From 2db12c985543cd9d196ce6e9dc655340cc8fb532 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Fri, 5 Jul 2024 15:22:24 -0400 Subject: [PATCH] Revert "Fixes for 5.15" This reverts commit 061446834b0c07cca80d42b3fccf7f2f8fd07768. Signed-off-by: Sasha Levin --- ...ialized-value-in-bpf_core_read_bitfi.patch | 59 ------ ...-cipher-zeroize-key-buffer-after-use.patch | 53 ----- ...check-index-msg_id-before-read-or-wr.patch | 56 ----- ...check-pipe-offset-before-setting-vbl.patch | 45 ---- ...skip-finding-free-audio-for-unknown-.patch | 44 ---- ...alize-timestamp-for-some-legacy-socs.patch | 46 ---- ...shared-irq-handling-on-driver-remove.patch | 88 -------- ...re-dmi-stop-decoding-on-broken-entry.patch | 46 ---- ...otate-apanel_addr-as-__ro_after_init.patch | 35 ---- ...plement-a-limit-on-umad-receive-list.patch | 125 ----------- ...log-entry-using-uninitialized-netdev.patch | 61 ------ ...efer-struct_size-over-open-coded-ari.patch | 73 ------- ...ts-remove-bug_on-in-its_vpe_irq_doma.patch | 41 ---- ...ial-illegal-address-access-in-jffs2_.patch | 94 --------- queue-5.15/kunit-fix-timeout-message.patch | 52 ----- ...king-mutex-introduce-devm_mutex_init.patch | 113 ---------- ...2-fe-fix-as10x_register_addr-packing.patch | 44 ---- ...ntends-tda10048-fix-integer-overflow.patch | 53 ----- ...nds-tda18271c2dd-remove-casting-duri.patch | 49 ----- ...b0700_devices-add-missing-release_fi.patch | 68 ------ ...-don-t-translate-i2c-read-into-write.patch | 197 ------------------ ...refcount_t-instead-of-atomic_t-for-n.patch | 109 ---------- ...88e6xxx-correct-check-for-empty-list.patch | 50 ----- ...ug_on-in-nilfs_finish_roll_forward-t.patch | 45 ---- ...angefs-fix-out-of-bounds-fsid-access.patch | 43 ---- ...io_base-to-poison_pointer_delta-not-.patch | 49 ----- ...check-cpu-id-in-commands-c-dp-and-dx.patch | 61 ------ ...-in-__load_psw_mask-as-__unitialized.patch | 47 ----- ...-pkey-wipe-sensitive-data-on-failure.patch | 47 ----- ...ake-qedf_execute_tmf-non-preemptible.patch | 54 ----- ...ruct_size-over-open-coded-arithmetic.patch | 74 ------- queue-5.15/series | 34 --- ...turbostat-remember-global-max_die_id.patch | 65 ------ ...-potential-failure-in-handle_tx_even.patch | 54 ----- ...76-replace-skb_put-with-skb_put_zero.patch | 83 -------- 35 files changed, 2257 deletions(-) delete mode 100644 queue-5.15/bpf-avoid-uninitialized-value-in-bpf_core_read_bitfi.patch delete mode 100644 queue-5.15/crypto-aead-cipher-zeroize-key-buffer-after-use.patch delete mode 100644 queue-5.15/drm-amd-display-check-index-msg_id-before-read-or-wr.patch delete mode 100644 queue-5.15/drm-amd-display-check-pipe-offset-before-setting-vbl.patch delete mode 100644 queue-5.15/drm-amd-display-skip-finding-free-audio-for-unknown-.patch delete mode 100644 queue-5.15/drm-amdgpu-initialize-timestamp-for-some-legacy-socs.patch delete mode 100644 queue-5.15/drm-lima-fix-shared-irq-handling-on-driver-remove.patch delete mode 100644 queue-5.15/firmware-dmi-stop-decoding-on-broken-entry.patch delete mode 100644 queue-5.15/i2c-i801-annotate-apanel_addr-as-__ro_after_init.patch delete mode 100644 queue-5.15/ib-core-implement-a-limit-on-umad-receive-list.patch delete mode 100644 queue-5.15/igc-fix-a-log-entry-using-uninitialized-netdev.patch delete mode 100644 queue-5.15/input-ff-core-prefer-struct_size-over-open-coded-ari.patch delete mode 100644 queue-5.15/irqchip-gic-v3-its-remove-bug_on-in-its_vpe_irq_doma.patch delete mode 100644 queue-5.15/jffs2-fix-potential-illegal-address-access-in-jffs2_.patch delete mode 100644 queue-5.15/kunit-fix-timeout-message.patch delete mode 100644 queue-5.15/locking-mutex-introduce-devm_mutex_init.patch delete mode 100644 queue-5.15/media-dvb-as102-fe-fix-as10x_register_addr-packing.patch delete mode 100644 queue-5.15/media-dvb-frontends-tda10048-fix-integer-overflow.patch delete mode 100644 queue-5.15/media-dvb-frontends-tda18271c2dd-remove-casting-duri.patch delete mode 100644 queue-5.15/media-dvb-usb-dib0700_devices-add-missing-release_fi.patch delete mode 100644 queue-5.15/media-dw2102-don-t-translate-i2c-read-into-write.patch delete mode 100644 queue-5.15/media-s2255-use-refcount_t-instead-of-atomic_t-for-n.patch delete mode 100644 queue-5.15/net-dsa-mv88e6xxx-correct-check-for-empty-list.patch delete mode 100644 queue-5.15/nilfs2-convert-bug_on-in-nilfs_finish_roll_forward-t.patch delete mode 100644 queue-5.15/orangefs-fix-out-of-bounds-fsid-access.patch delete mode 100644 queue-5.15/powerpc-64-set-_io_base-to-poison_pointer_delta-not-.patch delete mode 100644 queue-5.15/powerpc-xmon-check-cpu-id-in-commands-c-dp-and-dx.patch delete mode 100644 queue-5.15/s390-mark-psw-in-__load_psw_mask-as-__unitialized.patch delete mode 100644 queue-5.15/s390-pkey-wipe-sensitive-data-on-failure.patch delete mode 100644 queue-5.15/scsi-qedf-make-qedf_execute_tmf-non-preemptible.patch delete mode 100644 queue-5.15/sctp-prefer-struct_size-over-open-coded-arithmetic.patch delete mode 100644 queue-5.15/series delete mode 100644 queue-5.15/tools-power-turbostat-remember-global-max_die_id.patch delete mode 100644 queue-5.15/usb-xhci-prevent-potential-failure-in-handle_tx_even.patch delete mode 100644 queue-5.15/wifi-mt76-replace-skb_put-with-skb_put_zero.patch diff --git a/queue-5.15/bpf-avoid-uninitialized-value-in-bpf_core_read_bitfi.patch b/queue-5.15/bpf-avoid-uninitialized-value-in-bpf_core_read_bitfi.patch deleted file mode 100644 index 9aeb769d026..00000000000 --- a/queue-5.15/bpf-avoid-uninitialized-value-in-bpf_core_read_bitfi.patch +++ /dev/null @@ -1,59 +0,0 @@ -From fd890a29bdf28db6c8e96d8c814e73a24bd69fb3 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 8 May 2024 12:13:13 +0200 -Subject: bpf: Avoid uninitialized value in BPF_CORE_READ_BITFIELD - -From: Jose E. Marchesi - -[ Upstream commit 009367099eb61a4fc2af44d4eb06b6b4de7de6db ] - -[Changes from V1: - - Use a default branch in the switch statement to initialize `val'.] - -GCC warns that `val' may be used uninitialized in the -BPF_CRE_READ_BITFIELD macro, defined in bpf_core_read.h as: - - [...] - unsigned long long val; \ - [...] \ - switch (__CORE_RELO(s, field, BYTE_SIZE)) { \ - case 1: val = *(const unsigned char *)p; break; \ - case 2: val = *(const unsigned short *)p; break; \ - case 4: val = *(const unsigned int *)p; break; \ - case 8: val = *(const unsigned long long *)p; break; \ - } \ - [...] - val; \ - } \ - -This patch adds a default entry in the switch statement that sets -`val' to zero in order to avoid the warning, and random values to be -used in case __builtin_preserve_field_info returns unexpected values -for BPF_FIELD_BYTE_SIZE. - -Tested in bpf-next master. -No regressions. - -Signed-off-by: Jose E. Marchesi -Signed-off-by: Andrii Nakryiko -Link: https://lore.kernel.org/bpf/20240508101313.16662-1-jose.marchesi@oracle.com -Signed-off-by: Sasha Levin ---- - tools/lib/bpf/bpf_core_read.h | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/tools/lib/bpf/bpf_core_read.h b/tools/lib/bpf/bpf_core_read.h -index e4aa9996a5501..b8e68a17f3f1b 100644 ---- a/tools/lib/bpf/bpf_core_read.h -+++ b/tools/lib/bpf/bpf_core_read.h -@@ -101,6 +101,7 @@ enum bpf_enum_value_kind { - case 2: val = *(const unsigned short *)p; break; \ - case 4: val = *(const unsigned int *)p; break; \ - case 8: val = *(const unsigned long long *)p; break; \ -+ default: val = 0; break; \ - } \ - val <<= __CORE_RELO(s, field, LSHIFT_U64); \ - if (__CORE_RELO(s, field, SIGNED)) \ --- -2.43.0 - diff --git a/queue-5.15/crypto-aead-cipher-zeroize-key-buffer-after-use.patch b/queue-5.15/crypto-aead-cipher-zeroize-key-buffer-after-use.patch deleted file mode 100644 index ee89bd5940f..00000000000 --- a/queue-5.15/crypto-aead-cipher-zeroize-key-buffer-after-use.patch +++ /dev/null @@ -1,53 +0,0 @@ -From 5ada0c1e10881d0762ac513ac3e8956e64405d15 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 15 Apr 2024 22:19:15 +0000 -Subject: crypto: aead,cipher - zeroize key buffer after use - -From: Hailey Mothershead - -[ Upstream commit 23e4099bdc3c8381992f9eb975c79196d6755210 ] - -I.G 9.7.B for FIPS 140-3 specifies that variables temporarily holding -cryptographic information should be zeroized once they are no longer -needed. Accomplish this by using kfree_sensitive for buffers that -previously held the private key. - -Signed-off-by: Hailey Mothershead -Signed-off-by: Herbert Xu -Signed-off-by: Sasha Levin ---- - crypto/aead.c | 3 +-- - crypto/cipher.c | 3 +-- - 2 files changed, 2 insertions(+), 4 deletions(-) - -diff --git a/crypto/aead.c b/crypto/aead.c -index 16991095270d2..c4ece86c45bc4 100644 ---- a/crypto/aead.c -+++ b/crypto/aead.c -@@ -35,8 +35,7 @@ static int setkey_unaligned(struct crypto_aead *tfm, const u8 *key, - alignbuffer = (u8 *)ALIGN((unsigned long)buffer, alignmask + 1); - memcpy(alignbuffer, key, keylen); - ret = crypto_aead_alg(tfm)->setkey(tfm, alignbuffer, keylen); -- memset(alignbuffer, 0, keylen); -- kfree(buffer); -+ kfree_sensitive(buffer); - return ret; - } - -diff --git a/crypto/cipher.c b/crypto/cipher.c -index b47141ed4a9f3..395f0c2fbb9ff 100644 ---- a/crypto/cipher.c -+++ b/crypto/cipher.c -@@ -34,8 +34,7 @@ static int setkey_unaligned(struct crypto_cipher *tfm, const u8 *key, - alignbuffer = (u8 *)ALIGN((unsigned long)buffer, alignmask + 1); - memcpy(alignbuffer, key, keylen); - ret = cia->cia_setkey(crypto_cipher_tfm(tfm), alignbuffer, keylen); -- memset(alignbuffer, 0, keylen); -- kfree(buffer); -+ kfree_sensitive(buffer); - return ret; - - } --- -2.43.0 - diff --git a/queue-5.15/drm-amd-display-check-index-msg_id-before-read-or-wr.patch b/queue-5.15/drm-amd-display-check-index-msg_id-before-read-or-wr.patch deleted file mode 100644 index 6f159c9e179..00000000000 --- a/queue-5.15/drm-amd-display-check-index-msg_id-before-read-or-wr.patch +++ /dev/null @@ -1,56 +0,0 @@ -From f990da8272868fee947c435f5a0a09810098c653 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 18 Apr 2024 13:27:43 -0600 -Subject: drm/amd/display: Check index msg_id before read or write - -From: Alex Hung - -[ Upstream commit 59d99deb330af206a4541db0c4da8f73880fba03 ] - -[WHAT] -msg_id is used as an array index and it cannot be a negative value, and -therefore cannot be equal to MOD_HDCP_MESSAGE_ID_INVALID (-1). - -[HOW] -Check whether msg_id is valid before reading and setting. - -This fixes 4 OVERRUN issues reported by Coverity. - -Reviewed-by: Rodrigo Siqueira -Acked-by: Wayne Lin -Signed-off-by: Alex Hung -Signed-off-by: Alex Deucher -Signed-off-by: Sasha Levin ---- - drivers/gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/drivers/gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c b/drivers/gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c -index f7b5583ee609a..8e9caae7c9559 100644 ---- a/drivers/gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c -+++ b/drivers/gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c -@@ -156,6 +156,10 @@ static enum mod_hdcp_status read(struct mod_hdcp *hdcp, - uint32_t cur_size = 0; - uint32_t data_offset = 0; - -+ if (msg_id == MOD_HDCP_MESSAGE_ID_INVALID) { -+ return MOD_HDCP_STATUS_DDC_FAILURE; -+ } -+ - if (is_dp_hdcp(hdcp)) { - while (buf_len > 0) { - cur_size = MIN(buf_len, HDCP_MAX_AUX_TRANSACTION_SIZE); -@@ -215,6 +219,10 @@ static enum mod_hdcp_status write(struct mod_hdcp *hdcp, - uint32_t cur_size = 0; - uint32_t