From: Greg Kroah-Hartman Date: Fri, 26 May 2023 19:08:00 +0000 (+0100) Subject: 6.3-stable patches X-Git-Tag: review~68 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=abda49f032209949f664dd21c8d501dfc2a0d179;p=thirdparty%2Fkernel%2Fstable-queue.git 6.3-stable patches added patches: alsa-hda-ca0132-add-quirk-for-evga-x299-dark.patch alsa-hda-fix-unhandled-register-update-during-auto-suspend-period.patch alsa-hda-realtek-enable-headset-onlenovo-m70-m90.patch asoc-rt5682-disable-jack-detection-interrupt-during-suspend.patch cifs-fix-cifs_limit_bvec_subset-to-correctly-check-the-maxmimum-size.patch cifs-fix-smb1-mount-regression.patch ipv-4-6-raw-fix-output-xfrm-lookup-wrt-protocol.patch m68k-move-signal-frame-following-exception-on-68020-030.patch mmc-block-ensure-error-propagation-for-non-blk.patch mmc-sdhci-esdhc-imx-make-no-mmc-hs400-works.patch net-cdc_ncm-deal-with-too-low-values-of-dwntboutmaxsize.patch parisc-allow-to-reboot-machine-after-system-halt.patch parisc-enable-lockdep-support.patch parisc-fix-flush_dcache_page-for-usage-from-irq-context.patch parisc-handle-kgdb-breakpoints-only-in-kernel-context.patch parisc-handle-kprobes-breakpoints-only-in-kernel-context.patch parisc-use-num_present_cpus-in-alternative-patching-code.patch platform-x86-intel-ifs-annotate-work-queue-on-stack-so-object-debug-does-not-complain.patch power-supply-axp288_fuel_gauge-fix-external_power_changed-race.patch power-supply-bq25890-fix-external_power_changed-race.patch sunrpc-don-t-change-task-tk_status-after-the-call-to-rpc_exit_task.patch x86-mm-avoid-incomplete-global-invlpg-flushes.patch xtensa-add-__bswap-si-di-2-helpers.patch xtensa-fix-signal-delivery-to-fdpic-process.patch --- diff --git a/queue-6.3/alsa-hda-ca0132-add-quirk-for-evga-x299-dark.patch b/queue-6.3/alsa-hda-ca0132-add-quirk-for-evga-x299-dark.patch new file mode 100644 index 00000000000..3bca9071021 --- /dev/null +++ b/queue-6.3/alsa-hda-ca0132-add-quirk-for-evga-x299-dark.patch 
@@ -0,0 +1,33 @@
+From 7843380d07bbeffd3ce6504e73cf61f840ae76ca Mon Sep 17 00:00:00 2001
+From: Adam Stylinski
+Date: Sun, 21 May 2023 10:52:23 -0400
+Subject: ALSA: hda/ca0132: add quirk for EVGA X299 DARK
+
+From: Adam Stylinski
+
+commit 7843380d07bbeffd3ce6504e73cf61f840ae76ca upstream.
+
+This quirk is necessary for surround and other DSP effects to work
+with the onboard ca0132 based audio chipset for the EVGA X299 dark
+mainboard.
+
+Signed-off-by: Adam Stylinski
+Cc:
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=67071
+Link: https://lore.kernel.org/r/ZGopOe19T1QOwizS@eggsbenedict.adamsnet
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/pci/hda/patch_ca0132.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_ca0132.c
++++ b/sound/pci/hda/patch_ca0132.c
+@@ -1306,6 +1306,7 @@ static const struct snd_pci_quirk ca0132
+ SND_PCI_QUIRK(0x1458, 0xA026, "Gigabyte G1.Sniper Z97", QUIRK_R3DI),
+ SND_PCI_QUIRK(0x1458, 0xA036, "Gigabyte GA-Z170X-Gaming 7", QUIRK_R3DI),
+ SND_PCI_QUIRK(0x3842, 0x1038, "EVGA X99 Classified", QUIRK_R3DI),
++ SND_PCI_QUIRK(0x3842, 0x104b, "EVGA X299 Dark", QUIRK_R3DI),
+ SND_PCI_QUIRK(0x3842, 0x1055, "EVGA Z390 DARK", QUIRK_R3DI),
+ SND_PCI_QUIRK(0x1102, 0x0013, "Recon3D", QUIRK_R3D),
+ SND_PCI_QUIRK(0x1102, 0x0018, "Recon3D", QUIRK_R3D),
diff --git a/queue-6.3/alsa-hda-fix-unhandled-register-update-during-auto-suspend-period.patch b/queue-6.3/alsa-hda-fix-unhandled-register-update-during-auto-suspend-period.patch
new file mode 100644
index 00000000000..ef02319d858
--- /dev/null
+++ b/queue-6.3/alsa-hda-fix-unhandled-register-update-during-auto-suspend-period.patch
@@ -0,0 +1,67 @@ +From 81302b1c7c997e8a56c1c2fc63a296ebeb0cd2d0 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Thu, 18 May 2023 13:35:20 +0200 +Subject: ALSA: hda: Fix unhandled register update during auto-suspend period +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Takashi Iwai + +commit 81302b1c7c997e8a56c1c2fc63a296ebeb0cd2d0 upstream. + +It's reported that the recording started right after the driver probe +doesn't work properly, and it turned out that this is related with the +codec auto-suspend. Namely, after the probe phase, the usage count +goes zero, and the auto-suspend is programmed, but the codec is kept +still active until the auto-suspend expiration. When an application +(e.g. alsactl) updates the mixer values at this moment, the values are +cached but not actually written. Then, starting arecord thereafter +also results in the silence because of the missing unmute. + +The root cause is the handling of "lazy update" mode; when a mixer +value is updated *after* the suspend, it should update only the cache +and exits. At the resume, the cached value is written to the device, +in turn. The problem is that the current code misinterprets the state +of auto-suspend as if it were already suspended. + +Although we can add the check of the actual device state after +pm_runtime_get_if_in_use() for catching the missing state, this won't +suffice; the second call of regmap_update_bits_check() will skip +writing the register because the cache has been already updated by the +first call. So we'd need fixes in two different places. + +OTOH, a simpler fix is to replace pm_runtime_get_if_in_use() with +pm_runtime_get_if_active() (with ign_usage_count=true). This change +implies that the driver takes the pm refcount if the device is still +in ACTIVE state and continues the processing. A small caveat is that +this will leave the auto-suspend timer. 
But, since the timer callback +itself checks the device state and aborts gracefully when it's active, +this won't be any substantial problem. + +Long story short: we address the missing register-write problem just +by replacing the pm_runtime_*() call in snd_hda_keep_power_up(). + +Fixes: fc4f000bf8c0 ("ALSA: hda - Fix unexpected resume through regmap code path") +Reported-by: Amadeusz Sławiński +Closes: https://lore.kernel.org/r/a7478636-af11-92ab-731c-9b13c582a70d@linux.intel.com +Suggested-by: Cezary Rojewski +Cc: +Link: https://lore.kernel.org/r/20230518113520.15213-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/hda/hdac_device.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/hda/hdac_device.c ++++ b/sound/hda/hdac_device.c +@@ -611,7 +611,7 @@ EXPORT_SYMBOL_GPL(snd_hdac_power_up_pm); + int snd_hdac_keep_power_up(struct hdac_device *codec) + { + if (!atomic_inc_not_zero(&codec->in_pm)) { +- int ret = pm_runtime_get_if_in_use(&codec->dev); ++ int ret = pm_runtime_get_if_active(&codec->dev, true); + if (!ret) + return -1; + if (ret < 0) diff --git a/queue-6.3/alsa-hda-realtek-enable-headset-onlenovo-m70-m90.patch b/queue-6.3/alsa-hda-realtek-enable-headset-onlenovo-m70-m90.patch new file mode 100644 index 00000000000..0c41d450059 --- /dev/null +++ b/queue-6.3/alsa-hda-realtek-enable-headset-onlenovo-m70-m90.patch 
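Review bot: The replaced call in snd_hdac_keep_power_up() passes a bare `true` to pm_runtime_get_if_active(), and nothing at the call site says why the usage count is ignored. A short comment would keep the reasoning from the commit message next to the code, for example `/* ign_usage_count=true: a codec still ACTIVE while waiting for autosuspend counts as powered, otherwise the write only reaches the regmap cache */`. The function body continues past the end of the hunk, so where the reference taken here is dropped is not visible; that is worth confirming, because the get now succeeds in more states than before.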
@@ -0,0 +1,33 @@
+From 4ca110cab46561cd74a2acd9b447435acb4bec5f Mon Sep 17 00:00:00 2001
+From: Bin Li
+Date: Wed, 24 May 2023 19:37:55 +0800
+Subject: ALSA: hda/realtek: Enable headset onLenovo M70/M90
+
+From: Bin Li
+
+commit 4ca110cab46561cd74a2acd9b447435acb4bec5f upstream.
+
+Lenovo M70/M90 Gen4 are equipped with ALC897, and they need
+ALC897_FIXUP_HEADSET_MIC_PIN quirk to make its headset mic work.
+The previous quirk for M70/M90 is for Gen3.
+
+Signed-off-by: Bin Li
+Cc:
+Link: https://lore.kernel.org/r/20230524113755.1346928-1-bin.li@canonical.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/pci/hda/patch_realtek.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -11699,6 +11699,8 @@ static const struct snd_pci_quirk alc662
+ SND_PCI_QUIRK(0x17aa, 0x32cb, "Lenovo ThinkCentre M70", ALC897_FIXUP_HEADSET_MIC_PIN),
+ SND_PCI_QUIRK(0x17aa, 0x32cf, "Lenovo ThinkCentre M950", ALC897_FIXUP_HEADSET_MIC_PIN),
+ SND_PCI_QUIRK(0x17aa, 0x32f7, "Lenovo ThinkCentre M90", ALC897_FIXUP_HEADSET_MIC_PIN),
++ SND_PCI_QUIRK(0x17aa, 0x3321, "Lenovo ThinkCentre M70 Gen4", ALC897_FIXUP_HEADSET_MIC_PIN),
++ SND_PCI_QUIRK(0x17aa, 0x331b, "Lenovo ThinkCentre M90 Gen4", ALC897_FIXUP_HEADSET_MIC_PIN),
+ SND_PCI_QUIRK(0x17aa, 0x3742, "Lenovo TianYi510Pro-14IOB", ALC897_FIXUP_HEADSET_MIC_PIN2),
+ SND_PCI_QUIRK(0x17aa, 0x38af, "Lenovo Ideapad Y550P", ALC662_FIXUP_IDEAPAD),
+ SND_PCI_QUIRK(0x17aa, 0x3a0d, "Lenovo Ideapad Y550", ALC662_FIXUP_IDEAPAD),
diff --git a/queue-6.3/asoc-rt5682-disable-jack-detection-interrupt-during-suspend.patch b/queue-6.3/asoc-rt5682-disable-jack-detection-interrupt-during-suspend.patch
new file mode 100644
index 00000000000..5003ea3559c
--- /dev/null
+++ b/queue-6.3/asoc-rt5682-disable-jack-detection-interrupt-during-suspend.patch
@@ -0,0 +1,85 @@ +From 8b271370e963370703819bd9795a54d658071bed Mon Sep 17 00:00:00 2001 +From: Matthias Kaehlcke +Date: Tue, 16 May 2023 16:46:30 +0000 +Subject: ASoC: rt5682: Disable jack detection interrupt during suspend + +From: Matthias Kaehlcke + +commit 8b271370e963370703819bd9795a54d658071bed upstream. + +The rt5682 driver switches its regmap to cache-only when the +device suspends and back to regular mode on resume. When the +jack detect interrupt fires rt5682_irq() schedules the jack +detect work. This can result in invalid reads from the regmap +in cache-only mode if the work runs before the device has +resumed: + +[ 56.245502] rt5682 9-001a: ASoC: error at soc_component_read_no_lock on rt5682.9-001a for register: [0x000000f0] -16 + +Disable the jack detection interrupt during suspend and +re-enable it on resume. The driver already schedules the +jack detection work on resume, so any state change during +suspend is still handled. + +This is essentially the same as commit f7d00a9be147 ("SoC: +rt5682s: Disable jack detection interrupt during suspend") +for the rt5682s. 
+ +Cc: stable@kernel.org +Signed-off-by: Matthias Kaehlcke +--- + sound/soc/codecs/rt5682-i2c.c | 4 +++- + sound/soc/codecs/rt5682.c | 6 ++++++ + sound/soc/codecs/rt5682.h | 1 + + 3 files changed, 10 insertions(+), 1 deletion(-) + +--- a/sound/soc/codecs/rt5682-i2c.c ++++ b/sound/soc/codecs/rt5682-i2c.c +@@ -267,7 +267,9 @@ static int rt5682_i2c_probe(struct i2c_c + ret = devm_request_threaded_irq(&i2c->dev, i2c->irq, NULL, + rt5682_irq, IRQF_TRIGGER_RISING | IRQF_TRIGGER_FALLING + | IRQF_ONESHOT, "rt5682", rt5682); +- if (ret) ++ if (!ret) ++ rt5682->irq = i2c->irq; ++ else + dev_err(&i2c->dev, "Failed to reguest IRQ: %d\n", ret); + } + +--- a/sound/soc/codecs/rt5682.c ++++ b/sound/soc/codecs/rt5682.c +@@ -2959,6 +2959,9 @@ static int rt5682_suspend(struct snd_soc + if (rt5682->is_sdw) + return 0; + ++ if (rt5682->irq) ++ disable_irq(rt5682->irq); ++ + cancel_delayed_work_sync(&rt5682->jack_detect_work); + cancel_delayed_work_sync(&rt5682->jd_check_work); + if (rt5682->hs_jack && (rt5682->jack_type & SND_JACK_HEADSET) == SND_JACK_HEADSET) { +@@ -3027,6 +3030,9 @@ static int rt5682_resume(struct snd_soc_ + mod_delayed_work(system_power_efficient_wq, + &rt5682->jack_detect_work, msecs_to_jiffies(0)); + ++ if (rt5682->irq) ++ enable_irq(rt5682->irq); ++ + return 0; + } + #else +--- a/sound/soc/codecs/rt5682.h ++++ b/sound/soc/codecs/rt5682.h +@@ -1462,6 +1462,7 @@ struct rt5682_priv { + int pll_out[RT5682_PLLS]; + + int jack_type; ++ int irq; + int irq_work_delay_time; + }; + diff --git a/queue-6.3/cifs-fix-cifs_limit_bvec_subset-to-correctly-check-the-maxmimum-size.patch b/queue-6.3/cifs-fix-cifs_limit_bvec_subset-to-correctly-check-the-maxmimum-size.patch new file mode 100644 index 00000000000..36996cb3637 --- /dev/null +++ b/queue-6.3/cifs-fix-cifs_limit_bvec_subset-to-correctly-check-the-maxmimum-size.patch 
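Review bot: The new `int irq;` member of struct rt5682_priv in rt5682.h has no comment, yet rt5682_suspend() and rt5682_resume() treat a zero value as meaning that no interrupt was requested. In the visible hunks only rt5682_i2c_probe() assigns it, and only when devm_request_threaded_irq() succeeded, so a comment such as `int irq; /* set by the I2C probe once the jack-detect IRQ is requested; 0 means none */` would make that contract explicit. The disable_irq()/enable_irq() pair has to stay balanced, and both function bodies extend outside their hunks, so any early return in rt5682_resume() ahead of the added enable_irq() should be checked.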
@@ -0,0 +1,49 @@
+From 4ef4aee67eed640064fff95a693c0184cedb7bec Mon Sep 17 00:00:00 2001
+From: David Howells
+Date: Tue, 23 May 2023 13:48:41 +0100
+Subject: cifs: Fix cifs_limit_bvec_subset() to correctly check the maxmimum size
+
+From: David Howells
+
+commit 4ef4aee67eed640064fff95a693c0184cedb7bec upstream.
+
+Fix cifs_limit_bvec_subset() so that it limits the span to the maximum
+specified and won't return with a size greater than max_size.
+
+Fixes: d08089f649a0 ("cifs: Change the I/O paths to use an iterator rather than a page list")
+Cc: stable@vger.kernel.org # 6.3
+Reported-by: Shyam Prasad N
+Reviewed-by: Shyam Prasad N
+Signed-off-by: David Howells
+cc: Steve French
+cc: Rohith Surabattula
+cc: Paulo Alcantara
+cc: Tom Talpey
+cc: Jeff Layton
+cc: linux-cifs@vger.kernel.org
+cc: linux-fsdevel@vger.kernel.org
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/cifs/file.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/cifs/file.c b/fs/cifs/file.c
+index ba7f2e09d6c8..df88b8c04d03 100644
+--- a/fs/cifs/file.c
++++ b/fs/cifs/file.c
+@@ -3353,9 +3353,10 @@ static size_t cifs_limit_bvec_subset(const struct iov_iter *iter, size_t max_siz
+ while (n && ix < nbv) {
+ len = min3(n, bvecs[ix].bv_len - skip, max_size);
+ span += len;
++ max_size -= len;
+ nsegs++;
+ ix++;
+- if (span >= max_size || nsegs >= max_segs)
++ if (max_size == 0 || nsegs >= max_segs)
+ break;
+ skip = 0;
+ n -= len;
+--
+2.40.1
+
diff --git a/queue-6.3/cifs-fix-smb1-mount-regression.patch b/queue-6.3/cifs-fix-smb1-mount-regression.patch
new file mode 100644
index 00000000000..a397082377d
--- /dev/null
+++ b/queue-6.3/cifs-fix-smb1-mount-regression.patch
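Review bot: The fix in cifs_limit_bvec_subset() turns the `max_size` parameter into a running remainder (`max_size -= len;`), which is easy to misread because the name still suggests the caller's fixed limit. A local such as `size_t remaining = max_size;`, or a one-line comment like `/* max_size is consumed as the byte budget still available */`, would make the new exit test `if (max_size == 0 || nsegs >= max_segs)` self-explanatory. From the visible lines, a call with max_size equal to 0 still counts one zero-length segment before breaking; whether any caller can pass 0 is not visible here. The function starts and ends outside the hunk.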
@@ -0,0 +1,40 @@
+From 72a7804a667eeac98888610521179f0418883158 Mon Sep 17 00:00:00 2001
+From: Paulo Alcantara
+Date: Tue, 23 May 2023 17:38:38 -0300
+Subject: cifs: fix smb1 mount regression
+
+From: Paulo Alcantara
+
+commit 72a7804a667eeac98888610521179f0418883158 upstream.
+
+cifs.ko maps NT_STATUS_NOT_FOUND to -EIO when SMB1 servers couldn't
+resolve referral paths. Proceed to tree connect when we get -EIO from
+dfs_get_referral() as well.
+
+Reported-by: Kris Karas (Bug Reporting)
+Tested-by: Woody Suwalski
+Fixes: 8e3554150d6c ("cifs: fix sharing of DFS connections")
+Cc: stable@vger.kernel.org # v6.2+
+Signed-off-by: Paulo Alcantara (SUSE)
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/cifs/dfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/cifs/dfs.c b/fs/cifs/dfs.c
+index a93dbca1411b..2f93bf8c3325 100644
+--- a/fs/cifs/dfs.c
++++ b/fs/cifs/dfs.c
+@@ -303,7 +303,7 @@ int dfs_mount_share(struct cifs_mount_ctx *mnt_ctx, bool *isdfs)
+ if (!nodfs) {
+ rc = dfs_get_referral(mnt_ctx, ctx->UNC + 1, NULL, NULL);
+ if (rc) {
+- if (rc != -ENOENT && rc != -EOPNOTSUPP)
++ if (rc != -ENOENT && rc != -EOPNOTSUPP && rc != -EIO)
+ goto out;
+ nodfs = true;
+ }
+--
+2.40.1
+
diff --git a/queue-6.3/ipv-4-6-raw-fix-output-xfrm-lookup-wrt-protocol.patch b/queue-6.3/ipv-4-6-raw-fix-output-xfrm-lookup-wrt-protocol.patch
new file mode 100644
index 00000000000..6dc6bf51633
--- /dev/null
+++ b/queue-6.3/ipv-4-6-raw-fix-output-xfrm-lookup-wrt-protocol.patch
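Review bot: The widened test in dfs_mount_share() now treats every -EIO from dfs_get_referral() as "not a DFS share", but -EIO is a generic error and the code does not record that here it stands for NT_STATUS_NOT_FOUND from SMB1 servers. A comment on the condition, for example `/* SMB1 maps NT_STATUS_NOT_FOUND to -EIO; treat it like -ENOENT and fall back to a plain tree connect */`, would stop a later cleanup from removing or broadening it. It is also worth confirming that a genuine transport failure returning -EIO at this point is still reported by the tree connect that follows, since that code lies outside the hunk.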
@@ -0,0 +1,125 @@ +From 3632679d9e4f879f49949bb5b050e0de553e4739 Mon Sep 17 00:00:00 2001 +From: Nicolas Dichtel +Date: Mon, 22 May 2023 14:08:20 +0200 +Subject: ipv{4,6}/raw: fix output xfrm lookup wrt protocol + +From: Nicolas Dichtel + +commit 3632679d9e4f879f49949bb5b050e0de553e4739 upstream. + +With a raw socket bound to IPPROTO_RAW (ie with hdrincl enabled), the +protocol field of the flow structure, build by raw_sendmsg() / +rawv6_sendmsg()), is set to IPPROTO_RAW. This breaks the ipsec policy +lookup when some policies are defined with a protocol in the selector. + +For ipv6, the sin6_port field from 'struct sockaddr_in6' could be used to +specify the protocol. Just accept all values for IPPROTO_RAW socket. + +For ipv4, the sin_port field of 'struct sockaddr_in' could not be used +without breaking backward compatibility (the value of this field was never +checked). Let's add a new kind of control message, so that the userland +could specify which protocol is used. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +CC: stable@vger.kernel.org +Signed-off-by: Nicolas Dichtel +Link: https://lore.kernel.org/r/20230522120820.1319391-1-nicolas.dichtel@6wind.com +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + include/net/ip.h | 2 ++ + include/uapi/linux/in.h | 1 + + net/ipv4/ip_sockglue.c | 12 +++++++++++- + net/ipv4/raw.c | 5 ++++- + net/ipv6/raw.c | 3 ++- + 5 files changed, 20 insertions(+), 3 deletions(-) + +--- a/include/net/ip.h ++++ b/include/net/ip.h +@@ -76,6 +76,7 @@ struct ipcm_cookie { + __be32 addr; + int oif; + struct ip_options_rcu *opt; ++ __u8 protocol; + __u8 ttl; + __s16 tos; + char priority; +@@ -96,6 +97,7 @@ static inline void ipcm_init_sk(struct i + ipcm->sockc.tsflags = inet->sk.sk_tsflags; + ipcm->oif = READ_ONCE(inet->sk.sk_bound_dev_if); + ipcm->addr = inet->inet_saddr; ++ ipcm->protocol = inet->inet_num; + } + + #define IPCB(skb) ((struct inet_skb_parm*)((skb)->cb)) +--- a/include/uapi/linux/in.h ++++ 
b/include/uapi/linux/in.h +@@ -163,6 +163,7 @@ struct in_addr { + #define IP_MULTICAST_ALL 49 + #define IP_UNICAST_IF 50 + #define IP_LOCAL_PORT_RANGE 51 ++#define IP_PROTOCOL 52 + + #define MCAST_EXCLUDE 0 + #define MCAST_INCLUDE 1 +--- a/net/ipv4/ip_sockglue.c ++++ b/net/ipv4/ip_sockglue.c +@@ -317,7 +317,14 @@ int ip_cmsg_send(struct sock *sk, struct + ipc->tos = val; + ipc->priority = rt_tos2priority(ipc->tos); + break; +- ++ case IP_PROTOCOL: ++ if (cmsg->cmsg_len != CMSG_LEN(sizeof(int))) ++ return -EINVAL; ++ val = *(int *)CMSG_DATA(cmsg); ++ if (val < 1 || val > 255) ++ return -EINVAL; ++ ipc->protocol = val; ++ break; + default: + return -EINVAL; + } +@@ -1761,6 +1768,9 @@ int do_ip_getsockopt(struct sock *sk, in + case IP_LOCAL_PORT_RANGE: + val = inet->local_port_range.hi << 16 | inet->local_port_range.lo; + break; ++ case IP_PROTOCOL: ++ val = inet_sk(sk)->inet_num; ++ break; + default: + sockopt_release_sock(sk); + return -ENOPROTOOPT; +--- a/net/ipv4/raw.c ++++ b/net/ipv4/raw.c +@@ -532,6 +532,9 @@ static int raw_sendmsg(struct sock *sk, + } + + ipcm_init_sk(&ipc, inet); ++ /* Keep backward compat */ ++ if (hdrincl) ++ ipc.protocol = IPPROTO_RAW; + + if (msg->msg_controllen) { + err = ip_cmsg_send(sk, msg, &ipc, false); +@@ -599,7 +602,7 @@ static int raw_sendmsg(struct sock *sk, + + flowi4_init_output(&fl4, ipc.oif, ipc.sockc.mark, tos, + RT_SCOPE_UNIVERSE, +- hdrincl ? IPPROTO_RAW : sk->sk_protocol, ++ hdrincl ? ipc.protocol : sk->sk_protocol, + inet_sk_flowi_flags(sk) | + (hdrincl ? FLOWI_FLAG_KNOWN_NH : 0), + daddr, saddr, 0, 0, sk->sk_uid); +--- a/net/ipv6/raw.c ++++ b/net/ipv6/raw.c +@@ -793,7 +793,8 @@ static int rawv6_sendmsg(struct sock *sk + + if (!proto) + proto = inet->inet_num; +- else if (proto != inet->inet_num) ++ else if (proto != inet->inet_num && ++ inet->inet_num != IPPROTO_RAW) + return -EINVAL; + + if (proto > 255) 
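Review bot: The new `case IP_PROTOCOL:` in ip_cmsg_send() accepts the control message on whatever socket reaches that function, while the only visible consumer of `ipc->protocol` is the hdrincl path of raw_sendmsg(). For other callers the value would be accepted and then ignored, so either reject it there or document it at the case, e.g. `/* only honoured by raw_sendmsg() on hdrincl sockets; selects the flow protocol used for route and xfrm lookup */`. Because the sender also supplies the IP header on such sockets, nothing in these hunks ties the protocol used for the IPsec policy lookup to the protocol byte actually transmitted; if that is intended, the new `IP_PROTOCOL` define in in.h is the place to say so. The relaxed check in rawv6_sendmsg() has the same property: for an IPPROTO_RAW socket any sin6_port value up to 255 is now accepted as the flow protocol.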
diff --git a/queue-6.3/m68k-move-signal-frame-following-exception-on-68020-030.patch b/queue-6.3/m68k-move-signal-frame-following-exception-on-68020-030.patch
new file mode 100644
index 00000000000..3a0b85a0096
--- /dev/null
+++ b/queue-6.3/m68k-move-signal-frame-following-exception-on-68020-030.patch
@@ -0,0 +1,90 @@ +From b845b574f86dcb6a70dfa698aa87a237b0878d2a Mon Sep 17 00:00:00 2001 +From: Finn Thain +Date: Sat, 6 May 2023 19:38:12 +1000 +Subject: m68k: Move signal frame following exception on 68020/030 + +From: Finn Thain + +commit b845b574f86dcb6a70dfa698aa87a237b0878d2a upstream. + +On 68030/020, an instruction such as, moveml %a2-%a3/%a5,%sp@- may cause +a stack page fault during instruction execution (i.e. not at an +instruction boundary) and produce a format 0xB exception frame. + +In this situation, the value of USP will be unreliable. If a signal is +to be delivered following the exception, this USP value is used to +calculate the location for a signal frame. This can result in a +corrupted user stack. + +The corruption was detected in dash (actually in glibc) where it showed +up as an intermittent "stack smashing detected" message and crash +following signal delivery for SIGCHLD. + +It was hard to reproduce that failure because delivery of the signal +raced with the page fault and because the kernel places an unpredictable +gap of up to 7 bytes between the USP and the signal frame. + +A format 0xB exception frame can be produced by a bus error or an +address error. The 68030 Users Manual says that address errors occur +immediately upon detection during instruction prefetch. The instruction +pipeline allows prefetch to overlap with other instructions, which means +an address error can arise during the execution of a different +instruction. So it seems likely that this patch may help in the address +error case also. 
+ +Reported-and-tested-by: Stan Johnson +Link: https://lore.kernel.org/all/CAMuHMdW3yD22_ApemzW_6me3adq6A458u1_F0v-1EYwK_62jPA@mail.gmail.com/ +Cc: Michael Schmitz +Cc: Andreas Schwab +Cc: stable@vger.kernel.org +Co-developed-by: Michael Schmitz +Signed-off-by: Michael Schmitz +Signed-off-by: Finn Thain +Reviewed-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/9e66262a754fcba50208aa424188896cc52a1dd1.1683365892.git.fthain@linux-m68k.org +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Greg Kroah-Hartman +--- + arch/m68k/kernel/signal.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +--- a/arch/m68k/kernel/signal.c ++++ b/arch/m68k/kernel/signal.c +@@ -858,11 +858,17 @@ static inline int rt_setup_ucontext(stru + } + + static inline void __user * +-get_sigframe(struct ksignal *ksig, size_t frame_size) ++get_sigframe(struct ksignal *ksig, struct pt_regs *tregs, size_t frame_size) + { + unsigned long usp = sigsp(rdusp(), ksig); ++ unsigned long gap = 0; + +- return (void __user *)((usp - frame_size) & -8UL); ++ if (CPU_IS_020_OR_030 && tregs->format == 0xb) { ++ /* USP is unreliable so use worst-case value */ ++ gap = 256; ++ } ++ ++ return (void __user *)((usp - gap - frame_size) & -8UL); + } + + static int setup_frame(struct ksignal *ksig, sigset_t *set, +@@ -880,7 +886,7 @@ static int setup_frame(struct ksignal *k + return -EFAULT; + } + +- frame = get_sigframe(ksig, sizeof(*frame) + fsize); ++ frame = get_sigframe(ksig, tregs, sizeof(*frame) + fsize); + + if (fsize) + err |= copy_to_user (frame + 1, regs + 1, fsize); +@@ -952,7 +958,7 @@ static int setup_rt_frame(struct ksignal + return -EFAULT; + } + +- frame = get_sigframe(ksig, sizeof(*frame)); ++ frame = get_sigframe(ksig, tregs, sizeof(*frame)); + + if (fsize) + err |= copy_to_user (&frame->uc.uc_extra, regs + 1, fsize); 
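Review bot: The `gap = 256;` added to get_sigframe() is a bare constant, and its comment says only "worst-case value" without stating what quantity is being bounded. A named constant with its derivation would let a reader check the margin, for example `#define FMTB_USP_SLACK 256 /* bytes skipped below an unreliable USP after a format 0xB frame */`, assuming that is what the number represents. The subtraction `usp - gap - frame_size` is still done without a range check, as in the old expression, so the result is validated only by the later copy_to_user() calls in setup_frame() and setup_rt_frame(), whose bodies extend outside the hunks.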
diff --git a/queue-6.3/mmc-block-ensure-error-propagation-for-non-blk.patch b/queue-6.3/mmc-block-ensure-error-propagation-for-non-blk.patch
new file mode 100644
index 00000000000..033c81a7347
--- /dev/null
+++ b/queue-6.3/mmc-block-ensure-error-propagation-for-non-blk.patch
@@ -0,0 +1,80 @@ +From 003fb0a51162d940f25fc35e70b0996a12c9e08a Mon Sep 17 00:00:00 2001 +From: Christian Loehle +Date: Wed, 26 Apr 2023 16:59:39 +0000 +Subject: mmc: block: ensure error propagation for non-blk + +From: Christian Loehle + +commit 003fb0a51162d940f25fc35e70b0996a12c9e08a upstream. + +Requests to the mmc layer usually come through a block device IO. +The exceptions are the ioctl interface, RPMB chardev ioctl +and debugfs, which issue their own blk_mq requests through +blk_execute_rq and do not query the BLK_STS error but the +mmcblk-internal drv_op_result. This patch ensures that drv_op_result +defaults to an error and has to be overwritten by the operation +to be considered successful. + +The behavior leads to a bug where the request never propagates +the error, e.g. by directly erroring out at mmc_blk_mq_issue_rq if +mmc_blk_part_switch fails. The ioctl caller of the rpmb chardev then +can never see an error (BLK_STS_IOERR, but drv_op_result is unchanged) +and thus may assume that their call executed successfully when it did not. 
+ +While always checking the blk_execute_rq return value would be +advised, let's eliminate the error by always setting +drv_op_result as -EIO to be overwritten on success (or other error) + +Fixes: 614f0388f580 ("mmc: block: move single ioctl() commands to block requests") +Signed-off-by: Christian Loehle +Acked-by: Adrian Hunter +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/59c17ada35664b818b7bd83752119b2d@hyperstone.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/core/block.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/mmc/core/block.c ++++ b/drivers/mmc/core/block.c +@@ -266,6 +266,7 @@ static ssize_t power_ro_lock_store(struc + goto out_put; + } + req_to_mmc_queue_req(req)->drv_op = MMC_DRV_OP_BOOT_WP; ++ req_to_mmc_queue_req(req)->drv_op_result = -EIO; + blk_execute_rq(req, false); + ret = req_to_mmc_queue_req(req)->drv_op_result; + blk_mq_free_request(req); +@@ -653,6 +654,7 @@ static int mmc_blk_ioctl_cmd(struct mmc_ + idatas[0] = idata; + req_to_mmc_queue_req(req)->drv_op = + rpmb ? MMC_DRV_OP_IOCTL_RPMB : MMC_DRV_OP_IOCTL; ++ req_to_mmc_queue_req(req)->drv_op_result = -EIO; + req_to_mmc_queue_req(req)->drv_op_data = idatas; + req_to_mmc_queue_req(req)->ioc_count = 1; + blk_execute_rq(req, false); +@@ -724,6 +726,7 @@ static int mmc_blk_ioctl_multi_cmd(struc + } + req_to_mmc_queue_req(req)->drv_op = + rpmb ? 
MMC_DRV_OP_IOCTL_RPMB : MMC_DRV_OP_IOCTL; ++ req_to_mmc_queue_req(req)->drv_op_result = -EIO; + req_to_mmc_queue_req(req)->drv_op_data = idata; + req_to_mmc_queue_req(req)->ioc_count = n; + blk_execute_rq(req, false); +@@ -2808,6 +2811,7 @@ static int mmc_dbg_card_status_get(void + if (IS_ERR(req)) + return PTR_ERR(req); + req_to_mmc_queue_req(req)->drv_op = MMC_DRV_OP_GET_CARD_STATUS; ++ req_to_mmc_queue_req(req)->drv_op_result = -EIO; + blk_execute_rq(req, false); + ret = req_to_mmc_queue_req(req)->drv_op_result; + if (ret >= 0) { +@@ -2846,6 +2850,7 @@ static int mmc_ext_csd_open(struct inode + goto out_free; + } + req_to_mmc_queue_req(req)->drv_op = MMC_DRV_OP_GET_EXT_CSD; ++ req_to_mmc_queue_req(req)->drv_op_result = -EIO; + req_to_mmc_queue_req(req)->drv_op_data = &ext_csd; + blk_execute_rq(req, false); + err = req_to_mmc_queue_req(req)->drv_op_result; diff --git a/queue-6.3/mmc-sdhci-esdhc-imx-make-no-mmc-hs400-works.patch b/queue-6.3/mmc-sdhci-esdhc-imx-make-no-mmc-hs400-works.patch new file mode 100644 index 00000000000..21d7bde6eb6 --- /dev/null +++ b/queue-6.3/mmc-sdhci-esdhc-imx-make-no-mmc-hs400-works.patch 
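Review bot: The `drv_op_result = -EIO` default is repeated by hand at five call sites (power_ro_lock_store(), mmc_blk_ioctl_cmd(), mmc_blk_ioctl_multi_cmd(), mmc_dbg_card_status_get() and mmc_ext_csd_open()), and the status returned by blk_execute_rq() is still discarded at each of them. A future driver-op caller that forgets the assignment would bring back the silent-success case the commit message describes for the RPMB ioctl path. Checking the return value where the result is read, as in `if (blk_execute_rq(req, false) != BLK_STS_OK) ret = -EIO; else ret = req_to_mmc_queue_req(req)->drv_op_result;`, or setting the default once where the request is prepared, would remove the dependence on each caller remembering it. All five functions extend beyond their hunks.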
@@ -0,0 +1,79 @@ +From 81dce1490e28439c3cd8a8650b862a712f3061ba Mon Sep 17 00:00:00 2001 +From: Haibo Chen +Date: Thu, 4 May 2023 19:22:22 +0800 +Subject: mmc: sdhci-esdhc-imx: make "no-mmc-hs400" works + +From: Haibo Chen + +commit 81dce1490e28439c3cd8a8650b862a712f3061ba upstream. + +After commit 1ed5c3b22fc7 ("mmc: sdhci-esdhc-imx: Propagate +ESDHC_FLAG_HS400* only on 8bit bus"), the property "no-mmc-hs400" +from device tree file do not work any more. +This patch reorder the code, which can avoid the warning message +"drop HS400 support since no 8-bit bus" and also make the property +"no-mmc-hs400" from dts file works. + +Fixes: 1ed5c3b22fc7 ("mmc: sdhci-esdhc-imx: Propagate ESDHC_FLAG_HS400* only on 8bit bus") +Signed-off-by: Haibo Chen +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20230504112222.3599602-1-haibo.chen@nxp.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/sdhci-esdhc-imx.c | 18 ++++++++++-------- + 1 file changed, 10 insertions(+), 8 deletions(-) + +--- a/drivers/mmc/host/sdhci-esdhc-imx.c ++++ b/drivers/mmc/host/sdhci-esdhc-imx.c +@@ -1634,6 +1634,10 @@ sdhci_esdhc_imx_probe_dt(struct platform + if (ret) + return ret; + ++ /* HS400/HS400ES require 8 bit bus */ ++ if (!(host->mmc->caps & MMC_CAP_8_BIT_DATA)) ++ host->mmc->caps2 &= ~(MMC_CAP2_HS400 | MMC_CAP2_HS400_ES); ++ + if (mmc_gpio_get_cd(host->mmc) >= 0) + host->quirks &= ~SDHCI_QUIRK_BROKEN_CARD_DETECTION; + +@@ -1724,10 +1728,6 @@ static int sdhci_esdhc_imx_probe(struct + host->mmc_host_ops.init_card = usdhc_init_card; + } + +- err = sdhci_esdhc_imx_probe_dt(pdev, host, imx_data); +- if (err) +- goto disable_ahb_clk; +- + if (imx_data->socdata->flags & ESDHC_FLAG_MAN_TUNING) + sdhci_esdhc_ops.platform_execute_tuning = + esdhc_executing_tuning; +@@ -1735,15 +1735,13 @@ static int sdhci_esdhc_imx_probe(struct + if (imx_data->socdata->flags & ESDHC_FLAG_ERR004536) + host->quirks |= SDHCI_QUIRK_BROKEN_ADMA; + +- if (host->mmc->caps & 
MMC_CAP_8_BIT_DATA && +- imx_data->socdata->flags & ESDHC_FLAG_HS400) ++ if (imx_data->socdata->flags & ESDHC_FLAG_HS400) + host->mmc->caps2 |= MMC_CAP2_HS400; + + if (imx_data->socdata->flags & ESDHC_FLAG_BROKEN_AUTO_CMD23) + host->quirks2 |= SDHCI_QUIRK2_ACMD23_BROKEN; + +- if (host->mmc->caps & MMC_CAP_8_BIT_DATA && +- imx_data->socdata->flags & ESDHC_FLAG_HS400_ES) { ++ if (imx_data->socdata->flags & ESDHC_FLAG_HS400_ES) { + host->mmc->caps2 |= MMC_CAP2_HS400_ES; + host->mmc_host_ops.hs400_enhanced_strobe = + esdhc_hs400_enhanced_strobe; +@@ -1765,6 +1763,10 @@ static int sdhci_esdhc_imx_probe(struct + goto disable_ahb_clk; + } + ++ err = sdhci_esdhc_imx_probe_dt(pdev, host, imx_data); ++ if (err) ++ goto disable_ahb_clk; ++ + sdhci_esdhc_imx_hwinit(host); + + err = sdhci_add_host(host); diff --git a/queue-6.3/net-cdc_ncm-deal-with-too-low-values-of-dwntboutmaxsize.patch b/queue-6.3/net-cdc_ncm-deal-with-too-low-values-of-dwntboutmaxsize.patch new file mode 100644 index 00000000000..981532cec9c --- /dev/null +++ b/queue-6.3/net-cdc_ncm-deal-with-too-low-values-of-dwntboutmaxsize.patch 
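Review bot: After the reorder, sdhci_esdhc_imx_probe() installs `host->mmc_host_ops.hs400_enhanced_strobe` whenever ESDHC_FLAG_HS400_ES is set, while the 8-bit check that moved into sdhci_esdhc_imx_probe_dt() only clears the `MMC_CAP2_HS400 | MMC_CAP2_HS400_ES` bits. On a narrower bus the callback therefore stays installed although the capability is withdrawn; this is probably harmless if the core consults the capability before calling it, but that is not visible here. A comment at the new mask, e.g. `/* caps2 was seeded from socdata before DT parsing; strip what the bus width cannot support */`, would document the ordering dependency this patch introduces. Both functions continue outside the hunks.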
@@ -0,0 +1,127 @@ +From 7e01c7f7046efc2c7c192c3619db43292b98e997 Mon Sep 17 00:00:00 2001 +From: Tudor Ambarus +Date: Wed, 17 May 2023 13:38:08 +0000 +Subject: net: cdc_ncm: Deal with too low values of dwNtbOutMaxSize + +From: Tudor Ambarus + +commit 7e01c7f7046efc2c7c192c3619db43292b98e997 upstream. + +Currently in cdc_ncm_check_tx_max(), if dwNtbOutMaxSize is lower than +the calculated "min" value, but greater than zero, the logic sets +tx_max to dwNtbOutMaxSize. This is then used to allocate a new SKB in +cdc_ncm_fill_tx_frame() where all the data is handled. + +For small values of dwNtbOutMaxSize the memory allocated during +alloc_skb(dwNtbOutMaxSize, GFP_ATOMIC) will have the same size, due to +how size is aligned at alloc time: + size = SKB_DATA_ALIGN(size); + size += SKB_DATA_ALIGN(sizeof(struct skb_shared_info)); +Thus we hit the same bug that we tried to squash with +commit 2be6d4d16a084 ("net: cdc_ncm: Allow for dwNtbOutMaxSize to be unset or zero") + +Low values of dwNtbOutMaxSize do not cause an issue presently because at +alloc_skb() time more memory (512b) is allocated than required for the +SKB headers alone (320b), leaving some space (512b - 320b = 192b) +for CDC data (172b). + +However, if more elements (for example 3 x u64 = [24b]) were added to +one of the SKB header structs, say 'struct skb_shared_info', +increasing its original size (320b [320b aligned]) to something larger +(344b [384b aligned]), then suddenly the CDC data (172b) no longer +fits in the spare SKB data area (512b - 384b = 128b). + +Consequently the SKB bounds checking semantics fails and panics: + +skbuff: skb_over_panic: text:ffffffff831f755b len:184 put:172 head:ffff88811f1c6c00 data:ffff88811f1c6c00 tail:0xb8 end:0x80 dev: +------------[ cut here ]------------ +kernel BUG at net/core/skbuff.c:113! 
+invalid opcode: 0000 [#1] PREEMPT SMP KASAN +CPU: 0 PID: 57 Comm: kworker/0:2 Not tainted 5.15.106-syzkaller-00249-g19c0ed55a470 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 +Workqueue: mld mld_ifc_work +RIP: 0010:skb_panic net/core/skbuff.c:113 [inline] +RIP: 0010:skb_over_panic+0x14c/0x150 net/core/skbuff.c:118 +[snip] +Call Trace: + + skb_put+0x151/0x210 net/core/skbuff.c:2047 + skb_put_zero include/linux/skbuff.h:2422 [inline] + cdc_ncm_ndp16 drivers/net/usb/cdc_ncm.c:1131 [inline] + cdc_ncm_fill_tx_frame+0x11ab/0x3da0 drivers/net/usb/cdc_ncm.c:1308 + cdc_ncm_tx_fixup+0xa3/0x100 + +Deal with too low values of dwNtbOutMaxSize, clamp it in the range +[USB_CDC_NCM_NTB_MIN_OUT_SIZE, CDC_NCM_NTB_MAX_SIZE_TX]. We ensure +enough data space is allocated to handle CDC data by making sure +dwNtbOutMaxSize is not smaller than USB_CDC_NCM_NTB_MIN_OUT_SIZE. + +Fixes: 289507d3364f ("net: cdc_ncm: use sysfs for rx/tx aggregation tuning") +Cc: stable@vger.kernel.org +Reported-by: syzbot+9f575a1f15fc0c01ed69@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?extid=b982f1059506db48409d +Link: https://lore.kernel.org/all/20211202143437.1411410-1-lee.jones@linaro.org/ +Signed-off-by: Tudor Ambarus +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20230517133808.1873695-2-tudor.ambarus@linaro.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/cdc_ncm.c | 24 +++++++++++++++--------- + 1 file changed, 15 insertions(+), 9 deletions(-) + +--- a/drivers/net/usb/cdc_ncm.c ++++ b/drivers/net/usb/cdc_ncm.c +@@ -181,9 +181,12 @@ static u32 cdc_ncm_check_tx_max(struct u + else + min = ctx->max_datagram_size + ctx->max_ndp_size + sizeof(struct usb_cdc_ncm_nth32); + +- max = min_t(u32, CDC_NCM_NTB_MAX_SIZE_TX, le32_to_cpu(ctx->ncm_parm.dwNtbOutMaxSize)); +- if (max == 0) ++ if (le32_to_cpu(ctx->ncm_parm.dwNtbOutMaxSize) == 0) + max = CDC_NCM_NTB_MAX_SIZE_TX; /* dwNtbOutMaxSize 
not set */ ++ else ++ max = clamp_t(u32, le32_to_cpu(ctx->ncm_parm.dwNtbOutMaxSize), ++ USB_CDC_NCM_NTB_MIN_OUT_SIZE, ++ CDC_NCM_NTB_MAX_SIZE_TX); + + /* some devices set dwNtbOutMaxSize too low for the above default */ + min = min(min, max); +@@ -1244,6 +1247,9 @@ cdc_ncm_fill_tx_frame(struct usbnet *dev + * further. + */ + if (skb_out == NULL) { ++ /* If even the smallest allocation fails, abort. */ ++ if (ctx->tx_curr_size == USB_CDC_NCM_NTB_MIN_OUT_SIZE) ++ goto alloc_failed; + ctx->tx_low_mem_max_cnt = min(ctx->tx_low_mem_max_cnt + 1, + (unsigned)CDC_NCM_LOW_MEM_MAX_CNT); + ctx->tx_low_mem_val = ctx->tx_low_mem_max_cnt; +@@ -1262,13 +1268,8 @@ cdc_ncm_fill_tx_frame(struct usbnet *dev + skb_out = alloc_skb(ctx->tx_curr_size, GFP_ATOMIC); + + /* No allocation possible so we will abort */ +- if (skb_out == NULL) { +- if (skb != NULL) { +- dev_kfree_skb_any(skb); +- dev->net->stats.tx_dropped++; +- } +- goto exit_no_skb; +- } ++ if (!skb_out) ++ goto alloc_failed; + ctx->tx_low_mem_val--; + } + if (ctx->is_ndp16) { +@@ -1461,6 +1462,11 @@ cdc_ncm_fill_tx_frame(struct usbnet *dev + + return skb_out; + ++alloc_failed: ++ if (skb) { ++ dev_kfree_skb_any(skb); ++ dev->net->stats.tx_dropped++; ++ } + exit_no_skb: + /* Start timer, if there is a remaining non-empty skb */ + if (ctx->tx_curr_skb != NULL && n > 0) diff --git a/queue-6.3/parisc-allow-to-reboot-machine-after-system-halt.patch b/queue-6.3/parisc-allow-to-reboot-machine-after-system-halt.patch new file mode 100644 index 00000000000..e463aa6f7be --- /dev/null +++ b/queue-6.3/parisc-allow-to-reboot-machine-after-system-halt.patch 
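Review bot: In cdc_ncm_check_tx_max() the clamped value `ctx->ncm_parm.dwNtbOutMaxSize` is supplied by the attached USB device, and the code does not say that the lower bound is what keeps the later skb_put() inside the allocated buffer. A comment on the clamp, e.g. `/* device-supplied; never go below USB_CDC_NCM_NTB_MIN_OUT_SIZE or the NTB headers will not fit the skb */`, would record why that bound must not be relaxed. In cdc_ncm_fill_tx_frame() the new early exit compares with `==`; `if (ctx->tx_curr_size <= USB_CDC_NCM_NTB_MIN_OUT_SIZE)` would also cover a smaller tx_curr_size, should any path outside these hunks be able to set one. Both functions extend beyond the hunks.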
@@ -0,0 +1,43 @@
+From 2028315cf59bb899a5ac7e87dc48ecb8fac7ac24 Mon Sep 17 00:00:00 2001
+From: Helge Deller
+Date: Mon, 22 May 2023 22:57:30 +0200
+Subject: parisc: Allow to reboot machine after system halt
+
+From: Helge Deller
+
+commit 2028315cf59bb899a5ac7e87dc48ecb8fac7ac24 upstream.
+
+In case a machine can't power-off itself on system shutdown,
+allow the user to reboot it by pressing the RETURN key.
+
+Cc: # v4.14+
+Signed-off-by: Helge Deller
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/parisc/kernel/process.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/arch/parisc/kernel/process.c
++++ b/arch/parisc/kernel/process.c
+@@ -122,13 +122,18 @@ void machine_power_off(void)
+ /* It seems we have no way to power the system off via
+ * software. The user has to press the button himself. */
+
+- printk(KERN_EMERG "System shut down completed.\n"
+- "Please power this system off now.");
++ printk("Power off or press RETURN to reboot.\n");
+
+ /* prevent soft lockup/stalled CPU messages for endless loop. */
+ rcu_sysrq_start();
+ lockup_detector_soft_poweroff();
+- for (;;);
++ while (1) {
++ /* reboot if user presses RETURN key */
++ if (pdc_iodc_getc() == 13) {
++ printk("Rebooting...\n");
++ machine_restart(NULL);
++ }
++ }
+ }
+
+ void (*pm_power_off)(void);
diff --git a/queue-6.3/parisc-enable-lockdep-support.patch b/queue-6.3/parisc-enable-lockdep-support.patch
new file mode 100644
index 00000000000..88bfa987749
--- /dev/null
+++ b/queue-6.3/parisc-enable-lockdep-support.patch
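Review bot: The replacement message in machine_power_off(), `printk("Power off or press RETURN to reboot.\n");`, drops the `KERN_EMERG` level that the removed message carried, so on a console with a restrictive loglevel the operator may never see the prompt the new loop is waiting on; I would keep it as `printk(KERN_EMERG "Power off or press RETURN to reboot.\n");`. The bare `13` compared against pdc_iodc_getc() reads better as `'\r'`. The loop also means that anyone with access to the firmware console can restart a machine that was deliberately halted, which deserves a sentence in the comment above the loop. machine_power_off() starts outside the hunk.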
@@ -0,0 +1,29 @@
+From adf8e96a7ea670d45b5de7594acc67e8f4787ae6 Mon Sep 17 00:00:00 2001
+From: Helge Deller
+Date: Tue, 23 May 2023 09:06:40 +0200
+Subject: parisc: Enable LOCKDEP support
+
+From: Helge Deller
+
+commit adf8e96a7ea670d45b5de7594acc67e8f4787ae6 upstream.
+
+Cc: # v6.0+
+Signed-off-by: Helge Deller
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/parisc/Kconfig | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/parisc/Kconfig
++++ b/arch/parisc/Kconfig
+@@ -129,6 +129,10 @@ config PM
+ config STACKTRACE_SUPPORT
+ def_bool y
+
++config LOCKDEP_SUPPORT
++ bool
++ default y
++
+ config ISA_DMA_API
+ bool
+
diff --git a/queue-6.3/parisc-fix-flush_dcache_page-for-usage-from-irq-context.patch b/queue-6.3/parisc-fix-flush_dcache_page-for-usage-from-irq-context.patch
new file mode 100644
index 00000000000..8b5b6a8adf2
--- /dev/null
+++ b/queue-6.3/parisc-fix-flush_dcache_page-for-usage-from-irq-context.patch
@@ -0,0 +1,68 @@ +From 61e150fb310729c98227a5edf6e4a3619edc3702 Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Wed, 24 May 2023 17:07:07 +0200 +Subject: parisc: Fix flush_dcache_page() for usage from irq context + +From: Helge Deller + +commit 61e150fb310729c98227a5edf6e4a3619edc3702 upstream. + +Since at least kernel 6.1, flush_dcache_page() is called with IRQs +disabled, e.g. from aio_complete(). + +But the current implementation for flush_dcache_page() on parisc +unintentionally re-enables IRQs, which may lead to deadlocks. + +Fix it by using xa_lock_irqsave() and xa_unlock_irqrestore() +for the flush_dcache_mmap_*lock() macros instead. + +Cc: linux-parisc@vger.kernel.org +Cc: stable@kernel.org # 5.18+ +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/include/asm/cacheflush.h | 4 ++++ + arch/parisc/kernel/cache.c | 5 +++-- + 2 files changed, 7 insertions(+), 2 deletions(-) + +--- a/arch/parisc/include/asm/cacheflush.h ++++ b/arch/parisc/include/asm/cacheflush.h +@@ -48,6 +48,10 @@ void flush_dcache_page(struct page *page + + #define flush_dcache_mmap_lock(mapping) xa_lock_irq(&mapping->i_pages) + #define flush_dcache_mmap_unlock(mapping) xa_unlock_irq(&mapping->i_pages) ++#define flush_dcache_mmap_lock_irqsave(mapping, flags) \ ++ xa_lock_irqsave(&mapping->i_pages, flags) ++#define flush_dcache_mmap_unlock_irqrestore(mapping, flags) \ ++ xa_unlock_irqrestore(&mapping->i_pages, flags) + + #define flush_icache_page(vma,page) do { \ + flush_kernel_dcache_page_addr(page_address(page)); \ +--- a/arch/parisc/kernel/cache.c ++++ b/arch/parisc/kernel/cache.c +@@ -399,6 +399,7 @@ void flush_dcache_page(struct page *page + unsigned long offset; + unsigned long addr, old_addr = 0; + unsigned long count = 0; ++ unsigned long flags; + pgoff_t pgoff; + + if (mapping && !mapping_mapped(mapping)) { +@@ -420,7 +421,7 @@ void flush_dcache_page(struct page *page + * to flush one address here for them all to become coherent + * on machines that 
support equivalent aliasing + */ +- flush_dcache_mmap_lock(mapping); ++ flush_dcache_mmap_lock_irqsave(mapping, flags); + vma_interval_tree_foreach(mpnt, &mapping->i_mmap, pgoff, pgoff) { + offset = (pgoff - mpnt->vm_pgoff) << PAGE_SHIFT; + addr = mpnt->vm_start + offset; +@@ -460,7 +461,7 @@ void flush_dcache_page(struct page *page + } + WARN_ON(++count == 4096); + } +- flush_dcache_mmap_unlock(mapping); ++ flush_dcache_mmap_unlock_irqrestore(mapping, flags); + } + EXPORT_SYMBOL(flush_dcache_page); + diff --git a/queue-6.3/parisc-handle-kgdb-breakpoints-only-in-kernel-context.patch b/queue-6.3/parisc-handle-kgdb-breakpoints-only-in-kernel-context.patch new file mode 100644 index 00000000000..c80ce246209 --- /dev/null +++ b/queue-6.3/parisc-handle-kgdb-breakpoints-only-in-kernel-context.patch @@ -0,0 +1,32 @@ +From 6888ff04e37d01295620a73f3f7efbc79f6ef152 Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Wed, 24 May 2023 14:34:58 +0200 +Subject: parisc: Handle kgdb breakpoints only in kernel context + +From: Helge Deller + +commit 6888ff04e37d01295620a73f3f7efbc79f6ef152 upstream. + +The kernel kgdb break instructions should only be handled when running +in kernel context. + +Cc: # v5.4+ +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/kernel/traps.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/parisc/kernel/traps.c ++++ b/arch/parisc/kernel/traps.c +@@ -302,8 +302,8 @@ static void handle_break(struct pt_regs + #endif + + #ifdef CONFIG_KGDB +- if (unlikely(iir == PARISC_KGDB_COMPILED_BREAK_INSN || +- iir == PARISC_KGDB_BREAK_INSN)) { ++ if (unlikely((iir == PARISC_KGDB_COMPILED_BREAK_INSN || ++ iir == PARISC_KGDB_BREAK_INSN)) && !user_mode(regs)) { + kgdb_handle_exception(9, SIGTRAP, 0, regs); + return; + } 
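Review bot: The new `flush_dcache_mmap_lock_irqsave()` / `flush_dcache_mmap_unlock_irqrestore()` macros in cacheflush.h sit next to the old `xa_lock_irq` pair with nothing telling a caller which one is safe, and the old pair unconditionally re-enables interrupts on unlock. I would add a comment above the new macros, e.g. `/* _irqsave variants: for callers that may run with IRQs already disabled */`. Only flush_dcache_page() is converted in cache.c; other users of flush_dcache_mmap_lock() are not visible here, so whether any of them can also be reached with IRQs off should be checked. The body of flush_dcache_page() extends outside the shown hunks.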
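Review bot: In handle_break() the new kgdb condition closes `unlikely()` before the user-mode test, leaving a redundant pair of parentheses around the opcode comparison and the `!user_mode(regs)` term outside the branch hint. The result is the same, but the kprobes change to the same function (the next patch in this commit) keeps the whole test inside `unlikely(...)`. For consistency I would write `if (unlikely((iir == PARISC_KGDB_COMPILED_BREAK_INSN || iir == PARISC_KGDB_BREAK_INSN) && !user_mode(regs))) {`. handle_break() begins and ends outside the hunk.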
diff --git a/queue-6.3/parisc-handle-kprobes-breakpoints-only-in-kernel-context.patch b/queue-6.3/parisc-handle-kprobes-breakpoints-only-in-kernel-context.patch
new file mode 100644
index 00000000000..3214558e0c5
--- /dev/null
+++ b/queue-6.3/parisc-handle-kprobes-breakpoints-only-in-kernel-context.patch
@@ -0,0 +1,35 @@
+From df419492e428b6a2bce98d0f613c58a13da6666c Mon Sep 17 00:00:00 2001
+From: Helge Deller
+Date: Wed, 24 May 2023 14:31:14 +0200
+Subject: parisc: Handle kprobes breakpoints only in kernel context
+
+From: Helge Deller
+
+commit df419492e428b6a2bce98d0f613c58a13da6666c upstream.
+
+The kernel kprobes break instructions should only be handled when running
+in kernel context.
+
+Cc: # v5.18+
+Signed-off-by: Helge Deller
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/parisc/kernel/traps.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/parisc/kernel/traps.c
++++ b/arch/parisc/kernel/traps.c
+@@ -291,11 +291,11 @@ static void handle_break(struct pt_regs
+ }
+
+ #ifdef CONFIG_KPROBES
+- if (unlikely(iir == PARISC_KPROBES_BREAK_INSN)) {
++ if (unlikely(iir == PARISC_KPROBES_BREAK_INSN && !user_mode(regs))) {
+ parisc_kprobe_break_handler(regs);
+ return;
+ }
+- if (unlikely(iir == PARISC_KPROBES_BREAK_INSN2)) {
++ if (unlikely(iir == PARISC_KPROBES_BREAK_INSN2 && !user_mode(regs))) {
+ parisc_kprobe_ss_handler(regs);
+ return;
+ }
diff --git a/queue-6.3/parisc-use-num_present_cpus-in-alternative-patching-code.patch b/queue-6.3/parisc-use-num_present_cpus-in-alternative-patching-code.patch
new file mode 100644
index 00000000000..c9269bc9fca
--- /dev/null
+++ b/queue-6.3/parisc-use-num_present_cpus-in-alternative-patching-code.patch
@@ -0,0 +1,32 @@
+From b6405f0829d7b1dd926ba3ca5f691cab835abfaa Mon Sep 17 00:00:00 2001
+From: Helge Deller
+Date: Fri, 19 May 2023 12:12:06 +0200
+Subject: parisc: Use num_present_cpus() in alternative patching code
+
+From: Helge Deller
+
+commit b6405f0829d7b1dd926ba3ca5f691cab835abfaa upstream.
+
+When patching the kernel code some alternatives depend on SMP vs. !SMP.
+Use the value of num_present_cpus() instead of num_online_cpus() to
+decide, otherwise we may run into issues if and additional CPU is
+enabled after having loaded a module while only one CPU was enabled.
+
+Signed-off-by: Helge Deller
+Cc: # v6.1+
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/parisc/kernel/alternative.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/parisc/kernel/alternative.c
++++ b/arch/parisc/kernel/alternative.c
+@@ -25,7 +25,7 @@ void __init_or_module apply_alternatives
+ {
+ struct alt_instr *entry;
+ int index = 0, applied = 0;
+- int num_cpus = num_online_cpus();
++ int num_cpus = num_present_cpus();
+ u16 cond_check;
+
+ cond_check = ALT_COND_ALWAYS |
diff --git a/queue-6.3/platform-x86-intel-ifs-annotate-work-queue-on-stack-so-object-debug-does-not-complain.patch b/queue-6.3/platform-x86-intel-ifs-annotate-work-queue-on-stack-so-object-debug-does-not-complain.patch
new file mode 100644
index 00000000000..8eb3f763f3a
--- /dev/null
+++ b/queue-6.3/platform-x86-intel-ifs-annotate-work-queue-on-stack-so-object-debug-does-not-complain.patch
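Review bot: The reason for counting present rather than online CPUs in apply_alternatives() lives only in the commit message, so the one-line change is easy to "simplify" back later. I would add a comment at the declaration, e.g. `/* present, not online: a CPU may be brought up after a module was patched */`. Whether CPUs that are possible but not yet present can appear later on this platform is not visible here; if they can, the same argument would apply to them. The function continues outside the hunk.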
@@ -0,0 +1,63 @@ +From 3279decb2c3c8d58cb0b70ed5235c480735a36ee Mon Sep 17 00:00:00 2001 +From: David Arcari +Date: Tue, 23 May 2023 06:54:00 -0400 +Subject: platform/x86/intel/ifs: Annotate work queue on stack so object debug does not complain + +From: David Arcari + +commit 3279decb2c3c8d58cb0b70ed5235c480735a36ee upstream. + +Object Debug results in the following warning while attempting to load +ifs firmware: + +[ 220.007422] ODEBUG: object 000000003bf952db is on stack 00000000e843994b, but NOT annotated. +[ 220.007459] ------------[ cut here ]------------ +[ 220.007461] WARNING: CPU: 0 PID: 11774 at lib/debugobjects.c:548 __debug_object_init.cold+0x22e/0x2d5 +[ 220.137476] RIP: 0010:__debug_object_init.cold+0x22e/0x2d5 +[ 220.254774] Call Trace: +[ 220.257641] +[ 220.265606] scan_chunks_sanity_check+0x368/0x5f0 [intel_ifs] +[ 220.288292] ifs_load_firmware+0x2a3/0x400 [intel_ifs] +[ 220.332793] current_batch_store+0xea/0x160 [intel_ifs] +[ 220.357947] kernfs_fop_write_iter+0x355/0x530 +[ 220.363048] new_sync_write+0x28e/0x4a0 +[ 220.381226] vfs_write+0x62a/0x920 +[ 220.385160] ksys_write+0xf9/0x1d0 +[ 220.399421] do_syscall_64+0x59/0x90 +[ 220.440635] entry_SYSCALL_64_after_hwframe+0x63/0xcd +[ 220.566845] ---[ end trace 3a01b299db142b41 ]--- + +Correct this by calling INIT_WORK_ONSTACK instead of INIT_WORK. 
+ +Fixes: 684ec215706d ("platform/x86/intel/ifs: Authenticate and copy to secured memory") + +Signed-off-by: David Arcari +Cc: Jithu Joseph +Cc: Ashok Raj +Cc: Tony Luck +Cc: Hans de Goede +Cc: Mark Gross +Cc: Greg Kroah-Hartman +Cc: Thomas Gleixner +Cc: Dan Williams +Cc: linux-kernel@vger.kernel.org +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20230523105400.674152-1-darcari@redhat.com +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Greg Kroah-Hartman +--- + drivers/platform/x86/intel/ifs/load.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/platform/x86/intel/ifs/load.c ++++ b/drivers/platform/x86/intel/ifs/load.c +@@ -208,7 +208,7 @@ static int scan_chunks_sanity_check(stru + continue; + reinit_completion(&ifs_done); + local_work.dev = dev; +- INIT_WORK(&local_work.w, copy_hashes_authenticate_chunks); ++ INIT_WORK_ONSTACK(&local_work.w, copy_hashes_authenticate_chunks); + schedule_work_on(cpu, &local_work.w); + wait_for_completion(&ifs_done); + if (ifsd->loading_error) { diff --git a/queue-6.3/power-supply-axp288_fuel_gauge-fix-external_power_changed-race.patch b/queue-6.3/power-supply-axp288_fuel_gauge-fix-external_power_changed-race.patch new file mode 100644 index 00000000000..124f0fbb1f0 --- /dev/null +++ b/queue-6.3/power-supply-axp288_fuel_gauge-fix-external_power_changed-race.patch 
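Review bot: `INIT_WORK_ONSTACK(&local_work.w, copy_hashes_authenticate_chunks)` in scan_chunks_sanity_check() registers the on-stack work item with debugobjects, but the hunk shows no matching `destroy_work_on_stack(&local_work.w);` after `wait_for_completion(&ifs_done);`. Without it the tracked object outlives its stack frame, which can lead to later debugobjects warnings when that stack memory is reused; the `continue` above suggests this runs once per loop iteration. The rest of the loop is outside the hunk, so confirm the call is not already there; if not, add `destroy_work_on_stack(&local_work.w);` right after the wait.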
@@ -0,0 +1,44 @@
+From f8319774d6f1567d6e7d03653174ab0c82c5c66d Mon Sep 17 00:00:00 2001
+From: Hans de Goede
+Date: Sat, 15 Apr 2023 18:07:30 +0200
+Subject: power: supply: axp288_fuel_gauge: Fix external_power_changed race
+
+From: Hans de Goede
+
+commit f8319774d6f1567d6e7d03653174ab0c82c5c66d upstream.
+
+fuel_gauge_external_power_changed() dereferences info->bat,
+which gets sets in axp288_fuel_gauge_probe() like this:
+
+ info->bat = devm_power_supply_register(dev, &fuel_gauge_desc, &psy_cfg);
+
+As soon as devm_power_supply_register() has called device_add()
+the external_power_changed callback can get called. So there is a window
+where fuel_gauge_external_power_changed() may get called while
+info->bat has not been set yet leading to a NULL pointer dereference.
+
+Fixing this is easy. The external_power_changed callback gets passed
+the power_supply which will eventually get stored in info->bat,
+so fuel_gauge_external_power_changed() can simply directly use
+the passed in psy argument which is always valid.
+
+Fixes: 30abb3d07929 ("power: supply: axp288_fuel_gauge: Take lock before updating the valid flag")
+Cc: stable@vger.kernel.org
+Signed-off-by: Hans de Goede
+Signed-off-by: Sebastian Reichel
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/power/supply/axp288_fuel_gauge.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/power/supply/axp288_fuel_gauge.c
++++ b/drivers/power/supply/axp288_fuel_gauge.c
+@@ -507,7 +507,7 @@ static void fuel_gauge_external_power_ch
+ mutex_lock(&info->lock);
+ info->valid = 0; /* Force updating of the cached registers */
+ mutex_unlock(&info->lock);
+- power_supply_changed(info->bat);
++ power_supply_changed(psy);
+ }
+
+ static struct power_supply_desc fuel_gauge_desc = {
diff --git a/queue-6.3/power-supply-bq25890-fix-external_power_changed-race.patch b/queue-6.3/power-supply-bq25890-fix-external_power_changed-race.patch
new file mode 100644
index 00000000000..ac57fee770a
--- /dev/null
+++ b/queue-6.3/power-supply-bq25890-fix-external_power_changed-race.patch 
@@ -0,0 +1,64 @@ +From 029a443b9b6424170f00f6dd5b7682e682cce92e Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Sat, 15 Apr 2023 18:07:31 +0200 +Subject: power: supply: bq25890: Fix external_power_changed race + +From: Hans de Goede + +commit 029a443b9b6424170f00f6dd5b7682e682cce92e upstream. + +bq25890_charger_external_power_changed() dereferences bq->charger, +which gets sets in bq25890_power_supply_init() like this: + + bq->charger = devm_power_supply_register(bq->dev, &bq->desc, &psy_cfg); + +As soon as devm_power_supply_register() has called device_add() +the external_power_changed callback can get called. So there is a window +where bq25890_charger_external_power_changed() may get called while +bq->charger has not been set yet leading to a NULL pointer dereference. + +This race hits during boot sometimes on a Lenovo Yoga Book 1 yb1-x90f +when the cht_wcove_pwrsrc (extcon) power_supply is done with detecting +the connected charger-type which happens to exactly hit the small window: + + BUG: kernel NULL pointer dereference, address: 0000000000000018 + + RIP: 0010:__power_supply_is_supplied_by+0xb/0xb0 + + Call Trace: + + __power_supply_get_supplier_property+0x19/0x50 + class_for_each_device+0xb1/0xe0 + power_supply_get_property_from_supplier+0x2e/0x50 + bq25890_charger_external_power_changed+0x38/0x1b0 [bq25890_charger] + __power_supply_changed_work+0x30/0x40 + class_for_each_device+0xb1/0xe0 + power_supply_changed_work+0x5f/0xe0 + + +Fixing this is easy. The external_power_changed callback gets passed +the power_supply which will eventually get stored in bq->charger, +so bq25890_charger_external_power_changed() can simply directly use +the passed in psy argument which is always valid. 
+ +Fixes: eab25b4f93aa ("power: supply: bq25890: On the bq25892 set the IINLIM based on external charger detection") +Cc: stable@vger.kernel.org +Cc: Marek Vasut +Signed-off-by: Hans de Goede +Signed-off-by: Sebastian Reichel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/power/supply/bq25890_charger.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/power/supply/bq25890_charger.c ++++ b/drivers/power/supply/bq25890_charger.c +@@ -750,7 +750,7 @@ static void bq25890_charger_external_pow + if (bq->chip_version != BQ25892) + return; + +- ret = power_supply_get_property_from_supplier(bq->charger, ++ ret = power_supply_get_property_from_supplier(psy, + POWER_SUPPLY_PROP_USB_TYPE, + &val); + if (ret) diff --git a/queue-6.3/series b/queue-6.3/series index 5f7df29e679..25adc88ab1e 100644 --- a/queue-6.3/series +++ b/queue-6.3/series 
@@ -10,3 +10,27 @@ zsmalloc-move-lru-update-from-zs_map_object-to-zs_ma.patch
 watchdog-sp5100_tco-immediately-trigger-upon-starting.patch
 mm-vmemmap-devdax-fix-kernel-crash-when-probing-devdax-devices.patch
 ocfs2-switch-to-security_inode_init_security.patch
+x86-mm-avoid-incomplete-global-invlpg-flushes.patch
+platform-x86-intel-ifs-annotate-work-queue-on-stack-so-object-debug-does-not-complain.patch
+cifs-fix-cifs_limit_bvec_subset-to-correctly-check-the-maxmimum-size.patch
+cifs-fix-smb1-mount-regression.patch
+alsa-hda-ca0132-add-quirk-for-evga-x299-dark.patch
+alsa-hda-fix-unhandled-register-update-during-auto-suspend-period.patch
+alsa-hda-realtek-enable-headset-onlenovo-m70-m90.patch
+sunrpc-don-t-change-task-tk_status-after-the-call-to-rpc_exit_task.patch
+mmc-sdhci-esdhc-imx-make-no-mmc-hs400-works.patch
+mmc-block-ensure-error-propagation-for-non-blk.patch
+power-supply-axp288_fuel_gauge-fix-external_power_changed-race.patch
+power-supply-bq25890-fix-external_power_changed-race.patch
+asoc-rt5682-disable-jack-detection-interrupt-during-suspend.patch
+net-cdc_ncm-deal-with-too-low-values-of-dwntboutmaxsize.patch
+m68k-move-signal-frame-following-exception-on-68020-030.patch
+ipv-4-6-raw-fix-output-xfrm-lookup-wrt-protocol.patch
+xtensa-fix-signal-delivery-to-fdpic-process.patch
+xtensa-add-__bswap-si-di-2-helpers.patch
+parisc-use-num_present_cpus-in-alternative-patching-code.patch
+parisc-handle-kgdb-breakpoints-only-in-kernel-context.patch
+parisc-fix-flush_dcache_page-for-usage-from-irq-context.patch
+parisc-allow-to-reboot-machine-after-system-halt.patch
+parisc-enable-lockdep-support.patch
+parisc-handle-kprobes-breakpoints-only-in-kernel-context.patch
diff --git a/queue-6.3/sunrpc-don-t-change-task-tk_status-after-the-call-to-rpc_exit_task.patch b/queue-6.3/sunrpc-don-t-change-task-tk_status-after-the-call-to-rpc_exit_task.patch
new file mode 100644
index 00000000000..3c00259d53b
--- /dev/null
+++ b/queue-6.3/sunrpc-don-t-change-task-tk_status-after-the-call-to-rpc_exit_task.patch
@@ -0,0 +1,43 @@
+From d180891fba995bd54e25b089b1ec98d134873586 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust
+Date: Wed, 10 May 2023 12:28:00 -0400
+Subject: SUNRPC: Don't change task->tk_status after the call to rpc_exit_task
+
+From: Trond Myklebust
+
+commit d180891fba995bd54e25b089b1ec98d134873586 upstream.
+
+Some calls to rpc_exit_task() may deliberately change the value of
+task->tk_status, for instance because it gets checked by the RPC call's
+rpc_release() callback. That makes it wrong to reset the value to
+task->tk_rpc_status.
+In particular this causes a bug where the rpc_call_done() callback tries
+to fail over a set of pNFS/flexfiles writes to a different IP address,
+but the reset of task->tk_status causes nfs_commit_release_pages() to
+immediately mark the file as having a fatal error.
+
+Fixes: 39494194f93b ("SUNRPC: Fix races with rpc_killall_tasks()")
+Cc: stable@vger.kernel.org # 6.1.x
+Signed-off-by: Trond Myklebust
+Signed-off-by: Anna Schumaker
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sunrpc/sched.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/net/sunrpc/sched.c
++++ b/net/sunrpc/sched.c
+@@ -927,11 +927,10 @@ static void __rpc_execute(struct rpc_tas
+ */
+ do_action = task->tk_action;
+ /* Tasks with an RPC error status should exit */
+- if (do_action != rpc_exit_task &&
++ if (do_action && do_action != rpc_exit_task &&
+ (status = READ_ONCE(task->tk_rpc_status)) != 0) {
+ task->tk_status = status;
+- if (do_action != NULL)
+- do_action = rpc_exit_task;
++ do_action = rpc_exit_task;
+ }
+ /* Callbacks override all actions */
+ if (task->tk_callback) {
diff --git a/queue-6.3/x86-mm-avoid-incomplete-global-invlpg-flushes.patch b/queue-6.3/x86-mm-avoid-incomplete-global-invlpg-flushes.patch
new file mode 100644
index 00000000000..ef71ba8aa95
--- /dev/null
+++ b/queue-6.3/x86-mm-avoid-incomplete-global-invlpg-flushes.patch
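Review bot: The comment `/* Tasks with an RPC error status should exit */` in __rpc_execute() no longer describes the condition below it: after this change tk_status is left untouched when tk_action is NULL or is already rpc_exit_task. Since that distinction is the whole point of the fix, I would spell it out, e.g. `/* Tasks with an RPC error status should exit; leave tk_status alone if the task is already exiting or has no action left */`. __rpc_execute() starts and ends outside the hunk.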
@@ -0,0 +1,85 @@ +From ce0b15d11ad837fbacc5356941712218e38a0a83 Mon Sep 17 00:00:00 2001 +From: Dave Hansen +Date: Tue, 16 May 2023 12:24:25 -0700 +Subject: x86/mm: Avoid incomplete Global INVLPG flushes + +From: Dave Hansen + +commit ce0b15d11ad837fbacc5356941712218e38a0a83 upstream. + +The INVLPG instruction is used to invalidate TLB entries for a +specified virtual address. When PCIDs are enabled, INVLPG is supposed +to invalidate TLB entries for the specified address for both the +current PCID *and* Global entries. (Note: Only kernel mappings set +Global=1.) + +Unfortunately, some INVLPG implementations can leave Global +translations unflushed when PCIDs are enabled. + +As a workaround, never enable PCIDs on affected processors. + +I expect there to eventually be microcode mitigations to replace this +software workaround. However, the exact version numbers where that +will happen are not known today. Once the version numbers are set in +stone, the processor list can be tweaked to only disable PCIDs on +affected processors with affected microcode. + +Note: if anyone wants a quick fix that doesn't require patching, just +stick 'nopcid' on your kernel command-line. + +Signed-off-by: Dave Hansen +Reviewed-by: Thomas Gleixner +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/mm/init.c | 25 +++++++++++++++++++++++++ + 1 file changed, 25 insertions(+) + +--- a/arch/x86/mm/init.c ++++ b/arch/x86/mm/init.c +@@ -9,6 +9,7 @@ + #include + + #include ++#include + #include + #include + #include +@@ -261,6 +262,24 @@ static void __init probe_page_size_mask( + } + } + ++#define INTEL_MATCH(_model) { .vendor = X86_VENDOR_INTEL, \ ++ .family = 6, \ ++ .model = _model, \ ++ } ++/* ++ * INVLPG may not properly flush Global entries ++ * on these CPUs when PCIDs are enabled. 
++ */ ++static const struct x86_cpu_id invlpg_miss_ids[] = { ++ INTEL_MATCH(INTEL_FAM6_ALDERLAKE ), ++ INTEL_MATCH(INTEL_FAM6_ALDERLAKE_L ), ++ INTEL_MATCH(INTEL_FAM6_ALDERLAKE_N ), ++ INTEL_MATCH(INTEL_FAM6_RAPTORLAKE ), ++ INTEL_MATCH(INTEL_FAM6_RAPTORLAKE_P), ++ INTEL_MATCH(INTEL_FAM6_RAPTORLAKE_S), ++ {} ++}; ++ + static void setup_pcid(void) + { + if (!IS_ENABLED(CONFIG_X86_64)) +@@ -269,6 +288,12 @@ static void setup_pcid(void) + if (!boot_cpu_has(X86_FEATURE_PCID)) + return; + ++ if (x86_match_cpu(invlpg_miss_ids)) { ++ pr_info("Incomplete global flushes, disabling PCID"); ++ setup_clear_cpu_cap(X86_FEATURE_PCID); ++ return; ++ } ++ + if (boot_cpu_has(X86_FEATURE_PGE)) { + /* + * This can't be cr4_set_bits_and_update_boot() -- the diff --git a/queue-6.3/xtensa-add-__bswap-si-di-2-helpers.patch b/queue-6.3/xtensa-add-__bswap-si-di-2-helpers.patch new file mode 100644 index 00000000000..869e710174c --- /dev/null +++ b/queue-6.3/xtensa-add-__bswap-si-di-2-helpers.patch 
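Review bot: `pr_info("Incomplete global flushes, disabling PCID");` in setup_pcid() has no trailing newline, so it relies on printk's implicit line termination and departs from the usual kernel convention; it should be `pr_info("Incomplete global flushes, disabling PCID\n");`. The file-local `INTEL_MATCH()` macro has a very generic name and is never `#undef`ed; the existing `X86_MATCH_INTEL_FAM6_MODEL()` helper looks like it would express the same table, though the include added here is not legible in this view, so that needs checking. As the description says, the list matches on model only and ignores microcode revision, so a short comment at invlpg_miss_ids saying it is meant to be narrowed once fixed microcode versions are known would keep that intent next to the code.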
@@ -0,0 +1,100 @@ +From 034f4a7877c32a8efd6beee4d71ed14e424499a9 Mon Sep 17 00:00:00 2001 +From: Max Filippov +Date: Sat, 6 May 2023 17:10:36 -0700 +Subject: xtensa: add __bswap{si,di}2 helpers + +From: Max Filippov + +commit 034f4a7877c32a8efd6beee4d71ed14e424499a9 upstream. + +gcc-13 may generate calls for __bswap{si,di}2. This breaks the kernel +build when optimization for size is selected. Add __bswap{si,di}2 +helpers to fix that. + +Cc: stable@vger.kernel.org +Fixes: 19c5699f9aff ("xtensa: don't link with libgcc") +Signed-off-by: Max Filippov +Signed-off-by: Greg Kroah-Hartman +--- + arch/xtensa/kernel/xtensa_ksyms.c | 4 ++++ + arch/xtensa/lib/Makefile | 2 +- + arch/xtensa/lib/bswapdi2.S | 21 +++++++++++++++++++++ + arch/xtensa/lib/bswapsi2.S | 16 ++++++++++++++++ + 4 files changed, 42 insertions(+), 1 deletion(-) + create mode 100644 arch/xtensa/lib/bswapdi2.S + create mode 100644 arch/xtensa/lib/bswapsi2.S + +--- a/arch/xtensa/kernel/xtensa_ksyms.c ++++ b/arch/xtensa/kernel/xtensa_ksyms.c +@@ -56,6 +56,8 @@ EXPORT_SYMBOL(empty_zero_page); + */ + extern long long __ashrdi3(long long, int); + extern long long __ashldi3(long long, int); ++extern long long __bswapdi2(long long); ++extern int __bswapsi2(int); + extern long long __lshrdi3(long long, int); + extern int __divsi3(int, int); + extern int __modsi3(int, int); +@@ -66,6 +68,8 @@ extern unsigned long long __umulsidi3(un + + EXPORT_SYMBOL(__ashldi3); + EXPORT_SYMBOL(__ashrdi3); ++EXPORT_SYMBOL(__bswapdi2); ++EXPORT_SYMBOL(__bswapsi2); + EXPORT_SYMBOL(__lshrdi3); + EXPORT_SYMBOL(__divsi3); + EXPORT_SYMBOL(__modsi3); +--- a/arch/xtensa/lib/Makefile ++++ b/arch/xtensa/lib/Makefile +@@ -4,7 +4,7 @@ + # + + lib-y += memcopy.o memset.o checksum.o \ +- ashldi3.o ashrdi3.o lshrdi3.o \ ++ ashldi3.o ashrdi3.o bswapdi2.o bswapsi2.o lshrdi3.o \ + divsi3.o udivsi3.o modsi3.o umodsi3.o mulsi3.o umulsidi3.o \ + usercopy.o strncpy_user.o strnlen_user.o + lib-$(CONFIG_PCI) += pci-auto.o +--- /dev/null ++++ 
b/arch/xtensa/lib/bswapdi2.S +@@ -0,0 +1,21 @@ ++/* SPDX-License-Identifier: GPL-2.0-or-later WITH GCC-exception-2.0 */ ++#include ++#include ++#include ++ ++ENTRY(__bswapdi2) ++ ++ abi_entry_default ++ ssai 8 ++ srli a4, a2, 16 ++ src a4, a4, a2 ++ src a4, a4, a4 ++ src a4, a2, a4 ++ srli a2, a3, 16 ++ src a2, a2, a3 ++ src a2, a2, a2 ++ src a2, a3, a2 ++ mov a3, a4 ++ abi_ret_default ++ ++ENDPROC(__bswapdi2) +--- /dev/null ++++ b/arch/xtensa/lib/bswapsi2.S +@@ -0,0 +1,16 @@ ++/* SPDX-License-Identifier: GPL-2.0-or-later WITH GCC-exception-2.0 */ ++#include ++#include ++#include ++ ++ENTRY(__bswapsi2) ++ ++ abi_entry_default ++ ssai 8 ++ srli a3, a2, 16 ++ src a3, a3, a2 ++ src a3, a3, a3 ++ src a2, a2, a3 ++ abi_ret_default ++ ++ENDPROC(__bswapsi2) diff --git a/queue-6.3/xtensa-fix-signal-delivery-to-fdpic-process.patch b/queue-6.3/xtensa-fix-signal-delivery-to-fdpic-process.patch new file mode 100644 index 00000000000..19a6a8e46f0 --- /dev/null +++ b/queue-6.3/xtensa-fix-signal-delivery-to-fdpic-process.patch 
@@ -0,0 +1,95 @@ +From 9c2cc74fb31ec76b8b118c97041a6a154a3ff219 Mon Sep 17 00:00:00 2001 +From: Max Filippov +Date: Tue, 2 May 2023 03:20:47 -0700 +Subject: xtensa: fix signal delivery to FDPIC process + +From: Max Filippov + +commit 9c2cc74fb31ec76b8b118c97041a6a154a3ff219 upstream. + +Fetch function descriptor pointed to by the signal handler pointer from +userspace on signal delivery and function pointer pointed to by the +sa_restorer on return from the signal handler. + +Cc: stable@vger.kernel.org +Fixes: e3ddb8bbe0f8 ("xtensa: add FDPIC and static PIE support for noMMU") +Signed-off-by: Max Filippov +Signed-off-by: Greg Kroah-Hartman +--- + arch/xtensa/kernel/signal.c | 35 +++++++++++++++++++++++++++-------- + 1 file changed, 27 insertions(+), 8 deletions(-) + +--- a/arch/xtensa/kernel/signal.c ++++ b/arch/xtensa/kernel/signal.c +@@ -343,7 +343,19 @@ static int setup_frame(struct ksignal *k + struct rt_sigframe *frame; + int err = 0, sig = ksig->sig; + unsigned long sp, ra, tp, ps; ++ unsigned long handler = (unsigned long)ksig->ka.sa.sa_handler; ++ unsigned long handler_fdpic_GOT = 0; + unsigned int base; ++ bool fdpic = IS_ENABLED(CONFIG_BINFMT_ELF_FDPIC) && ++ (current->personality & FDPIC_FUNCPTRS); ++ ++ if (fdpic) { ++ unsigned long __user *fdpic_func_desc = ++ (unsigned long __user *)handler; ++ if (__get_user(handler, &fdpic_func_desc[0]) || ++ __get_user(handler_fdpic_GOT, &fdpic_func_desc[1])) ++ return -EFAULT; ++ } + + sp = regs->areg[1]; + +@@ -373,20 +385,26 @@ static int setup_frame(struct ksignal *k + err |= __copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set)); + + if (ksig->ka.sa.sa_flags & SA_RESTORER) { +- ra = (unsigned long)ksig->ka.sa.sa_restorer; ++ if (fdpic) { ++ unsigned long __user *fdpic_func_desc = ++ (unsigned long __user *)ksig->ka.sa.sa_restorer; ++ ++ err |= __get_user(ra, fdpic_func_desc); ++ } else { ++ ra = (unsigned long)ksig->ka.sa.sa_restorer; ++ } + } else { + + /* Create sys_rt_sigreturn syscall in stack frame */ + 
+ err |= gen_return_code(frame->retcode); +- +- if (err) { +- return -EFAULT; +- } + ra = (unsigned long) frame->retcode; + } + +- /* ++ if (err) ++ return -EFAULT; ++ ++ /* + * Create signal handler execution context. + * Return context not modified until this point. + */ +@@ -394,8 +412,7 @@ static int setup_frame(struct ksignal *k + /* Set up registers for signal handler; preserve the threadptr */ + tp = regs->threadptr; + ps = regs->ps; +- start_thread(regs, (unsigned long) ksig->ka.sa.sa_handler, +- (unsigned long) frame); ++ start_thread(regs, handler, (unsigned long)frame); + + /* Set up a stack frame for a call4 if userspace uses windowed ABI */ + if (ps & PS_WOE_MASK) { +@@ -413,6 +430,8 @@ static int setup_frame(struct ksignal *k + regs->areg[base + 4] = (unsigned long) &frame->uc; + regs->threadptr = tp; + regs->ps = ps; ++ if (fdpic) ++ regs->areg[base + 11] = handler_fdpic_GOT; + + pr_debug("SIG rt deliver (%s:%d): signal=%d sp=%p pc=%08lx\n", + current->comm, current->pid, sig, frame, regs->pc);
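Review bot: In setup_frame() the FDPIC path reads the function descriptors with `__get_user()`, which skips the access_ok() range check, from addresses taken directly from the process's sigaction: `sa_handler` for the handler/GOT pair and `sa_restorer` for `ra`. Nothing in the visible hunks validates those pointers first, so unless that happens elsewhere (not shown) I would use the checking form: `if (get_user(handler, &fdpic_func_desc[0]) || get_user(handler_fdpic_GOT, &fdpic_func_desc[1]))` and `err |= get_user(ra, fdpic_func_desc);`. The Fixes: line suggests FDPIC is a noMMU feature today, where the check is probably moot, but the code is gated only on CONFIG_BINFMT_ELF_FDPIC and the personality bit. setup_frame() starts and ends outside the hunks.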