From 162b6a28eacd4d53e8f71a9a070e94c4a8be0601 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Fri, 5 Jul 2024 15:26:18 -0400 Subject: [PATCH] Fixes for 6.6 Signed-off-by: Sasha Levin --- ...ialized-value-in-bpf_core_read_bitfi.patch | 59 ++++ ...ialize-ret-in-scrub_simple_mirror-to.patch | 44 +++ ...last_media_change-check-to-avoid-uni.patch | 71 +++++ ...-cipher-zeroize-key-buffer-after-use.patch | 53 ++++ ...-debugfs-fix-debugfs-uninit-process-.patch | 82 +++++ ...check-index-msg_id-before-read-or-wr.patch | 56 ++++ ...check-pipe-offset-before-setting-vbl.patch | 45 +++ ...ay-fix-uninitialized-variables-in-dm.patch | 86 +++++ ...skip-finding-free-audio-for-unknown-.patch | 44 +++ ...he-warning-about-the-expression-int-.patch | 43 +++ ...ninitialized-scalar-variable-warning.patch | 39 +++ ...-fix-uninitialized-variable-warnings.patch | 52 +++ ...alize-timestamp-for-some-legacy-socs.patch | 46 +++ ...-uninitialized-value-size-when-calli.patch | 43 +++ ...shared-irq-handling-on-driver-remove.patch | 88 ++++++ ...ation-of-fault-attrs-in-f2fs_build_f.patch | 142 +++++++++ ...re-dmi-stop-decoding-on-broken-entry.patch | 46 +++ ...otate-apanel_addr-as-__ro_after_init.patch | 35 ++ ...plement-a-limit-on-umad-receive-list.patch | 125 ++++++++ ...log-entry-using-uninitialized-netdev.patch | 61 ++++ ...efer-struct_size-over-open-coded-ari.patch | 73 +++++ ...ts-remove-bug_on-in-its_vpe_irq_doma.patch | 41 +++ ...ial-illegal-address-access-in-jffs2_.patch | 94 ++++++ queue-6.6/kunit-fix-timeout-message.patch | 52 +++ queue-6.6/kunit-handle-test-faults.patch | 152 +++++++++ ...e-devm_mutex_init-for-mutex-initiali.patch | 69 ++++ ...king-mutex-introduce-devm_mutex_init.patch | 113 +++++++ ...2-fe-fix-as10x_register_addr-packing.patch | 44 +++ ...ntends-tda10048-fix-integer-overflow.patch | 53 ++++ ...nds-tda18271c2dd-remove-casting-duri.patch | 49 +++ ...b0700_devices-add-missing-release_fi.patch | 68 ++++ ...-don-t-translate-i2c-read-into-write.patch | 197 ++++++++++++ ...codec-only-free-buffer-va-that-is-no.patch | 87 +++++ ...refcount_t-instead-of-atomic_t-for-n.patch | 109 +++++++ ...88e6xxx-correct-check-for-empty-list.patch | 50 +++ ...angefs-fix-out-of-bounds-fsid-access.patch | 43 +++ ...io_base-to-poison_pointer_delta-not-.patch | 49 +++ ...i_enter-nmi_exit-in-real-mode-interr.patch | 116 +++++++ ...pc-dexcr-track-the-dexcr-per-process.patch | 95 ++++++ ...check-cpu-id-in-commands-c-dp-and-dx.patch | 61 ++++ ...-fix-the-initial-sample-period-value.patch | 39 +++ ...ve-cip-1200-workaround-to-single-asi.patch | 126 ++++++++ ...-in-__load_psw_mask-as-__unitialized.patch | 47 +++ ...-pkey-wipe-sensitive-data-on-failure.patch | 47 +++ queue-6.6/scsi-mpi3mr-sanitise-num_phys.patch | 50 +++ ...ake-qedf_execute_tmf-non-preemptible.patch | 54 ++++ ...ruct_size-over-open-coded-arithmetic.patch | 74 +++++ ...just-dummy_st_ops_success-to-detect-.patch | 89 ++++++ ...-not-pass-null-for-non-nullable-para.patch | 72 +++++ ...mmy_st_ops-should-reject-0-for-non-n.patch | 68 ++++ ...ests-net-fix-uninitialized-variables.patch | 84 +++++ ...rial-imx-raise-tx-trigger-level-to-8.patch | 45 +++ queue-6.6/series | 60 ++++ ...mediatek-lvts_thermal-check-null-ptr.patch | 35 ++ ...turbostat-remember-global-max_die_id.patch | 65 ++++ ...-potential-failure-in-handle_tx_even.patch | 54 ++++ ...-release-worker-mutex-during-flushes.patch | 133 ++++++++ ...-virtqueue-mutex-for-swapping-worker.patch | 66 ++++ ...e-sigkill-by-flushing-work-and-exiti.patch | 298 ++++++++++++++++++ ...-add-sanity-checks-for-background-ra.patch | 56 ++++ ...76-replace-skb_put-with-skb_put_zero.patch | 83 +++++ 61 files changed, 4520 insertions(+) create mode 100644 queue-6.6/bpf-avoid-uninitialized-value-in-bpf_core_read_bitfi.patch create mode 100644 queue-6.6/btrfs-scrub-initialize-ret-in-scrub_simple_mirror-to.patch create mode 100644 queue-6.6/cdrom-rearrange-last_media_change-check-to-avoid-uni.patch create mode 100644 queue-6.6/crypto-aead-cipher-zeroize-key-buffer-after-use.patch create mode 100644 queue-6.6/crypto-hisilicon-debugfs-fix-debugfs-uninit-process-.patch create mode 100644 queue-6.6/drm-amd-display-check-index-msg_id-before-read-or-wr.patch create mode 100644 queue-6.6/drm-amd-display-check-pipe-offset-before-setting-vbl.patch create mode 100644 queue-6.6/drm-amd-display-fix-uninitialized-variables-in-dm.patch create mode 100644 queue-6.6/drm-amd-display-skip-finding-free-audio-for-unknown-.patch create mode 100644 queue-6.6/drm-amdgpu-fix-the-warning-about-the-expression-int-.patch create mode 100644 queue-6.6/drm-amdgpu-fix-uninitialized-scalar-variable-warning.patch create mode 100644 queue-6.6/drm-amdgpu-fix-uninitialized-variable-warnings.patch create mode 100644 queue-6.6/drm-amdgpu-initialize-timestamp-for-some-legacy-socs.patch create mode 100644 queue-6.6/drm-amdgpu-using-uninitialized-value-size-when-calli.patch create mode 100644 queue-6.6/drm-lima-fix-shared-irq-handling-on-driver-remove.patch create mode 100644 queue-6.6/f2fs-check-validation-of-fault-attrs-in-f2fs_build_f.patch create mode 100644 queue-6.6/firmware-dmi-stop-decoding-on-broken-entry.patch create mode 100644 queue-6.6/i2c-i801-annotate-apanel_addr-as-__ro_after_init.patch create mode 100644 queue-6.6/ib-core-implement-a-limit-on-umad-receive-list.patch create mode 100644 queue-6.6/igc-fix-a-log-entry-using-uninitialized-netdev.patch create mode 100644 queue-6.6/input-ff-core-prefer-struct_size-over-open-coded-ari.patch create mode 100644 queue-6.6/irqchip-gic-v3-its-remove-bug_on-in-its_vpe_irq_doma.patch create mode 100644 queue-6.6/jffs2-fix-potential-illegal-address-access-in-jffs2_.patch create mode 100644 queue-6.6/kunit-fix-timeout-message.patch create mode 100644 queue-6.6/kunit-handle-test-faults.patch create mode 100644 queue-6.6/leds-an30259a-use-devm_mutex_init-for-mutex-initiali.patch create mode 100644 queue-6.6/locking-mutex-introduce-devm_mutex_init.patch create mode 100644 queue-6.6/media-dvb-as102-fe-fix-as10x_register_addr-packing.patch create mode 100644 queue-6.6/media-dvb-frontends-tda10048-fix-integer-overflow.patch create mode 100644 queue-6.6/media-dvb-frontends-tda18271c2dd-remove-casting-duri.patch create mode 100644 queue-6.6/media-dvb-usb-dib0700_devices-add-missing-release_fi.patch create mode 100644 queue-6.6/media-dw2102-don-t-translate-i2c-read-into-write.patch create mode 100644 queue-6.6/media-mediatek-vcodec-only-free-buffer-va-that-is-no.patch create mode 100644 queue-6.6/media-s2255-use-refcount_t-instead-of-atomic_t-for-n.patch create mode 100644 queue-6.6/net-dsa-mv88e6xxx-correct-check-for-empty-list.patch create mode 100644 queue-6.6/orangefs-fix-out-of-bounds-fsid-access.patch create mode 100644 queue-6.6/powerpc-64-set-_io_base-to-poison_pointer_delta-not-.patch create mode 100644 queue-6.6/powerpc-avoid-nmi_enter-nmi_exit-in-real-mode-interr.patch create mode 100644 queue-6.6/powerpc-dexcr-track-the-dexcr-per-process.patch create mode 100644 queue-6.6/powerpc-xmon-check-cpu-id-in-commands-c-dp-and-dx.patch create mode 100644 queue-6.6/risc-v-kvm-fix-the-initial-sample-period-value.patch create mode 100644 queue-6.6/riscv-apply-sifive-cip-1200-workaround-to-single-asi.patch create mode 100644 queue-6.6/s390-mark-psw-in-__load_psw_mask-as-__unitialized.patch create mode 100644 queue-6.6/s390-pkey-wipe-sensitive-data-on-failure.patch create mode 100644 queue-6.6/scsi-mpi3mr-sanitise-num_phys.patch create mode 100644 queue-6.6/scsi-qedf-make-qedf_execute_tmf-non-preemptible.patch create mode 100644 queue-6.6/sctp-prefer-struct_size-over-open-coded-arithmetic.patch create mode 100644 queue-6.6/selftests-bpf-adjust-dummy_st_ops_success-to-detect-.patch create mode 100644 queue-6.6/selftests-bpf-do-not-pass-null-for-non-nullable-para.patch create mode 100644 queue-6.6/selftests-bpf-dummy_st_ops-should-reject-0-for-non-n.patch create mode 100644 queue-6.6/selftests-net-fix-uninitialized-variables.patch create mode 100644 queue-6.6/serial-imx-raise-tx-trigger-level-to-8.patch create mode 100644 queue-6.6/series create mode 100644 queue-6.6/thermal-drivers-mediatek-lvts_thermal-check-null-ptr.patch create mode 100644 queue-6.6/tools-power-turbostat-remember-global-max_die_id.patch create mode 100644 queue-6.6/usb-xhci-prevent-potential-failure-in-handle_tx_even.patch create mode 100644 queue-6.6/vhost-release-worker-mutex-during-flushes.patch create mode 100644 queue-6.6/vhost-use-virtqueue-mutex-for-swapping-worker.patch create mode 100644 queue-6.6/vhost_task-handle-sigkill-by-flushing-work-and-exiti.patch create mode 100644 queue-6.6/wifi-mt76-mt7996-add-sanity-checks-for-background-ra.patch create mode 100644 queue-6.6/wifi-mt76-replace-skb_put-with-skb_put_zero.patch diff --git a/queue-6.6/bpf-avoid-uninitialized-value-in-bpf_core_read_bitfi.patch b/queue-6.6/bpf-avoid-uninitialized-value-in-bpf_core_read_bitfi.patch new file mode 100644 index 00000000000..746331ad08a --- /dev/null +++ b/queue-6.6/bpf-avoid-uninitialized-value-in-bpf_core_read_bitfi.patch @@ -0,0 +1,59 @@ +From 93184ddac4ad6c10e253c3537a1d7f286e64b426 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 May 2024 12:13:13 +0200 +Subject: bpf: Avoid uninitialized value in BPF_CORE_READ_BITFIELD + +From: Jose E. Marchesi + +[ Upstream commit 009367099eb61a4fc2af44d4eb06b6b4de7de6db ] + +[Changes from V1: + - Use a default branch in the switch statement to initialize `val'.] + +GCC warns that `val' may be used uninitialized in the +BPF_CRE_READ_BITFIELD macro, defined in bpf_core_read.h as: + + [...] + unsigned long long val; \ + [...] \ + switch (__CORE_RELO(s, field, BYTE_SIZE)) { \ + case 1: val = *(const unsigned char *)p; break; \ + case 2: val = *(const unsigned short *)p; break; \ + case 4: val = *(const unsigned int *)p; break; \ + case 8: val = *(const unsigned long long *)p; break; \ + } \ + [...] + val; \ + } \ + +This patch adds a default entry in the switch statement that sets +`val' to zero in order to avoid the warning, and random values to be +used in case __builtin_preserve_field_info returns unexpected values +for BPF_FIELD_BYTE_SIZE. + +Tested in bpf-next master. +No regressions. + +Signed-off-by: Jose E. Marchesi +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20240508101313.16662-1-jose.marchesi@oracle.com +Signed-off-by: Sasha Levin +--- + tools/lib/bpf/bpf_core_read.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/lib/bpf/bpf_core_read.h b/tools/lib/bpf/bpf_core_read.h +index 1ac57bb7ac55f..e2b9e8415c044 100644 +--- a/tools/lib/bpf/bpf_core_read.h ++++ b/tools/lib/bpf/bpf_core_read.h +@@ -102,6 +102,7 @@ enum bpf_enum_value_kind { + case 2: val = *(const unsigned short *)p; break; \ + case 4: val = *(const unsigned int *)p; break; \ + case 8: val = *(const unsigned long long *)p; break; \ ++ default: val = 0; break; \ + } \ + val <<= __CORE_RELO(s, field, LSHIFT_U64); \ + if (__CORE_RELO(s, field, SIGNED)) \ +-- +2.43.0 + diff --git a/queue-6.6/btrfs-scrub-initialize-ret-in-scrub_simple_mirror-to.patch b/queue-6.6/btrfs-scrub-initialize-ret-in-scrub_simple_mirror-to.patch new file mode 100644 index 00000000000..45c7e11d477 --- /dev/null +++ b/queue-6.6/btrfs-scrub-initialize-ret-in-scrub_simple_mirror-to.patch @@ -0,0 +1,44 @@ +From 10d23e1cdce6177f78ed707a0931b8f7deb55f62 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 May 2024 10:34:17 +0800 +Subject: btrfs: scrub: initialize ret in scrub_simple_mirror() to fix + compilation warning +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Lu Yao + +[ Upstream commit b4e585fffc1cf877112ed231a91f089e85688c2a ] + +The following error message is displayed: + ../fs/btrfs/scrub.c:2152:9: error: ‘ret’ may be used uninitialized + in this function [-Werror=maybe-uninitialized]" + +Compiler version: gcc version: (Debian 10.2.1-6) 10.2.1 20210110 + +Reviewed-by: Boris Burkov +Signed-off-by: Lu Yao +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/scrub.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/btrfs/scrub.c b/fs/btrfs/scrub.c +index 819973c37a148..a2d91d9f8a109 100644 +--- a/fs/btrfs/scrub.c ++++ b/fs/btrfs/scrub.c +@@ -2020,7 +2020,7 @@ static int scrub_simple_mirror(struct scrub_ctx *sctx, + struct btrfs_fs_info *fs_info = sctx->fs_info; + const u64 logical_end = logical_start + logical_length; + u64 cur_logical = logical_start; +- int ret; ++ int ret = 0; + + /* The range must be inside the bg */ + ASSERT(logical_start >= bg->start && logical_end <= bg->start + bg->length); +-- +2.43.0 + diff --git a/queue-6.6/cdrom-rearrange-last_media_change-check-to-avoid-uni.patch b/queue-6.6/cdrom-rearrange-last_media_change-check-to-avoid-uni.patch new file mode 100644 index 00000000000..c392e590651 --- /dev/null +++ b/queue-6.6/cdrom-rearrange-last_media_change-check-to-avoid-uni.patch @@ -0,0 +1,71 @@ +From 069c10f3a77e3a3490054fd2bc1e573c0c1b6d50 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 May 2024 23:25:20 +0100 +Subject: cdrom: rearrange last_media_change check to avoid unintentional + overflow + +From: Justin Stitt + +[ Upstream commit efb905aeb44b0e99c0e6b07865b1885ae0471ebf ] + +When running syzkaller with the newly reintroduced signed integer wrap +sanitizer we encounter this splat: + +[ 366.015950] UBSAN: signed-integer-overflow in ../drivers/cdrom/cdrom.c:2361:33 +[ 366.021089] -9223372036854775808 - 346321 cannot be represented in type '__s64' (aka 'long long') +[ 366.025894] program syz-executor.4 is using a deprecated SCSI ioctl, please convert it to SG_IO +[ 366.027502] CPU: 5 PID: 28472 Comm: syz-executor.7 Not tainted 6.8.0-rc2-00035-gb3ef86b5a957 #1 +[ 366.027512] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +[ 366.027518] Call Trace: +[ 366.027523] +[ 366.027533] dump_stack_lvl+0x93/0xd0 +[ 366.027899] handle_overflow+0x171/0x1b0 +[ 366.038787] ata1.00: invalid multi_count 32 ignored +[ 366.043924] cdrom_ioctl+0x2c3f/0x2d10 +[ 366.063932] ? __pm_runtime_resume+0xe6/0x130 +[ 366.071923] sr_block_ioctl+0x15d/0x1d0 +[ 366.074624] ? __pfx_sr_block_ioctl+0x10/0x10 +[ 366.077642] blkdev_ioctl+0x419/0x500 +[ 366.080231] ? __pfx_blkdev_ioctl+0x10/0x10 +... + +Historically, the signed integer overflow sanitizer did not work in the +kernel due to its interaction with `-fwrapv` but this has since been +changed [1] in the newest version of Clang. It was re-enabled in the +kernel with Commit 557f8c582a9ba8ab ("ubsan: Reintroduce signed overflow +sanitizer"). + +Let's rearrange the check to not perform any arithmetic, thus not +tripping the sanitizer. + +Link: https://github.com/llvm/llvm-project/pull/82432 [1] +Closes: https://github.com/KSPP/linux/issues/354 +Cc: linux-hardening@vger.kernel.org +Signed-off-by: Justin Stitt +Link: https://lore.kernel.org/lkml/20240507-b4-sio-ata1-v1-1-810ffac6080a@google.com +Reviewed-by: Phillip Potter +Link: https://lore.kernel.org/lkml/ZjqU0fbzHrlnad8D@equinox +Signed-off-by: Phillip Potter +Link: https://lore.kernel.org/r/20240507222520.1445-2-phil@philpotter.co.uk +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/cdrom/cdrom.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c +index cc28398059833..01f46caf1f88b 100644 +--- a/drivers/cdrom/cdrom.c ++++ b/drivers/cdrom/cdrom.c +@@ -2358,7 +2358,7 @@ static int cdrom_ioctl_timed_media_change(struct cdrom_device_info *cdi, + return -EFAULT; + + tmp_info.media_flags = 0; +- if (tmp_info.last_media_change - cdi->last_media_change_ms < 0) ++ if (cdi->last_media_change_ms > tmp_info.last_media_change) + tmp_info.media_flags |= MEDIA_CHANGED_FLAG; + + tmp_info.last_media_change = cdi->last_media_change_ms; +-- +2.43.0 + diff --git a/queue-6.6/crypto-aead-cipher-zeroize-key-buffer-after-use.patch b/queue-6.6/crypto-aead-cipher-zeroize-key-buffer-after-use.patch new file mode 100644 index 00000000000..86c77f4bc69 --- /dev/null +++ b/queue-6.6/crypto-aead-cipher-zeroize-key-buffer-after-use.patch @@ -0,0 +1,53 @@ +From b38c94e6447459928db74a989aad99cbb1109798 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Apr 2024 22:19:15 +0000 +Subject: crypto: aead,cipher - zeroize key buffer after use + +From: Hailey Mothershead + +[ Upstream commit 23e4099bdc3c8381992f9eb975c79196d6755210 ] + +I.G 9.7.B for FIPS 140-3 specifies that variables temporarily holding +cryptographic information should be zeroized once they are no longer +needed. Accomplish this by using kfree_sensitive for buffers that +previously held the private key. + +Signed-off-by: Hailey Mothershead +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/aead.c | 3 +-- + crypto/cipher.c | 3 +-- + 2 files changed, 2 insertions(+), 4 deletions(-) + +diff --git a/crypto/aead.c b/crypto/aead.c +index d5ba204ebdbfa..ecab683016b7d 100644 +--- a/crypto/aead.c ++++ b/crypto/aead.c +@@ -45,8 +45,7 @@ static int setkey_unaligned(struct crypto_aead *tfm, const u8 *key, + alignbuffer = (u8 *)ALIGN((unsigned long)buffer, alignmask + 1); + memcpy(alignbuffer, key, keylen); + ret = crypto_aead_alg(tfm)->setkey(tfm, alignbuffer, keylen); +- memset(alignbuffer, 0, keylen); +- kfree(buffer); ++ kfree_sensitive(buffer); + return ret; + } + +diff --git a/crypto/cipher.c b/crypto/cipher.c +index 47c77a3e59783..40cae908788ec 100644 +--- a/crypto/cipher.c ++++ b/crypto/cipher.c +@@ -34,8 +34,7 @@ static int setkey_unaligned(struct crypto_cipher *tfm, const u8 *key, + alignbuffer = (u8 *)ALIGN((unsigned long)buffer, alignmask + 1); + memcpy(alignbuffer, key, keylen); + ret = cia->cia_setkey(crypto_cipher_tfm(tfm), alignbuffer, keylen); +- memset(alignbuffer, 0, keylen); +- kfree(buffer); ++ kfree_sensitive(buffer); + return ret; + + } +-- +2.43.0 + diff --git a/queue-6.6/crypto-hisilicon-debugfs-fix-debugfs-uninit-process-.patch b/queue-6.6/crypto-hisilicon-debugfs-fix-debugfs-uninit-process-.patch new file mode 100644 index 00000000000..d77254a5de0 --- /dev/null +++ b/queue-6.6/crypto-hisilicon-debugfs-fix-debugfs-uninit-process-.patch @@ -0,0 +1,82 @@ +From 1328f0a9c093ccdf1dd690c6155514a1782d5065 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 7 Apr 2024 15:59:53 +0800 +Subject: crypto: hisilicon/debugfs - Fix debugfs uninit process issue + +From: Chenghai Huang + +[ Upstream commit 8be0913389718e8d27c4f1d4537b5e1b99ed7739 ] + +During the zip probe process, the debugfs failure does not stop +the probe. When debugfs initialization fails, jumping to the +error branch will also release regs, in addition to its own +rollback operation. + +As a result, it may be released repeatedly during the regs +uninit process. Therefore, the null check needs to be added to +the regs uninit process. + +Signed-off-by: Chenghai Huang +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/hisilicon/debugfs.c | 21 ++++++++++++++++++--- + 1 file changed, 18 insertions(+), 3 deletions(-) + +diff --git a/drivers/crypto/hisilicon/debugfs.c b/drivers/crypto/hisilicon/debugfs.c +index 2cc1591949db7..bd205f1f2279e 100644 +--- a/drivers/crypto/hisilicon/debugfs.c ++++ b/drivers/crypto/hisilicon/debugfs.c +@@ -794,8 +794,14 @@ static void dfx_regs_uninit(struct hisi_qm *qm, + { + int i; + ++ if (!dregs) ++ return; ++ + /* Setting the pointer is NULL to prevent double free */ + for (i = 0; i < reg_len; i++) { ++ if (!dregs[i].regs) ++ continue; ++ + kfree(dregs[i].regs); + dregs[i].regs = NULL; + } +@@ -845,14 +851,21 @@ static struct dfx_diff_registers *dfx_regs_init(struct hisi_qm *qm, + static int qm_diff_regs_init(struct hisi_qm *qm, + struct dfx_diff_registers *dregs, u32 reg_len) + { ++ int ret; ++ + qm->debug.qm_diff_regs = dfx_regs_init(qm, qm_diff_regs, ARRAY_SIZE(qm_diff_regs)); +- if (IS_ERR(qm->debug.qm_diff_regs)) +- return PTR_ERR(qm->debug.qm_diff_regs); ++ if (IS_ERR(qm->debug.qm_diff_regs)) { ++ ret = PTR_ERR(qm->debug.qm_diff_regs); ++ qm->debug.qm_diff_regs = NULL; ++ return ret; ++ } + + qm->debug.acc_diff_regs = dfx_regs_init(qm, dregs, reg_len); + if (IS_ERR(qm->debug.acc_diff_regs)) { + dfx_regs_uninit(qm, qm->debug.qm_diff_regs, ARRAY_SIZE(qm_diff_regs)); +- return PTR_ERR(qm->debug.acc_diff_regs); ++ ret = PTR_ERR(qm->debug.acc_diff_regs); ++ qm->debug.acc_diff_regs = NULL; ++ return ret; + } + + return 0; +@@ -893,7 +906,9 @@ static int qm_last_regs_init(struct hisi_qm *qm) + static void qm_diff_regs_uninit(struct hisi_qm *qm, u32 reg_len) + { + dfx_regs_uninit(qm, qm->debug.acc_diff_regs, reg_len); ++ qm->debug.acc_diff_regs = NULL; + dfx_regs_uninit(qm, qm->debug.qm_diff_regs, ARRAY_SIZE(qm_diff_regs)); ++ qm->debug.qm_diff_regs = NULL; + } + + /** +-- +2.43.0 + diff --git a/queue-6.6/drm-amd-display-check-index-msg_id-before-read-or-wr.patch b/queue-6.6/drm-amd-display-check-index-msg_id-before-read-or-wr.patch new file mode 100644 index 00000000000..4f262a32870 --- /dev/null +++ b/queue-6.6/drm-amd-display-check-index-msg_id-before-read-or-wr.patch @@ -0,0 +1,56 @@ +From c93023859570f6b4d5c5e31fcf31ba2e03ce4809 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Apr 2024 13:27:43 -0600 +Subject: drm/amd/display: Check index msg_id before read or write + +From: Alex Hung + +[ Upstream commit 59d99deb330af206a4541db0c4da8f73880fba03 ] + +[WHAT] +msg_id is used as an array index and it cannot be a negative value, and +therefore cannot be equal to MOD_HDCP_MESSAGE_ID_INVALID (-1). + +[HOW] +Check whether msg_id is valid before reading and setting. + +This fixes 4 OVERRUN issues reported by Coverity. + +Reviewed-by: Rodrigo Siqueira +Acked-by: Wayne Lin +Signed-off-by: Alex Hung +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c b/drivers/gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c +index f7b5583ee609a..8e9caae7c9559 100644 +--- a/drivers/gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c ++++ b/drivers/gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c +@@ -156,6 +156,10 @@ static enum mod_hdcp_status read(struct mod_hdcp *hdcp, + uint32_t cur_size = 0; + uint32_t data_offset = 0; + ++ if (msg_id == MOD_HDCP_MESSAGE_ID_INVALID) { ++ return MOD_HDCP_STATUS_DDC_FAILURE; ++ } ++ + if (is_dp_hdcp(hdcp)) { + while (buf_len > 0) { + cur_size = MIN(buf_len, HDCP_MAX_AUX_TRANSACTION_SIZE); +@@ -215,6 +219,10 @@ static enum mod_hdcp_status write(struct mod_hdcp *hdcp, + uint32_t cur_size = 0; + uint32_t data_offset = 0; + ++ if (msg_id == MOD_HDCP_MESSAGE_ID_INVALID) { ++ return MOD_HDCP_STATUS_DDC_FAILURE; ++ } ++ + if (is_dp_hdcp(hdcp)) { + while (buf_len > 0) { + cur_size = MIN(buf_len, HDCP_MAX_AUX_TRANSACTION_SIZE); +-- +2.43.0 + diff --git a/queue-6.6/drm-amd-display-check-pipe-offset-before-setting-vbl.patch b/queue-6.6/drm-amd-display-check-pipe-offset-before-setting-vbl.patch new file mode 100644 index 00000000000..3c27a9d4d56 --- /dev/null +++ b/queue-6.6/drm-amd-display-check-pipe-offset-before-setting-vbl.patch @@ -0,0 +1,45 @@ +From 11511788ac3090687c5ca44efab656eb2e474655 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Apr 2024 18:07:17 -0600 +Subject: drm/amd/display: Check pipe offset before setting vblank + +From: Alex Hung + +[ Upstream commit 5396a70e8cf462ec5ccf2dc8de103c79de9489e6 ] + +pipe_ctx has a size of MAX_PIPES so checking its index before accessing +the array. + +This fixes an OVERRUN issue reported by Coverity. + +Reviewed-by: Rodrigo Siqueira +Acked-by: Wayne Lin +Signed-off-by: Alex Hung +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + .../drm/amd/display/dc/irq/dce110/irq_service_dce110.