From: Sasha Levin Date: Sun, 24 Mar 2024 18:11:45 +0000 (-0400) Subject: Fixes for 4.19 X-Git-Tag: v6.8.2~44 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=eac41c639bb358b2279ff2a74d278587d55e481d;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.19 Signed-off-by: Sasha Levin --- diff --git a/queue-4.19/bpf-report-rcu-qs-in-cpumap-kthread.patch b/queue-4.19/bpf-report-rcu-qs-in-cpumap-kthread.patch new file mode 100644 index 00000000000..e710e3934d8 --- /dev/null +++ b/queue-4.19/bpf-report-rcu-qs-in-cpumap-kthread.patch @@ -0,0 +1,55 @@ +From 640adab17cd2c6afde6f29eb470a4b3c8cad3553 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Mar 2024 13:44:40 -0700 +Subject: bpf: report RCU QS in cpumap kthread + +From: Yan Zhai + +[ Upstream commit 00bf63122459e87193ee7f1bc6161c83a525569f ] + +When there are heavy load, cpumap kernel threads can be busy polling +packets from redirect queues and block out RCU tasks from reaching +quiescent states. It is insufficient to just call cond_resched() in such +context. Periodically raise a consolidated RCU QS before cond_resched +fixes the problem. + +Fixes: 6710e1126934 ("bpf: introduce new bpf cpu map type BPF_MAP_TYPE_CPUMAP") +Reviewed-by: Jesper Dangaard Brouer +Signed-off-by: Yan Zhai +Acked-by: Paul E. McKenney +Acked-by: Jesper Dangaard Brouer +Link: https://lore.kernel.org/r/c17b9f1517e19d813da3ede5ed33ee18496bb5d8.1710877680.git.yan@cloudflare.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + kernel/bpf/cpumap.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/kernel/bpf/cpumap.c b/kernel/bpf/cpumap.c +index 61fbcae82f0a1..6f7548138435b 100644 +--- a/kernel/bpf/cpumap.c ++++ b/kernel/bpf/cpumap.c +@@ -243,6 +243,7 @@ static void put_cpu_map_entry(struct bpf_cpu_map_entry *rcpu) + static int cpu_map_kthread_run(void *data) + { + struct bpf_cpu_map_entry *rcpu = data; ++ unsigned long last_qs = jiffies; + + set_current_state(TASK_INTERRUPTIBLE); + +@@ -262,10 +263,12 @@ static int cpu_map_kthread_run(void *data) + if (__ptr_ring_empty(rcpu->queue)) { + schedule(); + sched = 1; ++ last_qs = jiffies; + } else { + __set_current_state(TASK_RUNNING); + } + } else { ++ rcu_softirq_qs_periodic(last_qs); + sched = cond_resched(); + } + +-- +2.43.0 + diff --git a/queue-4.19/hsr-fix-uninit-value-access-in-hsr_get_node.patch b/queue-4.19/hsr-fix-uninit-value-access-in-hsr_get_node.patch new file mode 100644 index 00000000000..1dd58434aa4 --- /dev/null +++ b/queue-4.19/hsr-fix-uninit-value-access-in-hsr_get_node.patch @@ -0,0 +1,98 @@ +From 74aea71617d83e519eda61f6c9c563c3ce090cea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Mar 2024 00:27:19 +0900 +Subject: hsr: Fix uninit-value access in hsr_get_node() + +From: Shigeru Yoshida + +[ Upstream commit ddbec99f58571301679addbc022256970ca3eac6 ] + +KMSAN reported the following uninit-value access issue [1]: + +===================================================== +BUG: KMSAN: uninit-value in hsr_get_node+0xa2e/0xa40 net/hsr/hsr_framereg.c:246 + hsr_get_node+0xa2e/0xa40 net/hsr/hsr_framereg.c:246 + fill_frame_info net/hsr/hsr_forward.c:577 [inline] + hsr_forward_skb+0xe12/0x30e0 net/hsr/hsr_forward.c:615 + hsr_dev_xmit+0x1a1/0x270 net/hsr/hsr_device.c:223 + __netdev_start_xmit include/linux/netdevice.h:4940 [inline] + netdev_start_xmit include/linux/netdevice.h:4954 [inline] + xmit_one net/core/dev.c:3548 [inline] + dev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564 + __dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349 + dev_queue_xmit include/linux/netdevice.h:3134 [inline] + packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276 + packet_snd net/packet/af_packet.c:3087 [inline] + packet_sendmsg+0x8b1d/0x9f30 net/packet/af_packet.c:3119 + sock_sendmsg_nosec net/socket.c:730 [inline] + __sock_sendmsg net/socket.c:745 [inline] + __sys_sendto+0x735/0xa10 net/socket.c:2191 + __do_sys_sendto net/socket.c:2203 [inline] + __se_sys_sendto net/socket.c:2199 [inline] + __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x63/0x6b + +Uninit was created at: + slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768 + slab_alloc_node mm/slub.c:3478 [inline] + kmem_cache_alloc_node+0x5e9/0xb10 mm/slub.c:3523 + kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560 + __alloc_skb+0x318/0x740 net/core/skbuff.c:651 + alloc_skb include/linux/skbuff.h:1286 [inline] + alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6334 + sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2787 + packet_alloc_skb net/packet/af_packet.c:2936 [inline] + packet_snd net/packet/af_packet.c:3030 [inline] + packet_sendmsg+0x70e8/0x9f30 net/packet/af_packet.c:3119 + sock_sendmsg_nosec net/socket.c:730 [inline] + __sock_sendmsg net/socket.c:745 [inline] + __sys_sendto+0x735/0xa10 net/socket.c:2191 + __do_sys_sendto net/socket.c:2203 [inline] + __se_sys_sendto net/socket.c:2199 [inline] + __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x63/0x6b + +CPU: 1 PID: 5033 Comm: syz-executor334 Not tainted 6.7.0-syzkaller-00562-g9f8413c4a66f #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023 +===================================================== + +If the packet type ID field in the Ethernet header is either ETH_P_PRP or +ETH_P_HSR, but it is not followed by an HSR tag, hsr_get_skb_sequence_nr() +reads an invalid value as a sequence number. This causes the above issue. + +This patch fixes the issue by returning NULL if the Ethernet header is not +followed by an HSR tag. + +Fixes: f266a683a480 ("net/hsr: Better frame dispatch") +Reported-and-tested-by: syzbot+2ef3a8ce8e91b5a50098@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=2ef3a8ce8e91b5a50098 [1] +Signed-off-by: Shigeru Yoshida +Link: https://lore.kernel.org/r/20240312152719.724530-1-syoshida@redhat.