From: Sasha Levin Date: Mon, 13 Jan 2025 14:02:58 +0000 (-0500) Subject: Fixes for 5.15 X-Git-Tag: v6.1.125~16 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9e1b8565c928c3b54dd8334b4be6e3057c380d01;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.15 Signed-off-by: Sasha Levin --- diff --git a/queue-5.15/arm64-dts-rockchip-add-hevc-power-domain-clock-to-rk.patch b/queue-5.15/arm64-dts-rockchip-add-hevc-power-domain-clock-to-rk.patch new file mode 100644 index 00000000000..2d893283174 --- /dev/null +++ b/queue-5.15/arm64-dts-rockchip-add-hevc-power-domain-clock-to-rk.patch @@ -0,0 +1,76 @@ +From 77a38607f2f8bdf5474ea2c3e1eae70d8905bd36 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 14 Dec 2024 22:43:39 +0000 +Subject: arm64: dts: rockchip: add hevc power domain clock to rk3328 + +From: Peter Geis + +[ Upstream commit 3699f2c43ea9984e00d70463f8c29baaf260ea97 ] + +There is a race condition at startup between disabling power domains not +used and disabling clocks not used on the rk3328. When the clocks are +disabled first, the hevc power domain fails to shut off leading to a +splat of failures. Add the hevc core clock to the rk3328 power domain +node to prevent this condition. + +rcu: INFO: rcu_sched detected expedited stalls on CPUs/tasks: { 3-.... } +1087 jiffies s: 89 root: 0x8/. +rcu: blocking rcu_node structures (internal RCU debug): +Sending NMI from CPU 0 to CPUs 3: +NMI backtrace for cpu 3 +CPU: 3 UID: 0 PID: 86 Comm: kworker/3:3 Not tainted 6.12.0-rc5+ #53 +Hardware name: Firefly ROC-RK3328-CC (DT) +Workqueue: pm genpd_power_off_work_fn +pstate: 20400005 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) +pc : regmap_unlock_spinlock+0x18/0x30 +lr : regmap_read+0x60/0x88 +sp : ffff800081123c00 +x29: ffff800081123c00 x28: ffff2fa4c62cad80 x27: 0000000000000000 +x26: ffffd74e6e660eb8 x25: ffff2fa4c62cae00 x24: 0000000000000040 +x23: ffffd74e6d2f3ab8 x22: 0000000000000001 x21: ffff800081123c74 +x20: 0000000000000000 x19: ffff2fa4c0412000 x18: 0000000000000000 +x17: 77202c31203d2065 x16: 6c6469203a72656c x15: 6c6f72746e6f632d +x14: 7265776f703a6e6f x13: 2063766568206e69 x12: 616d6f64202c3431 +x11: 347830206f742030 x10: 3430303034783020 x9 : ffffd74e6c7369e0 +x8 : 3030316666206e69 x7 : 205d383738353733 x6 : 332e31202020205b +x5 : ffffd74e6c73fc88 x4 : ffffd74e6c73fcd4 x3 : ffffd74e6c740b40 +x2 : ffff800080015484 x1 : 0000000000000000 x0 : ffff2fa4c0412000 +Call trace: +regmap_unlock_spinlock+0x18/0x30 +rockchip_pmu_set_idle_request+0xac/0x2c0 +rockchip_pd_power+0x144/0x5f8 +rockchip_pd_power_off+0x1c/0x30 +_genpd_power_off+0x9c/0x180 +genpd_power_off.part.0.isra.0+0x130/0x2a8 +genpd_power_off_work_fn+0x6c/0x98 +process_one_work+0x170/0x3f0 +worker_thread+0x290/0x4a8 +kthread+0xec/0xf8 +ret_from_fork+0x10/0x20 +rockchip-pm-domain ff100000.syscon:power-controller: failed to get ack on domain 'hevc', val=0x88220 + +Fixes: 52e02d377a72 ("arm64: dts: rockchip: add core dtsi file for RK3328 SoCs") +Signed-off-by: Peter Geis +Reviewed-by: Dragan Simic +Link: https://lore.kernel.org/r/20241214224339.24674-1-pgwipeout@gmail.com +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/rockchip/rk3328.dtsi | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm64/boot/dts/rockchip/rk3328.dtsi b/arch/arm64/boot/dts/rockchip/rk3328.dtsi +index f73cb7667bab..93ef90315cda 100644 +--- a/arch/arm64/boot/dts/rockchip/rk3328.dtsi ++++ b/arch/arm64/boot/dts/rockchip/rk3328.dtsi +@@ -302,6 +302,7 @@ + + power-domain@RK3328_PD_HEVC { + reg = ; ++ clocks = <&cru SCLK_VENC_CORE>; + #power-domain-cells = <0>; + }; + power-domain@RK3328_PD_VIDEO { +-- +2.39.5 + diff --git a/queue-5.15/block-bfq-fix-waker_bfqq-uaf-after-bfq_split_bfqq.patch b/queue-5.15/block-bfq-fix-waker_bfqq-uaf-after-bfq_split_bfqq.patch new file mode 100644 index 00000000000..bb88e79c1c8 --- /dev/null +++ b/queue-5.15/block-bfq-fix-waker_bfqq-uaf-after-bfq_split_bfqq.patch @@ -0,0 +1,199 @@ +From fc2acb94faf4941b26c2a2c6c0939526558b9394 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Jan 2025 16:41:48 +0800 +Subject: block, bfq: fix waker_bfqq UAF after bfq_split_bfqq() + +From: Yu Kuai + +[ Upstream commit fcede1f0a043ccefe9bc6ad57f12718e42f63f1d ] + +Our syzkaller report a following UAF for v6.6: + +BUG: KASAN: slab-use-after-free in bfq_init_rq+0x175d/0x17a0 block/bfq-iosched.c:6958 +Read of size 8 at addr ffff8881b57147d8 by task fsstress/232726 + +CPU: 2 PID: 232726 Comm: fsstress Not tainted 6.6.0-g3629d1885222 #39 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x91/0xf0 lib/dump_stack.c:106 + print_address_description.constprop.0+0x66/0x300 mm/kasan/report.c:364 + print_report+0x3e/0x70 mm/kasan/report.c:475 + kasan_report+0xb8/0xf0 mm/kasan/report.c:588 + hlist_add_head include/linux/list.h:1023 [inline] + bfq_init_rq+0x175d/0x17a0 block/bfq-iosched.c:6958 + bfq_insert_request.isra.0+0xe8/0xa20 block/bfq-iosched.c:6271 + bfq_insert_requests+0x27f/0x390 block/bfq-iosched.c:6323 + blk_mq_insert_request+0x290/0x8f0 block/blk-mq.c:2660 + blk_mq_submit_bio+0x1021/0x15e0 block/blk-mq.c:3143 + __submit_bio+0xa0/0x6b0 block/blk-core.c:639 + __submit_bio_noacct_mq block/blk-core.c:718 [inline] + submit_bio_noacct_nocheck+0x5b7/0x810 block/blk-core.c:747 + submit_bio_noacct+0xca0/0x1990 block/blk-core.c:847 + __ext4_read_bh fs/ext4/super.c:205 [inline] + ext4_read_bh+0x15e/0x2e0 fs/ext4/super.c:230 + __read_extent_tree_block+0x304/0x6f0 fs/ext4/extents.c:567 + ext4_find_extent+0x479/0xd20 fs/ext4/extents.c:947 + ext4_ext_map_blocks+0x1a3/0x2680 fs/ext4/extents.c:4182 + ext4_map_blocks+0x929/0x15a0 fs/ext4/inode.c:660 + ext4_iomap_begin_report+0x298/0x480 fs/ext4/inode.c:3569 + iomap_iter+0x3dd/0x1010 fs/iomap/iter.c:91 + iomap_fiemap+0x1f4/0x360 fs/iomap/fiemap.c:80 + ext4_fiemap+0x181/0x210 fs/ext4/extents.c:5051 + ioctl_fiemap.isra.0+0x1b4/0x290 fs/ioctl.c:220 + do_vfs_ioctl+0x31c/0x11a0 fs/ioctl.c:811 + __do_sys_ioctl fs/ioctl.c:869 [inline] + __se_sys_ioctl+0xae/0x190 fs/ioctl.c:857 + do_syscall_x64 arch/x86/entry/common.c:51 [inline] + do_syscall_64+0x70/0x120 arch/x86/entry/common.c:81 + entry_SYSCALL_64_after_hwframe+0x78/0xe2 + +Allocated by task 232719: + kasan_save_stack+0x22/0x50 mm/kasan/common.c:45 + kasan_set_track+0x25/0x30 mm/kasan/common.c:52 + __kasan_slab_alloc+0x87/0x90 mm/kasan/common.c:328 + kasan_slab_alloc include/linux/kasan.h:188 [inline] + slab_post_alloc_hook mm/slab.h:768 [inline] + slab_alloc_node mm/slub.c:3492 [inline] + kmem_cache_alloc_node+0x1b8/0x6f0 mm/slub.c:3537 + bfq_get_queue+0x215/0x1f00 block/bfq-iosched.c:5869 + bfq_get_bfqq_handle_split+0x167/0x5f0 block/bfq-iosched.c:6776 + bfq_init_rq+0x13a4/0x17a0 block/bfq-iosched.c:6938 + bfq_insert_request.isra.0+0xe8/0xa20 block/bfq-iosched.c:6271 + bfq_insert_requests+0x27f/0x390 block/bfq-iosched.c:6323 + blk_mq_insert_request+0x290/0x8f0 block/blk-mq.c:2660 + blk_mq_submit_bio+0x1021/0x15e0 block/blk-mq.c:3143 + __submit_bio+0xa0/0x6b0 block/blk-core.c:639 + __submit_bio_noacct_mq block/blk-core.c:718 [inline] + submit_bio_noacct_nocheck+0x5b7/0x810 block/blk-core.c:747 + submit_bio_noacct+0xca0/0x1990 block/blk-core.c:847 + __ext4_read_bh fs/ext4/super.c:205 [inline] + ext4_read_bh_nowait+0x15a/0x240 fs/ext4/super.c:217 + ext4_read_bh_lock+0xac/0xd0 fs/ext4/super.c:242 + ext4_bread_batch+0x268/0x500 fs/ext4/inode.c:958 + __ext4_find_entry+0x448/0x10f0 fs/ext4/namei.c:1671 + ext4_lookup_entry fs/ext4/namei.c:1774 [inline] + ext4_lookup.part.0+0x359/0x6f0 fs/ext4/namei.c:1842 + ext4_lookup+0x72/0x90 fs/ext4/namei.c:1839 + __lookup_slow+0x257/0x480 fs/namei.c:1696 + lookup_slow fs/namei.c:1713 [inline] + walk_component+0x454/0x5c0 fs/namei.c:2004 + link_path_walk.part.0+0x773/0xda0 fs/namei.c:2331 + link_path_walk fs/namei.c:3826 [inline] + path_openat+0x1b9/0x520 fs/namei.c:3826 + do_filp_open+0x1b7/0x400 fs/namei.c:3857 + do_sys_openat2+0x5dc/0x6e0 fs/open.c:1428 + do_sys_open fs/open.c:1443 [inline] + __do_sys_openat fs/open.c:1459 [inline] + __se_sys_openat fs/open.c:1454 [inline] + __x64_sys_openat+0x148/0x200 fs/open.c:1454 + do_syscall_x64 arch/x86/entry/common.c:51 [inline] + do_syscall_64+0x70/0x120 arch/x86/entry/common.c:81 + entry_SYSCALL_64_after_hwframe+0x78/0xe2 + +Freed by task 232726: + kasan_save_stack+0x22/0x50 mm/kasan/common.c:45 + kasan_set_track+0x25/0x30 mm/kasan/common.c:52 + kasan_save_free_info+0x2b/0x50 mm/kasan/generic.c:522 + ____kasan_slab_free mm/kasan/common.c:236 [inline] + __kasan_slab_free+0x12a/0x1b0 mm/kasan/common.c:244 + kasan_slab_free include/linux/kasan.h:164 [inline] + slab_free_hook mm/slub.c:1827 [inline] + slab_free_freelist_hook mm/slub.c:1853 [inline] + slab_free mm/slub.c:3820 [inline] + kmem_cache_free+0x110/0x760 mm/slub.c:3842 + bfq_put_queue+0x6a7/0xfb0 block/bfq-iosched.c:5428 + bfq_forget_entity block/bfq-wf2q.c:634 [inline] + bfq_put_idle_entity+0x142/0x240 block/bfq-wf2q.c:645 + bfq_forget_idle+0x189/0x1e0 block/bfq-wf2q.c:671 + bfq_update_vtime block/bfq-wf2q.c:1280 [inline] + __bfq_lookup_next_entity block/bfq-wf2q.c:1374 [inline] + bfq_lookup_next_entity+0x350/0x480 block/bfq-wf2q.c:1433 + bfq_update_next_in_service+0x1c0/0x4f0 block/bfq-wf2q.c:128 + bfq_deactivate_entity+0x10a/0x240 block/bfq-wf2q.c:1188 + bfq_deactivate_bfqq block/bfq-wf2q.c:1592 [inline] + bfq_del_bfqq_busy+0x2e8/0xad0 block/bfq-wf2q.c:1659 + bfq_release_process_ref+0x1cc/0x220 block/bfq-iosched.c:3139 + bfq_split_bfqq+0x481/0xdf0 block/bfq-iosched.c:6754 + bfq_init_rq+0xf29/0x17a0 block/bfq-iosched.c:6934 + bfq_insert_request.isra.0+0xe8/0xa20 block/bfq-iosched.c:6271 + bfq_insert_requests+0x27f/0x390 block/bfq-iosched.c:6323 + blk_mq_insert_request+0x290/0x8f0 block/blk-mq.c:2660 + blk_mq_submit_bio+0x1021/0x15e0 block/blk-mq.c:3143 + __submit_bio+0xa0/0x6b0 block/blk-core.c:639 + __submit_bio_noacct_mq block/blk-core.c:718 [inline] + submit_bio_noacct_nocheck+0x5b7/0x810 block/blk-core.c:747 + submit_bio_noacct+0xca0/0x1990 block/blk-core.c:847 + __ext4_read_bh fs/ext4/super.c:205 [inline] + ext4_read_bh+0x15e/0x2e0 fs/ext4/super.c:230 + __read_extent_tree_block+0x304/0x6f0 fs/ext4/extents.c:567 + ext4_find_extent+0x479/0xd20 fs/ext4/extents.c:947 + ext4_ext_map_blocks+0x1a3/0x2680 fs/ext4/extents.c:4182 + ext4_map_blocks+0x929/0x15a0 fs/ext4/inode.c:660 + ext4_iomap_begin_report+0x298/0x480 fs/ext4/inode.c:3569 + iomap_iter+0x3dd/0x1010 fs/iomap/iter.c:91 + iomap_fiemap+0x1f4/0x360 fs/iomap/fiemap.c:80 + ext4_fiemap+0x181/0x210 fs/ext4/extents.c:5051 + ioctl_fiemap.isra.0+0x1b4/0x290 fs/ioctl.c:220 + do_vfs_ioctl+0x31c/0x11a0 fs/ioctl.c:811 + __do_sys_ioctl fs/ioctl.c:869 [inline] + __se_sys_ioctl+0xae/0x190 fs/ioctl.c:857 + do_syscall_x64 arch/x86/entry/common.c:51 [inline] + do_syscall_64+0x70/0x120 arch/x86/entry/common.c:81 + entry_SYSCALL_64_after_hwframe+0x78/0xe2 + +commit 1ba0403ac644 ("block, bfq: fix uaf for accessing waker_bfqq after +splitting") fix the problem that if waker_bfqq is in the merge chain, +and current is the only procress, waker_bfqq can be freed from +bfq_split_bfqq(). However, the case that waker_bfqq is not in the merge +chain is missed, and if the procress reference of waker_bfqq is 0, +waker_bfqq can be freed as well. + +Fix the problem by checking procress reference if waker_bfqq is not in +the merge_chain. + +Fixes: 1ba0403ac644 ("block, bfq: fix uaf for accessing waker_bfqq after splitting") +Signed-off-by: Hou Tao +Signed-off-by: Yu Kuai +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20250108084148.1549973-1-yukuai1@huaweicloud.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/bfq-iosched.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c +index c985c944fa65..d830ed169e65 100644 +--- a/block/bfq-iosched.c ++++ b/block/bfq-iosched.c +@@ -6577,16 +6577,24 @@ static struct bfq_queue *bfq_waker_bfqq(struct bfq_queue *bfqq) + if (new_bfqq == waker_bfqq) { + /* + * If waker_bfqq is in the merge chain, and current +- * is the only procress. ++ * is the only process, waker_bfqq can be freed. + */ + if (bfqq_process_refs(waker_bfqq) == 1) + return NULL; +- break; ++ ++ return waker_bfqq; + } + + new_bfqq = new_bfqq->new_bfqq; + } + ++ /* ++ * If waker_bfqq is not in the merge chain, and it's procress reference ++ * is 0, waker_bfqq can be freed. ++ */ ++ if (bfqq_process_refs(waker_bfqq) == 0) ++ return NULL; ++ + return waker_bfqq; + } + +-- +2.39.5 + diff --git a/queue-5.15/mptcp-drop-port-parameter-of-mptcp_pm_add_addr_signa.patch b/queue-5.15/mptcp-drop-port-parameter-of-mptcp_pm_add_addr_signa.patch new file mode 100644 index 00000000000..bb32afbcd17 --- /dev/null +++ b/queue-5.15/mptcp-drop-port-parameter-of-mptcp_pm_add_addr_signa.patch @@ -0,0 +1,97 @@ +From 7407923aaece553302f998ab37b56b0ce549f3fc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Feb 2022 18:11:27 -0800 +Subject: mptcp: drop port parameter of mptcp_pm_add_addr_signal + +From: Geliang Tang + +[ Upstream commit af7939f390de17bde4a10a3bf0e337627fb42591 ] + +Drop the port parameter of mptcp_pm_add_addr_signal() and reflect it to +avoid passing too many parameters. + +Signed-off-by: Geliang Tang +Signed-off-by: Mat Martineau +Signed-off-by: Jakub Kicinski +Stable-dep-of: cbb26f7d8451 ("mptcp: fix TCP options overflow.") +Signed-off-by: Sasha Levin +--- + net/mptcp/options.c | 5 ++--- + net/mptcp/pm.c | 7 ++++--- + net/mptcp/protocol.h | 2 +- + 3 files changed, 7 insertions(+), 7 deletions(-) + +diff --git a/net/mptcp/options.c b/net/mptcp/options.c +index e654701685a8..31bec175886c 100644 +--- a/net/mptcp/options.c ++++ b/net/mptcp/options.c +@@ -651,7 +651,6 @@ static bool mptcp_established_options_add_addr(struct sock *sk, struct sk_buff * + bool drop_other_suboptions = false; + unsigned int opt_size = *size; + bool echo; +- bool port; + int len; + + /* add addr will strip the existing options, be sure to avoid breaking +@@ -660,12 +659,12 @@ static bool mptcp_established_options_add_addr(struct sock *sk, struct sk_buff * + if (!mptcp_pm_should_add_signal(msk) || + (opts->suboptions & (OPTION_MPTCP_MPJ_ACK | OPTION_MPTCP_MPC_ACK)) || + !mptcp_pm_add_addr_signal(msk, skb, opt_size, remaining, &opts->addr, +- &echo, &port, &drop_other_suboptions)) ++ &echo, &drop_other_suboptions)) + return false; + + if (drop_other_suboptions) + remaining += opt_size; +- len = mptcp_add_addr_len(opts->addr.family, echo, port); ++ len = mptcp_add_addr_len(opts->addr.family, echo, !!opts->addr.port); + if (remaining < len) + return false; + +diff --git a/net/mptcp/pm.c b/net/mptcp/pm.c +index b14eb6bccd36..4fa31301fe84 100644 +--- a/net/mptcp/pm.c ++++ b/net/mptcp/pm.c +@@ -265,11 +265,12 @@ void mptcp_pm_mp_fail_received(struct sock *sk, u64 fail_seq) + bool mptcp_pm_add_addr_signal(struct mptcp_sock *msk, const struct sk_buff *skb, + unsigned int opt_size, unsigned int remaining, + struct mptcp_addr_info *addr, bool *echo, +- bool *port, bool *drop_other_suboptions) ++ bool *drop_other_suboptions) + { + int ret = false; + u8 add_addr; + u8 family; ++ bool port; + + spin_lock_bh(&msk->pm.lock); + +@@ -287,10 +288,10 @@ bool mptcp_pm_add_addr_signal(struct mptcp_sock *msk, const struct sk_buff *skb, + } + + *echo = mptcp_pm_should_add_signal_echo(msk); +- *port = !!