From: Sasha Levin Date: Tue, 10 Dec 2024 20:35:47 +0000 (-0500) Subject: Fixes for 5.10 X-Git-Tag: v6.6.65~4^2~1 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f682dc9e6fa06f6e113911ec35b79ece41239fab;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.10 Signed-off-by: Sasha Levin --- diff --git a/queue-5.10/af_packet-avoid-erroring-out-after-sock_init_data-in.patch b/queue-5.10/af_packet-avoid-erroring-out-after-sock_init_data-in.patch new file mode 100644 index 00000000000..c24b16aa362 --- /dev/null +++ b/queue-5.10/af_packet-avoid-erroring-out-after-sock_init_data-in.patch @@ -0,0 +1,67 @@ +From 6185bfe04a762815c6f82b7bc1ff181bdf8245cf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Oct 2024 16:38:00 +0100 +Subject: af_packet: avoid erroring out after sock_init_data() in + packet_create() + +From: Ignat Korchagin + +[ Upstream commit 46f2a11cb82b657fd15bab1c47821b635e03838b ] + +After sock_init_data() the allocated sk object is attached to the provided +sock object. On error, packet_create() frees the sk object leaving the +dangling pointer in the sock object on return. Some other code may try +to use this pointer and cause use-after-free. + +Suggested-by: Eric Dumazet +Signed-off-by: Ignat Korchagin +Reviewed-by: Kuniyuki Iwashima +Reviewed-by: Willem de Bruijn +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20241014153808.51894-2-ignat@cloudflare.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/packet/af_packet.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index ce3e20bcde4ab..01a191c8194b4 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -3386,18 +3386,18 @@ static int packet_create(struct net *net, struct socket *sock, int protocol, + if (sock->type == SOCK_PACKET) + sock->ops = &packet_ops_spkt; + ++ po = pkt_sk(sk); ++ err = packet_alloc_pending(po); ++ if (err) ++ goto out_sk_free; ++ + sock_init_data(sock, sk); + +- po = pkt_sk(sk); + init_completion(&po->skb_completion); + sk->sk_family = PF_PACKET; + po->num = proto; + po->xmit = dev_queue_xmit; + +- err = packet_alloc_pending(po); +- if (err) +- goto out2; +- + packet_cached_dev_reset(po); + + sk->sk_destruct = packet_sock_destruct; +@@ -3432,7 +3432,7 @@ static int packet_create(struct net *net, struct socket *sock, int protocol, + preempt_enable(); + + return 0; +-out2: ++out_sk_free: + sk_free(sk); + out: + return err; +-- +2.43.0 + diff --git a/queue-5.10/asoc-hdmi-codec-reorder-channel-allocation-list.patch b/queue-5.10/asoc-hdmi-codec-reorder-channel-allocation-list.patch new file mode 100644 index 00000000000..208d748f6b8 --- /dev/null +++ b/queue-5.10/asoc-hdmi-codec-reorder-channel-allocation-list.patch @@ -0,0 +1,210 @@ +From fcadf2ec6f59b1c0a0ec242cc12e01fa37740544 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Nov 2024 04:43:44 +0000 +Subject: ASoC: hdmi-codec: reorder channel allocation list + +From: Jonas Karlman + +[ Upstream commit 82ff5abc2edcfba0c0f1a1be807795e2876f46e9 ] + +The ordering in hdmi_codec_get_ch_alloc_table_idx() results in +wrong channel allocation for a number of cases, e.g. when ELD +reports FL|FR|LFE|FC|RL|RR or FL|FR|LFE|FC|RL|RR|RC|RLC|RRC: + +ca_id 0x01 with speaker mask FL|FR|LFE is selected instead of +ca_id 0x03 with speaker mask FL|FR|LFE|FC for 4 channels + +and + +ca_id 0x04 with speaker mask FL|FR|RC gets selected instead of +ca_id 0x0b with speaker mask FL|FR|LFE|FC|RL|RR for 6 channels + +Fix this by reordering the channel allocation list with most +specific speaker masks at the top. + +Signed-off-by: Jonas Karlman +Signed-off-by: Christian Hewitt +Link: https://patch.msgid.link/20241115044344.3510979-1-christianshewitt@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/hdmi-codec.c | 140 +++++++++++++++++++--------------- + 1 file changed, 77 insertions(+), 63 deletions(-) + +diff --git a/sound/soc/codecs/hdmi-codec.c b/sound/soc/codecs/hdmi-codec.c +index 403d4c6a49a80..522bfec892d5b 100644 +--- a/sound/soc/codecs/hdmi-codec.c ++++ b/sound/soc/codecs/hdmi-codec.c +@@ -189,84 +189,97 @@ static const struct snd_pcm_chmap_elem hdmi_codec_8ch_chmaps[] = { + /* + * hdmi_codec_channel_alloc: speaker configuration available for CEA + * +- * This is an ordered list that must match with hdmi_codec_8ch_chmaps struct ++ * This is an ordered list where ca_id must exist in hdmi_codec_8ch_chmaps + * The preceding ones have better chances to be selected by + * hdmi_codec_get_ch_alloc_table_idx(). + */ + static const struct hdmi_codec_cea_spk_alloc hdmi_codec_channel_alloc[] = { + { .ca_id = 0x00, .n_ch = 2, +- .mask = FL | FR}, +- /* 2.1 */ +- { .ca_id = 0x01, .n_ch = 4, +- .mask = FL | FR | LFE}, +- /* Dolby Surround */ ++ .mask = FL | FR }, ++ { .ca_id = 0x03, .n_ch = 4, ++ .mask = FL | FR | LFE | FC }, + { .ca_id = 0x02, .n_ch = 4, + .mask = FL | FR | FC }, +- /* surround51 */ ++ { .ca_id = 0x01, .n_ch = 4, ++ .mask = FL | FR | LFE }, + { .ca_id = 0x0b, .n_ch = 6, +- .mask = FL | FR | LFE | FC | RL | RR}, +- /* surround40 */ +- { .ca_id = 0x08, .n_ch = 6, +- .mask = FL | FR | RL | RR }, +- /* surround41 */ +- { .ca_id = 0x09, .n_ch = 6, +- .mask = FL | FR | LFE | RL | RR }, +- /* surround50 */ ++ .mask = FL | FR | LFE | FC | RL | RR }, + { .ca_id = 0x0a, .n_ch = 6, + .mask = FL | FR | FC | RL | RR }, +- /* 6.1 */ +- { .ca_id = 0x0f, .n_ch = 8, +- .mask = FL | FR | LFE | FC | RL | RR | RC }, +- /* surround71 */ ++ { .ca_id = 0x09, .n_ch = 6, ++ .mask = FL | FR | LFE | RL | RR }, ++ { .ca_id = 0x08, .n_ch = 6, ++ .mask = FL | FR | RL | RR }, ++ { .ca_id = 0x07, .n_ch = 6, ++ .mask = FL | FR | LFE | FC | RC }, ++ { .ca_id = 0x06, .n_ch = 6, ++ .mask = FL | FR | FC | RC }, ++ { .ca_id = 0x05, .n_ch = 6, ++ .mask = FL | FR | LFE | RC }, ++ { .ca_id = 0x04, .n_ch = 6, ++ .mask = FL | FR | RC }, + { .ca_id = 0x13, .n_ch = 8, + .mask = FL | FR | LFE | FC | RL | RR | RLC | RRC }, +- /* others */ +- { .ca_id = 0x03, .n_ch = 8, +- .mask = FL | FR | LFE | FC }, +- { .ca_id = 0x04, .n_ch = 8, +- .mask = FL | FR | RC}, +- { .ca_id = 0x05, .n_ch = 8, +- .mask = FL | FR | LFE | RC }, +- { .ca_id = 0x06, .n_ch = 8, +- .mask = FL | FR | FC | RC }, +- { .ca_id = 0x07, .n_ch = 8, +- .mask = FL | FR | LFE | FC | RC }, +- { .ca_id = 0x0c, .n_ch = 8, +- .mask = FL | FR | RC | RL | RR }, +- { .ca_id = 0x0d, .n_ch = 8, +- .mask = FL | FR | LFE | RL | RR | RC }, +- { .ca_id = 0x0e, .n_ch = 8, +- .mask = FL | FR | FC | RL | RR | RC }, +- { .ca_id = 0x10, .n_ch = 8, +- .mask = FL | FR | RL | RR | RLC | RRC }, +- { .ca_id = 0x11, .n_ch = 8, +- .mask = FL | FR | LFE | RL | RR | RLC | RRC }, ++ { .ca_id = 0x1f, .n_ch = 8, ++ .mask = FL | FR | LFE | FC | RL | RR | FLC | FRC }, + { .ca_id = 0x12, .n_ch = 8, + .mask = FL | FR | FC | RL | RR | RLC | RRC }, +- { .ca_id = 0x14, .n_ch = 8, +- .mask = FL | FR | FLC | FRC }, +- { .ca_id = 0x15, .n_ch = 8, +- .mask = FL | FR | LFE | FLC | FRC }, +- { .ca_id = 0x16, .n_ch = 8, +- .mask = FL | FR | FC | FLC | FRC }, +- { .ca_id = 0x17, .n_ch = 8, +- .mask = FL | FR | LFE | FC | FLC | FRC }, +- { .ca_id = 0x18, .n_ch = 8, +- .mask = FL | FR | RC | FLC | FRC }, +- { .ca_id = 0x19, .n_ch = 8, +- .mask = FL | FR | LFE | RC | FLC | FRC }, +- { .ca_id = 0x1a, .n_ch = 8, +- .mask = FL | FR | RC | FC | FLC | FRC }, +- { .ca_id = 0x1b, .n_ch = 8, +- .mask = FL | FR | LFE | RC | FC | FLC | FRC }, +- { .ca_id = 0x1c, .n_ch = 8, +- .mask = FL | FR | RL | RR | FLC | FRC }, +- { .ca_id = 0x1d, .n_ch = 8, +- .mask = FL | FR | LFE | RL | RR | FLC | FRC }, + { .ca_id = 0x1e, .n_ch = 8, + .mask = FL | FR | FC | RL | RR | FLC | FRC }, +- { .ca_id = 0x1f, .n_ch = 8, +- .mask = FL | FR | LFE | FC | RL | RR | FLC | FRC }, ++ { .ca_id = 0x11, .n_ch = 8, ++ .mask = FL | FR | LFE | RL | RR | RLC | RRC }, ++ { .ca_id = 0x1d, .n_ch = 8, ++ .mask = FL | FR | LFE | RL | RR | FLC | FRC }, ++ { .ca_id = 0x10, .n_ch = 8, ++ .mask = FL | FR | RL | RR | RLC | RRC }, ++ { .ca_id = 0x1c, .n_ch = 8, ++ .mask = FL | FR | RL | RR | FLC | FRC }, ++ { .ca_id = 0x0f, .n_ch = 8, ++ .mask = FL | FR | LFE | FC | RL | RR | RC }, ++ { .ca_id = 0x1b, .n_ch = 8, ++ .mask = FL | FR | LFE | RC | FC | FLC | FRC }, ++ { .ca_id = 0x0e, .n_ch = 8, ++ .mask = FL | FR | FC | RL | RR | RC }, ++ { .ca_id = 0x1a, .n_ch = 8, ++ .mask = FL | FR | RC | FC | FLC | FRC }, ++ { .ca_id = 0x0d, .n_ch = 8, ++ .mask = FL | FR | LFE | RL | RR | RC }, ++ { .ca_id = 0x19, .n_ch = 8, ++ .mask = FL | FR | LFE | RC | FLC | FRC }, ++ { .ca_id = 0x0c, .n_ch = 8, ++ .mask = FL | FR | RC | RL | RR }, ++ { .ca_id = 0x18, .n_ch = 8, ++ .mask = FL | FR | RC | FLC | FRC }, ++ { .ca_id = 0x17, .n_ch = 8, ++ .mask = FL | FR | LFE | FC | FLC | FRC }, ++ { .ca_id = 0x16, .n_ch = 8, ++ .mask = FL | FR | FC | FLC | FRC }, ++ { .ca_id = 0x15, .n_ch = 8, ++ .mask = FL | FR | LFE | FLC | FRC }, ++ { .ca_id = 0x14, .n_ch = 8, ++ .mask = FL | FR | FLC | FRC }, ++ { .ca_id = 0x0b, .n_ch = 8, ++ .mask = FL | FR | LFE | FC | RL | RR }, ++ { .ca_id = 0x0a, .n_ch = 8, ++ .mask = FL | FR | FC | RL | RR }, ++ { .ca_id = 0x09, .n_ch = 8, ++ .mask = FL | FR | LFE | RL | RR }, ++ { .ca_id = 0x08, .n_ch = 8, ++ .mask = FL | FR | RL | RR }, ++ { .ca_id = 0x07, .n_ch = 8, ++ .mask = FL | FR | LFE | FC | RC }, ++ { .ca_id = 0x06, .n_ch = 8, ++ .mask = FL | FR | FC | RC }, ++ { .ca_id = 0x05, .n_ch = 8, ++ .mask = FL | FR | LFE | RC }, ++ { .ca_id = 0x04, .n_ch = 8, ++ .mask = FL | FR | RC }, ++ { .ca_id = 0x03, .n_ch = 8, ++ .mask = FL | FR | LFE | FC }, ++ { .ca_id = 0x02, .n_ch = 8, ++ .mask = FL | FR | FC }, ++ { .ca_id = 0x01, .n_ch = 8, ++ .mask = FL | FR | LFE }, + }; + + struct hdmi_codec_priv { +@@ -373,7 +386,8 @@ static int hdmi_codec_chmap_ctl_get(struct snd_kcontrol *kcontrol, + struct snd_pcm_chmap *info = snd_kcontrol_chip(kcontrol); + struct hdmi_codec_priv *hcp = info->private_data; + +- map = info->chmap[hcp->chmap_idx].map; ++ if (hcp->chmap_idx != HDMI_CODEC_CHMAP_IDX_UNKNOWN) ++ map = info->chmap[hcp->chmap_idx].map; + + for (i = 0; i < info->max_channels; i++) { + if (hcp->chmap_idx == HDMI_CODEC_CHMAP_IDX_UNKNOWN) +-- +2.43.0 + diff --git a/queue-5.10/bluetooth-btusb-add-rtl8852be-device-0489-e123-to-de.patch b/queue-5.10/bluetooth-btusb-add-rtl8852be-device-0489-e123-to-de.patch new file mode 100644 index 00000000000..3097af11fcc --- /dev/null +++ b/queue-5.10/bluetooth-btusb-add-rtl8852be-device-0489-e123-to-de.patch @@ -0,0 +1,67 @@ +From b995309301509db4a758aeb516b15a40dbb9b904 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Oct 2024 16:37:29 +0800 +Subject: Bluetooth: btusb: Add RTL8852BE device 0489:e123 to device tables + +From: Hilda Wu + +[ Upstream commit 69b84ffce260ff13826dc10aeb3c3e5c2288a552 ] + +Add the support ID 0489:e123 to usb_device_id table for +Realtek RTL8852B chip. + +The device info from /sys/kernel/debug/usb/devices as below. + +T: Bus=01 Lev=01 Prnt=01 Port=07 Cnt=04 Dev#= 7 Spd=12 MxCh= 0 +D: Ver= 1.00 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=0489 ProdID=e123 Rev= 0.00 +S: Manufacturer=Realtek +S: Product=Bluetooth Radio +S: SerialNumber=00e04c000001 +C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=500mA +I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms +E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms +E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms +I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms +I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms +I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms +I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms +I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms +I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms + +Signed-off-by: Hilda Wu +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/btusb.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c +index d34c7758b93de..cf0a0b3eaf886 100644 +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -430,6 +430,8 @@ static const struct usb_device_id blacklist_table[] = { + BTUSB_WIDEBAND_SPEECH }, + { USB_DEVICE(0x13d3, 0x3591), .driver_info = BTUSB_REALTEK | + BTUSB_WIDEBAND_SPEECH }, ++ { USB_DEVICE(0x0489, 0xe123), .driver_info = BTUSB_REALTEK | ++ BTUSB_WIDEBAND_SPEECH }, + { USB_DEVICE(0x0489, 0xe125), .driver_info = BTUSB_REALTEK | + BTUSB_WIDEBAND_SPEECH }, + +-- +2.43.0 + diff --git a/queue-5.10/bluetooth-l2cap-do-not-leave-dangling-sk-pointer-on-.patch b/queue-5.10/bluetooth-l2cap-do-not-leave-dangling-sk-pointer-on-.patch new file mode 100644 index 00000000000..c4776976b1c --- /dev/null +++ b/queue-5.10/bluetooth-l2cap-do-not-leave-dangling-sk-pointer-on-.patch @@ -0,0 +1,40 @@ +From 4cc191913f7d369b308b09c865574aeecdcc3987 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Oct 2024 16:38:01 +0100 +Subject: Bluetooth: L2CAP: do not leave dangling sk pointer on error in + l2cap_sock_create() + +From: Ignat Korchagin + +[ Upstream commit 7c4f78cdb8e7501e9f92d291a7d956591bf73be9 ] + +bt_sock_alloc() allocates the sk object and attaches it to the provided +sock object. On error l2cap_sock_alloc() frees the sk object, but the +dangling pointer is still attached to the sock object, which may create +use-after-free in other code. + +Signed-off-by: Ignat Korchagin +Reviewed-by: Kuniyuki Iwashima +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20241014153808.51894-3-ignat@cloudflare.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/bluetooth/l2cap_sock.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c +index 93afa52c04660..cbaefbba6f4db 100644 +--- a/net/bluetooth/l2cap_sock.c ++++ b/net/bluetooth/l2cap_sock.c +@@ -1864,6 +1864,7 @@ static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, + chan = l2cap_chan_create(); + if (!chan) { + sk_free(sk); ++ sock->sk = NULL; + return NULL; + } + +-- +2.43.0 + diff --git a/queue-5.10/btrfs-avoid-unnecessary-device-path-update-for-the-s.patch b/queue-5.10/btrfs-avoid-unnecessary-device-path-update-for-the-s.patch new file mode 100644 index 00000000000..ba11b8fb02b --- /dev/null +++ b/queue-5.10/btrfs-avoid-unnecessary-device-path-update-for-the-s.patch @@ -0,0 +1,126 @@ +From fe8dfe8976c5eff638a13754b946a9724ede079d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Sep 2024 12:52:17 +0930 +Subject: btrfs: avoid unnecessary device path update for the same device + +From: Qu Wenruo + +[ Upstream commit 2e8b6bc0ab41ce41e6dfcc204b6cc01d5abbc952 ] + +[PROBLEM] +It is very common for udev to trigger device scan, and every time a +mounted btrfs device got re-scan from different soft links, we will get +some of unnecessary device path updates, this is especially common +for LVM based storage: + + # lvs + scratch1 test -wi-ao---- 10.00g + scratch2 test -wi-a----- 10.00g + scratch3 test -wi-a----- 10.00g + scratch4 test -wi-a----- 10.00g + scratch5 test -wi-a----- 10.00g + test test -wi-a----- 10.00g + + # mkfs.btrfs -f /dev/test/scratch1 + # mount /dev/test/scratch1 /mnt/btrfs + # dmesg -c + [ 205.705234] BTRFS: device fsid 7be2602f-9e35-4ecf-a6ff-9e91d2c182c9 devid 1 transid 6 /dev/mapper/test-scratch1 (253:4) scanned by mount (1154) + [ 205.710864] BTRFS info (device dm-4): first mount of filesystem 7be2602f-9e35-4ecf-a6ff-9e91d2c182c9 + [ 205.711923] BTRFS info (device dm-4): using crc32c (crc32c-intel) checksum algorithm + [ 205.713856] BTRFS info (device dm-4): using free-space-tree + [ 205.722324] BTRFS info (device dm-4): checking UUID tree + +So far so good, but even if we just touched any soft link of +"dm-4", we will get quite some unnecessary device path updates. + + # touch /dev/mapper/test-scratch1 + # dmesg -c + [ 469.295796] BTRFS info: devid 1 device path /dev/mapper/test-scratch1 changed to /dev/dm-4 scanned by (udev-worker) (1221) + [ 469.300494] BTRFS info: devid 1 device path /dev/dm-4 changed to /dev/mapper/test-scratch1 scanned by (udev-worker) (1221) + +Such device path rename is unnecessary and can lead to random path +change due to the udev race. + +[CAUSE] +Inside device_list_add(), we are using a very primitive way checking if +the device has changed, strcmp(). + +Which can never handle links well, no matter if it's hard or soft links. + +So every different link of the same device will be treated as a different +device, causing the unnecessary device path update. + +[FIX] +Introduce a helper, is_same_device(), and use path_equal() to properly +detect the same block device. +So that the different soft links won't trigger the rename race. + +Reviewed-by: Filipe Manana +Link: https://bugzilla.suse.com/show_bug.cgi?id=1230641 +Reported-by: Fabian Vogt +Signed-off-by: Qu Wenruo +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/volumes.c | 38 +++++++++++++++++++++++++++++++++++++- + 1 file changed, 37 insertions(+), 1 deletion(-) + +diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c +index 209eb85b6c270..9524588346b8e 100644 +--- a/fs/btrfs/volumes.c ++++ b/fs/btrfs/volumes.c +@@ -726,6 +726,42 @@ u8 *btrfs_sb_fsid_ptr(struct btrfs_super_block *sb) + return has_metadata_uuid ? sb->metadata_uuid : sb->fsid; + } + ++static bool is_same_device(struct btrfs_device *device, const char *new_path) ++{ ++ struct path old = { .mnt = NULL, .dentry = NULL }; ++ struct path new = { .mnt = NULL, .dentry = NULL }; ++ char *old_path = NULL; ++ bool is_same = false; ++ int ret; ++ ++ if (!device->name) ++ goto out; ++ ++ old_path = kzalloc(PATH_MAX, GFP_NOFS); ++ if (!old_path) ++ goto out; ++ ++ rcu_read_lock(); ++ ret = strscpy(old_path, rcu_str_deref(device->name), PATH_MAX); ++ rcu_read_unlock(); ++ if (ret < 0) ++ goto out; ++ ++ ret = kern_path(old_path, LOOKUP_FOLLOW, &old); ++ if (ret) ++ goto out; ++ ret = kern_path(new_path, LOOKUP_FOLLOW, &new); ++ if (ret) ++ goto out; ++ if (path_equal(&old, &new)) ++ is_same = true; ++out: ++ kfree(old_path); ++ path_put(&old); ++ path_put(&new); ++ return is_same; ++} ++ + /* + * Handle scanned device having its CHANGING_FSID_V2 flag set and the fs_devices + * being created with a disk that has already completed its fsid change. Such +@@ -927,7 +963,7 @@ static noinline struct btrfs_device *device_list_add(const char *path, + disk_super->fsid, devid, found_transid, path, + current->comm, task_pid_nr(current)); + +- } else if (!device->name || strcmp(device->name->str, path)) { ++ } else if (!device->name || !is_same_device(device, path)) { + /* + * When FS is already mounted. + * 1. If you are here and if the device->name is NULL that +-- +2.43.0 + diff --git a/queue-5.10/dma-debug-fix-a-possible-deadlock-on-radix_lock.patch b/queue-5.10/dma-debug-fix-a-possible-deadlock-on-radix_lock.patch new file mode 100644 index 00000000000..1a25f98adea --- /dev/null +++ b/queue-5.10/dma-debug-fix-a-possible-deadlock-on-radix_lock.patch @@ -0,0 +1,68 @@ +From 8d0421592e9ec3afa3ac780aea294fb5331cf260 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Oct 2024 11:06:00 +0100 +Subject: dma-debug: fix a possible deadlock on radix_lock + +From: Levi Yun + +[ Upstream commit 7543c3e3b9b88212fcd0aaf5cab5588797bdc7de ] + +radix_lock() shouldn't be held while holding dma_hash_entry[idx].lock +otherwise, there's a possible deadlock scenario when +dma debug API is called holding rq_lock(): + +CPU0 CPU1 CPU2 +dma_free_attrs() +check_unmap() add_dma_entry() __schedule() //out + (A) rq_lock() +get_hash_bucket() +(A) dma_entry_hash + check_sync() + (A) radix_lock() (W) dma_entry_hash +dma_entry_free() +(W) radix_lock() + // CPU2's one + (W) rq_lock() + +CPU1 situation can happen when it extending radix tree and +it tries to wake up kswapd via wake_all_kswapd(). + +CPU2 situation can happen while perf_event_task_sched_out() +(i.e. dma sync operation is called while deleting perf_event using + etm and etr tmc which are Arm Coresight hwtracing driver backends). + +To remove this possible situation, call dma_entry_free() after +put_hash_bucket() in check_unmap(). + +Reported-by: Denis Nikitin +Closes: https://lists.linaro.org/archives/list/coresight@lists.linaro.org/thread/2WMS7BBSF5OZYB63VT44U5YWLFP5HL6U/#RWM6MLQX5ANBTEQ2PRM7OXCBGCE6NPWU +Signed-off-by: Levi Yun +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + kernel/dma/debug.