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/irq/dce110/irq_service_dce110.c b/drivers/gpu/drm/amd/display/dc/irq/dce110/irq_service_dce110.c +index 44649db5f3e32..5646b7788f02e 100644 +--- a/drivers/gpu/drm/amd/display/dc/irq/dce110/irq_service_dce110.c ++++ b/drivers/gpu/drm/amd/display/dc/irq/dce110/irq_service_dce110.c +@@ -211,8 +211,12 @@ bool dce110_vblank_set(struct irq_service *irq_service, + info->ext_id); + uint8_t pipe_offset = dal_irq_src - IRQ_TYPE_VBLANK; + +- struct timing_generator *tg = +- dc->current_state->res_ctx.pipe_ctx[pipe_offset].stream_res.tg; ++ struct timing_generator *tg; ++ ++ if (pipe_offset >= MAX_PIPES) ++ return false; ++ ++ tg = dc->current_state->res_ctx.pipe_ctx[pipe_offset].stream_res.tg; + + if (enable) { + if (!tg || !tg->funcs->arm_vert_intr(tg, 2)) { +-- +2.43.0 + diff --git a/queue-6.6/drm-amd-display-fix-uninitialized-variables-in-dm.patch b/queue-6.6/drm-amd-display-fix-uninitialized-variables-in-dm.patch new file mode 100644 index 00000000000..733ba1a058f --- /dev/null +++ b/queue-6.6/drm-amd-display-fix-uninitialized-variables-in-dm.patch @@ -0,0 +1,86 @@ +From 8814661f4351a8f609490a477e0e46652544d969 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Apr 2024 19:02:56 -0600 +Subject: drm/amd/display: Fix uninitialized variables in DM + +From: Alex Hung + +[ Upstream commit f95bcb041f213a5da3da5fcaf73269bd13dba945 ] + +This fixes 11 UNINIT issues reported by Coverity. + +Reviewed-by: Hersen Wu +Acked-by: Wayne Lin +Signed-off-by: Alex Hung +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 8 ++++---- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 4 ++-- + 2 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +index 7ed6bb61fe0ad..c1a0fd47802a0 100644 +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -264,7 +264,7 @@ static u32 dm_vblank_get_counter(struct amdgpu_device *adev, int crtc) + static int dm_crtc_get_scanoutpos(struct amdgpu_device *adev, int crtc, + u32 *vbl, u32 *position) + { +- u32 v_blank_start, v_blank_end, h_position, v_position; ++ u32 v_blank_start = 0, v_blank_end = 0, h_position = 0, v_position = 0; + struct amdgpu_crtc *acrtc = NULL; + + if ((crtc < 0) || (crtc >= adev->mode_info.num_crtc)) +@@ -801,7 +801,7 @@ static void dm_handle_hpd_work(struct work_struct *work) + */ + static void dm_dmub_outbox1_low_irq(void *interrupt_params) + { +- struct dmub_notification notify; ++ struct dmub_notification notify = {0}; + struct common_irq_params *irq_params = interrupt_params; + struct amdgpu_device *adev = irq_params->adev; + struct amdgpu_display_manager *dm = &adev->dm; +@@ -6895,7 +6895,7 @@ static int dm_update_mst_vcpi_slots_for_dsc(struct drm_atomic_state *state, + struct amdgpu_dm_connector *aconnector; + struct dm_connector_state *dm_conn_state; + int i, j, ret; +- int vcpi, pbn_div, pbn, slot_num = 0; ++ int vcpi, pbn_div, pbn = 0, slot_num = 0; + + for_each_new_connector_in_state(state, connector, new_con_state, i) { + +@@ -10064,7 +10064,7 @@ static int amdgpu_dm_atomic_check(struct drm_device *dev, + struct dm_crtc_state *dm_old_crtc_state, *dm_new_crtc_state; + struct drm_dp_mst_topology_mgr *mgr; + struct drm_dp_mst_topology_state *mst_state; +- struct dsc_mst_fairness_vars vars[MAX_PIPES]; ++ struct dsc_mst_fairness_vars vars[MAX_PIPES] = {0}; + + trace_amdgpu_dm_atomic_check_begin(state); + +diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c +index 2bc37c5a27605..c8609595f324b 100644 +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c +@@ -1219,7 +1219,7 @@ static ssize_t dp_sdp_message_debugfs_write(struct file *f, const char __user *b + size_t size, loff_t *pos) + { + int r; +- uint8_t data[36]; ++ uint8_t data[36] = {0}; + struct amdgpu_dm_connector *connector = file_inode(f)->i_private; + struct dm_crtc_state *acrtc_state; + uint32_t write_size = 36; +@@ -2929,7 +2929,7 @@ static int psr_read_residency(void *data, u64 *val) + { + struct amdgpu_dm_connector *connector = data; + struct dc_link *link = connector->dc_link; +- u32 residency; ++ u32 residency = 0; + + link->dc->link_srv->edp_get_psr_residency(link, &residency); + +-- +2.43.0 + diff --git a/queue-6.6/drm-amd-display-skip-finding-free-audio-for-unknown-.patch b/queue-6.6/drm-amd-display-skip-finding-free-audio-for-unknown-.patch new file mode 100644 index 00000000000..a5143db0d7b --- /dev/null +++ b/queue-6.6/drm-amd-display-skip-finding-free-audio-for-unknown-.patch @@ -0,0 +1,44 @@ +From 2ce9c6ac90a64a199c318bb9655f829e6faf9681 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Apr 2024 13:52:27 -0600 +Subject: drm/amd/display: Skip finding free audio for unknown engine_id + +From: Alex Hung + +[ Upstream commit 1357b2165d9ad94faa4c4a20d5e2ce29c2ff29c3 ] + +[WHY] +ENGINE_ID_UNKNOWN = -1 and can not be used as an array index. Plus, it +also means it is uninitialized and does not need free audio. + +[HOW] +Skip and return NULL. + +This fixes 2 OVERRUN issues reported by Coverity. + +Reviewed-by: Rodrigo Siqueira +Acked-by: Wayne Lin +Signed-off-by: Alex Hung +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/core/dc_resource.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_resource.c b/drivers/gpu/drm/amd/display/dc/core/dc_resource.c +index 8873acfe309c8..84923c5400d32 100644 +--- a/drivers/gpu/drm/amd/display/dc/core/dc_resource.c ++++ b/drivers/gpu/drm/amd/display/dc/core/dc_resource.c +@@ -2385,6 +2385,9 @@ static struct audio *find_first_free_audio( + { + int i, available_audio_count; + ++ if (id == ENGINE_ID_UNKNOWN) ++ return NULL; ++ + available_audio_count = pool->audio_count; + + for (i = 0; i < available_audio_count; i++) { +-- +2.43.0 + diff --git a/queue-6.6/drm-amdgpu-fix-the-warning-about-the-expression-int-.patch b/queue-6.6/drm-amdgpu-fix-the-warning-about-the-expression-int-.patch new file mode 100644 index 00000000000..5fa2008ab2b --- /dev/null +++ b/queue-6.6/drm-amdgpu-fix-the-warning-about-the-expression-int-.patch @@ -0,0 +1,43 @@ +From 0d2a07bbac724373f81ab781814b5c4547aed45a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Apr 2024 15:16:40 +0800 +Subject: drm/amdgpu: fix the warning about the expression (int)size - len + +From: Jesse Zhang + +[ Upstream commit ea686fef5489ef7a2450a9fdbcc732b837fb46a8 ] + +Converting size from size_t to int may overflow. +v2: keep reverse xmas tree order (Christian) + +Signed-off-by: Jesse Zhang +Reviewed-by: Alex Deucher +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c +index 418ff7cd662da..1c2c9ff9d39df 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c +@@ -2052,12 +2052,13 @@ static ssize_t amdgpu_reset_dump_register_list_write(struct file *f, + struct amdgpu_device *adev = (struct amdgpu_device *)file_inode(f)->i_private; + char reg_offset[11]; + uint32_t *new = NULL, *tmp = NULL; +- int ret, i = 0, len = 0; ++ unsigned int len = 0; ++ int ret, i = 0; + + do { + memset(reg_offset, 0, 11); + if (copy_from_user(reg_offset, buf + len, +- min(10, ((int)size-len)))) { ++ min(10, (size-len)))) { + ret = -EFAULT; + goto error_free; + } +-- +2.43.0 + diff --git a/queue-6.6/drm-amdgpu-fix-uninitialized-scalar-variable-warning.patch b/queue-6.6/drm-amdgpu-fix-uninitialized-scalar-variable-warning.patch new file mode 100644 index 00000000000..26e1144d8f6 --- /dev/null +++ b/queue-6.6/drm-amdgpu-fix-uninitialized-scalar-variable-warning.patch @@ -0,0 +1,39 @@ +From 826270c67c8355bddc2a285111d8116e0a7565b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Apr 2024 14:06:28 +0800 +Subject: drm/amdgpu: fix uninitialized scalar variable warning +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Tim Huang + +[ Upstream commit 9a5f15d2a29d06ce5bd50919da7221cda92afb69 ] + +Clear warning that uses uninitialized value fw_size. + +Signed-off-by: Tim Huang +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_gfx.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_gfx.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_gfx.c +index 053983e9f4aef..0ca51df46cc0d 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gfx.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gfx.c +@@ -1184,7 +1184,8 @@ void amdgpu_gfx_cp_init_microcode(struct amdgpu_device *adev, + fw_size = le32_to_cpu(cp_hdr_v2_0->data_size_bytes); + break; + default: +- break; ++ dev_err(adev->dev, "Invalid ucode id %u\n", ucode_id); ++ return; + } + + if (adev->firmware.load_type == AMDGPU_FW_LOAD_PSP) { +-- +2.43.0 + diff --git a/queue-6.6/drm-amdgpu-fix-uninitialized-variable-warnings.patch b/queue-6.6/drm-amdgpu-fix-uninitialized-variable-warnings.patch new file mode 100644 index 00000000000..f0e9b81da47 --- /dev/null +++ b/queue-6.6/drm-amdgpu-fix-uninitialized-variable-warnings.patch @@ -0,0 +1,52 @@ +From d863dde5123c3aea5457acc7a5ae07567a56575c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Apr 2024 14:47:52 +0800 +Subject: drm/amdgpu: Fix uninitialized variable warnings +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ma Jun + +[ Upstream commit 60c448439f3b5db9431e13f7f361b4074d0e8594 ] + +return 0 to avoid returning an uninitialized variable r + +Signed-off-by: Ma Jun +Acked-by: Christian König +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/aldebaran.c | 2 +- + drivers/gpu/drm/amd/amdgpu/sienna_cichlid.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/aldebaran.c b/drivers/gpu/drm/amd/amdgpu/aldebaran.c +index fa6193535d485..7fea4f0f495a3 100644 +--- a/drivers/gpu/drm/amd/amdgpu/aldebaran.c ++++ b/drivers/gpu/drm/amd/amdgpu/aldebaran.c +@@ -100,7 +100,7 @@ static int aldebaran_mode2_suspend_ip(struct amdgpu_device *adev) + adev->ip_blocks[i].status.hw = false; + } + +- return r; ++ return 0; + } + + static int +diff --git a/drivers/gpu/drm/amd/amdgpu/sienna_cichlid.c b/drivers/gpu/drm/amd/amdgpu/sienna_cichlid.c +index 8b8086d5c864b..896c7e434d3bc 100644 +--- a/drivers/gpu/drm/amd/amdgpu/sienna_cichlid.c ++++ b/drivers/gpu/drm/amd/amdgpu/sienna_cichlid.c +@@ -93,7 +93,7 @@ static int sienna_cichlid_mode2_suspend_ip(struct amdgpu_device *adev) + adev->ip_blocks[i].status.hw = false; + } + +- return r; ++ return 0; + } + + static int +-- +2.43.0 + diff --git a/queue-6.6/drm-amdgpu-initialize-timestamp-for-some-legacy-socs.patch b/queue-6.6/drm-amdgpu-initialize-timestamp-for-some-legacy-socs.patch new file mode 100644 index 00000000000..09872563b72 --- /dev/null +++ b/queue-6.6/drm-amdgpu-initialize-timestamp-for-some-legacy-socs.patch @@ -0,0 +1,46 @@ +From 29df073b224823929a5022efa1c7a42546922c2e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Apr 2024 10:07:51 +0800 +Subject: drm/amdgpu: Initialize timestamp for some legacy SOCs +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ma Jun + +[ Upstream commit 2e55bcf3d742a4946d862b86e39e75a95cc6f1c0 ] + +Initialize the interrupt timestamp for some legacy SOCs +to fix the coverity issue "Uninitialized scalar variable" + +Signed-off-by: Ma Jun +Suggested-by: Christian König +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c +index fa6d0adcec206..5978edf7ea71e 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c +@@ -438,6 +438,14 @@ void amdgpu_irq_dispatch(struct amdgpu_device *adev, + + entry.ih = ih; + entry.iv_entry = (const uint32_t *)&ih->ring[ring_index]; ++ ++ /* ++ * timestamp is not supported on some legacy SOCs (cik, cz, iceland, ++ * si and tonga), so initialize timestamp and timestamp_src to 0 ++ */ ++ entry.timestamp = 0; ++ entry.timestamp_src = 0; ++ + amdgpu_ih_decode_iv(adev, &entry); + + trace_amdgpu_iv(ih - &adev->irq.ih, &entry); +-- +2.43.0 + diff --git a/queue-6.6/drm-amdgpu-using-uninitialized-value-size-when-calli.patch b/queue-6.6/drm-amdgpu-using-uninitialized-value-size-when-calli.patch new file mode 100644 index 00000000000..e6b056950dd --- /dev/null +++ b/queue-6.6/drm-amdgpu-using-uninitialized-value-size-when-calli.patch @@ -0,0 +1,43 @@ +From 12f024b8b6c2724ffb59c9c10406f3f085b32cf7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Apr 2024 17:10:46 +0800 +Subject: drm/amdgpu: Using uninitialized value *size when calling + amdgpu_vce_cs_reloc +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jesse Zhang + +[ Upstream commit 88a9a467c548d0b3c7761b4fd54a68e70f9c0944 ] + +Initialize the size before calling amdgpu_vce_cs_reloc, such as case 0x03000001. +V2: To really improve the handling we would actually + need to have a separate value of 0xffffffff.(Christian) + +Signed-off-by: Jesse Zhang +Suggested-by: Christian König +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c +index 1904edf684071..88a3aa36b41d7 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c +@@ -742,7 +742,8 @@ int amdgpu_vce_ring_parse_cs(struct amdgpu_cs_parser *p, + uint32_t created = 0; + uint32_t allocated = 0; + uint32_t tmp, handle = 0; +- uint32_t *size = &tmp; ++ uint32_t dummy = 0xffffffff; ++ uint32_t *size = &dummy; + unsigned int idx; + int i, r = 0; + +-- +2.43.0 + diff --git a/queue-6.6/drm-lima-fix-shared-irq-handling-on-driver-remove.patch b/queue-6.6/drm-lima-fix-shared-irq-handling-on-driver-remove.patch new file mode 100644 index 00000000000..c1532905fa4 --- /dev/null +++ b/queue-6.6/drm-lima-fix-shared-irq-handling-on-driver-remove.patch @@ -0,0 +1,88 @@ +From a40ee90a5de1252188a13b4058970742f0103955 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Apr 2024 00:43:28 +0200 +Subject: drm/lima: fix shared irq handling on driver remove + +From: Erico Nunes + +[ Upstream commit a6683c690bbfd1f371510cb051e8fa49507f3f5e ] + +lima uses a shared interrupt, so the interrupt handlers must be prepared +to be called at any time. At driver removal time, the clocks are +disabled early and the interrupts stay registered until the very end of +the remove process due to the devm usage. +This is potentially a bug as the interrupts access device registers +which assumes clocks are enabled. A crash can be triggered by removing +the driver in a kernel with CONFIG_DEBUG_SHIRQ enabled. +This patch frees the interrupts at each lima device finishing callback +so that the handlers are already unregistered by the time we fully +disable clocks. + +Signed-off-by: Erico Nunes +Signed-off-by: Qiang Yu +Link: https://patchwork.freedesktop.org/patch/msgid/20240401224329.1228468-2-nunes.erico@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/lima/lima_gp.c | 2 ++ + drivers/gpu/drm/lima/lima_mmu.c | 5 +++++ + drivers/gpu/drm/lima/lima_pp.c | 4 ++++ + 3 files changed, 11 insertions(+) + +diff --git a/drivers/gpu/drm/lima/lima_gp.c b/drivers/gpu/drm/lima/lima_gp.c +index 6cf46b653e810..ca3842f719842 100644 +--- a/drivers/gpu/drm/lima/lima_gp.c ++++ b/drivers/gpu/drm/lima/lima_gp.c +@@ -324,7 +324,9 @@ int lima_gp_init(struct lima_ip *ip) + + void lima_gp_fini(struct lima_ip *ip) + { ++ struct lima_device *dev = ip->dev; + ++ devm_free_irq(dev->dev, ip->irq, ip); + } + + int lima_gp_pipe_init(struct lima_device *dev) +diff --git a/drivers/gpu/drm/lima/lima_mmu.c b/drivers/gpu/drm/lima/lima_mmu.c +index a1ae6c252dc2b..8ca7047adbaca 100644 +--- a/drivers/gpu/drm/lima/lima_mmu.c ++++ b/drivers/gpu/drm/lima/lima_mmu.c +@@ -118,7 +118,12 @@ int lima_mmu_init(struct lima_ip *ip) + + void lima_mmu_fini(struct lima_ip *ip) + { ++ struct lima_device *dev = ip->dev; ++ ++ if (ip->id == lima_ip_ppmmu_bcast) ++ return; + ++ devm_free_irq(dev->dev, ip->irq, ip); + } + + void lima_mmu_flush_tlb(struct lima_ip *ip) +diff --git a/drivers/gpu/drm/lima/lima_pp.c b/drivers/gpu/drm/lima/lima_pp.c +index 54b208a4a768e..d34c9e8840f45 100644 +--- a/drivers/gpu/drm/lima/lima_pp.c ++++ b/drivers/gpu/drm/lima/lima_pp.c +@@ -266,7 +266,9 @@ int lima_pp_init(struct lima_ip *ip) + + void lima_pp_fini(struct lima_ip *ip) + { ++ struct lima_device *dev = ip->dev; + ++ devm_free_irq(dev->dev, ip->irq, ip); + } + + int lima_pp_bcast_resume(struct lima_ip *ip) +@@ -299,7 +301,9 @@ int lima_pp_bcast_init(struct lima_ip *ip) + + void lima_pp_bcast_fini(struct lima_ip *ip) + { ++ struct lima_device *dev = ip->dev; + ++ devm_free_irq(dev->dev, ip->irq, ip); + } + + static int lima_pp_task_validate(struct lima_sched_pipe *pipe, +-- +2.43.0 + diff --git a/queue-6.6/f2fs-check-validation-of-fault-attrs-in-f2fs_build_f.patch b/queue-6.6/f2fs-check-validation-of-fault-attrs-in-f2fs_build_f.patch new file mode 100644 index 00000000000..5bf1a5e137c --- /dev/null +++ b/queue-6.6/f2fs-check-validation-of-fault-attrs-in-f2fs_build_f.patch @@ -0,0 +1,142 @@ +From a9f78fdfe2daac1153ddf97bf4bc1960aaa5e573 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 May 2024 11:38:47 +0800 +Subject: f2fs: check validation of fault attrs in f2fs_build_fault_attr() + +From: Chao Yu + +[ Upstream commit 4ed886b187f47447ad559619c48c086f432d2b77 ] + +- It missed to check validation of fault attrs in parse_options(), +let's fix to add check condition in f2fs_build_fault_attr(). +- Use f2fs_build_fault_attr() in __sbi_store() to clean up code. + +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/f2fs.h | 12 ++++++++---- + fs/f2fs/super.c | 27 ++++++++++++++++++++------- + fs/f2fs/sysfs.c | 14 ++++++++++---- + 3 files changed, 38 insertions(+), 15 deletions(-) + +diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h +index f1fbfa7fb279e..5056af9e0581c 100644 +--- a/fs/f2fs/f2fs.h ++++ b/fs/f2fs/f2fs.h +@@ -69,7 +69,7 @@ enum { + + struct f2fs_fault_info { + atomic_t inject_ops; +- unsigned int inject_rate; ++ int inject_rate; + unsigned int inject_type; + }; + +@@ -4593,10 +4593,14 @@ static inline bool f2fs_need_verity(const struct inode *inode, pgoff_t idx) + } + + #ifdef CONFIG_F2FS_FAULT_INJECTION +-extern void f2fs_build_fault_attr(struct f2fs_sb_info *sbi, unsigned int rate, +- unsigned int type); ++extern int f2fs_build_fault_attr(struct f2fs_sb_info *sbi, unsigned long rate, ++ unsigned long type); + #else +-#define f2fs_build_fault_attr(sbi, rate, type) do { } while (0) ++static int f2fs_build_fault_attr(struct f2fs_sb_info *sbi, unsigned long rate, ++ unsigned long type) ++{ ++ return 0; ++} + #endif + + static inline bool is_journalled_quota(struct f2fs_sb_info *sbi) +diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c +index ce50d2253dd80..e022d8233c0a5 100644 +--- a/fs/f2fs/super.c ++++ b/fs/f2fs/super.c +@@ -64,21 +64,31 @@ const char *f2fs_fault_name[FAULT_MAX] = { + [FAULT_BLKADDR] = "invalid blkaddr", + }; + +-void f2fs_build_fault_attr(struct f2fs_sb_info *sbi, unsigned int rate, +- unsigned int type) ++int f2fs_build_fault_attr(struct f2fs_sb_info *sbi, unsigned long rate, ++ unsigned long type) + { + struct f2fs_fault_info *ffi = &F2FS_OPTION(sbi).fault_info; + + if (rate) { ++ if (rate > INT_MAX) ++ return -EINVAL; + atomic_set(&ffi->inject_ops, 0); +- ffi->inject_rate = rate; ++ ffi->inject_rate = (int)rate; + } + +- if (type) +- ffi->inject_type = type; ++ if (type) { ++ if (type >= BIT(FAULT_MAX)) ++ return -EINVAL; ++ ffi->inject_type = (unsigned int)type; ++ } + + if (!rate && !type) + memset(ffi, 0, sizeof(struct f2fs_fault_info)); ++ else ++ f2fs_info(sbi, ++ "build fault injection attr: rate: %lu, type: 0x%lx", ++ rate, type); ++ return 0; + } + #endif + +@@ -869,14 +879,17 @@ static int parse_options(struct super_block *sb, char *options, bool is_remount) + case Opt_fault_injection: + if (args->from && match_int(args, &arg)) + return -EINVAL; +- f2fs_build_fault_attr(sbi, arg, F2FS_ALL_FAULT_TYPE); ++ if (f2fs_build_fault_attr(sbi, arg, ++ F2FS_ALL_FAULT_TYPE)) ++ return -EINVAL; + set_opt(sbi, FAULT_INJECTION); + break; + + case Opt_fault_type: + if (args->from && match_int(args, &arg)) + return -EINVAL; +- f2fs_build_fault_attr(sbi, 0, arg); ++ if (f2fs_build_fault_attr(sbi, 0, arg)) ++ return -EINVAL; + set_opt(sbi, FAULT_INJECTION); + break; + #else +diff --git a/fs/f2fs/sysfs.c b/fs/f2fs/sysfs.c +index 6347a55020c6e..180feefc4a9ce 100644 +--- a/fs/f2fs/sysfs.c ++++ b/fs/f2fs/sysfs.c +@@ -457,10 +457,16 @@ static ssize_t __sbi_store(struct f2fs_attr *a, + if (ret < 0) + return ret; + #ifdef CONFIG_F2FS_FAULT_INJECTION +- if (a->struct_type == FAULT_INFO_TYPE && t >= BIT(FAULT_MAX)) +- return -EINVAL; +- if (a->struct_type == FAULT_INFO_RATE && t >= UINT_MAX) +- return -EINVAL; ++ if (a->struct_type == FAULT_INFO_TYPE) { ++ if (f2fs_build_fault_attr(sbi, 0, t)) ++ return -EINVAL; ++ return count; ++ } ++ if (a->struct_type == FAULT_INFO_RATE) { ++ if (f2fs_build_fault_attr(sbi, t, 0)) ++ return -EINVAL; ++ return count; ++ } + #endif + if (a->struct_type == RESERVED_BLOCKS) { + spin_lock(&sbi->stat_lock); +-- +2.43.0 + diff --git a/queue-6.6/firmware-dmi-stop-decoding-on-broken-entry.patch b/queue-6.6/firmware-dmi-stop-decoding-on-broken-entry.patch new file mode 100644 index 00000000000..f5b584d8c8d --- /dev/null +++ b/queue-6.6/firmware-dmi-stop-decoding-on-broken-entry.patch @@ -0,0 +1,46 @@ +From 84f6532b5e963c8b27c3d32badca3197fc7a159f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Apr 2024 18:29:32 +0200 +Subject: firmware: dmi: Stop decoding on broken entry + +From: Jean Delvare + +[ Upstream commit 0ef11f604503b1862a21597436283f158114d77e ] + +If a DMI table entry is shorter than 4 bytes, it is invalid. Due to +how DMI table parsing works, it is impossible to safely recover from +such an error, so we have to stop decoding the table. + +Signed-off-by: Jean Delvare +Link: https://lore.kernel.org/linux-kernel/Zh2K3-HLXOesT_vZ@liuwe-devbox-debian-v2/T/ +Reviewed-by: Michael Kelley +Signed-off-by: Sasha Levin +--- + drivers/firmware/dmi_scan.