From 3fcf643db31ca1c179b6b3dae26aa88cdcd62c84 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Thu, 30 Mar 2023 07:50:33 -0400 Subject: [PATCH] Fixes for 6.1 Signed-off-by: Sasha Levin --- ...-check-if-the-input-of-level-and-typ.patch | 97 +++++++++++ ...acklight-native-dmi-quirk-for-dell-v.patch | 41 +++++ ...-asihpi-check-pao-in-control_message.patch | 72 +++++++++ ...fixup-buffer-overrun-at-tuning_ctl_s.patch | 62 ++++++++ ...acro-fix-for-kasan-slab-out-of-bound.patch | 93 +++++++++++ ...a7219-explicitly-define-codec-format.patch | 66 ++++++++ ...ax98357a-explicitly-define-codec-for.patch | 74 +++++++++ ...tel-avs-nau8825-adjust-clock-control.patch | 54 +++++++ ...ntel-avs-ssm4567-remove-nau8825-bits.patch | 80 ++++++++++ ...ci-tng-revert-invalid-bar-size-setti.patch | 60 +++++++ ...eck-for-upper-size-limit-for-the-rec.patch | 45 ++++++ ...pology-fix-incorrect-sample-rate-pri.patch | 39 +++++ ...date-gain-ipc-msg-definition-to-alig.patch | 103 ++++++++++++ ...missing-unload_nls-in-smb2_reconnect.patch | 54 +++++++ ...-potential-double-free-in-pqm_create.patch | 39 +++++ ...o-offset-for-multi-vma-page-migratio.patch | 109 +++++++++++++ ...rm-amdkfd-fix-potential-kgd_mem-uafs.patch | 98 ++++++++++++ ...d-kfd_process-cleanup-on-module-exit.patch | 150 ++++++++++++++++++ ...u1200fb-fix-potential-divide-by-zero.patch | 39 +++++ ...intelfb-fix-potential-divide-by-zero.patch | 39 +++++ ...ev-lxfb-fix-potential-divide-by-zero.patch | 38 +++++ ...-nvidia-fix-potential-divide-by-zero.patch | 40 +++++ ...v-tgafb-fix-potential-divide-by-zero.patch | 44 +++++ ...-avoid-signed-overflow-in-slot_store.patch | 44 +++++ ...g-netdev_err-message-on-unknown-prp-.patch | 40 +++++ ...maximum-allowed-mtu-in-xsk-to-match-.patch | 72 +++++++++ ...nvme_quirk_bogus_nid-for-lexar-nm620.patch | 35 ++++ ...y-don-t-assume-cpumask_size-is-fully.patch | 82 ++++++++++ queue-6.1/series | 34 ++++ ...turbostat-fix-decoding-of-hwp_status.patch | 37 +++++ ...ostat-fix-dev-cpu_dma_latency-warnin.patch | 58 +++++++ ...ng-return-in-kprobe_event_gen_test.c.patch | 53 +++++++ ...-pvh-obtain-vga-console-info-in-dom0.patch | 139 ++++++++++++++++ ...padding-when-dumping-algos-and-encap.patch | 111 +++++++++++++ queue-6.1/zstd-fix-definition-of-assert.patch | 39 +++++ 35 files changed, 2280 insertions(+) create mode 100644 queue-6.1/acpi-tools-pfrut-check-if-the-input-of-level-and-typ.patch create mode 100644 queue-6.1/acpi-video-add-backlight-native-dmi-quirk-for-dell-v.patch create mode 100644 queue-6.1/alsa-asihpi-check-pao-in-control_message.patch create mode 100644 queue-6.1/alsa-hda-ca0132-fixup-buffer-overrun-at-tuning_ctl_s.patch create mode 100644 queue-6.1/asoc-codecs-tx-macro-fix-for-kasan-slab-out-of-bound.patch create mode 100644 queue-6.1/asoc-intel-avs-da7219-explicitly-define-codec-format.patch create mode 100644 queue-6.1/asoc-intel-avs-max98357a-explicitly-define-codec-for.patch create mode 100644 queue-6.1/asoc-intel-avs-nau8825-adjust-clock-control.patch create mode 100644 queue-6.1/asoc-intel-avs-ssm4567-remove-nau8825-bits.patch create mode 100644 queue-6.1/asoc-sof-intel-pci-tng-revert-invalid-bar-size-setti.patch create mode 100644 queue-6.1/asoc-sof-ipc3-check-for-upper-size-limit-for-the-rec.patch create mode 100644 queue-6.1/asoc-sof-ipc4-topology-fix-incorrect-sample-rate-pri.patch create mode 100644 queue-6.1/asoc-sof-ipc4-update-gain-ipc-msg-definition-to-alig.patch create mode 100644 queue-6.1/cifs-fix-missing-unload_nls-in-smb2_reconnect.patch create mode 100644 queue-6.1/drm-amdkfd-fix-a-potential-double-free-in-pqm_create.patch create mode 100644 queue-6.1/drm-amdkfd-fix-bo-offset-for-multi-vma-page-migratio.patch create mode 100644 queue-6.1/drm-amdkfd-fix-potential-kgd_mem-uafs.patch create mode 100644 queue-6.1/drm-amdkfd-fixed-kfd_process-cleanup-on-module-exit.patch create mode 100644 queue-6.1/fbdev-au1200fb-fix-potential-divide-by-zero.patch create mode 100644 queue-6.1/fbdev-intelfb-fix-potential-divide-by-zero.patch create mode 100644 queue-6.1/fbdev-lxfb-fix-potential-divide-by-zero.patch create mode 100644 queue-6.1/fbdev-nvidia-fix-potential-divide-by-zero.patch create mode 100644 queue-6.1/fbdev-tgafb-fix-potential-divide-by-zero.patch create mode 100644 queue-6.1/md-avoid-signed-overflow-in-slot_store.patch create mode 100644 queue-6.1/net-hsr-don-t-log-netdev_err-message-on-unknown-prp-.patch create mode 100644 queue-6.1/net-mlx5e-lower-maximum-allowed-mtu-in-xsk-to-match-.patch create mode 100644 queue-6.1/nvme-pci-add-nvme_quirk_bogus_nid-for-lexar-nm620.patch create mode 100644 queue-6.1/sched_getaffinity-don-t-assume-cpumask_size-is-fully.patch create mode 100644 queue-6.1/tools-power-turbostat-fix-decoding-of-hwp_status.patch create mode 100644 queue-6.1/tools-power-turbostat-fix-dev-cpu_dma_latency-warnin.patch create mode 100644 queue-6.1/tracing-fix-wrong-return-in-kprobe_event_gen_test.c.patch create mode 100644 queue-6.1/x86-pvh-obtain-vga-console-info-in-dom0.patch create mode 100644 queue-6.1/xfrm-zero-padding-when-dumping-algos-and-encap.patch create mode 100644 queue-6.1/zstd-fix-definition-of-assert.patch diff --git a/queue-6.1/acpi-tools-pfrut-check-if-the-input-of-level-and-typ.patch b/queue-6.1/acpi-tools-pfrut-check-if-the-input-of-level-and-typ.patch new file mode 100644 index 00000000000..674e8b4f5ca --- /dev/null +++ b/queue-6.1/acpi-tools-pfrut-check-if-the-input-of-level-and-typ.patch @@ -0,0 +1,97 @@ +From 406de9ced74f49bbfac384903542cb52af4aa567 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Mar 2023 21:23:09 +0800 +Subject: ACPI: tools: pfrut: Check if the input of level and type is in the + right numeric range +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Chen Yu + +[ Upstream commit 0bc23d8b2237a104d7f8379d687aa4cb82e2968b ] + +The user provides arbitrary non-numeic value to level and type, +which could bring unexpected behavior. In this case the expected +behavior would be to throw an error. + + pfrut -h +usage: pfrut [OPTIONS] +code injection: +-l, --load +-s, --stage +-a, --activate +-u, --update [stage and activate] +-q, --query +-d, --revid +update telemetry: +-G, --getloginfo +-T, --type(0:execution, 1:history) +-L, --level(0, 1, 2, 4) +-R, --read +-D, --revid log + + pfrut -T A + pfrut -G +log_level:0 +log_type:0 +log_revid:2 +max_data_size:65536 +chunk1_size:0 +chunk2_size:1530 +rollover_cnt:0 +reset_cnt:17 + +Fix this by restricting the input to be in the expected range. + +Reported-by: Hariganesh Govindarajulu +Suggested-by: "Rafael J. Wysocki" +Signed-off-by: Chen Yu +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + tools/power/acpi/tools/pfrut/pfrut.c | 18 +++++++++++++++--- + 1 file changed, 15 insertions(+), 3 deletions(-) + +diff --git a/tools/power/acpi/tools/pfrut/pfrut.c b/tools/power/acpi/tools/pfrut/pfrut.c +index 52aa0351533c3..388c9e3ad0407 100644 +--- a/tools/power/acpi/tools/pfrut/pfrut.c ++++ b/tools/power/acpi/tools/pfrut/pfrut.c +@@ -97,7 +97,7 @@ static struct option long_options[] = { + static void parse_options(int argc, char **argv) + { + int option_index = 0; +- char *pathname; ++ char *pathname, *endptr; + int opt; + + pathname = strdup(argv[0]); +@@ -125,11 +125,23 @@ static void parse_options(int argc, char **argv) + log_getinfo = 1; + break; + case 'T': +- log_type = atoi(optarg); ++ log_type = strtol(optarg, &endptr, 0); ++ if (*endptr || (log_type != 0 && log_type != 1)) { ++ printf("Number expected: type(0:execution, 1:history) - Quit.\n"); ++ exit(1); ++ } ++ + set_log_type = 1; + break; + case 'L': +- log_level = atoi(optarg); ++ log_level = strtol(optarg, &endptr, 0); ++ if (*endptr || ++ (log_level != 0 && log_level != 1 && ++ log_level != 2 && log_level != 4)) { ++ printf("Number expected: level(0, 1, 2, 4) - Quit.\n"); ++ exit(1); ++ } ++ + set_log_level = 1; + break; + case 'R': +-- +2.39.2 + diff --git a/queue-6.1/acpi-video-add-backlight-native-dmi-quirk-for-dell-v.patch b/queue-6.1/acpi-video-add-backlight-native-dmi-quirk-for-dell-v.patch new file mode 100644 index 00000000000..76573928e14 --- /dev/null +++ b/queue-6.1/acpi-video-add-backlight-native-dmi-quirk-for-dell-v.patch @@ -0,0 +1,41 @@ +From cc036f40a73c23369d89e9cb6704f35650b2cad8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Mar 2023 17:33:00 +0800 +Subject: ACPI: video: Add backlight=native DMI quirk for Dell Vostro 15 3535 + +From: Chia-Lin Kao (AceLan) + +[ Upstream commit 89b0411481967a2e8c91190a211a359966cfcf4b ] + +Sometimes the system boots up with a acpi_video0 backlight interface +which doesn't work. So add Dell Vostro 15 3535 into the +video_detect_dmi_table to set it to native explicitly. + +Signed-off-by: Chia-Lin Kao (AceLan) +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/video_detect.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/acpi/video_detect.c b/drivers/acpi/video_detect.c +index 7f0ed845cd6ad..f06b3d3556710 100644 +--- a/drivers/acpi/video_detect.c ++++ b/drivers/acpi/video_detect.c +@@ -714,6 +714,13 @@ static const struct dmi_system_id video_detect_dmi_table[] = { + DMI_MATCH(DMI_PRODUCT_NAME, "Dell G15 5515"), + }, + }, ++ { ++ .callback = video_detect_force_native, ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Vostro 15 3535"), ++ }, ++ }, + + /* + * Desktops which falsely report a backlight and which our heuristics +-- +2.39.2 + diff --git a/queue-6.1/alsa-asihpi-check-pao-in-control_message.patch b/queue-6.1/alsa-asihpi-check-pao-in-control_message.patch new file mode 100644 index 00000000000..dd77660e41d --- /dev/null +++ b/queue-6.1/alsa-asihpi-check-pao-in-control_message.patch @@ -0,0 +1,72 @@ +From 2e99f1279e29cb442623e6dde00422a8da4b6850 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Mar 2023 00:49:24 +0000 +Subject: ALSA: asihpi: check pao in control_message() + +From: Kuninori Morimoto + +[ Upstream commit 9026c0bf233db53b86f74f4c620715e94eb32a09 ] + +control_message() might be called with pao = NULL. +Here indicates control_message() as sample. + +(B) static void control_message(struct hpi_adapter_obj *pao, ...) + { ^^^ + struct hpi_hw_obj *phw = pao->priv; + ... ^^^ + } + +(A) void _HPI_6205(struct hpi_adapter_obj *pao, ...) + { ^^^ + ... + case HPI_OBJ_CONTROL: +(B) control_message(pao, phm, phr); + break; ^^^ + ... + } + + void HPI_6205(...) + { + ... +(A) _HPI_6205(NULL, phm, phr); + ... ^^^^ + } + +Therefore, We will get too many warning via cppcheck, like below + + sound/pci/asihpi/hpi6205.c:238:27: warning: Possible null pointer dereference: pao [nullPointer] + struct hpi_hw_obj *phw = pao->priv; + ^ + sound/pci/asihpi/hpi6205.c:433:13: note: Calling function '_HPI_6205', 1st argument 'NULL' value is 0 + _HPI_6205(NULL, phm, phr); + ^ + sound/pci/asihpi/hpi6205.c:401:20: note: Calling function 'control_message', 1st argument 'pao' value is 0 + control_message(pao, phm, phr); + ^ +Set phr->error like many functions doing, and don't call _HPI_6205() +with NULL. + +Signed-off-by: Kuninori Morimoto +Link: https://lore.kernel.org/r/87ttypeaqz.wl-kuninori.morimoto.gx@renesas.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/asihpi/hpi6205.