From: Greg Kroah-Hartman Date: Sun, 9 Mar 2025 10:37:26 +0000 (+0100) Subject: 6.1-stable patches X-Git-Tag: v5.4.291~107 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f8144c0c9b1c028a0c110954202fb8e8f3ae3039;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: alsa-hda-intel-add-dell-alc3271-to-power_save-denylist.patch alsa-hda-realtek-add-supported-mic-mute-led-for-lenovo-platform.patch alsa-hda-realtek-update-alc222-depop-optimize.patch drm-amd-display-fix-null-check-for-pipe_ctx-plane_state-in-resource_build_scaling_params.patch drm-radeon-fix-rs400_gpu_init-for-ati-mobility-radeon-xpress-200m.patch gpio-aggregator-protect-driver-attr-handlers-against-module-unload.patch gpio-rcar-use-raw_spinlock-to-protect-register-access.patch hid-appleir-fix-potential-null-dereference-at-raw-event-handle.patch ksmbd-fix-bug-on-trap-in-smb2_lock.patch ksmbd-fix-type-confusion-via-race-condition-when-using-ipc_msg_send_request.patch ksmbd-fix-use-after-free-in-smb2_lock.patch loongarch-convert-unreachable-to-bug.patch mptcp-fix-scheduling-while-atomic-in-mptcp_pm_nl_append_new_local_addr.patch platform-x86-thinkpad_acpi-add-battery-quirk-for-thinkpad-x131e.patch revert-of-reserved-memory-fix-using-wrong-number-of-cells-to-get-property-alignment.patch x86-cacheinfo-validate-cpuid-leaf-0x2-edx-output.patch x86-cpu-properly-parse-cpuid-leaf-0x2-tlb-descriptor-0x63.patch x86-cpu-validate-cpuid-leaf-0x2-edx-output.patch --- diff --git a/queue-6.1/alsa-hda-intel-add-dell-alc3271-to-power_save-denylist.patch b/queue-6.1/alsa-hda-intel-add-dell-alc3271-to-power_save-denylist.patch new file mode 100644 index 0000000000..e566832ede --- /dev/null +++ b/queue-6.1/alsa-hda-intel-add-dell-alc3271-to-power_save-denylist.patch @@ -0,0 +1,57 @@ +From 1ee5aa765c22a0577ec552d460bf2035300b4b51 Mon Sep 17 00:00:00 2001 +From: Hoku Ishibe +Date: Sun, 23 Feb 2025 21:05:17 -0500 +Subject: ALSA: hda: intel: Add Dell ALC3271 to power_save denylist + +From: Hoku Ishibe + +commit 1ee5aa765c22a0577ec552d460bf2035300b4b51 upstream. + +Dell XPS 13 7390 with the Realtek ALC3271 codec experiences +persistent humming noise when the power_save mode is enabled. +This issue occurs when the codec enters power saving mode, +leading to unwanted noise from the speakers. + +This patch adds the affected model (PCI ID 0x1028:0x0962) to the +power_save denylist to ensure power_save is disabled by default, +preventing power-off related noise issues. + +Steps to Reproduce +1. Boot the system with `snd_hda_intel` loaded. +2. Verify that `power_save` mode is enabled: +```sh +cat /sys/module/snd_hda_intel/parameters/power_save +```` +output: 10 (default power save timeout) +3. Wait for the power save timeout +4. Observe a persistent humming noise from the speakers +5. Disable `power_save` manually: +```sh +echo 0 | sudo tee /sys/module/snd_hda_intel/parameters/power_save +```` +6. Confirm that the noise disappears immediately. + +This issue has been observed on my system, and this patch +successfully eliminates the unwanted noise. If other users +experience similar issues, additional reports would be helpful. + +Signed-off-by: Hoku Ishibe +Cc: +Link: https://patch.msgid.link/20250224020517.51035-1-me@hokuishi.be +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/hda_intel.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/sound/pci/hda/hda_intel.c ++++ b/sound/pci/hda/hda_intel.c +@@ -2217,6 +2217,8 @@ static const struct snd_pci_quirk power_ + SND_PCI_QUIRK(0x1631, 0xe017, "Packard Bell NEC IMEDIA 5204", 0), + /* KONTRON SinglePC may cause a stall at runtime resume */ + SND_PCI_QUIRK(0x1734, 0x1232, "KONTRON SinglePC", 0), ++ /* Dell ALC3271 */ ++ SND_PCI_QUIRK(0x1028, 0x0962, "Dell ALC3271", 0), + {} + }; + #endif /* CONFIG_PM */ diff --git a/queue-6.1/alsa-hda-realtek-add-supported-mic-mute-led-for-lenovo-platform.patch b/queue-6.1/alsa-hda-realtek-add-supported-mic-mute-led-for-lenovo-platform.patch new file mode 100644 index 0000000000..0bdb0b1aea --- /dev/null +++ b/queue-6.1/alsa-hda-realtek-add-supported-mic-mute-led-for-lenovo-platform.patch @@ -0,0 +1,68 @@ +From f603b159231b0c58f0c27ab39348534063d38223 Mon Sep 17 00:00:00 2001 +From: Kailang Yang +Date: Mon, 3 Mar 2025 14:56:10 +0800 +Subject: ALSA: hda/realtek - add supported Mic Mute LED for Lenovo platform + +From: Kailang Yang + +commit f603b159231b0c58f0c27ab39348534063d38223 upstream. + +Support Mic Mute LED for ThinkCentre M series. + +Signed-off-by: Kailang Yang +Cc: +Link: https://lore.kernel.org/c211a2702f1f411e86bd7420d7eebc03@realtek.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -4915,6 +4915,16 @@ static void alc269_fixup_hp_line1_mic1_l + } + } + ++static void alc233_fixup_lenovo_low_en_micmute_led(struct hda_codec *codec, ++ const struct hda_fixup *fix, int action) ++{ ++ struct alc_spec *spec = codec->spec; ++ ++ if (action == HDA_FIXUP_ACT_PRE_PROBE) ++ spec->micmute_led_polarity = 1; ++ alc233_fixup_lenovo_line2_mic_hotkey(codec, fix, action); ++} ++ + static void alc_hp_mute_disable(struct hda_codec *codec, unsigned int delay) + { + if (delay <= 0) +@@ -7220,6 +7230,7 @@ enum { + ALC275_FIXUP_DELL_XPS, + ALC293_FIXUP_LENOVO_SPK_NOISE, + ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY, ++ ALC233_FIXUP_LENOVO_L2MH_LOW_ENLED, + ALC255_FIXUP_DELL_SPK_NOISE, + ALC225_FIXUP_DISABLE_MIC_VREF, + ALC225_FIXUP_DELL1_MIC_NO_PRESENCE, +@@ -8180,6 +8191,10 @@ static const struct hda_fixup alc269_fix + .type = HDA_FIXUP_FUNC, + .v.func = alc233_fixup_lenovo_line2_mic_hotkey, + }, ++ [ALC233_FIXUP_LENOVO_L2MH_LOW_ENLED] = { ++ .type = HDA_FIXUP_FUNC, ++ .v.func = alc233_fixup_lenovo_low_en_micmute_led, ++ }, + [ALC233_FIXUP_INTEL_NUC8_DMIC] = { + .type = HDA_FIXUP_FUNC, + .v.func = alc_fixup_inv_dmic, +@@ -10170,6 +10185,9 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x17aa, 0x3178, "ThinkCentre Station", ALC283_FIXUP_HEADSET_MIC), + SND_PCI_QUIRK(0x17aa, 0x31af, "ThinkCentre Station", ALC623_FIXUP_LENOVO_THINKSTATION_P340), + SND_PCI_QUIRK(0x17aa, 0x334b, "Lenovo ThinkCentre M70 Gen5", ALC283_FIXUP_HEADSET_MIC), ++ SND_PCI_QUIRK(0x17aa, 0x3384, "ThinkCentre M90a PRO", ALC233_FIXUP_LENOVO_L2MH_LOW_ENLED), ++ SND_PCI_QUIRK(0x17aa, 0x3386, "ThinkCentre M90a Gen6", ALC233_FIXUP_LENOVO_L2MH_LOW_ENLED), ++ SND_PCI_QUIRK(0x17aa, 0x3387, "ThinkCentre M70a Gen6", ALC233_FIXUP_LENOVO_L2MH_LOW_ENLED), + SND_PCI_QUIRK(0x17aa, 0x3801, "Lenovo Yoga9 14IAP7", ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN), + SND_PCI_QUIRK(0x17aa, 0x3802, "Lenovo Yoga DuetITL 2021", ALC287_FIXUP_YOGA7_14ITL_SPEAKERS), + SND_PCI_QUIRK(0x17aa, 0x3813, "Legion 7i 15IMHG05", ALC287_FIXUP_LEGION_15IMHG05_SPEAKERS), diff --git a/queue-6.1/alsa-hda-realtek-update-alc222-depop-optimize.patch b/queue-6.1/alsa-hda-realtek-update-alc222-depop-optimize.patch new file mode 100644 index 0000000000..79453e394b --- /dev/null +++ b/queue-6.1/alsa-hda-realtek-update-alc222-depop-optimize.patch @@ -0,0 +1,116 @@ +From ca0dedaff92307591f66c9206933fbdfe87add10 Mon Sep 17 00:00:00 2001 +From: Kailang Yang +Date: Wed, 5 Mar 2025 13:54:34 +0800 +Subject: ALSA: hda/realtek: update ALC222 depop optimize + +From: Kailang Yang + +commit ca0dedaff92307591f66c9206933fbdfe87add10 upstream. + +Add ALC222 its own depop functions for alc_init and alc_shutup. + +[note: this fixes pop noise issues on the models with two headphone + jacks -- tiwai ] + +Signed-off-by: Kailang Yang +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 76 ++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 76 insertions(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -3831,6 +3831,79 @@ static void alc225_shutup(struct hda_cod + } + } + ++static void alc222_init(struct hda_codec *codec) ++{ ++ struct alc_spec *spec = codec->spec; ++ hda_nid_t hp_pin = alc_get_hp_pin(spec); ++ bool hp1_pin_sense, hp2_pin_sense; ++ ++ if (!hp_pin) ++ return; ++ ++ msleep(30); ++ ++ hp1_pin_sense = snd_hda_jack_detect(codec, hp_pin); ++ hp2_pin_sense = snd_hda_jack_detect(codec, 0x14); ++ ++ if (hp1_pin_sense || hp2_pin_sense) { ++ msleep(2); ++ ++ if (hp1_pin_sense) ++ snd_hda_codec_write(codec, hp_pin, 0, ++ AC_VERB_SET_PIN_WIDGET_CONTROL, PIN_OUT); ++ if (hp2_pin_sense) ++ snd_hda_codec_write(codec, 0x14, 0, ++ AC_VERB_SET_PIN_WIDGET_CONTROL, PIN_OUT); ++ msleep(75); ++ ++ if (hp1_pin_sense) ++ snd_hda_codec_write(codec, hp_pin, 0, ++ AC_VERB_SET_AMP_GAIN_MUTE, AMP_OUT_UNMUTE); ++ if (hp2_pin_sense) ++ snd_hda_codec_write(codec, 0x14, 0, ++ AC_VERB_SET_AMP_GAIN_MUTE, AMP_OUT_UNMUTE); ++ ++ msleep(75); ++ } ++} ++ ++static void alc222_shutup(struct hda_codec *codec) ++{ ++ struct alc_spec *spec = codec->spec; ++ hda_nid_t hp_pin = alc_get_hp_pin(spec); ++ bool hp1_pin_sense, hp2_pin_sense; ++ ++ if (!hp_pin) ++ hp_pin = 0x21; ++ ++ hp1_pin_sense = snd_hda_jack_detect(codec, hp_pin); ++ hp2_pin_sense = snd_hda_jack_detect(codec, 0x14); ++ ++ if (hp1_pin_sense || hp2_pin_sense) { ++ msleep(2); ++ ++ if (hp1_pin_sense) ++ snd_hda_codec_write(codec, hp_pin, 0, ++ AC_VERB_SET_AMP_GAIN_MUTE, AMP_OUT_MUTE); ++ if (hp2_pin_sense) ++ snd_hda_codec_write(codec, 0x14, 0, ++ AC_VERB_SET_AMP_GAIN_MUTE, AMP_OUT_MUTE); ++ ++ msleep(75); ++ ++ if (hp1_pin_sense) ++ snd_hda_codec_write(codec, hp_pin, 0, ++ AC_VERB_SET_PIN_WIDGET_CONTROL, 0x0); ++ if (hp2_pin_sense) ++ snd_hda_codec_write(codec, 0x14, 0, ++ AC_VERB_SET_PIN_WIDGET_CONTROL, 0x0); ++ ++ msleep(75); ++ } ++ alc_auto_setup_eapd(codec, false); ++ alc_shutup_pins(codec); ++} ++ + static void alc_default_init(struct hda_codec *codec) + { + struct alc_spec *spec = codec->spec; +@@ -11111,8 +11184,11 @@ static int patch_alc269(struct hda_codec + spec->codec_variant = ALC269_TYPE_ALC300; + spec->gen.mixer_nid = 0; /* no loopback on ALC300 */ + break; ++ case 0x10ec0222: + case 0x10ec0623: + spec->codec_variant = ALC269_TYPE_ALC623; ++ spec->shutup = alc222_shutup; ++ spec->init_hook = alc222_init; + break; + case 0x10ec0700: + case 0x10ec0701: diff --git a/queue-6.1/drm-amd-display-fix-null-check-for-pipe_ctx-plane_state-in-resource_build_scaling_params.patch b/queue-6.1/drm-amd-display-fix-null-check-for-pipe_ctx-plane_state-in-resource_build_scaling_params.patch new file mode 100644 index 0000000000..78b7ee1204 --- /dev/null +++ b/queue-6.1/drm-amd-display-fix-null-check-for-pipe_ctx-plane_state-in-resource_build_scaling_params.patch @@ -0,0 +1,38 @@ +From 374c9faac5a763a05bc3f68ad9f73dab3c6aec90 Mon Sep 17 00:00:00 2001 +From: Ma Ke +Date: Wed, 26 Feb 2025 16:37:31 +0800 +Subject: drm/amd/display: Fix null check for pipe_ctx->plane_state in resource_build_scaling_params + +From: Ma Ke + +commit 374c9faac5a763a05bc3f68ad9f73dab3c6aec90 upstream. + +Null pointer dereference issue could occur when pipe_ctx->plane_state +is null. The fix adds a check to ensure 'pipe_ctx->plane_state' is not +null before accessing. This prevents a null pointer dereference. + +Found by code review. + +Fixes: 3be5262e353b ("drm/amd/display: Rename more dc_surface stuff to plane_state") +Reviewed-by: Alex Hung +Signed-off-by: Ma Ke +Signed-off-by: Alex Deucher +(cherry picked from commit 63e6a77ccf239337baa9b1e7787cde9fa0462092) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/dc/core/dc_resource.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/display/dc/core/dc_resource.c ++++ b/drivers/gpu/drm/amd/display/dc/core/dc_resource.c +@@ -1100,7 +1100,8 @@ bool resource_build_scaling_params(struc + DC_LOGGER_INIT(pipe_ctx->stream->ctx->logger); + + /* Invalid input */ +- if (!plane_state->dst_rect.width || ++ if (!plane_state || ++ !plane_state->dst_rect.width || + !plane_state->dst_rect.height || + !plane_state->src_rect.width || + !plane_state->src_rect.height) { diff --git a/queue-6.1/drm-radeon-fix-rs400_gpu_init-for-ati-mobility-radeon-xpress-200m.patch b/queue-6.1/drm-radeon-fix-rs400_gpu_init-for-ati-mobility-radeon-xpress-200m.patch new file mode 100644 index 0000000000..5d3fad834e --- /dev/null +++ b/queue-6.1/drm-radeon-fix-rs400_gpu_init-for-ati-mobility-radeon-xpress-200m.patch @@ -0,0 +1,78 @@ +From 29ffeb73b216ce3eff10229eb077cf9b7812119d Mon Sep 17 00:00:00 2001 +From: Richard Thier +Date: Mon, 17 Jun 2019 23:46:27 +0200 +Subject: drm/radeon: Fix rs400_gpu_init for ATI mobility radeon Xpress 200M +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Richard Thier + +commit 29ffeb73b216ce3eff10229eb077cf9b7812119d upstream. + +num_gb_pipes was set to a wrong value using r420_pipe_config + +This have lead to HyperZ glitches on fast Z clearing. + +Closes: https://bugs.freedesktop.org/show_bug.cgi?id=110897 +Reviewed-by: Marek Olšák +Signed-off-by: Richard Thier +Signed-off-by: Alex Deucher +(cherry picked from commit 044e59a85c4d84e3c8d004c486e5c479640563a6) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/radeon/r300.c | 3 ++- + drivers/gpu/drm/radeon/radeon_asic.h | 1 + + drivers/gpu/drm/radeon/rs400.c | 18 ++++++++++++++++-- + 3 files changed, 19 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/drm/radeon/r300.c ++++ b/drivers/gpu/drm/radeon/r300.c +@@ -359,7 +359,8 @@ int r300_mc_wait_for_idle(struct radeon_ + return -1; + } + +-static void r300_gpu_init(struct radeon_device *rdev) ++/* rs400_gpu_init also calls this! */ ++void r300_gpu_init(struct radeon_device *rdev) + { + uint32_t gb_tile_config, tmp; + +--- a/drivers/gpu/drm/radeon/radeon_asic.h ++++ b/drivers/gpu/drm/radeon/radeon_asic.h +@@ -165,6 +165,7 @@ void r200_set_safe_registers(struct rade + */ + extern int r300_init(struct radeon_device *rdev); + extern void r300_fini(struct radeon_device *rdev); ++extern void r300_gpu_init(struct radeon_device *rdev); + extern int r300_suspend(struct radeon_device *rdev); + extern int r300_resume(struct radeon_device *rdev); + extern int r300_asic_reset(struct radeon_device *rdev, bool hard); +--- a/drivers/gpu/drm/radeon/rs400.c ++++ b/drivers/gpu/drm/radeon/rs400.c +@@ -255,8 +255,22 @@ int rs400_mc_wait_for_idle(struct radeon + + static void rs400_gpu_init(struct radeon_device *rdev) + { +- /* FIXME: is this correct ? */ +- r420_pipes_init(rdev); ++ /* Earlier