(*echo ? msk->pm.remote.port : msk->pm.local.port); ++ port = !!(*echo ? msk->pm.remote.port : msk->pm.local.port); + + family = *echo ? msk->pm.remote.family : msk->pm.local.family; +- if (remaining < mptcp_add_addr_len(family, *echo, *port)) ++ if (remaining < mptcp_add_addr_len(family, *echo, port)) + goto out_unlock; + + if (*echo) { +diff --git a/net/mptcp/protocol.h b/net/mptcp/protocol.h +index 8f5e5a66babf..6026f0bcdea6 100644 +--- a/net/mptcp/protocol.h ++++ b/net/mptcp/protocol.h +@@ -823,7 +823,7 @@ static inline int mptcp_rm_addr_len(const struct mptcp_rm_list *rm_list) + bool mptcp_pm_add_addr_signal(struct mptcp_sock *msk, const struct sk_buff *skb, + unsigned int opt_size, unsigned int remaining, + struct mptcp_addr_info *addr, bool *echo, +- bool *port, bool *drop_other_suboptions); ++ bool *drop_other_suboptions); + bool mptcp_pm_rm_addr_signal(struct mptcp_sock *msk, unsigned int remaining, + struct mptcp_rm_list *rm_list); + int mptcp_pm_get_local_id(struct mptcp_sock *msk, struct sock_common *skc); +-- +2.39.5 + diff --git a/queue-5.15/mptcp-fix-tcp-options-overflow.patch b/queue-5.15/mptcp-fix-tcp-options-overflow.patch new file mode 100644 index 00000000000..1246d5eb6f1 --- /dev/null +++ b/queue-5.15/mptcp-fix-tcp-options-overflow.patch @@ -0,0 +1,126 @@ +From dd019501221313c2d531443b7e10d6942ee49785 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 21 Dec 2024 09:51:46 +0100 +Subject: mptcp: fix TCP options overflow. + +From: Paolo Abeni + +[ Upstream commit cbb26f7d8451fe56ccac802c6db48d16240feebd ] + +Syzbot reported the following splat: + +Oops: general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI +KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] +CPU: 1 UID: 0 PID: 5836 Comm: sshd Not tainted 6.13.0-rc3-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024 +RIP: 0010:_compound_head include/linux/page-flags.h:242 [inline] +RIP: 0010:put_page+0x23/0x260 include/linux/mm.h:1552 +Code: 90 90 90 90 90 90 90 55 41 57 41 56 53 49 89 fe 48 bd 00 00 00 00 00 fc ff df e8 f8 5e 12 f8 49 8d 5e 08 48 89 d8 48 c1 e8 03 <80> 3c 28 00 74 08 48 89 df e8 8f c7 78 f8 48 8b 1b 48 89 de 48 83 +RSP: 0000:ffffc90003916c90 EFLAGS: 00010202 +RAX: 0000000000000001 RBX: 0000000000000008 RCX: ffff888030458000 +RDX: 0000000000000100 RSI: 0000000000000000 RDI: 0000000000000000 +RBP: dffffc0000000000 R08: ffffffff898ca81d R09: 1ffff110054414ac +R10: dffffc0000000000 R11: ffffed10054414ad R12: 0000000000000007 +R13: ffff88802a20a542 R14: 0000000000000000 R15: 0000000000000000 +FS: 00007f34f496e800(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f9d6ec9ec28 CR3: 000000004d260000 CR4: 00000000003526f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + skb_page_unref include/linux/skbuff_ref.h:43 [inline] + __skb_frag_unref include/linux/skbuff_ref.h:56 [inline] + skb_release_data+0x483/0x8a0 net/core/skbuff.c:1119 + skb_release_all net/core/skbuff.c:1190 [inline] + __kfree_skb+0x55/0x70 net/core/skbuff.c:1204 + tcp_clean_rtx_queue net/ipv4/tcp_input.c:3436 [inline] + tcp_ack+0x2442/0x6bc0 net/ipv4/tcp_input.c:4032 + tcp_rcv_state_process+0x8eb/0x44e0 net/ipv4/tcp_input.c:6805 + tcp_v4_do_rcv+0x77d/0xc70 net/ipv4/tcp_ipv4.c:1939 + tcp_v4_rcv+0x2dc0/0x37f0 net/ipv4/tcp_ipv4.c:2351 + ip_protocol_deliver_rcu+0x22e/0x440 net/ipv4/ip_input.c:205 + ip_local_deliver_finish+0x341/0x5f0 net/ipv4/ip_input.c:233 + NF_HOOK+0x3a4/0x450 include/linux/netfilter.h:314 + NF_HOOK+0x3a4/0x450 include/linux/netfilter.h:314 + __netif_receive_skb_one_core net/core/dev.c:5672 [inline] + __netif_receive_skb+0x2bf/0x650 net/core/dev.c:5785 + process_backlog+0x662/0x15b0 net/core/dev.c:6117 + __napi_poll+0xcb/0x490 net/core/dev.c:6883 + napi_poll net/core/dev.c:6952 [inline] + net_rx_action+0x89b/0x1240 net/core/dev.c:7074 + handle_softirqs+0x2d4/0x9b0 kernel/softirq.c:561 + __do_softirq kernel/softirq.c:595 [inline] + invoke_softirq kernel/softirq.c:435 [inline] + __irq_exit_rcu+0xf7/0x220 kernel/softirq.c:662 + irq_exit_rcu+0x9/0x30 kernel/softirq.c:678 + instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline] + sysvec_apic_timer_interrupt+0x57/0xc0 arch/x86/kernel/apic/apic.c:1049 + asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702 +RIP: 0033:0x7f34f4519ad5 +Code: 85 d2 74 0d 0f 10 02 48 8d 54 24 20 0f 11 44 24 20 64 8b 04 25 18 00 00 00 85 c0 75 27 41 b8 08 00 00 00 b8 0f 01 00 00 0f 05 <48> 3d 00 f0 ff ff 76 75 48 8b 15 24 73 0d 00 f7 d8 64 89 02 48 83 +RSP: 002b:00007ffec5b32ce0 EFLAGS: 00000246 +RAX: 0000000000000001 RBX: 00000000000668a0 RCX: 00007f34f4519ad5 +RDX: 00007ffec5b32d00 RSI: 0000000000000004 RDI: 0000564f4bc6cae0 +RBP: 0000564f4bc6b5a0 R08: 0000000000000008 R09: 0000000000000000 +R10: 00007ffec5b32de8 R11: 0000000000000246 R12: 0000564f48ea8aa4 +R13: 0000000000000001 R14: 0000564f48ea93e8 R15: 00007ffec5b32d68 + + +Eric noted a probable shinfo->nr_frags corruption, which indeed +occurs. + +The root cause is a buggy MPTCP option len computation in some +circumstances: the ADD_ADDR option should be mutually exclusive +with DSS since the blamed commit. + +Still, mptcp_established_options_add_addr() tries to set the +relevant info in mptcp_out_options, if the remaining space is +large enough even when DSS is present. + +Since the ADD_ADDR infos and the DSS share the same union +fields, adding first corrupts the latter. In the worst-case +scenario, such corruption increases the DSS binary layout, +exceeding the computed length and possibly overwriting the +skb shared info. + +Address the issue by enforcing mutual exclusion in +mptcp_established_options_add_addr(), too. + +Cc: stable@vger.kernel.org +Reported-by: syzbot+38a095a81f30d82884c1@syzkaller.appspotmail.com +Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/538 +Fixes: 1bff1e43a30e ("mptcp: optimize out option generation") +Signed-off-by: Paolo Abeni +Reviewed-by: Matthieu Baerts (NGI0) +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/025d9df8cde3c9a557befc47e9bc08fbbe3476e5.1734771049.git.pabeni@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/mptcp/options.