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/drivers/firmware/dmi_scan.c b/drivers/firmware/dmi_scan.c +index 015c95a825d31..ac2a5d2d47463 100644 +--- a/drivers/firmware/dmi_scan.c ++++ b/drivers/firmware/dmi_scan.c +@@ -101,6 +101,17 @@ static void dmi_decode_table(u8 *buf, + (data - buf + sizeof(struct dmi_header)) <= dmi_len) { + const struct dmi_header *dm = (const struct dmi_header *)data; + ++ /* ++ * If a short entry is found (less than 4 bytes), not only it ++ * is invalid, but we cannot reliably locate the next entry. ++ */ ++ if (dm->length < sizeof(struct dmi_header)) { ++ pr_warn(FW_BUG ++ "Corrupted DMI table, offset %zd (only %d entries processed)\n", ++ data - buf, i); ++ break; ++ } ++ + /* + * We want to know the total length (formatted area and + * strings) before decoding to make sure we won't run off the +-- +2.43.0 + diff --git a/queue-6.6/i2c-i801-annotate-apanel_addr-as-__ro_after_init.patch b/queue-6.6/i2c-i801-annotate-apanel_addr-as-__ro_after_init.patch new file mode 100644 index 00000000000..f53c7df1de9 --- /dev/null +++ b/queue-6.6/i2c-i801-annotate-apanel_addr-as-__ro_after_init.patch @@ -0,0 +1,35 @@ +From 9ab1e622423a64727367bae0d4a94fab7de462ea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Apr 2024 12:21:58 +0200 +Subject: i2c: i801: Annotate apanel_addr as __ro_after_init + +From: Heiner Kallweit + +[ Upstream commit 355b1513b1e97b6cef84b786c6480325dfd3753d ] + +Annotate this variable as __ro_after_init to protect it from being +overwritten later. + +Signed-off-by: Heiner Kallweit +Signed-off-by: Andi Shyti +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-i801.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/i2c/busses/i2c-i801.c b/drivers/i2c/busses/i2c-i801.c +index f6bc37f5eb3a3..3410add34aad2 100644 +--- a/drivers/i2c/busses/i2c-i801.c ++++ b/drivers/i2c/busses/i2c-i801.c +@@ -1052,7 +1052,7 @@ static const struct pci_device_id i801_ids[] = { + MODULE_DEVICE_TABLE(pci, i801_ids); + + #if defined CONFIG_X86 && defined CONFIG_DMI +-static unsigned char apanel_addr; ++static unsigned char apanel_addr __ro_after_init; + + /* Scan the system ROM for the signature "FJKEYINF" */ + static __init const void __iomem *bios_signature(const void __iomem *bios) +-- +2.43.0 + diff --git a/queue-6.6/ib-core-implement-a-limit-on-umad-receive-list.patch b/queue-6.6/ib-core-implement-a-limit-on-umad-receive-list.patch new file mode 100644 index 00000000000..ddf503b87ca --- /dev/null +++ b/queue-6.6/ib-core-implement-a-limit-on-umad-receive-list.patch @@ -0,0 +1,125 @@ +From 58224f11c28c44060c1a630389ba38b13e3c4051 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Apr 2024 15:01:44 +0300 +Subject: IB/core: Implement a limit on UMAD receive List + +From: Michael Guralnik + +[ Upstream commit ca0b44e20a6f3032224599f02e7c8fb49525c894 ] + +The existing behavior of ib_umad, which maintains received MAD +packets in an unbounded list, poses a risk of uncontrolled growth. +As user-space applications extract packets from this list, the rate +of extraction may not match the rate of incoming packets, leading +to potential list overflow. + +To address this, we introduce a limit to the size of the list. After +considering typical scenarios, such as OpenSM processing, which can +handle approximately 100k packets per second, and the 1-second retry +timeout for most packets, we set the list size limit to 200k. Packets +received beyond this limit are dropped, assuming they are likely timed +out by the time they are handled by user-space. + +Notably, packets queued on the receive list due to reasons like +timed-out sends are preserved even when the list is full. + +Signed-off-by: Michael Guralnik +Reviewed-by: Mark Zhang +Link: https://lore.kernel.org/r/7197cb58a7d9e78399008f25036205ceab07fbd5.1713268818.git.leon@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/user_mad.c | 21 +++++++++++++++------ + 1 file changed, 15 insertions(+), 6 deletions(-) + +diff --git a/drivers/infiniband/core/user_mad.c b/drivers/infiniband/core/user_mad.c +index f5feca7fa9b9c..2ed749f50a29f 100644 +--- a/drivers/infiniband/core/user_mad.c ++++ b/drivers/infiniband/core/user_mad.c +@@ -63,6 +63,8 @@ MODULE_AUTHOR("Roland Dreier"); + MODULE_DESCRIPTION("InfiniBand userspace MAD packet access"); + MODULE_LICENSE("Dual BSD/GPL"); + ++#define MAX_UMAD_RECV_LIST_SIZE 200000 ++ + enum { + IB_UMAD_MAX_PORTS = RDMA_MAX_PORTS, + IB_UMAD_MAX_AGENTS = 32, +@@ -113,6 +115,7 @@ struct ib_umad_file { + struct mutex mutex; + struct ib_umad_port *port; + struct list_head recv_list; ++ atomic_t recv_list_size; + struct list_head send_list; + struct list_head port_list; + spinlock_t send_lock; +@@ -180,24 +183,28 @@ static struct ib_mad_agent *__get_agent(struct ib_umad_file *file, int id) + return file->agents_dead ? NULL : file->agent[id]; + } + +-static int queue_packet(struct ib_umad_file *file, +- struct ib_mad_agent *agent, +- struct ib_umad_packet *packet) ++static int queue_packet(struct ib_umad_file *file, struct ib_mad_agent *agent, ++ struct ib_umad_packet *packet, bool is_recv_mad) + { + int ret = 1; + + mutex_lock(&file->mutex); + ++ if (is_recv_mad && ++ atomic_read(&file->recv_list_size) > MAX_UMAD_RECV_LIST_SIZE) ++ goto unlock; ++ + for (packet->mad.hdr.id = 0; + packet->mad.hdr.id < IB_UMAD_MAX_AGENTS; + packet->mad.hdr.id++) + if (agent == __get_agent(file, packet->mad.hdr.id)) { + list_add_tail(&packet->list, &file->recv_list); ++ atomic_inc(&file->recv_list_size); + wake_up_interruptible(&file->recv_wait); + ret = 0; + break; + } +- ++unlock: + mutex_unlock(&file->mutex); + + return ret; +@@ -224,7 +231,7 @@ static void send_handler(struct ib_mad_agent *agent, + if (send_wc->status == IB_WC_RESP_TIMEOUT_ERR) { + packet->length = IB_MGMT_MAD_HDR; + packet->mad.hdr.status = ETIMEDOUT; +- if (!queue_packet(file, agent, packet)) ++ if (!queue_packet(file, agent, packet, false)) + return; + } + kfree(packet); +@@ -284,7 +291,7 @@ static void recv_handler(struct ib_mad_agent *agent, + rdma_destroy_ah_attr(&ah_attr); + } + +- if (queue_packet(file, agent, packet)) ++ if (queue_packet(file, agent, packet, true)) + goto err2; + return; + +@@ -409,6 +416,7 @@ static ssize_t ib_umad_read(struct file *filp, char __user *buf, + + packet = list_entry(file->recv_list.next, struct ib_umad_packet, list); + list_del(&packet->list); ++ atomic_dec(&file->recv_list_size); + + mutex_unlock(&file->mutex); + +@@ -421,6 +429,7 @@ static ssize_t ib_umad_read(struct file *filp, char __user *buf, + /* Requeue packet */ + mutex_lock(&file->mutex); + list_add(&packet->list, &file->recv_list); ++ atomic_inc(&file->recv_list_size); + mutex_unlock(&file->mutex); + } else { + if (packet->recv_wc) +-- +2.43.0 + diff --git a/queue-6.6/igc-fix-a-log-entry-using-uninitialized-netdev.patch b/queue-6.6/igc-fix-a-log-entry-using-uninitialized-netdev.patch new file mode 100644 index 00000000000..723f1ea482c --- /dev/null +++ b/queue-6.6/igc-fix-a-log-entry-using-uninitialized-netdev.patch @@ -0,0 +1,61 @@ +From cff4593b348e5fbbca12a0bcf930e8c718f0cbba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Apr 2024 12:24:54 +0200 +Subject: igc: fix a log entry using uninitialized netdev + +From: Corinna Vinschen + +[ Upstream commit 86167183a17e03ec77198897975e9fdfbd53cb0b ] + +During successful probe, igc logs this: + +[ 5.133667] igc 0000:01:00.0 (unnamed net_device) (uninitialized): PHC added + ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +The reason is that igc_ptp_init() is called very early, even before +register_netdev() has been called. So the netdev_info() call works +on a partially uninitialized netdev. + +Fix this by calling igc_ptp_init() after register_netdev(), right +after the media autosense check, just as in igb. Add a comment, +just as in igb. + +Now the log message is fine: + +[ 5.200987] igc 0000:01:00.0 eth0: PHC added + +Signed-off-by: Corinna Vinschen +Reviewed-by: Hariprasad Kelam +Acked-by: Vinicius Costa Gomes +Tested-by: Naama Meir +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igc/igc_main.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c +index e83700ad7e622..5715fc6779117 100644 +--- a/drivers/net/ethernet/intel/igc/igc_main.c ++++ b/drivers/net/ethernet/intel/igc/igc_main.c +@@ -6908,8 +6908,6 @@ static int igc_probe(struct pci_dev *pdev, + device_set_wakeup_enable(&adapter->pdev->dev, + adapter->flags & IGC_FLAG_WOL_SUPPORTED); + +- igc_ptp_init(adapter); +- + igc_tsn_clear_schedule(adapter); + + /* reset the hardware with the new settings */ +@@ -6931,6 +6929,9 @@ static int igc_probe(struct pci_dev *pdev, + /* Check if Media Autosense is enabled */ + adapter->ei = *ei; + ++ /* do hw tstamp init after resetting */ ++ igc_ptp_init(adapter); ++ + /* print pcie link status and MAC address */ + pcie_print_link_status(pdev); + netdev_info(netdev, "MAC: %pM\n", netdev->dev_addr); +-- +2.43.0 + diff --git a/queue-6.6/input-ff-core-prefer-struct_size-over-open-coded-ari.patch b/queue-6.6/input-ff-core-prefer-struct_size-over-open-coded-ari.patch new file mode 100644 index 00000000000..df86e9517f8 --- /dev/null +++ b/queue-6.6/input-ff-core-prefer-struct_size-over-open-coded-ari.patch @@ -0,0 +1,73 @@ +From 8cbd7579ef4710a91b1dd932dc88e291e29ec4fd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 27 Apr 2024 17:05:56 +0200 +Subject: Input: ff-core - prefer struct_size over open coded arithmetic + +From: Erick Archer + +[ Upstream commit a08b8f8557ad88ffdff8905e5da972afe52e3307 ] + +This is an effort to get rid of all multiplications from allocation +functions in order to prevent integer overflows [1][2]. + +As the "ff" variable is a pointer to "struct ff_device" and this +structure ends in a flexible array: + +struct ff_device { + [...] + struct file *effect_owners[] __counted_by(max_effects); +}; + +the preferred way in the kernel is to use the struct_size() helper to +do the arithmetic instead of the calculation "size + count * size" in +the kzalloc() function. + +The struct_size() helper returns SIZE_MAX on overflow. So, refactor +the comparison to take advantage of this. + +This way, the code is more readable and safer. + +This code was detected with the help of Coccinelle, and audited and +modified manually. + +Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#open-coded-arithmetic-in-allocator-arguments [1] +Link: https://github.com/KSPP/linux/issues/160 [2] +Signed-off-by: Erick Archer +Reviewed-by: Kees Cook +Link: https://lore.kernel.org/r/AS8PR02MB72371E646714BAE2E51A6A378B152@AS8PR02MB7237.eurprd02.prod.outlook.com +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/ff-core.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/input/ff-core.c b/drivers/input/ff-core.c +index 16231fe080b00..609a5f01761bd 100644 +--- a/drivers/input/ff-core.c ++++ b/drivers/input/ff-core.c +@@ -9,8 +9,10 @@ + /* #define DEBUG */ + + #include ++#include + #include + #include ++#include + #include + #include + +@@ -315,9 +317,8 @@ int input_ff_create(struct input_dev *dev, unsigned int max_effects) + return -EINVAL; + } + +- ff_dev_size = sizeof(struct ff_device) + +- max_effects * sizeof(struct file *); +- if (ff_dev_size < max_effects) /* overflow */ ++ ff_dev_size = struct_size(ff, effect_owners, max_effects); ++ if (ff_dev_size == SIZE_MAX) /* overflow */ + return -EINVAL; + + ff = kzalloc(ff_dev_size, GFP_KERNEL); +-- +2.43.0 + diff --git a/queue-6.6/irqchip-gic-v3-its-remove-bug_on-in-its_vpe_irq_doma.patch b/queue-6.6/irqchip-gic-v3-its-remove-bug_on-in-its_vpe_irq_doma.patch new file mode 100644 index 00000000000..84cb8e69922 --- /dev/null +++ b/queue-6.6/irqchip-gic-v3-its-remove-bug_on-in-its_vpe_irq_doma.patch @@ -0,0 +1,41 @@ +From 47a92b2b270eaf9db033591d1b38e0bf1a51c11c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Apr 2024 14:10:53 +0800 +Subject: irqchip/gic-v3-its: Remove BUG_ON in its_vpe_irq_domain_alloc + +From: Guanrui Huang + +[ Upstream commit 382d2ffe86efb1e2fa803d2cf17e5bfc34e574f3 ] + +This BUG_ON() is useless, because the same effect will be obtained +by letting the code run its course and vm being dereferenced, +triggering an exception. + +So just remove this check. + +Signed-off-by: Guanrui Huang +Signed-off-by: Thomas Gleixner +Reviewed-by: Zenghui Yu +Acked-by: Marc Zyngier +Link: https://lore.kernel.org/r/20240418061053.96803-3-guanrui.huang@linux.alibaba.com +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-gic-v3-its.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c +index c7d6e6987166f..350abbb36e04b 100644 +--- a/drivers/irqchip/irq-gic-v3-its.c ++++ b/drivers/irqchip/irq-gic-v3-its.c +@@ -4501,8 +4501,6 @@ static int its_vpe_irq_domain_alloc(struct irq_domain *domain, unsigned int virq + struct page *vprop_page; + int base, nr_ids, i, err = 0; + +- BUG_ON(!vm); +- + bitmap = its_lpi_alloc(roundup_pow_of_two(nr_irqs), &base, &nr_ids); + if (!bitmap) + return -ENOMEM; +-- +2.43.0 + diff --git a/queue-6.6/jffs2-fix-potential-illegal-address-access-in-jffs2_.patch b/queue-6.6/jffs2-fix-potential-illegal-address-access-in-jffs2_.patch new file mode 100644 index 00000000000..b843058b9a5 --- /dev/null +++ b/queue-6.6/jffs2-fix-potential-illegal-address-access-in-jffs2_.patch @@ -0,0 +1,94 @@ +From decc5b3a7abff1f5b94ae4ea1e95de5276cd85f8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 May 2024 15:00:46 +0800 +Subject: jffs2: Fix potential illegal address access in jffs2_free_inode + +From: Wang Yong + +[ Upstream commit af9a8730ddb6a4b2edd779ccc0aceb994d616830 ] + +During the stress testing of the jffs2 file system,the following +abnormal printouts were found: +[ 2430.649000] Unable to handle kernel paging request at virtual address 0069696969696948 +[ 2430.649622] Mem abort info: +[ 2430.649829] ESR = 0x96000004 +[ 2430.650115] EC = 0x25: DABT (current EL), IL = 32 bits +[ 2430.650564] SET = 0, FnV = 0 +[ 2430.650795] EA = 0, S1PTW = 0 +[ 2430.651032] FSC = 0x04: level 0 translation fault +[ 2430.651446] Data abort info: +[ 2430.651683] ISV = 0, ISS = 0x00000004 +[ 2430.652001] CM = 0, WnR = 0 +[ 2430.652558] [0069696969696948] address between user and kernel address ranges +[ 2430.653265] Internal error: Oops: 96000004 [#1] PREEMPT SMP +[ 2430.654512] CPU: 2 PID: 20919 Comm: cat Not tainted 5.15.25-g512f31242bf6 #33 +[ 2430.655008] Hardware name: linux,dummy-virt (DT) +[ 2430.655517] pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) +[ 2430.656142] pc : kfree+0x78/0x348 +[ 2430.656630] lr : jffs2_free_inode+0x24/0x48 +[ 2430.657051] sp : ffff800009eebd10 +[ 2430.657355] x29: ffff800009eebd10 x28: 0000000000000001 x27: 0000000000000000 +[ 2430.658327] x26: ffff000038f09d80 x25: 0080000000000000 x24: ffff800009d38000 +[ 2430.658919] x23: 5a5a5a5a5a5a5a5a x22: ffff000038f09d80 x21: ffff8000084f0d14 +[ 2430.659434] x20: ffff0000bf9a6ac0 x19: 0169696969696940 x18: 0000000000000000 +[ 2430.659969] x17: ffff8000b6506000 x16: ffff800009eec000 x15: 0000000000004000 +[ 2430.660637] x14: 0000000000000000 x13: 00000001000820a1 x12: 00000000000d1b19 +[ 2430.661345] x11: 0004000800000000 x10: 0000000000000001 x9 : ffff8000084f0d14 +[ 2430.662025] x8 : ffff0000bf9a6b40 x7 : ffff0000bf9a6b48 x6 : 0000000003470302 +[ 2430.662695] x5 : ffff00002e41dcc0 x4 : ffff0000bf9aa3b0 x3 : 0000000003470342 +[ 2430.663486] x2 : 0000000000000000 x1 : ffff8000084f0d14 x0 : fffffc0000000000 +[ 2430.664217] Call trace: +[ 2430.664528] kfree+0x78/0x348 +[ 2430.664855] jffs2_free_inode+0x24/0x48 +[ 2430.665233] i_callback+0x24/0x50 +[ 2430.665528] rcu_do_batch+0x1ac/0x448 +[ 2430.665892] rcu_core+0x28c/0x3c8 +[ 2430.666151] rcu_core_si+0x18/0x28 +[ 2430.666473] __do_softirq+0x138/0x3cc +[ 2430.666781] irq_exit+0xf0/0x110 +[ 2430.667065] handle_domain_irq+0x6c/0x98 +[ 2430.667447] gic_handle_irq+0xac/0xe8 +[ 2430.667739] call_on_irq_stack+0x28/0x54 +The parameter passed to kfree was 5a5a5a5a, which corresponds to the target field of +the jffs_inode_info structure. It was found that all variables in the jffs_inode_info +structure were 5a5a5a5a, except for the first member sem. It is suspected that these +variables are not initialized because they were set to 5a5a5a5a during memory testing, +which is meant to detect uninitialized memory.The sem variable is initialized in the +function jffs2_i_init_once, while other members are initialized in +the function jffs2_init_inode_info. + +The function jffs2_init_inode_info is called after iget_locked, +but in the iget_locked function, the destroy_inode process is triggered, +which releases the inode and consequently, the target member of the inode +is not initialized.In concurrent high pressure scenarios, iget_locked +may enter the destroy_inode branch as described in the code. + +Since the destroy_inode functionality of jffs2 only releases the target, +the fix method is to set target to NULL in jffs2_i_init_once. + +Signed-off-by: Wang Yong +Reviewed-by: Lu Zhongjun +Reviewed-by: Yang Tao +Cc: Xu Xin +Cc: Yang Yang +Signed-off-by: Richard Weinberger +Signed-off-by: Sasha Levin +--- + fs/jffs2/super.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/jffs2/super.c b/fs/jffs2/super.c +index 7ea37f49f1e18..e71f4c94c4483 100644 +--- a/fs/jffs2/super.c ++++ b/fs/jffs2/super.c +@@ -58,6 +58,7 @@ static void jffs2_i_init_once(void *foo) + struct jffs2_inode_info *f = foo; + + mutex_init(&f->sem); ++ f->target = NULL; + inode_init_once(&f->vfs_inode); + } + +-- +2.43.0 + diff --git a/queue-6.6/kunit-fix-timeout-message.patch b/queue-6.6/kunit-fix-timeout-message.patch new file mode 100644 index 00000000000..60f73fd2c80 --- /dev/null +++ b/queue-6.6/kunit-fix-timeout-message.patch @@ -0,0 +1,52 @@ +From 0a4593db65a2bcbd3fd14ef2e984202b75fb64d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Apr 2024 09:46:21 +0200 +Subject: kunit: Fix timeout message +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mickaël Salaün + +[ Upstream commit 53026ff63bb07c04a0e962a74723eb10ff6f9dc7 ] + +The exit code is always checked, so let's properly handle the -ETIMEDOUT +error code. + +Cc: Brendan Higgins +Cc: Shuah Khan +Reviewed-by: Kees Cook +Reviewed-by: David Gow +Reviewed-by: Rae Moar +Signed-off-by: Mickaël Salaün +Link: https://lore.kernel.org/r/20240408074625.65017-4-mic@digikod.net +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + lib/kunit/try-catch.