linux/uaccess.h:191 [inline] + do_sys_name_to_handle fs/fhandle.c:73 [inline] + __do_sys_name_to_handle_at fs/fhandle.c:112 [inline] + __se_sys_name_to_handle_at+0x949/0xb10 fs/fhandle.c:94 + __x64_sys_name_to_handle_at+0xe4/0x140 fs/fhandle.c:94 + ... + +Uninit was created at: + slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768 + slab_alloc_node mm/slub.c:3478 [inline] + __kmem_cache_alloc_node+0x5c9/0x970 mm/slub.c:3517 + __do_kmalloc_node mm/slab_common.c:1006 [inline] + __kmalloc+0x121/0x3c0 mm/slab_common.c:1020 + kmalloc include/linux/slab.h:604 [inline] + do_sys_name_to_handle fs/fhandle.c:39 [inline] + __do_sys_name_to_handle_at fs/fhandle.c:112 [inline] + __se_sys_name_to_handle_at+0x441/0xb10 fs/fhandle.c:94 + __x64_sys_name_to_handle_at+0xe4/0x140 fs/fhandle.c:94 + ... + +Bytes 18-19 of 20 are uninitialized +Memory access of size 20 starts at ffff888128a46380 +Data copied to user address 0000000020000240" + +Per Chuck Lever's suggestion, use kzalloc() instead of kmalloc() to +solve the problem. + +Fixes: 990d6c2d7aee ("vfs: Add name to file handle conversion support") +Suggested-by: Chuck Lever III +Reported-and-tested-by: +Signed-off-by: Nikita Zhandarovich +Link: https://lore.kernel.org/r/20240119153906.4367-1-n.zhandarovich@fintech.ru +Reviewed-by: Jan Kara +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/fhandle.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/fhandle.c b/fs/fhandle.c +index 0ee727485615b..cb78dbfd7cd51 100644 +--- a/fs/fhandle.c ++++ b/fs/fhandle.c +@@ -37,7 +37,7 @@ static long do_sys_name_to_handle(struct path *path, + if (f_handle.handle_bytes > MAX_HANDLE_SZ) + return -EINVAL; + +- handle = kmalloc(sizeof(struct file_handle) + f_handle.handle_bytes, ++ handle = kzalloc(sizeof(struct file_handle) + f_handle.handle_bytes, + GFP_KERNEL); + if (!handle) + return -ENOMEM; +-- +2.43.0 + diff --git a/queue-4.19/drm-amdgpu-fix-missing-break-in-atom_arg_imm-case-of.patch b/queue-4.19/drm-amdgpu-fix-missing-break-in-atom_arg_imm-case-of.patch new file mode 100644 index 00000000000..3d24d8d2997 --- /dev/null +++ b/queue-4.19/drm-amdgpu-fix-missing-break-in-atom_arg_imm-case-of.patch @@ -0,0 +1,48 @@ +From 68b52ef54c7962bde2aa7f9c2230fc0057af5d3c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 24 Feb 2024 07:48:52 +0530 +Subject: drm/amdgpu: Fix missing break in ATOM_ARG_IMM Case of + atom_get_src_int() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Srinivasan Shanmugam + +[ Upstream commit 7cf1ad2fe10634238b38442a851d89514cb14ea2 ] + +Missing break statement in the ATOM_ARG_IMM case of a switch statement, +adds the missing break statement, ensuring that the program's control +flow is as intended. + +Fixes the below: +drivers/gpu/drm/amd/amdgpu/atom.c:323 atom_get_src_int() warn: ignoring unreachable code. + +Fixes: d38ceaf99ed0 ("drm/amdgpu: add core driver (v4)") +Cc: Jammy Zhou +Cc: Christian König +Cc: Alex Deucher +Signed-off-by: Srinivasan Shanmugam +Reviewed-by: Alex Deucher +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/atom.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/atom.c b/drivers/gpu/drm/amd/amdgpu/atom.c +index 0222bb7ea49b4..805ac556635d1 100644 +--- a/drivers/gpu/drm/amd/amdgpu/atom.c ++++ b/drivers/gpu/drm/amd/amdgpu/atom.c +@@ -306,7 +306,7 @@ static uint32_t atom_get_src_int(atom_exec_context *ctx, uint8_t attr, + DEBUG("IMM 0x%02X\n", val); + return val; + } +- return 0; ++ break; + case ATOM_ARG_PLL: + idx = U8(*ptr); + (*ptr)++; +-- +2.43.0 + diff --git a/queue-4.19/drm-don-t-treat-0-as-1-in-drm_fixp2int_ceil.patch b/queue-4.19/drm-don-t-treat-0-as-1-in-drm_fixp2int_ceil.patch new file mode 100644 index 00000000000..b3a55d7431f --- /dev/null +++ b/queue-4.19/drm-don-t-treat-0-as-1-in-drm_fixp2int_ceil.patch @@ -0,0 +1,41 @@ +From 11ca8946a2dcb58798d54995f8e41b31cf162fdb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Nov 2023 11:36:20 -0500 +Subject: drm: Don't treat 0 as -1 in drm_fixp2int_ceil + +From: Harry Wentland + +[ Upstream commit cf8837d7204481026335461629b84ac7f4538fa5 ] + +Unit testing this in VKMS shows that passing 0 into +this function returns -1, which is highly counter- +intuitive. Fix it by checking whether the input is +>= 0 instead of > 0. + +Fixes: 64566b5e767f ("drm: Add drm_fixp_from_fraction and drm_fixp2int_ceil") +Signed-off-by: Harry Wentland +Reviewed-by: Simon Ser +Reviewed-by: Melissa Wen +Signed-off-by: Melissa Wen +Link: https://patchwork.freedesktop.org/patch/msgid/20231108163647.106853-2-harry.wentland@amd.com +Signed-off-by: Sasha Levin +--- + include/drm/drm_fixed.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/drm/drm_fixed.h b/include/drm/drm_fixed.h +index 553210c02ee0f..627efa56e59fb 100644 +--- a/include/drm/drm_fixed.h ++++ b/include/drm/drm_fixed.h +@@ -88,7 +88,7 @@ static inline int drm_fixp2int(s64 a) + + static inline int drm_fixp2int_ceil(s64 a) + { +- if (a > 0) ++ if (a >= 0) + return drm_fixp2int(a + DRM_FIXED_ALMOST_ONE); + else + return drm_fixp2int(a - DRM_FIXED_ALMOST_ONE); +-- +2.43.0 + diff --git a/queue-4.19/drm-mediatek-dsi-fix-dsi-rgb666-formats-and-definiti.patch b/queue-4.19/drm-mediatek-dsi-fix-dsi-rgb666-formats-and-definiti.patch new file mode 100644 index 00000000000..047d061c3f6 --- /dev/null +++ b/queue-4.19/drm-mediatek-dsi-fix-dsi-rgb666-formats-and-definiti.patch @@ -0,0 +1,78 @@ +From 1b5eb591c6573173518257ba82be936c8fff3d61 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Feb 2024 09:53:09 +0100 +Subject: drm/mediatek: dsi: Fix DSI RGB666 formats and definitions + +From: AngeloGioacchino Del Regno + +[ Upstream commit fae6f815505301b92d9113764f4d76d0bfe45607 ] + +The register bits definitions for RGB666 formats are wrong in multiple +ways: first, in the DSI_PS_SEL bits region, the Packed 18-bits RGB666 +format is selected with bit 1, while the Loosely Packed one is bit 2, +and second - the definition name "LOOSELY_PS_18BIT_RGB666" is wrong +because the loosely packed format is 24 bits instead! + +Either way, functions mtk_dsi_ps_control_vact() and mtk_dsi_ps_control() +do not even agree on the DSI_PS_SEL bit to set in DSI_PSCTRL: one sets +loosely packed (24) on RGB666, the other sets packed (18), and the other +way around for RGB666_PACKED. + +Fixing this entire stack of issues is done in one go: + - Use the correct bit for the Loosely Packed RGB666 definition + - Rename LOOSELY_PS_18BIT_RGB666 to LOOSELY_PS_24BIT_RGB666 + - Change ps_bpp_mode in mtk_dsi_ps_control_vact() to set: + - Loosely Packed, 24-bits for MIPI_DSI_FMT_RGB666 + - Packed, 18-bits for MIPI_DSI_FMT_RGB666_PACKED + +Fixes: 2e54c14e310f ("drm/mediatek: Add DSI sub driver") +Reviewed-by: Alexandre Mergnat +Reviewed-by: CK Hu +Signed-off-by: AngeloGioacchino Del Regno +Link: https://patchwork.kernel.org/project/dri-devel/patch/20240215085316.56835-3-angelogioacchino.delregno@collabora.com/ +Signed-off-by: Chun-Kuang Hu +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/mediatek/mtk_dsi.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/gpu/drm/mediatek/mtk_dsi.c b/drivers/gpu/drm/mediatek/mtk_dsi.c +index a629a69c27568..6a7a5a485bad7 100644 +--- a/drivers/gpu/drm/mediatek/mtk_dsi.c ++++ b/drivers/gpu/drm/mediatek/mtk_dsi.c +@@ -70,8 +70,8 @@ + #define DSI_PS_WC 0x3fff + #define DSI_PS_SEL (3 << 16) + #define PACKED_PS_16BIT_RGB565 (0 << 16) +-#define LOOSELY_PS_18BIT_RGB666 (1 << 16) +-#define PACKED_PS_18BIT_RGB666 (2 << 16) ++#define PACKED_PS_18BIT_RGB666 (1 << 16) ++#define LOOSELY_PS_24BIT_RGB666 (2 << 16) + #define PACKED_PS_24BIT_RGB888 (3 << 16) + + #define DSI_VSA_NL 0x20 +@@ -327,10 +327,10 @@ static void mtk_dsi_ps_control_vact(struct mtk_dsi *dsi) + ps_bpp_mode |= PACKED_PS_24BIT_RGB888; + break; + case MIPI_DSI_FMT_RGB666: +- ps_bpp_mode |= PACKED_PS_18BIT_RGB666; ++ ps_bpp_mode |= LOOSELY_PS_24BIT_RGB666; + break; + case MIPI_DSI_FMT_RGB666_PACKED: +- ps_bpp_mode |= LOOSELY_PS_18BIT_RGB666; ++ ps_bpp_mode |= PACKED_PS_18BIT_RGB666; + break; + case MIPI_DSI_FMT_RGB565: + ps_bpp_mode |= PACKED_PS_16BIT_RGB565; +@@ -381,7 +381,7 @@ static void mtk_dsi_ps_control(struct mtk_dsi *dsi) + dsi_tmp_buf_bpp = 3; + break; + case MIPI_DSI_FMT_RGB666: +- tmp_reg = LOOSELY_PS_18BIT_RGB666; ++ tmp_reg = LOOSELY_PS_24BIT_RGB666; + dsi_tmp_buf_bpp = 3; + break; + case MIPI_DSI_FMT_RGB666_PACKED: +-- +2.43.0 + diff --git a/queue-4.19/drm-mediatek-fix-a-null-pointer-crash-in-mtk_drm_crt.patch b/queue-4.19/drm-mediatek-fix-a-null-pointer-crash-in-mtk_drm_crt.patch new file mode 100644 index 00000000000..680b83f21c9 --- /dev/null +++ b/queue-4.19/drm-mediatek-fix-a-null-pointer-crash-in-mtk_drm_crt.patch @@ -0,0 +1,81 @@ +From a3133bb16f8dd5d00c80266169b753f7af37e297 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Feb 2024 13:23:29 -0800 +Subject: drm/mediatek: Fix a null pointer crash in + mtk_drm_crtc_finish_page_flip + +From: Hsin-Yi Wang + +[ Upstream commit c958e86e9cc1b48cac004a6e245154dfba8e163b ] + +It's possible that mtk_crtc->event is NULL in +mtk_drm_crtc_finish_page_flip(). + +pending_needs_vblank value is set by mtk_crtc->event, but in +mtk_drm_crtc_atomic_flush(), it's is not guarded by the same +lock in mtk_drm_finish_page_flip(), thus a race condition happens. + +Consider the following case: + +CPU1 CPU2 +step 1: +mtk_drm_crtc_atomic_begin() +mtk_crtc->event is not null, + step 1: + mtk_drm_crtc_atomic_flush: + mtk_drm_crtc_update_config( + !!mtk_crtc->event) +step 2: +mtk_crtc_ddp_irq -> +mtk_drm_finish_page_flip: +lock +mtk_crtc->event set to null, +pending_needs_vblank set to false +unlock + pending_needs_vblank set to true, + + step 2: + mtk_crtc_ddp_irq -> + mtk_drm_finish_page_flip called again, + pending_needs_vblank is still true + //null pointer + +Instead of guarding the entire mtk_drm_crtc_atomic_flush(), it's more +efficient to just check if mtk_crtc->event is null before use. + +Fixes: 119f5173628a ("drm/mediatek: Add DRM Driver for Mediatek SoC MT8173.") +Signed-off-by: Hsin-Yi Wang +Reviewed-by: CK Hu +Link: https://patchwork.kernel.org/project/dri-devel/patch/20240223212404.3709690-1-hsinyi@chromium.org/ +Signed-off-by: Chun-Kuang Hu +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/mediatek/mtk_drm_crtc.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/drivers/gpu/drm/mediatek/mtk_drm_crtc.c b/drivers/gpu/drm/mediatek/mtk_drm_crtc.c +index eac9caf322f90..fb7262ed9b699 100644 +--- a/drivers/gpu/drm/mediatek/mtk_drm_crtc.c ++++ b/drivers/gpu/drm/mediatek/mtk_drm_crtc.c +@@ -79,11 +79,13 @@ static void mtk_drm_crtc_finish_page_flip(struct mtk_drm_crtc *mtk_crtc) + struct drm_crtc *crtc = &mtk_crtc->base; + unsigned long flags; + +- spin_lock_irqsave(&crtc->dev->event_lock, flags); +- drm_crtc_send_vblank_event(crtc, mtk_crtc->event); +- drm_crtc_vblank_put(crtc); +- mtk_crtc->event = NULL; +- spin_unlock_irqrestore(&crtc->dev->event_lock, flags); ++ if (mtk_crtc->event) { ++ spin_lock_irqsave(&crtc->dev->event_lock, flags); ++ drm_crtc_send_vblank_event(crtc, mtk_crtc->event); ++ drm_crtc_vblank_put(crtc); ++ mtk_crtc->event = NULL; ++ spin_unlock_irqrestore(&crtc->dev->event_lock, flags); ++ } + } + + static void mtk_drm_finish_page_flip(struct mtk_drm_crtc *mtk_crtc) +-- +2.43.0 + diff --git a/queue-4.19/drm-radeon-ni-fix-wrong-firmware-size-logging-in-ni_.patch b/queue-4.19/drm-radeon-ni-fix-wrong-firmware-size-logging-in-ni_.patch new file mode 100644 index 00000000000..51696415514 --- /dev/null +++ b/queue-4.19/drm-radeon-ni-fix-wrong-firmware-size-logging-in-ni_.patch @@ -0,0 +1,39 @@ +From 83fcbe118896f9f9a3bbc65a8ef28923d469c84d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Feb 2024 08:48:14 -0800 +Subject: drm/radeon/ni: Fix wrong firmware size logging in ni_init_microcode() + +From: Nikita Zhandarovich + +[ Upstream commit c4891d979c7668b195a0a75787967ec95a24ecef ] + +Clean up a typo in pr_err() erroneously printing NI MC 'rdev->mc_fw->size' +during SMC firmware load. Log 'rdev->smc_fw->size' instead. + +Found by Linux Verification Center (linuxtesting.org) with static +analysis tool SVACE. + +Fixes: 6596afd48af4 ("drm/radeon/kms: add dpm support for btc (v3)") +Signed-off-by: Nikita Zhandarovich +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/radeon/ni.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/radeon/ni.c b/drivers/gpu/drm/radeon/ni.c +index 381b0255ff027..e2f8b68a999af 100644 +--- a/drivers/gpu/drm/radeon/ni.c ++++ b/drivers/gpu/drm/radeon/ni.c +@@ -823,7 +823,7 @@ int ni_init_microcode(struct radeon_device *rdev) + err = 0; + } else if (rdev->smc_fw->size != smc_req_size) { + pr_err("ni_mc: Bogus length %zu in firmware \"%s\"\n", +- rdev->mc_fw->size, fw_name); ++ rdev->smc_fw->size, fw_name); + err = -EINVAL; + } + } +-- +2.43.0 + diff --git a/queue-4.19/drm-rockchip-inno_hdmi-fix-video-timing.patch b/queue-4.19/drm-rockchip-inno_hdmi-fix-video-timing.patch new file mode 100644 index 00000000000..388963c3d79 --- /dev/null +++ b/queue-4.19/drm-rockchip-inno_hdmi-fix-video-timing.patch @@ -0,0 +1,51 @@ +From bff1f78b29f863d6b07067335299e1e707d8e417 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Dec 2023 18:41:54 +0100 +Subject: drm/rockchip: inno_hdmi: Fix video timing + +From: Alex Bee + +[ Upstream commit 47a145c03484d33e65d773169d5ca1b9fe2a492e ] + +The controller wants the difference between *total and *sync_start in the +HDMI_VIDEO_EXT_*DELAY registers. Otherwise the signal is very unstable for +certain non-VIC modes. See downstream commit [0]. + +[0] https://github.com/rockchip-linux/kernel/commit/8eb559f2502c + +Fixes: 412d4ae6b7a5 ("drm/rockchip: hdmi: add Innosilicon HDMI support") +Co-developed-by: Zheng Yang +Signed-off-by: Zheng Yang +Signed-off-by: Alex Bee +Signed-off-by: Heiko Stuebner +Link: https://patchwork.freedesktop.org/patch/msgid/20231222174220.55249-4-knaerzche@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/rockchip/inno_hdmi.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/rockchip/inno_hdmi.c b/drivers/gpu/drm/rockchip/inno_hdmi.c +index 1c02b3e61299c..229a1c908ad02 100644 +--- a/drivers/gpu/drm/rockchip/inno_hdmi.c ++++ b/drivers/gpu/drm/rockchip/inno_hdmi.c +@@ -408,7 +408,7 @@ static int inno_hdmi_config_video_timing(struct inno_hdmi *hdmi, + hdmi_writeb(hdmi, HDMI_VIDEO_EXT_HBLANK_L, value & 0xFF); + hdmi_writeb(hdmi, HDMI_VIDEO_EXT_HBLANK_H, (value >> 8) & 0xFF); + +- value = mode->hsync_start - mode->hdisplay; ++ value = mode->htotal - mode->hsync_start; + hdmi_writeb(hdmi, HDMI_VIDEO_EXT_HDELAY_L, value & 0xFF); + hdmi_writeb(hdmi, HDMI_VIDEO_EXT_HDELAY_H, (value >> 8) & 0xFF); + +@@ -423,7 +423,7 @@ static int inno_hdmi_config_video_timing(struct inno_hdmi *hdmi, + value = mode->vtotal - mode->vdisplay; + hdmi_writeb(hdmi, HDMI_VIDEO_EXT_VBLANK, value & 0xFF); + +- value = mode->vsync_start - mode->vdisplay; ++ value = mode->vtotal - mode->vsync_start; + hdmi_writeb(hdmi, HDMI_VIDEO_EXT_VDELAY, value & 0xFF); + + value = mode->vsync_end - mode->vsync_start; +-- +2.43.0 + diff --git a/queue-4.19/drm-rockchip-lvds-do-not-overwrite-error-code.patch b/queue-4.19/drm-rockchip-lvds-do-not-overwrite-error-code.patch new file mode 100644 index 00000000000..bf76076c186 --- /dev/null +++ b/queue-4.19/drm-rockchip-lvds-do-not-overwrite-error-code.patch @@ -0,0 +1,38 @@ +From f683e404419ef5aedc8a2c89c5ea30f5270b967b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Nov 2023 13:29:48 +0100 +Subject: drm/rockchip: lvds: do not overwrite error code + +From: Quentin Schulz + +[ Upstream commit 79b09453c4e369ca81cfb670d0136d089e3b92f0 ] + +ret variable stores the return value of drm_of_find_panel_or_bridge +which can return error codes different from EPROBE_DEFER. Therefore, +let's just return that error code instead of forcing it to EPROBE_DEFER. + +Fixes: 34cc0aa25456 ("drm/rockchip: Add support for Rockchip Soc LVDS") +Cc: Quentin Schulz +Signed-off-by: Quentin Schulz +Signed-off-by: Heiko Stuebner +Link: https://patchwork.freedesktop.org/patch/msgid/20231120-rk-lvds-defer-msg-v2-1-9c59a5779cf9@theobroma-systems.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/rockchip/rockchip_lvds.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/gpu/drm/rockchip/rockchip_lvds.c b/drivers/gpu/drm/rockchip/rockchip_lvds.c +index 456bd9f13baef..215885c780759 100644 +--- a/drivers/gpu/drm/rockchip/rockchip_lvds.c ++++ b/drivers/gpu/drm/rockchip/rockchip_lvds.c +@@ -374,7 +374,6 @@ static int rockchip_lvds_bind(struct device *dev, struct device *master, + goto err_put_port; + } else if (ret) { + DRM_DEV_ERROR(dev, "failed to find panel and bridge node\n"); +- ret = -EPROBE_DEFER; + goto err_put_port; + } + if (lvds->panel) +-- +2.43.0 + diff --git a/queue-4.19/drm-rockchip-lvds-do-not-print-scary-message-when-pr.patch b/queue-4.19/drm-rockchip-lvds-do-not-print-scary-message-when-pr.patch new file mode 100644 index 00000000000..6159787a540 --- /dev/null +++ b/queue-4.19/drm-rockchip-lvds-do-not-print-scary-message-when-pr.patch @@ -0,0 +1,41 @@ +From ddd8c5ceb2d5dfe9d103c3fffe56e3932d3b5e82 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Nov 2023 13:29:49 +0100 +Subject: drm/rockchip: lvds: do not print scary message when probing defer + +From: Quentin Schulz + +[ Upstream commit 52d11c863ac92e36a0365249f7f6d27ac48c78bc ] + +This scary message can misled the user into thinking something bad has +happened and needs to be fixed, however it could simply be part of a +normal boot process where EPROBE_DEFER is taken into account. Therefore, +let's use dev_err_probe so that this message doesn't get shown (by +default) when the return code is EPROBE_DEFER. + +Fixes: 34cc0aa25456 ("drm/rockchip: Add support for Rockchip Soc LVDS") +Cc: Quentin Schulz +Signed-off-by: Quentin Schulz +Signed-off-by: Heiko Stuebner +Link: https://patchwork.freedesktop.org/patch/msgid/20231120-rk-lvds-defer-msg-v2-2-9c59a5779cf9@theobroma-systems.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/rockchip/rockchip_lvds.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/rockchip/rockchip_lvds.c b/drivers/gpu/drm/rockchip/rockchip_lvds.c +index 215885c780759..39a17c46dbf11 100644 +--- a/drivers/gpu/drm/rockchip/rockchip_lvds.c ++++ b/drivers/gpu/drm/rockchip/rockchip_lvds.c +@@ -373,7 +373,7 @@ static int rockchip_lvds_bind(struct device *dev, struct device *master, + ret = -EINVAL; + goto err_put_port; + } else if (ret) { +- DRM_DEV_ERROR(dev, "failed to find panel and bridge node\n"); ++ dev_err_probe(dev, ret, "failed to find panel and bridge node\n"); + goto err_put_port; + } + if (lvds->panel) +-- +2.43.0 + diff --git a/queue-4.19/drm-tegra-dsi-add-missing-check-for-of_find_device_b.patch b/queue-4.19/drm-tegra-dsi-add-missing-check-for-of_find_device_b.patch new file mode 100644 index 00000000000..19128594c88 --- /dev/null +++ b/queue-4.19/drm-tegra-dsi-add-missing-check-for-of_find_device_b.patch @@ -0,0 +1,41 @@ +From dfa940ad5bfe4dbd8008343c435b86ec8ce0aadc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Oct 2023 08:07:38 +0000 +Subject: drm/tegra: dsi: Add missing check for of_find_device_by_node + +From: Chen Ni + +[ Upstream commit afe6fcb9775882230cd29b529203eabd5d2a638d ] + +Add check for the return value of of_find_device_by_node() and return +the error if it fails in order to avoid NULL pointer dereference. + +Fixes: e94236cde4d5 ("drm/tegra: dsi: Add ganged mode support") +Signed-off-by: Chen Ni +Signed-off-by: Thierry Reding +Link: https://patchwork.freedesktop.org/patch/msgid/20231024080738.825553-1-nichen@iscas.ac.cn +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/tegra/dsi.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/tegra/dsi.c b/drivers/gpu/drm/tegra/dsi.c +index e2903bf7821b1..70cc960d3ff58 100644 +--- a/drivers/gpu/drm/tegra/dsi.c ++++ b/drivers/gpu/drm/tegra/dsi.c +@@ -1452,9 +1452,11 @@ static int tegra_dsi_ganged_probe(struct tegra_dsi *dsi) + np = of_parse_phandle(dsi->dev->of_node, "nvidia,ganged-mode", 0); + if (np) { + struct platform_device *gangster = of_find_device_by_node(np); ++ of_node_put(np); ++ if (!gangster) ++ return -EPROBE_DEFER; + + dsi->slave = platform_get_drvdata(gangster); +- of_node_put(np); + + if (!dsi->slave) { + put_device(&gangster->dev); +-- +2.43.0 + diff --git a/queue-4.19/drm-tegra-dsi-fix-missing-pm_runtime_disable-in-the-.patch b/queue-4.19/drm-tegra-dsi-fix-missing-pm_runtime_disable-in-the-.patch new file mode 100644 index 00000000000..b392466b5f1 --- /dev/null +++ b/queue-4.19/drm-tegra-dsi-fix-missing-pm_runtime_disable-in-the-.patch @@ -0,0 +1,37 @@ +From d828638d79a633d5d6bf7ba4a1b5b7578701f0ea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 2 Sep 2023 17:22:09 +0200 +Subject: drm/tegra: dsi: Fix missing pm_runtime_disable() in the error + handling path of tegra_dsi_probe() + +From: Christophe JAILLET + +[ Upstream commit 5286a9fc280c45b6b307ee1b07f7a997e042252c ] + +If an error occurs after calling pm_runtime_enable(), pm_runtime_disable() +should be called as already done in the remove function. + +Fixes: ef8187d75265 ("drm/tegra: dsi: Implement runtime PM") +Signed-off-by: Christophe JAILLET +Signed-off-by: Thierry Reding +Link: https://patchwork.freedesktop.org/patch/msgid/ee4a15c9cd4b574a55cd67c30d2411239ba2cee9.1693667005.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/tegra/dsi.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/tegra/dsi.c b/drivers/gpu/drm/tegra/dsi.c +index 44bf5a731ba72..fb7b000d4d341 100644 +--- a/drivers/gpu/drm/tegra/dsi.c ++++ b/drivers/gpu/drm/tegra/dsi.c +@@ -1583,6 +1583,7 @@ static int tegra_dsi_probe(struct platform_device *pdev) + return 0; + + unregister: ++ pm_runtime_disable(&pdev->dev); + mipi_dsi_host_unregister(&dsi->host); + mipi_free: + tegra_mipi_free(dsi->mipi); +-- +2.43.0 + diff --git a/queue-4.19/drm-tegra-dsi-fix-some-error-handling-paths-in-tegra.patch b/queue-4.19/drm-tegra-dsi-fix-some-error-handling-paths-in-tegra.patch new file mode 100644 index 00000000000..f71d0c5975d --- /dev/null +++ b/queue-4.19/drm-tegra-dsi-fix-some-error-handling-paths-in-tegra.patch @@ -0,0 +1,116 @@ +From 21d84e31f2f51b34bbb7aae469f2d37241fa05ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 2 Sep 2023 17:22:08 +0200 +Subject: drm/tegra: dsi: Fix some error handling paths in tegra_dsi_probe() + +From: Christophe JAILLET + +[ Upstream commit 830c1ded356369cd1303e8bb87ce3fea6e744de8 ] + +If an error occurs after calling tegra_output_probe(), +tegra_output_remove() should be called as already done in the remove +function. + +Fixes: dec727399a4b ("drm/tegra: Add DSI support") +Signed-off-by: Christophe JAILLET +Signed-off-by: Thierry Reding +Link: https://patchwork.freedesktop.org/patch/msgid/16820073278d031f6c474a08d5f22a255158585e.1693667005.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/tegra/dsi.c | 54 ++++++++++++++++++++++++------------- + 1 file changed, 35 insertions(+), 19 deletions(-) + +diff --git a/drivers/gpu/drm/tegra/dsi.c b/drivers/gpu/drm/tegra/dsi.c +index 04bf4c89d870e..44bf5a731ba72 100644 +--- a/drivers/gpu/drm/tegra/dsi.c ++++ b/drivers/gpu/drm/tegra/dsi.c +@@ -1504,44 +1504,58 @@ static int tegra_dsi_probe(struct platform_device *pdev) + + if (!pdev->dev.pm_domain) { + dsi->rst = devm_reset_control_get(&pdev->dev, "dsi"); +- if (IS_ERR(dsi->rst)) +- return PTR_ERR(dsi->rst); ++ if (IS_ERR(dsi->rst)) { ++ err = PTR_ERR(dsi->rst); ++ goto remove; ++ } + } + + dsi->clk = devm_clk_get(&pdev->dev, NULL); +- if (IS_ERR(dsi->clk)) +- return dev_err_probe(&pdev->dev, PTR_ERR(dsi->clk), +- "cannot get DSI clock\n"); ++ if (IS_ERR(dsi->clk)) { ++ err = dev_err_probe(&pdev->dev, PTR_ERR(dsi->clk), ++ "cannot get DSI clock\n"); ++ goto remove; ++ } + + dsi->clk_lp = devm_clk_get(&pdev->dev, "lp"); +- if (IS_ERR(dsi->clk_lp)) +- return dev_err_probe(&pdev->dev, PTR_ERR(dsi->clk_lp), +- "cannot get low-power clock\n"); ++ if (IS_ERR(dsi->clk_lp)) { ++ err = dev_err_probe(&pdev->dev, PTR_ERR(dsi->clk_lp), ++ "cannot get low-power clock\n"); ++ goto remove; ++ } + + dsi->clk_parent = devm_clk_get(&pdev->dev, "parent"); +- if (IS_ERR(dsi->clk_parent)) +- return dev_err_probe(&pdev->dev, PTR_ERR(dsi->clk_parent), +- "cannot get parent clock\n"); ++ if (IS_ERR(dsi->clk_parent)) { ++ err = dev_err_probe(&pdev->dev, PTR_ERR(dsi->clk_parent), ++ "cannot get parent clock\n"); ++ goto remove; ++ } + + dsi->vdd = devm_regulator_get(&pdev->dev, "avdd-dsi-csi"); +- if (IS_ERR(dsi->vdd)) +- return dev_err_probe(&pdev->dev, PTR_ERR(dsi->vdd), +- "cannot get VDD supply\n"); ++ if (IS_ERR(dsi->vdd)) { ++ err = dev_err_probe(&pdev->dev, PTR_ERR(dsi->vdd), ++ "cannot get VDD supply\n"); ++ goto remove; ++ } + + err = tegra_dsi_setup_clocks(dsi); + if (err < 0) { + dev_err(&pdev->dev, "cannot setup clocks\n"); +- return err; ++ goto remove; + } + + regs = platform_get_resource(pdev, IORESOURCE_MEM, 0); + dsi->regs = devm_ioremap_resource(&pdev->dev, regs); +- if (IS_ERR(dsi->regs)) +- return PTR_ERR(dsi->regs); ++ if (IS_ERR(dsi->regs)) { ++ err = PTR_ERR(dsi->regs); ++ goto remove; ++ } + + dsi->mipi = tegra_mipi_request(&pdev->dev, pdev->dev.of_node); +- if (IS_ERR(dsi->mipi)) +- return PTR_ERR(dsi->mipi); ++ if (IS_ERR(dsi->mipi)) { ++ err = PTR_ERR(dsi->mipi); ++ goto remove; ++ } + + dsi->host.ops = &tegra_dsi_host_ops; + dsi->host.dev = &pdev->dev; +@@ -1572,6 +1586,8 @@ static int tegra_dsi_probe(struct platform_device *pdev) + mipi_dsi_host_unregister(&dsi->host); + mipi_free: + tegra_mipi_free(dsi->mipi); ++remove: ++ tegra_output_remove(&dsi->output); + return err; + } + +-- +2.43.0 + diff --git a/queue-4.19/drm-tegra-dsi-make-use-of-the-helper-function-dev_er.patch b/queue-4.19/drm-tegra-dsi-make-use-of-the-helper-function-dev_er.patch new file mode 100644 index 00000000000..1555696ce47 --- /dev/null +++ b/queue-4.19/drm-tegra-dsi-make-use-of-the-helper-function-dev_er.patch @@ -0,0 +1,71 @@ +From 035775f60404bddad8c3677f2f6712c79f7a795b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Sep 2021 18:56:40 +0800 +Subject: drm/tegra: dsi: Make use of the helper function dev_err_probe() + +From: Cai Huoqing + +[ Upstream commit fc75e4fcbd1e4252a0481ebb23cd4516c127a8e2 ] + +When possible use dev_err_probe help to properly deal with the +PROBE_DEFER error, the benefit is that DEFER issue will be logged +in the devices_deferred debugfs file. +And using dev_err_probe() can reduce code size, the error value +gets printed. + +Signed-off-by: Cai Huoqing +Signed-off-by: Thierry Reding +Stable-dep-of: 830c1ded3563 ("drm/tegra: dsi: Fix some error handling paths in tegra_dsi_probe()") +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/tegra/dsi.c | 28 ++++++++++++---------------- + 1 file changed, 12 insertions(+), 16 deletions(-) + +diff --git a/drivers/gpu/drm/tegra/dsi.c b/drivers/gpu/drm/tegra/dsi.c +index 7033ab28f7716..04bf4c89d870e 100644 +--- a/drivers/gpu/drm/tegra/dsi.c ++++ b/drivers/gpu/drm/tegra/dsi.c +@@ -1509,28 +1509,24 @@ static int tegra_dsi_probe(struct platform_device *pdev) + } + + dsi->clk = devm_clk_get(&pdev->dev, NULL); +- if (IS_ERR(dsi->clk)) { +- dev_err(&pdev->dev, "cannot get DSI clock\n"); +- return PTR_ERR(dsi->clk); +- } ++ if (IS_ERR(dsi->clk)) ++ return dev_err_probe(&pdev->dev, PTR_ERR(dsi->clk), ++ "cannot get DSI clock\n"); + + dsi->clk_lp = devm_clk_get(&pdev->dev, "lp"); +- if (IS_ERR(dsi->clk_lp)) { +- dev_err(&pdev->dev, "cannot get low-power clock\n"); +- return PTR_ERR(dsi->clk_lp); +- } ++ if (IS_ERR(dsi->clk_lp)) ++ return dev_err_probe(&pdev->dev, PTR_ERR(dsi->clk_lp), ++ "cannot get low-power clock\n"); + + dsi->clk_parent = devm_clk_get(&pdev->dev, "parent"); +- if (IS_ERR(dsi->clk_parent)) { +- dev_err(&pdev->dev, "cannot get parent clock\n"); +- return PTR_ERR(dsi->clk_parent); +- } ++ if (IS_ERR(dsi->clk_parent)) ++ return dev_err_probe(&pdev->dev, PTR_ERR(dsi->clk_parent), ++ "cannot get parent clock\n"); + + dsi->vdd = devm_regulator_get(&pdev->dev, "avdd-dsi-csi"); +- if (IS_ERR(dsi->vdd)) { +- dev_err(&pdev->dev, "cannot get VDD supply\n"); +- return PTR_ERR(dsi->vdd); +- } ++ if (IS_ERR(dsi->vdd)) ++ return dev_err_probe(&pdev->dev, PTR_ERR(dsi->vdd), ++ "cannot get VDD supply\n"); + + err = tegra_dsi_setup_clocks(dsi); + if (err < 0) { +-- +2.43.0 + diff --git a/queue-4.19/drm-tegra-put-drm_gem_object-ref-on-error-in-tegra_f.patch b/queue-4.19/drm-tegra-put-drm_gem_object-ref-on-error-in-tegra_f.patch new file mode 100644 index 00000000000..81701a22186 --- /dev/null +++ b/queue-4.19/drm-tegra-put-drm_gem_object-ref-on-error-in-tegra_f.patch @@ -0,0 +1,40 @@ +From 9194003c063b5893739ba2ca4b50e6d90ab19a47 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Dec 2023 12:33:55 +0300 +Subject: drm/tegra: put drm_gem_object ref on error in tegra_fb_create + +From: Fedor Pchelkin + +[ Upstream commit 32e5a120a5105bce01561978ee55aee8e40ac0dc ] + +Inside tegra_fb_create(), drm_gem_object_lookup() increments ref count of +the found object. But if the following size check fails then the last +found object's ref count should be put there as the unreferencing loop +can't detect this situation. + +Found by Linux Verification Center (linuxtesting.org). + +Fixes: de2ba664c30f ("gpu: host1x: drm: Add memory manager and fb") +Signed-off-by: Fedor Pchelkin +Signed-off-by: Thierry Reding +Link: https://patchwork.freedesktop.org/patch/msgid/20231215093356.12067-1-pchelkin@ispras.ru +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/tegra/fb.