From: Greg Kroah-Hartman Date: Sat, 9 Nov 2024 15:03:08 +0000 (+0100) Subject: 5.10-stable patches X-Git-Tag: v5.15.172~59 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ed1aede5c12dcf05bd5373d86d80bf60010d7532;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: dm-cache-correct-the-number-of-origin-blocks-to-match-the-target-length.patch dm-cache-fix-out-of-bounds-access-to-the-dirty-bitset-when-resizing.patch dm-cache-fix-potential-out-of-bounds-access-on-the-first-resume.patch dm-cache-optimize-dirty-bit-checking-with-find_next_bit-when-resizing.patch dm-unstriped-cast-an-operand-to-sector_t-to-prevent-potential-uint32_t-overflow.patch drm-amdgpu-add-missing-size-check-in-amdgpu_debugfs_gprwave_read.patch drm-amdgpu-prevent-null-pointer-dereference-if-atif-is-not-supported.patch pwm-imx-tpm-use-correct-modulo-value-for-epwm-mode.patch --- diff --git a/queue-5.10/dm-cache-correct-the-number-of-origin-blocks-to-match-the-target-length.patch b/queue-5.10/dm-cache-correct-the-number-of-origin-blocks-to-match-the-target-length.patch new file mode 100644 index 00000000000..f7ca678dab9 --- /dev/null +++ b/queue-5.10/dm-cache-correct-the-number-of-origin-blocks-to-match-the-target-length.patch @@ -0,0 +1,100 @@ +From 235d2e739fcbe964c9ce179b4c991025662dcdb6 Mon Sep 17 00:00:00 2001 +From: Ming-Hung Tsai +Date: Tue, 22 Oct 2024 15:12:22 +0800 +Subject: dm cache: correct the number of origin blocks to match the target length + +From: Ming-Hung Tsai + +commit 235d2e739fcbe964c9ce179b4c991025662dcdb6 upstream. + +When creating a cache device, the actual size of the cache origin might +be greater than the specified cache target length. In such case, the +number of origin blocks should match the cache target length, not the +full size of the origin device, since access beyond the cache target is +not possible. This issue occurs when reducing the origin device size +using lvm, as lvreduce preloads the new cache table before resuming the +cache origin, which can result in incorrect sizes for the discard bitset +and smq hotspot blocks. + +Reproduce steps: + +1. create a cache device consists of 4096 origin blocks + +dmsetup create cmeta --table "0 8192 linear /dev/sdc 0" +dmsetup create cdata --table "0 65536 linear /dev/sdc 8192" +dmsetup create corig --table "0 524288 linear /dev/sdc 262144" +dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct +dmsetup create cache --table "0 524288 cache /dev/mapper/cmeta \ +/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0" + +2. reduce the cache origin to 2048 oblocks, in lvreduce's approach + +dmsetup reload corig --table "0 262144 linear /dev/sdc 262144" +dmsetup reload cache --table "0 262144 cache /dev/mapper/cmeta \ +/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0" +dmsetup suspend cache +dmsetup suspend corig +dmsetup suspend cdata +dmsetup suspend cmeta +dmsetup resume corig +dmsetup resume cdata +dmsetup resume cmeta +dmsetup resume cache + +3. shutdown the cache, and check the number of discard blocks in + superblock. The value is expected to be 2048, but actually is 4096. + +dmsetup remove cache corig cdata cmeta +dd if=/dev/sdc bs=1c count=8 skip=224 2>/dev/null | hexdump -e '1/8 "%u\n"' + +Fix by correcting the origin_blocks initialization in cache_create and +removing the unused origin_sectors from struct cache_args accordingly. + +Signed-off-by: Ming-Hung Tsai +Fixes: c6b4fcbad044 ("dm: add cache target") +Cc: stable@vger.kernel.org +Signed-off-by: Mikulas Patocka +Acked-by: Joe Thornber +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-cache-target.