code was calling r420_pipes_init and then ++ * rs400_mc_wait_for_idle(rdev). The problem is that ++ * at least on my Mobility Radeon Xpress 200M RC410 card ++ * that ends up in this code path ends up num_gb_pipes == 3 ++ * while the card seems to have only one pipe. With the ++ * r420 pipe initialization method. ++ * ++ * Problems shown up as HyperZ glitches, see: ++ * https://bugs.freedesktop.org/show_bug.cgi?id=110897 ++ * ++ * Delegating initialization to r300 code seems to work ++ * and results in proper pipe numbers. The rs400 cards ++ * are said to be not r400, but r300 kind of cards. ++ */ ++ r300_gpu_init(rdev); ++ + if (rs400_mc_wait_for_idle(rdev)) { + pr_warn("rs400: Failed to wait MC idle while programming pipes. Bad things might happen. %08x\n", + RREG32(RADEON_MC_STATUS)); diff --git a/queue-6.1/gpio-aggregator-protect-driver-attr-handlers-against-module-unload.patch b/queue-6.1/gpio-aggregator-protect-driver-attr-handlers-against-module-unload.patch new file mode 100644 index 0000000000..fcf5015c42 --- /dev/null +++ b/queue-6.1/gpio-aggregator-protect-driver-attr-handlers-against-module-unload.patch @@ -0,0 +1,132 @@ +From 12f65d1203507f7db3ba59930fe29a3b8eee9945 Mon Sep 17 00:00:00 2001 +From: Koichiro Den +Date: Mon, 24 Feb 2025 23:31:26 +0900 +Subject: gpio: aggregator: protect driver attr handlers against module unload + +From: Koichiro Den + +commit 12f65d1203507f7db3ba59930fe29a3b8eee9945 upstream. + +Both new_device_store and delete_device_store touch module global +resources (e.g. gpio_aggregator_lock). To prevent race conditions with +module unload, a reference needs to be held. + +Add try_module_get() in these handlers. + +For new_device_store, this eliminates what appears to be the most dangerous +scenario: if an id is allocated from gpio_aggregator_idr but +platform_device_register has not yet been called or completed, a concurrent +module unload could fail to unregister/delete the device, leaving behind a +dangling platform device/GPIO forwarder. This can result in various issues. +The following simple reproducer demonstrates these problems: + + #!/bin/bash + while :; do + # note: whether 'gpiochip0 0' exists or not does not matter. + echo 'gpiochip0 0' > /sys/bus/platform/drivers/gpio-aggregator/new_device + done & + while :; do + modprobe gpio-aggregator + modprobe -r gpio-aggregator + done & + wait + + Starting with the following warning, several kinds of warnings will appear + and the system may become unstable: + + ------------[ cut here ]------------ + list_del corruption, ffff888103e2e980->next is LIST_POISON1 (dead000000000100) + WARNING: CPU: 1 PID: 1327 at lib/list_debug.c:56 __list_del_entry_valid_or_report+0xa3/0x120 + [...] + RIP: 0010:__list_del_entry_valid_or_report+0xa3/0x120 + [...] + Call Trace: + + ? __list_del_entry_valid_or_report+0xa3/0x120 + ? __warn.cold+0x93/0xf2 + ? __list_del_entry_valid_or_report+0xa3/0x120 + ? report_bug+0xe6/0x170 + ? __irq_work_queue_local+0x39/0xe0 + ? handle_bug+0x58/0x90 + ? exc_invalid_op+0x13/0x60 + ? asm_exc_invalid_op+0x16/0x20 + ? __list_del_entry_valid_or_report+0xa3/0x120 + gpiod_remove_lookup_table+0x22/0x60 + new_device_store+0x315/0x350 [gpio_aggregator] + kernfs_fop_write_iter+0x137/0x1f0 + vfs_write+0x262/0x430 + ksys_write+0x60/0xd0 + do_syscall_64+0x6c/0x180 + entry_SYSCALL_64_after_hwframe+0x76/0x7e + [...] + + ---[ end trace 0000000000000000 ]--- + +Fixes: 828546e24280 ("gpio: Add GPIO Aggregator") +Cc: stable@vger.kernel.org +Signed-off-by: Koichiro Den +Link: https://lore.kernel.org/r/20250224143134.3024598-2-koichiro.den@canonical.com +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpio/gpio-aggregator.c | 20 +++++++++++++++++--- + 1 file changed, 17 insertions(+), 3 deletions(-) + +--- a/drivers/gpio/gpio-aggregator.c ++++ b/drivers/gpio/gpio-aggregator.c +@@ -116,10 +116,15 @@ static ssize_t new_device_store(struct d + struct platform_device *pdev; + int res, id; + ++ if (!try_module_get(THIS_MODULE)) ++ return -ENOENT; ++ + /* kernfs guarantees string termination, so count + 1 is safe */ + aggr = kzalloc(sizeof(*aggr) + count + 1, GFP_KERNEL); +- if (!aggr) +- return -ENOMEM; ++ if (!aggr) { ++ res = -ENOMEM; ++ goto put_module; ++ } + + memcpy(aggr->args, buf, count + 1); + +@@ -158,6 +163,7 @@ static ssize_t new_device_store(struct d + } + + aggr->pdev = pdev; ++ module_put(THIS_MODULE); + return count; + + remove_table: +@@ -172,6 +178,8 @@ free_table: + kfree(aggr->lookups); + free_ga: + kfree(aggr); ++put_module: ++ module_put(THIS_MODULE); + return res; + } + +@@ -200,13 +208,19 @@ static ssize_t delete_device_store(struc + if (error) + return error; + ++ if (!try_module_get(THIS_MODULE)) ++ return -ENOENT; ++ + mutex_lock(&gpio_aggregator_lock); + aggr = idr_remove(&gpio_aggregator_idr, id); + mutex_unlock(&gpio_aggregator_lock); +- if (!aggr) ++ if (!aggr) { ++ module_put(THIS_MODULE); + return -ENOENT; ++ } + + gpio_aggregator_free(aggr); ++ module_put(THIS_MODULE); + return count; + } + static DRIVER_ATTR_WO(delete_device); diff --git a/queue-6.1/gpio-rcar-use-raw_spinlock-to-protect-register-access.patch b/queue-6.1/gpio-rcar-use-raw_spinlock-to-protect-register-access.patch new file mode 100644 index 0000000000..6232cee918 --- /dev/null +++ b/queue-6.1/gpio-rcar-use-raw_spinlock-to-protect-register-access.patch @@ -0,0 +1,186 @@ +From f02c41f87cfe61440c18bf77d1ef0a884b9ee2b5 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Niklas=20S=C3=B6derlund?= + +Date: Tue, 21 Jan 2025 14:58:33 +0100 +Subject: gpio: rcar: Use raw_spinlock to protect register access +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Niklas Söderlund + +commit f02c41f87cfe61440c18bf77d1ef0a884b9ee2b5 upstream. + +Use raw_spinlock in order to fix spurious messages about invalid context +when spinlock debugging is enabled. The lock is only used to serialize +register access. + + [ 4.239592] ============================= + [ 4.239595] [ BUG: Invalid wait context ] + [ 4.239599] 6.13.0-rc7-arm64-renesas-05496-gd088502a519f #35 Not tainted + [ 4.239603] ----------------------------- + [ 4.239606] kworker/u8:5/76 is trying to lock: + [ 4.239609] ffff0000091898a0 (&p->lock){....}-{3:3}, at: gpio_rcar_config_interrupt_input_mode+0x34/0x164 + [ 4.239641] other info that might help us debug this: + [ 4.239643] context-{5:5} + [ 4.239646] 5 locks held by kworker/u8:5/76: + [ 4.239651] #0: ffff0000080fb148 ((wq_completion)async){+.+.}-{0:0}, at: process_one_work+0x190/0x62c + [ 4.250180] OF: /soc/sound@ec500000/ports/port@0/endpoint: Read of boolean property 'frame-master' with a value. + [ 4.254094] #1: ffff80008299bd80 ((work_completion)(&entry->work)){+.+.}-{0:0}, at: process_one_work+0x1b8/0x62c + [ 4.254109] #2: ffff00000920c8f8 + [ 4.258345] OF: /soc/sound@ec500000/ports/port@1/endpoint: Read of boolean property 'bitclock-master' with a value. + [ 4.264803] (&dev->mutex){....}-{4:4}, at: __device_attach_async_helper+0x3c/0xdc + [ 4.264820] #3: ffff00000a50ca40 (request_class#2){+.+.