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/pci/asihpi/hpi6205.c b/sound/pci/asihpi/hpi6205.c +index 27e11b5f70b97..c7d7eff86727f 100644 +--- a/sound/pci/asihpi/hpi6205.c ++++ b/sound/pci/asihpi/hpi6205.c +@@ -430,7 +430,7 @@ void HPI_6205(struct hpi_message *phm, struct hpi_response *phr) + pao = hpi_find_adapter(phm->adapter_index); + } else { + /* subsys messages don't address an adapter */ +- _HPI_6205(NULL, phm, phr); ++ phr->error = HPI_ERROR_INVALID_OBJ_INDEX; + return; + } + +-- +2.39.2 + diff --git a/queue-6.1/alsa-hda-ca0132-fixup-buffer-overrun-at-tuning_ctl_s.patch b/queue-6.1/alsa-hda-ca0132-fixup-buffer-overrun-at-tuning_ctl_s.patch new file mode 100644 index 00000000000..87efc61d756 --- /dev/null +++ b/queue-6.1/alsa-hda-ca0132-fixup-buffer-overrun-at-tuning_ctl_s.patch @@ -0,0 +1,62 @@ +From 8521235e020ba95566662203fe583a7445b83902 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Mar 2023 00:50:28 +0000 +Subject: ALSA: hda/ca0132: fixup buffer overrun at tuning_ctl_set() + +From: Kuninori Morimoto + +[ Upstream commit 98e5eb110095ec77cb6d775051d181edbf9cd3cf ] + +tuning_ctl_set() might have buffer overrun at (X) if it didn't break +from loop by matching (A). + + static int tuning_ctl_set(...) + { + for (i = 0; i < TUNING_CTLS_COUNT; i++) +(A) if (nid == ca0132_tuning_ctls[i].nid) + break; + + snd_hda_power_up(...); +(X) dspio_set_param(..., ca0132_tuning_ctls[i].mid, ...); + snd_hda_power_down(...); ^ + + return 1; + } + +We will get below error by cppcheck + + sound/pci/hda/patch_ca0132.c:4229:2: note: After for loop, i has value 12 + for (i = 0; i < TUNING_CTLS_COUNT; i++) + ^ + sound/pci/hda/patch_ca0132.c:4234:43: note: Array index out of bounds + dspio_set_param(codec, ca0132_tuning_ctls[i].mid, 0x20, + ^ +This patch cares non match case. + +Signed-off-by: Kuninori Morimoto +Link: https://lore.kernel.org/r/87sfe9eap7.wl-kuninori.morimoto.gx@renesas.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_ca0132.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/sound/pci/hda/patch_ca0132.c b/sound/pci/hda/patch_ca0132.c +index acde4cd58785e..099722ebaed83 100644 +--- a/sound/pci/hda/patch_ca0132.c ++++ b/sound/pci/hda/patch_ca0132.c +@@ -4228,8 +4228,10 @@ static int tuning_ctl_set(struct hda_codec *codec, hda_nid_t nid, + + for (i = 0; i < TUNING_CTLS_COUNT; i++) + if (nid == ca0132_tuning_ctls[i].nid) +- break; ++ goto found; + ++ return -EINVAL; ++found: + snd_hda_power_up(codec); + dspio_set_param(codec, ca0132_tuning_ctls[i].mid, 0x20, + ca0132_tuning_ctls[i].req, +-- +2.39.2 + diff --git a/queue-6.1/asoc-codecs-tx-macro-fix-for-kasan-slab-out-of-bound.patch b/queue-6.1/asoc-codecs-tx-macro-fix-for-kasan-slab-out-of-bound.patch new file mode 100644 index 00000000000..f9f2622f792 --- /dev/null +++ b/queue-6.1/asoc-codecs-tx-macro-fix-for-kasan-slab-out-of-bound.patch @@ -0,0 +1,93 @@ +From 4bf00f852586aa2901db7651e94a731e99d0c01f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 Mar 2023 13:37:02 +0530 +Subject: ASoC: codecs: tx-macro: Fix for KASAN: slab-out-of-bounds + +From: Ravulapati Vishnu Vardhan Rao + +[ Upstream commit e5e7e398f6bb7918dab0612eb6991f7bae95520d ] + +When we run syzkaller we get below Out of Bound. + "KASAN: slab-out-of-bounds Read in regcache_flat_read" + + Below is the backtrace of the issue: + + dump_backtrace+0x0/0x4c8 + show_stack+0x34/0x44 + dump_stack_lvl+0xd8/0x118 + print_address_description+0x30/0x2d8 + kasan_report+0x158/0x198 + __asan_report_load4_noabort+0x44/0x50 + regcache_flat_read+0x10c/0x110 + regcache_read+0xf4/0x180 + _regmap_read+0xc4/0x278 + _regmap_update_bits+0x130/0x290 + regmap_update_bits_base+0xc0/0x15c + snd_soc_component_update_bits+0xa8/0x22c + snd_soc_component_write_field+0x68/0xd4 + tx_macro_digital_mute+0xec/0x140 + + Actually There is no need to have decimator with 32 bits. + By limiting the variable with short type u8 issue is resolved. + +Signed-off-by: Ravulapati Vishnu Vardhan Rao +Link: https://lore.kernel.org/r/20230304080702.609-1-quic_visr@quicinc.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/lpass-tx-macro.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/sound/soc/codecs/lpass-tx-macro.c b/sound/soc/codecs/lpass-tx-macro.c +index 5d1c58df081ac..e5611f655beda 100644 +--- a/sound/soc/codecs/lpass-tx-macro.c ++++ b/sound/soc/codecs/lpass-tx-macro.c +@@ -241,7 +241,7 @@ enum { + + struct tx_mute_work { + struct tx_macro *tx; +- u32 decimator; ++ u8 decimator; + struct delayed_work dwork; + }; + +@@ -634,7 +634,7 @@ static int tx_macro_mclk_enable(struct tx_macro *tx, + return 0; + } + +-static bool is_amic_enabled(struct snd_soc_component *component, int decimator) ++static bool is_amic_enabled(struct snd_soc_component *component, u8 decimator) + { + u16 adc_mux_reg, adc_reg, adc_n; + +@@ -845,7 +845,7 @@ static int tx_macro_enable_dec(struct snd_soc_dapm_widget *w, + struct snd_kcontrol *kcontrol, int event) + { + struct snd_soc_component *component = snd_soc_dapm_to_component(w->dapm); +- unsigned int decimator; ++ u8 decimator; + u16 tx_vol_ctl_reg, dec_cfg_reg, hpf_gate_reg, tx_gain_ctl_reg; + u8 hpf_cut_off_freq; + int hpf_delay = TX_MACRO_DMIC_HPF_DELAY_MS; +@@ -1060,7 +1060,8 @@ static int tx_macro_hw_params(struct snd_pcm_substream *substream, + struct snd_soc_dai *dai) + { + struct snd_soc_component *component = dai->component; +- u32 decimator, sample_rate; ++ u32 sample_rate; ++ u8 decimator; + int tx_fs_rate; + struct tx_macro *tx = snd_soc_component_get_drvdata(component); + +@@ -1124,7 +1125,7 @@ static int tx_macro_digital_mute(struct snd_soc_dai *dai, int mute, int stream) + { + struct snd_soc_component *component = dai->component; + struct tx_macro *tx = snd_soc_component_get_drvdata(component); +- u16 decimator; ++ u8 decimator; + + /* active decimator not set yet */ + if (tx->active_decimator[dai->id] == -1) +-- +2.39.2 + diff --git a/queue-6.1/asoc-intel-avs-da7219-explicitly-define-codec-format.patch b/queue-6.1/asoc-intel-avs-da7219-explicitly-define-codec-format.patch new file mode 100644 index 00000000000..563e0dd3690 --- /dev/null +++ b/queue-6.1/asoc-intel-avs-da7219-explicitly-define-codec-format.patch @@ -0,0 +1,66 @@ +From c09404a7e647f585d21274b5020edde51b000663 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Mar 2023 14:48:51 +0100 +Subject: ASoC: Intel: avs: da7219: Explicitly define codec format +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Amadeusz Sławiński + +[ Upstream commit 61f368624fe4d0c25c6e9c917574b8ace51d776e ] + +da7219 is headset codec configured in 48000/2/S24_LE format regardless +of front end format, so force it to be so. + +Reviewed-by: Cezary Rojewski +Signed-off-by: Amadeusz Sławiński +Link: https://lore.kernel.org/r/20230303134854.2277146-3-amadeuszx.slawinski@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/intel/avs/boards/da7219.c | 21 +++++++++++++++++++++ + 1 file changed, 21 insertions(+) + +diff --git a/sound/soc/intel/avs/boards/da7219.c b/sound/soc/intel/avs/boards/da7219.c +index 02ae542ad7792..a63563594b4cd 100644 +--- a/sound/soc/intel/avs/boards/da7219.c ++++ b/sound/soc/intel/avs/boards/da7219.c +@@ -111,6 +111,26 @@ static int avs_da7219_codec_init(struct snd_soc_pcm_runtime *runtime) + return 0; + } + ++static int ++avs_da7219_be_fixup(struct snd_soc_pcm_runtime *runrime, struct snd_pcm_hw_params *params) ++{ ++ struct snd_interval *rate, *channels; ++ struct snd_mask *fmt; ++ ++ rate = hw_param_interval(params, SNDRV_PCM_HW_PARAM_RATE); ++ channels = hw_param_interval(params, SNDRV_PCM_HW_PARAM_CHANNELS); ++ fmt = hw_param_mask(params, SNDRV_PCM_HW_PARAM_FORMAT); ++ ++ /* The ADSP will convert the FE rate to 48k, stereo */ ++ rate->min = rate->max = 48000; ++ channels->min = channels->max = 2; ++ ++ /* set SSP0 to 24 bit */ ++ snd_mask_none(fmt); ++ snd_mask_set_format(fmt, SNDRV_PCM_FORMAT_S24_LE); ++ return 0; ++} ++ + static int avs_create_dai_link(struct device *dev, const char *platform_name, int ssp_port, + struct snd_soc_dai_link **dai_link) + { +@@ -142,6 +162,7 @@ static int avs_create_dai_link(struct device *dev, const char *platform_name, in + dl->num_platforms = 1; + dl->id = 0; + dl->dai_fmt = SND_SOC_DAIFMT_I2S | SND_SOC_DAIFMT_NB_NF | SND_SOC_DAIFMT_CBS_CFS; ++ dl->be_hw_params_fixup = avs_da7219_be_fixup; + dl->init = avs_da7219_codec_init; + dl->nonatomic = 1; + dl->no_pcm = 1; +-- +2.39.2 + diff --git a/queue-6.1/asoc-intel-avs-max98357a-explicitly-define-codec-for.patch b/queue-6.1/asoc-intel-avs-max98357a-explicitly-define-codec-for.patch new file mode 100644 index 00000000000..4e2d12304bb --- /dev/null +++ b/queue-6.1/asoc-intel-avs-max98357a-explicitly-define-codec-for.patch @@ -0,0 +1,74 @@ +From 3993c440d44d5243cdb4cdd293b151438692918c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Mar 2023 14:48:50 +0100 +Subject: ASoC: Intel: avs: max98357a: Explicitly define codec format +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Amadeusz Sławiński + +[ Upstream commit d16c893425d07ada1fdd817ec06d322efcf69480 ] + +max98357a is speaker codec configured in 48000/2/S16_LE format +regardless of front end format, so force it to be so. + +Reviewed-by: Cezary Rojewski +Signed-off-by: Amadeusz Sławiński +Link: https://lore.kernel.org/r/20230303134854.2277146-2-amadeuszx.slawinski@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/intel/avs/boards/max98357a.c | 22 ++++++++++++++++++++++ + 1 file changed, 22 insertions(+) + +diff --git a/sound/soc/intel/avs/boards/max98357a.c b/sound/soc/intel/avs/boards/max98357a.c +index 921f42caf7e09..183123d08c5a3 100644 +--- a/sound/soc/intel/avs/boards/max98357a.c ++++ b/sound/soc/intel/avs/boards/max98357a.c +@@ -8,6 +8,7 @@ + + #include + #include ++#include + #include + #include + #include +@@ -24,6 +25,26 @@ static const struct snd_soc_dapm_route card_base_routes[] = { + { "Spk", NULL, "Speaker" }, + }; + ++static int ++avs_max98357a_be_fixup(struct snd_soc_pcm_runtime *runrime, struct snd_pcm_hw_params *params) ++{ ++ struct snd_interval *rate, *channels; ++ struct snd_mask *fmt; ++ ++ rate = hw_param_interval(params, SNDRV_PCM_HW_PARAM_RATE); ++ channels = hw_param_interval(params, SNDRV_PCM_HW_PARAM_CHANNELS); ++ fmt = hw_param_mask(params, SNDRV_PCM_HW_PARAM_FORMAT); ++ ++ /* The ADSP will convert the FE rate to 48k, stereo */ ++ rate->min = rate->max = 48000; ++ channels->min = channels->max = 2; ++ ++ /* set SSP0 to 16 bit */ ++ snd_mask_none(fmt); ++ snd_mask_set_format(fmt, SNDRV_PCM_FORMAT_S16_LE); ++ return 0; ++} ++ + static int avs_create_dai_link(struct device *dev, const char *platform_name, int ssp_port, + struct snd_soc_dai_link **dai_link) + { +@@ -55,6 +76,7 @@ static int avs_create_dai_link(struct device *dev, const char *platform_name, in + dl->num_platforms = 1; + dl->id = 0; + dl->dai_fmt = SND_SOC_DAIFMT_I2S | SND_SOC_DAIFMT_NB_NF | SND_SOC_DAIFMT_CBS_CFS; ++ dl->be_hw_params_fixup = avs_max98357a_be_fixup; + dl->nonatomic = 1; + dl->no_pcm = 1; + dl->dpcm_playback = 1; +-- +2.39.2 + diff --git a/queue-6.1/asoc-intel-avs-nau8825-adjust-clock-control.patch b/queue-6.1/asoc-intel-avs-nau8825-adjust-clock-control.patch new file mode 100644 index 00000000000..aa11464aca6 --- /dev/null +++ b/queue-6.1/asoc-intel-avs-nau8825-adjust-clock-control.patch @@ -0,0 +1,54 @@ +From d0797c6ec91033bb70c51066e4e4056bd17f4ebe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Mar 2023 14:48:54 +0100 +Subject: ASoC: Intel: avs: nau8825: Adjust clock control +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Cezary Rojewski + +[ Upstream commit 6206b2e787da2ed567922c37bb588a44f6fb6705 ] + +Internal clock shall be adjusted also in cases when DAPM event other +than 'ON' is triggered. + +Signed-off-by: Cezary Rojewski +Signed-off-by: Amadeusz Sławiński +Link: https://lore.kernel.org/r/20230303134854.2277146-6-amadeuszx.slawinski@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/intel/avs/boards/nau8825.