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/hsr/hsr_framereg.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/hsr/hsr_framereg.c b/net/hsr/hsr_framereg.c +index 9c5a423f0f7a3..e1ef9799762c9 100644 +--- a/net/hsr/hsr_framereg.c ++++ b/net/hsr/hsr_framereg.c +@@ -194,6 +194,10 @@ struct hsr_node *hsr_get_node(struct hsr_port *port, struct sk_buff *skb, + + if (ethhdr->h_proto == htons(ETH_P_PRP) || + ethhdr->h_proto == htons(ETH_P_HSR)) { ++ /* Check if skb contains hsr_ethhdr */ ++ if (skb->mac_len < sizeof(struct hsr_ethhdr)) ++ return NULL; ++ + /* Use the existing sequence_nr from the tag as starting point + * for filtering duplicate frames. + */ +-- +2.43.0 + diff --git a/queue-4.19/hsr-handle-failures-in-module-init.patch b/queue-4.19/hsr-handle-failures-in-module-init.patch new file mode 100644 index 00000000000..ae36961e3c6 --- /dev/null +++ b/queue-4.19/hsr-handle-failures-in-module-init.patch @@ -0,0 +1,61 @@ +From 56c59a8418822c1cdc616eb2ec8c182b2631565b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Mar 2024 13:04:52 +0100 +Subject: hsr: Handle failures in module init + +From: Felix Maurer + +[ Upstream commit 3cf28cd492308e5f63ed00b29ea03ca016264376 ] + +A failure during registration of the netdev notifier was not handled at +all. A failure during netlink initialization did not unregister the netdev +notifier. + +Handle failures of netdev notifier registration and netlink initialization. +Both functions should only return negative values on failure and thereby +lead to the hsr module not being loaded. + +Fixes: f421436a591d ("net/hsr: Add support for the High-availability Seamless Redundancy protocol (HSRv0)") +Signed-off-by: Felix Maurer +Reviewed-by: Shigeru Yoshida +Reviewed-by: Breno Leitao +Link: https://lore.kernel.org/r/3ce097c15e3f7ace98fc7fd9bcbf299f092e63d1.1710504184.git.fmaurer@redhat.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/hsr/hsr_main.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +diff --git a/net/hsr/hsr_main.c b/net/hsr/hsr_main.c +index cd37d0011b424..c22013ff44795 100644 +--- a/net/hsr/hsr_main.c ++++ b/net/hsr/hsr_main.c +@@ -115,14 +115,21 @@ static struct notifier_block hsr_nb = { + + static int __init hsr_init(void) + { +- int res; ++ int err; + + BUILD_BUG_ON(sizeof(struct hsr_tag) != HSR_HLEN); + +- register_netdevice_notifier(&hsr_nb); +- res = hsr_netlink_init(); ++ err = register_netdevice_notifier(&hsr_nb); ++ if (err) ++ return err; ++ ++ err = hsr_netlink_init(); ++ if (err) { ++ unregister_netdevice_notifier(&hsr_nb); ++ return err; ++ } + +- return res; ++ return 0; + } + + static void __exit hsr_exit(void) +-- +2.43.0 + diff --git a/queue-4.19/ice-rework-flex-descriptor-programming.patch b/queue-4.19/ice-rework-flex-descriptor-programming.patch new file mode 100644 index 00000000000..ef79983664e --- /dev/null +++ b/queue-4.19/ice-rework-flex-descriptor-programming.patch @@ -0,0 +1,206 @@ +From 88164cd4365dd53a8c522454c94da23923f4cd7b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Aug 2018 06:29:44 -0700 +Subject: ice: Rework flex descriptor programming + +From: Anirudh Venkataramanan + +[ Upstream commit 22ef683b48182f4d6125a2fb2725eb8a141514ff ] + +The driver can support two flex descriptor profiles, ICE_RXDID_FLEX_NIC +and ICE_RXDID_FLEX_NIC_2. This patch reworks the current flex programming +logic to add support for the latter profile. + +Signed-off-by: Anirudh Venkataramanan +Tested-by: Tony Brelinski +Signed-off-by: Jeff Kirsher +Stable-dep-of: 00bf63122459 ("bpf: report RCU QS in cpumap kthread") +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_common.c | 102 ++++++++++++++---- + .../net/ethernet/intel/ice/ice_lan_tx_rx.h | 24 +++-- + 2 files changed, 92 insertions(+), 34 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_common.c b/drivers/net/ethernet/intel/ice/ice_common.c +index f8d00263d9019..72a6f22ee423f 100644 +--- a/drivers/net/ethernet/intel/ice/ice_common.c ++++ b/drivers/net/ethernet/intel/ice/ice_common.c +@@ -7,16 +7,16 @@ + + #define ICE_PF_RESET_WAIT_COUNT 200 + +-#define ICE_NIC_FLX_ENTRY(hw, mdid, idx) \ +- wr32((hw), GLFLXP_RXDID_FLX_WRD_##idx(ICE_RXDID_FLEX_NIC), \ ++#define ICE_PROG_FLEX_ENTRY(hw, rxdid, mdid, idx) \ ++ wr32((hw), GLFLXP_RXDID_FLX_WRD_##idx(rxdid), \ + ((ICE_RX_OPC_MDID << \ + GLFLXP_RXDID_FLX_WRD_##idx##_RXDID_OPCODE_S) & \ + GLFLXP_RXDID_FLX_WRD_##idx##_RXDID_OPCODE_M) | \ + (((mdid) << GLFLXP_RXDID_FLX_WRD_##idx##_PROT_MDID_S) & \ + GLFLXP_RXDID_FLX_WRD_##idx##_PROT_MDID_M)) + +-#define ICE_NIC_FLX_FLG_ENTRY(hw, flg_0, flg_1, flg_2, flg_3, idx) \ +- wr32((hw), GLFLXP_RXDID_FLAGS(ICE_RXDID_FLEX_NIC, idx), \ ++#define ICE_PROG_FLG_ENTRY(hw, rxdid, flg_0, flg_1, flg_2, flg_3, idx) \ ++ wr32((hw), GLFLXP_RXDID_FLAGS(rxdid, idx), \ + (((flg_0) << GLFLXP_RXDID_FLAGS_FLEXIFLAG_4N_S) & \ + GLFLXP_RXDID_FLAGS_FLEXIFLAG_4N_M) | \ + (((flg_1) << GLFLXP_RXDID_FLAGS_FLEXIFLAG_4N_1_S) & \ +@@ -290,30 +290,85 @@ ice_aq_get_link_info(struct ice_port_info *pi, bool ena_lse, + } + + /** +- * ice_init_flex_parser - initialize rx flex parser ++ * ice_init_flex_flags + * @hw: pointer to the hardware structure ++ * @prof_id: Rx Descriptor Builder profile ID + * +- * Function to initialize flex descriptors ++ * Function to initialize Rx flex flags + */ +-static void ice_init_flex_parser(struct ice_hw *hw) ++static void ice_init_flex_flags(struct ice_hw *hw, enum ice_rxdid prof_id) + { + u8 idx = 0; + +- ICE_NIC_FLX_ENTRY(hw, ICE_RX_MDID_HASH_LOW, 0); +- ICE_NIC_FLX_ENTRY(hw, ICE_RX_MDID_HASH_HIGH, 1); +- ICE_NIC_FLX_ENTRY(hw, ICE_RX_MDID_FLOW_ID_LOWER, 