From 428aa3458e047ab5be03234ecf6bee353c893f2c Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Fri, 26 May 2023 20:07:37 +0100 Subject: [PATCH] 5.15-stable patches added patches: alsa-hda-ca0132-add-quirk-for-evga-x299-dark.patch alsa-hda-fix-unhandled-register-update-during-auto-suspend-period.patch alsa-hda-realtek-enable-headset-onlenovo-m70-m90.patch arm64-also-reset-kasan-tag-if-page-is-not-pg_mte_tagged.patch asoc-rt5682-disable-jack-detection-interrupt-during-suspend.patch m68k-move-signal-frame-following-exception-on-68020-030.patch mmc-sdhci-esdhc-imx-make-no-mmc-hs400-works.patch net-cdc_ncm-deal-with-too-low-values-of-dwntboutmaxsize.patch parisc-allow-to-reboot-machine-after-system-halt.patch parisc-handle-kgdb-breakpoints-only-in-kernel-context.patch x86-mm-avoid-incomplete-global-invlpg-flushes.patch --- ...-ca0132-add-quirk-for-evga-x299-dark.patch | 33 +++++ ...er-update-during-auto-suspend-period.patch | 67 +++++++++ ...ltek-enable-headset-onlenovo-m70-m90.patch | 33 +++++ ...san-tag-if-page-is-not-pg_mte_tagged.patch | 54 ++++++++ ...k-detection-interrupt-during-suspend.patch | 85 ++++++++++++ ...ame-following-exception-on-68020-030.patch | 90 +++++++++++++ ...ci-esdhc-imx-make-no-mmc-hs400-works.patch | 79 +++++++++++ ...th-too-low-values-of-dwntboutmaxsize.patch | 127 ++++++++++++++++++ ...-to-reboot-machine-after-system-halt.patch | 43 ++++++ ...b-breakpoints-only-in-kernel-context.patch | 32 +++++ queue-5.15/series | 11 ++ ...oid-incomplete-global-invlpg-flushes.patch | 85 ++++++++++++ 12 files changed, 739 insertions(+) create mode 100644 queue-5.15/alsa-hda-ca0132-add-quirk-for-evga-x299-dark.patch create mode 100644 queue-5.15/alsa-hda-fix-unhandled-register-update-during-auto-suspend-period.patch create mode 100644 queue-5.15/alsa-hda-realtek-enable-headset-onlenovo-m70-m90.patch create mode 100644 queue-5.15/arm64-also-reset-kasan-tag-if-page-is-not-pg_mte_tagged.patch create mode 100644 queue-5.15/asoc-rt5682-disable-jack-detection-interrupt-during-suspend.patch create mode 100644 queue-5.15/m68k-move-signal-frame-following-exception-on-68020-030.patch create mode 100644 queue-5.15/mmc-sdhci-esdhc-imx-make-no-mmc-hs400-works.patch create mode 100644 queue-5.15/net-cdc_ncm-deal-with-too-low-values-of-dwntboutmaxsize.patch create mode 100644 queue-5.15/parisc-allow-to-reboot-machine-after-system-halt.patch create mode 100644 queue-5.15/parisc-handle-kgdb-breakpoints-only-in-kernel-context.patch create mode 100644 queue-5.15/x86-mm-avoid-incomplete-global-invlpg-flushes.patch diff --git a/queue-5.15/alsa-hda-ca0132-add-quirk-for-evga-x299-dark.patch b/queue-5.15/alsa-hda-ca0132-add-quirk-for-evga-x299-dark.patch new file mode 100644 index 00000000000..3bca9071021 --- /dev/null +++ b/queue-5.15/alsa-hda-ca0132-add-quirk-for-evga-x299-dark.patch @@ -0,0 +1,33 @@ +From 7843380d07bbeffd3ce6504e73cf61f840ae76ca Mon Sep 17 00:00:00 2001 +From: Adam Stylinski +Date: Sun, 21 May 2023 10:52:23 -0400 +Subject: ALSA: hda/ca0132: add quirk for EVGA X299 DARK + +From: Adam Stylinski + +commit 7843380d07bbeffd3ce6504e73cf61f840ae76ca upstream. + +This quirk is necessary for surround and other DSP effects to work +with the onboard ca0132 based audio chipset for the EVGA X299 dark +mainboard. + +Signed-off-by: Adam Stylinski +Cc: +Link: https://bugzilla.kernel.org/show_bug.cgi?id=67071 +Link: https://lore.kernel.org/r/ZGopOe19T1QOwizS@eggsbenedict.adamsnet +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_ca0132.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_ca0132.c ++++ b/sound/pci/hda/patch_ca0132.c +@@ -1306,6 +1306,7 @@ static const struct snd_pci_quirk ca0132 + SND_PCI_QUIRK(0x1458, 0xA026, "Gigabyte G1.Sniper Z97", QUIRK_R3DI), + SND_PCI_QUIRK(0x1458, 0xA036, "Gigabyte GA-Z170X-Gaming 7", QUIRK_R3DI), + SND_PCI_QUIRK(0x3842, 0x1038, "EVGA X99 Classified", QUIRK_R3DI), ++ SND_PCI_QUIRK(0x3842, 0x104b, "EVGA X299 Dark", QUIRK_R3DI), + SND_PCI_QUIRK(0x3842, 0x1055, "EVGA Z390 DARK", QUIRK_R3DI), + SND_PCI_QUIRK(0x1102, 0x0013, "Recon3D", QUIRK_R3D), + SND_PCI_QUIRK(0x1102, 0x0018, "Recon3D", QUIRK_R3D), diff --git