From 29dbd0116f33b2c9f079a59565dfab31403a722c Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sun, 7 Apr 2024 16:11:07 -0400 Subject: [PATCH] Fixes for 5.15 Signed-off-by: Sasha Levin --- ...paround-for-mask-in-snd_soc_get_vols.patch | 42 ++++ ...asoc-rt5682-sdw-fix-locking-sequence.patch | 45 +++++ ...asoc-rt711-sdca-fix-locking-sequence.patch | 46 +++++ .../asoc-rt711-sdw-fix-locking-sequence.patch | 45 +++++ ...pci-device-id-table-declaration-comp.patch | 124 ++++++++++++ ...fix-pdc20621_get_from_dimm-on-64-bit.patch | 71 +++++++ ...dep-false-positive-in-watchqueue-pip.patch | 74 +++++++ ...use-read_once-write_once-for-running.patch | 112 +++++++++++ ...ter-weight-client-reference-over-cb_.patch | 65 ++++++ ...ewalk-usage-in-arch_dma_-clear-set-_.patch | 62 ++++++ .../scsi-mylex-fix-sysfs-buffer-lengths.patch | 189 ++++++++++++++++++ queue-5.15/series | 11 + 12 files changed, 886 insertions(+) create mode 100644 queue-5.15/asoc-ops-fix-wraparound-for-mask-in-snd_soc_get_vols.patch create mode 100644 queue-5.15/asoc-rt5682-sdw-fix-locking-sequence.patch create mode 100644 queue-5.15/asoc-rt711-sdca-fix-locking-sequence.patch create mode 100644 queue-5.15/asoc-rt711-sdw-fix-locking-sequence.patch create mode 100644 queue-5.15/ata-sata_mv-fix-pci-device-id-table-declaration-comp.patch create mode 100644 queue-5.15/ata-sata_sx4-fix-pdc20621_get_from_dimm-on-64-bit.patch create mode 100644 queue-5.15/fs-pipe-fix-lockdep-false-positive-in-watchqueue-pip.patch create mode 100644 queue-5.15/hid-uhid-use-read_once-write_once-for-running.patch create mode 100644 queue-5.15/nfsd-hold-a-lighter-weight-client-reference-over-cb_.patch create mode 100644 queue-5.15/openrisc-fix-pagewalk-usage-in-arch_dma_-clear-set-_.patch create mode 100644 queue-5.15/scsi-mylex-fix-sysfs-buffer-lengths.patch 
diff --git a/queue-5.15/asoc-ops-fix-wraparound-for-mask-in-snd_soc_get_vols.patch b/queue-5.15/asoc-ops-fix-wraparound-for-mask-in-snd_soc_get_vols.patch
new file mode 100644
index 00000000000..731844afdda
--- /dev/null
+++ b/queue-5.15/asoc-ops-fix-wraparound-for-mask-in-snd_soc_get_vols.patch
@@ -0,0 +1,42 @@
+From c000a704924aa2235f9a4f69aa94758d7dfdfcbd Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 25 Mar 2024 18:01:31 -0700
+Subject: ASoC: ops: Fix wraparound for mask in snd_soc_get_volsw
+
+From: Stephen Lee
+
+[ Upstream commit fc563aa900659a850e2ada4af26b9d7a3de6c591 ]
+
+In snd_soc_info_volsw(), mask is generated by figuring out the index of
+the most significant bit set in max and converting the index to a
+bitmask through bit shift 1. Unintended wraparound occurs when max is an
+integer value with msb bit set. Since the bit shift value 1 is treated
+as an integer type, the left shift operation will wraparound and set
+mask to 0 instead of all 1's. In order to fix this, we type cast 1 as
+`1ULL` to prevent the wraparound.
+
+Fixes: 7077148fb50a ("ASoC: core: Split ops out of soc-core.c")
+Signed-off-by: Stephen Lee
+Link: https://msgid.link/r/20240326010131.6211-1-slee08177@gmail.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/soc-ops.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/soc-ops.c b/sound/soc/soc-ops.c
+index c56379fac9272..57caa91a4376e 100644
+--- a/sound/soc/soc-ops.c
++++ b/sound/soc/soc-ops.c
+@@ -246,7 +246,7 @@ int snd_soc_get_volsw(struct snd_kcontrol *kcontrol,
+ int max = mc->max;
+ int min = mc->min;
+ int sign_bit = mc->sign_bit;
+- unsigned int mask = (1 << fls(max)) - 1;
++ unsigned int mask = (1ULL << fls(max)) - 1;
+ unsigned int invert = mc->invert;
+ int val;
+ int ret;
+--
+2.43.0
+
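Review bot: The new `unsigned int mask = (1ULL << fls(max)) - 1;` line in snd_soc_get_volsw() carries no comment explaining the 64-bit literal, and the old form was worse than a wraparound: when `fls(max)` is 32, shifting a 32-bit `int` by its full width is undefined behaviour. A one-line comment such as `/* 1ULL: fls(max) can be 32, and a 32-bit shift by 32 is undefined */` would stop the literal being "simplified" back later. Only this one function is touched; if other controls in soc-ops.c build their mask with the same `1 << fls(max)` pattern (not visible in this hunk), they need the same change. The function body continues outside the hunk.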
diff --git a/queue-5.15/asoc-rt5682-sdw-fix-locking-sequence.patch b/queue-5.15/asoc-rt5682-sdw-fix-locking-sequence.patch
new file mode 100644
index 00000000000..557a22157da
--- /dev/null
+++ b/queue-5.15/asoc-rt5682-sdw-fix-locking-sequence.patch
@@ -0,0 +1,45 @@
+From ac25a7a03ad5b893d4b45df962330374699c6e84 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 25 Mar 2024 17:18:12 -0500
+Subject: ASoC: rt5682-sdw: fix locking sequence
+
+From: Pierre-Louis Bossart
+
+[ Upstream commit 310a5caa4e861616a27a83c3e8bda17d65026fa8 ]
+
+The disable_irq_lock protects the 'disable_irq' value, we need to lock
+before testing it.
+
+Fixes: 02fb23d72720 ("ASoC: rt5682-sdw: fix for JD event handling in ClockStop Mode0")
+Signed-off-by: Pierre-Louis Bossart
+Reviewed-by: Bard Liao
+Reviewed-by: Chao Song
+Link: https://msgid.link/r/20240325221817.206465-2-pierre-louis.bossart@linux.intel.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/codecs/rt5682-sdw.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/codecs/rt5682-sdw.c b/sound/soc/codecs/rt5682-sdw.c
+index 9fdd9afe00da4..f452245b210f6 100644
+--- a/sound/soc/codecs/rt5682-sdw.c
++++ b/sound/soc/codecs/rt5682-sdw.c
+@@ -787,12 +787,12 @@ static int __maybe_unused rt5682_dev_resume(struct device *dev)
+ return 0;
+
+ if (!slave->unattach_request) {
++ mutex_lock(&rt5682->disable_irq_lock);
+ if (rt5682->disable_irq == true) {
+- mutex_lock(&rt5682->disable_irq_lock);
+ sdw_write_no_pm(slave, SDW_SCP_INTMASK1, SDW_SCP_INT1_IMPL_DEF);
+ rt5682->disable_irq = false;
+- mutex_unlock(&rt5682->disable_irq_lock);
+ }
++ mutex_unlock(&rt5682->disable_irq_lock);
+ goto regmap_sync;
+ }
+
+--
+2.43.0
+
diff --git a/queue-5.15/asoc-rt711-sdca-fix-locking-sequence.patch b/queue-5.15/asoc-rt711-sdca-fix-locking-sequence.patch
new file mode 100644
index 00000000000..2bf3f57ca04
--- /dev/null
+++ b/queue-5.15/asoc-rt711-sdca-fix-locking-sequence.patch
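Review bot: Inside the now correctly locked region of rt5682_dev_resume(), the result of `sdw_write_no_pm(slave, SDW_SCP_INTMASK1, SDW_SCP_INT1_IMPL_DEF);` is still discarded and `rt5682->disable_irq = false;` runs unconditionally, so a failed bus write leaves the interrupt masked while the flag claims it was re-enabled. Clearing the flag only on success would keep state and hardware in step, e.g. `if (!sdw_write_no_pm(slave, SDW_SCP_INTMASK1, SDW_SCP_INT1_IMPL_DEF)) rt5682->disable_irq = false;`. The same pattern appears in the rt711_sdca_dev_resume() hunk (two mask writes) and the rt711_dev_resume() hunk that follow. All three functions start and end outside their hunks, so whether a later path recovers from a failed write is not visible here.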
@@ -0,0 +1,46 @@
+From 09fcb51aab39c1f2dc9c370105cf546fa7b9e46e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 25 Mar 2024 17:18:13 -0500
+Subject: ASoC: rt711-sdca: fix locking sequence
+
+From: Pierre-Louis Bossart
+
+[ Upstream commit ee287771644394d071e6a331951ee8079b64f9a7 ]
+
+The disable_irq_lock protects the 'disable_irq' value, we need to lock
+before testing it.
+
+Fixes: 23adeb7056ac ("ASoC: rt711-sdca: fix for JD event handling in ClockStop Mode0")
+Signed-off-by: Pierre-Louis Bossart
+Reviewed-by: Bard Liao
+Reviewed-by: Chao Song
+Link: https://msgid.link/r/20240325221817.206465-3-pierre-louis.bossart@linux.intel.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/codecs/rt711-sdca-sdw.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/codecs/rt711-sdca-sdw.c b/sound/soc/codecs/rt711-sdca-sdw.c
+index 4faf6b8544ddd..25e8b9906f316 100644
+--- a/sound/soc/codecs/rt711-sdca-sdw.c
++++ b/sound/soc/codecs/rt711-sdca-sdw.c
+@@ -443,13 +443,13 @@ static int __maybe_unused rt711_sdca_dev_resume(struct device *dev)
+ return 0;
+
+ if (!slave->unattach_request) {
++ mutex_lock(&rt711->disable_irq_lock);
+ if (rt711->disable_irq == true) {
+- mutex_lock(&rt711->disable_irq_lock);
+ sdw_write_no_pm(slave, SDW_SCP_SDCA_INTMASK1, SDW_SCP_SDCA_INTMASK_SDCA_0);
+ sdw_write_no_pm(slave, SDW_SCP_SDCA_INTMASK2, SDW_SCP_SDCA_INTMASK_SDCA_8);
+ rt711->disable_irq = false;
+- mutex_unlock(&rt711->disable_irq_lock);
+ }
++ mutex_unlock(&rt711->disable_irq_lock);
+ goto regmap_sync;
+ }
+
+--
+2.43.0
+
diff --git a/queue-5.15/asoc-rt711-sdw-fix-locking-sequence.patch b/queue-5.15/asoc-rt711-sdw-fix-locking-sequence.patch
new file mode 100644
index 00000000000..52d5089fe47
--- /dev/null
+++ b/queue-5.15/asoc-rt711-sdw-fix-locking-sequence.patch
@@ -0,0 +1,45 @@
+From 9ef4a6433bdbbe097997b469518005f2d89662e9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 25 Mar 2024 17:18:14 -0500
+Subject: ASoC: rt711-sdw: fix locking sequence
+
+From: Pierre-Louis Bossart
+
+[ Upstream commit aae86cfd8790bcc7693a5a0894df58de5cb5128c ]
+
+The disable_irq_lock protects the 'disable_irq' value, we need to lock
+before testing it.
+
+Fixes: b69de265bd0e ("ASoC: rt711: fix for JD event handling in ClockStop Mode0")
+Signed-off-by: Pierre-Louis Bossart
+Reviewed-by: Bard Liao
+Reviewed-by: Chao Song
+Link: https://msgid.link/r/20240325221817.206465-4-pierre-louis.bossart@linux.intel.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/codecs/rt711-sdw.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/codecs/rt711-sdw.c b/sound/soc/codecs/rt711-sdw.c
+index 9545b8a7eb192..af7a0ab5669f4 100644
+--- a/sound/soc/codecs/rt711-sdw.c
++++ b/sound/soc/codecs/rt711-sdw.c
+@@ -542,12 +542,12 @@ static int __maybe_unused rt711_dev_resume(struct device *dev)
+ return 0;
+
+ if (!slave->unattach_request) {
++ mutex_lock(&rt711->disable_irq_lock);
+ if (rt711->disable_irq == true) {
+- mutex_lock(&rt711->disable_irq_lock);
+ sdw_write_no_pm(slave, SDW_SCP_INTMASK1, SDW_SCP_INT1_IMPL_DEF);
+ rt711->disable_irq = false;
+- mutex_unlock(&rt711->disable_irq_lock);
+ }
++ mutex_unlock(&rt711->disable_irq_lock);
+ goto regmap_sync;
+ }
+
+--
+2.43.0
+
diff --git a/queue-5.15/ata-sata_mv-fix-pci-device-id-table-declaration-comp.patch b/queue-5.15/ata-sata_mv-fix-pci-device-id-table-declaration-comp.patch
new file mode 100644
index 00000000000..1d3d247e7fa
--- /dev/null
+++ b/queue-5.15/ata-sata_mv-fix-pci-device-id-table-declaration-comp.patch
@@ -0,0 +1,124 @@
+From 827e47e8afd46d3bf158577026fbc56eb2af6367 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 3 Apr 2024 10:06:48 +0200
+Subject: ata: sata_mv: Fix PCI device ID table declaration compilation warning
+
+From: Arnd Bergmann
+
+[ Upstream commit 3137b83a90646917c90951d66489db466b4ae106 ]
+
+Building with W=1 shows a warning for an unused variable when CONFIG_PCI
+is diabled:
+
+drivers/ata/sata_mv.c:790:35: error: unused variable 'mv_pci_tbl' [-Werror,-Wunused-const-variable]
+static const struct pci_device_id mv_pci_tbl[] = {
+
+Move the table into the same block that containsn the pci_driver
+definition.
+
+Fixes: 7bb3c5290ca0 ("sata_mv: Remove PCI dependency")
+Signed-off-by: Arnd Bergmann
+Signed-off-by: Damien Le Moal
+Signed-off-by: Sasha Levin
+---
+ drivers/ata/sata_mv.c | 63 +++++++++++++++++++++----------------------
+ 1 file changed, 31 insertions(+), 32 deletions(-)
+
+diff --git a/drivers/ata/sata_mv.c b/drivers/ata/sata_mv.c
+index c53633d47bfb3..1c9dde51d456c 100644
+--- a/drivers/ata/sata_mv.c
++++ b/drivers/ata/sata_mv.c
+@@ -787,37 +787,6 @@ static const struct ata_port_info mv_port_info[] = {
+ },
+ };
+
+-static const struct pci_device_id mv_pci_tbl[] = {
+- { PCI_VDEVICE(MARVELL, 0x5040), chip_504x },
+- { PCI_VDEVICE(MARVELL, 0x5041), chip_504x },
+- { PCI_VDEVICE(MARVELL, 0x5080), chip_5080 },
+- { PCI_VDEVICE(MARVELL, 0x5081), chip_508x },
+- /* RocketRAID 1720/174x have different identifiers */
+- { PCI_VDEVICE(TTI, 0x1720), chip_6042 },
+- { PCI_VDEVICE(TTI, 0x1740), chip_6042 },
+- { PCI_VDEVICE(TTI, 0x1742), chip_6042 },
+-
+- { PCI_VDEVICE(MARVELL, 0x6040), chip_604x },
+- { PCI_VDEVICE(MARVELL, 0x6041), chip_604x },
+- { PCI_VDEVICE(MARVELL, 0x6042), chip_6042 },
+- { PCI_VDEVICE(MARVELL, 0x6080), chip_608x },
+- { PCI_VDEVICE(MARVELL, 0x6081), chip_608x },
+-
+- { PCI_VDEVICE(ADAPTEC2, 0x0241), chip_604x },
+-
+- /* Adaptec 1430SA */
+- { PCI_VDEVICE(ADAPTEC2, 0x0243), chip_7042 },
+-
+- /* Marvell 7042 support */
+- { PCI_VDEVICE(MARVELL, 0x7042), chip_7042 },
+-
+- /* Highpoint RocketRAID PCIe series */
+- { PCI_VDEVICE(TTI, 0x2300), chip_7042 },
+- { PCI_VDEVICE(TTI, 0x2310), chip_7042 },
+-
+- { } /* terminate list */
+-};
+-
+ static const struct mv_hw_ops mv5xxx_ops = {
+ .phy_errata = mv5_phy_errata,
+ .enable_leds = mv5_enable_leds,
+@@ -4311,6 +4280,36 @@ static int mv_pci_init_one(struct pci_dev *pdev,
+ static int mv_pci_device_resume(struct pci_dev *pdev);
+ #endif
+
++static const struct pci_device_id mv_pci_tbl[] = {
++ { PCI_VDEVICE(MARVELL, 0x5040), chip_504x },
++ { PCI_VDEVICE(MARVELL, 0x5041), chip_504x },
++ { PCI_VDEVICE(MARVELL, 0x5080), chip_5080 },
++ { PCI_VDEVICE(MARVELL, 0x5081), chip_508x },
++ /* RocketRAID 1720/174x have different identifiers */
++ { PCI_VDEVICE(TTI, 0x1720), chip_6042 },
++ { PCI_VDEVICE(TTI, 0x1740), chip_6042 },
++ { PCI_VDEVICE(TTI, 0x1742), chip_6042 },
++
++ { PCI_VDEVICE(MARVELL, 0x6040), chip_604x },
++ { PCI_VDEVICE(MARVELL, 0x6041), chip_604x },
++ { PCI_VDEVICE(MARVELL, 0x6042), chip_6042 },
++ { PCI_VDEVICE(MARVELL, 0x6080), chip_608x },
++ { PCI_VDEVICE(MARVELL, 0x6081), chip_608x },
++
++ { PCI_VDEVICE(ADAPTEC2, 0x0241), chip_604x },
++
++ /* Adaptec 1430SA */
++ { PCI_VDEVICE(ADAPTEC2, 0x0243), chip_7042 },
++
++ /* Marvell 7042 support */
++ { PCI_VDEVICE(MARVELL, 0x7042), chip_7042 },
++
++ /* Highpoint RocketRAID PCIe series */
++ { PCI_VDEVICE(TTI, 0x2300), chip_7042 },
++ { PCI_VDEVICE(TTI, 0x2310), chip_7042 },
++
++ { } /* terminate list */
++};
+
+ static struct pci_driver mv_pci_driver = {
+ .name = DRV_NAME,
+@@ -4323,6 +4322,7 @@ static struct pci_driver mv_pci_driver = {
+ #endif
+
+ };
++MODULE_DEVICE_TABLE(pci, mv_pci_tbl);
+
+ /**
+ * mv_print_info - Dump key info to kernel log for perusal.
+@@ -4495,7 +4495,6 @@ static void __exit mv_exit(void)
+ MODULE_AUTHOR("Brett Russ");
+ MODULE_DESCRIPTION("SCSI low-level driver for Marvell SATA controllers");
+ MODULE_LICENSE("GPL v2");
+-MODULE_DEVICE_TABLE(pci, mv_pci_tbl);
+ MODULE_VERSION(DRV_VERSION);
+ MODULE_ALIAS("platform:" DRV_NAME);
+
+--
+2.43.0
+
diff --git a/queue-5.15/ata-sata_sx4-fix-pdc20621_get_from_dimm-on-64-bit.patch b/queue-5.15/ata-sata_sx4-fix-pdc20621_get_from_dimm-on-64-bit.patch
new file mode 100644
index 00000000000..df6c14cde6e
--- /dev/null
+++ b/queue-5.15/ata-sata_sx4-fix-pdc20621_get_from_dimm-on-64-bit.patch
@@ -0,0 +1,71 @@
+From 18d590f9a71fa92d8c9d4139bbc06e8f9c3bad69 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 26 Mar 2024 15:53:37 +0100
+Subject: ata: sata_sx4: fix pdc20621_get_from_dimm() on 64-bit
+
+From: Arnd Bergmann
+
+[ Upstream commit 52f80bb181a9a1530ade30bc18991900bbb9697f ]
+
+gcc warns about a memcpy() with overlapping pointers because of an
+incorrect size calculation:
+
+In file included from include/linux/string.h:369,
+ from drivers/ata/sata_sx4.c:66:
+In function 'memcpy_fromio',
+ inlined from 'pdc20621_get_from_dimm.constprop' at drivers/ata/sata_sx4.c:962:2:
+include/linux/fortify-string.h:97:33: error: '__builtin_memcpy' accessing 4294934464 bytes at offsets 0 and [16, 16400] overlaps 6442385281 bytes at offset -2147450817 [-Werror=restrict]
+ 97 | #define __underlying_memcpy __builtin_memcpy
+ | ^
+include/linux/fortify-string.h:620:9: note: in expansion of macro '__underlying_memcpy'
+ 620 | __underlying_##op(p, q, __fortify_size); \
+ | ^~~~~~~~~~~~~
+include/linux/fortify-string.h:665:26: note: in expansion of macro '__fortify_memcpy_chk'
+ 665 | #define memcpy(p, q, s) __fortify_memcpy_chk(p, q, s, \
+ | ^~~~~~~~~~~~~~~~~~~~
+include/asm-generic/io.h:1184:9: note: in expansion of macro 'memcpy'
+ 1184 | memcpy(buffer, __io_virt(addr), size);
+ | ^~~~~~
+
+The problem here is the overflow of an unsigned 32-bit number to a
+negative that gets converted into a signed 'long', keeping a large
+positive number.
+
+Replace the complex calculation with a more readable min() variant
+that avoids the warning.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Arnd Bergmann
+Signed-off-by: Damien Le Moal
+Signed-off-by: Sasha Levin
+---
+ drivers/ata/sata_sx4.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/ata/sata_sx4.c b/drivers/ata/sata_sx4.c
+index 4c01190a5e370..c95685f693a68 100644
+--- a/drivers/ata/sata_sx4.c
++++ b/drivers/ata/sata_sx4.c
+@@ -1004,8 +1004,7 @@ static void pdc20621_get_from_dimm(struct ata_host *host, void *psource,
+
+ offset -= (idx * window_size);
+ idx++;
+- dist = ((long) (window_size - (offset + size))) >= 0 ? size :
+- (long) (window_size - offset);
++ dist = min(size, window_size - offset);
+ memcpy_fromio(psource, dimm_mmio + offset / 4, dist);
+
+ psource += dist;
+@@ -1053,8 +1052,7 @@ static void pdc20621_put_to_dimm(struct ata_host *host, void *psource,
+ readl(mmio + PDC_DIMM_WINDOW_CTLR);
+ offset -= (idx * window_size);
+ idx++;
+- dist = ((long)(s32)(window_size - (offset + size))) >= 0 ? size :
+- (long) (window_size - offset);
++ dist = min(size, window_size - offset);
+ memcpy_toio(dimm_mmio + offset / 4, psource, dist);
+ writel(0x01, mmio + PDC_GENERAL_CTLR);
+ readl(mmio + PDC_GENERAL_CTLR);
+--
+2.43.0
+
diff --git a/queue-5.15/fs-pipe-fix-lockdep-false-positive-in-watchqueue-pip.patch b/queue-5.15/fs-pipe-fix-lockdep-false-positive-in-watchqueue-pip.patch
new file mode 100644
index 00000000000..435ed731cee
--- /dev/null
+++ b/queue-5.15/fs-pipe-fix-lockdep-false-positive-in-watchqueue-pip.patch
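Review bot: `dist = min(size, window_size - offset);` bounds the MMIO copy correctly only while `offset < window_size` holds after the preceding `offset -= (idx * window_size);`, and that invariant is not stated anywhere in either hunk. The commit message describes these values as unsigned 32-bit, so if the invariant ever failed the subtraction would wrap to a large value, `min()` would select `size`, and `memcpy_fromio()`/`memcpy_toio()` would run past the mapped window. The computation of `idx` lies outside both hunks, so this is presumably guaranteed, but a comment on the new line in pdc20621_get_from_dimm() and pdc20621_put_to_dimm() would record it, e.g. `/* offset is now < window_size, so the subtraction cannot wrap */`.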
@@ -0,0 +1,74 @@
+From be7cd770fe928dd49c14b3afbbe4c298d8a6e27a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 24 Nov 2023 16:08:22 +0100
+Subject: fs/pipe: Fix lockdep false-positive in watchqueue pipe_write()
+
+From: Jann Horn
+
+[ Upstream commit 055ca83559912f2cfd91c9441427bac4caf3c74e ]
+
+When you try to splice between a normal pipe and a notification pipe,
+get_pipe_info(..., true) fails, so splice() falls back to treating the
+notification pipe like a normal pipe - so we end up in
+iter_file_splice_write(), which first locks the input pipe, then calls
+vfs_iter_write(), which locks the output pipe.
+
+Lockdep complains about that, because we're taking a pipe lock while
+already holding another pipe lock.
+
+I think this probably (?) can't actually lead to deadlocks, since you'd
+need another way to nest locking a normal pipe into locking a
+watch_queue pipe, but the lockdep annotations don't make that clear.
+
+Bail out earlier in pipe_write() for notification pipes, before taking
+the pipe lock.
+
+Reported-and-tested-by:
+Closes: https://syzkaller.appspot.com/bug?extid=011e4ea1da6692cf881c
+Fixes: c73be61cede5 ("pipe: Add general notification queue support")
+Signed-off-by: Jann Horn
+Link: https://lore.kernel.org/r/20231124150822.2121798-1-jannh@google.com
+Signed-off-by: Christian Brauner
+Signed-off-by: Sasha Levin
+---
+ fs/pipe.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/fs/pipe.c b/fs/pipe.c
+index a8b8ef2dae7b7..0a8095070b70e 100644
+--- a/fs/pipe.c
++++ b/fs/pipe.c
+@@ -423,6 +423,18 @@ pipe_write(struct kiocb *iocb, struct iov_iter *from)
+ bool was_empty = false;
+ bool wake_next_writer = false;
+
++ /*
++ * Reject writing to watch queue pipes before the point where we lock
++ * the pipe.
++ * Otherwise, lockdep would be unhappy if the caller already has another
++ * pipe locked.
++ * If we had to support locking a normal pipe and a notification pipe at
++ * the same time, we could set up lockdep annotations for that, but
++ * since we don't actually need that, it's simpler to just bail here.
++ */
++ if (pipe_has_watch_queue(pipe))
++ return -EXDEV;
++
+ /* Null write succeeds. */
+ if (unlikely(total_len == 0))
+ return 0;
+@@ -435,11 +447,6 @@ pipe_write(struct kiocb *iocb, struct iov_iter *from)
+ goto out;
+ }
+
+- if (pipe_has_watch_queue(pipe)) {
+- ret = -EXDEV;
+- goto out;
+- }
+-
+ /*
+ * If it wasn't empty we try to merge new data into
+ * the last buffer.
+--
+2.43.0
+
diff --git a/queue-5.15/hid-uhid-use-read_once-write_once-for-running.patch b/queue-5.15/hid-uhid-use-read_once-write_once-for-running.patch
new file mode 100644
index 00000000000..7e7ac16c27d
--- /dev/null
+++ b/queue-5.15/hid-uhid-use-read_once-write_once-for-running.patch
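Review bot: The early `if (pipe_has_watch_queue(pipe)) return -EXDEV;` in pipe_write() now sits above the `total_len == 0` check, so a zero-length write to a notification pipe returns -EXDEV where the removed placement let it reach `return 0` first. If that user-visible change is intended, the new block comment should say so, for example by adding the line `* Note that this also rejects zero-length writes.`. The test is also evaluated without the pipe lock, which is only sound if a pipe cannot turn into a watch-queue pipe concurrently with a write; pipe_has_watch_queue() is defined outside this hunk, so that assumption should be confirmed and noted in the same comment. pipe_write() continues outside the hunk.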
@@ -0,0 +1,112 @@
+From 652f2e382be89b8af0c340397dcd2e03609843ad Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 14 Jan 2022 14:33:31 +0100
+Subject: HID: uhid: Use READ_ONCE()/WRITE_ONCE() for ->running
+
+From: Jann Horn
+
+[ Upstream commit c8e7ff41f819b0c31c66c5196933c26c18f7681f ]
+
+The flag uhid->running can be set to false by uhid_device_add_worker()
+without holding the uhid->devlock. Mark all reads/writes of the flag
+that might race with READ_ONCE()/WRITE_ONCE() for clarity and
+correctness.
+
+Signed-off-by: Jann Horn
+Signed-off-by: Jiri Kosina
+Signed-off-by: Sasha Levin
+---
+ drivers/hid/uhid.c | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/hid/uhid.c b/drivers/hid/uhid.c
+index ba0ca652b9dab..09da654d2b05c 100644
+--- a/drivers/hid/uhid.c
++++ b/drivers/hid/uhid.c
+@@ -84,7 +84,7 @@ static void uhid_device_add_worker(struct work_struct *work)
+ * However, we do have to clear the ->running flag and do a
+ * wakeup to make sure userspace knows that the device is gone.
+ */
+- uhid->running = false;
++ WRITE_ONCE(uhid->running, false);
+ wake_up_interruptible(&uhid->report_wait);
+ }
+ }
+@@ -194,9 +194,9 @@ static int __uhid_report_queue_and_wait(struct uhid_device *uhid,
+ spin_unlock_irqrestore(&uhid->qlock, flags);
+
+ ret = wait_event_interruptible_timeout(uhid->report_wait,
+- !uhid->report_running || !uhid->running,
++ !uhid->report_running || !READ_ONCE(uhid->running),
+ 5 * HZ);
+- if (!ret || !uhid->running || uhid->report_running)
++ if (!ret || !READ_ONCE(uhid->running) || uhid->report_running)
+ ret = -EIO;
+ else if (ret < 0)
+ ret = -ERESTARTSYS;
+@@ -237,7 +237,7 @@ static int uhid_hid_get_report(struct hid_device *hid, unsigned char rnum,
+ struct uhid_event *ev;
+ int ret;
+
+- if (!uhid->running)
++ if (!READ_ONCE(uhid->running))
+ return -EIO;
+
+ ev = kzalloc(sizeof(*ev), GFP_KERNEL);
+@@ -279,7 +279,7 @@ static int uhid_hid_set_report(struct hid_device *hid, unsigned char rnum,
+ struct uhid_event *ev;
+ int ret;
+
+- if (!uhid->running || count > UHID_DATA_MAX)
++ if (!READ_ONCE(uhid->running) || count > UHID_DATA_MAX)
+ return -EIO;
+
+ ev = kzalloc(sizeof(*ev), GFP_KERNEL);
+@@ -580,7 +580,7 @@ static int uhid_dev_destroy(struct uhid_device *uhid)
+ if (!uhid->hid)
+ return -EINVAL;
+
+- uhid->running = false;
++ WRITE_ONCE(uhid->running, false);
+ wake_up_interruptible(&uhid->report_wait);
+
+ cancel_work_sync(&uhid->worker);
+@@ -594,7 +594,7 @@ static int uhid_dev_destroy(struct uhid_device *uhid)
+
+ static int uhid_dev_input(struct uhid_device *uhid, struct uhid_event *ev)
+ {
+- if (!uhid->running)
++ if (!READ_ONCE(uhid->running))
+ return -EINVAL;
+
+ hid_input_report(uhid->hid, HID_INPUT_REPORT, ev->u.input.data,
+@@ -605,7 +605,7 @@ static int uhid_dev_input(struct uhid_device *uhid, struct uhid_event *ev)
+
+ static int uhid_dev_input2(struct uhid_device *uhid, struct uhid_event *ev)
+ {
+- if (!uhid->running)
++ if (!READ_ONCE(uhid->running))
+ return -EINVAL;
+
+ hid_input_report(uhid->hid, HID_INPUT_REPORT, ev->u.input2.data,
+@@ -617,7 +617,7 @@ static int uhid_dev_input2(struct uhid_device *uhid, struct uhid_event *ev)
+ static int uhid_dev_get_report_reply(struct uhid_device *uhid,
+ struct uhid_event *ev)
+ {
+- if (!uhid->running)
++ if (!READ_ONCE(uhid->running))
+ return -EINVAL;
+
+ uhid_report_wake_up(uhid, ev->u.get_report_reply.id, ev);
+@@ -627,7 +627,7 @@ static int uhid_dev_get_report_reply(struct uhid_device *uhid,
+ static int uhid_dev_set_report_reply(struct uhid_device *uhid,
+ struct uhid_event *ev)
+ {
+- if (!uhid->running)
++ if (!READ_ONCE(uhid->running))
+ return -EINVAL;
+
+ uhid_report_wake_up(uhid, ev->u.set_report_reply.id, ev);
+--
+2.43.0
+
diff --git a/queue-5.15/nfsd-hold-a-lighter-weight-client-reference-over-cb_.patch b/queue-5.15/nfsd-hold-a-lighter-weight-client-reference-over-cb_.patch
new file mode 100644
index 00000000000..52b7c1f56ce
--- /dev/null
+++ b/queue-5.15/nfsd-hold-a-lighter-weight-client-reference-over-cb_.patch
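Review bot: READ_ONCE()/WRITE_ONCE() on `->running` only stop the compiler from tearing or re-reading the flag; they add no ordering or exclusion, so in uhid_dev_input() and uhid_dev_input2() the worker can still clear the flag between the `if (!READ_ONCE(uhid->running))` test and the `hid_input_report(uhid->hid, ...)` call that follows. The annotated sites would benefit from a comment making that contract explicit, e.g. `/* racy hint only: ->running may be cleared by uhid_device_add_worker() at any time */`, so later readers do not treat the check as a guarantee that the device is still usable. In __uhid_report_queue_and_wait() the neighbouring `uhid->report_running` in the same wait condition is still a plain read; whether `qlock` covers it is not visible in these hunks and is worth confirming. Every function touched here starts or ends outside its hunk.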
@@ -0,0 +1,65 @@
+From 07729bac319307a1e1fb725be28959f1c3c41886 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 5 Apr 2024 13:56:18 -0400
+Subject: nfsd: hold a lighter-weight client reference over CB_RECALL_ANY
+
+From: Jeff Layton
+
+[ Upstream commit 10396f4df8b75ff6ab0aa2cd74296565466f2c8d ]
+
+Currently the CB_RECALL_ANY job takes a cl_rpc_users reference to the
+client. While a callback job is technically an RPC that counter is
+really more for client-driven RPCs, and this has the effect of
+preventing the client from being unhashed until the callback completes.
+
+If nfsd decides to send a CB_RECALL_ANY just as the client reboots, we
+can end up in a situation where the callback can't complete on the (now
+dead) callback channel, but the new client can't connect because the old
+client can't be unhashed. This usually manifests as a NFS4ERR_DELAY
+return on the CREATE_SESSION operation.
+
+The job is only holding a reference to the client so it can clear a flag
+after the RPC completes. Fix this by having CB_RECALL_ANY instead hold a
+reference to the cl_nfsdfs.cl_ref. Typically we only take that sort of
+reference when dealing with the nfsdfs info files, but it should work
+appropriately here to ensure that the nfs4_client doesn't disappear.
+
+Fixes: 44df6f439a17 ("NFSD: add delegation reaper to react to low memory condition")
+Reported-by: Vladimir Benes
+Signed-off-by: Jeff Layton
+Signed-off-by: Chuck Lever
+Signed-off-by: Sasha Levin
+---
+ fs/nfsd/nfs4state.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
+index ccc235a8bc1b4..40b5b226e504d 100644
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -2889,12 +2889,9 @@ static void
+ nfsd4_cb_recall_any_release(struct nfsd4_callback *cb)
+ {
+ struct nfs4_client *clp = cb->cb_clp;
+- struct nfsd_net *nn = net_generic(clp->net, nfsd_net_id);
+
+- spin_lock(&nn->client_lock);
+ clear_bit(NFSD4_CLIENT_CB_RECALL_ANY, &clp->cl_flags);
+- put_client_renew_locked(clp);
+- spin_unlock(&nn->client_lock);
++ drop_client(clp);
+ }
+
+ static const struct nfsd4_callback_ops nfsd4_cb_recall_any_ops = {
+@@ -6234,7 +6231,7 @@ deleg_reaper(struct nfsd_net *nn)
+ list_add(&clp->cl_ra_cblist, &cblist);
+
+ /* release in nfsd4_cb_recall_any_release */
+- atomic_inc(&clp->cl_rpc_users);
++ kref_get(&clp->cl_nfsdfs.cl_ref);
+ set_bit(NFSD4_CLIENT_CB_RECALL_ANY, &clp->cl_flags);
+ clp->cl_ra_time = ktime_get_boottime_seconds();
+ }
+--
+2.43.0
+
diff --git a/queue-5.15/openrisc-fix-pagewalk-usage-in-arch_dma_-clear-set-_.patch b/queue-5.15/openrisc-fix-pagewalk-usage-in-arch_dma_-clear-set-_.patch
new file mode 100644
index 00000000000..59fc68421b0
--- /dev/null
+++ b/queue-5.15/openrisc-fix-pagewalk-usage-in-arch_dma_-clear-set-_.patch
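Review bot: `kref_get(&clp->cl_nfsdfs.cl_ref);` in deleg_reaper() is safe only while that count cannot already have dropped to zero, and nothing in this hunk shows what guarantees it. The code that would establish this (a lock that keeps the client hashed while the reaper looks at it) is outside the hunk, so the existing comment could be extended to state it, e.g. `/* client is still hashed here, so cl_ref is non-zero; released in nfsd4_cb_recall_any_release */`. If no such guarantee exists, `kref_get_unless_zero()` with a skip on failure is the defensive form. In nfsd4_cb_recall_any_release() the `drop_client(clp)` call may now be the final put, so a comment such as `/* pairs with kref_get() in deleg_reaper(); clp must not be touched after this */` would document why `clear_bit()` has to stay ahead of it.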
@@ -0,0 +1,62 @@
+From 89e6f0e2c56eb4a9460a921e5f3e9a0b3c506427 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 6 Oct 2022 20:33:01 +0200
+Subject: openrisc: Fix pagewalk usage in arch_dma_{clear, set}_uncached
+
+From: Jann Horn
+
+[ Upstream commit 28148a17c988b614534f457da86893f83664ad43 ]
+
+Since commit 8782fb61cc848 ("mm: pagewalk: Fix race between unmap and page
+walker"), walk_page_range() on kernel ranges won't work anymore,
+walk_page_range_novma() must be used instead.
+
+Note: I don't have an openrisc development setup, so this is completely
+untested.
+
+Fixes: 8782fb61cc848 ("mm: pagewalk: Fix race between unmap and page walker")
+Signed-off-by: Jann Horn
+Signed-off-by: Stafford Horne
+Signed-off-by: Sasha Levin
+---
+ arch/openrisc/kernel/dma.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/arch/openrisc/kernel/dma.c b/arch/openrisc/kernel/dma.c
+index a82b2caaa560d..b3edbb33b621d 100644
+--- a/arch/openrisc/kernel/dma.c
++++ b/arch/openrisc/kernel/dma.c
+@@ -74,10 +74,10 @@ void *arch_dma_set_uncached(void *cpu_addr, size_t size)
+ * We need to iterate through the pages, clearing the dcache for
+ * them and setting the cache-inhibit bit.
+ */
+- mmap_read_lock(&init_mm);
+- error = walk_page_range(&init_mm, va, va + size, &set_nocache_walk_ops,
+- NULL);
+- mmap_read_unlock(&init_mm);
++ mmap_write_lock(&init_mm);
++ error = walk_page_range_novma(&init_mm, va, va + size,
++ &set_nocache_walk_ops, NULL, NULL);
++ mmap_write_unlock(&init_mm);
+
+ if (error)
+ return ERR_PTR(error);
+@@ -88,11 +88,11 @@ void arch_dma_clear_uncached(void *cpu_addr, size_t size)
+ {
+ unsigned long va = (unsigned long)cpu_addr;
+
+- mmap_read_lock(&init_mm);
++ mmap_write_lock(&init_mm);
+ /* walk_page_range shouldn't be able to fail here */
+- WARN_ON(walk_page_range(&init_mm, va, va + size,
+- &clear_nocache_walk_ops, NULL));
+- mmap_read_unlock(&init_mm);
++ WARN_ON(walk_page_range_novma(&init_mm, va, va + size,
++ &clear_nocache_walk_ops, NULL, NULL));
++ mmap_write_unlock(&init_mm);
+ }
+
+ void arch_sync_dma_for_device(phys_addr_t addr, size_t size,
+--
+2.43.0
+
diff --git a/queue-5.15/scsi-mylex-fix-sysfs-buffer-lengths.patch b/queue-5.15/scsi-mylex-fix-sysfs-buffer-lengths.patch
new file mode 100644
index 00000000000..fde4092fc36
--- /dev/null
+++ b/queue-5.15/scsi-mylex-fix-sysfs-buffer-lengths.patch
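Review bot: The context comment `/* walk_page_range shouldn't be able to fail here */` in arch_dma_clear_uncached() is left naming a function the code no longer calls; it should read `/* walk_page_range_novma shouldn't be able to fail here */`. Both hunks also switch `mmap_read_lock(&init_mm)` to `mmap_write_lock(&init_mm)` without saying why in the code, and the commit message states the change is untested, so a one-line comment above each lock call giving the reason the walk over a kernel range needs the lock held for write would help the next reader judge whether it can be relaxed. arch_dma_set_uncached() begins outside its hunk.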
@@ -0,0 +1,189 @@
+From 1505d5f373c12e9065b0cb228362ed4d16ee4737 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 26 Mar 2024 23:38:06 +0100
+Subject: scsi: mylex: Fix sysfs buffer lengths
+
+From: Arnd Bergmann
+
+[ Upstream commit 1197c5b2099f716b3de327437fb50900a0b936c9 ]
+
+The myrb and myrs drivers use an odd way of implementing their sysfs files,
+calling snprintf() with a fixed length of 32 bytes to print into a page
+sized buffer. One of the strings is actually longer than 32 bytes, which
+clang can warn about:
+
+drivers/scsi/myrb.c:1906:10: error: 'snprintf' will always be truncated; specified size is 32, but format string expands to at least 34 [-Werror,-Wformat-truncation]
+drivers/scsi/myrs.c:1089:10: error: 'snprintf' will always be truncated; specified size is 32, but format string expands to at least 34 [-Werror,-Wformat-truncation]
+
+These could all be plain sprintf() without a length as the buffer is always
+long enough. On the other hand, sysfs files should not be overly long
+either, so just double the length to make sure the longest strings don't
+get truncated here.
+
+Fixes: 77266186397c ("scsi: myrs: Add Mylex RAID controller (SCSI interface)")
+Fixes: 081ff398c56c ("scsi: myrb: Add Mylex RAID controller (block interface)")
+Signed-off-by: Arnd Bergmann
+Link: https://lore.kernel.org/r/20240326223825.4084412-8-arnd@kernel.org
+Reviewed-by: Hannes Reinecke
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/myrb.c | 20 ++++++++++----------
+ drivers/scsi/myrs.c | 24 ++++++++++++------------
+ 2 files changed, 22 insertions(+), 22 deletions(-)
+
+diff --git a/drivers/scsi/myrb.c b/drivers/scsi/myrb.c
+index 386256369dfc3..2a61cb7268839 100644
+--- a/drivers/scsi/myrb.c
++++ b/drivers/scsi/myrb.c
+@@ -1775,9 +1775,9 @@ static ssize_t raid_state_show(struct device *dev,
+
+ name = myrb_devstate_name(ldev_info->state);
+ if (name)
+- ret = snprintf(buf, 32, "%s\n", name);
++ ret = snprintf(buf, 64, "%s\n", name);
+ else
+- ret = snprintf(buf, 32, "Invalid (%02X)\n",
++ ret = snprintf(buf, 64, "Invalid (%02X)\n",
+ ldev_info->state);
+ } else {
+ struct myrb_pdev_state *pdev_info = sdev->hostdata;
+@@ -1796,9 +1796,9 @@ static ssize_t raid_state_show(struct device *dev,
+ else
+ name = myrb_devstate_name(pdev_info->state);
+ if (name)
+- ret = snprintf(buf, 32, "%s\n", name);
++ ret = snprintf(buf, 64, "%s\n", name);
+ else
+- ret = snprintf(buf, 32, "Invalid (%02X)\n",
++ ret = snprintf(buf, 64, "Invalid (%02X)\n",
+ pdev_info->state);
+ }
+ return ret;
+@@ -1886,11 +1886,11 @@ static ssize_t raid_level_show(struct device *dev,
+
+ name = myrb_raidlevel_name(ldev_info->raid_level);
+ if (!name)
+- return snprintf(buf, 32, "Invalid (%02X)\n",
++ return snprintf(buf, 64, "Invalid (%02X)\n",
+ ldev_info->state);
+- return snprintf(buf, 32, "%s\n", name);
++ return snprintf(buf, 64, "%s\n", name);
+ }
+- return snprintf(buf, 32, "Physical Drive\n");
++ return snprintf(buf, 64, "Physical Drive\n");
+ }
+ static DEVICE_ATTR_RO(raid_level);
+
+@@ -1903,15 +1903,15 @@ static ssize_t rebuild_show(struct device *dev,
+ unsigned char status;
+
+ if (sdev->channel < myrb_logical_channel(sdev->host))
+- return snprintf(buf, 32, "physical device - not rebuilding\n");
++ return snprintf(buf, 64, "physical device - not rebuilding\n");
+
+ status = myrb_get_rbld_progress(cb, &rbld_buf);
+
+ if (rbld_buf.ldev_num != sdev->id ||
+ status != MYRB_STATUS_SUCCESS)
+- return snprintf(buf, 32, "not rebuilding\n");
++ return snprintf(buf, 64, "not rebuilding\n");
+
+- return snprintf(buf, 32, "rebuilding block %u of %u\n",
++ return snprintf(buf, 64, "rebuilding block %u of %u\n",
+ rbld_buf.ldev_size - rbld_buf.blocks_left,
+ rbld_buf.ldev_size);
+ }
+diff --git a/drivers/scsi/myrs.c b/drivers/scsi/myrs.c
+index a4d244ee4548c..3f05f13fb107a 100644
+--- a/drivers/scsi/myrs.c
++++ b/drivers/scsi/myrs.c
+@@ -949,9 +949,9 @@ static ssize_t raid_state_show(struct device *dev,
+
+ name = myrs_devstate_name(ldev_info->dev_state);
+ if (name)
+- ret = snprintf(buf, 32, "%s\n", name);
++ ret = snprintf(buf, 64, "%s\n", name);
+ else
+- ret = snprintf(buf, 32, "Invalid (%02X)\n",
++ ret = snprintf(buf, 64, "Invalid (%02X)\n",
+ ldev_info->dev_state);
+ } else {
+ struct myrs_pdev_info *pdev_info;
+@@ -960,9 +960,9 @@ static ssize_t raid_state_show(struct device *dev,
+ pdev_info = sdev->hostdata;
+ name = myrs_devstate_name(pdev_info->dev_state);
+ if (name)
+- ret = snprintf(buf, 32, "%s\n", name);
++ ret = snprintf(buf, 64, "%s\n", name);
+ else
+- ret = snprintf(buf, 32, "Invalid (%02X)\n",
++ ret = snprintf(buf, 64, "Invalid (%02X)\n",
+ pdev_info->dev_state);
+ }
+ return ret;
+@@ -1068,13 +1068,13 @@ static ssize_t raid_level_show(struct device *dev,
+ ldev_info = sdev->hostdata;
+ name = myrs_raid_level_name(ldev_info->raid_level);
+ if (!name)
+- return snprintf(buf, 32, "Invalid (%02X)\n",
++ return snprintf(buf, 64, "Invalid (%02X)\n",
+ ldev_info->dev_state);
+
+ } else
+ name = myrs_raid_level_name(MYRS_RAID_PHYSICAL);
+
+- return snprintf(buf, 32, "%s\n", name);
++ return snprintf(buf, 64, "%s\n", name);
+ }
+ static DEVICE_ATTR_RO(raid_level);
+
+@@ -1088,7 +1088,7 @@ static ssize_t rebuild_show(struct device *dev,
+ unsigned char status;
+
+ if (sdev->channel < cs->ctlr_info->physchan_present)
+- return snprintf(buf, 32, "physical device - not rebuilding\n");
++ return snprintf(buf, 64, "physical device - not rebuilding\n");
+
+ ldev_info = sdev->hostdata;
+ ldev_num = ldev_info->ldev_num;
+@@ -1100,11 +1100,11 @@ static ssize_t rebuild_show(struct device *dev,
+ return -EIO;
+ }
+ if (ldev_info->rbld_active) {
+- return snprintf(buf, 32, "rebuilding block %zu of %zu\n",
++ return snprintf(buf, 64, "rebuilding block %zu of %zu\n",
+ (size_t)ldev_info->rbld_lba,
+ (size_t)ldev_info->cfg_devsize);
+ } else
+- return snprintf(buf, 32, "not rebuilding\n");
++ return snprintf(buf, 64, "not rebuilding\n");
+ }
+
+ static ssize_t rebuild_store(struct device *dev,
+@@ -1192,7 +1192,7 @@ static ssize_t consistency_check_show(struct device *dev,
+ unsigned short ldev_num;
+
+ if (sdev->channel < cs->ctlr_info->physchan_present)
+- return snprintf(buf, 32, "physical device - not checking\n");
++ return snprintf(buf, 64, "physical device - not checking\n");
+
+ ldev_info = sdev->hostdata;
+ if (!ldev_info)
+@@ -1200,11 +1200,11 @@ static ssize_t consistency_check_show(struct device *dev,
+ ldev_num = ldev_info->ldev_num;
+ myrs_get_ldev_info(cs, ldev_num, ldev_info);
+ if (ldev_info->cc_active)
+- return snprintf(buf, 32, "checking block %zu of %zu\n",
++ return snprintf(buf, 64, "checking block %zu of %zu\n",
+ (size_t)ldev_info->cc_lba,
+ (size_t)ldev_info->cfg_devsize);
+ else
+- return snprintf(buf, 32, "not checking\n");
++ return snprintf(buf, 64, "not checking\n");
+ }
+
+ static ssize_t consistency_check_store(struct device *dev,
+--
+2.43.0
+
diff --git a/queue-5.15/series b/queue-5.15/series
index d3554d6fc64..cb79ca3a5da 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
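Review bot: Every show() callback touched in myrb.c and myrs.c still returns the result of `snprintf(buf, 64, ...)`, and snprintf() returns the length the output would have had, so any string that exceeds the new limit makes the callback report more bytes than it wrote. The `"%s\n"` cases depend on the lengths of the names returned by myrb_devstate_name(), myrb_raidlevel_name(), myrs_devstate_name() and myrs_raid_level_name(), which are not visible here, so 64 is another magic bound rather than a guarantee. Since the commit message says buf is the page-sized sysfs buffer, `return sysfs_emit(buf, "%s\n", name);` (and the same for the other format strings) would bound the write to the page and return the bytes actually written. Separately, the "Invalid" branch of raid_level_show() in both files prints `ldev_info->state` / `ldev_info->dev_state` after the raid_level lookup failed, which looks like the wrong field; `ldev_info->raid_level` is presumably what was meant. All of these function bodies start or end outside the hunks.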
@@ -664,3 +664,14 @@ net-usb-asix-suspend-embedded-phy-if-external-is-use.patch
 drivers-net-convert-to-boolean-for-the-mac_managed_p.patch
 net-fec-set-mac_managed_pm-during-probe.patch
 net-ravb-always-process-tx-descriptor-ring.patch
+asoc-rt5682-sdw-fix-locking-sequence.patch
+asoc-rt711-sdca-fix-locking-sequence.patch
+asoc-rt711-sdw-fix-locking-sequence.patch
+asoc-ops-fix-wraparound-for-mask-in-snd_soc_get_vols.patch
+ata-sata_sx4-fix-pdc20621_get_from_dimm-on-64-bit.patch
+scsi-mylex-fix-sysfs-buffer-lengths.patch
+ata-sata_mv-fix-pci-device-id-table-declaration-comp.patch
+nfsd-hold-a-lighter-weight-client-reference-over-cb_.patch
+hid-uhid-use-read_once-write_once-for-running.patch
+openrisc-fix-pagewalk-usage-in-arch_dma_-clear-set-_.patch
+fs-pipe-fix-lockdep-false-positive-in-watchqueue-pip.patch
--
2.39.5