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/md/dm-cache-target.c ++++ b/drivers/md/dm-cache-target.c +@@ -2058,7 +2058,6 @@ struct cache_args { + sector_t cache_sectors; + + struct dm_dev *origin_dev; +- sector_t origin_sectors; + + uint32_t block_size; + +@@ -2140,6 +2139,7 @@ static int parse_cache_dev(struct cache_ + static int parse_origin_dev(struct cache_args *ca, struct dm_arg_set *as, + char **error) + { ++ sector_t origin_sectors; + int r; + + if (!at_least_one_arg(as, error)) +@@ -2152,8 +2152,8 @@ static int parse_origin_dev(struct cache + return r; + } + +- ca->origin_sectors = get_dev_size(ca->origin_dev); +- if (ca->ti->len > ca->origin_sectors) { ++ origin_sectors = get_dev_size(ca->origin_dev); ++ if (ca->ti->len > origin_sectors) { + *error = "Device size larger than cached device"; + return -EINVAL; + } +@@ -2462,7 +2462,7 @@ static int cache_create(struct cache_arg + + ca->metadata_dev = ca->origin_dev = ca->cache_dev = NULL; + +- origin_blocks = cache->origin_sectors = ca->origin_sectors; ++ origin_blocks = cache->origin_sectors = ti->len; + origin_blocks = block_div(origin_blocks, ca->block_size); + cache->origin_blocks = to_oblock(origin_blocks); + diff --git a/queue-5.10/dm-cache-fix-out-of-bounds-access-to-the-dirty-bitset-when-resizing.patch b/queue-5.10/dm-cache-fix-out-of-bounds-access-to-the-dirty-bitset-when-resizing.patch new file mode 100644 index 00000000000..f39e0267ecf --- /dev/null +++ b/queue-5.10/dm-cache-fix-out-of-bounds-access-to-the-dirty-bitset-when-resizing.patch @@ -0,0 +1,80 @@ +From 792227719725497ce10a8039803bec13f89f8910 Mon Sep 17 00:00:00 2001 +From: Ming-Hung Tsai +Date: Tue, 22 Oct 2024 15:13:16 +0800 +Subject: dm cache: fix out-of-bounds access to the dirty bitset when resizing + +From: Ming-Hung Tsai + +commit 792227719725497ce10a8039803bec13f89f8910 upstream. + +dm-cache checks the dirty bits of the cache blocks to be dropped when +shrinking the fast device, but an index bug in bitset iteration causes +out-of-bounds access. + +Reproduce steps: + +1. create a cache device of 1024 cache blocks (128 bytes dirty bitset) + +dmsetup create cmeta --table "0 8192 linear /dev/sdc 0" +dmsetup create cdata --table "0 131072 linear /dev/sdc 8192" +dmsetup create corig --table "0 524288 linear /dev/sdc 262144" +dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct +dmsetup create cache --table "0 524288 cache /dev/mapper/cmeta \ +/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0" + +2. shrink the fast device to 512 cache blocks, triggering out-of-bounds + access to the dirty bitset (offset 0x80) + +dmsetup suspend cache +dmsetup reload cdata --table "0 65536 linear /dev/sdc 8192" +dmsetup resume cdata +dmsetup resume cache + +KASAN reports: + + BUG: KASAN: vmalloc-out-of-bounds in cache_preresume+0x269/0x7b0 + Read of size 8 at addr ffffc900000f3080 by task dmsetup/131 + + (...snip...) + The buggy address belongs to the virtual mapping at + [ffffc900000f3000, ffffc900000f5000) created by: + cache_ctr+0x176a/0x35f0 + + (...snip...) + Memory state around the buggy address: + ffffc900000f2f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 + ffffc900000f3000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + >ffffc900000f3080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 + ^ + ffffc900000f3100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 + ffffc900000f3180: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 + +Fix by making the index post-incremented. + +Signed-off-by: Ming-Hung Tsai +Fixes: f494a9c6b1b6 ("dm cache: cache shrinking support") +Cc: stable@vger.kernel.org +Signed-off-by: Mikulas Patocka +Acked-by: Joe Thornber +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-cache-target.