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/tegra/fb.c b/drivers/gpu/drm/tegra/fb.c +index 4c22cdded3c21..e39d33f66d795 100644 +--- a/drivers/gpu/drm/tegra/fb.c ++++ b/drivers/gpu/drm/tegra/fb.c +@@ -157,6 +157,7 @@ struct drm_framebuffer *tegra_fb_create(struct drm_device *drm, + + if (gem->size < size) { + err = -EINVAL; ++ drm_gem_object_put(gem); + goto unreference; + } + +-- +2.43.0 + diff --git a/queue-4.19/firmware-qcom-scm-add-wlan-vmid-for-qualcomm-scm-int.patch b/queue-4.19/firmware-qcom-scm-add-wlan-vmid-for-qualcomm-scm-int.patch new file mode 100644 index 00000000000..1fdc1b4d9f6 --- /dev/null +++ b/queue-4.19/firmware-qcom-scm-add-wlan-vmid-for-qualcomm-scm-int.patch @@ -0,0 +1,45 @@ +From 1ec9c70c8b8a7852ef27f177d2f5997c5293f74d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Oct 2018 13:16:01 +0300 +Subject: firmware: qcom: scm: Add WLAN VMID for Qualcomm SCM interface + +From: Govind Singh + +[ Upstream commit cc53aabcc283c36274d3f3ce9adc4b40c21d4838 ] + +Add WLAN related VMID's to support wlan driver to set up +the remote's permissions call via TrustZone. + +Signed-off-by: Govind Singh +Reviewed-by: Bjorn Andersson +Acked-by: Niklas Cassel +Reviewed-by: Brian Norris +Signed-off-by: Kalle Valo +Stable-dep-of: 117e7dc697c2 ("clk: qcom: dispcc-sdm845: Adjust internal GDSC wait times") +Signed-off-by: Sasha Levin +--- + include/linux/qcom_scm.h | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/include/linux/qcom_scm.h b/include/linux/qcom_scm.h +index 116b81ac442ad..1637385bcc171 100644 +--- a/include/linux/qcom_scm.h ++++ b/include/linux/qcom_scm.h +@@ -1,4 +1,4 @@ +-/* Copyright (c) 2010-2015, The Linux Foundation. All rights reserved. ++/* Copyright (c) 2010-2015, 2018, The Linux Foundation. All rights reserved. + * Copyright (C) 2015 Linaro Ltd. + * + * This program is free software; you can redistribute it and/or modify +@@ -33,6 +33,8 @@ struct qcom_scm_vmperm { + + #define QCOM_SCM_VMID_HLOS 0x3 + #define QCOM_SCM_VMID_MSS_MSA 0xF ++#define QCOM_SCM_VMID_WLAN 0x18 ++#define QCOM_SCM_VMID_WLAN_CE 0x19 + #define QCOM_SCM_PERM_READ 0x4 + #define QCOM_SCM_PERM_WRITE 0x2 + #define QCOM_SCM_PERM_EXEC 0x1 +-- +2.43.0 + diff --git a/queue-4.19/fs-quota-erase-unused-but-set-variable-warning.patch b/queue-4.19/fs-quota-erase-unused-but-set-variable-warning.patch new file mode 100644 index 00000000000..98e35c6340d --- /dev/null +++ b/queue-4.19/fs-quota-erase-unused-but-set-variable-warning.patch @@ -0,0 +1,52 @@ +From 179c1592bcbd2d18c328d802b1b22ba761f5cfd6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Apr 2019 08:58:57 +0800 +Subject: fs/quota: erase unused but set variable warning + +From: Jiang Biao + +[ Upstream commit 78bc3334a69ff289dbc973a9db7c52a2d7757e5b ] + +Local variable *reserved* of remove_dquot_ref() is only used if +define CONFIG_QUOTA_DEBUG, but not ebraced in CONFIG_QUOTA_DEBUG +macro, which leads to unused-but-set-variable warning when compiling. + +This patch ebrace it into CONFIG_QUOTA_DEBUG macro like what is done +in add_dquot_ref(). + +Signed-off-by: Jiang Biao +Signed-off-by: Jan Kara +Stable-dep-of: 179b8c97ebf6 ("quota: Fix rcu annotations of inode dquot pointers") +Signed-off-by: Sasha Levin +--- + fs/quota/dquot.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c +index 683727c5758c0..b55d91d3d87c2 100644 +--- a/fs/quota/dquot.c ++++ b/fs/quota/dquot.c +@@ -1129,7 +1129,9 @@ static void remove_dquot_ref(struct super_block *sb, int type, + struct list_head *tofree_head) + { + struct inode *inode; ++#ifdef CONFIG_QUOTA_DEBUG + int reserved = 0; ++#endif + + spin_lock(&sb->s_inode_list_lock); + list_for_each_entry(inode, &sb->s_inodes, i_sb_list) { +@@ -1141,8 +1143,10 @@ static void remove_dquot_ref(struct super_block *sb, int type, + */ + spin_lock(&dq_data_lock); + if (!IS_NOQUOTA(inode)) { ++#ifdef CONFIG_QUOTA_DEBUG + if (unlikely(inode_get_rsv_space(inode) > 0)) + reserved = 1; ++#endif + remove_inode_dquot_ref(inode, type, tofree_head); + } + spin_unlock(&dq_data_lock); +-- +2.43.0 + diff --git a/queue-4.19/fs-select-rework-stack-allocation-hack-for-clang.patch b/queue-4.19/fs-select-rework-stack-allocation-hack-for-clang.patch new file mode 100644 index 00000000000..47151e99f55 --- /dev/null +++ b/queue-4.19/fs-select-rework-stack-allocation-hack-for-clang.patch @@ -0,0 +1,67 @@ +From e793792fd8e21735db9c3e790edac4654a2035d3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Feb 2024 21:23:34 +0100 +Subject: fs/select: rework stack allocation hack for clang + +From: Arnd Bergmann + +[ Upstream commit ddb9fd7a544088ed70eccbb9f85e9cc9952131c1 ] + +A while ago, we changed the way that select() and poll() preallocate +a temporary buffer just under the size of the static warning limit of +1024 bytes, as clang was frequently going slightly above that limit. + +The warnings have recently returned and I took another look. As it turns +out, clang is not actually inherently worse at reserving stack space, +it just happens to inline do_select() into core_sys_select(), while gcc +never inlines it. + +Annotate do_select() to never be inlined and in turn remove the special +case for the allocation size. This should give the same behavior for +both clang and gcc all the time and once more avoids those warnings. + +Fixes: ad312f95d41c ("fs/select: avoid clang stack usage warning") +Signed-off-by: Arnd Bergmann +Link: https://lore.kernel.org/r/20240216202352.2492798-1-arnd@kernel.org +Reviewed-by: Kees Cook +Reviewed-by: Andi Kleen +Reviewed-by: Jan Kara +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/select.c | 2 +- + include/linux/poll.h | 4 ---- + 2 files changed, 1 insertion(+), 5 deletions(-) + +diff --git a/fs/select.c b/fs/select.c +index 1c3985d0bcc3e..e09c43cd75bbb 100644 +--- a/fs/select.c ++++ b/fs/select.c +@@ -448,7 +448,7 @@ static inline void wait_key_set(poll_table *wait, unsigned long in, + wait->_key |= POLLOUT_SET; + } + +-static int do_select(int n, fd_set_bits *fds, struct timespec64 *end_time) ++static noinline_for_stack int do_select(int n, fd_set_bits *fds, struct timespec64 *end_time) + { + ktime_t expire, *to = NULL; + struct poll_wqueues table; +diff --git a/include/linux/poll.h b/include/linux/poll.h +index 1cdc32b1f1b08..7e0fdcf905d2e 100644 +--- a/include/linux/poll.h ++++ b/include/linux/poll.h +@@ -16,11 +16,7 @@ + extern struct ctl_table epoll_table[]; /* for sysctl */ + /* ~832 bytes of stack space used max in sys_select/sys_poll before allocating + additional memory. */ +-#ifdef __clang__ +-#define MAX_STACK_ALLOC 768 +-#else + #define MAX_STACK_ALLOC 832 +-#endif + #define FRONTEND_STACK_ALLOC 256 + #define SELECT_STACK_ALLOC FRONTEND_STACK_ALLOC + #define POLL_STACK_ALLOC FRONTEND_STACK_ALLOC +-- +2.43.0 + diff --git a/queue-4.19/gpu-host1x-mipi-update-tegra_mipi_request-to-be-node.patch b/queue-4.19/gpu-host1x-mipi-update-tegra_mipi_request-to-be-node.patch new file mode 100644 index 00000000000..f05815366dd --- /dev/null +++ b/queue-4.19/gpu-host1x-mipi-update-tegra_mipi_request-to-be-node.patch @@ -0,0 +1,73 @@ +From b148b983b80e327b8f1ba7be23e71b0d68c7bb4e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Jul 2020 21:20:51 -0700 +Subject: gpu: host1x: mipi: Update tegra_mipi_request() to be node based + +From: Sowjanya Komatineni + +[ Upstream commit 767598d447aa46411289c5808b0e45e20a1823b4 ] + +Tegra CSI driver need a separate MIPI device for each channel as +calibration of corresponding MIPI pads for each channel should +happen independently. + +So, this patch updates tegra_mipi_request() API to add a device_node +pointer argument to allow creating mipi device for specific device +node rather than a device. + +Signed-off-by: Sowjanya Komatineni +Signed-off-by: Thierry Reding +Stable-dep-of: 830c1ded3563 ("drm/tegra: dsi: Fix some error handling paths in tegra_dsi_probe()") +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/tegra/dsi.c | 2 +- + drivers/gpu/host1x/mipi.c | 4 ++-- + include/linux/host1x.h | 3 ++- + 3 files changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/tegra/dsi.c b/drivers/gpu/drm/tegra/dsi.c +index 70cc960d3ff58..7033ab28f7716 100644 +--- a/drivers/gpu/drm/tegra/dsi.c ++++ b/drivers/gpu/drm/tegra/dsi.c +@@ -1543,7 +1543,7 @@ static int tegra_dsi_probe(struct platform_device *pdev) + if (IS_ERR(dsi->regs)) + return PTR_ERR(dsi->regs); + +- dsi->mipi = tegra_mipi_request(&pdev->dev); ++ dsi->mipi = tegra_mipi_request(&pdev->dev, pdev->dev.of_node); + if (IS_ERR(dsi->mipi)) + return PTR_ERR(dsi->mipi); + +diff --git a/drivers/gpu/host1x/mipi.c b/drivers/gpu/host1x/mipi.c +index e00809d996a29..762d349ad00f1 100644 +--- a/drivers/gpu/host1x/mipi.c ++++ b/drivers/gpu/host1x/mipi.c +@@ -206,9 +206,9 @@ static int tegra_mipi_power_down(struct tegra_mipi *mipi) + return 0; + } + +-struct tegra_mipi_device *tegra_mipi_request(struct device *device) ++struct tegra_mipi_device *tegra_mipi_request(struct device *device, ++ struct device_node *np) + { +- struct device_node *np = device->of_node; + struct tegra_mipi_device *dev; + struct of_phandle_args args; + int err; +diff --git a/include/linux/host1x.h b/include/linux/host1x.h +index aef6e2f738027..903c0ec204442 100644 +--- a/include/linux/host1x.h ++++ b/include/linux/host1x.h +@@ -327,7 +327,8 @@ int host1x_client_unregister(struct host1x_client *client); + + struct tegra_mipi_device; + +-struct tegra_mipi_device *tegra_mipi_request(struct device *device); ++struct tegra_mipi_device *tegra_mipi_request(struct device *device, ++ struct device_node *np); + void tegra_mipi_free(struct tegra_mipi_device *device); + int tegra_mipi_enable(struct tegra_mipi_device *device); + int tegra_mipi_disable(struct tegra_mipi_device *device); +-- +2.43.0 + diff --git a/queue-4.19/igb-fix-missing-time-sync-events.patch b/queue-4.19/igb-fix-missing-time-sync-events.patch new file mode 100644 index 00000000000..ae8500e9586 --- /dev/null +++ b/queue-4.19/igb-fix-missing-time-sync-events.patch @@ -0,0 +1,94 @@ +From 913867b61bb7d30a5325fe0618f495bb3ef294d3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Feb 2024 15:57:11 -0800 +Subject: igb: Fix missing time sync events + +From: Vinicius Costa Gomes + +[ Upstream commit ee14cc9ea19ba9678177e2224a9c58cce5937c73 ] + +Fix "double" clearing of interrupts, which can cause external events +or timestamps to be missed. + +The E1000_TSIRC Time Sync Interrupt Cause register can be cleared in two +ways, by either reading it or by writing '1' into the specific cause +bit. This is documented in section 8.16.1. + +The following flow was used: + 1. read E1000_TSIRC into 'tsicr'; + 2. handle the interrupts present into 'tsirc' and mark them in 'ack'; + 3. write 'ack' into E1000_TSICR; + +As both (1) and (3) will clear the interrupt cause, if the same +interrupt happens again between (1) and (3) it will be ignored, +causing events to be missed. + +Remove the extra clear in (3). + +Fixes: 00c65578b47b ("igb: enable internal PPS for the i210") +Acked-by: Richard Cochran +Signed-off-by: Vinicius Costa Gomes +Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igb/igb_main.c | 23 +++++------------------ + 1 file changed, 5 insertions(+), 18 deletions(-) + +diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c +index c0e2323e50c6e..5d8d5915bc276 100644 +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -6555,44 +6555,31 @@ static void igb_extts(struct igb_adapter *adapter, int tsintr_tt) + static void igb_tsync_interrupt(struct igb_adapter *adapter) + { + struct e1000_hw *hw = &adapter->hw; +- u32 ack = 0, tsicr = rd32(E1000_TSICR); ++ u32 tsicr = rd32(E1000_TSICR); + struct ptp_clock_event event; + + if (tsicr & TSINTR_SYS_WRAP) { + event.type = PTP_CLOCK_PPS; + if (adapter->ptp_caps.pps) + ptp_clock_event(adapter->ptp_clock, &event); +- ack |= TSINTR_SYS_WRAP; + } + + if (tsicr & E1000_TSICR_TXTS) { + /* retrieve hardware timestamp */ + schedule_work(&adapter->ptp_tx_work); +- ack |= E1000_TSICR_TXTS; + } + +- if (tsicr & TSINTR_TT0) { ++ if (tsicr & TSINTR_TT0) + igb_perout(adapter, 0); +- ack |= TSINTR_TT0; +- } + +- if (tsicr & TSINTR_TT1) { ++ if (tsicr & TSINTR_TT1) + igb_perout(adapter, 1); +- ack |= TSINTR_TT1; +- } + +- if (tsicr & TSINTR_AUTT0) { ++ if (tsicr & TSINTR_AUTT0) + igb_extts(adapter, 0); +- ack |= TSINTR_AUTT0; +- } + +- if (tsicr & TSINTR_AUTT1) { ++ if (tsicr & TSINTR_AUTT1) + igb_extts(adapter, 1); +- ack |= TSINTR_AUTT1; +- } +- +- /* acknowledge the interrupts */ +- wr32(E1000_TSICR, ack); + } + + static irqreturn_t igb_msix_other(int irq, void *data) +-- +2.43.0 + diff --git a/queue-4.19/igb-move-perout-and-extts-isr-logic-to-separate-func.patch b/queue-4.19/igb-move-perout-and-extts-isr-logic-to-separate-func.patch new file mode 100644 index 00000000000..20ec1df8753 --- /dev/null +++ b/queue-4.19/igb-move-perout-and-extts-isr-logic-to-separate-func.patch @@ -0,0 +1,141 @@ +From 2c84128bd251213cd514e616bc98b734f24f1973 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Oct 2021 16:34:57 +0200 +Subject: igb: move PEROUT and EXTTS isr logic to separate functions + +From: Ruud Bos + +[ Upstream commit cf99c1dd7b7729091043374b90807c7a5f9fd9b1 ] + +Remove code duplication in the tsync interrupt handler function by moving +this logic to separate functions. This keeps the interrupt handler readable +and allows the new functions to be extended for adapter types other than +i210. + +Signed-off-by: Ruud Bos +Tested-by: Gurucharan G +Signed-off-by: Tony Nguyen +Stable-dep-of: ee14cc9ea19b ("igb: Fix missing time sync events") +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igb/igb_main.c | 81 +++++++++++++---------- + 1 file changed, 46 insertions(+), 35 deletions(-) + +diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c +index 00d8f1e8177e7..c0e2323e50c6e 100644 +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -6511,12 +6511,52 @@ void igb_update_stats(struct igb_adapter *adapter) + } + } + ++static void igb_perout(struct igb_adapter *adapter, int tsintr_tt) ++{ ++ int pin = ptp_find_pin(adapter->ptp_clock, PTP_PF_PEROUT, tsintr_tt); ++ struct e1000_hw *hw = &adapter->hw; ++ struct timespec64 ts; ++ u32 tsauxc; ++ ++ if (pin < 0 || pin >= IGB_N_PEROUT) ++ return; ++ ++ spin_lock(&adapter->tmreg_lock); ++ ts = timespec64_add(adapter->perout[pin].start, ++ adapter->perout[pin].period); ++ /* u32 conversion of tv_sec is safe until y2106 */ ++ wr32((tsintr_tt == 1) ? E1000_TRGTTIML1 : E1000_TRGTTIML0, ts.tv_nsec); ++ wr32((tsintr_tt == 1) ? E1000_TRGTTIMH1 : E1000_TRGTTIMH0, (u32)ts.tv_sec); ++ tsauxc = rd32(E1000_TSAUXC); ++ tsauxc |= TSAUXC_EN_TT0; ++ wr32(E1000_TSAUXC, tsauxc); ++ adapter->perout[pin].start = ts; ++ spin_unlock(&adapter->tmreg_lock); ++} ++ ++static void igb_extts(struct igb_adapter *adapter, int tsintr_tt) ++{ ++ int pin = ptp_find_pin(adapter->ptp_clock, PTP_PF_EXTTS, tsintr_tt); ++ struct e1000_hw *hw = &adapter->hw; ++ struct ptp_clock_event event; ++ u32 sec, nsec; ++ ++ if (pin < 0 || pin >= IGB_N_EXTTS) ++ return; ++ ++ nsec = rd32((tsintr_tt == 1) ? E1000_AUXSTMPL1 : E1000_AUXSTMPL0); ++ sec = rd32((tsintr_tt == 1) ? E1000_AUXSTMPH1 : E1000_AUXSTMPH0); ++ event.type = PTP_CLOCK_EXTTS; ++ event.index = tsintr_tt; ++ event.timestamp = sec * 1000000000ULL + nsec; ++ ptp_clock_event(adapter->ptp_clock, &event); ++} ++ + static void igb_tsync_interrupt(struct igb_adapter *adapter) + { + struct e1000_hw *hw = &adapter->hw; ++ u32 ack = 0, tsicr = rd32(E1000_TSICR); + struct ptp_clock_event event; +- struct timespec64 ts; +- u32 ack = 0, tsauxc, sec, nsec, tsicr = rd32(E1000_TSICR); + + if (tsicr & TSINTR_SYS_WRAP) { + event.type = PTP_CLOCK_PPS; +@@ -6532,51 +6572,22 @@ static void igb_tsync_interrupt(struct igb_adapter *adapter) + } + + if (tsicr & TSINTR_TT0) { +- spin_lock(&adapter->tmreg_lock); +- ts = timespec64_add(adapter->perout[0].start, +- adapter->perout[0].period); +- /* u32 conversion of tv_sec is safe until y2106 */ +- wr32(E1000_TRGTTIML0, ts.tv_nsec); +- wr32(E1000_TRGTTIMH0, (u32)ts.tv_sec); +- tsauxc = rd32(E1000_TSAUXC); +- tsauxc |= TSAUXC_EN_TT0; +- wr32(E1000_TSAUXC, tsauxc); +- adapter->perout[0].start = ts; +- spin_unlock(&adapter->tmreg_lock); ++ igb_perout(adapter, 0); + ack |= TSINTR_TT0; + } + + if (tsicr & TSINTR_TT1) { +- spin_lock(&adapter->tmreg_lock); +- ts = timespec64_add(adapter->perout[1].start, +- adapter->perout[1].period); +- wr32(E1000_TRGTTIML1, ts.tv_nsec); +- wr32(E1000_TRGTTIMH1, (u32)ts.tv_sec); +- tsauxc = rd32(E1000_TSAUXC); +- tsauxc |= TSAUXC_EN_TT1; +- wr32(E1000_TSAUXC, tsauxc); +- adapter->perout[1].start = ts; +- spin_unlock(&adapter->tmreg_lock); ++ igb_perout(adapter, 1); + ack |= TSINTR_TT1; + } + + if (tsicr & TSINTR_AUTT0) { +- nsec = rd32(E1000_AUXSTMPL0); +- sec = rd32(E1000_AUXSTMPH0); +- event.type = PTP_CLOCK_EXTTS; +- event.index = 0; +- event.timestamp = sec * 1000000000ULL + nsec; +- ptp_clock_event(adapter->ptp_clock, &event); ++ igb_extts(adapter, 0); + ack |= TSINTR_AUTT0; + } + + if (tsicr & TSINTR_AUTT1) { +- nsec = rd32(E1000_AUXSTMPL1); +- sec = rd32(E1000_AUXSTMPH1); +- event.type = PTP_CLOCK_EXTTS; +- event.index = 1; +- event.timestamp = sec * 1000000000ULL + nsec; +- ptp_clock_event(adapter->ptp_clock, &event); ++ igb_extts(adapter, 1); + ack |= TSINTR_AUTT1; + } + +-- +2.43.0 + diff --git a/queue-4.19/iommu-amd-mark-interrupt-as-managed.patch b/queue-4.19/iommu-amd-mark-interrupt-as-managed.patch new file mode 100644 index 00000000000..063fde01d0b --- /dev/null +++ b/queue-4.19/iommu-amd-mark-interrupt-as-managed.patch @@ -0,0 +1,69 @@ +From ac0344872e1391aa4b84574a8da25443ab838a55 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Jan 2024 17:34:00 -0600 +Subject: iommu/amd: Mark interrupt as managed + +From: Mario Limonciello + +[ Upstream commit 0feda94c868d396fac3b3cb14089d2d989a07c72 ] + +On many systems that have an AMD IOMMU the following sequence of +warnings is observed during bootup. + +``` +pci 0000:00:00.2 can't derive routing for PCI INT A +pci 0000:00:00.2: PCI INT A: not connected +``` + +This series of events happens because of the IOMMU initialization +sequence order and the lack of _PRT entries for the IOMMU. + +During initialization the IOMMU driver first enables the PCI device +using pci_enable_device(). This will call acpi_pci_irq_enable() +which will check if the interrupt is declared in a PCI routing table +(_PRT) entry. According to the PCI spec [1] these routing entries +are only required under PCI root bridges: + The _PRT object is required under all PCI root bridges + +The IOMMU is directly connected to the root complex, so there is no +parent bridge to look for a _PRT entry. The first warning is emitted +since no entry could be found in the hierarchy. The second warning is +then emitted because the interrupt hasn't yet been configured to any +value. The pin was configured in pci_read_irq() but the byte in +PCI_INTERRUPT_LINE return 0xff which means "Unknown". + +After that sequence of events pci_enable_msi() is called and this +will allocate an interrupt. + +That is both of these warnings are totally harmless because the IOMMU +uses MSI for interrupts. To avoid even trying to probe for a _PRT +entry mark the IOMMU as IRQ managed. This avoids both warnings. + +Link: https://uefi.org/htmlspecs/ACPI_Spec_6_4_html/06_Device_Configuration/Device_Configuration.html?highlight=_prt#prt-pci-routing-table [1] +Signed-off-by: Mario Limonciello +Fixes: cffe0a2b5a34 ("x86, irq: Keep balance of IOAPIC pin reference count") +Reviewed-by: Vasant Hegde +Link: https://lore.kernel.org/r/20240122233400.1802-1-mario.limonciello@amd.com +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/amd_iommu_init.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/iommu/amd_iommu_init.c b/drivers/iommu/amd_iommu_init.c +index 12e7254b39489..efb11ca91dd72 100644 +--- a/drivers/iommu/amd_iommu_init.c ++++ b/drivers/iommu/amd_iommu_init.c +@@ -1733,6 +1733,9 @@ static int __init iommu_init_pci(struct amd_iommu *iommu) + /* Prevent binding other PCI device drivers to IOMMU devices */ + iommu->dev->match_driver = false; + ++ /* ACPI _PRT won't have an IRQ for IOMMU */ ++ iommu->dev->irq_managed = 1; ++ + pci_read_config_dword(iommu->dev, cap_ptr + MMIO_CAP_HDR_OFFSET, + &iommu->cap); + pci_read_config_dword(iommu->dev, cap_ptr + MMIO_RANGE_OFFSET, +-- +2.43.0 + diff --git a/queue-4.19/ipv6-fib6_rules-flush-route-cache-when-rule-is-chang.patch b/queue-4.19/ipv6-fib6_rules-flush-route-cache-when-rule-is-chang.patch new file mode 100644 index 00000000000..e44f71fd081 --- /dev/null +++ b/queue-4.19/ipv6-fib6_rules-flush-route-cache-when-rule-is-chang.patch @@ -0,0 +1,55 @@ +From 7a8a842965ed02ab2d926ebaf73b7458f465534e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Mar 2024 18:01:57 +0800 +Subject: ipv6: fib6_rules: flush route cache when rule is changed + +From: Shiming Cheng + +[ Upstream commit c4386ab4f6c600f75fdfd21143f89bac3e625d0d ] + +When rule policy is changed, ipv6 socket cache is not refreshed. +The sock's skb still uses a outdated route cache and was sent to +a wrong interface. + +To avoid this error we should update fib node's version when +rule is changed. Then skb's route will be reroute checked as +route cache version is already different with fib node version. +The route cache is refreshed to match the latest rule. + +Fixes: 101367c2f8c4 ("[IPV6]: Policy Routing Rules") +Signed-off-by: Shiming Cheng +Signed-off-by: Lena Wang +Reviewed-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv6/fib6_rules.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/ipv6/fib6_rules.c b/net/ipv6/fib6_rules.c +index f590446595d8b..1913801f4273c 100644 +--- a/net/ipv6/fib6_rules.c ++++ b/net/ipv6/fib6_rules.c +@@ -437,6 +437,11 @@ static size_t fib6_rule_nlmsg_payload(struct fib_rule *rule) + + nla_total_size(16); /* src */ + } + ++static void fib6_rule_flush_cache(struct fib_rules_ops *ops) ++{ ++ rt_genid_bump_ipv6(ops->fro_net); ++} ++ + static const struct fib_rules_ops __net_initconst fib6_rules_ops_template = { + .family = AF_INET6, + .rule_size = sizeof(struct fib6_rule), +@@ -449,6 +454,7 @@ static const struct fib_rules_ops __net_initconst fib6_rules_ops_template = { + .compare = fib6_rule_compare, + .fill = fib6_rule_fill, + .nlmsg_payload = fib6_rule_nlmsg_payload, ++ .flush_cache = fib6_rule_flush_cache, + .nlgroup = RTNLGRP_IPV6_RULE, + .policy = fib6_rule_policy, + .owner = THIS_MODULE, +-- +2.43.0 + diff --git a/queue-4.19/l2tp-fix-incorrect-parameter-validation-in-the-pppol.patch b/queue-4.19/l2tp-fix-incorrect-parameter-validation-in-the-pppol.patch new file mode 100644 index 00000000000..4892efba045 --- /dev/null +++ b/queue-4.19/l2tp-fix-incorrect-parameter-validation-in-the-pppol.patch @@ -0,0 +1,47 @@ +From 8a5266dfa076d9cc6cbbcf8430faaea3ad12227d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Mar 2024 14:23:50 +0000 +Subject: l2tp: fix incorrect parameter validation in the pppol2tp_getsockopt() + function + +From: Gavrilov Ilia + +[ Upstream commit 955e9876ba4ee26eeaab1b13517f5b2c88e73d55 ] + +The 'len' variable can't be negative when assigned the result of +'min_t' because all 'min_t' parameters are cast to unsigned int, +and then the minimum one is chosen. + +To fix the logic, check 'len' as read from 'optlen', +where the types of relevant variables are (signed) int. + +Fixes: 3557baabf280 ("[L2TP]: PPP over L2TP driver core") +Reviewed-by: Tom Parkin +Signed-off-by: Gavrilov Ilia +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/l2tp/l2tp_ppp.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c +index c0956781665e1..3ed3b85f30b6e 100644 +--- a/net/l2tp/l2tp_ppp.c ++++ b/net/l2tp/l2tp_ppp.c +@@ -1380,11 +1380,11 @@ static int pppol2tp_getsockopt(struct socket *sock, int level, int optname, + if (get_user(len, optlen)) + return -EFAULT; + +- len = min_t(unsigned int, len, sizeof(int)); +- + if (len < 0) + return -EINVAL; + ++ len = min_t(unsigned int, len, sizeof(int)); ++ + err = -ENOTCONN; + if (sk->sk_user_data == NULL) + goto end; +-- +2.43.0 + diff --git a/queue-4.19/md-don-t-clear-md_closing-when-the-raid-is-about-to-.patch b/queue-4.19/md-don-t-clear-md_closing-when-the-raid-is-about-to-.patch new file mode 100644 index 00000000000..a597f02d8b0 --- /dev/null +++ b/queue-4.19/md-don-t-clear-md_closing-when-the-raid-is-about-to-.patch @@ -0,0 +1,73 @@ +From ee0ede135022ce7188f3742206fa27b57f33f184 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Feb 2024 11:14:40 +0800 +Subject: md: Don't clear MD_CLOSING when the raid is about to stop + +From: Li Nan + +[ Upstream commit 9674f54e41fffaf06f6a60202e1fa4cc13de3cf5 ] + +The raid should not be opened anymore when it is about to be stopped. +However, other processes can open it again if the flag MD_CLOSING is +cleared before exiting. From now on, this flag will not be cleared when +the raid will be stopped. + +Fixes: 065e519e71b2 ("md: MD_CLOSING needs to be cleared after called md_set_readonly or do_md_stop") +Signed-off-by: Li Nan +Reviewed-by: Yu Kuai +Signed-off-by: Song Liu +Link: https://lore.kernel.org/r/20240226031444.3606764-6-linan666@huaweicloud.com +Signed-off-by: Sasha Levin +--- + drivers/md/md.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +diff --git a/drivers/md/md.c b/drivers/md/md.c +index 8123c44de7dc8..68eb3220be1c9 100644 +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -5886,7 +5886,15 @@ static void md_clean(struct mddev *mddev) + mddev->persistent = 0; + mddev->level = LEVEL_NONE; + mddev->clevel[0] = 0; +- mddev->flags = 0; ++ /* ++ * Don't clear MD_CLOSING, or mddev can be opened again. ++ * 'hold_active != 0' means mddev is still in the creation ++ * process and will be used later. ++ */ ++ if (mddev->hold_active) ++ mddev->flags = 0; ++ else ++ mddev->flags &= BIT_ULL_MASK(MD_CLOSING); + mddev->sb_flags = 0; + mddev->ro = 0; + mddev->metadata_type[0] = 0; +@@ -7199,7 +7207,6 @@ static int md_ioctl(struct block_device *bdev, fmode_t mode, + int err = 0; + void __user *argp = (void __user *)arg; + struct mddev *mddev = NULL; +- bool did_set_md_closing = false; + + if (!md_ioctl_valid(cmd)) + return -ENOTTY; +@@ -7294,7 +7301,6 @@ static int md_ioctl(struct block_device *bdev, fmode_t mode, + err = -EBUSY; + goto out; + } +- did_set_md_closing = true; + mutex_unlock(&mddev->open_mutex); + sync_blockdev(bdev); + } +@@ -7458,7 +7464,7 @@ static int md_ioctl(struct block_device *bdev, fmode_t mode, + mddev->hold_active = 0; + mddev_unlock(mddev); + out: +- if(did_set_md_closing) ++ if (cmd == STOP_ARRAY_RO || (err && cmd == STOP_ARRAY)) + clear_bit(MD_CLOSING, &mddev->flags); + return err; + } +-- +2.43.0 + diff --git a/queue-4.19/md-implement-set_read_only-to-hook-into-blkroset-pro.patch b/queue-4.19/md-implement-set_read_only-to-hook-into-blkroset-pro.patch new file mode 100644 index 00000000000..bc99742cb36 --- /dev/null +++ b/queue-4.19/md-implement-set_read_only-to-hook-into-blkroset-pro.patch @@ -0,0 +1,125 @@ +From 460b438542d671fbc164ce6f6ee56b87a4bb6145 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Nov 2020 11:00:13 +0100 +Subject: md: implement ->set_read_only to hook into BLKROSET processing + +From: Christoph Hellwig + +[ Upstream commit 118cf084adb3964d06e1667cf7d702e56e5cd2c5 ] + +Implement the ->set_read_only method instead of parsing the actual +ioctl command. + +Signed-off-by: Christoph Hellwig +Acked-by: Song Liu +Signed-off-by: Jens Axboe +Stable-dep-of: 9674f54e41ff ("md: Don't clear MD_CLOSING when the raid is about to stop") +Signed-off-by: Sasha Levin +--- + drivers/md/md.c | 62 ++++++++++++++++++++++++------------------------- + 1 file changed, 31 insertions(+), 31 deletions(-) + +diff --git a/drivers/md/md.c b/drivers/md/md.c +index a137f8b4a0541..8123c44de7dc8 100644 +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -7172,7 +7172,6 @@ static inline bool md_ioctl_valid(unsigned int cmd) + { + switch (cmd) { + case ADD_NEW_DISK: +- case BLKROSET: + case GET_ARRAY_INFO: + case GET_BITMAP_FILE: + case GET_DISK_INFO: +@@ -7200,7 +7199,6 @@ static int md_ioctl(struct block_device *bdev, fmode_t mode, + int err = 0; + void __user *argp = (void __user *)arg; + struct mddev *mddev = NULL; +- int ro; + bool did_set_md_closing = false; + + if (!md_ioctl_valid(cmd)) +@@ -7391,35 +7389,6 @@ static int md_ioctl(struct block_device *bdev, fmode_t mode, + goto unlock; + } + break; +- +- case BLKROSET: +- if (get_user(ro, (int __user *)(arg))) { +- err = -EFAULT; +- goto unlock; +- } +- err = -EINVAL; +- +- /* if the bdev is going readonly the value of mddev->ro +- * does not matter, no writes are coming +- */ +- if (ro) +- goto unlock; +- +- /* are we are already prepared for writes? */ +- if (mddev->ro != 1) +- goto unlock; +- +- /* transitioning to readauto need only happen for +- * arrays that call md_write_start +- */ +- if (mddev->pers) { +- err = restart_array(mddev); +- if (err == 0) { +- mddev->ro = 2; +- set_disk_ro(mddev->gendisk, 0); +- } +- } +- goto unlock; + } + + /* +@@ -7513,6 +7482,36 @@ static int md_compat_ioctl(struct block_device *bdev, fmode_t mode, + } + #endif /* CONFIG_COMPAT */ + ++static int md_set_read_only(struct block_device *bdev, bool ro) ++{ ++ struct mddev *mddev = bdev->bd_disk->private_data; ++ int err; ++ ++ err = mddev_lock(mddev); ++ if (err) ++ return err; ++ ++ if (!mddev->raid_disks && !mddev->external) { ++ err = -ENODEV; ++ goto out_unlock; ++ } ++ ++ /* ++ * Transitioning to read-auto need only happen for arrays that call ++ * md_write_start and which are not ready for writes yet. ++ */ ++ if (!ro && mddev->ro == 1 && mddev->pers) { ++ err = restart_array(mddev); ++ if (err) ++ goto out_unlock; ++ mddev->ro = 2; ++ } ++ ++out_unlock: ++ mddev_unlock(mddev); ++ return err; ++} ++ + static int md_open(struct block_device *bdev, fmode_t mode) + { + /* +@@ -7588,6 +7587,7 @@ static const struct block_device_operations md_fops = + #endif + .getgeo = md_getgeo, + .check_events = md_check_events, ++ .set_read_only = md_set_read_only, + }; + + static int md_thread(void *arg) +-- +2.43.0 + diff --git a/queue-4.19/md-switch-to-check_events-for-media-change-notificat.patch b/queue-4.19/md-switch-to-check_events-for-media-change-notificat.patch new file mode 100644 index 00000000000..2bd14d8e171 --- /dev/null +++ b/queue-4.19/md-switch-to-check_events-for-media-change-notificat.patch @@ -0,0 +1,141 @@ +From 6cb17b89f9481147d73ce606488c1d2c65a32523 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Jul 2020 14:25:41 +0200 +Subject: md: switch to ->check_events for media change notifications + +From: Christoph Hellwig + +[ Upstream commit a564e23f0f99759f453dbefcb9160dec6d99df96 ] + +md is the last driver using the legacy media_changed method. Switch +it over to (not so) new ->clear_events approach, which also removes the +need for the ->revalidate_disk method. + +Signed-off-by: Christoph Hellwig +[axboe: remove unused 'bdops' variable in disk_clear_events()] +Signed-off-by: Jens Axboe +Stable-dep-of: 9674f54e41ff ("md: Don't clear MD_CLOSING when the raid is about to stop") +Signed-off-by: Sasha Levin +--- + Documentation/filesystems/Locking | 4 +--- + block/genhd.c | 8 +------- + drivers/md/md.c | 19 ++++++++----------- + include/linux/blkdev.h | 2 -- + 4 files changed, 10 insertions(+), 23 deletions(-) + +diff --git a/Documentation/filesystems/Locking b/Documentation/filesystems/Locking +index efea228ccd8af..da300708404d1 100644 +--- a/Documentation/filesystems/Locking ++++ b/Documentation/filesystems/Locking +@@ -404,7 +404,6 @@ prototypes: + int (*compat_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long); + int (*direct_access) (struct block_device *, sector_t, void **, + unsigned long *); +- int (*media_changed) (struct gendisk *); + void (*unlock_native_capacity) (struct gendisk *); + int (*revalidate_disk) (struct gendisk *); + int (*getgeo)(struct block_device *, struct hd_geometry *); +@@ -417,13 +416,12 @@ release: yes + ioctl: no + compat_ioctl: no + direct_access: no +-media_changed: no + unlock_native_capacity: no + revalidate_disk: no + getgeo: no + swap_slot_free_notify: no (see below) + +-media_changed, unlock_native_capacity and revalidate_disk are called only from ++unlock_native_capacity and revalidate_disk are called only from + check_disk_change(). + + swap_slot_free_notify is called with swap_lock and sometimes the page lock +diff --git a/block/genhd.c b/block/genhd.c +index 27a410d310870..d2502e175aca0 100644 +--- a/block/genhd.c ++++ b/block/genhd.c +@@ -1771,18 +1771,12 @@ void disk_flush_events(struct gendisk *disk, unsigned int mask) + */ + unsigned int disk_clear_events(struct gendisk *disk, unsigned int mask) + { +- const struct block_device_operations *bdops = disk->fops; + struct disk_events *ev = disk->ev; + unsigned int pending; + unsigned int clearing = mask; + +- if (!ev) { +- /* for drivers still using the old ->media_changed method */ +- if ((mask & DISK_EVENT_MEDIA_CHANGE) && +- bdops->media_changed && bdops->media_changed(disk)) +- return DISK_EVENT_MEDIA_CHANGE; ++ if (!ev) + return 0; +- } + + disk_block_events(disk); + +diff --git a/drivers/md/md.c b/drivers/md/md.c +index 3cc28b2836078..a137f8b4a0541 100644 +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -5455,6 +5455,7 @@ static int md_alloc(dev_t dev, char *name) + * remove it now. + */ + disk->flags |= GENHD_FL_EXT_DEVT; ++ disk->events |= DISK_EVENT_MEDIA_CHANGE; + mddev->gendisk = disk; + add_disk(disk); + +@@ -7565,20 +7566,17 @@ static void md_release(struct gendisk *disk, fmode_t mode) + mddev_put(mddev); + } + +-static int md_media_changed(struct gendisk *disk) +-{ +- struct mddev *mddev = disk->private_data; +- +- return mddev->changed; +-} +- +-static int md_revalidate(struct gendisk *disk) ++static unsigned int md_check_events(struct gendisk *disk, unsigned int clearing) + { + struct mddev *mddev = disk->private_data; ++ unsigned int ret = 0; + ++ if (mddev->changed) ++ ret = DISK_EVENT_MEDIA_CHANGE; + mddev->changed = 0; +- return 0; ++ return ret; + } ++ + static const struct block_device_operations md_fops = + { + .owner = THIS_MODULE, +@@ -7589,8 +7587,7 @@ static const struct block_device_operations md_fops = + .compat_ioctl = md_compat_ioctl, + #endif + .getgeo = md_getgeo, +- .media_changed = md_media_changed, +- .revalidate_disk= md_revalidate, ++ .check_events = md_check_events, + }; + + static int md_thread(void *arg) +diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h +index 56fe682d9beb4..ac407c1d4d40f 100644 +--- a/include/linux/blkdev.h ++++ b/include/linux/blkdev.h +@@ -1994,8 +1994,6 @@ struct block_device_operations { + int (*compat_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long); + unsigned int (*check_events) (struct gendisk *disk, + unsigned int clearing); +- /* ->media_changed() is DEPRECATED, use ->check_events() instead */ +- int (*media_changed) (struct gendisk *); + void (*unlock_native_capacity) (struct gendisk *); + int (*revalidate_disk) (struct gendisk *); + int (*getgeo)(struct block_device *, struct hd_geometry *); +-- +2.43.0 + diff --git a/queue-4.19/media-dvb-core-fix-use-after-free-due-to-race-at-dvb.patch b/queue-4.19/media-dvb-core-fix-use-after-free-due-to-race-at-dvb.patch new file mode 100644 index 00000000000..b2cdb519dc3 --- /dev/null +++ b/queue-4.19/media-dvb-core-fix-use-after-free-due-to-race-at-dvb.patch @@ -0,0 +1,256 @@ +From ff4b2c9ae5a41d8e5e80df02bae6331c5d7f66fc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Nov 2022 04:59:24 +0000 +Subject: media: dvb-core: Fix use-after-free due to race at + dvb_register_device() + +From: Hyunwoo Kim + +[ Upstream commit 627bb528b086b4136315c25d6a447a98ea9448d3 ] + +dvb_register_device() dynamically allocates fops with kmemdup() +to set the fops->owner. +And these fops are registered in 'file->f_ops' using replace_fops() +in the dvb_device_open() process, and kfree()d in dvb_free_device(). + +However, it is not common to use dynamically allocated fops instead +of 'static const' fops as an argument of replace_fops(), +and UAF may occur. +These UAFs can occur on any dvb type using dvb_register_device(), +such as dvb_dvr, dvb_demux, dvb_frontend, dvb_net, etc. + +So, instead of kfree() the fops dynamically allocated in +dvb_register_device() in dvb_free_device() called during the +.disconnect() process, kfree() it collectively in exit_dvbdev() +called when the dvbdev.c module is removed. + +Link: https://lore.kernel.org/linux-media/20221117045925.14297-4-imv4bel@gmail.com +Signed-off-by: Hyunwoo Kim +Reported-by: kernel test robot +Reported-by: Dan Carpenter +Signed-off-by: Mauro Carvalho Chehab +Stable-dep-of: 8c64f4cdf4e6 ("media: edia: dvbdev: fix a use-after-free") +Signed-off-by: Sasha Levin +--- + drivers/media/dvb-core/dvbdev.c | 84 ++++++++++++++++++++++++--------- + include/media/dvbdev.h | 15 ++++++ + 2 files changed, 78 insertions(+), 21 deletions(-) + +diff --git a/drivers/media/dvb-core/dvbdev.c b/drivers/media/dvb-core/dvbdev.c +index cf0c428f5776b..35c272d77375e 100644 +--- a/drivers/media/dvb-core/dvbdev.c ++++ b/drivers/media/dvb-core/dvbdev.c +@@ -37,6 +37,7 @@ + #include + + static DEFINE_MUTEX(dvbdev_mutex); ++static LIST_HEAD(dvbdevfops_list); + static int dvbdev_debug; + + module_param(dvbdev_debug, int, 0644); +@@ -464,14 +465,15 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev, + enum dvb_device_type type, int demux_sink_pads) + { + struct dvb_device *dvbdev; +- struct file_operations *dvbdevfops; ++ struct file_operations *dvbdevfops = NULL; ++ struct dvbdevfops_node *node = NULL, *new_node = NULL; + struct device *clsdev; + int minor; + int id, ret; + + mutex_lock(&dvbdev_register_lock); + +- if ((id = dvbdev_get_free_id (adap, type)) < 0){ ++ if ((id = dvbdev_get_free_id (adap, type)) < 0) { + mutex_unlock(&dvbdev_register_lock); + *pdvbdev = NULL; + pr_err("%s: couldn't find free device id\n", __func__); +@@ -479,18 +481,45 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev, + } + + *pdvbdev = dvbdev = kzalloc(sizeof(*dvbdev), GFP_KERNEL); +- + if (!dvbdev){ + mutex_unlock(&dvbdev_register_lock); + return -ENOMEM; + } + +- dvbdevfops = kmemdup(template->fops, sizeof(*dvbdevfops), GFP_KERNEL); ++ /* ++ * When a device of the same type is probe()d more than once, ++ * the first allocated fops are used. This prevents memory leaks ++ * that can occur when the same device is probe()d repeatedly. ++ */ ++ list_for_each_entry(node, &dvbdevfops_list, list_head) { ++ if (node->fops->owner == adap->module && ++ node->type == type && ++ node->template == template) { ++ dvbdevfops = node->fops; ++ break; ++ } ++ } + +- if (!dvbdevfops){ +- kfree (dvbdev); +- mutex_unlock(&dvbdev_register_lock); +- return -ENOMEM; ++ if (dvbdevfops == NULL) { ++ dvbdevfops = kmemdup(template->fops, sizeof(*dvbdevfops), GFP_KERNEL); ++ if (!dvbdevfops) { ++ kfree(dvbdev); ++ mutex_unlock(&dvbdev_register_lock); ++ return -ENOMEM; ++ } ++ ++ new_node = kzalloc(sizeof(struct dvbdevfops_node), GFP_KERNEL); ++ if (!new_node) { ++ kfree(dvbdevfops); ++ kfree(dvbdev); ++ mutex_unlock(&dvbdev_register_lock); ++ return -ENOMEM; ++ } ++ ++ new_node->fops = dvbdevfops; ++ new_node->type = type; ++ new_node->template = template; ++ list_add_tail (&new_node->list_head, &dvbdevfops_list); + } + + memcpy(dvbdev, template, sizeof(struct dvb_device)); +@@ -501,20 +530,20 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev, + dvbdev->priv = priv; + dvbdev->fops = dvbdevfops; + init_waitqueue_head (&dvbdev->wait_queue); +- + dvbdevfops->owner = adap->module; +- + list_add_tail (&dvbdev->list_head, &adap->device_list); +- + down_write(&minor_rwsem); + #ifdef CONFIG_DVB_DYNAMIC_MINORS + for (minor = 0; minor < MAX_DVB_MINORS; minor++) + if (dvb_minors[minor] == NULL) + break; +- + if (minor == MAX_DVB_MINORS) { ++ if (new_node) { ++ list_del (&new_node->list_head); ++ kfree(dvbdevfops); ++ kfree(new_node); ++ } + list_del (&dvbdev->list_head); +- kfree(dvbdevfops); + kfree(dvbdev); + up_write(&minor_rwsem); + mutex_unlock(&dvbdev_register_lock); +@@ -523,41 +552,47 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev, + #else + minor = nums2minor(adap->num, type, id); + #endif +- + dvbdev->minor = minor; + dvb_minors[minor] = dvb_device_get(dvbdev); + up_write(&minor_rwsem); +- + ret = dvb_register_media_device(dvbdev, type, minor, demux_sink_pads); + if (ret) { + pr_err("%s: dvb_register_media_device failed to create the mediagraph\n", + __func__); +- ++ if (new_node) { ++ list_del (&new_node->list_head); ++ kfree(dvbdevfops); ++ kfree(new_node); ++ } + dvb_media_device_free(dvbdev); + list_del (&dvbdev->list_head); +- kfree(dvbdevfops); + kfree(dvbdev); + mutex_unlock(&dvbdev_register_lock); + return ret; + } + +- mutex_unlock(&dvbdev_register_lock); +- + clsdev = device_create(dvb_class, adap->device, + MKDEV(DVB_MAJOR, minor), + dvbdev, "dvb%d.%s%d", adap->num, dnames[type], id); + if (IS_ERR(clsdev)) { + pr_err("%s: failed to create device dvb%d.%s%d (%ld)\n", + __func__, adap->num, dnames[type], id, PTR_ERR(clsdev)); ++ if (new_node) { ++ list_del (&new_node->list_head); ++ kfree(dvbdevfops); ++ kfree(new_node); ++ } + dvb_media_device_free(dvbdev); + list_del (&dvbdev->list_head); +- kfree(dvbdevfops); + kfree(dvbdev); ++ mutex_unlock(&dvbdev_register_lock); + return PTR_ERR(clsdev); + } ++ + dprintk("DVB: register adapter%d/%s%d @ minor: %i (0x%02x)\n", + adap->num, dnames[type], id, minor, minor); + ++ mutex_unlock(&dvbdev_register_lock); + return 0; + } + EXPORT_SYMBOL(dvb_register_device); +@@ -586,7 +621,6 @@ static void dvb_free_device(struct kref *ref) + { + struct dvb_device *dvbdev = container_of(ref, struct dvb_device, ref); + +- kfree (dvbdev->fops); + kfree (dvbdev); + } + +@@ -1082,9 +1116,17 @@ static int __init init_dvbdev(void) + + static void __exit exit_dvbdev(void) + { ++ struct dvbdevfops_node *node, *next; ++ + class_destroy(dvb_class); + cdev_del(&dvb_device_cdev); + unregister_chrdev_region(MKDEV(DVB_MAJOR, 0), MAX_DVB_MINORS); ++ ++ list_for_each_entry_safe(node, next, &dvbdevfops_list, list_head) { ++ list_del (&node->list_head); ++ kfree(node->fops); ++ kfree(node); ++ } + } + + subsys_initcall(init_dvbdev); +diff --git a/include/media/dvbdev.h b/include/media/dvbdev.h +index 09279ed0051ea..0e2bda5ccadd5 100644 +--- a/include/media/dvbdev.h ++++ b/include/media/dvbdev.h +@@ -189,6 +189,21 @@ struct dvb_device { + void *priv; + }; + ++/** ++ * struct dvbdevfops_node - fops nodes registered in dvbdevfops_list ++ * ++ * @fops: Dynamically allocated fops for ->owner registration ++ * @type: type of dvb_device ++ * @template: dvb_device used for registration ++ * @list_head: list_head for dvbdevfops_list ++ */ ++struct dvbdevfops_node { ++ struct file_operations *fops; ++ enum dvb_device_type type; ++ const struct dvb_device *template; ++ struct list_head list_head; ++}; ++ + /** + * dvb_device_get - Increase dvb_device reference + * +-- +2.43.0 + diff --git a/queue-4.19/media-dvb-frontends-avoid-stack-overflow-warnings-wi.patch b/queue-4.19/media-dvb-frontends-avoid-stack-overflow-warnings-wi.patch new file mode 100644 index 00000000000..e71e66945aa --- /dev/null +++ b/queue-4.19/media-dvb-frontends-avoid-stack-overflow-warnings-wi.patch @@ -0,0 +1,95 @@ +From 51bda8f72000c02ae481e7212eff28edc5e6ff53 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Feb 2024 17:31:44 +0100 +Subject: media: dvb-frontends: avoid stack overflow warnings with clang + +From: Arnd Bergmann + +[ Upstream commit 7a4cf27d1f0538f779bf31b8c99eda394e277119 ] + +A previous patch worked around a KASAN issue in stv0367, now a similar +problem showed up with clang: + +drivers/media/dvb-frontends/stv0367.c:1222:12: error: stack frame size (3624) exceeds limit (2048) in 'stv0367ter_set_frontend' [-Werror,-Wframe-larger-than] + 1214 | static int stv0367ter_set_frontend(struct dvb_frontend *fe) + +Rework the stv0367_writereg() function to be simpler and mark both +register access functions as noinline_for_stack so the temporary +i2c_msg structures do not get duplicated on the stack when KASAN_STACK +is enabled. + +Fixes: 3cd890dbe2a4 ("media: dvb-frontends: fix i2c access helpers for KASAN") +Signed-off-by: Arnd Bergmann +Reviewed-by: Justin Stitt +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/dvb-frontends/stv0367.c | 34 +++++++-------------------- + 1 file changed, 8 insertions(+), 26 deletions(-) + +diff --git a/drivers/media/dvb-frontends/stv0367.c b/drivers/media/dvb-frontends/stv0367.c +index 49f4472f09fa8..7a5b27de725e0 100644 +--- a/drivers/media/dvb-frontends/stv0367.c ++++ b/drivers/media/dvb-frontends/stv0367.c +@@ -128,50 +128,32 @@ static const s32 stv0367cab_RF_LookUp2[RF_LOOKUP_TABLE2_SIZE][RF_LOOKUP_TABLE2_S + } + }; + +-static +-int stv0367_writeregs(struct stv0367_state *state, u16 reg, u8 *data, int len) ++static noinline_for_stack ++int stv0367_writereg(struct stv0367_state *state, u16 reg, u8 data) + { +- u8 buf[MAX_XFER_SIZE]; ++ u8 buf[3] = { MSB(reg), LSB(reg), data }; + struct i2c_msg msg = { + .addr = state->config->demod_address, + .flags = 0, + .buf = buf, +- .len = len + 2 ++ .len = 3, + }; + int ret; + +- if (2 + len > sizeof(buf)) { +- printk(KERN_WARNING +- "%s: i2c wr reg=%04x: len=%d is too big!\n", +- KBUILD_MODNAME, reg, len); +- return -EINVAL; +- } +- +- +- buf[0] = MSB(reg); +- buf[1] = LSB(reg); +- memcpy(buf + 2, data, len); +- + if (i2cdebug) + printk(KERN_DEBUG "%s: [%02x] %02x: %02x\n", __func__, +- state->config->demod_address, reg, buf[2]); ++ state->config->demod_address, reg, data); + + ret = i2c_transfer(state->i2c, &msg, 1); + if (ret != 1) + printk(KERN_ERR "%s: i2c write error! ([%02x] %02x: %02x)\n", +- __func__, state->config->demod_address, reg, buf[2]); ++ __func__, state->config->demod_address, reg, data); + + return (ret != 1) ? -EREMOTEIO : 0; + } + +-static int stv0367_writereg(struct stv0367_state *state, u16 reg, u8 data) +-{ +- u8 tmp = data; /* see gcc.gnu.org/bugzilla/show_bug.cgi?id=81715 */ +- +- return stv0367_writeregs(state, reg, &tmp, 1); +-} +- +-static u8 stv0367_readreg(struct stv0367_state *state, u16 reg) ++static noinline_for_stack ++u8 stv0367_readreg(struct stv0367_state *state, u16 reg) + { + u8 b0[] = { 0, 0 }; + u8 b1[] = { 0 }; +-- +2.43.0 + diff --git a/queue-4.19/media-dvbdev-fix-error-logic-at-dvb_register_device.patch b/queue-4.19/media-dvbdev-fix-error-logic-at-dvb_register_device.patch new file mode 100644 index 00000000000..2270e35142b --- /dev/null +++ b/queue-4.19/media-dvbdev-fix-error-logic-at-dvb_register_device.patch @@ -0,0 +1,56 @@ +From 35d2fb9d66a9ac9141721ddc49db808facd69469 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Jun 2021 14:32:29 +0200 +Subject: media: dvbdev: fix error logic at dvb_register_device() + +From: Mauro Carvalho Chehab + +[ Upstream commit 1fec2ecc252301110e4149e6183fa70460d29674 ] + +As reported by smatch: + + drivers/media/dvb-core/dvbdev.c: drivers/media/dvb-core/dvbdev.c:510 dvb_register_device() warn: '&dvbdev->list_head' not removed from list + drivers/media/dvb-core/dvbdev.c: drivers/media/dvb-core/dvbdev.c:530 dvb_register_device() warn: '&dvbdev->list_head' not removed from list + drivers/media/dvb-core/dvbdev.c: drivers/media/dvb-core/dvbdev.c:545 dvb_register_device() warn: '&dvbdev->list_head' not removed from list + +The error logic inside dvb_register_device() doesn't remove +devices from the dvb_adapter_list in case of errors. + +Signed-off-by: Mauro Carvalho Chehab +Stable-dep-of: 8c64f4cdf4e6 ("media: edia: dvbdev: fix a use-after-free") +Signed-off-by: Sasha Levin +--- + drivers/media/dvb-core/dvbdev.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/media/dvb-core/dvbdev.c b/drivers/media/dvb-core/dvbdev.c +index 8273c969358e6..cf0c428f5776b 100644 +--- a/drivers/media/dvb-core/dvbdev.c ++++ b/drivers/media/dvb-core/dvbdev.c +@@ -513,6 +513,7 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev, + break; + + if (minor == MAX_DVB_MINORS) { ++ list_del (&dvbdev->list_head); + kfree(dvbdevfops); + kfree(dvbdev); + up_write(&minor_rwsem); +@@ -533,6 +534,7 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev, + __func__); + + dvb_media_device_free(dvbdev); ++ list_del (&dvbdev->list_head); + kfree(dvbdevfops); + kfree(dvbdev); + mutex_unlock(&dvbdev_register_lock); +@@ -548,6 +550,7 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev, + pr_err("%s: failed to create device dvb%d.%s%d (%ld)\n", + __func__, adap->num, dnames[type], id, PTR_ERR(clsdev)); + dvb_media_device_free(dvbdev); ++ list_del (&dvbdev->list_head); + kfree(dvbdevfops); + kfree(dvbdev); + return PTR_ERR(clsdev); +-- +2.43.0 + diff --git a/queue-4.19/media-dvbdev-fix-memleak-in-dvb_register_device.patch b/queue-4.19/media-dvbdev-fix-memleak-in-dvb_register_device.patch new file mode 100644 index 00000000000..eea7848a8a8 --- /dev/null +++ b/queue-4.19/media-dvbdev-fix-memleak-in-dvb_register_device.patch @@ -0,0 +1,38 @@ +From 1170c1a1bd7b738a053eff46777756aac30cf4f5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Aug 2020 14:27:46 +0200 +Subject: media: dvbdev: Fix memleak in dvb_register_device + +From: Dinghao Liu + +[ Upstream commit 167faadfcf9339088910e9e85a1b711fcbbef8e9 ] + +When device_create() fails, dvbdev and dvbdevfops should +be freed just like when dvb_register_media_device() fails. + +Signed-off-by: Dinghao Liu +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Stable-dep-of: 8c64f4cdf4e6 ("media: edia: dvbdev: fix a use-after-free") +Signed-off-by: Sasha Levin +--- + drivers/media/dvb-core/dvbdev.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/media/dvb-core/dvbdev.c b/drivers/media/dvb-core/dvbdev.c +index 5d68ad0ac5d26..8273c969358e6 100644 +--- a/drivers/media/dvb-core/dvbdev.c ++++ b/drivers/media/dvb-core/dvbdev.c +@@ -547,6 +547,9 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev, + if (IS_ERR(clsdev)) { + pr_err("%s: failed to create device dvb%d.%s%d (%ld)\n", + __func__, adap->num, dnames[type], id, PTR_ERR(clsdev)); ++ dvb_media_device_free(dvbdev); ++ kfree(dvbdevfops); ++ kfree(dvbdev); + return PTR_ERR(clsdev); + } + dprintk("DVB: register adapter%d/%s%d @ minor: %i (0x%02x)\n", +-- +2.43.0 + diff --git a/queue-4.19/media-dvbdev-remove-double-unlock.patch b/queue-4.19/media-dvbdev-remove-double-unlock.patch new file mode 100644 index 00000000000..f04bd8c08a1 --- /dev/null +++ b/queue-4.19/media-dvbdev-remove-double-unlock.patch @@ -0,0 +1,35 @@ +From 73d2786f288727ae2b8707f91a60e48d2eef811d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Mar 2019 14:36:14 -0400 +Subject: media: dvbdev: remove double-unlock + +From: Mauro Carvalho Chehab + +[ Upstream commit 122d0e8dd050cc5dc3fb9e9b5f2dee3c5276ce35 ] + +As warned by smatch: + drivers/media/dvb-core/dvbdev.c: drivers/media/dvb-core/dvbdev.c:529 dvb_register_device() error: double unlock 'sem:&minor_rwsem' + +Reported-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Stable-dep-of: 8c64f4cdf4e6 ("media: edia: dvbdev: fix a use-after-free") +Signed-off-by: Sasha Levin +--- + drivers/media/dvb-core/dvbdev.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/media/dvb-core/dvbdev.c b/drivers/media/dvb-core/dvbdev.c +index b8335ede66264..1f80c4fa31c9b 100644 +--- a/drivers/media/dvb-core/dvbdev.c ++++ b/drivers/media/dvb-core/dvbdev.c +@@ -536,7 +536,6 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev, + dvb_media_device_free(dvbdev); + kfree(dvbdevfops); + kfree(dvbdev); +- up_write(&minor_rwsem); + mutex_unlock(&dvbdev_register_lock); + return ret; + } +-- +2.43.0 + diff --git a/queue-4.19/media-edia-dvbdev-fix-a-use-after-free.patch b/queue-4.19/media-edia-dvbdev-fix-a-use-after-free.patch new file mode 100644 index 00000000000..5055906cfff --- /dev/null +++ b/queue-4.19/media-edia-dvbdev-fix-a-use-after-free.patch @@ -0,0 +1,84 @@ +From f327af44862a627973e031760648e6667014c876 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 3 Feb 2024 14:40:43 +0100 +Subject: media: edia: dvbdev: fix a use-after-free + +From: Zhipeng Lu + +[ Upstream commit 8c64f4cdf4e6cc5682c52523713af8c39c94e6d5 ] + +In dvb_register_device, *pdvbdev is set equal to dvbdev, which is freed +in several error-handling paths. However, *pdvbdev is not set to NULL +after dvbdev's deallocation, causing use-after-frees in many places, +for example, in the following call chain: + +budget_register + |-> dvb_dmxdev_init + |-> dvb_register_device + |-> dvb_dmxdev_release + |-> dvb_unregister_device + |-> dvb_remove_device + |-> dvb_device_put + |-> kref_put + +When calling dvb_unregister_device, dmxdev->dvbdev (i.e. *pdvbdev in +dvb_register_device) could point to memory that had been freed in +dvb_register_device. Thereafter, this pointer is transferred to +kref_put and triggering a use-after-free. + +Link: https://lore.kernel.org/linux-media/20240203134046.3120099-1-alexious@zju.edu.cn +Fixes: b61901024776 ("V4L/DVB (5244): Dvbdev: fix illegal re-usage of fileoperations struct") +Signed-off-by: Zhipeng Lu +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/dvb-core/dvbdev.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/media/dvb-core/dvbdev.c b/drivers/media/dvb-core/dvbdev.c +index 35c272d77375e..f426e1bf16f0a 100644 +--- a/drivers/media/dvb-core/dvbdev.c ++++ b/drivers/media/dvb-core/dvbdev.c +@@ -504,6 +504,7 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev, + dvbdevfops = kmemdup(template->fops, sizeof(*dvbdevfops), GFP_KERNEL); + if (!dvbdevfops) { + kfree(dvbdev); ++ *pdvbdev = NULL; + mutex_unlock(&dvbdev_register_lock); + return -ENOMEM; + } +@@ -512,6 +513,7 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev, + if (!new_node) { + kfree(dvbdevfops); + kfree(dvbdev); ++ *pdvbdev = NULL; + mutex_unlock(&dvbdev_register_lock); + return -ENOMEM; + } +@@ -545,6 +547,7 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev, + } + list_del (&dvbdev->list_head); + kfree(dvbdev); ++ *pdvbdev = NULL; + up_write(&minor_rwsem); + mutex_unlock(&dvbdev_register_lock); + return -EINVAL; +@@ -567,6 +570,7 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev, + dvb_media_device_free(dvbdev); + list_del (&dvbdev->list_head); + kfree(dvbdev); ++ *pdvbdev = NULL; + mutex_unlock(&dvbdev_register_lock); + return ret; + } +@@ -585,6 +589,7 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev, + dvb_media_device_free(dvbdev); + list_del (&dvbdev->list_head); + kfree(dvbdev); ++ *pdvbdev = NULL; + mutex_unlock(&dvbdev_register_lock); + return PTR_ERR(clsdev); + } +-- +2.43.0 + diff --git a/queue-4.19/media-em28xx-annotate-unchecked-call-to-media_device.patch b/queue-4.19/media-em28xx-annotate-unchecked-call-to-media_device.patch new file mode 100644 index 00000000000..6878215395c --- /dev/null +++ b/queue-4.19/media-em28xx-annotate-unchecked-call-to-media_device.patch @@ -0,0 +1,42 @@ +From 6ce0c6c1f903bcb0f42dfc0c15eca34bfd118025 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Jan 2024 05:42:26 -0800 +Subject: media: em28xx: annotate unchecked call to media_device_register() + +From: Nikita Zhandarovich + +[ Upstream commit fd61d77a3d28444b2635f0c8b5a2ecd6a4d94026 ] + +Static analyzers generate alerts for an unchecked call to +`media_device_register()`. However, in this case, the device will work +reliably without the media controller API. + +Add a comment above the call to prevent future unnecessary changes. + +Suggested-by: Mauro Carvalho Chehab +Fixes: 37ecc7b1278f ("[media] em28xx: add media controller support") +Signed-off-by: Nikita Zhandarovich +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/usb/em28xx/em28xx-cards.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/media/usb/em28xx/em28xx-cards.c b/drivers/media/usb/em28xx/em28xx-cards.c +index b14bff7b4ec88..b9874324d1c44 100644 +--- a/drivers/media/usb/em28xx/em28xx-cards.c ++++ b/drivers/media/usb/em28xx/em28xx-cards.c +@@ -3990,6 +3990,10 @@ static int em28xx_usb_probe(struct usb_interface *intf, + * topology will likely change after the load of the em28xx subdrivers. + */ + #ifdef CONFIG_MEDIA_CONTROLLER ++ /* ++ * No need to check the return value, the device will still be ++ * usable without media controller API. ++ */ + retval = media_device_register(dev->media_dev); + #endif + +-- +2.43.0 + diff --git a/queue-4.19/media-go7007-add-check-of-return-value-of-go7007_rea.patch b/queue-4.19/media-go7007-add-check-of-return-value-of-go7007_rea.patch new file mode 100644 index 00000000000..59a5bc95e8f --- /dev/null +++ b/queue-4.19/media-go7007-add-check-of-return-value-of-go7007_rea.patch @@ -0,0 +1,40 @@ +From c0fb6a9b9cf5ba59d72569b7f822f254600ab24d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 11 Feb 2024 07:07:05 -0800 +Subject: media: go7007: add check of return value of go7007_read_addr() + +From: Daniil Dulov + +[ Upstream commit 0b70530ee740861f4776ff724fcc25023df1799a ] + +If go7007_read_addr() returns error channel is not assigned a value. +In this case go to allocfail. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 866b8695d67e ("Staging: add the go7007 video driver") +Signed-off-by: Daniil Dulov +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/usb/go7007/go7007-usb.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/usb/go7007/go7007-usb.c b/drivers/media/usb/go7007/go7007-usb.c +index b84a6f6548610..957c07479713f 100644 +--- a/drivers/media/usb/go7007/go7007-usb.c ++++ b/drivers/media/usb/go7007/go7007-usb.c +@@ -1206,7 +1206,9 @@ static int go7007_usb_probe(struct usb_interface *intf, + u16 channel; + + /* read channel number from GPIO[1:0] */ +- go7007_read_addr(go, 0x3c81, &channel); ++ if (go7007_read_addr(go, 0x3c81, &channel)) ++ goto allocfail; ++ + channel &= 0x3; + go->board_id = GO7007_BOARDID_ADLINK_MPG24; + usb->board = board = &board_adlink_mpg24; +-- +2.43.0 + diff --git a/queue-4.19/media-go7007-fix-a-memleak-in-go7007_load_encoder.patch b/queue-4.19/media-go7007-fix-a-memleak-in-go7007_load_encoder.patch new file mode 100644 index 00000000000..73bc63bffea --- /dev/null +++ b/queue-4.19/media-go7007-fix-a-memleak-in-go7007_load_encoder.patch @@ -0,0 +1,57 @@ +From 8ccebdc54f161c113c6f9e50bda3bbcc8e109dfd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Feb 2024 12:37:13 +0800 +Subject: media: go7007: fix a memleak in go7007_load_encoder + +From: Zhipeng Lu + +[ Upstream commit b9b683844b01d171a72b9c0419a2d760d946ee12 ] + +In go7007_load_encoder, bounce(i.e. go->boot_fw), is allocated without +a deallocation thereafter. After the following call chain: + +saa7134_go7007_init + |-> go7007_boot_encoder + |-> go7007_load_encoder + |-> kfree(go) + +go is freed and thus bounce is leaked. + +Fixes: 95ef39403f89 ("[media] go7007: remember boot firmware") +Signed-off-by: Zhipeng Lu +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/usb/go7007/go7007-driver.