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/kernel/dma/debug.c b/kernel/dma/debug.c +index 654b039dfc335..d19f610c9eef8 100644 +--- a/kernel/dma/debug.c ++++ b/kernel/dma/debug.c +@@ -1047,9 +1047,13 @@ static void check_unmap(struct dma_debug_entry *ref) + } + + hash_bucket_del(entry); +- dma_entry_free(entry); +- + put_hash_bucket(bucket, flags); ++ ++ /* ++ * Free the entry outside of bucket_lock to avoid ABBA deadlocks ++ * between that and radix_lock. ++ */ ++ dma_entry_free(entry); + } + + static void check_for_stack(struct device *dev, +-- +2.43.0 + diff --git a/queue-5.10/drm-amdgpu-refine-error-handling-in-amdgpu_ttm_tt_pi.patch b/queue-5.10/drm-amdgpu-refine-error-handling-in-amdgpu_ttm_tt_pi.patch new file mode 100644 index 00000000000..3f297be000d --- /dev/null +++ b/queue-5.10/drm-amdgpu-refine-error-handling-in-amdgpu_ttm_tt_pi.patch @@ -0,0 +1,44 @@ +From d4e9fa834f9c465a972c6349bf69e73b8a64d9a2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Oct 2024 17:21:09 +0800 +Subject: drm/amdgpu: refine error handling in amdgpu_ttm_tt_pin_userptr + +From: Lang Yu + +[ Upstream commit 46186667f98fb7158c98f4ff5da62c427761ffcd ] + +Free sg table when dma_map_sgtable() failed to avoid memory leak. + +Signed-off-by: Lang Yu +Reviewed-by: Alex Deucher +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c +index 0b162928a248b..8196a8e253266 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c +@@ -1006,7 +1006,7 @@ static int amdgpu_ttm_tt_pin_userptr(struct ttm_bo_device *bdev, + /* Map SG to device */ + r = dma_map_sgtable(adev->dev, ttm->sg, direction, 0); + if (r) +- goto release_sg; ++ goto release_sg_table; + + /* convert SG to linear array of pages and dma addresses */ + drm_prime_sg_to_page_addr_arrays(ttm->sg, ttm->pages, +@@ -1014,6 +1014,8 @@ static int amdgpu_ttm_tt_pin_userptr(struct ttm_bo_device *bdev, + + return 0; + ++release_sg_table: ++ sg_free_table(ttm->sg); + release_sg: + kfree(ttm->sg); + ttm->sg = NULL; +-- +2.43.0 + diff --git a/queue-5.10/drm-amdgpu-set-the-right-amdgpu-sg-segment-limitatio.patch b/queue-5.10/drm-amdgpu-set-the-right-amdgpu-sg-segment-limitatio.patch new file mode 100644 index 00000000000..506875bf35a --- /dev/null +++ b/queue-5.10/drm-amdgpu-set-the-right-amdgpu-sg-segment-limitatio.patch @@ -0,0 +1,85 @@ +From dd69d829c46e5867a114d2806ed0c534b27121b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 31 Oct 2024 10:59:17 +0800 +Subject: drm/amdgpu: set the right AMDGPU sg segment limitation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Prike Liang + +[ Upstream commit e2e97435783979124ba92d6870415c57ecfef6a5 ] + +The driver needs to set the correct max_segment_size; +otherwise debug_dma_map_sg() will complain about the +over-mapping of the AMDGPU sg length as following: + +WARNING: CPU: 6 PID: 1964 at kernel/dma/debug.c:1178 debug_dma_map_sg+0x2dc/0x370 +[ 364.049444] Modules linked in: veth amdgpu(OE) amdxcp drm_exec gpu_sched drm_buddy drm_ttm_helper ttm(OE) drm_suballoc_helper drm_display_helper drm_kms_helper i2c_algo_bit rpcsec_gss_krb5 auth_rpcgss nfsv4 nfs lockd grace netfs xt_conntrack xt_MASQUERADE nf_conntrack_netlink xfrm_user xfrm_algo iptable_nat xt_addrtype iptable_filter br_netfilter nvme_fabrics overlay nfnetlink_cttimeout nfnetlink openvswitch nsh nf_conncount nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c bridge stp llc amd_atl intel_rapl_msr intel_rapl_common sunrpc sch_fq_codel snd_hda_codec_realtek snd_hda_codec_generic snd_hda_scodec_component snd_hda_codec_hdmi snd_hda_intel snd_intel_dspcfg edac_mce_amd binfmt_misc snd_hda_codec snd_pci_acp6x snd_hda_core snd_acp_config snd_hwdep snd_soc_acpi kvm_amd snd_pcm kvm snd_seq_midi snd_seq_midi_event crct10dif_pclmul ghash_clmulni_intel sha512_ssse3 snd_rawmidi sha256_ssse3 sha1_ssse3 aesni_intel snd_seq nls_iso8859_1 crypto_simd snd_seq_device cryptd snd_timer rapl input_leds snd +[ 364.049532] ipmi_devintf wmi_bmof ccp serio_raw k10temp sp5100_tco soundcore ipmi_msghandler cm32181 industrialio mac_hid msr parport_pc ppdev lp parport drm efi_pstore ip_tables x_tables pci_stub crc32_pclmul nvme ahci libahci i2c_piix4 r8169 nvme_core i2c_designware_pci realtek i2c_ccgx_ucsi video wmi hid_generic cdc_ether usbnet usbhid hid r8152 mii +[ 364.049576] CPU: 6 PID: 1964 Comm: rocminfo Tainted: G OE 6.10.0-custom #492 +[ 364.049579] Hardware name: AMD Majolica-RN/Majolica-RN, BIOS RMJ1009A 06/13/2021 +[ 364.049582] RIP: 0010:debug_dma_map_sg+0x2dc/0x370 +[ 364.049585] Code: 89 4d b8 e8 36 b1 86 00 8b 4d b8 48 8b 55 b0 44 8b 45 a8 4c 8b 4d a0 48 89 c6 48 c7 c7 00 4b 74 bc 4c 89 4d b8 e8 b4 73 f3 ff <0f> 0b 4c 8b 4d b8 8b 15 c8 2c b8 01 85 d2 0f 85 ee fd ff ff 8b 05 +[ 364.049588] RSP: 0018:ffff9ca600b57ac0 EFLAGS: 00010286 +[ 364.049590] RAX: 0000000000000000 RBX: ffff88b7c132b0c8 RCX: 0000000000000027 +[ 364.049592] RDX: ffff88bb0f521688 RSI: 0000000000000001 RDI: ffff88bb0f521680 +[ 364.049594] RBP: ffff9ca600b57b20 R08: 000000000000006f R09: ffff9ca600b57930 +[ 364.049596] R10: ffff9ca600b57928 R11: ffffffffbcb46328 R12: 0000000000000000 +[ 364.049597] R13: 0000000000000001 R14: ffff88b7c19c0700 R15: ffff88b7c9059800 +[ 364.049599] FS: 00007fb2d3516e80(0000) GS:ffff88bb0f500000(0000) knlGS:0000000000000000 +[ 364.049601] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 364.049603] CR2: 000055610bd03598 CR3: 00000001049f6000 CR4: 0000000000350ef0 +[ 364.049605] Call Trace: +[ 364.049607] +[ 364.049609] ? show_regs+0x6d/0x80 +[ 364.049614] ? __warn+0x8c/0x140 +[ 364.049618] ? debug_dma_map_sg+0x2dc/0x370 +[ 364.049621] ? report_bug+0x193/0x1a0 +[ 364.049627] ? handle_bug+0x46/0x80 +[ 364.049631] ? exc_invalid_op+0x1d/0x80 +[ 364.049635] ? asm_exc_invalid_op+0x1f/0x30 +[ 364.049642] ? debug_dma_map_sg+0x2dc/0x370 +[ 364.049647] __dma_map_sg_attrs+0x90/0xe0 +[ 364.049651] dma_map_sgtable+0x25/0x40 +[ 364.049654] amdgpu_bo_move+0x59a/0x850 [amdgpu] +[ 364.049935] ? srso_return_thunk+0x5/0x5f +[ 364.049939] ? amdgpu_ttm_tt_populate+0x5d/0xc0 [amdgpu] +[ 364.050095] ttm_bo_handle_move_mem+0xc3/0x180 [ttm] +[ 364.050103] ttm_bo_validate+0xc1/0x160 [ttm] +[ 364.050108] ? amdgpu_ttm_tt_get_user_pages+0xe5/0x1b0 [amdgpu] +[ 364.050263] amdgpu_amdkfd_gpuvm_alloc_memory_of_gpu+0xa12/0xc90 [amdgpu] +[ 364.050473] kfd_ioctl_alloc_memory_of_gpu+0x16b/0x3b0 [amdgpu] +[ 364.050680] kfd_ioctl+0x3c2/0x530 [amdgpu] +[ 364.050866] ? __pfx_kfd_ioctl_alloc_memory_of_gpu+0x10/0x10 [amdgpu] +[ 364.051054] ? srso_return_thunk+0x5/0x5f +[ 364.051057] ? tomoyo_file_ioctl+0x20/0x30 +[ 364.051063] __x64_sys_ioctl+0x9c/0xd0 +[ 364.051068] x64_sys_call+0x1219/0x20d0 +[ 364.051073] do_syscall_64+0x51/0x120 +[ 364.051077] entry_SYSCALL_64_after_hwframe+0x76/0x7e +[ 364.051081] RIP: 0033:0x7fb2d2f1a94f + +Signed-off-by: Prike Liang +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c +index 8196a8e253266..02fdee7820a92 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c +@@ -1886,6 +1886,7 @@ int amdgpu_ttm_init(struct amdgpu_device *adev) + + mutex_init(&adev->mman.gtt_window_lock); + ++ dma_set_max_seg_size(adev->dev, UINT_MAX); + /* No others user of address space so set it to 0 */ + r = ttm_bo_device_init(&adev->mman.bdev, + &amdgpu_bo_driver, +-- +2.43.0 + diff --git a/queue-5.10/drm-amdgpu-skip-amdgpu_device_cache_pci_state-under-.patch b/queue-5.10/drm-amdgpu-skip-amdgpu_device_cache_pci_state-under-.patch new file mode 100644 index 00000000000..f01e42db731 --- /dev/null +++ b/queue-5.10/drm-amdgpu-skip-amdgpu_device_cache_pci_state-under-.patch @@ -0,0 +1,41 @@ +From 7df9b3b1299c26cc67872f4ef1e5bc7451cb44c8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Oct 2024 13:40:39 +0800 +Subject: drm/amdgpu: skip amdgpu_device_cache_pci_state under sriov + +From: Victor Zhao + +[ Upstream commit afe260df55ac280cd56306248cb6d8a6b0db095c ] + +Under sriov, host driver will save and restore vf pci cfg space during +reset. And during device init, under sriov, pci_restore_state happens after +fullaccess released, and it can have race condition with mmio protection +enable from host side leading to missing interrupts. + +So skip amdgpu_device_cache_pci_state for sriov. + +Signed-off-by: Victor Zhao +Acked-by: Lijo Lazar +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +index e833c02fabff3..2f42471e578ad 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +@@ -5088,6 +5088,9 @@ bool amdgpu_device_cache_pci_state(struct pci_dev *pdev) + struct amdgpu_device *adev = drm_to_adev(dev); + int r; + ++ if (amdgpu_sriov_vf(adev)) ++ return false; ++ + r = pci_save_state(pdev); + if (!r) { + kfree(adev->pci_state); +-- +2.43.0 + diff --git a/queue-5.10/drm-mcde-enable-module-autoloading.patch b/queue-5.10/drm-mcde-enable-module-autoloading.patch new file mode 100644 index 00000000000..1f25b5b7c08 --- /dev/null +++ b/queue-5.10/drm-mcde-enable-module-autoloading.patch @@ -0,0 +1,36 @@ +From b0de36c87633d9b998320e6f5bb41d59e9e3a952 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Sep 2024 11:33:20 +0000 +Subject: drm/mcde: Enable module autoloading + +From: Liao Chen + +[ Upstream commit 8a16b5cdae26207ff4c22834559384ad3d7bc970 ] + +Add MODULE_DEVICE_TABLE(), so modules could be properly autoloaded based +on the alias from of_device_id table. + +Signed-off-by: Liao Chen +Reviewed-by: Linus Walleij +Link: https://patchwork.freedesktop.org/patch/msgid/20240902113320.903147-4-liaochen4@huawei.com +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/mcde/mcde_drv.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/mcde/mcde_drv.c b/drivers/gpu/drm/mcde/mcde_drv.c +index 210f5e1630081..eb1c87fe65e6c 100644 +--- a/drivers/gpu/drm/mcde/mcde_drv.c ++++ b/drivers/gpu/drm/mcde/mcde_drv.c +@@ -453,6 +453,7 @@ static const struct of_device_id mcde_of_match[] = { + }, + {}, + }; ++MODULE_DEVICE_TABLE(of, mcde_of_match); + + static struct platform_driver mcde_driver = { + .driver = { +-- +2.43.0 + diff --git a/queue-5.10/drm-panel-orientation-quirks-add-quirk-for-aya-neo-2.patch b/queue-5.10/drm-panel-orientation-quirks-add-quirk-for-aya-neo-2.patch new file mode 100644 index 00000000000..7105aad2310 --- /dev/null +++ b/queue-5.10/drm-panel-orientation-quirks-add-quirk-for-aya-neo-2.patch @@ -0,0 +1,51 @@ +From 9f47bf8caa034d56ac8444c218ce9d20dce466ce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Sep 2024 15:18:51 +0200 +Subject: drm: panel-orientation-quirks: Add quirk for AYA NEO 2 model +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Joaquín Ignacio Aramendía + +[ Upstream commit 361ebf5ef843b0aa1704c72eb26b91cf76c3c5b7 ] + +Add quirk orientation for AYA NEO 2. The name appears without spaces in +DMI strings. That made it difficult to reuse the 2021 match. Also the +display is larger in resolution. + +Tested by the JELOS team that has been patching their own kernel for a +while now and confirmed by users in the AYA NEO and ChimeraOS discord +servers. + +Signed-off-by: Joaquín Ignacio Aramendía +Signed-off-by: Tobias Jakobi +Reviewed-by: Dmitry Baryshkov +Reviewed-by: Hans de Goede +Link: https://patchwork.freedesktop.org/patch/msgid/2b35545b77a9fd8c9699b751ca282226dcecb1dd.1726492131.git.tjakobi@math.uni-bielefeld.de +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_panel_orientation_quirks.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/gpu/drm/drm_panel_orientation_quirks.c b/drivers/gpu/drm/drm_panel_orientation_quirks.c +index f1091cb87de0c..bf90a5be956fe 100644 +--- a/drivers/gpu/drm/drm_panel_orientation_quirks.c ++++ b/drivers/gpu/drm/drm_panel_orientation_quirks.c +@@ -166,6 +166,12 @@ static const struct dmi_system_id orientation_data[] = { + DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "T103HAF"), + }, + .driver_data = (void *)&lcd800x1280_rightside_up, ++ }, { /* AYA NEO AYANEO 2 */ ++ .matches = { ++ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "AYANEO"), ++ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "AYANEO 2"), ++ }, ++ .driver_data = (void *)&lcd1200x1920_rightside_up, + }, { /* AYA NEO 2021 */ + .matches = { + DMI_EXACT_MATCH(DMI_SYS_VENDOR, "AYADEVICE"), +-- +2.43.0 + diff --git a/queue-5.10/drm-radeon-r600_cs-fix-possible-int-overflow-in-r600.patch b/queue-5.10/drm-radeon-r600_cs-fix-possible-int-overflow-in-r600.patch new file mode 100644 index 00000000000..6d4a0ab1a23 --- /dev/null +++ b/queue-5.10/drm-radeon-r600_cs-fix-possible-int-overflow-in-r600.patch @@ -0,0 +1,40 @@ +From 7ae05f3ba13e706685d029d1513eefba4274b086 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Sep 2024 18:07:19 +0300 +Subject: drm/radeon/r600_cs: Fix possible int overflow in r600_packet3_check() + +From: Igor Artemiev + +[ Upstream commit a1e2da6a5072f8abe5b0feaa91a5bcd9dc544a04 ] + +It is possible, although unlikely, that an integer overflow will occur +when the result of radeon_get_ib_value() is shifted to the left. + +Avoid it by casting one of the operands to larger data type (u64). + +Found by Linux Verification Center (linuxtesting.org) with static +analysis tool SVACE. + +Signed-off-by: Igor Artemiev +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/radeon/r600_cs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/radeon/r600_cs.c b/drivers/gpu/drm/radeon/r600_cs.c +index 1e6ad9daff534..c738740f8b19e 100644 +--- a/drivers/gpu/drm/radeon/r600_cs.c ++++ b/drivers/gpu/drm/radeon/r600_cs.c +@@ -2102,7 +2102,7 @@ static int r600_packet3_check(struct radeon_cs_parser *p, + return -EINVAL; + } + +- offset = radeon_get_ib_value(p, idx+1) << 8; ++ offset = (u64)radeon_get_ib_value(p, idx+1) << 8; + if (offset != track->vgt_strmout_bo_offset[idx_value]) { + DRM_ERROR("bad STRMOUT_BASE_UPDATE, bo offset does not match: 0x%llx, 0x%x\n", + offset, track->vgt_strmout_bo_offset[idx_value]); +-- +2.43.0 + diff --git a/queue-5.10/drm-vc4-hvs-set-axi-panic-modes-for-the-hvs.patch b/queue-5.10/drm-vc4-hvs-set-axi-panic-modes-for-the-hvs.patch new file mode 100644 index 00000000000..e96adb11304 --- /dev/null +++ b/queue-5.10/drm-vc4-hvs-set-axi-panic-modes-for-the-hvs.patch @@ -0,0 +1,51 @@ +From dd11e4b2398c4f25fef173a59bc2640dfa1dd0e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Jun 2024 16:20:30 +0100 +Subject: drm/vc4: hvs: Set AXI panic modes for the HVS + +From: Dave Stevenson + +[ Upstream commit 014eccc9da7bfc76a3107fceea37dd60f1d63630 ] + +The HVS can change AXI request mode based on how full the COB +FIFOs are. +Until now the vc4 driver has been relying on the firmware to +have set these to sensible values. + +With HVS channel 2 now being used for live video, change the +panic mode for all channels to be explicitly set by the driver, +and the same for all channels. + +Reviewed-by: Maxime Ripard +Link: https://patchwork.freedesktop.org/patch/msgid/20240621152055.4180873-7-dave.stevenson@raspberrypi.com +Signed-off-by: Dave Stevenson +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vc4/vc4_hvs.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/drivers/gpu/drm/vc4/vc4_hvs.c b/drivers/gpu/drm/vc4/vc4_hvs.c +index f8f2fc3d15f73..64a02e29b7cb1 100644 +--- a/drivers/gpu/drm/vc4/vc4_hvs.c ++++ b/drivers/gpu/drm/vc4/vc4_hvs.c +@@ -688,6 +688,17 @@ static int vc4_hvs_bind(struct device *dev, struct device *master, void *data) + dispctrl |= VC4_SET_FIELD(2, SCALER_DISPCTRL_PANIC1); + dispctrl |= VC4_SET_FIELD(2, SCALER_DISPCTRL_PANIC2); + ++ /* Set AXI panic mode. ++ * VC4 panics when < 2 lines in FIFO. ++ * VC5 panics when less than 1 line in the FIFO. ++ */ ++ dispctrl &= ~(SCALER_DISPCTRL_PANIC0_MASK | ++ SCALER_DISPCTRL_PANIC1_MASK | ++ SCALER_DISPCTRL_PANIC2_MASK); ++ dispctrl |= VC4_SET_FIELD(2, SCALER_DISPCTRL_PANIC0); ++ dispctrl |= VC4_SET_FIELD(2, SCALER_DISPCTRL_PANIC1); ++ dispctrl |= VC4_SET_FIELD(2, SCALER_DISPCTRL_PANIC2); ++ + HVS_WRITE(SCALER_DISPCTRL, dispctrl); + + ret = devm_request_irq(dev, platform_get_irq(pdev, 0), +-- +2.43.0 + diff --git a/queue-5.10/f2fs-fix-f2fs_bug_on-when-uninstalling-filesystem-ca.patch b/queue-5.10/f2fs-fix-f2fs_bug_on-when-uninstalling-filesystem-ca.patch new file mode 100644 index 00000000000..0cab3b1e385 --- /dev/null +++ b/queue-5.10/f2fs-fix-f2fs_bug_on-when-uninstalling-filesystem-ca.patch @@ -0,0 +1,85 @@ +From 203b6ce7134cbc8b2a340e8792b232f3b04fb43a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Sep 2024 02:44:00 -0600 +Subject: f2fs: fix f2fs_bug_on when uninstalling filesystem call + f2fs_evict_inode. + +From: Qi Han + +[ Upstream commit d5c367ef8287fb4d235c46a2f8c8d68715f3a0ca ] + +creating a large files during checkpoint disable until it runs out of +space and then delete it, then remount to enable checkpoint again, and +then unmount the filesystem triggers the f2fs_bug_on as below: + +------------[ cut here ]------------ +kernel BUG at fs/f2fs/inode.c:896! +CPU: 2 UID: 0 PID: 1286 Comm: umount Not tainted 6.11.0-rc7-dirty #360 +Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI +RIP: 0010:f2fs_evict_inode+0x58c/0x610 +Call Trace: + __die_body+0x15/0x60 + die+0x33/0x50 + do_trap+0x10a/0x120 + f2fs_evict_inode+0x58c/0x610 + do_error_trap+0x60/0x80 + f2fs_evict_inode+0x58c/0x610 + exc_invalid_op+0x53/0x60 + f2fs_evict_inode+0x58c/0x610 + asm_exc_invalid_op+0x16/0x20 + f2fs_evict_inode+0x58c/0x610 + evict+0x101/0x260 + dispose_list+0x30/0x50 + evict_inodes+0x140/0x190 + generic_shutdown_super+0x2f/0x150 + kill_block_super+0x11/0x40 + kill_f2fs_super+0x7d/0x140 + deactivate_locked_super+0x2a/0x70 + cleanup_mnt+0xb3/0x140 + task_work_run+0x61/0x90 + +The root cause is: creating large files during disable checkpoint +period results in not enough free segments, so when writing back root +inode will failed in f2fs_enable_checkpoint. When umount the file +system after enabling checkpoint, the root inode is dirty in +f2fs_evict_inode function, which triggers BUG_ON. The steps to +reproduce are as follows: + +dd if=/dev/zero of=f2fs.img bs=1M count=55 +mount f2fs.img f2fs_dir -o checkpoint=disable:10% +dd if=/dev/zero of=big bs=1M count=50 +sync +rm big +mount -o remount,checkpoint=enable f2fs_dir +umount f2fs_dir + +Let's redirty inode when there is not free segments during checkpoint +is disable. + +Signed-off-by: Qi Han +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/inode.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c +index b23e6a848e9b7..452c0240cc11e 100644 +--- a/fs/f2fs/inode.c ++++ b/fs/f2fs/inode.c +@@ -701,8 +701,10 @@ int f2fs_write_inode(struct inode *inode, struct writeback_control *wbc) + !is_inode_flag_set(inode, FI_DIRTY_INODE)) + return 0; + +- if (!f2fs_is_checkpoint_ready(sbi)) ++ if (!f2fs_is_checkpoint_ready(sbi)) { ++ f2fs_mark_inode_dirty_sync(inode, true); + return -ENOSPC; ++ } + + /* + * We need to balance fs here to prevent from producing dirty node pages +-- +2.43.0 + diff --git a/queue-5.10/hid-bpf-fix-nkro-on-mistel-md770.patch b/queue-5.10/hid-bpf-fix-nkro-on-mistel-md770.patch new file mode 100644 index 00000000000..e6ea2fb939e --- /dev/null +++ b/queue-5.10/hid-bpf-fix-nkro-on-mistel-md770.patch @@ -0,0 +1,191 @@ +From 6a88aee0a4644ce4b15bbaadb7d1f1ce2c0e0c6c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Oct 2024 18:34:58 +0200 +Subject: HID: bpf: Fix NKRO on Mistel MD770 + +From: Benjamin Tissoires + +[ Upstream commit 9bc089307e8dff7797233308372b4a90ce8f79be ] + +Mistel MD770 keyboard (using Holtek Semiconductor, Inc. controller) has +a quirk in report descriptor in one of its interfaces (more detail in +the source file). Fix up the descriptor to allow NKRO to work again. + +Tested by loading the BPF program and confirming that 8 simultaneous +keypresses work. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=218495 +Link: https://gitlab.freedesktop.org/libevdev/udev-hid-bpf/-/merge_requests/122 +Signed-off-by: Tatsuyuki Ishi +Acked-by: Jiri Kosina +Link: https://patch.msgid.link/20241017-import_bpf_6-13-v2-1-6a7acb89a97f@kernel.org +Signed-off-by: Benjamin Tissoires +Signed-off-by: Sasha Levin +--- + drivers/hid/bpf/progs/Mistel__MD770.bpf.c | 154 ++++++++++++++++++++++ + 1 file changed, 154 insertions(+) + create mode 100644 drivers/hid/bpf/progs/Mistel__MD770.bpf.c + +diff --git a/drivers/hid/bpf/progs/Mistel__MD770.bpf.c b/drivers/hid/bpf/progs/Mistel__MD770.bpf.c +new file mode 100644 +index 0000000000000..fb8b5a6968b12 +--- /dev/null ++++ b/drivers/hid/bpf/progs/Mistel__MD770.bpf.c +@@ -0,0 +1,154 @@ ++// SPDX-License-Identifier: GPL-2.0 ++/* Copyright (c) 2024 Tatsuyuki Ishi ++ */ ++ ++#include "vmlinux.h" ++#include "hid_bpf.h" ++#include "hid_bpf_helpers.h" ++#include ++ ++#define VID_HOLTEK 0x04D9 ++#define PID_MD770 0x0339 ++#define RDESC_SIZE 203 ++ ++HID_BPF_CONFIG( ++ HID_DEVICE(BUS_USB, HID_GROUP_GENERIC, VID_HOLTEK, PID_MD770) ++); ++ ++/* ++ * The Mistel MD770 keyboard reports the first 6 simultaneous key presses ++ * through the first interface, and anything beyond that through a second ++ * interface. Unfortunately, the second interface's report descriptor has an ++ * error, causing events to be malformed and ignored. This HID-BPF driver ++ * fixes the descriptor to allow NKRO to work again. ++ * ++ * For reference, this is the original report descriptor: ++ * ++ * 0x05, 0x01, // Usage Page (Generic Desktop) 0 ++ * 0x09, 0x80, // Usage (System Control) 2 ++ * 0xa1, 0x01, // Collection (Application) 4 ++ * 0x85, 0x01, // Report ID (1) 6 ++ * 0x19, 0x81, // Usage Minimum (129) 8 ++ * 0x29, 0x83, // Usage Maximum (131) 10 ++ * 0x15, 0x00, // Logical Minimum (0) 12 ++ * 0x25, 0x01, // Logical Maximum (1) 14 ++ * 0x95, 0x03, // Report Count (3) 16 ++ * 0x75, 0x01, // Report Size (1) 18 ++ * 0x81, 0x02, // Input (Data,Var,Abs) 20 ++ * 0x95, 0x01, // Report Count (1) 22 ++ * 0x75, 0x05, // Report Size (5) 24 ++ * 0x81, 0x01, // Input (Cnst,Arr,Abs) 26 ++ * 0xc0, // End Collection 28 ++ * 0x05, 0x0c, // Usage Page (Consumer Devices) 29 ++ * 0x09, 0x01, // Usage (Consumer Control) 31 ++ * 0xa1, 0x01, // Collection (Application) 33 ++ * 0x85, 0x02, // Report ID (2) 35 ++ * 0x15, 0x00, // Logical Minimum (0) 37 ++ * 0x25, 0x01, // Logical Maximum (1) 39 ++ * 0x95, 0x12, // Report Count (18) 41 ++ * 0x75, 0x01, // Report Size (1) 43 ++ * 0x0a, 0x83, 0x01, // Usage (AL Consumer Control Config) 45 ++ * 0x0a, 0x8a, 0x01, // Usage (AL Email Reader) 48 ++ * 0x0a, 0x92, 0x01, // Usage (AL Calculator) 51 ++ * 0x0a, 0x94, 0x01, // Usage (AL Local Machine Browser) 54 ++ * 0x09, 0xcd, // Usage (Play/Pause) 57 ++ * 0x09, 0xb7, // Usage (Stop) 59 ++ * 0x09, 0xb6, // Usage (Scan Previous Track) 61 ++ * 0x09, 0xb5, // Usage (Scan Next Track) 63 ++ * 0x09, 0xe2, // Usage (Mute) 65 ++ * 0x09, 0xea, // Usage (Volume Down) 67 ++ * 0x09, 0xe9, // Usage (Volume Up) 69 ++ * 0x0a, 0x21, 0x02, // Usage (AC Search) 71 ++ * 0x0a, 0x23, 0x02, // Usage (AC Home) 74 ++ * 0x0a, 0x24, 0x02, // Usage (AC Back) 77 ++ * 0x0a, 0x25, 0x02, // Usage (AC Forward) 80 ++ * 0x0a, 0x26, 0x02, // Usage (AC Stop) 83 ++ * 0x0a, 0x27, 0x02, // Usage (AC Refresh) 86 ++ * 0x0a, 0x2a, 0x02, // Usage (AC Bookmarks) 89 ++ * 0x81, 0x02, // Input (Data,Var,Abs) 92 ++ * 0x95, 0x01, // Report Count (1) 94 ++ * 0x75, 0x0e, // Report Size (14) 96 ++ * 0x81, 0x01, // Input (Cnst,Arr,Abs) 98 ++ * 0xc0, // End Collection 100 ++ * 0x05, 0x01, // Usage Page (Generic Desktop) 101 ++ * 0x09, 0x02, // Usage (Mouse) 103 ++ * 0xa1, 0x01, // Collection (Application) 105 ++ * 0x09, 0x01, // Usage (Pointer) 107 ++ * 0xa1, 0x00, // Collection (Physical) 109 ++ * 0x85, 0x03, // Report ID (3) 111 ++ * 0x05, 0x09, // Usage Page (Button) 113 ++ * 0x19, 0x01, // Usage Minimum (1) 115 ++ * 0x29, 0x08, // Usage Maximum (8) 117 ++ * 0x15, 0x00, // Logical Minimum (0) 119 ++ * 0x25, 0x01, // Logical Maximum (1) 121 ++ * 0x75, 0x01, // Report Size (1) 123 ++ * 0x95, 0x08, // Report Count (8) 125 ++ * 0x81, 0x02, // Input (Data,Var,Abs) 127 ++ * 0x05, 0x01, // Usage Page (Generic Desktop) 129 ++ * 0x09, 0x30, // Usage (X) 131 ++ * 0x09, 0x31, // Usage (Y) 133 ++ * 0x16, 0x01, 0x80, // Logical Minimum (-32767) 135 ++ * 0x26, 0xff, 0x7f, // Logical Maximum (32767) 138 ++ * 0x75, 0x10, // Report Size (16) 141 ++ * 0x95, 0x02, // Report Count (2) 143 ++ * 0x81, 0x06, // Input (Data,Var,Rel) 145 ++ * 0x09, 0x38, // Usage (Wheel) 147 ++ * 0x15, 0x81, // Logical Minimum (-127) 149 ++ * 0x25, 0x7f, // Logical Maximum (127) 151 ++ * 0x75, 0x08, // Report Size (8) 153 ++ * 0x95, 0x01, // Report Count (1) 155 ++ * 0x81, 0x06, // Input (Data,Var,Rel) 157 ++ * 0x05, 0x0c, // Usage Page (Consumer Devices) 159 ++ * 0x0a, 0x38, 0x02, // Usage (AC Pan) 161 ++ * 0x95, 0x01, // Report Count (1) 164 ++ * 0x81, 0x06, // Input (Data,Var,Rel) 166 ++ * 0xc0, // End Collection 168 ++ * 0xc0, // End Collection 169 ++ * 0x05, 0x01, // Usage Page (Generic Desktop) 170 ++ * 0x09, 0x06, // Usage (Keyboard) 172 ++ * 0xa1, 0x01, // Collection (Application) 174 ++ * 0x85, 0x04, // Report ID (4) 176 ++ * 0x05, 0x07, // Usage Page (Keyboard) 178 ++ * 0x95, 0x01, // Report Count (1) 180 ++ * 0x75, 0x08, // Report Size (8) 182 ++ * 0x81, 0x03, // Input (Cnst,Var,Abs) 184 ++ * 0x95, 0xe8, // Report Count (232) 186 ++ * 0x75, 0x01, // Report Size (1) 188 ++ * 0x15, 0x00, // Logical Minimum (0) 190 ++ * 0x25, 0x01, // Logical Maximum (1) 192 ++ * 0x05, 0x07, // Usage Page (Keyboard) 194 ++ * 0x19, 0x00, // Usage Minimum (0) 196 ++ * 0x29, 0xe7, // Usage Maximum (231) 198 ++ * 0x81, 0x00, // Input (Data,Arr,Abs) 200 <- change to 0x81, 0x02 (Data,Var,Abs) ++ * 0xc0, // End Collection 202 ++ */ ++ ++SEC(HID_BPF_RDESC_FIXUP) ++int BPF_PROG(hid_rdesc_fixup_mistel_md770, struct hid_bpf_ctx *hctx) ++{ ++ __u8 *data = hid_bpf_get_data(hctx, 0, HID_MAX_DESCRIPTOR_SIZE); ++ ++ if (!data) ++ return 0; /* EPERM check */ ++ ++ if (data[201] == 0x00) ++ data[201] = 0x02; ++ ++ return 0; ++} ++ ++HID_BPF_OPS(mistel_md770) = { ++ .hid_rdesc_fixup = (void *)hid_rdesc_fixup_mistel_md770, ++}; ++ ++SEC("syscall") ++int probe(struct hid_bpf_probe_args *ctx) ++{ ++ ctx->retval = ctx->rdesc_size != RDESC_SIZE; ++ if (ctx->retval) ++ ctx->retval = -EINVAL; ++ ++ return 0; ++} ++ ++char _license[] SEC("license") = "GPL"; +-- +2.43.0 + diff --git a/queue-5.10/i3c-use-i3cdev-desc-info-instead-of-calling-i3c_devi.patch b/queue-5.10/i3c-use-i3cdev-desc-info-instead-of-calling-i3c_devi.patch new file mode 100644 index 00000000000..49246a14a56 --- /dev/null +++ b/queue-5.10/i3c-use-i3cdev-desc-info-instead-of-calling-i3c_devi.patch @@ -0,0 +1,113 @@ +From deb8c10ce1b75737b51fd116e1658b2c6fcd0b06 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Nov 2024 21:25:39 +0800 +Subject: i3c: Use i3cdev->desc->info instead of calling i3c_device_get_info() + to avoid deadlock + +From: Defa Li + +[ Upstream commit 6cf7b65f7029914dc0cd7db86fac9ee5159008c6 ] + +A deadlock may happen since the i3c_master_register() acquires +&i3cbus->lock twice. See the log below. +Use i3cdev->desc->info instead of calling i3c_device_info() to +avoid acquiring the lock twice. + +v2: + - Modified the title and commit message + +============================================ +WARNING: possible recursive locking detected +6.11.0-mainline +-------------------------------------------- +init/1 is trying to acquire lock: +f1ffff80a6a40dc0 (&i3cbus->lock){++++}-{3:3}, at: i3c_bus_normaluse_lock + +but task is already holding lock: +f1ffff80a6a40dc0 (&i3cbus->lock){++++}-{3:3}, at: i3c_master_register + +other info that might help us debug this: + Possible unsafe locking scenario: + + CPU0 + ---- + lock(&i3cbus->lock); + lock(&i3cbus->lock); + + *** DEADLOCK *** + + May be due to missing lock nesting notation + +2 locks held by init/1: + #0: fcffff809b6798f8 (&dev->mutex){....}-{3:3}, at: __driver_attach + #1: f1ffff80a6a40dc0 (&i3cbus->lock){++++}-{3:3}, at: i3c_master_register + +stack backtrace: +CPU: 6 UID: 0 PID: 1 Comm: init +Call trace: + dump_backtrace+0xfc/0x17c + show_stack+0x18/0x28 + dump_stack_lvl+0x40/0xc0 + dump_stack+0x18/0x24 + print_deadlock_bug+0x388/0x390 + __lock_acquire+0x18bc/0x32ec + lock_acquire+0x134/0x2b0 + down_read+0x50/0x19c + i3c_bus_normaluse_lock+0x14/0x24 + i3c_device_get_info+0x24/0x58 + i3c_device_uevent+0x34/0xa4 + dev_uevent+0x310/0x384 + kobject_uevent_env+0x244/0x414 + kobject_uevent+0x14/0x20 + device_add+0x278/0x460 + device_register+0x20/0x34 + i3c_master_register_new_i3c_devs+0x78/0x154 + i3c_master_register+0x6a0/0x6d4 + mtk_i3c_master_probe+0x3b8/0x4d8 + platform_probe+0xa0/0xe0 + really_probe+0x114/0x454 + __driver_probe_device+0xa0/0x15c + driver_probe_device+0x3c/0x1ac + __driver_attach+0xc4/0x1f0 + bus_for_each_dev+0x104/0x160 + driver_attach+0x24/0x34 + bus_add_driver+0x14c/0x294 + driver_register+0x68/0x104 + __platform_driver_register+0x20/0x30 + init_module+0x20/0xfe4 + do_one_initcall+0x184/0x464 + do_init_module+0x58/0x1ec + load_module+0xefc/0x10c8 + __arm64_sys_finit_module+0x238/0x33c + invoke_syscall+0x58/0x10c + el0_svc_common+0xa8/0xdc + do_el0_svc+0x1c/0x28 + el0_svc+0x50/0xac + el0t_64_sync_handler+0x70/0xbc + el0t_64_sync+0x1a8/0x1ac + +Signed-off-by: Defa Li +Link: https://lore.kernel.org/r/20241107132549.25439-1-defa.li@mediatek.com +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/i3c/master.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/i3c/master.c b/drivers/i3c/master.c +index 0ade1ce2bbc89..0d8210f40ff63 100644 +--- a/drivers/i3c/master.c ++++ b/drivers/i3c/master.c +@@ -279,7 +279,8 @@ static int i3c_device_uevent(struct device *dev, struct kobj_uevent_env *env) + struct i3c_device_info devinfo; + u16 manuf, part, ext; + +- i3c_device_get_info(i3cdev, &devinfo); ++ if (i3cdev->desc) ++ devinfo = i3cdev->desc->info; + manuf = I3C_PID_MANUF_ID(devinfo.pid); + part = I3C_PID_PART_ID(devinfo.pid); + ext = I3C_PID_EXTRA_INFO(devinfo.pid); +-- +2.43.0 + diff --git a/queue-5.10/jfs-add-a-check-to-prevent-array-index-out-of-bounds.patch b/queue-5.10/jfs-add-a-check-to-prevent-array-index-out-of-bounds.patch new file mode 100644 index 00000000000..3053dcf7920 --- /dev/null +++ b/queue-5.10/jfs-add-a-check-to-prevent-array-index-out-of-bounds.patch @@ -0,0 +1,39 @@ +From b8479184bb4e818e4b6bf892da6525d19495c5cb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Oct 2024 01:51:38 +0530 +Subject: jfs: add a check to prevent array-index-out-of-bounds in dbAdjTree + +From: Nihar Chaithanya + +[ Upstream commit a174706ba4dad895c40b1d2277bade16dfacdcd9 ] + +When the value of lp is 0 at the beginning of the for loop, it will +become negative in the next assignment and we should bail out. + +Reported-by: syzbot+412dea214d8baa3f7483@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=412dea214d8baa3f7483 +Tested-by: syzbot+412dea214d8baa3f7483@syzkaller.appspotmail.com +Signed-off-by: Nihar Chaithanya +Signed-off-by: Dave Kleikamp +Signed-off-by: Sasha Levin +--- + fs/jfs/jfs_dmap.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c +index c61fcf0e88d29..ef220709c7f51 100644 +--- a/fs/jfs/jfs_dmap.c ++++ b/fs/jfs/jfs_dmap.c +@@ -2953,6 +2953,9 @@ static void dbAdjTree(dmtree_t *tp, int leafno, int newval, bool is_ctl) + /* bubble the new value up the tree as required. + */ + for (k = 0; k < le32_to_cpu(tp->dmt_height); k++) { ++ if (lp == 0) ++ break; ++ + /* get the index of the first leaf of the 4 leaf + * group containing the specified leaf (leafno). + */ +-- +2.43.0 + diff --git a/queue-5.10/jfs-array-index-out-of-bounds-fix-in-dtreadfirst.patch b/queue-5.10/jfs-array-index-out-of-bounds-fix-in-dtreadfirst.patch new file mode 100644 index 00000000000..818ba8280c8 --- /dev/null +++ b/queue-5.10/jfs-array-index-out-of-bounds-fix-in-dtreadfirst.patch @@ -0,0 +1,43 @@ +From fc27a83c3a533e30305c0e40b69e5ad830b6173f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 28 Sep 2024 14:07:22 +0530 +Subject: jfs: array-index-out-of-bounds fix in dtReadFirst + +From: Ghanshyam Agrawal + +[ Upstream commit ca84a2c9be482836b86d780244f0357e5a778c46 ] + +The value of stbl can be sometimes out of bounds due +to a bad filesystem. Added a check with appopriate return +of error code in that case. + +Reported-by: syzbot+65fa06e29859e41a83f3@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=65fa06e29859e41a83f3 +Signed-off-by: Ghanshyam Agrawal +Signed-off-by: Dave Kleikamp +Signed-off-by: Sasha Levin +--- + fs/jfs/jfs_dtree.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/fs/jfs/jfs_dtree.c b/fs/jfs/jfs_dtree.c +index a222a9d71887f..8f7ce1bea44c5 100644 +--- a/fs/jfs/jfs_dtree.c ++++ b/fs/jfs/jfs_dtree.c +@@ -3382,6 +3382,13 @@ static int dtReadFirst(struct inode *ip, struct btstack * btstack) + + /* get the leftmost entry */ + stbl = DT_GETSTBL(p); ++ ++ if (stbl[0] < 0 || stbl[0] > 127) { ++ DT_PUTPAGE(mp); ++ jfs_error(ip->i_sb, "stbl[0] out of bound\n"); ++ return -EIO; ++ } ++ + xd = (pxd_t *) & p->slot[stbl[0]]; + + /* get the child page block address */ +-- +2.43.0 + diff --git a/queue-5.10/jfs-fix-array-index-out-of-bounds-in-jfs_readdir.patch b/queue-5.10/jfs-fix-array-index-out-of-bounds-in-jfs_readdir.patch new file mode 100644 index 00000000000..8b4da236253 --- /dev/null +++ b/queue-5.10/jfs-fix-array-index-out-of-bounds-in-jfs_readdir.patch @@ -0,0 +1,43 @@ +From 542bdfc9607232d58318932b871f4a3a6caf4ed2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Oct 2024 11:35:47 +0530 +Subject: jfs: fix array-index-out-of-bounds in jfs_readdir + +From: Ghanshyam Agrawal + +[ Upstream commit 839f102efb168f02dfdd46717b7c6dddb26b015e ] + +The stbl might contain some invalid values. Added a check to +return error code in that case. + +Reported-by: syzbot+0315f8fe99120601ba88@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=0315f8fe99120601ba88 +Signed-off-by: Ghanshyam Agrawal +Signed-off-by: Dave Kleikamp +Signed-off-by: Sasha Levin +--- + fs/jfs/jfs_dtree.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/fs/jfs/jfs_dtree.c b/fs/jfs/jfs_dtree.c +index 8f7ce1bea44c5..a3d1d560f4c86 100644 +--- a/fs/jfs/jfs_dtree.c ++++ b/fs/jfs/jfs_dtree.c +@@ -3187,6 +3187,14 @@ int jfs_readdir(struct file *file, struct dir_context *ctx) + stbl = DT_GETSTBL(p); + + for (i = index; i < p->header.nextindex; i++) { ++ if (stbl[i] < 0 || stbl[i] > 127) { ++ jfs_err("JFS: Invalid stbl[%d] = %d for inode %ld, block = %lld", ++ i, stbl[i], (long)ip->i_ino, (long long)bn); ++ free_page(dirent_buf); ++ DT_PUTPAGE(mp); ++ return -EIO; ++ } ++ + d = (struct ldtentry *) & p->slot[stbl[i]]; + + if (((long) jfs_dirent + d->namlen + 1) > +-- +2.43.0 + diff --git a/queue-5.10/jfs-fix-shift-out-of-bounds-in-dbsplit.patch b/queue-5.10/jfs-fix-shift-out-of-bounds-in-dbsplit.patch new file mode 100644 index 00000000000..57a1c596350 --- /dev/null +++ b/queue-5.10/jfs-fix-shift-out-of-bounds-in-dbsplit.patch @@ -0,0 +1,39 @@ +From 82ff0de1f37c16c36b80a8772bb0863223623543 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Sep 2024 13:42:18 +0530 +Subject: jfs: fix shift-out-of-bounds in dbSplit + +From: Ghanshyam Agrawal + +[ Upstream commit a5f5e4698f8abbb25fe4959814093fb5bfa1aa9d ] + +When dmt_budmin is less than zero, it causes errors +in the later stages. Added a check to return an error beforehand +in dbAllocCtl itself. + +Reported-by: syzbot+b5ca8a249162c4b9a7d0@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=b5ca8a249162c4b9a7d0 +Signed-off-by: Ghanshyam Agrawal +Signed-off-by: Dave Kleikamp +Signed-off-by: Sasha Levin +--- + fs/jfs/jfs_dmap.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c +index 559f6ebebfc0c..c61fcf0e88d29 100644 +--- a/fs/jfs/jfs_dmap.c ++++ b/fs/jfs/jfs_dmap.c +@@ -1886,6 +1886,9 @@ dbAllocCtl(struct bmap * bmp, s64 nblocks, int l2nb, s64 blkno, s64 * results) + return -EIO; + dp = (struct dmap *) mp->data; + ++ if (dp->tree.budmin < 0) ++ return -EIO; ++ + /* try to allocate the blocks. + */ + rc = dbAllocDmapLev(bmp, dp, (int) nblocks, l2nb, results); +-- +2.43.0 + diff --git a/queue-5.10/kcsan-turn-report_filterlist_lock-into-a-raw_spinloc.patch b/queue-5.10/kcsan-turn-report_filterlist_lock-into-a-raw_spinloc.patch new file mode 100644 index 00000000000..4a96cca07b4 --- /dev/null +++ b/queue-5.10/kcsan-turn-report_filterlist_lock-into-a-raw_spinloc.patch @@ -0,0 +1,212 @@ +From a6c83a1493f0a8337371e21ddd0d606e15399339 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Oct 2024 16:00:45 +0200 +Subject: kcsan: Turn report_filterlist_lock into a raw_spinlock + +From: Marco Elver + +[ Upstream commit 59458fa4ddb47e7891c61b4a928d13d5f5b00aa0 ] + +Ran Xiaokai reports that with a KCSAN-enabled PREEMPT_RT kernel, we can see +splats like: + +| BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48 +| in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 0, name: swapper/1 +| preempt_count: 10002, expected: 0 +| RCU nest depth: 0, expected: 0 +| no locks held by swapper/1/0. +| irq event stamp: 156674 +| hardirqs last enabled at (156673): [] do_idle+0x1f9/0x240 +| hardirqs last disabled at (156674): [] sysvec_apic_timer_interrupt+0x14/0xc0 +| softirqs last enabled at (0): [] copy_process+0xfc7/0x4b60 +| softirqs last disabled at (0): [<0000000000000000>] 0x0 +| Preemption disabled at: +| [] paint_ptr+0x2a/0x90 +| CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Not tainted 6.11.0+ #3 +| Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-0-ga698c8995f-prebuilt.qemu.org 04/01/2014 +| Call Trace: +| +| dump_stack_lvl+0x7e/0xc0 +| dump_stack+0x1d/0x30 +| __might_resched+0x1a2/0x270 +| rt_spin_lock+0x68/0x170 +| kcsan_skip_report_debugfs+0x43/0xe0 +| print_report+0xb5/0x590 +| kcsan_report_known_origin+0x1b1/0x1d0 +| kcsan_setup_watchpoint+0x348/0x650 +| __tsan_unaligned_write1+0x16d/0x1d0 +| hrtimer_interrupt+0x3d6/0x430 +| __sysvec_apic_timer_interrupt+0xe8/0x3a0 +| sysvec_apic_timer_interrupt+0x97/0xc0 +| + +On a detected data race, KCSAN's reporting logic checks if it should +filter the report. That list is protected by the report_filterlist_lock +*non-raw* spinlock which may sleep on RT kernels. + +Since KCSAN may report data races in any context, convert it to a +raw_spinlock. + +This requires being careful about when to allocate memory for the filter +list itself which can be done via KCSAN's debugfs interface. Concurrent +modification of the filter list via debugfs should be rare: the chosen +strategy is to optimistically pre-allocate memory before the critical +section and discard if unused. + +Link: https://lore.kernel.org/all/20240925143154.2322926-1-ranxiaokai627@163.com/ +Reported-by: Ran Xiaokai +Tested-by: Ran Xiaokai +Signed-off-by: Marco Elver +Signed-off-by: Sasha Levin +--- + kernel/kcsan/debugfs.c | 74 ++++++++++++++++++++---------------------- + 1 file changed, 36 insertions(+), 38 deletions(-) + +diff --git a/kernel/kcsan/debugfs.c b/kernel/kcsan/debugfs.c +index 62a52be8f6ba9..6a4ecd1a6fa5b 100644 +--- a/kernel/kcsan/debugfs.c ++++ b/kernel/kcsan/debugfs.c +@@ -41,14 +41,8 @@ static struct { + int used; /* number of elements used */ + bool sorted; /* if elements are sorted */ + bool whitelist; /* if list is a blacklist or whitelist */ +-} report_filterlist = { +- .addrs = NULL, +- .size = 8, /* small initial size */ +- .used = 0, +- .sorted = false, +- .whitelist = false, /* default is blacklist */ +-}; +-static DEFINE_SPINLOCK(report_filterlist_lock); ++} report_filterlist; ++static DEFINE_RAW_SPINLOCK(report_filterlist_lock); + + /* + * The microbenchmark allows benchmarking KCSAN core runtime only. To run +@@ -105,7 +99,7 @@ bool kcsan_skip_report_debugfs(unsigned long func_addr) + return false; + func_addr -= offset; /* Get function start */ + +- spin_lock_irqsave(&report_filterlist_lock, flags); ++ raw_spin_lock_irqsave(&report_filterlist_lock, flags); + if (report_filterlist.used == 0) + goto out; + +@@ -122,7 +116,7 @@ bool kcsan_skip_report_debugfs(unsigned long func_addr) + ret = !ret; + + out: +- spin_unlock_irqrestore(&report_filterlist_lock, flags); ++ raw_spin_unlock_irqrestore(&report_filterlist_lock, flags); + return ret; + } + +@@ -130,9 +124,9 @@ static void set_report_filterlist_whitelist(bool whitelist) + { + unsigned long flags; + +- spin_lock_irqsave(&report_filterlist_lock, flags); ++ raw_spin_lock_irqsave(&report_filterlist_lock, flags); + report_filterlist.whitelist = whitelist; +- spin_unlock_irqrestore(&report_filterlist_lock, flags); ++ raw_spin_unlock_irqrestore(&report_filterlist_lock, flags); + } + + /* Returns 0 on success, error-code otherwise. */ +@@ -140,6 +134,9 @@ static ssize_t