From: Greg Kroah-Hartman Date: Tue, 20 May 2025 11:34:56 +0000 (+0200) Subject: 6.1-stable patches X-Git-Tag: v5.15.184~8 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f488def3e3dc65a2dfbad4313ed037d4a9d33685;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: arm64-sme-always-exit-sme_alloc-early-with-existing-storage.patch bnxt_en-fix-receive-ring-space-parameters-when-xdp-is-active.patch drm-amdgpu-fix-pm-notifier-handling.patch ipv4-fix-uninit-value-access-in-__ip_make_skb.patch ipv6-fix-potential-uninit-value-access-in-__ip6_make_skb.patch platform-x86-amd-pmc-only-disable-irq1-wakeup-where-i8042-actually-enabled-it.patch spi-cadence-qspi-fix-pointer-reference-in-runtime-pm-hooks.patch
---
diff --git a/queue-6.1/arm64-sme-always-exit-sme_alloc-early-with-existing-storage.patch b/queue-6.1/arm64-sme-always-exit-sme_alloc-early-with-existing-storage.patch
new file mode 100644
index 0000000000..d640b08712
--- /dev/null
+++ b/queue-6.1/arm64-sme-always-exit-sme_alloc-early-with-existing-storage.patch
@@ -0,0 +1,43 @@
+From dc7eb8755797ed41a0d1b5c0c39df3c8f401b3d9 Mon Sep 17 00:00:00 2001
+From: Mark Brown
+Date: Mon, 15 Jan 2024 20:15:46 +0000
+Subject: arm64/sme: Always exit sme_alloc() early with existing storage
+
+From: Mark Brown
+
+commit dc7eb8755797ed41a0d1b5c0c39df3c8f401b3d9 upstream.
+
+When sme_alloc() is called with existing storage and we are not flushing we
+will always allocate new storage, both leaking the existing storage and
+corrupting the state. Fix this by separating the checks for flushing and
+for existing storage as we do for SVE.
+
+Callers that reallocate (eg, due to changing the vector length) should
+call sme_free() themselves.
+
+Fixes: 5d0a8d2fba50 ("arm64/ptrace: Ensure that SME is set up for target when writing SSVE state")
+Signed-off-by: Mark Brown
+Cc:
+Link: https://lore.kernel.org/r/20240115-arm64-sme-flush-v1-1-7472bd3459b7@kernel.org
+Signed-off-by: Will Deacon
+Signed-off-by: Zhaoyang Li
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm64/kernel/fpsimd.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/arch/arm64/kernel/fpsimd.c
++++ b/arch/arm64/kernel/fpsimd.c
+@@ -1259,8 +1259,10 @@ void fpsimd_release_task(struct task_str
+ */
+ void sme_alloc(struct task_struct *task, bool flush)
+ {
+- if (task->thread.za_state && flush) {
+- memset(task->thread.za_state, 0, za_state_size(task));
++ if (task->thread.za_state) {
++ if (flush)
++ memset(task->thread.za_state, 0,
++ za_state_size(task));
+ return;
+ }
+
diff --git a/queue-6.1/bnxt_en-fix-receive-ring-space-parameters-when-xdp-is-active.patch b/queue-6.1/bnxt_en-fix-receive-ring-space-parameters-when-xdp-is-active.patch
new file mode 100644
index 0000000000..522b2c0c0f
--- /dev/null
+++ b/queue-6.1/bnxt_en-fix-receive-ring-space-parameters-when-xdp-is-active.patch
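Review bot: The new early return in sme_alloc() keeps whatever za_state buffer already exists, but nothing in the visible code records that this buffer must have been sized for the task's current vector length. On the flush path the `memset(task->thread.za_state, 0, za_state_size(task))` would presumably run past the allocation if a caller changed the vector length without freeing first. The commit message states the rule (callers that reallocate call sme_free() themselves), but it is not written where the next maintainer of this function will read it. I would add above the new check: `/* Existing storage is reused as-is; callers that change the vector length must sme_free() first. */`. The function's kernel-doc and the rest of its body lie outside the hunk.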
@@ -0,0 +1,87 @@
+From 3051a77a09dfe3022aa012071346937fdf059033 Mon Sep 17 00:00:00 2001
+From: Shravya KN
+Date: Fri, 22 Nov 2024 14:45:44 -0800
+Subject: bnxt_en: Fix receive ring space parameters when XDP is active
+
+From: Shravya KN
+
+commit 3051a77a09dfe3022aa012071346937fdf059033 upstream.
+
+The MTU setting at the time an XDP multi-buffer is attached
+determines whether the aggregation ring will be used and the
+rx_skb_func handler. This is done in bnxt_set_rx_skb_mode().
+
+If the MTU is later changed, the aggregation ring setting may need
+to be changed and it may become out-of-sync with the settings
+initially done in bnxt_set_rx_skb_mode(). This may result in
+random memory corruption and crashes as the HW may DMA data larger
+than the allocated buffer size, such as:
+
+BUG: kernel NULL pointer dereference, address: 00000000000003c0
+PGD 0 P4D 0
+Oops: 0000 [#1] PREEMPT SMP NOPTI
+CPU: 17 PID: 0 Comm: swapper/17 Kdump: loaded Tainted: G S OE 6.1.0-226bf9805506 #1
+Hardware name: Wiwynn Delta Lake PVT BZA.02601.0150/Delta Lake-Class1, BIOS F0E_3A12 08/26/2021
+RIP: 0010:bnxt_rx_pkt+0xe97/0x1ae0 [bnxt_en]
+Code: 8b 95 70 ff ff ff 4c 8b 9d 48 ff ff ff 66 41 89 87 b4 00 00 00 e9 0b f7 ff ff 0f b7 43 0a 49 8b 95 a8 04 00 00 25 ff 0f 00 00 <0f> b7 14 42 48 c1 e2 06 49 03 95 a0 04 00 00 0f b6 42 33f
+RSP: 0018:ffffa19f40cc0d18 EFLAGS: 00010202
+RAX: 00000000000001e0 RBX: ffff8e2c805c6100 RCX: 00000000000007ff
+RDX: 0000000000000000 RSI: ffff8e2c271ab990 RDI: ffff8e2c84f12380
+RBP: ffffa19f40cc0e48 R08: 000000000001000d R09: 974ea2fcddfa4cbf
+R10: 0000000000000000 R11: ffffa19f40cc0ff8 R12: ffff8e2c94b58980
+R13: ffff8e2c952d6600 R14: 0000000000000016 R15: ffff8e2c271ab990
+FS: 0000000000000000(0000) GS:ffff8e3b3f840000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00000000000003c0 CR3: 0000000e8580a004 CR4: 00000000007706e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+PKRU: 55555554
+Call Trace:
+
+ __bnxt_poll_work+0x1c2/0x3e0 [bnxt_en]
+
+To address the issue, we now call bnxt_set_rx_skb_mode() within
+bnxt_change_mtu() to properly set the AGG rings configuration and
+update rx_skb_func based on the new MTU value.
+Additionally, BNXT_FLAG_NO_AGG_RINGS is cleared at the beginning of
+bnxt_set_rx_skb_mode() to make sure it gets set or cleared based on
+the current MTU.
+
+Fixes: 08450ea98ae9 ("bnxt_en: Fix max_mtu setting for multi-buf XDP")
+Co-developed-by: Somnath Kotur
+Signed-off-by: Somnath Kotur
+Signed-off-by: Shravya KN
+Signed-off-by: Michael Chan
+Signed-off-by: Paolo Abeni
+Signed-off-by: Zhaoyang Li
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -4041,7 +4041,7 @@ int bnxt_set_rx_skb_mode(struct bnxt *bp
+ struct net_device *dev = bp->dev;
+
+ if (page_mode) {
+- bp->flags &= ~BNXT_FLAG_AGG_RINGS;
++ bp->flags &= ~(BNXT_FLAG_AGG_RINGS | BNXT_FLAG_NO_AGG_RINGS);
+ bp->flags |= BNXT_FLAG_RX_PAGE_MODE;
+
+ if (bp->xdp_prog->aux->xdp_has_frags)
+@@ -12799,6 +12799,14 @@ static int bnxt_change_mtu(struct net_de
+ bnxt_close_nic(bp, true, false);
+
+ dev->mtu = new_mtu;
++
++ /* MTU change may change the AGG ring settings if an XDP multi-buffer
++ * program is attached. We need to set the AGG rings settings and
++ * rx_skb_func accordingly.
++ */
++ if (READ_ONCE(bp->xdp_prog))
++ bnxt_set_rx_skb_mode(bp, true);
++
+ bnxt_set_ring_params(bp);
+
+ if (netif_running(dev))
diff --git a/queue-6.1/drm-amdgpu-fix-pm-notifier-handling.patch b/queue-6.1/drm-amdgpu-fix-pm-notifier-handling.patch
new file mode 100644
index 0000000000..e804479ddc
--- /dev/null
+++ b/queue-6.1/drm-amdgpu-fix-pm-notifier-handling.patch
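Review bot: The `int` result of bnxt_set_rx_skb_mode() is discarded in the lines added to bnxt_change_mtu(). If the callee can fail in this tree, `dev->mtu` has already been stored and bnxt_set_ring_params() then sizes the rings from a mode that was never applied, which is the buffer-size mismatch the commit message describes. I would at least surface the failure, e.g. `if (READ_ONCE(bp->xdp_prog) && bnxt_set_rx_skb_mode(bp, true)) netdev_warn(dev, "rx skb mode update failed after MTU change\n");`, or extend the added comment to say why the result can be ignored. Separately, the READ_ONCE() check is followed by a plain re-read in the callee (`bp->xdp_prog->aux->xdp_has_frags` in the first hunk), so it only protects anything if the caller holds a lock that keeps the program attached, presumably RTNL; that assumption deserves a word in the comment. Both function bodies extend beyond their hunks.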
@@ -0,0 +1,94 @@
+From 4aaffc85751da5722e858e4333e8cf0aa4b6c78f Mon Sep 17 00:00:00 2001
+From: Alex Deucher
+Date: Thu, 1 May 2025 13:46:46 -0400
+Subject: drm/amdgpu: fix pm notifier handling
+
+From: Alex Deucher
+
+commit 4aaffc85751da5722e858e4333e8cf0aa4b6c78f upstream.
+
+Set the s3/s0ix and s4 flags in the pm notifier so that we can skip
+the resource evictions properly in pm prepare based on whether
+we are suspending or hibernating. Drop the eviction as processes
+are not frozen at this time, we we can end up getting stuck trying
+to evict VRAM while applications continue to submit work which
+causes the buffers to get pulled back into VRAM.
+
+v2: Move suspend flags out of pm notifier (Mario)
+
+Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4178
+Fixes: 2965e6355dcd ("drm/amd: Add Suspend/Hibernate notification callback support")
+Cc: Mario Limonciello
+Reviewed-by: Mario Limonciello
+Signed-off-by: Alex Deucher
+(cherry picked from commit 06f2dcc241e7e5c681f81fbc46cacdf4bfd7d6d7)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 18 +++++-------------
+ drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 10 +---------
+ 2 files changed, 6 insertions(+), 22 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+@@ -4199,28 +4199,20 @@ static int amdgpu_device_evict_resources
+ * @data: data
+ *
+ * This function is called when the system is about to suspend or hibernate.
+- * It is used to evict resources from the device before the system goes to
+- * sleep while there is still access to swap.
++ * It is used to set the appropriate flags so that eviction can be optimized
++ * in the pm prepare callback.
+ */
+ static int amdgpu_device_pm_notifier(struct notifier_block *nb, unsigned long mode,
+ void *data)
+ {
+ struct amdgpu_device *adev = container_of(nb, struct amdgpu_device, pm_nb);
+- int r;
+
+ switch (mode) {
+ case PM_HIBERNATION_PREPARE:
+ adev->in_s4 = true;
+- fallthrough;
+- case PM_SUSPEND_PREPARE:
+- r = amdgpu_device_evict_resources(adev);
+- /*
+- * This is considered non-fatal at this time because
+- * amdgpu_device_prepare() will also fatally evict resources.
+- * See https://gitlab.freedesktop.org/drm/amd/-/issues/3781
+- */
+- if (r)
+- drm_warn(adev_to_drm(adev), "Failed to evict resources, freeze active processes if problems occur: %d\n", r);
++ break;
++ case PM_POST_HIBERNATION:
++ adev->in_s4 = false;
+ break;
+ }
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
+@@ -2480,13 +2480,8 @@ static int amdgpu_pmops_freeze(struct de
+ static int amdgpu_pmops_thaw(struct device *dev)
+ {
+ struct drm_device *drm_dev = dev_get_drvdata(dev);
+- struct amdgpu_device *adev = drm_to_adev(drm_dev);
+- int r;
+
+- r = amdgpu_device_resume(drm_dev, true);
+- adev->in_s4 = false;
+-
+- return r;
++ return amdgpu_device_resume(drm_dev, true);
+ }
+
+ static int amdgpu_pmops_poweroff(struct device *dev)
+@@ -2499,9 +2494,6 @@ static int amdgpu_pmops_poweroff(struct
+ static int amdgpu_pmops_restore(struct device *dev)
+ {
+ struct drm_device *drm_dev = dev_get_drvdata(dev);
+- struct amdgpu_device *adev = drm_to_adev(drm_dev);
+-
+- adev->in_s4 = false;
+
+ return amdgpu_device_resume(drm_dev, true);
+ }
diff --git a/queue-6.1/ipv4-fix-uninit-value-access-in-__ip_make_skb.patch b/queue-6.1/ipv4-fix-uninit-value-access-in-__ip_make_skb.patch
new file mode 100644
index 0000000000..eb42868a5b
--- /dev/null
+++ b/queue-6.1/ipv4-fix-uninit-value-access-in-__ip_make_skb.patch
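Review bot: The lifetime of `adev->in_s4` changes in the amdgpu_drv.c hunks in a way the patch does not document. amdgpu_pmops_restore() used to clear it before calling amdgpu_device_resume() and amdgpu_pmops_thaw() cleared it right after, whereas the flag now stays true through both resume calls until the notifier sees PM_POST_HIBERNATION. Whether any code on the resume path branches on in_s4 is not visible in these hunks, so the ordering change should be confirmed as intended. I would record the new lifetime at the added case, e.g. `/* in_s4 is held from PM_HIBERNATION_PREPARE until PM_POST_HIBERNATION, i.e. across thaw/restore */`. The kernel-doc above amdgpu_device_pm_notifier() also still says it runs before suspend, while the switch now handles only the two hibernation events.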
@@ -0,0 +1,99 @@
+From fc1092f51567277509563800a3c56732070b6aa4 Mon Sep 17 00:00:00 2001
+From: Shigeru Yoshida
+Date: Tue, 30 Apr 2024 21:39:45 +0900
+Subject: ipv4: Fix uninit-value access in __ip_make_skb()
+
+From: Shigeru Yoshida
+
+commit fc1092f51567277509563800a3c56732070b6aa4 upstream.
+
+KMSAN reported uninit-value access in __ip_make_skb() [1]. __ip_make_skb()
+tests HDRINCL to know if the skb has icmphdr. However, HDRINCL can cause a
+race condition. If calling setsockopt(2) with IP_HDRINCL changes HDRINCL
+while __ip_make_skb() is running, the function will access icmphdr in the
+skb even if it is not included. This causes the issue reported by KMSAN.
+
+Check FLOWI_FLAG_KNOWN_NH on fl4->flowi4_flags instead of testing HDRINCL
+on the socket.
+
+Also, fl4->fl4_icmp_type and fl4->fl4_icmp_code are not initialized. These
+are union in struct flowi4 and are implicitly initialized by
+flowi4_init_output(), but we should not rely on specific union layout.
+
+Initialize these explicitly in raw_sendmsg().
+
+[1]
+BUG: KMSAN: uninit-value in __ip_make_skb+0x2b74/0x2d20 net/ipv4/ip_output.c:1481
+ __ip_make_skb+0x2b74/0x2d20 net/ipv4/ip_output.c:1481
+ ip_finish_skb include/net/ip.h:243 [inline]
+ ip_push_pending_frames+0x4c/0x5c0 net/ipv4/ip_output.c:1508
+ raw_sendmsg+0x2381/0x2690 net/ipv4/raw.c:654
+ inet_sendmsg+0x27b/0x2a0 net/ipv4/af_inet.c:851
+ sock_sendmsg_nosec net/socket.c:730 [inline]
+ __sock_sendmsg+0x274/0x3c0 net/socket.c:745
+ __sys_sendto+0x62c/0x7b0 net/socket.c:2191
+ __do_sys_sendto net/socket.c:2203 [inline]
+ __se_sys_sendto net/socket.c:2199 [inline]
+ __x64_sys_sendto+0x130/0x200 net/socket.c:2199
+ do_syscall_64+0xd8/0x1f0 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x6d/0x75
+
+Uninit was created at:
+ slab_post_alloc_hook mm/slub.c:3804 [inline]
+ slab_alloc_node mm/slub.c:3845 [inline]
+ kmem_cache_alloc_node+0x5f6/0xc50 mm/slub.c:3888
+ kmalloc_reserve+0x13c/0x4a0 net/core/skbuff.c:577
+ __alloc_skb+0x35a/0x7c0 net/core/skbuff.c:668
+ alloc_skb include/linux/skbuff.h:1318 [inline]
+ __ip_append_data+0x49ab/0x68c0 net/ipv4/ip_output.c:1128
+ ip_append_data+0x1e7/0x260 net/ipv4/ip_output.c:1365
+ raw_sendmsg+0x22b1/0x2690 net/ipv4/raw.c:648
+ inet_sendmsg+0x27b/0x2a0 net/ipv4/af_inet.c:851
+ sock_sendmsg_nosec net/socket.c:730 [inline]
+ __sock_sendmsg+0x274/0x3c0 net/socket.c:745
+ __sys_sendto+0x62c/0x7b0 net/socket.c:2191
+ __do_sys_sendto net/socket.c:2203 [inline]
+ __se_sys_sendto net/socket.c:2199 [inline]
+ __x64_sys_sendto+0x130/0x200 net/socket.c:2199
+ do_syscall_64+0xd8/0x1f0 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x6d/0x75
+
+CPU: 1 PID: 15709 Comm: syz-executor.7 Not tainted 6.8.0-11567-gb3603fcb79b1 #25
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-1.fc39 04/01/2014
+
+Fixes: 99e5acae193e ("ipv4: Fix potential uninit variable access bug in __ip_make_skb()")
+Reported-by: syzkaller
+Signed-off-by: Shigeru Yoshida
+Link: https://lore.kernel.org/r/20240430123945.2057348-1-syoshida@redhat.com
+Signed-off-by: Paolo Abeni
+Signed-off-by: Zhaoyang Li
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/ip_output.c | 3 ++-
+ net/ipv4/raw.c | 3 +++
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/ip_output.c
++++ b/net/ipv4/ip_output.c
+@@ -1580,7 +1580,8 @@ struct sk_buff *__ip_make_skb(struct soc
+ * so icmphdr does not in skb linear region and can not get icmp_type
+ * by icmp_hdr(skb)->type.
+ */
+- if (sk->sk_type == SOCK_RAW && !inet_sk(sk)->hdrincl)
++ if (sk->sk_type == SOCK_RAW &&
++ !(fl4->flowi4_flags & FLOWI_FLAG_KNOWN_NH))
+ icmp_type = fl4->fl4_icmp_type;
+ else
+ icmp_type = icmp_hdr(skb)->type;
+--- a/net/ipv4/raw.c
++++ b/net/ipv4/raw.c
+@@ -608,6 +608,9 @@ static int raw_sendmsg(struct sock *sk,
+ (hdrincl ? FLOWI_FLAG_KNOWN_NH : 0),
+ daddr, saddr, 0, 0, sk->sk_uid);
+
++ fl4.fl4_icmp_type = 0;
++ fl4.fl4_icmp_code = 0;
++
+ if (!hdrincl) {
+ rfv.msg = msg;
+ rfv.hlen = 0;
diff --git a/queue-6.1/ipv6-fix-potential-uninit-value-access-in-__ip6_make_skb.patch b/queue-6.1/ipv6-fix-potential-uninit-value-access-in-__ip6_make_skb.patch
new file mode 100644
index 0000000000..03e489efff
--- /dev/null
+++ b/queue-6.1/ipv6-fix-potential-uninit-value-access-in-__ip6_make_skb.patch
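Review bot: The comment above the new test in __ip_make_skb() does not say why the flow flag is read instead of the socket's hdrincl bit. The test treats FLOWI_FLAG_KNOWN_NH as "the caller supplied the IP header", a meaning established only by the `(hdrincl ? FLOWI_FLAG_KNOWN_NH : 0)` argument visible in raw_sendmsg(). Without a note, a later cleanup could restore the socket read and bring back the setsockopt race from the commit message, or another SOCK_RAW path that sets the flag for routing reasons could silently change which ICMP type is used. I would extend the existing comment with `Test the flow flag, not inet_sk(sk)->hdrincl: the socket option can change while the skb is being built.` The same applies to the __ip6_make_skb() hunk in ipv6-fix-potential-uninit-value-access-in-__ip6_make_skb.patch, which has no comment at all and whose flag setter is not shown on this page. Both function bodies extend beyond their hunks.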
@@ -0,0 +1,35 @@
+From 4e13d3a9c25b7080f8a619f961e943fe08c2672c Mon Sep 17 00:00:00 2001
+From: Shigeru Yoshida
+Date: Mon, 6 May 2024 23:11:29 +0900
+Subject: ipv6: Fix potential uninit-value access in __ip6_make_skb()
+
+From: Shigeru Yoshida
+
+commit 4e13d3a9c25b7080f8a619f961e943fe08c2672c upstream.
+
+As it was done in commit fc1092f51567 ("ipv4: Fix uninit-value access in
+__ip_make_skb()") for IPv4, check FLOWI_FLAG_KNOWN_NH on fl6->flowi6_flags
+instead of testing HDRINCL on the socket to avoid a race condition which
+causes uninit-value access.
+
+Fixes: ea30388baebc ("ipv6: Fix an uninit variable access bug in __ip6_make_skb()")
+Signed-off-by: Shigeru Yoshida
+Signed-off-by: David S. Miller
+Signed-off-by: Zhaoyang Li
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv6/ip6_output.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -1985,7 +1985,8 @@ struct sk_buff *__ip6_make_skb(struct so
+ struct inet6_dev *idev = ip6_dst_idev(skb_dst(skb));
+ u8 icmp6_type;
+
+- if (sk->sk_socket->type == SOCK_RAW && !inet_sk(sk)->hdrincl)
++ if (sk->sk_socket->type == SOCK_RAW &&
++ !(fl6->flowi6_flags & FLOWI_FLAG_KNOWN_NH))
+ icmp6_type = fl6->fl6_icmp_type;
+ else
+ icmp6_type = icmp6_hdr(skb)->icmp6_type;
diff --git a/queue-6.1/platform-x86-amd-pmc-only-disable-irq1-wakeup-where-i8042-actually-enabled-it.patch b/queue-6.1/platform-x86-amd-pmc-only-disable-irq1-wakeup-where-i8042-actually-enabled-it.patch
new file mode 100644
index 0000000000..eb748fe452
--- /dev/null
+++ b/queue-6.1/platform-x86-amd-pmc-only-disable-irq1-wakeup-where-i8042-actually-enabled-it.patch
@@ -0,0 +1,70 @@
+From dd410d784402c5775f66faf8b624e85e41c38aaf Mon Sep 17 00:00:00 2001
+From: "Maciej S. Szmigiero"
+Date: Mon, 6 Jan 2025 18:40:34 +0100
+Subject: platform/x86/amd/pmc: Only disable IRQ1 wakeup where i8042 actually enabled it
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maciej S. Szmigiero
+
+commit dd410d784402c5775f66faf8b624e85e41c38aaf upstream.
+
+Wakeup for IRQ1 should be disabled only in cases where i8042 had
+actually enabled it, otherwise "wake_depth" for this IRQ will try to
+drop below zero and there will be an unpleasant WARN() logged:
+
+kernel: atkbd serio0: Disabling IRQ1 wakeup source to avoid platform firmware bug
+kernel: ------------[ cut here ]------------
+kernel: Unbalanced IRQ 1 wake disable
+kernel: WARNING: CPU: 10 PID: 6431 at kernel/irq/manage.c:920 irq_set_irq_wake+0x147/0x1a0
+
+The PMC driver uses DEFINE_SIMPLE_DEV_PM_OPS() to define its dev_pm_ops
+which sets amd_pmc_suspend_handler() to the .suspend, .freeze, and
+.poweroff handlers. i8042_pm_suspend(), however, is only set as
+the .suspend handler.
+
+Fix the issue by call PMC suspend handler only from the same set of
+dev_pm_ops handlers as i8042_pm_suspend(), which currently means just
+the .suspend handler.
+
+To reproduce this issue try hibernating (S4) the machine after a fresh boot
+without putting it into s2idle first.
+
+Fixes: 8e60615e8932 ("platform/x86/amd: pmc: Disable IRQ1 wakeup for RN/CZN")
+Reviewed-by: Mario Limonciello
+Signed-off-by: Maciej S. Szmigiero
+Link: https://lore.kernel.org/r/c8f28c002ca3c66fbeeb850904a1f43118e17200.1736184606.git.mail@maciej.szmigiero.name
+[ij: edited the commit message.]
+Reviewed-by: Ilpo Järvinen
+Signed-off-by: Ilpo Järvinen
+Signed-off-by: Zhaoyang Li
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/platform/x86/amd/pmc.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/platform/x86/amd/pmc.c
++++ b/drivers/platform/x86/amd/pmc.c
+@@ -834,6 +834,10 @@ static int __maybe_unused amd_pmc_suspen
+ {
+ struct amd_pmc_dev *pdev = dev_get_drvdata(dev);
+
++ /*
++ * Must be called only from the same set of dev_pm_ops handlers
++ * as i8042_pm_suspend() is called: currently just from .suspend.
++ */
+ if (pdev->cpu_id == AMD_CPU_ID_CZN) {
+ int rc = amd_pmc_czn_wa_irq1(pdev);
+
+@@ -846,7 +850,9 @@ static int __maybe_unused amd_pmc_suspen
+ return 0;
+ }
+
+-static SIMPLE_DEV_PM_OPS(amd_pmc_pm, amd_pmc_suspend_handler, NULL);
++static const struct dev_pm_ops amd_pmc_pm = {
++ .suspend = amd_pmc_suspend_handler,
++};
+
+ #endif
+
diff --git a/queue-6.1/series b/queue-6.1/series
index eb8666f086..93c280704c 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -88,3 +88,10 @@ btrfs-don-t-bug_on-when-0-reference-count-at-btrfs_lookup_extent_info.patch
 netfilter-nf_tables-pass-nft_chain-to-destroy-function-not-nft_ctx.patch
 netfilter-nf_tables-wait-for-rcu-grace-period-on-net_device-removal.patch
 netfilter-nf_tables-do-not-defer-rule-destruction-via-call_rcu.patch
+arm64-sme-always-exit-sme_alloc-early-with-existing-storage.patch
+platform-x86-amd-pmc-only-disable-irq1-wakeup-where-i8042-actually-enabled-it.patch
+bnxt_en-fix-receive-ring-space-parameters-when-xdp-is-active.patch
+ipv6-fix-potential-uninit-value-access-in-__ip6_make_skb.patch
+ipv4-fix-uninit-value-access-in-__ip_make_skb.patch
+spi-cadence-qspi-fix-pointer-reference-in-runtime-pm-hooks.patch
+drm-amdgpu-fix-pm-notifier-handling.patch
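Review bot: The rule that amd_pmc_suspend_handler() may only be wired to .suspend is documented inside the handler, above the CZN check, rather than at the new `amd_pmc_pm` table in drivers/platform/x86/amd/pmc.c, which is where someone adding .freeze or .poweroff would be editing. The unbalanced IRQ1 wake-disable described in the commit message would then come back without the comment being seen. I would put a one-line comment on the table as well: `/* .suspend only: must mirror the dev_pm_ops slots that run i8042_pm_suspend() */`. The handler body is split across two hunks and is not fully visible here.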
diff --git a/queue-6.1/spi-cadence-qspi-fix-pointer-reference-in-runtime-pm-hooks.patch b/queue-6.1/spi-cadence-qspi-fix-pointer-reference-in-runtime-pm-hooks.patch
new file mode 100644
index 0000000000..e7d2a0bd71
--- /dev/null
+++ b/queue-6.1/spi-cadence-qspi-fix-pointer-reference-in-runtime-pm-hooks.patch
@@ -0,0 +1,61 @@
+From 32ce3bb57b6b402de2aec1012511e7ac4e7449dc Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Th=C3=A9o=20Lebrun?=
+Date: Thu, 22 Feb 2024 11:12:29 +0100
+Subject: spi: cadence-qspi: fix pointer reference in runtime PM hooks
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Théo Lebrun
+
+commit 32ce3bb57b6b402de2aec1012511e7ac4e7449dc upstream.
+
+dev_get_drvdata() gets used to acquire the pointer to cqspi and the SPI
+controller. Neither embed the other; this lead to memory corruption.
+
+On a given platform (Mobileye EyeQ5) the memory corruption is hidden
+inside cqspi->f_pdata. Also, this uninitialised memory is used as a
+mutex (ctlr->bus_lock_mutex) by spi_controller_suspend().
+
+Fixes: 2087e85bb66e ("spi: cadence-quadspi: fix suspend-resume implementations")
+Reviewed-by: Dhruva Gole
+Signed-off-by: Théo Lebrun
+Link: https://msgid.link/r/20240222-cdns-qspi-pm-fix-v4-1-6b6af8bcbf59@bootlin.com
+Signed-off-by: Mark Brown
+Signed-off-by: Zhaoyang Li
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/spi/spi-cadence-quadspi.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/spi/spi-cadence-quadspi.c
++++ b/drivers/spi/spi-cadence-quadspi.c
+@@ -1775,10 +1775,9 @@ static int cqspi_remove(struct platform_
+ static int cqspi_suspend(struct device *dev)
+ {
+ struct cqspi_st *cqspi = dev_get_drvdata(dev);
+- struct spi_master *master = dev_get_drvdata(dev);
+ int ret;
+
+- ret = spi_master_suspend(master);
++ ret = spi_master_suspend(cqspi->master);
+ cqspi_controller_enable(cqspi, 0);
+
+ clk_disable_unprepare(cqspi->clk);
+@@ -1789,7 +1788,6 @@ static int cqspi_suspend(struct device *
+ static int cqspi_resume(struct device *dev)
+ {
+ struct cqspi_st *cqspi = dev_get_drvdata(dev);
+- struct spi_master *master = dev_get_drvdata(dev);
+
+ clk_prepare_enable(cqspi->clk);
+ cqspi_wait_idle(cqspi);
+@@ -1798,7 +1796,7 @@ static int cqspi_resume(struct device *d
+ cqspi->current_cs = -1;
+ cqspi->sclk = 0;
+
+- return spi_master_resume(master);
++ return spi_master_resume(cqspi->master);
+ }
+
+ static DEFINE_SIMPLE_DEV_PM_OPS(cqspi_dev_pm_ops, cqspi_suspend, cqspi_resume);
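Review bot: In cqspi_suspend() the result of `spi_master_suspend(cqspi->master)` is stored in `ret`, but the next two visible lines disable the controller and gate the clock regardless. If the SPI core reports that it could not suspend, the hardware is presumably taken down underneath it. I would bail out first with `if (ret) return ret;` directly after the call. In cqspi_resume() the return value of `clk_prepare_enable(cqspi->clk)` is likewise ignored before cqspi_wait_idle() touches the controller. The end of cqspi_suspend() is outside the hunk, so what it finally returns is not visible here.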