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/md/dm-cache-target.c ++++ b/drivers/md/dm-cache-target.c +@@ -2966,13 +2966,13 @@ static bool can_resize(struct cache *cac + * We can't drop a dirty block when shrinking the cache. + */ + while (from_cblock(new_size) < from_cblock(cache->cache_size)) { +- new_size = to_cblock(from_cblock(new_size) + 1); + if (is_dirty(cache, new_size)) { + DMERR("%s: unable to shrink cache; cache block %llu is dirty", + cache_device_name(cache), + (unsigned long long) from_cblock(new_size)); + return false; + } ++ new_size = to_cblock(from_cblock(new_size) + 1); + } + + return true; diff --git a/queue-5.10/dm-cache-fix-potential-out-of-bounds-access-on-the-first-resume.patch b/queue-5.10/dm-cache-fix-potential-out-of-bounds-access-on-the-first-resume.patch new file mode 100644 index 00000000000..f3b32a5dd52 --- /dev/null +++ b/queue-5.10/dm-cache-fix-potential-out-of-bounds-access-on-the-first-resume.patch @@ -0,0 +1,137 @@ +From c0ade5d98979585d4f5a93e4514c2e9a65afa08d Mon Sep 17 00:00:00 2001 +From: Ming-Hung Tsai +Date: Tue, 22 Oct 2024 15:13:54 +0800 +Subject: dm cache: fix potential out-of-bounds access on the first resume + +From: Ming-Hung Tsai + +commit c0ade5d98979585d4f5a93e4514c2e9a65afa08d upstream. + +Out-of-bounds access occurs if the fast device is expanded unexpectedly +before the first-time resume of the cache table. This happens because +expanding the fast device requires reloading the cache table for +cache_create to allocate new in-core data structures that fit the new +size, and the check in cache_preresume is not performed during the +first resume, leading to the issue. + +Reproduce steps: + +1. prepare component devices: + +dmsetup create cmeta --table "0 8192 linear /dev/sdc 0" +dmsetup create cdata --table "0 65536 linear /dev/sdc 8192" +dmsetup create corig --table "0 524288 linear /dev/sdc 262144" +dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct + +2. load a cache table of 512 cache blocks, and deliberately expand the + fast device before resuming the cache, making the in-core data + structures inadequate. + +dmsetup create cache --notable +dmsetup reload cache --table "0 524288 cache /dev/mapper/cmeta \ +/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0" +dmsetup reload cdata --table "0 131072 linear /dev/sdc 8192" +dmsetup resume cdata +dmsetup resume cache + +3. suspend the cache to write out the in-core dirty bitset and hint + array, leading to out-of-bounds access to the dirty bitset at offset + 0x40: + +dmsetup suspend cache + +KASAN reports: + + BUG: KASAN: vmalloc-out-of-bounds in is_dirty_callback+0x2b/0x80 + Read of size 8 at addr ffffc90000085040 by task dmsetup/90 + + (...snip...) + The buggy address belongs to the virtual mapping at + [ffffc90000085000, ffffc90000087000) created by: + cache_ctr+0x176a/0x35f0 + + (...snip...) + Memory state around the buggy address: + ffffc90000084f00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 + ffffc90000084f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 + >ffffc90000085000: 00 00 00 00 00 00 00 00 f8 f8 f8 f8 f8 f8 f8 f8 + ^ + ffffc90000085080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 + ffffc90000085100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 + +Fix by checking the size change on the first resume. + +Signed-off-by: Ming-Hung Tsai +Fixes: f494a9c6b1b6 ("dm cache: cache shrinking support") +Cc: stable@vger.kernel.org +Signed-off-by: Mikulas Patocka +Acked-by: Joe Thornber +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-cache-target.c | 37 ++++++++++++++++--------------------- + 1 file changed, 16 insertions(+), 21 deletions(-) + +--- a/drivers/md/dm-cache-target.c ++++ b/drivers/md/dm-cache-target.c +@@ -2955,24 +2955,24 @@ static dm_cblock_t get_cache_dev_size(st + static bool can_resize(struct cache *cache, dm_cblock_t new_size) + { + if (from_cblock(new_size) > from_cblock(cache->cache_size)) { +- if (cache->sized) { +- DMERR("%s: unable to extend cache due