insert_report_filterlist(const char *func) + { + unsigned long flags; + unsigned long addr = kallsyms_lookup_name(func); ++ unsigned long *delay_free = NULL; ++ unsigned long *new_addrs = NULL; ++ size_t new_size = 0; + ssize_t ret = 0; + + if (!addr) { +@@ -147,32 +144,33 @@ static ssize_t insert_report_filterlist(const char *func) + return -ENOENT; + } + +- spin_lock_irqsave(&report_filterlist_lock, flags); ++retry_alloc: ++ /* ++ * Check if we need an allocation, and re-validate under the lock. Since ++ * the report_filterlist_lock is a raw, cannot allocate under the lock. ++ */ ++ if (data_race(report_filterlist.used == report_filterlist.size)) { ++ new_size = (report_filterlist.size ?: 4) * 2; ++ delay_free = new_addrs = kmalloc_array(new_size, sizeof(unsigned long), GFP_KERNEL); ++ if (!new_addrs) ++ return -ENOMEM; ++ } + +- if (report_filterlist.addrs == NULL) { +- /* initial allocation */ +- report_filterlist.addrs = +- kmalloc_array(report_filterlist.size, +- sizeof(unsigned long), GFP_ATOMIC); +- if (report_filterlist.addrs == NULL) { +- ret = -ENOMEM; +- goto out; +- } +- } else if (report_filterlist.used == report_filterlist.size) { +- /* resize filterlist */ +- size_t new_size = report_filterlist.size * 2; +- unsigned long *new_addrs = +- krealloc(report_filterlist.addrs, +- new_size * sizeof(unsigned long), GFP_ATOMIC); +- +- if (new_addrs == NULL) { +- /* leave filterlist itself untouched */ +- ret = -ENOMEM; +- goto out; ++ raw_spin_lock_irqsave(&report_filterlist_lock, flags); ++ if (report_filterlist.used == report_filterlist.size) { ++ /* Check we pre-allocated enough, and retry if not. */ ++ if (report_filterlist.used >= new_size) { ++ raw_spin_unlock_irqrestore(&report_filterlist_lock, flags); ++ kfree(new_addrs); /* kfree(NULL) is safe */ ++ delay_free = new_addrs = NULL; ++ goto retry_alloc; + } + ++ if (report_filterlist.used) ++ memcpy(new_addrs, report_filterlist.addrs, report_filterlist.used * sizeof(unsigned long)); ++ delay_free = report_filterlist.addrs; /* free the old list */ ++ report_filterlist.addrs = new_addrs; /* switch to the new list */ + report_filterlist.size = new_size; +- report_filterlist.addrs = new_addrs; + } + + /* Note: deduplicating should be done in userspace. */ +@@ -180,9 +178,9 @@ static ssize_t insert_report_filterlist(const char *func) + kallsyms_lookup_name(func); + report_filterlist.sorted = false; + +-out: +- spin_unlock_irqrestore(&report_filterlist_lock, flags); ++ raw_spin_unlock_irqrestore(&report_filterlist_lock, flags); + ++ kfree(delay_free); + return ret; + } + +@@ -199,13 +197,13 @@ static int show_info(struct seq_file *file, void *v) + } + + /* show filter functions, and filter type */ +- spin_lock_irqsave(&report_filterlist_lock, flags); ++ raw_spin_lock_irqsave(&report_filterlist_lock, flags); + seq_printf(file, "\n%s functions: %s\n", + report_filterlist.whitelist ? "whitelisted" : "blacklisted", + report_filterlist.used == 0 ? "none" : ""); + for (i = 0; i < report_filterlist.used; ++i) + seq_printf(file, " %ps\n", (void *)report_filterlist.addrs[i]); +- spin_unlock_irqrestore(&report_filterlist_lock, flags); ++ raw_spin_unlock_irqrestore(&report_filterlist_lock, flags); + + return 0; + } +-- +2.43.0 + diff --git a/queue-5.10/kselftest-arm64-don-t-leak-pipe-fds-in-pac.exec_sign.patch b/queue-5.10/kselftest-arm64-don-t-leak-pipe-fds-in-pac.exec_sign.patch new file mode 100644 index 00000000000..33dba6e103f --- /dev/null +++ b/queue-5.10/kselftest-arm64-don-t-leak-pipe-fds-in-pac.exec_sign.patch @@ -0,0 +1,39 @@ +From 3a29364f6f1d04f2bf74ffffff92efd9ea88bdd0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Nov 2024 16:18:55 +0000 +Subject: kselftest/arm64: Don't leak pipe fds in pac.exec_sign_all() + +From: Mark Brown + +[ Upstream commit 27141b690547da5650a420f26ec369ba142a9ebb ] + +The PAC exec_sign_all() test spawns some child processes, creating pipes +to be stdin and stdout for the child. It cleans up most of the file +descriptors that are created as part of this but neglects to clean up the +parent end of the child stdin and stdout. Add the missing close() calls. + +Signed-off-by: Mark Brown +Link: https://lore.kernel.org/r/20241111-arm64-pac-test-collisions-v1-1-171875f37e44@kernel.org +Signed-off-by: Catalin Marinas +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/arm64/pauth/pac.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/tools/testing/selftests/arm64/pauth/pac.c b/tools/testing/selftests/arm64/pauth/pac.c +index b743daa772f55..5a07b3958fbf2 100644 +--- a/tools/testing/selftests/arm64/pauth/pac.c ++++ b/tools/testing/selftests/arm64/pauth/pac.c +@@ -182,6 +182,9 @@ int exec_sign_all(struct signatures *signed_vals, size_t val) + return -1; + } + ++ close(new_stdin[1]); ++ close(new_stdout[0]); ++ + return 0; + } + +-- +2.43.0 + diff --git a/queue-5.10/leds-class-protect-brightness_show-with-led_cdev-led.patch b/queue-5.10/leds-class-protect-brightness_show-with-led_cdev-led.patch new file mode 100644 index 00000000000..94186ac174c --- /dev/null +++ b/queue-5.10/leds-class-protect-brightness_show-with-led_cdev-led.patch @@ -0,0 +1,174 @@ +From 63a923c46dfa5f2d670494a93ef3f8afa35bea29 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 3 Nov 2024 21:35:27 +0530 +Subject: leds: class: Protect brightness_show() with led_cdev->led_access + mutex + +From: Mukesh Ojha + +[ Upstream commit 4ca7cd938725a4050dcd62ae9472e931d603118d ] + +There is NULL pointer issue observed if from Process A where hid device +being added which results in adding a led_cdev addition and later a +another call to access of led_cdev attribute from Process B can result +in NULL pointer issue. + +Use mutex led_cdev->led_access to protect access to led->cdev and its +attribute inside brightness_show() and max_brightness_show() and also +update the comment for mutex that it should be used to protect the led +class device fields. + + Process A Process B + + kthread+0x114 + worker_thread+0x244 + process_scheduled_works+0x248 + uhid_device_add_worker+0x24 + hid_add_device+0x120 + device_add+0x268 + bus_probe_device+0x94 + device_initial_probe+0x14 + __device_attach+0xfc + bus_for_each_drv+0x10c + __device_attach_driver+0x14c + driver_probe_device+0x3c + __driver_probe_device+0xa0 + really_probe+0x190 + hid_device_probe+0x130 + ps_probe+0x990 + ps_led_register+0x94 + devm_led_classdev_register_ext+0x58 + led_classdev_register_ext+0x1f8 + device_create_with_groups+0x48 + device_create_groups_vargs+0xc8 + device_add+0x244 + kobject_uevent+0x14 + kobject_uevent_env[jt]+0x224 + mutex_unlock[jt]+0xc4 + __mutex_unlock_slowpath+0xd4 + wake_up_q+0x70 + try_to_wake_up[jt]+0x48c + preempt_schedule_common+0x28 + __schedule+0x628 + __switch_to+0x174 + el0t_64_sync+0x1a8/0x1ac + el0t_64_sync_handler+0x68/0xbc + el0_svc+0x38/0x68 + do_el0_svc+0x1c/0x28 + el0_svc_common+0x80/0xe0 + invoke_syscall+0x58/0x114 + __arm64_sys_read+0x1c/0x2c + ksys_read+0x78/0xe8 + vfs_read+0x1e0/0x2c8 + kernfs_fop_read_iter+0x68/0x1b4 + seq_read_iter+0x158/0x4ec + kernfs_seq_show+0x44/0x54 + sysfs_kf_seq_show+0xb4/0x130 + dev_attr_show+0x38/0x74 + brightness_show+0x20/0x4c + dualshock4_led_get_brightness+0xc/0x74 + +[ 3313.874295][ T4013] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000060 +[ 3313.874301][ T4013] Mem abort info: +[ 3313.874303][ T4013] ESR = 0x0000000096000006 +[ 3313.874305][ T4013] EC = 0x25: DABT (current EL), IL = 32 bits +[ 3313.874307][ T4013] SET = 0, FnV = 0 +[ 3313.874309][ T4013] EA = 0, S1PTW = 0 +[ 3313.874311][ T4013] FSC = 0x06: level 2 translation fault +[ 3313.874313][ T4013] Data abort info: +[ 3313.874314][ T4013] ISV = 0, ISS = 0x00000006, ISS2 = 0x00000000 +[ 3313.874316][ T4013] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 +[ 3313.874318][ T4013] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 +[ 3313.874320][ T4013] user pgtable: 4k pages, 39-bit VAs, pgdp=00000008f2b0a000 +.. + +[ 3313.874332][ T4013] Dumping ftrace buffer: +[ 3313.874334][ T4013] (ftrace buffer empty) +.. +.. +[ dd3313.874639][ T4013] CPU: 6 PID: 4013 Comm: InputReader +[ 3313.874648][ T4013] pc : dualshock4_led_get_brightness+0xc/0x74 +[ 3313.874653][ T4013] lr : led_update_brightness+0x38/0x60 +[ 3313.874656][ T4013] sp : ffffffc0b910bbd0 +.. +.. +[ 3313.874685][ T4013] Call trace: +[ 3313.874687][ T4013] dualshock4_led_get_brightness+0xc/0x74 +[ 3313.874690][ T4013] brightness_show+0x20/0x4c +[ 3313.874692][ T4013] dev_attr_show+0x38/0x74 +[ 3313.874696][ T4013] sysfs_kf_seq_show+0xb4/0x130 +[ 3313.874700][ T4013] kernfs_seq_show+0x44/0x54 +[ 3313.874703][ T4013] seq_read_iter+0x158/0x4ec +[ 3313.874705][ T4013] kernfs_fop_read_iter+0x68/0x1b4 +[ 3313.874708][ T4013] vfs_read+0x1e0/0x2c8 +[ 3313.874711][ T4013] ksys_read+0x78/0xe8 +[ 3313.874714][ T4013] __arm64_sys_read+0x1c/0x2c +[ 3313.874718][ T4013] invoke_syscall+0x58/0x114 +[ 3313.874721][ T4013] el0_svc_common+0x80/0xe0 +[ 3313.874724][ T4013] do_el0_svc+0x1c/0x28 +[ 3313.874727][ T4013] el0_svc+0x38/0x68 +[ 3313.874730][ T4013] el0t_64_sync_handler+0x68/0xbc +[ 3313.874732][ T4013] el0t_64_sync+0x1a8/0x1ac + +Signed-off-by: Mukesh Ojha +Reviewed-by: Anish Kumar +Link: https://lore.kernel.org/r/20241103160527.82487-1-quic_mojha@quicinc.com +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/leds/led-class.c | 14 +++++++++++--- + include/linux/leds.h | 2 +- + 2 files changed, 12 insertions(+), 4 deletions(-) + +diff --git a/drivers/leds/led-class.c b/drivers/leds/led-class.c +index e28a4bb716032..d7c1f2263a57a 100644 +--- a/drivers/leds/led-class.c ++++ b/drivers/leds/led-class.c +@@ -28,11 +28,14 @@ static ssize_t brightness_show(struct device *dev, + struct device_attribute *attr, char *buf) + { + struct led_classdev *led_cdev = dev_get_drvdata(dev); ++ unsigned int brightness; + +- /* no lock needed for this */ ++ mutex_lock(&led_cdev->led_access); + led_update_brightness(led_cdev); ++ brightness = led_cdev->brightness; ++ mutex_unlock(&led_cdev->led_access); + +- return sprintf(buf, "%u\n", led_cdev->brightness); ++ return sprintf(buf, "%u\n", brightness); + } + + static ssize_t brightness_store(struct device *dev, +@@ -69,8 +72,13 @@ static ssize_t max_brightness_show(struct device *dev, + struct device_attribute *attr, char *buf) + { + struct led_classdev *led_cdev = dev_get_drvdata(dev); ++ unsigned int max_brightness; ++ ++ mutex_lock(&led_cdev->led_access); ++ max_brightness = led_cdev->max_brightness; ++ mutex_unlock(&led_cdev->led_access); + +- return sprintf(buf, "%u\n", led_cdev->max_brightness); ++ return sprintf(buf, "%u\n", max_brightness); + } + static DEVICE_ATTR_RO(max_brightness); + +diff --git a/include/linux/leds.h b/include/linux/leds.h +index 6a8d6409c993e..d8b4a73454e96 100644 +--- a/include/linux/leds.h ++++ b/include/linux/leds.h +@@ -155,7 +155,7 @@ struct led_classdev { + struct kernfs_node *brightness_hw_changed_kn; + #endif + +- /* Ensures consistent access to the LED Flash Class device */ ++ /* Ensures consistent access to the LED class device */ + struct mutex led_access; + }; + +-- +2.43.0 + diff --git a/queue-5.10/media-cx231xx-add-support-for-dexatek-usb-video-grab.patch b/queue-5.10/media-cx231xx-add-support-for-dexatek-usb-video-grab.patch new file mode 100644 index 00000000000..59ee848f46a --- /dev/null +++ b/queue-5.10/media-cx231xx-add-support-for-dexatek-usb-video-grab.patch @@ -0,0 +1,50 @@ +From 18618ab33662880091e2a79e83fdd43fd3698a36 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Oct 2024 19:40:40 +1000 +Subject: media: cx231xx: Add support for Dexatek USB Video Grabber 1d19:6108 + +From: Rohan Barar + +[ Upstream commit 61a830bc0ea69a05d8a4534f825c6aa618263649 ] + +Add Dexatek Technology Ltd USB Video Grabber 1d19:6108 to the cx231xx +driver. This device is sold under the name "BAUHN DVD Maker (DK8723)" by +ALDI in Australia. + +This device is similar to 1d19:6109, which is already included in cx231xx. + +Both video and audio capture function correctly after installing the +patched cx231xx driver. + +Patch Changelog +v1: + - Initial submission. +v2: + - Fix SoB + Improve subject. +v3: + - Rephrase message to not exceed 75 characters per line. + - Removed reference to external GitHub URL. + +Signed-off-by: Rohan Barar +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/usb/cx231xx/cx231xx-cards.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/media/usb/cx231xx/cx231xx-cards.c b/drivers/media/usb/cx231xx/cx231xx-cards.c +index 92efe6c1f47ba..bda729b42d05f 100644 +--- a/drivers/media/usb/cx231xx/cx231xx-cards.c ++++ b/drivers/media/usb/cx231xx/cx231xx-cards.c +@@ -994,6 +994,8 @@ const unsigned int cx231xx_bcount = ARRAY_SIZE(cx231xx_boards); + + /* table of devices that work with this driver */ + struct usb_device_id cx231xx_id_table[] = { ++ {USB_DEVICE(0x1D19, 0x6108), ++ .driver_info = CX231XX_BOARD_PV_XCAPTURE_USB}, + {USB_DEVICE(0x1D19, 0x6109), + .driver_info = CX231XX_BOARD_PV_XCAPTURE_USB}, + {USB_DEVICE(0x0572, 0x5A3C), +-- +2.43.0 + diff --git a/queue-5.10/media-uvcvideo-add-a-quirk-for-the-kaiweets-kti-w02-.patch b/queue-5.10/media-uvcvideo-add-a-quirk-for-the-kaiweets-kti-w02-.patch new file mode 100644 index 00000000000..ec26f2d5012 --- /dev/null +++ b/queue-5.10/media-uvcvideo-add-a-quirk-for-the-kaiweets-kti-w02-.patch @@ -0,0 +1,245 @@ +From 4bf3cb9a4541b4b912583fc1ed516a7796898912 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Sep 2024 20:05:40 +0200 +Subject: media: uvcvideo: Add a quirk for the Kaiweets KTI-W02 infrared camera + +From: David Given + +[ Upstream commit b2ec92bb5605452d539a7aa1e42345b95acd8583 ] + +Adds a quirk to make the NXP Semiconductors 1fc9:009b chipset work. + +lsusb for the device reports: + +Bus 003 Device 011: ID 1fc9:009b NXP Semiconductors IR VIDEO +Device Descriptor: + bLength 18 + bDescriptorType 1 + bcdUSB 2.00 + bDeviceClass 239 Miscellaneous Device + bDeviceSubClass 2 [unknown] + bDeviceProtocol 1 Interface Association + bMaxPacketSize0 64 + idVendor 0x1fc9 NXP Semiconductors + idProduct 0x009b IR VIDEO + bcdDevice 1.01 + iManufacturer 1 Guide sensmart + iProduct 2 IR VIDEO + iSerial 0 + bNumConfigurations 1 + Configuration Descriptor: + bLength 9 + bDescriptorType 2 + wTotalLength 0x00c2 + bNumInterfaces 2 + bConfigurationValue 1 + iConfiguration 0 + bmAttributes 0xc0 + Self Powered + MaxPower 100mA + Interface Association: + bLength 8 + bDescriptorType 11 + bFirstInterface 0 + bInterfaceCount 2 + bFunctionClass 14 Video + bFunctionSubClass 3 Video Interface Collection + bFunctionProtocol 0 + iFunction 3 IR Camera + Interface Descriptor: + bLength 9 + bDescriptorType 4 + bInterfaceNumber 0 + bAlternateSetting 0 + bNumEndpoints 1 + bInterfaceClass 14 Video + bInterfaceSubClass 1 Video Control + bInterfaceProtocol 0 + iInterface 0 + VideoControl Interface Descriptor: + bLength 13 + bDescriptorType 36 + bDescriptorSubtype 1 (HEADER) + bcdUVC 1.00 + wTotalLength 0x0033 + dwClockFrequency 6.000000MHz + bInCollection 1 + baInterfaceNr( 0) 1 + VideoControl Interface Descriptor: + bLength 18 + bDescriptorType 36 + bDescriptorSubtype 2 (INPUT_TERMINAL) + bTerminalID 1 + wTerminalType 0x0201 Camera Sensor + bAssocTerminal 0 + iTerminal 0 + wObjectiveFocalLengthMin 0 + wObjectiveFocalLengthMax 0 + wOcularFocalLength 0 + bControlSize 3 + bmControls 0x00000000 + VideoControl Interface Descriptor: + bLength 9 + bDescriptorType 36 + bDescriptorSubtype 3 (OUTPUT_TERMINAL) + bTerminalID 2 + wTerminalType 0x0101 USB Streaming + bAssocTerminal 0 + bSourceID 1 + iTerminal 0 + VideoControl Interface Descriptor: + bLength 11 + bDescriptorType 36 + bDescriptorSubtype 5 (PROCESSING_UNIT) + Warning: Descriptor too short + bUnitID 3 + bSourceID 1 + wMaxMultiplier 0 + bControlSize 2 + bmControls 0x00000000 + iProcessing 0 + bmVideoStandards 0x62 + NTSC - 525/60 + PAL - 525/60 + Endpoint Descriptor: + bLength 7 + bDescriptorType 5 + bEndpointAddress 0x81 EP 1 IN + bmAttributes 3 + Transfer Type Interrupt + Synch Type None + Usage Type Data + wMaxPacketSize 0x0008 1x 8 bytes + bInterval 1 + Interface Descriptor: + bLength 9 + bDescriptorType 4 + bInterfaceNumber 1 + bAlternateSetting 0 + bNumEndpoints 0 + bInterfaceClass 14 Video + bInterfaceSubClass 2 Video Streaming + bInterfaceProtocol 0 + iInterface 0 + VideoStreaming Interface Descriptor: + bLength 14 + bDescriptorType 36 + bDescriptorSubtype 1 (INPUT_HEADER) + bNumFormats 1 + wTotalLength 0x0055 + bEndpointAddress 0x82 EP 2 IN + bmInfo 0 + bTerminalLink 2 + bStillCaptureMethod 2 + bTriggerSupport 0 + bTriggerUsage 0 + bControlSize 1 + bmaControls( 0) 0 + VideoStreaming Interface Descriptor: + bLength 27 + bDescriptorType 36 + bDescriptorSubtype 4 (FORMAT_UNCOMPRESSED) + bFormatIndex 1 + bNumFrameDescriptors 1 + guidFormat {e436eb7b-524f-11ce-9f53-0020af0ba770} + bBitsPerPixel 16 + bDefaultFrameIndex 1 + bAspectRatioX 0 + bAspectRatioY 0 + bmInterlaceFlags 0x00 + Interlaced stream or variable: No + Fields per frame: 2 fields + Field 1 first: No + Field pattern: Field 1 only + bCopyProtect 0 + VideoStreaming Interface Descriptor: + bLength 34 + bDescriptorType 36 + bDescriptorSubtype 5 (FRAME_UNCOMPRESSED) + bFrameIndex 1 + bmCapabilities 0x00 + Still image unsupported + wWidth 240 + wHeight 322 + dwMinBitRate 12364800 + dwMaxBitRate 30912000 + dwMaxVideoFrameBufferSize 154560 + dwDefaultFrameInterval 400000 + bFrameIntervalType 2 + dwFrameInterval( 0) 400000 + dwFrameInterval( 1) 1000000 + VideoStreaming Interface Descriptor: + bLength 10 + bDescriptorType 36 + bDescriptorSubtype 3 (STILL_IMAGE_FRAME) + bEndpointAddress 0x00 EP 0 OUT + bNumImageSizePatterns 1 + wWidth( 0) 240 + wHeight( 0) 322 + bNumCompressionPatterns 0 + Interface Descriptor: + bLength 9 + bDescriptorType 4 + bInterfaceNumber 1 + bAlternateSetting 1 + bNumEndpoints 1 + bInterfaceClass 14 Video + bInterfaceSubClass 2 Video Streaming + bInterfaceProtocol 0 + iInterface 0 + Endpoint Descriptor: + bLength 7 + bDescriptorType 5 + bEndpointAddress 0x82 EP 2 IN + bmAttributes 5 + Transfer Type Isochronous + Synch Type Asynchronous + Usage Type Data + wMaxPacketSize 0x0400 1x 1024 bytes + bInterval 1 +Device Status: 0x0001 + Self Powered + +Signed-off-by: David Given +Reviewed-by: Laurent Pinchart +Reviewed-by: Ricardo Ribalda +Link: https://lore.kernel.org/r/20240918180540.10830-2-dg@cowlark.com +Signed-off-by: Laurent Pinchart +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/usb/uvc/uvc_driver.