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/sound/soc/intel/avs/boards/nau8825.c b/sound/soc/intel/avs/boards/nau8825.c +index f76909e9f990a..8392d8fac8f9c 100644 +--- a/sound/soc/intel/avs/boards/nau8825.c ++++ b/sound/soc/intel/avs/boards/nau8825.c +@@ -33,15 +33,15 @@ avs_nau8825_clock_control(struct snd_soc_dapm_widget *w, struct snd_kcontrol *co + return -EINVAL; + } + +- if (!SND_SOC_DAPM_EVENT_ON(event)) { ++ if (SND_SOC_DAPM_EVENT_ON(event)) ++ ret = snd_soc_dai_set_sysclk(codec_dai, NAU8825_CLK_MCLK, 24000000, ++ SND_SOC_CLOCK_IN); ++ else + ret = snd_soc_dai_set_sysclk(codec_dai, NAU8825_CLK_INTERNAL, 0, SND_SOC_CLOCK_IN); +- if (ret < 0) { +- dev_err(card->dev, "set sysclk err = %d\n", ret); +- return ret; +- } +- } ++ if (ret < 0) ++ dev_err(card->dev, "Set sysclk failed: %d\n", ret); + +- return 0; ++ return ret; + } + + static const struct snd_kcontrol_new card_controls[] = { +-- +2.39.2 + diff --git a/queue-6.1/asoc-intel-avs-ssm4567-remove-nau8825-bits.patch b/queue-6.1/asoc-intel-avs-ssm4567-remove-nau8825-bits.patch new file mode 100644 index 00000000000..e5c7afd2523 --- /dev/null +++ b/queue-6.1/asoc-intel-avs-ssm4567-remove-nau8825-bits.patch @@ -0,0 +1,80 @@ +From 7fb447172287a8fc3ef02a8a2f940ec22ba5366f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Mar 2023 14:48:53 +0100 +Subject: ASoC: Intel: avs: ssm4567: Remove nau8825 bits +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Cezary Rojewski + +[ Upstream commit 933de2d127281731166cf2880fa1e23c5a0f7faa ] + +Some of the nau8825 clock control got into the ssm4567, remove it. + +Signed-off-by: Cezary Rojewski +Signed-off-by: Amadeusz Sławiński +Link: https://lore.kernel.org/r/20230303134854.2277146-5-amadeuszx.slawinski@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/intel/avs/boards/ssm4567.c | 31 ---------------------------- + 1 file changed, 31 deletions(-) + +diff --git a/sound/soc/intel/avs/boards/ssm4567.c b/sound/soc/intel/avs/boards/ssm4567.c +index 9f84c8ab34478..51a8867326b47 100644 +--- a/sound/soc/intel/avs/boards/ssm4567.c ++++ b/sound/soc/intel/avs/boards/ssm4567.c +@@ -15,7 +15,6 @@ + #include + #include "../../../codecs/nau8825.h" + +-#define SKL_NUVOTON_CODEC_DAI "nau8825-hifi" + #define SKL_SSM_CODEC_DAI "ssm4567-hifi" + + static struct snd_soc_codec_conf card_codec_conf[] = { +@@ -34,41 +33,11 @@ static const struct snd_kcontrol_new card_controls[] = { + SOC_DAPM_PIN_SWITCH("Right Speaker"), + }; + +-static int +-platform_clock_control(struct snd_soc_dapm_widget *w, struct snd_kcontrol *control, int event) +-{ +- struct snd_soc_dapm_context *dapm = w->dapm; +- struct snd_soc_card *card = dapm->card; +- struct snd_soc_dai *codec_dai; +- int ret; +- +- codec_dai = snd_soc_card_get_codec_dai(card, SKL_NUVOTON_CODEC_DAI); +- if (!codec_dai) { +- dev_err(card->dev, "Codec dai not found\n"); +- return -EINVAL; +- } +- +- if (SND_SOC_DAPM_EVENT_ON(event)) { +- ret = snd_soc_dai_set_sysclk(codec_dai, NAU8825_CLK_MCLK, 24000000, +- SND_SOC_CLOCK_IN); +- if (ret < 0) +- dev_err(card->dev, "set sysclk err = %d\n", ret); +- } else { +- ret = snd_soc_dai_set_sysclk(codec_dai, NAU8825_CLK_INTERNAL, 0, SND_SOC_CLOCK_IN); +- if (ret < 0) +- dev_err(card->dev, "set sysclk err = %d\n", ret); +- } +- +- return ret; +-} +- + static const struct snd_soc_dapm_widget card_widgets[] = { + SND_SOC_DAPM_SPK("Left Speaker", NULL), + SND_SOC_DAPM_SPK("Right Speaker", NULL), + SND_SOC_DAPM_SPK("DP1", NULL), + SND_SOC_DAPM_SPK("DP2", NULL), +- SND_SOC_DAPM_SUPPLY("Platform Clock", SND_SOC_NOPM, 0, 0, platform_clock_control, +- SND_SOC_DAPM_PRE_PMU | SND_SOC_DAPM_POST_PMD), + }; + + static const struct snd_soc_dapm_route card_base_routes[] = { +-- +2.39.2 + diff --git a/queue-6.1/asoc-sof-intel-pci-tng-revert-invalid-bar-size-setti.patch b/queue-6.1/asoc-sof-intel-pci-tng-revert-invalid-bar-size-setti.patch new file mode 100644 index 00000000000..c57cc7e74d1 --- /dev/null +++ b/queue-6.1/asoc-sof-intel-pci-tng-revert-invalid-bar-size-setti.patch @@ -0,0 +1,60 @@ +From 26966d2d8afa2f9f5203fe666e882f3dc0b30c85 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Mar 2023 11:53:41 +0200 +Subject: ASoC: SOF: Intel: pci-tng: revert invalid bar size setting +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pierre-Louis Bossart + +[ Upstream commit ca09e2a351fbc7836ba9418304ff0c3e72addfe0 ] + +The logic for the ioremap is to find the resource index 3 (IRAM) and +infer the BAR address by subtracting the IRAM offset. The BAR size +defined in hardware specifications is 2MB. + +The commit 5947b2726beb6 ("ASoC: SOF: Intel: Check the bar size before +remapping") tried to find the BAR size by querying the resource length +instead of a pre-canned value, but by requesting the size for index 3 +it only gets the size of the IRAM. That's obviously wrong and prevents +the probe from proceeding. + +This commit attempted to fix an issue in a fuzzing/simulated +environment but created another on actual devices, so the best course +of action is to revert that change. + +Reported-by: Ferry Toth +Tested-by: Ferry Toth (Intel Edison-Arduino) +Link: https://github.com/thesofproject/linux/issues/3901 +Signed-off-by: Pierre-Louis Bossart +Reviewed-by: Péter Ujfalusi +Reviewed-by: Ranjani Sridharan +Signed-off-by: Peter Ujfalusi +Link: https://lore.kernel.org/r/20230307095341.3222-1-peter.ujfalusi@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/sof/intel/pci-tng.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +diff --git a/sound/soc/sof/intel/pci-tng.c b/sound/soc/sof/intel/pci-tng.c +index f0f6d9ba88037..0b17d1bb225e2 100644 +--- a/sound/soc/sof/intel/pci-tng.c ++++ b/sound/soc/sof/intel/pci-tng.c +@@ -75,11 +75,7 @@ static int tangier_pci_probe(struct snd_sof_dev *sdev) + + /* LPE base */ + base = pci_resource_start(pci, desc->resindex_lpe_base) - IRAM_OFFSET; +- size = pci_resource_len(pci, desc->resindex_lpe_base); +- if (size < PCI_BAR_SIZE) { +- dev_err(sdev->dev, "error: I/O region is too small.\n"); +- return -ENODEV; +- } ++ size = PCI_BAR_SIZE; + + dev_dbg(sdev->dev, "LPE PHY base at 0x%x size 0x%x", base, size); + sdev->bar[DSP_BAR] = devm_ioremap(sdev->dev, base, size); +-- +2.39.2 + diff --git a/queue-6.1/asoc-sof-ipc3-check-for-upper-size-limit-for-the-rec.patch b/queue-6.1/asoc-sof-ipc3-check-for-upper-size-limit-for-the-rec.patch new file mode 100644 index 00000000000..0240b453083 --- /dev/null +++ b/queue-6.1/asoc-sof-ipc3-check-for-upper-size-limit-for-the-rec.patch @@ -0,0 +1,45 @@ +From 7825616fffd90bbecd9bbf669d1eef42d89a4a9e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Mar 2023 13:49:17 +0200 +Subject: ASoC: SOF: ipc3: Check for upper size limit for the received message + +From: Peter Ujfalusi + +[ Upstream commit 989a3e4479177d0f4afab8be1960731bc0ffbbd0 ] + +The sof_ipc3_rx_msg() checks for minimum size of a new rx message but it is +missing the check for upper limit. +Corrupted or compromised firmware might be able to take advantage of this +to cause out of bounds reads outside of the message area. + +Reported-by: Curtis Malainey +Signed-off-by: Peter Ujfalusi +Reviewed-by: Pierre-Louis Bossart +Reviewed-by: Curtis Malainey +Signed-off-by: Peter Ujfalusi +Link: https://lore.kernel.org/r/20230307114917.5124-1-peter.ujfalusi@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/sof/ipc3.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/sof/ipc3.c b/sound/soc/sof/ipc3.c +index b28af3a48b707..60b96b0c2412f 100644 +--- a/sound/soc/sof/ipc3.c ++++ b/sound/soc/sof/ipc3.c +@@ -970,8 +970,9 @@ static void sof_ipc3_rx_msg(struct snd_sof_dev *sdev) + return; + } + +- if (hdr.size < sizeof(hdr)) { +- dev_err(sdev->dev, "The received message size is invalid\n"); ++ if (hdr.size < sizeof(hdr) || hdr.size > SOF_IPC_MSG_MAX_SIZE) { ++ dev_err(sdev->dev, "The received message size is invalid: %u\n", ++ hdr.size); + return; + } + +-- +2.39.2 + diff --git a/queue-6.1/asoc-sof-ipc4-topology-fix-incorrect-sample-rate-pri.patch b/queue-6.1/asoc-sof-ipc4-topology-fix-incorrect-sample-rate-pri.patch new file mode 100644 index 00000000000..922edc3c220 --- /dev/null +++ b/queue-6.1/asoc-sof-ipc4-topology-fix-incorrect-sample-rate-pri.patch @@ -0,0 +1,39 @@ +From 030ffd72d9ea90d6222145554f1475e00fbd9fba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Mar 2023 13:07:51 +0200 +Subject: ASoC: SOF: ipc4-topology: Fix incorrect sample rate print unit + +From: Seppo Ingalsuo + +[ Upstream commit 9e269e3aa9006440de639597079ee7140ef5b5f3 ] + +This patch fixes the sample rate print unit from KHz to Hz. +E.g. 48000KHz becomes 48000Hz. + +Signed-off-by: Seppo Ingalsuo +Reviewed-by: Pierre-Louis Bossart +Reviewed-by: Ranjani Sridharan +Signed-off-by: Peter Ujfalusi +Link: https://lore.kernel.org/r/20230307110751.2053-1-peter.ujfalusi@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/sof/ipc4-topology.