data_offset = 0; - -+ if (msg_id == MOD_HDCP_MESSAGE_ID_INVALID) { -+ return MOD_HDCP_STATUS_DDC_FAILURE; -+ } -+ - if (is_dp_hdcp(hdcp)) { - while (buf_len > 0) { - cur_size = MIN(buf_len, HDCP_MAX_AUX_TRANSACTION_SIZE); --- -2.43.0 - diff --git a/queue-5.15/drm-amd-display-check-pipe-offset-before-setting-vbl.patch b/queue-5.15/drm-amd-display-check-pipe-offset-before-setting-vbl.patch deleted file mode 100644 index 8fba878fd5f..00000000000 --- a/queue-5.15/drm-amd-display-check-pipe-offset-before-setting-vbl.patch +++ /dev/null @@ -1,45 +0,0 @@ -From 71e7fbfbe73282464add73ac9de645952b1500c0 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 22 Apr 2024 18:07:17 -0600 -Subject: drm/amd/display: Check pipe offset before setting vblank - -From: Alex Hung - -[ Upstream commit 5396a70e8cf462ec5ccf2dc8de103c79de9489e6 ] - -pipe_ctx has a size of MAX_PIPES so checking its index before accessing -the array. - -This fixes an OVERRUN issue reported by Coverity. - -Reviewed-by: Rodrigo Siqueira -Acked-by: Wayne Lin -Signed-off-by: Alex Hung -Signed-off-by: Alex Deucher -Signed-off-by: Sasha Levin ---- - .../drm/amd/display/dc/irq/dce110/irq_service_dce110.c | 8 ++++++-- - 1 file changed, 6 insertions(+), 2 deletions(-) - -diff --git a/drivers/gpu/drm/amd/display/dc/irq/dce110/irq_service_dce110.c b/drivers/gpu/drm/amd/display/dc/irq/dce110/irq_service_dce110.c -index 378cc11aa0476..3d8b2b127f3f5 100644 ---- a/drivers/gpu/drm/amd/display/dc/irq/dce110/irq_service_dce110.c -+++ b/drivers/gpu/drm/amd/display/dc/irq/dce110/irq_service_dce110.c -@@ -211,8 +211,12 @@ bool dce110_vblank_set(struct irq_service *irq_service, - info->ext_id); - uint8_t pipe_offset = dal_irq_src - IRQ_TYPE_VBLANK; - -- struct timing_generator *tg = -- dc->current_state->res_ctx.pipe_ctx[pipe_offset].stream_res.tg; -+ struct timing_generator *tg; -+ -+ if (pipe_offset >= MAX_PIPES) -+ return false; -+ -+ tg = dc->current_state->res_ctx.pipe_ctx[pipe_offset].stream_res.tg; - - if (enable) { - if (!tg || !tg->funcs->arm_vert_intr(tg, 2)) { --- -2.43.0 - diff --git a/queue-5.15/drm-amd-display-skip-finding-free-audio-for-unknown-.patch b/queue-5.15/drm-amd-display-skip-finding-free-audio-for-unknown-.patch deleted file mode 100644 index 9bbe5d7a25a..00000000000 --- a/queue-5.15/drm-amd-display-skip-finding-free-audio-for-unknown-.patch +++ /dev/null @@ -1,44 +0,0 @@ -From 45d6ca9aff49734cf979984224e0b0c3061fc795 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 22 Apr 2024 13:52:27 -0600 -Subject: drm/amd/display: Skip finding free audio for unknown engine_id - -From: Alex Hung - -[ Upstream commit 1357b2165d9ad94faa4c4a20d5e2ce29c2ff29c3 ] - -[WHY] -ENGINE_ID_UNKNOWN = -1 and can not be used as an array index. Plus, it -also means it is uninitialized and does not need free audio. - -[HOW] -Skip and return NULL. - -This fixes 2 OVERRUN issues reported by Coverity. - -Reviewed-by: Rodrigo Siqueira -Acked-by: Wayne Lin -Signed-off-by: Alex Hung -Signed-off-by: Alex Deucher -Signed-off-by: Sasha Levin ---- - drivers/gpu/drm/amd/display/dc/core/dc_resource.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_resource.c b/drivers/gpu/drm/amd/display/dc/core/dc_resource.c -index fa4d671b5b2cc..42432af34db29 100644 ---- a/drivers/gpu/drm/amd/display/dc/core/dc_resource.c -+++ b/drivers/gpu/drm/amd/display/dc/core/dc_resource.c -@@ -1728,6 +1728,9 @@ static struct audio *find_first_free_audio( - { - int i, available_audio_count; - -+ if (id == ENGINE_ID_UNKNOWN) -+ return NULL; -+ - available_audio_count = pool->audio_count; - - for (i = 0; i < available_audio_count; i++) { --- -2.43.0 - diff --git a/queue-5.15/drm-amdgpu-initialize-timestamp-for-some-legacy-socs.patch b/queue-5.15/drm-amdgpu-initialize-timestamp-for-some-legacy-socs.patch deleted file mode 100644 index d1c0eb04c47..00000000000 --- a/queue-5.15/drm-amdgpu-initialize-timestamp-for-some-legacy-socs.patch +++ /dev/null @@ -1,46 +0,0 @@ -From 0a4be599cf84c2dc6de61ca08a8a03d238caef14 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 22 Apr 2024 10:07:51 +0800 -Subject: drm/amdgpu: Initialize timestamp for some legacy SOCs -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Ma Jun - -[ Upstream commit 2e55bcf3d742a4946d862b86e39e75a95cc6f1c0 ] - -Initialize the interrupt timestamp for some legacy SOCs -to fix the coverity issue "Uninitialized scalar variable" - -Signed-off-by: Ma Jun -Suggested-by: Christian König -Reviewed-by: Christian König -Signed-off-by: Alex Deucher -Signed-off-by: Sasha Levin ---- - drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c -index cc2e0c9cfe0a1..c04f458db937f 100644 ---- a/drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c -+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c -@@ -494,6 +494,14 @@ void amdgpu_irq_dispatch(struct amdgpu_device *adev, - - entry.ih = ih; - entry.iv_entry = (const uint32_t *)&ih->ring[ring_index]; -+ -+ /* -+ * timestamp is not supported on some legacy SOCs (cik, cz, iceland, -+ * si and tonga), so initialize timestamp and timestamp_src to 0 -+ */ -+ entry.timestamp = 0; -+ entry.timestamp_src = 0; -+ - amdgpu_ih_decode_iv(adev, &entry); - - trace_amdgpu_iv(ih - &adev->irq.ih, &entry); --- -2.43.0 - diff --git a/queue-5.15/drm-lima-fix-shared-irq-handling-on-driver-remove.patch b/queue-5.15/drm-lima-fix-shared-irq-handling-on-driver-remove.patch deleted file mode 100644 index b15cba73146..00000000000 --- a/queue-5.15/drm-lima-fix-shared-irq-handling-on-driver-remove.patch +++ /dev/null @@ -1,88 +0,0 @@ -From eb15884065daf9cf8d235ca1c04e7d06cad4a82e Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 2 Apr 2024 00:43:28 +0200 -Subject: drm/lima: fix shared irq handling on driver remove - -From: Erico Nunes - -[ Upstream commit a6683c690bbfd1f371510cb051e8fa49507f3f5e ] - -lima uses a shared interrupt, so the interrupt handlers must be prepared -to be called at any time. At driver removal time, the clocks are -disabled early and the interrupts stay registered until the very end of -the remove process due to the devm usage. -This is potentially a bug as the interrupts access device registers -which assumes clocks are enabled. A crash can be triggered by removing -the driver in a kernel with CONFIG_DEBUG_SHIRQ enabled. -This patch frees the interrupts at each lima device finishing callback -so that the handlers are already unregistered by the time we fully -disable clocks. - -Signed-off-by: Erico Nunes -Signed-off-by: Qiang Yu -Link: https://patchwork.freedesktop.org/patch/msgid/20240401224329.1228468-2-nunes.erico@gmail.com -Signed-off-by: Sasha Levin ---- - drivers/gpu/drm/lima/lima_gp.c | 2 ++ - drivers/gpu/drm/lima/lima_mmu.c | 5 +++++ - drivers/gpu/drm/lima/lima_pp.c | 4 ++++ - 3 files changed, 11 insertions(+) - -diff --git a/drivers/gpu/drm/lima/lima_gp.c b/drivers/gpu/drm/lima/lima_gp.c -index 6cf46b653e810..ca3842f719842 100644 ---- a/drivers/gpu/drm/lima/lima_gp.c -+++ b/drivers/gpu/drm/lima/lima_gp.c -@@ -324,7 +324,9 @@ int lima_gp_init(struct lima_ip *ip) - - void lima_gp_fini(struct lima_ip *ip) - { -+ struct lima_device *dev = ip->dev; - -+ devm_free_irq(dev->dev, ip->irq, ip); - } - - int lima_gp_pipe_init(struct lima_device *dev) -diff --git a/drivers/gpu/drm/lima/lima_mmu.c b/drivers/gpu/drm/lima/lima_mmu.c -index a1ae6c252dc2b..8ca7047adbaca 100644 ---- a/drivers/gpu/drm/lima/lima_mmu.c -+++ b/drivers/gpu/drm/lima/lima_mmu.c -@@ -118,7 +118,12 @@ int lima_mmu_init(struct lima_ip *ip) - - void lima_mmu_fini(struct lima_ip *ip) - { -+ struct lima_device *dev = ip->dev; -+ -+ if (ip->id == lima_ip_ppmmu_bcast) -+ return; - -+ devm_free_irq(dev->dev, ip->irq, ip); - } - - void lima_mmu_flush_tlb(struct lima_ip *ip) -diff --git a/drivers/gpu/drm/lima/lima_pp.c b/drivers/gpu/drm/lima/lima_pp.c -index 54b208a4a768e..d34c9e8840f45 100644 ---- a/drivers/gpu/drm/lima/lima_pp.c -+++ b/drivers/gpu/drm/lima/lima_pp.c -@@ -266,7 +266,9 @@ int lima_pp_init(struct lima_ip *ip) - - void lima_pp_fini(struct lima_ip *ip) - { -+ struct lima_device *dev = ip->dev; - -+ devm_free_irq(dev->dev, ip->irq, ip); - } - - int lima_pp_bcast_resume(struct lima_ip *ip) -@@ -299,7 +301,9 @@ int lima_pp_bcast_init(struct lima_ip *ip) - - void lima_pp_bcast_fini(struct lima_ip *ip) - { -+ struct lima_device *dev = ip->dev; - -+ devm_free_irq(dev->dev, ip->irq, ip); - } - - static int lima_pp_task_validate(struct lima_sched_pipe *pipe, --- -2.43.0 - diff --git a/queue-5.15/firmware-dmi-stop-decoding-on-broken-entry.patch b/queue-5.15/firmware-dmi-stop-decoding-on-broken-entry.patch deleted file mode 100644 index 2501abdac23..00000000000 --- a/queue-5.15/firmware-dmi-stop-decoding-on-broken-entry.patch +++ /dev/null @@ -1,46 +0,0 @@ -From 8cdec862cede34e6652d66ab814025842efa3d4a Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 30 Apr 2024 18:29:32 +0200 -Subject: firmware: dmi: Stop decoding on broken entry - -From: Jean Delvare - -[ Upstream commit 0ef11f604503b1862a21597436283f158114d77e ] - -If a DMI table entry is shorter than 4 bytes, it is invalid. Due to -how DMI table parsing works, it is impossible to safely recover from -such an error, so we have to stop decoding the table. - -Signed-off-by: Jean Delvare -Link: https://lore.kernel.org/linux-kernel/Zh2K3-HLXOesT_vZ@liuwe-devbox-debian-v2/T/ -Reviewed-by: Michael Kelley -Signed-off-by: Sasha Levin ---- - drivers/firmware/dmi_scan.c | 11 +++++++++++ - 1 file changed, 11 insertions(+) - -diff --git a/drivers/firmware/dmi_scan.c b/drivers/firmware/dmi_scan.c -index f191a1f901ac7..dcfddde767d1a 100644 ---- a/drivers/firmware/dmi_scan.c -+++ b/drivers/firmware/dmi_scan.c -@@ -101,6 +101,17 @@ static void dmi_decode_table(u8 *buf, - (data - buf + sizeof(struct dmi_header)) <= dmi_len) { - const struct dmi_header *dm = (const struct dmi_header *)data; - -+ /* -+ * If a short entry is found (less than 4 bytes), not only it -+ * is invalid, but we cannot reliably locate the next entry. -+ */ -+ if (dm->length < sizeof(struct dmi_header)) { -+ pr_warn(FW_BUG -+ "Corrupted DMI table, offset %zd (only %d entries processed)\n", -+ data - buf, i); -+ break; -+ } -+ - /* - * We want to know the total length (formatted area and - * strings) before decoding to make sure we won't run off the --- -2.43.0 - diff --git a/queue-5.15/i2c-i801-annotate-apanel_addr-as-__ro_after_init.patch b/queue-5.15/i2c-i801-annotate-apanel_addr-as-__ro_after_init.patch deleted file mode 100644 index ce0d3364b30..00000000000 --- a/queue-5.15/i2c-i801-annotate-apanel_addr-as-__ro_after_init.patch +++ /dev/null @@ -1,35 +0,0 @@ -From d45f1f5953e44a4b7342997839d45e685cd628b7 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 12 Apr 2024 12:21:58 +0200 -Subject: i2c: i801: Annotate apanel_addr as __ro_after_init - -From: Heiner Kallweit - -[ Upstream commit 355b1513b1e97b6cef84b786c6480325dfd3753d ] - -Annotate this variable as __ro_after_init to protect it from being -overwritten later. - -Signed-off-by: Heiner Kallweit -Signed-off-by: Andi Shyti -Signed-off-by: Sasha Levin ---- - drivers/i2c/busses/i2c-i801.