2); +- ICE_NIC_FLX_ENTRY(hw, ICE_RX_MDID_FLOW_ID_HIGH, 3); +- ICE_NIC_FLX_FLG_ENTRY(hw, ICE_RXFLG_PKT_FRG, ICE_RXFLG_UDP_GRE, +- ICE_RXFLG_PKT_DSI, ICE_RXFLG_FIN, idx++); +- ICE_NIC_FLX_FLG_ENTRY(hw, ICE_RXFLG_SYN, ICE_RXFLG_RST, +- ICE_RXFLG_PKT_DSI, ICE_RXFLG_PKT_DSI, idx++); +- ICE_NIC_FLX_FLG_ENTRY(hw, ICE_RXFLG_PKT_DSI, ICE_RXFLG_PKT_DSI, +- ICE_RXFLG_EVLAN_x8100, ICE_RXFLG_EVLAN_x9100, +- idx++); +- ICE_NIC_FLX_FLG_ENTRY(hw, ICE_RXFLG_VLAN_x8100, ICE_RXFLG_TNL_VLAN, +- ICE_RXFLG_TNL_MAC, ICE_RXFLG_TNL0, idx++); +- ICE_NIC_FLX_FLG_ENTRY(hw, ICE_RXFLG_TNL1, ICE_RXFLG_TNL2, +- ICE_RXFLG_PKT_DSI, ICE_RXFLG_PKT_DSI, idx); ++ /* Flex-flag fields (0-2) are programmed with FLG64 bits with layout: ++ * flexiflags0[5:0] - TCP flags, is_packet_fragmented, is_packet_UDP_GRE ++ * flexiflags1[3:0] - Not used for flag programming ++ * flexiflags2[7:0] - Tunnel and VLAN types ++ * 2 invalid fields in last index ++ */ ++ switch (prof_id) { ++ /* Rx flex flags are currently programmed for the NIC profiles only. ++ * Different flag bit programming configurations can be added per ++ * profile as needed. ++ */ ++ case ICE_RXDID_FLEX_NIC: ++ case ICE_RXDID_FLEX_NIC_2: ++ ICE_PROG_FLG_ENTRY(hw, prof_id, ICE_RXFLG_PKT_FRG, ++ ICE_RXFLG_UDP_GRE, ICE_RXFLG_PKT_DSI, ++ ICE_RXFLG_FIN, idx++); ++ /* flex flag 1 is not used for flexi-flag programming, skipping ++ * these four FLG64 bits. ++ */ ++ ICE_PROG_FLG_ENTRY(hw, prof_id, ICE_RXFLG_SYN, ICE_RXFLG_RST, ++ ICE_RXFLG_PKT_DSI, ICE_RXFLG_PKT_DSI, idx++); ++ ICE_PROG_FLG_ENTRY(hw, prof_id, ICE_RXFLG_PKT_DSI, ++ ICE_RXFLG_PKT_DSI, ICE_RXFLG_EVLAN_x8100, ++ ICE_RXFLG_EVLAN_x9100, idx++); ++ ICE_PROG_FLG_ENTRY(hw, prof_id, ICE_RXFLG_VLAN_x8100, ++ ICE_RXFLG_TNL_VLAN, ICE_RXFLG_TNL_MAC, ++ ICE_RXFLG_TNL0, idx++); ++ ICE_PROG_FLG_ENTRY(hw, prof_id, ICE_RXFLG_TNL1, ICE_RXFLG_TNL2, ++ ICE_RXFLG_PKT_DSI, ICE_RXFLG_PKT_DSI, idx); ++ break; ++ ++ default: ++ ice_debug(hw, ICE_DBG_INIT, ++ "Flag programming for profile ID %d not supported\n", ++ prof_id); ++ } ++} ++ ++/** ++ * ice_init_flex_flds ++ * @hw: pointer to the hardware structure ++ * @prof_id: Rx Descriptor Builder profile ID ++ * ++ * Function to initialize flex descriptors ++ */ ++static void ice_init_flex_flds(struct ice_hw *hw, enum ice_rxdid prof_id) ++{ ++ enum ice_flex_rx_mdid mdid; ++ ++ switch (prof_id) { ++ case ICE_RXDID_FLEX_NIC: ++ case ICE_RXDID_FLEX_NIC_2: ++ ICE_PROG_FLEX_ENTRY(hw, prof_id, ICE_RX_MDID_HASH_LOW, 0); ++ ICE_PROG_FLEX_ENTRY(hw, prof_id, ICE_RX_MDID_HASH_HIGH, 1); ++ ICE_PROG_FLEX_ENTRY(hw, prof_id, ICE_RX_MDID_FLOW_ID_LOWER, 2); ++ ++ mdid = (prof_id == ICE_RXDID_FLEX_NIC_2) ? ++ ICE_RX_MDID_SRC_VSI : ICE_RX_MDID_FLOW_ID_HIGH; ++ ++ ICE_PROG_FLEX_ENTRY(hw, prof_id, mdid, 3); ++ ++ ice_init_flex_flags(hw, prof_id); ++ break; ++ ++ default: ++ ice_debug(hw, ICE_DBG_INIT, ++ "Field init for profile ID %d not supported\n", ++ prof_id); ++ } + } + + /** +@@ -494,7 +549,8 @@ enum ice_status ice_init_hw(struct ice_hw *hw) + if (status) + goto err_unroll_fltr_mgmt_struct; + +- ice_init_flex_parser(hw); ++ ice_init_flex_flds(hw, ICE_RXDID_FLEX_NIC); ++ ice_init_flex_flds(hw, ICE_RXDID_FLEX_NIC_2); + + return 0; + +diff --git a/drivers/net/ethernet/intel/ice/ice_lan_tx_rx.h b/drivers/net/ethernet/intel/ice/ice_lan_tx_rx.h +index 068dbc740b766..94504023d86e2 100644 +--- a/drivers/net/ethernet/intel/ice/ice_lan_tx_rx.h ++++ b/drivers/net/ethernet/intel/ice/ice_lan_tx_rx.h +@@ -188,23 +188,25 @@ struct ice_32b_rx_flex_desc_nic { + * with a specific metadata (profile 7 reserved for HW) + */ + enum ice_rxdid { +- ICE_RXDID_START = 0, +- ICE_RXDID_LEGACY_0 = ICE_RXDID_START, +- ICE_RXDID_LEGACY_1, +- ICE_RXDID_FLX_START, +- ICE_RXDID_FLEX_NIC = ICE_RXDID_FLX_START, +- ICE_RXDID_FLX_LAST = 63, +- ICE_RXDID_LAST = ICE_RXDID_FLX_LAST ++ ICE_RXDID_LEGACY_0 = 0, ++ ICE_RXDID_LEGACY_1 = 1, ++ ICE_RXDID_FLEX_NIC = 2, ++ ICE_RXDID_FLEX_NIC_2 = 6, ++ ICE_RXDID_HW = 7, ++ ICE_RXDID_LAST = 63, + }; + + /* Receive Flex Descriptor Rx opcode values */ + #define ICE_RX_OPC_MDID 0x01 + + /* Receive Descriptor MDID values */ +-#define ICE_RX_MDID_FLOW_ID_LOWER 5 +-#define ICE_RX_MDID_FLOW_ID_HIGH 6 +-#define ICE_RX_MDID_HASH_LOW 56 +-#define ICE_RX_MDID_HASH_HIGH 57 ++enum ice_flex_rx_mdid { ++ ICE_RX_MDID_FLOW_ID_LOWER = 5, ++ ICE_RX_MDID_FLOW_ID_HIGH, ++ ICE_RX_MDID_SRC_VSI = 19, ++ ICE_RX_MDID_HASH_LOW = 56, ++ ICE_RX_MDID_HASH_HIGH, ++}; + + /* Rx Flag64 packet flag bits */ + enum ice_rx_flg64_bits { +-- +2.43.0 + diff --git a/queue-4.19/kconfig-fix-infinite-loop-when-expanding-a-macro-at-.patch b/queue-4.19/kconfig-fix-infinite-loop-when-expanding-a-macro-at-.patch new file mode 100644 index 00000000000..fdc57de71fb --- /dev/null +++ b/queue-4.19/kconfig-fix-infinite-loop-when-expanding-a-macro-at-.patch @@ -0,0 +1,47 @@ +From 85a7db233defac1d3b3cc0e95495bd70084cc402 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 3 Feb 2024 00:57:59 +0900 +Subject: kconfig: fix infinite loop when expanding a macro at the end of file + +From: Masahiro Yamada + +[ Upstream commit af8bbce92044dc58e4cc039ab94ee5d470a621f5 ] + +A macro placed at the end of a file with no newline causes an infinite +loop. + +[Test Kconfig] + $(info,hello) + \ No newline at end of file + +I realized that flex-provided input() returns 0 instead of EOF when it +reaches the end of a file. + +Fixes: 104daea149c4 ("kconfig: reference environment variables directly and remove 'option env='") +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/kconfig/zconf.l | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/scripts/kconfig/zconf.l b/scripts/kconfig/zconf.l +index c2f577d719647..2a47ce9b219a0 100644 +--- a/scripts/kconfig/zconf.l ++++ b/scripts/kconfig/zconf.l +@@ -292,8 +292,11 @@ static char *expand_token(const char *in, size_t n) + new_string(); + append_string(in, n); + +- /* get the whole line because we do not know the end of token. */ +- while ((c = input()) != EOF) { ++ /* ++ * get the whole line because we do not know the end of token. ++ * input() returns 0 (not EOF!) when it reachs the end of file. ++ */ ++ while ((c = input()) != 0) { + if (c == '\n') { + unput(c); + break; +-- +2.43.0 + diff --git a/queue-4.19/net-bnx2x-prevent-access-to-a-freed-page-in-page_poo.patch b/queue-4.19/net-bnx2x-prevent-access-to-a-freed-page-in-page_poo.patch new file mode 100644 index 00000000000..652b28d785a --- /dev/null +++ b/queue-4.19/net-bnx2x-prevent-access-to-a-freed-page-in-page_poo.patch @@ -0,0 +1,89 @@ +From b25930af55e734f452ce3fa42faa7bb96e663039 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Mar 2024 15:55:35 -0500 +Subject: net/bnx2x: Prevent access to a freed page in page_pool + +From: Thinh Tran + +[ Upstream commit d27e2da94a42655861ca4baea30c8cd65546f25d ] + +Fix race condition leading to system crash during EEH error handling + +During EEH error recovery, the bnx2x driver's transmit timeout logic +could cause a race condition when handling reset tasks. The +bnx2x_tx_timeout() schedules reset tasks via bnx2x_sp_rtnl_task(), +which ultimately leads to bnx2x_nic_unload(). In bnx2x_nic_unload() +SGEs are freed using bnx2x_free_rx_sge_range(). However, this could +overlap with the EEH driver's attempt to reset the device using +bnx2x_io_slot_reset(), which also tries to free SGEs. This race +condition can result in system crashes due to accessing freed memory +locations in bnx2x_free_rx_sge() + +799 static inline void bnx2x_free_rx_sge(struct bnx2x *bp, +800 struct bnx2x_fastpath *fp, u16 index) +801 { +802 struct sw_rx_page *sw_buf = &fp->rx_page_ring[index]; +803 struct page *page = sw_buf->page; +.... +where sw_buf was set to NULL after the call to dma_unmap_page() +by the preceding thread. + + EEH: Beginning: 'slot_reset' + PCI 0011:01:00.0#10000: EEH: Invoking bnx2x->slot_reset() + bnx2x: [bnx2x_io_slot_reset:14228(eth1)]IO slot reset initializing... + bnx2x 0011:01:00.0: enabling device (0140 -> 0142) + bnx2x: [bnx2x_io_slot_reset:14244(eth1)]IO slot reset --> driver unload + Kernel attempted to read user page (0) - exploit attempt? (uid: 0) + BUG: Kernel NULL pointer dereference on read at 0x00000000 + Faulting instruction address: 0xc0080000025065fc + Oops: Kernel access of bad area, sig: 11 [#1] + ..... + Call Trace: + [c000000003c67a20] [c00800000250658c] bnx2x_io_slot_reset+0x204/0x610 [bnx2x] (unreliable) + [c000000003c67af0] [c0000000000518a8] eeh_report_reset+0xb8/0xf0 + [c000000003c67b60] [c000000000052130] eeh_pe_report+0x180/0x550 + [c000000003c67c70] [c00000000005318c] eeh_handle_normal_event+0x84c/0xa60 + [c000000003c67d50] [c000000000053a84] eeh_event_handler+0xf4/0x170 + [c000000003c67da0] [c000000000194c58] kthread+0x1c8/0x1d0 + [c000000003c67e10] [c00000000000cf64] ret_from_kernel_thread+0x5c/0x64 + +To solve this issue, we need to verify page pool allocations before +freeing. + +Fixes: 4cace675d687 ("bnx2x: Alloc 4k fragment for each rx ring buffer element") +Signed-off-by: Thinh Tran +Reviewed-by: Jiri Pirko +Link: https://lore.kernel.org/r/20240315205535.1321-1-thinhtr@linux.ibm.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h +index df5e8c2e8eafe..844195849ae76 100644 +--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h ++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h +@@ -1008,9 +1008,6 @@ static inline void bnx2x_set_fw_mac_addr(__le16 *fw_hi, __le16 *fw_mid, + static inline void bnx2x_free_rx_mem_pool(struct bnx2x *bp, + struct bnx2x_alloc_pool *pool) + { +- if (!pool->page) +- return; +- + put_page(pool->page); + + pool->page = NULL; +@@ -1021,6 +1018,9 @@ static inline void bnx2x_free_rx_sge_range(struct bnx2x *bp, + { + int i; + ++ if (!fp->page_pool.page) ++ return; ++ + if (fp->mode == TPA_MODE_DISABLED) + return; + +-- +2.43.0 + diff --git a/queue-4.19/net-hsr-fix-placement-of-logical-operator-in-a-multi.patch b/queue-4.19/net-hsr-fix-placement-of-logical-operator-in-a-multi.patch new file mode 100644 index 00000000000..9f5961a1639 --- /dev/null +++ b/queue-4.19/net-hsr-fix-placement-of-logical-operator-in-a-multi.patch @@ -0,0 +1,67 @@ +From a468c608d0ca564952ec0d28f3801a677bcf1c07 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Apr 2019 13:31:30 -0400 +Subject: net: hsr: fix placement of logical operator in a multi-line statement + +From: Murali Karicheri + +[ Upstream commit 059477830022e1886f55a9641702461c249fa864 ] + +In a multi-line statement exceeding 80 characters, logical operator +should be at the end of a line instead of being at the start. This +is seen when ran checkpatch.pl -f on files under net/hsr. The change +is per suggestion from checkpatch. + +Signed-off-by: Murali Karicheri +Signed-off-by: David S. Miller +Stable-dep-of: ddbec99f5857 ("hsr: Fix uninit-value access in hsr_get_node()") +Signed-off-by: Sasha Levin +--- + net/hsr/hsr_forward.c | 8 ++++---- + net/hsr/hsr_framereg.c | 4 ++-- + 2 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/net/hsr/hsr_forward.c b/net/hsr/hsr_forward.c +index adfb497606785..886fad5922b3c 100644 +--- a/net/hsr/hsr_forward.c ++++ b/net/hsr/hsr_forward.c +@@ -63,8 +63,8 @@ static bool is_supervision_frame(struct hsr_priv *hsr, struct sk_buff *skb) + return false; + + /* Correct ether type?. */ +- if (!(ethHdr->h_proto == htons(ETH_P_PRP) +- || ethHdr->h_proto == htons(ETH_P_HSR))) ++ if (!