From: Greg Kroah-Hartman Date: Mon, 24 Feb 2025 11:09:24 +0000 (+0100) Subject: 6.1-stable patches X-Git-Tag: v6.6.80~19 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=af63ef9e0da41b78eedf8aad56b7bcc0dc099070;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: acct-block-access-to-kernel-internal-filesystems.patch acct-perform-last-write-from-workqueue.patch alsa-hda-add-error-check-for-snd_ctl_rename_id-in-snd_hda_create_dig_out_ctls.patch alsa-hda-conexant-add-quirk-for-hp-probook-450-g4-mute-led.patch asoc-fsl_micfil-enable-default-case-in-micfil_set_quality.patch drm-i915-make-sure-all-planes-in-use-by-the-joiner-have-their-crtc-included.patch drm-msm-dpu-disable-dither-in-phys-encoder-cleanup.patch drop_monitor-fix-incorrect-initialization-order.patch edac-qcom-correct-interrupt-enable-register-configuration.patch ftrace-correct-preemption-accounting-for-function-tracing.patch ftrace-do-not-add-duplicate-entries-in-subops-manager-ops.patch mm-madvise-hugetlb-check-for-0-length-range-after-end-address-adjustment.patch mtd-rawnand-cadence-fix-error-code-in-cadence_nand_init.patch mtd-rawnand-cadence-fix-incorrect-device-in-dma_unmap_single.patch mtd-rawnand-cadence-use-dma_map_resource-for-sdma-address.patch nfp-bpf-add-check-for-nfp_app_ctrl_msg_alloc.patch smb-client-add-check-for-next_buffer-in-receive_encrypted_standard.patch tee-optee-fix-supplicant-wait-loop.patch --- diff --git a/queue-6.1/acct-block-access-to-kernel-internal-filesystems.patch b/queue-6.1/acct-block-access-to-kernel-internal-filesystems.patch new file mode 100644 index 0000000000..8b28be2902 --- /dev/null +++ b/queue-6.1/acct-block-access-to-kernel-internal-filesystems.patch @@ -0,0 +1,47 @@ +From 890ed45bde808c422c3c27d3285fc45affa0f930 Mon Sep 17 00:00:00 2001 +From: Christian Brauner +Date: Tue, 11 Feb 2025 18:16:00 +0100 +Subject: acct: block access to kernel internal filesystems + +From: Christian Brauner + +commit 890ed45bde808c422c3c27d3285fc45affa0f930 upstream. + +There's no point in allowing anything kernel internal nor procfs or +sysfs. + +Link: https://lore.kernel.org/r/20250127091811.3183623-1-quzicheng@huawei.com +Link: https://lore.kernel.org/r/20250211-work-acct-v1-2-1c16aecab8b3@kernel.org +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reviewed-by: Amir Goldstein +Reported-by: Zicheng Qu +Cc: stable@vger.kernel.org +Signed-off-by: Christian Brauner +Signed-off-by: Greg Kroah-Hartman +--- + kernel/acct.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +--- a/kernel/acct.c ++++ b/kernel/acct.c +@@ -244,6 +244,20 @@ static int acct_on(struct filename *path + return -EACCES; + } + ++ /* Exclude kernel kernel internal filesystems. */ ++ if (file_inode(file)->i_sb->s_flags & (SB_NOUSER | SB_KERNMOUNT)) { ++ kfree(acct); ++ filp_close(file, NULL); ++ return -EINVAL; ++ } ++ ++ /* Exclude procfs and sysfs. */ ++ if (file_inode(file)->i_sb->s_iflags & SB_I_USERNS_VISIBLE) { ++ kfree(acct); ++ filp_close(file, NULL); ++ return -EINVAL; ++ } ++ + if (!(file->f_mode & FMODE_CAN_WRITE)) { + kfree(acct); + filp_close(file, NULL); diff --git a/queue-6.1/acct-perform-last-write-from-workqueue.patch b/queue-6.1/acct-perform-last-write-from-workqueue.patch new file mode 100644 index 0000000000..fb4f864c77 --- /dev/null +++ b/queue-6.1/acct-perform-last-write-from-workqueue.patch @@ -0,0 +1,248 @@ +From 56d5f3eba3f5de0efdd556de4ef381e109b973a9 Mon Sep 17 00:00:00 2001 +From: Christian Brauner +Date: Tue, 11 Feb 2025 18:15:59 +0100 +Subject: acct: perform last write from workqueue + +From: Christian Brauner + +commit 56d5f3eba3f5de0efdd556de4ef381e109b973a9 upstream. + +In [1] it was reported that the acct(2) system call can be used to +trigger NULL deref in cases where it is set to write to a file that +triggers an internal lookup. This can e.g., happen when pointing acc(2) +to /sys/power/resume. At the point the where the write to this file +happens the calling task has already exited and called exit_fs(). A +lookup will thus trigger a NULL-deref when accessing current->fs. + +Reorganize the code so that the the final write happens from the +workqueue but with the caller's credentials. This preserves the +(strange) permission model and has almost no regression risk. + +This api should stop to exist though. + +Link: https://lore.kernel.org/r/20250127091811.3183623-1-quzicheng@huawei.com [1] +Link: https://lore.kernel.org/r/20250211-work-acct-v1-1-1c16aecab8b3@kernel.org +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: Zicheng Qu +Cc: stable@vger.kernel.org +Signed-off-by: Christian Brauner +Signed-off-by: Greg Kroah-Hartman +--- + kernel/acct.c | 120 +++++++++++++++++++++++++++++++++------------------------- + 1 file changed, 70 insertions(+), 50 deletions(-) + +--- a/kernel/acct.c ++++ b/kernel/acct.c +@@ -104,48 +104,50 @@ struct bsd_acct_struct { + atomic_long_t count; + struct rcu_head rcu; + struct mutex lock; +- int active; ++ bool active; ++ bool check_space; + unsigned long needcheck; + struct file *file; + struct pid_namespace *ns; + struct work_struct work; + struct completion done; ++ acct_t ac; + }; + +-static void do_acct_process(struct bsd_acct_struct *acct); ++static void fill_ac(struct bsd_acct_struct *acct); ++static void acct_write_process(struct bsd_acct_struct *acct); + + /* + * Check the amount of free space and suspend/resume accordingly. + */ +-static int check_free_space(struct bsd_acct_struct *acct) ++static bool check_free_space(struct bsd_acct_struct *acct) + { + struct kstatfs sbuf; + +- if (time_is_after_jiffies(acct->needcheck)) +- goto out; ++ if (!acct->check_space) ++ return acct->active; + + /* May block */ + if (vfs_statfs(&acct->file->f_path, &sbuf)) +- goto out; ++ return acct->active; + + if (acct->active) { + u64 suspend = sbuf.f_blocks * SUSPEND; + do_div(suspend, 100); + if (sbuf.f_bavail <= suspend) { +- acct->active = 0; ++ acct->active = false; + pr_info("Process accounting paused\n"); + } + } else { + u64 resume = sbuf.f_blocks * RESUME; + do_div(resume, 100); + if (sbuf.f_bavail >= resume) { +- acct->active = 1; ++ acct->active = true; + pr_info("Process accounting resumed\n"); + } + } + + acct->needcheck = jiffies + ACCT_TIMEOUT*HZ; +-out: + return acct->active; + } + +@@ -190,7 +192,11 @@ static void acct_pin_kill(struct fs_pin + { + struct bsd_acct_struct *acct = to_acct(pin); + mutex_lock(&acct->lock); +- do_acct_process(acct); ++ /* ++ * Fill the accounting struct with the exiting task's info ++ * before punting to the workqueue. ++ */ ++ fill_ac(acct); + schedule_work(&acct->work); + wait_for_completion(&acct->done); + cmpxchg(&acct->ns->bacct, pin, NULL); +@@ -203,6 +209,9 @@ static void close_work(struct work_struc + { + struct bsd_acct_struct *acct = container_of(work, struct bsd_acct_struct, work); + struct file *file = acct->file; ++ ++ /* We were fired by acct_pin_kill() which holds acct->lock. */ ++ acct_write_process(acct); + if (file->f_op->flush) + file->f_op->flush(file, NULL); + __fput_sync(file); +@@ -431,13 +440,27 @@ static u32 encode_float(u64 value) + * do_exit() or when switching to a different output file. + */ + +-static void fill_ac(acct_t *ac) ++static void fill_ac(struct bsd_acct_struct *acct) + { + struct pacct_struct *pacct = ¤t->signal->pacct; ++ struct file *file = acct->file; ++ acct_t *ac = &acct->ac; + u64 elapsed, run_time; + time64_t btime; + struct tty_struct *tty; + ++ lockdep_assert_held(&acct->lock); ++ ++ if (time_is_after_jiffies(acct->needcheck)) { ++ acct->check_space = false; ++ ++ /* Don't fill in @ac if nothing will be written. */ ++ if (!acct->active) ++ return; ++ } else { ++ acct->check_space = true; ++ } ++ + /* + * Fill the accounting struct with the needed info as recorded + * by the different kernel functions. +@@ -485,64 +508,61 @@ static void fill_ac(acct_t *ac) + ac->ac_majflt = encode_comp_t(pacct->ac_majflt); + ac->ac_exitcode = pacct->ac_exitcode; + spin_unlock_irq(¤t->sighand->siglock); +-} +-/* +- * do_acct_process does all actual work. Caller holds the reference to file. +- */ +-static void do_acct_process(struct bsd_acct_struct *acct) +-{ +- acct_t ac; +- unsigned long flim; +- const struct cred *orig_cred; +- struct file *file = acct->file; +- +- /* +- * Accounting records are not subject to resource limits. +- */ +- flim = rlimit(RLIMIT_FSIZE); +- current->signal->rlim[RLIMIT_FSIZE].rlim_cur = RLIM_INFINITY; +- /* Perform file operations on behalf of whoever enabled accounting */ +- orig_cred = override_creds(file->f_cred); + +- /* +- * First check to see if there is enough free_space to continue +- * the process accounting system. +- */ +- if (!check_free_space(acct)) +- goto out; +- +- fill_ac(&ac); + /* we really need to bite the bullet and change layout */ +- ac.ac_uid = from_kuid_munged(file->f_cred->user_ns, orig_cred->uid); +- ac.ac_gid = from_kgid_munged(file->f_cred->user_ns, orig_cred->gid); ++ ac->ac_uid = from_kuid_munged(file->f_cred->user_ns, current_uid()); ++ ac->ac_gid = from_kgid_munged(file->f_cred->user_ns, current_gid()); + #if ACCT_VERSION == 1 || ACCT_VERSION == 2 + /* backward-compatible 16 bit fields */ +- ac.ac_uid16 = ac.ac_uid; +- ac.ac_gid16 = ac.ac_gid; ++ ac->ac_uid16 = ac->ac_uid; ++ ac->ac_gid16 = ac->ac_gid; + #elif ACCT_VERSION == 3 + { + struct pid_namespace *ns = acct->ns; + +- ac.ac_pid = task_tgid_nr_ns(current, ns); ++ ac->ac_pid = task_tgid_nr_ns(current, ns); + rcu_read_lock(); +- ac.ac_ppid = task_tgid_nr_ns(rcu_dereference(current->real_parent), +- ns); ++ ac->ac_ppid = task_tgid_nr_ns(rcu_dereference(current->real_parent), ns); + rcu_read_unlock(); + } + #endif ++} ++ ++static void acct_write_process(struct bsd_acct_struct *acct) ++{ ++ struct file *file = acct->file; ++ const struct cred *cred; ++ acct_t *ac = &acct->ac; ++ ++ /* Perform file operations on behalf of whoever enabled accounting */ ++ cred = override_creds(file->f_cred); ++ + /* +- * Get freeze protection. If the fs is frozen, just skip the write +- * as we could deadlock the system otherwise. ++ * First check to see if there is enough free_space to continue ++ * the process accounting system. Then get freeze protection. If ++ * the fs is frozen, just skip the write as we could deadlock ++ * the system otherwise. + */ +- if (file_start_write_trylock(file)) { ++ if (check_free_space(acct) && file_start_write_trylock(file)) { + /* it's been opened O_APPEND, so position is irrelevant */ + loff_t pos = 0; +- __kernel_write(file, &ac, sizeof(acct_t), &pos); ++ __kernel_write(file, ac, sizeof(acct_t), &pos); + file_end_write(file); + } +-out: ++ ++ revert_creds(cred); ++} ++ ++static void do_acct_process(struct bsd_acct_struct *acct) ++{ ++ unsigned long flim; ++ ++ /* Accounting records are not subject to resource limits. */ ++ flim = rlimit(RLIMIT_FSIZE); ++ current->signal->rlim[RLIMIT_FSIZE].rlim_cur = RLIM_INFINITY; ++ fill_ac(acct); ++ acct_write_process(acct); + current->signal->rlim[RLIMIT_FSIZE].rlim_cur = flim; +- revert_creds(orig_cred); + } + + /** diff --git a/queue-6.1/alsa-hda-add-error-check-for-snd_ctl_rename_id-in-snd_hda_create_dig_out_ctls.patch b/queue-6.1/alsa-hda-add-error-check-for-snd_ctl_rename_id-in-snd_hda_create_dig_out_ctls.patch new file mode 100644 index 0000000000..d8b9fb2b74 --- /dev/null +++ b/queue-6.1/alsa-hda-add-error-check-for-snd_ctl_rename_id-in-snd_hda_create_dig_out_ctls.patch @@ -0,0 +1,41 @@ +From 822b7ec657e99b44b874e052d8540d8b54fe8569 Mon Sep 17 00:00:00 2001 +From: Wentao Liang +Date: Thu, 13 Feb 2025 15:45:43 +0800 +Subject: ALSA: hda: Add error check for snd_ctl_rename_id() in snd_hda_create_dig_out_ctls() + +From: Wentao Liang + +commit 822b7ec657e99b44b874e052d8540d8b54fe8569 upstream. + +Check the return value of snd_ctl_rename_id() in +snd_hda_create_dig_out_ctls(). Ensure that failures +are properly handled. + +[ Note: the error cannot happen practically because the only error + condition in snd_ctl_rename_id() is the missing ID, but this is a + rename, hence it must be present. But for the code consistency, + it's safer to have always the proper return check -- tiwai ] + +Fixes: 5c219a340850 ("ALSA: hda: Fix kctl->id initialization") +Cc: stable@vger.kernel.org # 6.4+ +Signed-off-by: Wentao Liang +Link: https://patch.msgid.link/20250213074543.1620-1-vulab@iscas.ac.cn +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/hda_codec.