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc_driver.c +index da1bccaab1319..f3f91635d67b6 100644 +--- a/drivers/media/usb/uvc/uvc_driver.c ++++ b/drivers/media/usb/uvc/uvc_driver.c +@@ -2548,6 +2548,8 @@ static const struct uvc_device_info uvc_quirk_force_y8 = { + * The Logitech cameras listed below have their interface class set to + * VENDOR_SPEC because they don't announce themselves as UVC devices, even + * though they are compliant. ++ * ++ * Sort these by vendor/product ID. + */ + static const struct usb_device_id uvc_ids[] = { + /* LogiLink Wireless Webcam */ +@@ -3016,6 +3018,15 @@ static const struct usb_device_id uvc_ids[] = { + .bInterfaceProtocol = 0, + .driver_info = UVC_INFO_QUIRK(UVC_QUIRK_PROBE_MINMAX + | UVC_QUIRK_IGNORE_SELECTOR_UNIT) }, ++ /* NXP Semiconductors IR VIDEO */ ++ { .match_flags = USB_DEVICE_ID_MATCH_DEVICE ++ | USB_DEVICE_ID_MATCH_INT_INFO, ++ .idVendor = 0x1fc9, ++ .idProduct = 0x009b, ++ .bInterfaceClass = USB_CLASS_VIDEO, ++ .bInterfaceSubClass = 1, ++ .bInterfaceProtocol = 0, ++ .driver_info = (kernel_ulong_t)&uvc_quirk_probe_minmax }, + /* Oculus VR Positional Tracker DK2 */ + { .match_flags = USB_DEVICE_ID_MATCH_DEVICE + | USB_DEVICE_ID_MATCH_INT_INFO, +-- +2.43.0 + diff --git a/queue-5.10/mips-loongson64-dts-really-fix-pcie-port-nodes-for-l.patch b/queue-5.10/mips-loongson64-dts-really-fix-pcie-port-nodes-for-l.patch new file mode 100644 index 00000000000..82a4fd0e87a --- /dev/null +++ b/queue-5.10/mips-loongson64-dts-really-fix-pcie-port-nodes-for-l.patch @@ -0,0 +1,268 @@ +From dc568d6b6c0ac79c78791877a3d0d6c109e40cb8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 23 Nov 2024 11:57:37 +0800 +Subject: MIPS: Loongson64: DTS: Really fix PCIe port nodes for ls7a + +From: Xi Ruoyao + +[ Upstream commit 4fbd66d8254cedfd1218393f39d83b6c07a01917 ] + +Fix the dtc warnings: + + arch/mips/boot/dts/loongson/ls7a-pch.dtsi:68.16-416.5: Warning (interrupt_provider): /bus@10000000/pci@1a000000: '#interrupt-cells' found, but node is not an interrupt provider + arch/mips/boot/dts/loongson/ls7a-pch.dtsi:68.16-416.5: Warning (interrupt_provider): /bus@10000000/pci@1a000000: '#interrupt-cells' found, but node is not an interrupt provider + arch/mips/boot/dts/loongson/loongson64g_4core_ls7a.dtb: Warning (interrupt_map): Failed prerequisite 'interrupt_provider' + +And a runtime warning introduced in commit 045b14ca5c36 ("of: WARN on +deprecated #address-cells/#size-cells handling"): + + WARNING: CPU: 0 PID: 1 at drivers/of/base.c:106 of_bus_n_addr_cells+0x9c/0xe0 + Missing '#address-cells' in /bus@10000000/pci@1a000000/pci_bridge@9,0 + +The fix is similar to commit d89a415ff8d5 ("MIPS: Loongson64: DTS: Fix PCIe +port nodes for ls7a"), which has fixed the issue for ls2k (despite its +subject mentions ls7a). + +Signed-off-by: Xi Ruoyao +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/boot/dts/loongson/ls7a-pch.dtsi | 73 +++++++++++++++++++---- + 1 file changed, 60 insertions(+), 13 deletions(-) + +diff --git a/arch/mips/boot/dts/loongson/ls7a-pch.dtsi b/arch/mips/boot/dts/loongson/ls7a-pch.dtsi +index f99a7a11fded8..cdb1c40b4fd14 100644 +--- a/arch/mips/boot/dts/loongson/ls7a-pch.dtsi ++++ b/arch/mips/boot/dts/loongson/ls7a-pch.dtsi +@@ -63,7 +63,6 @@ pci@1a000000 { + device_type = "pci"; + #address-cells = <3>; + #size-cells = <2>; +- #interrupt-cells = <2>; + msi-parent = <&msi>; + + reg = <0 0x1a000000 0 0x02000000>, +@@ -226,7 +225,7 @@ phy1: ethernet-phy@1 { + }; + }; + +- pci_bridge@9,0 { ++ pcie@9,0 { + compatible = "pci0014,7a19.1", + "pci0014,7a19", + "pciclass060400", +@@ -236,12 +235,16 @@ pci_bridge@9,0 { + interrupts = <32 IRQ_TYPE_LEVEL_HIGH>; + interrupt-parent = <&pic>; + ++ #address-cells = <3>; ++ #size-cells = <2>; ++ device_type = "pci"; + #interrupt-cells = <1>; + interrupt-map-mask = <0 0 0 0>; + interrupt-map = <0 0 0 0 &pic 32 IRQ_TYPE_LEVEL_HIGH>; ++ ranges; + }; + +- pci_bridge@a,0 { ++ pcie@a,0 { + compatible = "pci0014,7a09.1", + "pci0014,7a09", + "pciclass060400", +@@ -251,12 +254,16 @@ pci_bridge@a,0 { + interrupts = <33 IRQ_TYPE_LEVEL_HIGH>; + interrupt-parent = <&pic>; + ++ #address-cells = <3>; ++ #size-cells = <2>; ++ device_type = "pci"; + #interrupt-cells = <1>; + interrupt-map-mask = <0 0 0 0>; + interrupt-map = <0 0 0 0 &pic 33 IRQ_TYPE_LEVEL_HIGH>; ++ ranges; + }; + +- pci_bridge@b,0 { ++ pcie@b,0 { + compatible = "pci0014,7a09.1", + "pci0014,7a09", + "pciclass060400", +@@ -266,12 +273,16 @@ pci_bridge@b,0 { + interrupts = <34 IRQ_TYPE_LEVEL_HIGH>; + interrupt-parent = <&pic>; + ++ #address-cells = <3>; ++ #size-cells = <2>; ++ device_type = "pci"; + #interrupt-cells = <1>; + interrupt-map-mask = <0 0 0 0>; + interrupt-map = <0 0 0 0 &pic 34 IRQ_TYPE_LEVEL_HIGH>; ++ ranges; + }; + +- pci_bridge@c,0 { ++ pcie@c,0 { + compatible = "pci0014,7a09.1", + "pci0014,7a09", + "pciclass060400", +@@ -281,12 +292,16 @@ pci_bridge@c,0 { + interrupts = <35 IRQ_TYPE_LEVEL_HIGH>; + interrupt-parent = <&pic>; + ++ #address-cells = <3>; ++ #size-cells = <2>; ++ device_type = "pci"; + #interrupt-cells = <1>; + interrupt-map-mask = <0 0 0 0>; + interrupt-map = <0 0 0 0 &pic 35 IRQ_TYPE_LEVEL_HIGH>; ++ ranges; + }; + +- pci_bridge@d,0 { ++ pcie@d,0 { + compatible = "pci0014,7a19.1", + "pci0014,7a19", + "pciclass060400", +@@ -296,12 +311,16 @@ pci_bridge@d,0 { + interrupts = <36 IRQ_TYPE_LEVEL_HIGH>; + interrupt-parent = <&pic>; + ++ #address-cells = <3>; ++ #size-cells = <2>; ++ device_type = "pci"; + #interrupt-cells = <1>; + interrupt-map-mask = <0 0 0 0>; + interrupt-map = <0 0 0 0 &pic 36 IRQ_TYPE_LEVEL_HIGH>; ++ ranges; + }; + +- pci_bridge@e,0 { ++ pcie@e,0 { + compatible = "pci0014,7a09.1", + "pci0014,7a09", + "pciclass060400", +@@ -311,12 +330,16 @@ pci_bridge@e,0 { + interrupts = <37 IRQ_TYPE_LEVEL_HIGH>; + interrupt-parent = <&pic>; + ++ #address-cells = <3>; ++ #size-cells = <2>; ++ device_type = "pci"; + #interrupt-cells = <1>; + interrupt-map-mask = <0 0 0 0>; + interrupt-map = <0 0 0 0 &pic 37 IRQ_TYPE_LEVEL_HIGH>; ++ ranges; + }; + +- pci_bridge@f,0 { ++ pcie@f,0 { + compatible = "pci0014,7a29.1", + "pci0014,7a29", + "pciclass060400", +@@ -326,12 +349,16 @@ pci_bridge@f,0 { + interrupts = <40 IRQ_TYPE_LEVEL_HIGH>; + interrupt-parent = <&pic>; + ++ #address-cells = <3>; ++ #size-cells = <2>; ++ device_type = "pci"; + #interrupt-cells = <1>; + interrupt-map-mask = <0 0 0 0>; + interrupt-map = <0 0 0 0 &pic 40 IRQ_TYPE_LEVEL_HIGH>; ++ ranges; + }; + +- pci_bridge@10,0 { ++ pcie@10,0 { + compatible = "pci0014,7a19.1", + "pci0014,7a19", + "pciclass060400", +@@ -341,12 +368,16 @@ pci_bridge@10,0 { + interrupts = <41 IRQ_TYPE_LEVEL_HIGH>; + interrupt-parent = <&pic>; + ++ #address-cells = <3>; ++ #size-cells = <2>; ++ device_type = "pci"; + #interrupt-cells = <1>; + interrupt-map-mask = <0 0 0 0>; + interrupt-map = <0 0 0 0 &pic 41 IRQ_TYPE_LEVEL_HIGH>; ++ ranges; + }; + +- pci_bridge@11,0 { ++ pcie@11,0 { + compatible = "pci0014,7a29.1", + "pci0014,7a29", + "pciclass060400", +@@ -356,12 +387,16 @@ pci_bridge@11,0 { + interrupts = <42 IRQ_TYPE_LEVEL_HIGH>; + interrupt-parent = <&pic>; + ++ #address-cells = <3>; ++ #size-cells = <2>; ++ device_type = "pci"; + #interrupt-cells = <1>; + interrupt-map-mask = <0 0 0 0>; + interrupt-map = <0 0 0 0 &pic 42 IRQ_TYPE_LEVEL_HIGH>; ++ ranges; + }; + +- pci_bridge@12,0 { ++ pcie@12,0 { + compatible = "pci0014,7a19.1", + "pci0014,7a19", + "pciclass060400", +@@ -371,12 +406,16 @@ pci_bridge@12,0 { + interrupts = <43 IRQ_TYPE_LEVEL_HIGH>; + interrupt-parent = <&pic>; + ++ #address-cells = <3>; ++ #size-cells = <2>; ++ device_type = "pci"; + #interrupt-cells = <1>; + interrupt-map-mask = <0 0 0 0>; + interrupt-map = <0 0 0 0 &pic 43 IRQ_TYPE_LEVEL_HIGH>; ++ ranges; + }; + +- pci_bridge@13,0 { ++ pcie@13,0 { + compatible = "pci0014,7a29.1", + "pci0014,7a29", + "pciclass060400", +@@ -386,12 +425,16 @@ pci_bridge@13,0 { + interrupts = <38 IRQ_TYPE_LEVEL_HIGH>; + interrupt-parent = <&pic>; + ++ #address-cells = <3>; ++ #size-cells = <2>; ++ device_type = "pci"; + #interrupt-cells = <1>; + interrupt-map-mask = <0 0 0 0>; + interrupt-map = <0 0 0 0 &pic 38 IRQ_TYPE_LEVEL_HIGH>; ++ ranges; + }; + +- pci_bridge@14,0 { ++ pcie@14,0 { + compatible = "pci0014,7a19.1", + "pci0014,7a19", + "pciclass060400", +@@ -401,9 +444,13 @@ pci_bridge@14,0 { + interrupts = <39 IRQ_TYPE_LEVEL_HIGH>; + interrupt-parent = <&pic>; + ++ #address-cells = <3>; ++ #size-cells = <2>; ++ device_type = "pci"; + #interrupt-cells = <1>; + interrupt-map-mask = <0 0 0 0>; + interrupt-map = <0 0 0 0 &pic 39 IRQ_TYPE_LEVEL_HIGH>; ++ ranges; + }; + }; + +-- +2.43.0 + diff --git a/queue-5.10/misc-eeprom-eeprom_93cx6-add-quirk-for-extra-read-cl.patch b/queue-5.10/misc-eeprom-eeprom_93cx6-add-quirk-for-extra-read-cl.patch new file mode 100644 index 00000000000..7ffbe9353cb --- /dev/null +++ b/queue-5.10/misc-eeprom-eeprom_93cx6-add-quirk-for-extra-read-cl.patch @@ -0,0 +1,119 @@ +From 341312c0155f71b2c9e017b082016169169900b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Oct 2024 11:12:33 -0400 +Subject: misc: eeprom: eeprom_93cx6: Add quirk for extra read clock cycle + +From: Parker Newman + +[ Upstream commit 7738a7ab9d12c5371ed97114ee2132d4512e9fd5 ] + +Add a quirk similar to eeprom_93xx46 to add an extra clock cycle before +reading data from the EEPROM. + +The 93Cx6 family of EEPROMs output a "dummy 0 bit" between the writing +of the op-code/address from the host to the EEPROM and the reading of +the actual data from the EEPROM. + +More info can be found on page 6 of the AT93C46 datasheet (linked below). +Similar notes are found in other 93xx6 datasheets. + +In summary the read operation for a 93Cx6 EEPROM is: +Write to EEPROM: 110[A5-A0] (9 bits) +Read from EEPROM: 0[D15-D0] (17 bits) + +Where: + 110 is the start bit and READ OpCode + [A5-A0] is the address to read from + 0 is a "dummy bit" preceding the actual data + [D15-D0] is the actual data. + +Looking at the READ timing diagrams in the 93Cx6 datasheets the dummy +bit should be clocked out on the last address bit clock cycle meaning it +should be discarded naturally. + +However, depending on the hardware configuration sometimes this dummy +bit is not discarded. This is the case with Exar PCI UARTs which require +an extra clock cycle between sending the address and reading the data. + +Datasheet: https://ww1.microchip.com/downloads/en/DeviceDoc/Atmel-5193-SEEPROM-AT93C46D-Datasheet.pdf +Reviewed-by: Andy Shevchenko +Signed-off-by: Parker Newman +Link: https://lore.kernel.org/r/0f23973efefccd2544705a0480b4ad4c2353e407.1727880931.git.pnewman@connecttech.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/misc/eeprom/eeprom_93cx6.c | 10 ++++++++++ + include/linux/eeprom_93cx6.h | 11 +++++++++++ + 2 files changed, 21 insertions(+) + +diff --git a/drivers/misc/eeprom/eeprom_93cx6.c b/drivers/misc/eeprom/eeprom_93cx6.c +index 9627294fe3e95..4c9827fe92173 100644 +--- a/drivers/misc/eeprom/eeprom_93cx6.c ++++ b/drivers/misc/eeprom/eeprom_93cx6.c +@@ -186,6 +186,11 @@ void eeprom_93cx6_read(struct eeprom_93cx6 *eeprom, const u8 word, + eeprom_93cx6_write_bits(eeprom, command, + PCI_EEPROM_WIDTH_OPCODE + eeprom->width); + ++ if (has_quirk_extra_read_cycle(eeprom)) { ++ eeprom_93cx6_pulse_high(eeprom); ++ eeprom_93cx6_pulse_low(eeprom); ++ } ++ + /* + * Read the requested 16 bits. + */ +@@ -252,6 +257,11 @@ void eeprom_93cx6_readb(struct eeprom_93cx6 *eeprom, const u8 byte, + eeprom_93cx6_write_bits(eeprom, command, + PCI_EEPROM_WIDTH_OPCODE + eeprom->width + 1); + ++ if (has_quirk_extra_read_cycle(eeprom)) { ++ eeprom_93cx6_pulse_high(eeprom); ++ eeprom_93cx6_pulse_low(eeprom); ++ } ++ + /* + * Read the requested 8 bits. + */ +diff --git a/include/linux/eeprom_93cx6.h b/include/linux/eeprom_93cx6.h +index c860c72a921d0..3a485cc0e0fa0 100644 +--- a/include/linux/eeprom_93cx6.h ++++ b/include/linux/eeprom_93cx6.h +@@ -11,6 +11,8 @@ + Supported chipsets: 93c46, 93c56 and 93c66. + */ + ++#include ++ + /* + * EEPROM operation defines. + */ +@@ -34,6 +36,7 @@ + * @register_write(struct eeprom_93cx6 *eeprom): handler to + * write to the eeprom register by using all reg_* fields. + * @width: eeprom width, should be one of the PCI_EEPROM_WIDTH_* defines ++ * @quirks: eeprom or controller quirks + * @drive_data: Set if we're driving the data line. + * @reg_data_in: register field to indicate data input + * @reg_data_out: register field to indicate data output +@@ -50,6 +53,9 @@ struct eeprom_93cx6 { + void (*register_write)(struct eeprom_93cx6 *eeprom); + + int width; ++ unsigned int quirks; ++/* Some EEPROMs require an extra clock cycle before reading */ ++#define PCI_EEPROM_QUIRK_EXTRA_READ_CYCLE BIT(0) + + char drive_data; + char reg_data_in; +@@ -71,3 +77,8 @@ extern void eeprom_93cx6_wren(struct eeprom_93cx6 *eeprom, bool enable); + + extern void eeprom_93cx6_write(struct eeprom_93cx6 *eeprom, + u8 addr, u16 data); ++ ++static inline bool has_quirk_extra_read_cycle(struct eeprom_93cx6 *eeprom) ++{ ++ return eeprom->quirks & PCI_EEPROM_QUIRK_EXTRA_READ_CYCLE; ++} +-- +2.43.0 + diff --git a/queue-5.10/net-af_can-do-not-leave-a-dangling-sk-pointer-in-can.patch b/queue-5.10/net-af_can-do-not-leave-a-dangling-sk-pointer-in-can.patch new file mode 100644 index 00000000000..c26ecd6d883 --- /dev/null +++ b/queue-5.10/net-af_can-do-not-leave-a-dangling-sk-pointer-in-can.patch @@ -0,0 +1,39 @@ +From 5dd396f7883a651d70d6fc46ff781c09673574e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Oct 2024 16:38:03 +0100 +Subject: net: af_can: do not leave a dangling sk pointer in can_create() + +From: Ignat Korchagin + +[ Upstream commit 811a7ca7320c062e15d0f5b171fe6ad8592d1434 ] + +On error can_create() frees the allocated sk object, but sock_init_data() +has already attached it to the provided sock object. This will leave a +dangling sk pointer in the sock object and may cause use-after-free later. + +Signed-off-by: Ignat Korchagin +Reviewed-by: Vincent Mailhol +Reviewed-by: Kuniyuki Iwashima +Reviewed-by: Marc Kleine-Budde +Link: https://patch.msgid.link/20241014153808.51894-5-ignat@cloudflare.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/can/af_can.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/can/af_can.c b/net/can/af_can.c +index 79f24c6f43c8c..de47c16b134bf 100644 +--- a/net/can/af_can.c ++++ b/net/can/af_can.c +@@ -171,6 +171,7 @@ static int can_create(struct net *net, struct socket *sock, int protocol, + /* release sk on errors */ + sock_orphan(sk); + sock_put(sk); ++ sock->sk = NULL; + } + + errout: +-- +2.43.0 + diff --git a/queue-5.10/net-ethernet-fs_enet-use-pa-to-format-resource_size_.patch b/queue-5.10/net-ethernet-fs_enet-use-pa-to-format-resource_size_.patch new file mode 100644 index 00000000000..f3ff1574a4c --- /dev/null +++ b/queue-5.10/net-ethernet-fs_enet-use-pa-to-format-resource_size_.patch @@ -0,0 +1,57 @@ +From b7b243558542fec1d01ef0f0095be48900e1d1ef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Oct 2024 11:48:08 +0100 +Subject: net: ethernet: fs_enet: Use %pa to format resource_size_t + +From: Simon Horman + +[ Upstream commit 45fe45fada261e1e83fce2a07fa22835aec1cf0a ] + +The correct format string for resource_size_t is %pa which +acts on the address of the variable to be formatted [1]. + +[1] https://elixir.bootlin.com/linux/v6.11.3/source/Documentation/core-api/printk-formats.rst#L229 + +Introduced by commit 9d9326d3bc0e ("phy: Change mii_bus id field to a string") + +Flagged by gcc-14 as: + +drivers/net/ethernet/freescale/fs_enet/mii-bitbang.c: In function 'fs_mii_bitbang_init': +drivers/net/ethernet/freescale/fs_enet/mii-bitbang.c:126:46: warning: format '%x' expects argument of type 'unsigned int', but argument 4 has type 'resource_size_t' {aka 'long long unsigned int'} [-Wformat=] + 126 | snprintf(bus->id, MII_BUS_ID_SIZE, "%x", res.start); + | ~^ ~~~~~~~~~ + | | | + | | resource_size_t {aka long long unsigned int} + | unsigned int + | %llx + +No functional change intended. +Compile tested only. + +Reported-by: Geert Uytterhoeven +Closes: https://lore.kernel.org/netdev/711d7f6d-b785-7560-f4dc-c6aad2cce99@linux-m68k.org/ +Signed-off-by: Simon Horman +Reviewed-by: Daniel Machon +Link: https://patch.msgid.link/20241014-net-pa-fmt-v1-2-dcc9afb8858b@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/fs_enet/mii-bitbang.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/freescale/fs_enet/mii-bitbang.c b/drivers/net/ethernet/freescale/fs_enet/mii-bitbang.c +index 21de56345503f..f743112730194 100644 +--- a/drivers/net/ethernet/freescale/fs_enet/mii-bitbang.c ++++ b/drivers/net/ethernet/freescale/fs_enet/mii-bitbang.c +@@ -126,7 +126,7 @@ static int fs_mii_bitbang_init(struct mii_bus *bus, struct device_node *np) + * we get is an int, and the odds of multiple bitbang mdio buses + * is low enough that it's not worth going too crazy. + */ +- snprintf(bus->id, MII_BUS_ID_SIZE, "%x", res.start); ++ snprintf(bus->id, MII_BUS_ID_SIZE, "%pa", &res.start); + + data = of_get_property(np, "fsl,mdio-pin", &len); + if (!data || len != 4) +-- +2.43.0 + diff --git a/queue-5.10/net-fec_mpc52xx_phy-use-pa-to-format-resource_size_t.patch b/queue-5.10/net-fec_mpc52xx_phy-use-pa-to-format-resource_size_t.patch new file mode 100644 index 00000000000..b9bbc9de4db --- /dev/null +++ b/queue-5.10/net-fec_mpc52xx_phy-use-pa-to-format-resource_size_t.patch @@ -0,0 +1,57 @@ +From c9bf39ac597bdd89a94bf74f441c0d1587d365a2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Oct 2024 11:48:07 +0100 +Subject: net: fec_mpc52xx_phy: Use %pa to format resource_size_t + +From: Simon Horman + +[ Upstream commit 020bfdc4ed94be472138c891bde4d14241cf00fd ] + +The correct format string for resource_size_t is %pa which +acts on the address of the variable to be formatted [1]. + +[1] https://elixir.bootlin.com/linux/v6.11.3/source/Documentation/core-api/printk-formats.rst#L229 + +Introduced by commit 9d9326d3bc0e ("phy: Change mii_bus id field to a string") + +Flagged by gcc-14 as: + +drivers/net/ethernet/freescale/fec_mpc52xx_phy.c: In function 'mpc52xx_fec_mdio_probe': +drivers/net/ethernet/freescale/fec_mpc52xx_phy.c:97:46: warning: format '%x' expects argument of type 'unsigned int', but argument 4 has type 'resource_size_t' {aka 'long long unsigned int'} [-Wformat=] + 97 | snprintf(bus->id, MII_BUS_ID_SIZE, "%x", res.start); + | ~^ ~~~~~~~~~ + | | | + | | resource_size_t {aka long long unsigned int} + | unsigned int + | %llx + +No functional change intended. +Compile tested only. + +Reported-by: Geert Uytterhoeven +Closes: https://lore.kernel.org/netdev/711d7f6d-b785-7560-f4dc-c6aad2cce99@linux-m68k.org/ +Signed-off-by: Simon Horman +Reviewed-by: Daniel Machon +Link: https://patch.msgid.link/20241014-net-pa-fmt-v1-1-dcc9afb8858b@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/fec_mpc52xx_phy.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/freescale/fec_mpc52xx_phy.c b/drivers/net/ethernet/freescale/fec_mpc52xx_phy.c +index b5497e3083020..7e631e2f710fb 100644 +--- a/drivers/net/ethernet/freescale/fec_mpc52xx_phy.c ++++ b/drivers/net/ethernet/freescale/fec_mpc52xx_phy.c +@@ -92,7 +92,7 @@ static int mpc52xx_fec_mdio_probe(struct platform_device *of) + goto out_free; + } + +- snprintf(bus->id, MII_BUS_ID_SIZE, "%x", res.start); ++ snprintf(bus->id, MII_BUS_ID_SIZE, "%pa", &res.start); + bus->priv = priv; + + bus->parent = dev; +-- +2.43.0 + diff --git a/queue-5.10/net-ieee802154-do-not-leave-a-dangling-sk-pointer-in.patch b/queue-5.10/net-ieee802154-do-not-leave-a-dangling-sk-pointer-in.patch new file mode 100644 index 00000000000..1c080cd12af --- /dev/null +++ b/queue-5.10/net-ieee802154-do-not-leave-a-dangling-sk-pointer-in.patch @@ -0,0 +1,62 @@ +From 7976d57969b8bddf2008437b75da3930f3f1d78b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Oct 2024 16:38:04 +0100 +Subject: net: ieee802154: do not leave a dangling sk pointer in + ieee802154_create() + +From: Ignat Korchagin + +[ Upstream commit b4fcd63f6ef79c73cafae8cf4a114def5fc3d80d ] + +sock_init_data() attaches the allocated sk object to the provided sock +object. If ieee802154_create() fails later, the allocated sk object is +freed, but the dangling pointer remains in the provided sock object, which +may allow use-after-free. + +Clear the sk pointer in the sock object on error. + +Signed-off-by: Ignat Korchagin +Reviewed-by: Miquel Raynal +Reviewed-by: Kuniyuki Iwashima +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20241014153808.51894-6-ignat@cloudflare.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ieee802154/socket.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/net/ieee802154/socket.c b/net/ieee802154/socket.c +index d4c275e56d825..c8b9efc92b45a 100644 +--- a/net/ieee802154/socket.c ++++ b/net/ieee802154/socket.c +@@ -1047,19 +1047,21 @@ static int ieee802154_create(struct net *net, struct socket *sock, + + if (sk->sk_prot->hash) { + rc = sk->sk_prot->hash(sk); +- if (rc) { +- sk_common_release(sk); +- goto out; +- } ++ if (rc) ++ goto out_sk_release; + } + + if (sk->sk_prot->init) { + rc = sk->sk_prot->init(sk); + if (rc) +- sk_common_release(sk); ++ goto out_sk_release; + } + out: + return rc; ++out_sk_release: ++ sk_common_release(sk); ++ sock->sk = NULL; ++ goto out; + } + + static const struct net_proto_family ieee802154_family_ops = { +-- +2.43.0 + diff --git a/queue-5.10/net-inet-do-not-leave-a-dangling-sk-pointer-in-inet_.patch b/queue-5.10/net-inet-do-not-leave-a-dangling-sk-pointer-in-inet_.patch new file mode 100644 index 00000000000..2f9ed8f526f --- /dev/null +++ b/queue-5.10/net-inet-do-not-leave-a-dangling-sk-pointer-in-inet_.patch @@ -0,0 +1,76 @@ +From a73b9ccf94c4f3e3835e0739747b3f9cf062edbf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Oct 2024 16:38:05 +0100 +Subject: net: inet: do not leave a dangling sk pointer in inet_create() + +From: Ignat Korchagin + +[ Upstream commit 9365fa510c6f82e3aa550a09d0c5c6b44dbc78ff ] + +sock_init_data() attaches the allocated sk object to the provided sock +object. If inet_create() fails later, the sk object is freed, but the +sock object retains the dangling pointer, which may create use-after-free +later. + +Clear the sk pointer in the sock object on error. + +Signed-off-by: Ignat Korchagin +Reviewed-by: Kuniyuki Iwashima +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20241014153808.51894-7-ignat@cloudflare.