}-{4:4}, at: __setup_irq+0xa0/0x690 + [ 4.264840] #4: + [ 4.268872] OF: /soc/sound@ec500000/ports/port@1/endpoint: Read of boolean property 'frame-master' with a value. + [ 4.273275] ffff00000a50c8c8 (lock_class){....}-{2:2}, at: __setup_irq+0xc4/0x690 + [ 4.296130] renesas_sdhi_internal_dmac ee100000.mmc: mmc1 base at 0x00000000ee100000, max clock rate 200 MHz + [ 4.304082] stack backtrace: + [ 4.304086] CPU: 1 UID: 0 PID: 76 Comm: kworker/u8:5 Not tainted 6.13.0-rc7-arm64-renesas-05496-gd088502a519f #35 + [ 4.304092] Hardware name: Renesas Salvator-X 2nd version board based on r8a77965 (DT) + [ 4.304097] Workqueue: async async_run_entry_fn + [ 4.304106] Call trace: + [ 4.304110] show_stack+0x14/0x20 (C) + [ 4.304122] dump_stack_lvl+0x6c/0x90 + [ 4.304131] dump_stack+0x14/0x1c + [ 4.304138] __lock_acquire+0xdfc/0x1584 + [ 4.426274] lock_acquire+0x1c4/0x33c + [ 4.429942] _raw_spin_lock_irqsave+0x5c/0x80 + [ 4.434307] gpio_rcar_config_interrupt_input_mode+0x34/0x164 + [ 4.440061] gpio_rcar_irq_set_type+0xd4/0xd8 + [ 4.444422] __irq_set_trigger+0x5c/0x178 + [ 4.448435] __setup_irq+0x2e4/0x690 + [ 4.452012] request_threaded_irq+0xc4/0x190 + [ 4.456285] devm_request_threaded_irq+0x7c/0xf4 + [ 4.459398] ata1: link resume succeeded after 1 retries + [ 4.460902] mmc_gpiod_request_cd_irq+0x68/0xe0 + [ 4.470660] mmc_start_host+0x50/0xac + [ 4.474327] mmc_add_host+0x80/0xe4 + [ 4.477817] tmio_mmc_host_probe+0x2b0/0x440 + [ 4.482094] renesas_sdhi_probe+0x488/0x6f4 + [ 4.486281] renesas_sdhi_internal_dmac_probe+0x60/0x78 + [ 4.491509] platform_probe+0x64/0xd8 + [ 4.495178] really_probe+0xb8/0x2a8 + [ 4.498756] __driver_probe_device+0x74/0x118 + [ 4.503116] driver_probe_device+0x3c/0x154 + [ 4.507303] __device_attach_driver+0xd4/0x160 + [ 4.511750] bus_for_each_drv+0x84/0xe0 + [ 4.515588] __device_attach_async_helper+0xb0/0xdc + [ 4.520470] async_run_entry_fn+0x30/0xd8 + [ 4.524481] process_one_work+0x210/0x62c + [ 4.528494] worker_thread+0x1ac/0x340 + [ 4.532245] kthread+0x10c/0x110 + [ 4.535476] ret_from_fork+0x10/0x20 + +Signed-off-by: Niklas Söderlund +Reviewed-by: Geert Uytterhoeven +Tested-by: Geert Uytterhoeven +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20250121135833.3769310-1-niklas.soderlund+renesas@ragnatech.se +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpio/gpio-rcar.c | 24 ++++++++++++------------ + 1 file changed, 12 insertions(+), 12 deletions(-) + +--- a/drivers/gpio/gpio-rcar.c ++++ b/drivers/gpio/gpio-rcar.c +@@ -41,7 +41,7 @@ struct gpio_rcar_info { + + struct gpio_rcar_priv { + void __iomem *base; +- spinlock_t lock; ++ raw_spinlock_t lock; + struct device *dev; + struct gpio_chip gpio_chip; + unsigned int irq_parent; +@@ -124,7 +124,7 @@ static void gpio_rcar_config_interrupt_i + * "Setting Level-Sensitive Interrupt Input Mode" + */ + +- spin_lock_irqsave(&p->lock, flags); ++ raw_spin_lock_irqsave(&p->lock, flags); + + /* Configure positive or negative logic in POSNEG */ + gpio_rcar_modify_bit(p, POSNEG, hwirq, !active_high_rising_edge); +@@ -143,7 +143,7 @@ static void gpio_rcar_config_interrupt_i + if (!level_trigger) + gpio_rcar_write(p, INTCLR, BIT(hwirq)); + +- spin_unlock_irqrestore(&p->lock, flags); ++ raw_spin_unlock_irqrestore(&p->lock, flags); + } + + static int gpio_rcar_irq_set_type(struct irq_data *d, unsigned int type) +@@ -247,7 +247,7 @@ static void gpio_rcar_config_general_inp + * "Setting General Input Mode" + */ + +- spin_lock_irqsave(&p->lock, flags); ++ raw_spin_lock_irqsave(&p->lock, flags); + + /* Configure positive logic in POSNEG */ + gpio_rcar_modify_bit(p, POSNEG, gpio, false); +@@ -262,7 +262,7 @@ static void gpio_rcar_config_general_inp + if (p->info.has_outdtsel && output) + gpio_rcar_modify_bit(p, OUTDTSEL, gpio, false); + +- spin_unlock_irqrestore(&p->lock, flags); ++ raw_spin_unlock_irqrestore(&p->lock, flags); + } + + static int gpio_rcar_request(struct gpio_chip *chip, unsigned offset) +@@ -348,7 +348,7 @@ static int gpio_rcar_get_multiple(struct + return 0; + } + +- spin_lock_irqsave(&p->lock, flags); ++ raw_spin_lock_irqsave(&p->lock, flags); + outputs = gpio_rcar_read(p, INOUTSEL); + m = outputs & bankmask; + if (m) +@@ -357,7 +357,7 @@ static int gpio_rcar_get_multiple(struct + m = ~outputs & bankmask; + if (m) + val |= gpio_rcar_read(p, INDT) & m; +- spin_unlock_irqrestore(&p->lock, flags); ++ raw_spin_unlock_irqrestore(&p->lock, flags); + + bits[0] = val; + return 0; +@@ -368,9 +368,9 @@ static void gpio_rcar_set(struct gpio_ch + struct gpio_rcar_priv *p = gpiochip_get_data(chip); + unsigned long flags; + +- spin_lock_irqsave(&p->lock, flags); ++ raw_spin_lock_irqsave(&p->lock, flags); + gpio_rcar_modify_bit(p, OUTDT, offset, value); +- spin_unlock_irqrestore(&p->lock, flags); ++ raw_spin_unlock_irqrestore(&p->lock, flags); + } + + static void gpio_rcar_set_multiple(struct gpio_chip *chip, unsigned long *mask, +@@ -387,12 +387,12 @@ static void gpio_rcar_set_multiple(struc + if (!bankmask) + return; + +- spin_lock_irqsave(&p->lock, flags); ++ raw_spin_lock_irqsave(&p->lock, flags); + val = gpio_rcar_read(p, OUTDT); + val &= ~bankmask; + val |= (bankmask & bits[0]); + gpio_rcar_write(p, OUTDT, val); +- spin_unlock_irqrestore(&p->lock, flags); ++ raw_spin_unlock_irqrestore(&p->lock, flags); + } + + static int gpio_rcar_direction_output(struct gpio_chip *chip, unsigned offset, +@@ -506,7 +506,7 @@ static int gpio_rcar_probe(struct platfo + return -ENOMEM; + + p->dev = dev; +- spin_lock_init(&p->lock); ++ raw_spin_lock_init(&p->lock); + + /* Get device configuration from DT node */ + ret = gpio_rcar_parse_dt(p, &npins); diff --git a/queue-6.1/hid-appleir-fix-potential-null-dereference-at-raw-event-handle.patch b/queue-6.1/hid-appleir-fix-potential-null-dereference-at-raw-event-handle.patch new file mode 100644 index 0000000000..28b0dd140d --- /dev/null +++ b/queue-6.1/hid-appleir-fix-potential-null-dereference-at-raw-event-handle.patch @@ -0,0 +1,100 @@ +From 2ff5baa9b5275e3acafdf7f2089f74cccb2f38d1 Mon Sep 17 00:00:00 2001 +From: Daniil Dulov +Date: Mon, 24 Feb 2025 20:30:30 +0300 +Subject: HID: appleir: Fix potential NULL dereference at raw event handle + +From: Daniil Dulov + +commit 2ff5baa9b5275e3acafdf7f2089f74cccb2f38d1 upstream. + +Syzkaller reports a NULL pointer dereference issue in input_event(). + +BUG: KASAN: null-ptr-deref in instrument_atomic_read include/linux/instrumented.h:68 [inline] +BUG: KASAN: null-ptr-deref in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline] +BUG: KASAN: null-ptr-deref in is_event_supported drivers/input/input.c:67 [inline] +BUG: KASAN: null-ptr-deref in input_event+0x42/0xa0 drivers/input/input.c:395 +Read of size 8 at addr 0000000000000028 by task syz-executor199/2949 + +CPU: 0 UID: 0 PID: 2949 Comm: syz-executor199 Not tainted 6.13.0-rc4-syzkaller-00076-gf097a36ef88d #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 +Call Trace: + + __dump_stack lib/dump_stack.c:94 [inline] + dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 + kasan_report+0xd9/0x110 mm/kasan/report.c:602 + check_region_inline mm/kasan/generic.c:183 [inline] + kasan_check_range+0xef/0x1a0 mm/kasan/generic.c:189 + instrument_atomic_read include/linux/instrumented.h:68 [inline] + _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline] + is_event_supported drivers/input/input.c:67 [inline] + input_event+0x42/0xa0 drivers/input/input.c:395 + input_report_key include/linux/input.h:439 [inline] + key_down drivers/hid/hid-appleir.c:159 [inline] + appleir_raw_event+0x3e5/0x5e0 drivers/hid/hid-appleir.c:232 + __hid_input_report.constprop.0+0x312/0x440 drivers/hid/hid-core.c:2111 + hid_ctrl+0x49f/0x550 drivers/hid/usbhid/hid-core.c:484 + __usb_hcd_giveback_urb+0x389/0x6e0 drivers/usb/core/hcd.c:1650 + usb_hcd_giveback_urb+0x396/0x450 drivers/usb/core/hcd.c:1734 + dummy_timer+0x17f7/0x3960 drivers/usb/gadget/udc/dummy_hcd.c:1993 + __run_hrtimer kernel/time/hrtimer.c:1739 [inline] + __hrtimer_run_queues+0x20a/0xae0 kernel/time/hrtimer.c:1803 + hrtimer_run_softirq+0x17d/0x350 kernel/time/hrtimer.c:1820 + handle_softirqs+0x206/0x8d0 kernel/softirq.c:561 + __do_softirq kernel/softirq.c:595 [inline] + invoke_softirq kernel/softirq.c:435 [inline] + __irq_exit_rcu+0xfa/0x160 kernel/softirq.c:662 + irq_exit_rcu+0x9/0x30 kernel/softirq.c:678 + instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline] + sysvec_apic_timer_interrupt+0x90/0xb0 arch/x86/kernel/apic/apic.c:1049 + + + asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702 + __mod_timer+0x8f6/0xdc0 kernel/time/timer.c:1185 + add_timer+0x62/0x90 kernel/time/timer.c:1295 + schedule_timeout+0x11f/0x280 kernel/time/sleep_timeout.c:98 + usbhid_wait_io+0x1c7/0x380 drivers/hid/usbhid/hid-core.c:645 + usbhid_init_reports+0x19f/0x390 drivers/hid/usbhid/hid-core.c:784 + hiddev_ioctl+0x1133/0x15b0 drivers/hid/usbhid/hiddev.c:794 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:906 [inline] + __se_sys_ioctl fs/ioctl.c:892 [inline] + __x64_sys_ioctl+0x190/0x200 fs/ioctl.c:892 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + + +This happens due to the malformed report items sent by the emulated device +which results in a report, that has no fields, being added to the report list. +Due to this appleir_input_configured() is never called, hidinput_connect() +fails which results in the HID_CLAIMED_INPUT flag is not being set. However, +it does not make appleir_probe() fail and lets the event callback to be +called without the associated input device. + +Thus, add a check for the HID_CLAIMED_INPUT flag and leave the event hook +early if the driver didn't claim any input_dev for some reason. Moreover, +some other hid drivers accessing input_dev in their event callbacks do have +similar checks, too. + +Found by Linux Verification Center (linuxtesting.org) with Syzkaller. + +Fixes: 9a4a5574ce42 ("HID: appleir: add support for Apple ir devices") +Cc: stable@vger.kernel.org +Signed-off-by: Daniil Dulov +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/hid-appleir.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/hid/hid-appleir.c ++++ b/drivers/hid/hid-appleir.c +@@ -188,7 +188,7 @@ static int appleir_raw_event(struct hid_ + static const u8 flatbattery[] = { 0x25, 0x87, 0xe0 }; + unsigned long flags; + +- if (len != 5) ++ if (len != 5 || !(hid->claimed & HID_CLAIMED_INPUT)) + goto out; + + if (!memcmp(data, keydown, sizeof(keydown))) { diff --git a/queue-6.1/ksmbd-fix-bug-on-trap-in-smb2_lock.patch b/queue-6.1/ksmbd-fix-bug-on-trap-in-smb2_lock.patch new file mode 100644 index 0000000000..585fc1685b --- /dev/null +++ b/queue-6.1/ksmbd-fix-bug-on-trap-in-smb2_lock.patch @@ -0,0 +1,35 @@ +From e26e2d2e15daf1ab33e0135caf2304a0cfa2744b Mon Sep 17 00:00:00 2001 +From: Namjae Jeon +Date: Thu, 27 Feb 2025 15:49:10 +0900 +Subject: ksmbd: fix bug on trap in smb2_lock + +From: Namjae Jeon + +commit e26e2d2e15daf1ab33e0135caf2304a0cfa2744b upstream. + +If lock count is greater than 1, flags could be old value. +It should be checked with flags of smb_lock, not flags. +It will cause bug-on trap from locks_free_lock in error handling +routine. + +Cc: stable@vger.kernel.org +Reported-by: Norbert Szetei +Tested-by: Norbert Szetei +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/smb2pdu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -7134,7 +7134,7 @@ no_check_cl: + retry: + rc = vfs_lock_file(filp, smb_lock->cmd, flock, NULL); + skip: +- if (flags & SMB2_LOCKFLAG_UNLOCK) { ++ if (smb_lock->flags & SMB2_LOCKFLAG_UNLOCK) { + if (!rc) { + ksmbd_debug(SMB, "File unlocked\n"); + } else if (rc == -ENOENT) { diff --git a/queue-6.1/ksmbd-fix-type-confusion-via-race-condition-when-using-ipc_msg_send_request.patch b/queue-6.1/ksmbd-fix-type-confusion-via-race-condition-when-using-ipc_msg_send_request.patch new file mode 100644 index 0000000000..4d172e4f1d --- /dev/null +++ b/queue-6.1/ksmbd-fix-type-confusion-via-race-condition-when-using-ipc_msg_send_request.patch @@ -0,0 +1,36 @@ +From e2ff19f0b7a30e03516e6eb73b948e27a55bc9d2 Mon Sep 17 00:00:00 2001 +From: Namjae Jeon +Date: Fri, 21 Feb 2025 14:16:23 +0900 +Subject: ksmbd: fix type confusion via race condition when using ipc_msg_send_request + +From: Namjae Jeon + +commit e2ff19f0b7a30e03516e6eb73b948e27a55bc9d2 upstream. + +req->handle is allocated using ksmbd_acquire_id(&ipc_ida), based on +ida_alloc. req->handle from ksmbd_ipc_login_request and +FSCTL_PIPE_TRANSCEIVE ioctl can be same and it could lead to type confusion +between messages, resulting in access to unexpected parts of memory after +an incorrect delivery. ksmbd check type of ipc response but missing add +continue to check next ipc reponse. + +Cc: stable@vger.kernel.org +Reported-by: Norbert Szetei +Tested-by: Norbert Szetei +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/transport_ipc.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/smb/server/transport_ipc.c ++++ b/fs/smb/server/transport_ipc.c +@@ -267,6 +267,7 @@ static int handle_response(int type, voi + if (entry->type + 1 != type) { + pr_err("Waiting for IPC type %d, got %d. Ignore.\n", + entry->type + 1, type); ++ continue; + } + + entry->response = kvzalloc(sz, GFP_KERNEL); diff --git a/queue-6.1/ksmbd-fix-use-after-free-in-smb2_lock.patch b/queue-6.1/ksmbd-fix-use-after-free-in-smb2_lock.patch new file mode 100644 index 0000000000..370748599f --- /dev/null +++ b/queue-6.1/ksmbd-fix-use-after-free-in-smb2_lock.patch @@ -0,0 +1,42 @@ +From 84d2d1641b71dec326e8736a749b7ee76a9599fc Mon Sep 17 00:00:00 2001 +From: Namjae Jeon +Date: Wed, 26 Feb 2025 15:44:02 +0900 +Subject: ksmbd: fix use-after-free in smb2_lock + +From: Namjae Jeon + +commit 84d2d1641b71dec326e8736a749b7ee76a9599fc upstream. + +If smb_lock->zero_len has value, ->llist of smb_lock is not delete and +flock is old one. It will cause use-after-free on error handling +routine. + +Cc: stable@vger.kernel.org +Reported-by: Norbert Szetei +Tested-by: Norbert Szetei +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/smb2pdu.