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/media/usb/go7007/go7007-driver.c b/drivers/media/usb/go7007/go7007-driver.c +index c7b5a3321cd74..15f78d3ce3bac 100644 +--- a/drivers/media/usb/go7007/go7007-driver.c ++++ b/drivers/media/usb/go7007/go7007-driver.c +@@ -88,7 +88,7 @@ static int go7007_load_encoder(struct go7007 *go) + const struct firmware *fw_entry; + char fw_name[] = "go7007/go7007fw.bin"; + void *bounce; +- int fw_len, rv = 0; ++ int fw_len; + u16 intr_val, intr_data; + + if (go->boot_fw == NULL) { +@@ -117,9 +117,11 @@ static int go7007_load_encoder(struct go7007 *go) + go7007_read_interrupt(go, &intr_val, &intr_data) < 0 || + (intr_val & ~0x1) != 0x5a5a) { + v4l2_err(go, "error transferring firmware\n"); +- rv = -1; ++ kfree(go->boot_fw); ++ go->boot_fw = NULL; ++ return -1; + } +- return rv; ++ return 0; + } + + MODULE_FIRMWARE("go7007/go7007fw.bin"); +-- +2.43.0 + diff --git a/queue-4.19/media-media-dvb-use-kmemdup-rather-than-duplicating-.patch b/queue-4.19/media-media-dvb-use-kmemdup-rather-than-duplicating-.patch new file mode 100644 index 00000000000..9d3284d7d13 --- /dev/null +++ b/queue-4.19/media-media-dvb-use-kmemdup-rather-than-duplicating-.patch @@ -0,0 +1,73 @@ +From 589cc419fc34b75f2ba1b1111d0b002adef88509 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Jul 2019 13:28:37 -0300 +Subject: media: media/dvb: Use kmemdup rather than duplicating its + implementation + +From: Fuqian Huang + +[ Upstream commit f6af820ef1be58c2e4b81aa479b9f109eb6344ce ] + +kmemdup is introduced to duplicate a region of memory in a neat way. +Rather than kmalloc/kzalloc + memcpy, which the programmer needs to +write the size twice (sometimes lead to mistakes), kmemdup improves +readability, leads to smaller code and also reduce the chances of mistakes. +Suggestion to use kmemdup rather than using kmalloc/kzalloc + memcpy. + +Signed-off-by: Fuqian Huang +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Stable-dep-of: 8c64f4cdf4e6 ("media: edia: dvbdev: fix a use-after-free") +Signed-off-by: Sasha Levin +--- + drivers/media/dvb-core/dvbdev.c | 3 +-- + drivers/media/dvb-frontends/drx39xyj/drxj.c | 5 ++--- + 2 files changed, 3 insertions(+), 5 deletions(-) + +diff --git a/drivers/media/dvb-core/dvbdev.c b/drivers/media/dvb-core/dvbdev.c +index 1f80c4fa31c9b..5d68ad0ac5d26 100644 +--- a/drivers/media/dvb-core/dvbdev.c ++++ b/drivers/media/dvb-core/dvbdev.c +@@ -485,7 +485,7 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev, + return -ENOMEM; + } + +- dvbdevfops = kzalloc(sizeof(struct file_operations), GFP_KERNEL); ++ dvbdevfops = kmemdup(template->fops, sizeof(*dvbdevfops), GFP_KERNEL); + + if (!dvbdevfops){ + kfree (dvbdev); +@@ -502,7 +502,6 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev, + dvbdev->fops = dvbdevfops; + init_waitqueue_head (&dvbdev->wait_queue); + +- memcpy(dvbdevfops, template->fops, sizeof(struct file_operations)); + dvbdevfops->owner = adap->module; + + list_add_tail (&dvbdev->list_head, &adap->device_list); +diff --git a/drivers/media/dvb-frontends/drx39xyj/drxj.c b/drivers/media/dvb-frontends/drx39xyj/drxj.c +index 9670bc98b45a9..33cf6dccb547f 100644 +--- a/drivers/media/dvb-frontends/drx39xyj/drxj.c ++++ b/drivers/media/dvb-frontends/drx39xyj/drxj.c +@@ -12287,7 +12287,8 @@ struct dvb_frontend *drx39xxj_attach(struct i2c_adapter *i2c) + if (state == NULL) + goto error; + +- demod = kmalloc(sizeof(struct drx_demod_instance), GFP_KERNEL); ++ demod = kmemdup(&drxj_default_demod_g, ++ sizeof(struct drx_demod_instance), GFP_KERNEL); + if (demod == NULL) + goto error; + +@@ -12311,8 +12312,6 @@ struct dvb_frontend *drx39xxj_attach(struct i2c_adapter *i2c) + state->demod = demod; + + /* setup the demod data */ +- memcpy(demod, &drxj_default_demod_g, sizeof(struct drx_demod_instance)); +- + demod->my_i2c_dev_addr = demod_addr; + demod->my_common_attr = demod_comm_attr; + demod->my_i2c_dev_addr->user_data = state; +-- +2.43.0 + diff --git a/queue-4.19/media-pvrusb2-fix-pvr2_stream_callback-casts.patch b/queue-4.19/media-pvrusb2-fix-pvr2_stream_callback-casts.patch new file mode 100644 index 00000000000..a1766185114 --- /dev/null +++ b/queue-4.19/media-pvrusb2-fix-pvr2_stream_callback-casts.patch @@ -0,0 +1,115 @@ +From 16c07251a26e73a0b0aa11cdb0f094896439c4b4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Feb 2024 11:04:27 +0100 +Subject: media: pvrusb2: fix pvr2_stream_callback casts + +From: Arnd Bergmann + +[ Upstream commit 30baa4a96b23add91a87305baaeba82c4e109e1f ] + +clang-16 complains about a control flow integrity (KCFI) issue in pvrusb2, +which casts three different prototypes into pvr2_stream_callback: + +drivers/media/usb/pvrusb2/pvrusb2-v4l2.c:1070:30: error: cast from 'void (*)(struct pvr2_v4l2_fh *)' to 'pvr2_stream_callback' (aka 'void (*)(void *)') converts to incompatible function type [-Werror,-Wcast-function-type-strict] + 1070 | pvr2_stream_set_callback(sp,(pvr2_stream_callback)pvr2_v4l2_notify,fh); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +drivers/media/usb/pvrusb2/pvrusb2-context.c:110:6: error: cast from 'void (*)(struct pvr2_context *)' to 'void (*)(void *)' converts to incompatible function type [-Werror,-Wcast-function-type-strict] + 110 | (void (*)(void *))pvr2_context_notify, + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +drivers/media/usb/pvrusb2/pvrusb2-dvb.c:152:6: error: cast from 'void (*)(struct pvr2_dvb_adapter *)' to 'pvr2_stream_callback' (aka 'void (*)(void *)') converts to incompatible function type [-Werror,-Wcast-function-type-strict] + 152 | (pvr2_stream_callback) pvr2_dvb_notify, adap); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Change the functions to actually take a void* argument so the cast is no longer +needed. + +Fixes: bb8ce9d9143c ("V4L/DVB (7682): pvrusb2-dvb: finish up stream & buffer handling") +Signed-off-by: Arnd Bergmann +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/usb/pvrusb2/pvrusb2-context.c | 8 ++++---- + drivers/media/usb/pvrusb2/pvrusb2-dvb.c | 6 ++++-- + drivers/media/usb/pvrusb2/pvrusb2-v4l2.c | 6 ++++-- + 3 files changed, 12 insertions(+), 8 deletions(-) + +diff --git a/drivers/media/usb/pvrusb2/pvrusb2-context.c b/drivers/media/usb/pvrusb2/pvrusb2-context.c +index 9236463ba269f..28a9cfef8f9f2 100644 +--- a/drivers/media/usb/pvrusb2/pvrusb2-context.c ++++ b/drivers/media/usb/pvrusb2/pvrusb2-context.c +@@ -99,8 +99,10 @@ static void pvr2_context_destroy(struct pvr2_context *mp) + } + + +-static void pvr2_context_notify(struct pvr2_context *mp) ++static void pvr2_context_notify(void *ptr) + { ++ struct pvr2_context *mp = ptr; ++ + pvr2_context_set_notify(mp,!0); + } + +@@ -115,9 +117,7 @@ static void pvr2_context_check(struct pvr2_context *mp) + pvr2_trace(PVR2_TRACE_CTXT, + "pvr2_context %p (initialize)", mp); + /* Finish hardware initialization */ +- if (pvr2_hdw_initialize(mp->hdw, +- (void (*)(void *))pvr2_context_notify, +- mp)) { ++ if (pvr2_hdw_initialize(mp->hdw, pvr2_context_notify, mp)) { + mp->video_stream.stream = + pvr2_hdw_get_video_stream(mp->hdw); + /* Trigger interface initialization. By doing this +diff --git a/drivers/media/usb/pvrusb2/pvrusb2-dvb.c b/drivers/media/usb/pvrusb2/pvrusb2-dvb.c +index 4b32b21411695..f326ab9a272e6 100644 +--- a/drivers/media/usb/pvrusb2/pvrusb2-dvb.c ++++ b/drivers/media/usb/pvrusb2/pvrusb2-dvb.c +@@ -97,8 +97,10 @@ static int pvr2_dvb_feed_thread(void *data) + return stat; + } + +-static void pvr2_dvb_notify(struct pvr2_dvb_adapter *adap) ++static void pvr2_dvb_notify(void *ptr) + { ++ struct pvr2_dvb_adapter *adap = ptr; ++ + wake_up(&adap->buffer_wait_data); + } + +@@ -158,7 +160,7 @@ static int pvr2_dvb_stream_do_start(struct pvr2_dvb_adapter *adap) + } + + pvr2_stream_set_callback(pvr->video_stream.stream, +- (pvr2_stream_callback) pvr2_dvb_notify, adap); ++ pvr2_dvb_notify, adap); + + ret = pvr2_stream_set_buffer_count(stream, PVR2_DVB_BUFFER_COUNT); + if (ret < 0) return ret; +diff --git a/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c b/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c +index 04d334152eae2..5e2c9aa649648 100644 +--- a/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c ++++ b/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c +@@ -1055,8 +1055,10 @@ static int pvr2_v4l2_open(struct file *file) + } + + +-static void pvr2_v4l2_notify(struct pvr2_v4l2_fh *fhp) ++static void pvr2_v4l2_notify(void *ptr) + { ++ struct pvr2_v4l2_fh *fhp = ptr; ++ + wake_up(&fhp->wait_data); + } + +@@ -1089,7 +1091,7 @@ static int pvr2_v4l2_iosetup(struct pvr2_v4l2_fh *fh) + + hdw = fh->channel.mc_head->hdw; + sp = fh->pdi->stream->stream; +- pvr2_stream_set_callback(sp,(pvr2_stream_callback)pvr2_v4l2_notify,fh); ++ pvr2_stream_set_callback(sp, pvr2_v4l2_notify, fh); + pvr2_hdw_set_stream_type(hdw,fh->pdi->config); + if ((ret = pvr2_hdw_set_streaming(hdw,!0)) < 0) return ret; + return pvr2_ioread_set_enabled(fh->rhp,!0); +-- +2.43.0 + diff --git a/queue-4.19/media-pvrusb2-fix-uaf-in-pvr2_context_set_notify.patch b/queue-4.19/media-pvrusb2-fix-uaf-in-pvr2_context_set_notify.patch new file mode 100644 index 00000000000..53a5ed2532e --- /dev/null +++ b/queue-4.19/media-pvrusb2-fix-uaf-in-pvr2_context_set_notify.patch @@ -0,0 +1,75 @@ +From 5b4c4aa5ae55b82c4eb1426fc3bbf8d20eab5e52 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Feb 2024 15:30:47 +0800 +Subject: media: pvrusb2: fix uaf in pvr2_context_set_notify + +From: Edward Adam Davis + +[ Upstream commit 0a0b79ea55de8514e1750884e5fec77f9fdd01ee ] + +[Syzbot reported] +BUG: KASAN: slab-use-after-free in pvr2_context_set_notify+0x2c4/0x310 drivers/media/usb/pvrusb2/pvrusb2-context.c:35 +Read of size 4 at addr ffff888113aeb0d8 by task kworker/1:1/26 + +CPU: 1 PID: 26 Comm: kworker/1:1 Not tainted 6.8.0-rc1-syzkaller-00046-gf1a27f081c1f #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024 +Workqueue: usb_hub_wq hub_event +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106 + print_address_description mm/kasan/report.c:377 [inline] + print_report+0xc4/0x620 mm/kasan/report.c:488 + kasan_report+0xda/0x110 mm/kasan/report.c:601 + pvr2_context_set_notify+0x2c4/0x310 drivers/media/usb/pvrusb2/pvrusb2-context.c:35 + pvr2_context_notify drivers/media/usb/pvrusb2/pvrusb2-context.c:95 [inline] + pvr2_context_disconnect+0x94/0xb0 drivers/media/usb/pvrusb2/pvrusb2-context.c:272 + +Freed by task 906: +kasan_save_stack+0x33/0x50 mm/kasan/common.c:47 +kasan_save_track+0x14/0x30 mm/kasan/common.c:68 +kasan_save_free_info+0x3f/0x60 mm/kasan/generic.c:640 +poison_slab_object mm/kasan/common.c:241 [inline] +__kasan_slab_free+0x106/0x1b0 mm/kasan/common.c:257 +kasan_slab_free include/linux/kasan.h:184 [inline] +slab_free_hook mm/slub.c:2121 [inline] +slab_free mm/slub.c:4299 [inline] +kfree+0x105/0x340 mm/slub.c:4409 +pvr2_context_check drivers/media/usb/pvrusb2/pvrusb2-context.c:137 [inline] +pvr2_context_thread_func+0x69d/0x960 drivers/media/usb/pvrusb2/pvrusb2-context.c:158 + +[Analyze] +Task A set disconnect_flag = !0, which resulted in Task B's condition being met +and releasing mp, leading to this issue. + +[Fix] +Place the disconnect_flag assignment operation after all code in pvr2_context_disconnect() +to avoid this issue. + +Reported-and-tested-by: syzbot+ce750e124675d4599449@syzkaller.appspotmail.com +Fixes: e5be15c63804 ("V4L/DVB (7711): pvrusb2: Fix race on module unload") +Signed-off-by: Edward Adam Davis +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/usb/pvrusb2/pvrusb2-context.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/usb/pvrusb2/pvrusb2-context.c b/drivers/media/usb/pvrusb2/pvrusb2-context.c +index 28a9cfef8f9f2..698b2cf65526d 100644 +--- a/drivers/media/usb/pvrusb2/pvrusb2-context.c ++++ b/drivers/media/usb/pvrusb2/pvrusb2-context.c +@@ -276,9 +276,9 @@ static void pvr2_context_exit(struct pvr2_context *mp) + void pvr2_context_disconnect(struct pvr2_context *mp) + { + pvr2_hdw_disconnect(mp->hdw); +- mp->disconnect_flag = !0; + if (!pvr2_context_shutok()) + pvr2_context_notify(mp); ++ mp->disconnect_flag = !0; + } + + +-- +2.43.0 + diff --git a/queue-4.19/media-tc358743-register-v4l2-async-device-only-after.patch b/queue-4.19/media-tc358743-register-v4l2-async-device-only-after.patch new file mode 100644 index 00000000000..3dec92ec5f5 --- /dev/null +++ b/queue-4.19/media-tc358743-register-v4l2-async-device-only-after.patch @@ -0,0 +1,51 @@ +From 1dc16a9f7374a1db83f2d761f9b1fe4778b7c044 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Jan 2024 10:01:11 +0100 +Subject: media: tc358743: register v4l2 async device only after successful + setup + +From: Alexander Stein + +[ Upstream commit 87399f1ff92203d65f1febf5919429f4bb613a02 ] + +Ensure the device has been setup correctly before registering the v4l2 +async device, thus allowing userspace to access. + +Signed-off-by: Alexander Stein +Reviewed-by: Robert Foss +Fixes: 4c5211a10039 ("[media] tc358743: register v4l2 asynchronous subdevice") +Signed-off-by: Robert Foss +Link: https://patchwork.freedesktop.org/patch/msgid/20240110090111.458115-1-alexander.stein@ew.tq-group.com +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/tc358743.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/media/i2c/tc358743.c b/drivers/media/i2c/tc358743.c +index 079b8db4bc48b..2650be358b027 100644 +--- a/drivers/media/i2c/tc358743.c ++++ b/drivers/media/i2c/tc358743.c +@@ -2107,9 +2107,6 @@ static int tc358743_probe(struct i2c_client *client, + state->mbus_fmt_code = MEDIA_BUS_FMT_RGB888_1X24; + + sd->dev = &client->dev; +- err = v4l2_async_register_subdev(sd); +- if (err < 0) +- goto err_hdl; + + mutex_init(&state->confctl_mutex); + +@@ -2167,6 +2164,10 @@ static int tc358743_probe(struct i2c_client *client, + if (err) + goto err_work_queues; + ++ err = v4l2_async_register_subdev(sd); ++ if (err < 0) ++ goto err_work_queues; ++ + v4l2_info(sd, "%s found @ 0x%x (%s)\n", client->name, + client->addr << 1, client->adapter->name); + +-- +2.43.0 + diff --git a/queue-4.19/media-v4l2-mem2mem-fix-a-memleak-in-v4l2_m2m_registe.patch b/queue-4.19/media-v4l2-mem2mem-fix-a-memleak-in-v4l2_m2m_registe.patch new file mode 100644 index 00000000000..d87eae9b1f0 --- /dev/null +++ b/queue-4.19/media-v4l2-mem2mem-fix-a-memleak-in-v4l2_m2m_registe.patch @@ -0,0 +1,48 @@ +From 190d7f8d7cde7b37984ef2f2933aefe934334d35 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Feb 2024 20:48:44 +0800 +Subject: media: v4l2-mem2mem: fix a memleak in v4l2_m2m_register_entity + +From: Zhipeng Lu + +[ Upstream commit 8f94b49a5b5d386c038e355bef6347298aabd211 ] + +The entity->name (i.e. name) is allocated in v4l2_m2m_register_entity +but isn't freed in its following error-handling paths. This patch +adds such deallocation to prevent memleak of entity->name. + +Fixes: be2fff656322 ("media: add helpers for memory-to-memory media controller") +Signed-off-by: Zhipeng Lu +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/v4l2-core/v4l2-mem2mem.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/v4l2-core/v4l2-mem2mem.c b/drivers/media/v4l2-core/v4l2-mem2mem.c +index 75c51007768e3..5c4e4d101ca46 100644 +--- a/drivers/media/v4l2-core/v4l2-mem2mem.c ++++ b/drivers/media/v4l2-core/v4l2-mem2mem.c +@@ -775,11 +775,17 @@ static int v4l2_m2m_register_entity(struct media_device *mdev, + entity->function = function; + + ret = media_entity_pads_init(entity, num_pads, pads); +- if (ret) ++ if (ret) { ++ kfree(entity->name); ++ entity->name = NULL; + return ret; ++ } + ret = media_device_register_entity(mdev, entity); +- if (ret) ++ if (ret) { ++ kfree(entity->name); ++ entity->name = NULL; + return ret; ++ } + + return 0; + } +-- +2.43.0 + diff --git a/queue-4.19/media-v4l2-tpg-fix-some-memleaks-in-tpg_alloc.patch b/queue-4.19/media-v4l2-tpg-fix-some-memleaks-in-tpg_alloc.patch new file mode 100644 index 00000000000..5de2496e71b --- /dev/null +++ b/queue-4.19/media-v4l2-tpg-fix-some-memleaks-in-tpg_alloc.patch @@ -0,0 +1,112 @@ +From 7354e08de118ab500019e44c3b661c464c26ff1e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Feb 2024 20:47:53 +0800 +Subject: media: v4l2-tpg: fix some memleaks in tpg_alloc + +From: Zhipeng Lu + +[ Upstream commit 8cf9c5051076e0eb958f4361d50d8b0c3ee6691c ] + +In tpg_alloc, resources should be deallocated in each and every +error-handling paths, since they are allocated in for statements. +Otherwise there would be memleaks because tpg_free is called only when +tpg_alloc return 0. + +Fixes: 63881df94d3e ("[media] vivid: add the Test Pattern Generator") +Signed-off-by: Zhipeng Lu +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/common/v4l2-tpg/v4l2-tpg-core.c | 52 +++++++++++++++---- + 1 file changed, 42 insertions(+), 10 deletions(-) + +diff --git a/drivers/media/common/v4l2-tpg/v4l2-tpg-core.c b/drivers/media/common/v4l2-tpg/v4l2-tpg-core.c +index 2036b94269afe..182a300e2d445 100644 +--- a/drivers/media/common/v4l2-tpg/v4l2-tpg-core.c ++++ b/drivers/media/common/v4l2-tpg/v4l2-tpg-core.c +@@ -113,6 +113,7 @@ int tpg_alloc(struct tpg_data *tpg, unsigned max_w) + { + unsigned pat; + unsigned plane; ++ int ret = 0; + + tpg->max_line_width = max_w; + for (pat = 0; pat < TPG_MAX_PAT_LINES; pat++) { +@@ -121,14 +122,18 @@ int tpg_alloc(struct tpg_data *tpg, unsigned max_w) + + tpg->lines[pat][plane] = + vzalloc(array3_size(max_w, 2, pixelsz)); +- if (!tpg->lines[pat][plane]) +- return -ENOMEM; ++ if (!tpg->lines[pat][plane]) { ++ ret = -ENOMEM; ++ goto free_lines; ++ } + if (plane == 0) + continue; + tpg->downsampled_lines[pat][plane] = + vzalloc(array3_size(max_w, 2, pixelsz)); +- if (!tpg->downsampled_lines[pat][plane]) +- return -ENOMEM; ++ if (!tpg->downsampled_lines[pat][plane]) { ++ ret = -ENOMEM; ++ goto free_lines; ++ } + } + } + for (plane = 0; plane < TPG_MAX_PLANES; plane++) { +@@ -136,18 +141,45 @@ int tpg_alloc(struct tpg_data *tpg, unsigned max_w) + + tpg->contrast_line[plane] = + vzalloc(array_size(pixelsz, max_w)); +- if (!tpg->contrast_line[plane]) +- return -ENOMEM; ++ if (!tpg->contrast_line[plane]) { ++ ret = -ENOMEM; ++ goto free_contrast_line; ++ } + tpg->black_line[plane] = + vzalloc(array_size(pixelsz, max_w)); +- if (!tpg->black_line[plane]) +- return -ENOMEM; ++ if (!tpg->black_line[plane]) { ++ ret = -ENOMEM; ++ goto free_contrast_line; ++ } + tpg->random_line[plane] = + vzalloc(array3_size(max_w, 2, pixelsz)); +- if (!tpg->random_line[plane]) +- return -ENOMEM; ++ if (!tpg->random_line[plane]) { ++ ret = -ENOMEM; ++ goto free_contrast_line; ++ } + } + return 0; ++ ++free_contrast_line: ++ for (plane = 0; plane < TPG_MAX_PLANES; plane++) { ++ vfree(tpg->contrast_line[plane]); ++ vfree(tpg->black_line[plane]); ++ vfree(tpg->random_line[plane]); ++ tpg->contrast_line[plane] = NULL; ++ tpg->black_line[plane] = NULL; ++ tpg->random_line[plane] = NULL; ++ } ++free_lines: ++ for (pat = 0; pat < TPG_MAX_PAT_LINES; pat++) ++ for (plane = 0; plane < TPG_MAX_PLANES; plane++) { ++ vfree(tpg->lines[pat][plane]); ++ tpg->lines[pat][plane] = NULL; ++ if (plane == 0) ++ continue; ++ vfree(tpg->downsampled_lines[pat][plane]); ++ tpg->downsampled_lines[pat][plane] = NULL; ++ } ++ return ret; + } + EXPORT_SYMBOL_GPL(tpg_alloc); + +-- +2.43.0 + diff --git a/queue-4.19/mfd-syscon-call-of_node_put-only-when-of_parse_phand.patch b/queue-4.19/mfd-syscon-call-of_node_put-only-when-of_parse_phand.patch new file mode 100644 index 00000000000..7d726f89527 --- /dev/null +++ b/queue-4.19/mfd-syscon-call-of_node_put-only-when-of_parse_phand.patch @@ -0,0 +1,42 @@ +From 031a9e03fb3caa89a866b64028a00b8e19116871 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Feb 2024 11:50:10 +0000 +Subject: mfd: syscon: Call of_node_put() only when of_parse_phandle() takes a + ref + +From: Peter Griffin + +[ Upstream commit d2b0680cf3b05490b579e71b0df6e07451977745 ] + +of_parse_phandle() returns a device_node with refcount incremented, which +the callee needs to call of_node_put() on when done. We should only call +of_node_put() when the property argument is provided though as otherwise +nothing has taken a reference on the node. + +Fixes: 45330bb43421 ("mfd: syscon: Allow property as NULL in syscon_regmap_lookup_by_phandle") +Signed-off-by: Peter Griffin +Link: https://lore.kernel.org/r/20240220115012.471689-2-peter.griffin@linaro.org +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/mfd/syscon.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/mfd/syscon.c b/drivers/mfd/syscon.c +index b6d05cd934e66..d73869889166f 100644 +--- a/drivers/mfd/syscon.c ++++ b/drivers/mfd/syscon.c +@@ -211,7 +211,9 @@ struct regmap *syscon_regmap_lookup_by_phandle(struct device_node *np, + return ERR_PTR(-ENODEV); + + regmap = syscon_node_to_regmap(syscon_np); +- of_node_put(syscon_np); ++ ++ if (property) ++ of_node_put(syscon_np); + + return regmap; + } +-- +2.43.0 + diff --git a/queue-4.19/mmc-wmt-sdmmc-remove-an-incorrect-release_mem_region.patch b/queue-4.19/mmc-wmt-sdmmc-remove-an-incorrect-release_mem_region.patch new file mode 100644 index 00000000000..0a07e3eb6f5 --- /dev/null +++ b/queue-4.19/mmc-wmt-sdmmc-remove-an-incorrect-release_mem_region.patch @@ -0,0 +1,50 @@ +From b5832b66090138cb06f00701c94b3b6f1e08531d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Feb 2024 22:37:39 +0100 +Subject: mmc: wmt-sdmmc: remove an incorrect release_mem_region() call in the + .remove function + +From: Christophe JAILLET + +[ Upstream commit ae5004a40a262d329039b99b62bd3fe7645b66ad ] + +This looks strange to call release_mem_region() in a remove function +without any request_mem_region() in the probe or "struct resource" +somewhere. + +So remove the corresponding code. + +Fixes: 3a96dff0f828 ("mmc: SD/MMC Host Controller for Wondermedia WM8505/WM8650") +Signed-off-by: Christophe JAILLET +Link: https://lore.kernel.org/r/bb0bb1ed1e18de55e8c0547625bde271e64b8c31.1708983064.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/wmt-sdmmc.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/drivers/mmc/host/wmt-sdmmc.c b/drivers/mmc/host/wmt-sdmmc.c +index a132bc822b5c6..b6369bfd64fd5 100644 +--- a/drivers/mmc/host/wmt-sdmmc.c ++++ b/drivers/mmc/host/wmt-sdmmc.c +@@ -893,7 +893,6 @@ static int wmt_mci_remove(struct platform_device *pdev) + { + struct mmc_host *mmc; + struct wmt_mci_priv *priv; +- struct resource *res; + u32 reg_tmp; + + mmc = platform_get_drvdata(pdev); +@@ -921,9 +920,6 @@ static int wmt_mci_remove(struct platform_device *pdev) + clk_disable_unprepare(priv->clk_sdmmc); + clk_put(priv->clk_sdmmc); + +- res = platform_get_resource(pdev, IORESOURCE_MEM, 0); +- release_mem_region(res->start, resource_size(res)); +- + mmc_free_host(mmc); + + dev_info(&pdev->dev, "WMT MCI device removed\n"); +-- +2.43.0 + diff --git a/queue-4.19/mtd-rawnand-lpc32xx_mlc-fix-irq-handler-prototype.patch b/queue-4.19/mtd-rawnand-lpc32xx_mlc-fix-irq-handler-prototype.patch new file mode 100644 index 00000000000..0cd90624ef9 --- /dev/null +++ b/queue-4.19/mtd-rawnand-lpc32xx_mlc-fix-irq-handler-prototype.patch @@ -0,0 +1,52 @@ +From 686c2596816a93762b38a8ded1e613b6bd127dfc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Feb 2024 11:00:09 +0100 +Subject: mtd: rawnand: lpc32xx_mlc: fix irq handler prototype + +From: Arnd Bergmann + +[ Upstream commit 347b828882e6334690e7003ce5e2fe5f233dc508 ] + +clang-16 warns about mismatched function prototypes: + +drivers/mtd/nand/raw/lpc32xx_mlc.c:783:29: error: cast from 'irqreturn_t (*)(int, struct lpc32xx_nand_host *)' (aka 'enum irqreturn (*)(int, struct lpc32xx_nand_host *)') to 'irq_handler_t' (aka 'enum irqreturn (*)(int, void *)') converts to incompatible function type [-Werror,-Wcast-function-type-strict] + +Change the interrupt handler to the normal way of just passing +a void* pointer and converting it inside the function.. + +Fixes: 70f7cb78ec53 ("mtd: add LPC32xx MLC NAND driver") +Signed-off-by: Arnd Bergmann +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20240213100146.455811-1-arnd@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/mtd/nand/raw/lpc32xx_mlc.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/mtd/nand/raw/lpc32xx_mlc.c b/drivers/mtd/nand/raw/lpc32xx_mlc.c +index d240b8ff40cad..507b2bd58f734 100644 +--- a/drivers/mtd/nand/raw/lpc32xx_mlc.c ++++ b/drivers/mtd/nand/raw/lpc32xx_mlc.c +@@ -316,8 +316,9 @@ static int lpc32xx_nand_device_ready(struct mtd_info *mtd) + return 0; + } + +-static irqreturn_t lpc3xxx_nand_irq(int irq, struct lpc32xx_nand_host *host) ++static irqreturn_t lpc3xxx_nand_irq(int irq, void *data) + { ++ struct lpc32xx_nand_host *host = data; + uint8_t sr; + + /* Clear interrupt flag by reading status */ +@@ -790,7 +791,7 @@ static int lpc32xx_nand_probe(struct platform_device *pdev) + goto release_dma_chan; + } + +- if (request_irq(host->irq, (irq_handler_t)&lpc3xxx_nand_irq, ++ if (request_irq(host->irq, &lpc3xxx_nand_irq, + IRQF_TRIGGER_HIGH, DRV_NAME, host)) { + dev_err(&pdev->dev, "Error requesting NAND IRQ\n"); + res = -ENXIO; +-- +2.43.0 + diff --git a/queue-4.19/net-kcm-fix-incorrect-parameter-validation-in-the-kc.patch b/queue-4.19/net-kcm-fix-incorrect-parameter-validation-in-the-kc.patch new file mode 100644 index 00000000000..74d227ed00d --- /dev/null +++ b/queue-4.19/net-kcm-fix-incorrect-parameter-validation-in-the-kc.patch @@ -0,0 +1,45 @@ +From f220a88840f2cea7d6c3d7fa0d3ddfcd06d28ffa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Mar 2024 14:23:50 +0000 +Subject: net: kcm: fix incorrect parameter validation in the kcm_getsockopt) + function + +From: Gavrilov Ilia + +[ Upstream commit 3ed5f415133f9b7518fbe55ba9ae9a3f5e700929 ] + +The 'len' variable can't be negative when assigned the result of +'min_t' because all 'min_t' parameters are cast to unsigned int, +and then the minimum one is chosen. + +To fix the logic, check 'len' as read from 'optlen', +where the types of relevant variables are (signed) int. + +Fixes: ab7ac4eb9832 ("kcm: Kernel Connection Multiplexor module") +Signed-off-by: Gavrilov Ilia +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/kcm/kcmsock.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/kcm/kcmsock.c b/net/kcm/kcmsock.c +index a82892c288600..45450f0fd9acb 100644 +--- a/net/kcm/kcmsock.c ++++ b/net/kcm/kcmsock.c +@@ -1276,10 +1276,11 @@ static int kcm_getsockopt(struct socket *sock, int level, int optname, + if (get_user(len, optlen)) + return -EFAULT; + +- len = min_t(unsigned int, len, sizeof(int)); + if (len < 0) + return -EINVAL; + ++ len = min_t(unsigned int, len, sizeof(int)); ++ + switch (optname) { + case KCM_RECV_DISABLE: + val = kcm->rx_disabled; +-- +2.43.0 + diff --git a/queue-4.19/net-sunrpc-fix-an-off-by-one-in-rpc_sockaddr2uaddr.patch b/queue-4.19/net-sunrpc-fix-an-off-by-one-in-rpc_sockaddr2uaddr.patch new file mode 100644 index 00000000000..721a4021d47 --- /dev/null +++ b/queue-4.19/net-sunrpc-fix-an-off-by-one-in-rpc_sockaddr2uaddr.patch @@ -0,0 +1,42 @@ +From f0786b8e0dcc1186147ef0003af1c513d694f191 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Oct 2023 23:58:20 +0200 +Subject: net: sunrpc: Fix an off by one in rpc_sockaddr2uaddr() + +From: Christophe JAILLET + +[ Upstream commit d6f4de70f73a106986ee315d7d512539f2f3303a ] + +The intent is to check if the strings' are truncated or not. So, >= should +be used instead of >, because strlcat() and snprintf() return the length of +the output, excluding the trailing NULL. + +Fixes: a02d69261134 ("SUNRPC: Provide functions for managing universal addresses") +Signed-off-by: Christophe JAILLET +Reviewed-by: Benjamin Coddington +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + net/sunrpc/addr.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/sunrpc/addr.c b/net/sunrpc/addr.c +index 7404f02702a1c..eba3b6f4d4ace 100644 +--- a/net/sunrpc/addr.c ++++ b/net/sunrpc/addr.c +@@ -287,10 +287,10 @@ char *rpc_sockaddr2uaddr(const struct sockaddr *sap, gfp_t gfp_flags) + } + + if (snprintf(portbuf, sizeof(portbuf), +- ".%u.%u", port >> 8, port & 0xff) > (int)sizeof(portbuf)) ++ ".%u.%u", port >> 8, port & 0xff) >= (int)sizeof(portbuf)) + return NULL; + +- if (strlcat(addrbuf, portbuf, sizeof(addrbuf)) > sizeof(addrbuf)) ++ if (strlcat(addrbuf, portbuf, sizeof(addrbuf)) >= sizeof(addrbuf)) + return NULL; + + return kstrdup(addrbuf, gfp_flags); +-- +2.43.0 + diff --git a/queue-4.19/net-x25-fix-incorrect-parameter-validation-in-the-x2.patch b/queue-4.19/net-x25-fix-incorrect-parameter-validation-in-the-x2.patch new file mode 100644 index 00000000000..2b274c2085d --- /dev/null +++ b/queue-4.19/net-x25-fix-incorrect-parameter-validation-in-the-x2.patch @@ -0,0 +1,47 @@ +From 9c45ccfacca1602656c0c169912196d507f40a71 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Mar 2024 14:23:50 +0000 +Subject: net/x25: fix incorrect parameter validation in the x25_getsockopt() + function + +From: Gavrilov Ilia + +[ Upstream commit d6eb8de2015f0c24822e47356f839167ebde2945 ] + +The 'len' variable can't be negative when assigned the result of +'min_t' because all 'min_t' parameters are cast to unsigned int, +and then the minimum one is chosen. + +To fix the logic, check 'len' as read from 'optlen', +where the types of relevant variables are (signed) int. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Gavrilov Ilia +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/x25/af_x25.