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/lib/kunit/try-catch.c b/lib/kunit/try-catch.c +index d9d1df28cc52e..9c9e4dcf06d96 100644 +--- a/lib/kunit/try-catch.c ++++ b/lib/kunit/try-catch.c +@@ -78,7 +78,6 @@ void kunit_try_catch_run(struct kunit_try_catch *try_catch, void *context) + time_remaining = wait_for_completion_timeout(&try_completion, + kunit_test_timeout()); + if (time_remaining == 0) { +- kunit_err(test, "try timed out\n"); + try_catch->try_result = -ETIMEDOUT; + kthread_stop(task_struct); + } +@@ -93,6 +92,8 @@ void kunit_try_catch_run(struct kunit_try_catch *try_catch, void *context) + try_catch->try_result = 0; + else if (exit_code == -EINTR) + kunit_err(test, "wake_up_process() was never called\n"); ++ else if (exit_code == -ETIMEDOUT) ++ kunit_err(test, "try timed out\n"); + else if (exit_code) + kunit_err(test, "Unknown error: %d\n", exit_code); + +-- +2.43.0 + diff --git a/queue-6.6/kunit-handle-test-faults.patch b/queue-6.6/kunit-handle-test-faults.patch new file mode 100644 index 00000000000..a6e8eab61cd --- /dev/null +++ b/queue-6.6/kunit-handle-test-faults.patch @@ -0,0 +1,152 @@ +From 080a463fab2314c87a1878033833405694ca3a5e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Apr 2024 09:46:22 +0200 +Subject: kunit: Handle test faults +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mickaël Salaün + +[ Upstream commit 3a35c13007dea132a65f07de05c26b87837fadc2 ] + +Previously, when a kernel test thread crashed (e.g. NULL pointer +dereference, general protection fault), the KUnit test hanged for 30 +seconds and exited with a timeout error. + +Fix this issue by waiting on task_struct->vfork_done instead of the +custom kunit_try_catch.try_completion, and track the execution state by +initially setting try_result with -EINTR and only setting it to 0 if +the test passed. + +Fix kunit_generic_run_threadfn_adapter() signature by returning 0 +instead of calling kthread_complete_and_exit(). Because thread's exit +code is never checked, always set it to 0 to make it clear. To make +this explicit, export kthread_exit() for KUnit tests built as module. + +Fix the -EINTR error message, which couldn't be reached until now. + +This is tested with a following patch. + +Cc: Brendan Higgins +Cc: Eric W. Biederman +Cc: Shuah Khan +Reviewed-by: Kees Cook +Reviewed-by: David Gow +Tested-by: Rae Moar +Signed-off-by: Mickaël Salaün +Link: https://lore.kernel.org/r/20240408074625.65017-5-mic@digikod.net +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + include/kunit/try-catch.h | 3 --- + kernel/kthread.c | 1 + + lib/kunit/try-catch.c | 19 ++++++++++++------- + 3 files changed, 13 insertions(+), 10 deletions(-) + +diff --git a/include/kunit/try-catch.h b/include/kunit/try-catch.h +index c507dd43119d5..7c966a1adbd30 100644 +--- a/include/kunit/try-catch.h ++++ b/include/kunit/try-catch.h +@@ -14,13 +14,11 @@ + + typedef void (*kunit_try_catch_func_t)(void *); + +-struct completion; + struct kunit; + + /** + * struct kunit_try_catch - provides a generic way to run code which might fail. + * @test: The test case that is currently being executed. +- * @try_completion: Completion that the control thread waits on while test runs. + * @try_result: Contains any errno obtained while running test case. + * @try: The function, the test case, to attempt to run. + * @catch: The function called if @try bails out. +@@ -46,7 +44,6 @@ struct kunit; + struct kunit_try_catch { + /* private: internal use only. */ + struct kunit *test; +- struct completion *try_completion; + int try_result; + kunit_try_catch_func_t try; + kunit_try_catch_func_t catch; +diff --git a/kernel/kthread.c b/kernel/kthread.c +index 290cbc845225e..2afdba66b729e 100644 +--- a/kernel/kthread.c ++++ b/kernel/kthread.c +@@ -315,6 +315,7 @@ void __noreturn kthread_exit(long result) + kthread->result = result; + do_exit(0); + } ++EXPORT_SYMBOL(kthread_exit); + + /** + * kthread_complete_and_exit - Exit the current kthread. +diff --git a/lib/kunit/try-catch.c b/lib/kunit/try-catch.c +index 9c9e4dcf06d96..34d30a6f23054 100644 +--- a/lib/kunit/try-catch.c ++++ b/lib/kunit/try-catch.c +@@ -18,7 +18,7 @@ + void __noreturn kunit_try_catch_throw(struct kunit_try_catch *try_catch) + { + try_catch->try_result = -EFAULT; +- kthread_complete_and_exit(try_catch->try_completion, -EFAULT); ++ kthread_exit(0); + } + EXPORT_SYMBOL_GPL(kunit_try_catch_throw); + +@@ -26,9 +26,12 @@ static int kunit_generic_run_threadfn_adapter(void *data) + { + struct kunit_try_catch *try_catch = data; + ++ try_catch->try_result = -EINTR; + try_catch->try(try_catch->context); ++ if (try_catch->try_result == -EINTR) ++ try_catch->try_result = 0; + +- kthread_complete_and_exit(try_catch->try_completion, 0); ++ return 0; + } + + static unsigned long kunit_test_timeout(void) +@@ -58,13 +61,11 @@ static unsigned long kunit_test_timeout(void) + + void kunit_try_catch_run(struct kunit_try_catch *try_catch, void *context) + { +- DECLARE_COMPLETION_ONSTACK(try_completion); + struct kunit *test = try_catch->test; + struct task_struct *task_struct; + int exit_code, time_remaining; + + try_catch->context = context; +- try_catch->try_completion = &try_completion; + try_catch->try_result = 0; + task_struct = kthread_create(kunit_generic_run_threadfn_adapter, + try_catch, "kunit_try_catch_thread"); +@@ -74,8 +75,12 @@ void kunit_try_catch_run(struct kunit_try_catch *try_catch, void *context) + } + get_task_struct(task_struct); + wake_up_process(task_struct); +- +- time_remaining = wait_for_completion_timeout(&try_completion, ++ /* ++ * As for a vfork(2), task_struct->vfork_done (pointing to the ++ * underlying kthread->exited) can be used to wait for the end of a ++ * kernel thread. ++ */ ++ time_remaining = wait_for_completion_timeout(task_struct->vfork_done, + kunit_test_timeout()); + if (time_remaining == 0) { + try_catch->try_result = -ETIMEDOUT; +@@ -91,7 +96,7 @@ void kunit_try_catch_run(struct kunit_try_catch *try_catch, void *context) + if (exit_code == -EFAULT) + try_catch->try_result = 0; + else if (exit_code == -EINTR) +- kunit_err(test, "wake_up_process() was never called\n"); ++ kunit_err(test, "try faulted\n"); + else if (exit_code == -ETIMEDOUT) + kunit_err(test, "try timed out\n"); + else if (exit_code) +-- +2.43.0 + diff --git a/queue-6.6/leds-an30259a-use-devm_mutex_init-for-mutex-initiali.patch b/queue-6.6/leds-an30259a-use-devm_mutex_init-for-mutex-initiali.patch new file mode 100644 index 00000000000..0867e87471f --- /dev/null +++ b/queue-6.6/leds-an30259a-use-devm_mutex_init-for-mutex-initiali.patch @@ -0,0 +1,69 @@ +From 1fc2f94ab93d9bcabbbd77c9cd70f4e0a1d63e8a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Apr 2024 19:10:32 +0300 +Subject: leds: an30259a: Use devm_mutex_init() for mutex initialization + +From: George Stark + +[ Upstream commit c382e2e3eccb6b7ca8c7aff5092c1668428e7de6 ] + +In this driver LEDs are registered using devm_led_classdev_register() +so they are automatically unregistered after module's remove() is done. +led_classdev_unregister() calls module's led_set_brightness() to turn off +the LEDs and that callback uses mutex which was destroyed already +in module's remove() so use devm API instead. + +Signed-off-by: George Stark +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20240411161032.609544-9-gnstark@salutedevices.com +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/leds/leds-an30259a.c | 14 ++++---------- + 1 file changed, 4 insertions(+), 10 deletions(-) + +diff --git a/drivers/leds/leds-an30259a.c b/drivers/leds/leds-an30259a.c +index 0216afed3b6e7..decfca447d8a7 100644 +--- a/drivers/leds/leds-an30259a.c ++++ b/drivers/leds/leds-an30259a.c +@@ -283,7 +283,10 @@ static int an30259a_probe(struct i2c_client *client) + if (err < 0) + return err; + +- mutex_init(&chip->mutex); ++ err = devm_mutex_init(&client->dev, &chip->mutex); ++ if (err) ++ return err; ++ + chip->client = client; + i2c_set_clientdata(client, chip); + +@@ -317,17 +320,9 @@ static int an30259a_probe(struct i2c_client *client) + return 0; + + exit: +- mutex_destroy(&chip->mutex); + return err; + } + +-static void an30259a_remove(struct i2c_client *client) +-{ +- struct an30259a *chip = i2c_get_clientdata(client); +- +- mutex_destroy(&chip->mutex); +-} +- + static const struct of_device_id an30259a_match_table[] = { + { .compatible = "panasonic,an30259a", }, + { /* sentinel */ }, +@@ -347,7 +342,6 @@ static struct i2c_driver an30259a_driver = { + .of_match_table = an30259a_match_table, + }, + .probe = an30259a_probe, +- .remove = an30259a_remove, + .id_table = an30259a_id, + }; + +-- +2.43.0 + diff --git a/queue-6.6/locking-mutex-introduce-devm_mutex_init.patch b/queue-6.6/locking-mutex-introduce-devm_mutex_init.patch new file mode 100644 index 00000000000..5127ae9a8d4 --- /dev/null +++ b/queue-6.6/locking-mutex-introduce-devm_mutex_init.patch @@ -0,0 +1,113 @@ +From 13d66adf56ede1c549b0e9016a11cc133b9ffce8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Apr 2024 19:10:25 +0300 +Subject: locking/mutex: Introduce devm_mutex_init() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: George Stark + +[ Upstream commit 4cd47222e435dec8e3787614924174f53fcfb5ae ] + +Using of devm API leads to a certain order of releasing resources. +So all dependent resources which are not devm-wrapped should be deleted +with respect to devm-release order. Mutex is one of such objects that +often is bound to other resources and has no own devm wrapping. +Since mutex_destroy() actually does nothing in non-debug builds +frequently calling mutex_destroy() is just ignored which is safe for now +but wrong formally and can lead to a problem if mutex_destroy() will be +extended so introduce devm_mutex_init(). + +Suggested-by: Christophe Leroy +Signed-off-by: George Stark +Reviewed-by: Christophe Leroy +Reviewed-by: Andy Shevchenko +Reviewed-by: Marek Behún +Acked-by: Waiman Long +Link: https://lore.kernel.org/r/20240411161032.609544-2-gnstark@salutedevices.com +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + include/linux/mutex.h | 27 +++++++++++++++++++++++++++ + kernel/locking/mutex-debug.c | 12 ++++++++++++ + 2 files changed, 39 insertions(+) + +diff --git a/include/linux/mutex.h b/include/linux/mutex.h +index a33aa9eb9fc3b..5b5630e58407a 100644 +--- a/include/linux/mutex.h ++++ b/include/linux/mutex.h +@@ -21,6 +21,8 @@ + #include + #include + ++struct device; ++ + #ifdef CONFIG_DEBUG_LOCK_ALLOC + # define __DEP_MAP_MUTEX_INITIALIZER(lockname) \ + , .dep_map = { \ +@@ -171,6 +173,31 @@ do { \ + } while (0) + #endif /* CONFIG_PREEMPT_RT */ + ++#ifdef CONFIG_DEBUG_MUTEXES ++ ++int __devm_mutex_init(struct device *dev, struct mutex *lock); ++ ++#else ++ ++static inline int __devm_mutex_init(struct device *dev, struct mutex *lock) ++{ ++ /* ++ * When CONFIG_DEBUG_MUTEXES is off mutex_destroy() is just a nop so ++ * no really need to register it in the devm subsystem. ++ */ ++ return 0; ++} ++ ++#endif ++ ++#define devm_mutex_init(dev, mutex) \ ++({ \ ++ typeof(mutex) mutex_ = (mutex); \ ++ \ ++ mutex_init(mutex_); \ ++ __devm_mutex_init(dev, mutex_); \ ++}) ++ + /* + * See kernel/locking/mutex.c for detailed documentation of these APIs. + * Also see Documentation/locking/mutex-design.rst. +diff --git a/kernel/locking/mutex-debug.c b/kernel/locking/mutex-debug.c +index bc8abb8549d20..6e6f6071cfa27 100644 +--- a/kernel/locking/mutex-debug.c ++++ b/kernel/locking/mutex-debug.c +@@ -12,6 +12,7 @@ + */ + #include + #include ++#include + #include + #include + #include +@@ -89,6 +90,17 @@ void debug_mutex_init(struct mutex *lock, const char *name, + lock->magic = lock; + } + ++static void devm_mutex_release(void *res) ++{ ++ mutex_destroy(res); ++} ++ ++int __devm_mutex_init(struct device *dev, struct mutex *lock) ++{ ++ return devm_add_action_or_reset(dev, devm_mutex_release, lock); ++} ++EXPORT_SYMBOL_GPL(__devm_mutex_init); ++ + /*** + * mutex_destroy - mark a mutex unusable + * @lock: the mutex to be destroyed +-- +2.43.0 + diff --git a/queue-6.6/media-dvb-as102-fe-fix-as10x_register_addr-packing.patch b/queue-6.6/media-dvb-as102-fe-fix-as10x_register_addr-packing.patch new file mode 100644 index 00000000000..9a1c55cb783 --- /dev/null +++ b/queue-6.6/media-dvb-as102-fe-fix-as10x_register_addr-packing.patch @@ -0,0 +1,44 @@ +From b9b15405056ee9b2a19b67cc25208d465f2a1b5d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Apr 2024 12:24:37 +0000 +Subject: media: dvb: as102-fe: Fix as10x_register_addr packing + +From: Ricardo Ribalda + +[ Upstream commit 309422d280748c74f57f471559980268ac27732a ] + +This structure is embedded in multiple other structures that are packed, +which conflicts with it being aligned. + +drivers/media/usb/as102/as10x_cmd.h:379:30: warning: field reg_addr within 'struct as10x_dump_memory::(unnamed at drivers/media/usb/as102/as10x_cmd.h:373:2)' is less aligned than 'struct as10x_register_addr' and is usually due to 'struct as10x_dump_memory::(unnamed at drivers/media/usb/as102/as10x_cmd.h:373:2)' being packed, which can lead to unaligned accesses [-Wunaligned-access] + +Mark it as being packed. + +Marking the inner struct as 'packed' does not change the layout, since the +whole struct is already packed, it just silences the clang warning. See +also this llvm discussion: + +https://github.com/llvm/llvm-project/issues/55520 + +Signed-off-by: Ricardo Ribalda +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/dvb-frontends/as102_fe_types.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/dvb-frontends/as102_fe_types.h b/drivers/media/dvb-frontends/as102_fe_types.h +index 297f9520ebf9d..8a4e392c88965 100644 +--- a/drivers/media/dvb-frontends/as102_fe_types.h ++++ b/drivers/media/dvb-frontends/as102_fe_types.h +@@ -174,6 +174,6 @@ struct as10x_register_addr { + uint32_t addr; + /* register mode access */ + uint8_t mode; +-}; ++} __packed; + + #endif +-- +2.43.0 + diff --git a/queue-6.6/media-dvb-frontends-tda10048-fix-integer-overflow.patch b/queue-6.6/media-dvb-frontends-tda10048-fix-integer-overflow.patch new file mode 100644 index 00000000000..3308d1bb715 --- /dev/null +++ b/queue-6.6/media-dvb-frontends-tda10048-fix-integer-overflow.patch @@ -0,0 +1,53 @@ +From 1f7aad36d2a955ae55a08d6b5508c0dc958df4de Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Apr 2024 16:05:04 +0100 +Subject: media: dvb-frontends: tda10048: Fix integer overflow + +From: Ricardo Ribalda + +[ Upstream commit 1aa1329a67cc214c3b7bd2a14d1301a795760b07 ] + +state->xtal_hz can be up to 16M, so it can overflow a 32 bit integer +when multiplied by pll_mfactor. + +Create a new 64 bit variable to hold the calculations. + +Link: https://lore.kernel.org/linux-media/20240429-fix-cocci-v3-25-3c4865f5a4b0@chromium.org +Reported-by: Dan Carpenter +Signed-off-by: Ricardo Ribalda +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/dvb-frontends/tda10048.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/media/dvb-frontends/tda10048.c b/drivers/media/dvb-frontends/tda10048.c +index 5d5e4e9e4422e..3e725cdcc66bd 100644 +--- a/drivers/media/dvb-frontends/tda10048.c ++++ b/drivers/media/dvb-frontends/tda10048.c +@@ -410,6 +410,7 @@ static int tda10048_set_if(struct dvb_frontend *fe, u32 bw) + struct tda10048_config *config = &state->config; + int i; + u32 if_freq_khz; ++ u64 sample_freq; + + dprintk(1, "%s(bw = %d)\n", __func__, bw); + +@@ -451,9 +452,11 @@ static int tda10048_set_if(struct dvb_frontend *fe, u32 bw) + dprintk(1, "- pll_pfactor = %d\n", state->pll_pfactor); + + /* Calculate the sample frequency */ +- state->sample_freq = state->xtal_hz * (state->pll_mfactor + 45); +- state->sample_freq /= (state->pll_nfactor + 1); +- state->sample_freq /= (state->pll_pfactor + 4); ++ sample_freq = state->xtal_hz; ++ sample_freq *= state->pll_mfactor + 45; ++ do_div(sample_freq, state->pll_nfactor + 1); ++ do_div(sample_freq, state->pll_pfactor + 4); ++ state->sample_freq = sample_freq; + dprintk(1, "- sample_freq = %d\n", state->sample_freq); + + /* Update the I/F */ +-- +2.43.0 + diff --git a/queue-6.6/media-dvb-frontends-tda18271c2dd-remove-casting-duri.patch b/queue-6.6/media-dvb-frontends-tda18271c2dd-remove-casting-duri.patch new file mode 100644 index 00000000000..76db092ff1d --- /dev/null +++ b/queue-6.6/media-dvb-frontends-tda18271c2dd-remove-casting-duri.patch @@ -0,0 +1,49 @@ +From 87a87988cdb48371288d2ef1a7d4e7ad56cc42d3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Apr 2024 16:04:47 +0100 +Subject: media: dvb-frontends: tda18271c2dd: Remove casting during div + +From: Ricardo Ribalda + +[ Upstream commit e9a844632630e18ed0671a7e3467431bd719952e ] + +do_div() divides 64 bits by 32. We were adding a casting to the divider +to 64 bits, for a number that fits perfectly in 32 bits. Remove it. + +Found by cocci: +drivers/media/dvb-frontends/tda18271c2dd.c:355:1-7: WARNING: do_div() does a 64-by-32 division, please consider using div64_u64 instead. +drivers/media/dvb-frontends/tda18271c2dd.c:331:1-7: WARNING: do_div() does a 64-by-32 division, please consider using div64_u64 instead. + +Link: https://lore.kernel.org/linux-media/20240429-fix-cocci-v3-8-3c4865f5a4b0@chromium.org +Signed-off-by: Ricardo Ribalda +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/dvb-frontends/tda18271c2dd.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/dvb-frontends/tda18271c2dd.c b/drivers/media/dvb-frontends/tda18271c2dd.c +index a348344879433..fd928787207ed 100644 +--- a/drivers/media/dvb-frontends/tda18271c2dd.c ++++ b/drivers/media/dvb-frontends/tda18271c2dd.c +@@ -328,7 +328,7 @@ static int CalcMainPLL(struct tda_state *state, u32 freq) + + OscFreq = (u64) freq * (u64) Div; + OscFreq *= (u64) 16384; +- do_div(OscFreq, (u64)16000000); ++ do_div(OscFreq, 16000000); + MainDiv = OscFreq; + + state->m_Regs[MPD] = PostDiv & 0x77; +@@ -352,7 +352,7 @@ static int CalcCalPLL(struct tda_state *state, u32 freq) + OscFreq = (u64)freq * (u64)Div; + /* CalDiv = u32( OscFreq * 16384 / 16000000 ); */ + OscFreq *= (u64)16384; +- do_div(OscFreq, (u64)16000000); ++ do_div(OscFreq, 16000000); + CalDiv = OscFreq; + + state->m_Regs[CPD] = PostDiv; +-- +2.43.0 + diff --git a/queue-6.6/media-dvb-usb-dib0700_devices-add-missing-release_fi.patch b/queue-6.6/media-dvb-usb-dib0700_devices-add-missing-release_fi.patch new file mode 100644 index 00000000000..c2fc2b4f752 --- /dev/null +++ b/queue-6.6/media-dvb-usb-dib0700_devices-add-missing-release_fi.patch @@ -0,0 +1,68 @@ +From e12c3a06574796e66faa9ccf0841b03f19be4ba1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Apr 2024 21:17:56 +0000 +Subject: media: dvb-usb: dib0700_devices: Add missing release_firmware() + +From: Ricardo Ribalda + +[ Upstream commit 4b267c23ee064bd24c6933df0588ad1b6e111145 ] + +Add missing release_firmware on the error paths. + +drivers/media/usb/dvb-usb/dib0700_devices.c:2415 stk9090m_frontend_attach() warn: 'state->frontend_firmware' from request_firmware() not released on lines: 2415. +drivers/media/usb/dvb-usb/dib0700_devices.c:2497 nim9090md_frontend_attach() warn: 'state->frontend_firmware' from request_firmware() not released on lines: 2489,2497. + +Signed-off-by: Ricardo Ribalda +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/usb/dvb-usb/dib0700_devices.c | 18 +++++++++++++++--- + 1 file changed, 15 insertions(+), 3 deletions(-) + +diff --git a/drivers/media/usb/dvb-usb/dib0700_devices.c b/drivers/media/usb/dvb-usb/dib0700_devices.c +index 3af594134a6de..6ddc205133939 100644 +--- a/drivers/media/usb/dvb-usb/dib0700_devices.c ++++ b/drivers/media/usb/dvb-usb/dib0700_devices.c +@@ -2412,7 +2412,12 @@ static int stk9090m_frontend_attach(struct dvb_usb_adapter *adap) + + adap->fe_adap[0].fe = dvb_attach(dib9000_attach, &adap->dev->i2c_adap, 0x80, &stk9090m_config); + +- return adap->fe_adap[0].fe == NULL ? -ENODEV : 0; ++ if (!adap->fe_adap[0].fe) { ++ release_firmware(state->frontend_firmware); ++ return -ENODEV; ++ } ++ ++ return 0; + } + + static int dib9090_tuner_attach(struct dvb_usb_adapter *adap) +@@ -2485,8 +2490,10 @@ static int nim9090md_frontend_attach(struct dvb_usb_adapter *adap) + dib9000_i2c_enumeration(&adap->dev->i2c_adap, 1, 0x20, 0x80); + adap->fe_adap[0].fe = dvb_attach(dib9000_attach, &adap->dev->i2c_adap, 0x80, &nim9090md_config[0]); + +- if (adap->fe_adap[0].fe == NULL) ++ if (!adap->fe_adap[0].fe) { ++ release_firmware(state->frontend_firmware); + return -ENODEV; ++ } + + i2c = dib9000_get_i2c_master(adap->fe_adap[0].fe, DIBX000_I2C_INTERFACE_GPIO_3_4, 0); + dib9000_i2c_enumeration(i2c, 1, 0x12, 0x82); +@@ -2494,7 +2501,12 @@ static int nim9090md_frontend_attach(struct dvb_usb_adapter *adap) + fe_slave = dvb_attach(dib9000_attach, i2c, 0x82, &nim9090md_config[1]); + dib9000_set_slave_frontend(adap->fe_adap[0].fe, fe_slave); + +- return fe_slave == NULL ? -ENODEV : 0; ++ if (!fe_slave) { ++ release_firmware(state->frontend_firmware); ++ return -ENODEV; ++ } ++ ++ return 0; + } + + static int nim9090md_tuner_attach(struct dvb_usb_adapter *adap) +-- +2.43.0 + diff --git a/queue-6.6/media-dw2102-don-t-translate-i2c-read-into-write.patch b/queue-6.6/media-dw2102-don-t-translate-i2c-read-into-write.patch new file mode 100644 index 00000000000..be4a32956e6 --- /dev/null +++ b/queue-6.6/media-dw2102-don-t-translate-i2c-read-into-write.patch @@ -0,0 +1,197 @@ +From dbfe0ce9cbf71c5af89fa726cdd0ee0676fdcede Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 16 Jan 2022 11:22:36 +0000 +Subject: media: dw2102: Don't translate i2c read into write + +From: Michael Bunk + +[ Upstream commit 0e148a522b8453115038193e19ec7bea71403e4a ] + +The code ignored the I2C_M_RD flag on I2C messages. Instead it assumed +an i2c transaction with a single message must be a write operation and a +transaction with two messages would be a read operation. + +Though this works for the driver code, it leads to problems once the i2c +device is exposed to code not knowing this convention. For example, +I did "insmod i2c-dev" and issued read requests from userspace, which +were translated into write requests and destroyed the EEPROM of my +device. + +So, just check and respect the I2C_M_READ flag, which indicates a read +when set on a message. If it is absent, it is a write message. + +Incidentally, changing from the case statement to a while loop allows +the code to lift the limitation to two i2c messages per transaction. + +There are 4 more *_i2c_transfer functions affected by the same behaviour +and limitation that should be fixed in the same way. + +Link: https://lore.kernel.org/linux-media/20220116112238.74171-2-micha@freedict.org +Signed-off-by: Michael Bunk +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/dvb-usb/dw2102.c | 120 ++++++++++++++++++----------- + 1 file changed, 73 insertions(+), 47 deletions(-) + +diff --git a/drivers/media/usb/dvb-usb/dw2102.c b/drivers/media/usb/dvb-usb/dw2102.c +index b3bb1805829ad..10351308b0d02 100644 +--- a/drivers/media/usb/dvb-usb/dw2102.c ++++ b/drivers/media/usb/dvb-usb/dw2102.c +@@ -716,6 +716,7 @@ static int su3000_i2c_transfer(struct i2c_adapter *adap, struct i2c_msg msg[], + { + struct dvb_usb_device *d = i2c_get_adapdata(adap); + struct dw2102_state *state; ++ int j; + + if (!d) + return -ENODEV; +@@ -729,11 +730,11 @@ static int su3000_i2c_transfer(struct i2c_adapter *adap, struct i2c_msg msg[], + return -EAGAIN; + } + +- switch (num) { +- case 1: +- switch (msg[0].addr) { ++ j = 0; ++ while (j < num) { ++ switch (msg[j].addr) { + case SU3000_STREAM_CTRL: +- state->data[0] = msg[0].buf[0] + 0x36; ++ state->data[0] = msg[j].buf[0] + 0x36; + state->data[1] = 3; + state->data[2] = 0; + if (dvb_usb_generic_rw(d, state->data, 3, +@@ -745,61 +746,86 @@ static int su3000_i2c_transfer(struct i2c_adapter *adap, struct i2c_msg msg[], + if (dvb_usb_generic_rw(d, state->data, 1, + state->data, 2, 0) < 0) + err("i2c transfer failed."); +- msg[0].buf[1] = state->data[0]; +- msg[0].buf[0] = state->data[1]; ++ msg[j].buf[1] = state->data[0]; ++ msg[j].buf[0] = state->data[1]; + break; + default: +- if (3 + msg[0].len > sizeof(state->data)) { +- warn("i2c wr: len=%d is too big!