(ethHdr->h_proto == htons(ETH_P_PRP) || ++ ethHdr->h_proto == htons(ETH_P_HSR))) + return false; + + /* Get the supervision header from correct location. */ +@@ -336,8 +336,8 @@ static int hsr_fill_frame_info(struct hsr_frame_info *frame, + /* FIXME: */ + WARN_ONCE(1, "HSR: VLAN not yet supported"); + } +- if (ethhdr->h_proto == htons(ETH_P_PRP) +- || ethhdr->h_proto == htons(ETH_P_HSR)) { ++ if (ethhdr->h_proto == htons(ETH_P_PRP) || ++ ethhdr->h_proto == htons(ETH_P_HSR)) { + frame->skb_std = NULL; + frame->skb_hsr = skb; + frame->sequence_nr = hsr_get_skb_sequence_nr(skb); +diff --git a/net/hsr/hsr_framereg.c b/net/hsr/hsr_framereg.c +index 37795502bb511..9c5a423f0f7a3 100644 +--- a/net/hsr/hsr_framereg.c ++++ b/net/hsr/hsr_framereg.c +@@ -192,8 +192,8 @@ struct hsr_node *hsr_get_node(struct hsr_port *port, struct sk_buff *skb, + + /* Everyone may create a node entry, connected node to a HSR device. */ + +- if (ethhdr->h_proto == htons(ETH_P_PRP) +- || ethhdr->h_proto == htons(ETH_P_HSR)) { ++ if (ethhdr->h_proto == htons(ETH_P_PRP) || ++ ethhdr->h_proto == htons(ETH_P_HSR)) { + /* Use the existing sequence_nr from the tag as starting point + * for filtering duplicate frames. + */ +-- +2.43.0 + diff --git a/queue-4.19/rcu-add-a-helper-to-report-consolidated-flavor-qs.patch b/queue-4.19/rcu-add-a-helper-to-report-consolidated-flavor-qs.patch new file mode 100644 index 00000000000..212d1803914 --- /dev/null +++ b/queue-4.19/rcu-add-a-helper-to-report-consolidated-flavor-qs.patch @@ -0,0 +1,76 @@ +From 7f8ef8fa7550564abba9bdeaf20658d97938cf49 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Mar 2024 13:44:34 -0700 +Subject: rcu: add a helper to report consolidated flavor QS + +From: Yan Zhai + +[ Upstream commit 1a77557d48cff187a169c2aec01c0dd78a5e7e50 ] + +When under heavy load, network processing can run CPU-bound for many +tens of seconds. Even in preemptible kernels (non-RT kernel), this can +block RCU Tasks grace periods, which can cause trace-event removal to +take more than a minute, which is unacceptably long. + +This commit therefore creates a new helper function that passes through +both RCU and RCU-Tasks quiescent states every 100 milliseconds. This +hard-coded value suffices for current workloads. + +Suggested-by: Paul E. McKenney +Reviewed-by: Jesper Dangaard Brouer +Signed-off-by: Yan Zhai +Reviewed-by: Paul E. McKenney +Acked-by: Jesper Dangaard Brouer +Link: https://lore.kernel.org/r/90431d46ee112d2b0af04dbfe936faaca11810a5.1710877680.git.yan@cloudflare.com +Signed-off-by: Jakub Kicinski +Stable-dep-of: 00bf63122459 ("bpf: report RCU QS in cpumap kthread") +Signed-off-by: Sasha Levin +--- + include/linux/rcupdate.h | 31 +++++++++++++++++++++++++++++++ + 1 file changed, 31 insertions(+) + +diff --git a/include/linux/rcupdate.h b/include/linux/rcupdate.h +index cf139d6e5c1d3..38a9730b685b9 100644 +--- a/include/linux/rcupdate.h ++++ b/include/linux/rcupdate.h +@@ -196,6 +196,37 @@ do { \ + cond_resched(); \ + } while (0) + ++/** ++ * rcu_softirq_qs_periodic - Report RCU and RCU-Tasks quiescent states ++ * @old_ts: jiffies at start of processing. ++ * ++ * This helper is for long-running softirq handlers, such as NAPI threads in ++ * networking. The caller should initialize the variable passed in as @old_ts ++ * at the beginning of the softirq handler. When invoked frequently, this macro ++ * will invoke rcu_softirq_qs() every 100 milliseconds thereafter, which will ++ * provide both RCU and RCU-Tasks quiescent states. Note that this macro ++ * modifies its old_ts argument. ++ * ++ * Because regions of code that have disabled softirq act as RCU read-side ++ * critical sections, this macro should be invoked with softirq (and ++ * preemption) enabled. ++ * ++ * The macro is not needed when CONFIG_PREEMPT_RT is defined. RT kernels would ++ * have more chance to invoke schedule() calls and provide necessary quiescent ++ * states. As a contrast, calling cond_resched() only won't achieve the same ++ * effect because cond_resched() does not provide RCU-Tasks quiescent states. ++ */ ++#define rcu_softirq_qs_periodic(old_ts) \ ++do { \ ++ if (!IS_ENABLED(CONFIG_PREEMPT_RT) && \ ++ time_after(jiffies, (old_ts) + HZ / 10)) { \ ++ preempt_disable(); \ ++ rcu_softirq_qs(); \ ++ preempt_enable(); \ ++ (old_ts) = jiffies; \ ++ } \ ++} while (0) ++ + /* + * Infrastructure to implement the synchronize_() primitives in + * TREE_RCU and rcu_barrier_() primitives in TINY_RCU. +-- +2.43.0 + diff --git a/queue-4.19/rds-introduce-acquire-release-ordering-in-acquire-re.patch b/queue-4.19/rds-introduce-acquire-release-ordering-in-acquire-re.patch new file mode 100644 index 00000000000..d16cfc0ddca --- /dev/null +++ b/queue-4.19/rds-introduce-acquire-release-ordering-in-acquire-re.patch @@ -0,0 +1,51 @@ +From f6ac3624db2fea5a2366e7a24829d932bfba8a7e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Mar 2024 18:28:38 +0900 +Subject: rds: introduce acquire/release ordering in acquire/release_in_xmit() + +From: Yewon Choi + +[ Upstream commit 1422f28826d2a0c11e5240b3e951c9e214d8656e ] + +acquire/release_in_xmit() work as bit lock in rds_send_xmit(), so they +are expected to ensure acquire/release memory ordering semantics. +However, test_and_set_bit/clear_bit() don't imply such semantics, on +top of this, following smp_mb__after_atomic() does not guarantee release +ordering (memory barrier actually should be placed before clear_bit()). + +Instead, we use clear_bit_unlock/test_and_set_bit_lock() here. + +Fixes: 0f4b1c7e89e6 ("rds: fix rds_send_xmit() serialization") +Fixes: 1f9ecd7eacfd ("RDS: Pass rds_conn_path to rds_send_xmit()") +Signed-off-by: Yewon Choi +Reviewed-by: Michal Kubiak +Link: https://lore.kernel.org/r/ZfQUxnNTO9AJmzwc@libra05 +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/rds/send.