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/i2c/busses/i2c-i801.c b/drivers/i2c/busses/i2c-i801.c -index 7844fba281905..758bbb13b8be3 100644 ---- a/drivers/i2c/busses/i2c-i801.c -+++ b/drivers/i2c/busses/i2c-i801.c -@@ -1045,7 +1045,7 @@ static const struct pci_device_id i801_ids[] = { - MODULE_DEVICE_TABLE(pci, i801_ids); - - #if defined CONFIG_X86 && defined CONFIG_DMI --static unsigned char apanel_addr; -+static unsigned char apanel_addr __ro_after_init; - - /* Scan the system ROM for the signature "FJKEYINF" */ - static __init const void __iomem *bios_signature(const void __iomem *bios) --- -2.43.0 - diff --git a/queue-5.15/ib-core-implement-a-limit-on-umad-receive-list.patch b/queue-5.15/ib-core-implement-a-limit-on-umad-receive-list.patch deleted file mode 100644 index 5b778ead4b1..00000000000 --- a/queue-5.15/ib-core-implement-a-limit-on-umad-receive-list.patch +++ /dev/null @@ -1,125 +0,0 @@ -From bf021c67b1e6442e10bc469fb8304d4fe1fbbecd Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 16 Apr 2024 15:01:44 +0300 -Subject: IB/core: Implement a limit on UMAD receive List - -From: Michael Guralnik - -[ Upstream commit ca0b44e20a6f3032224599f02e7c8fb49525c894 ] - -The existing behavior of ib_umad, which maintains received MAD -packets in an unbounded list, poses a risk of uncontrolled growth. -As user-space applications extract packets from this list, the rate -of extraction may not match the rate of incoming packets, leading -to potential list overflow. - -To address this, we introduce a limit to the size of the list. After -considering typical scenarios, such as OpenSM processing, which can -handle approximately 100k packets per second, and the 1-second retry -timeout for most packets, we set the list size limit to 200k. Packets -received beyond this limit are dropped, assuming they are likely timed -out by the time they are handled by user-space. - -Notably, packets queued on the receive list due to reasons like -timed-out sends are preserved even when the list is full. - -Signed-off-by: Michael Guralnik -Reviewed-by: Mark Zhang -Link: https://lore.kernel.org/r/7197cb58a7d9e78399008f25036205ceab07fbd5.1713268818.git.leon@kernel.org -Signed-off-by: Leon Romanovsky -Signed-off-by: Sasha Levin ---- - drivers/infiniband/core/user_mad.c | 21 +++++++++++++++------ - 1 file changed, 15 insertions(+), 6 deletions(-) - -diff --git a/drivers/infiniband/core/user_mad.c b/drivers/infiniband/core/user_mad.c -index 5c284dfbe6923..66a0c5a73b832 100644 ---- a/drivers/infiniband/core/user_mad.c -+++ b/drivers/infiniband/core/user_mad.c -@@ -63,6 +63,8 @@ MODULE_AUTHOR("Roland Dreier"); - MODULE_DESCRIPTION("InfiniBand userspace MAD packet access"); - MODULE_LICENSE("Dual BSD/GPL"); - -+#define MAX_UMAD_RECV_LIST_SIZE 200000 -+ - enum { - IB_UMAD_MAX_PORTS = RDMA_MAX_PORTS, - IB_UMAD_MAX_AGENTS = 32, -@@ -113,6 +115,7 @@ struct ib_umad_file { - struct mutex mutex; - struct ib_umad_port *port; - struct list_head recv_list; -+ atomic_t recv_list_size; - struct list_head send_list; - struct list_head port_list; - spinlock_t send_lock; -@@ -180,24 +183,28 @@ static struct ib_mad_agent *__get_agent(struct ib_umad_file *file, int id) - return file->agents_dead ? NULL : file->agent[id]; - } - --static int queue_packet(struct ib_umad_file *file, -- struct ib_mad_agent *agent, -- struct ib_umad_packet *packet) -+static int queue_packet(struct ib_umad_file *file, struct ib_mad_agent *agent, -+ struct ib_umad_packet *packet, bool is_recv_mad) - { - int ret = 1; - - mutex_lock(&file->mutex); - -+ if (is_recv_mad && -+ atomic_read(&file->recv_list_size) > MAX_UMAD_RECV_LIST_SIZE) -+ goto unlock; -+ - for (packet->mad.hdr.id = 0; - packet->mad.hdr.id < IB_UMAD_MAX_AGENTS; - packet->mad.hdr.id++) - if (agent == __get_agent(file, packet->mad.hdr.id)) { - list_add_tail(&packet->list, &file->recv_list); -+ atomic_inc(&file->recv_list_size); - wake_up_interruptible(&file->recv_wait); - ret = 0; - break; - } -- -+unlock: - mutex_unlock(&file->mutex); - - return ret; -@@ -224,7 +231,7 @@ static void send_handler(struct ib_mad_agent *agent, - if (send_wc->status == IB_WC_RESP_TIMEOUT_ERR) { - packet->length = IB_MGMT_MAD_HDR; - packet->mad.hdr.status = ETIMEDOUT; -- if (!queue_packet(file, agent, packet)) -+ if (!queue_packet(file, agent, packet, false)) - return; - } - kfree(packet); -@@ -284,7 +291,7 @@ static void recv_handler(struct ib_mad_agent *agent, - rdma_destroy_ah_attr(&ah_attr); - } - -- if (queue_packet(file, agent, packet)) -+ if (queue_packet(file, agent, packet, true)) - goto err2; - return; - -@@ -409,6 +416,7 @@ static ssize_t ib_umad_read(struct file *filp, char __user *buf, - - packet = list_entry(file->recv_list.next, struct ib_umad_packet, list); - list_del(&packet->list); -+ atomic_dec(&file->recv_list_size); - - mutex_unlock(&file->mutex); - -@@ -421,6 +429,7 @@ static ssize_t ib_umad_read(struct file *filp, char __user *buf, - /* Requeue packet */ - mutex_lock(&file->mutex); - list_add(&packet->list, &file->recv_list); -+ atomic_inc(&file->recv_list_size); - mutex_unlock(&file->mutex); - } else { - if (packet->recv_wc) --- -2.43.0 - diff --git a/queue-5.15/igc-fix-a-log-entry-using-uninitialized-netdev.patch b/queue-5.15/igc-fix-a-log-entry-using-uninitialized-netdev.patch deleted file mode 100644 index 14fd927429c..00000000000 --- a/queue-5.15/igc-fix-a-log-entry-using-uninitialized-netdev.patch +++ /dev/null @@ -1,61 +0,0 @@ -From 92fe14faa73957ee1f1dbe5ed0b279b6ee5c9cff Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 23 Apr 2024 12:24:54 +0200 -Subject: igc: fix a log entry using uninitialized netdev - -From: Corinna Vinschen - -[ Upstream commit 86167183a17e03ec77198897975e9fdfbd53cb0b ] - -During successful probe, igc logs this: - -[ 5.133667] igc 0000:01:00.0 (unnamed net_device) (uninitialized): PHC added - ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -The reason is that igc_ptp_init() is called very early, even before -register_netdev() has been called. So the netdev_info() call works -on a partially uninitialized netdev. - -Fix this by calling igc_ptp_init() after register_netdev(), right -after the media autosense check, just as in igb. Add a comment, -just as in igb. - -Now the log message is fine: - -[ 5.200987] igc 0000:01:00.0 eth0: PHC added - -Signed-off-by: Corinna Vinschen -Reviewed-by: Hariprasad Kelam -Acked-by: Vinicius Costa Gomes -Tested-by: Naama Meir -Signed-off-by: Tony Nguyen -Signed-off-by: Sasha Levin ---- - drivers/net/ethernet/intel/igc/igc_main.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c -index 6185566fbb98c..16a3d0f67ec96 100644 ---- a/drivers/net/ethernet/intel/igc/igc_main.c -+++ b/drivers/net/ethernet/intel/igc/igc_main.c -@@ -6673,8 +6673,6 @@ static int igc_probe(struct pci_dev *pdev, - device_set_wakeup_enable(&adapter->pdev->dev, - adapter->flags & IGC_FLAG_WOL_SUPPORTED); - -- igc_ptp_init(adapter); -- - igc_tsn_clear_schedule(adapter); - - /* reset the hardware with the new settings */ -@@ -6696,6 +6694,9 @@ static int igc_probe(struct pci_dev *pdev, - /* Check if Media Autosense is enabled */ - adapter->ei = *ei; - -+ /* do hw tstamp init after resetting */ -+ igc_ptp_init(adapter); -+ - /* print pcie link status and MAC address */ - pcie_print_link_status(pdev); - netdev_info(netdev, "MAC: %pM\n", netdev->dev_addr); --- -2.43.0 - diff --git a/queue-5.15/input-ff-core-prefer-struct_size-over-open-coded-ari.patch b/queue-5.15/input-ff-core-prefer-struct_size-over-open-coded-ari.patch deleted file mode 100644 index 3f44b1250db..00000000000 --- a/queue-5.15/input-ff-core-prefer-struct_size-over-open-coded-ari.patch +++ /dev/null @@ -1,73 +0,0 @@ -From df013b40cecc45fb740a1783fcb7419e63b53b69 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sat, 27 Apr 2024 17:05:56 +0200 -Subject: Input: ff-core - prefer struct_size over open coded arithmetic - -From: Erick Archer - -[ Upstream commit a08b8f8557ad88ffdff8905e5da972afe52e3307 ] - -This is an effort to get rid of all multiplications from allocation -functions in order to prevent integer overflows [1][2]. - -As the "ff" variable is a pointer to "struct ff_device" and this -structure ends in a flexible array: - -struct ff_device { - [...] - struct file *effect_owners[] __counted_by(max_effects); -}; - -the preferred way in the kernel is to use the struct_size() helper to -do the arithmetic instead of the calculation "size + count * size" in -the kzalloc() function. - -The struct_size() helper returns SIZE_MAX on overflow. So, refactor -the comparison to take advantage of this. - -This way, the code is more readable and safer. - -This code was detected with the help of Coccinelle, and audited and -modified manually. - -Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#open-coded-arithmetic-in-allocator-arguments [1] -Link: https://github.com/KSPP/linux/issues/160 [2] -Signed-off-by: Erick Archer -Reviewed-by: Kees Cook -Link: https://lore.kernel.org/r/AS8PR02MB72371E646714BAE2E51A6A378B152@AS8PR02MB7237.eurprd02.prod.outlook.com -Signed-off-by: Dmitry Torokhov -Signed-off-by: Sasha Levin ---- - drivers/input/ff-core.c | 7 ++++--- - 1 file changed, 4 insertions(+), 3 deletions(-) - -diff --git a/drivers/input/ff-core.c b/drivers/input/ff-core.c -index 1cf5deda06e19..a765e185c7a12 100644 ---- a/drivers/input/ff-core.c -+++ b/drivers/input/ff-core.c -@@ -12,8 +12,10 @@ - /* #define DEBUG */ - - #include -+#include - #include - #include -+#include - #include - #include - -@@ -318,9 +320,8 @@ int input_ff_create(struct input_dev *dev, unsigned int max_effects) - return -EINVAL; - } - -- ff_dev_size = sizeof(struct ff_device) + -- max_effects * sizeof(struct file *); -- if (ff_dev_size < max_effects) /* overflow */ -+ ff_dev_size = struct_size(ff, effect_owners, max_effects); -+ if (ff_dev_size == SIZE_MAX) /* overflow */ - return -EINVAL; - - ff = kzalloc(ff_dev_size, GFP_KERNEL); --- -2.43.0 - diff --git a/queue-5.15/irqchip-gic-v3-its-remove-bug_on-in-its_vpe_irq_doma.patch b/queue-5.15/irqchip-gic-v3-its-remove-bug_on-in-its_vpe_irq_doma.patch deleted file mode 100644 index f59e9636e5c..00000000000 --- a/queue-5.15/irqchip-gic-v3-its-remove-bug_on-in-its_vpe_irq_doma.patch +++ /dev/null @@ -1,41 +0,0 @@ -From 63fa0d12f873318e314562d760d9ed060657fb6c Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 18 Apr 2024 14:10:53 +0800 -Subject: irqchip/gic-v3-its: Remove BUG_ON in its_vpe_irq_domain_alloc - -From: Guanrui Huang - -[ Upstream commit 382d2ffe86efb1e2fa803d2cf17e5bfc34e574f3 ] - -This BUG_ON() is useless, because the same effect will be obtained -by letting the code run its course and vm being dereferenced, -triggering an exception. - -So just remove this check. - -Signed-off-by: Guanrui Huang -Signed-off-by: Thomas Gleixner -Reviewed-by: Zenghui Yu -Acked-by: Marc Zyngier -Link: https://lore.kernel.org/r/20240418061053.96803-3-guanrui.huang@linux.alibaba.com -Signed-off-by: Sasha Levin ---- - drivers/irqchip/irq-gic-v3-its.c | 2 -- - 1 file changed, 2 deletions(-) - -diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c -index fa89e590c1333..3fa6c71843261 100644 ---- a/drivers/irqchip/irq-gic-v3-its.c -+++ b/drivers/irqchip/irq-gic-v3-its.c -@@ -4491,8 +4491,6 @@ static int its_vpe_irq_domain_alloc(struct irq_domain *domain, unsigned int virq - struct page *vprop_page; - int base, nr_ids, i, err = 0; - -- BUG_ON(!vm); -- - bitmap = its_lpi_alloc(roundup_pow_of_two(nr_irqs), &base, &nr_ids); - if (!bitmap) - return -ENOMEM; --- -2.43.0 - diff --git a/queue-5.15/jffs2-fix-potential-illegal-address-access-in-jffs2_.patch b/queue-5.15/jffs2-fix-potential-illegal-address-access-in-jffs2_.patch