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/af_inet.c | 22 ++++++++++------------ + 1 file changed, 10 insertions(+), 12 deletions(-) + +diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c +index 58dfca09093c2..c64a52b30ddc9 100644 +--- a/net/ipv4/af_inet.c ++++ b/net/ipv4/af_inet.c +@@ -373,32 +373,30 @@ static int inet_create(struct net *net, struct socket *sock, int protocol, + inet->inet_sport = htons(inet->inet_num); + /* Add to protocol hash chains. */ + err = sk->sk_prot->hash(sk); +- if (err) { +- sk_common_release(sk); +- goto out; +- } ++ if (err) ++ goto out_sk_release; + } + + if (sk->sk_prot->init) { + err = sk->sk_prot->init(sk); +- if (err) { +- sk_common_release(sk); +- goto out; +- } ++ if (err) ++ goto out_sk_release; + } + + if (!kern) { + err = BPF_CGROUP_RUN_PROG_INET_SOCK(sk); +- if (err) { +- sk_common_release(sk); +- goto out; +- } ++ if (err) ++ goto out_sk_release; + } + out: + return err; + out_rcu_unlock: + rcu_read_unlock(); + goto out; ++out_sk_release: ++ sk_common_release(sk); ++ sock->sk = NULL; ++ goto out; + } + + +-- +2.43.0 + diff --git a/queue-5.10/net-inet6-do-not-leave-a-dangling-sk-pointer-in-inet.patch b/queue-5.10/net-inet6-do-not-leave-a-dangling-sk-pointer-in-inet.patch new file mode 100644 index 00000000000..55201cd121f --- /dev/null +++ b/queue-5.10/net-inet6-do-not-leave-a-dangling-sk-pointer-in-inet.patch @@ -0,0 +1,75 @@ +From 2f73bc2133fa7f7398990a3d1553ecb64fa80cc4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Oct 2024 16:38:06 +0100 +Subject: net: inet6: do not leave a dangling sk pointer in inet6_create() + +From: Ignat Korchagin + +[ Upstream commit 9df99c395d0f55fb444ef39f4d6f194ca437d884 ] + +sock_init_data() attaches the allocated sk pointer to the provided sock +object. If inet6_create() fails later, the sk object is released, but the +sock object retains the dangling sk pointer, which may cause use-after-free +later. + +Clear the sock sk pointer on error. + +Signed-off-by: Ignat Korchagin +Reviewed-by: Kuniyuki Iwashima +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20241014153808.51894-8-ignat@cloudflare.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/af_inet6.c | 22 ++++++++++------------ + 1 file changed, 10 insertions(+), 12 deletions(-) + +diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c +index 32da2b66fa2fb..5fd203ddc0757 100644 +--- a/net/ipv6/af_inet6.c ++++ b/net/ipv6/af_inet6.c +@@ -257,31 +257,29 @@ static int inet6_create(struct net *net, struct socket *sock, int protocol, + */ + inet->inet_sport = htons(inet->inet_num); + err = sk->sk_prot->hash(sk); +- if (err) { +- sk_common_release(sk); +- goto out; +- } ++ if (err) ++ goto out_sk_release; + } + if (sk->sk_prot->init) { + err = sk->sk_prot->init(sk); +- if (err) { +- sk_common_release(sk); +- goto out; +- } ++ if (err) ++ goto out_sk_release; + } + + if (!kern) { + err = BPF_CGROUP_RUN_PROG_INET_SOCK(sk); +- if (err) { +- sk_common_release(sk); +- goto out; +- } ++ if (err) ++ goto out_sk_release; + } + out: + return err; + out_rcu_unlock: + rcu_read_unlock(); + goto out; ++out_sk_release: ++ sk_common_release(sk); ++ sock->sk = NULL; ++ goto out; + } + + static int __inet6_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len, +-- +2.43.0 + diff --git a/queue-5.10/net-neighbor-clear-error-in-case-strict-check-is-not.patch b/queue-5.10/net-neighbor-clear-error-in-case-strict-check-is-not.patch new file mode 100644 index 00000000000..7eacdcadb3e --- /dev/null +++ b/queue-5.10/net-neighbor-clear-error-in-case-strict-check-is-not.patch @@ -0,0 +1,42 @@ +From be724c958413341e0756b011b104545199025578 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Nov 2024 16:32:21 -0800 +Subject: net/neighbor: clear error in case strict check is not set + +From: Jakub Kicinski + +[ Upstream commit 0de6a472c3b38432b2f184bd64eb70d9ea36d107 ] + +Commit 51183d233b5a ("net/neighbor: Update neigh_dump_info for strict +data checking") added strict checking. The err variable is not cleared, +so if we find no table to dump we will return the validation error even +if user did not want strict checking. + +I think the only way to hit this is to send an buggy request, and ask +for a table which doesn't exist, so there's no point treating this +as a real fix. I only noticed it because a syzbot repro depended on it +to trigger another bug. + +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20241115003221.733593-1-kuba@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/neighbour.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/core/neighbour.c b/net/core/neighbour.c +index 432e3a64dc4a5..c187eb951083b 100644 +--- a/net/core/neighbour.c ++++ b/net/core/neighbour.c +@@ -2739,6 +2739,7 @@ static int neigh_dump_info(struct sk_buff *skb, struct netlink_callback *cb) + err = neigh_valid_dump_req(nlh, cb->strict_check, &filter, cb->extack); + if (err < 0 && cb->strict_check) + return err; ++ err = 0; + + s_t = cb->args[0]; + +-- +2.43.0 + diff --git a/queue-5.10/net-sched-cbs-fix-integer-overflow-in-cbs_set_port_r.patch b/queue-5.10/net-sched-cbs-fix-integer-overflow-in-cbs_set_port_r.patch new file mode 100644 index 00000000000..7d20cee062c --- /dev/null +++ b/queue-5.10/net-sched-cbs-fix-integer-overflow-in-cbs_set_port_r.patch @@ -0,0 +1,40 @@ +From 13fd248bb0ff26bbf51e2f822809ee9f60bcc40c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 13 Oct 2024 15:45:29 +0300 +Subject: net/sched: cbs: Fix integer overflow in cbs_set_port_rate() + +From: Elena Salomatkina + +[ Upstream commit 397006ba5d918f9b74e734867e8fddbc36dc2282 ] + +The subsequent calculation of port_rate = speed * 1000 * BYTES_PER_KBIT, +where the BYTES_PER_KBIT is of type LL, may cause an overflow. +At least when speed = SPEED_20000, the expression to the left of port_rate +will be greater than INT_MAX. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Signed-off-by: Elena Salomatkina +Link: https://patch.msgid.link/20241013124529.1043-1-esalomatkina@ispras.ru +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/sch_cbs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/sched/sch_cbs.c b/net/sched/sch_cbs.c +index 2eaac2ff380fa..db92ae819fd28 100644 +--- a/net/sched/sch_cbs.c ++++ b/net/sched/sch_cbs.c +@@ -309,7 +309,7 @@ static void cbs_set_port_rate(struct net_device *dev, struct cbs_sched_data *q) + { + struct ethtool_link_ksettings ecmd; + int speed = SPEED_10; +- int port_rate; ++ s64 port_rate; + int err; + + err = __ethtool_get_link_ksettings(dev, &ecmd); +-- +2.43.0 + diff --git a/queue-5.10/netpoll-use-rcu_access_pointer-in-__netpoll_setup.patch b/queue-5.10/netpoll-use-rcu_access_pointer-in-__netpoll_setup.patch new file mode 100644 index 00000000000..c671663f486 --- /dev/null +++ b/queue-5.10/netpoll-use-rcu_access_pointer-in-__netpoll_setup.patch @@ -0,0 +1,44 @@ +From 9baffba5531dfd8765f3f0821401b92fe71b3ddb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Nov 2024 03:15:17 -0800 +Subject: netpoll: Use rcu_access_pointer() in __netpoll_setup + +From: Breno Leitao + +[ Upstream commit c69c5e10adb903ae2438d4f9c16eccf43d1fcbc1 ] + +The ndev->npinfo pointer in __netpoll_setup() is RCU-protected but is being +accessed directly for a NULL check. While no RCU read lock is held in this +context, we should still use proper RCU primitives for consistency and +correctness. + +Replace the direct NULL check with rcu_access_pointer(), which is the +appropriate primitive when only checking for NULL without dereferencing +the pointer. This function provides the necessary ordering guarantees +without requiring RCU read-side protection. + +Reviewed-by: Michal Kubiak +Signed-off-by: Breno Leitao +Link: https://patch.msgid.link/20241118-netpoll_rcu-v1-1-a1888dcb4a02@debian.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/netpoll.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/core/netpoll.c b/net/core/netpoll.c +index f76afab9fd8bd..4475b2174bcc4 100644 +--- a/net/core/netpoll.c ++++ b/net/core/netpoll.c +@@ -635,7 +635,7 @@ int __netpoll_setup(struct netpoll *np, struct net_device *ndev) + goto out; + } + +- if (!ndev->npinfo) { ++ if (!rcu_access_pointer(ndev->npinfo)) { + npinfo = kmalloc(sizeof(*npinfo), GFP_KERNEL); + if (!npinfo) { + err = -ENOMEM; +-- +2.43.0 + diff --git a/queue-5.10/nvdimm-rectify-the-illogical-code-within-nd_dax_prob.patch b/queue-5.10/nvdimm-rectify-the-illogical-code-within-nd_dax_prob.patch new file mode 100644 index 00000000000..33225f6eefb --- /dev/null +++ b/queue-5.10/nvdimm-rectify-the-illogical-code-within-nd_dax_prob.patch @@ -0,0 +1,65 @@ +From aae6504c15d88861dce53848eef71783c83bc1e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Nov 2024 08:55:26 +0000 +Subject: nvdimm: rectify the illogical code within nd_dax_probe() + +From: Yi Yang + +[ Upstream commit b61352101470f8b68c98af674e187cfaa7c43504 ] + +When nd_dax is NULL, nd_pfn is consequently NULL as well. Nevertheless, +it is inadvisable to perform pointer arithmetic or address-taking on a +NULL pointer. +Introduce the nd_dax_devinit() function to enhance the code's logic and +improve its readability. + +Signed-off-by: Yi Yang +Reviewed-by: Dave Jiang +Link: https://patch.msgid.link/20241108085526.527957-1-yiyang13@huawei.com +Signed-off-by: Ira Weiny +Signed-off-by: Sasha Levin +--- + drivers/nvdimm/dax_devs.c | 4 ++-- + drivers/nvdimm/nd.h | 7 +++++++ + 2 files changed, 9 insertions(+), 2 deletions(-) + +diff --git a/drivers/nvdimm/dax_devs.c b/drivers/nvdimm/dax_devs.c +index 99965077bac4f..e7b8211c19cc6 100644 +--- a/drivers/nvdimm/dax_devs.c ++++ b/drivers/nvdimm/dax_devs.c +@@ -106,12 +106,12 @@ int nd_dax_probe(struct device *dev, struct nd_namespace_common *ndns) + + nvdimm_bus_lock(&ndns->dev); + nd_dax = nd_dax_alloc(nd_region); +- nd_pfn = &nd_dax->nd_pfn; +- dax_dev = nd_pfn_devinit(nd_pfn, ndns); ++ dax_dev = nd_dax_devinit(nd_dax, ndns); + nvdimm_bus_unlock(&ndns->dev); + if (!dax_dev) + return -ENOMEM; + pfn_sb = devm_kmalloc(dev, sizeof(*pfn_sb), GFP_KERNEL); ++ nd_pfn = &nd_dax->nd_pfn; + nd_pfn->pfn_sb = pfn_sb; + rc = nd_pfn_validate(nd_pfn, DAX_SIG); + dev_dbg(dev, "dax: %s\n", rc == 0 ? dev_name(dax_dev) : ""); +diff --git a/drivers/nvdimm/nd.h b/drivers/nvdimm/nd.h +index 696b55556d4d2..12c2be3cdf5cc 100644 +--- a/drivers/nvdimm/nd.h ++++ b/drivers/nvdimm/nd.h +@@ -335,6 +335,13 @@ struct nd_dax *to_nd_dax(struct device *dev); + int nd_dax_probe(struct device *dev, struct nd_namespace_common *ndns); + bool is_nd_dax(struct device *dev); + struct device *nd_dax_create(struct nd_region *nd_region); ++static inline struct device *nd_dax_devinit(struct nd_dax *nd_dax, ++ struct nd_namespace_common *ndns) ++{ ++ if (!nd_dax) ++ return NULL; ++ return nd_pfn_devinit(&nd_dax->nd_pfn, ndns); ++} + #else + static inline int nd_dax_probe(struct device *dev, + struct nd_namespace_common *ndns) +-- +2.43.0 + diff --git a/queue-5.10/pci-add-acs-quirk-for-wangxun-ff5xxx-nics.patch b/queue-5.10/pci-add-acs-quirk-for-wangxun-ff5xxx-nics.patch new file mode 100644 index 00000000000..6ab1d07ea78 --- /dev/null +++ b/queue-5.10/pci-add-acs-quirk-for-wangxun-ff5xxx-nics.patch @@ -0,0 +1,63 @@ +From f21d9b841252f0228f5976650f266ed521615a81 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Nov 2024 10:46:04 +0800 +Subject: PCI: Add ACS quirk for Wangxun FF5xxx NICs + +From: Mengyuan Lou + +[ Upstream commit aa46a3736afcb7b0793766d22479b8b99fc1b322 ] + +Wangxun FF5xxx NICs are similar to SFxxx, RP1000 and RP2000 NICs. They may +be multi-function devices, but they do not advertise an ACS capability. + +But the hardware does isolate FF5xxx functions as though it had an ACS +capability and PCI_ACS_RR and PCI_ACS_CR were set in the ACS Control +register, i.e., all peer-to-peer traffic is directed upstream instead of +being routed internally. + +Add ACS quirk for FF5xxx NICs in pci_quirk_wangxun_nic_acs() so the +functions can be in independent IOMMU groups. + +Link: https://lore.kernel.org/r/E16053DB2B80E9A5+20241115024604.30493-1-mengyuanlou@net-swift.com +Signed-off-by: Mengyuan Lou +Signed-off-by: Bjorn Helgaas +Signed-off-by: Sasha Levin +--- + drivers/pci/quirks.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c +index 86b91f8da1caa..37cc08d706367 100644 +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -4829,18 +4829,21 @@ static int pci_quirk_brcm_acs(struct pci_dev *dev, u16 acs_flags) + } + + /* +- * Wangxun 10G/1G NICs have no ACS capability, and on multi-function +- * devices, peer-to-peer transactions are not be used between the functions. +- * So add an ACS quirk for below devices to isolate functions. ++ * Wangxun 40G/25G/10G/1G NICs have no ACS capability, but on ++ * multi-function devices, the hardware isolates the functions by ++ * directing all peer-to-peer traffic upstream as though PCI_ACS_RR and ++ * PCI_ACS_CR were set. + * SFxxx 1G NICs(em). + * RP1000/RP2000 10G NICs(sp). ++ * FF5xxx 40G/25G/10G NICs(aml). + */ + static int pci_quirk_wangxun_nic_acs(struct pci_dev *dev, u16 acs_flags) + { + switch (dev->device) { +- case 0x0100 ... 0x010F: +- case 0x1001: +- case 0x2001: ++ case 0x0100 ... 0x010F: /* EM */ ++ case 0x1001: case 0x2001: /* SP */ ++ case 0x5010: case 0x5025: case 0x5040: /* AML */ ++ case 0x5110: case 0x5125: case 0x5140: /* AML */ + return pci_acs_ctrl_enabled(acs_flags, + PCI_ACS_SV | PCI_ACS_RR | PCI_ACS_CR | PCI_ACS_UF); + } +-- +2.43.0 + diff --git a/queue-5.10/pci-add-reset_subordinate-to-reset-hierarchy-below-b.patch b/queue-5.10/pci-add-reset_subordinate-to-reset-hierarchy-below-b.patch new file mode 100644 index 00000000000..129ec5a4749 --- /dev/null +++ b/queue-5.10/pci-add-reset_subordinate-to-reset-hierarchy-below-b.patch @@ -0,0 +1,130 @@ +From 3affdda7d90c218b0986a02903f98cffdac54a46 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Oct 2024 15:27:54 -0700 +Subject: PCI: Add 'reset_subordinate' to reset hierarchy below bridge + +From: Keith Busch + +[ Upstream commit 2fa046449a82a7d0f6d9721dd83e348816038444 ] + +The "bus" and "cxl_bus" reset methods reset a device by asserting Secondary +Bus Reset on the bridge leading to the device. These only work if the +device is the only device below the bridge. + +Add a sysfs 'reset_subordinate' attribute on bridges that can assert +Secondary Bus Reset regardless of how many devices are below the bridge. + +This resets all the devices below a bridge in a single command, including +the locking and config space save/restore that reset methods normally do. + +This may be the only way to reset devices that don't support other reset +methods (ACPI, FLR, PM reset, etc). + +Link: https://lore.kernel.org/r/20241025222755.3756162-1-kbusch@meta.com +Signed-off-by: Keith Busch +[bhelgaas: commit log, add capable(CAP_SYS_ADMIN) check] +Signed-off-by: Bjorn Helgaas +Reviewed-by: Alex Williamson +Reviewed-by: Amey Narkhede +Signed-off-by: Sasha Levin +--- + Documentation/ABI/testing/sysfs-bus-pci | 11 +++++++++++ + drivers/pci/pci-sysfs.c | 26 +++++++++++++++++++++++++ + drivers/pci/pci.c | 2 +- + drivers/pci/pci.h | 1 + + 4 files changed, 39 insertions(+), 1 deletion(-) + +diff --git a/Documentation/ABI/testing/sysfs-bus-pci b/Documentation/ABI/testing/sysfs-bus-pci +index 77ad9ec3c8019..da33ab66ddfe7 100644 +--- a/Documentation/ABI/testing/sysfs-bus-pci ++++ b/Documentation/ABI/testing/sysfs-bus-pci +@@ -131,6 +131,17 @@ Description: + will be present in sysfs. Writing 1 to this file + will perform reset. + ++What: /sys/bus/pci/devices/.../reset_subordinate ++Date: October 2024 ++Contact: linux-pci@vger.kernel.org ++Description: ++ This is visible only for bridge devices. If you want to reset ++ all devices attached through the subordinate bus of a specific ++ bridge device, writing 1 to this will try to do it. This will ++ affect all devices attached to the system through this bridge ++ similiar to writing 1 to their individual "reset" file, so use ++ with caution. ++ + What: /sys/bus/pci/devices/.../vpd + Date: February 2008 + Contact: Ben Hutchings +diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c +index e14c83f59b48a..d27bc5a5d2f86 100644 +--- a/drivers/pci/pci-sysfs.c ++++ b/drivers/pci/pci-sysfs.c +@@ -488,6 +488,31 @@ static ssize_t bus_rescan_store(struct device *dev, + static struct device_attribute dev_attr_bus_rescan = __ATTR(rescan, 0200, NULL, + bus_rescan_store); + ++static ssize_t reset_subordinate_store(struct device *dev, ++ struct device_attribute *attr, ++ const char *buf, size_t count) ++{ ++ struct pci_dev *pdev = to_pci_dev(dev); ++ struct pci_bus *bus = pdev->subordinate; ++ unsigned long val; ++ ++ if (!capable(CAP_SYS_ADMIN)) ++ return -EPERM; ++ ++ if (kstrtoul(buf, 0, &val) < 0) ++ return -EINVAL; ++ ++ if (val) { ++ int ret = __pci_reset_bus(bus); ++ ++ if (ret) ++ return ret; ++ } ++ ++ return count; ++} ++static DEVICE_ATTR_WO(reset_subordinate); ++ + #if defined(CONFIG_PM) && defined(CONFIG_ACPI) + static ssize_t d3cold_allowed_store(struct device *dev, + struct device_attribute *attr, +@@ -611,6 +636,7 @@ static struct attribute *pci_dev_attrs[] = { + static struct attribute *pci_bridge_attrs[] = { + &dev_attr_subordinate_bus_number.attr, + &dev_attr_secondary_bus_number.attr, ++ &dev_attr_reset_subordinate.attr, + NULL, + }; + +diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c +index 800df0f1417d8..1d4585b07de3b 100644 +--- a/drivers/pci/pci.c ++++ b/drivers/pci/pci.c +@@ -5598,7 +5598,7 @@ EXPORT_SYMBOL_GPL(pci_probe_reset_bus); + * + * Same as above except return -EAGAIN if the bus cannot be locked + */ +-static int __pci_reset_bus(struct pci_bus *bus) ++int __pci_reset_bus(struct pci_bus *bus) + { + int rc; + +diff --git a/drivers/pci/pci.h b/drivers/pci/pci.h +index da40f29036d65..c2fd92a9ee1ad 100644 +--- a/drivers/pci/pci.h ++++ b/drivers/pci/pci.h +@@ -42,6 +42,7 @@ int pci_mmap_fits(struct pci_dev *pdev, int resno, struct vm_area_struct *vmai, + int pci_probe_reset_function(struct pci_dev *dev); + int pci_bridge_secondary_bus_reset(struct pci_dev *dev); + int pci_bus_error_reset(struct pci_dev *dev); ++int __pci_reset_bus(struct pci_bus *bus); + + #define PCI_PM_D2_DELAY 200 /* usec; see PCIe r4.0, sec 5.9.1 */ + #define PCI_PM_D3HOT_WAIT 10 /* msec */ +-- +2.43.0 + diff --git a/queue-5.10/pinctrl-freescale-fix-compile_test-error-with-pinctr.patch b/queue-5.10/pinctrl-freescale-fix-compile_test-error-with-pinctr.patch new file mode 100644 index 00000000000..64f770ec351 --- /dev/null +++ b/queue-5.10/pinctrl-freescale-fix-compile_test-error-with-pinctr.patch @@ -0,0 +1,40 @@ +From 24ea79b8a84743f41260306bface2b5b214f8e2b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Oct 2024 11:23:09 +0200 +Subject: pinctrl: freescale: fix COMPILE_TEST error with PINCTRL_IMX_SCU + +From: Esben Haabendal + +[ Upstream commit 58414a31c5713afb5449fd74a26a843d34cc62e8 ] + +When PINCTRL_IMX_SCU was selected by PINCTRL_IMX8DXL or PINCTRL_IMX8QM +combined with COMPILE_TEST on a non-arm platforms, the IMX_SCU +dependency could not be enabled. + +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202410031439.GyTSa0kX-lkp@intel.com/ +Closes: https://lore.kernel.org/oe-kbuild-all/202410030852.q0Hukplf-lkp@intel.com/ +Signed-off-by: Esben Haabendal +Link: https://lore.kernel.org/20241003-imx-pinctrl-compile-test-fix-v1-1-145ca1948cc3@geanix.