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/sof/ipc4-topology.c b/sound/soc/sof/ipc4-topology.c +index a81af5f73a4b4..41617569f50fb 100644 +--- a/sound/soc/sof/ipc4-topology.c ++++ b/sound/soc/sof/ipc4-topology.c +@@ -154,7 +154,7 @@ static void sof_ipc4_dbg_audio_format(struct device *dev, + for (i = 0; i < num_format; i++, ptr = (u8 *)ptr + object_size) { + fmt = ptr; + dev_dbg(dev, +- " #%d: %uKHz, %ubit (ch_map %#x ch_cfg %u interleaving_style %u fmt_cfg %#x)\n", ++ " #%d: %uHz, %ubit (ch_map %#x ch_cfg %u interleaving_style %u fmt_cfg %#x)\n", + i, fmt->sampling_frequency, fmt->bit_depth, fmt->ch_map, + fmt->ch_cfg, fmt->interleaving_style, fmt->fmt_cfg); + } +-- +2.39.2 + diff --git a/queue-6.1/asoc-sof-ipc4-update-gain-ipc-msg-definition-to-alig.patch b/queue-6.1/asoc-sof-ipc4-update-gain-ipc-msg-definition-to-alig.patch new file mode 100644 index 00000000000..93d4f84fdf7 --- /dev/null +++ b/queue-6.1/asoc-sof-ipc4-update-gain-ipc-msg-definition-to-alig.patch @@ -0,0 +1,103 @@ +From 00ce3ca84d50a0914fad30c44e77a709107e231e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Mar 2023 13:06:56 +0200 +Subject: ASoC: SOF: IPC4: update gain ipc msg definition to align with fw +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rander Wang + +[ Upstream commit e45cd86c3a78bfb9875a5eb8ab5dab459b59bbe2 ] + +Recent firmware changes modified the curve duration from 32 to 64 bits, +which breaks volume ramps. A simple solution would be to change the +definition, but unfortunately the ASoC topology framework only supports +up to 32 bit tokens. + +This patch suggests breaking the 64 bit value in low and high parts, with +only the low-part extracted from topology and high-part only zeroes. Since +the curve duration is represented in hundred of nanoseconds, we can still +represent a 400s ramp, which is just fine. The defacto ABI change has no +effect on existing users since the IPC4 firmware has not been released just +yet. + +Link: https://github.com/thesofproject/linux/issues/4026 + +Signed-off-by: Rander Wang +Reviewed-by: Ranjani Sridharan +Reviewed-by: Pierre-Louis Bossart +Reviewed-by: Bard Liao +Reviewed-by: Péter Ujfalusi +Signed-off-by: Peter Ujfalusi +Link: https://lore.kernel.org/r/20230307110656.1816-1-peter.ujfalusi@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/sof/ipc4-control.c | 3 ++- + sound/soc/sof/ipc4-topology.c | 4 ++-- + sound/soc/sof/ipc4-topology.h | 6 ++++-- + 3 files changed, 8 insertions(+), 5 deletions(-) + +diff --git a/sound/soc/sof/ipc4-control.c b/sound/soc/sof/ipc4-control.c +index 0d5a578c34962..7442ec1c5a4d4 100644 +--- a/sound/soc/sof/ipc4-control.c ++++ b/sound/soc/sof/ipc4-control.c +@@ -84,7 +84,8 @@ sof_ipc4_set_volume_data(struct snd_sof_dev *sdev, struct snd_sof_widget *swidge + } + + /* set curve type and duration from topology */ +- data.curve_duration = gain->data.curve_duration; ++ data.curve_duration_l = gain->data.curve_duration_l; ++ data.curve_duration_h = gain->data.curve_duration_h; + data.curve_type = gain->data.curve_type; + + msg->data_ptr = &data; +diff --git a/sound/soc/sof/ipc4-topology.c b/sound/soc/sof/ipc4-topology.c +index 41617569f50fb..49289932ba7e6 100644 +--- a/sound/soc/sof/ipc4-topology.c ++++ b/sound/soc/sof/ipc4-topology.c +@@ -106,7 +106,7 @@ static const struct sof_topology_token gain_tokens[] = { + get_token_u32, offsetof(struct sof_ipc4_gain_data, curve_type)}, + {SOF_TKN_GAIN_RAMP_DURATION, + SND_SOC_TPLG_TUPLE_TYPE_WORD, get_token_u32, +- offsetof(struct sof_ipc4_gain_data, curve_duration)}, ++ offsetof(struct sof_ipc4_gain_data, curve_duration_l)}, + {SOF_TKN_GAIN_VAL, SND_SOC_TPLG_TUPLE_TYPE_WORD, + get_token_u32, offsetof(struct sof_ipc4_gain_data, init_val)}, + }; +@@ -682,7 +682,7 @@ static int sof_ipc4_widget_setup_comp_pga(struct snd_sof_widget *swidget) + + dev_dbg(scomp->dev, + "pga widget %s: ramp type: %d, ramp duration %d, initial gain value: %#x, cpc %d\n", +- swidget->widget->name, gain->data.curve_type, gain->data.curve_duration, ++ swidget->widget->name, gain->data.curve_type, gain->data.curve_duration_l, + gain->data.init_val, gain->base_config.cpc); + + ret = sof_ipc4_widget_setup_msg(swidget, &gain->msg); +diff --git a/sound/soc/sof/ipc4-topology.h b/sound/soc/sof/ipc4-topology.h +index 2363a7cc0b57d..cf9d278524572 100644 +--- a/sound/soc/sof/ipc4-topology.h ++++ b/sound/soc/sof/ipc4-topology.h +@@ -217,14 +217,16 @@ struct sof_ipc4_control_data { + * @init_val: Initial value + * @curve_type: Curve type + * @reserved: reserved for future use +- * @curve_duration: Curve duration ++ * @curve_duration_l: Curve duration low part ++ * @curve_duration_h: Curve duration high part + */ + struct sof_ipc4_gain_data { + uint32_t channels; + uint32_t init_val; + uint32_t curve_type; + uint32_t reserved; +- uint32_t curve_duration; ++ uint32_t curve_duration_l; ++ uint32_t curve_duration_h; + } __aligned(8); + + /** +-- +2.39.2 + diff --git a/queue-6.1/cifs-fix-missing-unload_nls-in-smb2_reconnect.patch b/queue-6.1/cifs-fix-missing-unload_nls-in-smb2_reconnect.patch new file mode 100644 index 00000000000..8e54fc4c77f --- /dev/null +++ b/queue-6.1/cifs-fix-missing-unload_nls-in-smb2_reconnect.patch @@ -0,0 +1,54 @@ +From bac794eed3f9012ee360c554340e4af8048bb677 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Mar 2023 16:05:19 -0300 +Subject: cifs: fix missing unload_nls() in smb2_reconnect() + +From: Paulo Alcantara + +[ Upstream commit c24bb1a87dc3f2d77d410eaac2c6a295961bf50e ] + +Make sure to unload_nls() @nls_codepage if we no longer need it. + +Fixes: bc962159e8e3 ("cifs: avoid race conditions with parallel reconnects") +Signed-off-by: Paulo Alcantara (SUSE) +Cc: Shyam Prasad N +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/cifs/smb2pdu.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c +index f0b1ae0835d71..b37379b62cc77 100644 +--- a/fs/cifs/smb2pdu.c ++++ b/fs/cifs/smb2pdu.c +@@ -144,7 +144,7 @@ smb2_reconnect(__le16 smb2_command, struct cifs_tcon *tcon, + struct TCP_Server_Info *server) + { + int rc = 0; +- struct nls_table *nls_codepage; ++ struct nls_table *nls_codepage = NULL; + struct cifs_ses *ses; + + /* +@@ -216,8 +216,6 @@ smb2_reconnect(__le16 smb2_command, struct cifs_tcon *tcon, + tcon->ses->chans_need_reconnect, + tcon->need_reconnect); + +- nls_codepage = load_nls_default(); +- + mutex_lock(&ses->session_mutex); + /* + * Recheck after acquire mutex. If another thread is negotiating +@@ -237,6 +235,8 @@ smb2_reconnect(__le16 smb2_command, struct cifs_tcon *tcon, + } + spin_unlock(&server->srv_lock); + ++ nls_codepage = load_nls_default(); ++ + /* + * need to prevent multiple threads trying to simultaneously + * reconnect the same SMB session +-- +2.39.2 + diff --git a/queue-6.1/drm-amdkfd-fix-a-potential-double-free-in-pqm_create.patch b/queue-6.1/drm-amdkfd-fix-a-potential-double-free-in-pqm_create.patch new file mode 100644 index 00000000000..5fb37e43067 --- /dev/null +++ b/queue-6.1/drm-amdkfd-fix-a-potential-double-free-in-pqm_create.patch @@ -0,0 +1,39 @@ +From e0e7ffd7d641e7ed9f53c8e5e337267062d24620 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Mar 2023 16:19:02 -0800 +Subject: drm/amdkfd: fix a potential double free in pqm_create_queue + +From: Chia-I Wu + +[ Upstream commit b2ca5c5d416b4e72d1e9d0293fc720e2d525fd42 ] + +Set *q to NULL on errors, otherwise pqm_create_queue would free it +again. + +Signed-off-by: Chia-I Wu +Signed-off-by: Felix Kuehling +Reviewed-by: Felix Kuehling +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c b/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c +index 5137476ec18e6..4236539d9f932 100644 +--- a/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c +@@ -218,8 +218,8 @@ static int init_user_queue(struct process_queue_manager *pqm, + return 0; + + cleanup: +- if (dev->shared_resources.enable_mes) +- uninit_queue(*q); ++ uninit_queue(*q); ++ *q = NULL; + return retval; + } + +-- +2.39.2 + diff --git a/queue-6.1/drm-amdkfd-fix-bo-offset-for-multi-vma-page-migratio.patch b/queue-6.1/drm-amdkfd-fix-bo-offset-for-multi-vma-page-migratio.patch new file mode 100644 index 00000000000..f36b3e4e50d --- /dev/null +++ b/queue-6.1/drm-amdkfd-fix-bo-offset-for-multi-vma-page-migratio.patch @@ -0,0 +1,109 @@ +From 815b2b37852599024a4bfcc862c5f8dd8a36085d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Mar 2023 10:21:06 -0600 +Subject: drm/amdkfd: Fix BO offset for multi-VMA page migration + +From: Xiaogang Chen + +[ Upstream commit b4ee9606378bb9520c94d8b96f0305c3696f5c29 ] + +svm_migrate_ram_to_vram migrates a prange from sys ram to vram. The prange may +cross multiple vma. Need remember current dst vram offset in the TTM resource for +each migration. + +v2: squash in warning fix (Alex) + +Signed-off-by: Xiaogang Chen +Reviewed-by: Felix Kuehling +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdkfd/kfd_migrate.c | 17 ++++++++++------- + 1 file changed, 10 insertions(+), 7 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_migrate.c b/drivers/gpu/drm/amd/amdkfd/kfd_migrate.c +index 22b077ac9a196..fad500dd224d8 100644 +--- a/drivers/gpu/drm/amd/amdkfd/kfd_migrate.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_migrate.c +@@ -295,7 +295,7 @@ static unsigned long svm_migrate_unsuccessful_pages(struct migrate_vma *migrate) + static int + svm_migrate_copy_to_vram(struct amdgpu_device *adev, struct svm_range *prange, + struct migrate_vma *migrate, struct dma_fence **mfence, +- dma_addr_t *scratch) ++ dma_addr_t *scratch, uint64_t ttm_res_offset) + { + uint64_t npages = migrate->npages; + struct device *dev = adev->dev; +@@ -305,8 +305,8 @@ svm_migrate_copy_to_vram(struct amdgpu_device *adev, struct svm_range *prange, + uint64_t i, j; + int r; + +- pr_debug("svms 0x%p [0x%lx 0x%lx]\n", prange->svms, prange->start, +- prange->last); ++ pr_debug("svms 0x%p [0x%lx 0x%lx 0x%llx]\n", prange->svms, prange->start, ++ prange->last, ttm_res_offset); + + src = scratch; + dst = (uint64_t *)(scratch + npages); +@@ -317,7 +317,7 @@ svm_migrate_copy_to_vram(struct amdgpu_device *adev, struct svm_range *prange, + goto out; + } + +- amdgpu_res_first(prange->ttm_res, prange->offset << PAGE_SHIFT, ++ amdgpu_res_first(prange->ttm_res, ttm_res_offset, + npages << PAGE_SHIFT, &cursor); + for (i = j = 0; i < npages; i++) { + struct page *spage; +@@ -404,7 +404,7 @@ svm_migrate_copy_to_vram(struct amdgpu_device *adev, struct svm_range *prange, + static long + svm_migrate_vma_to_vram(struct amdgpu_device *adev, struct svm_range *prange, + struct vm_area_struct *vma, uint64_t start, +- uint64_t end, uint32_t trigger) ++ uint64_t end, uint32_t trigger, uint64_t ttm_res_offset) + { + struct kfd_process *p = container_of(prange->svms, struct kfd_process, svms); + uint64_t npages = (end - start) >> PAGE_SHIFT; +@@ -457,7 +457,7 @@ svm_migrate_vma_to_vram(struct amdgpu_device *adev, struct svm_range *prange, + else + pr_debug("0x%lx pages migrated\n", cpages); + +- r = svm_migrate_copy_to_vram(adev, prange, &migrate, &mfence, scratch); ++ r = svm_migrate_copy_to_vram(adev, prange, &migrate, &mfence, scratch, ttm_res_offset); + migrate_vma_pages(&migrate); + + pr_debug("successful/cpages/npages 0x%lx/0x%lx/0x%lx\n", +@@ -505,6 +505,7 @@ svm_migrate_ram_to_vram(struct svm_range *prange, uint32_t best_loc, + unsigned long addr, start, end; + struct vm_area_struct *vma; + struct amdgpu_device *adev; ++ uint64_t ttm_res_offset; + unsigned long cpages = 0; + long r = 0; + +@@ -525,6 +526,7 @@ svm_migrate_ram_to_vram(struct svm_range *prange, uint32_t best_loc, + + start = prange->start << PAGE_SHIFT; + end = (prange->last + 1) << PAGE_SHIFT; ++ ttm_res_offset = prange->offset << PAGE_SHIFT; + + for (addr = start; addr < end;) { + unsigned long next; +@@ -534,13 +536,14 @@ svm_migrate_ram_to_vram(struct svm_range *prange, uint32_t best_loc, + break; + + next = min(vma->vm_end, end); +- r = svm_migrate_vma_to_vram(adev, prange, vma, addr, next, trigger); ++ r = svm_migrate_vma_to_vram(adev, prange, vma, addr, next, trigger, ttm_res_offset); + if (r < 0) { + pr_debug("failed %ld to migrate\n", r); + break; + } else { + cpages += r; + } ++ ttm_res_offset += next - addr; + addr = next; + } + +-- +2.39.2 + diff --git a/queue-6.1/drm-amdkfd-fix-potential-kgd_mem-uafs.patch b/queue-6.1/drm-amdkfd-fix-potential-kgd_mem-uafs.patch new file mode 100644 index 00000000000..cde6df6148a --- /dev/null +++ b/queue-6.1/drm-amdkfd-fix-potential-kgd_mem-uafs.patch @@ -0,0 +1,98 @@ +From 24f132f16144585a944e487597647f970083e7fe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Mar 2023 13:37:24 -0800 +Subject: drm/amdkfd: fix potential kgd_mem UAFs + +From: Chia-I Wu + +[ Upstream commit 9da050b0d9e04439d225a2ec3044af70cdfb3933 ] + +kgd_mem pointers returned by kfd_process_device_translate_handle are +only guaranteed to be valid while p->mutex is held. As soon as the mutex +is unlocked, another thread can free the BO. + +Signed-off-by: Chia-I Wu +Signed-off-by: Felix Kuehling +Reviewed-by: Felix Kuehling +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c +index f79b8e964140e..e191d38f3da62 100644 +--- a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c +@@ -1298,14 +1298,14 @@ static int kfd_ioctl_map_memory_to_gpu(struct file *filep, + args->n_success = i+1; + } + +- mutex_unlock(&p->mutex); +- + err = amdgpu_amdkfd_gpuvm_sync_memory(dev->adev, (struct kgd_mem *) mem, true); + if (err) { + pr_debug("Sync memory failed, wait interrupted by user signal\n"); + goto sync_memory_failed; + } + ++ mutex_unlock(&p->mutex); ++ + /* Flush TLBs after waiting for the page table updates to complete */ + for (i = 0; i < args->n_devices; i++) { + peer_pdd = kfd_process_device_data_by_id(p, devices_arr[i]); +@@ -1321,9 +1321,9 @@ static int kfd_ioctl_map_memory_to_gpu(struct file *filep, + bind_process_to_device_failed: + get_mem_obj_from_handle_failed: + map_memory_to_gpu_failed: ++sync_memory_failed: + mutex_unlock(&p->mutex); + copy_from_user_failed: +-sync_memory_failed: + kfree(devices_arr); + + return err; +@@ -1337,6 +1337,7 @@ static int kfd_ioctl_unmap_memory_from_gpu(struct file *filep, + void *mem; + long err = 0; + uint32_t *devices_arr = NULL, i; ++ bool flush_tlb; + + if (!args->n_devices) { + pr_debug("Device IDs array empty\n"); +@@ -1389,16 +1390,19 @@ static int kfd_ioctl_unmap_memory_from_gpu(struct file *filep, + } + args->n_success = i+1; + } +- mutex_unlock(&p->mutex); + +- if (kfd_flush_tlb_after_unmap(pdd->dev)) { ++ flush_tlb = kfd_flush_tlb_after_unmap(pdd->dev); ++ if (flush_tlb) { + err = amdgpu_amdkfd_gpuvm_sync_memory(pdd->dev->adev, + (struct kgd_mem *) mem, true); + if (err) { + pr_debug("Sync memory failed, wait interrupted by user signal\n"); + goto sync_memory_failed; + } ++ } ++ mutex_unlock(&p->mutex); + ++ if (flush_tlb) { + /* Flush TLBs after waiting for the page table updates to complete */ + for (i = 0; i < args->n_devices; i++) { + peer_pdd = kfd_process_device_data_by_id(p, devices_arr[i]); +@@ -1414,9 +1418,9 @@ static int kfd_ioctl_unmap_memory_from_gpu(struct file *filep, + bind_process_to_device_failed: + get_mem_obj_from_handle_failed: + unmap_memory_from_gpu_failed: ++sync_memory_failed: + mutex_unlock(&p->mutex); + copy_from_user_failed: +-sync_memory_failed: + kfree(devices_arr); + return err; + } +-- +2.39.2 + diff --git a/queue-6.1/drm-amdkfd-fixed-kfd_process-cleanup-on-module-exit.patch b/queue-6.1/drm-amdkfd-fixed-kfd_process-cleanup-on-module-exit.patch new file mode 100644 index 00000000000..a8db25ec554 --- /dev/null +++ b/queue-6.1/drm-amdkfd-fixed-kfd_process-cleanup-on-module-exit.patch @@ -0,0 +1,150 @@ +From 6bb203694b2d1465be7f6fe3e8039c5f1ea48a94 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Feb 2023 14:11:24 -0500 +Subject: drm/amdkfd: Fixed kfd_process cleanup on module exit. + +From: David Belanger + +[ Upstream commit 20bc9f76b6a2455c6b54b91ae7634f147f64987f ] + +Handle case when module is unloaded (kfd_exit) before a process space +(mm_struct) is released. + +v2: Fixed potential race conditions by removing all kfd_process from +the process table first, then working on releasing the resources. + +v3: Fixed loop element access / synchronization. Fixed extra empty lines. + +Signed-off-by: David Belanger +Reviewed-by: Felix Kuehling +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdkfd/kfd_module.c | 1 + + drivers/gpu/drm/amd/amdkfd/kfd_priv.h | 1 + + drivers/gpu/drm/amd/amdkfd/kfd_process.c | 67 +++++++++++++++++++++--- + 3 files changed, 62 insertions(+), 7 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_module.c b/drivers/gpu/drm/amd/amdkfd/kfd_module.c +index 09b966dc37681..aee2212e52f69 100644 +--- a/drivers/gpu/drm/amd/amdkfd/kfd_module.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_module.c +@@ -77,6 +77,7 @@ static int kfd_init(void) + + static void kfd_exit(void) + { ++ kfd_cleanup_processes(); + kfd_debugfs_fini(); + kfd_process_destroy_wq(); + kfd_procfs_shutdown(); +diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_priv.h b/drivers/gpu/drm/amd/amdkfd/kfd_priv.h +index bf610e3b683bb..6d6588b9beed7 100644 +--- a/drivers/gpu/drm/amd/amdkfd/kfd_priv.h ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_priv.h +@@ -928,6 +928,7 @@ bool kfd_dev_is_large_bar(struct kfd_dev *dev); + + int kfd_process_create_wq(void); + void kfd_process_destroy_wq(void); ++void kfd_cleanup_processes(void); + struct kfd_process *kfd_create_process(struct file *filep); + struct kfd_process *kfd_get_process(const struct task_struct *task); + struct kfd_process *kfd_lookup_process_by_pasid(u32 pasid); +diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_process.c b/drivers/gpu/drm/amd/amdkfd/kfd_process.c +index dd351105c1bcf..7f68d51541e8e 100644 +--- a/drivers/gpu/drm/amd/amdkfd/kfd_process.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_process.c +@@ -1167,6 +1167,17 @@ static void kfd_process_free_notifier(struct mmu_notifier *mn) + kfd_unref_process(container_of(mn, struct kfd_process, mmu_notifier)); + } + ++static void kfd_process_notifier_release_internal(struct kfd_process *p) ++{ ++ cancel_delayed_work_sync(&p->eviction_work); ++ cancel_delayed_work_sync(&p->restore_work); ++ ++ /* Indicate to other users that MM is no longer valid */ ++ p->mm = NULL; ++ ++ mmu_notifier_put(&p->mmu_notifier); ++} ++ + static void kfd_process_notifier_release(struct mmu_notifier *mn, + struct mm_struct *mm) + { +@@ -1181,17 +1192,22 @@ static void kfd_process_notifier_release(struct mmu_notifier *mn, + return; + + mutex_lock(&kfd_processes_mutex); ++ /* ++ * Do early return if table is empty. ++ * ++ * This could potentially happen if this function is called concurrently ++ * by mmu_notifier and by kfd_cleanup_pocesses. ++ * ++ */ ++ if (hash_empty(kfd_processes_table)) { ++ mutex_unlock(&kfd_processes_mutex); ++ return; ++ } + hash_del_rcu(&p->kfd_processes); + mutex_unlock(&kfd_processes_mutex); + synchronize_srcu(&kfd_processes_srcu); + +- cancel_delayed_work_sync(&p->eviction_work); +- cancel_delayed_work_sync(&p->restore_work); +- +- /* Indicate to other users that MM is no longer valid */ +- p->mm = NULL; +- +- mmu_notifier_put(&p->mmu_notifier); ++ kfd_process_notifier_release_internal(p); + } + + static const struct mmu_notifier_ops kfd_process_mmu_notifier_ops = { +@@ -1200,6 +1216,43 @@ static const struct mmu_notifier_ops kfd_process_mmu_notifier_ops = { + .free_notifier = kfd_process_free_notifier, + }; + ++/* ++ * This code handles the case when driver is being unloaded before all ++ * mm_struct are released. We need to safely free the kfd_process and ++ * avoid race conditions with mmu_notifier that might try to free them. ++ * ++ */ ++void kfd_cleanup_processes(void) ++{ ++ struct kfd_process *p; ++ struct hlist_node *p_temp; ++ unsigned int temp; ++ HLIST_HEAD(cleanup_list); ++ ++ /* ++ * Move all remaining kfd_process from the process table to a ++ * temp list for processing. Once done, callback from mmu_notifier ++ * release will not see the kfd_process in the table and do early return, ++ * avoiding double free issues. ++ */ ++ mutex_lock(&kfd_processes_mutex); ++ hash_for_each_safe(kfd_processes_table, temp, p_temp, p, kfd_processes) { ++ hash_del_rcu(&p->kfd_processes); ++ synchronize_srcu(&kfd_processes_srcu); ++ hlist_add_head(&p->kfd_processes, &cleanup_list); ++ } ++ mutex_unlock(&kfd_processes_mutex); ++ ++ hlist_for_each_entry_safe(p, p_temp, &cleanup_list, kfd_processes) ++ kfd_process_notifier_release_internal(p); ++ ++ /* ++ * Ensures that all outstanding free_notifier get called, triggering ++ * the release of the kfd_process struct. ++ */ ++ mmu_notifier_synchronize(); ++} ++ + static int kfd_process_init_cwsr_apu(struct kfd_process *p, struct file *filep) + { + unsigned long offset; +-- +2.39.2 + diff --git a/queue-6.1/fbdev-au1200fb-fix-potential-divide-by-zero.patch b/queue-6.1/fbdev-au1200fb-fix-potential-divide-by-zero.patch new file mode 100644 index 00000000000..77be2e50e2c --- /dev/null +++ b/queue-6.1/fbdev-au1200fb-fix-potential-divide-by-zero.patch @@ -0,0 +1,39 @@ +From fcddd6ad4a76e1d2616ebee671fa0b28dada5ea5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Mar 2023 09:22:54 +0000 +Subject: fbdev: au1200fb: Fix potential divide by zero + +From: Wei Chen + +[ Upstream commit 44a3b36b42acfc433aaaf526191dd12fbb919fdb ] + +var->pixclock can be assigned to zero by user. Without +proper check, divide by zero would occur when invoking +macro PICOS2KHZ in au1200fb_fb_check_var. + +Error out if var->pixclock is zero. + +Signed-off-by: Wei Chen +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/au1200fb.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/video/fbdev/au1200fb.c b/drivers/video/fbdev/au1200fb.c +index 81c3154544287..b6b22fa4a8a01 100644 +--- a/drivers/video/fbdev/au1200fb.c ++++ b/drivers/video/fbdev/au1200fb.c +@@ -1040,6 +1040,9 @@ static int au1200fb_fb_check_var(struct fb_var_screeninfo *var, + u32 pixclock; + int screen_size, plane; + ++ if (!var->pixclock) ++ return -EINVAL; ++ + plane = fbdev->plane; + + /* Make sure that the mode respect all LCD controller and +-- +2.39.2 + diff --git a/queue-6.1/fbdev-intelfb-fix-potential-divide-by-zero.patch b/queue-6.1/fbdev-intelfb-fix-potential-divide-by-zero.patch new file mode 100644 index 00000000000..b0452e9671e --- /dev/null +++ b/queue-6.1/fbdev-intelfb-fix-potential-divide-by-zero.patch @@ -0,0 +1,39 @@ +From 5095dae39f2cd2e74a45e92a87a4d0f46d76b453 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Mar 2023 08:33:47 +0000 +Subject: fbdev: intelfb: Fix potential divide by zero + +From: Wei Chen + +[ Upstream commit d823685486a3446d061fed7c7d2f80af984f119a ] + +Variable var->pixclock is controlled by user and can be assigned +to zero. Without proper check, divide by zero would occur in +intelfbhw_validate_mode and intelfbhw_mode_to_hw. + +Error out if var->pixclock is zero. + +Signed-off-by: Wei Chen +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/intelfb/intelfbdrv.