deleted file mode 100644 index e8c6975452e..00000000000 --- a/queue-5.15/jffs2-fix-potential-illegal-address-access-in-jffs2_.patch +++ /dev/null @@ -1,94 +0,0 @@ -From 1d930105d9e2ed2dfd65ecfa800a778fd0fa04d1 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 7 May 2024 15:00:46 +0800 -Subject: jffs2: Fix potential illegal address access in jffs2_free_inode - -From: Wang Yong - -[ Upstream commit af9a8730ddb6a4b2edd779ccc0aceb994d616830 ] - -During the stress testing of the jffs2 file system,the following -abnormal printouts were found: -[ 2430.649000] Unable to handle kernel paging request at virtual address 0069696969696948 -[ 2430.649622] Mem abort info: -[ 2430.649829] ESR = 0x96000004 -[ 2430.650115] EC = 0x25: DABT (current EL), IL = 32 bits -[ 2430.650564] SET = 0, FnV = 0 -[ 2430.650795] EA = 0, S1PTW = 0 -[ 2430.651032] FSC = 0x04: level 0 translation fault -[ 2430.651446] Data abort info: -[ 2430.651683] ISV = 0, ISS = 0x00000004 -[ 2430.652001] CM = 0, WnR = 0 -[ 2430.652558] [0069696969696948] address between user and kernel address ranges -[ 2430.653265] Internal error: Oops: 96000004 [#1] PREEMPT SMP -[ 2430.654512] CPU: 2 PID: 20919 Comm: cat Not tainted 5.15.25-g512f31242bf6 #33 -[ 2430.655008] Hardware name: linux,dummy-virt (DT) -[ 2430.655517] pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) -[ 2430.656142] pc : kfree+0x78/0x348 -[ 2430.656630] lr : jffs2_free_inode+0x24/0x48 -[ 2430.657051] sp : ffff800009eebd10 -[ 2430.657355] x29: ffff800009eebd10 x28: 0000000000000001 x27: 0000000000000000 -[ 2430.658327] x26: ffff000038f09d80 x25: 0080000000000000 x24: ffff800009d38000 -[ 2430.658919] x23: 5a5a5a5a5a5a5a5a x22: ffff000038f09d80 x21: ffff8000084f0d14 -[ 2430.659434] x20: ffff0000bf9a6ac0 x19: 0169696969696940 x18: 0000000000000000 -[ 2430.659969] x17: ffff8000b6506000 x16: ffff800009eec000 x15: 0000000000004000 -[ 2430.660637] x14: 0000000000000000 x13: 00000001000820a1 x12: 00000000000d1b19 -[ 2430.661345] x11: 0004000800000000 x10: 0000000000000001 x9 : ffff8000084f0d14 -[ 2430.662025] x8 : ffff0000bf9a6b40 x7 : ffff0000bf9a6b48 x6 : 0000000003470302 -[ 2430.662695] x5 : ffff00002e41dcc0 x4 : ffff0000bf9aa3b0 x3 : 0000000003470342 -[ 2430.663486] x2 : 0000000000000000 x1 : ffff8000084f0d14 x0 : fffffc0000000000 -[ 2430.664217] Call trace: -[ 2430.664528] kfree+0x78/0x348 -[ 2430.664855] jffs2_free_inode+0x24/0x48 -[ 2430.665233] i_callback+0x24/0x50 -[ 2430.665528] rcu_do_batch+0x1ac/0x448 -[ 2430.665892] rcu_core+0x28c/0x3c8 -[ 2430.666151] rcu_core_si+0x18/0x28 -[ 2430.666473] __do_softirq+0x138/0x3cc -[ 2430.666781] irq_exit+0xf0/0x110 -[ 2430.667065] handle_domain_irq+0x6c/0x98 -[ 2430.667447] gic_handle_irq+0xac/0xe8 -[ 2430.667739] call_on_irq_stack+0x28/0x54 -The parameter passed to kfree was 5a5a5a5a, which corresponds to the target field of -the jffs_inode_info structure. It was found that all variables in the jffs_inode_info -structure were 5a5a5a5a, except for the first member sem. It is suspected that these -variables are not initialized because they were set to 5a5a5a5a during memory testing, -which is meant to detect uninitialized memory.The sem variable is initialized in the -function jffs2_i_init_once, while other members are initialized in -the function jffs2_init_inode_info. - -The function jffs2_init_inode_info is called after iget_locked, -but in the iget_locked function, the destroy_inode process is triggered, -which releases the inode and consequently, the target member of the inode -is not initialized.In concurrent high pressure scenarios, iget_locked -may enter the destroy_inode branch as described in the code. - -Since the destroy_inode functionality of jffs2 only releases the target, -the fix method is to set target to NULL in jffs2_i_init_once. - -Signed-off-by: Wang Yong -Reviewed-by: Lu Zhongjun -Reviewed-by: Yang Tao -Cc: Xu Xin -Cc: Yang Yang -Signed-off-by: Richard Weinberger -Signed-off-by: Sasha Levin ---- - fs/jffs2/super.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/fs/jffs2/super.c b/fs/jffs2/super.c -index 81ca58c10b728..40cc5e62907c1 100644 ---- a/fs/jffs2/super.c -+++ b/fs/jffs2/super.c -@@ -58,6 +58,7 @@ static void jffs2_i_init_once(void *foo) - struct jffs2_inode_info *f = foo; - - mutex_init(&f->sem); -+ f->target = NULL; - inode_init_once(&f->vfs_inode); - } - --- -2.43.0 - diff --git a/queue-5.15/kunit-fix-timeout-message.patch b/queue-5.15/kunit-fix-timeout-message.patch deleted file mode 100644 index 7f6db3358c5..00000000000 --- a/queue-5.15/kunit-fix-timeout-message.patch +++ /dev/null @@ -1,52 +0,0 @@ -From 1cebd4cb2463e99c7a1a5da5627b080944661469 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 8 Apr 2024 09:46:21 +0200 -Subject: kunit: Fix timeout message -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Mickaël Salaün - -[ Upstream commit 53026ff63bb07c04a0e962a74723eb10ff6f9dc7 ] - -The exit code is always checked, so let's properly handle the -ETIMEDOUT -error code. - -Cc: Brendan Higgins -Cc: Shuah Khan -Reviewed-by: Kees Cook -Reviewed-by: David Gow -Reviewed-by: Rae Moar -Signed-off-by: Mickaël Salaün -Link: https://lore.kernel.org/r/20240408074625.65017-4-mic@digikod.net -Signed-off-by: Shuah Khan -Signed-off-by: Sasha Levin ---- - lib/kunit/try-catch.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/lib/kunit/try-catch.c b/lib/kunit/try-catch.c -index 71e5c58530996..d18da926b2cd7 100644 ---- a/lib/kunit/try-catch.c -+++ b/lib/kunit/try-catch.c -@@ -76,7 +76,6 @@ void kunit_try_catch_run(struct kunit_try_catch *try_catch, void *context) - time_remaining = wait_for_completion_timeout(&try_completion, - kunit_test_timeout()); - if (time_remaining == 0) { -- kunit_err(test, "try timed out\n"); - try_catch->try_result = -ETIMEDOUT; - } - -@@ -89,6 +88,8 @@ void kunit_try_catch_run(struct kunit_try_catch *try_catch, void *context) - try_catch->try_result = 0; - else if (exit_code == -EINTR) - kunit_err(test, "wake_up_process() was never called\n"); -+ else if (exit_code == -ETIMEDOUT) -+ kunit_err(test, "try timed out\n"); - else if (exit_code) - kunit_err(test, "Unknown error: %d\n", exit_code); - --- -2.43.0 - diff --git a/queue-5.15/locking-mutex-introduce-devm_mutex_init.patch b/queue-5.15/locking-mutex-introduce-devm_mutex_init.patch deleted file mode 100644 index cafcc50cf2d..00000000000 --- a/queue-5.15/locking-mutex-introduce-devm_mutex_init.patch +++ /dev/null @@ -1,113 +0,0 @@ -From 68d8297b07f5011e65513b8fbce242f377c45794 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 11 Apr 2024 19:10:25 +0300 -Subject: locking/mutex: Introduce devm_mutex_init() -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: George Stark - -[ Upstream commit 4cd47222e435dec8e3787614924174f53fcfb5ae ] - -Using of devm API leads to a certain order of releasing resources. -So all dependent resources which are not devm-wrapped should be deleted -with respect to devm-release order. Mutex is one of such objects that -often is bound to other resources and has no own devm wrapping. -Since mutex_destroy() actually does nothing in non-debug builds -frequently calling mutex_destroy() is just ignored which is safe for now -but wrong formally and can lead to a problem if mutex_destroy() will be -extended so introduce devm_mutex_init(). - -Suggested-by: Christophe Leroy -Signed-off-by: George Stark -Reviewed-by: Christophe Leroy -Reviewed-by: Andy Shevchenko -Reviewed-by: Marek Behún -Acked-by: Waiman Long -Link: https://lore.kernel.org/r/20240411161032.609544-2-gnstark@salutedevices.com -Signed-off-by: Lee Jones -Signed-off-by: Sasha Levin ---- - include/linux/mutex.h | 27 +++++++++++++++++++++++++++ - kernel/locking/mutex-debug.c | 12 ++++++++++++ - 2 files changed, 39 insertions(+) - -diff --git a/include/linux/mutex.h b/include/linux/mutex.h -index 8f226d460f51c..9ef01b9d24563 100644 ---- a/include/linux/mutex.h -+++ b/include/linux/mutex.h -@@ -20,6 +20,8 @@ - #include - #include - -+struct device; -+ - #ifdef CONFIG_DEBUG_LOCK_ALLOC - # define __DEP_MAP_MUTEX_INITIALIZER(lockname) \ - , .dep_map = { \ -@@ -170,6 +172,31 @@ do { \ - } while (0) - #endif /* CONFIG_PREEMPT_RT */ - -+#ifdef CONFIG_DEBUG_MUTEXES -+ -+int __devm_mutex_init(struct device *dev, struct mutex *lock); -+ -+#else -+ -+static inline int __devm_mutex_init(struct device *dev, struct mutex *lock) -+{ -+ /* -+ * When CONFIG_DEBUG_MUTEXES is off mutex_destroy() is just a nop so -+ * no really need to register it in the devm subsystem. -+ */ -+ return 0; -+} -+ -+#endif -+ -+#define devm_mutex_init(dev, mutex) \ -+({ \ -+ typeof(mutex) mutex_ = (mutex); \ -+ \ -+ mutex_init(mutex_); \ -+ __devm_mutex_init(dev, mutex_); \ -+}) -+ - /* - * See kernel/locking/mutex.c for detailed documentation of these APIs. - * Also see Documentation/locking/mutex-design.rst. -diff --git a/kernel/locking/mutex-debug.c b/kernel/locking/mutex-debug.c -index bc8abb8549d20..6e6f6071cfa27 100644 ---- a/kernel/locking/mutex-debug.c -+++ b/kernel/locking/mutex-debug.c -@@ -12,6 +12,7 @@ - */ - #include - #include -+#include - #include - #include - #include -@@ -89,6 +90,17 @@ void debug_mutex_init(struct mutex *lock, const char *name, - lock->magic = lock; - } - -+static void devm_mutex_release(void *res) -+{ -+ mutex_destroy(res); -+} -+ -+int __devm_mutex_init(struct device *dev, struct mutex *lock) -+{ -+ return devm_add_action_or_reset(dev, devm_mutex_release, lock); -+} -+EXPORT_SYMBOL_GPL(__devm_mutex_init); -+ - /*** - * mutex_destroy - mark a mutex unusable - * @lock: the mutex to be destroyed --- -2.43.0 - diff --git a/queue-5.15/media-dvb-as102-fe-fix-as10x_register_addr-packing.patch b/queue-5.15/media-dvb-as102-fe-fix-as10x_register_addr-packing.patch deleted file mode 100644 index 501a0a727aa..00000000000 --- a/queue-5.15/media-dvb-as102-fe-fix-as10x_register_addr-packing.patch +++ /dev/null @@ -1,44 +0,0 @@ -From 0a2ffb66e597f5f7dae99e9a12d4d645e3eefbc3 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 10 Apr 2024 12:24:37 +0000 -Subject: media: dvb: as102-fe: Fix as10x_register_addr packing - -From: Ricardo Ribalda - -[ Upstream commit 309422d280748c74f57f471559980268ac27732a ] - -This structure is embedded in multiple other structures that are packed, -which conflicts with it being aligned. - -drivers/media/usb/as102/as10x_cmd.h:379:30: warning: field reg_addr within 'struct as10x_dump_memory::(unnamed at drivers/media/usb/as102/as10x_cmd.h:373:2)' is less aligned than 'struct as10x_register_addr' and is usually due to 'struct as10x_dump_memory::(unnamed at drivers/media/usb/as102/as10x_cmd.h:373:2)' being packed, which can lead to unaligned accesses [-Wunaligned-access] - -Mark it as being packed. - -Marking the inner struct as 'packed' does not change the layout, since the -whole struct is already packed, it just silences the clang warning. See -also this llvm discussion: - -https://github.com/llvm/llvm-project/issues/55520 - -Signed-off-by: Ricardo Ribalda -Signed-off-by: Hans Verkuil -Signed-off-by: Sasha Levin ---- - drivers/media/dvb-frontends/as102_fe_types.