a/queue-5.15/alsa-hda-fix-unhandled-register-update-during-auto-suspend-period.patch b/queue-5.15/alsa-hda-fix-unhandled-register-update-during-auto-suspend-period.patch new file mode 100644 index 00000000000..ef02319d858 --- /dev/null +++ b/queue-5.15/alsa-hda-fix-unhandled-register-update-during-auto-suspend-period.patch @@ -0,0 +1,67 @@ +From 81302b1c7c997e8a56c1c2fc63a296ebeb0cd2d0 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Thu, 18 May 2023 13:35:20 +0200 +Subject: ALSA: hda: Fix unhandled register update during auto-suspend period +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Takashi Iwai + +commit 81302b1c7c997e8a56c1c2fc63a296ebeb0cd2d0 upstream. + +It's reported that the recording started right after the driver probe +doesn't work properly, and it turned out that this is related with the +codec auto-suspend. Namely, after the probe phase, the usage count +goes zero, and the auto-suspend is programmed, but the codec is kept +still active until the auto-suspend expiration. When an application +(e.g. alsactl) updates the mixer values at this moment, the values are +cached but not actually written. Then, starting arecord thereafter +also results in the silence because of the missing unmute. + +The root cause is the handling of "lazy update" mode; when a mixer +value is updated *after* the suspend, it should update only the cache +and exits. At the resume, the cached value is written to the device, +in turn. The problem is that the current code misinterprets the state +of auto-suspend as if it were already suspended. + +Although we can add the check of the actual device state after +pm_runtime_get_if_in_use() for catching the missing state, this won't +suffice; the second call of regmap_update_bits_check() will skip +writing the register because the cache has been already updated by the +first call. So we'd need fixes in two different places. + +OTOH, a simpler fix is to replace pm_runtime_get_if_in_use() with +pm_runtime_get_if_active() (with ign_usage_count=true). This change +implies that the driver takes the pm refcount if the device is still +in ACTIVE state and continues the processing. A small caveat is that +this will leave the auto-suspend timer. But, since the timer callback +itself checks the device state and aborts gracefully when it's active, +this won't be any substantial problem. + +Long story short: we address the missing register-write problem just +by replacing the pm_runtime_*() call in snd_hda_keep_power_up(). + +Fixes: fc4f000bf8c0 ("ALSA: hda - Fix unexpected resume through regmap code path") +Reported-by: Amadeusz Sławiński +Closes: https://lore.kernel.org/r/a7478636-af11-92ab-731c-9b13c582a70d@linux.intel.com +Suggested-by: Cezary Rojewski +Cc: +Link: https://lore.kernel.org/r/20230518113520.15213-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/hda/hdac_device.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/hda/hdac_device.c ++++ b/sound/hda/hdac_device.c +@@ -611,7 +611,7 @@ EXPORT_SYMBOL_GPL(snd_hdac_power_up_pm); + int snd_hdac_keep_power_up(struct hdac_device *codec) + { + if (!atomic_inc_not_zero(&codec->in_pm)) { +- int ret = pm_runtime_get_if_in_use(&codec->dev); ++ int ret = pm_runtime_get_if_active(&codec->dev, true); + if (!ret) + return -1; + if (ret < 0) diff --git a/queue-5.15/alsa-hda-realtek-enable-headset-onlenovo-m70-m90.patch b/queue-5.15/alsa-hda-realtek-enable-headset-onlenovo-m70-m90.patch new file mode 100644 index 00000000000..7b66f3fd69c --- /dev/null +++ b/queue-5.15/alsa-hda-realtek-enable-headset-onlenovo-m70-m90.patch @@ -0,0 +1,33 @@ +From 4ca110cab46561cd74a2acd9b447435acb4bec5f Mon Sep 17 00:00:00 2001 +From: Bin Li +Date: Wed, 24 May 2023 19:37:55 +0800 +Subject: ALSA: hda/realtek: Enable headset onLenovo M70/M90 + +From: Bin Li + +commit 4ca110cab46561cd74a2acd9b447435acb4bec5f upstream. + +Lenovo M70/M90 Gen4 are equipped with ALC897, and they need +ALC897_FIXUP_HEADSET_MIC_PIN quirk to make its headset mic work. +The previous quirk for M70/M90 is for Gen3. + +Signed-off-by: Bin Li +Cc: +Link: https://lore.kernel.org/r/20230524113755.1346928-1-bin.li@canonical.