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c +index 9d0328bb30ca1..8d78f204ba3c1 100644 +--- a/net/x25/af_x25.c ++++ b/net/x25/af_x25.c +@@ -475,12 +475,12 @@ static int x25_getsockopt(struct socket *sock, int level, int optname, + if (get_user(len, optlen)) + goto out; + +- len = min_t(unsigned int, len, sizeof(int)); +- + rc = -EINVAL; + if (len < 0) + goto out; + ++ len = min_t(unsigned int, len, sizeof(int)); ++ + rc = -EFAULT; + if (put_user(len, optlen)) + goto out; +-- +2.43.0 + diff --git a/queue-4.19/nfp-flower-handle-acti_netdevs-allocation-failure.patch b/queue-4.19/nfp-flower-handle-acti_netdevs-allocation-failure.patch new file mode 100644 index 00000000000..fadde0557e0 --- /dev/null +++ b/queue-4.19/nfp-flower-handle-acti_netdevs-allocation-failure.patch @@ -0,0 +1,45 @@ +From 3cfdde3b23437fc76e7edd512906ce410056b18c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Mar 2024 22:25:40 +0800 +Subject: nfp: flower: handle acti_netdevs allocation failure + +From: Duoming Zhou + +[ Upstream commit 84e95149bd341705f0eca6a7fcb955c548805002 ] + +The kmalloc_array() in nfp_fl_lag_do_work() will return null, if +the physical memory has run out. As a result, if we dereference +the acti_netdevs, the null pointer dereference bugs will happen. + +This patch adds a check to judge whether allocation failure occurs. +If it happens, the delayed work will be rescheduled and try again. + +Fixes: bb9a8d031140 ("nfp: flower: monitor and offload LAG groups") +Signed-off-by: Duoming Zhou +Reviewed-by: Louis Peens +Link: https://lore.kernel.org/r/20240308142540.9674-1-duoming@zju.edu.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/netronome/nfp/flower/lag_conf.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/ethernet/netronome/nfp/flower/lag_conf.c b/drivers/net/ethernet/netronome/nfp/flower/lag_conf.c +index bf10598f66ae0..1b5e0cef97713 100644 +--- a/drivers/net/ethernet/netronome/nfp/flower/lag_conf.c ++++ b/drivers/net/ethernet/netronome/nfp/flower/lag_conf.c +@@ -336,6 +336,11 @@ static void nfp_fl_lag_do_work(struct work_struct *work) + + acti_netdevs = kmalloc_array(entry->slave_cnt, + sizeof(*acti_netdevs), GFP_KERNEL); ++ if (!acti_netdevs) { ++ schedule_delayed_work(&lag->work, ++ NFP_FL_LAG_DELAY); ++ continue; ++ } + + /* Include sanity check in the loop. It may be that a bond has + * changed between processing the last notification and the +-- +2.43.0 + diff --git a/queue-4.19/nfs-fix-an-off-by-one-in-root_nfs_cat.patch b/queue-4.19/nfs-fix-an-off-by-one-in-root_nfs_cat.patch new file mode 100644 index 00000000000..b9a149dd2be --- /dev/null +++ b/queue-4.19/nfs-fix-an-off-by-one-in-root_nfs_cat.patch @@ -0,0 +1,42 @@ +From 25c748ab7e89b4434a2381481d4556b751b316c0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 18 Feb 2024 22:16:53 +0100 +Subject: NFS: Fix an off by one in root_nfs_cat() + +From: Christophe JAILLET + +[ Upstream commit 698ad1a538da0b6bf969cfee630b4e3a026afb87 ] + +The intent is to check if 'dest' is truncated or not. So, >= should be +used instead of >, because strlcat() returns the length of 'dest' and 'src' +excluding the trailing NULL. + +Fixes: 56463e50d1fc ("NFS: Use super.c for NFSROOT mount option parsing") +Signed-off-by: Christophe JAILLET +Reviewed-by: Benjamin Coddington +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/nfsroot.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/nfs/nfsroot.c b/fs/nfs/nfsroot.c +index effaa4247b912..c0f2e1751c33e 100644 +--- a/fs/nfs/nfsroot.c ++++ b/fs/nfs/nfsroot.c +@@ -169,10 +169,10 @@ static int __init root_nfs_cat(char *dest, const char *src, + size_t len = strlen(dest); + + if (len && dest[len - 1] != ',') +- if (strlcat(dest, ",", destlen) > destlen) ++ if (strlcat(dest, ",", destlen) >= destlen) + return -1; + +- if (strlcat(dest, src, destlen) > destlen) ++ if (strlcat(dest, src, destlen) >= destlen) + return -1; + return 0; + } +-- +2.43.0 + diff --git a/queue-4.19/pci-aer-fix-rootport-attribute-paths-in-abi-docs.patch b/queue-4.19/pci-aer-fix-rootport-attribute-paths-in-abi-docs.patch new file mode 100644 index 00000000000..b23f0885ca4 --- /dev/null +++ b/queue-4.19/pci-aer-fix-rootport-attribute-paths-in-abi-docs.patch @@ -0,0 +1,52 @@ +From 5493b56b9c7ab348581272d7f31bee66032b34c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Feb 2024 14:16:34 +0100 +Subject: PCI/AER: Fix rootport attribute paths in ABI docs + +From: Johan Hovold + +[ Upstream commit 0e7d29a39a546161ea3a49e8e282a43212d7ff68 ] + +The 'aer_stats' directory never made it into the sixth and final revision +of the series adding the sysfs AER attributes. + +Link: https://lore.kernel.org/r/20240202131635.11405-2-johan+linaro@kernel.org +Link: https://lore.kernel.org/lkml/20180621184822.GB14136@bhelgaas-glaptop.roam.corp.google.com/ +Fixes: 12833017e581 ("PCI/AER: Add sysfs attributes for rootport cumulative stats") +Signed-off-by: Johan Hovold +Signed-off-by: Bjorn Helgaas +Signed-off-by: Sasha Levin +--- + Documentation/ABI/testing/sysfs-bus-pci-devices-aer_stats | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/Documentation/ABI/testing/sysfs-bus-pci-devices-aer_stats b/Documentation/ABI/testing/sysfs-bus-pci-devices-aer_stats +index ff229d71961c3..afe7bdf4f9ad0 100644 +--- a/Documentation/ABI/testing/sysfs-bus-pci-devices-aer_stats ++++ b/Documentation/ABI/testing/sysfs-bus-pci-devices-aer_stats +@@ -103,19 +103,19 @@ collectors) that are AER capable. These indicate the number of error messages as + device, so these counters include them and are thus cumulative of all the error + messages on the PCI hierarchy originating at that root port. + +-What: /sys/bus/pci/devices//aer_stats/aer_rootport_total_err_cor ++What: /sys/bus/pci/devices//aer_rootport_total_err_cor + Date: July 2018 + Kernel Version: 4.19.0 + Contact: linux-pci@vger.kernel.org, rajatja@google.com + Description: Total number of ERR_COR messages reported to rootport. + +-What: /sys/bus/pci/devices//aer_stats/aer_rootport_total_err_fatal ++What: /sys/bus/pci/devices//aer_rootport_total_err_fatal + Date: July 2018 + Kernel Version: 4.19.0 + Contact: linux-pci@vger.kernel.org, rajatja@google.com + Description: Total number of ERR_FATAL messages reported to rootport. + +-What: /sys/bus/pci/devices//aer_stats/aer_rootport_total_err_nonfatal ++What: /sys/bus/pci/devices//aer_rootport_total_err_nonfatal + Date: July 2018 + Kernel Version: 4.19.0 + Contact: linux-pci@vger.kernel.org, rajatja@google.com +-- +2.43.0 + diff --git a/queue-4.19/pci-mark-3ware-9650se-root-port-extended-tags-as-bro.patch b/queue-4.19/pci-mark-3ware-9650se-root-port-extended-tags-as-bro.patch new file mode 100644 index 00000000000..4267c4dc0c0 --- /dev/null +++ b/queue-4.19/pci-mark-3ware-9650se-root-port-extended-tags-as-bro.patch @@ -0,0 +1,56 @@ +From 30e6cca3fb334de40166fde4e429926c111a887b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Feb 2024 14:28:11 +0100 +Subject: PCI: Mark 3ware-9650SE Root Port Extended Tags as broken +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jörg Wedekind + +[ Upstream commit baf67aefbe7d7deafa59ca49612d163f8889934c ] + +Per PCIe r6.1, sec 2.2.6.2 and 7.5.3.4, a Requester may not use 8-bit Tags +unless its Extended Tag Field Enable is set, but all Receivers/Completers +must handle 8-bit Tags correctly regardless of their Extended Tag Field +Enable. + +Some devices do not handle 8-bit Tags as Completers, so add a quirk for +them. If we find such a device, we disable Extended Tags for the entire +hierarchy to make peer-to-peer DMA possible. + +The 3ware 9650SE seems to have issues with handling 8-bit tags. Mark it as +broken. + +This fixes PCI Parity Errors like : + + 3w-9xxx: scsi0: ERROR: (0x06:0x000C): PCI Parity Error: clearing. + 3w-9xxx: scsi0: ERROR: (0x06:0x000D): PCI Abort: clearing. + 3w-9xxx: scsi0: ERROR: (0x06:0x000E): Controller Queue Error: clearing. + 3w-9xxx: scsi0: ERROR: (0x06:0x0010): Microcontroller Error: clearing. + +Link: https://lore.kernel.org/r/20240219132811.8351-1-joerg@wedekind.de +Fixes: 60db3a4d8cc9 ("PCI: Enable PCIe Extended Tags if supported") +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=202425 +Signed-off-by: Jörg Wedekind +Signed-off-by: Bjorn Helgaas +Signed-off-by: Sasha Levin +--- + drivers/pci/quirks.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c +index 99a8a24ea79dc..bb51820890965 100644 +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -5189,6 +5189,7 @@ static void quirk_no_ext_tags(struct pci_dev *pdev) + + pci_walk_bus(bridge->bus, pci_configure_extended_tags, NULL); + } ++DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_3WARE, 0x1004, quirk_no_ext_tags); + DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_SERVERWORKS, 0x0132, quirk_no_ext_tags); + DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_SERVERWORKS, 0x0140, quirk_no_ext_tags); + DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_SERVERWORKS, 0x0141, quirk_no_ext_tags); +-- +2.43.0 + diff --git a/queue-4.19/perf-evsel-fix-duplicate-initialization-of-data-id-i.patch b/queue-4.19/perf-evsel-fix-duplicate-initialization-of-data-id-i.patch new file mode 100644 index 00000000000..1f3c7a493e8 --- /dev/null +++ b/queue-4.19/perf-evsel-fix-duplicate-initialization-of-data-id-i.patch @@ -0,0 +1,38 @@ +From d0903ade2c62aca20a37a5ac12a71ccc4f3fd219 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 27 Jan 2024 02:57:56 +0000 +Subject: perf evsel: Fix duplicate initialization of data->id in + evsel__parse_sample() + +From: Yang Jihong + +[ Upstream commit 4962aec0d684c8edb14574ccd0da53e4926ff834 ] + +data->id has been initialized at line 2362, remove duplicate initialization. + +Fixes: 3ad31d8a0df2 ("perf evsel: Centralize perf_sample initialization") +Signed-off-by: Yang Jihong +Reviewed-by: Arnaldo Carvalho de Melo +Reviewed-by: Ian Rogers +Signed-off-by: Namhyung Kim +Link: https://lore.kernel.org/r/20240127025756.4041808-1-yangjihong1@huawei.com +Signed-off-by: Sasha Levin +--- + tools/perf/util/evsel.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/tools/perf/util/evsel.c b/tools/perf/util/evsel.c +index 11a2aa80802d5..0644ae23122cd 100644 +--- a/tools/perf/util/evsel.c ++++ b/tools/perf/util/evsel.c +@@ -2116,7 +2116,6 @@ int perf_evsel__parse_sample(struct perf_evsel *evsel, union perf_event *event, + data->period = evsel->attr.sample_period; + data->cpumode = event->header.misc & PERF_RECORD_MISC_CPUMODE_MASK; + data->misc = event->header.misc; +- data->id = -1ULL; + data->data_src = PERF_MEM_DATA_SRC_NONE; + + if (event->header.type != PERF_RECORD_SAMPLE) { +-- +2.43.0 + diff --git a/queue-4.19/perf-thread_map-free-strlist-on-normal-path-in-threa.patch b/queue-4.19/perf-thread_map-free-strlist-on-normal-path-in-threa.patch new file mode 100644 index 00000000000..52911d505dc --- /dev/null +++ b/queue-4.19/perf-thread_map-free-strlist-on-normal-path-in-threa.patch @@ -0,0 +1,45 @@ +From 8536390bc29e20a22375943e62bb71a5d4428b0d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Feb 2024 08:32:28 +0000 +Subject: perf thread_map: Free strlist on normal path in + thread_map__new_by_tid_str() + +From: Yang Jihong + +[ Upstream commit 1eb3d924e3c0b8c27388b0583a989d757866efb6 ] + +slist needs to be freed in both error path and normal path in +thread_map__new_by_tid_str(). + +Fixes: b52956c961be3a04 ("perf tools: Allow multiple threads or processes in record, stat, top") +Reviewed-by: Arnaldo Carvalho de Melo +Signed-off-by: Yang Jihong +Signed-off-by: Namhyung Kim +Link: https://lore.kernel.org/r/20240206083228.172607-6-yangjihong1@huawei.com +Signed-off-by: Sasha Levin +--- + tools/perf/util/thread_map.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/util/thread_map.c b/tools/perf/util/thread_map.c +index 5d467d8ae9abf..6ee38f2458040 100644 +--- a/tools/perf/util/thread_map.c ++++ b/tools/perf/util/thread_map.c +@@ -313,13 +313,13 @@ struct thread_map *thread_map__new_by_tid_str(const char *tid_str) + threads->nr = ntasks; + } + out: ++ strlist__delete(slist); + if (threads) + refcount_set(&threads->refcnt, 1); + return threads; + + out_free_threads: + zfree(&threads); +- strlist__delete(slist); + goto out; + } + +-- +2.43.0 + diff --git a/queue-4.19/powerpc-embedded6xx-fix-no-previous-prototype-for-av.patch b/queue-4.19/powerpc-embedded6xx-fix-no-previous-prototype-for-av.patch new file mode 100644 index 00000000000..49c08834234 --- /dev/null +++ b/queue-4.19/powerpc-embedded6xx-fix-no-previous-prototype-for-av.patch @@ -0,0 +1,53 @@ +From 65d6860e16f93945dc17af0947f25c889c4c1b43 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Mar 2024 23:34:08 +1100 +Subject: powerpc/embedded6xx: Fix no previous prototype for avr_uart_send() + etc. + +From: Michael Ellerman + +[ Upstream commit 20933531be0577cdd782216858c26150dbc7936f ] + +Move the prototypes into mpc10x.h which is included by all the relevant +C files, fixes: + + arch/powerpc/platforms/embedded6xx/ls_uart.c:59:6: error: no previous prototype for 'avr_uart_configure' + arch/powerpc/platforms/embedded6xx/ls_uart.c:82:6: error: no previous prototype for 'avr_uart_send' + +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20240305123410.3306253-1-mpe@ellerman.id.au +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/embedded6xx/linkstation.c | 3 --- + arch/powerpc/platforms/embedded6xx/mpc10x.h | 3 +++ + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/powerpc/platforms/embedded6xx/linkstation.c b/arch/powerpc/platforms/embedded6xx/linkstation.c +index f514d5d28cd4f..3f3821eb4c36b 100644 +--- a/arch/powerpc/platforms/embedded6xx/linkstation.c ++++ b/arch/powerpc/platforms/embedded6xx/linkstation.c +@@ -97,9 +97,6 @@ static void __init linkstation_init_IRQ(void) + mpic_init(mpic); + } + +-extern void avr_uart_configure(void); +-extern void avr_uart_send(const char); +- + static void __noreturn linkstation_restart(char *cmd) + { + local_irq_disable(); +diff --git a/arch/powerpc/platforms/embedded6xx/mpc10x.h b/arch/powerpc/platforms/embedded6xx/mpc10x.h +index 5ad12023e5628..ebc258fa4858d 100644 +--- a/arch/powerpc/platforms/embedded6xx/mpc10x.h ++++ b/arch/powerpc/platforms/embedded6xx/mpc10x.h +@@ -156,4 +156,7 @@ int mpc10x_disable_store_gathering(struct pci_controller *hose); + /* For MPC107 boards that use the built-in openpic */ + void mpc10x_set_openpic(void); + ++void avr_uart_configure(void); ++void avr_uart_send(const char c); ++ + #endif /* __PPC_KERNEL_MPC10X_H */ +-- +2.43.0 + diff --git a/queue-4.19/powerpc-hv-gpci-fix-the-h_get_perf_counter_info-hcal.patch b/queue-4.19/powerpc-hv-gpci-fix-the-h_get_perf_counter_info-hcal.patch new file mode 100644 index 00000000000..680eb7279ec --- /dev/null +++ b/queue-4.19/powerpc-hv-gpci-fix-the-h_get_perf_counter_info-hcal.patch @@ -0,0 +1,118 @@ +From 5bf115678f6c436af8ffa61f59b618a35b0378de Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Feb 2024 17:58:47 +0530 +Subject: powerpc/hv-gpci: Fix the H_GET_PERF_COUNTER_INFO hcall return value + checks + +From: Kajol Jain + +[ Upstream commit ad86d7ee43b22aa2ed60fb982ae94b285c1be671 ] + +Running event hv_gpci/dispatch_timebase_by_processor_processor_time_in_timebase_cycles,phys_processor_idx=0/ +in one of the system throws below error: + + ---Logs--- + # perf list | grep hv_gpci/dispatch_timebase_by_processor_processor_time_in_timebase_cycles + hv_gpci/dispatch_timebase_by_processor_processor_time_in_timebase_cycles,phys_processor_idx=?/[Kernel PMU event] + + # perf stat -v -e hv_gpci/dispatch_timebase_by_processor_processor_time_in_timebase_cycles,phys_processor_idx=0/ sleep 2 +Using CPUID 00800200 +Control descriptor is not initialized +Warning: +hv_gpci/dispatch_timebase_by_processor_processor_time_in_timebase_cycles,phys_processor_idx=0/ event is not supported by the kernel. +failed to read counter hv_gpci/dispatch_timebase_by_processor_processor_time_in_timebase_cycles,phys_processor_idx=0/ + + Performance counter stats for 'system wide': + + hv_gpci/dispatch_timebase_by_processor_processor_time_in_timebase_cycles,phys_processor_idx=0/ + + 2.000700771 seconds time elapsed + +The above error is because of the hcall failure as required +permission "Enable Performance Information Collection" is not set. +Based on current code, single_gpci_request function did not check the +error type incase hcall fails and by default returns EINVAL. But we can +have other reasons for hcall failures like H_AUTHORITY/H_PARAMETER with +detail_rc as GEN_BUF_TOO_SMALL, for which we need to act accordingly. + +Fix this issue by adding new checks in the single_gpci_request and +h_gpci_event_init functions. + +Result after fix patch changes: + + # perf stat -e hv_gpci/dispatch_timebase_by_processor_processor_time_in_timebase_cycles,phys_processor_idx=0/ sleep 2 +Error: +No permission to enable hv_gpci/dispatch_timebase_by_processor_processor_time_in_timebase_cycles,phys_processor_idx=0/ event. + +Fixes: 220a0c609ad1 ("powerpc/perf: Add support for the hv gpci (get performance counter info) interface") +Reported-by: Akanksha J N +Signed-off-by: Kajol Jain +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20240229122847.101162-1-kjain@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/perf/hv-gpci.c | 29 +++++++++++++++++++++++++++-- + 1 file changed, 27 insertions(+), 2 deletions(-) + +diff --git a/arch/powerpc/perf/hv-gpci.c b/arch/powerpc/perf/hv-gpci.c +index 126409bb5626e..8ae70b5952a54 100644 +--- a/arch/powerpc/perf/hv-gpci.c ++++ b/arch/powerpc/perf/hv-gpci.c +@@ -157,6 +157,20 @@ static unsigned long single_gpci_request(u32 req, u32 starting_index, + + ret = plpar_hcall_norets(H_GET_PERF_COUNTER_INFO, + virt_to_phys(arg), HGPCI_REQ_BUFFER_SIZE); ++ ++ /* ++ * ret value as 'H_PARAMETER' with detail_rc as 'GEN_BUF_TOO_SMALL', ++ * specifies that the current buffer size cannot accommodate ++ * all the information and a partial buffer returned. ++ * Since in this function we are only accessing data for a given starting index, ++ * we don't need to accommodate whole data and can get required count by ++ * accessing first entry data. ++ * Hence hcall fails only incase the ret value is other than H_SUCCESS or ++ * H_PARAMETER with detail_rc value as GEN_BUF_TOO_SMALL(0x1B). ++ */ ++ if (ret == H_PARAMETER && be32_to_cpu(arg->params.detail_rc) == 0x1B) ++ ret = 0; ++ + if (ret) { + pr_devel("hcall failed: 0x%lx\n", ret); + goto out; +@@ -221,6 +235,7 @@ static int h_gpci_event_init(struct perf_event *event) + { + u64 count; + u8 length; ++ unsigned long ret; + + /* Not our event */ + if (event->attr.type != event->pmu->type) +@@ -260,13 +275,23 @@ static int h_gpci_event_init(struct perf_event *event) + } + + /* check if the request works... */ +- if (single_gpci_request(event_get_request(event), ++ ret = single_gpci_request(event_get_request(event), + event_get_starting_index(event), + event_get_secondary_index(event), + event_get_counter_info_version(event), + event_get_offset(event), + length, +- &count)) { ++ &count); ++ ++ /* ++ * ret value as H_AUTHORITY implies that partition is not permitted to retrieve ++ * performance information, and required to set ++ * "Enable Performance Information Collection" option. ++ */ ++ if (ret == H_AUTHORITY) ++ return -EPERM; ++ ++ if (ret) { + pr_devel("gpci hcall failed\n"); + return -EINVAL; + } +-- +2.43.0 + diff --git a/queue-4.19/quota-check-time-limit-when-back-out-space-inode-cha.patch b/queue-4.19/quota-check-time-limit-when-back-out-space-inode-cha.patch new file mode 100644 index 00000000000..6c4f8f4f09f --- /dev/null +++ b/queue-4.19/quota-check-time-limit-when-back-out-space-inode-cha.patch @@ -0,0 +1,57 @@ +From 4ace7b95b4b0380a05e1e8fef8ac465e8737204e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Apr 2019 14:40:10 +0800 +Subject: quota: check time limit when back out space/inode change + +From: Chengguang Xu + +[ Upstream commit 632a9f3acd6687376cbb0b178df6048e19cbacc9 ] + +When we fail from allocating inode/space, we back out +the change we already did. In a special case which has +exceeded soft limit by the change, we should also check +time limit and reset it properly. + +Signed-off-by: Chengguang Xu +Signed-off-by: Jan Kara +Stable-dep-of: 179b8c97ebf6 ("quota: Fix rcu annotations of inode dquot pointers") +Signed-off-by: Sasha Levin +--- + fs/quota/dquot.c | 14 ++++++-------- + 1 file changed, 6 insertions(+), 8 deletions(-) + +diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c +index b55d91d3d87c2..895636fd655f6 100644 +--- a/fs/quota/dquot.c ++++ b/fs/quota/dquot.c +@@ -1760,13 +1760,11 @@ int __dquot_alloc_space(struct inode *inode, qsize_t number, int flags) + if (!dquots[cnt]) + continue; + spin_lock(&dquots[cnt]->dq_dqb_lock); +- if (reserve) { +- dquots[cnt]->dq_dqb.dqb_rsvspace -= +- number; +- } else { +- dquots[cnt]->dq_dqb.dqb_curspace -= +- number; +- } ++ if (reserve) ++ dquot_free_reserved_space(dquots[cnt], ++ number); ++ else ++ dquot_decr_space(dquots[cnt], number); + spin_unlock(&dquots[cnt]->dq_dqb_lock); + } + spin_unlock(&inode->i_lock); +@@ -1817,7 +1815,7 @@ int dquot_alloc_inode(struct inode *inode) + continue; + /* Back out changes we already did */ + spin_lock(&dquots[cnt]->dq_dqb_lock); +- dquots[cnt]->dq_dqb.dqb_curinodes--; ++ dquot_decr_inodes(dquots[cnt], 1); + spin_unlock(&dquots[cnt]->dq_dqb_lock); + } + goto warn_put_all; +-- +2.43.0 + diff --git a/queue-4.19/quota-code-cleanup-for-__dquot_alloc_space.patch b/queue-4.19/quota-code-cleanup-for-__dquot_alloc_space.patch new file mode 100644 index 00000000000..0b0d2104909 --- /dev/null +++ b/queue-4.19/quota-code-cleanup-for-__dquot_alloc_space.patch @@ -0,0 +1,45 @@ +From 03a005e50851d70cbe4d39407bbc50879b372859 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Mar 2019 13:03:59 +0800 +Subject: quota: code cleanup for __dquot_alloc_space() + +From: Chengguang Xu + +[ Upstream commit df15a2a59d0b29d86e17140b83ed231adaded12f ] + +Replace (flags & DQUOT_SPACE_RESERVE) with +variable reserve. + +Signed-off-by: Chengguang Xu +Signed-off-by: Jan Kara +Stable-dep-of: 179b8c97ebf6 ("quota: Fix rcu annotations of inode dquot pointers") +Signed-off-by: Sasha Levin +--- + fs/quota/dquot.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c +index 868936076f41d..683727c5758c0 100644 +--- a/fs/quota/dquot.c ++++ b/fs/quota/dquot.c +@@ -1743,7 +1743,7 @@ int __dquot_alloc_space(struct inode *inode, qsize_t number, int flags) + for (cnt = 0; cnt < MAXQUOTAS; cnt++) { + if (!dquots[cnt]) + continue; +- if (flags & DQUOT_SPACE_RESERVE) { ++ if (reserve) { + ret = dquot_add_space(dquots[cnt], 0, number, flags, + &warn[cnt]); + } else { +@@ -1756,7 +1756,7 @@ int __dquot_alloc_space(struct inode *inode, qsize_t number, int flags) + if (!dquots[cnt]) + continue; + spin_lock(&dquots[cnt]->dq_dqb_lock); +- if (flags & DQUOT_SPACE_RESERVE) { ++ if (reserve) { + dquots[cnt]->dq_dqb.dqb_rsvspace -= + number; + } else { +-- +2.43.0 + diff --git a/queue-4.19/quota-fix-potential-null-pointer-dereference.patch b/queue-4.19/quota-fix-potential-null-pointer-dereference.patch new file mode 100644 index 00000000000..7e4e0cbfcb9 --- /dev/null +++ b/queue-4.19/quota-fix-potential-null-pointer-dereference.patch @@ -0,0 +1,278 @@ +From 8685209308d8632ec9b034bcb52a2502407bcd71 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Feb 2024 16:18:52 +0800 +Subject: quota: Fix potential NULL pointer dereference + +From: Wang Jianjian + +[ Upstream commit d0aa72604fbd80c8aabb46eda00535ed35570f1f ] + +Below race may cause NULL pointer dereference + +P1 P2 +dquot_free_inode quota_off + drop_dquot_ref + remove_dquot_ref + dquots = i_dquot(inode) + dquots = i_dquot(inode) + srcu_read_lock + dquots[cnt]) != NULL (1) + dquots[type] = NULL (2) + spin_lock(&dquots[cnt]->dq_dqb_lock) (3) + .... + +If dquot_free_inode(or other routines) checks inode's quota pointers (1) +before quota_off sets it to NULL(2) and use it (3) after that, NULL pointer +dereference will be triggered. + +So let's fix it by using a temporary pointer to avoid this issue. + +Signed-off-by: Wang Jianjian +Signed-off-by: Jan Kara +Message-Id: <20240202081852.2514092-1-wangjianjian3@huawei.com> +Stable-dep-of: 179b8c97ebf6 ("quota: Fix rcu annotations of inode dquot pointers") +Signed-off-by: Sasha Levin +--- + fs/quota/dquot.c | 98 ++++++++++++++++++++++++++++-------------------- + 1 file changed, 57 insertions(+), 41 deletions(-) + +diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c +index dd9c381b874fd..133ca865de976 100644 +--- a/fs/quota/dquot.c ++++ b/fs/quota/dquot.c +@@ -399,15 +399,17 @@ int dquot_mark_dquot_dirty(struct dquot *dquot) + EXPORT_SYMBOL(dquot_mark_dquot_dirty); + + /* Dirtify all the dquots - this can block when journalling */ +-static inline int mark_all_dquot_dirty(struct dquot * const *dquot) ++static inline int mark_all_dquot_dirty(struct dquot * const *dquots) + { + int ret, err, cnt; ++ struct dquot *dquot; + + ret = err = 0; + for (cnt = 0; cnt < MAXQUOTAS; cnt++) { +- if (dquot[cnt]) ++ dquot = srcu_dereference(dquots[cnt], &dquot_srcu); ++ if (dquot) + /* Even in case of error we have to continue */ +- ret = mark_dquot_dirty(dquot[cnt]); ++ ret = mark_dquot_dirty(dquot); + if (!err) + err = ret; + } +@@ -1674,6 +1676,7 @@ int __dquot_alloc_space(struct inode *inode, qsize_t number, int flags) + struct dquot_warn warn[MAXQUOTAS]; + int reserve = flags & DQUOT_SPACE_RESERVE; + struct dquot **dquots; ++ struct dquot *dquot; + + if (!inode_quota_active(inode)) { + if (reserve) { +@@ -1693,27 +1696,26 @@ int __dquot_alloc_space(struct inode *inode, qsize_t number, int flags) + index = srcu_read_lock(&dquot_srcu); + spin_lock(&inode->i_lock); + for (cnt = 0; cnt < MAXQUOTAS; cnt++) { +- if (!dquots[cnt]) ++ dquot = srcu_dereference(dquots[cnt], &dquot_srcu); ++ if (!dquot) + continue; + if (reserve) { +- ret = dquot_add_space(dquots[cnt], 0, number, flags, +- &warn[cnt]); ++ ret = dquot_add_space(dquot, 0, number, flags, &warn[cnt]); + } else { +- ret = dquot_add_space(dquots[cnt], number, 0, flags, +- &warn[cnt]); ++ ret = dquot_add_space(dquot, number, 0, flags, &warn[cnt]); + } + if (ret) { + /* Back out changes we already did */ + for (cnt--; cnt >= 0; cnt--) { +- if (!dquots[cnt]) ++ dquot = srcu_dereference(dquots[cnt], &dquot_srcu); ++ if (!dquot) + continue; +- spin_lock(&dquots[cnt]->dq_dqb_lock); ++ spin_lock(&dquot->dq_dqb_lock); + if (reserve) +- dquot_free_reserved_space(dquots[cnt], +- number); ++ dquot_free_reserved_space(dquot, number); + else +- dquot_decr_space(dquots[cnt], number); +- spin_unlock(&dquots[cnt]->dq_dqb_lock); ++ dquot_decr_space(dquot, number); ++ spin_unlock(&dquot->dq_dqb_lock); + } + spin_unlock(&inode->i_lock); + goto out_flush_warn; +@@ -1744,6 +1746,7 @@ int dquot_alloc_inode(struct inode *inode) + int cnt, ret = 0, index; + struct dquot_warn warn[MAXQUOTAS]; + struct dquot * const *dquots; ++ struct dquot *dquot; + + if (!inode_quota_active(inode)) + return 0; +@@ -1754,17 +1757,19 @@ int dquot_alloc_inode(struct inode *inode) + index = srcu_read_lock(&dquot_srcu); + spin_lock(&inode->i_lock); + for (cnt = 0; cnt < MAXQUOTAS; cnt++) { +- if (!dquots[cnt]) ++ dquot = srcu_dereference(dquots[cnt], &dquot_srcu); ++ if (!dquot) + continue; +- ret = dquot_add_inodes(dquots[cnt], 1, &warn[cnt]); ++ ret = dquot_add_inodes(dquot, 1, &warn[cnt]); + if (ret) { + for (cnt--; cnt >= 0; cnt--) { +- if (!dquots[cnt]) ++ dquot = srcu_dereference(dquots[cnt], &dquot_srcu); ++ if (!dquot) + continue; + /* Back out changes we already did */ +- spin_lock(&dquots[cnt]->dq_dqb_lock); +- dquot_decr_inodes(dquots[cnt], 1); +- spin_unlock(&dquots[cnt]->dq_dqb_lock); ++ spin_lock(&dquot->dq_dqb_lock); ++ dquot_decr_inodes(dquot, 1); ++ spin_unlock(&dquot->dq_dqb_lock); + } + goto warn_put_all; + } +@@ -1786,6 +1791,7 @@ EXPORT_SYMBOL(dquot_alloc_inode); + int dquot_claim_space_nodirty(struct inode *inode, qsize_t number) + { + struct dquot **dquots; ++ struct dquot *dquot; + int cnt, index; + + if (!inode_quota_active(inode)) { +@@ -1801,9 +1807,8 @@ int dquot_claim_space_nodirty(struct inode *inode, qsize_t number) + spin_lock(&inode->i_lock); + /* Claim reserved quotas to allocated quotas */ + for (cnt = 0; cnt < MAXQUOTAS; cnt++) { +- if (dquots[cnt]) { +- struct dquot *dquot = dquots[cnt]; +- ++ dquot = srcu_dereference(dquots[cnt], &dquot_srcu); ++ if (dquot) { + spin_lock(&dquot->dq_dqb_lock); + if (WARN_ON_ONCE(dquot->dq_dqb.dqb_rsvspace < number)) + number = dquot->dq_dqb.dqb_rsvspace; +@@ -1828,6 +1833,7 @@ EXPORT_SYMBOL(dquot_claim_space_nodirty); + void dquot_reclaim_space_nodirty(struct inode *inode, qsize_t number) + { + struct dquot **dquots; ++ struct dquot *dquot; + int cnt, index; + + if (!inode_quota_active(inode)) { +@@ -1843,9 +1849,8 @@ void dquot_reclaim_space_nodirty(struct inode *inode, qsize_t number) + spin_lock(&inode->i_lock); + /* Claim reserved quotas to allocated quotas */ + for (cnt = 0; cnt < MAXQUOTAS; cnt++) { +- if (dquots[cnt]) { +- struct dquot *dquot = dquots[cnt]; +- ++ dquot = srcu_dereference(dquots[cnt], &dquot_srcu); ++ if (dquot) { + spin_lock(&dquot->dq_dqb_lock); + if (WARN_ON_ONCE(dquot->dq_dqb.dqb_curspace < number)) + number = dquot->dq_dqb.dqb_curspace; +@@ -1872,6 +1877,7 @@ void __dquot_free_space(struct inode *inode, qsize_t number, int flags) + unsigned int cnt; + struct dquot_warn warn[MAXQUOTAS]; + struct dquot **dquots; ++ struct dquot *dquot; + int reserve = flags & DQUOT_SPACE_RESERVE, index; + + if (!inode_quota_active(inode)) { +@@ -1892,17 +1898,18 @@ void __dquot_free_space(struct inode *inode, qsize_t number, int flags) + int wtype; + + warn[cnt].w_type = QUOTA_NL_NOWARN; +- if (!dquots[cnt]) ++ dquot = srcu_dereference(dquots[cnt], &dquot_srcu); ++ if (!dquot) + continue; +- spin_lock(&dquots[cnt]->dq_dqb_lock); +- wtype = info_bdq_free(dquots[cnt], number); ++ spin_lock(&dquot->dq_dqb_lock); ++ wtype = info_bdq_free(dquot, number); + if (wtype != QUOTA_NL_NOWARN) +- prepare_warning(&warn[cnt], dquots[cnt], wtype); ++ prepare_warning(&warn[cnt], dquot, wtype); + if (reserve) +- dquot_free_reserved_space(dquots[cnt], number); ++ dquot_free_reserved_space(dquot, number); + else +- dquot_decr_space(dquots[cnt], number); +- spin_unlock(&dquots[cnt]->dq_dqb_lock); ++ dquot_decr_space(dquot, number); ++ spin_unlock(&dquot->dq_dqb_lock); + } + if (reserve) + *inode_reserved_space(inode) -= number; +@@ -1927,6 +1934,7 @@ void dquot_free_inode(struct inode *inode) + unsigned int cnt; + struct dquot_warn warn[MAXQUOTAS]; + struct dquot * const *dquots; ++ struct dquot *dquot; + int index; + + if (!inode_quota_active(inode)) +@@ -1937,16 +1945,16 @@ void dquot_free_inode(struct inode *inode) + spin_lock(&inode->i_lock); + for (cnt = 0; cnt < MAXQUOTAS; cnt++) { + int wtype; +- + warn[cnt].w_type = QUOTA_NL_NOWARN; +- if (!dquots[cnt]) ++ dquot = srcu_dereference(dquots[cnt], &dquot_srcu); ++ if (!dquot) + continue; +- spin_lock(&dquots[cnt]->dq_dqb_lock); +- wtype = info_idq_free(dquots[cnt], 1); ++ spin_lock(&dquot->dq_dqb_lock); ++ wtype = info_idq_free(dquot, 1); + if (wtype != QUOTA_NL_NOWARN) +- prepare_warning(&warn[cnt], dquots[cnt], wtype); +- dquot_decr_inodes(dquots[cnt], 1); +- spin_unlock(&dquots[cnt]->dq_dqb_lock); ++ prepare_warning(&warn[cnt], dquot, wtype); ++ dquot_decr_inodes(dquot, 1); ++ spin_unlock(&dquot->dq_dqb_lock); + } + spin_unlock(&inode->i_lock); + mark_all_dquot_dirty(dquots); +@@ -1973,7 +1981,7 @@ int __dquot_transfer(struct inode *inode, struct dquot **transfer_to) + qsize_t rsv_space = 0; + qsize_t inode_usage = 1; + struct dquot *transfer_from[MAXQUOTAS] = {}; +- int cnt, ret = 0; ++ int cnt, index, ret = 0; + char is_valid[MAXQUOTAS] = {}; + struct dquot_warn warn_to[MAXQUOTAS]; + struct dquot_warn warn_from_inodes[MAXQUOTAS]; +@@ -2062,8 +2070,16 @@ int __dquot_transfer(struct inode *inode, struct dquot **transfer_to) + spin_unlock(&inode->i_lock); + spin_unlock(&dq_data_lock); + ++ /* ++ * These arrays are local and we hold dquot references so we don't need ++ * the srcu protection but still take dquot_srcu to avoid warning in ++ * mark_all_dquot_dirty(). ++ */ ++ index = srcu_read_lock(&dquot_srcu); + mark_all_dquot_dirty(transfer_from); + mark_all_dquot_dirty(transfer_to); ++ srcu_read_unlock(&dquot_srcu, index); ++ + flush_warnings(warn_to); + flush_warnings(warn_from_inodes); + flush_warnings(warn_from_space); +-- +2.43.0 + diff --git a/queue-4.19/quota-fix-rcu-annotations-of-inode-dquot-pointers.patch b/queue-4.19/quota-fix-rcu-annotations-of-inode-dquot-pointers.patch new file mode 100644 index 00000000000..e76a4de1e35 --- /dev/null +++ b/queue-4.19/quota-fix-rcu-annotations-of-inode-dquot-pointers.patch @@ -0,0 +1,253 @@ +From 0ba758a4070206fff602ea3a9fc2fa487357ff89 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Feb 2024 15:32:09 +0100 +Subject: quota: Fix rcu annotations of inode dquot pointers + +From: Jan Kara + +[ Upstream commit 179b8c97ebf63429589f5afeba59a181fe70603e ] + +Dquot pointers in i_dquot array in the inode are protected by +dquot_srcu. Annotate the array pointers with __rcu, perform the locked +dereferences with srcu_dereference_check() instead of plain reads, and +set the array elements with rcu_assign_pointer(). + +Fixes: b9ba6f94b238 ("quota: remove dqptr_sem") +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202402061900.rTuYDlo6-lkp@intel.com/ +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/quota/dquot.c | 66 ++++++++++++++++++++++++++++-------------------- + 1 file changed, 39 insertions(+), 27 deletions(-) + +diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c +index 133ca865de976..6bdb44fb07a7f 100644 +--- a/fs/quota/dquot.c ++++ b/fs/quota/dquot.c +@@ -399,7 +399,7 @@ int dquot_mark_dquot_dirty(struct dquot *dquot) + EXPORT_SYMBOL(dquot_mark_dquot_dirty); + + /* Dirtify all the dquots - this can block when journalling */ +-static inline int mark_all_dquot_dirty(struct dquot * const *dquots) ++static inline int mark_all_dquot_dirty(struct dquot __rcu * const *dquots) + { + int ret, err, cnt; + struct dquot *dquot; +@@ -996,14 +996,15 @@ struct dquot *dqget(struct super_block *sb, struct kqid qid) + } + EXPORT_SYMBOL(dqget); + +-static inline struct dquot **i_dquot(struct inode *inode) ++static inline struct dquot __rcu **i_dquot(struct inode *inode) + { +- return inode->i_sb->s_op->get_dquots(inode); ++ /* Force __rcu for now until filesystems are fixed */ ++ return (struct dquot __rcu **)inode->i_sb->s_op->get_dquots(inode); + } + + static int dqinit_needed(struct inode *inode, int type) + { +- struct dquot * const *dquots; ++ struct dquot __rcu * const *dquots; + int cnt; + + if (IS_NOQUOTA(inode)) +@@ -1093,14 +1094,16 @@ static void remove_dquot_ref(struct super_block *sb, int type) + */ + spin_lock(&dq_data_lock); + if (!IS_NOQUOTA(inode)) { +- struct dquot **dquots = i_dquot(inode); +- struct dquot *dquot = dquots[type]; ++ struct dquot __rcu **dquots = i_dquot(inode); ++ struct dquot *dquot = srcu_dereference_check( ++ dquots[type], &dquot_srcu, ++ lockdep_is_held(&dq_data_lock)); + + #ifdef CONFIG_QUOTA_DEBUG + if (unlikely(inode_get_rsv_space(inode) > 0)) + reserved = 1; + #endif +- dquots[type] = NULL; ++ rcu_assign_pointer(dquots[type], NULL); + if (dquot) + dqput(dquot); + } +@@ -1453,7 +1456,8 @@ static int inode_quota_active(const struct inode *inode) + static int __dquot_initialize(struct inode *inode, int type) + { + int cnt, init_needed = 0; +- struct dquot **dquots, *got[MAXQUOTAS] = {}; ++ struct dquot __rcu **dquots; ++ struct dquot *got[MAXQUOTAS] = {}; + struct super_block *sb = inode->i_sb; + qsize_t rsv; + int ret = 0; +@@ -1528,7 +1532,7 @@ static int __dquot_initialize(struct inode *inode, int type) + if (!got[cnt]) + continue; + if (!dquots[cnt]) { +- dquots[cnt] = got[cnt]; ++ rcu_assign_pointer(dquots[cnt], got[cnt]); + got[cnt] = NULL; + /* + * Make quota reservation system happy if someone +@@ -1536,12 +1540,16 @@ static int __dquot_initialize(struct inode *inode, int type) + */ + rsv = inode_get_rsv_space(inode); + if (unlikely(rsv)) { ++ struct dquot *dquot = srcu_dereference_check( ++ dquots[cnt], &dquot_srcu, ++ lockdep_is_held(&dq_data_lock)); ++ + spin_lock(&inode->i_lock); + /* Get reservation again under proper lock */ + rsv = __inode_get_rsv_space(inode); +- spin_lock(&dquots[cnt]->dq_dqb_lock); +- dquots[cnt]->dq_dqb.dqb_rsvspace += rsv; +- spin_unlock(&dquots[cnt]->dq_dqb_lock); ++ spin_lock(&dquot->dq_dqb_lock); ++ dquot->dq_dqb.dqb_rsvspace += rsv; ++ spin_unlock(&dquot->dq_dqb_lock); + spin_unlock(&inode->i_lock); + } + } +@@ -1563,7 +1571,7 @@ EXPORT_SYMBOL(dquot_initialize); + + bool dquot_initialize_needed(struct inode *inode) + { +- struct dquot **dquots; ++ struct dquot __rcu **dquots; + int i; + + if (!inode_quota_active(inode)) +@@ -1588,13 +1596,14 @@ EXPORT_SYMBOL(dquot_initialize_needed); + static void __dquot_drop(struct inode *inode) + { + int cnt; +- struct dquot **dquots = i_dquot(inode); ++ struct dquot __rcu **dquots = i_dquot(inode); + struct dquot *put[MAXQUOTAS]; + + spin_lock(&dq_data_lock); + for (cnt = 0; cnt < MAXQUOTAS; cnt++) { +- put[cnt] = dquots[cnt]; +- dquots[cnt] = NULL; ++ put[cnt] = srcu_dereference_check(dquots[cnt], &dquot_srcu, ++ lockdep_is_held(&dq_data_lock)); ++ rcu_assign_pointer(dquots[cnt], NULL); + } + spin_unlock(&dq_data_lock); + dqput_all(put); +@@ -1602,7 +1611,7 @@ static void __dquot_drop(struct inode *inode) + + void dquot_drop(struct inode *inode) + { +- struct dquot * const *dquots; ++ struct dquot __rcu * const *dquots; + int cnt; + + if (IS_NOQUOTA(inode)) +@@ -1675,7 +1684,7 @@ int __dquot_alloc_space(struct inode *inode, qsize_t number, int flags) + int cnt, ret = 0, index; + struct dquot_warn warn[MAXQUOTAS]; + int reserve = flags & DQUOT_SPACE_RESERVE; +- struct dquot **dquots; ++ struct dquot __rcu **dquots; + struct dquot *dquot; + + if (!inode_quota_active(inode)) { +@@ -1745,7 +1754,7 @@ int dquot_alloc_inode(struct inode *inode) + { + int cnt, ret = 0, index; + struct dquot_warn warn[MAXQUOTAS]; +- struct dquot * const *dquots; ++ struct dquot __rcu * const *dquots; + struct dquot *dquot; + + if (!inode_quota_active(inode)) +@@ -1790,7 +1799,7 @@ EXPORT_SYMBOL(dquot_alloc_inode); + */ + int dquot_claim_space_nodirty(struct inode *inode, qsize_t number) + { +- struct dquot **dquots; ++ struct dquot __rcu **dquots; + struct dquot *dquot; + int cnt, index; + +@@ -1832,7 +1841,7 @@ EXPORT_SYMBOL(dquot_claim_space_nodirty); + */ + void dquot_reclaim_space_nodirty(struct inode *inode, qsize_t number) + { +- struct dquot **dquots; ++ struct dquot __rcu **dquots; + struct dquot *dquot; + int cnt, index; + +@@ -1876,7 +1885,7 @@ void __dquot_free_space(struct inode *inode, qsize_t number, int flags) + { + unsigned int cnt; + struct dquot_warn warn[MAXQUOTAS]; +- struct dquot **dquots; ++ struct dquot __rcu **dquots; + struct dquot *dquot; + int reserve = flags & DQUOT_SPACE_RESERVE, index; + +@@ -1933,7 +1942,7 @@ void dquot_free_inode(struct inode *inode) + { + unsigned int cnt; + struct dquot_warn warn[MAXQUOTAS]; +- struct dquot * const *dquots; ++ struct dquot __rcu * const *dquots; + struct dquot *dquot; + int index; + +@@ -1980,6 +1989,7 @@ int __dquot_transfer(struct inode *inode, struct dquot **transfer_to) + qsize_t cur_space; + qsize_t rsv_space = 0; + qsize_t inode_usage = 1; ++ struct dquot __rcu **dquots; + struct dquot *transfer_from[MAXQUOTAS] = {}; + int cnt, index, ret = 0; + char is_valid[MAXQUOTAS] = {}; +@@ -2012,6 +2022,7 @@ int __dquot_transfer(struct inode *inode, struct dquot **transfer_to) + } + cur_space = __inode_get_bytes(inode); + rsv_space = __inode_get_rsv_space(inode); ++ dquots = i_dquot(inode); + /* + * Build the transfer_from list, check limits, and update usage in + * the target structures. +@@ -2026,7 +2037,8 @@ int __dquot_transfer(struct inode *inode, struct dquot **transfer_to) + if (!sb_has_quota_active(inode->i_sb, cnt)) + continue; + is_valid[cnt] = 1; +- transfer_from[cnt] = i_dquot(inode)[cnt]; ++ transfer_from[cnt] = srcu_dereference_check(dquots[cnt], ++ &dquot_srcu, lockdep_is_held(&dq_data_lock)); + ret = dquot_add_inodes(transfer_to[cnt], inode_usage, + &warn_to[cnt]); + if (ret) +@@ -2065,7 +2077,7 @@ int __dquot_transfer(struct inode *inode, struct dquot **transfer_to) + rsv_space); + spin_unlock(&transfer_from[cnt]->dq_dqb_lock); + } +- i_dquot(inode)[cnt] = transfer_to[cnt]; ++ rcu_assign_pointer(dquots[cnt], transfer_to[cnt]); + } + spin_unlock(&inode->i_lock); + spin_unlock(&dq_data_lock); +@@ -2076,8 +2088,8 @@ int __dquot_transfer(struct inode *inode, struct dquot **transfer_to) + * mark_all_dquot_dirty(). + */ + index = srcu_read_lock(&dquot_srcu); +- mark_all_dquot_dirty(transfer_from); +- mark_all_dquot_dirty(transfer_to); ++ mark_all_dquot_dirty((struct dquot __rcu **)transfer_from); ++ mark_all_dquot_dirty((struct dquot __rcu **)transfer_to); + srcu_read_unlock(&dquot_srcu, index); + + flush_warnings(warn_to); +-- +2.43.0 + diff --git a/queue-4.19/quota-simplify-drop_dquot_ref.patch b/queue-4.19/quota-simplify-drop_dquot_ref.patch new file mode 100644 index 00000000000..719550e3982 --- /dev/null +++ b/queue-4.19/quota-simplify-drop_dquot_ref.patch @@ -0,0 +1,132 @@ +From 91c96570ea83a6145306169604045422933b48a6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Jun 2023 19:08:22 +0800 +Subject: quota: simplify drop_dquot_ref() + +From: Baokun Li + +[ Upstream commit 7bce48f0fec602b3b6c335963b26d9eefa417788 ] + +As Honza said, remove_inode_dquot_ref() currently does not release the +last dquot reference but instead adds the dquot to tofree_head list. This +is because dqput() can sleep while dropping of the last dquot reference +(writing back the dquot and calling ->release_dquot()) and that must not +happen under dq_list_lock. Now that dqput() queues the final dquot cleanup +into a workqueue, remove_inode_dquot_ref() can call dqput() unconditionally +and we can significantly simplify it. + +Here we open code the simplified code of remove_inode_dquot_ref() into +remove_dquot_ref() and remove the function put_dquot_list() which is no +longer used. + +Signed-off-by: Baokun Li +Signed-off-by: Jan Kara +Message-Id: <20230630110822.3881712-6-libaokun1@huawei.com> +Stable-dep-of: 179b8c97ebf6 ("quota: Fix rcu annotations of inode dquot pointers") +Signed-off-by: Sasha Levin +--- + fs/quota/dquot.c | 70 +++++++----------------------------------------- + 1 file changed, 9 insertions(+), 61 deletions(-) + +diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c +index 895636fd655f6..dd9c381b874fd 100644 +--- a/fs/quota/dquot.c ++++ b/fs/quota/dquot.c +@@ -1074,59 +1074,7 @@ static int add_dquot_ref(struct super_block *sb, int type) + return err; + } + +-/* +- * Remove references to dquots from inode and add dquot to list for freeing +- * if we have the last reference to dquot +- */ +-static void remove_inode_dquot_ref(struct inode *inode, int type, +- struct list_head *tofree_head) +-{ +- struct dquot **dquots = i_dquot(inode); +- struct dquot *dquot = dquots[type]; +- +- if (!dquot) +- return; +- +- dquots[type] = NULL; +- if (list_empty(&dquot->dq_free)) { +- /* +- * The inode still has reference to dquot so it can't be in the +- * free list +- */ +- spin_lock(&dq_list_lock); +- list_add(&dquot->dq_free, tofree_head); +- spin_unlock(&dq_list_lock); +- } else { +- /* +- * Dquot is already in a list to put so we won't drop the last +- * reference here. +- */ +- dqput(dquot); +- } +-} +- +-/* +- * Free list of dquots +- * Dquots are removed from inodes and no new references can be got so we are +- * the only ones holding reference +- */ +-static void put_dquot_list(struct list_head *tofree_head) +-{ +- struct list_head *act_head; +- struct dquot *dquot; +- +- act_head = tofree_head->next; +- while (act_head != tofree_head) { +- dquot = list_entry(act_head, struct dquot, dq_free); +- act_head = act_head->next; +- /* Remove dquot from the list so we won't have problems... */ +- list_del_init(&dquot->dq_free); +- dqput(dquot); +- } +-} +- +-static void remove_dquot_ref(struct super_block *sb, int type, +- struct list_head *tofree_head) ++static void remove_dquot_ref(struct super_block *sb, int type) + { + struct inode *inode; + #ifdef CONFIG_QUOTA_DEBUG +@@ -1143,11 +1091,16 @@ static void remove_dquot_ref(struct super_block *sb, int type, + */ + spin_lock(&dq_data_lock); + if (!IS_NOQUOTA(inode)) { ++ struct dquot **dquots = i_dquot(inode); ++ struct dquot *dquot = dquots[type]; ++ + #ifdef CONFIG_QUOTA_DEBUG + if (unlikely(inode_get_rsv_space(inode) > 0)) + reserved = 1; + #endif +- remove_inode_dquot_ref(inode, type, tofree_head); ++ dquots[type] = NULL; ++ if (dquot) ++ dqput(dquot); + } + spin_unlock(&dq_data_lock); + } +@@ -1164,13 +1117,8 @@ static void remove_dquot_ref(struct super_block *sb, int type, + /* Gather all references from inodes and drop them */ + static void drop_dquot_ref(struct super_block *sb, int type) + { +- LIST_HEAD(tofree_head); +- +- if (sb->dq_op) { +- remove_dquot_ref(sb, type, &tofree_head); +- synchronize_srcu(&dquot_srcu); +- put_dquot_list(&tofree_head); +- } ++ if (sb->dq_op) ++ remove_dquot_ref(sb, type); + } + + static inline +-- +2.43.0 + diff --git a/queue-4.19/scsi-bfa-fix-function-pointer-type-mismatch-for-hcb_.patch b/queue-4.19/scsi-bfa-fix-function-pointer-type-mismatch-for-hcb_.patch new file mode 100644 index 00000000000..2c21778f1d0 --- /dev/null +++ b/queue-4.19/scsi-bfa-fix-function-pointer-type-mismatch-for-hcb_.patch @@ -0,0 +1,152 @@ +From d2964ad62c536a6eddec1ffc234be188b7ee9fc5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Feb 2024 13:44:06 +0100 +Subject: scsi: bfa: Fix function pointer type mismatch for hcb_qe->cbfn + +From: Arnd Bergmann + +[ Upstream commit b69600231f751304db914c63b937f7098ed2895c ] + +Some callback functions used here take a boolean argument, others take a +status argument. This breaks KCFI type checking, so clang now warns about +the function pointer cast: + +drivers/scsi/bfa/bfad_bsg.c:2138:29: error: cast from 'void (*)(void *, enum bfa_status)' to 'bfa_cb_cbfn_t' (aka 'void (*)(void *, enum bfa_boolean)') converts to incompatible function type [-Werror,-Wcast-function-type-strict] + +Assuming the code is actually correct here and the callers always match the +argument types of the callee, rework this to replace the explicit cast with +a union of the two pointer types. This does not change the behavior of the +code, so if something is actually broken here, a larger rework may be +necessary. + +Fixes: 37ea0558b87a ("[SCSI] bfa: Added support to collect and reset fcport stats") +Fixes: 3ec4f2c8bff2 ("[SCSI] bfa: Added support to configure QOS and collect stats.") +Reviewed-by: Kees Cook +Signed-off-by: Arnd Bergmann +Link: https://lore.kernel.org/r/20240222124433.2046570-1-arnd@kernel.org +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/bfa/bfa.h | 9 ++++++++- + drivers/scsi/bfa/bfa_core.c | 4 +--- + drivers/scsi/bfa/bfa_ioc.h | 8 ++++++-- + drivers/scsi/bfa/bfad_bsg.c | 11 ++++------- + 4 files changed, 19 insertions(+), 13 deletions(-) + +diff --git a/drivers/scsi/bfa/bfa.h b/drivers/scsi/bfa/bfa.h +index 0e119d838e1b6..f312c356ffc4b 100644 +--- a/drivers/scsi/bfa/bfa.h ++++ b/drivers/scsi/bfa/bfa.h +@@ -28,7 +28,6 @@ + struct bfa_s; + + typedef void (*bfa_isr_func_t) (struct bfa_s *bfa, struct bfi_msg_s *m); +-typedef void (*bfa_cb_cbfn_status_t) (void *cbarg, bfa_status_t status); + + /* + * Interrupt message handlers +@@ -446,4 +445,12 @@ struct bfa_cb_pending_q_s { + (__qe)->data = (__data); \ + } while (0) + ++#define bfa_pending_q_init_status(__qe, __cbfn, __cbarg, __data) do { \ ++ bfa_q_qe_init(&((__qe)->hcb_qe.qe)); \ ++ (__qe)->hcb_qe.cbfn_status = (__cbfn); \ ++ (__qe)->hcb_qe.cbarg = (__cbarg); \ ++ (__qe)->hcb_qe.pre_rmv = BFA_TRUE; \ ++ (__qe)->data = (__data); \ ++} while (0) ++ + #endif /* __BFA_H__ */ +diff --git a/drivers/scsi/bfa/bfa_core.c b/drivers/scsi/bfa/bfa_core.c +index 10a63be925441..ada30a5cacc85 100644 +--- a/drivers/scsi/bfa/bfa_core.c ++++ b/drivers/scsi/bfa/bfa_core.c +@@ -1915,15 +1915,13 @@ bfa_comp_process(struct bfa_s *bfa, struct list_head *comp_q) + struct list_head *qe; + struct list_head *qen; + struct bfa_cb_qe_s *hcb_qe; +- bfa_cb_cbfn_status_t cbfn; + + list_for_each_safe(qe, qen, comp_q) { + hcb_qe = (struct bfa_cb_qe_s *) qe; + if (hcb_qe->pre_rmv) { + /* qe is invalid after return, dequeue before cbfn() */ + list_del(qe); +- cbfn = (bfa_cb_cbfn_status_t)(hcb_qe->cbfn); +- cbfn(hcb_qe->cbarg, hcb_qe->fw_status); ++ hcb_qe->cbfn_status(hcb_qe->cbarg, hcb_qe->fw_status); + } else + hcb_qe->cbfn(hcb_qe->cbarg, BFA_TRUE); + } +diff --git a/drivers/scsi/bfa/bfa_ioc.h b/drivers/scsi/bfa/bfa_ioc.h +index 0f9fab770339a..179dd0416979d 100644 +--- a/drivers/scsi/bfa/bfa_ioc.h ++++ b/drivers/scsi/bfa/bfa_ioc.h +@@ -369,14 +369,18 @@ struct bfa_reqq_wait_s { + void *cbarg; + }; + +-typedef void (*bfa_cb_cbfn_t) (void *cbarg, bfa_boolean_t complete); ++typedef void (*bfa_cb_cbfn_t) (void *cbarg, bfa_boolean_t complete); ++typedef void (*bfa_cb_cbfn_status_t) (void *cbarg, bfa_status_t status); + + /* + * Generic BFA callback element. + */ + struct bfa_cb_qe_s { + struct list_head qe; +- bfa_cb_cbfn_t cbfn; ++ union { ++ bfa_cb_cbfn_status_t cbfn_status; ++ bfa_cb_cbfn_t cbfn; ++ }; + bfa_boolean_t once; + bfa_boolean_t pre_rmv; /* set for stack based qe(s) */ + bfa_status_t fw_status; /* to access fw status in comp proc */ +diff --git a/drivers/scsi/bfa/bfad_bsg.c b/drivers/scsi/bfa/bfad_bsg.c +index 5d163ca1b3666..6735f61df191a 100644 +--- a/drivers/scsi/bfa/bfad_bsg.c ++++ b/drivers/scsi/bfa/bfad_bsg.c +@@ -2143,8 +2143,7 @@ bfad_iocmd_fcport_get_stats(struct bfad_s *bfad, void *cmd) + struct bfa_cb_pending_q_s cb_qe; + + init_completion(&fcomp.comp); +- bfa_pending_q_init(&cb_qe, (bfa_cb_cbfn_t)bfad_hcb_comp, +- &fcomp, &iocmd->stats); ++ bfa_pending_q_init_status(&cb_qe, bfad_hcb_comp, &fcomp, &iocmd->stats); + spin_lock_irqsave(&bfad->bfad_lock, flags); + iocmd->status = bfa_fcport_get_stats(&bfad->bfa, &cb_qe); + spin_unlock_irqrestore(&bfad->bfad_lock, flags); +@@ -2167,7 +2166,7 @@ bfad_iocmd_fcport_reset_stats(struct bfad_s *bfad, void *cmd) + struct bfa_cb_pending_q_s cb_qe; + + init_completion(&fcomp.comp); +- bfa_pending_q_init(&cb_qe, (bfa_cb_cbfn_t)bfad_hcb_comp, &fcomp, NULL); ++ bfa_pending_q_init_status(&cb_qe, bfad_hcb_comp, &fcomp, NULL); + + spin_lock_irqsave(&bfad->bfad_lock, flags); + iocmd->status = bfa_fcport_clear_stats(&bfad->bfa, &cb_qe); +@@ -2451,8 +2450,7 @@ bfad_iocmd_qos_get_stats(struct bfad_s *bfad, void *cmd) + struct bfa_fcport_s *fcport = BFA_FCPORT_MOD(&bfad->bfa); + + init_completion(&fcomp.comp); +- bfa_pending_q_init(&cb_qe, (bfa_cb_cbfn_t)bfad_hcb_comp, +- &fcomp, &iocmd->stats); ++ bfa_pending_q_init_status(&cb_qe, bfad_hcb_comp, &fcomp, &iocmd->stats); + + spin_lock_irqsave(&bfad->bfad_lock, flags); + WARN_ON(!bfa_ioc_get_fcmode(&bfad->bfa.ioc)); +@@ -2482,8 +2480,7 @@ bfad_iocmd_qos_reset_stats(struct bfad_s *bfad, void *cmd) + struct bfa_fcport_s *fcport = BFA_FCPORT_MOD(&bfad->bfa); + + init_completion(&fcomp.comp); +- bfa_pending_q_init(&cb_qe, (bfa_cb_cbfn_t)bfad_hcb_comp, +- &fcomp, NULL); ++ bfa_pending_q_init_status(&cb_qe, bfad_hcb_comp, &fcomp, NULL); + + spin_lock_irqsave(&bfad->bfad_lock, flags); + WARN_ON(!bfa_ioc_get_fcmode(&bfad->bfa.ioc)); +-- +2.43.0 + diff --git a/queue-4.19/scsi-csiostor-avoid-function-pointer-casts.patch b/queue-4.19/scsi-csiostor-avoid-function-pointer-casts.patch new file mode 100644 index 00000000000..46740b1c82e --- /dev/null +++ b/queue-4.19/scsi-csiostor-avoid-function-pointer-casts.patch @@ -0,0 +1,135 @@ +From 6470c727412945e5aa8cbc09b4df5b83454ac9f0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Feb 2024 11:05:00 +0100 +Subject: scsi: csiostor: Avoid function pointer casts + +From: Arnd Bergmann + +[ Upstream commit 9f3dbcb5632d6876226031d552ef6163bb3ad215 ] + +csiostor uses function pointer casts to keep the csio_ln_ev state machine +hidden, but this causes warnings about control flow integrity (KCFI) +violations in clang-16 and higher: + +drivers/scsi/csiostor/csio_lnode.c:1098:33: error: cast from 'void (*)(struct csio_lnode *, enum csio_ln_ev)' to 'csio_sm_state_t' (aka 'void (*)(void *, unsigned int)') converts to incompatible function type [-Werror,-Wcast-function-type-strict] + 1098 | return (csio_get_state(ln) == ((csio_sm_state_t)csio_lns_ready)); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +drivers/scsi/csiostor/csio_lnode.c:1369:29: error: cast from 'void (*)(struct csio_lnode *, enum csio_ln_ev)' to 'csio_sm_state_t' (aka 'void (*)(void *, unsigned int)') converts to incompatible function type [-Werror,-Wcast-function-type-strict] + 1369 | if (csio_get_state(ln) == ((csio_sm_state_t)csio_lns_uninit)) { + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +drivers/scsi/csiostor/csio_lnode.c:1373:29: error: cast from 'void (*)(struct csio_lnode *, enum csio_ln_ev)' to 'csio_sm_state_t' (aka 'void (*)(void *, unsigned int)') converts to incompatible function type [-Werror,-Wcast-function-type-strict] + 1373 | if (csio_get_state(ln) == ((csio_sm_state_t)csio_lns_ready)) { + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +drivers/scsi/csiostor/csio_lnode.c:1377:29: error: cast from 'void (*)(struct csio_lnode *, enum csio_ln_ev)' to 'csio_sm_state_t' (aka 'void (*)(void *, unsigned int)') converts to incompatible function type [-Werror,-Wcast-function-type-strict] + 1377 | if (csio_get_state(ln) == ((csio_sm_state_t)csio_lns_offline)) { + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Move the enum into a shared header so the correct types can be used without +the need for casts. + +Fixes: a3667aaed569 ("[SCSI] csiostor: Chelsio FCoE offload driver") +Signed-off-by: Arnd Bergmann +Link: https://lore.kernel.org/r/20240213100518.457623-1-arnd@kernel.org +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/csiostor/csio_defs.h | 18 ++++++++++++++++-- + drivers/scsi/csiostor/csio_lnode.c | 8 ++++---- + drivers/scsi/csiostor/csio_lnode.h | 13 ------------- + 3 files changed, 20 insertions(+), 19 deletions(-) + +diff --git a/drivers/scsi/csiostor/csio_defs.h b/drivers/scsi/csiostor/csio_defs.h +index c38017b4af982..e50e93e7fe5a1 100644 +--- a/drivers/scsi/csiostor/csio_defs.h ++++ b/drivers/scsi/csiostor/csio_defs.h +@@ -73,7 +73,21 @@ csio_list_deleted(struct list_head *list) + #define csio_list_prev(elem) (((struct list_head *)(elem))->prev) + + /* State machine */ +-typedef void (*csio_sm_state_t)(void *, uint32_t); ++struct csio_lnode; ++ ++/* State machine evets */ ++enum csio_ln_ev { ++ CSIO_LNE_NONE = (uint32_t)0, ++ CSIO_LNE_LINKUP, ++ CSIO_LNE_FAB_INIT_DONE, ++ CSIO_LNE_LINK_DOWN, ++ CSIO_LNE_DOWN_LINK, ++ CSIO_LNE_LOGO, ++ CSIO_LNE_CLOSE, ++ CSIO_LNE_MAX_EVENT, ++}; ++ ++typedef void (*csio_sm_state_t)(struct csio_lnode *ln, enum csio_ln_ev evt); + + struct csio_sm { + struct list_head sm_list; +@@ -83,7 +97,7 @@ struct csio_sm { + static inline void + csio_set_state(void *smp, void *state) + { +- ((struct csio_sm *)smp)->sm_state = (csio_sm_state_t)state; ++ ((struct csio_sm *)smp)->sm_state = state; + } + + static inline void +diff --git a/drivers/scsi/csiostor/csio_lnode.c b/drivers/scsi/csiostor/csio_lnode.c +index 98944fb3f0b85..1c4e1c86c1d2f 100644 +--- a/drivers/scsi/csiostor/csio_lnode.c ++++ b/drivers/scsi/csiostor/csio_lnode.c +@@ -1095,7 +1095,7 @@ csio_handle_link_down(struct csio_hw *hw, uint8_t portid, uint32_t fcfi, + int + csio_is_lnode_ready(struct csio_lnode *ln) + { +- return (csio_get_state(ln) == ((csio_sm_state_t)csio_lns_ready)); ++ return (csio_get_state(ln) == csio_lns_ready); + } + + /*****************************************************************************/ +@@ -1367,15 +1367,15 @@ csio_free_fcfinfo(struct kref *kref) + void + csio_lnode_state_to_str(struct csio_lnode *ln, int8_t *str) + { +- if (csio_get_state(ln) == ((csio_sm_state_t)csio_lns_uninit)) { ++ if (csio_get_state(ln) == csio_lns_uninit) { + strcpy(str, "UNINIT"); + return; + } +- if (csio_get_state(ln) == ((csio_sm_state_t)csio_lns_ready)) { ++ if (csio_get_state(ln) == csio_lns_ready) { + strcpy(str, "READY"); + return; + } +- if (csio_get_state(ln) == ((csio_sm_state_t)csio_lns_offline)) { ++ if (csio_get_state(ln) == csio_lns_offline) { + strcpy(str, "OFFLINE"); + return; + } +diff --git a/drivers/scsi/csiostor/csio_lnode.h b/drivers/scsi/csiostor/csio_lnode.h +index 372a67d122d38..607698a0f0631 100644 +--- a/drivers/scsi/csiostor/csio_lnode.h ++++ b/drivers/scsi/csiostor/csio_lnode.h +@@ -53,19 +53,6 @@ + extern int csio_fcoe_rnodes; + extern int csio_fdmi_enable; + +-/* State machine evets */ +-enum csio_ln_ev { +- CSIO_LNE_NONE = (uint32_t)0, +- CSIO_LNE_LINKUP, +- CSIO_LNE_FAB_INIT_DONE, +- CSIO_LNE_LINK_DOWN, +- CSIO_LNE_DOWN_LINK, +- CSIO_LNE_LOGO, +- CSIO_LNE_CLOSE, +- CSIO_LNE_MAX_EVENT, +-}; +- +- + struct csio_fcf_info { + struct list_head list; + uint8_t priority; +-- +2.43.0 + diff --git a/queue-4.19/series b/queue-4.19/series index 9ac6d62539c..1451d833d77 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -15,3 +15,119 @@ asoc-wm8962-fix-up-incorrect-error-message-in-wm8962.patch crypto-algif_aead-fix-uninitialized-ctx-init.patch crypto-af_alg-make-some-functions-static.patch crypto-algif_aead-only-wake-up-when-ctx-more-is-zero.patch +do_sys_name_to_handle-use-kzalloc-to-fix-kernel-info.patch +fs-select-rework-stack-allocation-hack-for-clang.patch +md-switch-to-check_events-for-media-change-notificat.patch +block-add-a-new-set_read_only-method.patch +md-implement-set_read_only-to-hook-into-blkroset-pro.patch +md-don-t-clear-md_closing-when-the-raid-is-about-to-.patch +aoe-fix-the-potential-use-after-free-problem-in-aoec.patch +timekeeping-fix-cross-timestamp-interpolation-on-cou.patch +timekeeping-fix-cross-timestamp-interpolation-corner.patch +timekeeping-fix-cross-timestamp-interpolation-for-no.patch +wifi-ath10k-fix-null-pointer-dereference-in-ath10k_w.patch +b43-dma-fix-use-true-false-for-bool-type-variable.patch +wifi-b43-stop-wake-correct-queue-in-dma-tx-path-when.patch +wifi-b43-stop-wake-correct-queue-in-pio-tx-path-when.patch +b43-main-fix-use-true-false-for-bool-type.patch +wifi-b43-stop-correct-queue-in-dma-worker-when-qos-i.patch +wifi-b43-disable-qos-for-bcm4331.patch +wifi-mwifiex-debugfs-drop-unnecessary-error-check-fo.patch +arm-dts-renesas-r8a73a4-fix-external-clocks-and-cloc.patch +cpufreq-brcmstb-avs-cpufreq-add-check-for-cpufreq_cp.patch +sock_diag-annotate-data-races-around-sock_diag_handl.patch +af_unix-annotate-data-race-of-gc_in_progress-in-wait.patch +wifi-libertas-fix-some-memleaks-in-lbs_allocate_cmd_.patch +acpi-processor_idle-fix-memory-leak-in-acpi_processo.patch +bus-tegra-aconnect-update-dependency-to-arch_tegra.patch +iommu-amd-mark-interrupt-as-managed.patch +wifi-brcmsmac-avoid-function-pointer-casts.patch +arm-dts-arm-realview-fix-development-chip-rom-compat.patch +acpi-scan-fix-device-check-notification-handling.patch +x86-relocs-ignore-relocations-in-.notes-section.patch +sunrpc-fix-some-memleaks-in-gssx_dec_option_array.patch +mmc-wmt-sdmmc-remove-an-incorrect-release_mem_region.patch +igb-move-perout-and-extts-isr-logic-to-separate-func.patch +igb-fix-missing-time-sync-events.patch +bluetooth-remove-superfluous-call-to-hci_conn_check_.patch +bluetooth-hci_core-fix-possible-buffer-overflow.patch +sr9800-add-check-for-usbnet_get_endpoints.patch +bpf-fix-hashtab-overflow-check-on-32-bit-arches.patch +bpf-fix-stackmap-overflow-check-on-32-bit-arches.patch +ipv6-fib6_rules-flush-route-cache-when-rule-is-chang.patch +tcp-fix-incorrect-parameter-validation-in-the-do_tcp.patch +l2tp-fix-incorrect-parameter-validation-in-the-pppol.patch +udp-fix-incorrect-parameter-validation-in-the-udp_li.patch +net-kcm-fix-incorrect-parameter-validation-in-the-kc.patch +net-x25-fix-incorrect-parameter-validation-in-the-x2.patch +nfp-flower-handle-acti_netdevs-allocation-failure.patch +dm-raid-fix-false-positive-for-requeue-needed-during.patch +dm-call-the-resume-method-on-internal-suspend.patch +drm-tegra-dsi-add-missing-check-for-of_find_device_b.patch +gpu-host1x-mipi-update-tegra_mipi_request-to-be-node.patch +drm-tegra-dsi-make-use-of-the-helper-function-dev_er.patch +drm-tegra-dsi-fix-some-error-handling-paths-in-tegra.patch +drm-tegra-dsi-fix-missing-pm_runtime_disable-in-the-.patch +drm-rockchip-inno_hdmi-fix-video-timing.patch +drm-don-t-treat-0-as-1-in-drm_fixp2int_ceil.patch +drm-rockchip-lvds-do-not-overwrite-error-code.patch +drm-rockchip-lvds-do-not-print-scary-message-when-pr.patch +media-tc358743-register-v4l2-async-device-only-after.patch +perf-evsel-fix-duplicate-initialization-of-data-id-i.patch +abi-sysfs-bus-pci-devices-aer_stats-uses-an-invalid-.patch +pci-aer-fix-rootport-attribute-paths-in-abi-docs.patch +media-em28xx-annotate-unchecked-call-to-media_device.patch +media-v4l2-tpg-fix-some-memleaks-in-tpg_alloc.patch +media-v4l2-mem2mem-fix-a-memleak-in-v4l2_m2m_registe.patch +media-dvbdev-remove-double-unlock.patch +media-media-dvb-use-kmemdup-rather-than-duplicating-.patch +media-dvbdev-fix-memleak-in-dvb_register_device.patch +media-dvbdev-fix-error-logic-at-dvb_register_device.patch +media-dvb-core-fix-use-after-free-due-to-race-at-dvb.patch +media-edia-dvbdev-fix-a-use-after-free.patch +clk-qcom-reset-allow-specifying-custom-reset-delay.patch +clk-qcom-reset-support-resetting-multiple-bits.patch +clk-qcom-reset-commonize-the-de-assert-functions.patch +clk-qcom-reset-ensure-write-completion-on-reset-de-a.patch +quota-code-cleanup-for-__dquot_alloc_space.patch +fs-quota-erase-unused-but-set-variable-warning.patch +quota-check-time-limit-when-back-out-space-inode-cha.patch +quota-simplify-drop_dquot_ref.patch +quota-fix-potential-null-pointer-dereference.patch +quota-fix-rcu-annotations-of-inode-dquot-pointers.patch +perf-thread_map-free-strlist-on-normal-path-in-threa.patch +drm-radeon-ni-fix-wrong-firmware-size-logging-in-ni_.patch +alsa-seq-fix-function-cast-warnings.patch +media-go7007-add-check-of-return-value-of-go7007_rea.patch +media-pvrusb2-fix-pvr2_stream_callback-casts.patch +firmware-qcom-scm-add-wlan-vmid-for-qualcomm-scm-int.patch +clk-qcom-dispcc-sdm845-adjust-internal-gdsc-wait-tim.patch +drm-mediatek-dsi-fix-dsi-rgb666-formats-and-definiti.patch +pci-mark-3ware-9650se-root-port-extended-tags-as-bro.patch +clk-hisilicon-hi3519-release-the-correct-number-of-g.patch +drm-tegra-put-drm_gem_object-ref-on-error-in-tegra_f.patch +mfd-syscon-call-of_node_put-only-when-of_parse_phand.patch +crypto-arm-rename-functions-to-avoid-conflict-with-c.patch +crypto-arm-sha-fix-function-cast-warnings.patch +mtd-rawnand-lpc32xx_mlc-fix-irq-handler-prototype.patch +asoc-meson-axg-tdm-interface-fix-mclk-setup-without-.patch +drm-amdgpu-fix-missing-break-in-atom_arg_imm-case-of.patch +media-pvrusb2-fix-uaf-in-pvr2_context_set_notify.patch +media-dvb-frontends-avoid-stack-overflow-warnings-wi.patch +media-go7007-fix-a-memleak-in-go7007_load_encoder.patch +drm-mediatek-fix-a-null-pointer-crash-in-mtk_drm_crt.patch +powerpc-hv-gpci-fix-the-h_get_perf_counter_info-hcal.patch +powerpc-embedded6xx-fix-no-previous-prototype-for-av.patch +backlight-lm3630a-initialize-backlight_properties-on.patch +backlight-lm3630a-don-t-set-bl-props.brightness-in-g.patch +backlight-da9052-fully-initialize-backlight_properti.patch +backlight-lm3639-fully-initialize-backlight_properti.patch +backlight-lp8788-fully-initialize-backlight_properti.patch +arch-powerpc-remove-linux-fb.h-from-backlight-code.patch +sparc32-fix-section-mismatch-in-leon_pci_grpci.patch +alsa-usb-audio-stop-parsing-channels-bits-when-all-c.patch +scsi-csiostor-avoid-function-pointer-casts.patch +scsi-bfa-fix-function-pointer-type-mismatch-for-hcb_.patch +net-sunrpc-fix-an-off-by-one-in-rpc_sockaddr2uaddr.patch +nfs-fix-an-off-by-one-in-root_nfs_cat.patch +clk-qcom-gdsc-add-support-to-update-gdsc-transition-.patch diff --git a/queue-4.19/sock_diag-annotate-data-races-around-sock_diag_handl.patch b/queue-4.19/sock_diag-annotate-data-races-around-sock_diag_handl.patch new file mode 100644 index 00000000000..6edb526623a --- /dev/null +++ b/queue-4.19/sock_diag-annotate-data-races-around-sock_diag_handl.patch @@ -0,0 +1,74 @@ +From c70a5af51d75a2d80d36f8ce0f4f9dde356b459d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Jan 2024 11:25:55 +0000 +Subject: sock_diag: annotate data-races around sock_diag_handlers[family] + +From: Eric Dumazet + +[ Upstream commit efd402537673f9951992aea4ef0f5ff51d858f4b ] + +__sock_diag_cmd() and sock_diag_bind() read sock_diag_handlers[family] +without a lock held. + +Use READ_ONCE()/WRITE_ONCE() annotations to avoid potential issues. + +Fixes: 8ef874bfc729 ("sock_diag: Move the sock_ code to net/core/") +Signed-off-by: Eric Dumazet +Reviewed-by: Guillaume Nault +Reviewed-by: Kuniyuki Iwashima +Reviewed-by: Willem de Bruijn +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/core/sock_diag.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/net/core/sock_diag.c b/net/core/sock_diag.c +index 3312a5849a974..980a2d4650628 100644 +--- a/net/core/sock_diag.c ++++ b/net/core/sock_diag.c +@@ -187,7 +187,7 @@ int sock_diag_register(const struct sock_diag_handler *hndl) + if (sock_diag_handlers[hndl->family]) + err = -EBUSY; + else +- sock_diag_handlers[hndl->family] = hndl; ++ WRITE_ONCE(sock_diag_handlers[hndl->family], hndl); + mutex_unlock(&sock_diag_table_mutex); + + return err; +@@ -203,7 +203,7 @@ void sock_diag_unregister(const struct sock_diag_handler *hnld) + + mutex_lock(&sock_diag_table_mutex); + BUG_ON(sock_diag_handlers[family] != hnld); +- sock_diag_handlers[family] = NULL; ++ WRITE_ONCE(sock_diag_handlers[family], NULL); + mutex_unlock(&sock_diag_table_mutex); + } + EXPORT_SYMBOL_GPL(sock_diag_unregister); +@@ -221,7 +221,7 @@ static int __sock_diag_cmd(struct sk_buff *skb, struct nlmsghdr *nlh) + return -EINVAL; + req->sdiag_family = array_index_nospec(req->sdiag_family, AF_MAX); + +- if (sock_diag_handlers[req->sdiag_family] == NULL) ++ if (READ_ONCE(sock_diag_handlers[req->sdiag_family]) == NULL) + sock_load_diag_module(req->sdiag_family, 0); + + mutex_lock(&sock_diag_table_mutex); +@@ -280,12 +280,12 @@ static int sock_diag_bind(struct net *net, int group) + switch (group) { + case SKNLGRP_INET_TCP_DESTROY: + case SKNLGRP_INET_UDP_DESTROY: +- if (!sock_diag_handlers[AF_INET]) ++ if (!READ_ONCE(sock_diag_handlers[AF_INET])) + sock_load_diag_module(AF_INET, 0); + break; + case SKNLGRP_INET6_TCP_DESTROY: + case SKNLGRP_INET6_UDP_DESTROY: +- if (!sock_diag_handlers[AF_INET6]) ++ if (!READ_ONCE(sock_diag_handlers[AF_INET6])) + sock_load_diag_module(AF_INET6, 0); + break; + } +-- +2.43.0 + diff --git a/queue-4.19/sparc32-fix-section-mismatch-in-leon_pci_grpci.patch b/queue-4.19/sparc32-fix-section-mismatch-in-leon_pci_grpci.patch new file mode 100644 index 00000000000..b6b2c58de2b --- /dev/null +++ b/queue-4.19/sparc32-fix-section-mismatch-in-leon_pci_grpci.patch @@ -0,0 +1,62 @@ +From 92a374675b88d37ac5597af8b5ef78d39436fcff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 24 Feb 2024 18:42:28 +0100 +Subject: sparc32: Fix section mismatch in leon_pci_grpci + +From: Sam Ravnborg + +[ Upstream commit 24338a6ae13cb743ced77da1b3a12c83f08a0c96 ] + +Passing a datastructre marked _initconst to platform_driver_register() +is wrong. Drop the __initconst notation. + +This fixes the following warnings: + +WARNING: modpost: vmlinux: section mismatch in reference: grpci1_of_driver+0x30 (section: .data) -> grpci1_of_match (section: .init.rodata) +WARNING: modpost: vmlinux: section mismatch in reference: grpci2_of_driver+0x30 (section: .data) -> grpci2_of_match (section: .init.rodata) + +Signed-off-by: Sam Ravnborg +Cc: "David S. Miller" +Cc: Andreas Larsson +Fixes: 4154bb821f0b ("sparc: leon: grpci1: constify of_device_id") +Fixes: 03949b1cb9f1 ("sparc: leon: grpci2: constify of_device_id") +Tested-by: Randy Dunlap # build-tested +Reviewed-by: Andreas Larsson +Tested-by: Andreas Larsson +Signed-off-by: Andreas Larsson +Link: https://lore.kernel.org/r/20240224-sam-fix-sparc32-all-builds-v2-7-1f186603c5c4@ravnborg.org +Signed-off-by: Sasha Levin +--- + arch/sparc/kernel/leon_pci_grpci1.c | 2 +- + arch/sparc/kernel/leon_pci_grpci2.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/sparc/kernel/leon_pci_grpci1.c b/arch/sparc/kernel/leon_pci_grpci1.c +index e6935d0ac1ec9..c32590bdd3120 100644 +--- a/arch/sparc/kernel/leon_pci_grpci1.c ++++ b/arch/sparc/kernel/leon_pci_grpci1.c +@@ -696,7 +696,7 @@ static int grpci1_of_probe(struct platform_device *ofdev) + return err; + } + +-static const struct of_device_id grpci1_of_match[] __initconst = { ++static const struct of_device_id grpci1_of_match[] = { + { + .name = "GAISLER_PCIFBRG", + }, +diff --git a/arch/sparc/kernel/leon_pci_grpci2.c b/arch/sparc/kernel/leon_pci_grpci2.c +index ca22f93d90454..dd06abc61657f 100644 +--- a/arch/sparc/kernel/leon_pci_grpci2.c ++++ b/arch/sparc/kernel/leon_pci_grpci2.c +@@ -887,7 +887,7 @@ static int grpci2_of_probe(struct platform_device *ofdev) + return err; + } + +-static const struct of_device_id grpci2_of_match[] __initconst = { ++static const struct of_device_id grpci2_of_match[] = { + { + .name = "GAISLER_GRPCI2", + }, +-- +2.43.0 + diff --git a/queue-4.19/sr9800-add-check-for-usbnet_get_endpoints.patch b/queue-4.19/sr9800-add-check-for-usbnet_get_endpoints.patch new file mode 100644 index 00000000000..d00d0cd3498 --- /dev/null +++ b/queue-4.19/sr9800-add-check-for-usbnet_get_endpoints.patch @@ -0,0 +1,40 @@ +From 205b7d5cbf712013d0a547d37c7ece3503a672ac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Mar 2024 07:59:27 +0000 +Subject: sr9800: Add check for usbnet_get_endpoints + +From: Chen Ni + +[ Upstream commit 07161b2416f740a2cb87faa5566873f401440a61 ] + +Add check for usbnet_get_endpoints() and return the error if it fails +in order to transfer the error. + +Signed-off-by: Chen Ni +Reviewed-by: Simon Horman +Fixes: 19a38d8e0aa3 ("USB2NET : SR9800 : One chip USB2.0 USB2NET SR9800 Device Driver Support") +Link: https://lore.kernel.org/r/20240305075927.261284-1-nichen@iscas.ac.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/usb/sr9800.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/usb/sr9800.c b/drivers/net/usb/sr9800.c +index 8f8c9ede88c26..a5ff7df10505b 100644 +--- a/drivers/net/usb/sr9800.c ++++ b/drivers/net/usb/sr9800.c +@@ -737,7 +737,9 @@ static int sr9800_bind(struct usbnet *dev, struct usb_interface *intf) + + data->eeprom_len = SR9800_EEPROM_LEN; + +- usbnet_get_endpoints(dev, intf); ++ ret = usbnet_get_endpoints(dev, intf); ++ if (ret) ++ goto out; + + /* LED Setting Rule : + * AABB:CCDD +-- +2.43.0 + diff --git a/queue-4.19/sunrpc-fix-some-memleaks-in-gssx_dec_option_array.patch b/queue-4.19/sunrpc-fix-some-memleaks-in-gssx_dec_option_array.patch new file mode 100644 index 00000000000..b27b75bb7ec --- /dev/null +++ b/queue-4.19/sunrpc-fix-some-memleaks-in-gssx_dec_option_array.patch @@ -0,0 +1,86 @@ +From ad8f3e80e3206d48bead79708448c1f7db01d128 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Jan 2024 13:38:13 +0800 +Subject: SUNRPC: fix some memleaks in gssx_dec_option_array + +From: Zhipeng Lu + +[ Upstream commit 3cfcfc102a5e57b021b786a755a38935e357797d ] + +The creds and oa->data need to be freed in the error-handling paths after +their allocation. So this patch add these deallocations in the +corresponding paths. + +Fixes: 1d658336b05f ("SUNRPC: Add RPC based upcall mechanism for RPCGSS auth") +Signed-off-by: Zhipeng Lu +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +--- + net/sunrpc/auth_gss/gss_rpc_xdr.c | 27 +++++++++++++++++++-------- + 1 file changed, 19 insertions(+), 8 deletions(-) + +diff --git a/net/sunrpc/auth_gss/gss_rpc_xdr.c b/net/sunrpc/auth_gss/gss_rpc_xdr.c +index 444380f968f11..730a9c4dc9931 100644 +--- a/net/sunrpc/auth_gss/gss_rpc_xdr.c ++++ b/net/sunrpc/auth_gss/gss_rpc_xdr.c +@@ -263,8 +263,8 @@ static int gssx_dec_option_array(struct xdr_stream *xdr, + + creds = kzalloc(sizeof(struct svc_cred), GFP_KERNEL); + if (!creds) { +- kfree(oa->data); +- return -ENOMEM; ++ err = -ENOMEM; ++ goto free_oa; + } + + oa->data[0].option.data = CREDS_VALUE; +@@ -278,29 +278,40 @@ static int gssx_dec_option_array(struct xdr_stream *xdr, + + /* option buffer */ + p = xdr_inline_decode(xdr, 4); +- if (unlikely(p == NULL)) +- return -ENOSPC; ++ if (unlikely(p == NULL)) { ++ err = -ENOSPC; ++ goto free_creds; ++ } + + length = be32_to_cpup(p); + p = xdr_inline_decode(xdr, length); +- if (unlikely(p == NULL)) +- return -ENOSPC; ++ if (unlikely(p == NULL)) { ++ err = -ENOSPC; ++ goto free_creds; ++ } + + if (length == sizeof(CREDS_VALUE) && + memcmp(p, CREDS_VALUE, sizeof(CREDS_VALUE)) == 0) { + /* We have creds here. parse them */ + err = gssx_dec_linux_creds(xdr, creds); + if (err) +- return err; ++ goto free_creds; + oa->data[0].value.len = 1; /* presence */ + } else { + /* consume uninteresting buffer */ + err = gssx_dec_buffer(xdr, &dummy); + if (err) +- return err; ++ goto free_creds; + } + } + return 0; ++ ++free_creds: ++ kfree(creds); ++free_oa: ++ kfree(oa->data); ++ oa->data = NULL; ++ return err; + } + + static int gssx_dec_status(struct xdr_stream *xdr, +-- +2.43.0 + diff --git a/queue-4.19/tcp-fix-incorrect-parameter-validation-in-the-do_tcp.patch b/queue-4.19/tcp-fix-incorrect-parameter-validation-in-the-do_tcp.patch new file mode 100644 index 00000000000..b6673ace8a0 --- /dev/null +++ b/queue-4.19/tcp-fix-incorrect-parameter-validation-in-the-do_tcp.patch @@ -0,0 +1,47 @@ +From 773631d12ffc8a1c6ae9bf89f7529f34f82fe70c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Mar 2024 14:23:49 +0000 +Subject: tcp: fix incorrect parameter validation in the do_tcp_getsockopt() + function + +From: Gavrilov Ilia + +[ Upstream commit 716edc9706deb3bb2ff56e2eeb83559cea8f22db ] + +The 'len' variable can't be negative when assigned the result of +'min_t' because all 'min_t' parameters are cast to unsigned int, +and then the minimum one is chosen. + +To fix the logic, check 'len' as read from 'optlen', +where the types of relevant variables are (signed) int. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Gavrilov Ilia +Reviewed-by: Jason Xing +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index 712186336997b..3df973d22295c 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -3369,11 +3369,11 @@ static int do_tcp_getsockopt(struct sock *sk, int level, + if (get_user(len, optlen)) + return -EFAULT; + +- len = min_t(unsigned int, len, sizeof(int)); +- + if (len < 0) + return -EINVAL; + ++ len = min_t(unsigned int, len, sizeof(int)); ++ + switch (optname) { + case TCP_MAXSEG: + val = tp->mss_cache; +-- +2.43.0 + diff --git a/queue-4.19/timekeeping-fix-cross-timestamp-interpolation-corner.patch b/queue-4.19/timekeeping-fix-cross-timestamp-interpolation-corner.patch new file mode 100644 index 00000000000..c9a3c33e573 --- /dev/null +++ b/queue-4.19/timekeeping-fix-cross-timestamp-interpolation-corner.patch @@ -0,0 +1,114 @@ +From 1b61d583866f210f45ac567cb9ecead4a28cf9a7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Dec 2023 08:38:40 +0100 +Subject: timekeeping: Fix cross-timestamp interpolation corner case decision + +From: Peter Hilber + +[ Upstream commit 87a41130881995f82f7adbafbfeddaebfb35f0ef ] + +The cycle_between() helper checks if parameter test is in the open interval +(before, after). Colloquially speaking, this also applies to the counter +wrap-around special case before > after. get_device_system_crosststamp() +currently uses cycle_between() at the first call site to decide whether to +interpolate for older counter readings. + +get_device_system_crosststamp() has the following problem with +cycle_between() testing against an open interval: Assume that, by chance, +cycles == tk->tkr_mono.cycle_last (in the following, "cycle_last" for +brevity). Then, cycle_between() at the first call site, with effective +argument values cycle_between(cycle_last, cycles, now), returns false, +enabling interpolation. During interpolation, +get_device_system_crosststamp() will then call cycle_between() at the +second call site (if a history_begin was supplied). The effective argument +values are cycle_between(history_begin->cycles, cycles, cycles), since +system_counterval.cycles == interval_start == cycles, per the assumption. +Due to the test against the open interval, cycle_between() returns false +again. This causes get_device_system_crosststamp() to return -EINVAL. + +This failure should be avoided, since get_device_system_crosststamp() works +both when cycles follows cycle_last (no interpolation), and when cycles +precedes cycle_last (interpolation). For the case cycles == cycle_last, +interpolation is actually unneeded. + +Fix this by changing cycle_between() into timestamp_in_interval(), which +now checks against the closed interval, rather than the open interval. + +This changes the get_device_system_crosststamp() behavior for three corner +cases: + +1. Bypass interpolation in the case cycles == tk->tkr_mono.cycle_last, + fixing the problem described above. + +2. At the first timestamp_in_interval() call site, cycles == now no longer + causes failure. + +3. At the second timestamp_in_interval() call site, history_begin->cycles + == system_counterval.cycles no longer causes failure. + adjust_historical_crosststamp() also works for this corner case, + where partial_history_cycles == total_history_cycles. + +These behavioral changes should not cause any problems. + +Fixes: 2c756feb18d9 ("time: Add history to cross timestamp interface supporting slower devices") +Signed-off-by: Peter Hilber +Signed-off-by: Thomas Gleixner +Link: https://lore.kernel.org/r/20231218073849.35294-3-peter.hilber@opensynergy.com +Signed-off-by: Sasha Levin +--- + kernel/time/timekeeping.c | 18 ++++++++++-------- + 1 file changed, 10 insertions(+), 8 deletions(-) + +diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c +index 7a306bad183bf..ab36b20cdbec2 100644 +--- a/kernel/time/timekeeping.c ++++ b/kernel/time/timekeeping.c +@@ -1091,13 +1091,15 @@ static int adjust_historical_crosststamp(struct system_time_snapshot *history, + } + + /* +- * cycle_between - true if test occurs chronologically between before and after ++ * timestamp_in_interval - true if ts is chronologically in [start, end] ++ * ++ * True if ts occurs chronologically at or after start, and before or at end. + */ +-static bool cycle_between(u64 before, u64 test, u64 after) ++static bool timestamp_in_interval(u64 start, u64 end, u64 ts) + { +- if (test > before && test < after) ++ if (ts >= start && ts <= end) + return true; +- if (before > after && (test > before || test < after)) ++ if (start > end && (ts >= start || ts <= end)) + return true; + return false; + } +@@ -1157,7 +1159,7 @@ int get_device_system_crosststamp(int (*get_time_fn) + */ + now = tk_clock_read(&tk->tkr_mono); + interval_start = tk->tkr_mono.cycle_last; +- if (!cycle_between(interval_start, cycles, now)) { ++ if (!timestamp_in_interval(interval_start, now, cycles)) { + clock_was_set_seq = tk->clock_was_set_seq; + cs_was_changed_seq = tk->cs_was_changed_seq; + cycles = interval_start; +@@ -1188,13 +1190,13 @@ int get_device_system_crosststamp(int (*get_time_fn) + bool discontinuity; + + /* +- * Check that the counter value occurs after the provided ++ * Check that the counter value is not before the provided + * history reference and that the history doesn't cross a + * clocksource change + */ + if (!history_begin || +- !cycle_between(history_begin->cycles, +- system_counterval.cycles, cycles) || ++ !timestamp_in_interval(history_begin->cycles, ++ cycles, system_counterval.cycles) || + history_begin->cs_was_changed_seq != cs_was_changed_seq) + return -EINVAL; + partial_history_cycles = cycles - system_counterval.cycles; +-- +2.43.0 + diff --git a/queue-4.19/timekeeping-fix-cross-timestamp-interpolation-for-no.patch b/queue-4.19/timekeeping-fix-cross-timestamp-interpolation-for-no.patch new file mode 100644 index 00000000000..dcf772942f3 --- /dev/null +++ b/queue-4.19/timekeeping-fix-cross-timestamp-interpolation-for-no.patch @@ -0,0 +1,58 @@ +From 3213e6907c0bc0720404534102a44e7d5eb3cb29 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Dec 2023 08:38:41 +0100 +Subject: timekeeping: Fix cross-timestamp interpolation for non-x86 + +From: Peter Hilber + +[ Upstream commit 14274d0bd31b4debf28284604589f596ad2e99f2 ] + +So far, get_device_system_crosststamp() unconditionally passes +system_counterval.cycles to timekeeping_cycles_to_ns(). But when +interpolating system time (do_interp == true), system_counterval.cycles is +before tkr_mono.cycle_last, contrary to the timekeeping_cycles_to_ns() +expectations. + +On x86, CONFIG_CLOCKSOURCE_VALIDATE_LAST_CYCLE will mitigate on +interpolating, setting delta to 0. With delta == 0, xtstamp->sys_monoraw +and xtstamp->sys_realtime are then set to the last update time, as +implicitly expected by adjust_historical_crosststamp(). On other +architectures, the resulting nonsense xtstamp->sys_monoraw and +xtstamp->sys_realtime corrupt the xtstamp (ts) adjustment in +adjust_historical_crosststamp(). + +Fix this by deriving xtstamp->sys_monoraw and xtstamp->sys_realtime from +the last update time when interpolating, by using the local variable +"cycles". The local variable already has the right value when +interpolating, unlike system_counterval.cycles. + +Fixes: 2c756feb18d9 ("time: Add history to cross timestamp interface supporting slower devices") +Signed-off-by: Peter Hilber +Signed-off-by: Thomas Gleixner +Acked-by: John Stultz +Link: https://lore.kernel.org/r/20231218073849.35294-4-peter.hilber@opensynergy.com +Signed-off-by: Sasha Levin +--- + kernel/time/timekeeping.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c +index ab36b20cdbec2..e43706e2c038f 100644 +--- a/kernel/time/timekeeping.c ++++ b/kernel/time/timekeeping.c +@@ -1172,10 +1172,8 @@ int get_device_system_crosststamp(int (*get_time_fn) + tk_core.timekeeper.offs_real); + base_raw = tk->tkr_raw.base; + +- nsec_real = timekeeping_cycles_to_ns(&tk->tkr_mono, +- system_counterval.cycles); +- nsec_raw = timekeeping_cycles_to_ns(&tk->tkr_raw, +- system_counterval.cycles); ++ nsec_real = timekeeping_cycles_to_ns(&tk->tkr_mono, cycles); ++ nsec_raw = timekeeping_cycles_to_ns(&tk->tkr_raw, cycles); + } while (read_seqcount_retry(&tk_core.seq, seq)); + + xtstamp->sys_realtime = ktime_add_ns(base_real, nsec_real); +-- +2.43.0 + diff --git a/queue-4.19/timekeeping-fix-cross-timestamp-interpolation-on-cou.patch b/queue-4.19/timekeeping-fix-cross-timestamp-interpolation-on-cou.patch new file mode 100644 index 00000000000..2fe7bcbd4dc --- /dev/null +++ b/queue-4.19/timekeeping-fix-cross-timestamp-interpolation-on-cou.patch @@ -0,0 +1,43 @@ +From 89f46dd91d6f67fa09bc2c6ce14907b9138d7ea4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Dec 2023 08:38:39 +0100 +Subject: timekeeping: Fix cross-timestamp interpolation on counter wrap + +From: Peter Hilber + +[ Upstream commit 84dccadd3e2a3f1a373826ad71e5ced5e76b0c00 ] + +cycle_between() decides whether get_device_system_crosststamp() will +interpolate for older counter readings. + +cycle_between() yields wrong results for a counter wrap-around where after +< before < test, and for the case after < test < before. + +Fix the comparison logic. + +Fixes: 2c756feb18d9 ("time: Add history to cross timestamp interface supporting slower devices") +Signed-off-by: Peter Hilber +Signed-off-by: Thomas Gleixner +Acked-by: John Stultz +Link: https://lore.kernel.org/r/20231218073849.35294-2-peter.hilber@opensynergy.com +Signed-off-by: Sasha Levin +--- + kernel/time/timekeeping.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c +index 087f71183c3f2..7a306bad183bf 100644 +--- a/kernel/time/timekeeping.c ++++ b/kernel/time/timekeeping.c +@@ -1097,7 +1097,7 @@ static bool cycle_between(u64 before, u64 test, u64 after) + { + if (test > before && test < after) + return true; +- if (test < before && before > after) ++ if (before > after && (test > before || test < after)) + return true; + return false; + } +-- +2.43.0 + diff --git a/queue-4.19/udp-fix-incorrect-parameter-validation-in-the-udp_li.patch b/queue-4.19/udp-fix-incorrect-parameter-validation-in-the-udp_li.patch new file mode 100644 index 00000000000..cd9b7d6885c --- /dev/null +++ b/queue-4.19/udp-fix-incorrect-parameter-validation-in-the-udp_li.patch @@ -0,0 +1,47 @@ +From e7e79e914d46cefec23bd4bc2d5e2aeaedd500bb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Mar 2024 14:23:50 +0000 +Subject: udp: fix incorrect parameter validation in the udp_lib_getsockopt() + function + +From: Gavrilov Ilia + +[ Upstream commit 4bb3ba7b74fceec6f558745b25a43c6521cf5506 ] + +The 'len' variable can't be negative when assigned the result of +'min_t' because all 'min_t' parameters are cast to unsigned int, +and then the minimum one is chosen. + +To fix the logic, check 'len' as read from 'optlen', +where the types of relevant variables are (signed) int. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reviewed-by: Willem de Bruijn +Signed-off-by: Gavrilov Ilia +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/udp.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c +index a6048cc7fc35f..6e4b26c6f97c2 100644 +--- a/net/ipv4/udp.c ++++ b/net/ipv4/udp.c +@@ -2579,11 +2579,11 @@ int udp_lib_getsockopt(struct sock *sk, int level, int optname, + if (get_user(len, optlen)) + return -EFAULT; + +- len = min_t(unsigned int, len, sizeof(int)); +- + if (len < 0) + return -EINVAL; + ++ len = min_t(unsigned int, len, sizeof(int)); ++ + switch (optname) { + case UDP_CORK: + val = READ_ONCE(up->corkflag); +-- +2.43.0 + diff --git a/queue-4.19/wifi-ath10k-fix-null-pointer-dereference-in-ath10k_w.patch b/queue-4.19/wifi-ath10k-fix-null-pointer-dereference-in-ath10k_w.patch new file mode 100644 index 00000000000..e39fac5aed2 --- /dev/null +++ b/queue-4.19/wifi-ath10k-fix-null-pointer-dereference-in-ath10k_w.patch @@ -0,0 +1,42 @@ +From 105e72f8283dd2431f709b39e1fdbb553d9a17ff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 17 Dec 2023 13:29:01 +0200 +Subject: wifi: ath10k: fix NULL pointer dereference in + ath10k_wmi_tlv_op_pull_mgmt_tx_compl_ev() + +From: Xingyuan Mo + +[ Upstream commit ad25ee36f00172f7d53242dc77c69fff7ced0755 ] + +We should check whether the WMI_TLV_TAG_STRUCT_MGMT_TX_COMPL_EVENT tlv is +present before accessing it, otherwise a null pointer deference error will +occur. + +Fixes: dc405152bb64 ("ath10k: handle mgmt tx completion event") +Signed-off-by: Xingyuan Mo +Acked-by: Jeff Johnson +Signed-off-by: Kalle Valo +Link: https://msgid.link/20231208043433.271449-1-hdthky0@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath10k/wmi-tlv.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/wireless/ath/ath10k/wmi-tlv.c b/drivers/net/wireless/ath/ath10k/wmi-tlv.c +index 243887fdb343e..c9df78950ff4b 100644 +--- a/drivers/net/wireless/ath/ath10k/wmi-tlv.c ++++ b/drivers/net/wireless/ath/ath10k/wmi-tlv.c +@@ -684,6 +684,10 @@ ath10k_wmi_tlv_op_pull_mgmt_tx_compl_ev(struct ath10k *ar, struct sk_buff *skb, + } + + ev = tb[WMI_TLV_TAG_STRUCT_MGMT_TX_COMPL_EVENT]; ++ if (!ev) { ++ kfree(tb); ++ return -EPROTO; ++ } + + arg->desc_id = ev->desc_id; + arg->status = ev->status; +-- +2.43.0 + diff --git a/queue-4.19/wifi-b43-disable-qos-for-bcm4331.patch b/queue-4.19/wifi-b43-disable-qos-for-bcm4331.patch new file mode 100644 index 00000000000..92121f14cca --- /dev/null +++ b/queue-4.19/wifi-b43-disable-qos-for-bcm4331.patch @@ -0,0 +1,68 @@ +From 1319aab74e888355a7feee747f03e3a8ccbc620d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 31 Dec 2023 05:03:58 +0000 +Subject: wifi: b43: Disable QoS for bcm4331 + +From: Rahul Rameshbabu + +[ Upstream commit 09795bded2e725443fe4a4803cae2079cdaf7b26 ] + +bcm4331 seems to not function correctly with QoS support. This may be due +to issues with currently available firmware or potentially a device +specific issue. + +When queues that are not of the default "best effort" priority are +selected, traffic appears to not transmit out of the hardware while no +errors are returned. This behavior is present among all the other priority +queues: video, voice, and background. While this can be worked around by +setting a kernel parameter, the default behavior is problematic for most +users and may be difficult to debug. This patch offers a working out-of-box +experience for bcm4331 users. + +Log of the issue (using ssh low-priority traffic as an example): + ssh -T -vvvv git@github.com + OpenSSH_9.6p1, OpenSSL 3.0.12 24 Oct 2023 + debug1: Reading configuration data /etc/ssh/ssh_config + debug2: checking match for 'host * exec "/nix/store/q1c2flcykgr4wwg5a6h450hxbk4ch589-bash-5.2-p15/bin/bash -c '/nix/store/c015armnkhr6v18za0rypm7sh1i8js8w-gnupg-2.4.1/bin/gpg-connect-agent --quiet updatestartuptty /bye >/dev/null 2>&1'"' host github.com originally github.com + debug3: /etc/ssh/ssh_config line 5: matched 'host "github.com"' + debug1: Executing command: '/nix/store/q1c2flcykgr4wwg5a6h450hxbk4ch589-bash-5.2-p15/bin/bash -c '/nix/store/c015armnkhr6v18za0rypm7sh1i8js8w-gnupg-2.4.1/bin/gpg-connect-agent --quiet updatestartuptty /bye >/dev/null 2>&1'' + debug3: command returned status 0 + debug3: /etc/ssh/ssh_config line 5: matched 'exec "/nix/store/q1c2flcykgr4wwg5a6h450hxbk4ch589-bash-5.2-p15/bin/bash -c '/nix/store/c015armnkhr6v18za0r"' + debug2: match found + debug1: /etc/ssh/ssh_config line 9: Applying options for * + debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/home/binary-eater/.ssh/known_hosts' + debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/home/binary-eater/.ssh/known_hosts2' + debug2: resolving "github.com" port 22 + debug3: resolve_host: lookup github.com:22 + debug3: channel_clear_timeouts: clearing + debug3: ssh_connect_direct: entering + debug1: Connecting to github.com [192.30.255.113] port 22. + debug3: set_sock_tos: set socket 3 IP_TOS 0x48 + +Fixes: e6f5b934fba8 ("b43: Add QOS support") +Signed-off-by: Rahul Rameshbabu +Reviewed-by: Julian Calaby +Signed-off-by: Kalle Valo +Link: https://msgid.link/20231231050300.122806-5-sergeantsagara@protonmail.