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/net/mptcp/options.c b/net/mptcp/options.c +index 31bec175886c..bdabc5e889b7 100644 +--- a/net/mptcp/options.c ++++ b/net/mptcp/options.c +@@ -662,8 +662,15 @@ static bool mptcp_established_options_add_addr(struct sock *sk, struct sk_buff * + &echo, &drop_other_suboptions)) + return false; + ++ /* ++ * Later on, mptcp_write_options() will enforce mutually exclusion with ++ * DSS, bail out if such option is set and we can't drop it. ++ */ + if (drop_other_suboptions) + remaining += opt_size; ++ else if (opts->suboptions & OPTION_MPTCP_DSS) ++ return false; ++ + len = mptcp_add_addr_len(opts->addr.family, echo, !!opts->addr.port); + if (remaining < len) + return false; +-- +2.39.5 + diff --git a/queue-5.15/ocfs2-correct-return-value-of-ocfs2_local_free_info.patch b/queue-5.15/ocfs2-correct-return-value-of-ocfs2_local_free_info.patch new file mode 100644 index 00000000000..6cbfc468289 --- /dev/null +++ b/queue-5.15/ocfs2-correct-return-value-of-ocfs2_local_free_info.patch @@ -0,0 +1,66 @@ +From c382368bc8bbbb5dd5d82d7c4b2359e29fe8636a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 28 May 2023 21:20:32 +0800 +Subject: ocfs2: correct return value of ocfs2_local_free_info() + +From: Joseph Qi + +[ Upstream commit d32840ad4a111c6abd651fbf6b5996e6123913da ] + +Now in ocfs2_local_free_info(), it returns 0 even if it actually fails. +Though it doesn't cause any real problem since the only caller +dquot_disable() ignores the return value, we'd better return correct as it +is. + +Link: https://lkml.kernel.org/r/20230528132033.217664-1-joseph.qi@linux.alibaba.com +Signed-off-by: Joseph Qi +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Joseph Qi +Cc: Changwei Ge +Cc: Gang He +Cc: Jun Piao +Signed-off-by: Andrew Morton +Stable-dep-of: 5f3fd772d152 ("ocfs2: fix slab-use-after-free due to dangling pointer dqi_priv") +Signed-off-by: Sasha Levin +--- + fs/ocfs2/quota_local.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +diff --git a/fs/ocfs2/quota_local.c b/fs/ocfs2/quota_local.c +index 7a1c8da9e44b..fbab536741e2 100644 +--- a/fs/ocfs2/quota_local.c ++++ b/fs/ocfs2/quota_local.c +@@ -815,7 +815,7 @@ static int ocfs2_local_free_info(struct super_block *sb, int type) + struct ocfs2_quota_chunk *chunk; + struct ocfs2_local_disk_chunk *dchunk; + int mark_clean = 1, len; +- int status; ++ int status = 0; + + iput(oinfo->dqi_gqinode); + ocfs2_simple_drop_lockres(OCFS2_SB(sb), &oinfo->dqi_gqlock); +@@ -857,17 +857,14 @@ static int ocfs2_local_free_info(struct super_block *sb, int type) + oinfo->dqi_libh, + olq_update_info, + info); +- if (status < 0) { ++ if (status < 0) + mlog_errno(status); +- goto out; +- } +- + out: + ocfs2_inode_unlock(sb_dqopt(sb)->files[type], 1); + brelse(oinfo->dqi_libh); + brelse(oinfo->dqi_lqi_bh); + kfree(oinfo); +- return 0; ++ return status; + } + + static void olq_set_dquot(struct buffer_head *bh, void *private) +-- +2.39.5 + diff --git a/queue-5.15/ocfs2-fix-slab-use-after-free-due-to-dangling-pointe.patch b/queue-5.15/ocfs2-fix-slab-use-after-free-due-to-dangling-pointe.patch new file mode 100644 index 00000000000..2764baeb7fa --- /dev/null +++ b/queue-5.15/ocfs2-fix-slab-use-after-free-due-to-dangling-pointe.patch @@ -0,0 +1,73 @@ +From fe6b9548fbfed4161e0b9df6d5f687359ae9ea66 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Dec 2024 21:39:25 -0500 +Subject: ocfs2: fix slab-use-after-free due to dangling pointer dqi_priv + +From: Dennis Lam + +[ Upstream commit 5f3fd772d152229d94602bca243fbb658068a597 ] + +When mounting ocfs2 and then remounting it as read-only, a +slab-use-after-free occurs after the user uses a syscall to +quota_getnextquota. Specifically, sb_dqinfo(sb, type)->dqi_priv is the +dangling pointer. + +During the remounting process, the pointer dqi_priv is freed but is never +set as null leaving it to be accessed. Additionally, the read-only option +for remounting sets the DQUOT_SUSPENDED flag instead of setting the +DQUOT_USAGE_ENABLED flags. Moreover, later in the process of getting the +next quota, the function ocfs2_get_next_id is called and only checks the +quota usage flags and not the quota suspended flags. + +To fix this, I set dqi_priv to null when it is freed after remounting with +read-only and put a check for DQUOT_SUSPENDED in ocfs2_get_next_id. + +[akpm@linux-foundation.org: coding-style cleanups] +Link: https://lkml.kernel.org/r/20241218023924.22821-2-dennis.lamerice@gmail.com +Fixes: 8f9e8f5fcc05 ("ocfs2: Fix Q_GETNEXTQUOTA for filesystem without quotas") +Signed-off-by: Dennis Lam +Reported-by: syzbot+d173bf8a5a7faeede34c@syzkaller.appspotmail.com +Tested-by: syzbot+d173bf8a5a7faeede34c@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/6731d26f.050a0220.1fb99c.014b.GAE@google.com/T/ +Reviewed-by: Joseph Qi +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Jun Piao +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + fs/ocfs2/quota_global.c | 2 +- + fs/ocfs2/quota_local.c | 1 + + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/ocfs2/quota_global.c b/fs/ocfs2/quota_global.c +index effe92c7d693..cc464c9560e2 100644 +--- a/fs/ocfs2/quota_global.c ++++ b/fs/ocfs2/quota_global.c +@@ -881,7 +881,7 @@ static int ocfs2_get_next_id(struct super_block *sb, struct kqid *qid) + int status = 0; + + trace_ocfs2_get_next_id(from_kqid(&init_user_ns, *qid), type); +- if (!sb_has_quota_loaded(sb, type)) { ++ if (!sb_has_quota_active(sb, type)) { + status = -ESRCH; + goto out; + } +diff --git a/fs/ocfs2/quota_local.c b/fs/ocfs2/quota_local.c +index fbab536741e2..77d5aa90338f 100644 +--- a/fs/ocfs2/quota_local.c ++++ b/fs/ocfs2/quota_local.c +@@ -864,6 +864,7 @@ static int ocfs2_local_free_info(struct super_block *sb, int type) + brelse(oinfo->dqi_libh); + brelse(oinfo->dqi_lqi_bh); + kfree(oinfo); ++ info->dqi_priv = NULL; + return status; + } + +-- +2.39.5 + diff --git a/queue-5.15/of-address-add-support-for-3-address-cell-bus.patch b/queue-5.15/of-address-add-support-for-3-address-cell-bus.patch new file mode 100644 index 00000000000..7795518d72f --- /dev/null +++ b/queue-5.15/of-address-add-support-for-3-address-cell-bus.patch @@ -0,0 +1,189 @@ +From 40ab4b838d4e93e5fd62de3674937037ee9b41a6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Mar 2023 15:15:58 -0500 +Subject: of/address: Add support for 3 address cell bus + +From: Rob Herring + +[ Upstream commit 3d5089c4263d3594dc055e0f9c5cb990505cdd64 ] + +There's a few custom bus bindings (e.g. fsl,qoriq-mc) which use a +3 cell format with custom flags in the high cell. We can match these +buses as a fallback if we didn't match on PCI bus which is the only +standard bus binding with 3 address cells. + +Link: https://lore.kernel.org/r/20230328-dt-address-helpers-v1-3-e2456c3e77ab@kernel.org +Signed-off-by: Rob Herring +Stable-dep-of: 7f05e20b989a ("of: address: Preserve the flags portion on 1:1 dma-ranges mapping") +Signed-off-by: Sasha Levin +--- + drivers/of/address.c | 22 ++++++++ + drivers/of/unittest-data/tests-address.dtsi | 9 +++- + drivers/of/unittest.c | 58 ++++++++++++++++++++- + 3 files changed, 87 insertions(+), 2 deletions(-) + +diff --git a/drivers/of/address.c b/drivers/of/address.c +index 60ead6105471..a95b57cea0d0 100644 +--- a/drivers/of/address.c ++++ b/drivers/of/address.c +@@ -95,11 +95,17 @@ static int of_bus_default_translate(__be32 *addr, u64 offset, int na) + return 0; + } + ++static unsigned int