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/media/dvb-frontends/as102_fe_types.h b/drivers/media/dvb-frontends/as102_fe_types.h -index 297f9520ebf9d..8a4e392c88965 100644 ---- a/drivers/media/dvb-frontends/as102_fe_types.h -+++ b/drivers/media/dvb-frontends/as102_fe_types.h -@@ -174,6 +174,6 @@ struct as10x_register_addr { - uint32_t addr; - /* register mode access */ - uint8_t mode; --}; -+} __packed; - - #endif --- -2.43.0 - diff --git a/queue-5.15/media-dvb-frontends-tda10048-fix-integer-overflow.patch b/queue-5.15/media-dvb-frontends-tda10048-fix-integer-overflow.patch deleted file mode 100644 index a65f96d2d76..00000000000 --- a/queue-5.15/media-dvb-frontends-tda10048-fix-integer-overflow.patch +++ /dev/null @@ -1,53 +0,0 @@ -From 09b949027f0eb10e8dca12b78c07189f2a879161 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 29 Apr 2024 16:05:04 +0100 -Subject: media: dvb-frontends: tda10048: Fix integer overflow - -From: Ricardo Ribalda - -[ Upstream commit 1aa1329a67cc214c3b7bd2a14d1301a795760b07 ] - -state->xtal_hz can be up to 16M, so it can overflow a 32 bit integer -when multiplied by pll_mfactor. - -Create a new 64 bit variable to hold the calculations. - -Link: https://lore.kernel.org/linux-media/20240429-fix-cocci-v3-25-3c4865f5a4b0@chromium.org -Reported-by: Dan Carpenter -Signed-off-by: Ricardo Ribalda -Signed-off-by: Mauro Carvalho Chehab -Signed-off-by: Sasha Levin ---- - drivers/media/dvb-frontends/tda10048.c | 9 ++++++--- - 1 file changed, 6 insertions(+), 3 deletions(-) - -diff --git a/drivers/media/dvb-frontends/tda10048.c b/drivers/media/dvb-frontends/tda10048.c -index f1d5e77d5dcce..db829754f1359 100644 ---- a/drivers/media/dvb-frontends/tda10048.c -+++ b/drivers/media/dvb-frontends/tda10048.c -@@ -410,6 +410,7 @@ static int tda10048_set_if(struct dvb_frontend *fe, u32 bw) - struct tda10048_config *config = &state->config; - int i; - u32 if_freq_khz; -+ u64 sample_freq; - - dprintk(1, "%s(bw = %d)\n", __func__, bw); - -@@ -451,9 +452,11 @@ static int tda10048_set_if(struct dvb_frontend *fe, u32 bw) - dprintk(1, "- pll_pfactor = %d\n", state->pll_pfactor); - - /* Calculate the sample frequency */ -- state->sample_freq = state->xtal_hz * (state->pll_mfactor + 45); -- state->sample_freq /= (state->pll_nfactor + 1); -- state->sample_freq /= (state->pll_pfactor + 4); -+ sample_freq = state->xtal_hz; -+ sample_freq *= state->pll_mfactor + 45; -+ do_div(sample_freq, state->pll_nfactor + 1); -+ do_div(sample_freq, state->pll_pfactor + 4); -+ state->sample_freq = sample_freq; - dprintk(1, "- sample_freq = %d\n", state->sample_freq); - - /* Update the I/F */ --- -2.43.0 - diff --git a/queue-5.15/media-dvb-frontends-tda18271c2dd-remove-casting-duri.patch b/queue-5.15/media-dvb-frontends-tda18271c2dd-remove-casting-duri.patch deleted file mode 100644 index 8d2fe2ec31c..00000000000 --- a/queue-5.15/media-dvb-frontends-tda18271c2dd-remove-casting-duri.patch +++ /dev/null @@ -1,49 +0,0 @@ -From 6c200a6065dde0e39a0289fe2e24db01db09a257 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 29 Apr 2024 16:04:47 +0100 -Subject: media: dvb-frontends: tda18271c2dd: Remove casting during div - -From: Ricardo Ribalda - -[ Upstream commit e9a844632630e18ed0671a7e3467431bd719952e ] - -do_div() divides 64 bits by 32. We were adding a casting to the divider -to 64 bits, for a number that fits perfectly in 32 bits. Remove it. - -Found by cocci: -drivers/media/dvb-frontends/tda18271c2dd.c:355:1-7: WARNING: do_div() does a 64-by-32 division, please consider using div64_u64 instead. -drivers/media/dvb-frontends/tda18271c2dd.c:331:1-7: WARNING: do_div() does a 64-by-32 division, please consider using div64_u64 instead. - -Link: https://lore.kernel.org/linux-media/20240429-fix-cocci-v3-8-3c4865f5a4b0@chromium.org -Signed-off-by: Ricardo Ribalda -Signed-off-by: Mauro Carvalho Chehab -Signed-off-by: Sasha Levin ---- - drivers/media/dvb-frontends/tda18271c2dd.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/drivers/media/dvb-frontends/tda18271c2dd.c b/drivers/media/dvb-frontends/tda18271c2dd.c -index a348344879433..fd928787207ed 100644 ---- a/drivers/media/dvb-frontends/tda18271c2dd.c -+++ b/drivers/media/dvb-frontends/tda18271c2dd.c -@@ -328,7 +328,7 @@ static int CalcMainPLL(struct tda_state *state, u32 freq) - - OscFreq = (u64) freq * (u64) Div; - OscFreq *= (u64) 16384; -- do_div(OscFreq, (u64)16000000); -+ do_div(OscFreq, 16000000); - MainDiv = OscFreq; - - state->m_Regs[MPD] = PostDiv & 0x77; -@@ -352,7 +352,7 @@ static int CalcCalPLL(struct tda_state *state, u32 freq) - OscFreq = (u64)freq * (u64)Div; - /* CalDiv = u32( OscFreq * 16384 / 16000000 ); */ - OscFreq *= (u64)16384; -- do_div(OscFreq, (u64)16000000); -+ do_div(OscFreq, 16000000); - CalDiv = OscFreq; - - state->m_Regs[CPD] = PostDiv; --- -2.43.0 - diff --git a/queue-5.15/media-dvb-usb-dib0700_devices-add-missing-release_fi.patch b/queue-5.15/media-dvb-usb-dib0700_devices-add-missing-release_fi.patch deleted file mode 100644 index 1270dfa684e..00000000000 --- a/queue-5.15/media-dvb-usb-dib0700_devices-add-missing-release_fi.patch +++ /dev/null @@ -1,68 +0,0 @@ -From 907963173f880a77c3f8b33805a0bb80530de7ca Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 11 Apr 2024 21:17:56 +0000 -Subject: media: dvb-usb: dib0700_devices: Add missing release_firmware() - -From: Ricardo Ribalda - -[ Upstream commit 4b267c23ee064bd24c6933df0588ad1b6e111145 ] - -Add missing release_firmware on the error paths. - -drivers/media/usb/dvb-usb/dib0700_devices.c:2415 stk9090m_frontend_attach() warn: 'state->frontend_firmware' from request_firmware() not released on lines: 2415. -drivers/media/usb/dvb-usb/dib0700_devices.c:2497 nim9090md_frontend_attach() warn: 'state->frontend_firmware' from request_firmware() not released on lines: 2489,2497. - -Signed-off-by: Ricardo Ribalda -Signed-off-by: Hans Verkuil -Signed-off-by: Sasha Levin ---- - drivers/media/usb/dvb-usb/dib0700_devices.c | 18 +++++++++++++++--- - 1 file changed, 15 insertions(+), 3 deletions(-) - -diff --git a/drivers/media/usb/dvb-usb/dib0700_devices.c b/drivers/media/usb/dvb-usb/dib0700_devices.c -index 710c1afe3e85c..c7019e767da4c 100644 ---- a/drivers/media/usb/dvb-usb/dib0700_devices.c -+++ b/drivers/media/usb/dvb-usb/dib0700_devices.c -@@ -2419,7 +2419,12 @@ static int stk9090m_frontend_attach(struct dvb_usb_adapter *adap) - - adap->fe_adap[0].fe = dvb_attach(dib9000_attach, &adap->dev->i2c_adap, 0x80, &stk9090m_config); - -- return adap->fe_adap[0].fe == NULL ? -ENODEV : 0; -+ if (!adap->fe_adap[0].fe) { -+ release_firmware(state->frontend_firmware); -+ return -ENODEV; -+ } -+ -+ return 0; - } - - static int dib9090_tuner_attach(struct dvb_usb_adapter *adap) -@@ -2492,8 +2497,10 @@ static int nim9090md_frontend_attach(struct dvb_usb_adapter *adap) - dib9000_i2c_enumeration(&adap->dev->i2c_adap, 1, 0x20, 0x80); - adap->fe_adap[0].fe = dvb_attach(dib9000_attach, &adap->dev->i2c_adap, 0x80, &nim9090md_config[0]); - -- if (adap->fe_adap[0].fe == NULL) -+ if (!adap->fe_adap[0].fe) { -+ release_firmware(state->frontend_firmware); - return -ENODEV; -+ } - - i2c = dib9000_get_i2c_master(adap->fe_adap[0].fe, DIBX000_I2C_INTERFACE_GPIO_3_4, 0); - dib9000_i2c_enumeration(i2c, 1, 0x12, 0x82); -@@ -2501,7 +2508,12 @@ static int nim9090md_frontend_attach(struct dvb_usb_adapter *adap) - fe_slave = dvb_attach(dib9000_attach, i2c, 0x82, &nim9090md_config[1]); - dib9000_set_slave_frontend(adap->fe_adap[0].fe, fe_slave); - -- return fe_slave == NULL ? -ENODEV : 0; -+ if (!fe_slave) { -+ release_firmware(state->frontend_firmware); -+ return -ENODEV; -+ } -+ -+ return 0; - } - - static int nim9090md_tuner_attach(struct dvb_usb_adapter *adap) --- -2.43.0 - diff --git a/queue-5.15/media-dw2102-don-t-translate-i2c-read-into-write.patch b/queue-5.15/media-dw2102-don-t-translate-i2c-read-into-write.patch deleted file mode 100644 index 6cc5be8a373..00000000000 --- a/queue-5.15/media-dw2102-don-t-translate-i2c-read-into-write.patch +++ /dev/null @@ -1,197 +0,0 @@ -From b9256894f87ecc5e7f64289294755b0ff484099a Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sun, 16 Jan 2022 11:22:36 +0000 -Subject: media: dw2102: Don't translate i2c read into write - -From: Michael Bunk - -[ Upstream commit 0e148a522b8453115038193e19ec7bea71403e4a ] - -The code ignored the I2C_M_RD flag on I2C messages. Instead it assumed -an i2c transaction with a single message must be a write operation and a -transaction with two messages would be a read operation. - -Though this works for the driver code, it leads to problems once the i2c -device is exposed to code not knowing this convention. For example, -I did "insmod i2c-dev" and issued read requests from userspace, which -were translated into write requests and destroyed the EEPROM of my -device. - -So, just check and respect the I2C_M_READ flag, which indicates a read -when set on a message. If it is absent, it is a write message. - -Incidentally, changing from the case statement to a while loop allows -the code to lift the limitation to two i2c messages per transaction. - -There are 4 more *_i2c_transfer functions affected by the same behaviour -and limitation that should be fixed in the same way. - -Link: https://lore.kernel.org/linux-media/20220116112238.74171-2-micha@freedict.org -Signed-off-by: Michael Bunk -Signed-off-by: Mauro Carvalho Chehab -Signed-off-by: Sasha Levin ---- - drivers/media/usb/dvb-usb/dw2102.c | 120 ++++++++++++++++++----------- - 1 file changed, 73 insertions(+), 47 deletions(-) - -diff --git a/drivers/media/usb/dvb-usb/dw2102.c b/drivers/media/usb/dvb-usb/dw2102.c -index 253d13bdb63e5..ec4247f49bf69 100644 ---- a/drivers/media/usb/dvb-usb/dw2102.c -+++ b/drivers/media/usb/dvb-usb/dw2102.c -@@ -716,6 +716,7 @@ static int su3000_i2c_transfer(struct i2c_adapter *adap, struct i2c_msg msg[], - { - struct dvb_usb_device *d = i2c_get_adapdata(adap); - struct dw2102_state *state; -+ int j; - - if (!d) - return -ENODEV; -@@ -729,11 +730,11 @@ static int su3000_i2c_transfer(struct i2c_adapter *adap, struct i2c_msg msg[], - return -EAGAIN; - } - -- switch (num) { -- case 1: -- switch (msg[0].addr) { -+ j = 0; -+ while (j < num) { -+ switch (msg[j].addr) { - case SU3000_STREAM_CTRL: -- state->data[0] = msg[0].buf[0] + 0x36; -+ state->data[0] = msg[j].buf[0] + 0x36; - state->data[1] = 3; - state->data[2] = 0; - if (dvb_usb_generic_rw(d, state->data, 3, -@@ -745,61 +746,86 @@ static int su3000_i2c_transfer(struct i2c_adapter *adap, struct i2c_msg msg[], - if (dvb_usb_generic_rw(d, state->data, 1, - state->data, 2, 0) < 0) - err("i2c transfer failed."); -- msg[0].buf[1] = state->data[0]; -- msg[0].buf[0] = state->data[1]; -+ msg[j].buf[1] = state->data[0]; -+ msg[j].buf[0] = state->data[1]; - break; - default: -- if (3 + msg[0].len > sizeof(state->data)) { -- warn("i2c wr: len=%d is too big!\n", -- msg[0].len); -+ /* if the current write msg is followed by a another -+ * read msg to/from the same address -+ */ -+ if ((j+1 < num) && (msg[j+1].flags & I2C_M_RD) && -+ (msg[j].addr == msg[j+1].addr)) { -+ /* join both i2c msgs to one usb read command */ -+ if (4 + msg[j].len > sizeof(state->data)) { -+ warn("i2c combined wr/rd: write len=%d is too big!\n", -+ msg[j].len); -+ num = -EOPNOTSUPP; -+ break; -+ } -+ if (1 + msg[j+1].len > sizeof(state->data)) { -+ warn("i2c combined wr/rd: read len=%d is too big!