From: Greg Kroah-Hartman Date: Tue, 10 Dec 2024 09:20:26 +0000 (+0100) Subject: 5.15-stable patches X-Git-Tag: v6.6.65~30 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d34589c5ea185e34f7bc1a794d69a50a737512b2;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: alsa-hda-realtek-add-support-for-samsung-galaxy-book3-360-np730qfg.patch alsa-hda-realtek-enable-mute-and-micmute-led-on-hp-probook-430-g8.patch alsa-usb-audio-add-mixer-mapping-for-corsair-hs80.patch arm64-ptrace-fix-partial-setregset-for-nt_arm_tagged_addr_ctrl.patch bcache-revert-replacing-is_err_or_null-with-is_err-again.patch can-dev-can_set_termination-allow-sleeping-gpios.patch nilfs2-fix-potential-out-of-bounds-memory-access-in-nilfs_find_entry.patch scsi-qla2xxx-fix-abort-in-bsg-timeout.patch scsi-qla2xxx-fix-nvme-and-npiv-connect-issue.patch scsi-qla2xxx-fix-use-after-free-on-unload.patch scsi-qla2xxx-remove-check-req_sg_cnt-should-be-equal-to-rsp_sg_cnt.patch scsi-qla2xxx-supported-speed-displayed-incorrectly-for-vports.patch scsi-ufs-core-sysfs-prevent-div-by-zero.patch tracing-fix-cmp_entries_dup-to-respect-sort-comparison-rules.patch watchdog-rti-of-honor-timeout-sec-property.patch
---
diff --git a/queue-5.15/alsa-hda-realtek-add-support-for-samsung-galaxy-book3-360-np730qfg.patch b/queue-5.15/alsa-hda-realtek-add-support-for-samsung-galaxy-book3-360-np730qfg.patch
new file mode 100644
index 00000000000..0f4a0efc783
--- /dev/null
+++ b/queue-5.15/alsa-hda-realtek-add-support-for-samsung-galaxy-book3-360-np730qfg.patch
@@ -0,0 +1,36 @@ +From e2974a220594c06f536e65dfd7b2447e0e83a1cb Mon Sep 17 00:00:00 2001 +From: Sahas Leelodharry +Date: Mon, 2 Dec 2024 03:28:33 +0000 +Subject: ALSA: hda/realtek: Add support for Samsung Galaxy Book3 360 (NP730QFG) + +From: Sahas Leelodharry + +commit e2974a220594c06f536e65dfd7b2447e0e83a1cb upstream. + +Fixes the 3.5mm headphone jack on the Samsung Galaxy Book 3 360 +NP730QFG laptop. +Unlike the other Galaxy Book3 series devices, this device only needs +the ALC298_FIXUP_SAMSUNG_HEADPHONE_VERY_QUIET quirk. +Verified changes on the device and compared with codec state in Windows. + +[ white-space fixes by tiwai ] + +Signed-off-by: Sahas Leelodharry +Cc: +Link: https://patch.msgid.link/QB1PR01MB40047D4CC1282DB7F1333124CC352@QB1PR01MB4004.CANPRD01.PROD.OUTLOOK.COM +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -9345,6 +9345,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x144d, 0xc830, "Samsung Galaxy Book Ion (NT950XCJ-X716A)", ALC298_FIXUP_SAMSUNG_AMP), + SND_PCI_QUIRK(0x144d, 0xc832, "Samsung Galaxy Book Flex Alpha (NP730QCJ)", ALC256_FIXUP_SAMSUNG_HEADPHONE_VERY_QUIET), + SND_PCI_QUIRK(0x144d, 0xca03, "Samsung Galaxy Book2 Pro 360 (NP930QED)", ALC298_FIXUP_SAMSUNG_AMP), ++ SND_PCI_QUIRK(0x144d, 0xca06, "Samsung Galaxy Book3 360 (NP730QFG)", ALC298_FIXUP_SAMSUNG_HEADPHONE_VERY_QUIET), + SND_PCI_QUIRK(0x144d, 0xc868, "Samsung Galaxy Book2 Pro (NP930XED)", ALC298_FIXUP_SAMSUNG_AMP), + SND_PCI_QUIRK(0x1458, 0xfa53, "Gigabyte BXBT-2807", ALC283_FIXUP_HEADSET_MIC), + SND_PCI_QUIRK(0x1462, 0xb120, "MSI Cubi MS-B120", ALC283_FIXUP_HEADSET_MIC), 
diff --git a/queue-5.15/alsa-hda-realtek-enable-mute-and-micmute-led-on-hp-probook-430-g8.patch b/queue-5.15/alsa-hda-realtek-enable-mute-and-micmute-led-on-hp-probook-430-g8.patch new file mode 100644 index 00000000000..fce26e08a68 --- /dev/null +++ b/queue-5.15/alsa-hda-realtek-enable-mute-and-micmute-led-on-hp-probook-430-g8.patch @@ -0,0 +1,31 @@ +From 3a83f7baf1346aca885cb83cb888e835fef7c472 Mon Sep 17 00:00:00 2001 +From: Nazar Bilinskyi +Date: Sun, 1 Dec 2024 01:16:31 +0200 +Subject: ALSA: hda/realtek: Enable mute and micmute LED on HP ProBook 430 G8 + +From: Nazar Bilinskyi + +commit 3a83f7baf1346aca885cb83cb888e835fef7c472 upstream. + +HP ProBook 430 G8 has a mute and micmute LEDs that can be made to work +using quirk ALC236_FIXUP_HP_GPIO_LED. Enable already existing quirk. + +Signed-off-by: Nazar Bilinskyi +Cc: +Link: https://patch.msgid.link/20241130231631.8929-1-nbilinskyi@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -9212,6 +9212,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x103c, 0x87b7, "HP Laptop 14-fq0xxx", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2), + SND_PCI_QUIRK(0x103c, 0x87c8, "HP", ALC287_FIXUP_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x87d3, "HP Laptop 15-gw0xxx", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2), ++ SND_PCI_QUIRK(0x103c, 0x87df, "HP ProBook 430 G8 Notebook PC", ALC236_FIXUP_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x87e5, "HP ProBook 440 G8 Notebook PC", ALC236_FIXUP_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x87e7, "HP ProBook 450 G8 Notebook PC", ALC236_FIXUP_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x87f1, "HP ProBook 630 G8 Notebook PC", ALC236_FIXUP_HP_GPIO_LED), 
diff --git a/queue-5.15/alsa-usb-audio-add-mixer-mapping-for-corsair-hs80.patch b/queue-5.15/alsa-usb-audio-add-mixer-mapping-for-corsair-hs80.patch new file mode 100644 index 00000000000..df24f434dd0 --- /dev/null +++ b/queue-5.15/alsa-usb-audio-add-mixer-mapping-for-corsair-hs80.patch @@ -0,0 +1,43 @@ +From a7de2b873f3dbcda02d504536f1ec6dc50e3f6c4 Mon Sep 17 00:00:00 2001 +From: Marie Ramlow +Date: Sat, 30 Nov 2024 17:52:40 +0100 +Subject: ALSA: usb-audio: add mixer mapping for Corsair HS80 + +From: Marie Ramlow + +commit a7de2b873f3dbcda02d504536f1ec6dc50e3f6c4 upstream. + +The Corsair HS80 RGB Wireless is a USB headset with a mic and a sidetone +feature. It has the same quirk as the Virtuoso series. +This labels the mixers appropriately, so applications don't +move the sidetone volume when they actually intend to move the main +headset volume. + +Signed-off-by: Marie Ramlow +cc: +Link: https://patch.msgid.link/20241130165240.17838-1-me@nycode.dev +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/mixer_maps.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/sound/usb/mixer_maps.c ++++ b/sound/usb/mixer_maps.c +@@ -574,6 +574,16 @@ static const struct usbmix_ctl_map usbmi + .id = USB_ID(0x1b1c, 0x0a42), + .map = corsair_virtuoso_map, + }, ++ { ++ /* Corsair HS80 RGB Wireless (wired mode) */ ++ .id = USB_ID(0x1b1c, 0x0a6a), ++ .map = corsair_virtuoso_map, ++ }, ++ { ++ /* Corsair HS80 RGB Wireless (wireless mode) */ ++ .id = USB_ID(0x1b1c, 0x0a6b), ++ .map = corsair_virtuoso_map, ++ }, + { /* Gigabyte TRX40 Aorus Master (rear panel + front mic) */ + .id = USB_ID(0x0414, 0xa001), + .map = aorus_master_alc1220vb_map, diff --git a/queue-5.15/arm64-ptrace-fix-partial-setregset-for-nt_arm_tagged_addr_ctrl.patch b/queue-5.15/arm64-ptrace-fix-partial-setregset-for-nt_arm_tagged_addr_ctrl.patch new file mode 100644 index 00000000000..312a3fb2a04 --- /dev/null 
+++ b/queue-5.15/arm64-ptrace-fix-partial-setregset-for-nt_arm_tagged_addr_ctrl.patch 
@@ -0,0 +1,69 @@ +From ca62d90085f4af36de745883faab9f8a7cbb45d3 Mon Sep 17 00:00:00 2001 +From: Mark Rutland +Date: Thu, 5 Dec 2024 12:16:52 +0000 +Subject: arm64: ptrace: fix partial SETREGSET for NT_ARM_TAGGED_ADDR_CTRL + +From: Mark Rutland + +commit ca62d90085f4af36de745883faab9f8a7cbb45d3 upstream. + +Currently tagged_addr_ctrl_set() doesn't initialize the temporary 'ctrl' +variable, and a SETREGSET call with a length of zero will leave this +uninitialized. Consequently tagged_addr_ctrl_set() will consume an +arbitrary value, potentially leaking up to 64 bits of memory from the +kernel stack. The read is limited to a specific slot on the stack, and +the issue does not provide a write mechanism. + +As set_tagged_addr_ctrl() only accepts values where bits [63:4] zero and +rejects other values, a partial SETREGSET attempt will randomly succeed +or fail depending on the value of the uninitialized value, and the +exposure is significantly limited. + +Fix this by initializing the temporary value before copying the regset +from userspace, as for other regsets (e.g. NT_PRSTATUS, NT_PRFPREG, +NT_ARM_SYSTEM_CALL). In the case of a zero-length write, the existing +value of the tagged address ctrl will be retained. + +The NT_ARM_TAGGED_ADDR_CTRL regset is only visible in the +user_aarch64_view used by a native AArch64 task to manipulate another +native AArch64 task. As get_tagged_addr_ctrl() only returns an error +value when called for a compat task, tagged_addr_ctrl_get() and +tagged_addr_ctrl_set() should never observe an error value from +get_tagged_addr_ctrl(). Add a WARN_ON_ONCE() to both to indicate that +such an error would be unexpected, and error handlnig is not missing in +either case. 
+ +Fixes: 2200aa7154cb ("arm64: mte: ptrace: Add NT_ARM_TAGGED_ADDR_CTRL regset") +Cc: # 5.10.x +Signed-off-by: Mark Rutland +Cc: Will Deacon +Reviewed-by: Mark Brown +Link: https://lore.kernel.org/r/20241205121655.1824269-2-mark.rutland@arm.com +Signed-off-by: Catalin Marinas +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kernel/ptrace.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/arch/arm64/kernel/ptrace.c ++++ b/arch/arm64/kernel/ptrace.c +@@ -1075,7 +1075,7 @@ static int tagged_addr_ctrl_get(struct t + { + long ctrl = get_tagged_addr_ctrl(target); + +- if (IS_ERR_VALUE(ctrl)) ++ if (WARN_ON_ONCE(IS_ERR_VALUE(ctrl))) + return ctrl; + + return membuf_write(&to, &ctrl, sizeof(ctrl)); +@@ -1089,6 +1089,10 @@ static int tagged_addr_ctrl_set(struct t + int ret; + long ctrl; + ++ ctrl = get_tagged_addr_ctrl(target); ++ if (WARN_ON_ONCE(IS_ERR_VALUE(ctrl))) ++ return ctrl; ++ + ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &ctrl, 0, -1); + if (ret) + return ret; diff --git a/queue-5.15/bcache-revert-replacing-is_err_or_null-with-is_err-again.patch b/queue-5.15/bcache-revert-replacing-is_err_or_null-with-is_err-again.patch new file mode 100644 index 00000000000..556d3e96449 --- /dev/null +++ b/queue-5.15/bcache-revert-replacing-is_err_or_null-with-is_err-again.patch 
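Review bot: In tagged_addr_ctrl_set() the new pre-load of `ctrl` is the whole fix, yet nothing in the code says why it is there, so a later cleanup could drop it as a redundant read and bring the uninitialised-stack read back. A comment above it would pin the intent, for example `/* Preload the current value: a zero-length or short SETREGSET must not consume stack contents. */`. The two `WARN_ON_ONCE()` paths rest on the regset being reachable only for native AArch64 tasks, as the description argues; that invariant deserves a line of comment too, since a WARN that userspace could reach would matter on systems configured to panic on warnings. Both functions start and end outside the inner hunks.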
@@ -0,0 +1,46 @@ +From b2e382ae12a63560fca35050498e19e760adf8c0 Mon Sep 17 00:00:00 2001 +From: Liequan Che +Date: Mon, 2 Dec 2024 19:56:38 +0800 +Subject: bcache: revert replacing IS_ERR_OR_NULL with IS_ERR again + +From: Liequan Che + +commit b2e382ae12a63560fca35050498e19e760adf8c0 upstream. + +Commit 028ddcac477b ("bcache: Remove unnecessary NULL point check in +node allocations") leads a NULL pointer deference in cache_set_flush(). + +1721 if (!IS_ERR_OR_NULL(c->root)) +1722 list_add(&c->root->list, &c->btree_cache); + +>From the above code in cache_set_flush(), if previous registration code +fails before allocating c->root, it is possible c->root is NULL as what +it is initialized. __bch_btree_node_alloc() never returns NULL but +c->root is possible to be NULL at above line 1721. + +This patch replaces IS_ERR() by IS_ERR_OR_NULL() to fix this. + +Fixes: 028ddcac477b ("bcache: Remove unnecessary NULL point check in node allocations") +Signed-off-by: Liequan Che +Cc: stable@vger.kernel.org +Cc: Zheng Wang +Reviewed-by: Mingzhe Zou +Signed-off-by: Coly Li +Link: https://lore.kernel.org/r/20241202115638.28957-1-colyli@suse.de +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/bcache/super.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/md/bcache/super.c ++++ b/drivers/md/bcache/super.c +@@ -1731,7 +1731,7 @@ static void cache_set_flush(struct closu + if (!IS_ERR_OR_NULL(c->gc_thread)) + kthread_stop(c->gc_thread); + +- if (!IS_ERR(c->root)) ++ if (!IS_ERR_OR_NULL(c->root)) + list_add(&c->root->list, &c->btree_cache); + + /* diff --git a/queue-5.15/can-dev-can_set_termination-allow-sleeping-gpios.patch b/queue-5.15/can-dev-can_set_termination-allow-sleeping-gpios.patch new file mode 100644 index 00000000000..afcea1f2c00 --- /dev/null +++ b/queue-5.15/can-dev-can_set_termination-allow-sleeping-gpios.patch 
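Review bot: The restored `IS_ERR_OR_NULL(c->root)` test in cache_set_flush() carries no hint that NULL is a legitimate state at this point, and the subject line suggests the check has already been removed by cleanups more than once. A one-line comment above the test, such as `/* c->root stays NULL if registration failed before the root node was allocated */`, would record the reason the description gives and make the next "unnecessary NULL check" cleanup less likely. The rest of cache_set_flush() is outside the inner hunk.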
@@ -0,0 +1,49 @@ +From ee1dfbdd8b4b6de85e96ae2059dc9c1bdb6b49b5 Mon Sep 17 00:00:00 2001 +From: Marc Kleine-Budde +Date: Thu, 21 Nov 2024 11:08:25 +0100 +Subject: can: dev: can_set_termination(): allow sleeping GPIOs +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Marc Kleine-Budde + +commit ee1dfbdd8b4b6de85e96ae2059dc9c1bdb6b49b5 upstream. + +In commit 6e86a1543c37 ("can: dev: provide optional GPIO based +termination support") GPIO based termination support was added. + +For no particular reason that patch uses gpiod_set_value() to set the +GPIO. This leads to the following warning, if the systems uses a +sleeping GPIO, i.e. behind an I2C port expander: + +| WARNING: CPU: 0 PID: 379 at /drivers/gpio/gpiolib.c:3496 gpiod_set_value+0x50/0x6c +| CPU: 0 UID: 0 PID: 379 Comm: ip Not tainted 6.11.0-20241016-1 #1 823affae360cc91126e4d316d7a614a8bf86236c + +Replace gpiod_set_value() by gpiod_set_value_cansleep() to allow the +use of sleeping GPIOs. + +Cc: Nicolai Buchwitz +Cc: Lino Sanfilippo +Cc: stable@vger.kernel.org +Reported-by: Leonard Göhrs +Tested-by: Leonard Göhrs +Fixes: 6e86a1543c37 ("can: dev: provide optional GPIO based termination support") +Link: https://patch.msgid.link/20241121-dev-fix-can_set_termination-v1-1-41fa6e29216d@pengutronix.de +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/dev/dev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/can/dev/dev.c ++++ b/drivers/net/can/dev/dev.c +@@ -409,7 +409,7 @@ static int can_set_termination(struct ne + else + set = 0; + +- gpiod_set_value(priv->termination_gpio, set); ++ gpiod_set_value_cansleep(priv->termination_gpio, set); + + return 0; + } diff --git a/queue-5.15/nilfs2-fix-potential-out-of-bounds-memory-access-in-nilfs_find_entry.patch b/queue-5.15/nilfs2-fix-potential-out-of-bounds-memory-access-in-nilfs_find_entry.patch new file mode 100644 index 00000000000..271e4b324a3 
--- /dev/null
+++ b/queue-5.15/nilfs2-fix-potential-out-of-bounds-memory-access-in-nilfs_find_entry.patch
@@ -0,0 +1,53 @@ +From 985ebec4ab0a28bb5910c3b1481a40fbf7f9e61d Mon Sep 17 00:00:00 2001 +From: Ryusuke Konishi +Date: Wed, 20 Nov 2024 02:23:37 +0900 +Subject: nilfs2: fix potential out-of-bounds memory access in nilfs_find_entry() + +From: Ryusuke Konishi + +commit 985ebec4ab0a28bb5910c3b1481a40fbf7f9e61d upstream. + +Syzbot reported that when searching for records in a directory where the +inode's i_size is corrupted and has a large value, memory access outside +the folio/page range may occur, or a use-after-free bug may be detected if +KASAN is enabled. + +This is because nilfs_last_byte(), which is called by nilfs_find_entry() +and others to calculate the number of valid bytes of directory data in a +page from i_size and the page index, loses the upper 32 bits of the 64-bit +size information due to an inappropriate type of local variable to which +the i_size value is assigned. + +This caused a large byte offset value due to underflow in the end address +calculation in the calling nilfs_find_entry(), resulting in memory access +that exceeds the folio/page size. + +Fix this issue by changing the type of the local variable causing the bit +loss from "unsigned int" to "u64". The return value of nilfs_last_byte() +is also of type "unsigned int", but it is truncated so as not to exceed +PAGE_SIZE and no bit loss occurs, so no change is required. 
+ +Link: https://lkml.kernel.org/r/20241119172403.9292-1-konishi.ryusuke@gmail.com +Fixes: 2ba466d74ed7 ("nilfs2: directory entry operations") +Signed-off-by: Ryusuke Konishi +Reported-by: syzbot+96d5d14c47d97015c624@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=96d5d14c47d97015c624 +Tested-by: syzbot+96d5d14c47d97015c624@syzkaller.appspotmail.com +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/nilfs2/dir.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/nilfs2/dir.c ++++ b/fs/nilfs2/dir.c +@@ -76,7 +76,7 @@ static inline void nilfs_put_page(struct + */ + static unsigned int nilfs_last_byte(struct inode *inode, unsigned long page_nr) + { +- unsigned int last_byte = inode->i_size; ++ u64 last_byte = inode->i_size; + + last_byte -= page_nr << PAGE_SHIFT; + if (last_byte > PAGE_SIZE) diff --git a/queue-5.15/scsi-qla2xxx-fix-abort-in-bsg-timeout.patch b/queue-5.15/scsi-qla2xxx-fix-abort-in-bsg-timeout.patch new file mode 100644 index 00000000000..cfda8ca92b0 --- /dev/null +++ b/queue-5.15/scsi-qla2xxx-fix-abort-in-bsg-timeout.patch 
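Review bot: In nilfs_last_byte() the subtraction on the line after the changed declaration still shifts `page_nr` as an `unsigned long`, so widening `last_byte` to `u64` does not widen the offset being subtracted. On a 32-bit build the shift wraps once the page index reaches 2^(32 - PAGE_SHIFT), which a corrupted large `i_size` makes reachable; the clamp to PAGE_SIZE keeps the result inside the page, but the valid-byte count for the final page can then be wrong. Casting before the shift, `last_byte -= (u64)page_nr << PAGE_SHIFT;`, makes the arithmetic 64-bit on every architecture. The remainder of the function lies outside the inner hunk.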
@@ -0,0 +1,227 @@ +From c423263082ee8ccfad59ab33e3d5da5dc004c21e Mon Sep 17 00:00:00 2001 +From: Quinn Tran +Date: Fri, 15 Nov 2024 18:33:07 +0530 +Subject: scsi: qla2xxx: Fix abort in bsg timeout + +From: Quinn Tran + +commit c423263082ee8ccfad59ab33e3d5da5dc004c21e upstream. + +Current abort of bsg on timeout prematurely clears the +outstanding_cmds[]. Abort does not allow FW to return the IOCB/SRB. In +addition, bsg_job_done() is not called to return the BSG (i.e. leak). + +Abort the outstanding bsg/SRB and wait for the completion. The +completion IOCB will wake up the bsg_timeout thread. If abort is not +successful, then driver will forcibly call bsg_job_done() and free the +srb. + +Err Inject: + + - qaucli -z + - assign CT Passthru IOCB's NportHandle with another initiator + nport handle to trigger timeout. Remote port will drop CT request. + - bsg_job_done is properly called as part of cleanup + +kernel: qla2xxx [0000:21:00.1]-7012:7: qla2x00_process_ct : 286 : Error Inject. +kernel: qla2xxx [0000:21:00.1]-7016:7: bsg rqst type: FC_BSG_HST_CT else type: 101 - loop-id=1 portid=fffffa. +kernel: qla2xxx [0000:21:00.1]-70bb:7: qla24xx_bsg_timeout CMD timeout. bsg ptr ffff9971a42f0838 msgcode 80000004 vendor cmd fa010000 +kernel: qla2xxx [0000:21:00.1]-507c:7: Abort command issued - hdl=4b, type=5 +kernel: qla2xxx [0000:21:00.1]-5040:7: ELS-CT pass-through-ct pass-through error hdl=4b comp_status-status=0x5 error subcode 1=0x0 error subcode 2=0xaf882e80. +kernel: qla2xxx [0000:21:00.1]-7009:7: qla2x00_bsg_job_done: sp hdl 4b, result=70000 bsg ptr ffff9971a42f0838 +kernel: qla2xxx [0000:21:00.1]-802c:7: Aborting bsg ffff9971a42f0838 sp=ffff99760b87ba80 handle=4b rval=0 +kernel: qla2xxx [0000:21:00.1]-708a:7: bsg abort success. bsg ffff9971a42f0838 sp=ffff99760b87ba80 handle=0x4b +kernel: qla2xxx [0000:21:00.1]-7012:7: qla2x00_process_ct : 286 : Error Inject. 
+kernel: qla2xxx [0000:21:00.1]-7016:7: bsg rqst type: FC_BSG_HST_CT else type: 101 - loop-id=1 portid=fffffa. +kernel: qla2xxx [0000:21:00.1]-70bb:7: qla24xx_bsg_timeout CMD timeout. bsg ptr ffff9971a42f43b8 msgcode 80000004 vendor cmd fa010000 +kernel: qla2xxx [0000:21:00.1]-7012:7: qla_bsg_found : 2206 : Error Inject 2. +kernel: qla2xxx [0000:21:00.1]-802c:7: Aborting bsg ffff9971a42f43b8 sp=ffff99762c304440 handle=5e rval=5 +kernel: qla2xxx [0000:21:00.1]-704f:7: bsg abort fail. bsg=ffff9971a42f43b8 sp=ffff99762c304440 rval=5. +kernel: qla2xxx [0000:21:00.1]-7051:7: qla_bsg_found bsg_job_done : bsg ffff9971a42f43b8 result 0xfffffffa sp ffff99762c304440. + +Cc: stable@vger.kernel.org +Fixes: c449b4198701 ("scsi: qla2xxx: Use QP lock to search for bsg") +Signed-off-by: Quinn Tran +Signed-off-by: Nilesh Javali +Link: https://lore.kernel.org/r/20241115130313.46826-2-njavali@marvell.com +Reviewed-by: Himanshu Madhani +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/qla2xxx/qla_bsg.c | 114 +++++++++++++++++++++++++++++++++-------- + 1 file changed, 92 insertions(+), 22 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_bsg.c ++++ b/drivers/scsi/qla2xxx/qla_bsg.c +@@ -24,6 +24,7 @@ void qla2x00_bsg_job_done(srb_t *sp, int + { + struct bsg_job *bsg_job = sp->u.bsg_job; + struct fc_bsg_reply *bsg_reply = bsg_job->reply; ++ struct completion *comp = sp->comp; + + ql_dbg(ql_dbg_user, sp->vha, 0x7009, + "%s: sp hdl %x, result=%x bsg ptr %p\n", +@@ -35,6 +36,9 @@ void qla2x00_bsg_job_done(srb_t *sp, int + bsg_reply->result = res; + bsg_job_done(bsg_job, bsg_reply->result, + bsg_reply->reply_payload_rcv_len); ++ ++ if (comp) ++ complete(comp); + } + + void qla2x00_bsg_sp_free(srb_t *sp) +@@ -2968,7 +2972,7 @@ skip_chip_chk: + + static bool qla_bsg_found(struct qla_qpair *qpair, struct bsg_job *bsg_job) + { +- bool found = false; ++ bool found, do_bsg_done; + struct fc_bsg_reply *bsg_reply = bsg_job->reply; + scsi_qla_host_t *vha = 
shost_priv(fc_bsg_to_shost(bsg_job)); + struct qla_hw_data *ha = vha->hw; +@@ -2976,6 +2980,11 @@ static bool qla_bsg_found(struct qla_qpa + int cnt; + unsigned long flags; + struct req_que *req; ++ int rval; ++ DECLARE_COMPLETION_ONSTACK(comp); ++ uint32_t ratov_j; ++ ++ found = do_bsg_done = false; + + spin_lock_irqsave(qpair->qp_lock_ptr, flags); + req = qpair->req; +@@ -2987,42 +2996,104 @@ static bool qla_bsg_found(struct qla_qpa + sp->type == SRB_ELS_CMD_HST || + sp->type == SRB_ELS_CMD_HST_NOLOGIN) && + sp->u.bsg_job == bsg_job) { +- req->outstanding_cmds[cnt] = NULL; +- spin_unlock_irqrestore(qpair->qp_lock_ptr, flags); +- +- if (!ha->flags.eeh_busy && ha->isp_ops->abort_command(sp)) { +- ql_log(ql_log_warn, vha, 0x7089, +- "mbx abort_command failed.\n"); +- bsg_reply->result = -EIO; +- } else { +- ql_dbg(ql_dbg_user, vha, 0x708a, +- "mbx abort_command success.\n"); +- bsg_reply->result = 0; +- } +- /* ref: INIT */ +- kref_put(&sp->cmd_kref, qla2x00_sp_release); + + found = true; +- goto done; ++ sp->comp = ∁ ++ break; + } + } + spin_unlock_irqrestore(qpair->qp_lock_ptr, flags); + +-done: +- return found; ++ if (!found) ++ return false; ++ ++ if (ha->flags.eeh_busy) { ++ /* skip over abort. EEH handling will return the bsg. Wait for it */ ++ rval = QLA_SUCCESS; ++ ql_dbg(ql_dbg_user, vha, 0x802c, ++ "eeh encounter. bsg %p sp=%p handle=%x \n", ++ bsg_job, sp, sp->handle); ++ } else { ++ rval = ha->isp_ops->abort_command(sp); ++ ql_dbg(ql_dbg_user, vha, 0x802c, ++ "Aborting bsg %p sp=%p handle=%x rval=%x\n", ++ bsg_job, sp, sp->handle, rval); ++ } ++ ++ switch (rval) { ++ case QLA_SUCCESS: ++ /* Wait for the command completion. */ ++ ratov_j = ha->r_a_tov / 10 * 4 * 1000; ++ ratov_j = msecs_to_jiffies(ratov_j); ++ ++ if (!wait_for_completion_timeout(&comp, ratov_j)) { ++ ql_log(ql_log_info, vha, 0x7089, ++ "bsg abort timeout. 
bsg=%p sp=%p handle %#x .\n", ++ bsg_job, sp, sp->handle); ++ ++ do_bsg_done = true; ++ } else { ++ /* fw had returned the bsg */ ++ ql_dbg(ql_dbg_user, vha, 0x708a, ++ "bsg abort success. bsg %p sp=%p handle=%#x\n", ++ bsg_job, sp, sp->handle); ++ do_bsg_done = false; ++ } ++ break; ++ default: ++ ql_log(ql_log_info, vha, 0x704f, ++ "bsg abort fail. bsg=%p sp=%p rval=%x.\n", ++ bsg_job, sp, rval); ++ ++ do_bsg_done = true; ++ break; ++ } ++ ++ if (!do_bsg_done) ++ return true; ++ ++ spin_lock_irqsave(qpair->qp_lock_ptr, flags); ++ /* ++ * recheck to make sure it's still the same bsg_job due to ++ * qp_lock_ptr was released earlier. ++ */ ++ if (req->outstanding_cmds[cnt] && ++ req->outstanding_cmds[cnt]->u.bsg_job != bsg_job) { ++ /* fw had returned the bsg */ ++ spin_unlock_irqrestore(qpair->qp_lock_ptr, flags); ++ return true; ++ } ++ req->outstanding_cmds[cnt] = NULL; ++ spin_unlock_irqrestore(qpair->qp_lock_ptr, flags); ++ ++ /* ref: INIT */ ++ sp->comp = NULL; ++ kref_put(&sp->cmd_kref, qla2x00_sp_release); ++ bsg_reply->result = -ENXIO; ++ bsg_reply->reply_payload_rcv_len = 0; ++ ++ ql_dbg(ql_dbg_user, vha, 0x7051, ++ "%s bsg_job_done : bsg %p result %#x sp %p.\n", ++ __func__, bsg_job, bsg_reply->result, sp); ++ ++ bsg_job_done(bsg_job, bsg_reply->result, bsg_reply->reply_payload_rcv_len); ++ ++ return true; + } + + int + qla24xx_bsg_timeout(struct bsg_job *bsg_job) + { +- struct fc_bsg_reply *bsg_reply = bsg_job->reply; ++ struct fc_bsg_request *bsg_request = bsg_job->request; + scsi_qla_host_t *vha = shost_priv(fc_bsg_to_shost(bsg_job)); + struct qla_hw_data *ha = vha->hw; + int i; + struct qla_qpair *qpair; + +- ql_log(ql_log_info, vha, 0x708b, "%s CMD timeout. bsg ptr %p.\n", +- __func__, bsg_job); ++ ql_log(ql_log_info, vha, 0x708b, ++ "%s CMD timeout. 
bsg ptr %p msgcode %x vendor cmd %x\n", ++ __func__, bsg_job, bsg_request->msgcode, ++ bsg_request->rqst_data.h_vendor.vendor_cmd[0]); + + if (qla2x00_isp_reg_stat(ha)) { + ql_log(ql_log_info, vha, 0x9007, +@@ -3043,7 +3114,6 @@ qla24xx_bsg_timeout(struct bsg_job *bsg_ + } + + ql_log(ql_log_info, vha, 0x708b, "SRB not found to abort.\n"); +- bsg_reply->result = -ENXIO; + + done: + return 0; diff --git a/queue-5.15/scsi-qla2xxx-fix-nvme-and-npiv-connect-issue.patch b/queue-5.15/scsi-qla2xxx-fix-nvme-and-npiv-connect-issue.patch new file mode 100644 index 00000000000..d73575d48d2 --- /dev/null +++ b/queue-5.15/scsi-qla2xxx-fix-nvme-and-npiv-connect-issue.patch 
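Review bot: In qla_bsg_found() the recheck after the abort wait returns early only when the slot holds a different job, `req->outstanding_cmds[cnt] && req->outstanding_cmds[cnt]->u.bsg_job != bsg_job`, so an empty slot falls through to `kref_put()` and a second `bsg_job_done()`. If the completion path clears the slot before it calls qla2x00_bsg_job_done() (not visible in these hunks), a completion that lands just after `wait_for_completion_timeout()` expires leaves exactly that state, and the job would be finished twice with `sp` touched after release. Comparing the slot with the SRB itself, `if (req->outstanding_cmds[cnt] != sp) {`, treats both an empty and a reused slot as already returned. Relatedly, `sp->comp` points at the on-stack `comp` and is reset only on the final path and outside `qp_lock_ptr`; clearing it under the lock on every return that follows a timeout would keep a late `complete()` off a dead stack frame. The page also shows that assignment as `sp->comp = ∁`, which looks like an HTML-entity rendering of `&comp;`.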
@@ -0,0 +1,46 @@ +From 4812b7796c144f63a1094f79a5eb8fbdad8d7ebc Mon Sep 17 00:00:00 2001 +From: Quinn Tran +Date: Fri, 15 Nov 2024 18:33:11 +0530 +Subject: scsi: qla2xxx: Fix NVMe and NPIV connect issue + +From: Quinn Tran + +commit 4812b7796c144f63a1094f79a5eb8fbdad8d7ebc upstream. + +NVMe controller fails to send connect command due to failure to locate +hw context buffer for NVMe queue 0 (blk_mq_hw_ctx, hctx_idx=0). The +cause of the issue is NPIV host did not initialize the vha->irq_offset +field. This field is given to blk-mq (blk_mq_pci_map_queues) to help +locate the beginning of IO Queues which in turn help locate NVMe queue +0. + +Initialize this field to allow NVMe to work properly with NPIV host. + + kernel: nvme nvme5: Connect command failed, errno: -18 + kernel: nvme nvme5: qid 0: secure concatenation is not supported + kernel: nvme nvme5: NVME-FC{5}: create_assoc failed, assoc_id 2e9100 ret 401 + kernel: nvme nvme5: NVME-FC{5}: reset: Reconnect attempt failed (401) + kernel: nvme nvme5: NVME-FC{5}: Reconnect attempt in 2 seconds + +Cc: stable@vger.kernel.org +Fixes: f0783d43dde4 ("scsi: qla2xxx: Use correct number of vectors for online CPUs") +Signed-off-by: Quinn Tran +Signed-off-by: Nilesh Javali +Link: https://lore.kernel.org/r/20241115130313.46826-6-njavali@marvell.com +Reviewed-by: Himanshu Madhani +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/qla2xxx/qla_mid.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/scsi/qla2xxx/qla_mid.c ++++ b/drivers/scsi/qla2xxx/qla_mid.c +@@ -515,6 +515,7 @@ qla24xx_create_vhost(struct fc_vport *fc + return(NULL); + } + ++ vha->irq_offset = QLA_BASE_VECTORS; + host = vha->host; + fc_vport->dd_data = vha; + /* New host info */ diff --git a/queue-5.15/scsi-qla2xxx-fix-use-after-free-on-unload.patch b/queue-5.15/scsi-qla2xxx-fix-use-after-free-on-unload.patch new file mode 100644 index 00000000000..690f2a60c8f --- /dev/null 
+++ b/queue-5.15/scsi-qla2xxx-fix-use-after-free-on-unload.patch 
@@ -0,0 +1,98 @@ +From 07c903db0a2ff84b68efa1a74a4de353ea591eb0 Mon Sep 17 00:00:00 2001 +From: Quinn Tran +Date: Fri, 15 Nov 2024 18:33:08 +0530 +Subject: scsi: qla2xxx: Fix use after free on unload + +From: Quinn Tran + +commit 07c903db0a2ff84b68efa1a74a4de353ea591eb0 upstream. + +System crash is observed with stack trace warning of use after +free. There are 2 signals to tell dpc_thread to terminate (UNLOADING +flag and kthread_stop). + +On setting the UNLOADING flag when dpc_thread happens to run at the time +and sees the flag, this causes dpc_thread to exit and clean up +itself. When kthread_stop is called for final cleanup, this causes use +after free. + +Remove UNLOADING signal to terminate dpc_thread. Use the kthread_stop +as the main signal to exit dpc_thread. + +[596663.812935] kernel BUG at mm/slub.c:294! +[596663.812950] invalid opcode: 0000 [#1] SMP PTI +[596663.812957] CPU: 13 PID: 1475935 Comm: rmmod Kdump: loaded Tainted: G IOE --------- - - 4.18.0-240.el8.x86_64 #1 +[596663.812960] Hardware name: HP ProLiant DL380p Gen8, BIOS P70 08/20/2012 +[596663.812974] RIP: 0010:__slab_free+0x17d/0x360 + +... +[596663.813008] Call Trace: +[596663.813022] ? __dentry_kill+0x121/0x170 +[596663.813030] ? _cond_resched+0x15/0x30 +[596663.813034] ? _cond_resched+0x15/0x30 +[596663.813039] ? wait_for_completion+0x35/0x190 +[596663.813048] ? try_to_wake_up+0x63/0x540 +[596663.813055] free_task+0x5a/0x60 +[596663.813061] kthread_stop+0xf3/0x100 +[596663.813103] qla2x00_remove_one+0x284/0x440 [qla2xxx] + +Cc: stable@vger.kernel.org +Signed-off-by: Quinn Tran +Signed-off-by: Nilesh Javali +Link: https://lore.kernel.org/r/20241115130313.46826-3-njavali@marvell.com +Reviewed-by: Himanshu Madhani +Signed-off-by: Martin K. 
Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/qla2xxx/qla_os.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_os.c ++++ b/drivers/scsi/qla2xxx/qla_os.c +@@ -6851,12 +6851,15 @@ qla2x00_do_dpc(void *data) + set_user_nice(current, MIN_NICE); + + set_current_state(TASK_INTERRUPTIBLE); +- while (!kthread_should_stop()) { ++ while (1) { + ql_dbg(ql_dbg_dpc, base_vha, 0x4000, + "DPC handler sleeping.\n"); + + schedule(); + ++ if (kthread_should_stop()) ++ break; ++ + if (test_and_clear_bit(DO_EEH_RECOVERY, &base_vha->dpc_flags)) + qla_pci_set_eeh_busy(base_vha); + +@@ -6869,15 +6872,16 @@ qla2x00_do_dpc(void *data) + goto end_loop; + } + ++ if (test_bit(UNLOADING, &base_vha->dpc_flags)) ++ /* don't do any work. Wait to be terminated by kthread_stop */ ++ goto end_loop; ++ + ha->dpc_active = 1; + + ql_dbg(ql_dbg_dpc + ql_dbg_verbose, base_vha, 0x4001, + "DPC handler waking up, dpc_flags=0x%lx.\n", + base_vha->dpc_flags); + +- if (test_bit(UNLOADING, &base_vha->dpc_flags)) +- break; +- + if (IS_P3P_TYPE(ha)) { + if (IS_QLA8044(ha)) { + if (test_and_clear_bit(ISP_UNRECOVERABLE, +@@ -7195,9 +7199,6 @@ end_loop: + */ + ha->dpc_active = 0; + +- /* Cleanup any residual CTX SRBs. */ +- qla2x00_abort_all_cmds(base_vha, DID_NO_CONNECT << 16); +- + return 0; + } + diff --git a/queue-5.15/scsi-qla2xxx-remove-check-req_sg_cnt-should-be-equal-to-rsp_sg_cnt.patch b/queue-5.15/scsi-qla2xxx-remove-check-req_sg_cnt-should-be-equal-to-rsp_sg_cnt.patch new file mode 100644 index 00000000000..b28421c5b8c --- /dev/null +++ b/queue-5.15/scsi-qla2xxx-remove-check-req_sg_cnt-should-be-equal-to-rsp_sg_cnt.patch 
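Review bot: In qla2x00_do_dpc() the loop now reaches `schedule()` straight after `set_current_state(TASK_INTERRUPTIBLE)` with no stop test in between, because `while (!kthread_should_stop())` became `while (1)` and the test moved behind the sleep. A `kthread_stop()` whose wake-up arrives while the thread is still running would then go unnoticed before the thread sleeps, and the unloading caller could wait indefinitely; whether `end_loop` re-arms the task state the same way is outside the hunk. Keeping the condition in the loop header, `while (!kthread_should_stop()) {`, alongside the new post-`schedule()` check closes that window. The description also does not say where residual SRBs are aborted now that `qla2x00_abort_all_cmds()` is gone from the thread's exit path.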
@@ -0,0 +1,45 @@ +From 833c70e212fc40d3e98da941796f4c7bcaecdf58 Mon Sep 17 00:00:00 2001 +From: Saurav Kashyap +Date: Fri, 15 Nov 2024 18:33:10 +0530 +Subject: scsi: qla2xxx: Remove check req_sg_cnt should be equal to rsp_sg_cnt + +From: Saurav Kashyap + +commit 833c70e212fc40d3e98da941796f4c7bcaecdf58 upstream. + +Firmware supports multiple sg_cnt for request and response for CT +commands, so remove the redundant check. A check is there where sg_cnt +for request and response should be same. This is not required as driver +and FW have code to handle multiple and different sg_cnt on request and +response. + +Cc: stable@vger.kernel.org +Signed-off-by: Saurav Kashyap +Signed-off-by: Nilesh Javali +Link: https://lore.kernel.org/r/20241115130313.46826-5-njavali@marvell.com +Reviewed-by: Himanshu Madhani +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/qla2xxx/qla_bsg.c | 10 ---------- + 1 file changed, 10 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_bsg.c ++++ b/drivers/scsi/qla2xxx/qla_bsg.c +@@ -494,16 +494,6 @@ qla2x00_process_ct(struct bsg_job *bsg_j + goto done; + } + +- if ((req_sg_cnt != bsg_job->request_payload.sg_cnt) || +- (rsp_sg_cnt != bsg_job->reply_payload.sg_cnt)) { +- ql_log(ql_log_warn, vha, 0x7011, +- "request_sg_cnt: %x dma_request_sg_cnt: %x reply_sg_cnt:%x " +- "dma_reply_sg_cnt: %x\n", bsg_job->request_payload.sg_cnt, +- req_sg_cnt, bsg_job->reply_payload.sg_cnt, rsp_sg_cnt); +- rval = -EAGAIN; +- goto done_unmap_sg; +- } +- + if (!vha->flags.online) { + ql_log(ql_log_warn, vha, 0x7012, + "Host is not online.\n"); diff --git a/queue-5.15/scsi-qla2xxx-supported-speed-displayed-incorrectly-for-vports.patch b/queue-5.15/scsi-qla2xxx-supported-speed-displayed-incorrectly-for-vports.patch new file mode 100644 index 00000000000..41009a88d1a --- /dev/null +++ b/queue-5.15/scsi-qla2xxx-supported-speed-displayed-incorrectly-for-vports.patch 
@@ -0,0 +1,36 @@
+From e4e268f898c8a08f0a1188677e15eadbc06e98f6 Mon Sep 17 00:00:00 2001
+From: Anil Gurumurthy
+Date: Fri, 15 Nov 2024 18:33:12 +0530
+Subject: scsi: qla2xxx: Supported speed displayed incorrectly for VPorts
+
+From: Anil Gurumurthy
+
+commit e4e268f898c8a08f0a1188677e15eadbc06e98f6 upstream.
+
+The fc_function_template for vports was missing the
+.show_host_supported_speeds. The base port had the same.
+
+Add .show_host_supported_speeds to the vport template as well.
+
+Cc: stable@vger.kernel.org
+Fixes: 2c3dfe3f6ad8 ("[SCSI] qla2xxx: add support for NPIV")
+Signed-off-by: Anil Gurumurthy
+Signed-off-by: Nilesh Javali
+Link: https://lore.kernel.org/r/20241115130313.46826-7-njavali@marvell.com
+Reviewed-by: Himanshu Madhani
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/qla2xxx/qla_attr.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/scsi/qla2xxx/qla_attr.c
++++ b/drivers/scsi/qla2xxx/qla_attr.c
+@@ -3303,6 +3303,7 @@ struct fc_function_template qla2xxx_tran
+ .show_host_node_name = 1,
+ .show_host_port_name = 1,
+ .show_host_supported_classes = 1,
++ .show_host_supported_speeds = 1,
+
+ .get_host_port_id = qla2x00_get_host_port_id,
+ .show_host_port_id = 1,
diff --git a/queue-5.15/scsi-ufs-core-sysfs-prevent-div-by-zero.patch b/queue-5.15/scsi-ufs-core-sysfs-prevent-div-by-zero.patch
new file mode 100644
index 00000000000..4717f3e71c2
--- /dev/null
+++ b/queue-5.15/scsi-ufs-core-sysfs-prevent-div-by-zero.patch
@@ -0,0 +1,44 @@
+From eb48e9fc0028bed94a40a9352d065909f19e333c Mon Sep 17 00:00:00 2001
+From: Gwendal Grignou
+Date: Tue, 19 Nov 2024 22:25:22 -0800
+Subject: scsi: ufs: core: sysfs: Prevent div by zero
+
+From: Gwendal Grignou
+
+commit eb48e9fc0028bed94a40a9352d065909f19e333c upstream.
+
+Prevent a division by 0 when monitoring is not enabled.
+
+Fixes: 1d8613a23f3c ("scsi: ufs: core: Introduce HBA performance monitor sysfs nodes")
+Cc: stable@vger.kernel.org
+Signed-off-by: Gwendal Grignou
+Link: https://lore.kernel.org/r/20241120062522.917157-1-gwendal@chromium.org
+Reviewed-by: Can Guo
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/ufs/ufs-sysfs.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/scsi/ufs/ufs-sysfs.c
++++ b/drivers/scsi/ufs/ufs-sysfs.c
+@@ -371,6 +371,9 @@ static ssize_t read_req_latency_avg_show
+ struct ufs_hba *hba = dev_get_drvdata(dev);
+ struct ufs_hba_monitor *m = &hba->monitor;
+
++ if (!m->nr_req[READ])
++ return sysfs_emit(buf, "0\n");
++
+ return sysfs_emit(buf, "%llu\n", div_u64(ktime_to_us(m->lat_sum[READ]),
+ m->nr_req[READ]));
+ }
+@@ -438,6 +441,9 @@ static ssize_t write_req_latency_avg_sho
+ struct ufs_hba *hba = dev_get_drvdata(dev);
+ struct ufs_hba_monitor *m = &hba->monitor;
+
++ if (!m->nr_req[WRITE])
++ return sysfs_emit(buf, "0\n");
++
+ return sysfs_emit(buf, "%llu\n", div_u64(ktime_to_us(m->lat_sum[WRITE]),
+ m->nr_req[WRITE]));
+ }
diff --git a/queue-5.15/series b/queue-5.15/series
index f13d8f5102c..1b8f44bb8a9 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
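Review bot: The added zero test in read_req_latency_avg_show reads m->nr_req[READ] once, and the div_u64() call that follows reads it a second time; no locking is visible in the hunk, so if the monitor counters can be reset between the two reads the divisor can still be zero. Reading the count once closes that window: `nr = READ_ONCE(m->nr_req[READ]);` into a local of the counter's type, then `if (!nr) return sysfs_emit(buf, "0\n");` and pass `nr` to div_u64(). The same applies to the write_req_latency_avg_show hunk with m->nr_req[WRITE]. Whether a lock already covers these show handlers is not visible here.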
@@ -445,3 +445,18 @@ ocfs2-free-inode-when-ocfs2_get_init_inode-fails.patch
 bpf-handle-bpf_exist-and-bpf_noexist-for-lpm-trie.patch
 bpf-fix-exact-match-conditions-in-trie_get_next_key.patch
 hid-wacom-fix-when-get-product-name-maybe-null-pointer.patch
+watchdog-rti-of-honor-timeout-sec-property.patch
+can-dev-can_set_termination-allow-sleeping-gpios.patch
+tracing-fix-cmp_entries_dup-to-respect-sort-comparison-rules.patch
+arm64-ptrace-fix-partial-setregset-for-nt_arm_tagged_addr_ctrl.patch
+alsa-usb-audio-add-mixer-mapping-for-corsair-hs80.patch
+alsa-hda-realtek-enable-mute-and-micmute-led-on-hp-probook-430-g8.patch
+alsa-hda-realtek-add-support-for-samsung-galaxy-book3-360-np730qfg.patch
+scsi-qla2xxx-fix-abort-in-bsg-timeout.patch
+scsi-qla2xxx-fix-nvme-and-npiv-connect-issue.patch
+scsi-qla2xxx-supported-speed-displayed-incorrectly-for-vports.patch
+scsi-qla2xxx-fix-use-after-free-on-unload.patch
+scsi-qla2xxx-remove-check-req_sg_cnt-should-be-equal-to-rsp_sg_cnt.patch
+scsi-ufs-core-sysfs-prevent-div-by-zero.patch
+nilfs2-fix-potential-out-of-bounds-memory-access-in-nilfs_find_entry.patch
+bcache-revert-replacing-is_err_or_null-with-is_err-again.patch
diff --git a/queue-5.15/tracing-fix-cmp_entries_dup-to-respect-sort-comparison-rules.patch b/queue-5.15/tracing-fix-cmp_entries_dup-to-respect-sort-comparison-rules.patch
new file mode 100644
index 00000000000..eede3b0fba3
--- /dev/null
+++ b/queue-5.15/tracing-fix-cmp_entries_dup-to-respect-sort-comparison-rules.patch
@@ -0,0 +1,52 @@
+From e63fbd5f6810ed756bbb8a1549c7d4132968baa9 Mon Sep 17 00:00:00 2001
+From: Kuan-Wei Chiu
+Date: Wed, 4 Dec 2024 04:22:28 +0800
+Subject: tracing: Fix cmp_entries_dup() to respect sort() comparison rules
+
+From: Kuan-Wei Chiu
+
+commit e63fbd5f6810ed756bbb8a1549c7d4132968baa9 upstream.
+
+The cmp_entries_dup() function used as the comparator for sort()
+violated the symmetry and transitivity properties required by the
+sorting algorithm. Specifically, it returned 1 whenever memcmp() was
+non-zero, which broke the following expectations:
+
+* Symmetry: If x < y, then y > x.
+* Transitivity: If x < y and y < z, then x < z.
+
+These violations could lead to incorrect sorting and failure to
+correctly identify duplicate elements.
+
+Fix the issue by directly returning the result of memcmp(), which
+adheres to the required comparison properties.
+
+Cc: stable@vger.kernel.org
+Fixes: 08d43a5fa063 ("tracing: Add lock-free tracing_map")
+Link: https://lore.kernel.org/20241203202228.1274403-1-visitorckw@gmail.com
+Signed-off-by: Kuan-Wei Chiu
+Signed-off-by: Steven Rostedt (Google)
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/trace/tracing_map.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+--- a/kernel/trace/tracing_map.c
++++ b/kernel/trace/tracing_map.c
+@@ -845,15 +845,11 @@ int tracing_map_init(struct tracing_map
+ static int cmp_entries_dup(const void *A, const void *B)
+ {
+ const struct tracing_map_sort_entry *a, *b;
+- int ret = 0;
+
+ a = *(const struct tracing_map_sort_entry **)A;
+ b = *(const struct tracing_map_sort_entry **)B;
+
+- if (memcmp(a->key, b->key, a->elt->map->key_size))
+- ret = 1;
+-
+- return ret;
++ return memcmp(a->key, b->key, a->elt->map->key_size);
+ }
+
+ static int cmp_entries_sum(const void *A, const void *B)
diff --git a/queue-5.15/watchdog-rti-of-honor-timeout-sec-property.patch b/queue-5.15/watchdog-rti-of-honor-timeout-sec-property.patch
new file mode 100644
index 00000000000..80a0036dba3
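Review bot: cmp_entries_dup now depends on memcmp() giving a consistent three-way result, but the new body carries no comment saying so, and the earlier version shows how easily that gets collapsed to 0/1. I would add above the return `/* sort() needs a consistent <0/0/>0 ordering; return memcmp() unchanged */`. The length comes from a->elt->map->key_size only, which presumably relies on both entries belonging to the same map; that is worth stating in the same comment if it holds. cmp_entries_sum begins right after the hunk and is not shown, so whether it has the same property cannot be checked from here.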
--- /dev/null
+++ b/queue-5.15/watchdog-rti-of-honor-timeout-sec-property.patch
@@ -0,0 +1,49 @@
+From 4962ee045d8f06638714d801ab0fb72f89c16690 Mon Sep 17 00:00:00 2001
+From: Alexander Sverdlin
+Date: Thu, 7 Nov 2024 21:38:28 +0100
+Subject: watchdog: rti: of: honor timeout-sec property
+
+From: Alexander Sverdlin
+
+commit 4962ee045d8f06638714d801ab0fb72f89c16690 upstream.
+
+Currently "timeout-sec" Device Tree property is being silently ignored:
+even though watchdog_init_timeout() is being used, the driver always passes
+"heartbeat" == DEFAULT_HEARTBEAT == 60 as argument.
+
+Fix this by setting struct watchdog_device::timeout to DEFAULT_HEARTBEAT
+and passing real module parameter value to watchdog_init_timeout() (which
+may now be 0 if not specified).
+
+Cc: stable@vger.kernel.org
+Fixes: 2d63908bdbfb ("watchdog: Add K3 RTI watchdog support")
+Signed-off-by: Alexander Sverdlin
+Reviewed-by: Vignesh Raghavendra
+Reviewed-by: Guenter Roeck
+Link: https://lore.kernel.org/r/20241107203830.1068456-1-alexander.sverdlin@siemens.com
+Signed-off-by: Guenter Roeck
+Signed-off-by: Wim Van Sebroeck
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/watchdog/rti_wdt.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/watchdog/rti_wdt.c
++++ b/drivers/watchdog/rti_wdt.c
+@@ -54,7 +54,7 @@
+
+ #define MAX_HW_ERROR 250
+
+-static int heartbeat = DEFAULT_HEARTBEAT;
++static int heartbeat;
+
+ /*
+ * struct to hold data for each WDT device
+@@ -242,6 +242,7 @@ static int rti_wdt_probe(struct platform
+ wdd->min_timeout = 1;
+ wdd->max_hw_heartbeat_ms = (WDT_PRELOAD_MAX << WDT_PRELOAD_SHIFT) /
+ wdt->freq * 1000;
++ wdd->timeout = DEFAULT_HEARTBEAT;
+ wdd->parent = dev;
+
+ watchdog_set_drvdata(wdd, wdt);
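Review bot: `static int heartbeat;` now starts at 0 instead of DEFAULT_HEARTBEAT, so any other read of `heartbeat` in rti_wdt.c that assumed the 60-second default sees 0 unless the module parameter is set; only two hunks are visible, so those uses should be checked. The declaration would also benefit from a comment such as `/* 0 = not set; watchdog_init_timeout() then falls back to timeout-sec or wdd->timeout */`, which is the behaviour the commit message describes. rti_wdt_probe starts and ends outside the second hunk, and the watchdog_init_timeout() call itself is not shown.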