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/video/fbdev/intelfb/intelfbdrv.c b/drivers/video/fbdev/intelfb/intelfbdrv.c +index d4a2891a9a7ac..a93dd531d00df 100644 +--- a/drivers/video/fbdev/intelfb/intelfbdrv.c ++++ b/drivers/video/fbdev/intelfb/intelfbdrv.c +@@ -1219,6 +1219,9 @@ static int intelfb_check_var(struct fb_var_screeninfo *var, + + dinfo = GET_DINFO(info); + ++ if (!var->pixclock) ++ return -EINVAL; ++ + /* update the pitch */ + if (intelfbhw_validate_mode(dinfo, var) != 0) + return -EINVAL; +-- +2.39.2 + diff --git a/queue-6.1/fbdev-lxfb-fix-potential-divide-by-zero.patch b/queue-6.1/fbdev-lxfb-fix-potential-divide-by-zero.patch new file mode 100644 index 00000000000..53df88d1281 --- /dev/null +++ b/queue-6.1/fbdev-lxfb-fix-potential-divide-by-zero.patch @@ -0,0 +1,38 @@ +From ffe15fa85fec6a0ee103109303b743442b200816 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Mar 2023 09:05:18 +0000 +Subject: fbdev: lxfb: Fix potential divide by zero + +From: Wei Chen + +[ Upstream commit 61ac4b86a4c047c20d5cb423ddd87496f14d9868 ] + +var->pixclock can be assigned to zero by user. Without proper +check, divide by zero would occur in lx_set_clock. + +Error out if var->pixclock is zero. + +Signed-off-by: Wei Chen +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/geode/lxfb_core.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/video/fbdev/geode/lxfb_core.c b/drivers/video/fbdev/geode/lxfb_core.c +index 9d26592dbfce9..41fda498406c1 100644 +--- a/drivers/video/fbdev/geode/lxfb_core.c ++++ b/drivers/video/fbdev/geode/lxfb_core.c +@@ -235,6 +235,9 @@ static void get_modedb(struct fb_videomode **modedb, unsigned int *size) + + static int lxfb_check_var(struct fb_var_screeninfo *var, struct fb_info *info) + { ++ if (!var->pixclock) ++ return -EINVAL; ++ + if (var->xres > 1920 || var->yres > 1440) + return -EINVAL; + +-- +2.39.2 + diff --git a/queue-6.1/fbdev-nvidia-fix-potential-divide-by-zero.patch b/queue-6.1/fbdev-nvidia-fix-potential-divide-by-zero.patch new file mode 100644 index 00000000000..190c46c5d56 --- /dev/null +++ b/queue-6.1/fbdev-nvidia-fix-potential-divide-by-zero.patch @@ -0,0 +1,40 @@ +From f84f4f6bef0bc94d4ee4d29b3edd998cb28c92e7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Mar 2023 07:18:31 +0000 +Subject: fbdev: nvidia: Fix potential divide by zero + +From: Wei Chen + +[ Upstream commit 92e2a00f2987483e1f9253625828622edd442e61 ] + +variable var->pixclock can be set by user. In case it +equals to zero, divide by zero would occur in nvidiafb_set_par. + +Similar crashes have happened in other fbdev drivers. There +is no check and modification on var->pixclock along the call +chain to nvidia_check_var and nvidiafb_set_par. We believe it +could also be triggered in driver nvidia from user site. + +Signed-off-by: Wei Chen +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/nvidia/nvidia.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/video/fbdev/nvidia/nvidia.c b/drivers/video/fbdev/nvidia/nvidia.c +index a6c3bc2222463..1b8904824ad83 100644 +--- a/drivers/video/fbdev/nvidia/nvidia.c ++++ b/drivers/video/fbdev/nvidia/nvidia.c +@@ -764,6 +764,8 @@ static int nvidiafb_check_var(struct fb_var_screeninfo *var, + int pitch, err = 0; + + NVTRACE_ENTER(); ++ if (!var->pixclock) ++ return -EINVAL; + + var->transp.offset = 0; + var->transp.length = 0; +-- +2.39.2 + diff --git a/queue-6.1/fbdev-tgafb-fix-potential-divide-by-zero.patch b/queue-6.1/fbdev-tgafb-fix-potential-divide-by-zero.patch new file mode 100644 index 00000000000..04327508467 --- /dev/null +++ b/queue-6.1/fbdev-tgafb-fix-potential-divide-by-zero.patch @@ -0,0 +1,44 @@ +From 30951bb7f4be88accaf8ecb3d8cb716402cf8c19 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Mar 2023 13:08:56 +0000 +Subject: fbdev: tgafb: Fix potential divide by zero + +From: Wei Chen + +[ Upstream commit f90bd245de82c095187d8c2cabb8b488a39eaecc ] + +fb_set_var would by called when user invokes ioctl with cmd +FBIOPUT_VSCREENINFO. User-provided data would finally reach +tgafb_check_var. In case var->pixclock is assigned to zero, +divide by zero would occur when checking whether reciprocal +of var->pixclock is too high. + +Similar crashes have happened in other fbdev drivers. There +is no check and modification on var->pixclock along the call +chain to tgafb_check_var. We believe it could also be triggered +in driver tgafb from user site. + +Signed-off-by: Wei Chen +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/tgafb.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/video/fbdev/tgafb.c b/drivers/video/fbdev/tgafb.c +index 251dbd282f5ed..84d5daef97666 100644 +--- a/drivers/video/fbdev/tgafb.c ++++ b/drivers/video/fbdev/tgafb.c +@@ -173,6 +173,9 @@ tgafb_check_var(struct fb_var_screeninfo *var, struct fb_info *info) + { + struct tga_par *par = (struct tga_par *)info->par; + ++ if (!var->pixclock) ++ return -EINVAL; ++ + if (par->tga_type == TGA_TYPE_8PLANE) { + if (var->bits_per_pixel != 8) + return -EINVAL; +-- +2.39.2 + diff --git a/queue-6.1/md-avoid-signed-overflow-in-slot_store.patch b/queue-6.1/md-avoid-signed-overflow-in-slot_store.patch new file mode 100644 index 00000000000..bd82b68f1a9 --- /dev/null +++ b/queue-6.1/md-avoid-signed-overflow-in-slot_store.patch @@ -0,0 +1,44 @@ +From 4ec013df50959c702142eb8b97465c8b34c7262f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Mar 2023 09:36:25 +1100 +Subject: md: avoid signed overflow in slot_store() + +From: NeilBrown + +[ Upstream commit 3bc57292278a0b6ac4656cad94c14f2453344b57 ] + +slot_store() uses kstrtouint() to get a slot number, but stores the +result in an "int" variable (by casting a pointer). +This can result in a negative slot number if the unsigned int value is +very large. + +A negative number means that the slot is empty, but setting a negative +slot number this way will not remove the device from the array. I don't +think this is a serious problem, but it could cause confusion and it is +best to fix it. + +Reported-by: Dan Carpenter +Signed-off-by: NeilBrown +Signed-off-by: Song Liu +Signed-off-by: Sasha Levin +--- + drivers/md/md.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/md/md.c b/drivers/md/md.c +index 0368b3c51c7f7..d5c362b1602b6 100644 +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -3152,6 +3152,9 @@ slot_store(struct md_rdev *rdev, const char *buf, size_t len) + err = kstrtouint(buf, 10, (unsigned int *)&slot); + if (err < 0) + return err; ++ if (slot < 0) ++ /* overflow */ ++ return -ENOSPC; + } + if (rdev->mddev->pers && slot == -1) { + /* Setting 'slot' on an active array requires also +-- +2.39.2 + diff --git a/queue-6.1/net-hsr-don-t-log-netdev_err-message-on-unknown-prp-.patch b/queue-6.1/net-hsr-don-t-log-netdev_err-message-on-unknown-prp-.patch new file mode 100644 index 00000000000..9122eec821e --- /dev/null +++ b/queue-6.1/net-hsr-don-t-log-netdev_err-message-on-unknown-prp-.patch @@ -0,0 +1,40 @@ +From 8ac242011145a2d5d1aa758009e6c46585efd5ab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Mar 2023 14:32:29 +0100 +Subject: net: hsr: Don't log netdev_err message on unknown prp dst node + +From: Kristian Overskeid + +[ Upstream commit 28e8cabe80f3e6e3c98121576eda898eeb20f1b1 ] + +If no frames has been exchanged with a node for HSR_NODE_FORGET_TIME, the +node will be deleted from the node_db list. If a frame is sent to the node +after it is deleted, a netdev_err message for each slave interface is +produced. This should not happen with dan nodes because of supervision +frames, but can happen often with san nodes, which clutters the kernel +log. Since the hsr protocol does not support sans, this is only relevant +for the prp protocol. + +Signed-off-by: Kristian Overskeid +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/hsr/hsr_framereg.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/hsr/hsr_framereg.c b/net/hsr/hsr_framereg.c +index 39a6088080e93..bd0afb8991174 100644 +--- a/net/hsr/hsr_framereg.c ++++ b/net/hsr/hsr_framereg.c +@@ -422,7 +422,7 @@ void hsr_addr_subst_dest(struct hsr_node *node_src, struct sk_buff *skb, + node_dst = find_node_by_addr_A(&port->hsr->node_db, + eth_hdr(skb)->h_dest); + if (!node_dst) { +- if (net_ratelimit()) ++ if (net_ratelimit() && port->hsr->prot_version != PRP_V1) + netdev_err(skb->dev, "%s: Unknown node\n", __func__); + return; + } +-- +2.39.2 + diff --git a/queue-6.1/net-mlx5e-lower-maximum-allowed-mtu-in-xsk-to-match-.patch b/queue-6.1/net-mlx5e-lower-maximum-allowed-mtu-in-xsk-to-match-.patch new file mode 100644 index 00000000000..4e776829f40 --- /dev/null +++ b/queue-6.1/net-mlx5e-lower-maximum-allowed-mtu-in-xsk-to-match-.patch @@ -0,0 +1,72 @@ +From 455536e949d2e58938370e85180cf5245424ddcb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Jan 2023 10:09:01 +0200 +Subject: net/mlx5e: Lower maximum allowed MTU in XSK to match XDP + prerequisites + +From: Adham Faris + +[ Upstream commit 78dee7befd56987283c13877b834c0aa97ad51b9 ] + +XSK redirecting XDP programs require linearity, hence applies +restrictions on the MTU. For PAGE_SIZE=4K, MTU shouldn't exceed 3498. + +Features that contradict with XDP such HW-LRO and HW-GRO are enforced +by the driver in advance, during XSK params validation, except for MTU, +which was not enforced before this patch. + +This has been spotted during test scenario described below: +Attaching xdpsock program (PAGE_SIZE=4K), with MTU < 3498, detaching +XDP program, changing the MTU to arbitrary value in the range +[3499, 3754], attaching XDP program again, which ended up with failure +since MTU is > 3498. + +This commit lowers the XSK MTU limitation to be aligned with XDP MTU +limitation, since XSK socket is meaningless without XDP program. + +Signed-off-by: Adham Faris +Reviewed-by: Tariq Toukan +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +index 3b5c5064cfafc..5e01de4c32037 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -4104,13 +4104,17 @@ static bool mlx5e_xsk_validate_mtu(struct net_device *netdev, + struct xsk_buff_pool *xsk_pool = + mlx5e_xsk_get_pool(&chs->params, chs->params.xsk, ix); + struct mlx5e_xsk_param xsk; ++ int max_xdp_mtu; + + if (!xsk_pool) + continue; + + mlx5e_build_xsk_param(xsk_pool, &xsk); ++ max_xdp_mtu = mlx5e_xdp_max_mtu(new_params, &xsk); + +- if (!mlx5e_validate_xsk_param(new_params, &xsk, mdev)) { ++ /* Validate XSK params and XDP MTU in advance */ ++ if (!mlx5e_validate_xsk_param(new_params, &xsk, mdev) || ++ new_params->sw_mtu > max_xdp_mtu) { + u32 hr = mlx5e_get_linear_rq_headroom(new_params, &xsk); + int max_mtu_frame, max_mtu_page, max_mtu; + +@@ -4120,9 +4124,9 @@ static bool mlx5e_xsk_validate_mtu(struct net_device *netdev, + */ + max_mtu_frame = MLX5E_HW2SW_MTU(new_params, xsk.chunk_size - hr); + max_mtu_page = MLX5E_HW2SW_MTU(new_params, SKB_MAX_HEAD(0)); +- max_mtu = min(max_mtu_frame, max_mtu_page); ++ max_mtu = min3(max_mtu_frame, max_mtu_page, max_xdp_mtu); + +- netdev_err(netdev, "MTU %d is too big for an XSK running on channel %u. Try MTU <= %d\n", ++ netdev_err(netdev, "MTU %d is too big for an XSK running on channel %u or its redirection XDP program. Try MTU <= %d\n", + new_params->sw_mtu, ix, max_mtu); + return false; + } +-- +2.39.2 + diff --git a/queue-6.1/nvme-pci-add-nvme_quirk_bogus_nid-for-lexar-nm620.patch b/queue-6.1/nvme-pci-add-nvme_quirk_bogus_nid-for-lexar-nm620.patch new file mode 100644 index 00000000000..96c1cde6d9d --- /dev/null +++ b/queue-6.1/nvme-pci-add-nvme_quirk_bogus_nid-for-lexar-nm620.patch @@ -0,0 +1,35 @@ +From 19de71b62853afe99b7a83df9640d0336815af67 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Mar 2023 11:11:50 +0100 +Subject: nvme-pci: add NVME_QUIRK_BOGUS_NID for Lexar NM620 + +From: Philipp Geulen + +[ Upstream commit b65d44fa0fe072c91bf41cd8756baa2b4c77eff2 ] + +Added a quirk to fix Lexar NM620 1TB SSD reporting duplicate NGUIDs. + +Signed-off-by: Philipp Geulen +Reviewed-by: Chaitanya Kulkarni +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/pci.