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -7124,13 +7124,13 @@ out_check_cl: + } + + no_check_cl: ++ flock = smb_lock->fl; ++ list_del(&smb_lock->llist); ++ + if (smb_lock->zero_len) { + err = 0; + goto skip; + } +- +- flock = smb_lock->fl; +- list_del(&smb_lock->llist); + retry: + rc = vfs_lock_file(filp, smb_lock->cmd, flock, NULL); + skip: diff --git a/queue-6.1/loongarch-convert-unreachable-to-bug.patch b/queue-6.1/loongarch-convert-unreachable-to-bug.patch new file mode 100644 index 0000000000..5bbf2082d7 --- /dev/null +++ b/queue-6.1/loongarch-convert-unreachable-to-bug.patch @@ -0,0 +1,46 @@ +From da64a2359092ceec4f9dea5b329d0aef20104217 Mon Sep 17 00:00:00 2001 +From: Tiezhu Yang +Date: Sat, 8 Mar 2025 13:50:45 +0800 +Subject: LoongArch: Convert unreachable() to BUG() + +From: Tiezhu Yang + +commit da64a2359092ceec4f9dea5b329d0aef20104217 upstream. + +When compiling on LoongArch, there exists the following objtool warning +in arch/loongarch/kernel/machine_kexec.o: + + kexec_reboot() falls through to next function crash_shutdown_secondary() + +Avoid using unreachable() as it can (and will in the absence of UBSAN) +generate fall-through code. Use BUG() so we get a "break BRK_BUG" trap +(with unreachable annotation). + +Cc: stable@vger.kernel.org # 6.12+ +Acked-by: Josh Poimboeuf +Signed-off-by: Tiezhu Yang +Signed-off-by: Huacai Chen +Signed-off-by: Greg Kroah-Hartman +--- + arch/loongarch/kernel/machine_kexec.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/loongarch/kernel/machine_kexec.c ++++ b/arch/loongarch/kernel/machine_kexec.c +@@ -126,14 +126,14 @@ void kexec_reboot(void) + /* All secondary cpus go to kexec_smp_wait */ + if (smp_processor_id() > 0) { + relocated_kexec_smp_wait(NULL); +- unreachable(); ++ BUG(); + } + #endif + + do_kexec = (void *)reboot_code_buffer; + do_kexec(efi_boot, cmdline_ptr, systable_ptr, start_addr, first_ind_entry); + +- unreachable(); ++ BUG(); + } + + diff --git a/queue-6.1/mptcp-fix-scheduling-while-atomic-in-mptcp_pm_nl_append_new_local_addr.patch b/queue-6.1/mptcp-fix-scheduling-while-atomic-in-mptcp_pm_nl_append_new_local_addr.patch new file mode 100644 index 0000000000..64346bfd91 --- /dev/null +++ b/queue-6.1/mptcp-fix-scheduling-while-atomic-in-mptcp_pm_nl_append_new_local_addr.patch @@ -0,0 +1,134 @@ +From 022bfe24aad8937705704ff2e414b100cf0f2e1a Mon Sep 17 00:00:00 2001 +From: Krister Johansen +Date: Mon, 3 Mar 2025 18:10:13 +0100 +Subject: mptcp: fix 'scheduling while atomic' in mptcp_pm_nl_append_new_local_addr + +From: Krister Johansen + +commit 022bfe24aad8937705704ff2e414b100cf0f2e1a upstream. + +If multiple connection requests attempt to create an implicit mptcp +endpoint in parallel, more than one caller may end up in +mptcp_pm_nl_append_new_local_addr because none found the address in +local_addr_list during their call to mptcp_pm_nl_get_local_id. In this +case, the concurrent new_local_addr calls may delete the address entry +created by the previous caller. These deletes use synchronize_rcu, but +this is not permitted in some of the contexts where this function may be +called. During packet recv, the caller may be in a rcu read critical +section and have preemption disabled. + +An example stack: + + BUG: scheduling while atomic: swapper/2/0/0x00000302 + + Call Trace: + + dump_stack_lvl (lib/dump_stack.c:117 (discriminator 1)) + dump_stack (lib/dump_stack.c:124) + __schedule_bug (kernel/sched/core.c:5943) + schedule_debug.constprop.0 (arch/x86/include/asm/preempt.h:33 kernel/sched/core.c:5970) + __schedule (arch/x86/include/asm/jump_label.h:27 include/linux/jump_label.h:207 kernel/sched/features.h:29 kernel/sched/core.c:6621) + schedule (arch/x86/include/asm/preempt.h:84 kernel/sched/core.c:6804 kernel/sched/core.c:6818) + schedule_timeout (kernel/time/timer.c:2160) + wait_for_completion (kernel/sched/completion.c:96 kernel/sched/completion.c:116 kernel/sched/completion.c:127 kernel/sched/completion.c:148) + __wait_rcu_gp (include/linux/rcupdate.h:311 kernel/rcu/update.c:444) + synchronize_rcu (kernel/rcu/tree.c:3609) + mptcp_pm_nl_append_new_local_addr (net/mptcp/pm_netlink.c:966 net/mptcp/pm_netlink.c:1061) + mptcp_pm_nl_get_local_id (net/mptcp/pm_netlink.c:1164) + mptcp_pm_get_local_id (net/mptcp/pm.c:420) + subflow_check_req (net/mptcp/subflow.c:98 net/mptcp/subflow.c:213) + subflow_v4_route_req (net/mptcp/subflow.c:305) + tcp_conn_request (net/ipv4/tcp_input.c:7216) + subflow_v4_conn_request (net/mptcp/subflow.c:651) + tcp_rcv_state_process (net/ipv4/tcp_input.c:6709) + tcp_v4_do_rcv (net/ipv4/tcp_ipv4.c:1934) + tcp_v4_rcv (net/ipv4/tcp_ipv4.c:2334) + ip_protocol_deliver_rcu (net/ipv4/ip_input.c:205 (discriminator 1)) + ip_local_deliver_finish (include/linux/rcupdate.h:813 net/ipv4/ip_input.c:234) + ip_local_deliver (include/linux/netfilter.h:314 include/linux/netfilter.h:308 net/ipv4/ip_input.c:254) + ip_sublist_rcv_finish (include/net/dst.h:461 net/ipv4/ip_input.c:580) + ip_sublist_rcv (net/ipv4/ip_input.c:640) + ip_list_rcv (net/ipv4/ip_input.c:675) + __netif_receive_skb_list_core (net/core/dev.c:5583 net/core/dev.c:5631) + netif_receive_skb_list_internal (net/core/dev.c:5685 net/core/dev.c:5774) + napi_complete_done (include/linux/list.h:37 include/net/gro.h:449 include/net/gro.h:444 net/core/dev.c:6114) + igb_poll (drivers/net/ethernet/intel/igb/igb_main.c:8244) igb + __napi_poll (net/core/dev.c:6582) + net_rx_action (net/core/dev.c:6653 net/core/dev.c:6787) + handle_softirqs (kernel/softirq.c:553) + __irq_exit_rcu (kernel/softirq.c:588 kernel/softirq.c:427 kernel/softirq.c:636) + irq_exit_rcu (kernel/softirq.c:651) + common_interrupt (arch/x86/kernel/irq.c:247 (discriminator 14)) + + +This problem seems particularly prevalent if the user advertises an +endpoint that has a different external vs internal address. In the case +where the external address is advertised and multiple connections +already exist, multiple subflow SYNs arrive in parallel which tends to +trigger the race during creation of the first local_addr_list entries +which have the internal address instead. + +Fix by skipping the replacement of an existing implicit local address if +called via mptcp_pm_nl_get_local_id. + +Fixes: d045b9eb95a9 ("mptcp: introduce implicit endpoints") +Cc: stable@vger.kernel.org +Suggested-by: Paolo Abeni +Signed-off-by: Krister Johansen +Reviewed-by: Matthieu Baerts (NGI0) +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20250303-net-mptcp-fix-sched-while-atomic-v1-1-f6a216c5a74c@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/pm_netlink.c | 18 +++++++++++++++--- + 1 file changed, 15 insertions(+), 3 deletions(-) + +--- a/net/mptcp/pm_netlink.c ++++ b/net/mptcp/pm_netlink.c +@@ -969,7 +969,7 @@ static void __mptcp_pm_release_addr_entr + + static int mptcp_pm_nl_append_new_local_addr(struct pm_nl_pernet *pernet, + struct mptcp_pm_addr_entry *entry, +- bool needs_id) ++ bool needs_id, bool replace) + { + struct mptcp_pm_addr_entry *cur, *del_entry = NULL; + unsigned int addr_max; +@@ -1003,6 +1003,17 @@ static int mptcp_pm_nl_append_new_local_ + if (entry->addr.id) + goto