\n", +- msg[0].len); ++ /* if the current write msg is followed by a another ++ * read msg to/from the same address ++ */ ++ if ((j+1 < num) && (msg[j+1].flags & I2C_M_RD) && ++ (msg[j].addr == msg[j+1].addr)) { ++ /* join both i2c msgs to one usb read command */ ++ if (4 + msg[j].len > sizeof(state->data)) { ++ warn("i2c combined wr/rd: write len=%d is too big!\n", ++ msg[j].len); ++ num = -EOPNOTSUPP; ++ break; ++ } ++ if (1 + msg[j+1].len > sizeof(state->data)) { ++ warn("i2c combined wr/rd: read len=%d is too big!\n", ++ msg[j+1].len); ++ num = -EOPNOTSUPP; ++ break; ++ } ++ ++ state->data[0] = 0x09; ++ state->data[1] = msg[j].len; ++ state->data[2] = msg[j+1].len; ++ state->data[3] = msg[j].addr; ++ memcpy(&state->data[4], msg[j].buf, msg[j].len); ++ ++ if (dvb_usb_generic_rw(d, state->data, msg[j].len + 4, ++ state->data, msg[j+1].len + 1, 0) < 0) ++ err("i2c transfer failed."); ++ ++ memcpy(msg[j+1].buf, &state->data[1], msg[j+1].len); ++ j++; ++ break; ++ } ++ ++ if (msg[j].flags & I2C_M_RD) { ++ /* single read */ ++ if (1 + msg[j].len > sizeof(state->data)) { ++ warn("i2c rd: len=%d is too big!\n", msg[j].len); ++ num = -EOPNOTSUPP; ++ break; ++ } ++ ++ state->data[0] = 0x09; ++ state->data[1] = 0; ++ state->data[2] = msg[j].len; ++ state->data[3] = msg[j].addr; ++ memcpy(&state->data[4], msg[j].buf, msg[j].len); ++ ++ if (dvb_usb_generic_rw(d, state->data, 4, ++ state->data, msg[j].len + 1, 0) < 0) ++ err("i2c transfer failed."); ++ ++ memcpy(msg[j].buf, &state->data[1], msg[j].len); ++ break; ++ } ++ ++ /* single write */ ++ if (3 + msg[j].len > sizeof(state->data)) { ++ warn("i2c wr: len=%d is too big!\n", msg[j].len); + num = -EOPNOTSUPP; + break; + } + +- /* always i2c write*/ + state->data[0] = 0x08; +- state->data[1] = msg[0].addr; +- state->data[2] = msg[0].len; ++ state->data[1] = msg[j].addr; ++ state->data[2] = msg[j].len; + +- memcpy(&state->data[3], msg[0].buf, msg[0].len); ++ memcpy(&state->data[3], msg[j].buf, msg[j].len); + +- if (dvb_usb_generic_rw(d, state->data, msg[0].len + 3, ++ if (dvb_usb_generic_rw(d, state->data, msg[j].len + 3, + state->data, 1, 0) < 0) + err("i2c transfer failed."); ++ } // switch ++ j++; + +- } +- break; +- case 2: +- /* always i2c read */ +- if (4 + msg[0].len > sizeof(state->data)) { +- warn("i2c rd: len=%d is too big!\n", +- msg[0].len); +- num = -EOPNOTSUPP; +- break; +- } +- if (1 + msg[1].len > sizeof(state->data)) { +- warn("i2c rd: len=%d is too big!\n", +- msg[1].len); +- num = -EOPNOTSUPP; +- break; +- } +- +- state->data[0] = 0x09; +- state->data[1] = msg[0].len; +- state->data[2] = msg[1].len; +- state->data[3] = msg[0].addr; +- memcpy(&state->data[4], msg[0].buf, msg[0].len); +- +- if (dvb_usb_generic_rw(d, state->data, msg[0].len + 4, +- state->data, msg[1].len + 1, 0) < 0) +- err("i2c transfer failed."); +- +- memcpy(msg[1].buf, &state->data[1], msg[1].len); +- break; +- default: +- warn("more than 2 i2c messages at a time is not handled yet."); +- break; +- } ++ } // while + mutex_unlock(&d->data_mutex); + mutex_unlock(&d->i2c_mutex); + return num; +-- +2.43.0 + diff --git a/queue-6.6/media-mediatek-vcodec-only-free-buffer-va-that-is-no.patch b/queue-6.6/media-mediatek-vcodec-only-free-buffer-va-that-is-no.patch new file mode 100644 index 00000000000..a5a05b86f00 --- /dev/null +++ b/queue-6.6/media-mediatek-vcodec-only-free-buffer-va-that-is-no.patch @@ -0,0 +1,87 @@ +From 3cc1eec738a065fda77a5ca59b4e9e2506a91b83 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Dec 2023 09:17:46 +0000 +Subject: media: mediatek: vcodec: Only free buffer VA that is not NULL + +From: Fei Shao + +[ Upstream commit eb005c801ec70ff4307727bd3bd6e8280169ef32 ] + +In the MediaTek vcodec driver, while mtk_vcodec_mem_free() is mostly +called only when the buffer to free exists, there are some instances +that didn't do the check and triggered warnings in practice. + +We believe those checks were forgotten unintentionally. Add the checks +back to fix the warnings. + +Signed-off-by: Fei Shao +Reviewed-by: AngeloGioacchino Del Regno +Signed-off-by: Andrzej Pietrasiewicz +Signed-off-by: Sebastian Fricke +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + .../vcodec/decoder/vdec/vdec_av1_req_lat_if.c | 22 +++++++++++++------ + .../vcodec/encoder/venc/venc_h264_if.c | 5 +++-- + 2 files changed, 18 insertions(+), 9 deletions(-) + +diff --git a/drivers/media/platform/mediatek/vcodec/decoder/vdec/vdec_av1_req_lat_if.c b/drivers/media/platform/mediatek/vcodec/decoder/vdec/vdec_av1_req_lat_if.c +index 2b6a5adbc4199..b0e2e59f61b5d 100644 +--- a/drivers/media/platform/mediatek/vcodec/decoder/vdec/vdec_av1_req_lat_if.c ++++ b/drivers/media/platform/mediatek/vcodec/decoder/vdec/vdec_av1_req_lat_if.c +@@ -1023,18 +1023,26 @@ static void vdec_av1_slice_free_working_buffer(struct vdec_av1_slice_instance *i + int i; + + for (i = 0; i < ARRAY_SIZE(instance->mv); i++) +- mtk_vcodec_mem_free(ctx, &instance->mv[i]); ++ if (instance->mv[i].va) ++ mtk_vcodec_mem_free(ctx, &instance->mv[i]); + + for (i = 0; i < ARRAY_SIZE(instance->seg); i++) +- mtk_vcodec_mem_free(ctx, &instance->seg[i]); ++ if (instance->seg[i].va) ++ mtk_vcodec_mem_free(ctx, &instance->seg[i]); + + for (i = 0; i < ARRAY_SIZE(instance->cdf); i++) +- mtk_vcodec_mem_free(ctx, &instance->cdf[i]); ++ if (instance->cdf[i].va) ++ mtk_vcodec_mem_free(ctx, &instance->cdf[i]); ++ + +- mtk_vcodec_mem_free(ctx, &instance->tile); +- mtk_vcodec_mem_free(ctx, &instance->cdf_temp); +- mtk_vcodec_mem_free(ctx, &instance->cdf_table); +- mtk_vcodec_mem_free(ctx, &instance->iq_table); ++ if (instance->tile.va) ++ mtk_vcodec_mem_free(ctx, &instance->tile); ++ if (instance->cdf_temp.va) ++ mtk_vcodec_mem_free(ctx, &instance->cdf_temp); ++ if (instance->cdf_table.va) ++ mtk_vcodec_mem_free(ctx, &instance->cdf_table); ++ if (instance->iq_table.va) ++ mtk_vcodec_mem_free(ctx, &instance->iq_table); + + instance->level = AV1_RES_NONE; + } +diff --git a/drivers/media/platform/mediatek/vcodec/encoder/venc/venc_h264_if.c b/drivers/media/platform/mediatek/vcodec/encoder/venc/venc_h264_if.c +index a68dac72c4e42..f8145998fcaf7 100644 +--- a/drivers/media/platform/mediatek/vcodec/encoder/venc/venc_h264_if.c ++++ b/drivers/media/platform/mediatek/vcodec/encoder/venc/venc_h264_if.c +@@ -301,11 +301,12 @@ static void h264_enc_free_work_buf(struct venc_h264_inst *inst) + * other buffers need to be freed by AP. + */ + for (i = 0; i < VENC_H264_VPU_WORK_BUF_MAX; i++) { +- if (i != VENC_H264_VPU_WORK_BUF_SKIP_FRAME) ++ if (i != VENC_H264_VPU_WORK_BUF_SKIP_FRAME && inst->work_bufs[i].va) + mtk_vcodec_mem_free(inst->ctx, &inst->work_bufs[i]); + } + +- mtk_vcodec_mem_free(inst->ctx, &inst->pps_buf); ++ if (inst->pps_buf.va) ++ mtk_vcodec_mem_free(inst->ctx, &inst->pps_buf); + } + + static int h264_enc_alloc_work_buf(struct venc_h264_inst *inst, bool is_34bit) +-- +2.43.0 + diff --git a/queue-6.6/media-s2255-use-refcount_t-instead-of-atomic_t-for-n.patch b/queue-6.6/media-s2255-use-refcount_t-instead-of-atomic_t-for-n.patch new file mode 100644 index 00000000000..70cb8eee350 --- /dev/null +++ b/queue-6.6/media-s2255-use-refcount_t-instead-of-atomic_t-for-n.patch @@ -0,0 +1,109 @@ +From 1fa7c616013d0be13e867f03e480ffd0905211f8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Apr 2024 16:04:50 +0100 +Subject: media: s2255: Use refcount_t instead of atomic_t for num_channels + +From: Ricardo Ribalda + +[ Upstream commit 6cff72f6bcee89228a662435b7c47e21a391c8d0 ] + +Use an API that resembles more the actual use of num_channels. + +Found by cocci: +drivers/media/usb/s2255/s2255drv.c:2362:5-24: WARNING: atomic_dec_and_test variation before object free at line 2363. +drivers/media/usb/s2255/s2255drv.c:1557:5-24: WARNING: atomic_dec_and_test variation before object free at line 1558. + +Link: https://lore.kernel.org/linux-media/20240429-fix-cocci-v3-11-3c4865f5a4b0@chromium.org +Signed-off-by: Ricardo Ribalda +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/s2255/s2255drv.c | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +diff --git a/drivers/media/usb/s2255/s2255drv.c b/drivers/media/usb/s2255/s2255drv.c +index 3c2627712fe9d..6f78be3c42d6a 100644 +--- a/drivers/media/usb/s2255/s2255drv.c ++++ b/drivers/media/usb/s2255/s2255drv.c +@@ -247,7 +247,7 @@ struct s2255_vc { + struct s2255_dev { + struct s2255_vc vc[MAX_CHANNELS]; + struct v4l2_device v4l2_dev; +- atomic_t num_channels; ++ refcount_t num_channels; + int frames; + struct mutex lock; /* channels[].vdev.lock */ + struct mutex cmdlock; /* protects cmdbuf */ +@@ -1550,11 +1550,11 @@ static void s2255_video_device_release(struct video_device *vdev) + container_of(vdev, struct s2255_vc, vdev); + + dprintk(dev, 4, "%s, chnls: %d\n", __func__, +- atomic_read(&dev->num_channels)); ++ refcount_read(&dev->num_channels)); + + v4l2_ctrl_handler_free(&vc->hdl); + +- if (atomic_dec_and_test(&dev->num_channels)) ++ if (refcount_dec_and_test(&dev->num_channels)) + s2255_destroy(dev); + return; + } +@@ -1659,7 +1659,7 @@ static int s2255_probe_v4l(struct s2255_dev *dev) + "failed to register video device!\n"); + break; + } +- atomic_inc(&dev->num_channels); ++ refcount_inc(&dev->num_channels); + v4l2_info(&dev->v4l2_dev, "V4L2 device registered as %s\n", + video_device_node_name(&vc->vdev)); + +@@ -1667,11 +1667,11 @@ static int s2255_probe_v4l(struct s2255_dev *dev) + pr_info("Sensoray 2255 V4L driver Revision: %s\n", + S2255_VERSION); + /* if no channels registered, return error and probe will fail*/ +- if (atomic_read(&dev->num_channels) == 0) { ++ if (refcount_read(&dev->num_channels) == 0) { + v4l2_device_unregister(&dev->v4l2_dev); + return ret; + } +- if (atomic_read(&dev->num_channels) != MAX_CHANNELS) ++ if (refcount_read(&dev->num_channels) != MAX_CHANNELS) + pr_warn("s2255: Not all channels available.\n"); + return 0; + } +@@ -2220,7 +2220,7 @@ static int s2255_probe(struct usb_interface *interface, + goto errorFWDATA1; + } + +- atomic_set(&dev->num_channels, 0); ++ refcount_set(&dev->num_channels, 0); + dev->pid = id->idProduct; + dev->fw_data = kzalloc(sizeof(struct s2255_fw), GFP_KERNEL); + if (!dev->fw_data) +@@ -2340,12 +2340,12 @@ static void s2255_disconnect(struct usb_interface *interface) + { + struct s2255_dev *dev = to_s2255_dev(usb_get_intfdata(interface)); + int i; +- int channels = atomic_read(&dev->num_channels); ++ int channels = refcount_read(&dev->num_channels); + mutex_lock(&dev->lock); + v4l2_device_disconnect(&dev->v4l2_dev); + mutex_unlock(&dev->lock); + /*see comments in the uvc_driver.c usb disconnect function */ +- atomic_inc(&dev->num_channels); ++ refcount_inc(&dev->num_channels); + /* unregister each video device. */ + for (i = 0; i < channels; i++) + video_unregister_device(&dev->vc[i].vdev); +@@ -2358,7 +2358,7 @@ static void s2255_disconnect(struct usb_interface *interface) + dev->vc[i].vidstatus_ready = 1; + wake_up(&dev->vc[i].wait_vidstatus); + } +- if (atomic_dec_and_test(&dev->num_channels)) ++ if (refcount_dec_and_test(&dev->num_channels)) + s2255_destroy(dev); + dev_info(&interface->dev, "%s\n", __func__); + } +-- +2.43.0 + diff --git a/queue-6.6/net-dsa-mv88e6xxx-correct-check-for-empty-list.patch b/queue-6.6/net-dsa-mv88e6xxx-correct-check-for-empty-list.patch new file mode 100644 index 00000000000..339a53c1cd8 --- /dev/null +++ b/queue-6.6/net-dsa-mv88e6xxx-correct-check-for-empty-list.patch @@ -0,0 +1,50 @@ +From f2443039b3205e6d8a3eadbb4cf29d3f70f5d265 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Apr 2024 18:46:45 +0100 +Subject: net: dsa: mv88e6xxx: Correct check for empty list + +From: Simon Horman + +[ Upstream commit 4c7f3950a9fd53a62b156c0fe7c3a2c43b0ba19b ] + +Since commit a3c53be55c95 ("net: dsa: mv88e6xxx: Support multiple MDIO +busses") mv88e6xxx_default_mdio_bus() has checked that the +return value of list_first_entry() is non-NULL. + +This appears to be intended to guard against the list chip->mdios being +empty. However, it is not the correct check as the implementation of +list_first_entry is not designed to return NULL for empty lists. + +Instead, use list_first_entry_or_null() which does return NULL if the +list is empty. + +Flagged by Smatch. +Compile tested only. + +Reviewed-by: Andrew Lunn +Signed-off-by: Simon Horman +Link: https://lore.kernel.org/r/20240430-mv88e6xx-list_empty-v3-1-c35c69d88d2e@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/mv88e6xxx/chip.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c +index 9571e1b1e59ef..354d4af134562 100644 +--- a/drivers/net/dsa/mv88e6xxx/chip.c ++++ b/drivers/net/dsa/mv88e6xxx/chip.c +@@ -131,8 +131,8 @@ struct mii_bus *mv88e6xxx_default_mdio_bus(struct mv88e6xxx_chip *chip) + { + struct mv88e6xxx_mdio_bus *mdio_bus; + +- mdio_bus = list_first_entry(&chip->mdios, struct mv88e6xxx_mdio_bus, +- list); ++ mdio_bus = list_first_entry_or_null(&chip->mdios, ++ struct mv88e6xxx_mdio_bus, list); + if (!mdio_bus) + return NULL; + +-- +2.43.0 + diff --git a/queue-6.6/orangefs-fix-out-of-bounds-fsid-access.patch b/queue-6.6/orangefs-fix-out-of-bounds-fsid-access.patch new file mode 100644 index 00000000000..c3f438bb4fd --- /dev/null +++ b/queue-6.6/orangefs-fix-out-of-bounds-fsid-access.patch @@ -0,0 +1,43 @@ +From 22316d648820c0066c5e412a5e25de7beea38749 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 May 2024 16:20:36 -0400 +Subject: orangefs: fix out-of-bounds fsid access + +From: Mike Marshall + +[ Upstream commit 53e4efa470d5fc6a96662d2d3322cfc925818517 ] + +Arnd Bergmann sent a patch to fsdevel, he says: + +"orangefs_statfs() copies two consecutive fields of the superblock into +the statfs structure, which triggers a warning from the string fortification +helpers" + +Jan Kara suggested an alternate way to do the patch to make it more readable. + +I ran both ideas through xfstests and both seem fine. This patch +is based on Jan Kara's suggestion. + +Signed-off-by: Mike Marshall +Signed-off-by: Sasha Levin +--- + fs/orangefs/super.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/orangefs/super.c b/fs/orangefs/super.c +index 4ca8ed410c3cf..24e028c119c1b 100644 +--- a/fs/orangefs/super.c ++++ b/fs/orangefs/super.c +@@ -201,7 +201,8 @@ static int orangefs_statfs(struct dentry *dentry, struct kstatfs *buf) + (long)new_op->downcall.resp.statfs.files_avail); + + buf->f_type = sb->s_magic; +- memcpy(&buf->f_fsid, &ORANGEFS_SB(sb)->fs_id, sizeof(buf->f_fsid)); ++ buf->f_fsid.val[0] = ORANGEFS_SB(sb)->fs_id; ++ buf->f_fsid.val[1] = ORANGEFS_SB(sb)->id; + buf->f_bsize = new_op->downcall.resp.statfs.block_size; + buf->f_namelen = ORANGEFS_NAME_MAX; + +-- +2.43.0 + diff --git a/queue-6.6/powerpc-64-set-_io_base-to-poison_pointer_delta-not-.patch b/queue-6.6/powerpc-64-set-_io_base-to-poison_pointer_delta-not-.patch new file mode 100644 index 00000000000..3e9014e2f41 --- /dev/null +++ b/queue-6.6/powerpc-64-set-_io_base-to-poison_pointer_delta-not-.patch @@ -0,0 +1,49 @@ +From 99f4ce38b01ed2b1a184693eaa98026813ca76e1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 May 2024 17:56:19 +1000 +Subject: powerpc/64: Set _IO_BASE to POISON_POINTER_DELTA not 0 for + CONFIG_PCI=n + +From: Michael Ellerman + +[ Upstream commit be140f1732b523947425aaafbe2e37b41b622d96 ] + +There is code that builds with calls to IO accessors even when +CONFIG_PCI=n, but the actual calls are guarded by runtime checks. + +If not those calls would be faulting, because the page at virtual +address zero is (usually) not mapped into the kernel. As Arnd pointed +out, it is possible a large port value could cause the address to be +above mmap_min_addr which would then access userspace, which would be +a bug. + +To avoid any such issues, set _IO_BASE to POISON_POINTER_DELTA. That +is a value chosen to point into unmapped space between the kernel and +userspace, so any access will always fault. + +Note that on 32-bit POISON_POINTER_DELTA is 0, so the patch only has an +effect on 64-bit. + +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20240503075619.394467-2-mpe@ellerman.id.au +Signed-off-by: Sasha Levin +--- + arch/powerpc/include/asm/io.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/powerpc/include/asm/io.h b/arch/powerpc/include/asm/io.h +index 59cc25cb4578e..99419e87f5556 100644 +--- a/arch/powerpc/include/asm/io.h ++++ b/arch/powerpc/include/asm/io.h +@@ -37,7 +37,7 @@ extern struct pci_dev *isa_bridge_pcidev; + * define properly based on the platform + */ + #ifndef CONFIG_PCI +-#define _IO_BASE 0 ++#define _IO_BASE POISON_POINTER_DELTA + #define _ISA_MEM_BASE 0 + #define PCI_DRAM_OFFSET 0 + #elif defined(CONFIG_PPC32) +-- +2.43.0 + diff --git a/queue-6.6/powerpc-avoid-nmi_enter-nmi_exit-in-real-mode-interr.patch b/queue-6.6/powerpc-avoid-nmi_enter-nmi_exit-in-real-mode-interr.patch new file mode 100644 index 00000000000..831b75b9f7c --- /dev/null +++ b/queue-6.6/powerpc-avoid-nmi_enter-nmi_exit-in-real-mode-interr.patch @@ -0,0 +1,116 @@ +From 0aa6be87450e9562cb55c81d0b001b7aa2e5b5be Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Apr 2024 10:00:06 +0530 +Subject: powerpc: Avoid nmi_enter/nmi_exit in real mode interrupt. + +From: Mahesh Salgaonkar + +[ Upstream commit 0db880fc865ffb522141ced4bfa66c12ab1fbb70 ] + +nmi_enter()/nmi_exit() touches per cpu variables which can lead to kernel +crash when invoked during real mode interrupt handling (e.g. early HMI/MCE +interrupt handler) if percpu allocation comes from vmalloc area. + +Early HMI/MCE handlers are called through DEFINE_INTERRUPT_HANDLER_NMI() +wrapper which invokes nmi_enter/nmi_exit calls. We don't see any issue when +percpu allocation is from the embedded first chunk. However with +CONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK enabled there are chances where percpu +allocation can come from the vmalloc area. + +With kernel command line "percpu_alloc=page" we can force percpu allocation +to come from vmalloc area and can see kernel crash in machine_check_early: + +[ 1.215714] NIP [c000000000e49eb4] rcu_nmi_enter+0x24/0x110 +[ 1.215717] LR [c0000000000461a0] machine_check_early+0xf0/0x2c0 +[ 1.215719] --- interrupt: 200 +[ 1.215720] [c000000fffd73180] [0000000000000000] 0x0 (unreliable) +[ 1.215722] [c000000fffd731b0] [0000000000000000] 0x0 +[ 1.215724] [c000000fffd73210] [c000000000008364] machine_check_early_common+0x134/0x1f8 + +Fix this by avoiding use of nmi_enter()/nmi_exit() in real mode if percpu +first chunk is not embedded. + +Reviewed-by: Christophe Leroy +Tested-by: Shirisha Ganta +Signed-off-by: Mahesh Salgaonkar +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20240410043006.81577-1-mahesh@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/include/asm/interrupt.h | 10 ++++++++++ + arch/powerpc/include/asm/percpu.h | 10 ++++++++++ + arch/powerpc/kernel/setup_64.c | 2 ++ + 3 files changed, 22 insertions(+) + +diff --git a/arch/powerpc/include/asm/interrupt.h b/arch/powerpc/include/asm/interrupt.h +index a4196ab1d0167..5f9d61b2159cc 100644 +--- a/arch/powerpc/include/asm/interrupt.h ++++ b/arch/powerpc/include/asm/interrupt.h +@@ -336,6 +336,14 @@ static inline void interrupt_nmi_enter_prepare(struct pt_regs *regs, struct inte + if (IS_ENABLED(CONFIG_KASAN)) + return; + ++ /* ++ * Likewise, do not use it in real mode if percpu first chunk is not ++ * embedded. With CONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK enabled there ++ * are chances where percpu allocation can come from vmalloc area. ++ */ ++ if (percpu_first_chunk_is_paged) ++ return; ++ + /* Otherwise, it should be safe to call it */ + nmi_enter(); + } +@@ -351,6 +359,8 @@ static inline void interrupt_nmi_exit_prepare(struct pt_regs *regs, struct inter + // no nmi_exit for a pseries hash guest taking a real mode exception + } else if (IS_ENABLED(CONFIG_KASAN)) { + // no nmi_exit for KASAN in real mode ++ } else if (percpu_first_chunk_is_paged) { ++ // no nmi_exit if percpu first chunk is not embedded + } else { + nmi_exit(); + } +diff --git a/arch/powerpc/include/asm/percpu.h b/arch/powerpc/include/asm/percpu.h +index 8e5b7d0b851c6..634970ce13c6b 100644 +--- a/arch/powerpc/include/asm/percpu.h ++++ b/arch/powerpc/include/asm/percpu.h +@@ -15,6 +15,16 @@ + #endif /* CONFIG_SMP */ + #endif /* __powerpc64__ */ + ++#if defined(CONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK) && defined(CONFIG_SMP) ++#include ++DECLARE_STATIC_KEY_FALSE(__percpu_first_chunk_is_paged); ++ ++#define percpu_first_chunk_is_paged \ ++ (static_key_enabled(&__percpu_first_chunk_is_paged.key)) ++#else ++#define percpu_first_chunk_is_paged false ++#endif /* CONFIG_PPC64 && CONFIG_SMP */ ++ + #include + + #include +diff --git a/arch/powerpc/kernel/setup_64.c b/arch/powerpc/kernel/setup_64.c +index 246201d0d879e..394f209536cee 100644 +--- a/arch/powerpc/kernel/setup_64.c ++++ b/arch/powerpc/kernel/setup_64.c +@@ -834,6 +834,7 @@ static __init int pcpu_cpu_to_node(int cpu) + + unsigned long __per_cpu_offset[NR_CPUS] __read_mostly; + EXPORT_SYMBOL(__per_cpu_offset); ++DEFINE_STATIC_KEY_FALSE(__percpu_first_chunk_is_paged); + + void __init setup_per_cpu_areas(void) + { +@@ -876,6 +877,7 @@ void __init setup_per_cpu_areas(void) + if (rc < 0) + panic("cannot initialize percpu area (err=%d)", rc); + ++ static_key_enable(&__percpu_first_chunk_is_paged.key); + delta = (unsigned long)pcpu_base_addr - (unsigned long)__per_cpu_start; + for_each_possible_cpu(cpu) { + __per_cpu_offset[cpu] = delta + pcpu_unit_offsets[cpu]; +-- +2.43.0 + diff --git a/queue-6.6/powerpc-dexcr-track-the-dexcr-per-process.patch b/queue-6.6/powerpc-dexcr-track-the-dexcr-per-process.patch new file mode 100644 index 00000000000..0b82c3a9961 --- /dev/null +++ b/queue-6.6/powerpc-dexcr-track-the-dexcr-per-process.patch @@ -0,0 +1,95 @@ +From 5236722cd74a1f92589c43b268044b1ae1be1d86 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Apr 2024 21:23:18 +1000 +Subject: powerpc/dexcr: Track the DEXCR per-process + +From: Benjamin Gray + +[ Upstream