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index 100f774bc97fa..60452f6a9f711 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -3547,6 +3547,8 @@ static const struct pci_device_id nvme_id_table[] = { + .driver_data = NVME_QUIRK_BOGUS_NID, }, + { PCI_DEVICE(0x1d97, 0x2263), /* Lexar NM610 */ + .driver_data = NVME_QUIRK_BOGUS_NID, }, ++ { PCI_DEVICE(0x1d97, 0x1d97), /* Lexar NM620 */ ++ .driver_data = NVME_QUIRK_BOGUS_NID, }, + { PCI_DEVICE(0x1d97, 0x2269), /* Lexar NM760 */ + .driver_data = NVME_QUIRK_BOGUS_NID, }, + { PCI_DEVICE(PCI_VENDOR_ID_AMAZON, 0x0061), +-- +2.39.2 + diff --git a/queue-6.1/sched_getaffinity-don-t-assume-cpumask_size-is-fully.patch b/queue-6.1/sched_getaffinity-don-t-assume-cpumask_size-is-fully.patch new file mode 100644 index 00000000000..3af7132affe --- /dev/null +++ b/queue-6.1/sched_getaffinity-don-t-assume-cpumask_size-is-fully.patch @@ -0,0 +1,82 @@ +From fa210acb09e88a0733304812b93bda09f0315337 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Mar 2023 19:32:38 -0700 +Subject: sched_getaffinity: don't assume 'cpumask_size()' is fully initialized + +From: Linus Torvalds + +[ Upstream commit 6015b1aca1a233379625385feb01dd014aca60b5 ] + +The getaffinity() system call uses 'cpumask_size()' to decide how big +the CPU mask is - so far so good. It is indeed the allocation size of a +cpumask. + +But the code also assumes that the whole allocation is initialized +without actually doing so itself. That's wrong, because we might have +fixed-size allocations (making copying and clearing more efficient), but +not all of it is then necessarily used if 'nr_cpu_ids' is smaller. + +Having checked other users of 'cpumask_size()', they all seem to be ok, +either using it purely for the allocation size, or explicitly zeroing +the cpumask before using the size in bytes to copy it. + +See for example the ublk_ctrl_get_queue_affinity() function that uses +the proper 'zalloc_cpumask_var()' to make sure that the whole mask is +cleared, whether the storage is on the stack or if it was an external +allocation. + +Fix this by just zeroing the allocation before using it. Do the same +for the compat version of sched_getaffinity(), which had the same logic. + +Also, for consistency, make sched_getaffinity() use 'cpumask_bits()' to +access the bits. For a cpumask_var_t, it ends up being a pointer to the +same data either way, but it's just a good idea to treat it like you +would a 'cpumask_t'. The compat case already did that. + +Reported-by: Ryan Roberts +Link: https://lore.kernel.org/lkml/7d026744-6bd6-6827-0471-b5e8eae0be3f@arm.com/ +Cc: Yury Norov +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + kernel/compat.c | 2 +- + kernel/sched/core.c | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/kernel/compat.c b/kernel/compat.c +index 55551989d9da5..fb50f29d9b361 100644 +--- a/kernel/compat.c ++++ b/kernel/compat.c +@@ -152,7 +152,7 @@ COMPAT_SYSCALL_DEFINE3(sched_getaffinity, compat_pid_t, pid, unsigned int, len, + if (len & (sizeof(compat_ulong_t)-1)) + return -EINVAL; + +- if (!alloc_cpumask_var(&mask, GFP_KERNEL)) ++ if (!zalloc_cpumask_var(&mask, GFP_KERNEL)) + return -ENOMEM; + + ret = sched_getaffinity(pid, mask); +diff --git a/kernel/sched/core.c b/kernel/sched/core.c +index 9ebfd484189b3..b23dcbeacdf33 100644 +--- a/kernel/sched/core.c ++++ b/kernel/sched/core.c +@@ -8304,14 +8304,14 @@ SYSCALL_DEFINE3(sched_getaffinity, pid_t, pid, unsigned int, len, + if (len & (sizeof(unsigned long)-1)) + return -EINVAL; + +- if (!alloc_cpumask_var(&mask, GFP_KERNEL)) ++ if (!zalloc_cpumask_var(&mask, GFP_KERNEL)) + return -ENOMEM; + + ret = sched_getaffinity(pid, mask); + if (ret == 0) { + unsigned int retlen = min(len, cpumask_size()); + +- if (copy_to_user(user_mask_ptr, mask, retlen)) ++ if (copy_to_user(user_mask_ptr, cpumask_bits(mask), retlen)) + ret = -EFAULT; + else + ret = retlen; +-- +2.39.2 + diff --git a/queue-6.1/series b/queue-6.1/series index 441c62da5b1..d1252044b9a 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -27,3 +27,37 @@ tracing-add-.graph-suffix-option-to-histogram-value.patch tracing-do-not-let-histogram-values-have-some-modifi.patch net-mscc-ocelot-fix-stats-region-batching.patch arm64-efi-set-nx-compat-flag-in-pe-coff-header.patch +cifs-fix-missing-unload_nls-in-smb2_reconnect.patch +xfrm-zero-padding-when-dumping-algos-and-encap.patch +asoc-codecs-tx-macro-fix-for-kasan-slab-out-of-bound.patch +asoc-intel-avs-max98357a-explicitly-define-codec-for.patch +asoc-intel-avs-da7219-explicitly-define-codec-format.patch +asoc-intel-avs-ssm4567-remove-nau8825-bits.patch +asoc-intel-avs-nau8825-adjust-clock-control.patch +zstd-fix-definition-of-assert.patch +acpi-video-add-backlight-native-dmi-quirk-for-dell-v.patch +asoc-sof-ipc3-check-for-upper-size-limit-for-the-rec.patch +asoc-sof-ipc4-topology-fix-incorrect-sample-rate-pri.patch +asoc-sof-intel-pci-tng-revert-invalid-bar-size-setti.patch +asoc-sof-ipc4-update-gain-ipc-msg-definition-to-alig.patch +md-avoid-signed-overflow-in-slot_store.patch +x86-pvh-obtain-vga-console-info-in-dom0.patch +drm-amdkfd-fix-bo-offset-for-multi-vma-page-migratio.patch +drm-amdkfd-fix-a-potential-double-free-in-pqm_create.patch +drm-amdkfd-fix-potential-kgd_mem-uafs.patch +net-hsr-don-t-log-netdev_err-message-on-unknown-prp-.patch +alsa-asihpi-check-pao-in-control_message.patch +alsa-hda-ca0132-fixup-buffer-overrun-at-tuning_ctl_s.patch +fbdev-tgafb-fix-potential-divide-by-zero.patch +acpi-tools-pfrut-check-if-the-input-of-level-and-typ.patch +sched_getaffinity-don-t-assume-cpumask_size-is-fully.patch +nvme-pci-add-nvme_quirk_bogus_nid-for-lexar-nm620.patch +drm-amdkfd-fixed-kfd_process-cleanup-on-module-exit.patch +net-mlx5e-lower-maximum-allowed-mtu-in-xsk-to-match-.patch +fbdev-nvidia-fix-potential-divide-by-zero.patch +fbdev-intelfb-fix-potential-divide-by-zero.patch +fbdev-lxfb-fix-potential-divide-by-zero.patch +fbdev-au1200fb-fix-potential-divide-by-zero.patch +tools-power-turbostat-fix-dev-cpu_dma_latency-warnin.patch +tools-power-turbostat-fix-decoding-of-hwp_status.patch +tracing-fix-wrong-return-in-kprobe_event_gen_test.c.patch diff --git a/queue-6.1/tools-power-turbostat-fix-decoding-of-hwp_status.patch b/queue-6.1/tools-power-turbostat-fix-decoding-of-hwp_status.patch new file mode 100644 index 00000000000..5cbf781e595 --- /dev/null +++ b/queue-6.1/tools-power-turbostat-fix-decoding-of-hwp_status.patch @@ -0,0 +1,37 @@ +From 090ac5828b9a7cef1497e27550c0ba68f90b825f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Jan 2023 15:17:50 +0200 +Subject: tools/power turbostat: fix decoding of HWP_STATUS + +From: Antti Laakso + +[ Upstream commit 92c25393586ac799b9b7d9e50434f3c44a7622c4 ] + +The "excursion to minimum" information is in bit2 +in HWP_STATUS MSR. Fix the bitmask used for +decoding the register. + +Signed-off-by: Antti Laakso +Reviewed-by: Artem Bityutskiy +Signed-off-by: Len Brown +Signed-off-by: Sasha Levin +--- + tools/power/x86/turbostat/turbostat.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/power/x86/turbostat/turbostat.c b/tools/power/x86/turbostat/turbostat.c +index c24054e3ef7ad..c61c6c704fbe6 100644 +--- a/tools/power/x86/turbostat/turbostat.c ++++ b/tools/power/x86/turbostat/turbostat.c +@@ -4426,7 +4426,7 @@ int print_hwp(struct thread_data *t, struct core_data *c, struct pkg_data *p) + + fprintf(outf, "cpu%d: MSR_HWP_STATUS: 0x%08llx " + "(%sGuaranteed_Perf_Change, %sExcursion_Min)\n", +- cpu, msr, ((msr) & 0x1) ? "" : "No-", ((msr) & 0x2) ? "" : "No-"); ++ cpu, msr, ((msr) & 0x1) ? "" : "No-", ((msr) & 0x4) ? "" : "No-"); + + return 0; + } +-- +2.39.2 + diff --git a/queue-6.1/tools-power-turbostat-fix-dev-cpu_dma_latency-warnin.patch b/queue-6.1/tools-power-turbostat-fix-dev-cpu_dma_latency-warnin.patch new file mode 100644 index 00000000000..ce620828971 --- /dev/null +++ b/queue-6.1/tools-power-turbostat-fix-dev-cpu_dma_latency-warnin.patch @@ -0,0 +1,58 @@ +From 7b1873aca600b79103cf3018af357f0fb4db80cf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Dec 2022 10:18:16 -0500 +Subject: tools/power turbostat: Fix /dev/cpu_dma_latency warnings + +From: Prarit Bhargava + +[ Upstream commit 40aafc7d58d3544f152a863a0e9863014b6d5d8c ] + +When running as non-root the following error is seen in turbostat: + +turbostat: fopen /dev/cpu_dma_latency +: Permission denied + +turbostat and the man page have information on how to avoid other +permission errors, so these can be fixed the same way. + +Provide better /dev/cpu_dma_latency warnings that provide instructions on +how to avoid the error, and update the man page. + +Signed-off-by: Prarit Bhargava +Cc: linux-pm@vger.kernel.org +Signed-off-by: Len Brown +Signed-off-by: Sasha Levin +--- + tools/power/x86/turbostat/turbostat.8 | 2 ++ + tools/power/x86/turbostat/turbostat.c | 2 +- + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/tools/power/x86/turbostat/turbostat.8 b/tools/power/x86/turbostat/turbostat.8 +index c7b26a3603afe..3e1a4c4be001a 100644 +--- a/tools/power/x86/turbostat/turbostat.8 ++++ b/tools/power/x86/turbostat/turbostat.8 +@@ -344,6 +344,8 @@ Alternatively, non-root users can be enabled to run turbostat this way: + + # chmod +r /dev/cpu/*/msr + ++# chmod +r /dev/cpu_dma_latency ++ + .B "turbostat " + reads hardware counters, but doesn't write them. + So it will not interfere with the OS or other programs, including +diff --git a/tools/power/x86/turbostat/turbostat.c b/tools/power/x86/turbostat/turbostat.c +index aba460410dbd1..c24054e3ef7ad 100644 +--- a/tools/power/x86/turbostat/turbostat.c ++++ b/tools/power/x86/turbostat/turbostat.c +@@ -5482,7 +5482,7 @@ void print_dev_latency(void) + + retval = read(fd, (void *)&value, sizeof(int)); + if (retval != sizeof(int)) { +- warn("read %s\n", path); ++ warn("read failed %s\n", path); + close(fd); + return; + } +-- +2.39.2 + diff --git a/queue-6.1/tracing-fix-wrong-return-in-kprobe_event_gen_test.c.patch b/queue-6.1/tracing-fix-wrong-return-in-kprobe_event_gen_test.c.patch new file mode 100644 index 00000000000..48989115000 --- /dev/null +++ b/queue-6.1/tracing-fix-wrong-return-in-kprobe_event_gen_test.c.patch @@ -0,0 +1,53 @@ +From acdcdf044d9b96740e6ba957004ea1712182c4bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 31 Jan 2023 10:58:18 +0300 +Subject: tracing: Fix wrong return in kprobe_event_gen_test.c + +From: Anton Gusev + +[ Upstream commit bc4f359b3b607daac0290d0038561237a86b38cb ] + +Overwriting the error code with the deletion result may cause the +function to return 0 despite encountering an error. Commit b111545d26c0 +("tracing: Remove the useless value assignment in +test_create_synth_event()") solves a similar issue by +returning the original error code, so this patch does the same. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Link: https://lore.kernel.org/linux-trace-kernel/20230131075818.5322-1-aagusev@ispras.ru + +Signed-off-by: Anton Gusev +Reviewed-by: Steven Rostedt (Google) +Acked-by: Masami Hiramatsu (Google) +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/kprobe_event_gen_test.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/kernel/trace/kprobe_event_gen_test.c b/kernel/trace/kprobe_event_gen_test.c +index c736487fc0e48..e0c420eb0b2b4 100644 +--- a/kernel/trace/kprobe_event_gen_test.c ++++ b/kernel/trace/kprobe_event_gen_test.c +@@ -146,7 +146,7 @@ static int __init test_gen_kprobe_cmd(void) + if (trace_event_file_is_valid(gen_kprobe_test)) + gen_kprobe_test = NULL; + /* We got an error after creating the event, delete it */ +- ret = kprobe_event_delete("gen_kprobe_test"); ++ kprobe_event_delete("gen_kprobe_test"); + goto out; + } + +@@ -211,7 +211,7 @@ static int __init test_gen_kretprobe_cmd(void) + if (trace_event_file_is_valid(gen_kretprobe_test)) + gen_kretprobe_test = NULL; + /* We got an error after creating the event, delete it */ +- ret = kprobe_event_delete("gen_kretprobe_test"); ++ kprobe_event_delete("gen_kretprobe_test"); + goto out; + } + +-- +2.39.2 + diff --git a/queue-6.1/x86-pvh-obtain-vga-console-info-in-dom0.patch b/queue-6.1/x86-pvh-obtain-vga-console-info-in-dom0.patch new file mode 100644 index 00000000000..df4c8cb5517 --- /dev/null +++ b/queue-6.1/x86-pvh-obtain-vga-console-info-in-dom0.patch @@ -0,0 +1,139 @@ +From e7c18bc6ba0e1d0390d8660606f02a2f5ed00516 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Mar 2023 15:45:48 +0100 +Subject: x86/PVH: obtain VGA console info in Dom0 + +From: Jan Beulich + +[ Upstream commit 934ef33ee75c3846f605f18b65048acd147e3918 ] + +A new platform-op was added to Xen to allow obtaining the same VGA +console information PV Dom0 is handed. Invoke the new function and have +the output data processed by xen_init_vga(). + +Signed-off-by: Jan Beulich +Reviewed-by: Juergen Gross + +Link: https://lore.kernel.org/r/8f315e92-7bda-c124-71cc-478ab9c5e610@suse.com +Signed-off-by: Juergen Gross +Signed-off-by: Sasha Levin +--- + arch/x86/xen/Makefile | 2 +- + arch/x86/xen/enlighten_pv.c | 3 ++- + arch/x86/xen/enlighten_pvh.c | 13 +++++++++++++ + arch/x86/xen/vga.c | 5 ++--- + arch/x86/xen/xen-ops.h | 7 ++++--- + include/xen/interface/platform.h | 3 +++ + 6 files changed, 25 insertions(+), 8 deletions(-) + +diff --git a/arch/x86/xen/Makefile b/arch/x86/xen/Makefile +index 3c5b52fbe4a7f..a9ec8c9f5c5dd 100644 +--- a/arch/x86/xen/Makefile ++++ b/arch/x86/xen/Makefile +@@ -45,6 +45,6 @@ obj-$(CONFIG_PARAVIRT_SPINLOCKS)+= spinlock.o + + obj-$(CONFIG_XEN_DEBUG_FS) += debugfs.o + +-obj-$(CONFIG_XEN_PV_DOM0) += vga.o ++obj-$(CONFIG_XEN_DOM0) += vga.o + + obj-$(CONFIG_XEN_EFI) += efi.o +diff --git a/arch/x86/xen/enlighten_pv.c b/arch/x86/xen/enlighten_pv.c +index 8944726255c9c..333539bdbdaae 100644 +--- a/arch/x86/xen/enlighten_pv.c ++++ b/arch/x86/xen/enlighten_pv.c +@@ -1389,7 +1389,8 @@ asmlinkage __visible void __init xen_start_kernel(struct start_info *si) + + x86_platform.set_legacy_features = + xen_dom0_set_legacy_features; +- xen_init_vga(info, xen_start_info->console.dom0.info_size); ++ xen_init_vga(info, xen_start_info->console.dom0.info_size, ++ &boot_params.screen_info); + xen_start_info->console.domU.mfn = 0; + xen_start_info->console.domU.evtchn = 0; + +diff --git a/arch/x86/xen/enlighten_pvh.c b/arch/x86/xen/enlighten_pvh.c +index bcae606bbc5cf..1da44aca896c6 100644 +--- a/arch/x86/xen/enlighten_pvh.c ++++ b/arch/x86/xen/enlighten_pvh.c +@@ -43,6 +43,19 @@ void __init xen_pvh_init(struct boot_params *boot_params) + x86_init.oem.banner = xen_banner; + + xen_efi_init(boot_params); ++ ++ if (xen_initial_domain()) { ++ struct xen_platform_op op = { ++ .cmd = XENPF_get_dom0_console, ++ }; ++ long ret = HYPERVISOR_platform_op(&op); ++ ++ if (ret > 0) ++ xen_init_vga(&op.u.dom0_console, ++ min(ret * sizeof(char), ++ sizeof(op.u.dom0_console)), ++ &boot_params->screen_info); ++ } + } + + void __init mem_map_via_hcall(struct boot_params *boot_params_p) +diff --git a/arch/x86/xen/vga.c b/arch/x86/xen/vga.c +index 14ea32e734d59..d97adab8420f4 100644 +--- a/arch/x86/xen/vga.c ++++ b/arch/x86/xen/vga.c +@@ -9,10 +9,9 @@ + + #include "xen-ops.h" + +-void __init xen_init_vga(const struct dom0_vga_console_info *info, size_t size) ++void __init xen_init_vga(const struct dom0_vga_console_info *info, size_t size, ++ struct screen_info *screen_info) + { +- struct screen_info *screen_info = &boot_params.screen_info; +- + /* This is drawn from a dump from vgacon:startup in + * standard Linux. */ + screen_info->orig_video_mode = 3; +diff --git a/arch/x86/xen/xen-ops.h b/arch/x86/xen/xen-ops.h +index 9a8bb972193d8..a10903785a338 100644 +--- a/arch/x86/xen/xen-ops.h ++++ b/arch/x86/xen/xen-ops.h +@@ -108,11 +108,12 @@ static inline void xen_uninit_lock_cpu(int cpu) + + struct dom0_vga_console_info; + +-#ifdef CONFIG_XEN_PV_DOM0 +-void __init xen_init_vga(const struct dom0_vga_console_info *, size_t size); ++#ifdef CONFIG_XEN_DOM0 ++void __init xen_init_vga(const struct dom0_vga_console_info *, size_t size, ++ struct screen_info *); + #else + static inline void __init xen_init_vga(const struct dom0_vga_console_info *info, +- size_t size) ++ size_t size, struct screen_info *si) + { + } + #endif +diff --git a/include/xen/interface/platform.h b/include/xen/interface/platform.h +index 655d92e803e14..79a443c65ea93 100644 +--- a/include/xen/interface/platform.h ++++ b/include/xen/interface/platform.h +@@ -483,6 +483,8 @@ struct xenpf_symdata { + }; + DEFINE_GUEST_HANDLE_STRUCT(xenpf_symdata); + ++#define XENPF_get_dom0_console 64 ++ + struct xen_platform_op { + uint32_t cmd; + uint32_t interface_version; /* XENPF_INTERFACE_VERSION */ +@@ -506,6 +508,7 @@ struct xen_platform_op { + struct xenpf_mem_hotadd mem_add; + struct xenpf_core_parking core_parking; + struct xenpf_symdata symdata; ++ struct dom0_vga_console_info dom0_console; + uint8_t pad[128]; + } u; + }; +-- +2.39.2 + diff --git a/queue-6.1/xfrm-zero-padding-when-dumping-algos-and-encap.patch b/queue-6.1/xfrm-zero-padding-when-dumping-algos-and-encap.patch new file mode 100644 index 00000000000..0b448bfc0ce --- /dev/null +++ b/queue-6.1/xfrm-zero-padding-when-dumping-algos-and-encap.patch @@ -0,0 +1,111 @@ +From 53ceaf0d2b19808df145d6b4bb7469edbd7f7553 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Feb 2023 09:09:52 +0800 +Subject: xfrm: Zero padding when dumping algos and encap + +From: Herbert Xu + +[ Upstream commit 8222d5910dae08213b6d9d4bc9a7f8502855e624 ] + +When copying data to user-space we should ensure that only valid +data is copied over. Padding in structures may be filled with +random (possibly sensitve) data and should never be given directly +to user-space. + +This patch fixes the copying of xfrm algorithms and the encap +template in xfrm_user so that padding is zeroed. + +Reported-by: syzbot+fa5414772d5c445dac3c@syzkaller.appspotmail.com +Reported-by: Hyunwoo Kim +Signed-off-by: Herbert Xu +Reviewed-by: Sabrina Dubroca +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_user.c | 45 ++++++++++++++++++++++++++++++++++++++++---- + 1 file changed, 41 insertions(+), 4 deletions(-) + +diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c +index e73f9efc54c12..83f35ecacf24f 100644 +--- a/net/xfrm/xfrm_user.c ++++ b/net/xfrm/xfrm_user.c +@@ -997,7 +997,9 @@ static int copy_to_user_aead(struct xfrm_algo_aead *aead, struct sk_buff *skb) + return -EMSGSIZE; + + ap = nla_data(nla); +- memcpy(ap, aead, sizeof(*aead)); ++ strscpy_pad(ap->alg_name, aead->alg_name, sizeof(ap->alg_name)); ++ ap->alg_key_len = aead->alg_key_len; ++ ap->alg_icv_len = aead->alg_icv_len; + + if (redact_secret && aead->alg_key_len) + memset(ap->alg_key, 0, (aead->alg_key_len + 7) / 8); +@@ -1017,7 +1019,8 @@ static int copy_to_user_ealg(struct xfrm_algo *ealg, struct sk_buff *skb) + return -EMSGSIZE; + + ap = nla_data(nla); +- memcpy(ap, ealg, sizeof(*ealg)); ++ strscpy_pad(ap->alg_name, ealg->alg_name, sizeof(ap->alg_name)); ++ ap->alg_key_len = ealg->alg_key_len; + + if (redact_secret && ealg->alg_key_len) + memset(ap->alg_key, 0, (ealg->alg_key_len + 7) / 8); +@@ -1028,6 +1031,40 @@ static int copy_to_user_ealg(struct xfrm_algo *ealg, struct sk_buff *skb) + return 0; + } + ++static int copy_to_user_calg(struct xfrm_algo *calg, struct sk_buff *skb) ++{ ++ struct nlattr *nla = nla_reserve(skb, XFRMA_ALG_COMP, sizeof(*calg)); ++ struct xfrm_algo *ap; ++ ++ if (!nla) ++ return -EMSGSIZE; ++ ++ ap = nla_data(nla); ++ strscpy_pad(ap->alg_name, calg->alg_name, sizeof(ap->alg_name)); ++ ap->alg_key_len = 0; ++ ++ return 0; ++} ++ ++static int copy_to_user_encap(struct xfrm_encap_tmpl *ep, struct sk_buff *skb) ++{ ++ struct nlattr *nla = nla_reserve(skb, XFRMA_ENCAP, sizeof(*ep)); ++ struct xfrm_encap_tmpl *uep; ++ ++ if (!nla) ++ return -EMSGSIZE; ++ ++ uep = nla_data(nla); ++ memset(uep, 0, sizeof(*uep)); ++ ++ uep->encap_type = ep->encap_type; ++ uep->encap_sport = ep->encap_sport; ++ uep->encap_dport = ep->encap_dport; ++ uep->encap_oa = ep->encap_oa; ++ ++ return 0; ++} ++ + static int xfrm_smark_put(struct sk_buff *skb, struct xfrm_mark *m) + { + int ret = 0; +@@ -1083,12 +1120,12 @@ static int copy_to_user_state_extra(struct xfrm_state *x, + goto out; + } + if (x->calg) { +- ret = nla_put(skb, XFRMA_ALG_COMP, sizeof(*(x->calg)), x->calg); ++ ret = copy_to_user_calg(x->calg, skb); + if (ret) + goto out; + } + if (x->encap) { +- ret = nla_put(skb, XFRMA_ENCAP, sizeof(*x->encap), x->encap); ++ ret = copy_to_user_encap(x->encap, skb); + if (ret) + goto out; + } +-- +2.39.2 + diff --git a/queue-6.1/zstd-fix-definition-of-assert.patch b/queue-6.1/zstd-fix-definition-of-assert.patch new file mode 100644 index 00000000000..4a8451e0dbf --- /dev/null +++ b/queue-6.1/zstd-fix-definition-of-assert.patch @@ -0,0 +1,39 @@ +From 20c83d02e1ab046e7927cb86043bf5667790a694 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 29 Jan 2023 14:14:36 +0100 +Subject: zstd: Fix definition of assert() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jonathan Neuschäfer + +[ Upstream commit 6906598f1ce93761716d780b6e3f171e13f0f4ce ] + +assert(x) should emit a warning if x is false. WARN_ON(x) emits a +warning if x is true. Thus, assert(x) should be defined as WARN_ON(!x) +rather than WARN_ON(x). + +Signed-off-by: Jonathan Neuschäfer +Signed-off-by: Nick Terrell +Signed-off-by: Sasha Levin +--- + lib/zstd/common/zstd_deps.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/zstd/common/zstd_deps.h b/lib/zstd/common/zstd_deps.h +index 7a5bf44839c9c..f06df065dec01 100644 +--- a/lib/zstd/common/zstd_deps.h ++++ b/lib/zstd/common/zstd_deps.h +@@ -84,7 +84,7 @@ static uint64_t ZSTD_div64(uint64_t dividend, uint32_t divisor) { + + #include + +-#define assert(x) WARN_ON((x)) ++#define assert(x) WARN_ON(!(x)) + + #endif /* ZSTD_DEPS_ASSERT */ + #endif /* ZSTD_DEPS_NEED_ASSERT */ +-- +2.39.2 + -- 2.47.3