out; + ++ /* allow callers that only need to look up the local ++ * addr's id to skip replacement. This allows them to ++ * avoid calling synchronize_rcu in the packet recv ++ * path. ++ */ ++ if (!replace) { ++ kfree(entry); ++ ret = cur->addr.id; ++ goto out; ++ } ++ + pernet->addrs--; + entry->addr.id = cur->addr.id; + list_del_rcu(&cur->list); +@@ -1149,7 +1160,7 @@ int mptcp_pm_nl_get_local_id(struct mptc + entry->ifindex = 0; + entry->flags = MPTCP_PM_ADDR_FLAG_IMPLICIT; + entry->lsk = NULL; +- ret = mptcp_pm_nl_append_new_local_addr(pernet, entry, true); ++ ret = mptcp_pm_nl_append_new_local_addr(pernet, entry, true, false); + if (ret < 0) + kfree(entry); + +@@ -1444,7 +1455,8 @@ static int mptcp_nl_cmd_add_addr(struct + } + } + ret = mptcp_pm_nl_append_new_local_addr(pernet, entry, +- !mptcp_pm_has_addr_attr_id(attr, info)); ++ !mptcp_pm_has_addr_attr_id(attr, info), ++ true); + if (ret < 0) { + GENL_SET_ERR_MSG(info, "too many addresses or duplicate one"); + goto out_free; diff --git a/queue-6.1/platform-x86-thinkpad_acpi-add-battery-quirk-for-thinkpad-x131e.patch b/queue-6.1/platform-x86-thinkpad_acpi-add-battery-quirk-for-thinkpad-x131e.patch new file mode 100644 index 0000000000..614129e576 --- /dev/null +++ b/queue-6.1/platform-x86-thinkpad_acpi-add-battery-quirk-for-thinkpad-x131e.patch @@ -0,0 +1,43 @@ +From d0d10eaedcb53740883d7e5d53c5e15c879b48fb Mon Sep 17 00:00:00 2001 +From: Mingcong Bai +Date: Sat, 22 Feb 2025 00:48:24 +0800 +Subject: platform/x86: thinkpad_acpi: Add battery quirk for ThinkPad X131e +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mingcong Bai + +commit d0d10eaedcb53740883d7e5d53c5e15c879b48fb upstream. + +Based on the dmesg messages from the original reporter: + +[ 4.964073] ACPI: \_SB_.PCI0.LPCB.EC__.HKEY: BCTG evaluated but flagged as error +[ 4.964083] thinkpad_acpi: Error probing battery 2 + +Lenovo ThinkPad X131e also needs this battery quirk. + +Reported-by: Fan Yang <804284660@qq.com> +Tested-by: Fan Yang <804284660@qq.com> +Co-developed-by: Xi Ruoyao +Signed-off-by: Xi Ruoyao +Signed-off-by: Mingcong Bai +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20250221164825.77315-1-jeffbai@aosc.io +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/platform/x86/thinkpad_acpi.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/platform/x86/thinkpad_acpi.c ++++ b/drivers/platform/x86/thinkpad_acpi.c +@@ -10113,6 +10113,7 @@ static const struct tpacpi_quirk battery + * Individual addressing is broken on models that expose the + * primary battery as BAT1. + */ ++ TPACPI_Q_LNV('G', '8', true), /* ThinkPad X131e */ + TPACPI_Q_LNV('8', 'F', true), /* Thinkpad X120e */ + TPACPI_Q_LNV('J', '7', true), /* B5400 */ + TPACPI_Q_LNV('J', 'I', true), /* Thinkpad 11e */ diff --git a/queue-6.1/revert-of-reserved-memory-fix-using-wrong-number-of-cells-to-get-property-alignment.patch b/queue-6.1/revert-of-reserved-memory-fix-using-wrong-number-of-cells-to-get-property-alignment.patch new file mode 100644 index 0000000000..353180f018 --- /dev/null +++ b/queue-6.1/revert-of-reserved-memory-fix-using-wrong-number-of-cells-to-get-property-alignment.patch @@ -0,0 +1,39 @@ +From 75f1f311d883dfaffb98be3c1da208d6ed5d4df9 Mon Sep 17 00:00:00 2001 +From: "Rob Herring (Arm)" +Date: Wed, 26 Feb 2025 13:38:19 -0600 +Subject: Revert "of: reserved-memory: Fix using wrong number of cells to get property 'alignment'" + +From: Rob Herring (Arm) + +commit 75f1f311d883dfaffb98be3c1da208d6ed5d4df9 upstream. + +This reverts commit 267b21d0bef8e67dbe6c591c9991444e58237ec9. + +Turns out some DTs do depend on this behavior. Specifically, a +downstream Pixel 6 DT. Revert the change at least until we can decide if +the DT spec can be changed instead. + +Cc: stable@vger.kernel.org +Signed-off-by: Rob Herring (Arm) +Signed-off-by: Greg Kroah-Hartman +--- + drivers/of/of_reserved_mem.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/of/of_reserved_mem.c ++++ b/drivers/of/of_reserved_mem.c +@@ -105,12 +105,12 @@ static int __init __reserved_mem_alloc_s + + prop = of_get_flat_dt_prop(node, "alignment", &len); + if (prop) { +- if (len != dt_root_size_cells * sizeof(__be32)) { ++ if (len != dt_root_addr_cells * sizeof(__be32)) { + pr_err("invalid alignment property in '%s' node.\n", + uname); + return -EINVAL; + } +- align = dt_mem_next_cell(dt_root_size_cells, &prop); ++ align = dt_mem_next_cell(dt_root_addr_cells, &prop); + } + + nomap = of_get_flat_dt_prop(node, "no-map", NULL) != NULL; diff --git a/queue-6.1/series b/queue-6.1/series index a168963b7f..478e81d164 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -6,3 +6,21 @@ cpuidle-intel_idle-fix-cpuidle_flag_ibrs.patch x86-speculation-add-__update_spec_ctrl-helper.patch efi-don-t-map-the-entire-mokvar-table-to-determine-i.patch x86-amd_nb-use-rdmsr_safe-in-amd_get_mmconfig_range.patch +revert-of-reserved-memory-fix-using-wrong-number-of-cells-to-get-property-alignment.patch +loongarch-convert-unreachable-to-bug.patch +hid-appleir-fix-potential-null-dereference-at-raw-event-handle.patch +ksmbd-fix-type-confusion-via-race-condition-when-using-ipc_msg_send_request.patch +ksmbd-fix-use-after-free-in-smb2_lock.patch +ksmbd-fix-bug-on-trap-in-smb2_lock.patch +gpio-rcar-use-raw_spinlock-to-protect-register-access.patch +gpio-aggregator-protect-driver-attr-handlers-against-module-unload.patch +alsa-hda-intel-add-dell-alc3271-to-power_save-denylist.patch +alsa-hda-realtek-add-supported-mic-mute-led-for-lenovo-platform.patch +alsa-hda-realtek-update-alc222-depop-optimize.patch +drm-amd-display-fix-null-check-for-pipe_ctx-plane_state-in-resource_build_scaling_params.patch +drm-radeon-fix-rs400_gpu_init-for-ati-mobility-radeon-xpress-200m.patch +platform-x86-thinkpad_acpi-add-battery-quirk-for-thinkpad-x131e.patch +x86-cacheinfo-validate-cpuid-leaf-0x2-edx-output.patch +x86-cpu-validate-cpuid-leaf-0x2-edx-output.patch +x86-cpu-properly-parse-cpuid-leaf-0x2-tlb-descriptor-0x63.patch +mptcp-fix-scheduling-while-atomic-in-mptcp_pm_nl_append_new_local_addr.patch diff --git a/queue-6.1/x86-cacheinfo-validate-cpuid-leaf-0x2-edx-output.patch b/queue-6.1/x86-cacheinfo-validate-cpuid-leaf-0x2-edx-output.patch new file mode 100644 index 0000000000..40ad65e60e --- /dev/null +++ b/queue-6.1/x86-cacheinfo-validate-cpuid-leaf-0x2-edx-output.patch @@ -0,0 +1,44 @@ +From 8177c6bedb7013cf736137da586cf783922309dd Mon Sep 17 00:00:00 2001 +From: "Ahmed S. Darwish" +Date: Tue, 4 Mar 2025 09:51:12 +0100 +Subject: x86/cacheinfo: Validate CPUID leaf 0x2 EDX output + +From: Ahmed S. Darwish + +commit 8177c6bedb7013cf736137da586cf783922309dd upstream. + +CPUID leaf 0x2 emits one-byte descriptors in its four output registers +EAX, EBX, ECX, and EDX. For these descriptors to be valid, the most +significant bit (MSB) of each register must be clear. + +The historical Git commit: + + 019361a20f016 ("- pre6: Intel: start to add Pentium IV specific stuff (128-byte cacheline etc)...") + +introduced leaf 0x2 output parsing. It only validated the MSBs of EAX, +EBX, and ECX, but left EDX unchecked. + +Validate EDX's most-significant bit. + +Signed-off-by: Ahmed S. Darwish +Signed-off-by: Ingo Molnar +Cc: stable@vger.kernel.org +Cc: "H. Peter Anvin" +Cc: Linus Torvalds +Link: https://lore.kernel.org/r/20250304085152.51092-2-darwi@linutronix.de +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/cpu/cacheinfo.