\n", -+ msg[j+1].len); -+ num = -EOPNOTSUPP; -+ break; -+ } -+ -+ state->data[0] = 0x09; -+ state->data[1] = msg[j].len; -+ state->data[2] = msg[j+1].len; -+ state->data[3] = msg[j].addr; -+ memcpy(&state->data[4], msg[j].buf, msg[j].len); -+ -+ if (dvb_usb_generic_rw(d, state->data, msg[j].len + 4, -+ state->data, msg[j+1].len + 1, 0) < 0) -+ err("i2c transfer failed."); -+ -+ memcpy(msg[j+1].buf, &state->data[1], msg[j+1].len); -+ j++; -+ break; -+ } -+ -+ if (msg[j].flags & I2C_M_RD) { -+ /* single read */ -+ if (1 + msg[j].len > sizeof(state->data)) { -+ warn("i2c rd: len=%d is too big!\n", msg[j].len); -+ num = -EOPNOTSUPP; -+ break; -+ } -+ -+ state->data[0] = 0x09; -+ state->data[1] = 0; -+ state->data[2] = msg[j].len; -+ state->data[3] = msg[j].addr; -+ memcpy(&state->data[4], msg[j].buf, msg[j].len); -+ -+ if (dvb_usb_generic_rw(d, state->data, 4, -+ state->data, msg[j].len + 1, 0) < 0) -+ err("i2c transfer failed."); -+ -+ memcpy(msg[j].buf, &state->data[1], msg[j].len); -+ break; -+ } -+ -+ /* single write */ -+ if (3 + msg[j].len > sizeof(state->data)) { -+ warn("i2c wr: len=%d is too big!\n", msg[j].len); - num = -EOPNOTSUPP; - break; - } - -- /* always i2c write*/ - state->data[0] = 0x08; -- state->data[1] = msg[0].addr; -- state->data[2] = msg[0].len; -+ state->data[1] = msg[j].addr; -+ state->data[2] = msg[j].len; - -- memcpy(&state->data[3], msg[0].buf, msg[0].len); -+ memcpy(&state->data[3], msg[j].buf, msg[j].len); - -- if (dvb_usb_generic_rw(d, state->data, msg[0].len + 3, -+ if (dvb_usb_generic_rw(d, state->data, msg[j].len + 3, - state->data, 1, 0) < 0) - err("i2c transfer failed."); -+ } // switch -+ j++; - -- } -- break; -- case 2: -- /* always i2c read */ -- if (4 + msg[0].len > sizeof(state->data)) { -- warn("i2c rd: len=%d is too big!\n", -- msg[0].len); -- num = -EOPNOTSUPP; -- break; -- } -- if (1 + msg[1].len > sizeof(state->data)) { -- warn("i2c rd: len=%d is too big!\n", -- msg[1].len); -- num = -EOPNOTSUPP; -- break; -- } -- -- state->data[0] = 0x09; -- state->data[1] = msg[0].len; -- state->data[2] = msg[1].len; -- state->data[3] = msg[0].addr; -- memcpy(&state->data[4], msg[0].buf, msg[0].len); -- -- if (dvb_usb_generic_rw(d, state->data, msg[0].len + 4, -- state->data, msg[1].len + 1, 0) < 0) -- err("i2c transfer failed."); -- -- memcpy(msg[1].buf, &state->data[1], msg[1].len); -- break; -- default: -- warn("more than 2 i2c messages at a time is not handled yet."); -- break; -- } -+ } // while - mutex_unlock(&d->data_mutex); - mutex_unlock(&d->i2c_mutex); - return num; --- -2.43.0 - diff --git a/queue-5.15/media-s2255-use-refcount_t-instead-of-atomic_t-for-n.patch b/queue-5.15/media-s2255-use-refcount_t-instead-of-atomic_t-for-n.patch deleted file mode 100644 index 9be7c42a9ae..00000000000 --- a/queue-5.15/media-s2255-use-refcount_t-instead-of-atomic_t-for-n.patch +++ /dev/null @@ -1,109 +0,0 @@ -From e302406f0ce08b566e9afdc4bcc6a85e6056704b Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 29 Apr 2024 16:04:50 +0100 -Subject: media: s2255: Use refcount_t instead of atomic_t for num_channels - -From: Ricardo Ribalda - -[ Upstream commit 6cff72f6bcee89228a662435b7c47e21a391c8d0 ] - -Use an API that resembles more the actual use of num_channels. - -Found by cocci: -drivers/media/usb/s2255/s2255drv.c:2362:5-24: WARNING: atomic_dec_and_test variation before object free at line 2363. -drivers/media/usb/s2255/s2255drv.c:1557:5-24: WARNING: atomic_dec_and_test variation before object free at line 1558. - -Link: https://lore.kernel.org/linux-media/20240429-fix-cocci-v3-11-3c4865f5a4b0@chromium.org -Signed-off-by: Ricardo Ribalda -Signed-off-by: Mauro Carvalho Chehab -Signed-off-by: Sasha Levin ---- - drivers/media/usb/s2255/s2255drv.c | 20 ++++++++++---------- - 1 file changed, 10 insertions(+), 10 deletions(-) - -diff --git a/drivers/media/usb/s2255/s2255drv.c b/drivers/media/usb/s2255/s2255drv.c -index acf18e2251a52..6c9870541c53d 100644 ---- a/drivers/media/usb/s2255/s2255drv.c -+++ b/drivers/media/usb/s2255/s2255drv.c -@@ -247,7 +247,7 @@ struct s2255_vc { - struct s2255_dev { - struct s2255_vc vc[MAX_CHANNELS]; - struct v4l2_device v4l2_dev; -- atomic_t num_channels; -+ refcount_t num_channels; - int frames; - struct mutex lock; /* channels[].vdev.lock */ - struct mutex cmdlock; /* protects cmdbuf */ -@@ -1550,11 +1550,11 @@ static void s2255_video_device_release(struct video_device *vdev) - container_of(vdev, struct s2255_vc, vdev); - - dprintk(dev, 4, "%s, chnls: %d\n", __func__, -- atomic_read(&dev->num_channels)); -+ refcount_read(&dev->num_channels)); - - v4l2_ctrl_handler_free(&vc->hdl); - -- if (atomic_dec_and_test(&dev->num_channels)) -+ if (refcount_dec_and_test(&dev->num_channels)) - s2255_destroy(dev); - return; - } -@@ -1659,7 +1659,7 @@ static int s2255_probe_v4l(struct s2255_dev *dev) - "failed to register video device!\n"); - break; - } -- atomic_inc(&dev->num_channels); -+ refcount_inc(&dev->num_channels); - v4l2_info(&dev->v4l2_dev, "V4L2 device registered as %s\n", - video_device_node_name(&vc->vdev)); - -@@ -1667,11 +1667,11 @@ static int s2255_probe_v4l(struct s2255_dev *dev) - pr_info("Sensoray 2255 V4L driver Revision: %s\n", - S2255_VERSION); - /* if no channels registered, return error and probe will fail*/ -- if (atomic_read(&dev->num_channels) == 0) { -+ if (refcount_read(&dev->num_channels) == 0) { - v4l2_device_unregister(&dev->v4l2_dev); - return ret; - } -- if (atomic_read(&dev->num_channels) != MAX_CHANNELS) -+ if (refcount_read(&dev->num_channels) != MAX_CHANNELS) - pr_warn("s2255: Not all channels available.\n"); - return 0; - } -@@ -2220,7 +2220,7 @@ static int s2255_probe(struct usb_interface *interface, - goto errorFWDATA1; - } - -- atomic_set(&dev->num_channels, 0); -+ refcount_set(&dev->num_channels, 0); - dev->pid = id->idProduct; - dev->fw_data = kzalloc(sizeof(struct s2255_fw), GFP_KERNEL); - if (!dev->fw_data) -@@ -2340,12 +2340,12 @@ static void s2255_disconnect(struct usb_interface *interface) - { - struct s2255_dev *dev = to_s2255_dev(usb_get_intfdata(interface)); - int i; -- int channels = atomic_read(&dev->num_channels); -+ int channels = refcount_read(&dev->num_channels); - mutex_lock(&dev->lock); - v4l2_device_disconnect(&dev->v4l2_dev); - mutex_unlock(&dev->lock); - /*see comments in the uvc_driver.c usb disconnect function */ -- atomic_inc(&dev->num_channels); -+ refcount_inc(&dev->num_channels); - /* unregister each video device. */ - for (i = 0; i < channels; i++) - video_unregister_device(&dev->vc[i].vdev); -@@ -2358,7 +2358,7 @@ static void s2255_disconnect(struct usb_interface *interface) - dev->vc[i].vidstatus_ready = 1; - wake_up(&dev->vc[i].wait_vidstatus); - } -- if (atomic_dec_and_test(&dev->num_channels)) -+ if (refcount_dec_and_test(&dev->num_channels)) - s2255_destroy(dev); - dev_info(&interface->dev, "%s\n", __func__); - } --- -2.43.0 - diff --git a/queue-5.15/net-dsa-mv88e6xxx-correct-check-for-empty-list.patch b/queue-5.15/net-dsa-mv88e6xxx-correct-check-for-empty-list.patch deleted file mode 100644 index 25c17de1dba..00000000000 --- a/queue-5.15/net-dsa-mv88e6xxx-correct-check-for-empty-list.patch +++ /dev/null @@ -1,50 +0,0 @@ -From 7dd6b0f0dc060779c3ccb7658f26d93b3b286591 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 30 Apr 2024 18:46:45 +0100 -Subject: net: dsa: mv88e6xxx: Correct check for empty list - -From: Simon Horman - -[ Upstream commit 4c7f3950a9fd53a62b156c0fe7c3a2c43b0ba19b ] - -Since commit a3c53be55c95 ("net: dsa: mv88e6xxx: Support multiple MDIO -busses") mv88e6xxx_default_mdio_bus() has checked that the -return value of list_first_entry() is non-NULL. - -This appears to be intended to guard against the list chip->mdios being -empty. However, it is not the correct check as the implementation of -list_first_entry is not designed to return NULL for empty lists. - -Instead, use list_first_entry_or_null() which does return NULL if the -list is empty. - -Flagged by Smatch. -Compile tested only. - -Reviewed-by: Andrew Lunn -Signed-off-by: Simon Horman -Link: https://lore.kernel.org/r/20240430-mv88e6xx-list_empty-v3-1-c35c69d88d2e@kernel.org -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - drivers/net/dsa/mv88e6xxx/chip.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c -index 5ddd97f79e8e6..7985a48e08306 100644 ---- a/drivers/net/dsa/mv88e6xxx/chip.c -+++ b/drivers/net/dsa/mv88e6xxx/chip.c -@@ -117,8 +117,8 @@ struct mii_bus *mv88e6xxx_default_mdio_bus(struct mv88e6xxx_chip *chip) - { - struct mv88e6xxx_mdio_bus *mdio_bus; - -- mdio_bus = list_first_entry(&chip->mdios, struct mv88e6xxx_mdio_bus, -- list); -+ mdio_bus = list_first_entry_or_null(&chip->mdios, -+ struct mv88e6xxx_mdio_bus, list); - if (!mdio_bus) - return NULL; - --- -2.43.0 - diff --git a/queue-5.15/nilfs2-convert-bug_on-in-nilfs_finish_roll_forward-t.patch b/queue-5.15/nilfs2-convert-bug_on-in-nilfs_finish_roll_forward-t.patch deleted file mode 100644 index b3dcb1142c8..00000000000 --- a/queue-5.15/nilfs2-convert-bug_on-in-nilfs_finish_roll_forward-t.patch +++ /dev/null @@ -1,45 +0,0 @@ -From c17b1af38274dafc27de706df9814fcd1970c521 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 9 May 2024 07:14:29 +0900 -Subject: nilfs2: convert BUG_ON() in nilfs_finish_roll_forward() to WARN_ON() - -From: Ryusuke Konishi - -[ Upstream commit 0a73eac1ed10097d1799c10dff2172605fd40c75 ] - -The BUG_ON check performed on the return value of __getblk() in -nilfs_finish_roll_forward() assumes that a buffer that has been -successfully read once is retrieved with the same parameters and does not -fail (__getblk() does not return an error due to memory allocation -failure). Also, nilfs_finish_roll_forward() is called at most once during -mount. - -Taking these into consideration, rewrite the check to use WARN_ON() to -avoid using BUG_ON(). - -Link: https://lkml.kernel.org/r/20240508221429.7559-1-konishi.ryusuke@gmail.com -Signed-off-by: Ryusuke Konishi -Signed-off-by: Andrew Morton -Signed-off-by: Sasha Levin ---- - fs/nilfs2/recovery.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/fs/nilfs2/recovery.c b/fs/nilfs2/recovery.c -index 188b8cc52e2b6..e8d436bb8ecb5 100644 ---- a/fs/nilfs2/recovery.c -+++ b/fs/nilfs2/recovery.c -@@ -698,7 +698,9 @@ static void nilfs_finish_roll_forward(struct the_nilfs *nilfs, - return; - - bh = __getblk(nilfs->ns_bdev, ri->ri_lsegs_start, nilfs->ns_blocksize); -- BUG_ON(!bh); -+ if (WARN_ON(!bh)) -+ return; /* should never happen */ -+ - memset(bh->b_data, 0, bh->b_size); - set_buffer_dirty(bh); - err = sync_dirty_buffer(bh); --- -2.43.0 - diff --git a/queue-5.15/orangefs-fix-out-of-bounds-fsid-access.patch b/queue-5.15/orangefs-fix-out-of-bounds-fsid-access.patch deleted file mode 100644 index e15a4cb3545..00000000000 --- a/queue-5.15/orangefs-fix-out-of-bounds-fsid-access.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 4809e0b1cc2214969d60225b0f22e371b1f08440 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 1 May 2024 16:20:36 -0400 -Subject: orangefs: fix out-of-bounds fsid access - -From: Mike Marshall - -[ Upstream commit 53e4efa470d5fc6a96662d2d3322cfc925818517 ] - -Arnd Bergmann sent a patch to fsdevel, he says: - -"orangefs_statfs() copies two consecutive fields of the superblock into -the statfs structure, which triggers a warning from the string fortification -helpers" - -Jan Kara suggested an alternate way to do the patch to make it more readable. - -I ran both ideas through xfstests and both seem fine. This patch -is based on Jan Kara's suggestion. - -Signed-off-by: Mike Marshall -Signed-off-by: Sasha Levin ---- - fs/orangefs/super.