of_bus_default_flags_get_flags(const __be32 *addr) ++{ ++ return of_read_number(addr, 1); ++} ++ + static unsigned int of_bus_default_get_flags(const __be32 *addr) + { + return IORESOURCE_MEM; + } + ++ + #ifdef CONFIG_PCI + static unsigned int of_bus_pci_get_flags(const __be32 *addr) + { +@@ -319,6 +325,11 @@ static unsigned int of_bus_isa_get_flags(const __be32 *addr) + return flags; + } + ++static int of_bus_default_flags_match(struct device_node *np) ++{ ++ return of_bus_n_addr_cells(np) == 3; ++} ++ + /* + * Array of bus specific translators + */ +@@ -348,6 +359,17 @@ static struct of_bus of_busses[] = { + .has_flags = true, + .get_flags = of_bus_isa_get_flags, + }, ++ /* Default with flags cell */ ++ { ++ .name = "default-flags", ++ .addresses = "reg", ++ .match = of_bus_default_flags_match, ++ .count_cells = of_bus_default_count_cells, ++ .map = of_bus_default_map, ++ .translate = of_bus_default_translate, ++ .has_flags = true, ++ .get_flags = of_bus_default_flags_get_flags, ++ }, + /* Default */ + { + .name = "default", +diff --git a/drivers/of/unittest-data/tests-address.dtsi b/drivers/of/unittest-data/tests-address.dtsi +index 6604a52bf6cb..bc0029cbf8ea 100644 +--- a/drivers/of/unittest-data/tests-address.dtsi ++++ b/drivers/of/unittest-data/tests-address.dtsi +@@ -14,7 +14,7 @@ + #size-cells = <1>; + /* ranges here is to make sure we don't use it for + * dma-ranges translation */ +- ranges = <0x70000000 0x70000000 0x40000000>, ++ ranges = <0x70000000 0x70000000 0x50000000>, + <0x00000000 0xd0000000 0x20000000>; + dma-ranges = <0x0 0x20000000 0x40000000>; + +@@ -43,6 +43,13 @@ + <0x42000000 0x0 0xc0000000 0x20000000 0x0 0x10000000>; + }; + ++ bus@a0000000 { ++ #address-cells = <3>; ++ #size-cells = <2>; ++ ranges = <0xf00baa 0x0 0x0 0xa0000000 0x0 0x100000>, ++ <0xf00bee 0x1 0x0 0xb0000000 0x0 0x200000>; ++ }; ++ + }; + }; + }; +diff --git a/drivers/of/unittest.c b/drivers/of/unittest.c +index a020296fbf41..d6a250cd7a40 100644 +--- a/drivers/of/unittest.c ++++ b/drivers/of/unittest.c +@@ -1045,7 +1045,7 @@ static void __init of_unittest_bus_ranges(void) + "for_each_of_range wrong flags on node %pOF flags=%x (expected %x)\n", + np, range.flags, IORESOURCE_MEM); + if (!i) { +- unittest(range.size == 0x40000000, ++ unittest(range.size == 0x50000000, + "for_each_of_range wrong size on node %pOF size=%llx\n", + np, range.size); + unittest(range.cpu_addr == 0x70000000, +@@ -1071,6 +1071,61 @@ static void __init of_unittest_bus_ranges(void) + of_node_put(np); + } + ++static void __init of_unittest_bus_3cell_ranges(void) ++{ ++ struct device_node *np; ++ struct of_range range; ++ struct of_range_parser parser; ++ int i = 0; ++ ++ np = of_find_node_by_path("/testcase-data/address-tests/bus@a0000000"); ++ if (!np) { ++ pr_err("missing testcase data\n"); ++ return; ++ } ++ ++ if (of_range_parser_init(&parser, np)) { ++ pr_err("missing ranges property\n"); ++ return; ++ } ++ ++ /* ++ * Get the "ranges" from the device tree ++ */ ++ for_each_of_range(&parser, &range) { ++ if (!i) { ++ unittest(range.flags == 0xf00baa, ++ "for_each_of_range wrong flags on node %pOF flags=%x\n", ++ np, range.flags); ++ unittest(range.size == 0x100000, ++ "for_each_of_range wrong size on node %pOF size=%llx\n", ++ np, range.size); ++ unittest(range.cpu_addr == 0xa0000000, ++ "for_each_of_range wrong CPU addr (%llx) on node %pOF", ++ range.cpu_addr, np); ++ unittest(range.bus_addr == 0x0, ++ "for_each_of_range wrong bus addr (%llx) on node %pOF", ++ range.pci_addr, np); ++ } else { ++ unittest(range.flags == 0xf00bee, ++ "for_each_of_range wrong flags on node %pOF flags=%x\n", ++ np, range.flags); ++ unittest(range.size == 0x200000, ++ "for_each_of_range wrong size on node %pOF size=%llx\n", ++ np, range.size); ++ unittest(range.cpu_addr == 0xb0000000, ++ "for_each_of_range wrong CPU addr (%llx) on node %pOF", ++ range.cpu_addr, np); ++ unittest(range.bus_addr == 0x100000000, ++ "for_each_of_range wrong bus addr (%llx) on node %pOF", ++ range.pci_addr, np); ++ } ++ i++; ++ } ++ ++ of_node_put(np); ++} ++ + static void __init of_unittest_parse_interrupts(void) + { + struct device_node *np; +@@ -3377,6 +3432,7 @@ static int __init of_unittest(void) + of_unittest_parse_dma_ranges(); + of_unittest_pci_dma_ranges(); + of_unittest_bus_ranges(); ++ of_unittest_bus_3cell_ranges(); + of_unittest_match_node(); + of_unittest_platform_populate(); + of_unittest_overlay(); +-- +2.39.5 + diff --git a/queue-5.15/of-address-fix-address-translation-when-address-size.patch b/queue-5.15/of-address-fix-address-translation-when-address-size.patch new file mode 100644 index 00000000000..23ef9923287 --- /dev/null +++ b/queue-5.15/of-address-fix-address-translation-when-address-size.patch @@ -0,0 +1,129 @@ +From d9070f72131337adb254c80e5698be0e9a46b2bb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Oct 2023 13:02:16 +0200 +Subject: of: address: Fix address translation when address-size is greater + than 2 + +From: Herve Codina + +[ Upstream commit 42604f8eb7ba04b589375049cc76282dad4677d2 ] + +With the recent addition of of_pci_prop_ranges() in commit 407d1a51921e +("PCI: Create device tree node for bridge"), the ranges property can +have a 3 cells child address, a 3 cells parent address and a 2 cells +child size. + +A range item property for a PCI device is filled as follow: + 0 0 + <-- Child --> <-- Parent (PCI definition) --> <- BAR size (64bit) --> + +This allow to translate BAR addresses from the DT. For instance: +pci@0,0 { + #address-cells = <0x03>; + #size-cells = <0x02>; + device_type = "pci"; + compatible = "pci11ab,100", "pciclass,060400", "pciclass,0604"; + ranges = <0x82000000 0x00 0xe8000000 + 0x82000000 0x00 0xe8000000 + 0x00 0x4400000>; + ... + dev@0,0 { + #address-cells = <0x03>; + #size-cells = <0x02>; + compatible = "pci1055,9660", "pciclass,020000", "pciclass,0200"; + /* Translations for BAR0 to BAR5 */ + ranges = <0x00 0x00 0x00 0x82010000 0x00 0xe8000000 0x00 0x2000000 + 0x01 0x00 0x00 0x82010000 0x00 0xea000000 0x00 0x1000000 + 0x02 0x00 0x00 0x82010000 0x00 0xeb000000 0x00 0x800000 + 0x03 0x00 0x00 0x82010000 0x00 0xeb800000 0x00 0x800000 + 0x04 0x00 0x00 0x82010000 0x00 0xec000000 0x00 0x20000 + 0x05 0x00 0x00 0x82010000 0x00 0xec020000 0x00 0x2000>; + ... + pci-ep-bus@0 { + #address-cells = <0x01>; + #size-cells = <0x01>; + compatible = "simple-bus"; + /* Translate 0xe2000000 to BAR0 and 0xe0000000 to BAR1 */ + ranges = <0xe2000000 0x00 0x00 0x00 0x2000000 + 0xe0000000 0x01 0x00 0x00 0x1000000>; + ... + }; + }; +}; + +During the translation process, the "default-flags" map() function is +used to select the matching item in the ranges table and determine the +address offset from this matching item. +This map() function simply calls of_read_number() and when address-size +is greater than 2, the map() function skips the extra high address part +(ie part over 64bit). This lead to a wrong matching item and a wrong +offset computation. +Also during the translation itself, the extra high part related to the +parent address is not present in the translated address. + +Fix the "default-flags" map() and translate() in order to take into +account the child extra high