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/freescale/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/pinctrl/freescale/Kconfig b/drivers/pinctrl/freescale/Kconfig +index a1fbb3b9ae346..eefc786d08b45 100644 +--- a/drivers/pinctrl/freescale/Kconfig ++++ b/drivers/pinctrl/freescale/Kconfig +@@ -9,7 +9,7 @@ config PINCTRL_IMX + + config PINCTRL_IMX_SCU + tristate +- depends on IMX_SCU ++ depends on IMX_SCU || COMPILE_TEST + select PINCTRL_IMX + + config PINCTRL_IMX1_CORE +-- +2.43.0 + diff --git a/queue-5.10/pinctrl-qcom-pmic-gpio-add-support-for-pm8937.patch b/queue-5.10/pinctrl-qcom-pmic-gpio-add-support-for-pm8937.patch new file mode 100644 index 00000000000..5bbda464fb8 --- /dev/null +++ b/queue-5.10/pinctrl-qcom-pmic-gpio-add-support-for-pm8937.patch @@ -0,0 +1,39 @@ +From 1ae715528b53b6336f1b55b346a456f834681dac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 31 Oct 2024 02:19:43 +0100 +Subject: pinctrl: qcom-pmic-gpio: add support for PM8937 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Barnabás Czémán + +[ Upstream commit 89265a58ff24e3885c2c9ca722bc3aaa47018be9 ] + +PM8937 has 8 GPIO-s with holes on GPIO3, GPIO4 and GPIO6. + +Signed-off-by: Barnabás Czémán +Reviewed-by: Dmitry Baryshkov +Link: https://lore.kernel.org/20241031-msm8917-v2-2-8a075faa89b1@mainlining.org +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/qcom/pinctrl-spmi-gpio.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/pinctrl/qcom/pinctrl-spmi-gpio.c b/drivers/pinctrl/qcom/pinctrl-spmi-gpio.c +index 17441388ce8f5..fd1e4fb176c79 100644 +--- a/drivers/pinctrl/qcom/pinctrl-spmi-gpio.c ++++ b/drivers/pinctrl/qcom/pinctrl-spmi-gpio.c +@@ -1106,6 +1106,8 @@ static int pmic_gpio_remove(struct platform_device *pdev) + static const struct of_device_id pmic_gpio_of_match[] = { + { .compatible = "qcom,pm8005-gpio", .data = (void *) 4 }, + { .compatible = "qcom,pm8916-gpio", .data = (void *) 4 }, ++ /* pm8937 has 8 GPIOs with holes on 3, 4 and 6 */ ++ { .compatible = "qcom,pm8937-gpio", .data = (void *) 8 }, + { .compatible = "qcom,pm8941-gpio", .data = (void *) 36 }, + /* pm8950 has 8 GPIOs with holes on 3 */ + { .compatible = "qcom,pm8950-gpio", .data = (void *) 8 }, +-- +2.43.0 + diff --git a/queue-5.10/powerpc-prom_init-fixup-missing-powermac-size-cells.patch b/queue-5.10/powerpc-prom_init-fixup-missing-powermac-size-cells.patch new file mode 100644 index 00000000000..d2fa5e99b71 --- /dev/null +++ b/queue-5.10/powerpc-prom_init-fixup-missing-powermac-size-cells.patch @@ -0,0 +1,103 @@ +From 67a2f5aaa31d838813e4d969a762f70d8c53547d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Nov 2024 13:57:10 +1100 +Subject: powerpc/prom_init: Fixup missing powermac #size-cells + +From: Michael Ellerman + +[ Upstream commit cf89c9434af122f28a3552e6f9cc5158c33ce50a ] + +On some powermacs `escc` nodes are missing `#size-cells` properties, +which is deprecated and now triggers a warning at boot since commit +045b14ca5c36 ("of: WARN on deprecated #address-cells/#size-cells +handling"). + +For example: + + Missing '#size-cells' in /pci@f2000000/mac-io@c/escc@13000 + WARNING: CPU: 0 PID: 0 at drivers/of/base.c:133 of_bus_n_size_cells+0x98/0x108 + Hardware name: PowerMac3,1 7400 0xc0209 PowerMac + ... + Call Trace: + of_bus_n_size_cells+0x98/0x108 (unreliable) + of_bus_default_count_cells+0x40/0x60 + __of_get_address+0xc8/0x21c + __of_address_to_resource+0x5c/0x228 + pmz_init_port+0x5c/0x2ec + pmz_probe.isra.0+0x144/0x1e4 + pmz_console_init+0x10/0x48 + console_init+0xcc/0x138 + start_kernel+0x5c4/0x694 + +As powermacs boot via prom_init it's possible to add the missing +properties to the device tree during boot, avoiding the warning. Note +that `escc-legacy` nodes are also missing `#size-cells` properties, but +they are skipped by the macio driver, so leave them alone. + +Depends-on: 045b14ca5c36 ("of: WARN on deprecated #address-cells/#size-cells handling") +Signed-off-by: Michael Ellerman +Reviewed-by: Rob Herring +Signed-off-by: Madhavan Srinivasan +Link: https://patch.msgid.link/20241126025710.591683-1-mpe@ellerman.id.au +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/prom_init.c | 29 +++++++++++++++++++++++++++-- + 1 file changed, 27 insertions(+), 2 deletions(-) + +diff --git a/arch/powerpc/kernel/prom_init.c b/arch/powerpc/kernel/prom_init.c +index 6f7ad80763159..9a753c4dafab6 100644 +--- a/arch/powerpc/kernel/prom_init.c ++++ b/arch/powerpc/kernel/prom_init.c +@@ -2894,7 +2894,7 @@ static void __init fixup_device_tree_chrp(void) + #endif + + #if defined(CONFIG_PPC64) && defined(CONFIG_PPC_PMAC) +-static void __init fixup_device_tree_pmac(void) ++static void __init fixup_device_tree_pmac64(void) + { + phandle u3, i2c, mpic; + u32 u3_rev; +@@ -2934,7 +2934,31 @@ static void __init fixup_device_tree_pmac(void) + &parent, sizeof(parent)); + } + #else +-#define fixup_device_tree_pmac() ++#define fixup_device_tree_pmac64() ++#endif ++ ++#ifdef CONFIG_PPC_PMAC ++static void __init fixup_device_tree_pmac(void) ++{ ++ __be32 val = 1; ++ char type[8]; ++ phandle node; ++ ++ // Some pmacs are missing #size-cells on escc nodes ++ for (node = 0; prom_next_node(&node); ) { ++ type[0] = '\0'; ++ prom_getprop(node, "device_type", type, sizeof(type)); ++ if (prom_strcmp(type, "escc")) ++ continue; ++ ++ if (prom_getproplen(node, "#size-cells") != PROM_ERROR) ++ continue; ++ ++ prom_setprop(node, NULL, "#size-cells", &val, sizeof(val)); ++ } ++} ++#else ++static inline void fixup_device_tree_pmac(void) { } + #endif + + #ifdef CONFIG_PPC_EFIKA +@@ -3159,6 +3183,7 @@ static void __init fixup_device_tree(void) + fixup_device_tree_maple_memory_controller(); + fixup_device_tree_chrp(); + fixup_device_tree_pmac(); ++ fixup_device_tree_pmac64(); + fixup_device_tree_efika(); + fixup_device_tree_pasemi(); + } +-- +2.43.0 + diff --git a/queue-5.10/r8169-don-t-apply-udp-padding-quirk-on-rtl8126a.patch b/queue-5.10/r8169-don-t-apply-udp-padding-quirk-on-rtl8126a.patch new file mode 100644 index 00000000000..d65e55ff6bd --- /dev/null +++ b/queue-5.10/r8169-don-t-apply-udp-padding-quirk-on-rtl8126a.patch @@ -0,0 +1,57 @@ +From a2a323dd4205b6c6ec070272e201e075ebdeb59b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Oct 2024 07:44:23 +0200 +Subject: r8169: don't apply UDP padding quirk on RTL8126A + +From: Heiner Kallweit + +[ Upstream commit 87e26448dbda4523b73a894d96f0f788506d3795 ] + +Vendor drivers r8125/r8126 indicate that this quirk isn't needed +any longer for RTL8126A. Mimic this in r8169. + +Signed-off-by: Heiner Kallweit +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/d1317187-aa81-4a69-b831-678436e4de62@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/realtek/r8169_main.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/realtek/r8169_main.c b/drivers/net/ethernet/realtek/r8169_main.c +index 3aa1dda3406cd..b60add52f4497 100644 +--- a/drivers/net/ethernet/realtek/r8169_main.c ++++ b/drivers/net/ethernet/realtek/r8169_main.c +@@ -4155,8 +4155,8 @@ static unsigned int rtl8125_quirk_udp_padto(struct rtl8169_private *tp, + { + unsigned int padto = 0, len = skb->len; + +- if (rtl_is_8125(tp) && len < 128 + RTL_MIN_PATCH_LEN && +- rtl_skb_is_udp(skb) && skb_transport_header_was_set(skb)) { ++ if (len < 128 + RTL_MIN_PATCH_LEN && rtl_skb_is_udp(skb) && ++ skb_transport_header_was_set(skb)) { + unsigned int trans_data_len = skb_tail_pointer(skb) - + skb_transport_header(skb); + +@@ -4180,9 +4180,15 @@ static unsigned int rtl8125_quirk_udp_padto(struct rtl8169_private *tp, + static unsigned int rtl_quirk_packet_padto(struct rtl8169_private *tp, + struct sk_buff *skb) + { +- unsigned int padto; ++ unsigned int padto = 0; + +- padto = rtl8125_quirk_udp_padto(tp, skb); ++ switch (tp->mac_version) { ++ case RTL_GIGA_MAC_VER_61 ... RTL_GIGA_MAC_VER_63: ++ padto = rtl8125_quirk_udp_padto(tp, skb); ++ break; ++ default: ++ break; ++ } + + switch (tp->mac_version) { + case RTL_GIGA_MAC_VER_34: +-- +2.43.0 + diff --git a/queue-5.10/rocker-fix-link-status-detection-in-rocker_carrier_i.patch b/queue-5.10/rocker-fix-link-status-detection-in-rocker_carrier_i.patch new file mode 100644 index 00000000000..a1e10d0d530 --- /dev/null +++ b/queue-5.10/rocker-fix-link-status-detection-in-rocker_carrier_i.patch @@ -0,0 +1,39 @@ +From 1249e9b470979a9624231c8686786e0ccd5cebc8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Nov 2024 18:19:46 +0300 +Subject: rocker: fix link status detection in rocker_carrier_init() + +From: Dmitry Antipov + +[ Upstream commit e64285ff41bb7a934bd815bd38f31119be62ac37 ] + +Since '1 << rocker_port->pport' may be undefined for port >= 32, +cast the left operand to 'unsigned long long' like it's done in +'rocker_port_set_enable()' above. Compile tested only. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Signed-off-by: Dmitry Antipov +Link: https://patch.msgid.link/20241114151946.519047-1-dmantipov@yandex.ru +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/rocker/rocker_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/rocker/rocker_main.c b/drivers/net/ethernet/rocker/rocker_main.c +index dd0bc7f0aaeee..ec90f75289dbe 100644 +--- a/drivers/net/ethernet/rocker/rocker_main.c ++++ b/drivers/net/ethernet/rocker/rocker_main.c +@@ -2542,7 +2542,7 @@ static void rocker_carrier_init(const struct rocker_port *rocker_port) + u64 link_status = rocker_read64(rocker, PORT_PHYS_LINK_STATUS); + bool link_up; + +- link_up = link_status & (1 << rocker_port->pport); ++ link_up = link_status & (1ULL << rocker_port->pport); + if (link_up) + netif_carrier_on(rocker_port->dev); + else +-- +2.43.0 + diff --git a/queue-5.10/s390-cpum_sf-handle-cpu-hotplug-remove-during-sampli.patch b/queue-5.10/s390-cpum_sf-handle-cpu-hotplug-remove-during-sampli.patch new file mode 100644 index 00000000000..8d9f3deba1a --- /dev/null +++ b/queue-5.10/s390-cpum_sf-handle-cpu-hotplug-remove-during-sampli.patch @@ -0,0 +1,80 @@ +From 25be562e3fcaa41d4521b7a956a384f2cc65d65a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Oct 2024 12:27:53 +0200 +Subject: s390/cpum_sf: Handle CPU hotplug remove during sampling + +From: Thomas Richter + +[ Upstream commit a0bd7dacbd51c632b8e2c0500b479af564afadf3 ] + +CPU hotplug remove handling triggers the following function +call sequence: + + CPUHP_AP_PERF_S390_SF_ONLINE --> s390_pmu_sf_offline_cpu() + ... + CPUHP_AP_PERF_ONLINE --> perf_event_exit_cpu() + +The s390 CPUMF sampling CPU hotplug handler invokes: + + s390_pmu_sf_offline_cpu() + +--> cpusf_pmu_setup() + +--> setup_pmc_cpu() + +--> deallocate_buffers() + +This function de-allocates all sampling data buffers (SDBs) allocated +for that CPU at event initialization. It also clears the +PMU_F_RESERVED bit. The CPU is gone and can not be sampled. + +With the event still being active on the removed CPU, the CPU event +hotplug support in kernel performance subsystem triggers the +following function calls on the removed CPU: + + perf_event_exit_cpu() + +--> perf_event_exit_cpu_context() + +--> __perf_event_exit_context() + +--> __perf_remove_from_context() + +--> event_sched_out() + +--> cpumsf_pmu_del() + +--> cpumsf_pmu_stop() + +--> hw_perf_event_update() + +to stop and remove the event. During removal of the event, the +sampling device driver tries to read out the remaining samples from +the sample data buffers (SDBs). But they have already been freed +(and may have been re-assigned). This may lead to a use after free +situation in which case the samples are most likely invalid. In the +best case the memory has not been reassigned and still contains +valid data. + +Remedy this situation and check if the CPU is still in reserved +state (bit PMU_F_RESERVED set). In this case the SDBs have not been +released an contain valid data. This is always the case when +the event is removed (and no CPU hotplug off occured). +If the PMU_F_RESERVED bit is not set, the SDB buffers are gone. + +Signed-off-by: Thomas Richter +Reviewed-by: Hendrik Brueckner +Signed-off-by: Heiko Carstens +Signed-off-by: Sasha Levin +--- + arch/s390/kernel/perf_cpum_sf.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/arch/s390/kernel/perf_cpum_sf.c b/arch/s390/kernel/perf_cpum_sf.c +index a9e05f4d0a483..fc45f123f3bdc 100644 +--- a/arch/s390/kernel/perf_cpum_sf.c ++++ b/arch/s390/kernel/perf_cpum_sf.c +@@ -1896,7 +1896,9 @@ static void cpumsf_pmu_stop(struct perf_event *event, int flags) + event->hw.state |= PERF_HES_STOPPED; + + if ((flags & PERF_EF_UPDATE) && !(event->hw.state & PERF_HES_UPTODATE)) { +- hw_perf_event_update(event, 1); ++ /* CPU hotplug off removes SDBs. No samples to extract. */ ++ if (cpuhw->flags & PMU_F_RESERVED) ++ hw_perf_event_update(event, 1); + event->hw.state |= PERF_HES_UPTODATE; + } + perf_pmu_enable(event->pmu); +-- +2.43.0 + diff --git a/queue-5.10/samples-bpf-fix-a-resource-leak.patch b/queue-5.10/samples-bpf-fix-a-resource-leak.patch new file mode 100644 index 00000000000..7ae79357407 --- /dev/null +++ b/queue-5.10/samples-bpf-fix-a-resource-leak.patch @@ -0,0 +1,39 @@ +From 9491619711f90c90ea035f182ae86fe03741cd61 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Oct 2024 18:41:26 -0700 +Subject: samples/bpf: Fix a resource leak + +From: Zhu Jun + +[ Upstream commit f3ef53174b23246fe9bc2bbc2542f3a3856fa1e2 ] + +The opened file should be closed in show_sockopts(), otherwise resource +leak will occur that this problem was discovered by reading code + +Signed-off-by: Zhu Jun +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20241010014126.2573-1-zhujun2@cmss.chinamobile.com +Signed-off-by: Sasha Levin +--- + samples/bpf/test_cgrp2_sock.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/samples/bpf/test_cgrp2_sock.c b/samples/bpf/test_cgrp2_sock.c +index b0811da5a00f3..3f56519a1ccd7 100644 +--- a/samples/bpf/test_cgrp2_sock.c ++++ b/samples/bpf/test_cgrp2_sock.c +@@ -174,8 +174,10 @@ static int show_sockopts(int family) + return 1; + } + +- if (get_bind_to_device(sd, name, sizeof(name)) < 0) ++ if (get_bind_to_device(sd, name, sizeof(name)) < 0) { ++ close(sd); + return 1; ++ } + + mark = get_somark(sd); + prio = get_priority(sd); +-- +2.43.0 + diff --git a/queue-5.10/scsi-hisi_sas-add-cond_resched-for-no-forced-preempt.patch b/queue-5.10/scsi-hisi_sas-add-cond_resched-for-no-forced-preempt.patch new file mode 100644 index 00000000000..857ab53a14e --- /dev/null +++ b/queue-5.10/scsi-hisi_sas-add-cond_resched-for-no-forced-preempt.patch @@ -0,0 +1,87 @@ +From ea1414255e94323964a6a29be231dbede90d2c20 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Oct 2024 10:18:16 +0800 +Subject: scsi: hisi_sas: Add cond_resched() for no forced preemption model + +From: Yihang Li + +[ Upstream commit 2233c4a0b948211743659b24c13d6bd059fa75fc ] + +For no forced preemption model kernel, in the scenario where the +expander is connected to 12 high performance SAS SSDs, the following +call trace may occur: + +[ 214.409199][ C240] watchdog: BUG: soft lockup - CPU#240 stuck for 22s! [irq/149-hisi_sa:3211] +[ 214.568533][ C240] pstate: 60400009 (nZCv daif +PAN -UAO -TCO BTYPE=--) +[ 214.575224][ C240] pc : fput_many+0x8c/0xdc +[ 214.579480][ C240] lr : fput+0x1c/0xf0 +[ 214.583302][ C240] sp : ffff80002de2b900 +[ 214.587298][ C240] x29: ffff80002de2b900 x28: ffff1082aa412000 +[ 214.593291][ C240] x27: ffff3062a0348c08 x26: ffff80003a9f6000 +[ 214.599284][ C240] x25: ffff1062bbac5c40 x24: 0000000000001000 +[ 214.605277][ C240] x23: 000000000000000a x22: 0000000000000001 +[ 214.611270][ C240] x21: 0000000000001000 x20: 0000000000000000 +[ 214.617262][ C240] x19: ffff3062a41ae580 x18: 0000000000010000 +[ 214.623255][ C240] x17: 0000000000000001 x16: ffffdb3a6efe5fc0 +[ 214.629248][ C240] x15: ffffffffffffffff x14: 0000000003ffffff +[ 214.635241][ C240] x13: 000000000000ffff x12: 000000000000029c +[ 214.641234][ C240] x11: 0000000000000006 x10: ffff80003a9f7fd0 +[ 214.647226][ C240] x9 : ffffdb3a6f0482fc x8 : 0000000000000001 +[ 214.653219][ C240] x7 : 0000000000000002 x6 : 0000000000000080 +[ 214.659212][ C240] x5 : ffff55480ee9b000 x4 : fffffde7f94c6554 +[ 214.665205][ C240] x3 : 0000000000000002 x2 : 0000000000000020 +[ 214.671198][ C240] x1 : 0000000000000021 x0 : ffff3062a41ae5b8 +[ 214.677191][ C240] Call trace: +[ 214.680320][ C240] fput_many+0x8c/0xdc +[ 214.684230][ C240] fput+0x1c/0xf0 +[ 214.687707][ C240] aio_complete_rw+0xd8/0x1fc +[ 214.692225][ C240] blkdev_bio_end_io+0x98/0x140 +[ 214.696917][ C240] bio_endio+0x160/0x1bc +[ 214.701001][ C240] blk_update_request+0x1c8/0x3bc +[ 214.705867][ C240] scsi_end_request+0x3c/0x1f0 +[ 214.710471][ C240] scsi_io_completion+0x7c/0x1a0 +[ 214.715249][ C240] scsi_finish_command+0x104/0x140 +[ 214.720200][ C240] scsi_softirq_done+0x90/0x180 +[ 214.724892][ C240] blk_mq_complete_request+0x5c/0x70 +[ 214.730016][ C240] scsi_mq_done+0x48/0xac +[ 214.734194][ C240] sas_scsi_task_done+0xbc/0x16c [libsas] +[ 214.739758][ C240] slot_complete_v3_hw+0x260/0x760 [hisi_sas_v3_hw] +[ 214.746185][ C240] cq_thread_v3_hw+0xbc/0x190 [hisi_sas_v3_hw] +[ 214.752179][ C240] irq_thread_fn+0x34/0xa4 +[ 214.756435][ C240] irq_thread+0xc4/0x130 +[ 214.760520][ C240] kthread+0x108/0x13c +[ 214.764430][ C240] ret_from_fork+0x10/0x18 + +This is because in the hisi_sas driver, both the hardware interrupt +handler and the interrupt thread are executed on the same CPU. In the +performance test scenario, function irq_wait_for_interrupt() will always +return 0 if lots of interrupts occurs and the CPU will be continuously +consumed. As a result, the CPU cannot run the watchdog thread. When the +watchdog time exceeds the specified time, call trace occurs. + +To fix it, add cond_resched() to execute the watchdog thread. + +Signed-off-by: Yihang Li +Link: https://lore.kernel.org/r/20241008021822.2617339-8-liyihang9@huawei.com +Reviewed-by: Xiang Chen +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/hisi_sas/hisi_sas_v3_hw.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c +index f03a09c9e865e..fdd765d41f190 100644 +--- a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c ++++ b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c +@@ -2381,6 +2381,7 @@ static irqreturn_t cq_thread_v3_hw(int irq_no, void *p) + /* update rd_point */ + cq->rd_point = rd_point; + hisi_sas_write32(hisi_hba, COMPL_Q_0_RD_PTR + (0x14 * queue), rd_point); ++ cond_resched(); + + return IRQ_HANDLED; + } +-- +2.43.0 + diff --git a/queue-5.10/scsi-st-add-mtiocget-and-mtload-to-ioctls-allowed-af.patch b/queue-5.10/scsi-st-add-mtiocget-and-mtload-to-ioctls-allowed-af.patch new file mode 100644 index 00000000000..b4f13738a2f --- /dev/null +++ b/queue-5.10/scsi-st-add-mtiocget-and-mtload-to-ioctls-allowed-af.patch @@ -0,0 +1,90 @@ +From a4d4bc3fac4366ea6728ae9d78d39eb8b3e3ecfb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Nov 2024 11:57:22 +0200 +Subject: scsi: st: Add MTIOCGET and MTLOAD to ioctls allowed after device + reset +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kai Mäkisara + +[ Upstream commit 0b120edb37dc9dd8ca82893d386922eb6b16f860 ] + +Most drives rewind the tape when the device is reset. Reading and writing +are not allowed until something is done to make the tape position match the +user's expectation (e.g., rewind the tape). Add MTIOCGET and MTLOAD to +operations allowed after reset. MTIOCGET is modified to not touch the tape +if pos_unknown is non-zero. The tape location is known after MTLOAD. + +Signed-off-by: Kai Mäkisara +Link: https://bugzilla.kernel.org/show_bug.cgi?id=219419#c14 +Link: https://lore.kernel.org/r/20241106095723.63254-3-Kai.Makisara@kolumbus.fi +Reviewed-by: John Meneghini +Tested-by: John Meneghini +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/st.c | 29 +++++++++++++++++++++-------- + 1 file changed, 21 insertions(+), 8 deletions(-) + +diff --git a/drivers/scsi/st.c b/drivers/scsi/st.c +index c08518258f001..3b819c6b15a56 100644 +--- a/drivers/scsi/st.c ++++ b/drivers/scsi/st.c +@@ -3505,6 +3505,7 @@ static long st_ioctl_common(struct file *file, unsigned int cmd_in, void __user + int i, cmd_nr, cmd_type, bt; + int retval = 0; + unsigned int blk; ++ bool cmd_mtiocget; + struct scsi_tape *STp = file->private_data; + struct st_modedef *STm; + struct st_partstat *STps; +@@ -3618,6 +3619,7 @@ static long st_ioctl_common(struct file *file, unsigned int cmd_in, void __user + */ + if (mtc.mt_op != MTREW && + mtc.mt_op != MTOFFL && ++ mtc.mt_op != MTLOAD && + mtc.mt_op != MTRETEN && + mtc.mt_op != MTERASE && + mtc.mt_op != MTSEEK && +@@ -3731,17 +3733,28 @@ static long st_ioctl_common(struct file *file, unsigned int cmd_in, void __user + goto out; + } + ++ cmd_mtiocget = cmd_type == _IOC_TYPE(MTIOCGET) && cmd_nr == _IOC_NR(MTIOCGET); ++ + if ((i = flush_buffer(STp, 0)) < 0) { +- retval = i; +- goto out; +- } +- if (STp->can_partitions && +- (i = switch_partition(STp)) < 0) { +- retval = i; +- goto out; ++ if (cmd_mtiocget && STp->pos_unknown) { ++ /* flush fails -> modify status accordingly */ ++ reset_state(STp); ++ STp->pos_unknown = 1; ++ } else { /* return error */ ++ retval = i; ++ goto out; ++ } ++ } else { /* flush_buffer succeeds */ ++ if (STp->can_partitions) { ++ i = switch_partition(STp); ++ if (i < 0) { ++ retval = i; ++ goto out; ++ } ++ } + } + +- if (cmd_type == _IOC_TYPE(MTIOCGET) && cmd_nr == _IOC_NR(MTIOCGET)) { ++ if (cmd_mtiocget) { + struct mtget mt_status; + + if (_IOC_SIZE(cmd_in) != sizeof(struct mtget)) { +-- +2.43.0 + diff --git a/queue-5.10/scsi-st-don-t-modify-unknown-block-number-in-mtiocge.patch b/queue-5.10/scsi-st-don-t-modify-unknown-block-number-in-mtiocge.patch new file mode 100644 index 00000000000..37e251e4008 --- /dev/null +++ b/queue-5.10/scsi-st-don-t-modify-unknown-block-number-in-mtiocge.patch @@ -0,0 +1,42 @@ +From ecd4abc6f50f3cfad590a151e4c8888cb1c79ae3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Nov 2024 11:57:21 +0200 +Subject: scsi: st: Don't modify unknown block number in MTIOCGET +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kai Mäkisara + +[ Upstream commit 5bb2d6179d1a8039236237e1e94cfbda3be1ed9e ] + +Struct mtget field mt_blkno -1 means it is unknown. Don't add anything to +it. + +Signed-off-by: Kai Mäkisara +Link: https://bugzilla.kernel.org/show_bug.cgi?id=219419#c14 +Link: https://lore.kernel.org/r/20241106095723.63254-2-Kai.Makisara@kolumbus.fi +Reviewed-by: John Meneghini +Tested-by: John Meneghini +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/st.