to missing cache table reload", +- cache_device_name(cache)); +- return false; +- } ++ DMERR("%s: unable to extend cache due to missing cache table reload", ++ cache_device_name(cache)); ++ return false; + } + + /* + * We can't drop a dirty block when shrinking the cache. + */ +- new_size = to_cblock(find_next_bit(cache->dirty_bitset, +- from_cblock(cache->cache_size), +- from_cblock(new_size))); +- if (new_size != cache->cache_size) { +- DMERR("%s: unable to shrink cache; cache block %llu is dirty", +- cache_device_name(cache), +- (unsigned long long) from_cblock(new_size)); +- return false; ++ if (cache->loaded_mappings) { ++ new_size = to_cblock(find_next_bit(cache->dirty_bitset, ++ from_cblock(cache->cache_size), ++ from_cblock(new_size))); ++ if (new_size != cache->cache_size) { ++ DMERR("%s: unable to shrink cache; cache block %llu is dirty", ++ cache_device_name(cache), ++ (unsigned long long) from_cblock(new_size)); ++ return false; ++ } + } + + return true; +@@ -3003,20 +3003,15 @@ static int cache_preresume(struct dm_tar + /* + * Check to see if the cache has resized. + */ +- if (!cache->sized) { +- r = resize_cache_dev(cache, csize); +- if (r) +- return r; +- +- cache->sized = true; +- +- } else if (csize != cache->cache_size) { ++ if (!cache->sized || csize != cache->cache_size) { + if (!can_resize(cache, csize)) + return -EINVAL; + + r = resize_cache_dev(cache, csize); + if (r) + return r; ++ ++ cache->sized = true; + } + + if (!cache->loaded_mappings) { diff --git a/queue-5.10/dm-cache-optimize-dirty-bit-checking-with-find_next_bit-when-resizing.patch b/queue-5.10/dm-cache-optimize-dirty-bit-checking-with-find_next_bit-when-resizing.patch new file mode 100644 index 00000000000..a2cc0b903fb --- /dev/null +++ b/queue-5.10/dm-cache-optimize-dirty-bit-checking-with-find_next_bit-when-resizing.patch @@ -0,0 +1,49 @@ +From f484697e619a83ecc370443a34746379ad99d204 Mon Sep 17 00:00:00 2001 +From: Ming-Hung Tsai +Date: Tue, 22 Oct 2024 15:13:39 +0800 +Subject: dm cache: optimize dirty bit checking with find_next_bit when resizing + +From: Ming-Hung Tsai + +commit f484697e619a83ecc370443a34746379ad99d204 upstream. + +When shrinking the fast device, dm-cache iteratively searches for a +dirty bit among the cache blocks to be dropped, which is less efficient. +Use find_next_bit instead, as it is twice as fast as the iterative +approach with test_bit. + +Signed-off-by: Ming-Hung Tsai +Fixes: f494a9c6b1b6 ("dm cache: cache shrinking support") +Cc: stable@vger.kernel.org +Signed-off-by: Mikulas Patocka +Acked-by: Joe Thornber +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-cache-target.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +--- a/drivers/md/dm-cache-target.c ++++ b/drivers/md/dm-cache-target.c +@@ -2965,14 +2965,14 @@ static bool can_resize(struct cache *cac + /* + * We can't drop a dirty block when shrinking the cache. + */ +- while (from_cblock(new_size) < from_cblock(cache->cache_size)) { +- if (is_dirty(cache, new_size)) { +- DMERR("%s: unable to shrink cache; cache block %llu is dirty", +- cache_device_name(cache), +- (unsigned long long) from_cblock(new_size)); +- return false; +- } +- new_size = to_cblock(from_cblock(new_size) + 1); ++ new_size = to_cblock(find_next_bit(cache->dirty_bitset, ++ from_cblock(cache->cache_size), ++ from_cblock(new_size))); ++ if (new_size != cache->cache_size) { ++ DMERR("%s: unable to shrink cache; cache block %llu is dirty", ++ cache_device_name(cache), ++ (unsigned long long) from_cblock(new_size)); ++ return false; + } + + return true; diff --git a/queue-5.10/dm-unstriped-cast-an-operand-to-sector_t-to-prevent-potential-uint32_t-overflow.patch b/queue-5.10/dm-unstriped-cast-an-operand-to-sector_t-to-prevent-potential-uint32_t-overflow.patch new