commit 75171f06c4507c3b6b5a69d793879fb20d108bb1 ] + +Add capability to make the DEXCR act as a per-process SPR. + +We do not yet have an interface for changing the values per task. We +also expect the kernel to use a single DEXCR value across all tasks +while in privileged state, so there is no need to synchronize after +changing it (the userspace aspects will synchronize upon returning to +userspace). + +Signed-off-by: Benjamin Gray +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20240417112325.728010-3-bgray@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/include/asm/processor.h | 1 + + arch/powerpc/kernel/process.c | 10 ++++++++++ + arch/powerpc/kernel/ptrace/ptrace-view.c | 7 +------ + 3 files changed, 12 insertions(+), 6 deletions(-) + +diff --git a/arch/powerpc/include/asm/processor.h b/arch/powerpc/include/asm/processor.h +index b2c51d337e60c..882e31296ea6b 100644 +--- a/arch/powerpc/include/asm/processor.h ++++ b/arch/powerpc/include/asm/processor.h +@@ -260,6 +260,7 @@ struct thread_struct { + unsigned long sier2; + unsigned long sier3; + unsigned long hashkeyr; ++ unsigned long dexcr; + + #endif + }; +diff --git a/arch/powerpc/kernel/process.c b/arch/powerpc/kernel/process.c +index 9452a54d356c9..d482c3fd81d7a 100644 +--- a/arch/powerpc/kernel/process.c ++++ b/arch/powerpc/kernel/process.c +@@ -1185,6 +1185,9 @@ static inline void save_sprs(struct thread_struct *t) + + if (cpu_has_feature(CPU_FTR_DEXCR_NPHIE)) + t->hashkeyr = mfspr(SPRN_HASHKEYR); ++ ++ if (cpu_has_feature(CPU_FTR_ARCH_31)) ++ t->dexcr = mfspr(SPRN_DEXCR); + #endif + } + +@@ -1267,6 +1270,10 @@ static inline void restore_sprs(struct thread_struct *old_thread, + if (cpu_has_feature(CPU_FTR_DEXCR_NPHIE) && + old_thread->hashkeyr != new_thread->hashkeyr) + mtspr(SPRN_HASHKEYR, new_thread->hashkeyr); ++ ++ if (cpu_has_feature(CPU_FTR_ARCH_31) && ++ old_thread->dexcr != new_thread->dexcr) ++ mtspr(SPRN_DEXCR, new_thread->dexcr); + #endif + + } +@@ -1878,6 +1885,9 @@ int copy_thread(struct task_struct *p, const struct kernel_clone_args *args) + #ifdef CONFIG_PPC_BOOK3S_64 + if (cpu_has_feature(CPU_FTR_DEXCR_NPHIE)) + p->thread.hashkeyr = current->thread.hashkeyr; ++ ++ if (cpu_has_feature(CPU_FTR_ARCH_31)) ++ p->thread.dexcr = mfspr(SPRN_DEXCR); + #endif + return 0; + } +diff --git a/arch/powerpc/kernel/ptrace/ptrace-view.c b/arch/powerpc/kernel/ptrace/ptrace-view.c +index 584cf5c3df509..c1819e0a66842 100644 +--- a/arch/powerpc/kernel/ptrace/ptrace-view.c ++++ b/arch/powerpc/kernel/ptrace/ptrace-view.c +@@ -469,12 +469,7 @@ static int dexcr_get(struct task_struct *target, const struct user_regset *regse + if (!cpu_has_feature(CPU_FTR_ARCH_31)) + return -ENODEV; + +- /* +- * The DEXCR is currently static across all CPUs, so we don't +- * store the target's value anywhere, but the static value +- * will also be correct. +- */ +- membuf_store(&to, (u64)lower_32_bits(DEXCR_INIT)); ++ membuf_store(&to, (u64)lower_32_bits(target->thread.dexcr)); + + /* + * Technically the HDEXCR is per-cpu, but a hypervisor can't reasonably +-- +2.43.0 + diff --git a/queue-6.6/powerpc-xmon-check-cpu-id-in-commands-c-dp-and-dx.patch b/queue-6.6/powerpc-xmon-check-cpu-id-in-commands-c-dp-and-dx.patch new file mode 100644 index 00000000000..4b41913eb2a --- /dev/null +++ b/queue-6.6/powerpc-xmon-check-cpu-id-in-commands-c-dp-and-dx.patch @@ -0,0 +1,61 @@ +From 6870dfd22be6156c2f6522c2ccb72380c1b61e0e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Mar 2021 19:11:10 +0100 +Subject: powerpc/xmon: Check cpu id in commands "c#", "dp#" and "dx#" +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Greg Kurz + +[ Upstream commit 8873aab8646194a4446117bb617cc71bddda2dee ] + +All these commands end up peeking into the PACA using the user +originated cpu id as an index. Check the cpu id is valid in order +to prevent xmon to crash. Instead of printing an error, this follows +the same behavior as the "lp s #" command : ignore the buggy cpu id +parameter and fall back to the #-less version of the command. + +Signed-off-by: Greg Kurz +Reviewed-by: Cédric Le Goater +Signed-off-by: Michael Ellerman +Link: https://msgid.link/161531347060.252863.10490063933688958044.stgit@bahia.lan +Signed-off-by: Sasha Levin +--- + arch/powerpc/xmon/xmon.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/powerpc/xmon/xmon.c b/arch/powerpc/xmon/xmon.c +index b3b94cd377137..1d815405a3b4f 100644 +--- a/arch/powerpc/xmon/xmon.c ++++ b/arch/powerpc/xmon/xmon.c +@@ -1352,7 +1352,7 @@ static int cpu_cmd(void) + } + termch = cpu; + +- if (!scanhex(&cpu)) { ++ if (!scanhex(&cpu) || cpu >= num_possible_cpus()) { + /* print cpus waiting or in xmon */ + printf("cpus stopped:"); + last_cpu = first_cpu = NR_CPUS; +@@ -2774,7 +2774,7 @@ static void dump_pacas(void) + + termch = c; /* Put c back, it wasn't 'a' */ + +- if (scanhex(&num)) ++ if (scanhex(&num) && num < num_possible_cpus()) + dump_one_paca(num); + else + dump_one_paca(xmon_owner); +@@ -2847,7 +2847,7 @@ static void dump_xives(void) + + termch = c; /* Put c back, it wasn't 'a' */ + +- if (scanhex(&num)) ++ if (scanhex(&num) && num < num_possible_cpus()) + dump_one_xive(num); + else + dump_one_xive(xmon_owner); +-- +2.43.0 + diff --git a/queue-6.6/risc-v-kvm-fix-the-initial-sample-period-value.patch b/queue-6.6/risc-v-kvm-fix-the-initial-sample-period-value.patch new file mode 100644 index 00000000000..9b3b7cb9aea --- /dev/null +++ b/queue-6.6/risc-v-kvm-fix-the-initial-sample-period-value.patch @@ -0,0 +1,39 @@ +From 28e6d912a51d2c24234461dc4cd12093a0a2f9f3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 20 Apr 2024 08:17:26 -0700 +Subject: RISC-V: KVM: Fix the initial sample period value + +From: Atish Patra + +[ Upstream commit 57990ab90ce31aadac0d5a6293f5582e24ff7521 ] + +The initial sample period value when counter value is not assigned +should be set to maximum value supported by the counter width. +Otherwise, it may result in spurious interrupts. + +Reviewed-by: Andrew Jones +Signed-off-by: Atish Patra +Reviewed-by: Anup Patel +Link: https://lore.kernel.org/r/20240420151741.962500-11-atishp@rivosinc.com +Signed-off-by: Anup Patel +Signed-off-by: Sasha Levin +--- + arch/riscv/kvm/vcpu_pmu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/riscv/kvm/vcpu_pmu.c b/arch/riscv/kvm/vcpu_pmu.c +index 86391a5061dda..cee1b9ca4ec48 100644 +--- a/arch/riscv/kvm/vcpu_pmu.c ++++ b/arch/riscv/kvm/vcpu_pmu.c +@@ -39,7 +39,7 @@ static u64 kvm_pmu_get_sample_period(struct kvm_pmc *pmc) + u64 sample_period; + + if (!pmc->counter_val) +- sample_period = counter_val_mask + 1; ++ sample_period = counter_val_mask; + else + sample_period = (-pmc->counter_val) & counter_val_mask; + +-- +2.43.0 + diff --git a/queue-6.6/riscv-apply-sifive-cip-1200-workaround-to-single-asi.patch b/queue-6.6/riscv-apply-sifive-cip-1200-workaround-to-single-asi.patch new file mode 100644 index 00000000000..119225ab7f8 --- /dev/null +++ b/queue-6.6/riscv-apply-sifive-cip-1200-workaround-to-single-asi.patch @@ -0,0 +1,126 @@ +From d0a1c5c14b31a142957239809fe302b103ec680c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Mar 2024 21:49:48 -0700 +Subject: riscv: Apply SiFive CIP-1200 workaround to single-ASID sfence.vma + +From: Samuel Holland + +[ Upstream commit 20e03d702e00a3e0269a1d6f9549c2e370492054 ] + +commit 3f1e782998cd ("riscv: add ASID-based tlbflushing methods") added +calls to the sfence.vma instruction with rs2 != x0. These single-ASID +instruction variants are also affected by SiFive errata CIP-1200. + +Until now, the errata workaround was not needed for the single-ASID +sfence.vma variants, because they were only used when the ASID allocator +was enabled, and the affected SiFive platforms do not support multiple +ASIDs. However, we are going to start using those sfence.vma variants +regardless of ASID support, so now we need alternatives covering them. + +Signed-off-by: Samuel Holland +Link: https://lore.kernel.org/r/20240327045035.368512-8-samuel.holland@sifive.com +Signed-off-by: Palmer Dabbelt +Signed-off-by: Sasha Levin +--- + arch/riscv/include/asm/errata_list.h | 12 +++++++++++- + arch/riscv/include/asm/tlbflush.h | 19 ++++++++++++++++++- + arch/riscv/mm/tlbflush.c | 23 ----------------------- + 3 files changed, 29 insertions(+), 25 deletions(-) + +diff --git a/arch/riscv/include/asm/errata_list.h b/arch/riscv/include/asm/errata_list.h +index b55b434f00591..d3f3c237adad7 100644 +--- a/arch/riscv/include/asm/errata_list.h ++++ b/arch/riscv/include/asm/errata_list.h +@@ -44,11 +44,21 @@ ALTERNATIVE(__stringify(RISCV_PTR do_page_fault), \ + CONFIG_ERRATA_SIFIVE_CIP_453) + #else /* !__ASSEMBLY__ */ + +-#define ALT_FLUSH_TLB_PAGE(x) \ ++#define ALT_SFENCE_VMA_ASID(asid) \ ++asm(ALTERNATIVE("sfence.vma x0, %0", "sfence.vma", SIFIVE_VENDOR_ID, \ ++ ERRATA_SIFIVE_CIP_1200, CONFIG_ERRATA_SIFIVE_CIP_1200) \ ++ : : "r" (asid) : "memory") ++ ++#define ALT_SFENCE_VMA_ADDR(addr) \ + asm(ALTERNATIVE("sfence.vma %0", "sfence.vma", SIFIVE_VENDOR_ID, \ + ERRATA_SIFIVE_CIP_1200, CONFIG_ERRATA_SIFIVE_CIP_1200) \ + : : "r" (addr) : "memory") + ++#define ALT_SFENCE_VMA_ADDR_ASID(addr, asid) \ ++asm(ALTERNATIVE("sfence.vma %0, %1", "sfence.vma", SIFIVE_VENDOR_ID, \ ++ ERRATA_SIFIVE_CIP_1200, CONFIG_ERRATA_SIFIVE_CIP_1200) \ ++ : : "r" (addr), "r" (asid) : "memory") ++ + /* + * _val is marked as "will be overwritten", so need to set it to 0 + * in the default case. +diff --git a/arch/riscv/include/asm/tlbflush.h b/arch/riscv/include/asm/tlbflush.h +index 51664ae4852e7..97711d5bd8ef9 100644 +--- a/arch/riscv/include/asm/tlbflush.h ++++ b/arch/riscv/include/asm/tlbflush.h +@@ -22,10 +22,27 @@ static inline void local_flush_tlb_all(void) + __asm__ __volatile__ ("sfence.vma" : : : "memory"); + } + ++static inline void local_flush_tlb_all_asid(unsigned long asid) ++{ ++ if (asid != FLUSH_TLB_NO_ASID) ++ ALT_SFENCE_VMA_ASID(asid); ++ else ++ local_flush_tlb_all(); ++} ++ + /* Flush one page from local TLB */ + static inline void local_flush_tlb_page(unsigned long addr) + { +- ALT_FLUSH_TLB_PAGE(__asm__ __volatile__ ("sfence.vma %0" : : "r" (addr) : "memory")); ++ ALT_SFENCE_VMA_ADDR(addr); ++} ++ ++static inline void local_flush_tlb_page_asid(unsigned long addr, ++ unsigned long asid) ++{ ++ if (asid != FLUSH_TLB_NO_ASID) ++ ALT_SFENCE_VMA_ADDR_ASID(addr, asid); ++ else ++ local_flush_tlb_page(addr); + } + #else /* CONFIG_MMU */ + #define local_flush_tlb_all() do { } while (0) +diff --git a/arch/riscv/mm/tlbflush.c b/arch/riscv/mm/tlbflush.c +index bdee5de918e06..324e8cd9b5022 100644 +--- a/arch/riscv/mm/tlbflush.c ++++ b/arch/riscv/mm/tlbflush.c +@@ -6,29 +6,6 @@ + #include + #include + +-static inline void local_flush_tlb_all_asid(unsigned long asid) +-{ +- if (asid != FLUSH_TLB_NO_ASID) +- __asm__ __volatile__ ("sfence.vma x0, %0" +- : +- : "r" (asid) +- : "memory"); +- else +- local_flush_tlb_all(); +-} +- +-static inline void local_flush_tlb_page_asid(unsigned long addr, +- unsigned long asid) +-{ +- if (asid != FLUSH_TLB_NO_ASID) +- __asm__ __volatile__ ("sfence.vma %0, %1" +- : +- : "r" (addr), "r" (asid) +- : "memory"); +- else +- local_flush_tlb_page(addr); +-} +- + /* + * Flush entire TLB if number of entries to be flushed is greater + * than the threshold below. +-- +2.43.0 + diff --git a/queue-6.6/s390-mark-psw-in-__load_psw_mask-as-__unitialized.patch b/queue-6.6/s390-mark-psw-in-__load_psw_mask-as-__unitialized.patch new file mode 100644 index 00000000000..712892d6baf --- /dev/null +++ b/queue-6.6/s390-mark-psw-in-__load_psw_mask-as-__unitialized.patch @@ -0,0 +1,47 @@ +From 33f1611303b098b8b8c53ef0ca8b458126fbccbe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Apr 2024 16:30:01 +0200 +Subject: s390: Mark psw in __load_psw_mask() as __unitialized + +From: Sven Schnelle + +[ Upstream commit 7278a8fb8d032dfdc03d9b5d17e0bc451cdc1492 ] + +Without __unitialized, the following code is generated when +INIT_STACK_ALL_ZERO is enabled: + +86: d7 0f f0 a0 f0 a0 xc 160(16,%r15), 160(%r15) +8c: e3 40 f0 a0 00 24 stg %r4, 160(%r15) +92: c0 10 00 00 00 08 larl %r1, 0xa2 +98: e3 10 f0 a8 00 24 stg %r1, 168(%r15) +9e: b2 b2 f0 a0 lpswe 160(%r15) + +The xc is not adding any security because psw is fully initialized +with the following instructions. Add __unitialized to the psw +definitiation to avoid the superfluous clearing of psw. + +Reviewed-by: Heiko Carstens +Signed-off-by: Sven Schnelle +Signed-off-by: Alexander Gordeev +Signed-off-by: Sasha Levin +--- + arch/s390/include/asm/processor.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/s390/include/asm/processor.h b/arch/s390/include/asm/processor.h +index dc17896a001a9..e7338ed540d8f 100644 +--- a/arch/s390/include/asm/processor.h ++++ b/arch/s390/include/asm/processor.h +@@ -308,8 +308,8 @@ static inline void __load_psw(psw_t psw) + */ + static __always_inline void __load_psw_mask(unsigned long mask) + { ++ psw_t psw __uninitialized; + unsigned long addr; +- psw_t psw; + + psw.mask = mask; + +-- +2.43.0 + diff --git a/queue-6.6/s390-pkey-wipe-sensitive-data-on-failure.patch b/queue-6.6/s390-pkey-wipe-sensitive-data-on-failure.patch new file mode 100644 index 00000000000..08ea328b30c --- /dev/null +++ b/queue-6.6/s390-pkey-wipe-sensitive-data-on-failure.patch @@ -0,0 +1,47 @@ +From 5f37f359696c20da25dca0fe4eb32760eb98ec4e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 May 2024 17:03:18 +0200 +Subject: s390/pkey: Wipe sensitive data on failure + +From: Holger Dengler + +[ Upstream commit 1d8c270de5eb74245d72325d285894a577a945d9 ] + +Wipe sensitive data from stack also if the copy_to_user() fails. + +Suggested-by: Heiko Carstens +Reviewed-by: Harald Freudenberger +Reviewed-by: Ingo Franzki +Acked-by: Heiko Carstens +Signed-off-by: Holger Dengler +Signed-off-by: Alexander Gordeev +Signed-off-by: Sasha Levin +--- + drivers/s390/crypto/pkey_api.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/s390/crypto/pkey_api.c b/drivers/s390/crypto/pkey_api.c +index 6cfb6b2340c99..d2ffdf2491da0 100644 +--- a/drivers/s390/crypto/pkey_api.c ++++ b/drivers/s390/crypto/pkey_api.c +@@ -1369,7 +1369,7 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd, + if (rc) + break; + if (copy_to_user(ucs, &kcs, sizeof(kcs))) +- return -EFAULT; ++ rc = -EFAULT; + memzero_explicit(&kcs, sizeof(kcs)); + break; + } +@@ -1404,7 +1404,7 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd, + if (rc) + break; + if (copy_to_user(ucp, &kcp, sizeof(kcp))) +- return -EFAULT; ++ rc = -EFAULT; + memzero_explicit(&kcp, sizeof(kcp)); + break; + } +-- +2.43.0 + diff --git a/queue-6.6/scsi-mpi3mr-sanitise-num_phys.patch b/queue-6.6/scsi-mpi3mr-sanitise-num_phys.patch new file mode 100644 index 00000000000..81b96ae232d --- /dev/null +++ b/queue-6.6/scsi-mpi3mr-sanitise-num_phys.patch @@ -0,0 +1,50 @@ +From 8a4645aac3bc24d2f81ad6f8d6696935a24d2419 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Feb 2024 16:10:13 +0100 +Subject: scsi: mpi3mr: Sanitise num_phys + +From: Tomas Henzl + +[ Upstream commit 3668651def2c1622904e58b0280ee93121f2b10b ] + +Information is stored in mr_sas_port->phy_mask, values larger then size of +this field shouldn't be allowed. + +Signed-off-by: Tomas Henzl +Link: https://lore.kernel.org/r/20240226151013.8653-1-thenzl@redhat.com +Acked-by: Sathya Prakash Veerichetty +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/mpi3mr/mpi3mr_transport.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/scsi/mpi3mr/mpi3mr_transport.c b/drivers/scsi/mpi3mr/mpi3mr_transport.c +index 82b55e9557304..91c2f667a4c0b 100644 +--- a/drivers/scsi/mpi3mr/mpi3mr_transport.c ++++ b/drivers/scsi/mpi3mr/mpi3mr_transport.c +@@ -1355,11 +1355,21 @@ static struct mpi3mr_sas_port *mpi3mr_sas_port_add(struct mpi3mr_ioc *mrioc, + mpi3mr_sas_port_sanity_check(mrioc, mr_sas_node, + mr_sas_port->remote_identify.sas_address, hba_port); + ++ if (mr_sas_node->num_phys > sizeof(mr_sas_port->phy_mask) * 8) ++ ioc_info(mrioc, "max port count %u could be too high\n", ++ mr_sas_node->num_phys); ++ + for (i = 0; i < mr_sas_node->num_phys; i++) { + if ((mr_sas_node->phy[i].remote_identify.sas_address != + mr_sas_port->remote_identify.sas_address) || + (mr_sas_node->phy[i].hba_port != hba_port)) + continue; ++ ++ if (i > sizeof(mr_sas_port->phy_mask) * 8) { ++ ioc_warn(mrioc, "skipping port %u, max allowed value is %lu\n", ++ i, sizeof(mr_sas_port->phy_mask) * 8); ++ goto out_fail; ++ } + list_add_tail(&mr_sas_node->phy[i].port_siblings, + &mr_sas_port->phy_list); + mr_sas_port->num_phys++; +-- +2.43.0 + diff --git a/queue-6.6/scsi-qedf-make-qedf_execute_tmf-non-preemptible.patch b/queue-6.6/scsi-qedf-make-qedf_execute_tmf-non-preemptible.patch new file mode 100644 index 00000000000..0b0542a45b7 --- /dev/null +++ b/queue-6.6/scsi-qedf-make-qedf_execute_tmf-non-preemptible.patch @@ -0,0 +1,54 @@ +From a755209e89f277ced9547a165734f2dc78bed26c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Apr 2024 11:01:55 -0400 +Subject: scsi: qedf: Make qedf_execute_tmf() non-preemptible + +From: John Meneghini + +[ Upstream commit 0d8b637c9c5eeaa1a4e3dfb336f3ff918eb64fec ] + +Stop calling smp_processor_id() from preemptible code in +qedf_execute_tmf90. This results in BUG_ON() when running an RT kernel. + +[ 659.343280] BUG: using smp_processor_id() in preemptible [00000000] code: sg_reset/3646 +[ 659.343282] caller is qedf_execute_tmf+0x8b/0x360 [qedf] + +Tested-by: Guangwu Zhang +Cc: Saurav Kashyap +Cc: Nilesh Javali +Signed-off-by: John Meneghini +Link: https://lore.kernel.org/r/20240403150155.412954-1-jmeneghi@redhat.com +Acked-by: Saurav Kashyap +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qedf/qedf_io.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/scsi/qedf/qedf_io.c b/drivers/scsi/qedf/qedf_io.c +index 10fe3383855c0..031e605b3f427 100644 +--- a/drivers/scsi/qedf/qedf_io.c ++++ b/drivers/scsi/qedf/qedf_io.c +@@ -2331,9 +2331,6 @@ static int qedf_execute_tmf(struct qedf_rport *fcport, struct scsi_cmnd *sc_cmd, + io_req->fcport = fcport; + io_req->cmd_type = QEDF_TASK_MGMT_CMD; + +- /* Record which cpu this request is associated with */ +- io_req->cpu = smp_processor_id(); +- + /* Set TM flags */ + io_req->io_req_flags = QEDF_READ; + io_req->data_xfer_len = 0; +@@ -2355,6 +2352,9 @@ static int qedf_execute_tmf(struct qedf_rport *fcport, struct scsi_cmnd *sc_cmd, + + spin_lock_irqsave(&fcport->rport_lock, flags); + ++ /* Record which cpu this request is associated with */ ++ io_req->cpu = smp_processor_id(); ++ + sqe_idx = qedf_get_sqe_idx(fcport); + sqe = &fcport->sq[sqe_idx]; + memset(sqe, 0, sizeof(struct fcoe_wqe)); +-- +2.43.0 + diff --git a/queue-6.6/sctp-prefer-struct_size-over-open-coded-arithmetic.patch b/queue-6.6/sctp-prefer-struct_size-over-open-coded-arithmetic.patch new file mode 100644 index 00000000000..42bb6393f23 --- /dev/null +++ b/queue-6.6/sctp-prefer-struct_size-over-open-coded-arithmetic.patch @@ -0,0 +1,74 @@ +From 8a5ecad43aa11c09a3127f15452e19f81e951152 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 27 Apr 2024 19:23:36 +0200 +Subject: sctp: prefer struct_size over open coded arithmetic + +From: Erick Archer + +[ Upstream commit e5c5f3596de224422561d48eba6ece5210d967b3 ] + +This is an effort to get rid of all multiplications from allocation +functions in order to prevent integer overflows [1][2]. + +As the "ids" variable is a pointer to "struct sctp_assoc_ids" and this +structure ends in a flexible array: + +struct sctp_assoc_ids { + [...] + sctp_assoc_t gaids_assoc_id[]; +}; + +the preferred way in the kernel is to use the struct_size() helper to +do the arithmetic instead of the calculation "size + size * count" in +the kmalloc() function. + +Also, refactor the code adding the "ids_size" variable to avoid sizing +twice. + +This way, the code is more readable and safer. + +This code was detected with the help of Coccinelle, and audited and +modified manually. + +Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#open-coded-arithmetic-in-allocator-arguments [1] +Link: https://github.com/KSPP/linux/issues/160 [2] +Signed-off-by: Erick Archer +Acked-by: Xin Long +Reviewed-by: Kees Cook +Link: https://lore.kernel.org/r/PAXPR02MB724871DB78375AB06B5171C88B152@PAXPR02MB7248.eurprd02.prod.outlook.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/sctp/socket.