From: Greg Kroah-Hartman Date: Sun, 11 Dec 2022 09:57:54 +0000 (+0100) Subject: 6.0-stable patches X-Git-Tag: v4.9.336~19 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d39099151f92807abfc4f21ad41b726fb2c01666;p=thirdparty%2Fkernel%2Fstable-queue.git 6.0-stable patches added patches: bluetooth-btusb-add-debug-message-for-csr-controllers.patch bluetooth-btusb-fix-csr-clones-again-by-re-adding-err_data_reporting-quirk.patch bluetooth-fix-crash-when-replugging-csr-fake-controllers.patch can-can327-flush-tx_work-on-ldisc-.close.patch can-esd_usb-allow-rec-and-tec-to-return-to-zero.patch can-slcan-fix-freed-work-crash.patch drm-amd-display-fix-array-index-out-of-bound-error-in-dcn32-dml.patch drm-amdgpu-sdma_v4_0-turn-off-sdma-ring-buffer-in-the-s2idle-suspend.patch drm-shmem-helper-avoid-vm_open-error-paths.patch drm-shmem-helper-remove-errant-put-in-error-path.patch drm-vmwgfx-don-t-use-screen-objects-when-sev-is-active.patch hid-core-fix-shift-out-of-bounds-in-hid_report_raw_event.patch hid-fix-i2c_hid-not-selected-when-i2c_hid_of_elan-is.patch hid-hid-lg4ff-add-check-for-empty-lbuf.patch hid-ite-enable-quirk_touchpad_on_off_report-on-acer-aspire-switch-v-10.patch hid-uclogic-add-hid_quirk_hidinput_force-quirk.patch hid-uclogic-fix-frame-templates-for-big-endian-architectures.patch hid-usbhid-add-always_poll-quirk-for-some-mice.patch io_uring-fix-a-null-ptr-deref-in-io_tctx_exit_cb.patch kvm-s390-vsie-fix-the-initialization-of-the-epoch-extension-epdx-field.patch media-v4l2-dv-timings.c-fix-too-strict-blanking-sanity-checks.patch memcg-fix-possible-use-after-free-in-memcg_write_event_control.patch mm-gup-fix-gup_pud_range-for-dax.patch net-dsa-sja1105-avoid-out-of-bounds-access-in-sja1105_init_l2_policing.patch net-mana-fix-race-on-per-cq-variable-napi-work_done.patch revert-arm-dts-imx7-fix-nand-controller-size-cells.patch selftests-tls-fix-tls-selftests-dependency-to-correct-algorithm.patch tmpfs-fix-data-loss-from-failed-fallocate.patch --- 
diff --git a/queue-6.0/bluetooth-btusb-add-debug-message-for-csr-controllers.patch b/queue-6.0/bluetooth-btusb-add-debug-message-for-csr-controllers.patch
new file mode 100644
index 00000000000..b9fb71e10c2
--- /dev/null
+++ b/queue-6.0/bluetooth-btusb-add-debug-message-for-csr-controllers.patch
@@ -0,0 +1,42 @@
+From 955aebd445e2b49622f2184b7abb82b05c060549 Mon Sep 17 00:00:00 2001
+From: Ismael Ferreras Morezuelas
+Date: Sat, 29 Oct 2022 22:24:53 +0200
+Subject: Bluetooth: btusb: Add debug message for CSR controllers
+
+From: Ismael Ferreras Morezuelas
+
+commit 955aebd445e2b49622f2184b7abb82b05c060549 upstream.
+
+The rationale of showing this is that it's potentially critical
+information to diagnose and find more CSR compatibility bugs in the
+future and it will save a lot of headaches.
+
+Given that clones come from a wide array of vendors (some are actually
+Barrot, some are something else) and these numbers are what let us find
+differences between actual and fake ones, it will be immensely helpful
+to scour the Internet looking for this pattern and building an actual
+database to find correlations and improve the checks.
+
+Cc: stable@vger.kernel.org
+Cc: Hans de Goede
+Signed-off-by: Ismael Ferreras Morezuelas
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/bluetooth/btusb.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -2042,6 +2042,11 @@ static int btusb_setup_csr(struct hci_de
+
+ rp = (struct hci_rp_read_local_version *)skb->data;
+
++ bt_dev_info(hdev, "CSR: Setting up dongle with HCI ver=%u rev=%04x; LMP ver=%u subver=%04x; manufacturer=%u",
++ le16_to_cpu(rp->hci_ver), le16_to_cpu(rp->hci_rev),
++ le16_to_cpu(rp->lmp_ver), le16_to_cpu(rp->lmp_subver),
++ le16_to_cpu(rp->manufacturer));
++
+ /* Detect a wide host of Chinese controllers that aren't CSR.
+ *
+ * Known fake bcdDevices: 0x0100, 0x0134, 0x1915, 0x2520, 0x7558, 0x8891
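Review bot: The added bt_dev_info() call in btusb_setup_csr wraps every field in le16_to_cpu(), including `rp->hci_ver` and `rp->lmp_ver`. If those two are single-byte fields in struct hci_rp_read_local_version (the struct is not shown here, so confirm against hci.h), the 16-bit swap would print wrong version numbers on big-endian hosts. Passing them unconverted, `rp->hci_ver, le16_to_cpu(rp->hci_rev),` and `rp->lmp_ver, le16_to_cpu(rp->lmp_subver),`, keeps the log line reliable for the clone fingerprinting the commit message describes. The function body continues outside the hunk.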
diff --git a/queue-6.0/bluetooth-btusb-fix-csr-clones-again-by-re-adding-err_data_reporting-quirk.patch b/queue-6.0/bluetooth-btusb-fix-csr-clones-again-by-re-adding-err_data_reporting-quirk.patch
new file mode 100644
index 00000000000..76f4389ffc6
--- /dev/null
+++ b/queue-6.0/bluetooth-btusb-fix-csr-clones-again-by-re-adding-err_data_reporting-quirk.patch
@@ -0,0 +1,127 @@ +From 42d7731e3e7409f9444ff44e30c025958f1b14f0 Mon Sep 17 00:00:00 2001 +From: Ismael Ferreras Morezuelas +Date: Sat, 29 Oct 2022 22:24:52 +0200 +Subject: Bluetooth: btusb: Fix CSR clones again by re-adding ERR_DATA_REPORTING quirk + +From: Ismael Ferreras Morezuelas + +commit 42d7731e3e7409f9444ff44e30c025958f1b14f0 upstream. + +A patch series by a Qualcomm engineer essentially removed my +quirk/workaround because they thought it was unnecessary. + +It wasn't, and it broke everything again: + +https://patchwork.kernel.org/project/netdevbpf/list/?series=661703&archive=both&state=* + +He argues that the quirk is not necessary because the code should check +if the dongle says if it's supported or not. The problem is that for +these Chinese CSR clones they say that it would work: + += New Index: 00:00:00:00:00:00 (Primary,USB,hci0) += Open Index: 00:00:00:00:00:00 +< HCI Command: Read Local Version Information (0x04|0x0001) plen 0 +> HCI Event: Command Complete (0x0e) plen 12 +> [hci0] 11.276039 + Read Local Version Information (0x04|0x0001) ncmd 1 + Status: Success (0x00) + HCI version: Bluetooth 5.0 (0x09) - Revision 2064 (0x0810) + LMP version: Bluetooth 5.0 (0x09) - Subversion 8978 (0x2312) + Manufacturer: Cambridge Silicon Radio (10) +... +< HCI Command: Read Local Supported Features (0x04|0x0003) plen 0 +> HCI Event: Command Complete (0x0e) plen 68 +> [hci0] 11.668030 + Read Local Supported Commands (0x04|0x0002) ncmd 1 + Status: Success (0x00) + Commands: 163 entries + ... + Read Default Erroneous Data Reporting (Octet 18 - Bit 2) + Write Default Erroneous Data Reporting (Octet 18 - Bit 3) + ... +... +< HCI Command: Read Default Erroneous Data Reporting (0x03|0x005a) plen 0 += Close Index: 00:1A:7D:DA:71:XX + +So bring it back wholesale. 
+ +Fixes: 63b1a7dd38bf ("Bluetooth: hci_sync: Remove HCI_QUIRK_BROKEN_ERR_DATA_REPORTING") +Fixes: e168f6900877 ("Bluetooth: btusb: Remove HCI_QUIRK_BROKEN_ERR_DATA_REPORTING for fake CSR") +Fixes: 766ae2422b43 ("Bluetooth: hci_sync: Check LMP feature bit instead of quirk") +Cc: stable@vger.kernel.org +Cc: Zijun Hu +Cc: Luiz Augusto von Dentz +Cc: Hans de Goede +Tested-by: Ismael Ferreras Morezuelas +Signed-off-by: Ismael Ferreras Morezuelas +Reviewed-by: Hans de Goede +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bluetooth/btusb.c | 1 + + include/net/bluetooth/hci.h | 11 +++++++++++ + net/bluetooth/hci_sync.c | 9 +++++++-- + 3 files changed, 19 insertions(+), 2 deletions(-) + +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -2104,6 +2104,7 @@ static int btusb_setup_csr(struct hci_de + * without these the controller will lock up. + */ + set_bit(HCI_QUIRK_BROKEN_STORED_LINK_KEY, &hdev->quirks); ++ set_bit(HCI_QUIRK_BROKEN_ERR_DATA_REPORTING, &hdev->quirks); + set_bit(HCI_QUIRK_BROKEN_FILTER_CLEAR_ALL, &hdev->quirks); + set_bit(HCI_QUIRK_NO_SUSPEND_NOTIFIER, &hdev->quirks); + +--- a/include/net/bluetooth/hci.h ++++ b/include/net/bluetooth/hci.h +@@ -228,6 +228,17 @@ enum { + */ + HCI_QUIRK_VALID_LE_STATES, + ++ /* When this quirk is set, then erroneous data reporting ++ * is ignored. This is mainly due to the fact that the HCI ++ * Read Default Erroneous Data Reporting command is advertised, ++ * but not supported; these controllers often reply with unknown ++ * command and tend to lock up randomly. Needing a hard reset. ++ * ++ * This quirk can be set before hci_register_dev is called or ++ * during the hdev->setup vendor callback. ++ */ ++ HCI_QUIRK_BROKEN_ERR_DATA_REPORTING, ++ + /* + * When this quirk is set, then the hci_suspend_notifier is not + * registered. 
This is intended for devices which drop completely +--- a/net/bluetooth/hci_sync.c ++++ b/net/bluetooth/hci_sync.c +@@ -3459,7 +3459,8 @@ static int hci_read_page_scan_activity_s + static int hci_read_def_err_data_reporting_sync(struct hci_dev *hdev) + { + if (!(hdev->commands[18] & 0x04) || +- !(hdev->features[0][6] & LMP_ERR_DATA_REPORTING)) ++ !(hdev->features[0][6] & LMP_ERR_DATA_REPORTING) || ++ test_bit(HCI_QUIRK_BROKEN_ERR_DATA_REPORTING, &hdev->quirks)) + return 0; + + return __hci_cmd_sync_status(hdev, HCI_OP_READ_DEF_ERR_DATA_REPORTING, +@@ -3977,7 +3978,8 @@ static int hci_set_err_data_report_sync( + bool enabled = hci_dev_test_flag(hdev, HCI_WIDEBAND_SPEECH_ENABLED); + + if (!(hdev->commands[18] & 0x08) || +- !(hdev->features[0][6] & LMP_ERR_DATA_REPORTING)) ++ !(hdev->features[0][6] & LMP_ERR_DATA_REPORTING) || ++ test_bit(HCI_QUIRK_BROKEN_ERR_DATA_REPORTING, &hdev->quirks)) + return 0; + + if (enabled == hdev->err_data_reporting) +@@ -4136,6 +4138,9 @@ static const struct { + HCI_QUIRK_BROKEN(STORED_LINK_KEY, + "HCI Delete Stored Link Key command is advertised, " + "but not supported."), ++ HCI_QUIRK_BROKEN(ERR_DATA_REPORTING, ++ "HCI Read Default Erroneous Data Reporting command is " ++ "advertised, but not supported."), + HCI_QUIRK_BROKEN(READ_TRANSMIT_POWER, + "HCI Read Transmit Power Level command is advertised, " + "but not supported."), diff --git a/queue-6.0/bluetooth-fix-crash-when-replugging-csr-fake-controllers.patch b/queue-6.0/bluetooth-fix-crash-when-replugging-csr-fake-controllers.patch new file mode 100644 index 00000000000..c84730f48fa --- /dev/null +++ b/queue-6.0/bluetooth-fix-crash-when-replugging-csr-fake-controllers.patch 
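Review bot: The HCI_QUIRK_BROKEN_ERR_DATA_REPORTING text in the hci_sync.c quirk table, like the hci.h comment, names only the Read Default Erroneous Data Reporting command, while the same quirk also short-circuits hci_set_err_data_report_sync, whose guard tests the Write command bit (`commands[18] & 0x08`). I would word the table string as `"HCI Read/Write Default Erroneous Data Reporting commands are advertised, but not supported."` so the logged reason matches what is actually skipped. In the hci.h comment, "Needing a hard reset." is a sentence fragment; `tend to lock up randomly, needing a hard reset` reads better. The hci_sync.c functions continue outside their hunks.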
@@ -0,0 +1,95 @@ +From b5ca338751ad4783ec8d37b5d99c3e37b7813e59 Mon Sep 17 00:00:00 2001 +From: Luiz Augusto von Dentz +Date: Tue, 29 Nov 2022 12:54:13 -0800 +Subject: Bluetooth: Fix crash when replugging CSR fake controllers +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Luiz Augusto von Dentz + +commit b5ca338751ad4783ec8d37b5d99c3e37b7813e59 upstream. + +It seems fake CSR 5.0 clones can cause the suspend notifier to be +registered twice causing the following kernel panic: + +[ 71.986122] Call Trace: +[ 71.986124] +[ 71.986125] blocking_notifier_chain_register+0x33/0x60 +[ 71.986130] hci_register_dev+0x316/0x3d0 [bluetooth 99b5497ea3d09708fa1366c1dc03288bf3cca8da] +[ 71.986154] btusb_probe+0x979/0xd85 [btusb e1e0605a4f4c01984a4b9c8ac58c3666ae287477] +[ 71.986159] ? __pm_runtime_set_status+0x1a9/0x300 +[ 71.986162] ? ktime_get_mono_fast_ns+0x3e/0x90 +[ 71.986167] usb_probe_interface+0xe3/0x2b0 +[ 71.986171] really_probe+0xdb/0x380 +[ 71.986174] ? pm_runtime_barrier+0x54/0x90 +[ 71.986177] __driver_probe_device+0x78/0x170 +[ 71.986180] driver_probe_device+0x1f/0x90 +[ 71.986183] __device_attach_driver+0x89/0x110 +[ 71.986186] ? driver_allows_async_probing+0x70/0x70 +[ 71.986189] bus_for_each_drv+0x8c/0xe0 +[ 71.986192] __device_attach+0xb2/0x1e0 +[ 71.986195] bus_probe_device+0x92/0xb0 +[ 71.986198] device_add+0x422/0x9a0 +[ 71.986201] ? sysfs_merge_group+0xd4/0x110 +[ 71.986205] usb_set_configuration+0x57a/0x820 +[ 71.986208] usb_generic_driver_probe+0x4f/0x70 +[ 71.986211] usb_probe_device+0x3a/0x110 +[ 71.986213] really_probe+0xdb/0x380 +[ 71.986216] ? pm_runtime_barrier+0x54/0x90 +[ 71.986219] __driver_probe_device+0x78/0x170 +[ 71.986221] driver_probe_device+0x1f/0x90 +[ 71.986224] __device_attach_driver+0x89/0x110 +[ 71.986227] ? 
driver_allows_async_probing+0x70/0x70 +[ 71.986230] bus_for_each_drv+0x8c/0xe0 +[ 71.986232] __device_attach+0xb2/0x1e0 +[ 71.986235] bus_probe_device+0x92/0xb0 +[ 71.986237] device_add+0x422/0x9a0 +[ 71.986239] ? _dev_info+0x7d/0x98 +[ 71.986242] ? blake2s_update+0x4c/0xc0 +[ 71.986246] usb_new_device.cold+0x148/0x36d +[ 71.986250] hub_event+0xa8a/0x1910 +[ 71.986255] process_one_work+0x1c4/0x380 +[ 71.986259] worker_thread+0x51/0x390 +[ 71.986262] ? rescuer_thread+0x3b0/0x3b0 +[ 71.986264] kthread+0xdb/0x110 +[ 71.986266] ? kthread_complete_and_exit+0x20/0x20 +[ 71.986268] ret_from_fork+0x1f/0x30 +[ 71.986273] +[ 71.986274] ---[ end trace 0000000000000000 ]--- +[ 71.986284] btusb: probe of 2-1.6:1.0 failed with error -17 + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=216683 +Cc: stable@vger.kernel.org +Signed-off-by: Luiz Augusto von Dentz +Tested-by: Leonardo Eugênio +Signed-off-by: Greg Kroah-Hartman +--- + net/bluetooth/hci_core.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/net/bluetooth/hci_core.c ++++ b/net/bluetooth/hci_core.c +@@ -2757,7 +2757,8 @@ int hci_register_suspend_notifier(struct + { + int ret = 0; + +- if (!test_bit(HCI_QUIRK_NO_SUSPEND_NOTIFIER, &hdev->quirks)) { ++ if (!hdev->suspend_notifier.notifier_call && ++ !test_bit(HCI_QUIRK_NO_SUSPEND_NOTIFIER, &hdev->quirks)) { + hdev->suspend_notifier.notifier_call = hci_suspend_notifier; + ret = register_pm_notifier(&hdev->suspend_notifier); + } +@@ -2769,8 +2770,11 @@ int hci_unregister_suspend_notifier(stru + { + int ret = 0; + +- if (!test_bit(HCI_QUIRK_NO_SUSPEND_NOTIFIER, &hdev->quirks)) ++ if (hdev->suspend_notifier.notifier_call) { + ret = unregister_pm_notifier(&hdev->suspend_notifier); ++ if (!ret) ++ hdev->suspend_notifier.notifier_call = NULL; ++ } + + return ret; + } diff --git a/queue-6.0/can-can327-flush-tx_work-on-ldisc-.close.patch b/queue-6.0/can-can327-flush-tx_work-on-ldisc-.close.patch new file mode 100644 index 00000000000..ca1d00543b0 
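Review bot: In hci_register_suspend_notifier, `notifier_call` is assigned before register_pm_notifier() and stays set when that call fails, so the new `!hdev->suspend_notifier.notifier_call` guard would treat a failed registration as an existing one. hci_unregister_suspend_notifier would then try to unregister a notifier that was never on the chain. Resetting the field on the error path, `if (ret) hdev->suspend_notifier.notifier_call = NULL;` right after the register call, keeps it an accurate "is registered" flag. A one-line comment saying that notifier_call doubles as that flag would also help the next reader.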
--- /dev/null
+++ b/queue-6.0/can-can327-flush-tx_work-on-ldisc-.close.patch
@@ -0,0 +1,85 @@ +From f4a4d121ebecaa6f396f21745ce97de014281ccc Mon Sep 17 00:00:00 2001 +From: Max Staudt +Date: Sat, 3 Dec 2022 01:01:48 +0900 +Subject: can: can327: flush TX_work on ldisc .close() + +From: Max Staudt + +commit f4a4d121ebecaa6f396f21745ce97de014281ccc upstream. + +Additionally, remove it from .ndo_stop(). + +This ensures that the worker is not called after being freed, and that +the UART TX queue remains active to send final commands when the +netdev is stopped. + +Thanks to Jiri Slaby for finding this in slcan: + + https://lore.kernel.org/linux-can/20221201073426.17328-1-jirislaby@kernel.org/ + +A variant of this patch for slcan, with the flush in .ndo_stop() still +present, has been tested successfully on physical hardware: + + https://bugzilla.suse.com/show_bug.cgi?id=1205597 + +Fixes: 43da2f07622f ("can: can327: CAN/ldisc driver for ELM327 based OBD-II adapters") +Cc: "Jiri Slaby (SUSE)" +Cc: Max Staudt +Cc: Wolfgang Grandegger +Cc: Marc Kleine-Budde +Cc: "David S. Miller" +Cc: Eric Dumazet +Cc: Jakub Kicinski +Cc: Paolo Abeni +Cc: linux-can@vger.kernel.org +Cc: netdev@vger.kernel.org +Cc: stable@vger.kernel.org +Signed-off-by: Max Staudt +Link: https://lore.kernel.org/all/20221202160148.282564-1-max@enpas.org +Cc: stable@vger.kernel.org +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/can327.c | 17 ++++++++++------- + 1 file changed, 10 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/can/can327.c b/drivers/net/can/can327.c +index ed3d0b8989a0..dc7192ecb001 100644 +--- a/drivers/net/can/can327.c ++++ b/drivers/net/can/can327.c +@@ -796,9 +796,9 @@ static int can327_netdev_close(struct net_device *dev) + + netif_stop_queue(dev); + +- /* Give UART one final chance to flush. */ +- clear_bit(TTY_DO_WRITE_WAKEUP, &elm->tty->flags); +- flush_work(&elm->tx_work); ++ /* We don't flush the UART TX queue here, as we want final stop ++ * commands (like the above dummy char) to be flushed out. 
++ */ + + can_rx_offload_disable(&elm->offload); + elm->can.state = CAN_STATE_STOPPED; +@@ -1069,12 +1069,15 @@ static void can327_ldisc_close(struct tty_struct *tty) + { + struct can327 *elm = (struct can327 *)tty->disc_data; + +- /* unregister_netdev() calls .ndo_stop() so we don't have to. +- * Our .ndo_stop() also flushes the TTY write wakeup handler, +- * so we can safely set elm->tty = NULL after this. +- */ ++ /* unregister_netdev() calls .ndo_stop() so we don't have to. */ + unregister_candev(elm->dev); + ++ /* Give UART one final chance to flush. ++ * No need to clear TTY_DO_WRITE_WAKEUP since .write_wakeup() is ++ * serialised against .close() and will not be called once we return. ++ */ ++ flush_work(&elm->tx_work); ++ + /* Mark channel as dead */ + spin_lock_bh(&elm->lock); + tty->disc_data = NULL; +-- +2.38.1 + diff --git a/queue-6.0/can-esd_usb-allow-rec-and-tec-to-return-to-zero.patch b/queue-6.0/can-esd_usb-allow-rec-and-tec-to-return-to-zero.patch new file mode 100644 index 00000000000..b089b0cf0e4 --- /dev/null +++ b/queue-6.0/can-esd_usb-allow-rec-and-tec-to-return-to-zero.patch 
@@ -0,0 +1,50 @@
+From 918ee4911f7a41fb4505dff877c1d7f9f64eb43e Mon Sep 17 00:00:00 2001
+From: Frank Jungclaus
+Date: Wed, 30 Nov 2022 21:22:42 +0100
+Subject: can: esd_usb: Allow REC and TEC to return to zero
+
+From: Frank Jungclaus
+
+commit 918ee4911f7a41fb4505dff877c1d7f9f64eb43e upstream.
+
+We don't get any further EVENT from an esd CAN USB device for changes
+on REC or TEC while those counters converge to 0 (with ecc == 0). So
+when handling the "Back to Error Active"-event force txerr = rxerr =
+0, otherwise the berr-counters might stay on values like 95 forever.
+
+Also, to make life easier during the ongoing development a
+netdev_dbg() has been introduced to allow dumping error events send by
+an esd CAN USB device.
+
+Fixes: 96d8e90382dc ("can: Add driver for esd CAN-USB/2 device")
+Signed-off-by: Frank Jungclaus
+Link: https://lore.kernel.org/all/20221130202242.3998219-2-frank.jungclaus@esd.eu
+Cc: stable@vger.kernel.org
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/can/usb/esd_usb.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/net/can/usb/esd_usb.c
++++ b/drivers/net/can/usb/esd_usb.c
+@@ -234,6 +234,10 @@ static void esd_usb_rx_event(struct esd_
+ u8 rxerr = msg->msg.rx.data[2];
+ u8 txerr = msg->msg.rx.data[3];
+
++ netdev_dbg(priv->netdev,
++ "CAN_ERR_EV_EXT: dlc=%#02x state=%02x ecc=%02x rec=%02x tec=%02x\n",
++ msg->msg.rx.dlc, state, ecc, rxerr, txerr);
++
+ skb = alloc_can_err_skb(priv->netdev, &cf);
+ if (skb == NULL) {
+ stats->rx_dropped++;
+@@ -260,6 +264,8 @@ static void esd_usb_rx_event(struct esd_
+ break;
+ default:
+ priv->can.state = CAN_STATE_ERROR_ACTIVE;
++ txerr = 0;
++ rxerr = 0;
+ break;
+ }
+ } else {
diff --git a/queue-6.0/can-slcan-fix-freed-work-crash.patch b/queue-6.0/can-slcan-fix-freed-work-crash.patch
new file mode 100644
index 00000000000..2abe453dc02
--- /dev/null
+++ b/queue-6.0/can-slcan-fix-freed-work-crash.patch
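Review bot: The `dlc=%#02x` conversion in the new netdev_dbg() of esd_usb_rx_event combines the `#` flag with a width of 2, so the `0x` prefix already uses up the whole width and the value is not zero-padded, unlike the other four fields, which use plain `%02x`. Using `dlc=%02x` (or `%#04x` if the prefix is wanted) makes the dump line uniform. Separately, a short comment on the `txerr = 0; rxerr = 0;` lines in the default branch, for example `/* no further event arrives while REC/TEC decay to 0, so report 0 here */`, would carry the commit message's reasoning into the code. The function continues outside both hunks.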
@@ -0,0 +1,100 @@ +From fb855e9f3b6b42c72af3f1eb0b288998fe0d5ebb Mon Sep 17 00:00:00 2001 +From: "Jiri Slaby (SUSE)" +Date: Thu, 1 Dec 2022 08:34:26 +0100 +Subject: can: slcan: fix freed work crash + +From: Jiri Slaby (SUSE) + +commit fb855e9f3b6b42c72af3f1eb0b288998fe0d5ebb upstream. + +The LTP test pty03 is causing a crash in slcan: + BUG: kernel NULL pointer dereference, address: 0000000000000008 + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page + PGD 0 P4D 0 + Oops: 0000 [#1] PREEMPT SMP NOPTI + CPU: 0 PID: 348 Comm: kworker/0:3 Not tainted 6.0.8-1-default #1 openSUSE Tumbleweed 9d20364b934f5aab0a9bdf84e8f45cfdfae39dab + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b-rebuilt.opensuse.org 04/01/2014 + Workqueue: 0x0 (events) + RIP: 0010:process_one_work (/home/rich/kernel/linux/kernel/workqueue.c:706 /home/rich/kernel/linux/kernel/workqueue.c:2185) + Code: 49 89 ff 41 56 41 55 41 54 55 53 48 89 f3 48 83 ec 10 48 8b 06 48 8b 6f 48 49 89 c4 45 30 e4 a8 04 b8 00 00 00 00 4c 0f 44 e0 <49> 8b 44 24 08 44 8b a8 00 01 00 00 41 83 e5 20 f6 45 10 04 75 0e + RSP: 0018:ffffaf7b40f47e98 EFLAGS: 00010046 + RAX: 0000000000000000 RBX: ffff9d644e1b8b48 RCX: ffff9d649e439968 + RDX: 00000000ffff8455 RSI: ffff9d644e1b8b48 RDI: ffff9d64764aa6c0 + RBP: ffff9d649e4335c0 R08: 0000000000000c00 R09: ffff9d64764aa734 + R10: 0000000000000007 R11: 0000000000000001 R12: 0000000000000000 + R13: ffff9d649e4335e8 R14: ffff9d64490da780 R15: ffff9d64764aa6c0 + FS: 0000000000000000(0000) GS:ffff9d649e400000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000000000000008 CR3: 0000000036424000 CR4: 00000000000006f0 + Call Trace: + + worker_thread (/home/rich/kernel/linux/kernel/workqueue.c:2436) + kthread (/home/rich/kernel/linux/kernel/kthread.c:376) + ret_from_fork (/home/rich/kernel/linux/arch/x86/entry/entry_64.S:312) + +Apparently, the slcan's tx_work is freed while being 
scheduled. While +slcan_netdev_close() (netdev side) calls flush_work(&sl->tx_work), +slcan_close() (tty side) does not. So when the netdev is never set UP, +but the tty is stuffed with bytes and forced to wakeup write, the work +is scheduled, but never flushed. + +So add an additional flush_work() to slcan_close() to be sure the work +is flushed under all circumstances. + +The Fixes commit below moved flush_work() from slcan_close() to +slcan_netdev_close(). What was the rationale behind it? Maybe we can +drop the one in slcan_netdev_close()? + +I see the same pattern in can327. So it perhaps needs the very same fix. + +Fixes: cfcb4465e992 ("can: slcan: remove legacy infrastructure") +Link: https://bugzilla.suse.com/show_bug.cgi?id=1205597 +Reported-by: Richard Palethorpe +Tested-by: Petr Vorel +Cc: Dario Binacchi +Cc: Wolfgang Grandegger +Cc: Marc Kleine-Budde +Cc: "David S. Miller" +Cc: Eric Dumazet +Cc: Jakub Kicinski +Cc: Paolo Abeni +Cc: linux-can@vger.kernel.org +Cc: netdev@vger.kernel.org +Cc: stable@vger.kernel.org +Cc: Max Staudt +Signed-off-by: Jiri Slaby (SUSE) +Reviewed-by: Max Staudt +Link: https://lore.kernel.org/all/20221201073426.17328-1-jirislaby@kernel.org +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/slcan/slcan-core.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/can/slcan/slcan-core.c b/drivers/net/can/slcan/slcan-core.c +index fbb34139daa1..f4db77007c13 100644 +--- a/drivers/net/can/slcan/slcan-core.c ++++ b/drivers/net/can/slcan/slcan-core.c +@@ -864,12 +864,14 @@ static void slcan_close(struct tty_struct *tty) + { + struct slcan *sl = (struct slcan *)tty->disc_data; + +- /* unregister_netdev() calls .ndo_stop() so we don't have to. +- * Our .ndo_stop() also flushes the TTY write wakeup handler, +- * so we can safely set sl->tty = NULL after this. 
+- */ + unregister_candev(sl->dev); + ++ /* ++ * The netdev needn't be UP (so .ndo_stop() is not called). Hence make ++ * sure this is not running before freeing it up. ++ */ ++ flush_work(&sl->tx_work); ++ + /* Mark channel as dead */ + spin_lock_bh(&sl->lock); + tty->disc_data = NULL; +-- +2.38.1 + diff --git a/queue-6.0/drm-amd-display-fix-array-index-out-of-bound-error-in-dcn32-dml.patch b/queue-6.0/drm-amd-display-fix-array-index-out-of-bound-error-in-dcn32-dml.patch new file mode 100644 index 00000000000..13f42c7bf3a --- /dev/null +++ b/queue-6.0/drm-amd-display-fix-array-index-out-of-bound-error-in-dcn32-dml.patch 
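Review bot: The new comment above `flush_work(&sl->tx_work)` in slcan_close does not say why tx_work cannot be queued again once the flush returns, which is the property that makes the later free safe. The can327 version of this fix in the same queue states that assumption explicitly (.write_wakeup() is serialised against .close() and will not be called once it returns). If the same holds for slcan, I would add a sentence such as `Nothing can requeue it afterwards: .write_wakeup() is serialised against .close().`; if it does not hold, a flush alone is not enough. The function continues outside the hunk.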
@@ -0,0 +1,35 @@
+From aeffc8fb2174f017a10df114bc312f899904dc68 Mon Sep 17 00:00:00 2001
+From: Aurabindo Pillai
+Date: Fri, 25 Nov 2022 19:13:41 -0500
+Subject: drm/amd/display: fix array index out of bound error in DCN32 DML
+
+From: Aurabindo Pillai
+
+commit aeffc8fb2174f017a10df114bc312f899904dc68 upstream.
+
+[Why&How]
+LinkCapacitySupport array is indexed with the number of voltage states and
+not the number of max DPPs. Fix the error by changing the array
+declaration to use the correct (larger) array size of total number of
+voltage states.
+
+Signed-off-by: Aurabindo Pillai
+Reviewed-by: Rodrigo Siqueira
+Signed-off-by: Alex Deucher
+Cc: stable@vger.kernel.org # 6.0.x
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/display/dc/dml/display_mode_vba.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/display/dc/dml/display_mode_vba.h
++++ b/drivers/gpu/drm/amd/display/dc/dml/display_mode_vba.h
+@@ -1152,7 +1152,7 @@ struct vba_vars_st {
+ double UrgBurstFactorLumaPre[DC__NUM_DPP__MAX];
+ double UrgBurstFactorChromaPre[DC__NUM_DPP__MAX];
+ bool NotUrgentLatencyHidingPre[DC__NUM_DPP__MAX];
+- bool LinkCapacitySupport[DC__NUM_DPP__MAX];
++ bool LinkCapacitySupport[DC__VOLTAGE_STATES];
+ bool VREADY_AT_OR_AFTER_VSYNC[DC__NUM_DPP__MAX];
+ unsigned int MIN_DST_Y_NEXT_START[DC__NUM_DPP__MAX];
+ unsigned int VFrontPorch[DC__NUM_DPP__MAX];
diff --git a/queue-6.0/drm-amdgpu-sdma_v4_0-turn-off-sdma-ring-buffer-in-the-s2idle-suspend.patch b/queue-6.0/drm-amdgpu-sdma_v4_0-turn-off-sdma-ring-buffer-in-the-s2idle-suspend.patch
new file mode 100644
index 00000000000..f6f89af36d3
--- /dev/null
+++ b/queue-6.0/drm-amdgpu-sdma_v4_0-turn-off-sdma-ring-buffer-in-the-s2idle-suspend.patch
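Review bot: LinkCapacitySupport is now the only array in this run of vba_vars_st members sized by DC__VOLTAGE_STATES, and nothing at the declaration says it is indexed by voltage state rather than by DPP, which is the mismatch the commit message gives as the cause of the out-of-bounds index. A trailing comment such as `/* indexed by voltage state, not by DPP */` on the changed line would keep a later cleanup from "normalising" the bound back to DC__NUM_DPP__MAX. The indexing site is outside this hunk, so it is worth confirming that no other per-state member of the struct carries the same wrong bound.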
@@ -0,0 +1,94 @@ +From bc21fe9a5844c5bc8f7ec319b11d2671a94eb867 Mon Sep 17 00:00:00 2001 +From: Prike Liang +Date: Thu, 1 Dec 2022 11:17:31 +0800 +Subject: drm/amdgpu/sdma_v4_0: turn off SDMA ring buffer in the s2idle suspend + +From: Prike Liang + +commit bc21fe9a5844c5bc8f7ec319b11d2671a94eb867 upstream. + +In the SDMA s0ix save process requires to turn off SDMA ring buffer for +avoiding the SDMA in-flight request, otherwise will suffer from SDMA page +fault which causes by page request from in-flight SDMA ring accessing at +SDMA restore phase. + +Link: https://gitlab.freedesktop.org/drm/amd/-/issues/2248 +Cc: stable@vger.kernel.org # 6.0,5.15+ +Fixes: f8f4e2a51834 ("drm/amdgpu: skipping SDMA hw_init and hw_fini for S0ix.") +Signed-off-by: Prike Liang +Reviewed-by: Alex Deucher +Tested-by: Mario Limonciello +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c | 24 +++++++++++++++--------- + 1 file changed, 15 insertions(+), 9 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c +@@ -980,13 +980,13 @@ static void sdma_v4_0_ring_emit_fence(st + + + /** +- * sdma_v4_0_gfx_stop - stop the gfx async dma engines ++ * sdma_v4_0_gfx_enable - enable the gfx async dma engines + * + * @adev: amdgpu_device pointer +- * +- * Stop the gfx async dma ring buffers (VEGA10). ++ * @enable: enable SDMA RB/IB ++ * control the gfx async dma ring buffers (VEGA10). + */ +-static void sdma_v4_0_gfx_stop(struct amdgpu_device *adev) ++static void sdma_v4_0_gfx_enable(struct amdgpu_device *adev, bool enable) + { + struct amdgpu_ring *sdma[AMDGPU_MAX_SDMA_INSTANCES]; + u32 rb_cntl, ib_cntl; +@@ -1001,10 +1001,10 @@ static void sdma_v4_0_gfx_stop(struct am + } + + rb_cntl = RREG32_SDMA(i, mmSDMA0_GFX_RB_CNTL); +- rb_cntl = REG_SET_FIELD(rb_cntl, SDMA0_GFX_RB_CNTL, RB_ENABLE, 0); ++ rb_cntl = REG_SET_FIELD(rb_cntl, SDMA0_GFX_RB_CNTL, RB_ENABLE, enable ? 
1 : 0); + WREG32_SDMA(i, mmSDMA0_GFX_RB_CNTL, rb_cntl); + ib_cntl = RREG32_SDMA(i, mmSDMA0_GFX_IB_CNTL); +- ib_cntl = REG_SET_FIELD(ib_cntl, SDMA0_GFX_IB_CNTL, IB_ENABLE, 0); ++ ib_cntl = REG_SET_FIELD(ib_cntl, SDMA0_GFX_IB_CNTL, IB_ENABLE, enable ? 1 : 0); + WREG32_SDMA(i, mmSDMA0_GFX_IB_CNTL, ib_cntl); + } + } +@@ -1131,7 +1131,7 @@ static void sdma_v4_0_enable(struct amdg + int i; + + if (!enable) { +- sdma_v4_0_gfx_stop(adev); ++ sdma_v4_0_gfx_enable(adev, enable); + sdma_v4_0_rlc_stop(adev); + if (adev->sdma.has_page_queue) + sdma_v4_0_page_stop(adev); +@@ -2043,8 +2043,10 @@ static int sdma_v4_0_suspend(void *handl + struct amdgpu_device *adev = (struct amdgpu_device *)handle; + + /* SMU saves SDMA state for us */ +- if (adev->in_s0ix) ++ if (adev->in_s0ix) { ++ sdma_v4_0_gfx_enable(adev, false); + return 0; ++ } + + return sdma_v4_0_hw_fini(adev); + } +@@ -2054,8 +2056,12 @@ static int sdma_v4_0_resume(void *handle + struct amdgpu_device *adev = (struct amdgpu_device *)handle; + + /* SMU restores SDMA state for us */ +- if (adev->in_s0ix) ++ if (adev->in_s0ix) { ++ sdma_v4_0_enable(adev, true); ++ sdma_v4_0_gfx_enable(adev, true); ++ amdgpu_ttm_set_buffer_funcs_status(adev, true); + return 0; ++ } + + return sdma_v4_0_hw_init(adev); + } diff --git a/queue-6.0/drm-shmem-helper-avoid-vm_open-error-paths.patch b/queue-6.0/drm-shmem-helper-avoid-vm_open-error-paths.patch new file mode 100644 index 00000000000..63848f37250 --- /dev/null +++ b/queue-6.0/drm-shmem-helper-avoid-vm_open-error-paths.patch 
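Review bot: The kernel-doc block for sdma_v4_0_gfx_enable puts its description directly after `@enable: enable SDMA RB/IB` with no blank ` *` line between them, so kernel-doc will read "control the gfx async dma ring buffers (VEGA10)." as a continuation of the @enable text. I would restore the separator line and word the two lines as `@enable: true to enable the SDMA RB/IB, false to disable them` and `Enable or disable the gfx async dma ring buffers (VEGA10).` Also, the s0ix branch of sdma_v4_0_resume calls sdma_v4_0_enable(adev, true) and amdgpu_ttm_set_buffer_funcs_status(adev, true), although the s0ix branch of sdma_v4_0_suspend only clears the RB/IB enable bits. A comment explaining why resume does more than undo suspend would help the next reader.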
@@ -0,0 +1,54 @@
+From 09bf649a74573cb596e211418a4f8008f265c5a9 Mon Sep 17 00:00:00 2001
+From: Rob Clark
+Date: Wed, 30 Nov 2022 10:57:48 -0800
+Subject: drm/shmem-helper: Avoid vm_open error paths
+
+From: Rob Clark
+
+commit 09bf649a74573cb596e211418a4f8008f265c5a9 upstream.
+
+vm_open() is not allowed to fail. Fortunately we are guaranteed that
+the pages are already pinned, thanks to the initial mmap which is now
+being cloned into a forked process, and only need to increment the
+refcnt. So just increment it directly. Previously if a signal was
+delivered at the wrong time to the forking process, the
+mutex_lock_interruptible() could fail resulting in the pages_use_count
+not being incremented.
+
+Fixes: 2194a63a818d ("drm: Add library for shmem backed GEM objects")
+Cc: stable@vger.kernel.org
+Signed-off-by: Rob Clark
+Reviewed-by: Daniel Vetter
+Signed-off-by: Javier Martinez Canillas
+Link: https://patchwork.freedesktop.org/patch/msgid/20221130185748.357410-3-robdclark@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/drm_gem_shmem_helper.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/drm_gem_shmem_helper.c
++++ b/drivers/gpu/drm/drm_gem_shmem_helper.c
+@@ -571,12 +571,20 @@ static void drm_gem_shmem_vm_open(struct
+ {
+ struct drm_gem_object *obj = vma->vm_private_data;
+ struct drm_gem_shmem_object *shmem = to_drm_gem_shmem_obj(obj);
+- int ret;
+
+ WARN_ON(shmem->base.import_attach);
+
+- ret = drm_gem_shmem_get_pages(shmem);
+- WARN_ON_ONCE(ret != 0);
++ mutex_lock(&shmem->pages_lock);
++
++ /*
++ * We should have already pinned the pages when the buffer was first
++ * mmap'd, vm_open() just grabs an additional reference for the new
++ * mm the vma is getting copied into (ie. on fork()).
++ */
++ if (!WARN_ON_ONCE(!shmem->pages_use_count))
++ shmem->pages_use_count++;
++
++ mutex_unlock(&shmem->pages_lock);
+
+ drm_gem_vm_open(vma);
+ }
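Review bot: When the `WARN_ON_ONCE(!shmem->pages_use_count)` branch in drm_gem_shmem_vm_open fires, the page use count is not incremented but `drm_gem_vm_open(vma)` still runs, so the copied vma ends up holding an object reference and no page reference. The matching close path is outside this hunk; if it drops a page reference unconditionally, that imbalance could underflow the count or release the pages early, so it should be confirmed that the close side tolerates a zero count. I would extend the comment with that contract, for example `A zero count here is a bug; the vma then holds no page reference and vm_close() must cope with that.`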
diff --git a/queue-6.0/drm-shmem-helper-remove-errant-put-in-error-path.patch b/queue-6.0/drm-shmem-helper-remove-errant-put-in-error-path.patch
new file mode 100644
index 00000000000..1418a44ba36
--- /dev/null
+++ b/queue-6.0/drm-shmem-helper-remove-errant-put-in-error-path.patch
@@ -0,0 +1,39 @@
+From 24013314be6ee4ee456114a671e9fa3461323de8 Mon Sep 17 00:00:00 2001
+From: Rob Clark
+Date: Wed, 30 Nov 2022 10:57:47 -0800
+Subject: drm/shmem-helper: Remove errant put in error path
+
+From: Rob Clark
+
+commit 24013314be6ee4ee456114a671e9fa3461323de8 upstream.
+
+drm_gem_shmem_mmap() doesn't own this reference, resulting in the GEM
+object getting prematurely freed leading to a later use-after-free.
+
+Link: https://syzkaller.appspot.com/bug?extid=c8ae65286134dd1b800d
+Reported-by: syzbot+c8ae65286134dd1b800d@syzkaller.appspotmail.com
+Fixes: 2194a63a818d ("drm: Add library for shmem backed GEM objects")
+Cc: stable@vger.kernel.org
+Signed-off-by: Rob Clark
+Reviewed-by: Daniel Vetter
+Signed-off-by: Javier Martinez Canillas
+Link: https://patchwork.freedesktop.org/patch/msgid/20221130185748.357410-2-robdclark@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/drm_gem_shmem_helper.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/drm_gem_shmem_helper.c
++++ b/drivers/gpu/drm/drm_gem_shmem_helper.c
+@@ -622,10 +622,8 @@ int drm_gem_shmem_mmap(struct drm_gem_sh
+ }
+
+ ret = drm_gem_shmem_get_pages(shmem);
+- if (ret) {
+- drm_gem_vm_close(vma);
++ if (ret)
+ return ret;
+- }
+
+ vma->vm_flags |= VM_PFNMAP | VM_DONTEXPAND | VM_DONTDUMP;
+ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
diff --git a/queue-6.0/drm-vmwgfx-don-t-use-screen-objects-when-sev-is-active.patch b/queue-6.0/drm-vmwgfx-don-t-use-screen-objects-when-sev-is-active.patch
new file mode 100644
index 00000000000..d89ef9865ab
--- /dev/null
+++ b/queue-6.0/drm-vmwgfx-don-t-use-screen-objects-when-sev-is-active.patch
@@ -0,0 +1,43 @@
+From 6e90293618ed476d6b11f82ce724efbb9e9a071b Mon Sep 17 00:00:00 2001
+From: Zack Rusin
+Date: Thu, 1 Dec 2022 12:53:41 -0500
+Subject: drm/vmwgfx: Don't use screen objects when SEV is active
+
+From: Zack Rusin
+
+commit 6e90293618ed476d6b11f82ce724efbb9e9a071b upstream.
+
+When SEV is enabled gmr's and mob's are explicitly disabled because
+the encrypted system memory can not be used by the hypervisor.
+
+The driver was disabling GMR's but the presentation code, which depends
+on GMR's, wasn't honoring it which lead to black screen on hosts
+with SEV enabled.
+
+Make sure screen objects presentation is not used when guest memory
+regions have been disabled to fix presentation on SEV enabled hosts.
+
+Fixes: 3b0d6458c705 ("drm/vmwgfx: Refuse DMA operation when SEV encryption is active")
+Cc: # v5.7+
+Signed-off-by: Zack Rusin
+Reported-by: Nicholas Hunt
+Reviewed-by: Martin Krastev
+Link: https://patchwork.freedesktop.org/patch/msgid/20221201175341.491884-1-zack@kde.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_scrn.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_scrn.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_scrn.c
+@@ -950,6 +950,10 @@ int vmw_kms_sou_init_display(struct vmw_
+ struct drm_device *dev = &dev_priv->drm;
+ int i, ret;
+
++ /* Screen objects won't work if GMR's aren't available */
++ if (!dev_priv->has_gmr)
++ return -ENOSYS;
++
+ if (!(dev_priv->capabilities & SVGA_CAP_SCREEN_OBJECT_2)) {
+ return -ENOSYS;
+ }
diff --git a/queue-6.0/hid-core-fix-shift-out-of-bounds-in-hid_report_raw_event.patch b/queue-6.0/hid-core-fix-shift-out-of-bounds-in-hid_report_raw_event.patch
new file mode 100644
index 00000000000..df50e445304
--- /dev/null
+++ b/queue-6.0/hid-core-fix-shift-out-of-bounds-in-hid_report_raw_event.patch
@@ -0,0 +1,72 @@
+From ec61b41918587be530398b0d1c9a0d16619397e5 Mon Sep 17 00:00:00 2001
+From: ZhangPeng
+Date: Wed, 16 Nov 2022 07:14:28 +0000
+Subject: HID: core: fix shift-out-of-bounds in hid_report_raw_event
+
+From: ZhangPeng
+
+commit ec61b41918587be530398b0d1c9a0d16619397e5 upstream.
+
+Syzbot reported shift-out-of-bounds in hid_report_raw_event.
+
+microsoft 0003:045E:07DA.0001: hid_field_extract() called with n (128) >
+32! (swapper/0)
+======================================================================
+UBSAN: shift-out-of-bounds in drivers/hid/hid-core.c:1323:20
+shift exponent 127 is too large for 32-bit type 'int'
+CPU: 0 PID: 0 Comm: swapper/0 Not tainted
+6.1.0-rc4-syzkaller-00159-g4bbf3422df78 #0
+Hardware name: Google Compute Engine/Google Compute Engine, BIOS
+Google 10/26/2022
+Call Trace:
+
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
+ ubsan_epilogue lib/ubsan.c:151 [inline]
+ __ubsan_handle_shift_out_of_bounds+0x3a6/0x420 lib/ubsan.c:322
+ snto32 drivers/hid/hid-core.c:1323 [inline]
+ hid_input_fetch_field drivers/hid/hid-core.c:1572 [inline]
+ hid_process_report drivers/hid/hid-core.c:1665 [inline]
+ hid_report_raw_event+0xd56/0x18b0 drivers/hid/hid-core.c:1998
+ hid_input_report+0x408/0x4f0 drivers/hid/hid-core.c:2066
+ hid_irq_in+0x459/0x690 drivers/hid/usbhid/hid-core.c:284
+ __usb_hcd_giveback_urb+0x369/0x530 drivers/usb/core/hcd.c:1671
+ dummy_timer+0x86b/0x3110 drivers/usb/gadget/udc/dummy_hcd.c:1988
+ call_timer_fn+0xf5/0x210 kernel/time/timer.c:1474
+ expire_timers kernel/time/timer.c:1519 [inline]
+ __run_timers+0x76a/0x980 kernel/time/timer.c:1790
+ run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1803
+ __do_softirq+0x277/0x75b kernel/softirq.c:571
+ __irq_exit_rcu+0xec/0x170 kernel/softirq.c:650
+ irq_exit_rcu+0x5/0x20 kernel/softirq.c:662
+ sysvec_apic_timer_interrupt+0x91/0xb0 arch/x86/kernel/apic/apic.c:1107
+======================================================================
+
+If the size of the integer (unsigned n) is bigger than 32 in snto32(),
+shift exponent will be too large for 32-bit type 'int', resulting in a
+shift-out-of-bounds bug.
+Fix this by adding a check on the size of the integer (unsigned n) in
+snto32(). To add support for n greater than 32 bits, set n to 32, if n
+is greater than 32.
+
+Reported-by: syzbot+8b1641d2f14732407e23@syzkaller.appspotmail.com
+Fixes: dde5845a529f ("[PATCH] Generic HID layer - code split")
+Signed-off-by: ZhangPeng
+Signed-off-by: Jiri Kosina
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/hid/hid-core.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/hid/hid-core.c
++++ b/drivers/hid/hid-core.c
+@@ -1315,6 +1315,9 @@ static s32 snto32(__u32 value, unsigned
+ if (!value || !n)
+ return 0;
+
++ if (n > 32)
++ n = 32;
++
+ switch (n) {
+ case 8: return ((__s8)value);
+ case 16: return ((__s16)value);
diff --git a/queue-6.0/hid-fix-i2c_hid-not-selected-when-i2c_hid_of_elan-is.patch b/queue-6.0/hid-fix-i2c_hid-not-selected-when-i2c_hid_of_elan-is.patch
new file mode 100644
index 00000000000..5aa1f617109
--- /dev/null
+++ b/queue-6.0/hid-fix-i2c_hid-not-selected-when-i2c_hid_of_elan-is.patch
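Review bot: The clamp `if (n > 32) n = 32;` in snto32() only removes the out-of-range shift if the `switch (n)` that follows has an explicit `case 32`; only `case 8` and `case 16` are visible, and the rest of the function is outside the hunk. If 32 fell through to a shift-based sign extension, a shift by the full width of a 32-bit type would still be undefined. The width is device-controlled (the trace reaches snto32() from hid_irq_in), and the clamp silently truncates a field declared wider than 32 bits, so a short comment would help the next reader: `/* n is device-supplied; clamp so the sign extension below stays within 32 bits */`.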
@@ -0,0 +1,37 @@
+From 2afac81dd16544d825f309fd992d2af6304353df Mon Sep 17 00:00:00 2001
+From: Benjamin Tissoires
+Date: Thu, 3 Nov 2022 16:57:42 +0100
+Subject: HID: fix I2C_HID not selected when I2C_HID_OF_ELAN is
+
+From: Benjamin Tissoires
+
+commit 2afac81dd16544d825f309fd992d2af6304353df upstream.
+
+When I2C_HID_OF_ELAN is set, we need to turn on I2C_HID_CORE to
+ensure we get all the HID requirements.
+
+Fixes: bd3cba00dcc6 ("HID: i2c-hid: elan: Add support for Elan eKTH6915 i2c-hid touchscreens")
+Reported-by: kernel test robot
+Signed-off-by: Benjamin Tissoires
+Signed-off-by: Jiri Kosina
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/hid/i2c-hid/Kconfig | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hid/i2c-hid/Kconfig b/drivers/hid/i2c-hid/Kconfig
+index 5273ee2bb134..d65abe65ce73 100644
+--- a/drivers/hid/i2c-hid/Kconfig
++++ b/drivers/hid/i2c-hid/Kconfig
+@@ -66,6 +66,6 @@ endmenu
+
+ config I2C_HID_CORE
+ tristate
+- default y if I2C_HID_ACPI=y || I2C_HID_OF=y || I2C_HID_OF_GOODIX=y
+- default m if I2C_HID_ACPI=m || I2C_HID_OF=m || I2C_HID_OF_GOODIX=m
++ default y if I2C_HID_ACPI=y || I2C_HID_OF=y || I2C_HID_OF_ELAN=y || I2C_HID_OF_GOODIX=y
++ default m if I2C_HID_ACPI=m || I2C_HID_OF=m || I2C_HID_OF_ELAN=m || I2C_HID_OF_GOODIX=m
+ select HID
+--
+2.38.1
+
diff --git a/queue-6.0/hid-hid-lg4ff-add-check-for-empty-lbuf.patch b/queue-6.0/hid-hid-lg4ff-add-check-for-empty-lbuf.patch
new file mode 100644
index 00000000000..837eea2a7f0
--- /dev/null
+++ b/queue-6.0/hid-hid-lg4ff-add-check-for-empty-lbuf.patch
@@ -0,0 +1,37 @@
+From d180b6496143cd360c5d5f58ae4b9a8229c1f344 Mon Sep 17 00:00:00 2001
+From: Anastasia Belova
+Date: Fri, 11 Nov 2022 15:55:11 +0300
+Subject: HID: hid-lg4ff: Add check for empty lbuf
+
+From: Anastasia Belova
+
+commit d180b6496143cd360c5d5f58ae4b9a8229c1f344 upstream.
+
+If an empty buf is received, lbuf is also empty. So lbuf is
+accessed by index -1.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: f31a2de3fe36 ("HID: hid-lg4ff: Allow switching of Logitech gaming wheels between compatibility modes")
+Signed-off-by: Anastasia Belova
+Signed-off-by: Jiri Kosina
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/hid/hid-lg4ff.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/hid/hid-lg4ff.c
++++ b/drivers/hid/hid-lg4ff.c
+@@ -872,6 +872,12 @@ static ssize_t lg4ff_alternate_modes_sto
+ return -ENOMEM;
+
+ i = strlen(lbuf);
++
++ if (i == 0) {
++ kfree(lbuf);
++ return -EINVAL;
++ }
++
+ if (lbuf[i-1] == '\n') {
+ if (i == 1) {
+ kfree(lbuf);
diff --git a/queue-6.0/hid-ite-enable-quirk_touchpad_on_off_report-on-acer-aspire-switch-v-10.patch b/queue-6.0/hid-ite-enable-quirk_touchpad_on_off_report-on-acer-aspire-switch-v-10.patch
new file mode 100644
index 00000000000..fa075e92edb
--- /dev/null
+++ b/queue-6.0/hid-ite-enable-quirk_touchpad_on_off_report-on-acer-aspire-switch-v-10.patch
@@ -0,0 +1,51 @@
+From 9ad6645a9dce4d0e42daca6ebf32a154401c59d3 Mon Sep 17 00:00:00 2001
+From: Hans de Goede
+Date: Tue, 8 Nov 2022 16:13:50 +0100
+Subject: HID: ite: Enable QUIRK_TOUCHPAD_ON_OFF_REPORT on Acer Aspire Switch V 10
+
+From: Hans de Goede
+
+commit 9ad6645a9dce4d0e42daca6ebf32a154401c59d3 upstream.
+
+The Acer Aspire Switch V 10 (SW5-017)'s keyboard-dock uses the same
+ITE controller setup as other Acer Switch 2-in-1's.
+
+This needs special handling for the wifi on/off toggle hotkey as well as
+to properly report touchpad on/off keypresses.
+
+Add the USB-ids for the SW5-017's keyboard-dock with a quirk setting of
+QUIRK_TOUCHPAD_ON_OFF_REPORT to fix both issues.
+
+Cc: Rudolf Polzer
+Signed-off-by: Hans de Goede
+Signed-off-by: Jiri Kosina
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/hid/hid-ids.h | 1 +
+ drivers/hid/hid-ite.c | 5 +++++
+ 2 files changed, 6 insertions(+)
+
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -1217,6 +1217,7 @@
+ #define USB_DEVICE_ID_SYNAPTICS_DELL_K15A 0x6e21
+ #define USB_DEVICE_ID_SYNAPTICS_ACER_ONE_S1002 0x73f4
+ #define USB_DEVICE_ID_SYNAPTICS_ACER_ONE_S1003 0x73f5
++#define USB_DEVICE_ID_SYNAPTICS_ACER_SWITCH5_017 0x73f6
+ #define USB_DEVICE_ID_SYNAPTICS_ACER_SWITCH5 0x81a7
+
+ #define USB_VENDOR_ID_TEXAS_INSTRUMENTS 0x2047
+--- a/drivers/hid/hid-ite.c
++++ b/drivers/hid/hid-ite.c
+@@ -121,6 +121,11 @@ static const struct hid_device_id ite_de
+ USB_VENDOR_ID_SYNAPTICS,
+ USB_DEVICE_ID_SYNAPTICS_ACER_ONE_S1003),
+ .driver_data = QUIRK_TOUCHPAD_ON_OFF_REPORT },
++ /* ITE8910 USB kbd ctlr, with Synaptics touchpad connected to it. */
++ { HID_DEVICE(BUS_USB, HID_GROUP_GENERIC,
++ USB_VENDOR_ID_SYNAPTICS,
++ USB_DEVICE_ID_SYNAPTICS_ACER_SWITCH5_017),
++ .driver_data = QUIRK_TOUCHPAD_ON_OFF_REPORT },
+ { }
+ };
+ MODULE_DEVICE_TABLE(hid, ite_devices);
diff --git a/queue-6.0/hid-uclogic-add-hid_quirk_hidinput_force-quirk.patch b/queue-6.0/hid-uclogic-add-hid_quirk_hidinput_force-quirk.patch
new file mode 100644
index 00000000000..1a0d30751d4
--- /dev/null
+++ b/queue-6.0/hid-uclogic-add-hid_quirk_hidinput_force-quirk.patch
@@ -0,0 +1,46 @@
+From 3405a4beaaa852f3ed2a5eb3b5149932d5c3779b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?=
+Date: Thu, 10 Nov 2022 18:40:56 +0100
+Subject: HID: uclogic: Add HID_QUIRK_HIDINPUT_FORCE quirk
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: José Expósito
+
+commit 3405a4beaaa852f3ed2a5eb3b5149932d5c3779b upstream.
+
+Commit f7d8e387d9ae ("HID: uclogic: Switch to Digitizer usage for
+styluses") changed the usage used in UCLogic from "Pen" to "Digitizer".
+
+However, the IS_INPUT_APPLICATION() macro evaluates to false for
+HID_DG_DIGITIZER causing issues with the XP-Pen Star G640 tablet.
+
+Add the HID_QUIRK_HIDINPUT_FORCE quirk to bypass the
+IS_INPUT_APPLICATION() check.
+
+Reported-by: Torge Matthies
+Reported-by: Alexander Zhang
+Tested-by: Alexander Zhang
+Signed-off-by: José Expósito
+Signed-off-by: Jiri Kosina
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/hid/hid-uclogic-core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/hid/hid-uclogic-core.c b/drivers/hid/hid-uclogic-core.c
+index 0fbc408c2607..7fa6fe04f1b2 100644
+--- a/drivers/hid/hid-uclogic-core.c
++++ b/drivers/hid/hid-uclogic-core.c
+@@ -192,6 +192,7 @@ static int uclogic_probe(struct hid_device *hdev,
+ * than the pen, so use QUIRK_MULTI_INPUT for all tablets.
+ */
+ hdev->quirks |= HID_QUIRK_MULTI_INPUT;
++ hdev->quirks |= HID_QUIRK_HIDINPUT_FORCE;
+
+ /* Allocate and assign driver data */
+ drvdata = devm_kzalloc(&hdev->dev, sizeof(*drvdata), GFP_KERNEL);
+--
+2.38.1
+
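Review bot: The new `hdev->quirks |= HID_QUIRK_HIDINPUT_FORCE;` in uclogic_probe() sits under a comment that explains only QUIRK_MULTI_INPUT, so the reason for forcing hidinput lives only in the commit message. A one-line comment above it would keep that in the source, for example `/* HID_DG_DIGITIZER fails IS_INPUT_APPLICATION(); bypass that check */`. The two assignments could also be a single statement, `hdev->quirks |= HID_QUIRK_MULTI_INPUT | HID_QUIRK_HIDINPUT_FORCE;`. uclogic_probe() starts and ends outside the hunk.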
diff --git a/queue-6.0/hid-uclogic-fix-frame-templates-for-big-endian-architectures.patch b/queue-6.0/hid-uclogic-fix-frame-templates-for-big-endian-architectures.patch
new file mode 100644
index 00000000000..be38dad81ef
--- /dev/null
+++ b/queue-6.0/hid-uclogic-fix-frame-templates-for-big-endian-architectures.patch
@@ -0,0 +1,41 @@
+From a6f4f1662711bd03308371d9649783a5be596898 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?=
+Date: Thu, 10 Nov 2022 18:49:18 +0100
+Subject: HID: uclogic: Fix frame templates for big endian architectures
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: José Expósito
+
+commit a6f4f1662711bd03308371d9649783a5be596898 upstream.
+
+When parsing a frame template with a placeholder indicating the number
+of buttons present on the frame its value was incorrectly set on big
+endian architectures due to double little endian conversion.
+
+In order to reproduce the issue and verify the fix, run the HID KUnit
+tests on the PowerPC architecture:
+
+ $ ./tools/testing/kunit/kunit.py run --kunitconfig=drivers/hid \
+ --arch=powerpc --cross_compile=powerpc64-linux-gnu-
+
+Fixes: 867c89254425 ("HID: uclogic: Allow to generate frame templates")
+Signed-off-by: José Expósito
+Signed-off-by: Jiri Kosina
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/hid/hid-uclogic-rdesc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hid/hid-uclogic-rdesc.c
++++ b/drivers/hid/hid-uclogic-rdesc.c
+@@ -1119,7 +1119,7 @@ __u8 *uclogic_rdesc_template_apply(const
+ p[sizeof(btn_head)] < param_num) {
+ v = param_list[p[sizeof(btn_head)]];
+ put_unaligned((__u8)0x2A, p); /* Usage Maximum */
+- put_unaligned_le16((__force u16)cpu_to_le16(v), p + 1);
++ put_unaligned((__force u16)cpu_to_le16(v), (s16 *)(p + 1));
+ p += sizeof(btn_head) + 1;
+ } else {
+ p++;
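Review bot: The replacement store in uclogic_rdesc_template_apply() casts the value to `u16` but the destination to `s16 *`, and still needs a `__force` cast to get the little-endian value past the type checker. `put_unaligned_le16()` performs the single CPU-to-LE conversion itself, so `put_unaligned_le16(v, p + 1);` would state the intent with no casts, assuming `v` fits the 16-bit field (its declaration is outside the hunk). The function body starts and ends outside the hunk, so the bound that keeps the two bytes written at `p + 1` inside the descriptor buffer cannot be checked from here.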
diff --git a/queue-6.0/hid-usbhid-add-always_poll-quirk-for-some-mice.patch b/queue-6.0/hid-usbhid-add-always_poll-quirk-for-some-mice.patch
new file mode 100644
index 00000000000..e537e1c7095
--- /dev/null
+++ b/queue-6.0/hid-usbhid-add-always_poll-quirk-for-some-mice.patch
@@ -0,0 +1,78 @@
+From f6d910a89a2391e5ce1f275d205023880a33d3f8 Mon Sep 17 00:00:00 2001
+From: Ankit Patel
+Date: Tue, 22 Nov 2022 15:35:20 +0800
+Subject: HID: usbhid: Add ALWAYS_POLL quirk for some mice
+
+From: Ankit Patel
+
+commit f6d910a89a2391e5ce1f275d205023880a33d3f8 upstream.
+
+Some additional USB mouse devices are needing ALWAYS_POLL quirk without
+which they disconnect and reconnect every 60s.
+
+Add below devices to the known quirk list.
+CHERRY VID 0x046a, PID 0x000c
+MICROSOFT VID 0x045e, PID 0x0783
+PRIMAX VID 0x0461, PID 0x4e2a
+
+Signed-off-by: Ankit Patel
+Signed-off-by: Haotien Hsu
+Signed-off-by: Jiri Kosina
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/hid/hid-ids.h | 3 +++
+ drivers/hid/hid-quirks.c | 3 +++
+ 2 files changed, 6 insertions(+)
+
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -274,6 +274,7 @@
+ #define USB_DEVICE_ID_CH_AXIS_295 0x001c
+
+ #define USB_VENDOR_ID_CHERRY 0x046a
++#define USB_DEVICE_ID_CHERRY_MOUSE_000C 0x000c
+ #define USB_DEVICE_ID_CHERRY_CYMOTION 0x0023
+ #define USB_DEVICE_ID_CHERRY_CYMOTION_SOLAR 0x0027
+
+@@ -917,6 +918,7 @@
+ #define USB_DEVICE_ID_MS_XBOX_ONE_S_CONTROLLER 0x02fd
+ #define USB_DEVICE_ID_MS_PIXART_MOUSE 0x00cb
+ #define USB_DEVICE_ID_8BITDO_SN30_PRO_PLUS 0x02e0
++#define USB_DEVICE_ID_MS_MOUSE_0783 0x0783
+
+ #define USB_VENDOR_ID_MOJO 0x8282
+ #define USB_DEVICE_ID_RETRO_ADAPTER 0x3201
+@@ -1379,6 +1381,7 @@
+
+ #define USB_VENDOR_ID_PRIMAX 0x0461
+ #define USB_DEVICE_ID_PRIMAX_MOUSE_4D22 0x4d22
++#define USB_DEVICE_ID_PRIMAX_MOUSE_4E2A 0x4e2a
+ #define USB_DEVICE_ID_PRIMAX_KEYBOARD 0x4e05
+ #define USB_DEVICE_ID_PRIMAX_REZEL 0x4e72
+ #define USB_DEVICE_ID_PRIMAX_PIXART_MOUSE_4D0F 0x4d0f
+--- a/drivers/hid/hid-quirks.c
++++ b/drivers/hid/hid-quirks.c
+@@ -54,6 +54,7 @@ static const struct hid_device_id hid_qu
+ { HID_USB_DEVICE(USB_VENDOR_ID_CH, USB_DEVICE_ID_CH_FLIGHT_SIM_YOKE), HID_QUIRK_NOGET },
+ { HID_USB_DEVICE(USB_VENDOR_ID_CH, USB_DEVICE_ID_CH_PRO_PEDALS), HID_QUIRK_NOGET },
+ { HID_USB_DEVICE(USB_VENDOR_ID_CH, USB_DEVICE_ID_CH_PRO_THROTTLE), HID_QUIRK_NOGET },
++ { HID_USB_DEVICE(USB_VENDOR_ID_CHERRY, USB_DEVICE_ID_CHERRY_MOUSE_000C), HID_QUIRK_ALWAYS_POLL },
+ { HID_USB_DEVICE(USB_VENDOR_ID_CORSAIR, USB_DEVICE_ID_CORSAIR_K65RGB), HID_QUIRK_NO_INIT_REPORTS },
+ { HID_USB_DEVICE(USB_VENDOR_ID_CORSAIR, USB_DEVICE_ID_CORSAIR_K65RGB_RAPIDFIRE), HID_QUIRK_NO_INIT_REPORTS | HID_QUIRK_ALWAYS_POLL },
+ { HID_USB_DEVICE(USB_VENDOR_ID_CORSAIR, USB_DEVICE_ID_CORSAIR_K70RGB), HID_QUIRK_NO_INIT_REPORTS },
+@@ -122,6 +123,7 @@ static const struct hid_device_id hid_qu
+ { HID_USB_DEVICE(USB_VENDOR_ID_LOGITECH, USB_DEVICE_ID_LOGITECH_MOUSE_C05A), HID_QUIRK_ALWAYS_POLL },
+ { HID_USB_DEVICE(USB_VENDOR_ID_LOGITECH, USB_DEVICE_ID_LOGITECH_MOUSE_C06A), HID_QUIRK_ALWAYS_POLL },
+ { HID_USB_DEVICE(USB_VENDOR_ID_MCS, USB_DEVICE_ID_MCS_GAMEPADBLOCK), HID_QUIRK_MULTI_INPUT },
++ { HID_USB_DEVICE(USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_MOUSE_0783), HID_QUIRK_ALWAYS_POLL },
+ { HID_USB_DEVICE(USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_PIXART_MOUSE), HID_QUIRK_ALWAYS_POLL },
+ { HID_USB_DEVICE(USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_POWER_COVER), HID_QUIRK_NO_INIT_REPORTS },
+ { HID_USB_DEVICE(USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_SURFACE3_COVER), HID_QUIRK_NO_INIT_REPORTS },
+@@ -146,6 +148,7 @@ static const struct hid_device_id hid_qu
+ { HID_USB_DEVICE(USB_VENDOR_ID_PIXART, USB_DEVICE_ID_PIXART_OPTICAL_TOUCH_SCREEN), HID_QUIRK_NO_INIT_REPORTS },
+ { HID_USB_DEVICE(USB_VENDOR_ID_PIXART, USB_DEVICE_ID_PIXART_USB_OPTICAL_MOUSE), HID_QUIRK_ALWAYS_POLL },
+ { HID_USB_DEVICE(USB_VENDOR_ID_PRIMAX, USB_DEVICE_ID_PRIMAX_MOUSE_4D22), HID_QUIRK_ALWAYS_POLL },
++ { HID_USB_DEVICE(USB_VENDOR_ID_PRIMAX, USB_DEVICE_ID_PRIMAX_MOUSE_4E2A), HID_QUIRK_ALWAYS_POLL },
+ { HID_USB_DEVICE(USB_VENDOR_ID_PRIMAX, USB_DEVICE_ID_PRIMAX_PIXART_MOUSE_4D0F), HID_QUIRK_ALWAYS_POLL },
+ { HID_USB_DEVICE(USB_VENDOR_ID_PRIMAX, USB_DEVICE_ID_PRIMAX_PIXART_MOUSE_4D65), HID_QUIRK_ALWAYS_POLL },
+ { HID_USB_DEVICE(USB_VENDOR_ID_PRIMAX, USB_DEVICE_ID_PRIMAX_PIXART_MOUSE_4E22), HID_QUIRK_ALWAYS_POLL },
diff --git a/queue-6.0/io_uring-fix-a-null-ptr-deref-in-io_tctx_exit_cb.patch b/queue-6.0/io_uring-fix-a-null-ptr-deref-in-io_tctx_exit_cb.patch
new file mode 100644
index 00000000000..effa7f9cfba
--- /dev/null
+++ b/queue-6.0/io_uring-fix-a-null-ptr-deref-in-io_tctx_exit_cb.patch
@@ -0,0 +1,92 @@
+From 998b30c3948e4d0b1097e639918c5cff332acac5 Mon Sep 17 00:00:00 2001
+From: Harshit Mogalapalli
+Date: Tue, 6 Dec 2022 01:38:32 -0800
+Subject: io_uring: Fix a null-ptr-deref in io_tctx_exit_cb()
+
+From: Harshit Mogalapalli
+
+commit 998b30c3948e4d0b1097e639918c5cff332acac5 upstream.
+
+Syzkaller reports a NULL deref bug as follows:
+
+ BUG: KASAN: null-ptr-deref in io_tctx_exit_cb+0x53/0xd3
+ Read of size 4 at addr 0000000000000138 by task file1/1955
+
+ CPU: 1 PID: 1955 Comm: file1 Not tainted 6.1.0-rc7-00103-gef4d3ea40565 #75
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014
+ Call Trace:
+
+ dump_stack_lvl+0xcd/0x134
+ ? io_tctx_exit_cb+0x53/0xd3
+ kasan_report+0xbb/0x1f0
+ ? io_tctx_exit_cb+0x53/0xd3
+ kasan_check_range+0x140/0x190
+ io_tctx_exit_cb+0x53/0xd3
+ task_work_run+0x164/0x250
+ ? task_work_cancel+0x30/0x30
+ get_signal+0x1c3/0x2440
+ ? lock_downgrade+0x6e0/0x6e0
+ ? lock_downgrade+0x6e0/0x6e0
+ ? exit_signals+0x8b0/0x8b0
+ ? do_raw_read_unlock+0x3b/0x70
+ ? do_raw_spin_unlock+0x50/0x230
+ arch_do_signal_or_restart+0x82/0x2470
+ ? kmem_cache_free+0x260/0x4b0
+ ? putname+0xfe/0x140
+ ? get_sigframe_size+0x10/0x10
+ ? do_execveat_common.isra.0+0x226/0x710
+ ? lockdep_hardirqs_on+0x79/0x100
+ ? putname+0xfe/0x140
+ ? do_execveat_common.isra.0+0x238/0x710
+ exit_to_user_mode_prepare+0x15f/0x250
+ syscall_exit_to_user_mode+0x19/0x50
+ do_syscall_64+0x42/0xb0
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+ RIP: 0023:0x0
+ Code: Unable to access opcode bytes at 0xffffffffffffffd6.
+ RSP: 002b:00000000fffb7790 EFLAGS: 00000200 ORIG_RAX: 000000000000000b
+ RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
+ RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
+ RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
+ R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
+ R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+
+ Kernel panic - not syncing: panic_on_warn set ...
+
+This happens because the adding of task_work from io_ring_exit_work()
+isn't synchronized with canceling all work items from eg exec. The
+execution of the two are ordered in that they are both run by the task
+itself, but if io_tctx_exit_cb() is queued while we're canceling all
+work items off exec AND gets executed when the task exits to userspace
+rather than in the main loop in io_uring_cancel_generic(), then we can
+find current->io_uring == NULL and hit the above crash.
+
+It's safe to add this NULL check here, because the execution of the two
+paths are done by the task itself.
+
+Cc: stable@vger.kernel.org
+Fixes: d56d938b4bef ("io_uring: do ctx initiated file note removal")
+Reported-by: syzkaller
+Signed-off-by: Harshit Mogalapalli
+Link: https://lore.kernel.org/r/20221206093833.3812138-1-harshit.m.mogalapalli@oracle.com
+[axboe: add code comment and also put an explanation in the commit msg]
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+---
+ io_uring/io_uring.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/io_uring/io_uring.c
++++ b/io_uring/io_uring.c
+@@ -2560,8 +2560,10 @@ static __cold void io_tctx_exit_cb(struc
+ /*
+ * When @in_idle, we're in cancellation and it's racy to remove the
+ * node. It'll be removed by the end of cancellation, just ignore it.
++ * tctx can be NULL if the queueing of this task_work raced with
++ * work cancelation off the exec path.
+ */
+- if (!atomic_read(&tctx->in_idle))
++ if (tctx && !atomic_read(&tctx->in_idle))
+ io_uring_del_tctx_node((unsigned long)work->ctx);
+ complete(&work->completion);
+ }
diff --git a/queue-6.0/kvm-s390-vsie-fix-the-initialization-of-the-epoch-extension-epdx-field.patch b/queue-6.0/kvm-s390-vsie-fix-the-initialization-of-the-epoch-extension-epdx-field.patch
new file mode 100644
index 00000000000..5c81f28439d
--- /dev/null
+++ b/queue-6.0/kvm-s390-vsie-fix-the-initialization-of-the-epoch-extension-epdx-field.patch
@@ -0,0 +1,48 @@
+From 0dd4cdccdab3d74bd86b868768a7dca216bcce7e Mon Sep 17 00:00:00 2001
+From: Thomas Huth
+Date: Wed, 23 Nov 2022 10:08:33 +0100
+Subject: KVM: s390: vsie: Fix the initialization of the epoch extension (epdx) field
+
+From: Thomas Huth
+
+commit 0dd4cdccdab3d74bd86b868768a7dca216bcce7e upstream.
+
+We recently experienced some weird huge time jumps in nested guests when
+rebooting them in certain cases. After adding some debug code to the epoch
+handling in vsie.c (thanks to David Hildenbrand for the idea!), it was
+obvious that the "epdx" field (the multi-epoch extension) did not get set
+to 0xff in case the "epoch" field was negative.
+Seems like the code misses to copy the value from the epdx field from
+the guest to the shadow control block. By doing so, the weird time
+jumps are gone in our scenarios.
+
+Link: https://bugzilla.redhat.com/show_bug.cgi?id=2140899
+Fixes: 8fa1696ea781 ("KVM: s390: Multiple Epoch Facility support")
+Signed-off-by: Thomas Huth
+Reviewed-by: Christian Borntraeger
+Acked-by: David Hildenbrand
+Reviewed-by: Claudio Imbrenda
+Reviewed-by: Janosch Frank
+Cc: stable@vger.kernel.org # 4.19+
+Link: https://lore.kernel.org/r/20221123090833.292938-1-thuth@redhat.com
+Message-Id: <20221123090833.292938-1-thuth@redhat.com>
+Signed-off-by: Janosch Frank
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/s390/kvm/vsie.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/s390/kvm/vsie.c
++++ b/arch/s390/kvm/vsie.c
+@@ -546,8 +546,10 @@ static int shadow_scb(struct kvm_vcpu *v
+ if (test_kvm_cpu_feat(vcpu->kvm, KVM_S390_VM_CPU_FEAT_CEI))
+ scb_s->eca |= scb_o->eca & ECA_CEI;
+ /* Epoch Extension */
+- if (test_kvm_facility(vcpu->kvm, 139))
++ if (test_kvm_facility(vcpu->kvm, 139)) {
+ scb_s->ecd |= scb_o->ecd & ECD_MEF;
++ scb_s->epdx = scb_o->epdx;
++ }
+
+ /* etoken */
+ if (test_kvm_facility(vcpu->kvm, 156))
diff --git a/queue-6.0/media-v4l2-dv-timings.c-fix-too-strict-blanking-sanity-checks.patch b/queue-6.0/media-v4l2-dv-timings.c-fix-too-strict-blanking-sanity-checks.patch
new file mode 100644
index 00000000000..22f3b1c3246
--- /dev/null
+++ b/queue-6.0/media-v4l2-dv-timings.c-fix-too-strict-blanking-sanity-checks.patch
@@ -0,0 +1,70 @@
+From 5eef2141776da02772c44ec406d6871a790761ee Mon Sep 17 00:00:00 2001
+From: Hans Verkuil
+Date: Wed, 16 Nov 2022 15:07:22 +0000
+Subject: media: v4l2-dv-timings.c: fix too strict blanking sanity checks
+
+From: Hans Verkuil
+
+commit 5eef2141776da02772c44ec406d6871a790761ee upstream.
+
+Sanity checks were added to verify the v4l2_bt_timings blanking fields
+in order to avoid integer overflows when userspace passes weird values.
+
+But that assumed that userspace would correctly fill in the front porch,
+backporch and sync values, but sometimes all you know is the total
+blanking, which is then assigned to just one of these fields.
+
+And that can fail with these checks.
+
+So instead set a maximum for the total horizontal and vertical
+blanking and check that each field remains below that.
+
+That is still sufficient to avoid integer overflows, but it also
+allows for more flexibility in how userspace fills in these fields.
+
+Signed-off-by: Hans Verkuil
+Fixes: 4b6d66a45ed3 ("media: v4l2-dv-timings: add sanity checks for blanking values")
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/v4l2-core/v4l2-dv-timings.c | 20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+--- a/drivers/media/v4l2-core/v4l2-dv-timings.c
++++ b/drivers/media/v4l2-core/v4l2-dv-timings.c
+@@ -145,6 +145,8 @@ bool v4l2_valid_dv_timings(const struct
+ const struct v4l2_bt_timings *bt = &t->bt;
+ const struct v4l2_bt_timings_cap *cap = &dvcap->bt;
+ u32 caps = cap->capabilities;
++ const u32 max_vert = 10240;
++ u32 max_hor = 3 * bt->width;
+
+ if (t->type != V4L2_DV_BT_656_1120)
+ return false;
+@@ -166,14 +168,20 @@ bool v4l2_valid_dv_timings(const struct
+ if (!bt->interlaced &&
+ (bt->il_vbackporch || bt->il_vsync || bt->il_vfrontporch))
+ return false;
+- if (bt->hfrontporch > 2 * bt->width ||
+- bt->hsync > 1024 || bt->hbackporch > 1024)
++ /*
++ * Some video receivers cannot properly separate the frontporch,
++ * backporch and sync values, and instead they only have the total
++ * blanking. That can be assigned to any of these three fields.
++ * So just check that none of these are way out of range.
++ */
++ if (bt->hfrontporch > max_hor ||
++ bt->hsync > max_hor || bt->hbackporch > max_hor)
+ return false;
+- if (bt->vfrontporch > 4096 ||
+- bt->vsync > 128 || bt->vbackporch > 4096)
++ if (bt->vfrontporch > max_vert ||
++ bt->vsync > max_vert || bt->vbackporch > max_vert)
+ return false;
+- if (bt->interlaced && (bt->il_vfrontporch > 4096 ||
+- bt->il_vsync > 128 || bt->il_vbackporch > 4096))
++ if (bt->interlaced && (bt->il_vfrontporch > max_vert ||
++ bt->il_vsync > max_vert || bt->il_vbackporch > max_vert))
+ return false;
+ return fnc == NULL || fnc(t, fnc_handle);
+ }
diff --git a/queue-6.0/memcg-fix-possible-use-after-free-in-memcg_write_event_control.patch b/queue-6.0/memcg-fix-possible-use-after-free-in-memcg_write_event_control.patch
new file mode 100644
index 00000000000..7dba3a54470
--- /dev/null
+++ b/queue-6.0/memcg-fix-possible-use-after-free-in-memcg_write_event_control.patch
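Review bot: `max_hor = 3 * bt->width` in v4l2_valid_dv_timings() is derived from a caller-supplied field at declaration time, before any range check has run, and the horizontal limits that replace the fixed 1024 bounds now scale with it. Each porch and sync field is compared with the limit on its own, so the worst-case total blanking is three times `max_hor` (and three times `max_vert` vertically); that stays overflow-safe only if `bt->width` has already been bounded against `cap` by the checks between the two hunks, which are not shown. I would assign `max_hor` after that width check and state the dependency in the new comment, e.g. `* bt->width was range-checked above, so 3 * width cannot wrap.`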
@@ -0,0 +1,112 @@
+From 4a7ba45b1a435e7097ca0f79a847d0949d0eb088 Mon Sep 17 00:00:00 2001
+From: Tejun Heo
+Date: Wed, 7 Dec 2022 16:53:15 -1000
+Subject: memcg: fix possible use-after-free in memcg_write_event_control()
+
+From: Tejun Heo
+
+commit 4a7ba45b1a435e7097ca0f79a847d0949d0eb088 upstream.
+
+memcg_write_event_control() accesses the dentry->d_name of the specified
+control fd to route the write call. As a cgroup interface file can't be
+renamed, it's safe to access d_name as long as the specified file is a
+regular cgroup file. Also, as these cgroup interface files can't be
+removed before the directory, it's safe to access the parent too.
+
+Prior to 347c4a874710 ("memcg: remove cgroup_event->cft"), there was a
+call to __file_cft() which verified that the specified file is a regular
+cgroupfs file before further accesses. The cftype pointer returned from
+__file_cft() was no longer necessary and the commit inadvertently dropped
+the file type check with it allowing any file to slip through. With the
+invarients broken, the d_name and parent accesses can now race against
+renames and removals of arbitrary files and cause use-after-free's.
+
+Fix the bug by resurrecting the file type check in __file_cft(). Now that
+cgroupfs is implemented through kernfs, checking the file operations needs
+to go through a layer of indirection. Instead, let's check the superblock
+and dentry type.
+
+Link: https://lkml.kernel.org/r/Y5FRm/cfcKPGzWwl@slm.duckdns.org
+Fixes: 347c4a874710 ("memcg: remove cgroup_event->cft")
+Signed-off-by: Tejun Heo
+Reported-by: Jann Horn
+Acked-by: Roman Gushchin
+Acked-by: Johannes Weiner
+Cc: Linus Torvalds
+Cc: Michal Hocko
+Cc: Muchun Song
+Cc: Shakeel Butt
+Cc: [3.14+]
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/linux/cgroup.h | 1 +
+ kernel/cgroup/cgroup-internal.h | 1 -
+ mm/memcontrol.c | 15 +++++++++++++--
+ 3 files changed, 14 insertions(+), 3 deletions(-)
+
+--- a/include/linux/cgroup.h
++++ b/include/linux/cgroup.h
+@@ -68,6 +68,7 @@ struct css_task_iter {
+ struct list_head iters_node; /* css_set->task_iters */
+ };
+
++extern struct file_system_type cgroup_fs_type;
+ extern struct cgroup_root cgrp_dfl_root;
+ extern struct css_set init_css_set;
+
+--- a/kernel/cgroup/cgroup-internal.h
++++ b/kernel/cgroup/cgroup-internal.h
+@@ -168,7 +168,6 @@ extern struct mutex cgroup_mutex;
+ extern spinlock_t css_set_lock;
+ extern struct cgroup_subsys *cgroup_subsys[];
+ extern struct list_head cgroup_roots;
+-extern struct file_system_type cgroup_fs_type;
+
+ /* iterate across the hierarchies */
+ #define for_each_root(root) \
+--- a/mm/memcontrol.c
++++ b/mm/memcontrol.c
+@@ -4772,6 +4772,7 @@ static ssize_t memcg_write_event_control
+ unsigned int efd, cfd;
+ struct fd efile;
+ struct fd cfile;
++ struct dentry *cdentry;
+ const char *name;
+ char *endp;
+ int ret;
+@@ -4826,6 +4827,16 @@ static ssize_t memcg_write_event_control
+ goto out_put_cfile;
+
+ /*
++ * The control file must be a regular cgroup1 file. As a regular cgroup
++ * file can't be renamed, it's safe to access its name afterwards.
++ */
++ cdentry = cfile.file->f_path.dentry;
++ if (cdentry->d_sb->s_type != &cgroup_fs_type || !d_is_reg(cdentry)) {
++ ret = -EINVAL;
++ goto out_put_cfile;
++ }
++
++ /*
+ * Determine the event callbacks and set them in @event. This used
+ * to be done via struct cftype but cgroup core no longer knows
+ * about these events. The following is crude but the whole thing
+@@ -4833,7 +4844,7 @@ static ssize_t memcg_write_event_control
+ *
+ * DO NOT ADD NEW FILES.
+ */
+- name = cfile.file->f_path.dentry->d_name.name;
++ name = cdentry->d_name.name;
+
+ if (!strcmp(name, "memory.usage_in_bytes")) {
+ event->register_event = mem_cgroup_usage_register_event;
+@@ -4857,7 +4868,7 @@ static ssize_t memcg_write_event_control
+ * automatically removed on cgroup destruction but the removal is
+ * asynchronous, so take an extra ref on @css.
+ */
+- cfile_css = css_tryget_online_from_dir(cfile.file->f_path.dentry->d_parent,
++ cfile_css = css_tryget_online_from_dir(cdentry->d_parent,
+ &memory_cgrp_subsys);
+ ret = -EINVAL;
+ if (IS_ERR(cfile_css))
diff --git a/queue-6.0/mm-gup-fix-gup_pud_range-for-dax.patch b/queue-6.0/mm-gup-fix-gup_pud_range-for-dax.patch
new file mode 100644
index 00000000000..32f6e5a1b0c
--- /dev/null
+++ b/queue-6.0/mm-gup-fix-gup_pud_range-for-dax.patch
@@ -0,0 +1,87 @@
+From fcd0ccd836ffad73d98a66f6fea7b16f735ea920 Mon Sep 17 00:00:00 2001
+From: John Starks
+Date: Tue, 6 Dec 2022 22:00:53 -0800
+Subject: mm/gup: fix gup_pud_range() for dax
+
+From: John Starks
+
+commit fcd0ccd836ffad73d98a66f6fea7b16f735ea920 upstream.
+
+For dax pud, pud_huge() returns true on x86. So the function works as long
+as hugetlb is configured. However, dax doesn't depend on hugetlb.
+Commit 414fd080d125 ("mm/gup: fix gup_pmd_range() for dax") fixed
+devmap-backed huge PMDs, but missed devmap-backed huge PUDs. Fix this as
+well.
+
+This fixes the below kernel panic:
+
+general protection fault, probably for non-canonical address 0x69e7c000cc478: 0000 [#1] SMP
+ < snip >
+Call Trace:
+
+get_user_pages_fast+0x1f/0x40
+iov_iter_get_pages+0xc6/0x3b0
+? mempool_alloc+0x5d/0x170
+bio_iov_iter_get_pages+0x82/0x4e0
+? bvec_alloc+0x91/0xc0
+? bio_alloc_bioset+0x19a/0x2a0
+blkdev_direct_IO+0x282/0x480
+? __io_complete_rw_common+0xc0/0xc0
+? filemap_range_has_page+0x82/0xc0
+generic_file_direct_write+0x9d/0x1a0
+? inode_update_time+0x24/0x30
+__generic_file_write_iter+0xbd/0x1e0
+blkdev_write_iter+0xb4/0x150
+? io_import_iovec+0x8d/0x340
+io_write+0xf9/0x300
+io_issue_sqe+0x3c3/0x1d30
+? sysvec_reschedule_ipi+0x6c/0x80
+__io_queue_sqe+0x33/0x240
+? fget+0x76/0xa0
+io_submit_sqes+0xe6a/0x18d0
+? __fget_light+0xd1/0x100
+__x64_sys_io_uring_enter+0x199/0x880
+? __context_tracking_enter+0x1f/0x70
+? irqentry_exit_to_user_mode+0x24/0x30
+? irqentry_exit+0x1d/0x30
+? __context_tracking_exit+0xe/0x70
+do_syscall_64+0x3b/0x90
+entry_SYSCALL_64_after_hwframe+0x61/0xcb
+RIP: 0033:0x7fc97c11a7be
+ < snip >
+
+---[ end trace 48b2e0e67debcaeb ]---
+RIP: 0010:internal_get_user_pages_fast+0x340/0x990
+ < snip >
+Kernel panic - not syncing: Fatal exception
+Kernel Offset: disabled
+
+Link: https://lkml.kernel.org/r/1670392853-28252-1-git-send-email-ssengar@linux.microsoft.com
+Fixes: 414fd080d125 ("mm/gup: fix gup_pmd_range() for dax")
+Signed-off-by: John Starks
+Signed-off-by: Saurabh Sengar
+Cc: Jan Kara
+Cc: Yu Zhao
+Cc: Jason Gunthorpe
+Cc: John Hubbard
+Cc: David Hildenbrand
+Cc: Dan Williams
+Cc: Alistair Popple
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/gup.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/gup.c
++++ b/mm/gup.c
+@@ -2818,7 +2818,7 @@ static int gup_pud_range(p4d_t *p4dp, p4
+ next = pud_addr_end(addr, end);
+ if (unlikely(!pud_present(pud)))
+ return 0;
+- if (unlikely(pud_huge(pud))) {
++ if (unlikely(pud_huge(pud) || pud_devmap(pud))) {
+ if (!gup_huge_pud(pud, pudp, addr, next, flags,
+ pages, nr))
+ return 0;
diff --git a/queue-6.0/net-dsa-sja1105-avoid-out-of-bounds-access-in-sja1105_init_l2_policing.patch b/queue-6.0/net-dsa-sja1105-avoid-out-of-bounds-access-in-sja1105_init_l2_policing.patch
new file mode 100644
index 00000000000..6451ac50ee0
--- /dev/null
+++ b/queue-6.0/net-dsa-sja1105-avoid-out-of-bounds-access-in-sja1105_init_l2_policing.patch
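Review bot: In the mm/gup.c hunk the widened test `pud_huge(pud) || pud_devmap(pud)` carries no comment, so nothing at the call site records that `pud_huge()` alone does not cover DAX mappings when hugetlb is not configured, which per the commit message is what produced the general protection fault under get_user_pages_fast(). I would add a comment above the condition such as `/* devmap (dax) PUDs are huge leaves even without hugetlb; pud_huge() alone misses them */` so a later cleanup does not drop the second test. Commit 414fd080d125 made the matching change in gup_pmd_range(); it would be worth confirming that no other level of this walk still relies on the `*_huge()` helper alone. gup_pud_range() begins and ends outside the hunk.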
@@ -0,0 +1,82 @@
+From f8bac7f9fdb0017b32157957ffffd490f95faa07 Mon Sep 17 00:00:00 2001
+From: "Radu Nicolae Pirea (OSS)"
+Date: Wed, 7 Dec 2022 15:23:47 +0200
+Subject: net: dsa: sja1105: avoid out of bounds access in sja1105_init_l2_policing()
+
+From: Radu Nicolae Pirea (OSS)
+
+commit f8bac7f9fdb0017b32157957ffffd490f95faa07 upstream.
+
+The SJA1105 family has 45 L2 policing table entries
+(SJA1105_MAX_L2_POLICING_COUNT) and SJA1110 has 110
+(SJA1110_MAX_L2_POLICING_COUNT). Keeping the table structure but
+accounting for the difference in port count (5 in SJA1105 vs 10 in
+SJA1110) does not fully explain the difference. Rather, the SJA1110 also
+has L2 ingress policers for multicast traffic. If a packet is classified
+as multicast, it will be processed by the policer index 99 + SRCPORT.
+
+The sja1105_init_l2_policing() function initializes all L2 policers such
+that they don't interfere with normal packet reception by default. To have
+a common code between SJA1105 and SJA1110, the index of the multicast
+policer for the port is calculated because it's an index that is out of
+bounds for SJA1105 but in bounds for SJA1110, and a bounds check is
+performed.
+
+The code fails to do the proper thing when determining what to do with the
+multicast policer of port 0 on SJA1105 (ds->num_ports = 5). The "mcast"
+index will be equal to 45, which is also equal to
+table->ops->max_entry_count (SJA1105_MAX_L2_POLICING_COUNT). So it passes
+through the check. But at the same time, SJA1105 doesn't have multicast
+policers. So the code programs the SHARINDX field of an out-of-bounds
+element in the L2 Policing table of the static config.
+
+The comparison between index 45 and 45 entries should have determined the
+code to not access this policer index on SJA1105, since its memory wasn't
+even allocated.
+
+With enough bad luck, the out-of-bounds write could even overwrite other
+valid kernel data, but in this case, the issue was detected using KASAN.
+
+Kernel log:
+
+sja1105 spi5.0: Probed switch chip: SJA1105Q
+==================================================================
+BUG: KASAN: slab-out-of-bounds in sja1105_setup+0x1cbc/0x2340
+Write of size 8 at addr ffffff880bd57708 by task kworker/u8:0/8
+...
+Workqueue: events_unbound deferred_probe_work_func
+Call trace:
+...
+sja1105_setup+0x1cbc/0x2340
+dsa_register_switch+0x1284/0x18d0
+sja1105_probe+0x748/0x840
+...
+Allocated by task 8:
+...
+sja1105_setup+0x1bcc/0x2340
+dsa_register_switch+0x1284/0x18d0
+sja1105_probe+0x748/0x840
+...
+
+Fixes: 38fbe91f2287 ("net: dsa: sja1105: configure the multicast policers, if present")
+CC: stable@vger.kernel.org # 5.15+
+Signed-off-by: Radu Nicolae Pirea (OSS)
+Reviewed-by: Vladimir Oltean
+Link: https://lore.kernel.org/r/20221207132347.38698-1-radu-nicolae.pirea@oss.nxp.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/dsa/sja1105/sja1105_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/dsa/sja1105/sja1105_main.c
++++ b/drivers/net/dsa/sja1105/sja1105_main.c
+@@ -1038,7 +1038,7 @@ static int sja1105_init_l2_policing(stru
+
+ policing[bcast].sharindx = port;
+ /* Only SJA1110 has multicast policers */
+- if (mcast <= table->ops->max_entry_count)
++ if (mcast < table->ops->max_entry_count)
+ policing[mcast].sharindx = port;
+ }
+
diff --git a/queue-6.0/net-mana-fix-race-on-per-cq-variable-napi-work_done.patch b/queue-6.0/net-mana-fix-race-on-per-cq-variable-napi-work_done.patch
new file mode 100644
index 00000000000..7d1ff8dfa63
--- /dev/null
+++ b/queue-6.0/net-mana-fix-race-on-per-cq-variable-napi-work_done.patch
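Review bot: The corrected test `mcast < table->ops->max_entry_count` in sja1105_init_l2_policing() is still the only thing that tells the code whether the chip has multicast policers, and the existing comment `/* Only SJA1110 has multicast policers */` does not say that the decision is made by an index bounds check. Extending it, for example `/* Only SJA1110 has multicast policers; on SJA1105 mcast is >= max_entry_count and must be skipped */`, would make the strict comparison self-explanatory and make a return of `<=` easier to spot in review. The write `policing[bcast].sharindx = port;` just above has no bounds check in the hunk; presumably bcast is always inside the table, but it is computed outside the visible lines. The function begins and ends outside the hunk.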
@@ -0,0 +1,103 @@
+From 18010ff776fa42340efc428b3ea6d19b3e7c7b21 Mon Sep 17 00:00:00 2001
+From: Haiyang Zhang
+Date: Fri, 2 Dec 2022 11:43:10 -0800
+Subject: net: mana: Fix race on per-CQ variable napi work_done
+
+From: Haiyang Zhang
+
+commit 18010ff776fa42340efc428b3ea6d19b3e7c7b21 upstream.
+
+After calling napi_complete_done(), the NAPIF_STATE_SCHED bit may be
+cleared, and another CPU can start napi thread and access per-CQ variable,
+cq->work_done. If the other thread (for example, from busy_poll) sets
+it to a value >= budget, this thread will continue to run when it should
+stop, and cause memory corruption and panic.
+
+To fix this issue, save the per-CQ work_done variable in a local variable
+before napi_complete_done(), so it won't be corrupted by a possible
+concurrent thread after napi_complete_done().
+
+Also, add a flag bit to advertise to the NIC firmware: the NAPI work_done
+variable race is fixed, so the driver is able to reliably support features
+like busy_poll.
+
+Cc: stable@vger.kernel.org
+Fixes: e1b5683ff62e ("net: mana: Move NAPI from EQ to CQ")
+Signed-off-by: Haiyang Zhang
+Link: https://lore.kernel.org/r/1670010190-28595-1-git-send-email-haiyangz@microsoft.com
+Signed-off-by: Paolo Abeni
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/microsoft/mana/gdma.h | 9 ++++++++-
+ drivers/net/ethernet/microsoft/mana/mana_en.c | 16 +++++++++++-----
+ 2 files changed, 19 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/ethernet/microsoft/mana/gdma.h
++++ b/drivers/net/ethernet/microsoft/mana/gdma.h
+@@ -498,7 +498,14 @@ enum {
+
+ #define GDMA_DRV_CAP_FLAG_1_EQ_SHARING_MULTI_VPORT BIT(0)
+
+-#define GDMA_DRV_CAP_FLAGS1 GDMA_DRV_CAP_FLAG_1_EQ_SHARING_MULTI_VPORT
++/* Advertise to the NIC firmware: the NAPI work_done variable race is fixed,
++ * so the driver is able to reliably support features like busy_poll.
++ */
++#define GDMA_DRV_CAP_FLAG_1_NAPI_WKDONE_FIX BIT(2)
++
++#define GDMA_DRV_CAP_FLAGS1 \
++ (GDMA_DRV_CAP_FLAG_1_EQ_SHARING_MULTI_VPORT | \
++ GDMA_DRV_CAP_FLAG_1_NAPI_WKDONE_FIX)
+
+ #define GDMA_DRV_CAP_FLAGS2 0
+
+--- a/drivers/net/ethernet/microsoft/mana/mana_en.c
++++ b/drivers/net/ethernet/microsoft/mana/mana_en.c
+@@ -1303,10 +1303,11 @@ static void mana_poll_rx_cq(struct mana_
+ xdp_do_flush();
+ }
+
+-static void mana_cq_handler(void *context, struct gdma_queue *gdma_queue)
++static int mana_cq_handler(void *context, struct gdma_queue *gdma_queue)
+ {
+ struct mana_cq *cq = context;
+ u8 arm_bit;
++ int w;
+
+ WARN_ON_ONCE(cq->gdma_cq != gdma_queue);
+
+@@ -1315,26 +1316,31 @@ static void mana_cq_handler(void *contex
+ else
+ mana_poll_tx_cq(cq);
+
+- if (cq->work_done < cq->budget &&
+- napi_complete_done(&cq->napi, cq->work_done)) {
++ w = cq->work_done;
++
++ if (w < cq->budget &&
++ napi_complete_done(&cq->napi, w)) {
+ arm_bit = SET_ARM_BIT;
+ } else {
+ arm_bit = 0;
+ }
+
+ mana_gd_ring_cq(gdma_queue, arm_bit);
++
++ return w;
+ }
+
+ static int mana_poll(struct napi_struct *napi, int budget)
+ {
+ struct mana_cq *cq = container_of(napi, struct mana_cq, napi);
++ int w;
+
+ cq->work_done = 0;
+ cq->budget = budget;
+
+- mana_cq_handler(cq, cq->gdma_cq);
++ w = mana_cq_handler(cq, cq->gdma_cq);
+
+- return min(cq->work_done, budget);
++ return min(w, budget);
+ }
+
+ static void mana_schedule_napi(void *context, struct gdma_queue *gdma_queue)
diff --git a/queue-6.0/revert-arm-dts-imx7-fix-nand-controller-size-cells.patch b/queue-6.0/revert-arm-dts-imx7-fix-nand-controller-size-cells.patch
new file mode 100644
index 00000000000..171ca782fdc
--- /dev/null
+++ b/queue-6.0/revert-arm-dts-imx7-fix-nand-controller-size-cells.patch
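Review bot: In mana_cq_handler() the snapshot `w = cq->work_done;` is the whole fix, yet nothing in the code says it has to be taken before `napi_complete_done()`; a comment such as `/* read work_done before napi_complete_done(): another CPU may poll this CQ and rewrite it afterwards */` would keep a later cleanup from folding the local back into `cq->work_done`. The local could also carry a more descriptive name than `w` in both mana_cq_handler() and mana_poll(). In gdma.h the new capability is `BIT(2)` while the only other flag visible in the hunk is `BIT(0)`; if bit 1 is reserved by the firmware interface, a short remark next to the define would say so.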
@@ -0,0 +1,47 @@
+From ef19964da8a668c683f1d38274f6fb756e047945 Mon Sep 17 00:00:00 2001
+From: Francesco Dolcini
+Date: Mon, 5 Dec 2022 16:23:27 +0100
+Subject: Revert "ARM: dts: imx7: Fix NAND controller size-cells"
+
+From: Francesco Dolcini
+
+commit ef19964da8a668c683f1d38274f6fb756e047945 upstream.
+
+This reverts commit 753395ea1e45c724150070b5785900b6a44bd5fb.
+
+It introduced a boot regression on colibri-imx7, and potentially any
+other i.MX7 boards with MTD partition list generated into the fdt by
+U-Boot.
+
+While the commit we are reverting here is not obviously wrong, it fixes
+only a dt binding checker warning that is non-functional, while it
+introduces a boot regression and there is no obvious fix ready.
+
+Fixes: 753395ea1e45 ("ARM: dts: imx7: Fix NAND controller size-cells")
+Signed-off-by: Francesco Dolcini
+Reviewed-by: Miquel Raynal
+Acked-by: Marek Vasut
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/all/Y4dgBTGNWpM6SQXI@francesco-nb.int.toradex.com/
+Link: https://lore.kernel.org/all/20221205144917.6514168a@xps-13/
+Signed-off-by: Arnd Bergmann
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm/boot/dts/imx7s.dtsi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arm/boot/dts/imx7s.dtsi
++++ b/arch/arm/boot/dts/imx7s.dtsi
+@@ -1270,10 +1270,10 @@
+ clocks = <&clks IMX7D_NAND_USDHC_BUS_RAWNAND_CLK>;
+ };
+
+- gpmi: nand-controller@33002000 {
++ gpmi: nand-controller@33002000{
+ compatible = "fsl,imx7d-gpmi-nand";
+ #address-cells = <1>;
+- #size-cells = <0>;
++ #size-cells = <1>;
+ reg = <0x33002000 0x2000>, <0x33004000 0x4000>;
+ reg-names = "gpmi-nand", "bch";
+ interrupts = ;
diff --git a/queue-6.0/selftests-tls-fix-tls-selftests-dependency-to-correct-algorithm.patch b/queue-6.0/selftests-tls-fix-tls-selftests-dependency-to-correct-algorithm.patch
new file mode 100644
index 00000000000..d6d487e93df
--- /dev/null
+++ b/queue-6.0/selftests-tls-fix-tls-selftests-dependency-to-correct-algorithm.patch
@@ -0,0 +1,43 @@
+From 6648eadba8d6b37c8e6cb1b906f68509b3b39385 Mon Sep 17 00:00:00 2001
+From: Tianjia Zhang
+Date: Thu, 1 Dec 2022 21:18:52 +0800
+Subject: selftests/tls: Fix tls selftests dependency to correct algorithm
+
+From: Tianjia Zhang
+
+commit 6648eadba8d6b37c8e6cb1b906f68509b3b39385 upstream.
+
+Commit d2825fa9365d ("crypto: sm3,sm4 - move into crypto directory") moves
+SM3 and SM4 algorithm implementations from stand-alone library to crypto
+API. The corresponding configuration options for the API version (generic)
+are CONFIG_CRYPTO_SM3_GENERIC and CONFIG_CRYPTO_SM4_GENERIC, respectively.
+
+Replace option selected in selftests configuration from the library version
+to the API version.
+
+Fixes: d2825fa9365d ("crypto: sm3,sm4 - move into crypto directory")
+Reported-by: Hangbin Liu
+Cc: Jason A. Donenfeld
+Cc: stable@vger.kernel.org # v5.19+
+Signed-off-by: Tianjia Zhang
+Link: https://lore.kernel.org/r/20221201131852.38501-1-tianjia.zhang@linux.alibaba.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/testing/selftests/net/config | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/net/config b/tools/testing/selftests/net/config
+index ead7963b9bf0..bd89198cd817 100644
+--- a/tools/testing/selftests/net/config
++++ b/tools/testing/selftests/net/config
+@@ -43,5 +43,5 @@ CONFIG_NET_ACT_TUNNEL_KEY=m
+ CONFIG_NET_ACT_MIRRED=m
+ CONFIG_BAREUDP=m
+ CONFIG_IPV6_IOAM6_LWTUNNEL=y
+-CONFIG_CRYPTO_SM4=y
++CONFIG_CRYPTO_SM4_GENERIC=y
+ CONFIG_AMT=m
+--
+2.38.1
+
diff --git a/queue-6.0/series b/queue-6.0/series
index 10400fb7d6f..efc2541fabe 100644
--- a/queue-6.0/series
+++ b/queue-6.0/series
@@ -54,3 +54,31 @@ xen-netback-don-t-call-kfree_skb-with-interrupts-dis.patch
 media-videobuf2-core-take-mmap_lock-in-vb2_get_unmap.patch
 fscache-fix-oops-due-to-race-with-cookie_lru-and-use.patch
 soundwire-intel-initialize-clock-stop-timeout.patch
+revert-arm-dts-imx7-fix-nand-controller-size-cells.patch
+media-v4l2-dv-timings.c-fix-too-strict-blanking-sanity-checks.patch
+memcg-fix-possible-use-after-free-in-memcg_write_event_control.patch
+mm-gup-fix-gup_pud_range-for-dax.patch
+tmpfs-fix-data-loss-from-failed-fallocate.patch
+bluetooth-btusb-fix-csr-clones-again-by-re-adding-err_data_reporting-quirk.patch
+bluetooth-btusb-add-debug-message-for-csr-controllers.patch
+bluetooth-fix-crash-when-replugging-csr-fake-controllers.patch
+selftests-tls-fix-tls-selftests-dependency-to-correct-algorithm.patch
+net-mana-fix-race-on-per-cq-variable-napi-work_done.patch
+io_uring-fix-a-null-ptr-deref-in-io_tctx_exit_cb.patch
+hid-uclogic-fix-frame-templates-for-big-endian-architectures.patch
+kvm-s390-vsie-fix-the-initialization-of-the-epoch-extension-epdx-field.patch
+drm-vmwgfx-don-t-use-screen-objects-when-sev-is-active.patch
+can-can327-flush-tx_work-on-ldisc-.close.patch
+can-slcan-fix-freed-work-crash.patch
+can-esd_usb-allow-rec-and-tec-to-return-to-zero.patch
+drm-amdgpu-sdma_v4_0-turn-off-sdma-ring-buffer-in-the-s2idle-suspend.patch
+drm-amd-display-fix-array-index-out-of-bound-error-in-dcn32-dml.patch
+drm-shmem-helper-remove-errant-put-in-error-path.patch
+drm-shmem-helper-avoid-vm_open-error-paths.patch
+net-dsa-sja1105-avoid-out-of-bounds-access-in-sja1105_init_l2_policing.patch
+hid-usbhid-add-always_poll-quirk-for-some-mice.patch
+hid-fix-i2c_hid-not-selected-when-i2c_hid_of_elan-is.patch
+hid-uclogic-add-hid_quirk_hidinput_force-quirk.patch
+hid-hid-lg4ff-add-check-for-empty-lbuf.patch
+hid-core-fix-shift-out-of-bounds-in-hid_report_raw_event.patch
+hid-ite-enable-quirk_touchpad_on_off_report-on-acer-aspire-switch-v-10.patch
diff --git a/queue-6.0/tmpfs-fix-data-loss-from-failed-fallocate.patch b/queue-6.0/tmpfs-fix-data-loss-from-failed-fallocate.patch
new file mode 100644
index 00000000000..6f459fff781
--- /dev/null
+++ b/queue-6.0/tmpfs-fix-data-loss-from-failed-fallocate.patch
@@ -0,0 +1,64 @@
+From 44bcabd70cf1425b4243e02251c02b01638a8287 Mon Sep 17 00:00:00 2001
+From: Hugh Dickins
+Date: Sun, 4 Dec 2022 16:51:50 -0800
+Subject: tmpfs: fix data loss from failed fallocate
+
+From: Hugh Dickins
+
+commit 44bcabd70cf1425b4243e02251c02b01638a8287 upstream.
+
+Fix tmpfs data loss when the fallocate system call is interrupted by a
+signal, or fails for some other reason. The partial folio handling in
+shmem_undo_range() forgot to consider this unfalloc case, and was liable
+to erase or truncate out data which had already been committed earlier.
+
+It turns out that none of the partial folio handling there is appropriate
+for the unfalloc case, which just wants to proceed to removal of whole
+folios: which find_get_entries() provides, even when partially covered.
+
+Original patch by Rui Wang.
+
+Link: https://lore.kernel.org/linux-mm/33b85d82.7764.1842e9ab207.Coremail.chenguoqic@163.com/
+Link: https://lkml.kernel.org/r/a5dac112-cf4b-7af-a33-f386e347fd38@google.com
+Fixes: b9a8a4195c7d ("truncate,shmem: Handle truncates that split large folios")
+Signed-off-by: Hugh Dickins
+Reported-by: Guoqi Chen
+ Link: https://lore.kernel.org/all/20221101032248.819360-1-kernel@hev.cc/
+Cc: Rui Wang
+Cc: Huacai Chen
+Cc: Matthew Wilcox
+Cc: Vishal Moola (Oracle)
+Cc: [5.17+]
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/shmem.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/mm/shmem.c
++++ b/mm/shmem.c
+@@ -958,6 +958,15 @@ static void shmem_undo_range(struct inod
+ index++;
+ }
+
++ /*
++ * When undoing a failed fallocate, we want none of the partial folio
++ * zeroing and splitting below, but shall want to truncate the whole
++ * folio when !uptodate indicates that it was added by this fallocate,
++ * even when [lstart, lend] covers only a part of the folio.
++ */
++ if (unfalloc)
++ goto whole_folios;
++
+ same_folio = (lstart >> PAGE_SHIFT) == (lend >> PAGE_SHIFT);
+ folio = shmem_get_partial_folio(inode, lstart >> PAGE_SHIFT);
+ if (folio) {
+@@ -983,6 +992,8 @@ static void shmem_undo_range(struct inod
+ folio_put(folio);
+ }
+
++whole_folios:
++
+ index = start;
+ while (index < end) {
+ cond_resched();
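Review bot: The new `if (unfalloc) goto whole_folios;` in shmem_undo_range() jumps over the assignments to `same_folio` and `folio`, so any code after the `whole_folios:` label that reads either of them before reassigning it would see an indeterminate value on the unfalloc path. Most of the code after the label lies outside the hunk, so this cannot be checked from here; it is worth confirming, or initialising both at their declaration. The function begins and ends outside the hunk.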