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/net/rds/send.c b/net/rds/send.c +index c856e6c963af9..dcb338339b717 100644 +--- a/net/rds/send.c ++++ b/net/rds/send.c +@@ -103,13 +103,12 @@ EXPORT_SYMBOL_GPL(rds_send_path_reset); + + static int acquire_in_xmit(struct rds_conn_path *cp) + { +- return test_and_set_bit(RDS_IN_XMIT, &cp->cp_flags) == 0; ++ return test_and_set_bit_lock(RDS_IN_XMIT, &cp->cp_flags) == 0; + } + + static void release_in_xmit(struct rds_conn_path *cp) + { +- clear_bit(RDS_IN_XMIT, &cp->cp_flags); +- smp_mb__after_atomic(); ++ clear_bit_unlock(RDS_IN_XMIT, &cp->cp_flags); + /* + * We don't use wait_on_bit()/wake_up_bit() because our waking is in a + * hot path and finding waiters is very rare. We don't want to walk +-- +2.43.0 + diff --git a/queue-4.19/rtc-mt6397-select-irq_domain-instead-of-depending-on.patch b/queue-4.19/rtc-mt6397-select-irq_domain-instead-of-depending-on.patch new file mode 100644 index 00000000000..61b6378dcab --- /dev/null +++ b/queue-4.19/rtc-mt6397-select-irq_domain-instead-of-depending-on.patch @@ -0,0 +1,59 @@ +From c5b0a53d5b8fcf11582f132c5ebafbdb6752da14 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Feb 2024 21:02:58 -0800 +Subject: rtc: mt6397: select IRQ_DOMAIN instead of depending on it + +From: Randy Dunlap + +[ Upstream commit 544c42f798e1651dcb04fb0395219bf0f1c2607e ] + +IRQ_DOMAIN is a hidden (not user visible) symbol. Users cannot set +it directly thru "make *config", so drivers should select it instead +of depending on it if they need it. +Relying on it being set for a dependency is risky. + +Consistently using "select" or "depends on" can also help reduce +Kconfig circular dependency issues. + +Therefore, change the use of "depends on" for IRQ_DOMAIN to +"select" for RTC_DRV_MT6397. + +Fixes: 04d3ba70a3c9 ("rtc: mt6397: add IRQ domain dependency") +Cc: Arnd Bergmann +Cc: Eddie Huang +Cc: Sean Wang +Cc: Matthias Brugger +Cc: linux-arm-kernel@lists.infradead.org +Cc: linux-mediatek@lists.infradead.org +Cc: Alessandro Zummo +Cc: Alexandre Belloni +Cc: linux-rtc@vger.kernel.org +Cc: Marc Zyngier +Cc: Philipp Zabel +Cc: Peter Rosin +Reviewed-by: AngeloGioacchino Del Regno +Signed-off-by: Randy Dunlap +Link: https://lore.kernel.org/r/20240213050258.6167-1-rdunlap@infradead.org +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/rtc/Kconfig | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/rtc/Kconfig b/drivers/rtc/Kconfig +index b5845f16a3a26..199cc39459198 100644 +--- a/drivers/rtc/Kconfig ++++ b/drivers/rtc/Kconfig +@@ -1719,7 +1719,8 @@ config RTC_DRV_MOXART + + config RTC_DRV_MT6397 + tristate "MediaTek PMIC based RTC" +- depends on MFD_MT6397 || (COMPILE_TEST && IRQ_DOMAIN) ++ depends on MFD_MT6397 || COMPILE_TEST ++ select IRQ_DOMAIN + help + This selects the MediaTek(R) RTC driver. RTC is part of MediaTek + MT6397 PMIC. You should enable MT6397 PMIC MFD before select +-- +2.43.0 + diff --git a/queue-4.19/serial-8250_exar-don-t-remove-gpio-device-on-suspend.patch b/queue-4.19/serial-8250_exar-don-t-remove-gpio-device-on-suspend.patch new file mode 100644 index 00000000000..c42af09548c --- /dev/null +++ b/queue-4.19/serial-8250_exar-don-t-remove-gpio-device-on-suspend.patch @@ -0,0 +1,49 @@ +From 22c40184b5020a4a3f60bd07aafa2eaf7639235b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Feb 2024 17:04:57 +0200 +Subject: serial: 8250_exar: Don't remove GPIO device on suspend + +From: Andy Shevchenko + +[ Upstream commit 73b5a5c00be39e23b194bad10e1ea8bb73eee176 ] + +It seems a copy&paste mistake that suspend callback removes the GPIO +device. There is no counterpart of this action, means once suspended +there is no more GPIO device available untile full unbind-bind cycle +is performed. Remove suspicious GPIO device removal in suspend. + +Fixes: d0aeaa83f0b0 ("serial: exar: split out the exar code from 8250_pci") +Signed-off-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20240219150627.2101198-2-andriy.shevchenko@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/8250/8250_exar.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/drivers/tty/serial/8250/8250_exar.c b/drivers/tty/serial/8250/8250_exar.c +index 195f58c5b477f..319737919381d 100644 +--- a/drivers/tty/serial/8250/8250_exar.c ++++ b/drivers/tty/serial/8250/8250_exar.c +@@ -553,6 +553,7 @@ static void exar_pci_remove(struct pci_dev *pcidev) + for (i = 0; i < priv->nr; i++) + serial8250_unregister_port(priv->line[i]); + ++ /* Ensure that every init quirk is properly torn down */ + if (priv->board->exit) + priv->board->exit(pcidev); + } +@@ -567,10 +568,6 @@ static int __maybe_unused exar_suspend(struct device *dev) + if (priv->line[i] >= 0) + serial8250_suspend_port(priv->line[i]); + +- /* Ensure that every init quirk is properly torn down */ +- if (priv->board->exit) +- priv->board->exit(pcidev); +- + return 0; + } + +-- +2.43.0 + diff --git a/queue-4.19/serial-max310x-fix-syntax-error-in-irq-error-message.patch b/queue-4.19/serial-max310x-fix-syntax-error-in-irq-error-message.patch new file mode 100644 index 00000000000..540e9ac013f --- /dev/null +++ b/queue-4.19/serial-max310x-fix-syntax-error-in-irq-error-message.patch @@ -0,0 +1,40 @@ +From 3911d2d30418b66aaf1e5ef09d08470d2dd98d6b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Jan 2024 10:22:01 -0500 +Subject: serial: max310x: fix syntax error in IRQ error message + +From: Hugo Villeneuve + +[ Upstream commit 8ede8c6f474255b2213cccd7997b993272a8e2f9 ] + +Replace g with q. + +Helpful when grepping thru source code or logs for +"request" keyword. + +Fixes: f65444187a66 ("serial: New serial driver MAX310X") +Reviewed-by: Andy Shevchenko +Signed-off-by: Hugo Villeneuve +Link: https://lore.kernel.org/r/20240118152213.2644269-6-hugo@hugovil.