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/net/sctp/socket.c b/net/sctp/socket.c +index 6b9fcdb0952a0..225dfacfd233f 100644 +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -7118,6 +7118,7 @@ static int sctp_getsockopt_assoc_ids(struct sock *sk, int len, + struct sctp_sock *sp = sctp_sk(sk); + struct sctp_association *asoc; + struct sctp_assoc_ids *ids; ++ size_t ids_size; + u32 num = 0; + + if (sctp_style(sk, TCP)) +@@ -7130,11 +7131,11 @@ static int sctp_getsockopt_assoc_ids(struct sock *sk, int len, + num++; + } + +- if (len < sizeof(struct sctp_assoc_ids) + sizeof(sctp_assoc_t) * num) ++ ids_size = struct_size(ids, gaids_assoc_id, num); ++ if (len < ids_size) + return -EINVAL; + +- len = sizeof(struct sctp_assoc_ids) + sizeof(sctp_assoc_t) * num; +- ++ len = ids_size; + ids = kmalloc(len, GFP_USER | __GFP_NOWARN); + if (unlikely(!ids)) + return -ENOMEM; +-- +2.43.0 + diff --git a/queue-6.6/selftests-bpf-adjust-dummy_st_ops_success-to-detect-.patch b/queue-6.6/selftests-bpf-adjust-dummy_st_ops_success-to-detect-.patch new file mode 100644 index 00000000000..c75fe0ea4da --- /dev/null +++ b/queue-6.6/selftests-bpf-adjust-dummy_st_ops_success-to-detect-.patch @@ -0,0 +1,89 @@ +From 7f3124b6b8dd4f59a711e7699e7689237d01344a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Apr 2024 18:28:18 -0700 +Subject: selftests/bpf: adjust dummy_st_ops_success to detect additional error + +From: Eduard Zingerman + +[ Upstream commit 3b3b84aacb4420226576c9732e7b539ca7b79633 ] + +As reported by Jose E. Marchesi in off-list discussion, GCC and LLVM +generate slightly different code for dummy_st_ops_success/test_1(): + + SEC("struct_ops/test_1") + int BPF_PROG(test_1, struct bpf_dummy_ops_state *state) + { + int ret; + + if (!state) + return 0xf2f3f4f5; + + ret = state->val; + state->val = 0x5a; + return ret; + } + + GCC-generated LLVM-generated + ---------------------------- --------------------------- + 0: r1 = *(u64 *)(r1 + 0x0) 0: w0 = -0xd0c0b0b + 1: if r1 == 0x0 goto 5f 1: r1 = *(u64 *)(r1 + 0x0) + 2: r0 = *(s32 *)(r1 + 0x0) 2: if r1 == 0x0 goto 6f + 3: *(u32 *)(r1 + 0x0) = 0x5a 3: r0 = *(u32 *)(r1 + 0x0) + 4: exit 4: w2 = 0x5a + 5: r0 = -0xd0c0b0b 5: *(u32 *)(r1 + 0x0) = r2 + 6: exit 6: exit + +If the 'state' argument is not marked as nullable in +net/bpf/bpf_dummy_struct_ops.c, the verifier would assume that +'r1 == 0x0' is never true: +- for the GCC version, this means that instructions #5-6 would be + marked as dead and removed; +- for the LLVM version, all instructions would be marked as live. + +The test dummy_st_ops/dummy_init_ret_value actually sets the 'state' +parameter to NULL. + +Therefore, when the 'state' argument is not marked as nullable, +the GCC-generated version of the code would trigger a NULL pointer +dereference at instruction #3. + +This patch updates the test_1() test case to always follow a shape +similar to the GCC-generated version above, in order to verify whether +the 'state' nullability is marked correctly. + +Reported-by: Jose E. Marchesi +Signed-off-by: Eduard Zingerman +Link: https://lore.kernel.org/r/20240424012821.595216-3-eddyz87@gmail.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + .../selftests/bpf/progs/dummy_st_ops_success.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/tools/testing/selftests/bpf/progs/dummy_st_ops_success.c b/tools/testing/selftests/bpf/progs/dummy_st_ops_success.c +index 1efa746c25dc7..cc7b69b001aae 100644 +--- a/tools/testing/selftests/bpf/progs/dummy_st_ops_success.c ++++ b/tools/testing/selftests/bpf/progs/dummy_st_ops_success.c +@@ -11,8 +11,17 @@ int BPF_PROG(test_1, struct bpf_dummy_ops_state *state) + { + int ret; + +- if (!state) +- return 0xf2f3f4f5; ++ /* Check that 'state' nullable status is detected correctly. ++ * If 'state' argument would be assumed non-null by verifier ++ * the code below would be deleted as dead (which it shouldn't). ++ * Hide it from the compiler behind 'asm' block to avoid ++ * unnecessary optimizations. ++ */ ++ asm volatile ( ++ "if %[state] != 0 goto +2;" ++ "r0 = 0xf2f3f4f5;" ++ "exit;" ++ ::[state]"p"(state)); + + ret = state->val; + state->val = 0x5a; +-- +2.43.0 + diff --git a/queue-6.6/selftests-bpf-do-not-pass-null-for-non-nullable-para.patch b/queue-6.6/selftests-bpf-do-not-pass-null-for-non-nullable-para.patch new file mode 100644 index 00000000000..dacf0b0e0cb --- /dev/null +++ b/queue-6.6/selftests-bpf-do-not-pass-null-for-non-nullable-para.patch @@ -0,0 +1,72 @@ +From c14f512c409137f8c2325aa2612034da6d597e69 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Apr 2024 18:28:19 -0700 +Subject: selftests/bpf: do not pass NULL for non-nullable params in + dummy_st_ops + +From: Eduard Zingerman + +[ Upstream commit f612210d456a0b969a0adca91e68dbea0e0ea301 ] + +dummy_st_ops.test_2 and dummy_st_ops.test_sleepable do not have their +'state' parameter marked as nullable. Update dummy_st_ops.c to avoid +passing NULL for such parameters, as the next patch would allow kernel +to enforce this restriction. + +Signed-off-by: Eduard Zingerman +Link: https://lore.kernel.org/r/20240424012821.595216-4-eddyz87@gmail.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/prog_tests/dummy_st_ops.c | 7 +++++-- + tools/testing/selftests/bpf/progs/dummy_st_ops_success.c | 2 +- + 2 files changed, 6 insertions(+), 3 deletions(-) + +diff --git a/tools/testing/selftests/bpf/prog_tests/dummy_st_ops.c b/tools/testing/selftests/bpf/prog_tests/dummy_st_ops.c +index f43fcb13d2c46..dd926c00f4146 100644 +--- a/tools/testing/selftests/bpf/prog_tests/dummy_st_ops.c ++++ b/tools/testing/selftests/bpf/prog_tests/dummy_st_ops.c +@@ -98,7 +98,8 @@ static void test_dummy_init_ptr_arg(void) + + static void test_dummy_multiple_args(void) + { +- __u64 args[5] = {0, -100, 0x8a5f, 'c', 0x1234567887654321ULL}; ++ struct bpf_dummy_ops_state st = { 7 }; ++ __u64 args[5] = {(__u64)&st, -100, 0x8a5f, 'c', 0x1234567887654321ULL}; + LIBBPF_OPTS(bpf_test_run_opts, attr, + .ctx_in = args, + .ctx_size_in = sizeof(args), +@@ -115,6 +116,7 @@ static void test_dummy_multiple_args(void) + fd = bpf_program__fd(skel->progs.test_2); + err = bpf_prog_test_run_opts(fd, &attr); + ASSERT_OK(err, "test_run"); ++ args[0] = 7; + for (i = 0; i < ARRAY_SIZE(args); i++) { + snprintf(name, sizeof(name), "arg %zu", i); + ASSERT_EQ(skel->bss->test_2_args[i], args[i], name); +@@ -125,7 +127,8 @@ static void test_dummy_multiple_args(void) + + static void test_dummy_sleepable(void) + { +- __u64 args[1] = {0}; ++ struct bpf_dummy_ops_state st; ++ __u64 args[1] = {(__u64)&st}; + LIBBPF_OPTS(bpf_test_run_opts, attr, + .ctx_in = args, + .ctx_size_in = sizeof(args), +diff --git a/tools/testing/selftests/bpf/progs/dummy_st_ops_success.c b/tools/testing/selftests/bpf/progs/dummy_st_ops_success.c +index cc7b69b001aae..ec0c595d47af8 100644 +--- a/tools/testing/selftests/bpf/progs/dummy_st_ops_success.c ++++ b/tools/testing/selftests/bpf/progs/dummy_st_ops_success.c +@@ -34,7 +34,7 @@ SEC("struct_ops/test_2") + int BPF_PROG(test_2, struct bpf_dummy_ops_state *state, int a1, unsigned short a2, + char a3, unsigned long a4) + { +- test_2_args[0] = (unsigned long)state; ++ test_2_args[0] = state->val; + test_2_args[1] = a1; + test_2_args[2] = a2; + test_2_args[3] = a3; +-- +2.43.0 + diff --git a/queue-6.6/selftests-bpf-dummy_st_ops-should-reject-0-for-non-n.patch b/queue-6.6/selftests-bpf-dummy_st_ops-should-reject-0-for-non-n.patch new file mode 100644 index 00000000000..cd0310d504b --- /dev/null +++ b/queue-6.6/selftests-bpf-dummy_st_ops-should-reject-0-for-non-n.patch @@ -0,0 +1,68 @@ +From 92b1112788cca8fa202ccc17e4f166a2c104bfd8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Apr 2024 18:28:21 -0700 +Subject: selftests/bpf: dummy_st_ops should reject 0 for non-nullable params + +From: Eduard Zingerman + +[ Upstream commit 6a2d30d3c5bf9f088dcfd5f3746b04d84f2fab83 ] + +Check if BPF_PROG_TEST_RUN for bpf_dummy_struct_ops programs +rejects execution if NULL is passed for non-nullable parameter. + +Signed-off-by: Eduard Zingerman +Link: https://lore.kernel.org/r/20240424012821.595216-6-eddyz87@gmail.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + .../selftests/bpf/prog_tests/dummy_st_ops.c | 27 +++++++++++++++++++ + 1 file changed, 27 insertions(+) + +diff --git a/tools/testing/selftests/bpf/prog_tests/dummy_st_ops.c b/tools/testing/selftests/bpf/prog_tests/dummy_st_ops.c +index dd926c00f4146..d3d94596ab79c 100644 +--- a/tools/testing/selftests/bpf/prog_tests/dummy_st_ops.c ++++ b/tools/testing/selftests/bpf/prog_tests/dummy_st_ops.c +@@ -147,6 +147,31 @@ static void test_dummy_sleepable(void) + dummy_st_ops_success__destroy(skel); + } + ++/* dummy_st_ops.test_sleepable() parameter is not marked as nullable, ++ * thus bpf_prog_test_run_opts() below should be rejected as it tries ++ * to pass NULL for this parameter. ++ */ ++static void test_dummy_sleepable_reject_null(void) ++{ ++ __u64 args[1] = {0}; ++ LIBBPF_OPTS(bpf_test_run_opts, attr, ++ .ctx_in = args, ++ .ctx_size_in = sizeof(args), ++ ); ++ struct dummy_st_ops_success *skel; ++ int fd, err; ++ ++ skel = dummy_st_ops_success__open_and_load(); ++ if (!ASSERT_OK_PTR(skel, "dummy_st_ops_load")) ++ return; ++ ++ fd = bpf_program__fd(skel->progs.test_sleepable); ++ err = bpf_prog_test_run_opts(fd, &attr); ++ ASSERT_EQ(err, -EINVAL, "test_run"); ++ ++ dummy_st_ops_success__destroy(skel); ++} ++ + void test_dummy_st_ops(void) + { + if (test__start_subtest("dummy_st_ops_attach")) +@@ -159,6 +184,8 @@ void test_dummy_st_ops(void) + test_dummy_multiple_args(); + if (test__start_subtest("dummy_sleepable")) + test_dummy_sleepable(); ++ if (test__start_subtest("dummy_sleepable_reject_null")) ++ test_dummy_sleepable_reject_null(); + + RUN_TESTS(dummy_st_ops_fail); + } +-- +2.43.0 + diff --git a/queue-6.6/selftests-net-fix-uninitialized-variables.patch b/queue-6.6/selftests-net-fix-uninitialized-variables.patch new file mode 100644 index 00000000000..d44d6ad9968 --- /dev/null +++ b/queue-6.6/selftests-net-fix-uninitialized-variables.patch @@ -0,0 +1,84 @@ +From ce04211a15ceefb11abc8917b13da4845b6bca37 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 May 2024 12:02:04 -0700 +Subject: selftests/net: fix uninitialized variables + +From: John Hubbard + +[ Upstream commit eb709b5f6536636dfb87b85ded0b2af9bb6cd9e6 ] + +When building with clang, via: + + make LLVM=1 -C tools/testing/selftest + +...clang warns about three variables that are not initialized in all +cases: + +1) The opt_ipproto_off variable is used uninitialized if "testname" is +not "ip". Willem de Bruijn pointed out that this is an actual bug, and +suggested the fix that I'm using here (thanks!). + +2) The addr_len is used uninitialized, but only in the assert case, + which bails out, so this is harmless. + +3) The family variable in add_listener() is only used uninitialized in + the error case (neither IPv4 nor IPv6 is specified), so it's also + harmless. + +Fix by initializing each variable. + +Signed-off-by: John Hubbard +Reviewed-by: Willem de Bruijn +Acked-by: Mat Martineau +Link: https://lore.kernel.org/r/20240506190204.28497-1-jhubbard@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/gro.c | 3 +++ + tools/testing/selftests/net/ip_local_port_range.c | 2 +- + tools/testing/selftests/net/mptcp/pm_nl_ctl.c | 2 +- + 3 files changed, 5 insertions(+), 2 deletions(-) + +diff --git a/tools/testing/selftests/net/gro.c b/tools/testing/selftests/net/gro.c +index 30024d0ed3739..b204df4f33322 100644 +--- a/tools/testing/selftests/net/gro.c ++++ b/tools/testing/selftests/net/gro.c +@@ -113,6 +113,9 @@ static void setup_sock_filter(int fd) + next_off = offsetof(struct ipv6hdr, nexthdr); + ipproto_off = ETH_HLEN + next_off; + ++ /* Overridden later if exthdrs are used: */ ++ opt_ipproto_off = ipproto_off; ++ + if (strcmp(testname, "ip") == 0) { + if (proto == PF_INET) + optlen = sizeof(struct ip_timestamp); +diff --git a/tools/testing/selftests/net/ip_local_port_range.c b/tools/testing/selftests/net/ip_local_port_range.c +index 75e3fdacdf735..2465ff5bb3a8e 100644 +--- a/tools/testing/selftests/net/ip_local_port_range.c ++++ b/tools/testing/selftests/net/ip_local_port_range.c +@@ -343,7 +343,7 @@ TEST_F(ip_local_port_range, late_bind) + struct sockaddr_in v4; + struct sockaddr_in6 v6; + } addr; +- socklen_t addr_len; ++ socklen_t addr_len = 0; + const int one = 1; + int fd, err; + __u32 range; +diff --git a/tools/testing/selftests/net/mptcp/pm_nl_ctl.c b/tools/testing/selftests/net/mptcp/pm_nl_ctl.c +index 49369c4a5f261..763402dd17742 100644 +--- a/tools/testing/selftests/net/mptcp/pm_nl_ctl.c ++++ b/tools/testing/selftests/net/mptcp/pm_nl_ctl.c +@@ -1239,7 +1239,7 @@ int add_listener(int argc, char *argv[]) + struct sockaddr_storage addr; + struct sockaddr_in6 *a6; + struct sockaddr_in *a4; +- u_int16_t family; ++ u_int16_t family = AF_UNSPEC; + int enable = 1; + int sock; + int err; +-- +2.43.0 + diff --git a/queue-6.6/serial-imx-raise-tx-trigger-level-to-8.patch b/queue-6.6/serial-imx-raise-tx-trigger-level-to-8.patch new file mode 100644 index 00000000000..d8e75b2cae6 --- /dev/null +++ b/queue-6.6/serial-imx-raise-tx-trigger-level-to-8.patch @@ -0,0 +1,45 @@ +From 1f756a46d19240f0a913e0b96e3eb93f9155e17f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 May 2024 15:37:44 +0200 +Subject: serial: imx: Raise TX trigger level to 8 + +From: Matthias Schiffer + +[ Upstream commit a3d8728ab079951741efa11360df43dbfacba7ab ] + +At the default TX trigger level of 2 in non-DMA mode (meaning that an +interrupt is generated when less than 2 characters are left in the +FIFO), we have observed frequent buffer underruns at 115200 Baud on an +i.MX8M Nano. This can cause communication issues if the receiving side +expects a continuous transfer. + +Increasing the level to 8 makes the UART trigger an interrupt earlier, +giving the kernel enough time to refill the FIFO, at the cost of +triggering one interrupt per ~24 instead of ~30 bytes of transmitted +data (as the i.MX UART has a 32 byte FIFO). + +Signed-off-by: Michael Krummsdorf +Signed-off-by: Matthias Schiffer +Link: https://lore.kernel.org/r/20240508133744.35858-1-matthias.schiffer@ew.tq-group.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/imx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/tty/serial/imx.c b/drivers/tty/serial/imx.c +index 285e0e1144c4c..a5d0df2ba5c55 100644 +--- a/drivers/tty/serial/imx.c ++++ b/drivers/tty/serial/imx.c +@@ -1320,7 +1320,7 @@ static void imx_uart_clear_rx_errors(struct imx_port *sport) + + } + +-#define TXTL_DEFAULT 2 /* reset default */ ++#define TXTL_DEFAULT 8 + #define RXTL_DEFAULT 8 /* 8 characters or aging timer */ + #define TXTL_DMA 8 /* DMA burst setting */ + #define RXTL_DMA 9 /* DMA burst setting */ +-- +2.43.0 + diff --git a/queue-6.6/series b/queue-6.6/series new file mode 100644 index 00000000000..f0d70b831c0 --- /dev/null +++ b/queue-6.6/series @@ -0,0 +1,60 @@ +locking-mutex-introduce-devm_mutex_init.patch +leds-an30259a-use-devm_mutex_init-for-mutex-initiali.patch +crypto-hisilicon-debugfs-fix-debugfs-uninit-process-.patch +drm-lima-fix-shared-irq-handling-on-driver-remove.patch +powerpc-avoid-nmi_enter-nmi_exit-in-real-mode-interr.patch +media-dvb-as102-fe-fix-as10x_register_addr-packing.patch +media-dvb-usb-dib0700_devices-add-missing-release_fi.patch +ib-core-implement-a-limit-on-umad-receive-list.patch +scsi-qedf-make-qedf_execute_tmf-non-preemptible.patch +irqchip-gic-v3-its-remove-bug_on-in-its_vpe_irq_doma.patch +selftests-bpf-adjust-dummy_st_ops_success-to-detect-.patch +selftests-bpf-do-not-pass-null-for-non-nullable-para.patch +selftests-bpf-dummy_st_ops-should-reject-0-for-non-n.patch +risc-v-kvm-fix-the-initial-sample-period-value.patch +crypto-aead-cipher-zeroize-key-buffer-after-use.patch +media-mediatek-vcodec-only-free-buffer-va-that-is-no.patch +drm-amdgpu-fix-uninitialized-variable-warnings.patch +drm-amdgpu-using-uninitialized-value-size-when-calli.patch +drm-amdgpu-initialize-timestamp-for-some-legacy-socs.patch +drm-amd-display-check-index-msg_id-before-read-or-wr.patch +drm-amd-display-check-pipe-offset-before-setting-vbl.patch +drm-amd-display-skip-finding-free-audio-for-unknown-.patch +drm-amd-display-fix-uninitialized-variables-in-dm.patch +drm-amdgpu-fix-uninitialized-scalar-variable-warning.patch +drm-amdgpu-fix-the-warning-about-the-expression-int-.patch +media-dw2102-don-t-translate-i2c-read-into-write.patch +riscv-apply-sifive-cip-1200-workaround-to-single-asi.patch +sctp-prefer-struct_size-over-open-coded-arithmetic.patch +firmware-dmi-stop-decoding-on-broken-entry.patch +input-ff-core-prefer-struct_size-over-open-coded-ari.patch +usb-xhci-prevent-potential-failure-in-handle_tx_even.patch +wifi-mt76-replace-skb_put-with-skb_put_zero.patch +wifi-mt76-mt7996-add-sanity-checks-for-background-ra.patch +thermal-drivers-mediatek-lvts_thermal-check-null-ptr.patch +net-dsa-mv88e6xxx-correct-check-for-empty-list.patch +media-dvb-frontends-tda18271c2dd-remove-casting-duri.patch +media-s2255-use-refcount_t-instead-of-atomic_t-for-n.patch +media-dvb-frontends-tda10048-fix-integer-overflow.patch +powerpc-dexcr-track-the-dexcr-per-process.patch +i2c-i801-annotate-apanel_addr-as-__ro_after_init.patch +powerpc-64-set-_io_base-to-poison_pointer_delta-not-.patch +orangefs-fix-out-of-bounds-fsid-access.patch +kunit-fix-timeout-message.patch +kunit-handle-test-faults.patch +powerpc-xmon-check-cpu-id-in-commands-c-dp-and-dx.patch +selftests-net-fix-uninitialized-variables.patch +igc-fix-a-log-entry-using-uninitialized-netdev.patch +bpf-avoid-uninitialized-value-in-bpf_core_read_bitfi.patch +f2fs-check-validation-of-fault-attrs-in-f2fs_build_f.patch +scsi-mpi3mr-sanitise-num_phys.patch +serial-imx-raise-tx-trigger-level-to-8.patch +jffs2-fix-potential-illegal-address-access-in-jffs2_.patch +s390-mark-psw-in-__load_psw_mask-as-__unitialized.patch +s390-pkey-wipe-sensitive-data-on-failure.patch +btrfs-scrub-initialize-ret-in-scrub_simple_mirror-to.patch +cdrom-rearrange-last_media_change-check-to-avoid-uni.patch +tools-power-turbostat-remember-global-max_die_id.patch +vhost-use-virtqueue-mutex-for-swapping-worker.patch +vhost-release-worker-mutex-during-flushes.patch +vhost_task-handle-sigkill-by-flushing-work-and-exiti.patch diff --git a/queue-6.6/thermal-drivers-mediatek-lvts_thermal-check-null-ptr.patch b/queue-6.6/thermal-drivers-mediatek-lvts_thermal-check-null-ptr.patch new file mode 100644 index 00000000000..35d320b524a --- /dev/null +++ b/queue-6.6/thermal-drivers-mediatek-lvts_thermal-check-null-ptr.patch @@ -0,0 +1,35 @@ +From 2432e0ca0e7c5ff60b9dafe0fe308603a770d8e6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 May 2024 15:46:03 +0200 +Subject: thermal/drivers/mediatek/lvts_thermal: Check NULL ptr on lvts_data + +From: Julien Panis + +[ Upstream commit a1191a77351e25ddf091bb1a231cae12ee598b5d ] + +Verify that lvts_data is not NULL before using it. + +Signed-off-by: Julien Panis +Signed-off-by: Daniel Lezcano +Link: https://lore.kernel.org/r/20240502-mtk-thermal-lvts-data-v1-1-65f1b0bfad37@baylibre.com +Signed-off-by: Sasha Levin +--- + drivers/thermal/mediatek/lvts_thermal.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/thermal/mediatek/lvts_thermal.c b/drivers/thermal/mediatek/lvts_thermal.c +index 666f440b66631..8d0ccf494ba22 100644 +--- a/drivers/thermal/mediatek/lvts_thermal.c ++++ b/drivers/thermal/mediatek/lvts_thermal.c +@@ -1208,6 +1208,8 @@ static int lvts_probe(struct platform_device *pdev) + return -ENOMEM; + + lvts_data = of_device_get_match_data(dev); ++ if (!lvts_data) ++ return -ENODEV; + + lvts_td->clk = devm_clk_get_enabled(dev, NULL); + if (IS_ERR(lvts_td->clk)) +-- +2.43.0 + diff --git a/queue-6.6/tools-power-turbostat-remember-global-max_die_id.patch b/queue-6.6/tools-power-turbostat-remember-global-max_die_id.patch new file mode 100644 index 00000000000..655c8636792 --- /dev/null +++ b/queue-6.6/tools-power-turbostat-remember-global-max_die_id.patch @@ -0,0 +1,65 @@ +From 9b0b3ee5b856e1cdd4bd3ada1405f7f0c036af70 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 21 Apr 2024 11:56:48 -0400 +Subject: tools/power turbostat: Remember global max_die_id + +From: Len Brown + +[ Upstream commit cda203388687aa075db6f8996c3c4549fa518ea8 ] + +This is necessary to gracefully handle sparse die_id's. + +no functional change + +Signed-off-by: Len Brown +Signed-off-by: Sasha Levin +--- + tools/power/x86/turbostat/turbostat.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/tools/power/x86/turbostat/turbostat.c b/tools/power/x86/turbostat/turbostat.c +index ffa964ddbacef..6fad5fbfb0f96 100644 +--- a/tools/power/x86/turbostat/turbostat.c ++++ b/tools/power/x86/turbostat/turbostat.c +@@ -566,6 +566,7 @@ struct topo_params { + int num_cpus; + int num_cores; + int max_cpu_num; ++ int max_die_id; + int max_node_num; + int nodes_per_pkg; + int cores_per_node; +@@ -5871,7 +5872,6 @@ void topology_probe() + int i; + int max_core_id = 0; + int max_package_id = 0; +- int max_die_id = 0; + int max_siblings = 0; + + /* Initialize num_cpus, max_cpu_num */ +@@ -5940,8 +5940,8 @@ void topology_probe() + + /* get die information */ + cpus[i].die_id = get_die_id(i); +- if (cpus[i].die_id > max_die_id) +- max_die_id = cpus[i].die_id; ++ if (cpus[i].die_id > topo.max_die_id) ++ topo.max_die_id = cpus[i].die_id; + + /* get numa node information */ + cpus[i].physical_node_id = get_physical_node_id(&cpus[i]); +@@ -5967,9 +5967,9 @@ void topology_probe() + if (!summary_only && topo.cores_per_node > 1) + BIC_PRESENT(BIC_Core); + +- topo.num_die = max_die_id + 1; ++ topo.num_die = topo.max_die_id + 1; + if (debug > 1) +- fprintf(outf, "max_die_id %d, sizing for %d die\n", max_die_id, topo.num_die); ++ fprintf(outf, "max_die_id %d, sizing for %d die\n", topo.max_die_id, topo.num_die); + if (!summary_only && topo.num_die > 1) + BIC_PRESENT(BIC_Die); + +-- +2.43.0 + diff --git a/queue-6.6/usb-xhci-prevent-potential-failure-in-handle_tx_even.patch b/queue-6.6/usb-xhci-prevent-potential-failure-in-handle_tx_even.patch new file mode 100644 index 00000000000..b71b35b42e3 --- /dev/null +++ b/queue-6.6/usb-xhci-prevent-potential-failure-in-handle_tx_even.patch @@ -0,0 +1,54 @@ +From cb97fc8e85b58525ba4557ae61e5e4ed21731989 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Apr 2024 17:02:37 +0300 +Subject: usb: xhci: prevent potential failure in handle_tx_event() for + Transfer events without TRB + +From: Niklas Neronin + +[ Upstream commit 66cb618bf0bb82859875b00eeffaf223557cb416 ] + +Some transfer events don't always point to a TRB, and consequently don't +have a endpoint ring. In these cases, function handle_tx_event() should +not proceed, because if 'ep->skip' is set, the pointer to the endpoint +ring is used. + +To prevent a potential failure and make the code logical, return after +checking the completion code for a Transfer event without TRBs. + +Signed-off-by: Niklas Neronin +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20240429140245.3955523-11-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/xhci-ring.