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/broadcom/b43/main.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/broadcom/b43/main.c b/drivers/net/wireless/broadcom/b43/main.c +index 8d50ebdbeb1e5..6d18c01b18dd7 100644 +--- a/drivers/net/wireless/broadcom/b43/main.c ++++ b/drivers/net/wireless/broadcom/b43/main.c +@@ -2605,7 +2605,8 @@ static void b43_request_firmware(struct work_struct *work) + + start_ieee80211: + wl->hw->queues = B43_QOS_QUEUE_NUM; +- if (!modparam_qos || dev->fw.opensource) ++ if (!modparam_qos || dev->fw.opensource || ++ dev->dev->chip_id == BCMA_CHIP_ID_BCM4331) + wl->hw->queues = 1; + + err = ieee80211_register_hw(wl->hw); +-- +2.43.0 + diff --git a/queue-4.19/wifi-b43-stop-correct-queue-in-dma-worker-when-qos-i.patch b/queue-4.19/wifi-b43-stop-correct-queue-in-dma-worker-when-qos-i.patch new file mode 100644 index 00000000000..b710340563a --- /dev/null +++ b/queue-4.19/wifi-b43-stop-correct-queue-in-dma-worker-when-qos-i.patch @@ -0,0 +1,66 @@ +From 8881c6c981fde8dd50d9ec856e90436c34a66bcd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 31 Dec 2023 05:03:51 +0000 +Subject: wifi: b43: Stop correct queue in DMA worker when QoS is disabled + +From: Rahul Rameshbabu + +[ Upstream commit 581c8967d66c4961076dbbee356834e9c6777184 ] + +When QoS is disabled, the queue priority value will not map to the correct +ieee80211 queue since there is only one queue. Stop queue 0 when QoS is +disabled to prevent trying to stop a non-existent queue and failing to stop +the actual queue instantiated. + +Fixes: bad691946966 ("b43: avoid packet losses in the dma worker code.") +Signed-off-by: Rahul Rameshbabu +Reviewed-by: Julian Calaby +Signed-off-by: Kalle Valo +Link: https://msgid.link/20231231050300.122806-4-sergeantsagara@protonmail.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/broadcom/b43/main.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/wireless/broadcom/b43/main.c b/drivers/net/wireless/broadcom/b43/main.c +index 9a3563de60a77..8d50ebdbeb1e5 100644 +--- a/drivers/net/wireless/broadcom/b43/main.c ++++ b/drivers/net/wireless/broadcom/b43/main.c +@@ -3626,7 +3626,7 @@ static void b43_tx_work(struct work_struct *work) + err = b43_dma_tx(dev, skb); + if (err == -ENOSPC) { + wl->tx_queue_stopped[queue_num] = true; +- ieee80211_stop_queue(wl->hw, queue_num); ++ b43_stop_queue(dev, queue_num); + skb_queue_head(&wl->tx_queue[queue_num], skb); + break; + } +@@ -3650,6 +3650,7 @@ static void b43_op_tx(struct ieee80211_hw *hw, + struct sk_buff *skb) + { + struct b43_wl *wl = hw_to_b43_wl(hw); ++ u16 skb_queue_mapping; + + if (unlikely(skb->len < 2 + 2 + 6)) { + /* Too short, this can't be a valid frame. */ +@@ -3658,12 +3659,12 @@ static void b43_op_tx(struct ieee80211_hw *hw, + } + B43_WARN_ON(skb_shinfo(skb)->nr_frags); + +- skb_queue_tail(&wl->tx_queue[skb->queue_mapping], skb); +- if (!wl->tx_queue_stopped[skb->queue_mapping]) { ++ skb_queue_mapping = skb_get_queue_mapping(skb); ++ skb_queue_tail(&wl->tx_queue[skb_queue_mapping], skb); ++ if (!wl->tx_queue_stopped[skb_queue_mapping]) + ieee80211_queue_work(wl->hw, &wl->tx_work); +- } else { +- ieee80211_stop_queue(wl->hw, skb->queue_mapping); +- } ++ else ++ b43_stop_queue(wl->current_dev, skb_queue_mapping); + } + + static void b43_qos_params_upload(struct b43_wldev *dev, +-- +2.43.0 + diff --git a/queue-4.19/wifi-b43-stop-wake-correct-queue-in-dma-tx-path-when.patch b/queue-4.19/wifi-b43-stop-wake-correct-queue-in-dma-tx-path-when.patch new file mode 100644 index 00000000000..d8ca9f8e8af --- /dev/null +++ b/queue-4.19/wifi-b43-stop-wake-correct-queue-in-dma-tx-path-when.patch @@ -0,0 +1,167 @@ +From ef1af361cb8ad1883523a5b9471361e78c88bbbb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 31 Dec 2023 05:03:33 +0000 +Subject: wifi: b43: Stop/wake correct queue in DMA Tx path when QoS is + disabled + +From: Rahul Rameshbabu + +[ Upstream commit 9636951e4468f02c72cc75a82dc65d003077edbc ] + +When QoS is disabled, the queue priority value will not map to the correct +ieee80211 queue since there is only one queue. Stop/wake queue 0 when QoS +is disabled to prevent trying to stop/wake a non-existent queue and failing +to stop/wake the actual queue instantiated. + +Log of issue before change (with kernel parameter qos=0): + [ +5.112651] ------------[ cut here ]------------ + [ +0.000005] WARNING: CPU: 7 PID: 25513 at net/mac80211/util.c:449 __ieee80211_wake_queue+0xd5/0x180 [mac80211] + [ +0.000067] Modules linked in: b43(O) snd_seq_dummy snd_hrtimer snd_seq snd_seq_device nft_chain_nat xt_MASQUERADE nf_nat xfrm_user xfrm_algo xt_addrtype overlay ccm af_packet amdgpu snd_hda_codec_cirrus snd_hda_codec_generic ledtrig_audio drm_exec amdxcp gpu_sched xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip6t_rpfilter ipt_rpfilter xt_pkttype xt_LOG nf_log_syslog xt_tcpudp nft_compat nf_tables nfnetlink sch_fq_codel btusb uinput iTCO_wdt ctr btrtl intel_pmc_bxt i915 intel_rapl_msr mei_hdcp mei_pxp joydev at24 watchdog btintel atkbd libps2 serio radeon btbcm vivaldi_fmap btmtk intel_rapl_common snd_hda_codec_hdmi bluetooth uvcvideo nls_iso8859_1 applesmc nls_cp437 x86_pkg_temp_thermal snd_hda_intel intel_powerclamp vfat videobuf2_vmalloc coretemp fat snd_intel_dspcfg crc32_pclmul uvc polyval_clmulni snd_intel_sdw_acpi loop videobuf2_memops snd_hda_codec tun drm_suballoc_helper polyval_generic drm_ttm_helper drm_buddy tap ecdh_generic videobuf2_v4l2 gf128mul macvlan ttm ghash_clmulni_intel ecc tg3 + [ +0.000044] videodev bridge snd_hda_core rapl crc16 drm_display_helper cec mousedev snd_hwdep evdev intel_cstate bcm5974 hid_appleir videobuf2_common stp mac_hid libphy snd_pcm drm_kms_helper acpi_als mei_me intel_uncore llc mc snd_timer intel_gtt industrialio_triggered_buffer apple_mfi_fastcharge i2c_i801 mei snd lpc_ich agpgart ptp i2c_smbus thunderbolt apple_gmux i2c_algo_bit kfifo_buf video industrialio soundcore pps_core wmi tiny_power_button sbs sbshc button ac cordic bcma mac80211 cfg80211 ssb rfkill libarc4 kvm_intel kvm drm irqbypass fuse backlight firmware_class efi_pstore configfs efivarfs dmi_sysfs ip_tables x_tables autofs4 dm_crypt cbc encrypted_keys trusted asn1_encoder tee tpm rng_core input_leds hid_apple led_class hid_generic usbhid hid sd_mod t10_pi crc64_rocksoft crc64 crc_t10dif crct10dif_generic ahci libahci libata uhci_hcd ehci_pci ehci_hcd crct10dif_pclmul crct10dif_common sha512_ssse3 sha512_generic sha256_ssse3 sha1_ssse3 aesni_intel usbcore scsi_mod libaes crypto_simd cryptd scsi_common + [ +0.000055] usb_common rtc_cmos btrfs blake2b_generic libcrc32c crc32c_generic crc32c_intel xor raid6_pq dm_snapshot dm_bufio dm_mod dax [last unloaded: b43(O)] + [ +0.000009] CPU: 7 PID: 25513 Comm: irq/17-b43 Tainted: G W O 6.6.7 #1-NixOS + [ +0.000003] Hardware name: Apple Inc. MacBookPro8,3/Mac-942459F5819B171B, BIOS 87.0.0.0.0 06/13/2019 + [ +0.000001] RIP: 0010:__ieee80211_wake_queue+0xd5/0x180 [mac80211] + [ +0.000046] Code: 00 45 85 e4 0f 85 9b 00 00 00 48 8d bd 40 09 00 00 f0 48 0f ba ad 48 09 00 00 00 72 0f 5b 5d 41 5c 41 5d 41 5e e9 cb 6d 3c d0 <0f> 0b 5b 5d 41 5c 41 5d 41 5e c3 cc cc cc cc 48 8d b4 16 94 00 00 + [ +0.000002] RSP: 0018:ffffc90003c77d60 EFLAGS: 00010097 + [ +0.000001] RAX: 0000000000000001 RBX: 0000000000000002 RCX: 0000000000000000 + [ +0.000001] RDX: 0000000000000000 RSI: 0000000000000002 RDI: ffff88820b924900 + [ +0.000002] RBP: ffff88820b924900 R08: ffffc90003c77d90 R09: 000000000003bfd0 + [ +0.000001] R10: ffff88820b924900 R11: ffffc90003c77c68 R12: 0000000000000000 + [ +0.000001] R13: 0000000000000000 R14: ffffc90003c77d90 R15: ffffffffc0fa6f40 + [ +0.000001] FS: 0000000000000000(0000) GS:ffff88846fb80000(0000) knlGS:0000000000000000 + [ +0.000001] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + [ +0.000001] CR2: 00007fafda7ae008 CR3: 000000046d220005 CR4: 00000000000606e0 + [ +0.000002] Call Trace: + [ +0.000003] + [ +0.000001] ? __ieee80211_wake_queue+0xd5/0x180 [mac80211] + [ +0.000044] ? __warn+0x81/0x130 + [ +0.000005] ? __ieee80211_wake_queue+0xd5/0x180 [mac80211] + [ +0.000045] ? report_bug+0x171/0x1a0 + [ +0.000004] ? handle_bug+0x41/0x70 + [ +0.000004] ? exc_invalid_op+0x17/0x70 + [ +0.000003] ? asm_exc_invalid_op+0x1a/0x20 + [ +0.000005] ? __ieee80211_wake_queue+0xd5/0x180 [mac80211] + [ +0.000043] ieee80211_wake_queue+0x4a/0x80 [mac80211] + [ +0.000044] b43_dma_handle_txstatus+0x29c/0x3a0 [b43] + [ +0.000016] ? __pfx_irq_thread_fn+0x10/0x10 + [ +0.000002] b43_handle_txstatus+0x61/0x80 [b43] + [ +0.000012] b43_interrupt_thread_handler+0x3f9/0x6b0 [b43] + [ +0.000011] irq_thread_fn+0x23/0x60 + [ +0.000002] irq_thread+0xfe/0x1c0 + [ +0.000002] ? __pfx_irq_thread_dtor+0x10/0x10 + [ +0.000001] ? __pfx_irq_thread+0x10/0x10 + [ +0.000001] kthread+0xe8/0x120 + [ +0.000003] ? __pfx_kthread+0x10/0x10 + [ +0.000003] ret_from_fork+0x34/0x50 + [ +0.000002] ? __pfx_kthread+0x10/0x10 + [ +0.000002] ret_from_fork_asm+0x1b/0x30 + [ +0.000004] + [ +0.000001] ---[ end trace 0000000000000000 ]--- + + [ +0.000065] ------------[ cut here ]------------ + [ +0.000001] WARNING: CPU: 0 PID: 56077 at net/mac80211/util.c:514 __ieee80211_stop_queue+0xcc/0xe0 [mac80211] + [ +0.000077] Modules linked in: b43(O) snd_seq_dummy snd_hrtimer snd_seq snd_seq_device nft_chain_nat xt_MASQUERADE nf_nat xfrm_user xfrm_algo xt_addrtype overlay ccm af_packet amdgpu snd_hda_codec_cirrus snd_hda_codec_generic ledtrig_audio drm_exec amdxcp gpu_sched xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip6t_rpfilter ipt_rpfilter xt_pkttype xt_LOG nf_log_syslog xt_tcpudp nft_compat nf_tables nfnetlink sch_fq_codel btusb uinput iTCO_wdt ctr btrtl intel_pmc_bxt i915 intel_rapl_msr mei_hdcp mei_pxp joydev at24 watchdog btintel atkbd libps2 serio radeon btbcm vivaldi_fmap btmtk intel_rapl_common snd_hda_codec_hdmi bluetooth uvcvideo nls_iso8859_1 applesmc nls_cp437 x86_pkg_temp_thermal snd_hda_intel intel_powerclamp vfat videobuf2_vmalloc coretemp fat snd_intel_dspcfg crc32_pclmul uvc polyval_clmulni snd_intel_sdw_acpi loop videobuf2_memops snd_hda_codec tun drm_suballoc_helper polyval_generic drm_ttm_helper drm_buddy tap ecdh_generic videobuf2_v4l2 gf128mul macvlan ttm ghash_clmulni_intel ecc tg3 + [ +0.000073] videodev bridge snd_hda_core rapl crc16 drm_display_helper cec mousedev snd_hwdep evdev intel_cstate bcm5974 hid_appleir videobuf2_common stp mac_hid libphy snd_pcm drm_kms_helper acpi_als mei_me intel_uncore llc mc snd_timer intel_gtt industrialio_triggered_buffer apple_mfi_fastcharge i2c_i801 mei snd lpc_ich agpgart ptp i2c_smbus thunderbolt apple_gmux i2c_algo_bit kfifo_buf video industrialio soundcore pps_core wmi tiny_power_button sbs sbshc button ac cordic bcma mac80211 cfg80211 ssb rfkill libarc4 kvm_intel kvm drm irqbypass fuse backlight firmware_class efi_pstore configfs efivarfs dmi_sysfs ip_tables x_tables autofs4 dm_crypt cbc encrypted_keys trusted asn1_encoder tee tpm rng_core input_leds hid_apple led_class hid_generic usbhid hid sd_mod t10_pi crc64_rocksoft crc64 crc_t10dif crct10dif_generic ahci libahci libata uhci_hcd ehci_pci ehci_hcd crct10dif_pclmul crct10dif_common sha512_ssse3 sha512_generic sha256_ssse3 sha1_ssse3 aesni_intel usbcore scsi_mod libaes crypto_simd cryptd scsi_common + [ +0.000084] usb_common rtc_cmos btrfs blake2b_generic libcrc32c crc32c_generic crc32c_intel xor raid6_pq dm_snapshot dm_bufio dm_mod dax [last unloaded: b43] + [ +0.000012] CPU: 0 PID: 56077 Comm: kworker/u16:17 Tainted: G W O 6.6.7 #1-NixOS + [ +0.000003] Hardware name: Apple Inc. MacBookPro8,3/Mac-942459F5819B171B, BIOS 87.0.0.0.0 06/13/2019 + [ +0.000001] Workqueue: phy7 b43_tx_work [b43] + [ +0.000019] RIP: 0010:__ieee80211_stop_queue+0xcc/0xe0 [mac80211] + [ +0.000076] Code: 74 11 48 8b 78 08 0f b7 d6 89 e9 4c 89 e6 e8 ab f4 00 00 65 ff 0d 9c b7 34 3f 0f 85 55 ff ff ff 0f 1f 44 00 00 e9 4b ff ff ff <0f> 0b 5b 5d 41 5c 41 5d c3 cc cc cc cc 0f 1f 80 00 00 00 00 90 90 + [ +0.000002] RSP: 0000:ffffc90004157d50 EFLAGS: 00010097 + [ +0.000002] RAX: 0000000000000001 RBX: 0000000000000002 RCX: 0000000000000000 + [ +0.000002] RDX: 0000000000000000 RSI: 0000000000000002 RDI: ffff8882d65d0900 + [ +0.000002] RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000001 + [ +0.000001] R10: 00000000000000ff R11: ffff88814d0155a0 R12: ffff8882d65d0900 + [ +0.000002] R13: 0000000000000000 R14: ffff8881002d2800 R15: 00000000000000d0 + [ +0.000002] FS: 0000000000000000(0000) GS:ffff88846f800000(0000) knlGS:0000000000000000 + [ +0.000003] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + [ +0.000002] CR2: 00007f2e8c10c880 CR3: 0000000385b66005 CR4: 00000000000606f0 + [ +0.000002] Call Trace: + [ +0.000001] + [ +0.000001] ? __ieee80211_stop_queue+0xcc/0xe0 [mac80211] + [ +0.000075] ? __warn+0x81/0x130 + [ +0.000004] ? __ieee80211_stop_queue+0xcc/0xe0 [mac80211] + [ +0.000075] ? report_bug+0x171/0x1a0 + [ +0.000005] ? handle_bug+0x41/0x70 + [ +0.000003] ? exc_invalid_op+0x17/0x70 + [ +0.000004] ? asm_exc_invalid_op+0x1a/0x20 + [ +0.000004] ? __ieee80211_stop_queue+0xcc/0xe0 [mac80211] + [ +0.000076] ieee80211_stop_queue+0x36/0x50 [mac80211] + [ +0.000077] b43_dma_tx+0x550/0x780 [b43] + [ +0.000023] b43_tx_work+0x90/0x130 [b43] + [ +0.000018] process_one_work+0x174/0x340 + [ +0.000003] worker_thread+0x27b/0x3a0 + [ +0.000004] ? __pfx_worker_thread+0x10/0x10 + [ +0.000002] kthread+0xe8/0x120 + [ +0.000003] ? __pfx_kthread+0x10/0x10 + [ +0.000004] ret_from_fork+0x34/0x50 + [ +0.000002] ? __pfx_kthread+0x10/0x10 + [ +0.000003] ret_from_fork_asm+0x1b/0x30 + [ +0.000006] + [ +0.000001] ---[ end trace 0000000000000000 ]--- + +Fixes: e6f5b934fba8 ("b43: Add QOS support") +Signed-off-by: Rahul Rameshbabu +Reviewed-by: Julian Calaby +Signed-off-by: Kalle Valo +Link: https://msgid.link/20231231050300.122806-2-sergeantsagara@protonmail.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/broadcom/b43/b43.h | 16 ++++++++++++++++ + drivers/net/wireless/broadcom/b43/dma.c | 4 ++-- + 2 files changed, 18 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/broadcom/b43/b43.h b/drivers/net/wireless/broadcom/b43/b43.h +index a449561fccf28..f6bf07dfb7488 100644 +--- a/drivers/net/wireless/broadcom/b43/b43.h ++++ b/drivers/net/wireless/broadcom/b43/b43.h +@@ -1082,6 +1082,22 @@ static inline bool b43_using_pio_transfers(struct b43_wldev *dev) + return dev->__using_pio_transfers; + } + ++static inline void b43_wake_queue(struct b43_wldev *dev, int queue_prio) ++{ ++ if (dev->qos_enabled) ++ ieee80211_wake_queue(dev->wl->hw, queue_prio); ++ else ++ ieee80211_wake_queue(dev->wl->hw, 0); ++} ++ ++static inline void b43_stop_queue(struct b43_wldev *dev, int queue_prio) ++{ ++ if (dev->qos_enabled) ++ ieee80211_stop_queue(dev->wl->hw, queue_prio); ++ else ++ ieee80211_stop_queue(dev->wl->hw, 0); ++} ++ + /* Message printing */ + __printf(2, 3) void b43info(struct b43_wl *wl, const char *fmt, ...); + __printf(2, 3) void b43err(struct b43_wl *wl, const char *fmt, ...); +diff --git a/drivers/net/wireless/broadcom/b43/dma.c b/drivers/net/wireless/broadcom/b43/dma.c +index cd809d5e46791..8a3806aec5ee8 100644 +--- a/drivers/net/wireless/broadcom/b43/dma.c ++++ b/drivers/net/wireless/broadcom/b43/dma.c +@@ -1461,7 +1461,7 @@ int b43_dma_tx(struct b43_wldev *dev, struct sk_buff *skb) + should_inject_overflow(ring)) { + /* This TX ring is full. */ + unsigned int skb_mapping = skb_get_queue_mapping(skb); +- ieee80211_stop_queue(dev->wl->hw, skb_mapping); ++ b43_stop_queue(dev, skb_mapping); + dev->wl->tx_queue_stopped[skb_mapping] = true; + ring->stopped = true; + if (b43_debug(dev, B43_DBG_DMAVERBOSE)) { +@@ -1632,7 +1632,7 @@ void b43_dma_handle_txstatus(struct b43_wldev *dev, + } else { + /* If the driver queue is running wake the corresponding + * mac80211 queue. */ +- ieee80211_wake_queue(dev->wl->hw, ring->queue_prio); ++ b43_wake_queue(dev, ring->queue_prio); + if (b43_debug(dev, B43_DBG_DMAVERBOSE)) { + b43dbg(dev->wl, "Woke up TX ring %d\n", ring->index); + } +-- +2.43.0 + diff --git a/queue-4.19/wifi-b43-stop-wake-correct-queue-in-pio-tx-path-when.patch b/queue-4.19/wifi-b43-stop-wake-correct-queue-in-pio-tx-path-when.patch new file mode 100644 index 00000000000..762e72b6980 --- /dev/null +++ b/queue-4.19/wifi-b43-stop-wake-correct-queue-in-pio-tx-path-when.patch @@ -0,0 +1,59 @@ +From 647088fdab529c852a07965201a362cef6c6d804 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 31 Dec 2023 05:03:45 +0000 +Subject: wifi: b43: Stop/wake correct queue in PIO Tx path when QoS is + disabled + +From: Rahul Rameshbabu + +[ Upstream commit 77135a38f6c2f950d2306ac3d37cbb407e6243f2 ] + +When QoS is disabled, the queue priority value will not map to the correct +ieee80211 queue since there is only one queue. Stop/wake queue 0 when QoS +is disabled to prevent trying to stop/wake a non-existent queue and failing +to stop/wake the actual queue instantiated. + +Fixes: 5100d5ac81b9 ("b43: Add PIO support for PCMCIA devices") +Signed-off-by: Rahul Rameshbabu +Reviewed-by: Julian Calaby +Signed-off-by: Kalle Valo +Link: https://msgid.link/20231231050300.122806-3-sergeantsagara@protonmail.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/broadcom/b43/pio.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/broadcom/b43/pio.c b/drivers/net/wireless/broadcom/b43/pio.c +index a4ff5e2a42b95..b5126edcdc803 100644 +--- a/drivers/net/wireless/broadcom/b43/pio.c ++++ b/drivers/net/wireless/broadcom/b43/pio.c +@@ -538,7 +538,7 @@ int b43_pio_tx(struct b43_wldev *dev, struct sk_buff *skb) + if (total_len > (q->buffer_size - q->buffer_used)) { + /* Not enough memory on the queue. */ + err = -EBUSY; +- ieee80211_stop_queue(dev->wl->hw, skb_get_queue_mapping(skb)); ++ b43_stop_queue(dev, skb_get_queue_mapping(skb)); + q->stopped = true; + goto out; + } +@@ -565,7 +565,7 @@ int b43_pio_tx(struct b43_wldev *dev, struct sk_buff *skb) + if (((q->buffer_size - q->buffer_used) < roundup(2 + 2 + 6, 4)) || + (q->free_packet_slots == 0)) { + /* The queue is full. */ +- ieee80211_stop_queue(dev->wl->hw, skb_get_queue_mapping(skb)); ++ b43_stop_queue(dev, skb_get_queue_mapping(skb)); + q->stopped = true; + } + +@@ -600,7 +600,7 @@ void b43_pio_handle_txstatus(struct b43_wldev *dev, + list_add(&pack->list, &q->packets_list); + + if (q->stopped) { +- ieee80211_wake_queue(dev->wl->hw, q->queue_prio); ++ b43_wake_queue(dev, q->queue_prio); + q->stopped = false; + } + } +-- +2.43.0 + diff --git a/queue-4.19/wifi-brcmsmac-avoid-function-pointer-casts.patch b/queue-4.19/wifi-brcmsmac-avoid-function-pointer-casts.patch new file mode 100644 index 00000000000..6b601bff695 --- /dev/null +++ b/queue-4.19/wifi-brcmsmac-avoid-function-pointer-casts.patch @@ -0,0 +1,81 @@ +From a8fa39df34d12a7ca6e93c2672f5e03acfff4c5f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Feb 2024 11:05:37 +0100 +Subject: wifi: brcmsmac: avoid function pointer casts + +From: Arnd Bergmann + +[ Upstream commit e1ea6db35fc3ba5ff063f097385e9f7a88c25356 ] + +An old cleanup went a little too far and causes a warning with clang-16 +and higher as it breaks control flow integrity (KCFI) rules: + +drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy_shim.c:64:34: error: cast from 'void (*)(struct brcms_phy *)' to 'void (*)(void *)' converts to incompatible function type [-Werror,-Wcast-function-type-strict] + 64 | brcms_init_timer(physhim->wl, (void (*)(void *))fn, + | ^~~~~~~~~~~~~~~~~~~~ + +Change this one instance back to passing a void pointer so it can be +used with the timer callback interface. + +Fixes: d89a4c80601d ("staging: brcm80211: removed void * from softmac phy") +Signed-off-by: Arnd Bergmann +Acked-by: Arend van Spriel +Signed-off-by: Kalle Valo +Link: https://msgid.link/20240213100548.457854-1-arnd@kernel.org +Signed-off-by: Sasha Levin +--- + .../net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_cmn.c | 3 ++- + drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy_shim.c | 5 ++--- + drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy_shim.h | 2 +- + 3 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_cmn.c b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_cmn.c +index 35e3b101e5cf0..bedb1f73ef24e 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_cmn.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_cmn.c +@@ -394,8 +394,9 @@ struct shared_phy *wlc_phy_shared_attach(struct shared_phy_params *shp) + return sh; + } + +-static void wlc_phy_timercb_phycal(struct brcms_phy *pi) ++static void wlc_phy_timercb_phycal(void *ptr) + { ++ struct brcms_phy *pi = ptr; + uint delay = 5; + + if (PHY_PERICAL_MPHASE_PENDING(pi)) { +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy_shim.c b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy_shim.c +index a0de5db0cd646..b723817915365 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy_shim.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy_shim.c +@@ -57,12 +57,11 @@ void wlc_phy_shim_detach(struct phy_shim_info *physhim) + } + + struct wlapi_timer *wlapi_init_timer(struct phy_shim_info *physhim, +- void (*fn)(struct brcms_phy *pi), ++ void (*fn)(void *pi), + void *arg, const char *name) + { + return (struct wlapi_timer *) +- brcms_init_timer(physhim->wl, (void (*)(void *))fn, +- arg, name); ++ brcms_init_timer(physhim->wl, fn, arg, name); + } + + void wlapi_free_timer(struct wlapi_timer *t) +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy_shim.h b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy_shim.h +index dd8774717adee..27d0934e600ed 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy_shim.h ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy_shim.h +@@ -131,7 +131,7 @@ void wlc_phy_shim_detach(struct phy_shim_info *physhim); + + /* PHY to WL utility functions */ + struct wlapi_timer *wlapi_init_timer(struct phy_shim_info *physhim, +- void (*fn)(struct brcms_phy *pi), ++ void (*fn)(void *pi), + void *arg, const char *name); + void wlapi_free_timer(struct wlapi_timer *t); + void wlapi_add_timer(struct wlapi_timer *t, uint ms, int periodic); +-- +2.43.0 + diff --git a/queue-4.19/wifi-libertas-fix-some-memleaks-in-lbs_allocate_cmd_.patch b/queue-4.19/wifi-libertas-fix-some-memleaks-in-lbs_allocate_cmd_.patch new file mode 100644 index 00000000000..0164fe59841 --- /dev/null +++ b/queue-4.19/wifi-libertas-fix-some-memleaks-in-lbs_allocate_cmd_.patch @@ -0,0 +1,57 @@ +From 0542a14f6e6e13f09a7c67dbaec927fb214ad1bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Jan 2024 15:53:34 +0800 +Subject: wifi: libertas: fix some memleaks in lbs_allocate_cmd_buffer() + +From: Zhipeng Lu + +[ Upstream commit 5f0e4aede01cb01fa633171f0533affd25328c3a ] + +In the for statement of lbs_allocate_cmd_buffer(), if the allocation of +cmdarray[i].cmdbuf fails, both cmdarray and cmdarray[i].cmdbuf needs to +be freed. Otherwise, there will be memleaks in lbs_allocate_cmd_buffer(). + +Fixes: 876c9d3aeb98 ("[PATCH] Marvell Libertas 8388 802.11b/g USB driver") +Signed-off-by: Zhipeng Lu +Signed-off-by: Kalle Valo +Link: https://msgid.link/20240126075336.2825608-1-alexious@zju.edu.cn +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/libertas/cmd.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/marvell/libertas/cmd.c b/drivers/net/wireless/marvell/libertas/cmd.c +index c1f4229187378..d1984f03fdfca 100644 +--- a/drivers/net/wireless/marvell/libertas/cmd.c ++++ b/drivers/net/wireless/marvell/libertas/cmd.c +@@ -1132,7 +1132,7 @@ int lbs_allocate_cmd_buffer(struct lbs_private *priv) + if (!cmdarray[i].cmdbuf) { + lbs_deb_host("ALLOC_CMD_BUF: ptempvirtualaddr is NULL\n"); + ret = -1; +- goto done; ++ goto free_cmd_array; + } + } + +@@ -1140,8 +1140,17 @@ int lbs_allocate_cmd_buffer(struct lbs_private *priv) + init_waitqueue_head(&cmdarray[i].cmdwait_q); + lbs_cleanup_and_insert_cmd(priv, &cmdarray[i]); + } +- ret = 0; ++ return 0; + ++free_cmd_array: ++ for (i = 0; i < LBS_NUM_CMD_BUFFERS; i++) { ++ if (cmdarray[i].cmdbuf) { ++ kfree(cmdarray[i].cmdbuf); ++ cmdarray[i].cmdbuf = NULL; ++ } ++ } ++ kfree(priv->cmd_array); ++ priv->cmd_array = NULL; + done: + return ret; + } +-- +2.43.0 + diff --git a/queue-4.19/wifi-mwifiex-debugfs-drop-unnecessary-error-check-fo.patch b/queue-4.19/wifi-mwifiex-debugfs-drop-unnecessary-error-check-fo.patch new file mode 100644 index 00000000000..92626cb4521 --- /dev/null +++ b/queue-4.19/wifi-mwifiex-debugfs-drop-unnecessary-error-check-fo.patch @@ -0,0 +1,46 @@ +From afc22d45d63c4f6b70aca6500c345f57d441054f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 3 Sep 2023 11:02:15 +0800 +Subject: wifi: mwifiex: debugfs: Drop unnecessary error check for + debugfs_create_dir() + +From: Jinjie Ruan + +[ Upstream commit 50180c7f8e3de7c2d87f619131776598fcb1478d ] + +debugfs_create_dir() returns ERR_PTR and never return NULL. + +As Russell suggested, this patch removes the error checking for +debugfs_create_dir(). This is because the DebugFS kernel API is developed +in a way that the caller can safely ignore the errors that occur during +the creation of DebugFS nodes. The debugfs APIs have a IS_ERR() judge in +start_creating() which can handle it gracefully. So these checks are +unnecessary. + +Fixes: 5e6e3a92b9a4 ("wireless: mwifiex: initial commit for Marvell mwifiex driver") +Signed-off-by: Jinjie Ruan +Suggested-by: Russell King (Oracle) +Signed-off-by: Kalle Valo +Link: https://msgid.link/20230903030216.1509013-3-ruanjinjie@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/mwifiex/debugfs.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/drivers/net/wireless/marvell/mwifiex/debugfs.c b/drivers/net/wireless/marvell/mwifiex/debugfs.c +index 0f62da50e11a2..63af04202d75f 100644 +--- a/drivers/net/wireless/marvell/mwifiex/debugfs.c ++++ b/drivers/net/wireless/marvell/mwifiex/debugfs.c +@@ -977,9 +977,6 @@ mwifiex_dev_debugfs_init(struct mwifiex_private *priv) + priv->dfs_dev_dir = debugfs_create_dir(priv->netdev->name, + mwifiex_dfs_dir); + +- if (!priv->dfs_dev_dir) +- return; +- + MWIFIEX_DFS_ADD_FILE(info); + MWIFIEX_DFS_ADD_FILE(debug); + MWIFIEX_DFS_ADD_FILE(getlog); +-- +2.43.0 + diff --git a/queue-4.19/x86-relocs-ignore-relocations-in-.notes-section.patch b/queue-4.19/x86-relocs-ignore-relocations-in-.notes-section.patch new file mode 100644 index 00000000000..d4b2d49a3ea --- /dev/null +++ b/queue-4.19/x86-relocs-ignore-relocations-in-.notes-section.patch @@ -0,0 +1,54 @@ +From 05df4f2d192433c48472c00910588d5ae69c3ba3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Feb 2024 09:51:12 -0800 +Subject: x86, relocs: Ignore relocations in .notes section + +From: Kees Cook + +[ Upstream commit aaa8736370db1a78f0e8434344a484f9fd20be3b ] + +When building with CONFIG_XEN_PV=y, .text symbols are emitted into +the .notes section so that Xen can find the "startup_xen" entry point. +This information is used prior to booting the kernel, so relocations +are not useful. In fact, performing relocations against the .notes +section means that the KASLR base is exposed since /sys/kernel/notes +is world-readable. + +To avoid leaking the KASLR base without breaking unprivileged tools that +are expecting to read /sys/kernel/notes, skip performing relocations in +the .notes section. The values readable in .notes are then identical to +those found in System.map. + +Reported-by: Guixiong Wei +Closes: https://lore.kernel.org/all/20240218073501.54555-1-guixiongwei@gmail.com/ +Fixes: 5ead97c84fa7 ("xen: Core Xen implementation") +Fixes: da1a679cde9b ("Add /sys/kernel/notes") +Reviewed-by: Juergen Gross +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +--- + arch/x86/tools/relocs.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/arch/x86/tools/relocs.c b/arch/x86/tools/relocs.c +index aa046d46ff8ff..c7f1d1759c855 100644 +--- a/arch/x86/tools/relocs.c ++++ b/arch/x86/tools/relocs.c +@@ -579,6 +579,14 @@ static void print_absolute_relocs(void) + if (!(sec_applies->shdr.sh_flags & SHF_ALLOC)) { + continue; + } ++ /* ++ * Do not perform relocations in .notes section; any ++ * values there are meant for pre-boot consumption (e.g. ++ * startup_xen). ++ */ ++ if (sec_applies->shdr.sh_type == SHT_NOTE) { ++ continue; ++ } + sh_symtab = sec_symtab->symtab; + sym_strtab = sec_symtab->link->strtab; + for (j = 0; j < sec->shdr.sh_size/sizeof(Elf_Rel); j++) { +-- +2.43.0 +