From: Greg Kroah-Hartman Date: Mon, 4 Mar 2024 06:57:50 +0000 (+0100) Subject: 6.7-stable patches X-Git-Tag: v4.19.309~80 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a53e3dbecca438ed2188e38ca6ca9453ae3ef3c0;p=thirdparty%2Fkernel%2Fstable-queue.git 6.7-stable patches added patches: btrfs-dev-replace-properly-validate-device-names.patch btrfs-fix-double-free-of-anonymous-device-after-snapshot-creation-failure.patch btrfs-send-don-t-issue-unnecessary-zero-writes-for-trailing-hole.patch ceph-switch-to-corrected-encoding-of-max_xattr_size-in-mdsmap.patch crypto-arm64-neonbs-fix-out-of-bounds-access-on-short-input.patch dmaengine-fsl-edma-correct-calculation-of-nbytes-in-multi-fifo-scenario.patch dmaengine-fsl-qdma-fix-soc-may-hang-on-16-byte-unaligned-read.patch dmaengine-fsl-qdma-init-irq-after-reg-initialization.patch dmaengine-ptdma-use-consistent-dma-masks.patch drm-amd-display-add-monitor-patch-for-specific-edp.patch drm-amdgpu-pm-fix-the-power1_min_cap-value.patch drm-buddy-fix-range-bias.patch gtp-fix-use-after-free-and-null-ptr-deref-in-gtp_newlink.patch landlock-fix-asymmetric-private-inodes-referring.patch mm-cachestat-fix-folio-read-after-free-in-cache-walk.patch mmc-core-fix-emmc-initialization-with-1-bit-bus-connection.patch mmc-mmci-stm32-fix-dma-api-overlapping-mappings-warning.patch mmc-sdhci-xenon-add-timeout-for-phy-init-complete.patch mmc-sdhci-xenon-fix-phy-init-clock-stability.patch mtd-rawnand-marvell-fix-layouts.patch revert-drm-amd-pm-resolve-reboot-exception-for-si-oland.patch soc-qcom-pmic_glink-fix-boot-when-qrtr-m.patch wifi-nl80211-reject-iftype-change-with-mesh-id-change.patch --- diff --git a/queue-6.7/btrfs-dev-replace-properly-validate-device-names.patch b/queue-6.7/btrfs-dev-replace-properly-validate-device-names.patch new file mode 100644 index 00000000000..d447d03afa2 --- /dev/null +++ b/queue-6.7/btrfs-dev-replace-properly-validate-device-names.patch 
@@ -0,0 +1,72 @@
+From 9845664b9ee47ce7ee7ea93caf47d39a9d4552c4 Mon Sep 17 00:00:00 2001
+From: David Sterba
+Date: Wed, 14 Feb 2024 16:19:24 +0100
+Subject: btrfs: dev-replace: properly validate device names
+
+From: David Sterba
+
+commit 9845664b9ee47ce7ee7ea93caf47d39a9d4552c4 upstream.
+
+There's a syzbot report that device name buffers passed to device
+replace are not properly checked for string termination which could lead
+to a read out of bounds in getname_kernel().
+
+Add a helper that validates both source and target device name buffers.
+For devid as the source initialize the buffer to empty string in case
+something tries to read it later.
+
+This was originally analyzed and fixed in a different way by Edward Adam
+Davis (see links).
+
+Link: https://lore.kernel.org/linux-btrfs/000000000000d1a1d1060cc9c5e7@google.com/
+Link: https://lore.kernel.org/linux-btrfs/tencent_44CA0665C9836EF9EEC80CB9E7E206DF5206@qq.com/
+CC: stable@vger.kernel.org # 4.19+
+CC: Edward Adam Davis
+Reported-and-tested-by: syzbot+33f23b49ac24f986c9e8@syzkaller.appspotmail.com
+Reviewed-by: Boris Burkov
+Signed-off-by: David Sterba
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/btrfs/dev-replace.c | 24 ++++++++++++++++++++----
+ 1 file changed, 20 insertions(+), 4 deletions(-)
+
+--- a/fs/btrfs/dev-replace.c
++++ b/fs/btrfs/dev-replace.c
+@@ -727,6 +727,23 @@ leave:
+ return ret;
+ }
+
++static int btrfs_check_replace_dev_names(struct btrfs_ioctl_dev_replace_args *args)
++{
++ if (args->start.srcdevid == 0) {
++ if (memchr(args->start.srcdev_name, 0,
++ sizeof(args->start.srcdev_name)) == NULL)
++ return -ENAMETOOLONG;
++ } else {
++ args->start.srcdev_name[0] = 0;
++ }
++
++ if (memchr(args->start.tgtdev_name, 0,
++ sizeof(args->start.tgtdev_name)) == NULL)
++ return -ENAMETOOLONG;
++
++ return 0;
++}
++
+ int btrfs_dev_replace_by_ioctl(struct btrfs_fs_info *fs_info,
+ struct btrfs_ioctl_dev_replace_args *args)
+ {
+@@ -739,10 +756,9 @@ int btrfs_dev_replace_by_ioctl(struct bt
+ default:
+ return -EINVAL;
+ }
+-
+- if ((args->start.srcdevid == 0 && args->start.srcdev_name[0] == '\0') ||
+- args->start.tgtdev_name[0] == '\0')
+- return -EINVAL;
++ ret = btrfs_check_replace_dev_names(args);
++ if (ret < 0)
++ return ret;
+
+ ret = btrfs_dev_replace_start(fs_info, args->start.tgtdev_name,
+ args->start.srcdevid,
diff --git a/queue-6.7/btrfs-fix-double-free-of-anonymous-device-after-snapshot-creation-failure.patch b/queue-6.7/btrfs-fix-double-free-of-anonymous-device-after-snapshot-creation-failure.patch
new file mode 100644
index 00000000000..0392a51d528
--- /dev/null
+++ b/queue-6.7/btrfs-fix-double-free-of-anonymous-device-after-snapshot-creation-failure.patch
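Review bot: `btrfs_check_replace_dev_names()` no longer rejects empty names: the removed lines returned -EINVAL when `srcdev_name[0] == '\0'` (with `srcdevid == 0`) or `tgtdev_name[0] == '\0'`, while the new helper only checks that a NUL byte exists somewhere in each buffer. An empty source or target name therefore now reaches `btrfs_dev_replace_start()`; presumably the path lookup there fails, but that is outside this hunk. Either keep the early rejection after the termination test, e.g. `if (args->start.tgtdev_name[0] == '\0') return -EINVAL;`, or say in a comment that empty names are deliberately left to the later lookup. The helper also writes to `args` in the devid branch despite its `check` name, which deserves a one-line comment such as `/* source is selected by devid; blank the unused name buffer so later readers see "" */`.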
@@ -0,0 +1,211 @@ +From e2b54eaf28df0c978626c9736b94f003b523b451 Mon Sep 17 00:00:00 2001 +From: Filipe Manana +Date: Fri, 23 Feb 2024 16:38:43 +0000 +Subject: btrfs: fix double free of anonymous device after snapshot creation failure + +From: Filipe Manana + +commit e2b54eaf28df0c978626c9736b94f003b523b451 upstream. + +When creating a snapshot we may do a double free of an anonymous device +in case there's an error committing the transaction. The second free may +result in freeing an anonymous device number that was allocated by some +other subsystem in the kernel or another btrfs filesystem. + +The steps that lead to this: + +1) At ioctl.c:create_snapshot() we allocate an anonymous device number + and assign it to pending_snapshot->anon_dev; + +2) Then we call btrfs_commit_transaction() and end up at + transaction.c:create_pending_snapshot(); + +3) There we call btrfs_get_new_fs_root() and pass it the anonymous device + number stored in pending_snapshot->anon_dev; + +4) btrfs_get_new_fs_root() frees that anonymous device number because + btrfs_lookup_fs_root() returned a root - someone else did a lookup + of the new root already, which could some task doing backref walking; + +5) After that some error happens in the transaction commit path, and at + ioctl.c:create_snapshot() we jump to the 'fail' label, and after + that we free again the same anonymous device number, which in the + meanwhile may have been reallocated somewhere else, because + pending_snapshot->anon_dev still has the same value as in step 1. + +Recently syzbot ran into this and reported the following trace: + + ------------[ cut here ]------------ + ida_free called for id=51 which is not allocated. 
+ WARNING: CPU: 1 PID: 31038 at lib/idr.c:525 ida_free+0x370/0x420 lib/idr.c:525 + Modules linked in: + CPU: 1 PID: 31038 Comm: syz-executor.2 Not tainted 6.8.0-rc4-syzkaller-00410-gc02197fc9076 #0 + Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024 + RIP: 0010:ida_free+0x370/0x420 lib/idr.c:525 + Code: 10 42 80 3c 28 (...) + RSP: 0018:ffffc90015a67300 EFLAGS: 00010246 + RAX: be5130472f5dd000 RBX: 0000000000000033 RCX: 0000000000040000 + RDX: ffffc90009a7a000 RSI: 000000000003ffff RDI: 0000000000040000 + RBP: ffffc90015a673f0 R08: ffffffff81577992 R09: 1ffff92002b4cdb4 + R10: dffffc0000000000 R11: fffff52002b4cdb5 R12: 0000000000000246 + R13: dffffc0000000000 R14: ffffffff8e256b80 R15: 0000000000000246 + FS: 00007fca3f4b46c0(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 00007f167a17b978 CR3: 000000001ed26000 CR4: 0000000000350ef0 + Call Trace: + + btrfs_get_root_ref+0xa48/0xaf0 fs/btrfs/disk-io.c:1346 + create_pending_snapshot+0xff2/0x2bc0 fs/btrfs/transaction.c:1837 + create_pending_snapshots+0x195/0x1d0 fs/btrfs/transaction.c:1931 + btrfs_commit_transaction+0xf1c/0x3740 fs/btrfs/transaction.c:2404 + create_snapshot+0x507/0x880 fs/btrfs/ioctl.c:848 + btrfs_mksubvol+0x5d0/0x750 fs/btrfs/ioctl.c:998 + btrfs_mksnapshot+0xb5/0xf0 fs/btrfs/ioctl.c:1044 + __btrfs_ioctl_snap_create+0x387/0x4b0 fs/btrfs/ioctl.c:1306 + btrfs_ioctl_snap_create_v2+0x1ca/0x400 fs/btrfs/ioctl.c:1393 + btrfs_ioctl+0xa74/0xd40 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:871 [inline] + __se_sys_ioctl+0xfe/0x170 fs/ioctl.c:857 + do_syscall_64+0xfb/0x240 + entry_SYSCALL_64_after_hwframe+0x6f/0x77 + RIP: 0033:0x7fca3e67dda9 + Code: 28 00 00 00 (...) 
+ RSP: 002b:00007fca3f4b40c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 + RAX: ffffffffffffffda RBX: 00007fca3e7abf80 RCX: 00007fca3e67dda9 + RDX: 00000000200005c0 RSI: 0000000050009417 RDI: 0000000000000003 + RBP: 00007fca3e6ca47a R08: 0000000000000000 R09: 0000000000000000 + R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 + R13: 000000000000000b R14: 00007fca3e7abf80 R15: 00007fff6bf95658 + + +Where we get an explicit message where we attempt to free an anonymous +device number that is not currently allocated. It happens in a different +code path from the example below, at btrfs_get_root_ref(), so this change +may not fix the case triggered by syzbot. + +To fix at least the code path from the example above, change +btrfs_get_root_ref() and its callers to receive a dev_t pointer argument +for the anonymous device number, so that in case it frees the number, it +also resets it to 0, so that up in the call chain we don't attempt to do +the double free. + +CC: stable@vger.kernel.org # 5.10+ +Link: https://lore.kernel.org/linux-btrfs/000000000000f673a1061202f630@google.com/ +Fixes: e03ee2fe873e ("btrfs: do not ASSERT() if the newly created subvolume already got read") +Signed-off-by: Filipe Manana +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/disk-io.c | 22 +++++++++++----------- + fs/btrfs/disk-io.h | 2 +- + fs/btrfs/ioctl.c | 2 +- + fs/btrfs/transaction.c | 2 +- + 4 files changed, 14 insertions(+), 14 deletions(-) + +--- a/fs/btrfs/disk-io.c ++++ b/fs/btrfs/disk-io.c +@@ -1286,12 +1286,12 @@ void btrfs_free_fs_info(struct btrfs_fs_ + * + * @objectid: root id + * @anon_dev: preallocated anonymous block device number for new roots, +- * pass 0 for new allocation. ++ * pass NULL for a new allocation. 
+ * @check_ref: whether to check root item references, If true, return -ENOENT + * for orphan roots + */ + static struct btrfs_root *btrfs_get_root_ref(struct btrfs_fs_info *fs_info, +- u64 objectid, dev_t anon_dev, ++ u64 objectid, dev_t *anon_dev, + bool check_ref) + { + struct btrfs_root *root; +@@ -1321,9 +1321,9 @@ again: + * that common but still possible. In that case, we just need + * to free the anon_dev. + */ +- if (unlikely(anon_dev)) { +- free_anon_bdev(anon_dev); +- anon_dev = 0; ++ if (unlikely(anon_dev && *anon_dev)) { ++ free_anon_bdev(*anon_dev); ++ *anon_dev = 0; + } + + if (check_ref && btrfs_root_refs(&root->root_item) == 0) { +@@ -1345,7 +1345,7 @@ again: + goto fail; + } + +- ret = btrfs_init_fs_root(root, anon_dev); ++ ret = btrfs_init_fs_root(root, anon_dev ? *anon_dev : 0); + if (ret) + goto fail; + +@@ -1381,7 +1381,7 @@ fail: + * root's anon_dev to 0 to avoid a double free, once by btrfs_put_root() + * and once again by our caller. + */ +- if (anon_dev) ++ if (anon_dev && *anon_dev) + root->anon_dev = 0; + btrfs_put_root(root); + return ERR_PTR(ret); +@@ -1397,7 +1397,7 @@ fail: + struct btrfs_root *btrfs_get_fs_root(struct btrfs_fs_info *fs_info, + u64 objectid, bool check_ref) + { +- return btrfs_get_root_ref(fs_info, objectid, 0, check_ref); ++ return btrfs_get_root_ref(fs_info, objectid, NULL, check_ref); + } + + /* +@@ -1405,11 +1405,11 @@ struct btrfs_root *btrfs_get_fs_root(str + * the anonymous block device id + * + * @objectid: tree objectid +- * @anon_dev: if zero, allocate a new anonymous block device or use the +- * parameter value ++ * @anon_dev: if NULL, allocate a new anonymous block device or use the ++ * parameter value if not NULL + */ + struct btrfs_root *btrfs_get_new_fs_root(struct btrfs_fs_info *fs_info, +- u64 objectid, dev_t anon_dev) ++ u64 objectid, dev_t *anon_dev) + { + return btrfs_get_root_ref(fs_info, objectid, anon_dev, true); + } +--- a/fs/btrfs/disk-io.h ++++ b/fs/btrfs/disk-io.h +@@ -64,7 +64,7 @@ void 
btrfs_free_fs_roots(struct btrfs_fs + struct btrfs_root *btrfs_get_fs_root(struct btrfs_fs_info *fs_info, + u64 objectid, bool check_ref); + struct btrfs_root *btrfs_get_new_fs_root(struct btrfs_fs_info *fs_info, +- u64 objectid, dev_t anon_dev); ++ u64 objectid, dev_t *anon_dev); + struct btrfs_root *btrfs_get_fs_root_commit_root(struct btrfs_fs_info *fs_info, + struct btrfs_path *path, + u64 objectid); +--- a/fs/btrfs/ioctl.c ++++ b/fs/btrfs/ioctl.c +@@ -721,7 +721,7 @@ static noinline int create_subvol(struct + free_extent_buffer(leaf); + leaf = NULL; + +- new_root = btrfs_get_new_fs_root(fs_info, objectid, anon_dev); ++ new_root = btrfs_get_new_fs_root(fs_info, objectid, &anon_dev); + if (IS_ERR(new_root)) { + ret = PTR_ERR(new_root); + btrfs_abort_transaction(trans, ret); +--- a/fs/btrfs/transaction.c ++++ b/fs/btrfs/transaction.c +@@ -1834,7 +1834,7 @@ static noinline int create_pending_snaps + } + + key.offset = (u64)-1; +- pending->snap = btrfs_get_new_fs_root(fs_info, objectid, pending->anon_dev); ++ pending->snap = btrfs_get_new_fs_root(fs_info, objectid, &pending->anon_dev); + if (IS_ERR(pending->snap)) { + ret = PTR_ERR(pending->snap); + pending->snap = NULL; diff --git a/queue-6.7/btrfs-send-don-t-issue-unnecessary-zero-writes-for-trailing-hole.patch b/queue-6.7/btrfs-send-don-t-issue-unnecessary-zero-writes-for-trailing-hole.patch new file mode 100644 index 00000000000..fc80735eb8a --- /dev/null +++ b/queue-6.7/btrfs-send-don-t-issue-unnecessary-zero-writes-for-trailing-hole.patch 
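Review bot: The kernel-doc for `btrfs_get_root_ref()` and `btrfs_get_new_fs_root()` in fs/btrfs/disk-io.c does not state the new ownership contract: when the root is found already initialized, the callee frees the preallocated number and writes 0 back through `*anon_dev`, so the caller must not free the value it passed in. I would extend the `@anon_dev` text with something like `if the root already exists, *anon_dev is freed and reset to 0; callers must re-read it before any cleanup`. The comment also omits the third case the code handles, a non-NULL pointer whose value is 0, which behaves like NULL through `anon_dev ? *anon_dev : 0`. The callers in ioctl.c and transaction.c now pass `&anon_dev` and `&pending->anon_dev`, but their cleanup paths are outside these hunks, so whether they re-read the value cannot be confirmed here.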
@@ -0,0 +1,156 @@ +From 5897710b28cabab04ea6c7547f27b7989de646ae Mon Sep 17 00:00:00 2001 +From: Filipe Manana +Date: Fri, 16 Feb 2024 22:17:10 +0000 +Subject: btrfs: send: don't issue unnecessary zero writes for trailing hole + +From: Filipe Manana + +commit 5897710b28cabab04ea6c7547f27b7989de646ae upstream. + +If we have a sparse file with a trailing hole (from the last extent's end +to i_size) and then create an extent in the file that ends before the +file's i_size, then when doing an incremental send we will issue a write +full of zeroes for the range that starts immediately after the new extent +ends up to i_size. While this isn't incorrect because the file ends up +with exactly the same data, it unnecessarily results in using extra space +at the destination with one or more extents full of zeroes instead of +having a hole. In same cases this results in using megabytes or even +gigabytes of unnecessary space. + +Example, reproducer: + + $ cat test.sh + #!/bin/bash + + DEV=/dev/sdh + MNT=/mnt/sdh + + mkfs.btrfs -f $DEV + mount $DEV $MNT + + # Create 1G sparse file. + xfs_io -f -c "truncate 1G" $MNT/foobar + + # Create base snapshot. + btrfs subvolume snapshot -r $MNT $MNT/mysnap1 + + # Create send stream (full send) for the base snapshot. + btrfs send -f /tmp/1.snap $MNT/mysnap1 + + # Now write one extent at the beginning of the file and one somewhere + # in the middle, leaving a gap between the end of this second extent + # and the file's size. + xfs_io -c "pwrite -S 0xab 0 128K" \ + -c "pwrite -S 0xcd 512M 128K" \ + $MNT/foobar + + # Now create a second snapshot which is going to be used for an + # incremental send operation. + btrfs subvolume snapshot -r $MNT $MNT/mysnap2 + + # Create send stream (incremental send) for the second snapshot. 
+ btrfs send -p $MNT/mysnap1 -f /tmp/2.snap $MNT/mysnap2 + + # Now recreate the filesystem by receiving both send streams and + # verify we get the same content that the original filesystem had + # and file foobar has only two extents with a size of 128K each. + umount $MNT + mkfs.btrfs -f $DEV + mount $DEV $MNT + + btrfs receive -f /tmp/1.snap $MNT + btrfs receive -f /tmp/2.snap $MNT + + echo -e "\nFile fiemap in the second snapshot:" + # Should have: + # + # 128K extent at file range [0, 128K[ + # hole at file range [128K, 512M[ + # 128K extent file range [512M, 512M + 128K[ + # hole at file range [512M + 128K, 1G[ + xfs_io -r -c "fiemap -v" $MNT/mysnap2/foobar + + # File should be using 256K of data (two 128K extents). + echo -e "\nSpace used by the file: $(du -h $MNT/mysnap2/foobar | cut -f 1)" + + umount $MNT + +Running the test, we can see with fiemap that we get an extent for the +range [512M, 1G[, while in the source filesystem we have an extent for +the range [512M, 512M + 128K[ and a hole for the rest of the file (the +range [512M + 128K, 1G[): + + $ ./test.sh + (...) + File fiemap in the second snapshot: + /mnt/sdh/mysnap2/foobar: + EXT: FILE-OFFSET BLOCK-RANGE TOTAL FLAGS + 0: [0..255]: 26624..26879 256 0x0 + 1: [256..1048575]: hole 1048320 + 2: [1048576..2097151]: 2156544..3205119 1048576 0x1 + + Space used by the file: 513M + +This happens because once we finish processing an inode, at +finish_inode_if_needed(), we always issue a hole (write operations full +of zeros) if there's a gap between the end of the last processed extent +and the file's size, even if that range is already a hole in the parent +snapshot. Fix this by issuing the hole only if the range is not already +a hole. + +After this change, running the test above, we get the expected layout: + + $ ./test.sh + (...) 
+ File fiemap in the second snapshot: + /mnt/sdh/mysnap2/foobar: + EXT: FILE-OFFSET BLOCK-RANGE TOTAL FLAGS + 0: [0..255]: 26624..26879 256 0x0 + 1: [256..1048575]: hole 1048320 + 2: [1048576..1048831]: 26880..27135 256 0x1 + 3: [1048832..2097151]: hole 1048320 + + Space used by the file: 256K + +A test case for fstests will follow soon. + +CC: stable@vger.kernel.org # 6.1+ +Reported-by: Dorai Ashok S A +Link: https://lore.kernel.org/linux-btrfs/c0bf7818-9c45-46a8-b3d3-513230d0c86e@inix.me/ +Reviewed-by: Sweet Tea Dorminy +Reviewed-by: Josef Bacik +Signed-off-by: Filipe Manana +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/send.c | 17 +++++++++++++---- + 1 file changed, 13 insertions(+), 4 deletions(-) + +--- a/fs/btrfs/send.c ++++ b/fs/btrfs/send.c +@@ -6705,11 +6705,20 @@ static int finish_inode_if_needed(struct + if (ret) + goto out; + } +- if (sctx->cur_inode_last_extent < +- sctx->cur_inode_size) { +- ret = send_hole(sctx, sctx->cur_inode_size); +- if (ret) ++ if (sctx->cur_inode_last_extent < sctx->cur_inode_size) { ++ ret = range_is_hole_in_parent(sctx, ++ sctx->cur_inode_last_extent, ++ sctx->cur_inode_size); ++ if (ret < 0) { + goto out; ++ } else if (ret == 0) { ++ ret = send_hole(sctx, sctx->cur_inode_size); ++ if (ret < 0) ++ goto out; ++ } else { ++ /* Range is already a hole, skip. */ ++ ret = 0; ++ } + } + } + if (need_truncate) { diff --git a/queue-6.7/ceph-switch-to-corrected-encoding-of-max_xattr_size-in-mdsmap.patch b/queue-6.7/ceph-switch-to-corrected-encoding-of-max_xattr_size-in-mdsmap.patch new file mode 100644 index 00000000000..60f1b84bed9 --- /dev/null +++ b/queue-6.7/ceph-switch-to-corrected-encoding-of-max_xattr_size-in-mdsmap.patch 
@@ -0,0 +1,71 @@
+From 51d31149a88b5c5a8d2d33f06df93f6187a25b4c Mon Sep 17 00:00:00 2001
+From: Xiubo Li
+Date: Mon, 19 Feb 2024 13:14:32 +0800
+Subject: ceph: switch to corrected encoding of max_xattr_size in mdsmap
+
+From: Xiubo Li
+
+commit 51d31149a88b5c5a8d2d33f06df93f6187a25b4c upstream.
+
+The addition of bal_rank_mask with encoding version 17 was merged
+into ceph.git in Oct 2022 and made it into v18.2.0 release normally.
+A few months later, the much delayed addition of max_xattr_size got
+merged, also with encoding version 17, placed before bal_rank_mask
+in the encoding -- but it didn't make v18.2.0 release.
+
+The way this ended up being resolved on the MDS side is that
+bal_rank_mask will continue to be encoded in version 17 while
+max_xattr_size is now encoded in version 18. This does mean that
+older kernels will misdecode version 17, but this is also true for
+v18.2.0 and v18.2.1 clients in userspace.
+
+The best we can do is backport this adjustment -- see ceph.git
+commit 78abfeaff27fee343fb664db633de5b221699a73 for details.
+
+[ idryomov: changelog ]
+
+Cc: stable@vger.kernel.org
+Link: https://tracker.ceph.com/issues/64440
+Fixes: d93231a6bc8a ("ceph: prevent a client from exceeding the MDS maximum xattr size")
+Signed-off-by: Xiubo Li
+Reviewed-by: Patrick Donnelly
+Reviewed-by: Venky Shankar
+Signed-off-by: Ilya Dryomov
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ceph/mdsmap.c | 7 ++++---
+ fs/ceph/mdsmap.h | 6 +++++-
+ 2 files changed, 9 insertions(+), 4 deletions(-)
+
+--- a/fs/ceph/mdsmap.c
++++ b/fs/ceph/mdsmap.c
+@@ -380,10 +380,11 @@ struct ceph_mdsmap *ceph_mdsmap_decode(s
+ ceph_decode_skip_8(p, end, bad_ext);
+ /* required_client_features */
+ ceph_decode_skip_set(p, end, 64, bad_ext);
++ /* bal_rank_mask */
++ ceph_decode_skip_string(p, end, bad_ext);
++ }
++ if (mdsmap_ev >= 18) {
+ ceph_decode_64_safe(p, end, m->m_max_xattr_size, bad_ext);
+- } else {
+- /* This forces the usage of the (sync) SETXATTR Op */
+- m->m_max_xattr_size = 0;
+ }
+ bad_ext:
+ doutc(cl, "m_enabled: %d, m_damaged: %d, m_num_laggy: %d\n",
+--- a/fs/ceph/mdsmap.h
++++ b/fs/ceph/mdsmap.h
+@@ -27,7 +27,11 @@ struct ceph_mdsmap {
+ u32 m_session_timeout; /* seconds */
+ u32 m_session_autoclose; /* seconds */
+ u64 m_max_file_size;
+- u64 m_max_xattr_size; /* maximum size for xattrs blob */
++ /*
++ * maximum size for xattrs blob.
++ * Zeroed by default to force the usage of the (sync) SETXATTR Op.
++ */
++ u64 m_max_xattr_size;
+ u32 m_max_mds; /* expected up:active mds number */
+ u32 m_num_active_mds; /* actual up:active mds number */
+ u32 possible_max_rank; /* possible max rank index */
diff --git a/queue-6.7/crypto-arm64-neonbs-fix-out-of-bounds-access-on-short-input.patch b/queue-6.7/crypto-arm64-neonbs-fix-out-of-bounds-access-on-short-input.patch
new file mode 100644
index 00000000000..ec60faf306c
--- /dev/null
+++ b/queue-6.7/crypto-arm64-neonbs-fix-out-of-bounds-access-on-short-input.patch
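Review bot: With the `else` branch removed from `ceph_mdsmap_decode()`, nothing in the hunk assigns `m->m_max_xattr_size` when `mdsmap_ev < 18` or when an earlier decode step jumps to `bad_ext`, so the value 0 that forces the sync SETXATTR op now depends on the mdsmap having been zero-allocated. The allocation is outside this hunk and should be confirmed. The new comment in mdsmap.h could state the dependency explicitly, e.g. `Stays 0 (zero-initialized at allocation) unless the MDS sends encoding version >= 18`. The opening of the version-17 block is also outside the hunk; this note assumes the added `}` closes it.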
@@ -0,0 +1,57 @@
+From 1c0cf6d19690141002889d72622b90fc01562ce4 Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel
+Date: Fri, 23 Feb 2024 14:20:35 +0100
+Subject: crypto: arm64/neonbs - fix out-of-bounds access on short input
+
+From: Ard Biesheuvel
+
+commit 1c0cf6d19690141002889d72622b90fc01562ce4 upstream.
+
+The bit-sliced implementation of AES-CTR operates on blocks of 128
+bytes, and will fall back to the plain NEON version for tail blocks or
+inputs that are shorter than 128 bytes to begin with.
+
+It will call straight into the plain NEON asm helper, which performs all
+memory accesses in granules of 16 bytes (the size of a NEON register).
+For this reason, the associated plain NEON glue code will copy inputs
+shorter than 16 bytes into a temporary buffer, given that this is a rare
+occurrence and it is not worth the effort to work around this in the asm
+code.
+
+The fallback from the bit-sliced NEON version fails to take this into
+account, potentially resulting in out-of-bounds accesses. So clone the
+same workaround, and use a temp buffer for short in/outputs.
+
+Fixes: fc074e130051 ("crypto: arm64/aes-neonbs-ctr - fallback to plain NEON for final chunk")
+Cc:
+Reported-by: syzbot+f1ceaa1a09ab891e1934@syzkaller.appspotmail.com
+Reviewed-by: Eric Biggers
+Signed-off-by: Ard Biesheuvel
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm64/crypto/aes-neonbs-glue.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/arch/arm64/crypto/aes-neonbs-glue.c
++++ b/arch/arm64/crypto/aes-neonbs-glue.c
+@@ -227,8 +227,19 @@ static int ctr_encrypt(struct skcipher_r
+ src += blocks * AES_BLOCK_SIZE;
+ }
+ if (nbytes && walk.nbytes == walk.total) {
++ u8 buf[AES_BLOCK_SIZE];
++ u8 *d = dst;
++
++ if (unlikely(nbytes < AES_BLOCK_SIZE))
++ src = dst = memcpy(buf + sizeof(buf) - nbytes,
++ src, nbytes);
++
+ neon_aes_ctr_encrypt(dst, src, ctx->enc, ctx->key.rounds,
+ nbytes, walk.iv);
++
++ if (unlikely(nbytes < AES_BLOCK_SIZE))
++ memcpy(d, dst, nbytes);
++
+ nbytes = 0;
+ }
+ kernel_neon_end();
diff --git a/queue-6.7/dmaengine-fsl-edma-correct-calculation-of-nbytes-in-multi-fifo-scenario.patch b/queue-6.7/dmaengine-fsl-edma-correct-calculation-of-nbytes-in-multi-fifo-scenario.patch
new file mode 100644
index 00000000000..88b4374774d
--- /dev/null
+++ b/queue-6.7/dmaengine-fsl-edma-correct-calculation-of-nbytes-in-multi-fifo-scenario.patch
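Review bot: The copy to `buf + sizeof(buf) - nbytes` in `ctr_encrypt()` is the core of the fix but carries no comment, so a reader cannot tell why the short input is bounced at all or why it sits at the end of the 16-byte buffer rather than the start. A comment above the first `unlikely()` test such as `/* the plain NEON helper accesses memory in 16-byte granules; bounce sub-block inputs through a stack buffer, as the plain NEON glue does */` would record the reason given in the description; the tail alignment presumably matches how the asm addresses the final partial block and should be confirmed against it. The `nbytes < AES_BLOCK_SIZE` test is evaluated twice and could be held in one local `bool`. `buf` also keeps up to 15 bytes of message data on the stack after the copy-out; if that matters for this driver, `memzero_explicit(buf, sizeof(buf));` after `memcpy(d, dst, nbytes)` would clear it.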
@@ -0,0 +1,36 @@
+From 9ba17defd9edd87970b701085402bc8ecc3a11d4 Mon Sep 17 00:00:00 2001
+From: Joy Zou
+Date: Wed, 31 Jan 2024 11:33:18 -0500
+Subject: dmaengine: fsl-edma: correct calculation of 'nbytes' in multi-fifo scenario
+
+From: Joy Zou
+
+commit 9ba17defd9edd87970b701085402bc8ecc3a11d4 upstream.
+
+The 'nbytes' should be equivalent to burst * width in audio multi-fifo
+setups. Given that the FIFO width is fixed at 32 bits, adjusts the burst
+size for multi-fifo configurations to match the slave maxburst in the
+configuration.
+
+Cc: stable@vger.kernel.org
+Fixes: 72f5801a4e2b ("dmaengine: fsl-edma: integrate v3 support")
+Signed-off-by: Joy Zou
+Signed-off-by: Frank Li
+Link: https://lore.kernel.org/r/20240131163318.360315-1-Frank.Li@nxp.com
+Signed-off-by: Vinod Koul
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/dma/fsl-edma-common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/dma/fsl-edma-common.c
++++ b/drivers/dma/fsl-edma-common.c
+@@ -503,7 +503,7 @@ void fsl_edma_fill_tcd(struct fsl_edma_c
+ if (fsl_chan->is_multi_fifo) {
+ /* set mloff to support multiple fifo */
+ burst = cfg->direction == DMA_DEV_TO_MEM ?
+- cfg->src_addr_width : cfg->dst_addr_width;
++ cfg->src_maxburst : cfg->dst_maxburst;
+ nbytes |= EDMA_V3_TCD_NBYTES_MLOFF(-(burst * 4));
+ /* enable DMLOE/SMLOE */
+ if (cfg->direction == DMA_MEM_TO_DEV) {
diff --git a/queue-6.7/dmaengine-fsl-qdma-fix-soc-may-hang-on-16-byte-unaligned-read.patch b/queue-6.7/dmaengine-fsl-qdma-fix-soc-may-hang-on-16-byte-unaligned-read.patch
new file mode 100644
index 00000000000..ff918b2ec09
--- /dev/null
+++ b/queue-6.7/dmaengine-fsl-qdma-fix-soc-may-hang-on-16-byte-unaligned-read.patch
@@ -0,0 +1,54 @@
+From 9d739bccf261dd93ec1babf82f5c5d71dd4caa3e Mon Sep 17 00:00:00 2001
+From: Peng Ma
+Date: Thu, 1 Feb 2024 16:50:07 -0500
+Subject: dmaengine: fsl-qdma: fix SoC may hang on 16 byte unaligned read
+
+From: Peng Ma
+
+commit 9d739bccf261dd93ec1babf82f5c5d71dd4caa3e upstream.
+
+There is chip (ls1028a) errata:
+
+The SoC may hang on 16 byte unaligned read transactions by QDMA.
+
+Unaligned read transactions initiated by QDMA may stall in the NOC
+(Network On-Chip), causing a deadlock condition. Stalled transactions will
+trigger completion timeouts in PCIe controller.
+
+Workaround:
+Enable prefetch by setting the source descriptor prefetchable bit
+( SD[PF] = 1 ).
+
+Implement this workaround.
+
+Cc: stable@vger.kernel.org
+Fixes: b092529e0aa0 ("dmaengine: fsl-qdma: Add qDMA controller driver for Layerscape SoCs")
+Signed-off-by: Peng Ma
+Signed-off-by: Frank Li
+Link: https://lore.kernel.org/r/20240201215007.439503-1-Frank.Li@nxp.com
+Signed-off-by: Vinod Koul
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/dma/fsl-qdma.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/dma/fsl-qdma.c
++++ b/drivers/dma/fsl-qdma.c
+@@ -109,6 +109,7 @@
+ #define FSL_QDMA_CMD_WTHROTL_OFFSET 20
+ #define FSL_QDMA_CMD_DSEN_OFFSET 19
+ #define FSL_QDMA_CMD_LWC_OFFSET 16
++#define FSL_QDMA_CMD_PF BIT(17)
+
+ /* Field definition for Descriptor status */
+ #define QDMA_CCDF_STATUS_RTE BIT(5)
+@@ -384,7 +385,8 @@ static void fsl_qdma_comp_fill_memcpy(st
+ qdma_csgf_set_f(csgf_dest, len);
+ /* Descriptor Buffer */
+ cmd = cpu_to_le32(FSL_QDMA_CMD_RWTTYPE <<
+- FSL_QDMA_CMD_RWTTYPE_OFFSET);
++ FSL_QDMA_CMD_RWTTYPE_OFFSET) |
++ FSL_QDMA_CMD_PF;
+ sdf->data = QDMA_SDDF_CMD(cmd);
+
+ cmd = cpu_to_le32(FSL_QDMA_CMD_RWTTYPE <<
diff --git a/queue-6.7/dmaengine-fsl-qdma-init-irq-after-reg-initialization.patch b/queue-6.7/dmaengine-fsl-qdma-init-irq-after-reg-initialization.patch
new file mode 100644
index 00000000000..3d824a01f43
--- /dev/null
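Review bot: In `fsl_qdma_comp_fill_memcpy()` the new `FSL_QDMA_CMD_PF` bit is OR-ed in after `cpu_to_le32()` has already converted the value, so a host-order constant is mixed into a little-endian word; on a big-endian kernel `BIT(17)` would land in the wrong byte and the prefetch workaround would not take effect. The flag belongs inside the conversion: `cmd = cpu_to_le32((FSL_QDMA_CMD_RWTTYPE << FSL_QDMA_CMD_RWTTYPE_OFFSET) | FSL_QDMA_CMD_PF);`. The define is also placed among the `*_OFFSET` shift counts although it is a mask, so a short comment such as `/* SD[PF]: source descriptor prefetchable bit (errata workaround) */` would help. The function body continues outside the hunk.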
+++ b/queue-6.7/dmaengine-fsl-qdma-init-irq-after-reg-initialization.patch 
@@ -0,0 +1,95 @@
+From 87a39071e0b639f45e05d296cc0538eef44ec0bd Mon Sep 17 00:00:00 2001
+From: Curtis Klein
+Date: Thu, 1 Feb 2024 17:04:06 -0500
+Subject: dmaengine: fsl-qdma: init irq after reg initialization
+
+From: Curtis Klein
+
+commit 87a39071e0b639f45e05d296cc0538eef44ec0bd upstream.
+
+Initialize the qDMA irqs after the registers are configured so that
+interrupts that may have been pending from a primary kernel don't get
+processed by the irq handler before it is ready to and cause panic with
+the following trace:
+
+ Call trace:
+ fsl_qdma_queue_handler+0xf8/0x3e8
+ __handle_irq_event_percpu+0x78/0x2b0
+ handle_irq_event_percpu+0x1c/0x68
+ handle_irq_event+0x44/0x78
+ handle_fasteoi_irq+0xc8/0x178
+ generic_handle_irq+0x24/0x38
+ __handle_domain_irq+0x90/0x100
+ gic_handle_irq+0x5c/0xb8
+ el1_irq+0xb8/0x180
+ _raw_spin_unlock_irqrestore+0x14/0x40
+ __setup_irq+0x4bc/0x798
+ request_threaded_irq+0xd8/0x190
+ devm_request_threaded_irq+0x74/0xe8
+ fsl_qdma_probe+0x4d4/0xca8
+ platform_drv_probe+0x50/0xa0
+ really_probe+0xe0/0x3f8
+ driver_probe_device+0x64/0x130
+ device_driver_attach+0x6c/0x78
+ __driver_attach+0xbc/0x158
+ bus_for_each_dev+0x5c/0x98
+ driver_attach+0x20/0x28
+ bus_add_driver+0x158/0x220
+ driver_register+0x60/0x110
+ __platform_driver_register+0x44/0x50
+ fsl_qdma_driver_init+0x18/0x20
+ do_one_initcall+0x48/0x258
+ kernel_init_freeable+0x1a4/0x23c
+ kernel_init+0x10/0xf8
+ ret_from_fork+0x10/0x18
+
+Cc: stable@vger.kernel.org
+Fixes: b092529e0aa0 ("dmaengine: fsl-qdma: Add qDMA controller driver for Layerscape SoCs")
+Signed-off-by: Curtis Klein
+Signed-off-by: Yi Zhao
+Signed-off-by: Frank Li
+Link: https://lore.kernel.org/r/20240201220406.440145-1-Frank.Li@nxp.com
+Signed-off-by: Vinod Koul
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/dma/fsl-qdma.c | 17 ++++++++---------
+ 1 file changed, 8 insertions(+), 9 deletions(-)
+
+--- a/drivers/dma/fsl-qdma.c
++++ b/drivers/dma/fsl-qdma.c
+@@ -1199,10 +1199,6 @@ static int fsl_qdma_probe(struct platfor
+ if (!fsl_qdma->queue)
+ return -ENOMEM;
+
+- ret = fsl_qdma_irq_init(pdev, fsl_qdma);
+- if (ret)
+- return ret;
+-
+ fsl_qdma->irq_base = platform_get_irq_byname(pdev, "qdma-queue0");
+ if (fsl_qdma->irq_base < 0)
+ return fsl_qdma->irq_base;
+@@ -1241,16 +1237,19 @@ static int fsl_qdma_probe(struct platfor
+
+ platform_set_drvdata(pdev, fsl_qdma);
+
+- ret = dma_async_device_register(&fsl_qdma->dma_dev);
++ ret = fsl_qdma_reg_init(fsl_qdma);
+ if (ret) {
+- dev_err(&pdev->dev,
+- "Can't register NXP Layerscape qDMA engine.\n");
++ dev_err(&pdev->dev, "Can't Initialize the qDMA engine.\n");
+ return ret;
+ }
+
+- ret = fsl_qdma_reg_init(fsl_qdma);
++ ret = fsl_qdma_irq_init(pdev, fsl_qdma);
++ if (ret)
++ return ret;
++
++ ret = dma_async_device_register(&fsl_qdma->dma_dev);
+ if (ret) {
+- dev_err(&pdev->dev, "Can't Initialize the qDMA engine.\n");
++ dev_err(&pdev->dev, "Can't register NXP Layerscape qDMA engine.\n");
+ return ret;
+ }
+
diff --git a/queue-6.7/dmaengine-ptdma-use-consistent-dma-masks.patch b/queue-6.7/dmaengine-ptdma-use-consistent-dma-masks.patch
new file mode 100644
index 00000000000..a3028f6f1e3
--- /dev/null
+++ b/queue-6.7/dmaengine-ptdma-use-consistent-dma-masks.patch
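Review bot: After the reorder in `fsl_qdma_probe()`, a failure of `dma_async_device_register()` returns with the registers already programmed by `fsl_qdma_reg_init()` and the interrupts already requested by `fsl_qdma_irq_init()`, and the hunk shows no unwinding on that path. The trace in the description suggests the IRQs are devm-managed, but the engine itself appears to stay initialised with live handlers; the error branch should quiesce the hardware before returning, or a comment should say why that is unnecessary. The `fsl_qdma_irq_init()` failure branch is also the only one of the three that returns without a `dev_err()`. The rest of the probe function, including any later cleanup, is outside these hunks.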
@@ -0,0 +1,40 @@
+From df2515a17914ecfc2a0594509deaf7fcb8d191ac Mon Sep 17 00:00:00 2001
+From: Tadeusz Struk
+Date: Thu, 22 Feb 2024 17:30:53 +0100
+Subject: dmaengine: ptdma: use consistent DMA masks
+
+From: Tadeusz Struk
+
+commit df2515a17914ecfc2a0594509deaf7fcb8d191ac upstream.
+
+The PTDMA driver sets DMA masks in two different places for the same
+device inconsistently. First call is in pt_pci_probe(), where it uses
+48bit mask. The second call is in pt_dmaengine_register(), where it
+uses a 64bit mask. Using 64bit dma mask causes IO_PAGE_FAULT errors
+on DMA transfers between main memory and other devices.
+Without the extra call it works fine. Additionally the second call
+doesn't check the return value so it can silently fail.
+Remove the superfluous dma_set_mask() call and only use 48bit mask.
+
+Cc: stable@vger.kernel.org
+Fixes: b0b4a6b10577 ("dmaengine: ptdma: register PTDMA controller as a DMA resource")
+Reviewed-by: Basavaraj Natikar
+Signed-off-by: Tadeusz Struk
+Link: https://lore.kernel.org/r/20240222163053.13842-1-tstruk@gigaio.com
+Signed-off-by: Vinod Koul
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/dma/ptdma/ptdma-dmaengine.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/dma/ptdma/ptdma-dmaengine.c
++++ b/drivers/dma/ptdma/ptdma-dmaengine.c
+@@ -385,8 +385,6 @@ int pt_dmaengine_register(struct pt_devi
+ chan->vc.desc_free = pt_do_cleanup;
+ vchan_init(&chan->vc, dma_dev);
+
+- dma_set_mask_and_coherent(pt->dev, DMA_BIT_MASK(64));
+-
+ ret = dma_async_device_register(dma_dev);
+ if (ret)
+ goto err_reg;
diff --git a/queue-6.7/drm-amd-display-add-monitor-patch-for-specific-edp.patch b/queue-6.7/drm-amd-display-add-monitor-patch-for-specific-edp.patch
new file mode 100644
index 00000000000..8e5dc9e0a54
--- /dev/null
+++ b/queue-6.7/drm-amd-display-add-monitor-patch-for-specific-edp.patch
@@ -0,0 +1,60 @@
+From b7cdccc6a849568775f738b1e233f751a8fed013 Mon Sep 17 00:00:00 2001
+From: Ryan Lin
+Date: Wed, 28 Feb 2024 11:39:21 -0700
+Subject: drm/amd/display: Add monitor patch for specific eDP
+
+From: Ryan Lin
+
+commit b7cdccc6a849568775f738b1e233f751a8fed013 upstream.
+
+[WHY]
+Some eDP panels' ext caps don't write initial values. The value of
+dpcd_addr (0x317) can be random and the backlight control interface
+will be incorrect.
+
+[HOW]
+Add new panel patches to remove sink ext caps.
+
+Cc: Mario Limonciello
+Cc: Alex Deucher
+Cc: stable@vger.kernel.org # 6.5.x
+Cc: Tsung-hua Lin
+Cc: Chris Chi
+Reviewed-by: Wayne Lin
+Acked-by: Alex Hung
+Signed-off-by: Ryan Lin
+Signed-off-by: Alex Deucher
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_helpers.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_helpers.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_helpers.c
+@@ -66,6 +66,8 @@ static void apply_edid_quirks(struct edi
+ /* Workaround for some monitors that do not clear DPCD 0x317 if FreeSync is unsupported */
+ case drm_edid_encode_panel_id('A', 'U', 'O', 0xA7AB):
+ case drm_edid_encode_panel_id('A', 'U', 'O', 0xE69B):
++ case drm_edid_encode_panel_id('B', 'O', 'E', 0x092A):
++ case drm_edid_encode_panel_id('L', 'G', 'D', 0x06D1):
+ DRM_DEBUG_DRIVER("Clearing DPCD 0x317 on monitor with panel id %X\n", panel_id);
+ edid_caps->panel_patch.remove_sink_ext_caps = true;
+ break;
+@@ -119,6 +121,8 @@ enum dc_edid_status dm_helpers_parse_edi
+
+ edid_caps->edid_hdmi = connector->display_info.is_hdmi;
+
++ apply_edid_quirks(edid_buf, edid_caps);
++
+ sad_count = drm_edid_to_sad((struct edid *) edid->raw_edid, &sads);
+ if (sad_count <= 0)
+ return result;
+@@ -145,8 +149,6 @@ enum dc_edid_status dm_helpers_parse_edi
+ else
+ edid_caps->speaker_flags = DEFAULT_SPEAKER_LOCATION;
+
+- apply_edid_quirks(edid_buf, edid_caps);
+-
+ kfree(sads);
+ kfree(sadb);
+
diff --git a/queue-6.7/drm-amdgpu-pm-fix-the-power1_min_cap-value.patch b/queue-6.7/drm-amdgpu-pm-fix-the-power1_min_cap-value.patch
new file mode 100644
index 00000000000..7c4e53a0f05
--- /dev/null
+++ b/queue-6.7/drm-amdgpu-pm-fix-the-power1_min_cap-value.patch
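Review bot: In dm_helpers_parse_edid_caps() (amdgpu_dm_helpers.c) the apply_edid_quirks() call now sits above the `if (sad_count <= 0) return result;` early return, so the panel patches are presumably also applied to sinks that report no audio descriptors, but neither the commit message nor the code says the move is intentional. A short comment above the call would keep it from being moved back, for example `/* Apply quirks before the SAD early return so sinks without audio data are patched too */`. The function starts and ends outside the hunks shown, so what else the early return skips could not be checked.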
@@ -0,0 +1,131 @@
+From 7968e9748fbbd7ae49770d9f8a8231d8bce2aebb Mon Sep 17 00:00:00 2001
+From: Ma Jun
+Date: Thu, 22 Feb 2024 17:08:42 +0800
+Subject: drm/amdgpu/pm: Fix the power1_min_cap value
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ma Jun
+
+commit 7968e9748fbbd7ae49770d9f8a8231d8bce2aebb upstream.
+
+It's unreasonable to use 0 as the power1_min_cap when
+OD is disabled. So, use the same lower limit as the value
+used when OD is enabled.
+
+Fixes: 1958946858a6 ("drm/amd/pm: Support for getting power1_cap_min value")
+Signed-off-by: Ma Jun
+Acked-by: Alex Deucher
+Acked-by: Christian König
+Signed-off-by: Alex Deucher
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/pm/swsmu/smu11/arcturus_ppt.c | 9 ++++-----
+ drivers/gpu/drm/amd/pm/swsmu/smu11/navi10_ppt.c | 9 ++++-----
+ drivers/gpu/drm/amd/pm/swsmu/smu11/sienna_cichlid_ppt.c | 9 ++++-----
+ drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c | 9 ++++-----
+ drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c | 9 ++++-----
+ 5 files changed, 20 insertions(+), 25 deletions(-)
+
+--- a/drivers/gpu/drm/amd/pm/swsmu/smu11/arcturus_ppt.c
++++ b/drivers/gpu/drm/amd/pm/swsmu/smu11/arcturus_ppt.c
+@@ -1303,13 +1303,12 @@ static int arcturus_get_power_limit(stru
+ if (default_power_limit)
+ *default_power_limit = power_limit;
+
+- if (smu->od_enabled) {
++ if (smu->od_enabled)
+ od_percent_upper = le32_to_cpu(powerplay_table->overdrive_table.max[SMU_11_0_ODSETTING_POWERPERCENTAGE]);
+- od_percent_lower = le32_to_cpu(powerplay_table->overdrive_table.min[SMU_11_0_ODSETTING_POWERPERCENTAGE]);
+- } else {
++ else
+ od_percent_upper = 0;
+- od_percent_lower = 100;
+- }
++
++ od_percent_lower = le32_to_cpu(powerplay_table->overdrive_table.min[SMU_11_0_ODSETTING_POWERPERCENTAGE]);
+
+ dev_dbg(smu->adev->dev, "od percent upper:%d, od percent lower:%d (default power: %d)\n",
+ od_percent_upper, od_percent_lower, power_limit);
+--- a/drivers/gpu/drm/amd/pm/swsmu/smu11/navi10_ppt.c
++++ b/drivers/gpu/drm/amd/pm/swsmu/smu11/navi10_ppt.c
+@@ -2357,13 +2357,12 @@ static int navi10_get_power_limit(struct
+ *default_power_limit = power_limit;
+
+ if (smu->od_enabled &&
+- navi10_od_feature_is_supported(od_settings, SMU_11_0_ODCAP_POWER_LIMIT)) {
++ navi10_od_feature_is_supported(od_settings, SMU_11_0_ODCAP_POWER_LIMIT))
+ od_percent_upper = le32_to_cpu(powerplay_table->overdrive_table.max[SMU_11_0_ODSETTING_POWERPERCENTAGE]);
+- od_percent_lower = le32_to_cpu(powerplay_table->overdrive_table.min[SMU_11_0_ODSETTING_POWERPERCENTAGE]);
+- } else {
++ else
+ od_percent_upper = 0;
+- od_percent_lower = 100;
+- }
++
++ od_percent_lower = le32_to_cpu(powerplay_table->overdrive_table.min[SMU_11_0_ODSETTING_POWERPERCENTAGE]);
+
+ dev_dbg(smu->adev->dev, "od percent upper:%d, od percent lower:%d (default power: %d)\n",
+ od_percent_upper, od_percent_lower, power_limit);
+--- a/drivers/gpu/drm/amd/pm/swsmu/smu11/sienna_cichlid_ppt.c
++++ b/drivers/gpu/drm/amd/pm/swsmu/smu11/sienna_cichlid_ppt.c
+@@ -640,13 +640,12 @@ static int sienna_cichlid_get_power_limi
+ if (default_power_limit)
+ *default_power_limit = power_limit;
+
+- if (smu->od_enabled) {
++ if (smu->od_enabled)
+ od_percent_upper = le32_to_cpu(powerplay_table->overdrive_table.max[SMU_11_0_7_ODSETTING_POWERPERCENTAGE]);
+- od_percent_lower = le32_to_cpu(powerplay_table->overdrive_table.min[SMU_11_0_7_ODSETTING_POWERPERCENTAGE]);
+- } else {
++ else
+ od_percent_upper = 0;
+- od_percent_lower = 100;
+- }
++
++ od_percent_lower = le32_to_cpu(powerplay_table->overdrive_table.min[SMU_11_0_7_ODSETTING_POWERPERCENTAGE]);
+
+ dev_dbg(smu->adev->dev, "od percent upper:%d, od percent lower:%d (default power: %d)\n",
+ od_percent_upper, od_percent_lower, power_limit);
+--- a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c
++++ b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c
+@@ -2364,13 +2364,12 @@ static int smu_v13_0_0_get_power_limit(s
+ if (default_power_limit)
+ *default_power_limit = power_limit;
+
+- if (smu->od_enabled) {
++ if (smu->od_enabled)
+ od_percent_upper = le32_to_cpu(powerplay_table->overdrive_table.max[SMU_13_0_0_ODSETTING_POWERPERCENTAGE]);
+- od_percent_lower = le32_to_cpu(powerplay_table->overdrive_table.min[SMU_13_0_0_ODSETTING_POWERPERCENTAGE]);
+- } else {
++ else
+ od_percent_upper = 0;
+- od_percent_lower = 100;
+- }
++
++ od_percent_lower = le32_to_cpu(powerplay_table->overdrive_table.min[SMU_13_0_0_ODSETTING_POWERPERCENTAGE]);
+
+ dev_dbg(smu->adev->dev, "od percent upper:%d, od percent lower:%d (default power: %d)\n",
+ od_percent_upper, od_percent_lower, power_limit);
+--- a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c
++++ b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c
+@@ -2328,13 +2328,12 @@ static int smu_v13_0_7_get_power_limit(s
+ if (default_power_limit)
+ *default_power_limit = power_limit;
+
+- if (smu->od_enabled) {
++ if (smu->od_enabled)
+ od_percent_upper = le32_to_cpu(powerplay_table->overdrive_table.max[SMU_13_0_7_ODSETTING_POWERPERCENTAGE]);
+- od_percent_lower = le32_to_cpu(powerplay_table->overdrive_table.min[SMU_13_0_7_ODSETTING_POWERPERCENTAGE]);
+- } else {
++ else
+ od_percent_upper = 0;
+- od_percent_lower = 100;
+- }
++
++ od_percent_lower = le32_to_cpu(powerplay_table->overdrive_table.min[SMU_13_0_7_ODSETTING_POWERPERCENTAGE]);
+
+ dev_dbg(smu->adev->dev, "od percent upper:%d, od percent lower:%d (default power: %d)\n",
+ od_percent_upper, od_percent_lower, power_limit);
diff --git a/queue-6.7/drm-buddy-fix-range-bias.patch b/queue-6.7/drm-buddy-fix-range-bias.patch
new file mode 100644
index 00000000000..4ac7a0837bc
--- /dev/null
+++ b/queue-6.7/drm-buddy-fix-range-bias.patch
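Review bot: In arcturus_get_power_limit() `od_percent_lower` is now loaded from `overdrive_table.min[...]` on every path, including when `smu->od_enabled` is false, while `od_percent_upper` stays gated; the navi10, sienna_cichlid, smu_v13_0_0 and smu_v13_0_7 hunks have the same shape. In navi10 the upper bound also depends on `navi10_od_feature_is_supported(...)` and the lower bound no longer does, so a table that does not advertise the power-limit capability is still trusted for its minimum. The code that turns the percentage into a cap is outside the hunks, so whether a table value above 100 is harmless there cannot be confirmed from here. A comment such as `/* min percentage comes from the pptable even with OD off */` and, if the consumer subtracts from 100, a clamp like `od_percent_lower = min_t(u32, od_percent_lower, 100);` would make the assumption explicit.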
@@ -0,0 +1,59 @@
+From f41900e4a6ef019d64a70394b0e0c3bd048d4ec8 Mon Sep 17 00:00:00 2001
+From: Matthew Auld
+Date: Mon, 19 Feb 2024 12:18:52 +0000
+Subject: drm/buddy: fix range bias
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Matthew Auld
+
+commit f41900e4a6ef019d64a70394b0e0c3bd048d4ec8 upstream.
+
+There is a corner case here where start/end is after/before the block
+range we are currently checking. If so we need to be sure that splitting
+the block will eventually give use the block size we need. To do that we
+should adjust the block range to account for the start/end, and only
+continue with the split if the size/alignment will fit the requested
+size. Not doing so can result in leaving split blocks unmerged when it
+eventually fails.
+
+Fixes: afea229fe102 ("drm: improve drm_buddy_alloc function")
+Signed-off-by: Matthew Auld
+Cc: Arunpravin Paneer Selvam
+Cc: Christian König
+Cc: # v5.18+
+Reviewed-by: Arunpravin Paneer Selvam
+Link: https://patchwork.freedesktop.org/patch/msgid/20240219121851.25774-4-matthew.auld@intel.com
+Signed-off-by: Christian König
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/drm_buddy.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/gpu/drm/drm_buddy.c
++++ b/drivers/gpu/drm/drm_buddy.c
+@@ -332,6 +332,7 @@ alloc_range_bias(struct drm_buddy *mm,
+ u64 start, u64 end,
+ unsigned int order)
+ {
++ u64 req_size = mm->chunk_size << order;
+ struct drm_buddy_block *block;
+ struct drm_buddy_block *buddy;
+ LIST_HEAD(dfs);
+@@ -367,6 +368,15 @@ alloc_range_bias(struct drm_buddy *mm,
+ if (drm_buddy_block_is_allocated(block))
+ continue;
+
++ if (block_start < start || block_end > end) {
++ u64 adjusted_start = max(block_start, start);
++ u64 adjusted_end = min(block_end, end);
++
++ if (round_down(adjusted_end + 1, req_size) <=
++ round_up(adjusted_start, req_size))
++ continue;
++ }
++
+ if (contains(start, end, block_start, block_end) &&
+ order == drm_buddy_block_order(block)) {
+ /*
diff --git a/queue-6.7/gtp-fix-use-after-free-and-null-ptr-deref-in-gtp_newlink.patch b/queue-6.7/gtp-fix-use-after-free-and-null-ptr-deref-in-gtp_newlink.patch
new file mode 100644
index 00000000000..04d35394ad7
--- /dev/null
+++ b/queue-6.7/gtp-fix-use-after-free-and-null-ptr-deref-in-gtp_newlink.patch
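Review bot: The new check in alloc_range_bias() (drm_buddy.c) evaluates `adjusted_end + 1` and `mm->chunk_size << order` in u64 with no stated bound, and `round_down()`/`round_up()` are only correct for a power-of-two `req_size`; nothing in the hunk says which of these the caller guarantees. A comment above the block would record the intent, for example `/* Skip blocks whose overlap with [start, end] cannot hold one aligned req_size chunk */`. If `end` can ever be the largest u64 value, the `+ 1` wraps to zero and the comparison skips every partially covered block, so that case deserves either a guard or a note that it cannot occur. The function body continues outside both hunks.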
@@ -0,0 +1,151 @@ +From 616d82c3cfa2a2146dd7e3ae47bda7e877ee549e Mon Sep 17 00:00:00 2001 +From: Alexander Ofitserov +Date: Wed, 28 Feb 2024 14:47:03 +0300 +Subject: gtp: fix use-after-free and null-ptr-deref in gtp_newlink() + +From: Alexander Ofitserov + +commit 616d82c3cfa2a2146dd7e3ae47bda7e877ee549e upstream. + +The gtp_link_ops operations structure for the subsystem must be +registered after registering the gtp_net_ops pernet operations structure. + +Syzkaller hit 'general protection fault in gtp_genl_dump_pdp' bug: + +[ 1010.702740] gtp: GTP module unloaded +[ 1010.715877] general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] SMP KASAN NOPTI +[ 1010.715888] KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] +[ 1010.715895] CPU: 1 PID: 128616 Comm: a.out Not tainted 6.8.0-rc6-std-def-alt1 #1 +[ 1010.715899] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-alt1 04/01/2014 +[ 1010.715908] RIP: 0010:gtp_newlink+0x4d7/0x9c0 [gtp] +[ 1010.715915] Code: 80 3c 02 00 0f 85 41 04 00 00 48 8b bb d8 05 00 00 e8 ed f6 ff ff 48 89 c2 48 89 c5 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 4f 04 00 00 4c 89 e2 4c 8b 6d 00 48 b8 00 00 00 +[ 1010.715920] RSP: 0018:ffff888020fbf180 EFLAGS: 00010203 +[ 1010.715929] RAX: dffffc0000000000 RBX: ffff88800399c000 RCX: 0000000000000000 +[ 1010.715933] RDX: 0000000000000001 RSI: ffffffff84805280 RDI: 0000000000000282 +[ 1010.715938] RBP: 000000000000000d R08: 0000000000000001 R09: 0000000000000000 +[ 1010.715942] R10: 0000000000000001 R11: 0000000000000001 R12: ffff88800399cc80 +[ 1010.715947] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000400 +[ 1010.715953] FS: 00007fd1509ab5c0(0000) GS:ffff88805b300000(0000) knlGS:0000000000000000 +[ 1010.715958] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 1010.715962] CR2: 0000000000000000 CR3: 000000001c07a000 CR4: 0000000000750ee0 +[ 1010.715968] PKRU: 55555554 +[ 1010.715972] Call 
Trace: +[ 1010.715985] ? __die_body.cold+0x1a/0x1f +[ 1010.715995] ? die_addr+0x43/0x70 +[ 1010.716002] ? exc_general_protection+0x199/0x2f0 +[ 1010.716016] ? asm_exc_general_protection+0x1e/0x30 +[ 1010.716026] ? gtp_newlink+0x4d7/0x9c0 [gtp] +[ 1010.716034] ? gtp_net_exit+0x150/0x150 [gtp] +[ 1010.716042] __rtnl_newlink+0x1063/0x1700 +[ 1010.716051] ? rtnl_setlink+0x3c0/0x3c0 +[ 1010.716063] ? is_bpf_text_address+0xc0/0x1f0 +[ 1010.716070] ? kernel_text_address.part.0+0xbb/0xd0 +[ 1010.716076] ? __kernel_text_address+0x56/0xa0 +[ 1010.716084] ? unwind_get_return_address+0x5a/0xa0 +[ 1010.716091] ? create_prof_cpu_mask+0x30/0x30 +[ 1010.716098] ? arch_stack_walk+0x9e/0xf0 +[ 1010.716106] ? stack_trace_save+0x91/0xd0 +[ 1010.716113] ? stack_trace_consume_entry+0x170/0x170 +[ 1010.716121] ? __lock_acquire+0x15c5/0x5380 +[ 1010.716139] ? mark_held_locks+0x9e/0xe0 +[ 1010.716148] ? kmem_cache_alloc_trace+0x35f/0x3c0 +[ 1010.716155] ? __rtnl_newlink+0x1700/0x1700 +[ 1010.716160] rtnl_newlink+0x69/0xa0 +[ 1010.716166] rtnetlink_rcv_msg+0x43b/0xc50 +[ 1010.716172] ? rtnl_fdb_dump+0x9f0/0x9f0 +[ 1010.716179] ? lock_acquire+0x1fe/0x560 +[ 1010.716188] ? netlink_deliver_tap+0x12f/0xd50 +[ 1010.716196] netlink_rcv_skb+0x14d/0x440 +[ 1010.716202] ? rtnl_fdb_dump+0x9f0/0x9f0 +[ 1010.716208] ? netlink_ack+0xab0/0xab0 +[ 1010.716213] ? netlink_deliver_tap+0x202/0xd50 +[ 1010.716220] ? netlink_deliver_tap+0x218/0xd50 +[ 1010.716226] ? __virt_addr_valid+0x30b/0x590 +[ 1010.716233] netlink_unicast+0x54b/0x800 +[ 1010.716240] ? netlink_attachskb+0x870/0x870 +[ 1010.716248] ? __check_object_size+0x2de/0x3b0 +[ 1010.716254] netlink_sendmsg+0x938/0xe40 +[ 1010.716261] ? netlink_unicast+0x800/0x800 +[ 1010.716269] ? __import_iovec+0x292/0x510 +[ 1010.716276] ? netlink_unicast+0x800/0x800 +[ 1010.716284] __sock_sendmsg+0x159/0x190 +[ 1010.716290] ____sys_sendmsg+0x712/0x880 +[ 1010.716297] ? sock_write_iter+0x3d0/0x3d0 +[ 1010.716304] ? __ia32_sys_recvmmsg+0x270/0x270 +[ 1010.716309] ? 
lock_acquire+0x1fe/0x560 +[ 1010.716315] ? drain_array_locked+0x90/0x90 +[ 1010.716324] ___sys_sendmsg+0xf8/0x170 +[ 1010.716331] ? sendmsg_copy_msghdr+0x170/0x170 +[ 1010.716337] ? lockdep_init_map_type+0x2c7/0x860 +[ 1010.716343] ? lockdep_hardirqs_on_prepare+0x430/0x430 +[ 1010.716350] ? debug_mutex_init+0x33/0x70 +[ 1010.716360] ? percpu_counter_add_batch+0x8b/0x140 +[ 1010.716367] ? lock_acquire+0x1fe/0x560 +[ 1010.716373] ? find_held_lock+0x2c/0x110 +[ 1010.716384] ? __fd_install+0x1b6/0x6f0 +[ 1010.716389] ? lock_downgrade+0x810/0x810 +[ 1010.716396] ? __fget_light+0x222/0x290 +[ 1010.716403] __sys_sendmsg+0xea/0x1b0 +[ 1010.716409] ? __sys_sendmsg_sock+0x40/0x40 +[ 1010.716419] ? lockdep_hardirqs_on_prepare+0x2b3/0x430 +[ 1010.716425] ? syscall_enter_from_user_mode+0x1d/0x60 +[ 1010.716432] do_syscall_64+0x30/0x40 +[ 1010.716438] entry_SYSCALL_64_after_hwframe+0x62/0xc7 +[ 1010.716444] RIP: 0033:0x7fd1508cbd49 +[ 1010.716452] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ef 70 0d 00 f7 d8 64 89 01 48 +[ 1010.716456] RSP: 002b:00007fff18872348 EFLAGS: 00000202 ORIG_RAX: 000000000000002e +[ 1010.716463] RAX: ffffffffffffffda RBX: 000055f72bf0eac0 RCX: 00007fd1508cbd49 +[ 1010.716468] RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000006 +[ 1010.716473] RBP: 00007fff18872360 R08: 00007fff18872360 R09: 00007fff18872360 +[ 1010.716478] R10: 00007fff18872360 R11: 0000000000000202 R12: 000055f72bf0e1b0 +[ 1010.716482] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 +[ 1010.716491] Modules linked in: gtp(+) udp_tunnel ib_core uinput af_packet rfkill qrtr joydev hid_generic usbhid hid kvm_intel iTCO_wdt intel_pmc_bxt iTCO_vendor_support kvm snd_hda_codec_generic ledtrig_audio irqbypass crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel snd_hda_intel nls_utf8 snd_intel_dspcfg nls_cp866 psmouse 
aesni_intel vfat crypto_simd fat cryptd glue_helper snd_hda_codec pcspkr snd_hda_core i2c_i801 snd_hwdep i2c_smbus xhci_pci snd_pcm lpc_ich xhci_pci_renesas xhci_hcd qemu_fw_cfg tiny_power_button button sch_fq_codel vboxvideo drm_vram_helper drm_ttm_helper ttm vboxsf vboxguest snd_seq_midi snd_seq_midi_event snd_seq snd_rawmidi snd_seq_device snd_timer snd soundcore msr fuse efi_pstore dm_mod ip_tables x_tables autofs4 virtio_gpu virtio_dma_buf drm_kms_helper cec rc_core drm virtio_rng virtio_scsi rng_core virtio_balloon virtio_blk virtio_net virtio_console net_failover failover ahci libahci libata evdev scsi_mod input_leds serio_raw virtio_pci intel_agp +[ 1010.716674] virtio_ring intel_gtt virtio [last unloaded: gtp] +[ 1010.716693] ---[ end trace 04990a4ce61e174b ]--- + +Cc: stable@vger.kernel.org +Signed-off-by: Alexander Ofitserov +Fixes: 459aa660eb1d ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)") +Reviewed-by: Jiri Pirko +Link: https://lore.kernel.org/r/20240228114703.465107-1-oficerovas@altlinux.org +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/gtp.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/drivers/net/gtp.c ++++ b/drivers/net/gtp.c +@@ -1903,26 +1903,26 @@ static int __init gtp_init(void) + + get_random_bytes(>p_h_initval, sizeof(gtp_h_initval)); + +- err = rtnl_link_register(>p_link_ops); ++ err = register_pernet_subsys(>p_net_ops); + if (err < 0) + goto error_out; + +- err = register_pernet_subsys(>p_net_ops); ++ err = rtnl_link_register(>p_link_ops); + if (err < 0) +- goto unreg_rtnl_link; ++ goto unreg_pernet_subsys; + + err = genl_register_family(>p_genl_family); + if (err < 0) +- goto unreg_pernet_subsys; ++ goto unreg_rtnl_link; + + pr_info("GTP module loaded (pdp ctx size %zd bytes)\n", + sizeof(struct pdp_ctx)); + return 0; + +-unreg_pernet_subsys: +- unregister_pernet_subsys(>p_net_ops); + unreg_rtnl_link: + rtnl_link_unregister(>p_link_ops); 
++unreg_pernet_subsys: ++ unregister_pernet_subsys(>p_net_ops); + error_out: + pr_err("error loading GTP module loaded\n"); + return err; diff --git a/queue-6.7/landlock-fix-asymmetric-private-inodes-referring.patch b/queue-6.7/landlock-fix-asymmetric-private-inodes-referring.patch new file mode 100644 index 00000000000..dd6ae349d21 --- /dev/null +++ b/queue-6.7/landlock-fix-asymmetric-private-inodes-referring.patch 
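Review bot: gtp_init() now registers the pernet ops before the rtnl link ops and unwinds in the matching reverse order, but nothing in the code records why the order matters, and the module exit function is not in the hunk. A comment above the first call, for example `/* pernet ops first: gtp_newlink() may run as soon as the link ops are registered */`, would keep a later cleanup from swapping the two calls back; that reading of the ordering is inferred from the commit message and the trace, not from code visible here. It is also worth confirming that the exit path unregisters in the reverse of this new order, since the log in the description shows the fault shortly after "GTP module unloaded".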
@@ -0,0 +1,63 @@
+From d9818b3e906a0ee1ab02ea79e74a2f755fc5461a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?=
+Date: Mon, 19 Feb 2024 20:03:45 +0100
+Subject: landlock: Fix asymmetric private inodes referring
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mickaël Salaün
+
+commit d9818b3e906a0ee1ab02ea79e74a2f755fc5461a upstream.
+
+When linking or renaming a file, if only one of the source or
+destination directory is backed by an S_PRIVATE inode, then the related
+set of layer masks would be used as uninitialized by
+is_access_to_paths_allowed(). This would result to indeterministic
+access for one side instead of always being allowed.
+
+This bug could only be triggered with a mounted filesystem containing
+both S_PRIVATE and !S_PRIVATE inodes, which doesn't seem possible.
+
+The collect_domain_accesses() calls return early if
+is_nouser_or_private() returns false, which means that the directory's
+superblock has SB_NOUSER or its inode has S_PRIVATE. Because rename or
+link actions are only allowed on the same mounted filesystem, the
+superblock is always the same for both source and destination
+directories. However, it might be possible in theory to have an
+S_PRIVATE parent source inode with an !S_PRIVATE parent destination
+inode, or vice versa.
+
+To make sure this case is not an issue, explicitly initialized both set
+of layer masks to 0, which means to allow all actions on the related
+side. If at least on side has !S_PRIVATE, then
+collect_domain_accesses() and is_access_to_paths_allowed() check for the
+required access rights.
+
+Cc: Arnd Bergmann
+Cc: Christian Brauner
+Cc: Günther Noack
+Cc: Jann Horn
+Cc: Shervin Oloumi
+Cc: stable@vger.kernel.org
+Fixes: b91c3e4ea756 ("landlock: Add support for file reparenting with LANDLOCK_ACCESS_FS_REFER")
+Link: https://lore.kernel.org/r/20240219190345.2928627-1-mic@digikod.net
+Signed-off-by: Mickaël Salaün
+Signed-off-by: Greg Kroah-Hartman
+---
+ security/landlock/fs.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/security/landlock/fs.c
++++ b/security/landlock/fs.c
+@@ -737,8 +737,8 @@ static int current_check_refer_path(stru
+ bool allow_parent1, allow_parent2;
+ access_mask_t access_request_parent1, access_request_parent2;
+ struct path mnt_dir;
+- layer_mask_t layer_masks_parent1[LANDLOCK_NUM_ACCESS_FS],
+- layer_masks_parent2[LANDLOCK_NUM_ACCESS_FS];
++ layer_mask_t layer_masks_parent1[LANDLOCK_NUM_ACCESS_FS] = {},
++ layer_masks_parent2[LANDLOCK_NUM_ACCESS_FS] = {};
+
+ if (!dom)
+ return 0;
diff --git a/queue-6.7/mm-cachestat-fix-folio-read-after-free-in-cache-walk.patch b/queue-6.7/mm-cachestat-fix-folio-read-after-free-in-cache-walk.patch
new file mode 100644
index 00000000000..5fb01d0bdf5
--- /dev/null
+++ b/queue-6.7/mm-cachestat-fix-folio-read-after-free-in-cache-walk.patch
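Review bot: The zero initialisers added to `layer_masks_parent1` and `layer_masks_parent2` in current_check_refer_path() (security/landlock/fs.c) are what make a side that is never filled in default to allow, yet that meaning is recorded only in the commit message. A comment on the declaration, for example `/* Zeroed masks deny nothing; collect_domain_accesses() may leave one side untouched */`, would stop a later cleanup from dropping the initialisers as redundant and reintroducing a read of uninitialised access masks. The rest of the function is outside the hunk, so the early-return path in collect_domain_accesses() that the message describes could not be checked here.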
@@ -0,0 +1,119 @@
+From 3a75cb05d53f4a6823a32deb078de1366954a804 Mon Sep 17 00:00:00 2001
+From: Nhat Pham
+Date: Mon, 19 Feb 2024 19:01:21 -0800
+Subject: mm: cachestat: fix folio read-after-free in cache walk
+
+From: Nhat Pham
+
+commit 3a75cb05d53f4a6823a32deb078de1366954a804 upstream.
+
+In cachestat, we access the folio from the page cache's xarray to compute
+its page offset, and check for its dirty and writeback flags. However, we
+do not hold a reference to the folio before performing these actions,
+which means the folio can concurrently be released and reused as another
+folio/page/slab.
+
+Get around this altogether by just using xarray's existing machinery for
+the folio page offsets and dirty/writeback states.
+
+This changes behavior for tmpfs files to now always report zeroes in their
+dirty and writeback counters. This is okay as tmpfs doesn't follow
+conventional writeback cache behavior: its pages get "cleaned" during
+swapout, after which they're no longer resident etc.
+
+Link: https://lkml.kernel.org/r/20240220153409.GA216065@cmpxchg.org
+Fixes: cf264e1329fb ("cachestat: implement cachestat syscall")
+Reported-by: Jann Horn
+Suggested-by: Matthew Wilcox
+Signed-off-by: Nhat Pham
+Signed-off-by: Johannes Weiner
+Tested-by: Jann Horn
+Cc: [6.4+]
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/filemap.c | 51 ++++++++++++++++++++++++++-------------------------
+ 1 file changed, 26 insertions(+), 25 deletions(-)
+
+--- a/mm/filemap.c
++++ b/mm/filemap.c
+@@ -4108,28 +4108,40 @@ static void filemap_cachestat(struct add
+
+ rcu_read_lock();
+ xas_for_each(&xas, folio, last_index) {
++ int order;
+ unsigned long nr_pages;
+ pgoff_t folio_first_index, folio_last_index;
+
++ /*
++ * Don't deref the folio. It is not pinned, and might
++ * get freed (and reused) underneath us.
++ *
++ * We *could* pin it, but that would be expensive for
++ * what should be a fast and lightweight syscall.
++ *
++ * Instead, derive all information of interest from
++ * the rcu-protected xarray.
++ */
++
+ if (xas_retry(&xas, folio))
+ continue;
+
++ order = xa_get_order(xas.xa, xas.xa_index);
++ nr_pages = 1 << order;
++ folio_first_index = round_down(xas.xa_index, 1 << order);
++ folio_last_index = folio_first_index + nr_pages - 1;
++
++ /* Folios might straddle the range boundaries, only count covered pages */
++ if (folio_first_index < first_index)
++ nr_pages -= first_index - folio_first_index;
++
++ if (folio_last_index > last_index)
++ nr_pages -= folio_last_index - last_index;
++
+ if (xa_is_value(folio)) {
+ /* page is evicted */
+ void *shadow = (void *)folio;
+ bool workingset; /* not used */
+- int order = xa_get_order(xas.xa, xas.xa_index);
+-
+- nr_pages = 1 << order;
+- folio_first_index = round_down(xas.xa_index, 1 << order);
+- folio_last_index = folio_first_index + nr_pages - 1;
+-
+- /* Folios might straddle the range boundaries, only count covered pages */
+- if (folio_first_index < first_index)
+- nr_pages -= first_index - folio_first_index;
+-
+- if (folio_last_index > last_index)
+- nr_pages -= folio_last_index - last_index;
+
+ cs->nr_evicted += nr_pages;
+
+@@ -4147,24 +4159,13 @@ static void filemap_cachestat(struct add
+ goto resched;
+ }
+
+- nr_pages = folio_nr_pages(folio);
+- folio_first_index = folio_pgoff(folio);
+- folio_last_index = folio_first_index + nr_pages - 1;
+-
+- /* Folios might straddle the range boundaries, only count covered pages */
+- if (folio_first_index < first_index)
+- nr_pages -= first_index - folio_first_index;
+-
+- if (folio_last_index > last_index)
+- nr_pages -= folio_last_index - last_index;
+-
+ /* page is in cache */
+ cs->nr_cache += nr_pages;
+
+- if (folio_test_dirty(folio))
++ if (xas_get_mark(&xas, PAGECACHE_TAG_DIRTY))
+ cs->nr_dirty += nr_pages;
+
+- if (folio_test_writeback(folio))
++ if (xas_get_mark(&xas, PAGECACHE_TAG_WRITEBACK))
+ cs->nr_writeback += nr_pages;
+
+ resched:
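Review bot: In filemap_cachestat() `nr_pages = 1 << order;` and `round_down(xas.xa_index, 1 << order)` shift a plain int although the results are stored in `unsigned long` and `pgoff_t`; writing `1UL << order` in both places keeps the arithmetic in the destination width. The dirty and writeback counts now come from `xas_get_mark()`, so they reflect the xarray tags rather than the folio flags; the commit message explains the tmpfs consequence, and the new block comment could carry one more line saying the counters are tag-based so the difference is visible in the code. The loop continues outside both hunks.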
diff --git a/queue-6.7/mmc-core-fix-emmc-initialization-with-1-bit-bus-connection.patch b/queue-6.7/mmc-core-fix-emmc-initialization-with-1-bit-bus-connection.patch
new file mode 100644
index 00000000000..c119e9da143
--- /dev/null
+++ b/queue-6.7/mmc-core-fix-emmc-initialization-with-1-bit-bus-connection.patch
@@ -0,0 +1,72 @@
+From ff3206d2186d84e4f77e1378ba1d225633f17b9b Mon Sep 17 00:00:00 2001
+From: Ivan Semenov
+Date: Tue, 6 Feb 2024 19:28:45 +0200
+Subject: mmc: core: Fix eMMC initialization with 1-bit bus connection
+
+From: Ivan Semenov
+
+commit ff3206d2186d84e4f77e1378ba1d225633f17b9b upstream.
+
+Initializing an eMMC that's connected via a 1-bit bus is current failing,
+if the HW (DT) informs that 4-bit bus is supported. In fact this is a
+regression, as we were earlier capable of falling back to 1-bit mode, when
+switching to 4/8-bit bus failed. Therefore, let's restore the behaviour.
+
+Log for Samsung eMMC 5.1 chip connected via 1bit bus (only D0 pin)
+Before patch:
+[134509.044225] mmc0: switch to bus width 4 failed
+[134509.044509] mmc0: new high speed MMC card at address 0001
+[134509.054594] mmcblk0: mmc0:0001 BGUF4R 29.1 GiB
+[134509.281602] mmc0: switch to bus width 4 failed
+[134509.282638] I/O error, dev mmcblk0, sector 0 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 2
+[134509.282657] Buffer I/O error on dev mmcblk0, logical block 0, async page read
+[134509.284598] I/O error, dev mmcblk0, sector 0 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 2
+[134509.284602] Buffer I/O error on dev mmcblk0, logical block 0, async page read
+[134509.284609] ldm_validate_partition_table(): Disk read failed.
+[134509.286495] I/O error, dev mmcblk0, sector 0 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 2
+[134509.286500] Buffer I/O error on dev mmcblk0, logical block 0, async page read
+[134509.288303] I/O error, dev mmcblk0, sector 0 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 2
+[134509.288308] Buffer I/O error on dev mmcblk0, logical block 0, async page read
+[134509.289540] I/O error, dev mmcblk0, sector 0 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 2
+[134509.289544] Buffer I/O error on dev mmcblk0, logical block 0, async page read
+[134509.289553] mmcblk0: unable to read partition table
+[134509.289728] mmcblk0boot0: mmc0:0001 BGUF4R 31.9 MiB
+[134509.290283] mmcblk0boot1: mmc0:0001 BGUF4R 31.9 MiB
+[134509.294577] I/O error, dev mmcblk0, sector 0 op 0x0:(READ) flags 0x80700 phys_seg 1 prio class 2
+[134509.295835] I/O error, dev mmcblk0, sector 0 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 2
+[134509.295841] Buffer I/O error on dev mmcblk0, logical block 0, async page read
+
+After patch:
+
+[134551.089613] mmc0: switch to bus width 4 failed
+[134551.090377] mmc0: new high speed MMC card at address 0001
+[134551.102271] mmcblk0: mmc0:0001 BGUF4R 29.1 GiB
+[134551.113365] mmcblk0: p1 p2 p3 p4 p5 p6 p7 p8 p9 p10 p11 p12 p13 p14 p15 p16 p17 p18 p19 p20 p21
+[134551.114262] mmcblk0boot0: mmc0:0001 BGUF4R 31.9 MiB
+[134551.114925] mmcblk0boot1: mmc0:0001 BGUF4R 31.9 MiB
+
+Fixes: 577fb13199b1 ("mmc: rework selection of bus speed mode")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ivan Semenov
+Link: https://lore.kernel.org/r/20240206172845.34316-1-ivan@semenov.dev
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mmc/core/mmc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/mmc/core/mmc.c
++++ b/drivers/mmc/core/mmc.c
+@@ -1006,10 +1006,12 @@ static int mmc_select_bus_width(struct m
+ static unsigned ext_csd_bits[] = {
+ EXT_CSD_BUS_WIDTH_8,
+ EXT_CSD_BUS_WIDTH_4,
++ EXT_CSD_BUS_WIDTH_1,
+ };
+ static unsigned bus_widths[] = {
+ MMC_BUS_WIDTH_8,
+ MMC_BUS_WIDTH_4,
++ MMC_BUS_WIDTH_1,
+ };
+ struct mmc_host *host = card->host;
+ unsigned idx, bus_width = 0;
diff --git a/queue-6.7/mmc-mmci-stm32-fix-dma-api-overlapping-mappings-warning.patch b/queue-6.7/mmc-mmci-stm32-fix-dma-api-overlapping-mappings-warning.patch
new file mode 100644
index 00000000000..26ca9c7356a
--- /dev/null
+++ b/queue-6.7/mmc-mmci-stm32-fix-dma-api-overlapping-mappings-warning.patch
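Review bot: mmc_select_bus_width() keeps `ext_csd_bits[]` and `bus_widths[]` as parallel tables indexed by the same `idx`, and this change has to extend both by hand. A compile-time check next to the declarations, `BUILD_BUG_ON(ARRAY_SIZE(ext_csd_bits) != ARRAY_SIZE(bus_widths));`, would catch a later edit that touches only one of them and would otherwise index past the shorter table. A comment on the new entries such as `/* 1-bit fallback when switching to the wider modes fails */` would also help. The loop that walks the tables is outside the hunk, so how the 1-bit entry is reached could not be checked here.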
@@ -0,0 +1,106 @@
+From 6b1ba3f9040be5efc4396d86c9752cdc564730be Mon Sep 17 00:00:00 2001
+From: Christophe Kerello
+Date: Wed, 7 Feb 2024 15:39:51 +0100
+Subject: mmc: mmci: stm32: fix DMA API overlapping mappings warning
+
+From: Christophe Kerello
+
+commit 6b1ba3f9040be5efc4396d86c9752cdc564730be upstream.
+
+Turning on CONFIG_DMA_API_DEBUG_SG results in the following warning:
+
+DMA-API: mmci-pl18x 48220000.mmc: cacheline tracking EEXIST,
+overlapping mappings aren't supported
+WARNING: CPU: 1 PID: 51 at kernel/dma/debug.c:568
+add_dma_entry+0x234/0x2f4
+Modules linked in:
+CPU: 1 PID: 51 Comm: kworker/1:2 Not tainted 6.1.28 #1
+Hardware name: STMicroelectronics STM32MP257F-EV1 Evaluation Board (DT)
+Workqueue: events_freezable mmc_rescan
+Call trace:
+add_dma_entry+0x234/0x2f4
+debug_dma_map_sg+0x198/0x350
+__dma_map_sg_attrs+0xa0/0x110
+dma_map_sg_attrs+0x10/0x2c
+sdmmc_idma_prep_data+0x80/0xc0
+mmci_prep_data+0x38/0x84
+mmci_start_data+0x108/0x2dc
+mmci_request+0xe4/0x190
+__mmc_start_request+0x68/0x140
+mmc_start_request+0x94/0xc0
+mmc_wait_for_req+0x70/0x100
+mmc_send_tuning+0x108/0x1ac
+sdmmc_execute_tuning+0x14c/0x210
+mmc_execute_tuning+0x48/0xec
+mmc_sd_init_uhs_card.part.0+0x208/0x464
+mmc_sd_init_card+0x318/0x89c
+mmc_attach_sd+0xe4/0x180
+mmc_rescan+0x244/0x320
+
+DMA API debug brings to light leaking dma-mappings as dma_map_sg and
+dma_unmap_sg are not correctly balanced.
+
+If an error occurs in mmci_cmd_irq function, only mmci_dma_error
+function is called and as this API is not managed on stm32 variant,
+dma_unmap_sg is never called in this error path.
+
+Signed-off-by: Christophe Kerello
+Fixes: 46b723dd867d ("mmc: mmci: add stm32 sdmmc variant")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20240207143951.938144-1-christophe.kerello@foss.st.com
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mmc/host/mmci_stm32_sdmmc.c | 24 ++++++++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+
+--- a/drivers/mmc/host/mmci_stm32_sdmmc.c
++++ b/drivers/mmc/host/mmci_stm32_sdmmc.c
+@@ -225,6 +225,8 @@ static int sdmmc_idma_start(struct mmci_
+ struct scatterlist *sg;
+ int i;
+
++ host->dma_in_progress = true;
++
+ if (!host->variant->dma_lli || data->sg_len == 1 ||
+ idma->use_bounce_buffer) {
+ u32 dma_addr;
+@@ -263,9 +265,30 @@ static int sdmmc_idma_start(struct mmci_
+ return 0;
+ }
+
++static void sdmmc_idma_error(struct mmci_host *host)
++{
++ struct mmc_data *data = host->data;
++ struct sdmmc_idma *idma = host->dma_priv;
++
++ if (!dma_inprogress(host))
++ return;
++
++ writel_relaxed(0, host->base + MMCI_STM32_IDMACTRLR);
++ host->dma_in_progress = false;
++ data->host_cookie = 0;
++
++ if (!idma->use_bounce_buffer)
++ dma_unmap_sg(mmc_dev(host->mmc), data->sg, data->sg_len,
++ mmc_get_dma_dir(data));
++}
++
+ static void sdmmc_idma_finalize(struct mmci_host *host, struct mmc_data *data)
+ {
++ if (!dma_inprogress(host))
++ return;
++
+ writel_relaxed(0, host->base + MMCI_STM32_IDMACTRLR);
++ host->dma_in_progress = false;
+
+ if (!data->host_cookie)
+ sdmmc_idma_unprep_data(host, data, 0);
+@@ -676,6 +699,7 @@ static struct mmci_host_ops sdmmc_varian
+ .dma_setup = sdmmc_idma_setup,
+ .dma_start = sdmmc_idma_start,
+ .dma_finalize = sdmmc_idma_finalize,
++ .dma_error = sdmmc_idma_error,
+ .set_clkreg = mmci_sdmmc_set_clkreg,
+ .set_pwrreg = mmci_sdmmc_set_pwrreg,
+ .busy_complete = sdmmc_busy_complete,
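Review bot: sdmmc_idma_error() copies `host->data` into `data` and then writes `data->host_cookie` and passes `data->sg` to dma_unmap_sg() with only the `dma_inprogress(host)` test in front, so if the error callback can run after `host->data` has been cleared this is a NULL dereference. The callers are outside the hunk and may already exclude that, but `if (!dma_inprogress(host) || !data) return;` costs nothing. Separately, `host->dma_in_progress = true;` is set at the top of sdmmc_idma_start() before the descriptors are programmed; since the finalize and error paths now key on that flag, a one-line comment saying it marks a mapping that still has to be released would help the next reader.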
diff --git a/queue-6.7/mmc-sdhci-xenon-add-timeout-for-phy-init-complete.patch b/queue-6.7/mmc-sdhci-xenon-add-timeout-for-phy-init-complete.patch
new file mode 100644
index 00000000000..f6715a8971c
--- /dev/null
+++ b/queue-6.7/mmc-sdhci-xenon-add-timeout-for-phy-init-complete.patch
@@ -0,0 +1,75 @@
+From 09e23823ae9a3e2d5d20f2e1efe0d6e48cef9129 Mon Sep 17 00:00:00 2001
+From: Elad Nachman
+Date: Thu, 22 Feb 2024 21:17:14 +0200
+Subject: mmc: sdhci-xenon: add timeout for PHY init complete
+
+From: Elad Nachman
+
+commit 09e23823ae9a3e2d5d20f2e1efe0d6e48cef9129 upstream.
+
+AC5X spec says PHY init complete bit must be polled until zero.
+We see cases in which timeout can take longer than the standard
+calculation on AC5X, which is expected following the spec comment above.
+According to the spec, we must wait as long as it takes for that bit to
+toggle on AC5X.
+Cap that with 100 delay loops so we won't get stuck forever.
+
+Fixes: 06c8b667ff5b ("mmc: sdhci-xenon: Add support to PHYs of Marvell Xenon SDHC")
+Acked-by: Adrian Hunter
+Cc: stable@vger.kernel.org
+Signed-off-by: Elad Nachman
+Link: https://lore.kernel.org/r/20240222191714.1216470-3-enachman@marvell.com
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mmc/host/sdhci-xenon-phy.c | 29 ++++++++++++++++++++---------
+ 1 file changed, 20 insertions(+), 9 deletions(-)
+
+--- a/drivers/mmc/host/sdhci-xenon-phy.c
++++ b/drivers/mmc/host/sdhci-xenon-phy.c
+@@ -109,6 +109,8 @@
+ #define XENON_EMMC_PHY_LOGIC_TIMING_ADJUST (XENON_EMMC_PHY_REG_BASE + 0x18)
+ #define XENON_LOGIC_TIMING_VALUE 0x00AA8977
+
++#define XENON_MAX_PHY_TIMEOUT_LOOPS 100
++
+ /*
+ * List offset of PHY registers and some special register values
+ * in eMMC PHY 5.0 or eMMC PHY 5.1
+@@ -259,18 +261,27 @@ static int xenon_emmc_phy_init(struct sd
+ /* get the wait time */
+ wait /= clock;
+ wait++;
+- /* wait for host eMMC PHY init completes */
+- udelay(wait);
+
+- reg = sdhci_readl(host, phy_regs->timing_adj);
+- reg &= XENON_PHY_INITIALIZAION;
+- if (reg) {
++ /*
++ * AC5X spec says bit must be polled until zero.
++ * We see cases in which timeout can take longer
++ * than the standard calculation on AC5X, which is
++ * expected following the spec comment above.
++ * According to the spec, we must wait as long as
++ * it takes for that bit to toggle on AC5X.
++ * Cap that with 100 delay loops so we won't get
++ * stuck here forever:
++ */
++
++ ret = read_poll_timeout(sdhci_readl, reg,
++ !(reg & XENON_PHY_INITIALIZAION),
++ wait, XENON_MAX_PHY_TIMEOUT_LOOPS * wait,
++ false, host, phy_regs->timing_adj);
++ if (ret)
+ dev_err(mmc_dev(host->mmc), "eMMC PHY init cannot complete after %d us\n",
+- wait);
+- return -ETIMEDOUT;
+- }
++ wait * XENON_MAX_PHY_TIMEOUT_LOOPS);
+
+- return 0;
++ return ret;
+ }
+
+ #define ARMADA_3700_SOC_PAD_1_8V 0x1
diff --git a/queue-6.7/mmc-sdhci-xenon-fix-phy-init-clock-stability.patch b/queue-6.7/mmc-sdhci-xenon-fix-phy-init-clock-stability.patch
new file mode 100644
index 00000000000..5492f703a23
--- /dev/null
+++ b/queue-6.7/mmc-sdhci-xenon-fix-phy-init-clock-stability.patch
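Review bot: `ret` is assigned by the new `read_poll_timeout()` call in xenon_emmc_phy_init(), but this patch adds no declaration for it; the only one visible on this page is `int ret = xenon_check_stability_internal_clk(host);`, added by mmc-sdhci-xenon-fix-phy-init-clock-stability.patch, which queue-6.7/series lists after this patch. The top of the function is outside the hunk, so an existing `ret` cannot be ruled out, but if there is none the tree does not build at this point in the series and bisection across it breaks. Listing the clock-stability patch first in series, or adding `int ret;` to the locals here, would close the gap. Separately, the message prints `wait * XENON_MAX_PHY_TIMEOUT_LOOPS` with `%d`; the declaration of `wait` is not visible, and `%u` is the matching specifier if it is unsigned.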
@@ -0,0 +1,68 @@
+From 8e9f25a290ae0016353c9ea13314c95fb3207812 Mon Sep 17 00:00:00 2001
+From: Elad Nachman
+Date: Thu, 22 Feb 2024 22:09:30 +0200
+Subject: mmc: sdhci-xenon: fix PHY init clock stability
+
+From: Elad Nachman
+
+commit 8e9f25a290ae0016353c9ea13314c95fb3207812 upstream.
+
+Each time SD/mmc phy is initialized, at times, in some of
+the attempts, phy fails to completes its initialization
+which results into timeout error. Per the HW spec, it is
+a pre-requisite to ensure a stable SD clock before a phy
+initialization is attempted.
+
+Fixes: 06c8b667ff5b ("mmc: sdhci-xenon: Add support to PHYs of Marvell Xenon SDHC")
+Acked-by: Adrian Hunter
+Cc: stable@vger.kernel.org
+Signed-off-by: Elad Nachman
+Link: https://lore.kernel.org/r/20240222200930.1277665-1-enachman@marvell.com
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mmc/host/sdhci-xenon-phy.c | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+--- a/drivers/mmc/host/sdhci-xenon-phy.c
++++ b/drivers/mmc/host/sdhci-xenon-phy.c
+@@ -11,6 +11,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+
+ #include "sdhci-pltfm.h"
+@@ -218,6 +219,19 @@ static int xenon_alloc_emmc_phy(struct s
+ return 0;
+ }
+
++static int xenon_check_stability_internal_clk(struct sdhci_host *host)
++{
++ u32 reg;
++ int err;
++
++ err = read_poll_timeout(sdhci_readw, reg, reg & SDHCI_CLOCK_INT_STABLE,
++ 1100, 20000, false, host, SDHCI_CLOCK_CONTROL);
++ if (err)
++ dev_err(mmc_dev(host->mmc), "phy_init: Internal clock never stabilized.\n");
++
++ return err;
++}
++
+ /*
+ * eMMC 5.0/5.1 PHY init/re-init.
+ * eMMC PHY init should be executed after:
+@@ -234,6 +248,11 @@ static int xenon_emmc_phy_init(struct sd
+ struct xenon_priv *priv = sdhci_pltfm_priv(pltfm_host);
+ struct xenon_emmc_phy_regs *phy_regs = priv->emmc_phy_regs;
+
++ int ret = xenon_check_stability_internal_clk(host);
++
++ if (ret)
++ return ret;
++
+ reg = sdhci_readl(host, phy_regs->timing_adj);
+ reg |= XENON_PHY_INITIALIZAION;
+ sdhci_writel(host, reg, phy_regs->timing_adj);
diff --git a/queue-6.7/mtd-rawnand-marvell-fix-layouts.patch b/queue-6.7/mtd-rawnand-marvell-fix-layouts.patch
new file mode 100644
index 00000000000..dc51a5efb11
--- /dev/null
+++ b/queue-6.7/mtd-rawnand-marvell-fix-layouts.patch
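Review bot: The sleep interval and timeout passed to `read_poll_timeout()` in xenon_check_stability_internal_clk() are bare literals (`1100, 20000`) with no unit or origin stated, so a reader cannot tell whether they come from the hardware spec or from experiment. A one-line comment above the call would cover it, e.g. `/* poll every 1100 us, give up after 20000 us */`, or two named constants with a `_US` suffix. In xenon_emmc_phy_init() the register poll is hidden inside a declaration initialiser after a blank line; `int ret;` with the other locals and a separate `ret = xenon_check_stability_internal_clk(host);` reads more plainly. Because the sleep interval is non-zero the helper can sleep, and whether every caller of xenon_emmc_phy_init() runs in sleepable context is not visible from this hunk, whose function body starts and ends outside it.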
@@ -0,0 +1,49 @@
+From e6a30d0c48a1e8a68f1cc413bee65302ab03ddfb Mon Sep 17 00:00:00 2001
+From: Elad Nachman
+Date: Mon, 5 Feb 2024 15:44:35 +0200
+Subject: mtd: rawnand: marvell: fix layouts
+
+From: Elad Nachman
+
+commit e6a30d0c48a1e8a68f1cc413bee65302ab03ddfb upstream.
+
+The check in nand_base.c, nand_scan_tail() : has the following code:
+(ecc->steps * ecc->size != mtd->writesize) which fails for some NAND chips.
+Remove ECC entries in this driver which are not integral multiplications,
+and adjust the number of chunks for entries which fails the above
+calculation so it will calculate correctly (this was previously done
+automatically before the check and was removed in a later commit).
+
+Fixes: 68c18dae6888 ("mtd: rawnand: marvell: add missing layouts")
+Cc: stable@vger.kernel.org
+Signed-off-by: Elad Nachman
+Signed-off-by: Miquel Raynal
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mtd/nand/raw/marvell_nand.c | 13 +++++--------
+ 1 file changed, 5 insertions(+), 8 deletions(-)
+
+--- a/drivers/mtd/nand/raw/marvell_nand.c
++++ b/drivers/mtd/nand/raw/marvell_nand.c
+@@ -290,16 +290,13 @@ static const struct marvell_hw_ecc_layou
+ MARVELL_LAYOUT( 2048, 512, 4, 1, 1, 2048, 32, 30, 0, 0, 0),
+ MARVELL_LAYOUT( 2048, 512, 8, 2, 1, 1024, 0, 30,1024,32, 30),
+ MARVELL_LAYOUT( 2048, 512, 8, 2, 1, 1024, 0, 30,1024,64, 30),
+- MARVELL_LAYOUT( 2048, 512, 12, 3, 2, 704, 0, 30,640, 0, 30),
+- MARVELL_LAYOUT( 2048, 512, 16, 5, 4, 512, 0, 30, 0, 32, 30),
++ MARVELL_LAYOUT( 2048, 512, 16, 4, 4, 512, 0, 30, 0, 32, 30),
+ MARVELL_LAYOUT( 4096, 512, 4, 2, 2, 2048, 32, 30, 0, 0, 0),
+- MARVELL_LAYOUT( 4096, 512, 8, 5, 4, 1024, 0, 30, 0, 64, 30),
+- MARVELL_LAYOUT( 4096, 512, 12, 6, 5, 704, 0, 30,576, 32, 30),
+- MARVELL_LAYOUT( 4096, 512, 16, 9, 8, 512, 0, 30, 0, 32, 30),
++ MARVELL_LAYOUT( 4096, 512, 8, 4, 4, 1024, 0, 30, 0, 64, 30),
++ MARVELL_LAYOUT( 4096, 512, 16, 8, 8, 512, 0, 30, 0, 32, 30),
+ MARVELL_LAYOUT( 8192, 512, 4, 4, 4, 2048, 0, 30, 0, 0, 0),
+- MARVELL_LAYOUT( 8192, 512, 8, 9, 8, 1024, 0, 30, 0, 160, 30),
+- MARVELL_LAYOUT( 8192, 512, 12, 12, 11, 704, 0, 30,448, 64, 30),
+- MARVELL_LAYOUT( 8192, 512, 16, 17, 16, 512, 0, 30, 0, 32, 30),
++ MARVELL_LAYOUT( 8192, 512, 8, 8, 8, 1024, 0, 30, 0, 160, 30),
++ MARVELL_LAYOUT( 8192, 512, 16, 16, 16, 512, 0, 30, 0, 32, 30),
+ };
+
+ /**
diff --git a/queue-6.7/revert-drm-amd-pm-resolve-reboot-exception-for-si-oland.patch b/queue-6.7/revert-drm-amd-pm-resolve-reboot-exception-for-si-oland.patch
new file mode 100644
index 00000000000..0966a77105d
--- /dev/null
+++ b/queue-6.7/revert-drm-amd-pm-resolve-reboot-exception-for-si-oland.patch
@@ -0,0 +1,69 @@
+From 955558030954b9637b41c97b730f9b38c92ac488 Mon Sep 17 00:00:00 2001
+From: Alex Deucher
+Date: Wed, 9 Aug 2023 15:06:00 -0400
+Subject: Revert "drm/amd/pm: resolve reboot exception for si oland"
+
+From: Alex Deucher
+
+commit 955558030954b9637b41c97b730f9b38c92ac488 upstream.
+
+This reverts commit e490d60a2f76bff636c68ce4fe34c1b6c34bbd86.
+
+This causes hangs on SI when DC is enabled and errors on driver
+reboot and power off cycles.
+
+Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3216
+Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/2755
+Reviewed-by: Yang Wang
+Signed-off-by: Alex Deucher
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c | 29 +++++++++++++++++++++++++++++
+ 1 file changed, 29 insertions(+)
+
+--- a/drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c
++++ b/drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c
+@@ -6925,6 +6925,23 @@ static int si_dpm_enable(struct amdgpu_d
+ return 0;
+ }
+
++static int si_set_temperature_range(struct amdgpu_device *adev)
++{
++ int ret;
++
++ ret = si_thermal_enable_alert(adev, false);
++ if (ret)
++ return ret;
++ ret = si_thermal_set_temperature_range(adev, R600_TEMP_RANGE_MIN, R600_TEMP_RANGE_MAX);
++ if (ret)
++ return ret;
++ ret = si_thermal_enable_alert(adev, true);
++ if (ret)
++ return ret;
++
++ return ret;
++}
++
+ static void si_dpm_disable(struct amdgpu_device *adev)
+ {
+ struct rv7xx_power_info *pi = rv770_get_pi(adev);
+@@ -7608,6 +7625,18 @@ static int si_dpm_process_interrupt(stru
+
+ static int si_dpm_late_init(void *handle)
+ {
++ int ret;
++ struct amdgpu_device *adev = (struct amdgpu_device *)handle;
++
++ if (!adev->pm.dpm_enabled)
++ return 0;
++
++ ret = si_set_temperature_range(adev);
++ if (ret)
++ return ret;
++#if 0 //TODO ?
++ si_dpm_powergate_uvd(adev, true);
++#endif
+ return 0;
+ }
+
diff --git a/queue-6.7/series b/queue-6.7/series
index 08ee3e06a10..78f5fdedf9b 100644
--- a/queue-6.7/series
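Review bot: In the restored si_set_temperature_range(), a failure of `si_thermal_set_temperature_range()` returns straight after `si_thermal_enable_alert(adev, false)`, so that error path exits without the matching `si_thermal_enable_alert(adev, true)`; going by the helper's name, that would leave the thermal alert off. Re-arming it before the return keeps the alert state independent of the range update, e.g. `if (ret) { si_thermal_enable_alert(adev, true); return ret; }`. The last `if (ret) return ret;` before `return ret;` is redundant, and the `#if 0 //TODO ?` block in si_dpm_late_init() is dead code that a one-line comment would replace more clearly. This is a revert, so these lines reproduce earlier code; the points apply to the code as it stands after the patch.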
+++ b/queue-6.7/series
@@ -79,3 +79,26 @@ alsa-hda-realtek-enable-mute-led-on-hp-840-g8-mb-8ab8.patch
 alsa-hda-realtek-fix-mute-micmute-led-for-hp-mt440.patch
 alsa-hda-realtek-add-special-fixup-for-lenovo-14irp8.patch
 bluetooth-hci_bcm4377-do-not-mark-valid-bd_addr-as-invalid.patch
+landlock-fix-asymmetric-private-inodes-referring.patch
+gtp-fix-use-after-free-and-null-ptr-deref-in-gtp_newlink.patch
+mm-cachestat-fix-folio-read-after-free-in-cache-walk.patch
+mtd-rawnand-marvell-fix-layouts.patch
+wifi-nl80211-reject-iftype-change-with-mesh-id-change.patch
+btrfs-fix-double-free-of-anonymous-device-after-snapshot-creation-failure.patch
+btrfs-dev-replace-properly-validate-device-names.patch
+btrfs-send-don-t-issue-unnecessary-zero-writes-for-trailing-hole.patch
+revert-drm-amd-pm-resolve-reboot-exception-for-si-oland.patch
+drm-buddy-fix-range-bias.patch
+drm-amdgpu-pm-fix-the-power1_min_cap-value.patch
+drm-amd-display-add-monitor-patch-for-specific-edp.patch
+soc-qcom-pmic_glink-fix-boot-when-qrtr-m.patch
+dmaengine-fsl-qdma-fix-soc-may-hang-on-16-byte-unaligned-read.patch
+crypto-arm64-neonbs-fix-out-of-bounds-access-on-short-input.patch
+dmaengine-ptdma-use-consistent-dma-masks.patch
+dmaengine-fsl-edma-correct-calculation-of-nbytes-in-multi-fifo-scenario.patch
+dmaengine-fsl-qdma-init-irq-after-reg-initialization.patch
+mmc-mmci-stm32-fix-dma-api-overlapping-mappings-warning.patch
+mmc-core-fix-emmc-initialization-with-1-bit-bus-connection.patch
+mmc-sdhci-xenon-add-timeout-for-phy-init-complete.patch
+mmc-sdhci-xenon-fix-phy-init-clock-stability.patch
+ceph-switch-to-corrected-encoding-of-max_xattr_size-in-mdsmap.patch
diff --git a/queue-6.7/soc-qcom-pmic_glink-fix-boot-when-qrtr-m.patch b/queue-6.7/soc-qcom-pmic_glink-fix-boot-when-qrtr-m.patch
new file mode 100644
index 00000000000..f76c7aa58b9
--- /dev/null
+++ b/queue-6.7/soc-qcom-pmic_glink-fix-boot-when-qrtr-m.patch
@@ -0,0 +1,95 @@
+From f79ee78767ca60e7a2c89eacd2dbdf237d97e838 Mon Sep 17 00:00:00 2001
+From: Rob Clark
+Date: Sat, 17 Feb 2024 16:02:26 +0100
+Subject: soc: qcom: pmic_glink: Fix boot when QRTR=m
+
+From: Rob Clark
+
+commit f79ee78767ca60e7a2c89eacd2dbdf237d97e838 upstream.
+
+We need to bail out before adding/removing devices if we are going to
+-EPROBE_DEFER. Otherwise boot can get stuck in a probe deferral loop due
+to a long-standing issue in driver core (see commit fbc35b45f9f6 ("Add
+documentation on meaning of -EPROBE_DEFER")).
+
+Deregistering the altmode child device can potentially also trigger bugs
+in the DRM bridge implementation, which does not expect bridges to go
+away.
+
+[DB: slightly fixed commit message by adding the word 'commit']
+Suggested-by: Dmitry Baryshkov
+Signed-off-by: Rob Clark
+Link: https://lore.kernel.org/r/20231213210644.8702-1-robdclark@gmail.com
+[ johan: rebase on 6.8-rc4, amend commit message and mention DRM ]
+Fixes: 58ef4ece1e41 ("soc: qcom: pmic_glink: Introduce base PMIC GLINK driver")
+Cc: # 6.3
+Cc: Bjorn Andersson
+Signed-off-by: Johan Hovold
+Reviewed-by: Bjorn Andersson
+Reviewed-by: Dmitry Baryshkov
+Reviewed-by: Neil Armstrong
+Signed-off-by: Dmitry Baryshkov
+Link: https://patchwork.freedesktop.org/patch/msgid/20240217150228.5788-5-johan+linaro@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/soc/qcom/pmic_glink.c | 21 +++++++++++----------
+ 1 file changed, 11 insertions(+), 10 deletions(-)
+
+--- a/drivers/soc/qcom/pmic_glink.c
++++ b/drivers/soc/qcom/pmic_glink.c
+@@ -268,10 +268,17 @@ static int pmic_glink_probe(struct platf
+ else
+ pg->client_mask = PMIC_GLINK_CLIENT_DEFAULT;
+
++ pg->pdr = pdr_handle_alloc(pmic_glink_pdr_callback, pg);
++ if (IS_ERR(pg->pdr)) {
++ ret = dev_err_probe(&pdev->dev, PTR_ERR(pg->pdr),
++ "failed to initialize pdr\n");
++ return ret;
++ }
++
+ if (pg->client_mask & BIT(PMIC_GLINK_CLIENT_UCSI)) {
+ ret = pmic_glink_add_aux_device(pg, &pg->ucsi_aux, "ucsi");
+ if (ret)
+- return ret;
++ goto out_release_pdr_handle;
+ }
+ if (pg->client_mask & BIT(PMIC_GLINK_CLIENT_ALTMODE)) {
+ ret = pmic_glink_add_aux_device(pg, &pg->altmode_aux, "altmode");
+@@ -284,17 +291,11 @@ static int pmic_glink_probe(struct platf
+ goto out_release_altmode_aux;
+ }
+
+- pg->pdr = pdr_handle_alloc(pmic_glink_pdr_callback, pg);
+- if (IS_ERR(pg->pdr)) {
+- ret = dev_err_probe(&pdev->dev, PTR_ERR(pg->pdr), "failed to initialize pdr\n");
+- goto out_release_aux_devices;
+- }
+-
+ service = pdr_add_lookup(pg->pdr, "tms/servreg", "msm/adsp/charger_pd");
+ if (IS_ERR(service)) {
+ ret = dev_err_probe(&pdev->dev, PTR_ERR(service),
+ "failed adding pdr lookup for charger_pd\n");
+- goto out_release_pdr_handle;
++ goto out_release_aux_devices;
+ }
+
+ mutex_lock(&__pmic_glink_lock);
+@@ -303,8 +304,6 @@ static int pmic_glink_probe(struct platf
+
+ return 0;
+
+-out_release_pdr_handle:
+- pdr_handle_release(pg->pdr);
+ out_release_aux_devices:
+ if (pg->client_mask & BIT(PMIC_GLINK_CLIENT_BATT))
+ pmic_glink_del_aux_device(pg, &pg->ps_aux);
+@@ -314,6 +313,8 @@ out_release_altmode_aux:
+ out_release_ucsi_aux:
+ if (pg->client_mask & BIT(PMIC_GLINK_CLIENT_UCSI))
+ pmic_glink_del_aux_device(pg, &pg->ucsi_aux);
++out_release_pdr_handle:
++ pdr_handle_release(pg->pdr);
+
+ return ret;
+ }
diff --git a/queue-6.7/wifi-nl80211-reject-iftype-change-with-mesh-id-change.patch b/queue-6.7/wifi-nl80211-reject-iftype-change-with-mesh-id-change.patch
new file mode 100644
index 00000000000..9f82436a440
--- /dev/null
+++ b/queue-6.7/wifi-nl80211-reject-iftype-change-with-mesh-id-change.patch
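Review bot: Nothing in the new code records why `pdr_handle_alloc()` now has to run before the first `pmic_glink_add_aux_device()` call in pmic_glink_probe(), so a later cleanup could move it back and reintroduce the deferral loop the commit message describes. A comment above the allocation would pin the ordering, e.g. `/* Must precede aux device registration: a failure here, including probe deferral, has to return before any child device exists. */`. The early exit can also collapse to `return dev_err_probe(&pdev->dev, PTR_ERR(pg->pdr), "failed to initialize pdr\n");`. The `pdr_add_lookup()` failure path still runs after the aux devices are added and removes them again; whether that call can return a deferral is not visible here and is worth confirming. The function starts outside the visible hunks.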
@@ -0,0 +1,42 @@
+From f78c1375339a291cba492a70eaf12ec501d28a8e Mon Sep 17 00:00:00 2001
+From: Johannes Berg
+Date: Wed, 14 Feb 2024 20:08:35 +0100
+Subject: wifi: nl80211: reject iftype change with mesh ID change
+
+From: Johannes Berg
+
+commit f78c1375339a291cba492a70eaf12ec501d28a8e upstream.
+
+It's currently possible to change the mesh ID when the
+interface isn't yet in mesh mode, at the same time as
+changing it into mesh mode. This leads to an overwrite
+of data in the wdev->u union for the interface type it
+currently has, causing cfg80211_change_iface() to do
+wrong things when switching.
+
+We could probably allow setting an interface to mesh
+while setting the mesh ID at the same time by doing a
+different order of operations here, but realistically
+there's no userspace that's going to do this, so just
+disallow changes in iftype when setting mesh ID.
+
+Cc: stable@vger.kernel.org
+Fixes: 29cbe68c516a ("cfg80211/mac80211: add mesh join/leave commands")
+Reported-by: syzbot+dd4779978217b1973180@syzkaller.appspotmail.com
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/wireless/nl80211.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -4185,6 +4185,8 @@ static int nl80211_set_interface(struct
+
+ if (ntype != NL80211_IFTYPE_MESH_POINT)
+ return -EINVAL;
++ if (otype != NL80211_IFTYPE_MESH_POINT)
++ return -EINVAL;
+ if (netif_running(dev))
+ return -EBUSY;
+
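Review bot: The added `otype` test in nl80211_set_interface() sits next to the existing `ntype` test with no comment, so the pair reads as redundant and a later cleanup could merge or relax it. The reason is only in the commit message: the mesh ID is stored in the `wdev->u` union, and writing it while the interface still has another type overwrites that type's data. A comment above the new check would keep that invariant with the code, e.g. `/* mesh ID lives in the per-iftype wdev->u union; only accept it when the interface is already a mesh point */`. The write to the union and the rest of the function are outside the hunk, so it cannot be confirmed here that no other path sets the mesh ID before the type check.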