address part in map() and the parent extra +high address part in translate() and so having a correct address +translation for ranges patterns such as the one given in the example +above. + +Signed-off-by: Herve Codina +Link: https://lore.kernel.org/r/20231017110221.189299-2-herve.codina@bootlin.com +Signed-off-by: Rob Herring +Stable-dep-of: 7f05e20b989a ("of: address: Preserve the flags portion on 1:1 dma-ranges mapping") +Signed-off-by: Sasha Levin +--- + drivers/of/address.c | 30 ++++++++++++++++++++++++++++-- + 1 file changed, 28 insertions(+), 2 deletions(-) + +diff --git a/drivers/of/address.c b/drivers/of/address.c +index a95b57cea0d0..7e74fe909282 100644 +--- a/drivers/of/address.c ++++ b/drivers/of/address.c +@@ -105,6 +105,32 @@ static unsigned int of_bus_default_get_flags(const __be32 *addr) + return IORESOURCE_MEM; + } + ++static u64 of_bus_default_flags_map(__be32 *addr, const __be32 *range, int na, ++ int ns, int pna) ++{ ++ u64 cp, s, da; ++ ++ /* Check that flags match */ ++ if (*addr != *range) ++ return OF_BAD_ADDR; ++ ++ /* Read address values, skipping high cell */ ++ cp = of_read_number(range + 1, na - 1); ++ s = of_read_number(range + na + pna, ns); ++ da = of_read_number(addr + 1, na - 1); ++ ++ pr_debug("default flags map, cp=%llx, s=%llx, da=%llx\n", cp, s, da); ++ ++ if (da < cp || da >= (cp + s)) ++ return OF_BAD_ADDR; ++ return da - cp; ++} ++ ++static int of_bus_default_flags_translate(__be32 *addr, u64 offset, int na) ++{ ++ /* Keep "flags" part (high cell) in translated address */ ++ return of_bus_default_translate(addr + 1, offset, na - 1); ++} + + #ifdef CONFIG_PCI + static unsigned int of_bus_pci_get_flags(const __be32 *addr) +@@ -365,8 +391,8 @@ static struct of_bus of_busses[] = { + .addresses = "reg", + .match = of_bus_default_flags_match, + .count_cells = of_bus_default_count_cells, +- .map = of_bus_default_map, +- .translate = of_bus_default_translate, ++ .map = of_bus_default_flags_map, ++ .translate = of_bus_default_flags_translate, + .has_flags = true, + .get_flags = of_bus_default_flags_get_flags, + }, +-- +2.39.5 + diff --git a/queue-5.15/of-address-preserve-the-flags-portion-on-1-1-dma-ran.patch b/queue-5.15/of-address-preserve-the-flags-portion-on-1-1-dma-ran.patch new file mode 100644 index 00000000000..0e3b77327c9 --- /dev/null +++ b/queue-5.15/of-address-preserve-the-flags-portion-on-1-1-dma-ran.patch @@ -0,0 +1,50 @@ +From 284be989f582676bd6dd78cd331fb7987155dc64 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 24 Nov 2024 11:05:37 +0100 +Subject: of: address: Preserve the flags portion on 1:1 dma-ranges mapping + +From: Andrea della Porta + +[ Upstream commit 7f05e20b989ac33c9c0f8c2028ec0a566493548f ] + +A missing or empty dma-ranges in a DT node implies a 1:1 mapping for dma +translations. In this specific case, the current behaviour is to zero out +the entire specifier so that the translation could be carried on as an +offset from zero. This includes address specifier that has flags (e.g. +PCI ranges). + +Once the flags portion has been zeroed, the translation chain is broken +since the mapping functions will check the upcoming address specifier +against mismatching flags, always failing the 1:1 mapping and its entire +purpose of always succeeding. + +Set to zero only the address portion while passing the flags through. + +Fixes: dbbdee94734b ("of/address: Merge all of the bus translation code") +Cc: stable@vger.kernel.org +Signed-off-by: Andrea della Porta +Tested-by: Herve Codina +Link: https://lore.kernel.org/r/e51ae57874e58a9b349c35e2e877425ebc075d7a.1732441813.git.andrea.porta@suse.com +Signed-off-by: Rob Herring (Arm) +Signed-off-by: Sasha Levin +--- + drivers/of/address.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/of/address.c b/drivers/of/address.c +index 123a75a19bc1..9454725af850 100644 +--- a/drivers/of/address.c ++++ b/drivers/of/address.c +@@ -466,7 +466,8 @@ static int of_translate_one(struct device_node *parent, struct of_bus *bus, + } + if (ranges == NULL || rlen == 0) { + offset = of_read_number(addr, na); +- memset(addr, 0, pna * 4); ++ /* set address to zero, pass flags through */ ++ memset(addr + pbus->flag_cells, 0, (pna - pbus->flag_cells) * 4); + pr_debug("empty ranges; 1:1 translation\n"); + goto finish; + } +-- +2.39.5 + diff --git a/queue-5.15/of-address-remove-duplicated-functions.patch b/queue-5.15/of-address-remove-duplicated-functions.patch new file mode 100644 index 00000000000..6213471bcc6 --- /dev/null +++ b/queue-5.15/of-address-remove-duplicated-functions.patch @@ -0,0 +1,72 @@ +From 698cf7ff12b43926f07fecca9e41c26bd707dbd8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Oct 2023 13:02:17 +0200 +Subject: of: address: Remove duplicated functions + +From: Herve Codina + +[ Upstream commit 3eb030c60835668997d5763b1a0c7938faf169f6 ] + +The recently added of_bus_default_flags_translate() performs the exact +same operation as of_bus_pci_translate() and of_bus_isa_translate(). + +Avoid duplicated code replacing both of_bus_pci_translate() and +of_bus_isa_translate() with of_bus_default_flags_translate(). + +Signed-off-by: Herve Codina +Link: https://lore.kernel.org/r/20231017110221.189299-3-herve.codina@bootlin.com +Signed-off-by: Rob Herring +Stable-dep-of: 7f05e20b989a ("of: address: Preserve the flags portion on 1:1 dma-ranges mapping") +Signed-off-by: Sasha Levin +--- + drivers/of/address.c | 13 ++----------- + 1 file changed, 2 insertions(+), 11 deletions(-) + +diff --git a/drivers/of/address.c b/drivers/of/address.c +index 7e74fe909282..b8e015af59df 100644 +--- a/drivers/of/address.c ++++ b/drivers/of/address.c +@@ -221,10 +221,6 @@ static u64 of_bus_pci_map(__be32 *addr, const __be32 *range, int na, int ns, + return da - cp; + } + +-static int of_bus_pci_translate(__be32 *addr, u64 offset, int na) +-{ +- return of_bus_default_translate(addr + 1, offset, na - 1); +-} + #endif /* CONFIG_PCI */ + + int of_pci_address_to_resource(struct device_node *dev, int bar, +@@ -334,11 +330,6 @@ static u64 of_bus_isa_map(__be32 *addr, const __be32 *range, int na, int ns, + return da - cp; + } + +-static int of_bus_isa_translate(__be32 *addr, u64 offset, int na) +-{ +- return of_bus_default_translate(addr + 1, offset, na - 1); +-} +- + static unsigned int of_bus_isa_get_flags(const __be32 *addr) + { + unsigned int flags = 0; +@@ -369,7 +360,7 @@ static struct of_bus of_busses[] = { + .match = of_bus_pci_match, + .count_cells = of_bus_pci_count_cells, + .map = of_bus_pci_map, +- .translate = of_bus_pci_translate, ++ .translate = of_bus_default_flags_translate, + .has_flags = true, + .get_flags = of_bus_pci_get_flags, + }, +@@ -381,7 +372,7 @@ static struct of_bus of_busses[] = { + .match = of_bus_isa_match, + .count_cells = of_bus_isa_count_cells, + .map = of_bus_isa_map, +- .translate = of_bus_isa_translate, ++ .translate = of_bus_default_flags_translate, + .has_flags = true, + .get_flags = of_bus_isa_get_flags, + }, +-- +2.39.5 + diff --git a/queue-5.15/of-address-store-number-of-bus-flag-cells-rather-tha.patch b/queue-5.15/of-address-store-number-of-bus-flag-cells-rather-tha.patch new file mode 100644 index 00000000000..f2a20539a63 --- /dev/null +++ b/queue-5.15/of-address-store-number-of-bus-flag-cells-rather-tha.patch @@ -0,0 +1,85 @@ +From 9e5343ac53c008e2f4382c42681c80cd408d8647 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Oct 2023 08:53:58 -0500 +Subject: of: address: Store number of bus flag cells rather than bool + +From: Rob Herring + +[ Upstream commit 88696db08b7efa3b6bb722014ea7429e78f6be32 ] + +It is more useful to know how many flags cells a bus has rather than +whether a bus has flags or not as ultimately the number of cells is the +information used. Replace 'has_flags' boolean with 'flag_cells' count. + +Acked-by: Herve Codina +Link: https://lore.kernel.org/r/20231026135358.3564307-2-robh@kernel.org +Signed-off-by: Rob Herring +Stable-dep-of: 7f05e20b989a ("of: address: Preserve the flags portion on 1:1 dma-ranges mapping") +Signed-off-by: Sasha Levin +--- + drivers/of/address.c | 14 +++++--------- + 1 file changed, 5 insertions(+), 9 deletions(-) + +diff --git a/drivers/of/address.c b/drivers/of/address.c +index b8e015af59df..123a75a19bc1 100644 +--- a/drivers/of/address.c ++++ b/drivers/of/address.c +@@ -50,7 +50,7 @@ struct of_bus { + u64 (*map)(__be32 *addr, const __be32 *range, + int na, int ns, int pna); + int (*translate)(__be32 *addr, u64 offset, int na); +- bool has_flags; ++ int flag_cells; + unsigned int (*get_flags)(const __be32 *addr); + }; + +@@ -361,7 +361,7 @@ static struct of_bus of_busses[] = { + .count_cells = of_bus_pci_count_cells, + .map = of_bus_pci_map, + .translate = of_bus_default_flags_translate, +- .has_flags = true, ++ .flag_cells = 1, + .get_flags = of_bus_pci_get_flags, + }, + #endif /* CONFIG_PCI */ +@@ -373,7 +373,7 @@ static struct of_bus of_busses[] = { + .count_cells = of_bus_isa_count_cells, + .map = of_bus_isa_map, + .translate = of_bus_default_flags_translate, +- .has_flags = true, ++ .flag_cells = 1, + .get_flags = of_bus_isa_get_flags, + }, + /* Default with flags cell */ +@@ -384,7 +384,7 @@ static struct of_bus of_busses[] = { + .count_cells = of_bus_default_count_cells, + .map = of_bus_default_flags_map, + .translate = of_bus_default_flags_translate, +- .has_flags = true, ++ .flag_cells = 1, + .get_flags = of_bus_default_flags_get_flags, + }, + /* Default */ +@@ -751,7 +751,7 @@ struct of_pci_range *of_pci_range_parser_one(struct of_pci_range_parser *parser, + int na = parser->na; + int ns = parser->ns; + int np = parser->pna + na + ns; +- int busflag_na = 0; ++ int busflag_na = parser->bus->flag_cells; + + if (!range) + return NULL; +@@ -761,10 +761,6 @@ struct of_pci_range *of_pci_range_parser_one(struct of_pci_range_parser *parser, + + range->flags = parser->bus->get_flags(parser->range); + +- /* A extra cell for resource flags */ +- if (parser->bus->has_flags) +- busflag_na = 1; +- + range->bus_addr = of_read_number(parser->range + busflag_na, na - busflag_na); + + if (parser->dma) +-- +2.39.5 + diff --git a/queue-5.15/of-unittest-add-bus-address-range-parsing-tests.patch b/queue-5.15/of-unittest-add-bus-address-range-parsing-tests.patch new file mode 100644 index 00000000000..575f137d9ce --- /dev/null +++ b/queue-5.15/of-unittest-add-bus-address-range-parsing-tests.patch @@ -0,0 +1,96 @@ +From b5bf318fe531be7834dc2a060dfd2d6762a9e6c6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Mar 2023 15:15:56 -0500 +Subject: of: unittest: Add bus address range parsing tests + +From: Rob Herring + +[ Upstream commit 6d32dadb11a6480be62c6ada901bbdcbda1775c9 ] + +While there are tests for "dma-ranges" helpers, "ranges" is missing any +tests. It's the same underlying code, but for completeness add a test +for "ranges" parsing iterators. This is in preparation to add some +additional "ranges" helpers. + +Link: https://lore.kernel.org/r/20230328-dt-address-helpers-v1-1-e2456c3e77ab@kernel.org +Signed-off-by: Rob Herring +Stable-dep-of: 7f05e20b989a ("of: address: Preserve the flags portion on 1:1 dma-ranges mapping") +Signed-off-by: Sasha Levin +--- + drivers/of/unittest.c | 53 +++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 53 insertions(+) + +diff --git a/drivers/of/unittest.c b/drivers/of/unittest.c +index 5a8d37cef0ba..a020296fbf41 100644 +--- a/drivers/of/unittest.c ++++ b/drivers/of/unittest.c +@@ -1019,6 +1019,58 @@ static void __init of_unittest_pci_dma_ranges(void) + of_node_put(np); + } + ++static void __init of_unittest_bus_ranges(void) ++{ ++ struct device_node *np; ++ struct of_range range; ++ struct of_range_parser parser; ++ int i = 0; ++ ++ np = of_find_node_by_path("/testcase-data/address-tests"); ++ if (!np) { ++ pr_err("missing testcase data\n"); ++ return; ++ } ++ ++ if (of_range_parser_init(&parser, np)) { ++ pr_err("missing ranges property\n"); ++ return; ++ } ++ ++ /* ++ * Get the "ranges" from the device tree ++ */ ++ for_each_of_range(&parser, &range) { ++ unittest(range.flags == IORESOURCE_MEM, ++ "for_each_of_range wrong flags on node %pOF flags=%x (expected %x)\n", ++ np, range.flags, IORESOURCE_MEM); ++ if (!i) { ++ unittest(range.size == 0x40000000, ++ "for_each_of_range wrong size on node %pOF size=%llx\n", ++ np, range.size); ++ unittest(range.cpu_addr == 0x70000000, ++ "for_each_of_range wrong CPU addr (%llx) on node %pOF", ++ range.cpu_addr, np); ++ unittest(range.bus_addr == 0x70000000, ++ "for_each_of_range wrong bus addr (%llx) on node %pOF", ++ range.pci_addr, np); ++ } else { ++ unittest(range.size == 0x20000000, ++ "for_each_of_range wrong size on node %pOF size=%llx\n", ++ np, range.size); ++ unittest(range.cpu_addr == 0xd0000000, ++ "for_each_of_range wrong CPU addr (%llx) on node %pOF", ++ range.cpu_addr, np); ++ unittest(range.bus_addr == 0x00000000, ++ "for_each_of_range wrong bus addr (%llx) on node %pOF", ++ range.pci_addr, np); ++ } ++ i++; ++ } ++ ++ of_node_put(np); ++} ++ + static void __init of_unittest_parse_interrupts(void) + { + struct device_node *np; +@@ -3324,6 +3376,7 @@ static int __init of_unittest(void) + of_unittest_dma_get_max_cpu_address(); + of_unittest_parse_dma_ranges(); + of_unittest_pci_dma_ranges(); ++ of_unittest_bus_ranges(); + of_unittest_match_node(); + of_unittest_platform_populate(); + of_unittest_overlay(); +-- +2.39.5 + diff --git a/queue-5.15/phy-usb-add-wake-on-functionality-for-newer-synopsis.patch b/queue-5.15/phy-usb-add-wake-on-functionality-for-newer-synopsis.patch new file mode 100644 index 00000000000..1761cb4ca0d --- /dev/null +++ b/queue-5.15/phy-usb-add-wake-on-functionality-for-newer-synopsis.patch @@ -0,0 +1,135 @@ +From 37011de452b21b71efb13ef16eed774a49c3a99f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Feb 2022 19:24:21 -0800 +Subject: phy: usb: Add "wake on" functionality for newer Synopsis XHCI + controllers + +From: Al Cooper + +[ Upstream commit ae532b2b7aa5a3dad036aef4e0b177607172d276 ] + +Add "wake on" support for the newer Synopsis based XHCI only controller. +This works on the 72165 and 72164 and newer chips and does not work +on 7216 based systems. Also switch the USB sysclk to a slower clock +on suspend to save additional power in S2. The clock switch will only +save power on the 72165b0 and newer chips and is a nop on older chips. + +Signed-off-by: Al Cooper +Signed-off-by: Florian