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/sound/pci/hda/hda_codec.c ++++ b/sound/pci/hda/hda_codec.c +@@ -2465,7 +2465,9 @@ int snd_hda_create_dig_out_ctls(struct h + break; + id = kctl->id; + id.index = spdif_index; +- snd_ctl_rename_id(codec->card, &kctl->id, &id); ++ err = snd_ctl_rename_id(codec->card, &kctl->id, &id); ++ if (err < 0) ++ return err; + } + bus->primary_dig_out_type = HDA_PCM_TYPE_HDMI; + } diff --git a/queue-6.1/alsa-hda-conexant-add-quirk-for-hp-probook-450-g4-mute-led.patch b/queue-6.1/alsa-hda-conexant-add-quirk-for-hp-probook-450-g4-mute-led.patch new file mode 100644 index 0000000000..d961564af0 --- /dev/null +++ b/queue-6.1/alsa-hda-conexant-add-quirk-for-hp-probook-450-g4-mute-led.patch @@ -0,0 +1,31 @@ +From 6d1f86610f23b0bc334d6506a186f21a98f51392 Mon Sep 17 00:00:00 2001 +From: John Veness +Date: Mon, 17 Feb 2025 12:15:50 +0000 +Subject: ALSA: hda/conexant: Add quirk for HP ProBook 450 G4 mute LED + +From: John Veness + +commit 6d1f86610f23b0bc334d6506a186f21a98f51392 upstream. + +Allows the LED on the dedicated mute button on the HP ProBook 450 G4 +laptop to change colour correctly. + +Signed-off-by: John Veness +Cc: +Link: https://patch.msgid.link/2fb55d48-6991-4a42-b591-4c78f2fad8d7@pelago.org.uk +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_conexant.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_conexant.c ++++ b/sound/pci/hda/patch_conexant.c +@@ -1098,6 +1098,7 @@ static const struct snd_pci_quirk cxt506 + SND_PCI_QUIRK(0x103c, 0x814f, "HP ZBook 15u G3", CXT_FIXUP_MUTE_LED_GPIO), + SND_PCI_QUIRK(0x103c, 0x8174, "HP Spectre x360", CXT_FIXUP_HP_SPECTRE), + SND_PCI_QUIRK(0x103c, 0x822e, "HP ProBook 440 G4", CXT_FIXUP_MUTE_LED_GPIO), ++ SND_PCI_QUIRK(0x103c, 0x8231, "HP ProBook 450 G4", CXT_FIXUP_MUTE_LED_GPIO), + SND_PCI_QUIRK(0x103c, 0x828c, "HP EliteBook 840 G4", CXT_FIXUP_HP_DOCK), + SND_PCI_QUIRK(0x103c, 0x8299, "HP 800 G3 SFF", CXT_FIXUP_HP_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x103c, 0x829a, "HP 800 G3 DM", CXT_FIXUP_HP_MIC_NO_PRESENCE), diff --git a/queue-6.1/asoc-fsl_micfil-enable-default-case-in-micfil_set_quality.patch b/queue-6.1/asoc-fsl_micfil-enable-default-case-in-micfil_set_quality.patch new file mode 100644 index 0000000000..6fb0409368 --- /dev/null +++ b/queue-6.1/asoc-fsl_micfil-enable-default-case-in-micfil_set_quality.patch @@ -0,0 +1,41 @@ +From a8c9a453387640dbe45761970f41301a6985e7fa Mon Sep 17 00:00:00 2001 +From: Nikita Zhandarovich +Date: Thu, 16 Jan 2025 06:24:36 -0800 +Subject: ASoC: fsl_micfil: Enable default case in micfil_set_quality() + +From: Nikita Zhandarovich + +commit a8c9a453387640dbe45761970f41301a6985e7fa upstream. + +If 'micfil->quality' received from micfil_quality_set() somehow ends +up with an unpredictable value, switch() operator will fail to +initialize local variable qsel before regmap_update_bits() tries +to utilize it. + +While it is unlikely, play it safe and enable a default case that +returns -EINVAL error. + +Found by Linux Verification Center (linuxtesting.org) with static +analysis tool SVACE. + +Fixes: bea1d61d5892 ("ASoC: fsl_micfil: rework quality setting") +Cc: stable@vger.kernel.org +Signed-off-by: Nikita Zhandarovich +Link: https://patch.msgid.link/20250116142436.22389-1-n.zhandarovich@fintech.ru +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/fsl/fsl_micfil.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/sound/soc/fsl/fsl_micfil.c ++++ b/sound/soc/fsl/fsl_micfil.c +@@ -123,6 +123,8 @@ static int micfil_set_quality(struct fsl + case QUALITY_VLOW2: + qsel = MICFIL_QSEL_VLOW2_QUALITY; + break; ++ default: ++ return -EINVAL; + } + + return regmap_update_bits(micfil->regmap, REG_MICFIL_CTRL2, diff --git a/queue-6.1/drm-i915-make-sure-all-planes-in-use-by-the-joiner-have-their-crtc-included.patch b/queue-6.1/drm-i915-make-sure-all-planes-in-use-by-the-joiner-have-their-crtc-included.patch new file mode 100644 index 0000000000..f7bd3b3dfe --- /dev/null +++ b/queue-6.1/drm-i915-make-sure-all-planes-in-use-by-the-joiner-have-their-crtc-included.patch @@ -0,0 +1,71 @@ +From 07fb70d82e0df085980246bf17bc12537588795f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= +Date: Wed, 12 Feb 2025 18:43:21 +0200 +Subject: drm/i915: Make sure all planes in use by the joiner have their crtc included +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ville Syrjälä + +commit 07fb70d82e0df085980246bf17bc12537588795f upstream. + +Any active plane needs to have its crtc included in the atomic +state. For planes enabled via uapi that is all handler in the core. +But when we use a plane for joiner the uapi code things the plane +is disabled and therefore doesn't have a crtc. So we need to pull +those in by hand. We do it first thing in +intel_joiner_add_affected_crtcs() so that any newly added crtc will +subsequently pull in all of its joined crtcs as well. + +The symptoms from failing to do this are: +- duct tape in the form of commit 1d5b09f8daf8 ("drm/i915: Fix NULL + ptr deref by checking new_crtc_state") +- the plane's hw state will get overwritten by the disabled + uapi state if it can't find the uapi counterpart plane in + the atomic state from where it should copy the correct state + +Cc: stable@vger.kernel.org +Reviewed-by: Maarten Lankhorst +Signed-off-by: Ville Syrjälä +Link: https://patchwork.freedesktop.org/patch/msgid/20250212164330.16891-2-ville.syrjala@linux.intel.com +(cherry picked from commit 91077d1deb5374eb8be00fb391710f00e751dc4b) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/i915/display/intel_display.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +--- a/drivers/gpu/drm/i915/display/intel_display.c ++++ b/drivers/gpu/drm/i915/display/intel_display.c +@@ -6691,12 +6691,30 @@ static int intel_async_flip_check_hw(str + static int intel_bigjoiner_add_affected_crtcs(struct intel_atomic_state *state) + { + struct drm_i915_private *i915 = to_i915(state->base.dev); ++ const struct intel_plane_state *plane_state; + struct intel_crtc_state *crtc_state; ++ struct intel_plane *plane; + struct intel_crtc *crtc; + u8 affected_pipes = 0; + u8 modeset_pipes = 0; + int i; + ++ /* ++ * Any plane which is in use by the joiner needs its crtc. ++ * Pull those in first as this will not have happened yet ++ * if the plane remains disabled according to uapi. ++ */ ++ for_each_new_intel_plane_in_state(state, plane, plane_state, i) { ++ crtc = to_intel_crtc(plane_state->hw.crtc); ++ if (!crtc) ++ continue; ++ ++ crtc_state = intel_atomic_get_crtc_state(&state->base, crtc); ++ if (IS_ERR(crtc_state)) ++ return PTR_ERR(crtc_state); ++ } ++ ++ /* Now pull in all joined crtcs */ + for_each_new_intel_crtc_in_state(state, crtc, crtc_state, i) { + affected_pipes |= crtc_state->bigjoiner_pipes; + if (intel_crtc_needs_modeset(crtc_state)) diff --git a/queue-6.1/drm-msm-dpu-disable-dither-in-phys-encoder-cleanup.patch b/queue-6.1/drm-msm-dpu-disable-dither-in-phys-encoder-cleanup.patch new file mode 100644 index 0000000000..3047e9d903 --- /dev/null +++ b/queue-6.1/drm-msm-dpu-disable-dither-in-phys-encoder-cleanup.patch @@ -0,0 +1,42 @@ +From f063ac6b55df03ed25996bdc84d9e1c50147cfa1 Mon Sep 17 00:00:00 2001 +From: Jessica Zhang +Date: Tue, 11 Feb 2025 19:59:19 -0800 +Subject: drm/msm/dpu: Disable dither in phys encoder cleanup + +From: Jessica Zhang + +commit f063ac6b55df03ed25996bdc84d9e1c50147cfa1 upstream. + +Disable pingpong dither in dpu_encoder_helper_phys_cleanup(). + +This avoids the issue where an encoder unknowingly uses dither after +reserving a pingpong block that was previously bound to an encoder that +had enabled dither. + +Cc: stable@vger.kernel.org +Reported-by: Dmitry Baryshkov +Closes: https://lore.kernel.org/all/jr7zbj5w7iq4apg3gofuvcwf4r2swzqjk7sshwcdjll4mn6ctt@l2n3qfpujg3q/ +Signed-off-by: Jessica Zhang +Reviewed-by: Dmitry Baryshkov +Reviewed-by: Abhinav Kumar +Fixes: 3c128638a07d ("drm/msm/dpu: add support for dither block in display") +Patchwork: https://patchwork.freedesktop.org/patch/636517/ +Link: https://lore.kernel.org/r/20250211-dither-disable-v1-1-ac2cb455f6b9@quicinc.com +Signed-off-by: Abhinav Kumar +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c +@@ -2059,6 +2059,9 @@ void dpu_encoder_helper_phys_cleanup(str + } + } + ++ if (phys_enc->hw_pp && phys_enc->hw_pp->ops.setup_dither) ++ phys_enc->hw_pp->ops.setup_dither(phys_enc->hw_pp, NULL); ++ + /* reset the merge 3D HW block */ + if (phys_enc->hw_pp && phys_enc->hw_pp->merge_3d) { + phys_enc->hw_pp->merge_3d->ops.setup_3d_mode(phys_enc->hw_pp->merge_3d, diff --git a/queue-6.1/drop_monitor-fix-incorrect-initialization-order.patch b/queue-6.1/drop_monitor-fix-incorrect-initialization-order.patch new file mode 100644 index 0000000000..b6dff1932d --- /dev/null +++ b/queue-6.1/drop_monitor-fix-incorrect-initialization-order.patch @@ -0,0 +1,137 @@ +From 07b598c0e6f06a0f254c88dafb4ad50f8a8c6eea Mon Sep 17 00:00:00 2001 +From: Gavrilov Ilia +Date: Thu, 13 Feb 2025 15:20:55 +0000 +Subject: drop_monitor: fix incorrect initialization order + +From: Gavrilov Ilia + +commit 07b598c0e6f06a0f254c88dafb4ad50f8a8c6eea upstream. + +Syzkaller reports the following bug: + +BUG: spinlock bad magic on CPU#1, syz-executor.0/7995 + lock: 0xffff88805303f3e0, .magic: 00000000, .owner: /-1, .owner_cpu: 0 +CPU: 1 PID: 7995 Comm: syz-executor.0 Tainted: G E 5.10.209+ #1 +Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x119/0x179 lib/dump_stack.c:118 + debug_spin_lock_before kernel/locking/spinlock_debug.c:83 [inline] + do_raw_spin_lock+0x1f6/0x270 kernel/locking/spinlock_debug.c:112 + __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:117 [inline] + _raw_spin_lock_irqsave+0x50/0x70 kernel/locking/spinlock.c:159 + reset_per_cpu_data+0xe6/0x240 [drop_monitor] + net_dm_cmd_trace+0x43d/0x17a0 [drop_monitor] + genl_family_rcv_msg_doit+0x22f/0x330 net/netlink/genetlink.c:739 + genl_family_rcv_msg net/netlink/genetlink.c:783 [inline] + genl_rcv_msg+0x341/0x5a0 net/netlink/genetlink.c:800 + netlink_rcv_skb+0x14d/0x440 net/netlink/af_netlink.c:2497 + genl_rcv+0x29/0x40 net/netlink/genetlink.c:811 + netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline] + netlink_unicast+0x54b/0x800 net/netlink/af_netlink.c:1348 + netlink_sendmsg+0x914/0xe00 net/netlink/af_netlink.c:1916 + sock_sendmsg_nosec net/socket.c:651 [inline] + __sock_sendmsg+0x157/0x190 net/socket.c:663 + ____sys_sendmsg+0x712/0x870 net/socket.c:2378 + ___sys_sendmsg+0xf8/0x170 net/socket.c:2432 + __sys_sendmsg+0xea/0x1b0 net/socket.c:2461 + do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46 + entry_SYSCALL_64_after_hwframe+0x62/0xc7 +RIP: 0033:0x7f3f9815aee9 +Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007f3f972bf0c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e +RAX: ffffffffffffffda RBX: 00007f3f9826d050 RCX: 00007f3f9815aee9 +RDX: 0000000020000000 RSI: 0000000020001300 RDI: 0000000000000007 +RBP: 00007f3f981b63bd R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: 000000000000006e R14: 00007f3f9826d050 R15: 00007ffe01ee6768 + +If drop_monitor is built as a kernel module, syzkaller may have time +to send a netlink NET_DM_CMD_START message during the module loading. +This will call the net_dm_monitor_start() function that uses +a spinlock that has not yet been initialized. + +To fix this, let's place resource initialization above the registration +of a generic netlink family. + +Found by InfoTeCS on behalf of Linux Verification Center +(linuxtesting.org) with Syzkaller. + +Fixes: 9a8afc8d3962 ("Network Drop Monitor: Adding drop monitor implementation & Netlink protocol") +Cc: stable@vger.kernel.org +Signed-off-by: Ilia Gavrilov +Reviewed-by: Ido Schimmel +Link: https://patch.msgid.link/20250213152054.2785669-1-Ilia.Gavrilov@infotecs.ru +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/core/drop_monitor.c | 29 ++++++++++++++--------------- + 1 file changed, 14 insertions(+), 15 deletions(-) + +--- a/net/core/drop_monitor.c ++++ b/net/core/drop_monitor.c +@@ -1716,30 +1716,30 @@ static int __init init_net_drop_monitor( + return -ENOSPC; + } + +- rc = genl_register_family(&net_drop_monitor_family); +- if (rc) { +- pr_err("Could not create drop monitor netlink family\n"); +- return rc; ++ for_each_possible_cpu(cpu) { ++ net_dm_cpu_data_init(cpu); ++ net_dm_hw_cpu_data_init(cpu); + } +- WARN_ON(net_drop_monitor_family.mcgrp_offset != NET_DM_GRP_ALERT); + + rc = register_netdevice_notifier(&dropmon_net_notifier); + if (rc < 0) { + pr_crit("Failed to register netdevice notifier\n"); ++ return rc; ++ } ++ ++ rc = genl_register_family(&net_drop_monitor_family); ++ if (rc) { ++ pr_err("Could not create drop monitor netlink family\n"); + goto out_unreg; + } ++ WARN_ON(net_drop_monitor_family.mcgrp_offset != NET_DM_GRP_ALERT); + + rc = 0; + +- for_each_possible_cpu(cpu) { +- net_dm_cpu_data_init(cpu); +- net_dm_hw_cpu_data_init(cpu); +- } +- + goto out; + + out_unreg: +- genl_unregister_family(&net_drop_monitor_family); ++ WARN_ON(unregister_netdevice_notifier(&dropmon_net_notifier)); + out: + return rc; + } +@@ -1748,19 +1748,18 @@ static void exit_net_drop_monitor(void) + { + int