file mode 100644 index 00000000000..2efc594ce07 --- /dev/null +++ b/queue-5.10/dm-unstriped-cast-an-operand-to-sector_t-to-prevent-potential-uint32_t-overflow.patch @@ -0,0 +1,41 @@ +From 5a4510c762fc04c74cff264cd4d9e9f5bf364bae Mon Sep 17 00:00:00 2001 +From: Zichen Xie +Date: Mon, 21 Oct 2024 14:54:45 -0500 +Subject: dm-unstriped: cast an operand to sector_t to prevent potential uint32_t overflow + +From: Zichen Xie + +commit 5a4510c762fc04c74cff264cd4d9e9f5bf364bae upstream. + +This was found by a static analyzer. +There may be a potential integer overflow issue in +unstripe_ctr(). uc->unstripe_offset and uc->unstripe_width are +defined as "sector_t"(uint64_t), while uc->unstripe, +uc->chunk_size and uc->stripes are all defined as "uint32_t". +The result of the calculation will be limited to "uint32_t" +without correct casting. +So, we recommend adding an extra cast to prevent potential +integer overflow. + +Fixes: 18a5bf270532 ("dm: add unstriped target") +Signed-off-by: Zichen Xie +Signed-off-by: Mikulas Patocka +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-unstripe.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/md/dm-unstripe.c ++++ b/drivers/md/dm-unstripe.c +@@ -84,8 +84,8 @@ static int unstripe_ctr(struct dm_target + } + uc->physical_start = start; + +- uc->unstripe_offset = uc->unstripe * uc->chunk_size; +- uc->unstripe_width = (uc->stripes - 1) * uc->chunk_size; ++ uc->unstripe_offset = (sector_t)uc->unstripe * uc->chunk_size; ++ uc->unstripe_width = (sector_t)(uc->stripes - 1) * uc->chunk_size; + uc->chunk_shift = is_power_of_2(uc->chunk_size) ? fls(uc->chunk_size) - 1 : 0; + + tmp_len = ti->len; diff --git a/queue-5.10/drm-amdgpu-add-missing-size-check-in-amdgpu_debugfs_gprwave_read.patch b/queue-5.10/drm-amdgpu-add-missing-size-check-in-amdgpu_debugfs_gprwave_read.patch new file mode 100644 index 00000000000..c7f0550154f --- /dev/null +++ b/queue-5.10/drm-amdgpu-add-missing-size-check-in-amdgpu_debugfs_gprwave_read.patch @@ -0,0 +1,31 @@ +From 4d75b9468021c73108b4439794d69e892b1d24e3 Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Wed, 23 Oct 2024 16:52:08 -0400 +Subject: drm/amdgpu: add missing size check in amdgpu_debugfs_gprwave_read() + +From: Alex Deucher + +commit 4d75b9468021c73108b4439794d69e892b1d24e3 upstream. + +Avoid a possible buffer overflow if size is larger than 4K. + +Reviewed-by: Yang Wang +Signed-off-by: Alex Deucher +(cherry picked from commit f5d873f5825b40d886d03bd2aede91d4cf002434) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c +@@ -396,7 +396,7 @@ static ssize_t amdgpu_debugfs_regs_pcie_ + ssize_t result = 0; + int r; + +- if (size & 0x3 || *pos & 0x3) ++ if (size > 4096 || size & 0x3 || *pos & 0x3) + return -EINVAL; + + r = pm_runtime_get_sync(adev_to_drm(adev)->dev); diff --git a/queue-5.10/drm-amdgpu-prevent-null-pointer-dereference-if-atif-is-not-supported.patch b/queue-5.10/drm-amdgpu-prevent-null-pointer-dereference-if-atif-is-not-supported.patch new file mode 100644 index 00000000000..b30c8e5aaab --- /dev/null +++ b/queue-5.10/drm-amdgpu-prevent-null-pointer-dereference-if-atif-is-not-supported.patch @@ -0,0 +1,46 @@ +From a6dd15981c03f2cdc9a351a278f09b5479d53d2e Mon Sep 17 00:00:00 2001 +From: Antonio Quartulli +Date: Thu, 31 Oct 2024 16:28:48 +0100 +Subject: drm/amdgpu: prevent NULL pointer dereference if ATIF is not supported + +From: Antonio Quartulli + +commit a6dd15981c03f2cdc9a351a278f09b5479d53d2e upstream. + +acpi_evaluate_object() may return AE_NOT_FOUND (failure), which +would result in dereferencing buffer.pointer (obj) while being NULL. + +Although this case may be unrealistic for the current code, it is +still better to protect against possible bugs. + +Bail out also when status is AE_NOT_FOUND. + +This fixes 1 FORWARD_NULL