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -11274,6 +11274,8 @@ static const struct snd_pci_quirk alc662 + SND_PCI_QUIRK(0x17aa, 0x32cb, "Lenovo ThinkCentre M70", ALC897_FIXUP_HEADSET_MIC_PIN), + SND_PCI_QUIRK(0x17aa, 0x32cf, "Lenovo ThinkCentre M950", ALC897_FIXUP_HEADSET_MIC_PIN), + SND_PCI_QUIRK(0x17aa, 0x32f7, "Lenovo ThinkCentre M90", ALC897_FIXUP_HEADSET_MIC_PIN), ++ SND_PCI_QUIRK(0x17aa, 0x3321, "Lenovo ThinkCentre M70 Gen4", ALC897_FIXUP_HEADSET_MIC_PIN), ++ SND_PCI_QUIRK(0x17aa, 0x331b, "Lenovo ThinkCentre M90 Gen4", ALC897_FIXUP_HEADSET_MIC_PIN), + SND_PCI_QUIRK(0x17aa, 0x3742, "Lenovo TianYi510Pro-14IOB", ALC897_FIXUP_HEADSET_MIC_PIN2), + SND_PCI_QUIRK(0x17aa, 0x38af, "Lenovo Ideapad Y550P", ALC662_FIXUP_IDEAPAD), + SND_PCI_QUIRK(0x17aa, 0x3a0d, "Lenovo Ideapad Y550", ALC662_FIXUP_IDEAPAD), diff --git a/queue-5.15/arm64-also-reset-kasan-tag-if-page-is-not-pg_mte_tagged.patch b/queue-5.15/arm64-also-reset-kasan-tag-if-page-is-not-pg_mte_tagged.patch new file mode 100644 index 00000000000..2a4df81cece --- /dev/null +++ b/queue-5.15/arm64-also-reset-kasan-tag-if-page-is-not-pg_mte_tagged.patch @@ -0,0 +1,54 @@ +From 2efbafb91e12ff5a16cbafb0085e4c10c3fca493 Mon Sep 17 00:00:00 2001 +From: Peter Collingbourne +Date: Thu, 20 Apr 2023 14:09:45 -0700 +Subject: arm64: Also reset KASAN tag if page is not PG_mte_tagged + +From: Peter Collingbourne + +commit 2efbafb91e12ff5a16cbafb0085e4c10c3fca493 upstream. + +Consider the following sequence of events: + +1) A page in a PROT_READ|PROT_WRITE VMA is faulted. +2) Page migration allocates a page with the KASAN allocator, + causing it to receive a non-match-all tag, and uses it + to replace the page faulted in 1. +3) The program uses mprotect() to enable PROT_MTE on the page faulted in 1. + +As a result of step 3, we are left with a non-match-all tag for a page +with tags accessible to userspace, which can lead to the same kind of +tag check faults that commit e74a68468062 ("arm64: Reset KASAN tag in +copy_highpage with HW tags only") intended to fix. + +The general invariant that we have for pages in a VMA with VM_MTE_ALLOWED +is that they cannot have a non-match-all tag. As a result of step 2, the +invariant is broken. This means that the fix in the referenced commit +was incomplete and we also need to reset the tag for pages without +PG_mte_tagged. + +Fixes: e5b8d9218951 ("arm64: mte: reset the page tag in page->flags") +Cc: # 5.15 +Link: https://linux-review.googlesource.com/id/I7409cdd41acbcb215c2a7417c1e50d37b875beff +Signed-off-by: Peter Collingbourne +Reviewed-by: Catalin Marinas +Link: https://lore.kernel.org/r/20230420210945.2313627-1-pcc@google.com +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/mm/copypage.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/arm64/mm/copypage.c ++++ b/arch/arm64/mm/copypage.c +@@ -21,9 +21,10 @@ void copy_highpage(struct page *to, stru + + copy_page(kto, kfrom); + ++ page_kasan_tag_reset(to); ++ + if (system_supports_mte() && test_bit(PG_mte_tagged, &from->flags)) { + set_bit(PG_mte_tagged, &to->flags); +- page_kasan_tag_reset(to); + /* + * We need smp_wmb() in between setting the flags and clearing the + * tags because if another thread reads page->flags and builds a diff --git a/queue-5.15/asoc-rt5682-disable-jack-detection-interrupt-during-suspend.patch b/queue-5.15/asoc-rt5682-disable-jack-detection-interrupt-during-suspend.patch new file mode 100644 index 00000000000..315228b5f4b --- /dev/null +++ b/queue-5.15/asoc-rt5682-disable-jack-detection-interrupt-during-suspend.patch @@ -0,0 +1,85 @@ +From 8b271370e963370703819bd9795a54d658071bed Mon Sep 17 00:00:00 2001 +From: Matthias Kaehlcke +Date: Tue, 16 May 2023 16:46:30 +0000 +Subject: ASoC: rt5682: Disable jack detection interrupt during suspend + +From: Matthias Kaehlcke + +commit 8b271370e963370703819bd9795a54d658071bed upstream. + +The rt5682 driver switches its regmap to cache-only when the +device suspends and back to regular mode on resume. When the +jack detect interrupt fires rt5682_irq() schedules the jack +detect work. This can result in invalid reads from the regmap +in cache-only mode if the work runs before the device has +resumed: + +[ 