cpu; + +- BUG_ON(unregister_netdevice_notifier(&dropmon_net_notifier)); +- + /* + * Because of the module_get/put we do in the trace state change path + * we are guaranteed not to have any current users when we get here + */ ++ BUG_ON(genl_unregister_family(&net_drop_monitor_family)); ++ ++ BUG_ON(unregister_netdevice_notifier(&dropmon_net_notifier)); + + for_each_possible_cpu(cpu) { + net_dm_hw_cpu_data_fini(cpu); + net_dm_cpu_data_fini(cpu); + } +- +- BUG_ON(genl_unregister_family(&net_drop_monitor_family)); + } + + module_init(init_net_drop_monitor); diff --git a/queue-6.1/edac-qcom-correct-interrupt-enable-register-configuration.patch b/queue-6.1/edac-qcom-correct-interrupt-enable-register-configuration.patch new file mode 100644 index 0000000000..617aefa3ef --- /dev/null +++ b/queue-6.1/edac-qcom-correct-interrupt-enable-register-configuration.patch @@ -0,0 +1,49 @@ +From c158647c107358bf1be579f98e4bb705c1953292 Mon Sep 17 00:00:00 2001 +From: Komal Bajaj +Date: Tue, 19 Nov 2024 12:16:08 +0530 +Subject: EDAC/qcom: Correct interrupt enable register configuration + +From: Komal Bajaj + +commit c158647c107358bf1be579f98e4bb705c1953292 upstream. + +The previous implementation incorrectly configured the cmn_interrupt_2_enable +register for interrupt handling. Using cmn_interrupt_2_enable to configure +Tag, Data RAM ECC interrupts would lead to issues like double handling of the +interrupts (EL1 and EL3) as cmn_interrupt_2_enable is meant to be configured +for interrupts which needs to be handled by EL3. + +EL1 LLCC EDAC driver needs to use cmn_interrupt_0_enable register to configure +Tag, Data RAM ECC interrupts instead of cmn_interrupt_2_enable. + +Fixes: 27450653f1db ("drivers: edac: Add EDAC driver support for QCOM SoCs") +Signed-off-by: Komal Bajaj +Signed-off-by: Borislav Petkov (AMD) +Reviewed-by: Manivannan Sadhasivam +Cc: +Link: https://lore.kernel.org/r/20241119064608.12326-1-quic_kbajaj@quicinc.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/edac/qcom_edac.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/edac/qcom_edac.c ++++ b/drivers/edac/qcom_edac.c +@@ -95,7 +95,7 @@ static int qcom_llcc_core_setup(struct l + * Configure interrupt enable registers such that Tag, Data RAM related + * interrupts are propagated to interrupt controller for servicing + */ +- ret = regmap_update_bits(llcc_bcast_regmap, drv->edac_reg_offset->cmn_interrupt_2_enable, ++ ret = regmap_update_bits(llcc_bcast_regmap, drv->edac_reg_offset->cmn_interrupt_0_enable, + TRP0_INTERRUPT_ENABLE, + TRP0_INTERRUPT_ENABLE); + if (ret) +@@ -113,7 +113,7 @@ static int qcom_llcc_core_setup(struct l + if (ret) + return ret; + +- ret = regmap_update_bits(llcc_bcast_regmap, drv->edac_reg_offset->cmn_interrupt_2_enable, ++ ret = regmap_update_bits(llcc_bcast_regmap, drv->edac_reg_offset->cmn_interrupt_0_enable, + DRP0_INTERRUPT_ENABLE, + DRP0_INTERRUPT_ENABLE); + if (ret) diff --git a/queue-6.1/ftrace-correct-preemption-accounting-for-function-tracing.patch b/queue-6.1/ftrace-correct-preemption-accounting-for-function-tracing.patch new file mode 100644 index 0000000000..cdd4b9bb01 --- /dev/null +++ b/queue-6.1/ftrace-correct-preemption-accounting-for-function-tracing.patch @@ -0,0 +1,62 @@ +From 57b76bedc5c52c66968183b5ef57234894c25ce7 Mon Sep 17 00:00:00 2001 +From: Sebastian Andrzej Siewior +Date: Thu, 20 Feb 2025 15:07:49 +0100 +Subject: ftrace: Correct preemption accounting for function tracing. + +From: Sebastian Andrzej Siewior + +commit 57b76bedc5c52c66968183b5ef57234894c25ce7 upstream. + +The function tracer should record the preemption level at the point when +the function is invoked. If the tracing subsystem decrement the +preemption counter it needs to correct this before feeding the data into +the trace buffer. This was broken in the commit cited below while +shifting the preempt-disabled section. + +Use tracing_gen_ctx_dec() which properly subtracts one from the +preemption counter on a preemptible kernel. + +Cc: stable@vger.kernel.org +Cc: Wander Lairson Costa +Cc: Masami Hiramatsu +Cc: Mathieu Desnoyers +Cc: Thomas Gleixner +Link: https://lore.kernel.org/20250220140749.pfw8qoNZ@linutronix.de +Fixes: ce5e48036c9e7 ("ftrace: disable preemption when recursion locked") +Signed-off-by: Sebastian Andrzej Siewior +Tested-by: Wander Lairson Costa +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/trace_functions.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +--- a/kernel/trace/trace_functions.c ++++ b/kernel/trace/trace_functions.c +@@ -185,7 +185,7 @@ function_trace_call(unsigned long ip, un + if (bit < 0) + return; + +- trace_ctx = tracing_gen_ctx(); ++ trace_ctx = tracing_gen_ctx_dec(); + + cpu = smp_processor_id(); + data = per_cpu_ptr(tr->array_buffer.data, cpu); +@@ -285,7 +285,6 @@ function_no_repeats_trace_call(unsigned + struct trace_array *tr = op->private; + struct trace_array_cpu *data; + unsigned int trace_ctx; +- unsigned long flags; + int bit; + int cpu; + +@@ -312,8 +311,7 @@ function_no_repeats_trace_call(unsigned + if (is_repeat_check(tr, last_info, ip, parent_ip)) + goto out; + +- local_save_flags(flags); +- trace_ctx = tracing_gen_ctx_flags(flags); ++ trace_ctx = tracing_gen_ctx_dec(); + process_repeats(tr, ip, parent_ip, last_info, trace_ctx); + + trace_function(tr, ip, parent_ip, trace_ctx); diff --git a/queue-6.1/ftrace-do-not-add-duplicate-entries-in-subops-manager-ops.patch b/queue-6.1/ftrace-do-not-add-duplicate-entries-in-subops-manager-ops.patch new file mode 100644 index 0000000000..bc484c04b4 --- /dev/null +++ b/queue-6.1/ftrace-do-not-add-duplicate-entries-in-subops-manager-ops.patch @@ -0,0 +1,42 @@ +From 8eb4b09e0bbd30981305643229fe7640ad41b667 Mon Sep 17 00:00:00 2001 +From: Steven Rostedt +Date: Thu, 20 Feb 2025 15:20:11 -0500 +Subject: ftrace: Do not add duplicate entries in subops manager ops + +From: Steven Rostedt + +commit 8eb4b09e0bbd30981305643229fe7640ad41b667 upstream. + +Check if a function is already in the manager ops of a subops. A manager +ops contains multiple subops, and if two or more subops are tracing the +same function, the manager ops only needs a single entry in its hash. + +Cc: stable@vger.kernel.org +Cc: Mark Rutland +Cc: Mathieu Desnoyers +Cc: Andrew Morton +Cc: Sven Schnelle +Cc: Vasily Gorbik +Cc: Alexander Gordeev +Link: https://lore.kernel.org/20250220202055.226762894@goodmis.org +Fixes: 4f554e955614f ("ftrace: Add ftrace_set_filter_ips function") +Tested-by: Heiko Carstens +Reviewed-by: Masami Hiramatsu (Google) +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/ftrace.