issue reported by Coverity +Report: CID 1600951: Null pointer dereferences (FORWARD_NULL) + +Signed-off-by: Antonio Quartulli +Fixes: c9b7c809b89f ("drm/amd: Guard against bad data for ATIF ACPI method") +Reviewed-by: Mario Limonciello +Link: https://lore.kernel.org/r/20241031152848.4716-1-antonio@mandelbit.com +Signed-off-by: Mario Limonciello +Signed-off-by: Alex Deucher +(cherry picked from commit 91c9e221fe2553edf2db71627d8453f083de87a1) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c +@@ -112,8 +112,8 @@ static union acpi_object *amdgpu_atif_ca + &buffer); + obj = (union acpi_object *)buffer.pointer; + +- /* Fail if calling the method fails and ATIF is supported */ +- if (ACPI_FAILURE(status) && status != AE_NOT_FOUND) { ++ /* Fail if calling the method fails */ ++ if (ACPI_FAILURE(status)) { + DRM_DEBUG_DRIVER("failed to evaluate ATIF got %s\n", + acpi_format_exception(status)); + kfree(obj); diff --git a/queue-5.10/pwm-imx-tpm-use-correct-modulo-value-for-epwm-mode.patch b/queue-5.10/pwm-imx-tpm-use-correct-modulo-value-for-epwm-mode.patch new file mode 100644 index 00000000000..92822d58946 --- /dev/null +++ b/queue-5.10/pwm-imx-tpm-use-correct-modulo-value-for-epwm-mode.patch @@ -0,0 +1,44 @@ +From cc6a931d1f3b412263d515fd93b21fc0ca5147fe Mon Sep 17 00:00:00 2001 +From: Erik Schumacher +Date: Fri, 25 Oct 2024 08:37:00 +0000 +Subject: pwm: imx-tpm: Use correct MODULO value for EPWM mode +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Erik Schumacher + +commit cc6a931d1f3b412263d515fd93b21fc0ca5147fe upstream. + +The modulo register defines the period of the edge-aligned PWM mode +(which is the only mode implemented). The reference manual states: +"The EPWM period is determined by (MOD + 0001h) ..." So the value that +is written to the MOD register must therefore be one less than the +calculated period length. Return -EINVAL if the calculated length is +already zero. +A correct MODULO value is particularly relevant if the PWM has to output +a high frequency due to a low period value. + +Fixes: 738a1cfec2ed ("pwm: Add i.MX TPM PWM driver support") +Cc: stable@vger.kernel.org +Signed-off-by: Erik Schumacher +Link: https://lore.kernel.org/r/1a3890966d68b9f800d457cbf095746627495e18.camel@iris-sensing.com +Signed-off-by: Uwe Kleine-König +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pwm/pwm-imx-tpm.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/pwm/pwm-imx-tpm.c ++++ b/drivers/pwm/pwm-imx-tpm.c +@@ -106,7 +106,9 @@ static int pwm_imx_tpm_round_state(struc + p->prescale = prescale; + + period_count = (clock_unit + ((1 << prescale) >> 1)) >> prescale; +- p->mod = period_count; ++ if (period_count == 0) ++ return -EINVAL; ++ p->mod = period_count - 1; + + /* calculate real period HW can support */ + tmp = (u64)period_count << prescale; diff --git a/queue-5.10/series b/queue-5.10/series index 8bb839874ac..4290e0d3436 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -30,3 +30,11 @@ media-s5p-jpeg-prevent-buffer-overflows.patch media-cx24116-prevent-overflows-on-snr-calculus.patch media-pulse8-cec-fix-data-timestamp-at-pulse8_setup.patch media-v4l2-tpg-prevent-the-risk-of-a-division-by-zero.patch +pwm-imx-tpm-use-correct-modulo-value-for-epwm-mode.patch +drm-amdgpu-add-missing-size-check-in-amdgpu_debugfs_gprwave_read.patch +drm-amdgpu-prevent-null-pointer-dereference-if-atif-is-not-supported.patch +dm-cache-correct-the-number-of-origin-blocks-to-match-the-target-length.patch +dm-cache-fix-out-of-bounds-access-to-the-dirty-bitset-when-resizing.patch +dm-cache-optimize-dirty-bit-checking-with-find_next_bit-when-resizing.patch +dm-cache-fix-potential-out-of-bounds-access-on-the-first-resume.patch +dm-unstriped-cast-an-operand-to-sector_t-to-prevent-potential-uint32_t-overflow.patch