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/st.c b/drivers/scsi/st.c +index 19bc8c923fce5..c08518258f001 100644 +--- a/drivers/scsi/st.c ++++ b/drivers/scsi/st.c +@@ -3755,7 +3755,7 @@ static long st_ioctl_common(struct file *file, unsigned int cmd_in, void __user + ((STp->density << MT_ST_DENSITY_SHIFT) & MT_ST_DENSITY_MASK); + mt_status.mt_blkno = STps->drv_block; + mt_status.mt_fileno = STps->drv_file; +- if (STp->block_size != 0) { ++ if (STp->block_size != 0 && mt_status.mt_blkno >= 0) { + if (STps->rw == ST_WRITING) + mt_status.mt_blkno += + (STp->buffer)->buffer_bytes / STp->block_size; +-- +2.43.0 + diff --git a/queue-5.10/series b/queue-5.10/series index b479180a4a6..bbbd6c1d5b0 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -378,3 +378,59 @@ mmc-sdhci-pci-add-dmi-quirk-for-missing-cd-gpio-on-vexia-edu-atla-10-tablet.patc mmc-core-further-prevent-card-detect-during-shutdown.patch ocfs2-update-seq_file-index-in-ocfs2_dlm_seq_next.patch iommu-arm-smmu-defer-probe-of-clients-after-smmu-device-bound.patch +s390-cpum_sf-handle-cpu-hotplug-remove-during-sampli.patch +btrfs-avoid-unnecessary-device-path-update-for-the-s.patch +kselftest-arm64-don-t-leak-pipe-fds-in-pac.exec_sign.patch +kcsan-turn-report_filterlist_lock-into-a-raw_spinloc.patch +timekeeping-always-check-for-negative-motion.patch +media-uvcvideo-add-a-quirk-for-the-kaiweets-kti-w02-.patch +media-cx231xx-add-support-for-dexatek-usb-video-grab.patch +hid-bpf-fix-nkro-on-mistel-md770.patch +drm-vc4-hvs-set-axi-panic-modes-for-the-hvs.patch +drm-panel-orientation-quirks-add-quirk-for-aya-neo-2.patch +drm-mcde-enable-module-autoloading.patch +drm-radeon-r600_cs-fix-possible-int-overflow-in-r600.patch +r8169-don-t-apply-udp-padding-quirk-on-rtl8126a.patch +samples-bpf-fix-a-resource-leak.patch +net-fec_mpc52xx_phy-use-pa-to-format-resource_size_t.patch +net-ethernet-fs_enet-use-pa-to-format-resource_size_.patch +net-sched-cbs-fix-integer-overflow-in-cbs_set_port_r.patch +af_packet-avoid-erroring-out-after-sock_init_data-in.patch +bluetooth-l2cap-do-not-leave-dangling-sk-pointer-on-.patch +net-af_can-do-not-leave-a-dangling-sk-pointer-in-can.patch +net-ieee802154-do-not-leave-a-dangling-sk-pointer-in.patch +net-inet-do-not-leave-a-dangling-sk-pointer-in-inet_.patch +net-inet6-do-not-leave-a-dangling-sk-pointer-in-inet.patch +wifi-ath5k-add-pci-id-for-sx76x.patch +wifi-ath5k-add-pci-id-for-arcadyan-devices.patch +drm-amdgpu-refine-error-handling-in-amdgpu_ttm_tt_pi.patch +dma-debug-fix-a-possible-deadlock-on-radix_lock.patch +jfs-array-index-out-of-bounds-fix-in-dtreadfirst.patch +jfs-fix-shift-out-of-bounds-in-dbsplit.patch +jfs-fix-array-index-out-of-bounds-in-jfs_readdir.patch +jfs-add-a-check-to-prevent-array-index-out-of-bounds.patch +drm-amdgpu-skip-amdgpu_device_cache_pci_state-under-.patch +drm-amdgpu-set-the-right-amdgpu-sg-segment-limitatio.patch +wifi-ipw2x00-libipw_rx_any-fix-bad-alignment.patch +wifi-brcmfmac-fix-oops-due-to-null-pointer-dereferen.patch +bluetooth-btusb-add-rtl8852be-device-0489-e123-to-de.patch +asoc-hdmi-codec-reorder-channel-allocation-list.patch +rocker-fix-link-status-detection-in-rocker_carrier_i.patch +net-neighbor-clear-error-in-case-strict-check-is-not.patch +netpoll-use-rcu_access_pointer-in-__netpoll_setup.patch +pinctrl-freescale-fix-compile_test-error-with-pinctr.patch +tracing-use-atomic64_inc_return-in-trace_clock_count.patch +scsi-hisi_sas-add-cond_resched-for-no-forced-preempt.patch +leds-class-protect-brightness_show-with-led_cdev-led.patch +scsi-st-don-t-modify-unknown-block-number-in-mtiocge.patch +scsi-st-add-mtiocget-and-mtload-to-ioctls-allowed-af.patch +pinctrl-qcom-pmic-gpio-add-support-for-pm8937.patch +nvdimm-rectify-the-illogical-code-within-nd_dax_prob.patch +f2fs-fix-f2fs_bug_on-when-uninstalling-filesystem-ca.patch +pci-add-reset_subordinate-to-reset-hierarchy-below-b.patch +pci-add-acs-quirk-for-wangxun-ff5xxx-nics.patch +i3c-use-i3cdev-desc-info-instead-of-calling-i3c_devi.patch +usb-chipidea-udc-handle-usb-error-interrupt-if-ioc-n.patch +mips-loongson64-dts-really-fix-pcie-port-nodes-for-l.patch +powerpc-prom_init-fixup-missing-powermac-size-cells.patch +misc-eeprom-eeprom_93cx6-add-quirk-for-extra-read-cl.patch diff --git a/queue-5.10/timekeeping-always-check-for-negative-motion.patch b/queue-5.10/timekeeping-always-check-for-negative-motion.patch new file mode 100644 index 00000000000..140e0ced548 --- /dev/null +++ b/queue-5.10/timekeeping-always-check-for-negative-motion.patch @@ -0,0 +1,88 @@ +From 59ad16489d20ac31cf65b9e39cd6541a102f9643 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 31 Oct 2024 13:04:08 +0100 +Subject: timekeeping: Always check for negative motion + +From: Thomas Gleixner + +[ Upstream commit c163e40af9b2331b2c629fd4ec8b703ed4d4ae39 ] + +clocksource_delta() has two variants. One with a check for negative motion, +which is only selected by x86. This is a historic leftover as this function +was previously used in the time getter hot paths. + +Since 135225a363ae timekeeping_cycles_to_ns() has unconditional protection +against this as a by-product of the protection against 64bit math overflow. + +clocksource_delta() is only used in the clocksource watchdog and in +timekeeping_advance(). The extra conditional there is not hurting anyone. + +Remove the config option and unconditionally prevent negative motion of the +readout. + +Signed-off-by: Thomas Gleixner +Acked-by: John Stultz +Link: https://lore.kernel.org/all/20241031120328.599430157@linutronix.de +Signed-off-by: Sasha Levin +--- + arch/x86/Kconfig | 1 - + kernel/time/Kconfig | 5 ----- + kernel/time/timekeeping_internal.h | 7 ------- + 3 files changed, 13 deletions(-) + +diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig +index 0c802ade80406..e71101ced756e 100644 +--- a/arch/x86/Kconfig ++++ b/arch/x86/Kconfig +@@ -107,7 +107,6 @@ config X86 + select ARCH_WANTS_THP_SWAP if X86_64 + select BUILDTIME_TABLE_SORT + select CLKEVT_I8253 +- select CLOCKSOURCE_VALIDATE_LAST_CYCLE + select CLOCKSOURCE_WATCHDOG + select DCACHE_WORD_ACCESS + select EDAC_ATOMIC_SCRUB +diff --git a/kernel/time/Kconfig b/kernel/time/Kconfig +index a09b1d61df6a5..5cbedc0a06efc 100644 +--- a/kernel/time/Kconfig ++++ b/kernel/time/Kconfig +@@ -17,11 +17,6 @@ config ARCH_CLOCKSOURCE_DATA + config ARCH_CLOCKSOURCE_INIT + bool + +-# Clocksources require validation of the clocksource against the last +-# cycle update - x86/TSC misfeature +-config CLOCKSOURCE_VALIDATE_LAST_CYCLE +- bool +- + # Timekeeping vsyscall support + config GENERIC_TIME_VSYSCALL + bool +diff --git a/kernel/time/timekeeping_internal.h b/kernel/time/timekeeping_internal.h +index 4ca2787d1642e..1d4854d5c386e 100644 +--- a/kernel/time/timekeeping_internal.h ++++ b/kernel/time/timekeeping_internal.h +@@ -15,7 +15,6 @@ extern void tk_debug_account_sleep_time(const struct timespec64 *t); + #define tk_debug_account_sleep_time(x) + #endif + +-#ifdef CONFIG_CLOCKSOURCE_VALIDATE_LAST_CYCLE + static inline u64 clocksource_delta(u64 now, u64 last, u64 mask) + { + u64 ret = (now - last) & mask; +@@ -26,12 +25,6 @@ static inline u64 clocksource_delta(u64 now, u64 last, u64 mask) + */ + return ret & ~(mask >> 1) ? 0 : ret; + } +-#else +-static inline u64 clocksource_delta(u64 now, u64 last, u64 mask) +-{ +- return (now - last) & mask; +-} +-#endif + + /* Semi public for serialization of non timekeeper VDSO updates. */ + extern raw_spinlock_t timekeeper_lock; +-- +2.43.0 + diff --git a/queue-5.10/tracing-use-atomic64_inc_return-in-trace_clock_count.patch b/queue-5.10/tracing-use-atomic64_inc_return-in-trace_clock_count.patch new file mode 100644 index 00000000000..089bf424941 --- /dev/null +++ b/queue-5.10/tracing-use-atomic64_inc_return-in-trace_clock_count.patch @@ -0,0 +1,38 @@ +From c55bb291ab8e16ebcd2d5019665928c3ffb38e27 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Oct 2024 10:56:28 +0200 +Subject: tracing: Use atomic64_inc_return() in trace_clock_counter() + +From: Uros Bizjak + +[ Upstream commit eb887c4567d1b0e7684c026fe7df44afa96589e6 ] + +Use atomic64_inc_return(&ref) instead of atomic64_add_return(1, &ref) +to use optimized implementation and ease register pressure around +the primitive for targets that implement optimized variant. + +Cc: Steven Rostedt +Cc: Masami Hiramatsu +Cc: Mathieu Desnoyers +Link: https://lore.kernel.org/20241007085651.48544-1-ubizjak@gmail.com +Signed-off-by: Uros Bizjak +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace_clock.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/trace/trace_clock.c b/kernel/trace/trace_clock.c +index 4702efb00ff21..4cb2ebc439be6 100644 +--- a/kernel/trace/trace_clock.c ++++ b/kernel/trace/trace_clock.c +@@ -154,5 +154,5 @@ static atomic64_t trace_counter; + */ + u64 notrace trace_clock_counter(void) + { +- return atomic64_add_return(1, &trace_counter); ++ return atomic64_inc_return(&trace_counter); + } +-- +2.43.0 + diff --git a/queue-5.10/usb-chipidea-udc-handle-usb-error-interrupt-if-ioc-n.patch b/queue-5.10/usb-chipidea-udc-handle-usb-error-interrupt-if-ioc-n.patch new file mode 100644 index 00000000000..46d9cdc5352 --- /dev/null +++ b/queue-5.10/usb-chipidea-udc-handle-usb-error-interrupt-if-ioc-n.patch @@ -0,0 +1,44 @@ +From 065f3491f3e082714a62194a29b05a1076865a1d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Sep 2024 10:29:04 +0800 +Subject: usb: chipidea: udc: handle USB Error Interrupt if IOC not set + +From: Xu Yang + +[ Upstream commit 548f48b66c0c5d4b9795a55f304b7298cde2a025 ] + +As per USBSTS register description about UEI: + + When completion of a USB transaction results in an error condition, this + bit is set by the Host/Device Controller. This bit is set along with the + USBINT bit, if the TD on which the error interrupt occurred also had its + interrupt on complete (IOC) bit set. + +UI is set only when IOC set. Add checking UEI to fix miss call +isr_tr_complete_handler() when IOC have not set and transfer error happen. + +Acked-by: Peter Chen +Signed-off-by: Xu Yang +Link: https://lore.kernel.org/r/20240926022906.473319-1-xu.yang_2@nxp.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/chipidea/udc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/chipidea/udc.c b/drivers/usb/chipidea/udc.c +index 5cdf03534c0c7..1c7af91bf03af 100644 +--- a/drivers/usb/chipidea/udc.c ++++ b/drivers/usb/chipidea/udc.c +@@ -2024,7 +2024,7 @@ static irqreturn_t udc_irq(struct ci_hdrc *ci) + } + } + +- if (USBi_UI & intr) ++ if ((USBi_UI | USBi_UEI) & intr) + isr_tr_complete_handler(ci); + + if ((USBi_SLI & intr) && !(ci->suspended)) { +-- +2.43.0 + diff --git a/queue-5.10/wifi-ath5k-add-pci-id-for-arcadyan-devices.patch b/queue-5.10/wifi-ath5k-add-pci-id-for-arcadyan-devices.patch new file mode 100644 index 00000000000..350e77218ae --- /dev/null +++ b/queue-5.10/wifi-ath5k-add-pci-id-for-arcadyan-devices.patch @@ -0,0 +1,34 @@ +From c9bbe00dc2346dfc959ce76bbfbc498adb35c737 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Sep 2024 11:07:16 -0700 +Subject: wifi: ath5k: add PCI ID for Arcadyan devices + +From: Rosen Penev + +[ Upstream commit f3ced9bb90b0a287a1fa6184d16b0f104a78fa90 ] + +Arcadyan made routers with this PCI ID containing an AR2417. + +Signed-off-by: Rosen Penev +Link: https://patch.msgid.link/20240930180716.139894-3-rosenp@gmail.com +Signed-off-by: Jeff Johnson +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath5k/pci.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wireless/ath/ath5k/pci.c b/drivers/net/wireless/ath/ath5k/pci.c +index 0892970a99637..e8f557423ac2d 100644 +--- a/drivers/net/wireless/ath/ath5k/pci.c ++++ b/drivers/net/wireless/ath/ath5k/pci.c +@@ -47,6 +47,7 @@ static const struct pci_device_id ath5k_pci_id_table[] = { + { PCI_VDEVICE(ATHEROS, 0x001c) }, /* PCI-E cards */ + { PCI_VDEVICE(ATHEROS, 0x001d) }, /* 2417 Nala */ + { PCI_VDEVICE(ATHEROS, 0xff16) }, /* Gigaset SX76[23] AR241[34]A */ ++ { PCI_VDEVICE(ATHEROS, 0xff1a) }, /* Arcadyan ARV45XX AR2417 */ + { PCI_VDEVICE(ATHEROS, 0xff1b) }, /* AR5BXB63 */ + { 0 } + }; +-- +2.43.0 + diff --git a/queue-5.10/wifi-ath5k-add-pci-id-for-sx76x.patch b/queue-5.10/wifi-ath5k-add-pci-id-for-sx76x.patch new file mode 100644 index 00000000000..3888e0ff9fd --- /dev/null +++ b/queue-5.10/wifi-ath5k-add-pci-id-for-sx76x.patch @@ -0,0 +1,34 @@ +From d254f71ec77ed238d46f9d950637f2b770e467b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Sep 2024 11:07:15 -0700 +Subject: wifi: ath5k: add PCI ID for SX76X + +From: Rosen Penev + +[ Upstream commit da0474012402d4729b98799d71a54c35dc5c5de3 ] + +This is in two devices made by Gigaset, SX762 and SX763. + +Signed-off-by: Rosen Penev +Link: https://patch.msgid.link/20240930180716.139894-2-rosenp@gmail.com +Signed-off-by: Jeff Johnson +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath5k/pci.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wireless/ath/ath5k/pci.c b/drivers/net/wireless/ath/ath5k/pci.c +index 43b4ae86e5fb2..0892970a99637 100644 +--- a/drivers/net/wireless/ath/ath5k/pci.c ++++ b/drivers/net/wireless/ath/ath5k/pci.c +@@ -46,6 +46,7 @@ static const struct pci_device_id ath5k_pci_id_table[] = { + { PCI_VDEVICE(ATHEROS, 0x001b) }, /* 5413 Eagle */ + { PCI_VDEVICE(ATHEROS, 0x001c) }, /* PCI-E cards */ + { PCI_VDEVICE(ATHEROS, 0x001d) }, /* 2417 Nala */ ++ { PCI_VDEVICE(ATHEROS, 0xff16) }, /* Gigaset SX76[23] AR241[34]A */ + { PCI_VDEVICE(ATHEROS, 0xff1b) }, /* AR5BXB63 */ + { 0 } + }; +-- +2.43.0 + diff --git a/queue-5.10/wifi-brcmfmac-fix-oops-due-to-null-pointer-dereferen.patch b/queue-5.10/wifi-brcmfmac-fix-oops-due-to-null-pointer-dereferen.patch new file mode 100644 index 00000000000..125c85df7ad --- /dev/null +++ b/queue-5.10/wifi-brcmfmac-fix-oops-due-to-null-pointer-dereferen.patch @@ -0,0 +1,52 @@ +From 6c99fdff864d4f15f58d48dec3c1395fb1ea9019 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Nov 2024 14:28:13 +0100 +Subject: wifi: brcmfmac: Fix oops due to NULL pointer dereference in + brcmf_sdiod_sglist_rw() + +From: Norbert van Bolhuis + +[ Upstream commit 857282b819cbaa0675aaab1e7542e2c0579f52d7 ] + +This patch fixes a NULL pointer dereference bug in brcmfmac that occurs +when a high 'sd_sgentry_align' value applies (e.g. 512) and a lot of queued SKBs +are sent from the pkt queue. + +The problem is the number of entries in the pre-allocated sgtable, it is +nents = max(rxglom_size, txglom_size) + max(rxglom_size, txglom_size) >> 4 + 1. +Given the default [rt]xglom_size=32 it's actually 35 which is too small. +Worst case, the pkt queue can end up with 64 SKBs. This occurs when a new SKB +is added for each original SKB if tailroom isn't enough to hold tail_pad. +At least one sg entry is needed for each SKB. So, eventually the "skb_queue_walk loop" +in brcmf_sdiod_sglist_rw may run out of sg entries. This makes sg_next return +NULL and this causes the oops. + +The patch sets nents to max(rxglom_size, txglom_size) * 2 to be able handle +the worst-case. +Btw. this requires only 64-35=29 * 16 (or 20 if CONFIG_NEED_SG_DMA_LENGTH) = 464 +additional bytes of memory. + +Signed-off-by: Norbert van Bolhuis +Signed-off-by: Kalle Valo +Link: https://patch.msgid.link/20241107132903.13513-1-nvbolhuis@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c +index b6d0bc73923fc..75dc7904a4bd6 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c +@@ -769,7 +769,7 @@ void brcmf_sdiod_sgtable_alloc(struct brcmf_sdio_dev *sdiodev) + + nents = max_t(uint, BRCMF_DEFAULT_RXGLOM_SIZE, + sdiodev->settings->bus.sdio.txglomsz); +- nents += (nents >> 4) + 1; ++ nents *= 2; + + WARN_ON(nents > sdiodev->max_segment_count); + +-- +2.43.0 + diff --git a/queue-5.10/wifi-ipw2x00-libipw_rx_any-fix-bad-alignment.patch b/queue-5.10/wifi-ipw2x00-libipw_rx_any-fix-bad-alignment.patch new file mode 100644 index 00000000000..516763b1d83 --- /dev/null +++ b/queue-5.10/wifi-ipw2x00-libipw_rx_any-fix-bad-alignment.patch @@ -0,0 +1,53 @@ +From 39f23fc7d283e23124bd641424fe90257ee2a8bf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Nov 2024 14:07:25 +0800 +Subject: wifi: ipw2x00: libipw_rx_any(): fix bad alignment + +From: Jiapeng Chong + +[ Upstream commit 4fa4f049dc0d9741b16c96bcbf0108c85368a2b9 ] + +This patch fixes incorrect code alignment. + +./drivers/net/wireless/intel/ipw2x00/libipw_rx.c:871:2-3: code aligned with following code on line 882. +./drivers/net/wireless/intel/ipw2x00/libipw_rx.c:886:2-3: code aligned with following code on line 900. + +Reported-by: Abaci Robot +Closes: https://bugzilla.openanolis.cn/show_bug.cgi?id=11381 +Signed-off-by: Jiapeng Chong +Signed-off-by: Kalle Valo +Link: https://patch.msgid.link/20241101060725.54640-1-jiapeng.chong@linux.alibaba.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/ipw2x00/libipw_rx.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/wireless/intel/ipw2x00/libipw_rx.c b/drivers/net/wireless/intel/ipw2x00/libipw_rx.c +index 5a2a723e480b0..4c6e742c56958 100644 +--- a/drivers/net/wireless/intel/ipw2x00/libipw_rx.c ++++ b/drivers/net/wireless/intel/ipw2x00/libipw_rx.c +@@ -870,8 +870,8 @@ void libipw_rx_any(struct libipw_device *ieee, + switch (ieee->iw_mode) { + case IW_MODE_ADHOC: + /* our BSS and not from/to DS */ +- if (ether_addr_equal(hdr->addr3, ieee->bssid)) +- if ((fc & (IEEE80211_FCTL_TODS+IEEE80211_FCTL_FROMDS)) == 0) { ++ if (ether_addr_equal(hdr->addr3, ieee->bssid) && ++ ((fc & (IEEE80211_FCTL_TODS + IEEE80211_FCTL_FROMDS)) == 0)) { + /* promisc: get all */ + if (ieee->dev->flags & IFF_PROMISC) + is_packet_for_us = 1; +@@ -885,8 +885,8 @@ void libipw_rx_any(struct libipw_device *ieee, + break; + case IW_MODE_INFRA: + /* our BSS (== from our AP) and from DS */ +- if (ether_addr_equal(hdr->addr2, ieee->bssid)) +- if ((fc & (IEEE80211_FCTL_TODS+IEEE80211_FCTL_FROMDS)) == IEEE80211_FCTL_FROMDS) { ++ if (ether_addr_equal(hdr->addr2, ieee->bssid) && ++ ((fc & (IEEE80211_FCTL_TODS + IEEE80211_FCTL_FROMDS)) == IEEE80211_FCTL_FROMDS)) { + /* promisc: get all */ + if (ieee->dev->flags & IFF_PROMISC) + is_packet_for_us = 1; +-- +2.43.0 +