56.245502] rt5682 9-001a: ASoC: error at soc_component_read_no_lock on rt5682.9-001a for register: [0x000000f0] -16 + +Disable the jack detection interrupt during suspend and +re-enable it on resume. The driver already schedules the +jack detection work on resume, so any state change during +suspend is still handled. + +This is essentially the same as commit f7d00a9be147 ("SoC: +rt5682s: Disable jack detection interrupt during suspend") +for the rt5682s. + +Cc: stable@kernel.org +Signed-off-by: Matthias Kaehlcke +--- + sound/soc/codecs/rt5682-i2c.c | 4 +++- + sound/soc/codecs/rt5682.c | 6 ++++++ + sound/soc/codecs/rt5682.h | 1 + + 3 files changed, 10 insertions(+), 1 deletion(-) + +--- a/sound/soc/codecs/rt5682-i2c.c ++++ b/sound/soc/codecs/rt5682-i2c.c +@@ -268,7 +268,9 @@ static int rt5682_i2c_probe(struct i2c_c + ret = devm_request_threaded_irq(&i2c->dev, i2c->irq, NULL, + rt5682_irq, IRQF_TRIGGER_RISING | IRQF_TRIGGER_FALLING + | IRQF_ONESHOT, "rt5682", rt5682); +- if (ret) ++ if (!ret) ++ rt5682->irq = i2c->irq; ++ else + dev_err(&i2c->dev, "Failed to reguest IRQ: %d\n", ret); + } + +--- a/sound/soc/codecs/rt5682.c ++++ b/sound/soc/codecs/rt5682.c +@@ -2951,6 +2951,9 @@ static int rt5682_suspend(struct snd_soc + if (rt5682->is_sdw) + return 0; + ++ if (rt5682->irq) ++ disable_irq(rt5682->irq); ++ + cancel_delayed_work_sync(&rt5682->jack_detect_work); + cancel_delayed_work_sync(&rt5682->jd_check_work); + if (rt5682->hs_jack && (rt5682->jack_type & SND_JACK_HEADSET) == SND_JACK_HEADSET) { +@@ -3019,6 +3022,9 @@ static int rt5682_resume(struct snd_soc_ + mod_delayed_work(system_power_efficient_wq, + &rt5682->jack_detect_work, msecs_to_jiffies(0)); + ++ if (rt5682->irq) ++ enable_irq(rt5682->irq); ++ + return 0; + } + #else +--- a/sound/soc/codecs/rt5682.h ++++ b/sound/soc/codecs/rt5682.h +@@ -1462,6 +1462,7 @@ struct rt5682_priv { + int pll_out[RT5682_PLLS]; + + int jack_type; ++ int irq; + int irq_work_delay_time; + }; + diff --git a/queue-5.15/m68k-move-signal-frame-following-exception-on-68020-030.patch b/queue-5.15/m68k-move-signal-frame-following-exception-on-68020-030.patch new file mode 100644 index 00000000000..3a0b85a0096 --- /dev/null +++ b/queue-5.15/m68k-move-signal-frame-following-exception-on-68020-030.patch @@ -0,0 +1,90 @@ +From b845b574f86dcb6a70dfa698aa87a237b0878d2a Mon Sep 17 00:00:00 2001 +From: Finn Thain +Date: Sat, 6 May 2023 19:38:12 +1000 +Subject: m68k: Move signal frame following exception on 68020/030 + +From: Finn Thain + +commit b845b574f86dcb6a70dfa698aa87a237b0878d2a upstream. + +On 68030/020, an instruction such as, moveml %a2-%a3/%a5,%sp@- may cause +a stack page fault during instruction execution (i.e. not at an +instruction boundary) and produce a format 0xB exception frame. + +In this situation, the value of USP will be unreliable. If a signal is +to be delivered following the exception, this USP value is used to +calculate the location for a signal frame. This can result in a +corrupted user stack. + +The corruption was detected in dash (actually in glibc) where it showed +up as an intermittent "stack smashing detected" message and crash +following signal delivery for SIGCHLD. + +It was hard to reproduce that failure because delivery of the signal +raced with the page fault and because the kernel places an unpredictable +gap of up to 7 bytes between the USP and the signal frame. + +A format 0xB exception frame can be produced by a bus error or an +address error. The 68030 Users Manual says that address errors occur +immediately upon detection during instruction prefetch. The instruction +pipeline allows prefetch to overlap with other instructions, which means +an address error can arise during the execution of a different +instruction. So it seems likely that this patch may help in the address +error case also. + +Reported-and-tested-by: Stan Johnson +Link: https://lore.kernel.org/all/CAMuHMdW3yD22_ApemzW_6me3adq6A458u1_F0v-1EYwK_62jPA@mail.gmail.com/ +Cc: Michael Schmitz +Cc: Andreas Schwab +Cc: stable@vger.kernel.org +Co-developed-by: Michael Schmitz +Signed-off-by: Michael Schmitz +Signed-off-by: Finn Thain +Reviewed-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/9e66262a754fcba50208aa424188896cc52a1dd1.1683365892.git.fthain@linux-m68k.org +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Greg Kroah-Hartman +--- + arch/m68k/kernel/signal.