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/kernel/trace/ftrace.c ++++ b/kernel/trace/ftrace.c +@@ -5108,6 +5108,9 @@ __ftrace_match_addr(struct ftrace_hash * + return -ENOENT; + free_hash_entry(hash, entry); + return 0; ++ } else if (__ftrace_lookup_ip(hash, ip) != NULL) { ++ /* Already exists */ ++ return 0; + } + + return add_hash_entry(hash, ip); diff --git a/queue-6.1/mm-madvise-hugetlb-check-for-0-length-range-after-end-address-adjustment.patch b/queue-6.1/mm-madvise-hugetlb-check-for-0-length-range-after-end-address-adjustment.patch new file mode 100644 index 0000000000..35a87b1901 --- /dev/null +++ b/queue-6.1/mm-madvise-hugetlb-check-for-0-length-range-after-end-address-adjustment.patch @@ -0,0 +1,78 @@ +From 2ede647a6fde3e54a6bfda7cf01c716649655900 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ricardo=20Ca=C3=B1uelo=20Navarro?= +Date: Mon, 3 Feb 2025 08:52:06 +0100 +Subject: mm,madvise,hugetlb: check for 0-length range after end address adjustment +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ricardo Cañuelo Navarro + +commit 2ede647a6fde3e54a6bfda7cf01c716649655900 upstream. + +Add a sanity check to madvise_dontneed_free() to address a corner case in +madvise where a race condition causes the current vma being processed to +be backed by a different page size. + +During a madvise(MADV_DONTNEED) call on a memory region registered with a +userfaultfd, there's a period of time where the process mm lock is +temporarily released in order to send a UFFD_EVENT_REMOVE and let +userspace handle the event. During this time, the vma covering the +current address range may change due to an explicit mmap done concurrently +by another thread. + +If, after that change, the memory region, which was originally backed by +4KB pages, is now backed by hugepages, the end address is rounded down to +a hugepage boundary to avoid data loss (see "Fixes" below). This rounding +may cause the end address to be truncated to the same address as the +start. + +Make this corner case follow the same semantics as in other similar cases +where the requested region has zero length (ie. return 0). + +This will make madvise_walk_vmas() continue to the next vma in the range +(this time holding the process mm lock) which, due to the prev pointer +becoming stale because of the vma change, will be the same hugepage-backed +vma that was just checked before. The next time madvise_dontneed_free() +runs for this vma, if the start address isn't aligned to a hugepage +boundary, it'll return -EINVAL, which is also in line with the madvise +api. + +From userspace perspective, madvise() will return EINVAL because the start +address isn't aligned according to the new vma alignment requirements +(hugepage), even though it was correctly page-aligned when the call was +issued. + +Link: https://lkml.kernel.org/r/20250203075206.1452208-1-rcn@igalia.com +Fixes: 8ebe0a5eaaeb ("mm,madvise,hugetlb: fix unexpected data loss with MADV_DONTNEED on hugetlbfs") +Signed-off-by: Ricardo Cañuelo Navarro +Reviewed-by: Oscar Salvador +Cc: Florent Revest +Cc: Rik van Riel +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/madvise.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +--- a/mm/madvise.c ++++ b/mm/madvise.c +@@ -879,7 +879,16 @@ static long madvise_dontneed_free(struct + */ + end = vma->vm_end; + } +- VM_WARN_ON(start >= end); ++ /* ++ * If the memory region between start and end was ++ * originally backed by 4kB pages and then remapped to ++ * be backed by hugepages while mmap_lock was dropped, ++ * the adjustment for hugetlb vma above may have rounded ++ * end down to the start address. ++ */ ++ if (start == end) ++ return 0; ++ VM_WARN_ON(start > end); + } + + if (behavior == MADV_DONTNEED || behavior == MADV_DONTNEED_LOCKED) diff --git a/queue-6.1/mtd-rawnand-cadence-fix-error-code-in-cadence_nand_init.patch b/queue-6.1/mtd-rawnand-cadence-fix-error-code-in-cadence_nand_init.patch new file mode 100644 index 0000000000..1df5353244 --- /dev/null +++ b/queue-6.1/mtd-rawnand-cadence-fix-error-code-in-cadence_nand_init.patch @@ -0,0 +1,39 @@ +From 2b9df00cded911e2ca2cfae5c45082166b24f8aa Mon Sep 17 00:00:00 2001 +From: Niravkumar L Rabara +Date: Mon, 10 Feb 2025 13:35:49 +0800 +Subject: mtd: rawnand: cadence: fix error code in cadence_nand_init() + +From: Niravkumar L Rabara + +commit 2b9df00cded911e2ca2cfae5c45082166b24f8aa upstream. + +Replace dma_request_channel() with dma_request_chan_by_mask() and use +helper functions to return proper error code instead of fixed -EBUSY. + +Fixes: ec4ba01e894d ("mtd: rawnand: Add new Cadence NAND driver to MTD subsystem") +Cc: stable@vger.kernel.org +Signed-off-by: Niravkumar L Rabara +Signed-off-by: Miquel Raynal +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/nand/raw/cadence-nand-controller.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +--- a/drivers/mtd/nand/raw/cadence-nand-controller.c ++++ b/drivers/mtd/nand/raw/cadence-nand-controller.c +@@ -2863,11 +2863,10 @@ static int cadence_nand_init(struct cdns + dma_cap_set(DMA_MEMCPY, mask); + + if (cdns_ctrl->caps1->has_dma) { +- cdns_ctrl->dmac = dma_request_channel(mask, NULL, NULL); +- if (!cdns_ctrl->dmac) { +- dev_err(cdns_ctrl->dev, +- "Unable to get a DMA channel\n"); +- ret = -EBUSY; ++ cdns_ctrl->dmac = dma_request_chan_by_mask(&mask); ++ if (IS_ERR(cdns_ctrl->dmac)) { ++ ret = dev_err_probe(cdns_ctrl->dev, PTR_ERR(cdns_ctrl->dmac), ++ "%d: Failed to get a DMA channel\n", ret); + goto disable_irq; + } + } diff --git a/queue-6.1/mtd-rawnand-cadence-fix-incorrect-device-in-dma_unmap_single.patch b/queue-6.1/mtd-rawnand-cadence-fix-incorrect-device-in-dma_unmap_single.patch new file mode 100644 index 0000000000..775e56f6a6 --- /dev/null +++ b/queue-6.1/mtd-rawnand-cadence-fix-incorrect-device-in-dma_unmap_single.patch @@ -0,0 +1,39 @@ +From f37d135b42cb484bdecee93f56b9f483214ede78 Mon Sep 17 00:00:00 2001 +From: Niravkumar L Rabara +Date: Mon, 10 Feb 2025 13:35:51 +0800 +Subject: mtd: rawnand: cadence: fix incorrect device in dma_unmap_single + +From: Niravkumar L Rabara + +commit f37d135b42cb484bdecee93f56b9f483214ede78 upstream. + +dma_map_single is using physical/bus device (DMA) but dma_unmap_single +is using framework device(NAND controller), which is incorrect. +Fixed dma_unmap_single to use correct physical/bus device. + +Fixes: ec4ba01e894d ("mtd: rawnand: Add new Cadence NAND driver to MTD subsystem") +Cc: stable@vger.kernel.org +Signed-off-by: Niravkumar L Rabara +Signed-off-by: Miquel Raynal +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/nand/raw/cadence-nand-controller.