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kernel/cpu/cacheinfo.c ++++ b/arch/x86/kernel/cpu/cacheinfo.c +@@ -801,7 +801,7 @@ void init_intel_cacheinfo(struct cpuinfo + cpuid(2, ®s[0], ®s[1], ®s[2], ®s[3]); + + /* If bit 31 is set, this is an unknown format */ +- for (j = 0 ; j < 3 ; j++) ++ for (j = 0 ; j < 4 ; j++) + if (regs[j] & (1 << 31)) + regs[j] = 0; + diff --git a/queue-6.1/x86-cpu-properly-parse-cpuid-leaf-0x2-tlb-descriptor-0x63.patch b/queue-6.1/x86-cpu-properly-parse-cpuid-leaf-0x2-tlb-descriptor-0x63.patch new file mode 100644 index 0000000000..fbcbd5efd4 --- /dev/null +++ b/queue-6.1/x86-cpu-properly-parse-cpuid-leaf-0x2-tlb-descriptor-0x63.patch @@ -0,0 +1,119 @@ +From f6bdaab79ee4228a143ee1b4cb80416d6ffc0c63 Mon Sep 17 00:00:00 2001 +From: "Ahmed S. Darwish" +Date: Tue, 4 Mar 2025 09:51:14 +0100 +Subject: x86/cpu: Properly parse CPUID leaf 0x2 TLB descriptor 0x63 + +From: Ahmed S. Darwish + +commit f6bdaab79ee4228a143ee1b4cb80416d6ffc0c63 upstream. + +CPUID leaf 0x2's one-byte TLB descriptors report the number of entries +for specific TLB types, among other properties. + +Typically, each emitted descriptor implies the same number of entries +for its respective TLB type(s). An emitted 0x63 descriptor is an +exception: it implies 4 data TLB entries for 1GB pages and 32 data TLB +entries for 2MB or 4MB pages. + +For the TLB descriptors parsing code, the entry count for 1GB pages is +encoded at the intel_tlb_table[] mapping, but the 2MB/4MB entry count is +totally ignored. + +Update leaf 0x2's parsing logic 0x2 to account for 32 data TLB entries +for 2MB/4MB pages implied by the 0x63 descriptor. + +Fixes: e0ba94f14f74 ("x86/tlb_info: get last level TLB entry number of CPU") +Signed-off-by: Ahmed S. Darwish +Signed-off-by: Ingo Molnar +Cc: stable@kernel.org +Cc: "H. Peter Anvin" +Cc: Linus Torvalds +Link: https://lore.kernel.org/r/20250304085152.51092-4-darwi@linutronix.de +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/cpu/intel.c | 60 ++++++++++++++++++++++++++++---------------- + 1 file changed, 39 insertions(+), 21 deletions(-) + +--- a/arch/x86/kernel/cpu/intel.c ++++ b/arch/x86/kernel/cpu/intel.c +@@ -784,26 +784,37 @@ static unsigned int intel_size_cache(str + } + #endif + +-#define TLB_INST_4K 0x01 +-#define TLB_INST_4M 0x02 +-#define TLB_INST_2M_4M 0x03 +- +-#define TLB_INST_ALL 0x05 +-#define TLB_INST_1G 0x06 +- +-#define TLB_DATA_4K 0x11 +-#define TLB_DATA_4M 0x12 +-#define TLB_DATA_2M_4M 0x13 +-#define TLB_DATA_4K_4M 0x14 +- +-#define TLB_DATA_1G 0x16 +- +-#define TLB_DATA0_4K 0x21 +-#define TLB_DATA0_4M 0x22 +-#define TLB_DATA0_2M_4M 0x23 +- +-#define STLB_4K 0x41 +-#define STLB_4K_2M 0x42 ++#define TLB_INST_4K 0x01 ++#define TLB_INST_4M 0x02 ++#define TLB_INST_2M_4M 0x03 ++ ++#define TLB_INST_ALL 0x05 ++#define TLB_INST_1G 0x06 ++ ++#define TLB_DATA_4K 0x11 ++#define TLB_DATA_4M 0x12 ++#define TLB_DATA_2M_4M 0x13 ++#define TLB_DATA_4K_4M 0x14 ++ ++#define TLB_DATA_1G 0x16 ++#define TLB_DATA_1G_2M_4M 0x17 ++ ++#define TLB_DATA0_4K 0x21 ++#define TLB_DATA0_4M 0x22 ++#define TLB_DATA0_2M_4M 0x23 ++ ++#define STLB_4K 0x41 ++#define STLB_4K_2M 0x42 ++ ++/* ++ * All of leaf 0x2's one-byte TLB descriptors implies the same number of ++ * entries for their respective TLB types. The 0x63 descriptor is an ++ * exception: it implies 4 dTLB entries for 1GB pages 32 dTLB entries ++ * for 2MB or 4MB pages. Encode descriptor 0x63 dTLB entry count for ++ * 2MB/4MB pages here, as its count for dTLB 1GB pages is already at the ++ * intel_tlb_table[] mapping. ++ */ ++#define TLB_0x63_2M_4M_ENTRIES 32 + + static const struct _tlb_table intel_tlb_table[] = { + { 0x01, TLB_INST_4K, 32, " TLB_INST 4 KByte pages, 4-way set associative" }, +@@ -825,7 +836,8 @@ static const struct _tlb_table intel_tlb + { 0x5c, TLB_DATA_4K_4M, 128, " TLB_DATA 4 KByte and 4 MByte pages" }, + { 0x5d, TLB_DATA_4K_4M, 256, " TLB_DATA 4 KByte and 4 MByte pages" }, + { 0x61, TLB_INST_4K, 48, " TLB_INST 4 KByte pages, full associative" }, +- { 0x63, TLB_DATA_1G, 4, " TLB_DATA 1 GByte pages, 4-way set associative" }, ++ { 0x63, TLB_DATA_1G_2M_4M, 4, " TLB_DATA 1 GByte pages, 4-way set associative" ++ " (plus 32 entries TLB_DATA 2 MByte or 4 MByte pages, not encoded here)" }, + { 0x6b, TLB_DATA_4K, 256, " TLB_DATA 4 KByte pages, 8-way associative" }, + { 0x6c, TLB_DATA_2M_4M, 128, " TLB_DATA 2 MByte or 4 MByte pages, 8-way associative" }, + { 0x6d, TLB_DATA_1G, 16, " TLB_DATA 1 GByte pages, fully associative" }, +@@ -925,6 +937,12 @@ static void intel_tlb_lookup(const unsig + if (tlb_lld_4m[ENTRIES] < intel_tlb_table[k].entries) + tlb_lld_4m[ENTRIES] = intel_tlb_table[k].entries; + break; ++ case TLB_DATA_1G_2M_4M: ++ if (tlb_lld_2m[ENTRIES] < TLB_0x63_2M_4M_ENTRIES) ++ tlb_lld_2m[ENTRIES] = TLB_0x63_2M_4M_ENTRIES; ++ if (tlb_lld_4m[ENTRIES] < TLB_0x63_2M_4M_ENTRIES) ++ tlb_lld_4m[ENTRIES] = TLB_0x63_2M_4M_ENTRIES; ++ fallthrough; + case TLB_DATA_1G: + if (tlb_lld_1g[ENTRIES] < intel_tlb_table[k].entries) + tlb_lld_1g[ENTRIES] = intel_tlb_table[k].entries; diff --git a/queue-6.1/x86-cpu-validate-cpuid-leaf-0x2-edx-output.patch b/queue-6.1/x86-cpu-validate-cpuid-leaf-0x2-edx-output.patch new file mode 100644 index 0000000000..6a0ec15959 --- /dev/null +++ b/queue-6.1/x86-cpu-validate-cpuid-leaf-0x2-edx-output.patch @@ -0,0 +1,41 @@ +From 1881148215c67151b146450fb89ec22fd92337a7 Mon Sep 17 00:00:00 2001 +From: "Ahmed S. Darwish" +Date: Tue, 4 Mar 2025 09:51:13 +0100 +Subject: x86/cpu: Validate CPUID leaf 0x2 EDX output + +From: Ahmed S. Darwish + +commit 1881148215c67151b146450fb89ec22fd92337a7 upstream. + +CPUID leaf 0x2 emits one-byte descriptors in its four output registers +EAX, EBX, ECX, and EDX. For these descriptors to be valid, the most +significant bit (MSB) of each register must be clear. + +Leaf 0x2 parsing at intel.c only validated the MSBs of EAX, EBX, and +ECX, but left EDX unchecked. + +Validate EDX's most-significant bit as well. + +Fixes: e0ba94f14f74 ("x86/tlb_info: get last level TLB entry number of CPU") +Signed-off-by: Ahmed S. Darwish +Signed-off-by: Ingo Molnar +Cc: stable@kernel.org +Cc: "H. Peter Anvin" +Cc: Linus Torvalds +Link: https://lore.kernel.org/r/20250304085152.51092-3-darwi@linutronix.de +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/cpu/intel.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kernel/cpu/intel.c ++++ b/arch/x86/kernel/cpu/intel.c +@@ -948,7 +948,7 @@ static void intel_detect_tlb(struct cpui + cpuid(2, ®s[0], ®s[1], ®s[2], ®s[3]); + + /* If bit 31 is set, this is an unknown format */ +- for (j = 0 ; j < 3 ; j++) ++ for (j = 0 ; j < 4 ; j++) + if (regs[j] & (1 << 31)) + regs[j] = 0; +