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c +index 8dd85221cd927..592dabc785152 100644 +--- a/drivers/usb/host/xhci-ring.c ++++ b/drivers/usb/host/xhci-ring.c +@@ -2649,16 +2649,17 @@ static int handle_tx_event(struct xhci_hcd *xhci, + else + xhci_handle_halted_endpoint(xhci, ep, NULL, + EP_SOFT_RESET); +- goto cleanup; ++ break; + case COMP_RING_UNDERRUN: + case COMP_RING_OVERRUN: + case COMP_STOPPED_LENGTH_INVALID: +- goto cleanup; ++ break; + default: + xhci_err(xhci, "ERROR Transfer event for unknown stream ring slot %u ep %u\n", + slot_id, ep_index); + goto err_out; + } ++ return 0; + } + + /* Count current td numbers if ep->skip is set */ +-- +2.43.0 + diff --git a/queue-6.6/vhost-release-worker-mutex-during-flushes.patch b/queue-6.6/vhost-release-worker-mutex-during-flushes.patch new file mode 100644 index 00000000000..c7dba45ba33 --- /dev/null +++ b/queue-6.6/vhost-release-worker-mutex-during-flushes.patch @@ -0,0 +1,133 @@ +From 2a02a05871008c96f9a4078b3c575d28e9c5bedf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Mar 2024 19:47:05 -0500 +Subject: vhost: Release worker mutex during flushes + +From: Mike Christie + +[ Upstream commit ba704ff4e142fd3cfaf3379dd3b3b946754e06e3 ] + +In the next patches where the worker can be killed while in use, we +need to be able to take the worker mutex and kill queued works for +new IO and flushes, and set some new flags to prevent new +__vhost_vq_attach_worker calls from swapping in/out killed workers. + +If we are holding the worker mutex during a flush and the flush's work +is still in the queue, the worker code that will handle the SIGKILL +cleanup won't be able to take the mutex and perform it's cleanup. So +this patch has us drop the worker mutex while waiting for the flush +to complete. + +Signed-off-by: Mike Christie +Message-Id: <20240316004707.45557-8-michael.christie@oracle.com> +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Sasha Levin +--- + drivers/vhost/vhost.c | 44 +++++++++++++++++++++++++++++-------------- + 1 file changed, 30 insertions(+), 14 deletions(-) + +diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c +index 67bd947cc556d..069c8a23bff9e 100644 +--- a/drivers/vhost/vhost.c ++++ b/drivers/vhost/vhost.c +@@ -276,21 +276,36 @@ void vhost_vq_flush(struct vhost_virtqueue *vq) + EXPORT_SYMBOL_GPL(vhost_vq_flush); + + /** +- * vhost_worker_flush - flush a worker ++ * __vhost_worker_flush - flush a worker + * @worker: worker to flush + * +- * This does not use RCU to protect the worker, so the device or worker +- * mutex must be held. ++ * The worker's flush_mutex must be held. + */ +-static void vhost_worker_flush(struct vhost_worker *worker) ++static void __vhost_worker_flush(struct vhost_worker *worker) + { + struct vhost_flush_struct flush; + ++ if (!worker->attachment_cnt) ++ return; ++ + init_completion(&flush.wait_event); + vhost_work_init(&flush.work, vhost_flush_work); + + vhost_worker_queue(worker, &flush.work); ++ /* ++ * Drop mutex in case our worker is killed and it needs to take the ++ * mutex to force cleanup. ++ */ ++ mutex_unlock(&worker->mutex); + wait_for_completion(&flush.wait_event); ++ mutex_lock(&worker->mutex); ++} ++ ++static void vhost_worker_flush(struct vhost_worker *worker) ++{ ++ mutex_lock(&worker->mutex); ++ __vhost_worker_flush(worker); ++ mutex_unlock(&worker->mutex); + } + + void vhost_dev_flush(struct vhost_dev *dev) +@@ -298,15 +313,8 @@ void vhost_dev_flush(struct vhost_dev *dev) + struct vhost_worker *worker; + unsigned long i; + +- xa_for_each(&dev->worker_xa, i, worker) { +- mutex_lock(&worker->mutex); +- if (!worker->attachment_cnt) { +- mutex_unlock(&worker->mutex); +- continue; +- } ++ xa_for_each(&dev->worker_xa, i, worker) + vhost_worker_flush(worker); +- mutex_unlock(&worker->mutex); +- } + } + EXPORT_SYMBOL_GPL(vhost_dev_flush); + +@@ -685,7 +693,6 @@ static void __vhost_vq_attach_worker(struct vhost_virtqueue *vq, + * device wide flushes which doesn't use RCU for execution. + */ + mutex_lock(&old_worker->mutex); +- old_worker->attachment_cnt--; + /* + * We don't want to call synchronize_rcu for every vq during setup + * because it will slow down VM startup. If we haven't done +@@ -696,6 +703,8 @@ static void __vhost_vq_attach_worker(struct vhost_virtqueue *vq, + mutex_lock(&vq->mutex); + if (!vhost_vq_get_backend(vq) && !vq->kick) { + mutex_unlock(&vq->mutex); ++ ++ old_worker->attachment_cnt--; + mutex_unlock(&old_worker->mutex); + /* + * vsock can queue anytime after VHOST_VSOCK_SET_GUEST_CID. +@@ -711,7 +720,8 @@ static void __vhost_vq_attach_worker(struct vhost_virtqueue *vq, + /* Make sure new vq queue/flush/poll calls see the new worker */ + synchronize_rcu(); + /* Make sure whatever was queued gets run */ +- vhost_worker_flush(old_worker); ++ __vhost_worker_flush(old_worker); ++ old_worker->attachment_cnt--; + mutex_unlock(&old_worker->mutex); + } + +@@ -764,6 +774,12 @@ static int vhost_free_worker(struct vhost_dev *dev, + mutex_unlock(&worker->mutex); + return -EBUSY; + } ++ /* ++ * A flush might have raced and snuck in before attachment_cnt was set ++ * to zero. Make sure flushes are flushed from the queue before ++ * freeing. ++ */ ++ __vhost_worker_flush(worker); + mutex_unlock(&worker->mutex); + + vhost_worker_destroy(dev, worker); +-- +2.43.0 + diff --git a/queue-6.6/vhost-use-virtqueue-mutex-for-swapping-worker.patch b/queue-6.6/vhost-use-virtqueue-mutex-for-swapping-worker.patch new file mode 100644 index 00000000000..709f9ec646c --- /dev/null +++ b/queue-6.6/vhost-use-virtqueue-mutex-for-swapping-worker.patch @@ -0,0 +1,66 @@ +From 8c96758e5a7097581d2df95f2db42be293f0f52c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Mar 2024 19:47:04 -0500 +Subject: vhost: Use virtqueue mutex for swapping worker + +From: Mike Christie + +[ Upstream commit 34cf9ba5f00a222dddd9fc71de7c68fdaac7fb97 ] + +__vhost_vq_attach_worker uses the vhost_dev mutex to serialize the +swapping of a virtqueue's worker. This was done for simplicity because +we are already holding that mutex. + +In the next patches where the worker can be killed while in use, we need +finer grained locking because some drivers will hold the vhost_dev mutex +while flushing. However in the SIGKILL handler in the next patches, we +will need to be able to swap workers (set current one to NULL), kill +queued works and stop new flushes while flushes are in progress. + +To prepare us, this has us use the virtqueue mutex for swapping workers +instead of the vhost_dev one. + +Signed-off-by: Mike Christie +Message-Id: <20240316004707.45557-7-michael.christie@oracle.com> +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Sasha Levin +--- + drivers/vhost/vhost.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c +index 88362c0afe452..67bd947cc556d 100644 +--- a/drivers/vhost/vhost.c ++++ b/drivers/vhost/vhost.c +@@ -664,16 +664,22 @@ static void __vhost_vq_attach_worker(struct vhost_virtqueue *vq, + { + struct vhost_worker *old_worker; + +- old_worker = rcu_dereference_check(vq->worker, +- lockdep_is_held(&vq->dev->mutex)); +- + mutex_lock(&worker->mutex); +- worker->attachment_cnt++; +- mutex_unlock(&worker->mutex); ++ mutex_lock(&vq->mutex); ++ ++ old_worker = rcu_dereference_check(vq->worker, ++ lockdep_is_held(&vq->mutex)); + rcu_assign_pointer(vq->worker, worker); ++ worker->attachment_cnt++; + +- if (!old_worker) ++ if (!old_worker) { ++ mutex_unlock(&vq->mutex); ++ mutex_unlock(&worker->mutex); + return; ++ } ++ mutex_unlock(&vq->mutex); ++ mutex_unlock(&worker->mutex); ++ + /* + * Take the worker mutex to make sure we see the work queued from + * device wide flushes which doesn't use RCU for execution. +-- +2.43.0 + diff --git a/queue-6.6/vhost_task-handle-sigkill-by-flushing-work-and-exiti.patch b/queue-6.6/vhost_task-handle-sigkill-by-flushing-work-and-exiti.patch new file mode 100644 index 00000000000..1d2be3a95b6 --- /dev/null +++ b/queue-6.6/vhost_task-handle-sigkill-by-flushing-work-and-exiti.patch @@ -0,0 +1,298 @@ +From 72b5a8f65fba9475393e3e70d25c0ecf97b77c68 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Mar 2024 19:47:06 -0500 +Subject: vhost_task: Handle SIGKILL by flushing work and exiting + +From: Mike Christie + +[ Upstream commit db5247d9bf5c6ade9fd70b4e4897441e0269b233 ] + +Instead of lingering until the device is closed, this has us handle +SIGKILL by: + +1. marking the worker as killed so we no longer try to use it with + new virtqueues and new flush operations. +2. setting the virtqueue to worker mapping so no new works are queued. +3. running all the exiting works. + +Suggested-by: Edward Adam Davis +Reported-and-tested-by: syzbot+98edc2df894917b3431f@syzkaller.appspotmail.com +Message-Id: +Signed-off-by: Mike Christie +Message-Id: <20240316004707.45557-9-michael.christie@oracle.com> +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Sasha Levin +--- + drivers/vhost/vhost.c | 54 +++++++++++++++++++++++++++++--- + drivers/vhost/vhost.h | 2 ++ + include/linux/sched/vhost_task.h | 3 +- + kernel/vhost_task.c | 53 ++++++++++++++++++++----------- + 4 files changed, 88 insertions(+), 24 deletions(-) + +diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c +index 069c8a23bff9e..d0238bd741b08 100644 +--- a/drivers/vhost/vhost.c ++++ b/drivers/vhost/vhost.c +@@ -285,7 +285,7 @@ static void __vhost_worker_flush(struct vhost_worker *worker) + { + struct vhost_flush_struct flush; + +- if (!worker->attachment_cnt) ++ if (!worker->attachment_cnt || worker->killed) + return; + + init_completion(&flush.wait_event); +@@ -400,7 +400,7 @@ static void vhost_vq_reset(struct vhost_dev *dev, + __vhost_vq_meta_reset(vq); + } + +-static bool vhost_worker(void *data) ++static bool vhost_run_work_list(void *data) + { + struct vhost_worker *worker = data; + struct vhost_work *work, *work_next; +@@ -425,6 +425,40 @@ static bool vhost_worker(void *data) + return !!node; + } + ++static void vhost_worker_killed(void *data) ++{ ++ struct vhost_worker *worker = data; ++ struct vhost_dev *dev = worker->dev; ++ struct vhost_virtqueue *vq; ++ int i, attach_cnt = 0; ++ ++ mutex_lock(&worker->mutex); ++ worker->killed = true; ++ ++ for (i = 0; i < dev->nvqs; i++) { ++ vq = dev->vqs[i]; ++ ++ mutex_lock(&vq->mutex); ++ if (worker == ++ rcu_dereference_check(vq->worker, ++ lockdep_is_held(&vq->mutex))) { ++ rcu_assign_pointer(vq->worker, NULL); ++ attach_cnt++; ++ } ++ mutex_unlock(&vq->mutex); ++ } ++ ++ worker->attachment_cnt -= attach_cnt; ++ if (attach_cnt) ++ synchronize_rcu(); ++ /* ++ * Finish vhost_worker_flush calls and any other works that snuck in ++ * before the synchronize_rcu. ++ */ ++ vhost_run_work_list(worker); ++ mutex_unlock(&worker->mutex); ++} ++ + static void vhost_vq_free_iovecs(struct vhost_virtqueue *vq) + { + kfree(vq->indirect); +@@ -639,9 +673,11 @@ static struct vhost_worker *vhost_worker_create(struct vhost_dev *dev) + if (!worker) + return NULL; + ++ worker->dev = dev; + snprintf(name, sizeof(name), "vhost-%d", current->pid); + +- vtsk = vhost_task_create(vhost_worker, worker, name); ++ vtsk = vhost_task_create(vhost_run_work_list, vhost_worker_killed, ++ worker, name); + if (!vtsk) + goto free_worker; + +@@ -673,6 +709,11 @@ static void __vhost_vq_attach_worker(struct vhost_virtqueue *vq, + struct vhost_worker *old_worker; + + mutex_lock(&worker->mutex); ++ if (worker->killed) { ++ mutex_unlock(&worker->mutex); ++ return; ++ } ++ + mutex_lock(&vq->mutex); + + old_worker = rcu_dereference_check(vq->worker, +@@ -693,6 +734,11 @@ static void __vhost_vq_attach_worker(struct vhost_virtqueue *vq, + * device wide flushes which doesn't use RCU for execution. + */ + mutex_lock(&old_worker->mutex); ++ if (old_worker->killed) { ++ mutex_unlock(&old_worker->mutex); ++ return; ++ } ++ + /* + * We don't want to call synchronize_rcu for every vq during setup + * because it will slow down VM startup. If we haven't done +@@ -770,7 +816,7 @@ static int vhost_free_worker(struct vhost_dev *dev, + return -ENODEV; + + mutex_lock(&worker->mutex); +- if (worker->attachment_cnt) { ++ if (worker->attachment_cnt || worker->killed) { + mutex_unlock(&worker->mutex); + return -EBUSY; + } +diff --git a/drivers/vhost/vhost.h b/drivers/vhost/vhost.h +index f60d5f7bef944..8014d2b359503 100644 +--- a/drivers/vhost/vhost.h ++++ b/drivers/vhost/vhost.h +@@ -28,12 +28,14 @@ struct vhost_work { + + struct vhost_worker { + struct vhost_task *vtsk; ++ struct vhost_dev *dev; + /* Used to serialize device wide flushing with worker swapping. */ + struct mutex mutex; + struct llist_head work_list; + u64 kcov_handle; + u32 id; + int attachment_cnt; ++ bool killed; + }; + + /* Poll a file (eventfd or socket) */ +diff --git a/include/linux/sched/vhost_task.h b/include/linux/sched/vhost_task.h +index 837a23624a66a..3612de6ea1c5d 100644 +--- a/include/linux/sched/vhost_task.h ++++ b/include/linux/sched/vhost_task.h +@@ -5,7 +5,8 @@ + + struct vhost_task; + +-struct vhost_task *vhost_task_create(bool (*fn)(void *), void *arg, ++struct vhost_task *vhost_task_create(bool (*fn)(void *), ++ void (*handle_kill)(void *), void *arg, + const char *name); + void vhost_task_start(struct vhost_task *vtsk); + void vhost_task_stop(struct vhost_task *vtsk); +diff --git a/kernel/vhost_task.c b/kernel/vhost_task.c +index da35e5b7f0473..8800f5acc0071 100644 +--- a/kernel/vhost_task.c ++++ b/kernel/vhost_task.c +@@ -10,38 +10,32 @@ + + enum vhost_task_flags { + VHOST_TASK_FLAGS_STOP, ++ VHOST_TASK_FLAGS_KILLED, + }; + + struct vhost_task { + bool (*fn)(void *data); ++ void (*handle_sigkill)(void *data); + void *data; + struct completion exited; + unsigned long flags; + struct task_struct *task; ++ /* serialize SIGKILL and vhost_task_stop calls */ ++ struct mutex exit_mutex; + }; + + static int vhost_task_fn(void *data) + { + struct vhost_task *vtsk = data; +- bool dead = false; + + for (;;) { + bool did_work; + +- if (!dead && signal_pending(current)) { ++ if (signal_pending(current)) { + struct ksignal ksig; +- /* +- * Calling get_signal will block in SIGSTOP, +- * or clear fatal_signal_pending, but remember +- * what was set. +- * +- * This thread won't actually exit until all +- * of the file descriptors are closed, and +- * the release function is called. +- */ +- dead = get_signal(&ksig); +- if (dead) +- clear_thread_flag(TIF_SIGPENDING); ++ ++ if (get_signal(&ksig)) ++ break; + } + + /* mb paired w/ vhost_task_stop */ +@@ -57,7 +51,19 @@ static int vhost_task_fn(void *data) + schedule(); + } + ++ mutex_lock(&vtsk->exit_mutex); ++ /* ++ * If a vhost_task_stop and SIGKILL race, we can ignore the SIGKILL. ++ * When the vhost layer has called vhost_task_stop it's already stopped ++ * new work and flushed. ++ */ ++ if (!test_bit(VHOST_TASK_FLAGS_STOP, &vtsk->flags)) { ++ set_bit(VHOST_TASK_FLAGS_KILLED, &vtsk->flags); ++ vtsk->handle_sigkill(vtsk->data); ++ } ++ mutex_unlock(&vtsk->exit_mutex); + complete(&vtsk->exited); ++ + do_exit(0); + } + +@@ -78,12 +84,17 @@ EXPORT_SYMBOL_GPL(vhost_task_wake); + * @vtsk: vhost_task to stop + * + * vhost_task_fn ensures the worker thread exits after +- * VHOST_TASK_FLAGS_SOP becomes true. ++ * VHOST_TASK_FLAGS_STOP becomes true. + */ + void vhost_task_stop(struct vhost_task *vtsk) + { +- set_bit(VHOST_TASK_FLAGS_STOP, &vtsk->flags); +- vhost_task_wake(vtsk); ++ mutex_lock(&vtsk->exit_mutex); ++ if (!test_bit(VHOST_TASK_FLAGS_KILLED, &vtsk->flags)) { ++ set_bit(VHOST_TASK_FLAGS_STOP, &vtsk->flags); ++ vhost_task_wake(vtsk); ++ } ++ mutex_unlock(&vtsk->exit_mutex); ++ + /* + * Make sure vhost_task_fn is no longer accessing the vhost_task before + * freeing it below. +@@ -96,14 +107,16 @@ EXPORT_SYMBOL_GPL(vhost_task_stop); + /** + * vhost_task_create - create a copy of a task to be used by the kernel + * @fn: vhost worker function +- * @arg: data to be passed to fn ++ * @handle_sigkill: vhost function to handle when we are killed ++ * @arg: data to be passed to fn and handled_kill + * @name: the thread's name + * + * This returns a specialized task for use by the vhost layer or NULL on + * failure. The returned task is inactive, and the caller must fire it up + * through vhost_task_start(). + */ +-struct vhost_task *vhost_task_create(bool (*fn)(void *), void *arg, ++struct vhost_task *vhost_task_create(bool (*fn)(void *), ++ void (*handle_sigkill)(void *), void *arg, + const char *name) + { + struct kernel_clone_args args = { +@@ -122,8 +135,10 @@ struct vhost_task *vhost_task_create(bool (*fn)(void *), void *arg, + if (!vtsk) + return NULL; + init_completion(&vtsk->exited); ++ mutex_init(&vtsk->exit_mutex); + vtsk->data = arg; + vtsk->fn = fn; ++ vtsk->handle_sigkill = handle_sigkill; + + args.fn_arg = vtsk; + +-- +2.43.0 + diff --git a/queue-6.6/wifi-mt76-mt7996-add-sanity-checks-for-background-ra.patch b/queue-6.6/wifi-mt76-mt7996-add-sanity-checks-for-background-ra.patch new file mode 100644 index 00000000000..a4849adccf9 --- /dev/null +++ b/queue-6.6/wifi-mt76-mt7996-add-sanity-checks-for-background-ra.patch @@ -0,0 +1,56 @@ +From 6fd9ecad936d7ac3d1e482279b0c7bbde0b59ba5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Mar 2024 19:09:16 +0800 +Subject: wifi: mt76: mt7996: add sanity checks for background radar trigger + +From: StanleyYP Wang + +[ Upstream commit ec55d8e7dfea92daff87f5c01689633f8c4e6a62 ] + +Check if background radar is enabled or not before manually triggering it, +and also add more checks in radar detected event. + +Signed-off-by: StanleyYP Wang +Signed-off-by: Shayne Chen +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt7996/debugfs.c | 5 +++++ + drivers/net/wireless/mediatek/mt76/mt7996/mcu.c | 5 ++++- + 2 files changed, 9 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/debugfs.c b/drivers/net/wireless/mediatek/mt76/mt7996/debugfs.c +index 4d40ec7ff57f5..630520c21a47f 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7996/debugfs.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7996/debugfs.c +@@ -225,6 +225,11 @@ mt7996_radar_trigger(void *data, u64 val) + if (val > MT_RX_SEL2) + return -EINVAL; + ++ if (val == MT_RX_SEL2 && !dev->rdd2_phy) { ++ dev_err(dev->mt76.dev, "Background radar is not enabled\n"); ++ return -EINVAL; ++ } ++ + return mt7996_mcu_rdd_cmd(dev, RDD_RADAR_EMULATE, + val, 0, 0); + } +diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c +index b4ea7d0a7f5a0..b66f712e1b17b 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c +@@ -339,7 +339,10 @@ mt7996_mcu_rx_radar_detected(struct mt7996_dev *dev, struct sk_buff *skb) + if (r->band_idx >= ARRAY_SIZE(dev->mt76.phys)) + return; + +- if (dev->rdd2_phy && r->band_idx == MT_RX_SEL2) ++ if (r->band_idx == MT_RX_SEL2 && !dev->rdd2_phy) ++ return; ++ ++ if (r->band_idx == MT_RX_SEL2) + mphy = dev->rdd2_phy->mt76; + else + mphy = dev->mt76.phys[r->band_idx]; +-- +2.43.0 + diff --git a/queue-6.6/wifi-mt76-replace-skb_put-with-skb_put_zero.patch b/queue-6.6/wifi-mt76-replace-skb_put-with-skb_put_zero.patch new file mode 100644 index 00000000000..b63dcde7998 --- /dev/null +++ b/queue-6.6/wifi-mt76-replace-skb_put-with-skb_put_zero.patch @@ -0,0 +1,83 @@ +From 6993158ac33c4f1aec28971b25f94e38b3ee3ac2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Mar 2024 17:02:52 +0100 +Subject: wifi: mt76: replace skb_put with skb_put_zero + +From: Felix Fietkau + +[ Upstream commit 7f819a2f4fbc510e088b49c79addcf1734503578 ] + +Avoid potentially reusing uninitialized data + +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c | 10 +++++----- + drivers/net/wireless/mediatek/mt76/mt7915/mcu.c | 2 +- + 2 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c +index dc4fbab1e1b75..998cfd73764a9 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c ++++ b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c +@@ -255,7 +255,7 @@ mt76_connac_mcu_add_nested_tlv(struct sk_buff *skb, int tag, int len, + }; + u16 ntlv; + +- ptlv = skb_put(skb, len); ++ ptlv = skb_put_zero(skb, len); + memcpy(ptlv, &tlv, sizeof(tlv)); + + ntlv = le16_to_cpu(ntlv_hdr->tlv_num); +@@ -1654,7 +1654,7 @@ int mt76_connac_mcu_hw_scan(struct mt76_phy *phy, struct ieee80211_vif *vif, + set_bit(MT76_HW_SCANNING, &phy->state); + mvif->scan_seq_num = (mvif->scan_seq_num + 1) & 0x7f; + +- req = (struct mt76_connac_hw_scan_req *)skb_put(skb, sizeof(*req)); ++ req = (struct mt76_connac_hw_scan_req *)skb_put_zero(skb, sizeof(*req)); + + req->seq_num = mvif->scan_seq_num | mvif->band_idx << 7; + req->bss_idx = mvif->idx; +@@ -1782,7 +1782,7 @@ int mt76_connac_mcu_sched_scan_req(struct mt76_phy *phy, + + mvif->scan_seq_num = (mvif->scan_seq_num + 1) & 0x7f; + +- req = (struct mt76_connac_sched_scan_req *)skb_put(skb, sizeof(*req)); ++ req = (struct mt76_connac_sched_scan_req *)skb_put_zero(skb, sizeof(*req)); + req->version = 1; + req->seq_num = mvif->scan_seq_num | mvif->band_idx << 7; + +@@ -2416,7 +2416,7 @@ int mt76_connac_mcu_update_gtk_rekey(struct ieee80211_hw *hw, + return -ENOMEM; + + skb_put_data(skb, &hdr, sizeof(hdr)); +- gtk_tlv = (struct mt76_connac_gtk_rekey_tlv *)skb_put(skb, ++ gtk_tlv = (struct mt76_connac_gtk_rekey_tlv *)skb_put_zero(skb, + sizeof(*gtk_tlv)); + gtk_tlv->tag = cpu_to_le16(UNI_OFFLOAD_OFFLOAD_GTK_REKEY); + gtk_tlv->len = cpu_to_le16(sizeof(*gtk_tlv)); +@@ -2539,7 +2539,7 @@ mt76_connac_mcu_set_wow_pattern(struct mt76_dev *dev, + return -ENOMEM; + + skb_put_data(skb, &hdr, sizeof(hdr)); +- ptlv = (struct mt76_connac_wow_pattern_tlv *)skb_put(skb, sizeof(*ptlv)); ++ ptlv = (struct mt76_connac_wow_pattern_tlv *)skb_put_zero(skb, sizeof(*ptlv)); + ptlv->tag = cpu_to_le16(UNI_SUSPEND_WOW_PATTERN); + ptlv->len = cpu_to_le16(sizeof(*ptlv)); + ptlv->data_len = pattern->pattern_len; +diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c +index 5d8e985cd7d45..272e55ef8e2d2 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c +@@ -422,7 +422,7 @@ mt7915_mcu_add_nested_subtlv(struct sk_buff *skb, int sub_tag, int sub_len, + .len = cpu_to_le16(sub_len), + }; + +- ptlv = skb_put(skb, sub_len); ++ ptlv = skb_put_zero(skb, sub_len); + memcpy(ptlv, &tlv, sizeof(tlv)); + + le16_add_cpu(sub_ntlv, 1); +-- +2.43.0 + -- 2.47.3