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/max310x.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/tty/serial/max310x.c b/drivers/tty/serial/max310x.c +index e68dbd13110ba..1c8fd06befec4 100644 +--- a/drivers/tty/serial/max310x.c ++++ b/drivers/tty/serial/max310x.c +@@ -1363,7 +1363,7 @@ static int max310x_probe(struct device *dev, struct max310x_devtype *devtype, + if (!ret) + return 0; + +- dev_err(dev, "Unable to reguest IRQ %i\n", irq); ++ dev_err(dev, "Unable to request IRQ %i\n", irq); + + out_uart: + for (i = 0; i < devtype->nr; i++) { +-- +2.43.0 + diff --git a/queue-4.19/series b/queue-4.19/series index 1451d833d77..22fcd69009e 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -131,3 +131,20 @@ scsi-bfa-fix-function-pointer-type-mismatch-for-hcb_.patch net-sunrpc-fix-an-off-by-one-in-rpc_sockaddr2uaddr.patch nfs-fix-an-off-by-one-in-root_nfs_cat.patch clk-qcom-gdsc-add-support-to-update-gdsc-transition-.patch +usb-phy-generic-get-the-vbus-supply.patch +serial-max310x-fix-syntax-error-in-irq-error-message.patch +tty-serial-samsung-fix-tx_empty-to-return-tiocser_te.patch +kconfig-fix-infinite-loop-when-expanding-a-macro-at-.patch +rtc-mt6397-select-irq_domain-instead-of-depending-on.patch +serial-8250_exar-don-t-remove-gpio-device-on-suspend.patch +staging-greybus-fix-get_channel_from_mode-failure-pa.patch +usb-gadget-net2272-use-irqflags-in-the-call-to-net22.patch +net-hsr-fix-placement-of-logical-operator-in-a-multi.patch +hsr-fix-uninit-value-access-in-hsr_get_node.patch +rds-introduce-acquire-release-ordering-in-acquire-re.patch +hsr-handle-failures-in-module-init.patch +net-bnx2x-prevent-access-to-a-freed-page-in-page_poo.patch +ice-rework-flex-descriptor-programming.patch +rcu-add-a-helper-to-report-consolidated-flavor-qs.patch +bpf-report-rcu-qs-in-cpumap-kthread.patch +spi-spi-mt65xx-fix-null-pointer-access-in-interrupt-.patch diff --git a/queue-4.19/spi-spi-mt65xx-fix-null-pointer-access-in-interrupt-.patch b/queue-4.19/spi-spi-mt65xx-fix-null-pointer-access-in-interrupt-.patch new file mode 100644 index 00000000000..9261387097a --- /dev/null +++ b/queue-4.19/spi-spi-mt65xx-fix-null-pointer-access-in-interrupt-.patch @@ -0,0 +1,61 @@ +From bf2871fea56f942aab44542980195d4844227556 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Mar 2024 15:08:57 +0800 +Subject: spi: spi-mt65xx: Fix NULL pointer access in interrupt handler + +From: Fei Shao + +[ Upstream commit a20ad45008a7c82f1184dc6dee280096009ece55 ] + +The TX buffer in spi_transfer can be a NULL pointer, so the interrupt +handler may end up writing to the invalid memory and cause crashes. + +Add a check to trans->tx_buf before using it. + +Fixes: 1ce24864bff4 ("spi: mediatek: Only do dma for 4-byte aligned buffers") +Signed-off-by: Fei Shao +Reviewed-by: AngeloGioacchino Del Regno +Link: https://msgid.link/r/20240321070942.1587146-2-fshao@chromium.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-mt65xx.c | 22 ++++++++++++---------- + 1 file changed, 12 insertions(+), 10 deletions(-) + +diff --git a/drivers/spi/spi-mt65xx.c b/drivers/spi/spi-mt65xx.c +index faca2ab758992..89ec119215371 100644 +--- a/drivers/spi/spi-mt65xx.c ++++ b/drivers/spi/spi-mt65xx.c +@@ -524,17 +524,19 @@ static irqreturn_t mtk_spi_interrupt(int irq, void *dev_id) + mdata->xfer_len = min(MTK_SPI_MAX_FIFO_SIZE, len); + mtk_spi_setup_packet(master); + +- cnt = mdata->xfer_len / 4; +- iowrite32_rep(mdata->base + SPI_TX_DATA_REG, +- trans->tx_buf + mdata->num_xfered, cnt); ++ if (trans->tx_buf) { ++ cnt = mdata->xfer_len / 4; ++ iowrite32_rep(mdata->base + SPI_TX_DATA_REG, ++ trans->tx_buf + mdata->num_xfered, cnt); + +- remainder = mdata->xfer_len % 4; +- if (remainder > 0) { +- reg_val = 0; +- memcpy(®_val, +- trans->tx_buf + (cnt * 4) + mdata->num_xfered, +- remainder); +- writel(reg_val, mdata->base + SPI_TX_DATA_REG); ++ remainder = mdata->xfer_len % 4; ++ if (remainder > 0) { ++ reg_val = 0; ++ memcpy(®_val, ++ trans->tx_buf + (cnt * 4) + mdata->num_xfered, ++ remainder); ++ writel(reg_val, mdata->base + SPI_TX_DATA_REG); ++ } + } + + mtk_spi_enable_transfer(master); +-- +2.43.0 + diff --git a/queue-4.19/staging-greybus-fix-get_channel_from_mode-failure-pa.patch b/queue-4.19/staging-greybus-fix-get_channel_from_mode-failure-pa.patch new file mode 100644 index 00000000000..9b411f0654b --- /dev/null +++ b/queue-4.19/staging-greybus-fix-get_channel_from_mode-failure-pa.patch @@ -0,0 +1,54 @@ +From 639427305cd60733fdef5d2f8a6a38bd8902f6b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Mar 2024 10:04:48 +0300 +Subject: staging: greybus: fix get_channel_from_mode() failure path + +From: Dan Carpenter + +[ Upstream commit 34164202a5827f60a203ca9acaf2d9f7d432aac8 ] + +The get_channel_from_mode() function is supposed to return the channel +which matches the mode. But it has a bug where if it doesn't find a +matching channel then it returns the last channel. It should return +NULL instead. + +Also remove an unnecessary NULL check on "channel". + +Fixes: 2870b52bae4c ("greybus: lights: add lights implementation") +Signed-off-by: Dan Carpenter +Reviewed-by: Rui Miguel Silva +Reviewed-by: Alex Elder +Link: https://lore.kernel.org/r/379c0cb4-39e0-4293-8a18-c7b1298e5420@moroto.mountain +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/greybus/light.