From: Greg Kroah-Hartman Date: Thu, 13 Jun 2024 10:15:22 +0000 (+0200) Subject: 6.9-stable patches X-Git-Tag: v4.19.316~37 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=efba663bb0bb28044253247bfa45393eb40ccab8;p=thirdparty%2Fkernel%2Fstable-queue.git 6.9-stable patches added patches: alsa-ump-don-t-accept-an-invalid-ump-protocol-number.patch alsa-ump-don-t-clear-bank-selection-after-sending-a-program-change.patch arm-dts-samsung-exynos4412-origen-fix-keypad-no-autorepeat.patch arm-dts-samsung-smdk4412-fix-keypad-no-autorepeat.patch arm-dts-samsung-smdkv310-fix-keypad-no-autorepeat.patch asoc-sof-ipc4-topology-fix-input-format-query-of-process-modules-without-base-extension.patch ext4-fix-mb_cache_entry-s-e_refcnt-leak-in-ext4_xattr_block_cache_find.patch ext4-fixes-len-calculation-in-mpage_journal_page_buffers.patch ext4-set-type-of-ac_groups_linear_remaining-to-__u32-to-avoid-overflow.patch genirq-irqdesc-prevent-use-after-free-in-irq_find_at_or_after.patch hwmon-ltc2992-fix-memory-leak-in-ltc2992_parse_dt.patch i3c-master-svc-fix-invalidate-ibi-type-and-miss-call-client-ibi-handler.patch parisc-define-have_arch_hugetlb_unmapped_area.patch parisc-define-sigset_t-in-parisc-uapi-header.patch riscv-dts-starfive-remove-pmic-interrupt-info-for-visionfive-2-board.patch riscv-enable-have_arch_huge_vmap-for-xip-kernel.patch s390-ap-fix-crash-in-ap-internal-function-modify_bitmap.patch s390-cpacf-make-use-of-invalid-opcode-produce-a-link-error.patch s390-cpacf-split-and-rework-cpacf-query-functions.patch --- diff --git a/queue-6.9/alsa-ump-don-t-accept-an-invalid-ump-protocol-number.patch b/queue-6.9/alsa-ump-don-t-accept-an-invalid-ump-protocol-number.patch new file mode 100644 index 00000000000..fcc29b28e55 --- /dev/null +++ b/queue-6.9/alsa-ump-don-t-accept-an-invalid-ump-protocol-number.patch 
@@ -0,0 +1,43 @@
+From ac0d71ee534e67c7e53439e8e9cb45ed40731660 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Wed, 29 May 2024 18:47:16 +0200
+Subject: ALSA: ump: Don't accept an invalid UMP protocol number
+
+From: Takashi Iwai
+
+commit ac0d71ee534e67c7e53439e8e9cb45ed40731660 upstream.
+
+When a UMP Stream Configuration message is received, the driver tries
+to switch the protocol, but there was no sanity check of the protocol,
+hence it can pass an invalid value. Add the check and bail out if a
+wrong value is passed.
+
+Fixes: a79807683781 ("ALSA: ump: Add helper to change MIDI protocol")
+Cc:
+Link: https://lore.kernel.org/r/20240529164723.18309-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/core/ump.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/sound/core/ump.c
++++ b/sound/core/ump.c
+@@ -685,10 +685,17 @@ static void seq_notify_protocol(struct s
+ */
+ int snd_ump_switch_protocol(struct snd_ump_endpoint *ump, unsigned int protocol)
+ {
++ unsigned int type;
++
+ protocol &= ump->info.protocol_caps;
+ if (protocol == ump->info.protocol)
+ return 0;
+
++ type = protocol & SNDRV_UMP_EP_INFO_PROTO_MIDI_MASK;
++ if (type != SNDRV_UMP_EP_INFO_PROTO_MIDI1 &&
++ type != SNDRV_UMP_EP_INFO_PROTO_MIDI2)
++ return 0;
++
+ ump->info.protocol = protocol;
+ ump_dbg(ump, "New protocol = %x (caps = %x)\n",
+ protocol, ump->info.protocol_caps);
diff --git a/queue-6.9/alsa-ump-don-t-clear-bank-selection-after-sending-a-program-change.patch b/queue-6.9/alsa-ump-don-t-clear-bank-selection-after-sending-a-program-change.patch
new file mode 100644
index 00000000000..ca611e1f42e
--- /dev/null
+++ b/queue-6.9/alsa-ump-don-t-clear-bank-selection-after-sending-a-program-change.patch
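Review bot: The new `return 0` for an invalid protocol type in snd_ump_switch_protocol() is indistinguishable from the existing `return 0` for "already on this protocol", and nothing is logged when a value that arrived in a received Stream Configuration message is rejected. Consider a trace right before that return, e.g. `ump_dbg(ump, "Invalid protocol = %x (caps = %x), skipping\n", protocol, ump->info.protocol_caps);`, so an endpoint sending malformed requests is visible when debugging. The function's kernel-doc starts above the hunk; it should also state that a request whose MIDI type is neither MIDI1 nor MIDI2 is ignored and still reported as success.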
@@ -0,0 +1,33 @@ +From fe85f6e607d75b856e7229924c71f55e005f8284 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Wed, 29 May 2024 10:38:21 +0200 +Subject: ALSA: ump: Don't clear bank selection after sending a program change + +From: Takashi Iwai + +commit fe85f6e607d75b856e7229924c71f55e005f8284 upstream. + +The current code clears the bank selection MSB/LSB after sending a +program change, but this can be wrong, as many apps may not send the +full bank selection with both MSB and LSB but sending only one. +Better to keep the previous bank set. + +Fixes: 0b5288f5fe63 ("ALSA: ump: Add legacy raw MIDI support") +Cc: +Link: https://lore.kernel.org/r/20240529083823.5778-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/core/ump_convert.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/sound/core/ump_convert.c ++++ b/sound/core/ump_convert.c +@@ -404,7 +404,6 @@ static int cvt_legacy_cmd_to_ump(struct + midi2->pg.bank_msb = cc->cc_bank_msb; + midi2->pg.bank_lsb = cc->cc_bank_lsb; + cc->bank_set = 0; +- cc->cc_bank_msb = cc->cc_bank_lsb = 0; + } + break; + case UMP_MSG_STATUS_CHANNEL_PRESSURE: diff --git a/queue-6.9/arm-dts-samsung-exynos4412-origen-fix-keypad-no-autorepeat.patch b/queue-6.9/arm-dts-samsung-exynos4412-origen-fix-keypad-no-autorepeat.patch new file mode 100644 index 00000000000..9c012485943 --- /dev/null +++ b/queue-6.9/arm-dts-samsung-exynos4412-origen-fix-keypad-no-autorepeat.patch 
@@ -0,0 +1,38 @@ +From 88208d3cd79821117fd3fb80d9bcab618467d37b Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Tue, 12 Mar 2024 19:31:03 +0100 +Subject: ARM: dts: samsung: exynos4412-origen: fix keypad no-autorepeat + +From: Krzysztof Kozlowski + +commit 88208d3cd79821117fd3fb80d9bcab618467d37b upstream. + +Although the Samsung SoC keypad binding defined +linux,keypad-no-autorepeat property, Linux driver never implemented it +and always used linux,input-no-autorepeat. Correct the DTS to use +property actually implemented. + +This also fixes dtbs_check errors like: + + exynos4412-origen.dtb: keypad@100a0000: 'linux,keypad-no-autorepeat' does not match any of the regexes: '^key-[0-9a-z]+$', 'pinctrl-[0-9]+' + +Cc: +Fixes: bd08f6277e44 ("ARM: dts: Add keypad entries to Exynos4412 based Origen") +Link: https://lore.kernel.org/r/20240312183105.715735-2-krzysztof.kozlowski@linaro.org +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/samsung/exynos4412-origen.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/boot/dts/samsung/exynos4412-origen.dts ++++ b/arch/arm/boot/dts/samsung/exynos4412-origen.dts +@@ -453,7 +453,7 @@ + &keypad { + samsung,keypad-num-rows = <3>; + samsung,keypad-num-columns = <2>; +- linux,keypad-no-autorepeat; ++ linux,input-no-autorepeat; + wakeup-source; + pinctrl-0 = <&keypad_rows &keypad_cols>; + pinctrl-names = "default"; diff --git a/queue-6.9/arm-dts-samsung-smdk4412-fix-keypad-no-autorepeat.patch b/queue-6.9/arm-dts-samsung-smdk4412-fix-keypad-no-autorepeat.patch new file mode 100644 index 00000000000..5854a3ed7d3 --- /dev/null +++ b/queue-6.9/arm-dts-samsung-smdk4412-fix-keypad-no-autorepeat.patch 
@@ -0,0 +1,38 @@ +From 4ac4c1d794e7ff454d191bbdab7585ed8dbf3758 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Tue, 12 Mar 2024 19:31:04 +0100 +Subject: ARM: dts: samsung: smdk4412: fix keypad no-autorepeat + +From: Krzysztof Kozlowski + +commit 4ac4c1d794e7ff454d191bbdab7585ed8dbf3758 upstream. + +Although the Samsung SoC keypad binding defined +linux,keypad-no-autorepeat property, Linux driver never implemented it +and always used linux,input-no-autorepeat. Correct the DTS to use +property actually implemented. + +This also fixes dtbs_check errors like: + + exynos4412-smdk4412.dtb: keypad@100a0000: 'key-A', 'key-B', 'key-C', 'key-D', 'key-E', 'linux,keypad-no-autorepeat' do not match any of the regexes: '^key-[0-9a-z]+$', 'pinctrl-[0-9]+' + +Cc: +Fixes: c9b92dd70107 ("ARM: dts: Add keypad entries to SMDK4412") +Link: https://lore.kernel.org/r/20240312183105.715735-3-krzysztof.kozlowski@linaro.org +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/samsung/exynos4412-smdk4412.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/boot/dts/samsung/exynos4412-smdk4412.dts ++++ b/arch/arm/boot/dts/samsung/exynos4412-smdk4412.dts +@@ -69,7 +69,7 @@ + &keypad { + samsung,keypad-num-rows = <3>; + samsung,keypad-num-columns = <8>; +- linux,keypad-no-autorepeat; ++ linux,input-no-autorepeat; + wakeup-source; + pinctrl-0 = <&keypad_rows &keypad_cols>; + pinctrl-names = "default"; diff --git a/queue-6.9/arm-dts-samsung-smdkv310-fix-keypad-no-autorepeat.patch b/queue-6.9/arm-dts-samsung-smdkv310-fix-keypad-no-autorepeat.patch new file mode 100644 index 00000000000..1a1129c8b0b --- /dev/null +++ b/queue-6.9/arm-dts-samsung-smdkv310-fix-keypad-no-autorepeat.patch 
@@ -0,0 +1,38 @@ +From 87d8e522d6f5a004f0aa06c0def302df65aff296 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Tue, 12 Mar 2024 19:31:02 +0100 +Subject: ARM: dts: samsung: smdkv310: fix keypad no-autorepeat + +From: Krzysztof Kozlowski + +commit 87d8e522d6f5a004f0aa06c0def302df65aff296 upstream. + +Although the Samsung SoC keypad binding defined +linux,keypad-no-autorepeat property, Linux driver never implemented it +and always used linux,input-no-autorepeat. Correct the DTS to use +property actually implemented. + +This also fixes dtbs_check errors like: + + exynos4210-smdkv310.dtb: keypad@100a0000: 'linux,keypad-no-autorepeat' does not match any of the regexes: '^key-[0-9a-z]+$', 'pinctrl-[0-9]+' + +Cc: +Fixes: 0561ceabd0f1 ("ARM: dts: Add intial dts file for EXYNOS4210 SoC, SMDKV310 and ORIGEN") +Link: https://lore.kernel.org/r/20240312183105.715735-1-krzysztof.kozlowski@linaro.org +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/samsung/exynos4210-smdkv310.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/boot/dts/samsung/exynos4210-smdkv310.dts ++++ b/arch/arm/boot/dts/samsung/exynos4210-smdkv310.dts +@@ -88,7 +88,7 @@ + &keypad { + samsung,keypad-num-rows = <2>; + samsung,keypad-num-columns = <8>; +- linux,keypad-no-autorepeat; ++ linux,input-no-autorepeat; + wakeup-source; + pinctrl-names = "default"; + pinctrl-0 = <&keypad_rows &keypad_cols>; diff --git a/queue-6.9/asoc-sof-ipc4-topology-fix-input-format-query-of-process-modules-without-base-extension.patch b/queue-6.9/asoc-sof-ipc4-topology-fix-input-format-query-of-process-modules-without-base-extension.patch new file mode 100644 index 00000000000..e10cfe01b8e --- /dev/null +++ b/queue-6.9/asoc-sof-ipc4-topology-fix-input-format-query-of-process-modules-without-base-extension.patch 
@@ -0,0 +1,44 @@
+From ffa077b2f6ad124ec3d23fbddc5e4b0ff2647af8 Mon Sep 17 00:00:00 2001
+From: Peter Ujfalusi
+Date: Wed, 29 May 2024 15:12:01 +0300
+Subject: ASoC: SOF: ipc4-topology: Fix input format query of process modules without base extension
+
+From: Peter Ujfalusi
+
+commit ffa077b2f6ad124ec3d23fbddc5e4b0ff2647af8 upstream.
+
+If a process module does not have base config extension then the same
+format applies to all of it's inputs and the process->base_config_ext is
+NULL, causing NULL dereference when specifically crafted topology and
+sequences used.
+
+Fixes: 648fea128476 ("ASoC: SOF: ipc4-topology: set copier output format for process module")
+Signed-off-by: Peter Ujfalusi
+Reviewed-by: Pierre-Louis Bossart
+Reviewed-by: Seppo Ingalsuo
+Reviewed-by: Ranjani Sridharan
+Cc: stable@vger.kernel.org
+Link: https://msgid.link/r/20240529121201.14687-1-peter.ujfalusi@linux.intel.com
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/soc/sof/ipc4-topology.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/sound/soc/sof/ipc4-topology.c
++++ b/sound/soc/sof/ipc4-topology.c
+@@ -217,6 +217,14 @@ sof_ipc4_get_input_pin_audio_fmt(struct
+ }
+
+ process = swidget->private;
++
++ /*
++ * For process modules without base config extension, base module config
++ * format is used for all input pins
++ */
++ if (process->init_config != SOF_IPC4_MODULE_INIT_CONFIG_TYPE_BASE_CFG_WITH_EXT)
++ return &process->base_config.audio_fmt;
++
+ base_cfg_ext = process->base_config_ext;
+
+ /*
diff --git a/queue-6.9/ext4-fix-mb_cache_entry-s-e_refcnt-leak-in-ext4_xattr_block_cache_find.patch b/queue-6.9/ext4-fix-mb_cache_entry-s-e_refcnt-leak-in-ext4_xattr_block_cache_find.patch
new file mode 100644
index 00000000000..201f553e138
--- /dev/null
+++ b/queue-6.9/ext4-fix-mb_cache_entry-s-e_refcnt-leak-in-ext4_xattr_block_cache_find.patch
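Review bot: The added guard in sof_ipc4_get_input_pin_audio_fmt() tests `process->init_config`, not the pointer that is dereferenced afterwards, so it protects only as long as every module whose init_config is SOF_IPC4_MODULE_INIT_CONFIG_TYPE_BASE_CFG_WITH_EXT really has `base_config_ext` allocated. That invariant is established outside this hunk, and the commit message says the trigger is topology data that can be specifically crafted, so checking the pointer as well is cheap insurance: `if (process->init_config != SOF_IPC4_MODULE_INIT_CONFIG_TYPE_BASE_CFG_WITH_EXT || !process->base_config_ext)`. The function body starts and ends outside the hunk.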
@@ -0,0 +1,59 @@ +From 0c0b4a49d3e7f49690a6827a41faeffad5df7e21 Mon Sep 17 00:00:00 2001 +From: Baokun Li +Date: Sat, 4 May 2024 15:55:25 +0800 +Subject: ext4: fix mb_cache_entry's e_refcnt leak in ext4_xattr_block_cache_find() + +From: Baokun Li + +commit 0c0b4a49d3e7f49690a6827a41faeffad5df7e21 upstream. + +Syzbot reports a warning as follows: + +============================================ +WARNING: CPU: 0 PID: 5075 at fs/mbcache.c:419 mb_cache_destroy+0x224/0x290 +Modules linked in: +CPU: 0 PID: 5075 Comm: syz-executor199 Not tainted 6.9.0-rc6-gb947cc5bf6d7 +RIP: 0010:mb_cache_destroy+0x224/0x290 fs/mbcache.c:419 +Call Trace: + + ext4_put_super+0x6d4/0xcd0 fs/ext4/super.c:1375 + generic_shutdown_super+0x136/0x2d0 fs/super.c:641 + kill_block_super+0x44/0x90 fs/super.c:1675 + ext4_kill_sb+0x68/0xa0 fs/ext4/super.c:7327 +[...] +============================================ + +This is because when finding an entry in ext4_xattr_block_cache_find(), if +ext4_sb_bread() returns -ENOMEM, the ce's e_refcnt, which has already grown +in the __entry_find(), won't be put away, and eventually trigger the above +issue in mb_cache_destroy() due to reference count leakage. + +So call mb_cache_entry_put() on the -ENOMEM error branch as a quick fix. 
+ +Reported-by: syzbot+dd43bd0f7474512edc47@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=dd43bd0f7474512edc47 +Fixes: fb265c9cb49e ("ext4: add ext4_sb_bread() to disambiguate ENOMEM cases") +Cc: stable@kernel.org +Signed-off-by: Baokun Li +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20240504075526.2254349-2-libaokun@huaweicloud.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/xattr.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/fs/ext4/xattr.c ++++ b/fs/ext4/xattr.c +@@ -3113,8 +3113,10 @@ ext4_xattr_block_cache_find(struct inode + + bh = ext4_sb_bread(inode->i_sb, ce->e_value, REQ_PRIO); + if (IS_ERR(bh)) { +- if (PTR_ERR(bh) == -ENOMEM) ++ if (PTR_ERR(bh) == -ENOMEM) { ++ mb_cache_entry_put(ea_block_cache, ce); + return NULL; ++ } + bh = NULL; + EXT4_ERROR_INODE(inode, "block %lu read error", + (unsigned long)ce->e_value); diff --git a/queue-6.9/ext4-fixes-len-calculation-in-mpage_journal_page_buffers.patch b/queue-6.9/ext4-fixes-len-calculation-in-mpage_journal_page_buffers.patch new file mode 100644 index 00000000000..b4870fd08f3 --- /dev/null +++ b/queue-6.9/ext4-fixes-len-calculation-in-mpage_journal_page_buffers.patch 
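Review bot: The `mb_cache_entry_put()` added on the -ENOMEM branch of ext4_xattr_block_cache_find() carries no comment saying which reference it drops, and an early return like this one is easy to copy later without the put. A one-line comment above the call, such as `/* drop the reference the cache lookup took on ce before bailing out */`, would record why it is there. The loop and its other exits are outside the hunk, so whether the remaining error branch (`bh = NULL` followed by EXT4_ERROR_INODE) releases `ce` through the normal iteration step should be confirmed there.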
@@ -0,0 +1,36 @@
+From c2a09f3d782de952f09a3962d03b939e7fa7ffa4 Mon Sep 17 00:00:00 2001
+From: "Ritesh Harjani (IBM)"
+Date: Thu, 29 Feb 2024 11:40:13 +0530
+Subject: ext4: Fixes len calculation in mpage_journal_page_buffers
+
+From: Ritesh Harjani (IBM)
+
+commit c2a09f3d782de952f09a3962d03b939e7fa7ffa4 upstream.
+
+Truncate operation can race with writeback, in which inode->i_size can get
+truncated and therefore size - folio_pos() can be negative. This fixes the
+len calculation. However this path doesn't get easily triggered even
+with data journaling.
+
+Cc: stable@kernel.org # v6.5
+Fixes: 80be8c5cc925 ("Fixes: ext4: Make mpage_journal_page_buffers use folio")
+Signed-off-by: Ritesh Harjani (IBM)
+Reviewed-by: Jan Kara
+Link: https://lore.kernel.org/r/cff4953b5c9306aba71e944ab176a5d396b9a1b7.1709182250.git.ritesh.list@gmail.com
+Signed-off-by: Theodore Ts'o
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ext4/inode.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -2334,7 +2334,7 @@ static int mpage_journal_page_buffers(ha
+
+ if (folio_pos(folio) + len > size &&
+ !ext4_verity_in_progress(inode))
+- len = size - folio_pos(folio);
++ len = size & (len - 1);
+
+ return ext4_journal_folio_buffers(handle, folio, len);
+ }
diff --git a/queue-6.9/ext4-set-type-of-ac_groups_linear_remaining-to-__u32-to-avoid-overflow.patch b/queue-6.9/ext4-set-type-of-ac_groups_linear_remaining-to-__u32-to-avoid-overflow.patch
new file mode 100644
index 00000000000..9d92d2a01ff
--- /dev/null
+++ b/queue-6.9/ext4-set-type-of-ac_groups_linear_remaining-to-__u32-to-avoid-overflow.patch
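Review bot: `len = size & (len - 1);` in mpage_journal_page_buffers() only yields "the part of i_size that falls inside this folio" if `len` is a power of two at that point, and nothing in the hunk says so. Presumably `len` is initialised to the folio size just above (outside the hunk); a comment would make the assumption explicit, e.g. `/* len == folio size (power of two): keep only the bytes of the folio below i_size */`. It should also say what is expected when the racing truncate has moved `size` below `folio_pos(folio)` altogether, because the mask then still returns the low bits of `size` rather than 0.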
@@ -0,0 +1,38 @@
+From 9a9f3a9842927e4af7ca10c19c94dad83bebd713 Mon Sep 17 00:00:00 2001
+From: Baokun Li
+Date: Tue, 19 Mar 2024 19:33:23 +0800
+Subject: ext4: set type of ac_groups_linear_remaining to __u32 to avoid overflow
+
+From: Baokun Li
+
+commit 9a9f3a9842927e4af7ca10c19c94dad83bebd713 upstream.
+
+Now ac_groups_linear_remaining is of type __u16 and s_mb_max_linear_groups
+is of type unsigned int, so an overflow occurs when setting a value above
+65535 through the mb_max_linear_groups sysfs interface. Therefore, the
+type of ac_groups_linear_remaining is set to __u32 to avoid overflow.
+
+Fixes: 196e402adf2e ("ext4: improve cr 0 / cr 1 group scanning")
+CC: stable@kernel.org
+Signed-off-by: Baokun Li
+Reviewed-by: Zhang Yi
+Reviewed-by: Jan Kara
+Link: https://lore.kernel.org/r/20240319113325.3110393-8-libaokun1@huawei.com
+Signed-off-by: Theodore Ts'o
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ext4/mballoc.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ext4/mballoc.h
++++ b/fs/ext4/mballoc.h
+@@ -193,8 +193,8 @@ struct ext4_allocation_context {
+ ext4_grpblk_t ac_orig_goal_len;
+
+ __u32 ac_flags; /* allocation hints */
++ __u32 ac_groups_linear_remaining;
+ __u16 ac_groups_scanned;
+- __u16 ac_groups_linear_remaining;
+ __u16 ac_found;
+ __u16 ac_cX_found[EXT4_MB_NUM_CRS];
+ __u16 ac_tail;
diff --git a/queue-6.9/genirq-irqdesc-prevent-use-after-free-in-irq_find_at_or_after.patch b/queue-6.9/genirq-irqdesc-prevent-use-after-free-in-irq_find_at_or_after.patch
new file mode 100644
index 00000000000..a8fc2e6c0b5
--- /dev/null
+++ b/queue-6.9/genirq-irqdesc-prevent-use-after-free-in-irq_find_at_or_after.patch
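Review bot: Widening `ac_groups_linear_remaining` to `__u32` makes the field match `s_mb_max_linear_groups`, but the neighbouring `ac_groups_scanned` stays `__u16` and the hunk does not show whether any value assigned to or compared with it can exceed 65535 as well. The struct also has no comment tying the field width to the sysfs tunable, so a later repacking could reintroduce the truncation; a short one on the new line would help, e.g. `__u32 ac_groups_linear_remaining; /* same width as s_mb_max_linear_groups */`. The struct definition continues outside the hunk.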
@@ -0,0 +1,63 @@
+From b84a8aba806261d2f759ccedf4a2a6a80a5e55ba Mon Sep 17 00:00:00 2001
+From: "dicken.ding"
+Date: Fri, 24 May 2024 17:17:39 +0800
+Subject: genirq/irqdesc: Prevent use-after-free in irq_find_at_or_after()
+
+From: dicken.ding
+
+commit b84a8aba806261d2f759ccedf4a2a6a80a5e55ba upstream.
+
+irq_find_at_or_after() dereferences the interrupt descriptor which is
+returned by mt_find() while neither holding sparse_irq_lock nor RCU read
+lock, which means the descriptor can be freed between mt_find() and the
+dereference:
+
+ CPU0 CPU1
+ desc = mt_find()
+ delayed_free_desc(desc)
+ irq_desc_get_irq(desc)
+
+The use-after-free is reported by KASAN:
+
+ Call trace:
+ irq_get_next_irq+0x58/0x84
+ show_stat+0x638/0x824
+ seq_read_iter+0x158/0x4ec
+ proc_reg_read_iter+0x94/0x12c
+ vfs_read+0x1e0/0x2c8
+
+ Freed by task 4471:
+ slab_free_freelist_hook+0x174/0x1e0
+ __kmem_cache_free+0xa4/0x1dc
+ kfree+0x64/0x128
+ irq_kobj_release+0x28/0x3c
+ kobject_put+0xcc/0x1e0
+ delayed_free_desc+0x14/0x2c
+ rcu_do_batch+0x214/0x720
+
+Guard the access with a RCU read lock section.
+
+Fixes: 721255b9826b ("genirq: Use a maple tree for interrupt descriptor management")
+Signed-off-by: dicken.ding
+Signed-off-by: Thomas Gleixner
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20240524091739.31611-1-dicken.ding@mediatek.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/irq/irqdesc.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/kernel/irq/irqdesc.c
++++ b/kernel/irq/irqdesc.c
+@@ -160,7 +160,10 @@ static int irq_find_free_area(unsigned i
+ static unsigned int irq_find_at_or_after(unsigned int offset)
+ {
+ unsigned long index = offset;
+- struct irq_desc *desc = mt_find(&sparse_irqs, &index, nr_irqs);
++ struct irq_desc *desc;
++
++ guard(rcu)();
++ desc = mt_find(&sparse_irqs, &index, nr_irqs);
+
+ return desc ? irq_desc_get_irq(desc) : nr_irqs;
+ }
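Review bot: `guard(rcu)();` in irq_find_at_or_after() keeps the descriptor alive only until the function returns; what is handed back is a bare interrupt number, so a caller (irq_get_next_irq in the KASAN trace) still has to cope with that descriptor being freed before it looks the number up again. The guard also has no comment explaining why a lookup helper needs RCU; something like `/* descriptors are freed via RCU (delayed_free_desc); hold the read lock across mt_find() and the dereference */` above it would keep it from being removed as redundant.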
diff --git a/queue-6.9/hwmon-ltc2992-fix-memory-leak-in-ltc2992_parse_dt.patch b/queue-6.9/hwmon-ltc2992-fix-memory-leak-in-ltc2992_parse_dt.patch new file mode 100644 index 00000000000..4683903f092 --- /dev/null +++ b/queue-6.9/hwmon-ltc2992-fix-memory-leak-in-ltc2992_parse_dt.patch @@ -0,0 +1,41 @@ +From a94ff8e50c20bde6d50864849a98b106e45d30c6 Mon Sep 17 00:00:00 2001 +From: Javier Carrasco +Date: Thu, 23 May 2024 17:47:14 +0200 +Subject: hwmon: (ltc2992) Fix memory leak in ltc2992_parse_dt() + +From: Javier Carrasco + +commit a94ff8e50c20bde6d50864849a98b106e45d30c6 upstream. + +A new error path was added to the fwnode_for_each_available_node() loop +in ltc2992_parse_dt(), which leads to an early return that requires a +call to fwnode_handle_put() to avoid a memory leak in that case. + +Add the missing fwnode_handle_put() in the error path from a zero value +shunt resistor. + +Cc: stable@vger.kernel.org +Fixes: 10b029020487 ("hwmon: (ltc2992) Avoid division by zero") +Signed-off-by: Javier Carrasco +Link: https://lore.kernel.org/r/20240523-fwnode_for_each_available_child_node_scoped-v2-1-701f3a03f2fb@gmail.com +Signed-off-by: Guenter Roeck +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwmon/ltc2992.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/hwmon/ltc2992.c ++++ b/drivers/hwmon/ltc2992.c +@@ -876,9 +876,11 @@ static int ltc2992_parse_dt(struct ltc29 + + ret = fwnode_property_read_u32(child, "shunt-resistor-micro-ohms", &val); + if (!ret) { +- if (!val) ++ if (!val) { ++ fwnode_handle_put(child); + return dev_err_probe(&st->client->dev, -EINVAL, + "shunt resistor value cannot be zero\n"); ++ } + st->r_sense_uohm[addr] = val; + } + } diff --git a/queue-6.9/i3c-master-svc-fix-invalidate-ibi-type-and-miss-call-client-ibi-handler.patch b/queue-6.9/i3c-master-svc-fix-invalidate-ibi-type-and-miss-call-client-ibi-handler.patch new file mode 100644 index 00000000000..a2e8e8191a5 --- /dev/null 
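Review bot: The fix adds one more hand-written `fwnode_handle_put(child)` before an early return inside the child-node loop of ltc2992_parse_dt(), which is the pattern that produced the leak in the first place: every `return` later added to the loop body has to remember the put. The rest of the loop is outside the hunk, so its other exits should be checked for the same omission. If the tree this is queued for provides a scoped child-node iterator (the Link slug suggests the upstream series moves to one), converting the loop would remove the manual put; otherwise a comment at the top of the loop stating that early returns must drop `child` is the minimum.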
+++ b/queue-6.9/i3c-master-svc-fix-invalidate-ibi-type-and-miss-call-client-ibi-handler.patch 
@@ -0,0 +1,74 @@ +From 38baed9b8600008e5d7bc8cb9ceccc1af3dd54b7 Mon Sep 17 00:00:00 2001 +From: Frank Li +Date: Mon, 6 May 2024 12:40:09 -0400 +Subject: i3c: master: svc: fix invalidate IBI type and miss call client IBI handler + +From: Frank Li + +commit 38baed9b8600008e5d7bc8cb9ceccc1af3dd54b7 upstream. + +In an In-Band Interrupt (IBI) handle, the code logic is as follows: + +1: writel(SVC_I3C_MCTRL_REQUEST_AUTO_IBI | SVC_I3C_MCTRL_IBIRESP_AUTO, + master->regs + SVC_I3C_MCTRL); + +2: ret = readl_relaxed_poll_timeout(master->regs + SVC_I3C_MSTATUS, val, + SVC_I3C_MSTATUS_IBIWON(val), 0, 1000); + ... +3: ibitype = SVC_I3C_MSTATUS_IBITYPE(status); + ibiaddr = SVC_I3C_MSTATUS_IBIADDR(status); + +SVC_I3C_MSTATUS_IBIWON may be set before step 1. Thus, step 2 will return +immediately, and the I3C controller has not sent out the 9th SCL yet. +Consequently, ibitype and ibiaddr are 0, resulting in an unknown IBI type +occurrence and missing call I3C client driver's IBI handler. + +A typical case is that SVC_I3C_MSTATUS_IBIWON is set when an IBI occurs +during the controller send start frame in svc_i3c_master_xfer(). + +Clear SVC_I3C_MSTATUS_IBIWON before issue SVC_I3C_MCTRL_REQUEST_AUTO_IBI +to fix this issue. + +Cc: stable@vger.kernel.org +Fixes: 5e5e3c92e748 ("i3c: master: svc: fix wrong data return when IBI happen during start frame") +Signed-off-by: Frank Li +Reviewed-by: Miquel Raynal +Link: https://lore.kernel.org/r/20240506164009.21375-3-Frank.Li@nxp.com +Signed-off-by: Alexandre Belloni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i3c/master/svc-i3c-master.c | 16 +++++++++++++--- + 1 file changed, 13 insertions(+), 3 deletions(-) + +--- a/drivers/i3c/master/svc-i3c-master.c ++++ b/drivers/i3c/master/svc-i3c-master.c +@@ -415,6 +415,19 @@ static void svc_i3c_master_ibi_work(stru + int ret; + + mutex_lock(&master->lock); ++ /* ++ * IBIWON may be set before SVC_I3C_MCTRL_REQUEST_AUTO_IBI, causing ++ * readl_relaxed_poll_timeout() to return immediately. 
Consequently, ++ * ibitype will be 0 since it was last updated only after the 8th SCL ++ * cycle, leading to missed client IBI handlers. ++ * ++ * A typical scenario is when IBIWON occurs and bus arbitration is lost ++ * at svc_i3c_master_priv_xfers(). ++ * ++ * Clear SVC_I3C_MINT_IBIWON before sending SVC_I3C_MCTRL_REQUEST_AUTO_IBI. ++ */ ++ writel(SVC_I3C_MINT_IBIWON, master->regs + SVC_I3C_MSTATUS); ++ + /* Acknowledge the incoming interrupt with the AUTOIBI mechanism */ + writel(SVC_I3C_MCTRL_REQUEST_AUTO_IBI | + SVC_I3C_MCTRL_IBIRESP_AUTO, +@@ -429,9 +442,6 @@ static void svc_i3c_master_ibi_work(stru + goto reenable_ibis; + } + +- /* Clear the interrupt status */ +- writel(SVC_I3C_MINT_IBIWON, master->regs + SVC_I3C_MSTATUS); +- + status = readl(master->regs + SVC_I3C_MSTATUS); + ibitype = SVC_I3C_MSTATUS_IBITYPE(status); + ibiaddr = SVC_I3C_MSTATUS_IBIADDR(status); diff --git a/queue-6.9/parisc-define-have_arch_hugetlb_unmapped_area.patch b/queue-6.9/parisc-define-have_arch_hugetlb_unmapped_area.patch new file mode 100644 index 00000000000..5888e16d9f0 --- /dev/null +++ b/queue-6.9/parisc-define-have_arch_hugetlb_unmapped_area.patch 
@@ -0,0 +1,32 @@ +From d4a599910193b85f76c100e30d8551c8794f8c2a Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Wed, 15 May 2024 14:53:25 +0200 +Subject: parisc: Define HAVE_ARCH_HUGETLB_UNMAPPED_AREA + +From: Helge Deller + +commit d4a599910193b85f76c100e30d8551c8794f8c2a upstream. + +Define the HAVE_ARCH_HUGETLB_UNMAPPED_AREA macro like other platforms do in +their page.h files to avoid this compile warning: +arch/parisc/mm/hugetlbpage.c:25:1: warning: no previous prototype for 'hugetlb_get_unmapped_area' [-Wmissing-prototypes] + +Signed-off-by: Helge Deller +Cc: stable@vger.kernel.org # 6.0+ +Reported-by: John David Anglin +Tested-by: John David Anglin +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/include/asm/page.h | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/parisc/include/asm/page.h ++++ b/arch/parisc/include/asm/page.h +@@ -8,6 +8,7 @@ + #define PAGE_SIZE (_AC(1,UL) << PAGE_SHIFT) + #define PAGE_MASK (~(PAGE_SIZE-1)) + ++#define HAVE_ARCH_HUGETLB_UNMAPPED_AREA + + #ifndef __ASSEMBLY__ + diff --git a/queue-6.9/parisc-define-sigset_t-in-parisc-uapi-header.patch b/queue-6.9/parisc-define-sigset_t-in-parisc-uapi-header.patch new file mode 100644 index 00000000000..f82f4b1d786 --- /dev/null +++ b/queue-6.9/parisc-define-sigset_t-in-parisc-uapi-header.patch 
@@ -0,0 +1,72 @@ +From 487fa28fa8b60417642ac58e8beda6e2509d18f9 Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Sat, 27 Apr 2024 19:43:51 +0200 +Subject: parisc: Define sigset_t in parisc uapi header + +From: Helge Deller + +commit 487fa28fa8b60417642ac58e8beda6e2509d18f9 upstream. + +The util-linux debian package fails to build on parisc, because +sigset_t isn't defined in asm/signal.h when included from userspace. +Move the sigset_t type from internal header to the uapi header to fix the +build. + +Link: https://buildd.debian.org/status/fetch.php?pkg=util-linux&arch=hppa&ver=2.40-7&stamp=1714163443&raw=0 +Signed-off-by: Helge Deller +Cc: stable@vger.kernel.org # v6.0+ +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/include/asm/signal.h | 12 ------------ + arch/parisc/include/uapi/asm/signal.h | 10 ++++++++++ + 2 files changed, 10 insertions(+), 12 deletions(-) + +--- a/arch/parisc/include/asm/signal.h ++++ b/arch/parisc/include/asm/signal.h +@@ -4,23 +4,11 @@ + + #include + +-#define _NSIG 64 +-/* bits-per-word, where word apparently means 'long' not 'int' */ +-#define _NSIG_BPW BITS_PER_LONG +-#define _NSIG_WORDS (_NSIG / _NSIG_BPW) +- + # ifndef __ASSEMBLY__ + + /* Most things should be clean enough to redefine this at will, if care + is taken to make libc match. */ + +-typedef unsigned long old_sigset_t; /* at least 32 bits */ +- +-typedef struct { +- /* next_signal() assumes this is a long - no choice */ +- unsigned long sig[_NSIG_WORDS]; +-} sigset_t; +- + #include + + #endif /* !__ASSEMBLY */ +--- a/arch/parisc/include/uapi/asm/signal.h ++++ b/arch/parisc/include/uapi/asm/signal.h +@@ -57,10 +57,20 @@ + + #include + ++#define _NSIG 64 ++#define _NSIG_BPW (sizeof(unsigned long) * 8) ++#define _NSIG_WORDS (_NSIG / _NSIG_BPW) ++ + # ifndef __ASSEMBLY__ + + # include + ++typedef unsigned long old_sigset_t; /* at least 32 bits */ ++ ++typedef struct { ++ unsigned long sig[_NSIG_WORDS]; ++} sigset_t; ++ + /* Avoid too many header ordering problems. 
*/ + struct siginfo; + diff --git a/queue-6.9/riscv-dts-starfive-remove-pmic-interrupt-info-for-visionfive-2-board.patch b/queue-6.9/riscv-dts-starfive-remove-pmic-interrupt-info-for-visionfive-2-board.patch new file mode 100644 index 00000000000..025c1e149dc --- /dev/null +++ b/queue-6.9/riscv-dts-starfive-remove-pmic-interrupt-info-for-visionfive-2-board.patch 
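Review bot: In the uapi header `_NSIG_BPW` is now `(sizeof(unsigned long) * 8)` instead of `BITS_PER_LONG`, which turns `_NSIG_BPW` and `_NSIG_WORDS` from preprocessor-evaluable integers into `size_t` expressions. Any `#if` that tests these macros would stop compiling and comparisons against signed counters become unsigned; no such user is visible in this patch, so a grep for both names is worth doing before relying on it. The move also drops the comment `/* next_signal() assumes this is a long - no choice */` from the `sigset_t` definition, and since the typedef is now visible to userspace a replacement comment should say how it is meant to coexist with the C library's own `sigset_t`.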
@@ -0,0 +1,43 @@ +From 0f74c64f0a9f6e1e7cf17bea3d4350fa6581e0d7 Mon Sep 17 00:00:00 2001 +From: Shengyu Qu +Date: Thu, 7 Mar 2024 20:21:12 +0800 +Subject: riscv: dts: starfive: Remove PMIC interrupt info for Visionfive 2 board + +From: Shengyu Qu + +commit 0f74c64f0a9f6e1e7cf17bea3d4350fa6581e0d7 upstream. + +Interrupt line number of the AXP15060 PMIC is not a necessary part of +its device tree. Originally the binding required one, so the dts patch +added an invalid interrupt that the driver ignored (0) as the interrupt +line of the PMIC is not actually connected on this platform. This went +unnoticed during review as it would have been a valid interrupt for a +GPIO controller, but it is not for the PLIC. The PLIC, on this platform +at least, silently ignores the enablement of interrupt 0. Bo Gan is +running a modified version of OpenSBI that faults if writes are done to +reserved fields, so their kernel runs into problems. + +Delete the invalid interrupt from the device tree. + +Cc: stable@vger.kernel.org +Reported-by: Bo Gan +Link: https://lore.kernel.org/all/c8b6e960-2459-130f-e4e4-7c9c2ebaa6d3@gmail.com/ +Signed-off-by: Shengyu Qu +Fixes: 2378341504de ("riscv: dts: starfive: Enable axp15060 pmic for cpufreq") +[conor: rewrite the commit message to add more detail] +Signed-off-by: Conor Dooley +Signed-off-by: Greg Kroah-Hartman +--- + arch/riscv/boot/dts/starfive/jh7110-starfive-visionfive-2.dtsi | 1 - + 1 file changed, 1 deletion(-) + +--- a/arch/riscv/boot/dts/starfive/jh7110-starfive-visionfive-2.dtsi ++++ b/arch/riscv/boot/dts/starfive/jh7110-starfive-visionfive-2.dtsi +@@ -238,7 +238,6 @@ + axp15060: pmic@36 { + compatible = "x-powers,axp15060"; + reg = <0x36>; +- interrupts = <0>; + interrupt-controller; + #interrupt-cells = <1>; + diff --git a/queue-6.9/riscv-enable-have_arch_huge_vmap-for-xip-kernel.patch b/queue-6.9/riscv-enable-have_arch_huge_vmap-for-xip-kernel.patch new file mode 100644 index 00000000000..111fb38f761 --- /dev/null 
+++ b/queue-6.9/riscv-enable-have_arch_huge_vmap-for-xip-kernel.patch @@ -0,0 +1,38 @@ +From 7bed51617401dab2be930b13ed5aacf581f7c8ef Mon Sep 17 00:00:00 2001 +From: Nam Cao +Date: Sun, 26 May 2024 13:01:04 +0200 +Subject: riscv: enable HAVE_ARCH_HUGE_VMAP for XIP kernel + +From: Nam Cao + +commit 7bed51617401dab2be930b13ed5aacf581f7c8ef upstream. + +HAVE_ARCH_HUGE_VMAP also works on XIP kernel, so remove its dependency on +!XIP_KERNEL. + +This also fixes a boot problem for XIP kernel introduced by the commit in +"Fixes:". This commit used huge page mapping for vmemmap, but huge page +vmap was not enabled for XIP kernel. + +Fixes: ff172d4818ad ("riscv: Use hugepage mappings for vmemmap") +Signed-off-by: Nam Cao +Cc: +Reviewed-by: Alexandre Ghiti +Link: https://lore.kernel.org/r/20240526110104.470429-1-namcao@linutronix.de +Signed-off-by: Palmer Dabbelt +Signed-off-by: Greg Kroah-Hartman +--- + arch/riscv/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/riscv/Kconfig ++++ b/arch/riscv/Kconfig +@@ -103,7 +103,7 @@ config RISCV + select HAS_IOPORT if MMU + select HAVE_ARCH_AUDITSYSCALL + select HAVE_ARCH_HUGE_VMALLOC if HAVE_ARCH_HUGE_VMAP +- select HAVE_ARCH_HUGE_VMAP if MMU && 64BIT && !XIP_KERNEL ++ select HAVE_ARCH_HUGE_VMAP if MMU && 64BIT + select HAVE_ARCH_JUMP_LABEL if !XIP_KERNEL + select HAVE_ARCH_JUMP_LABEL_RELATIVE if !XIP_KERNEL + select HAVE_ARCH_KASAN if MMU && 64BIT diff --git a/queue-6.9/s390-ap-fix-crash-in-ap-internal-function-modify_bitmap.patch b/queue-6.9/s390-ap-fix-crash-in-ap-internal-function-modify_bitmap.patch new file mode 100644 index 00000000000..c50127afba4 --- /dev/null +++ b/queue-6.9/s390-ap-fix-crash-in-ap-internal-function-modify_bitmap.patch 
@@ -0,0 +1,75 @@
+From d4f9d5a99a3fd1b1c691b7a1a6f8f3f25f4116c9 Mon Sep 17 00:00:00 2001
+From: Harald Freudenberger
+Date: Mon, 13 May 2024 14:49:13 +0200
+Subject: s390/ap: Fix crash in AP internal function modify_bitmap()
+
+From: Harald Freudenberger
+
+commit d4f9d5a99a3fd1b1c691b7a1a6f8f3f25f4116c9 upstream.
+
+A system crash like this
+
+ Failing address: 200000cb7df6f000 TEID: 200000cb7df6f403
+ Fault in home space mode while using kernel ASCE.
+ AS:00000002d71bc007 R3:00000003fe5b8007 S:000000011a446000 P:000000015660c13d
+ Oops: 0038 ilc:3 [#1] PREEMPT SMP
+ Modules linked in: mlx5_ib ...
+ CPU: 8 PID: 7556 Comm: bash Not tainted 6.9.0-rc7 #8
+ Hardware name: IBM 3931 A01 704 (LPAR)
+ Krnl PSW : 0704e00180000000 0000014b75e7b606 (ap_parse_bitmap_str+0x10e/0x1f8)
+ R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3
+ Krnl GPRS: 0000000000000001 ffffffffffffffc0 0000000000000001 00000048f96b75d3
+ 000000cb00000100 ffffffffffffffff ffffffffffffffff 000000cb7df6fce0
+ 000000cb7df6fce0 00000000ffffffff 000000000000002b 00000048ffffffff
+ 000003ff9b2dbc80 200000cb7df6fcd8 0000014bffffffc0 000000cb7df6fbc8
+ Krnl Code: 0000014b75e7b5fc: a7840047 brc 8,0000014b75e7b68a
+ 0000014b75e7b600: 18b2 lr %r11,%r2
+ #0000014b75e7b602: a7f4000a brc 15,0000014b75e7b616
+ >0000014b75e7b606: eb22d00000e6 laog %r2,%r2,0(%r13)
+ 0000014b75e7b60c: a7680001 lhi %r6,1
+ 0000014b75e7b610: 187b lr %r7,%r11
+ 0000014b75e7b612: 84960021 brxh %r9,%r6,0000014b75e7b654
+ 0000014b75e7b616: 18e9 lr %r14,%r9
+ Call Trace:
+ [<0000014b75e7b606>] ap_parse_bitmap_str+0x10e/0x1f8
+ ([<0000014b75e7b5dc>] ap_parse_bitmap_str+0xe4/0x1f8)
+ [<0000014b75e7b758>] apmask_store+0x68/0x140
+ [<0000014b75679196>] kernfs_fop_write_iter+0x14e/0x1e8
+ [<0000014b75598524>] vfs_write+0x1b4/0x448
+ [<0000014b7559894c>] ksys_write+0x74/0x100
+ [<0000014b7618a440>] __do_syscall+0x268/0x328
+ [<0000014b761a3558>] system_call+0x70/0x98
+ INFO: lockdep is turned off.
+ Last Breaking-Event-Address:
+ [<0000014b75e7b636>] ap_parse_bitmap_str+0x13e/0x1f8
+ Kernel panic - not syncing: Fatal exception: panic_on_oops
+
+occured when /sys/bus/ap/a[pq]mask was updated with a relative mask value
+(like +0x10-0x12,+60,-90) with one of the numeric values exceeding INT_MAX.
+
+The fix is simple: use unsigned long values for the internal variables. The
+correct checks are already in place in the function but a simple int for
+the internal variables was used with the possibility to overflow.
+
+Reported-by: Marc Hartmayer
+Signed-off-by: Harald Freudenberger
+Tested-by: Marc Hartmayer
+Reviewed-by: Holger Dengler
+Cc:
+Signed-off-by: Heiko Carstens
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/s390/crypto/ap_bus.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/s390/crypto/ap_bus.c
++++ b/drivers/s390/crypto/ap_bus.c
+@@ -1129,7 +1129,7 @@ static int hex2bitmap(const char *str, u
+ */
+ static int modify_bitmap(const char *str, unsigned long *bitmap, int bits)
+ {
+- int a, i, z;
++ unsigned long a, i, z;
+ char *np, sign;
+
+ /* bits needs to be a multiple of 8 */
diff --git a/queue-6.9/s390-cpacf-make-use-of-invalid-opcode-produce-a-link-error.patch b/queue-6.9/s390-cpacf-make-use-of-invalid-opcode-produce-a-link-error.patch
new file mode 100644
index 00000000000..0352e8abd00
--- /dev/null
+++ b/queue-6.9/s390-cpacf-make-use-of-invalid-opcode-produce-a-link-error.patch
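Review bot: The new `unsigned long a, i, z;` declaration in `modify_bitmap()` carries no comment explaining why the locals must be wider than the `int bits` parameter they are checked against, so a later cleanup back to `int` would quietly reintroduce the truncation. According to the commit message the numbers come from text written to the `a[pq]mask` sysfs attributes, and the range checks only work if the parsed value reaches them untruncated. I would add `/* unsigned long: parsed values must reach the range checks against bits untruncated */` above the declaration. The function body continues outside the hunk, so it is worth confirming there that every parsed value is rejected when it is `>= bits` before any bit is set or cleared.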
@@ -0,0 +1,60 @@
+From 32e8bd6423fc127d2b37bdcf804fd76af3bbec79 Mon Sep 17 00:00:00 2001
+From: Harald Freudenberger
+Date: Tue, 14 May 2024 10:09:32 +0200
+Subject: s390/cpacf: Make use of invalid opcode produce a link error
+
+From: Harald Freudenberger
+
+commit 32e8bd6423fc127d2b37bdcf804fd76af3bbec79 upstream.
+
+Instead of calling BUG() at runtime introduce and use a prototype for a
+non-existing function to produce a link error during compile when a not
+supported opcode is used with the __cpacf_query() or __cpacf_check_opcode()
+inline functions.
+
+Suggested-by: Heiko Carstens
+Signed-off-by: Harald Freudenberger
+Reviewed-by: Holger Dengler
+Reviewed-by: Juergen Christ
+Cc: stable@vger.kernel.org
+Signed-off-by: Heiko Carstens
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/s390/include/asm/cpacf.h | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/arch/s390/include/asm/cpacf.h
++++ b/arch/s390/include/asm/cpacf.h
+@@ -166,6 +166,13 @@
+
+ typedef struct { unsigned char bytes[16]; } cpacf_mask_t;
+
++/*
++ * Prototype for a not existing function to produce a link
++ * error if __cpacf_query() or __cpacf_check_opcode() is used
++ * with an invalid compile time const opcode.
++ */
++void __cpacf_bad_opcode(void);
++
+ static __always_inline void __cpacf_query_rre(u32 opc, u8 r1, u8 r2,
+ cpacf_mask_t *mask)
+ {
+@@ -237,7 +244,7 @@ static __always_inline void __cpacf_quer
+ __cpacf_query_rre(CPACF_PRNO, 2, 4, mask);
+ break;
+ default:
+- BUG();
++ __cpacf_bad_opcode();
+ }
+ }
+
+@@ -262,7 +269,8 @@ static __always_inline int __cpacf_check
+ case CPACF_KMA:
+ return test_facility(146); /* check for MSA8 */
+ default:
+- BUG();
++ __cpacf_bad_opcode();
++ return 0;
+ }
+ }
+
diff --git a/queue-6.9/s390-cpacf-split-and-rework-cpacf-query-functions.patch b/queue-6.9/s390-cpacf-split-and-rework-cpacf-query-functions.patch
new file mode 100644
index 00000000000..c3c9c8f2559
--- /dev/null
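Review bot: The undefined `__cpacf_bad_opcode()` only disappears when the compiler can prove the `default:` arm dead, so a caller that reaches `__cpacf_query()` or `__cpacf_check_opcode()` with an opcode that is not a compile-time constant now fails with a bare unresolved-symbol message at link time. Declaring the prototype with the kernel's compile-time error attribute would name the cause at the offending call site, for example `void __cpacf_bad_opcode(void) __compiletime_error("invalid CPACF opcode");`, assuming that macro is usable from this header. The comment above the prototype should also say outright that the opcode has to be a compile-time constant for the build to succeed. Both switch statements begin outside these hunks, so the full list of accepted opcodes is not visible here.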
+++ b/queue-6.9/s390-cpacf-split-and-rework-cpacf-query-functions.patch 
@@ -0,0 +1,147 @@
+From 830999bd7e72f4128b9dfa37090d9fa8120ce323 Mon Sep 17 00:00:00 2001
+From: Harald Freudenberger
+Date: Fri, 3 May 2024 11:31:42 +0200
+Subject: s390/cpacf: Split and rework cpacf query functions
+
+From: Harald Freudenberger
+
+commit 830999bd7e72f4128b9dfa37090d9fa8120ce323 upstream.
+
+Rework the cpacf query functions to use the correct RRE
+or RRF instruction formats and set register fields within
+instructions correctly.
+
+Fixes: 1afd43e0fbba ("s390/crypto: allow to query all known cpacf functions")
+Reported-by: Nina Schoetterl-Glausch
+Suggested-by: Heiko Carstens
+Suggested-by: Juergen Christ
+Suggested-by: Holger Dengler
+Signed-off-by: Harald Freudenberger
+Reviewed-by: Holger Dengler
+Reviewed-by: Juergen Christ
+Cc:
+Signed-off-by: Heiko Carstens
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/s390/include/asm/cpacf.h | 101 +++++++++++++++++++++++++++++++++---------
+ 1 file changed, 81 insertions(+), 20 deletions(-)
+
+--- a/arch/s390/include/asm/cpacf.h
++++ b/arch/s390/include/asm/cpacf.h
+@@ -166,28 +166,79 @@
+
+ typedef struct { unsigned char bytes[16]; } cpacf_mask_t;
+
+-/**
+- * cpacf_query() - check if a specific CPACF function is available
+- * @opcode: the opcode of the crypto instruction
+- * @func: the function code to test for
+- *
+- * Executes the query function for the given crypto instruction @opcode
+- * and checks if @func is available
+- *
+- * Returns 1 if @func is available for @opcode, 0 otherwise
+- */
+-static __always_inline void __cpacf_query(unsigned int opcode, cpacf_mask_t *mask)
++static __always_inline void __cpacf_query_rre(u32 opc, u8 r1, u8 r2,
++ cpacf_mask_t *mask)
++{
++ asm volatile(
++ " la %%r1,%[mask]\n"
++ " xgr %%r0,%%r0\n"
++ " .insn rre,%[opc] << 16,%[r1],%[r2]\n"
++ : [mask] "=R" (*mask)
++ : [opc] "i" (opc),
++ [r1] "i" (r1), [r2] "i" (r2)
++ : "cc", "r0", "r1");
++}
++
++static __always_inline void __cpacf_query_rrf(u32 opc,
++ u8 r1, u8 r2, u8 r3, u8 m4,
++ cpacf_mask_t *mask)
+ {
+ asm volatile(
+- " lghi 0,0\n" /* query function */
+- " lgr 1,%[mask]\n"
+- " spm 0\n" /* pckmo doesn't change the cc */
+- /* Parameter regs are ignored, but must be nonzero and unique */
+- "0: .insn rrf,%[opc] << 16,2,4,6,0\n"
+- " brc 1,0b\n" /* handle partial completion */
+- : "=m" (*mask)
+- : [mask] "d" ((unsigned long)mask), [opc] "i" (opcode)
+- : "cc", "0", "1");
++ " la %%r1,%[mask]\n"
++ " xgr %%r0,%%r0\n"
++ " .insn rrf,%[opc] << 16,%[r1],%[r2],%[r3],%[m4]\n"
++ : [mask] "=R" (*mask)
++ : [opc] "i" (opc), [r1] "i" (r1), [r2] "i" (r2),
++ [r3] "i" (r3), [m4] "i" (m4)
++ : "cc", "r0", "r1");
++}
++
++static __always_inline void __cpacf_query(unsigned int opcode,
++ cpacf_mask_t *mask)
++{
++ switch (opcode) {
++ case CPACF_KDSA:
++ __cpacf_query_rre(CPACF_KDSA, 0, 2, mask);
++ break;
++ case CPACF_KIMD:
++ __cpacf_query_rre(CPACF_KIMD, 0, 2, mask);
++ break;
++ case CPACF_KLMD:
++ __cpacf_query_rre(CPACF_KLMD, 0, 2, mask);
++ break;
++ case CPACF_KM:
++ __cpacf_query_rre(CPACF_KM, 2, 4, mask);
++ break;
++ case CPACF_KMA:
++ __cpacf_query_rrf(CPACF_KMA, 2, 4, 6, 0, mask);
++ break;
++ case CPACF_KMAC:
++ __cpacf_query_rre(CPACF_KMAC, 0, 2, mask);
++ break;
++ case CPACF_KMC:
++ __cpacf_query_rre(CPACF_KMC, 2, 4, mask);
++ break;
++ case CPACF_KMCTR:
++ __cpacf_query_rrf(CPACF_KMCTR, 2, 4, 6, 0, mask);
++ break;
++ case CPACF_KMF:
++ __cpacf_query_rre(CPACF_KMF, 2, 4, mask);
++ break;
++ case CPACF_KMO:
++ __cpacf_query_rre(CPACF_KMO, 2, 4, mask);
++ break;
++ case CPACF_PCC:
++ __cpacf_query_rre(CPACF_PCC, 0, 0, mask);
++ break;
++ case CPACF_PCKMO:
++ __cpacf_query_rre(CPACF_PCKMO, 0, 0, mask);
++ break;
++ case CPACF_PRNO:
++ __cpacf_query_rre(CPACF_PRNO, 2, 4, mask);
++ break;
++ default:
++ BUG();
++ }
+ }
+
+ static __always_inline int __cpacf_check_opcode(unsigned int opcode)
+@@ -215,6 +266,16 @@ static __always_inline int __cpacf_check
+ }
+ }
+
++/**
++ * cpacf_query() - check if a specific CPACF function is available
++ * @opcode: the opcode of the crypto instruction
++ * @func: the function code to test for
++ *
++ * Executes the query function for the given crypto instruction @opcode
++ * and checks if @func is available
++ *
++ * Returns 1 if @func is available for @opcode, 0 otherwise
++ */
+ static __always_inline int cpacf_query(unsigned int opcode, cpacf_mask_t *mask)
+ {
+ if (__cpacf_check_opcode(opcode)) {
diff --git a/queue-6.9/series b/queue-6.9/series
index 68c083ae7b9..ac6b0e0a17d 100644
--- a/queue-6.9/series
+++ b/queue-6.9/series
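Review bot: The kernel-doc block re-added in front of `cpacf_query()` still documents a `@func` parameter and a return of "1 if @func is available", while the signature directly below it is `cpacf_query(unsigned int opcode, cpacf_mask_t *mask)`. The `@func` line should become something like `* @mask: buffer that receives the query result`, with the "Returns" sentence reworded to match; the body of `cpacf_query()` continues outside the hunk, so the exact return contract has to be checked against it. The new `__cpacf_query_rre()` and `__cpacf_query_rrf()` helpers also drop the `/* query function */` remark of the removed asm, and a one-line comment such as `/* r0 = 0 selects the query function, r1 = address of the result mask */` above each `asm volatile` would keep the register setup readable.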
@@ -115,3 +115,22 @@ revert-xsk-document-ability-to-redirect-to-any-socket-bound-to-the-same-umem.pat
 revert-perf-record-reduce-memory-for-recording-perf_record_lost_samples-event.patch
 e1000e-move-force-smbus-near-the-end-of-enable_ulp-function.patch
 sparc-move-struct-termio-to-asm-termios.h.patch
+ext4-fixes-len-calculation-in-mpage_journal_page_buffers.patch
+ext4-set-type-of-ac_groups_linear_remaining-to-__u32-to-avoid-overflow.patch
+ext4-fix-mb_cache_entry-s-e_refcnt-leak-in-ext4_xattr_block_cache_find.patch
+riscv-dts-starfive-remove-pmic-interrupt-info-for-visionfive-2-board.patch
+arm-dts-samsung-smdkv310-fix-keypad-no-autorepeat.patch
+arm-dts-samsung-smdk4412-fix-keypad-no-autorepeat.patch
+arm-dts-samsung-exynos4412-origen-fix-keypad-no-autorepeat.patch
+parisc-define-have_arch_hugetlb_unmapped_area.patch
+parisc-define-sigset_t-in-parisc-uapi-header.patch
+s390-ap-fix-crash-in-ap-internal-function-modify_bitmap.patch
+s390-cpacf-split-and-rework-cpacf-query-functions.patch
+s390-cpacf-make-use-of-invalid-opcode-produce-a-link-error.patch
+i3c-master-svc-fix-invalidate-ibi-type-and-miss-call-client-ibi-handler.patch
+genirq-irqdesc-prevent-use-after-free-in-irq_find_at_or_after.patch
+hwmon-ltc2992-fix-memory-leak-in-ltc2992_parse_dt.patch
+riscv-enable-have_arch_huge_vmap-for-xip-kernel.patch
+asoc-sof-ipc4-topology-fix-input-format-query-of-process-modules-without-base-extension.patch
+alsa-ump-don-t-clear-bank-selection-after-sending-a-program-change.patch
+alsa-ump-don-t-accept-an-invalid-ump-protocol-number.patch