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/fs/orangefs/super.c b/fs/orangefs/super.c -index 2f2e430461b21..b48aef43b51d5 100644 ---- a/fs/orangefs/super.c -+++ b/fs/orangefs/super.c -@@ -200,7 +200,8 @@ static int orangefs_statfs(struct dentry *dentry, struct kstatfs *buf) - (long)new_op->downcall.resp.statfs.files_avail); - - buf->f_type = sb->s_magic; -- memcpy(&buf->f_fsid, &ORANGEFS_SB(sb)->fs_id, sizeof(buf->f_fsid)); -+ buf->f_fsid.val[0] = ORANGEFS_SB(sb)->fs_id; -+ buf->f_fsid.val[1] = ORANGEFS_SB(sb)->id; - buf->f_bsize = new_op->downcall.resp.statfs.block_size; - buf->f_namelen = ORANGEFS_NAME_MAX; - --- -2.43.0 - diff --git a/queue-5.15/powerpc-64-set-_io_base-to-poison_pointer_delta-not-.patch b/queue-5.15/powerpc-64-set-_io_base-to-poison_pointer_delta-not-.patch deleted file mode 100644 index 3dcb0c3b773..00000000000 --- a/queue-5.15/powerpc-64-set-_io_base-to-poison_pointer_delta-not-.patch +++ /dev/null @@ -1,49 +0,0 @@ -From b46d75aa719553d7c8667e3aea4c6beace9b40e8 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 3 May 2024 17:56:19 +1000 -Subject: powerpc/64: Set _IO_BASE to POISON_POINTER_DELTA not 0 for - CONFIG_PCI=n - -From: Michael Ellerman - -[ Upstream commit be140f1732b523947425aaafbe2e37b41b622d96 ] - -There is code that builds with calls to IO accessors even when -CONFIG_PCI=n, but the actual calls are guarded by runtime checks. - -If not those calls would be faulting, because the page at virtual -address zero is (usually) not mapped into the kernel. As Arnd pointed -out, it is possible a large port value could cause the address to be -above mmap_min_addr which would then access userspace, which would be -a bug. - -To avoid any such issues, set _IO_BASE to POISON_POINTER_DELTA. That -is a value chosen to point into unmapped space between the kernel and -userspace, so any access will always fault. - -Note that on 32-bit POISON_POINTER_DELTA is 0, so the patch only has an -effect on 64-bit. - -Signed-off-by: Michael Ellerman -Link: https://msgid.link/20240503075619.394467-2-mpe@ellerman.id.au -Signed-off-by: Sasha Levin ---- - arch/powerpc/include/asm/io.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/arch/powerpc/include/asm/io.h b/arch/powerpc/include/asm/io.h -index 56eb8ac443930..636605f91ea3f 100644 ---- a/arch/powerpc/include/asm/io.h -+++ b/arch/powerpc/include/asm/io.h -@@ -45,7 +45,7 @@ extern struct pci_dev *isa_bridge_pcidev; - * define properly based on the platform - */ - #ifndef CONFIG_PCI --#define _IO_BASE 0 -+#define _IO_BASE POISON_POINTER_DELTA - #define _ISA_MEM_BASE 0 - #define PCI_DRAM_OFFSET 0 - #elif defined(CONFIG_PPC32) --- -2.43.0 - diff --git a/queue-5.15/powerpc-xmon-check-cpu-id-in-commands-c-dp-and-dx.patch b/queue-5.15/powerpc-xmon-check-cpu-id-in-commands-c-dp-and-dx.patch deleted file mode 100644 index a362543bc8e..00000000000 --- a/queue-5.15/powerpc-xmon-check-cpu-id-in-commands-c-dp-and-dx.patch +++ /dev/null @@ -1,61 +0,0 @@ -From 0f36b478457790169ff04f05243efdde1b745db5 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 9 Mar 2021 19:11:10 +0100 -Subject: powerpc/xmon: Check cpu id in commands "c#", "dp#" and "dx#" -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Greg Kurz - -[ Upstream commit 8873aab8646194a4446117bb617cc71bddda2dee ] - -All these commands end up peeking into the PACA using the user -originated cpu id as an index. Check the cpu id is valid in order -to prevent xmon to crash. Instead of printing an error, this follows -the same behavior as the "lp s #" command : ignore the buggy cpu id -parameter and fall back to the #-less version of the command. - -Signed-off-by: Greg Kurz -Reviewed-by: Cédric Le Goater -Signed-off-by: Michael Ellerman -Link: https://msgid.link/161531347060.252863.10490063933688958044.stgit@bahia.lan -Signed-off-by: Sasha Levin ---- - arch/powerpc/xmon/xmon.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/arch/powerpc/xmon/xmon.c b/arch/powerpc/xmon/xmon.c -index 8b5277c3b1476..4178d5e8b42d9 100644 ---- a/arch/powerpc/xmon/xmon.c -+++ b/arch/powerpc/xmon/xmon.c -@@ -1356,7 +1356,7 @@ static int cpu_cmd(void) - } - termch = cpu; - -- if (!scanhex(&cpu)) { -+ if (!scanhex(&cpu) || cpu >= num_possible_cpus()) { - /* print cpus waiting or in xmon */ - printf("cpus stopped:"); - last_cpu = first_cpu = NR_CPUS; -@@ -2771,7 +2771,7 @@ static void dump_pacas(void) - - termch = c; /* Put c back, it wasn't 'a' */ - -- if (scanhex(&num)) -+ if (scanhex(&num) && num < num_possible_cpus()) - dump_one_paca(num); - else - dump_one_paca(xmon_owner); -@@ -2844,7 +2844,7 @@ static void dump_xives(void) - - termch = c; /* Put c back, it wasn't 'a' */ - -- if (scanhex(&num)) -+ if (scanhex(&num) && num < num_possible_cpus()) - dump_one_xive(num); - else - dump_one_xive(xmon_owner); --- -2.43.0 - diff --git a/queue-5.15/s390-mark-psw-in-__load_psw_mask-as-__unitialized.patch b/queue-5.15/s390-mark-psw-in-__load_psw_mask-as-__unitialized.patch deleted file mode 100644 index d8423386f7e..00000000000 --- a/queue-5.15/s390-mark-psw-in-__load_psw_mask-as-__unitialized.patch +++ /dev/null @@ -1,47 +0,0 @@ -From b66eb59a965b2a46b4bc5da36cb1639d458aafc1 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 30 Apr 2024 16:30:01 +0200 -Subject: s390: Mark psw in __load_psw_mask() as __unitialized - -From: Sven Schnelle - -[ Upstream commit 7278a8fb8d032dfdc03d9b5d17e0bc451cdc1492 ] - -Without __unitialized, the following code is generated when -INIT_STACK_ALL_ZERO is enabled: - -86: d7 0f f0 a0 f0 a0 xc 160(16,%r15), 160(%r15) -8c: e3 40 f0 a0 00 24 stg %r4, 160(%r15) -92: c0 10 00 00 00 08 larl %r1, 0xa2 -98: e3 10 f0 a8 00 24 stg %r1, 168(%r15) -9e: b2 b2 f0 a0 lpswe 160(%r15) - -The xc is not adding any security because psw is fully initialized -with the following instructions. Add __unitialized to the psw -definitiation to avoid the superfluous clearing of psw. - -Reviewed-by: Heiko Carstens -Signed-off-by: Sven Schnelle -Signed-off-by: Alexander Gordeev -Signed-off-by: Sasha Levin ---- - arch/s390/include/asm/processor.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/arch/s390/include/asm/processor.h b/arch/s390/include/asm/processor.h -index d7ca76bb2720f..2ba16e67c96d5 100644 ---- a/arch/s390/include/asm/processor.h -+++ b/arch/s390/include/asm/processor.h -@@ -250,8 +250,8 @@ static inline void __load_psw(psw_t psw) - */ - static __always_inline void __load_psw_mask(unsigned long mask) - { -+ psw_t psw __uninitialized; - unsigned long addr; -- psw_t psw; - - psw.mask = mask; - --- -2.43.0 - diff --git a/queue-5.15/s390-pkey-wipe-sensitive-data-on-failure.patch b/queue-5.15/s390-pkey-wipe-sensitive-data-on-failure.patch deleted file mode 100644 index c2f5ec05cd7..00000000000 --- a/queue-5.15/s390-pkey-wipe-sensitive-data-on-failure.patch +++ /dev/null @@ -1,47 +0,0 @@ -From b8aede5f0b0f7c95014df5bdde62b64530461f3a Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 7 May 2024 17:03:18 +0200 -Subject: s390/pkey: Wipe sensitive data on failure - -From: Holger Dengler - -[ Upstream commit 1d8c270de5eb74245d72325d285894a577a945d9 ] - -Wipe sensitive data from stack also if the copy_to_user() fails. - -Suggested-by: Heiko Carstens -Reviewed-by: Harald Freudenberger -Reviewed-by: Ingo Franzki -Acked-by: Heiko Carstens -Signed-off-by: Holger Dengler -Signed-off-by: Alexander Gordeev -Signed-off-by: Sasha Levin ---- - drivers/s390/crypto/pkey_api.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/drivers/s390/crypto/pkey_api.c b/drivers/s390/crypto/pkey_api.c -index 34e1d1b339c12..43dd937cdfba1 100644 ---- a/drivers/s390/crypto/pkey_api.c -+++ b/drivers/s390/crypto/pkey_api.c -@@ -1170,7 +1170,7 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd, - if (rc) - break; - if (copy_to_user(ucs, &kcs, sizeof(kcs))) -- return -EFAULT; -+ rc = -EFAULT; - memzero_explicit(&kcs, sizeof(kcs)); - break; - } -@@ -1202,7 +1202,7 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd, - if (rc) - break; - if (copy_to_user(ucp, &kcp, sizeof(kcp))) -- return -EFAULT; -+ rc = -EFAULT; - memzero_explicit(&kcp, sizeof(kcp)); - break; - } --- -2.43.0 - diff --git a/queue-5.15/scsi-qedf-make-qedf_execute_tmf-non-preemptible.patch b/queue-5.15/scsi-qedf-make-qedf_execute_tmf-non-preemptible.patch deleted file mode 100644 index 0d4026cdb20..00000000000 --- a/queue-5.15/scsi-qedf-make-qedf_execute_tmf-non-preemptible.patch +++ /dev/null @@ -1,54 +0,0 @@ -From 263a566fcc3e3ce7cf7cd38af2fc27893c26a8fd Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 3 Apr 2024 11:01:55 -0400 -Subject: scsi: qedf: Make qedf_execute_tmf() non-preemptible - -From: John Meneghini - -[ Upstream commit 0d8b637c9c5eeaa1a4e3dfb336f3ff918eb64fec ] - -Stop calling smp_processor_id() from preemptible code in -qedf_execute_tmf90. This results in BUG_ON() when running an RT kernel. - -[ 659.343280] BUG: using smp_processor_id() in preemptible [00000000] code: sg_reset/3646 -[ 659.343282] caller is qedf_execute_tmf+0x8b/0x360 [qedf] - -Tested-by: Guangwu Zhang -Cc: Saurav Kashyap -Cc: Nilesh Javali -Signed-off-by: John Meneghini -Link: https://lore.kernel.org/r/20240403150155.412954-1-jmeneghi@redhat.com -Acked-by: Saurav Kashyap -Signed-off-by: Martin K. Petersen -Signed-off-by: Sasha Levin ---- - drivers/scsi/qedf/qedf_io.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/drivers/scsi/qedf/qedf_io.c b/drivers/scsi/qedf/qedf_io.c -index a1a1f4e466609..450b2baf1fd14 100644 ---- a/drivers/scsi/qedf/qedf_io.c -+++ b/drivers/scsi/qedf/qedf_io.c -@@ -2340,9 +2340,6 @@ static int qedf_execute_tmf(struct qedf_rport *fcport, struct scsi_cmnd *sc_cmd, - io_req->fcport = fcport; - io_req->cmd_type = QEDF_TASK_MGMT_CMD; - -- /* Record which cpu this request is associated with */ -- io_req->cpu = smp_processor_id(); -- - /* Set TM flags */ - io_req->io_req_flags = QEDF_READ; - io_req->data_xfer_len = 0; -@@ -2364,6 +2361,9 @@ static int qedf_execute_tmf(struct qedf_rport *fcport, struct scsi_cmnd *sc_cmd, - - spin_lock_irqsave(&fcport->rport_lock, flags); - -+ /* Record which cpu this request is associated with */ -+ io_req->cpu = smp_processor_id(); -+ - sqe_idx = qedf_get_sqe_idx(fcport); - sqe = &fcport->sq[sqe_idx]; - memset(sqe, 0, sizeof(struct fcoe_wqe)); --- -2.43.0 - diff --git a/queue-5.15/sctp-prefer-struct_size-over-open-coded-arithmetic.patch b/queue-5.15/sctp-prefer-struct_size-over-open-coded-arithmetic.patch deleted file mode 100644 index f4319777698..00000000000 --- a/queue-5.15/sctp-prefer-struct_size-over-open-coded-arithmetic.patch +++ /dev/null @@ -1,74 +0,0 @@ -From 9ed46027be2f87a0a9d10365bd58dd6597ac6c26 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sat, 27 Apr 2024 19:23:36 +0200 -Subject: sctp: prefer struct_size over open coded arithmetic - -From: Erick Archer - -[ Upstream commit e5c5f3596de224422561d48eba6ece5210d967b3 ] - -This is an effort to get rid of all multiplications from allocation -functions in order to prevent integer overflows [1][2]. - -As the "ids" variable is a pointer to "struct sctp_assoc_ids" and this -structure ends in a flexible array: - -struct sctp_assoc_ids { - [...] - sctp_assoc_t gaids_assoc_id[]; -}; - -the preferred way in the kernel is to use the struct_size() helper to -do the arithmetic instead of the calculation "size + size * count" in -the kmalloc() function. - -Also, refactor the code adding the "ids_size" variable to avoid sizing -twice. - -This way, the code is more readable and safer. - -This code was detected with the help of Coccinelle, and audited and -modified manually. - -Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#open-coded-arithmetic-in-allocator-arguments [1] -Link: https://github.com/KSPP/linux/issues/160 [2] -Signed-off-by: Erick Archer -Acked-by: Xin Long -Reviewed-by: Kees Cook -Link: https://lore.kernel.org/r/PAXPR02MB724871DB78375AB06B5171C88B152@PAXPR02MB7248.eurprd02.prod.outlook.com -Signed-off-by: Paolo Abeni -Signed-off-by: Sasha Levin ---- - net/sctp/socket.c | 7 ++++--- - 1 file changed, 4 insertions(+), 3 deletions(-) - -diff --git a/net/sctp/socket.c b/net/sctp/socket.c -index d9271ffb29781..967b330ffd4e3 100644 ---- a/net/sctp/socket.c -+++ b/net/sctp/socket.c -@@ -7112,6 +7112,7 @@ static int sctp_getsockopt_assoc_ids(struct sock *sk, int len, - struct sctp_sock *sp = sctp_sk(sk); - struct sctp_association *asoc; - struct sctp_assoc_ids *ids; -+ size_t ids_size; - u32 num = 0; - - if (sctp_style(sk, TCP)) -@@ -7124,11 +7125,11 @@ static int sctp_getsockopt_assoc_ids(struct sock *sk, int len, - num++; - } - -- if (len < sizeof(struct sctp_assoc_ids) + sizeof(sctp_assoc_t) * num) -+ ids_size = struct_size(ids, gaids_assoc_id, num); -+ if (len < ids_size) - return -EINVAL; - -- len = sizeof(struct sctp_assoc_ids) + sizeof(sctp_assoc_t) * num; -- -+ len = ids_size; - ids = kmalloc(len, GFP_USER | __GFP_NOWARN); - if (unlikely(!ids)) - return -ENOMEM; --- -2.43.0 - diff --git a/queue-5.15/series b/queue-5.15/series deleted file mode 100644 index a1009af5200..00000000000 --- a/queue-5.15/series +++ /dev/null @@ -1,34 +0,0 @@ -locking-mutex-introduce-devm_mutex_init.patch -drm-lima-fix-shared-irq-handling-on-driver-remove.patch -media-dvb-as102-fe-fix-as10x_register_addr-packing.patch -media-dvb-usb-dib0700_devices-add-missing-release_fi.patch -ib-core-implement-a-limit-on-umad-receive-list.patch -scsi-qedf-make-qedf_execute_tmf-non-preemptible.patch -irqchip-gic-v3-its-remove-bug_on-in-its_vpe_irq_doma.patch -crypto-aead-cipher-zeroize-key-buffer-after-use.patch -drm-amdgpu-initialize-timestamp-for-some-legacy-socs.patch -drm-amd-display-check-index-msg_id-before-read-or-wr.patch -drm-amd-display-check-pipe-offset-before-setting-vbl.patch -drm-amd-display-skip-finding-free-audio-for-unknown-.patch -media-dw2102-don-t-translate-i2c-read-into-write.patch -sctp-prefer-struct_size-over-open-coded-arithmetic.patch -firmware-dmi-stop-decoding-on-broken-entry.patch -input-ff-core-prefer-struct_size-over-open-coded-ari.patch -usb-xhci-prevent-potential-failure-in-handle_tx_even.patch -wifi-mt76-replace-skb_put-with-skb_put_zero.patch -net-dsa-mv88e6xxx-correct-check-for-empty-list.patch -media-dvb-frontends-tda18271c2dd-remove-casting-duri.patch -media-s2255-use-refcount_t-instead-of-atomic_t-for-n.patch -media-dvb-frontends-tda10048-fix-integer-overflow.patch -i2c-i801-annotate-apanel_addr-as-__ro_after_init.patch -powerpc-64-set-_io_base-to-poison_pointer_delta-not-.patch -orangefs-fix-out-of-bounds-fsid-access.patch -kunit-fix-timeout-message.patch -powerpc-xmon-check-cpu-id-in-commands-c-dp-and-dx.patch -igc-fix-a-log-entry-using-uninitialized-netdev.patch -bpf-avoid-uninitialized-value-in-bpf_core_read_bitfi.patch -nilfs2-convert-bug_on-in-nilfs_finish_roll_forward-t.patch -jffs2-fix-potential-illegal-address-access-in-jffs2_.patch -s390-mark-psw-in-__load_psw_mask-as-__unitialized.patch -s390-pkey-wipe-sensitive-data-on-failure.patch -tools-power-turbostat-remember-global-max_die_id.patch diff --git a/queue-5.15/tools-power-turbostat-remember-global-max_die_id.patch b/queue-5.15/tools-power-turbostat-remember-global-max_die_id.patch deleted file mode 100644 index 1e672edf011..00000000000 --- a/queue-5.15/tools-power-turbostat-remember-global-max_die_id.patch +++ /dev/null @@ -1,65 +0,0 @@ -From 2e83bef412c2b179037bc99b745593eaf921d3be Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sun, 21 Apr 2024 11:56:48 -0400 -Subject: tools/power turbostat: Remember global max_die_id - -From: Len Brown - -[ Upstream commit cda203388687aa075db6f8996c3c4549fa518ea8 ] - -This is necessary to gracefully handle sparse die_id's. - -no functional change - -Signed-off-by: Len Brown -Signed-off-by: Sasha Levin ---- - tools/power/x86/turbostat/turbostat.c | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - -diff --git a/tools/power/x86/turbostat/turbostat.c b/tools/power/x86/turbostat/turbostat.c -index 0822e7dc0fd8b..5a9fc659e8930 100644 ---- a/tools/power/x86/turbostat/turbostat.c -+++ b/tools/power/x86/turbostat/turbostat.c -@@ -417,6 +417,7 @@ struct topo_params { - int num_cpus; - int num_cores; - int max_cpu_num; -+ int max_die_id; - int max_node_num; - int nodes_per_pkg; - int cores_per_node; -@@ -5614,7 +5615,6 @@ void topology_probe() - int i; - int max_core_id = 0; - int max_package_id = 0; -- int max_die_id = 0; - int max_siblings = 0; - - /* Initialize num_cpus, max_cpu_num */ -@@ -5683,8 +5683,8 @@ void topology_probe() - - /* get die information */ - cpus[i].die_id = get_die_id(i); -- if (cpus[i].die_id > max_die_id) -- max_die_id = cpus[i].die_id; -+ if (cpus[i].die_id > topo.max_die_id) -+ topo.max_die_id = cpus[i].die_id; - - /* get numa node information */ - cpus[i].physical_node_id = get_physical_node_id(&cpus[i]); -@@ -5710,9 +5710,9 @@ void topology_probe() - if (!summary_only && topo.cores_per_node > 1) - BIC_PRESENT(BIC_Core); - -- topo.num_die = max_die_id + 1; -+ topo.num_die = topo.max_die_id + 1; - if (debug > 1) -- fprintf(outf, "max_die_id %d, sizing for %d die\n", max_die_id, topo.num_die); -+ fprintf(outf, "max_die_id %d, sizing for %d die\n", topo.max_die_id, topo.num_die); - if (!summary_only && topo.num_die > 1) - BIC_PRESENT(BIC_Die); - --- -2.43.0 - diff --git a/queue-5.15/usb-xhci-prevent-potential-failure-in-handle_tx_even.patch b/queue-5.15/usb-xhci-prevent-potential-failure-in-handle_tx_even.patch deleted file mode 100644 index 9aaac34ced2..00000000000 --- a/queue-5.15/usb-xhci-prevent-potential-failure-in-handle_tx_even.patch +++ /dev/null @@ -1,54 +0,0 @@ -From 97070f1f720dbf1ac212cdbe20e754b9c70262d4 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 29 Apr 2024 17:02:37 +0300 -Subject: usb: xhci: prevent potential failure in handle_tx_event() for - Transfer events without TRB - -From: Niklas Neronin - -[ Upstream commit 66cb618bf0bb82859875b00eeffaf223557cb416 ] - -Some transfer events don't always point to a TRB, and consequently don't -have a endpoint ring. In these cases, function handle_tx_event() should -not proceed, because if 'ep->skip' is set, the pointer to the endpoint -ring is used. - -To prevent a potential failure and make the code logical, return after -checking the completion code for a Transfer event without TRBs. - -Signed-off-by: Niklas Neronin -Signed-off-by: Mathias Nyman -Link: https://lore.kernel.org/r/20240429140245.3955523-11-mathias.nyman@linux.intel.com -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Sasha Levin ---- - drivers/usb/host/xhci-ring.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c -index ddb5640a8bf39..16d4d2203e074 100644 ---- a/drivers/usb/host/xhci-ring.c -+++ b/drivers/usb/host/xhci-ring.c -@@ -2695,16 +2695,17 @@ static int handle_tx_event(struct xhci_hcd *xhci, - else - xhci_handle_halted_endpoint(xhci, ep, 0, NULL, - EP_SOFT_RESET); -- goto cleanup; -+ break; - case COMP_RING_UNDERRUN: - case COMP_RING_OVERRUN: - case COMP_STOPPED_LENGTH_INVALID: -- goto cleanup; -+ break; - default: - xhci_err(xhci, "ERROR Transfer event for unknown stream ring slot %u ep %u\n", - slot_id, ep_index); - goto err_out; - } -+ return 0; - } - - /* Count current td numbers if ep->skip is set */ --- -2.43.0 - diff --git a/queue-5.15/wifi-mt76-replace-skb_put-with-skb_put_zero.patch b/queue-5.15/wifi-mt76-replace-skb_put-with-skb_put_zero.patch deleted file mode 100644 index f29d398df55..00000000000 --- a/queue-5.15/wifi-mt76-replace-skb_put-with-skb_put_zero.patch +++ /dev/null @@ -1,83 +0,0 @@ -From 3c6d3826f55e4743e2e3edd15e3d34732e64b5d1 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 14 Mar 2024 17:02:52 +0100 -Subject: wifi: mt76: replace skb_put with skb_put_zero - -From: Felix Fietkau - -[ Upstream commit 7f819a2f4fbc510e088b49c79addcf1734503578 ] - -Avoid potentially reusing uninitialized data - -Signed-off-by: Felix Fietkau -Signed-off-by: Sasha Levin ---- - drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c | 10 +++++----- - drivers/net/wireless/mediatek/mt76/mt7915/mcu.c | 2 +- - 2 files changed, 6 insertions(+), 6 deletions(-) - -diff --git a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c -index 98f651fec3bf3..a5dda20f39f3a 100644 ---- a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c -+++ b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c -@@ -234,7 +234,7 @@ mt76_connac_mcu_add_nested_tlv(struct sk_buff *skb, int tag, int len, - }; - u16 ntlv; - -- ptlv = skb_put(skb, len); -+ ptlv = skb_put_zero(skb, len); - memcpy(ptlv, &tlv, sizeof(tlv)); - - ntlv = le16_to_cpu(ntlv_hdr->tlv_num); -@@ -1417,7 +1417,7 @@ int mt76_connac_mcu_hw_scan(struct mt76_phy *phy, struct ieee80211_vif *vif, - set_bit(MT76_HW_SCANNING, &phy->state); - mvif->scan_seq_num = (mvif->scan_seq_num + 1) & 0x7f; - -- req = (struct mt76_connac_hw_scan_req *)skb_put(skb, sizeof(*req)); -+ req = (struct mt76_connac_hw_scan_req *)skb_put_zero(skb, sizeof(*req)); - - req->seq_num = mvif->scan_seq_num | ext_phy << 7; - req->bss_idx = mvif->idx; -@@ -1535,7 +1535,7 @@ int mt76_connac_mcu_sched_scan_req(struct mt76_phy *phy, - - mvif->scan_seq_num = (mvif->scan_seq_num + 1) & 0x7f; - -- req = (struct mt76_connac_sched_scan_req *)skb_put(skb, sizeof(*req)); -+ req = (struct mt76_connac_sched_scan_req *)skb_put_zero(skb, sizeof(*req)); - req->version = 1; - req->seq_num = mvif->scan_seq_num | ext_phy << 7; - -@@ -1985,7 +1985,7 @@ int mt76_connac_mcu_update_gtk_rekey(struct ieee80211_hw *hw, - return -ENOMEM; - - skb_put_data(skb, &hdr, sizeof(hdr)); -- gtk_tlv = (struct mt76_connac_gtk_rekey_tlv *)skb_put(skb, -+ gtk_tlv = (struct mt76_connac_gtk_rekey_tlv *)skb_put_zero(skb, - sizeof(*gtk_tlv)); - gtk_tlv->tag = cpu_to_le16(UNI_OFFLOAD_OFFLOAD_GTK_REKEY); - gtk_tlv->len = cpu_to_le16(sizeof(*gtk_tlv)); -@@ -2107,7 +2107,7 @@ mt76_connac_mcu_set_wow_pattern(struct mt76_dev *dev, - return -ENOMEM; - - skb_put_data(skb, &hdr, sizeof(hdr)); -- ptlv = (struct mt76_connac_wow_pattern_tlv *)skb_put(skb, sizeof(*ptlv)); -+ ptlv = (struct mt76_connac_wow_pattern_tlv *)skb_put_zero(skb, sizeof(*ptlv)); - ptlv->tag = cpu_to_le16(UNI_SUSPEND_WOW_PATTERN); - ptlv->len = cpu_to_le16(sizeof(*ptlv)); - ptlv->data_len = pattern->pattern_len; -diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c -index 1c900454cf58c..169055261e9b9 100644 ---- a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c -+++ b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c -@@ -804,7 +804,7 @@ mt7915_mcu_add_nested_subtlv(struct sk_buff *skb, int sub_tag, int sub_len, - .len = cpu_to_le16(sub_len), - }; - -- ptlv = skb_put(skb, sub_len); -+ ptlv = skb_put_zero(skb, sub_len); - memcpy(ptlv, &tlv, sizeof(tlv)); - - le16_add_cpu(sub_ntlv, 1); --- -2.43.0 - -- 2.47.3