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +--- a/arch/m68k/kernel/signal.c ++++ b/arch/m68k/kernel/signal.c +@@ -858,11 +858,17 @@ static inline int rt_setup_ucontext(stru + } + + static inline void __user * +-get_sigframe(struct ksignal *ksig, size_t frame_size) ++get_sigframe(struct ksignal *ksig, struct pt_regs *tregs, size_t frame_size) + { + unsigned long usp = sigsp(rdusp(), ksig); ++ unsigned long gap = 0; + +- return (void __user *)((usp - frame_size) & -8UL); ++ if (CPU_IS_020_OR_030 && tregs->format == 0xb) { ++ /* USP is unreliable so use worst-case value */ ++ gap = 256; ++ } ++ ++ return (void __user *)((usp - gap - frame_size) & -8UL); + } + + static int setup_frame(struct ksignal *ksig, sigset_t *set, +@@ -880,7 +886,7 @@ static int setup_frame(struct ksignal *k + return -EFAULT; + } + +- frame = get_sigframe(ksig, sizeof(*frame) + fsize); ++ frame = get_sigframe(ksig, tregs, sizeof(*frame) + fsize); + + if (fsize) + err |= copy_to_user (frame + 1, regs + 1, fsize); +@@ -952,7 +958,7 @@ static int setup_rt_frame(struct ksignal + return -EFAULT; + } + +- frame = get_sigframe(ksig, sizeof(*frame)); ++ frame = get_sigframe(ksig, tregs, sizeof(*frame)); + + if (fsize) + err |= copy_to_user (&frame->uc.uc_extra, regs + 1, fsize); diff --git a/queue-5.15/mmc-sdhci-esdhc-imx-make-no-mmc-hs400-works.patch b/queue-5.15/mmc-sdhci-esdhc-imx-make-no-mmc-hs400-works.patch new file mode 100644 index 00000000000..eab670b7c1e --- /dev/null +++ b/queue-5.15/mmc-sdhci-esdhc-imx-make-no-mmc-hs400-works.patch @@ -0,0 +1,79 @@ +From 81dce1490e28439c3cd8a8650b862a712f3061ba Mon Sep 17 00:00:00 2001 +From: Haibo Chen +Date: Thu, 4 May 2023 19:22:22 +0800 +Subject: mmc: sdhci-esdhc-imx: make "no-mmc-hs400" works + +From: Haibo Chen + +commit 81dce1490e28439c3cd8a8650b862a712f3061ba upstream. + +After commit 1ed5c3b22fc7 ("mmc: sdhci-esdhc-imx: Propagate +ESDHC_FLAG_HS400* only on 8bit bus"), the property "no-mmc-hs400" +from device tree file do not work any more. +This patch reorder the code, which can avoid the warning message +"drop HS400 support since no 8-bit bus" and also make the property +"no-mmc-hs400" from dts file works. + +Fixes: 1ed5c3b22fc7 ("mmc: sdhci-esdhc-imx: Propagate ESDHC_FLAG_HS400* only on 8bit bus") +Signed-off-by: Haibo Chen +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20230504112222.3599602-1-haibo.chen@nxp.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/sdhci-esdhc-imx.c | 18 ++++++++++-------- + 1 file changed, 10 insertions(+), 8 deletions(-) + +--- a/drivers/mmc/host/sdhci-esdhc-imx.c ++++ b/drivers/mmc/host/sdhci-esdhc-imx.c +@@ -1568,6 +1568,10 @@ sdhci_esdhc_imx_probe_dt(struct platform + if (ret) + return ret; + ++ /* HS400/HS400ES require 8 bit bus */ ++ if (!(host->mmc->caps & MMC_CAP_8_BIT_DATA)) ++ host->mmc->caps2 &= ~(MMC_CAP2_HS400 | MMC_CAP2_HS400_ES); ++ + if (mmc_gpio_get_cd(host->mmc) >= 0) + host->quirks &= ~SDHCI_QUIRK_BROKEN_CARD_DETECTION; + +@@ -1652,10 +1656,6 @@ static int sdhci_esdhc_imx_probe(struct + host->mmc_host_ops.execute_tuning = usdhc_execute_tuning; + } + +- err = sdhci_esdhc_imx_probe_dt(pdev, host, imx_data); +- if (err) +- goto disable_ahb_clk; +- + if (imx_data->socdata->flags & ESDHC_FLAG_MAN_TUNING) + sdhci_esdhc_ops.platform_execute_tuning = + esdhc_executing_tuning; +@@ -1663,15 +1663,13 @@ static int sdhci_esdhc_imx_probe(struct + if (imx_data->socdata->flags & ESDHC_FLAG_ERR004536) + host->quirks |= SDHCI_QUIRK_BROKEN_ADMA; + +- if (host->mmc->caps & MMC_CAP_8_BIT_DATA && +- imx_data->socdata->flags & ESDHC_FLAG_HS400) ++ if (imx_data->socdata->flags & ESDHC_FLAG_HS400) + host->mmc->caps2 |= MMC_CAP2_HS400; + + if (imx_data->socdata->flags & ESDHC_FLAG_BROKEN_AUTO_CMD23) + host->quirks2 |= SDHCI_QUIRK2_ACMD23_BROKEN; + +- if (host->mmc->caps & MMC_CAP_8_BIT_DATA && +- imx_data->socdata->flags & ESDHC_FLAG_HS400_ES) { ++ if (imx_data->socdata->flags & ESDHC_FLAG_HS400_ES) { + host->mmc->caps2 |= MMC_CAP2_HS400_ES; + host->mmc_host_ops.hs400_enhanced_strobe = + esdhc_hs400_enhanced_strobe; +@@ -1693,6 +1691,10 @@ static int sdhci_esdhc_imx_probe(struct + goto disable_ahb_clk; + } + ++ err = sdhci_esdhc_imx_probe_dt(pdev, host, imx_data); ++ if (err) ++ goto disable_ahb_clk; ++ + sdhci_esdhc_imx_hwinit(host); + + err = sdhci_add_host(host); diff --git a/queue-5.15/net-cdc_ncm-deal-with-too-low-values-of-dwntboutmaxsize.patch b/queue-5.15/net-cdc_ncm-deal-with-too-low-values-of-dwntboutmaxsize.patch new file mode 100644 index 00000000000..ec6cfabac42 --- /dev/null +++ b/queue-5.15/net-cdc_ncm-deal-with-too-low-values-of-dwntboutmaxsize.patch @@ -0,0 +1,127 @@ +From 7e01c7f7046efc2c7c192c3619db43292b98e997 Mon Sep 17 00:00:00 2001 +From: Tudor Ambarus +Date: Wed, 17 May 2023 13:38:08 +0000 +Subject: net: cdc_ncm: Deal with too low values of dwNtbOutMaxSize + +From: Tudor Ambarus + +commit 7e01c7f7046efc2c7c192c3619db43292b98e997 upstream. + +Currently in cdc_ncm_check_tx_max(), if dwNtbOutMaxSize is lower than +the calculated "min" value, but greater than zero, the logic sets +tx_max to dwNtbOutMaxSize. This is then used to allocate a new SKB in +cdc_ncm_fill_tx_frame() where all the data is handled. + +For small values of dwNtbOutMaxSize the memory allocated during +alloc_skb(dwNtbOutMaxSize, GFP_ATOMIC) will have the same size, due to +how size is aligned at alloc time: + size = SKB_DATA_ALIGN(size); + size += SKB_DATA_ALIGN(sizeof(struct skb_shared_info)); +Thus we hit the same bug that we tried to squash with +commit 2be6d4d16a084 ("net: cdc_ncm: Allow for dwNtbOutMaxSize to be unset or zero") + +Low values of dwNtbOutMaxSize do not cause an issue presently because at +alloc_skb() time more memory (512b) is allocated than required for the +SKB headers alone (320b), leaving some space (512b - 320b = 192b) +for CDC data (172b). + +However, if more elements (for example 3 x u64 = [24b]) were added to +one of the SKB header structs, say 'struct skb_shared_info', +increasing its original size (320b [320b aligned]) to something larger +(344b [384b aligned]), then suddenly the CDC data (172b) no longer +fits in the spare SKB data area (512b - 384b = 128b). + +Consequently the SKB bounds checking semantics fails and panics: + +skbuff: skb_over_panic: text:ffffffff831f755b len:184 put:172 head:ffff88811f1c6c00 data:ffff88811f1c6c00 tail:0xb8 end:0x80 dev: +------------[ cut here ]------------ +kernel BUG at net/core/skbuff.c:113! +invalid opcode: 0000 [#1] PREEMPT SMP KASAN +CPU: 0 PID: 57 Comm: kworker/0:2 Not tainted 5.15.106-syzkaller-00249-g19c0ed55a470 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 +Workqueue: mld mld_ifc_work +RIP: 0010:skb_panic net/core/skbuff.c:113 [inline] +RIP: 0010:skb_over_panic+0x14c/0x150 net/core/skbuff.c:118 +[snip] +Call Trace: + + skb_put+0x151/0x210 net/core/skbuff.c:2047 + skb_put_zero include/linux/skbuff.h:2422 [inline] + cdc_ncm_ndp16 drivers/net/usb/cdc_ncm.c:1131 [inline] + cdc_ncm_fill_tx_frame+0x11ab/0x3da0 drivers/net/usb/cdc_ncm.c:1308 + cdc_ncm_tx_fixup+0xa3/0x100 + +Deal with too low values of dwNtbOutMaxSize, clamp it in the range +[USB_CDC_NCM_NTB_MIN_OUT_SIZE, CDC_NCM_NTB_MAX_SIZE_TX]. We ensure +enough data space is allocated to handle CDC data by making sure +dwNtbOutMaxSize is not smaller than USB_CDC_NCM_NTB_MIN_OUT_SIZE. + +Fixes: 289507d3364f ("net: cdc_ncm: use sysfs for rx/tx aggregation tuning") +Cc: stable@vger.kernel.org +Reported-by: syzbot+9f575a1f15fc0c01ed69@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?extid=b982f1059506db48409d +Link: https://lore.kernel.org/all/20211202143437.1411410-1-lee.jones@linaro.org/ +Signed-off-by: Tudor Ambarus +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20230517133808.1873695-2-tudor.ambarus@linaro.