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/mtd/nand/raw/cadence-nand-controller.c ++++ b/drivers/mtd/nand/raw/cadence-nand-controller.c +@@ -1858,12 +1858,12 @@ static int cadence_nand_slave_dma_transf + dma_async_issue_pending(cdns_ctrl->dmac); + wait_for_completion(&finished); + +- dma_unmap_single(cdns_ctrl->dev, buf_dma, len, dir); ++ dma_unmap_single(dma_dev->dev, buf_dma, len, dir); + + return 0; + + err_unmap: +- dma_unmap_single(cdns_ctrl->dev, buf_dma, len, dir); ++ dma_unmap_single(dma_dev->dev, buf_dma, len, dir); + + err: + dev_dbg(cdns_ctrl->dev, "Fall back to CPU I/O\n"); diff --git a/queue-6.1/mtd-rawnand-cadence-use-dma_map_resource-for-sdma-address.patch b/queue-6.1/mtd-rawnand-cadence-use-dma_map_resource-for-sdma-address.patch new file mode 100644 index 0000000000..f905fdfd3b --- /dev/null +++ b/queue-6.1/mtd-rawnand-cadence-use-dma_map_resource-for-sdma-address.patch @@ -0,0 +1,116 @@ +From d76d22b5096c5b05208fd982b153b3f182350b19 Mon Sep 17 00:00:00 2001 +From: Niravkumar L Rabara +Date: Mon, 10 Feb 2025 13:35:50 +0800 +Subject: mtd: rawnand: cadence: use dma_map_resource for sdma address + +From: Niravkumar L Rabara + +commit d76d22b5096c5b05208fd982b153b3f182350b19 upstream. + +Remap the slave DMA I/O resources to enhance driver portability. +Using a physical address causes DMA translation failure when the +ARM SMMU is enabled. + +Fixes: ec4ba01e894d ("mtd: rawnand: Add new Cadence NAND driver to MTD subsystem") +Cc: stable@vger.kernel.org +Signed-off-by: Niravkumar L Rabara +Signed-off-by: Miquel Raynal +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/nand/raw/cadence-nand-controller.c | 29 +++++++++++++++++++++---- + 1 file changed, 25 insertions(+), 4 deletions(-) + +--- a/drivers/mtd/nand/raw/cadence-nand-controller.c ++++ b/drivers/mtd/nand/raw/cadence-nand-controller.c +@@ -469,6 +469,8 @@ struct cdns_nand_ctrl { + struct { + void __iomem *virt; + dma_addr_t dma; ++ dma_addr_t iova_dma; ++ u32 size; + } io; + + int irq; +@@ -1830,11 +1832,11 @@ static int cadence_nand_slave_dma_transf + } + + if (dir == DMA_FROM_DEVICE) { +- src_dma = cdns_ctrl->io.dma; ++ src_dma = cdns_ctrl->io.iova_dma; + dst_dma = buf_dma; + } else { + src_dma = buf_dma; +- dst_dma = cdns_ctrl->io.dma; ++ dst_dma = cdns_ctrl->io.iova_dma; + } + + tx = dmaengine_prep_dma_memcpy(cdns_ctrl->dmac, dst_dma, src_dma, len, +@@ -2828,6 +2830,7 @@ cadence_nand_irq_cleanup(int irqnum, str + static int cadence_nand_init(struct cdns_nand_ctrl *cdns_ctrl) + { + dma_cap_mask_t mask; ++ struct dma_device *dma_dev = cdns_ctrl->dmac->device; + int ret; + + cdns_ctrl->cdma_desc = dma_alloc_coherent(cdns_ctrl->dev, +@@ -2871,6 +2874,16 @@ static int cadence_nand_init(struct cdns + } + } + ++ cdns_ctrl->io.iova_dma = dma_map_resource(dma_dev->dev, cdns_ctrl->io.dma, ++ cdns_ctrl->io.size, ++ DMA_BIDIRECTIONAL, 0); ++ ++ ret = dma_mapping_error(dma_dev->dev, cdns_ctrl->io.iova_dma); ++ if (ret) { ++ dev_err(cdns_ctrl->dev, "Failed to map I/O resource to DMA\n"); ++ goto dma_release_chnl; ++ } ++ + nand_controller_init(&cdns_ctrl->controller); + INIT_LIST_HEAD(&cdns_ctrl->chips); + +@@ -2881,18 +2894,22 @@ static int cadence_nand_init(struct cdns + if (ret) { + dev_err(cdns_ctrl->dev, "Failed to register MTD: %d\n", + ret); +- goto dma_release_chnl; ++ goto unmap_dma_resource; + } + + kfree(cdns_ctrl->buf); + cdns_ctrl->buf = kzalloc(cdns_ctrl->buf_size, GFP_KERNEL); + if (!cdns_ctrl->buf) { + ret = -ENOMEM; +- goto dma_release_chnl; ++ goto unmap_dma_resource; + } + + return 0; + ++unmap_dma_resource: ++ dma_unmap_resource(dma_dev->dev, cdns_ctrl->io.iova_dma, ++ cdns_ctrl->io.size, DMA_BIDIRECTIONAL, 0); ++ + dma_release_chnl: + if (cdns_ctrl->dmac) + dma_release_channel(cdns_ctrl->dmac); +@@ -2914,6 +2931,8 @@ free_buf_desc: + static void cadence_nand_remove(struct cdns_nand_ctrl *cdns_ctrl) + { + cadence_nand_chips_cleanup(cdns_ctrl); ++ dma_unmap_resource(cdns_ctrl->dmac->device->dev, cdns_ctrl->io.iova_dma, ++ cdns_ctrl->io.size, DMA_BIDIRECTIONAL, 0); + cadence_nand_irq_cleanup(cdns_ctrl->irq, cdns_ctrl); + kfree(cdns_ctrl->buf); + dma_free_coherent(cdns_ctrl->dev, sizeof(struct cadence_nand_cdma_desc), +@@ -2982,7 +3001,9 @@ static int cadence_nand_dt_probe(struct + cdns_ctrl->io.virt = devm_platform_get_and_ioremap_resource(ofdev, 1, &res); + if (IS_ERR(cdns_ctrl->io.virt)) + return PTR_ERR(cdns_ctrl->io.virt); ++ + cdns_ctrl->io.dma = res->start; ++ cdns_ctrl->io.size = resource_size(res); + + dt->clk = devm_clk_get(cdns_ctrl->dev, "nf_clk"); + if (IS_ERR(dt->clk)) diff --git a/queue-6.1/nfp-bpf-add-check-for-nfp_app_ctrl_msg_alloc.patch b/queue-6.1/nfp-bpf-add-check-for-nfp_app_ctrl_msg_alloc.patch new file mode 100644 index 0000000000..5b82a1ce7f --- /dev/null +++ b/queue-6.1/nfp-bpf-add-check-for-nfp_app_ctrl_msg_alloc.patch @@ -0,0 +1,33 @@ +From 878e7b11736e062514e58f3b445ff343e6705537 Mon Sep 17 00:00:00 2001 +From: Haoxiang Li +Date: Tue, 18 Feb 2025 11:04:09 +0800 +Subject: nfp: bpf: Add check for nfp_app_ctrl_msg_alloc() + +From: Haoxiang Li + +commit 878e7b11736e062514e58f3b445ff343e6705537 upstream. + +Add check for the return value of nfp_app_ctrl_msg_alloc() in +nfp_bpf_cmsg_alloc() to prevent null pointer dereference. + +Fixes: ff3d43f7568c ("nfp: bpf: implement helpers for FW map ops") +Cc: stable@vger.kernel.org +Signed-off-by: Haoxiang Li +Link: https://patch.msgid.link/20250218030409.2425798-1-haoxiang_li2024@163.com +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/netronome/nfp/bpf/cmsg.