Fainelli +Link: https://lore.kernel.org/r/20220215032422.5179-1-f.fainelli@gmail.com +Signed-off-by: Vinod Koul +Stable-dep-of: 0a92ea87bdd6 ("phy: usb: Toggle the PHY power during init") +Signed-off-by: Sasha Levin +--- + .../phy/broadcom/phy-brcm-usb-init-synopsys.c | 46 +++++++++++++++---- + 1 file changed, 38 insertions(+), 8 deletions(-) + +diff --git a/drivers/phy/broadcom/phy-brcm-usb-init-synopsys.c b/drivers/phy/broadcom/phy-brcm-usb-init-synopsys.c +index e63457e145c7..d2524b70ea16 100644 +--- a/drivers/phy/broadcom/phy-brcm-usb-init-synopsys.c ++++ b/drivers/phy/broadcom/phy-brcm-usb-init-synopsys.c +@@ -47,6 +47,8 @@ + #define USB_CTRL_USB_PM_SOFT_RESET_MASK 0x40000000 + #define USB_CTRL_USB_PM_BDC_SOFT_RESETB_MASK 0x00800000 + #define USB_CTRL_USB_PM_XHC_SOFT_RESETB_MASK 0x00400000 ++#define USB_CTRL_USB_PM_XHC_PME_EN_MASK 0x00000010 ++#define USB_CTRL_USB_PM_XHC_S2_CLK_SWITCH_EN_MASK 0x00000008 + #define USB_CTRL_USB_PM_STATUS 0x08 + #define USB_CTRL_USB_DEVICE_CTL1 0x10 + #define USB_CTRL_USB_DEVICE_CTL1_PORT_MODE_MASK 0x00000003 +@@ -190,10 +192,6 @@ static void usb_init_common(struct brcm_usb_init_params *params) + + pr_debug("%s\n", __func__); + +- USB_CTRL_UNSET(ctrl, USB_PM, USB_PWRDN); +- /* 1 millisecond - for USB clocks to settle down */ +- usleep_range(1000, 2000); +- + if (USB_CTRL_MASK(USB_DEVICE_CTL1, PORT_MODE)) { + reg = brcm_usb_readl(USB_CTRL_REG(ctrl, USB_DEVICE_CTL1)); + reg &= ~USB_CTRL_MASK(USB_DEVICE_CTL1, PORT_MODE); +@@ -222,6 +220,17 @@ static void usb_wake_enable_7211b0(struct brcm_usb_init_params *params, + USB_CTRL_UNSET(ctrl, CTLR_CSHCR, ctl_pme_en); + } + ++static void usb_wake_enable_7216(struct brcm_usb_init_params *params, ++ bool enable) ++{ ++ void __iomem *ctrl = params->regs[BRCM_REGS_CTRL]; ++ ++ if (enable) ++ USB_CTRL_SET(ctrl, USB_PM, XHC_PME_EN); ++ else ++ USB_CTRL_UNSET(ctrl, USB_PM, XHC_PME_EN); ++} ++ + static void usb_init_common_7211b0(struct brcm_usb_init_params *params) + { + void __iomem *ctrl = params->regs[BRCM_REGS_CTRL]; +@@ -295,6 +304,20 @@ static void usb_init_common_7211b0(struct brcm_usb_init_params *params) + usb2_eye_fix_7211b0(params); + } + ++static void usb_init_common_7216(struct brcm_usb_init_params *params) ++{ ++ void __iomem *ctrl = params->regs[BRCM_REGS_CTRL]; ++ ++ USB_CTRL_UNSET(ctrl, USB_PM, XHC_S2_CLK_SWITCH_EN); ++ USB_CTRL_UNSET(ctrl, USB_PM, USB_PWRDN); ++ ++ /* 1 millisecond - for USB clocks to settle down */ ++ usleep_range(1000, 2000); ++ ++ usb_wake_enable_7216(params, false); ++ usb_init_common(params); ++} ++ + static void usb_init_xhci(struct brcm_usb_init_params *params) + { + pr_debug("%s\n", __func__); +@@ -302,14 +325,20 @@ static void usb_init_xhci(struct brcm_usb_init_params *params) + xhci_soft_reset(params, 0); + } + +-static void usb_uninit_common(struct brcm_usb_init_params *params) ++static void usb_uninit_common_7216(struct brcm_usb_init_params *params) + { + void __iomem *ctrl = params->regs[BRCM_REGS_CTRL]; + + pr_debug("%s\n", __func__); + +- USB_CTRL_SET(ctrl, USB_PM, USB_PWRDN); ++ if (!params->wake_enabled) { ++ USB_CTRL_SET(ctrl, USB_PM, USB_PWRDN); + ++ /* Switch to using slower clock during suspend to save power */ ++ USB_CTRL_SET(ctrl, USB_PM, XHC_S2_CLK_SWITCH_EN); ++ } else { ++ usb_wake_enable_7216(params, true); ++ } + } + + static void usb_uninit_common_7211b0(struct brcm_usb_init_params *params) +@@ -371,9 +400,9 @@ static void usb_set_dual_select(struct brcm_usb_init_params *params, int mode) + + static const struct brcm_usb_init_ops bcm7216_ops = { + .init_ipp = usb_init_ipp, +- .init_common = usb_init_common, ++ .init_common = usb_init_common_7216, + .init_xhci = usb_init_xhci, +- .uninit_common = usb_uninit_common, ++ .uninit_common = usb_uninit_common_7216, + .uninit_xhci = usb_uninit_xhci, + .get_dual_select = usb_get_dual_select, + .set_dual_select = usb_set_dual_select, +@@ -396,6 +425,7 @@ void brcm_usb_dvr_init_7216(struct brcm_usb_init_params *params) + + params->family_name = "7216"; + params->ops = &bcm7216_ops; ++ params->suspend_with_clocks = true; + } + + void brcm_usb_dvr_init_7211b0(struct brcm_usb_init_params *params) +-- +2.39.5 + diff --git a/queue-5.15/phy-usb-toggle-the-phy-power-during-init.patch b/queue-5.15/phy-usb-toggle-the-phy-power-during-init.patch new file mode 100644 index 00000000000..e4b7bbb1631 --- /dev/null +++ b/queue-5.15/phy-usb-toggle-the-phy-power-during-init.patch @@ -0,0 +1,43 @@ +From 58defff010052f422428a0c8659bf376351f029c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Oct 2024 14:35:40 -0700 +Subject: phy: usb: Toggle the PHY power during init + +From: Justin Chen + +[ Upstream commit 0a92ea87bdd6f77ca4e17fe19649882cf5209edd ] + +When bringing up the PHY, it might be in a bad state if left powered. +One case is we lose the PLL lock if the PLL is gated while the PHY +is powered. Toggle the PHY power so we can start from a known state. + +Fixes: 4e5b9c9a73b3 ("phy: usb: Add support for new Synopsys USB controller on the 7216") +Signed-off-by: Justin Chen +Acked-by: Florian Fainelli +Link: https://lore.kernel.org/r/20241024213540.1059412-1-justin.chen@broadcom.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/phy/broadcom/phy-brcm-usb-init-synopsys.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/phy/broadcom/phy-brcm-usb-init-synopsys.c b/drivers/phy/broadcom/phy-brcm-usb-init-synopsys.c +index d2524b70ea16..fa54da35719f 100644 +--- a/drivers/phy/broadcom/phy-brcm-usb-init-synopsys.c ++++ b/drivers/phy/broadcom/phy-brcm-usb-init-synopsys.c +@@ -309,6 +309,12 @@ static void usb_init_common_7216(struct brcm_usb_init_params *params) + void __iomem *ctrl = params->regs[BRCM_REGS_CTRL]; + + USB_CTRL_UNSET(ctrl, USB_PM, XHC_S2_CLK_SWITCH_EN); ++ ++ /* ++ * The PHY might be in a bad state if it is already powered ++ * up. Toggle the power just in case. ++ */ ++ USB_CTRL_SET(ctrl, USB_PM, USB_PWRDN); + USB_CTRL_UNSET(ctrl, USB_PM, USB_PWRDN); + + /* 1 millisecond - for USB clocks to settle down */ +-- +2.39.5 + diff --git a/queue-5.15/series b/queue-5.15/series index 8986da6bbef..f9269c69419 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -64,3 +64,17 @@ iio-adc-ti-ads124s08-use-gpiod_set_value_cansleep.patch iio-adc-at91-call-input_free_device-on-allocated-iio_dev.patch iio-inkern-call-iio_device_put-only-on-mapped-devices.patch iio-adc-ad7124-disable-all-channels-at-probe-time.patch +block-bfq-fix-waker_bfqq-uaf-after-bfq_split_bfqq.patch +arm64-dts-rockchip-add-hevc-power-domain-clock-to-rk.patch +of-unittest-add-bus-address-range-parsing-tests.patch +of-address-add-support-for-3-address-cell-bus.patch +of-address-fix-address-translation-when-address-size.patch +of-address-remove-duplicated-functions.patch +of-address-store-number-of-bus-flag-cells-rather-tha.patch +of-address-preserve-the-flags-portion-on-1-1-dma-ran.patch +phy-usb-add-wake-on-functionality-for-newer-synopsis.patch +phy-usb-toggle-the-phy-power-during-init.patch +ocfs2-correct-return-value-of-ocfs2_local_free_info.patch +ocfs2-fix-slab-use-after-free-due-to-dangling-pointe.patch +mptcp-drop-port-parameter-of-mptcp_pm_add_addr_signa.patch +mptcp-fix-tcp-options-overflow.patch