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/cdc_ncm.c | 24 +++++++++++++++--------- + 1 file changed, 15 insertions(+), 9 deletions(-) + +--- a/drivers/net/usb/cdc_ncm.c ++++ b/drivers/net/usb/cdc_ncm.c +@@ -180,9 +180,12 @@ static u32 cdc_ncm_check_tx_max(struct u + else + min = ctx->max_datagram_size + ctx->max_ndp_size + sizeof(struct usb_cdc_ncm_nth32); + +- max = min_t(u32, CDC_NCM_NTB_MAX_SIZE_TX, le32_to_cpu(ctx->ncm_parm.dwNtbOutMaxSize)); +- if (max == 0) ++ if (le32_to_cpu(ctx->ncm_parm.dwNtbOutMaxSize) == 0) + max = CDC_NCM_NTB_MAX_SIZE_TX; /* dwNtbOutMaxSize not set */ ++ else ++ max = clamp_t(u32, le32_to_cpu(ctx->ncm_parm.dwNtbOutMaxSize), ++ USB_CDC_NCM_NTB_MIN_OUT_SIZE, ++ CDC_NCM_NTB_MAX_SIZE_TX); + + /* some devices set dwNtbOutMaxSize too low for the above default */ + min = min(min, max); +@@ -1243,6 +1246,9 @@ cdc_ncm_fill_tx_frame(struct usbnet *dev + * further. + */ + if (skb_out == NULL) { ++ /* If even the smallest allocation fails, abort. */ ++ if (ctx->tx_curr_size == USB_CDC_NCM_NTB_MIN_OUT_SIZE) ++ goto alloc_failed; + ctx->tx_low_mem_max_cnt = min(ctx->tx_low_mem_max_cnt + 1, + (unsigned)CDC_NCM_LOW_MEM_MAX_CNT); + ctx->tx_low_mem_val = ctx->tx_low_mem_max_cnt; +@@ -1261,13 +1267,8 @@ cdc_ncm_fill_tx_frame(struct usbnet *dev + skb_out = alloc_skb(ctx->tx_curr_size, GFP_ATOMIC); + + /* No allocation possible so we will abort */ +- if (skb_out == NULL) { +- if (skb != NULL) { +- dev_kfree_skb_any(skb); +- dev->net->stats.tx_dropped++; +- } +- goto exit_no_skb; +- } ++ if (!skb_out) ++ goto alloc_failed; + ctx->tx_low_mem_val--; + } + if (ctx->is_ndp16) { +@@ -1460,6 +1461,11 @@ cdc_ncm_fill_tx_frame(struct usbnet *dev + + return skb_out; + ++alloc_failed: ++ if (skb) { ++ dev_kfree_skb_any(skb); ++ dev->net->stats.tx_dropped++; ++ } + exit_no_skb: + /* Start timer, if there is a remaining non-empty skb */ + if (ctx->tx_curr_skb != NULL && n > 0) diff --git a/queue-5.15/parisc-allow-to-reboot-machine-after-system-halt.patch b/queue-5.15/parisc-allow-to-reboot-machine-after-system-halt.patch new file mode 100644 index 00000000000..18d64494784 --- /dev/null +++ b/queue-5.15/parisc-allow-to-reboot-machine-after-system-halt.patch @@ -0,0 +1,43 @@ +From 2028315cf59bb899a5ac7e87dc48ecb8fac7ac24 Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Mon, 22 May 2023 22:57:30 +0200 +Subject: parisc: Allow to reboot machine after system halt + +From: Helge Deller + +commit 2028315cf59bb899a5ac7e87dc48ecb8fac7ac24 upstream. + +In case a machine can't power-off itself on system shutdown, +allow the user to reboot it by pressing the RETURN key. + +Cc: # v4.14+ +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/kernel/process.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +--- a/arch/parisc/kernel/process.c ++++ b/arch/parisc/kernel/process.c +@@ -120,13 +120,18 @@ void machine_power_off(void) + /* It seems we have no way to power the system off via + * software. The user has to press the button himself. */ + +- printk(KERN_EMERG "System shut down completed.\n" +- "Please power this system off now."); ++ printk("Power off or press RETURN to reboot.\n"); + + /* prevent soft lockup/stalled CPU messages for endless loop. */ + rcu_sysrq_start(); + lockup_detector_soft_poweroff(); +- for (;;); ++ while (1) { ++ /* reboot if user presses RETURN key */ ++ if (pdc_iodc_getc() == 13) { ++ printk("Rebooting...\n"); ++ machine_restart(NULL); ++ } ++ } + } + + void (*pm_power_off)(void); diff --git a/queue-5.15/parisc-handle-kgdb-breakpoints-only-in-kernel-context.patch b/queue-5.15/parisc-handle-kgdb-breakpoints-only-in-kernel-context.patch new file mode 100644 index 00000000000..48dc82e5e34 --- /dev/null +++ b/queue-5.15/parisc-handle-kgdb-breakpoints-only-in-kernel-context.patch @@ -0,0 +1,32 @@ +From 6888ff04e37d01295620a73f3f7efbc79f6ef152 Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Wed, 24 May 2023 14:34:58 +0200 +Subject: parisc: Handle kgdb breakpoints only in kernel context + +From: Helge Deller + +commit 6888ff04e37d01295620a73f3f7efbc79f6ef152 upstream. + +The kernel kgdb break instructions should only be handled when running +in kernel context. + +Cc: # v5.4+ +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/kernel/traps.