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/ethernet/netronome/nfp/bpf/cmsg.c ++++ b/drivers/net/ethernet/netronome/nfp/bpf/cmsg.c +@@ -20,6 +20,8 @@ nfp_bpf_cmsg_alloc(struct nfp_app_bpf *b + struct sk_buff *skb; + + skb = nfp_app_ctrl_msg_alloc(bpf->app, size, GFP_KERNEL); ++ if (!skb) ++ return NULL; + skb_put(skb, size); + + return skb; diff --git a/queue-6.1/series b/queue-6.1/series index 626eed6efd..575a051d85 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -69,3 +69,21 @@ nouveau-svm-fix-missing-folio-unlock-put-after-make_.patch drm-msm-dpu-don-t-leak-bits_per_component-into-rando.patch nvme-ioctl-add-missing-space-in-err-message.patch bpf-skip-non-exist-keys-in-generic_map_lookup_batch.patch +drm-msm-dpu-disable-dither-in-phys-encoder-cleanup.patch +drm-i915-make-sure-all-planes-in-use-by-the-joiner-have-their-crtc-included.patch +tee-optee-fix-supplicant-wait-loop.patch +drop_monitor-fix-incorrect-initialization-order.patch +nfp-bpf-add-check-for-nfp_app_ctrl_msg_alloc.patch +asoc-fsl_micfil-enable-default-case-in-micfil_set_quality.patch +alsa-hda-add-error-check-for-snd_ctl_rename_id-in-snd_hda_create_dig_out_ctls.patch +alsa-hda-conexant-add-quirk-for-hp-probook-450-g4-mute-led.patch +acct-perform-last-write-from-workqueue.patch +acct-block-access-to-kernel-internal-filesystems.patch +mm-madvise-hugetlb-check-for-0-length-range-after-end-address-adjustment.patch +mtd-rawnand-cadence-fix-error-code-in-cadence_nand_init.patch +mtd-rawnand-cadence-use-dma_map_resource-for-sdma-address.patch +mtd-rawnand-cadence-fix-incorrect-device-in-dma_unmap_single.patch +smb-client-add-check-for-next_buffer-in-receive_encrypted_standard.patch +edac-qcom-correct-interrupt-enable-register-configuration.patch +ftrace-correct-preemption-accounting-for-function-tracing.patch +ftrace-do-not-add-duplicate-entries-in-subops-manager-ops.patch diff --git a/queue-6.1/smb-client-add-check-for-next_buffer-in-receive_encrypted_standard.patch b/queue-6.1/smb-client-add-check-for-next_buffer-in-receive_encrypted_standard.patch new file mode 100644 index 0000000000..7f5aacb1be --- /dev/null +++ b/queue-6.1/smb-client-add-check-for-next_buffer-in-receive_encrypted_standard.patch @@ -0,0 +1,34 @@ +From 860ca5e50f73c2a1cef7eefc9d39d04e275417f7 Mon Sep 17 00:00:00 2001 +From: Haoxiang Li +Date: Mon, 17 Feb 2025 15:20:38 +0800 +Subject: smb: client: Add check for next_buffer in receive_encrypted_standard() + +From: Haoxiang Li + +commit 860ca5e50f73c2a1cef7eefc9d39d04e275417f7 upstream. + +Add check for the return value of cifs_buf_get() and cifs_small_buf_get() +in receive_encrypted_standard() to prevent null pointer dereference. + +Fixes: eec04ea11969 ("smb: client: fix OOB in receive_encrypted_standard()") +Cc: stable@vger.kernel.org +Signed-off-by: Haoxiang Li +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/smb2ops.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/fs/smb/client/smb2ops.c ++++ b/fs/smb/client/smb2ops.c +@@ -5158,6 +5158,10 @@ one_more: + next_buffer = (char *)cifs_buf_get(); + else + next_buffer = (char *)cifs_small_buf_get(); ++ if (!next_buffer) { ++ cifs_server_dbg(VFS, "No memory for (large) SMB response\n"); ++ return -1; ++ } + memcpy(next_buffer, buf + next_cmd, pdu_length - next_cmd); + } + diff --git a/queue-6.1/tee-optee-fix-supplicant-wait-loop.patch b/queue-6.1/tee-optee-fix-supplicant-wait-loop.patch new file mode 100644 index 0000000000..ca1f7fead4 --- /dev/null +++ b/queue-6.1/tee-optee-fix-supplicant-wait-loop.patch @@ -0,0 +1,93 @@ +From 70b0d6b0a199c5a3ee6c72f5e61681ed6f759612 Mon Sep 17 00:00:00 2001 +From: Sumit Garg +Date: Tue, 4 Feb 2025 13:04:18 +0530 +Subject: tee: optee: Fix supplicant wait loop + +From: Sumit Garg + +commit 70b0d6b0a199c5a3ee6c72f5e61681ed6f759612 upstream. + +OP-TEE supplicant is a user-space daemon and it's possible for it +be hung or crashed or killed in the middle of processing an OP-TEE +RPC call. It becomes more complicated when there is incorrect shutdown +ordering of the supplicant process vs the OP-TEE client application which +can eventually lead to system hang-up waiting for the closure of the +client application. + +Allow the client process waiting in kernel for supplicant response to +be killed rather than indefinitely waiting in an unkillable state. Also, +a normal uninterruptible wait should not have resulted in the hung-task +watchdog getting triggered, but the endless loop would. + +This fixes issues observed during system reboot/shutdown when supplicant +got hung for some reason or gets crashed/killed which lead to client +getting hung in an unkillable state. It in turn lead to system being in +hung up state requiring hard power off/on to recover. + +Fixes: 4fb0a5eb364d ("tee: add OP-TEE driver") +Suggested-by: Arnd Bergmann +Cc: stable@vger.kernel.org +Signed-off-by: Sumit Garg +Reviewed-by: Arnd Bergmann +Reviewed-by: Jens Wiklander +Signed-off-by: Arnd Bergmann +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tee/optee/supp.c | 35 ++++++++--------------------------- + 1 file changed, 8 insertions(+), 27 deletions(-) + +--- a/drivers/tee/optee/supp.c ++++ b/drivers/tee/optee/supp.c +@@ -80,7 +80,6 @@ u32 optee_supp_thrd_req(struct tee_conte + struct optee *optee = tee_get_drvdata(ctx->teedev); + struct optee_supp *supp = &optee->supp; + struct optee_supp_req *req; +- bool interruptable; + u32 ret; + + /* +@@ -111,36 +110,18 @@ u32 optee_supp_thrd_req(struct tee_conte + /* + * Wait for supplicant to process and return result, once we've + * returned from wait_for_completion(&req->c) successfully we have +- * exclusive access again. ++ * exclusive access again. Allow the wait to be killable such that ++ * the wait doesn't turn into an indefinite state if the supplicant ++ * gets hung for some reason. + */ +- while (wait_for_completion_interruptible(&req->c)) { ++ if (wait_for_completion_killable(&req->c)) { + mutex_lock(&supp->mutex); +- interruptable = !supp->ctx; +- if (interruptable) { +- /* +- * There's no supplicant available and since the +- * supp->mutex currently is held none can +- * become available until the mutex released +- * again. +- * +- * Interrupting an RPC to supplicant is only +- * allowed as a way of slightly improving the user +- * experience in case the supplicant hasn't been +- * started yet. During normal operation the supplicant +- * will serve all requests in a timely manner and +- * interrupting then wouldn't make sense. +- */ +- if (req->in_queue) { +- list_del(&req->link); +- req->in_queue = false; +- } ++ if (req->in_queue) { ++ list_del(&req->link); ++ req->in_queue = false; + } + mutex_unlock(&supp->mutex); +- +- if (interruptable) { +- req->ret = TEEC_ERROR_COMMUNICATION; +- break; +- } ++ req->ret = TEEC_ERROR_COMMUNICATION; + } + + ret = req->ret;