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/staging/greybus/light.c b/drivers/staging/greybus/light.c +index db06cd544af58..8c5819d1e1abe 100644 +--- a/drivers/staging/greybus/light.c ++++ b/drivers/staging/greybus/light.c +@@ -102,15 +102,15 @@ static struct led_classdev *get_channel_cdev(struct gb_channel *channel) + static struct gb_channel *get_channel_from_mode(struct gb_light *light, + u32 mode) + { +- struct gb_channel *channel = NULL; ++ struct gb_channel *channel; + int i; + + for (i = 0; i < light->channels_count; i++) { + channel = &light->channels[i]; +- if (channel && channel->mode == mode) +- break; ++ if (channel->mode == mode) ++ return channel; + } +- return channel; ++ return NULL; + } + + static int __gb_lights_flash_intensity_set(struct gb_channel *channel, +-- +2.43.0 + diff --git a/queue-4.19/tty-serial-samsung-fix-tx_empty-to-return-tiocser_te.patch b/queue-4.19/tty-serial-samsung-fix-tx_empty-to-return-tiocser_te.patch new file mode 100644 index 00000000000..1037539ec2e --- /dev/null +++ b/queue-4.19/tty-serial-samsung-fix-tx_empty-to-return-tiocser_te.patch @@ -0,0 +1,45 @@ +From 342e4cb30122e00a183d135ab843b78c2e47b18e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Jan 2024 10:45:08 +0000 +Subject: tty: serial: samsung: fix tx_empty() to return TIOCSER_TEMT + +From: Tudor Ambarus + +[ Upstream commit 314c2b399288f0058a8c5b6683292cbde5f1531b ] + +The core expects for tx_empty() either TIOCSER_TEMT when the tx is +empty or 0 otherwise. s3c24xx_serial_txempty_nofifo() might return +0x4, and at least uart_get_lsr_info() tries to clear exactly +TIOCSER_TEMT (BIT(1)). Fix tx_empty() to return TIOCSER_TEMT. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Tudor Ambarus +Reviewed-by: Sam Protsenko +Link: https://lore.kernel.org/r/20240119104526.1221243-2-tudor.ambarus@linaro.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/samsung.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/tty/serial/samsung.c b/drivers/tty/serial/samsung.c +index 5f1f52cc63951..c76bf1c11e6fd 100644 +--- a/drivers/tty/serial/samsung.c ++++ b/drivers/tty/serial/samsung.c +@@ -800,11 +800,10 @@ static unsigned int s3c24xx_serial_tx_empty(struct uart_port *port) + if ((ufstat & info->tx_fifomask) != 0 || + (ufstat & info->tx_fifofull)) + return 0; +- +- return 1; ++ return TIOCSER_TEMT; + } + +- return s3c24xx_serial_txempty_nofifo(port); ++ return s3c24xx_serial_txempty_nofifo(port) ? TIOCSER_TEMT : 0; + } + + /* no modem control lines */ +-- +2.43.0 + diff --git a/queue-4.19/usb-gadget-net2272-use-irqflags-in-the-call-to-net22.patch b/queue-4.19/usb-gadget-net2272-use-irqflags-in-the-call-to-net22.patch new file mode 100644 index 00000000000..09ceb7c0592 --- /dev/null +++ b/queue-4.19/usb-gadget-net2272-use-irqflags-in-the-call-to-net22.patch @@ -0,0 +1,47 @@ +From c30ee767556eff77753a428889e08b34538b62d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Mar 2024 18:17:34 +0000 +Subject: usb: gadget: net2272: Use irqflags in the call to net2272_probe_fin +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Colin Ian King + +[ Upstream commit 600556809f04eb3bbccd05218215dcd7b285a9a9 ] + +Currently the variable irqflags is being set but is not being used, +it appears it should be used in the call to net2272_probe_fin +rather than IRQF_TRIGGER_LOW being used. Kudos to Uwe Kleine-König +for suggesting the fix. + +Cleans up clang scan build warning: +drivers/usb/gadget/udc/net2272.c:2610:15: warning: variable 'irqflags' +set but not used [-Wunused-but-set-variable] + +Fixes: ceb80363b2ec ("USB: net2272: driver for PLX NET2272 USB device controller") +Signed-off-by: Colin Ian King +Acked-by: Alan Stern +Link: https://lore.kernel.org/r/20240307181734.2034407-1-colin.i.king@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/udc/net2272.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/gadget/udc/net2272.c b/drivers/usb/gadget/udc/net2272.c +index 077fa9304618d..2004442d791cf 100644 +--- a/drivers/usb/gadget/udc/net2272.c ++++ b/drivers/usb/gadget/udc/net2272.c +@@ -2638,7 +2638,7 @@ net2272_plat_probe(struct platform_device *pdev) + goto err_req; + } + +- ret = net2272_probe_fin(dev, IRQF_TRIGGER_LOW); ++ ret = net2272_probe_fin(dev, irqflags); + if (ret) + goto err_io; + +-- +2.43.0 + diff --git a/queue-4.19/usb-phy-generic-get-the-vbus-supply.patch b/queue-4.19/usb-phy-generic-get-the-vbus-supply.patch new file mode 100644 index 00000000000..f2c1632a726 --- /dev/null +++ b/queue-4.19/usb-phy-generic-get-the-vbus-supply.patch @@ -0,0 +1,44 @@ +From 506472a209a7a1d611415b39a853973d0f81b8d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Apr 2022 13:14:09 -0400 +Subject: usb: phy: generic: Get the vbus supply + +From: Sean Anderson + +[ Upstream commit 03e607cbb2931374db1825f371e9c7f28526d3f4 ] + +While support for working with a vbus was added, the regulator was never +actually gotten (despite what was documented). Fix this by actually +getting the supply from the device tree. + +Fixes: 7acc9973e3c4 ("usb: phy: generic: add vbus support") +Cc: stable +Signed-off-by: Sean Anderson +Link: https://lore.kernel.org/r/20220425171412.1188485-3-sean.anderson@seco.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/phy/phy-generic.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/usb/phy/phy-generic.c b/drivers/usb/phy/phy-generic.c +index a53b89be53248..8a04b157f19f3 100644 +--- a/drivers/usb/phy/phy-generic.c ++++ b/drivers/usb/phy/phy-generic.c +@@ -283,6 +283,13 @@ int usb_phy_gen_create_phy(struct device *dev, struct usb_phy_generic *nop, + return -EPROBE_DEFER; + } + ++ nop->vbus_draw = devm_regulator_get_exclusive(dev, "vbus"); ++ if (PTR_ERR(nop->vbus_draw) == -ENODEV) ++ nop->vbus_draw = NULL; ++ if (IS_ERR(nop->vbus_draw)) ++ return dev_err_probe(dev, PTR_ERR(nop->vbus_draw), ++ "could not get vbus regulator\n"); ++ + nop->dev = dev; + nop->phy.dev = nop->dev; + nop->phy.label = "nop-xceiv"; +-- +2.43.0 +