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/parisc/kernel/traps.c ++++ b/arch/parisc/kernel/traps.c +@@ -305,8 +305,8 @@ static void handle_break(struct pt_regs + #endif + + #ifdef CONFIG_KGDB +- if (unlikely(iir == PARISC_KGDB_COMPILED_BREAK_INSN || +- iir == PARISC_KGDB_BREAK_INSN)) { ++ if (unlikely((iir == PARISC_KGDB_COMPILED_BREAK_INSN || ++ iir == PARISC_KGDB_BREAK_INSN)) && !user_mode(regs)) { + kgdb_handle_exception(9, SIGTRAP, 0, regs); + return; + } diff --git a/queue-5.15/series b/queue-5.15/series index 608688dc9b2..46603427eaa 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -7,3 +7,14 @@ arm-dts-stm32-fix-av96-board-sai2-pin-muxing-on-stm32mp15.patch spi-fsl-spi-re-organise-transfer-bits_per_word-adaptation.patch spi-fsl-cpm-use-16-bit-mode-for-large-transfers-with-even-size.patch ocfs2-switch-to-security_inode_init_security.patch +arm64-also-reset-kasan-tag-if-page-is-not-pg_mte_tagged.patch +x86-mm-avoid-incomplete-global-invlpg-flushes.patch +alsa-hda-ca0132-add-quirk-for-evga-x299-dark.patch +alsa-hda-fix-unhandled-register-update-during-auto-suspend-period.patch +alsa-hda-realtek-enable-headset-onlenovo-m70-m90.patch +mmc-sdhci-esdhc-imx-make-no-mmc-hs400-works.patch +asoc-rt5682-disable-jack-detection-interrupt-during-suspend.patch +net-cdc_ncm-deal-with-too-low-values-of-dwntboutmaxsize.patch +m68k-move-signal-frame-following-exception-on-68020-030.patch +parisc-handle-kgdb-breakpoints-only-in-kernel-context.patch +parisc-allow-to-reboot-machine-after-system-halt.patch diff --git a/queue-5.15/x86-mm-avoid-incomplete-global-invlpg-flushes.patch b/queue-5.15/x86-mm-avoid-incomplete-global-invlpg-flushes.patch new file mode 100644 index 00000000000..ef71ba8aa95 --- /dev/null +++ b/queue-5.15/x86-mm-avoid-incomplete-global-invlpg-flushes.patch @@ -0,0 +1,85 @@ +From ce0b15d11ad837fbacc5356941712218e38a0a83 Mon Sep 17 00:00:00 2001 +From: Dave Hansen +Date: Tue, 16 May 2023 12:24:25 -0700 +Subject: x86/mm: Avoid incomplete Global INVLPG flushes + +From: Dave Hansen + +commit ce0b15d11ad837fbacc5356941712218e38a0a83 upstream. + +The INVLPG instruction is used to invalidate TLB entries for a +specified virtual address. When PCIDs are enabled, INVLPG is supposed +to invalidate TLB entries for the specified address for both the +current PCID *and* Global entries. (Note: Only kernel mappings set +Global=1.) + +Unfortunately, some INVLPG implementations can leave Global +translations unflushed when PCIDs are enabled. + +As a workaround, never enable PCIDs on affected processors. + +I expect there to eventually be microcode mitigations to replace this +software workaround. However, the exact version numbers where that +will happen are not known today. Once the version numbers are set in +stone, the processor list can be tweaked to only disable PCIDs on +affected processors with affected microcode. + +Note: if anyone wants a quick fix that doesn't require patching, just +stick 'nopcid' on your kernel command-line. + +Signed-off-by: Dave Hansen +Reviewed-by: Thomas Gleixner +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/mm/init.c | 25 +++++++++++++++++++++++++ + 1 file changed, 25 insertions(+) + +--- a/arch/x86/mm/init.c ++++ b/arch/x86/mm/init.c +@@ -9,6 +9,7 @@ + #include + + #include ++#include + #include + #include + #include +@@ -261,6 +262,24 @@ static void __init probe_page_size_mask( + } + } + ++#define INTEL_MATCH(_model) { .vendor = X86_VENDOR_INTEL, \ ++ .family = 6, \ ++ .model = _model, \ ++ } ++/* ++ * INVLPG may not properly flush Global entries ++ * on these CPUs when PCIDs are enabled. ++ */ ++static const struct x86_cpu_id invlpg_miss_ids[] = { ++ INTEL_MATCH(INTEL_FAM6_ALDERLAKE ), ++ INTEL_MATCH(INTEL_FAM6_ALDERLAKE_L ), ++ INTEL_MATCH(INTEL_FAM6_ALDERLAKE_N ), ++ INTEL_MATCH(INTEL_FAM6_RAPTORLAKE ), ++ INTEL_MATCH(INTEL_FAM6_RAPTORLAKE_P), ++ INTEL_MATCH(INTEL_FAM6_RAPTORLAKE_S), ++ {} ++}; ++ + static void setup_pcid(void) + { + if (!IS_ENABLED(CONFIG_X86_64)) +@@ -269,6 +288,12 @@ static void setup_pcid(void) + if (!boot_cpu_has(X86_FEATURE_PCID)) + return; + ++ if (x86_match_cpu(invlpg_miss_ids)) { ++ pr_info("Incomplete global flushes, disabling PCID"); ++ setup_clear_cpu_cap(X86_FEATURE_PCID); ++ return; ++ } ++ + if (boot_cpu_has(X86_FEATURE_PGE)) { + /* + * This can't be cr4_set_bits_and_update_boot() -- the -- 2.47.3