From 44984cda744fa881a2dc2dbad00dfb7cc68ec681 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sun, 26 May 2024 13:04:03 -0400 Subject: [PATCH] Fixes for 4.19 Signed-off-by: Sasha Levin --- .../acpi-disable-wstringop-truncation.patch | 48 ++ ...-call-packet_read_pending-from-tpack.patch | 49 ++ ...-races-in-unix_release_sock-unix_str.patch | 76 +++ ...fix-usage-of-device_get_named_child_.patch | 55 ++ ...-rt5645-add-cbj-sleeve-gpio-property.patch | 48 ++ ...the-electric-noise-due-to-the-cbj-co.patch | 105 ++++ ...ort-snd_soc_dapm_dir_out-to-its-valu.patch | 48 ++ .../crypto-bcm-fix-pointer-arithmetic.patch | 40 ++ ...rypto-ccp-drop-platform-ifdef-checks.patch | 94 +++ ...rypto-ccp-remove-forward-declaration.patch | 105 ++++ ...fix-potential-index-out-of-bounds-in.patch | 58 ++ ...set-color_mgmt_changed-to-true-on-un.patch | 37 ++ ...ix-a-possible-null-pointer-dereferen.patch | 42 ++ ...-add-0-size-check-to-mtk_drm_gem_obj.patch | 44 ++ ...fs-fix-buffer-size-for-tag-66-packet.patch | 116 ++++ ...sive-credit-estimate-in-ext4_tmpfile.patch | 52 ++ .../fbdev-sh7760fb-allow-modular-build.patch | 50 ++ ...dev-shmobile-fix-snprintf-truncation.patch | 40 ++ .../fbdev-sisfb-hide-unused-variables.patch | 68 ++ ...rypi-use-correct-device-for-dma-mapp.patch | 65 ++ ...e-convert-to-platform-remove-callbac.patch | 68 ++ ...t-convert-to-platform-remove-callbac.patch | 68 ++ .../ipv6-sr-add-missing-seg6_local_exit.patch | 38 ++ ...v6-sr-fix-incorrect-unregister-order.patch | 39 ++ ...sr-fix-invalid-unregister-error-path.patch | 46 ++ ...si-fix-off-by-one-in-allocation-erro.patch | 40 ++ ...ttr-node-from-overflowing-the-eraseb.patch | 81 +++ ...nlock-race-in-kernel-thread-creation.patch | 77 +++ ...m68k-mac-fix-reboot-hang-on-mac-iici.patch | 99 +++ ...8k-mac-use-030-reset-method-on-se-30.patch | 60 ++ ...cii-fix-bug-sleeping-function-called.patch | 59 ++ ...cii-macintosh-adb-iop-clean-up-white.patch | 587 ++++++++++++++++++ ...h-via-macii-remove-bug_on-assertions.patch | 161 +++++ ...ftlockup-when-bitmap-size-is-less-th.patch | 93 +++ ...dvb_ca_en50221_init-return-value-che.patch | 40 ++ ...o-shark2-avoid-led_names-truncations.patch | 40 ++ queue-4.19/mtd-rawnand-hynix-fixed-typo.patch | 43 ++ .../net-ethernet-cortina-locking-fixes.patch | 86 +++ ...fix-overwriting-ct-original-tuple-fo.patch | 86 +++ ...wwan-add-telit-fn920c04-compositions.patch | 108 ++++ ...sc95xx-stop-lying-about-skb-truesize.patch | 87 +++ ...sr9700-stop-lying-about-skb-truesize.patch | 59 ++ ...ix-possible-dead-lock-in-nr_rt_ioctl.patch | 192 ++++++ ...tex-before-calling-move_to_close_lru.patch | 82 +++ .../nilfs2-fix-out-of-range-warning.patch | 45 ++ ...sing-mutex_destroy-at-module-removal.patch | 37 ++ ...c-add-missing-export-of-__cmpxchg_u8.patch | 36 ++ ...s_usbpd-provide-id-table-for-avoidin.patch | 66 ++ ...c-fsl-soc-hide-unused-const-variable.patch | 48 ++ ...d-avoid-truncating-work-queue-length.patch | 58 ++ ...s-use-complete-parentheses-in-macros.patch | 52 ++ ...format-truncation-compilation-errors.patch | 66 ++ ...-calling-csum_partial-with-misaligne.patch | 187 ++++++ ...fix-tracepoint-subchannel-type-field.patch | 38 ++ ...-disabling-sched_balance_newidle-wit.patch | 64 ++ ...on-t-set-sd_balance_wake-on-cpuset-d.patch | 70 +++ ...ure-the-copied-buf-is-nul-terminated.patch | 49 ++ ...location-size-for-scsi_host-private-.patch | 41 ++ ...the-failure-of-adding-phy-with-zero-.patch | 55 ++ ...ure-the-copied-buf-is-nul-terminated.patch | 40 ++ ...ow-level-__ufshcd_issue_tm_cmd-helpe.patch | 217 +++++++ ...ufs-cleanup-struct-utp_task_req_desc.patch | 243 ++++++++ ...rform-read-back-after-disabling-inte.patch | 53 ++ ...rform-read-back-after-disabling-uic_.patch | 52 ++ ...rform-read-back-after-writing-reset-.patch | 71 +++ ...ake-the-test-output-consistent-and-c.patch | 82 +++ ...lftests-kcmp-remove-unused-open-mode.patch | 42 ++ queue-4.19/series | 79 +++ ...-arch_copy_kprobe-into-arch_prepare_.patch | 53 ++ .../sunrpc-fix-gss_free_in_token_pages.patch | 78 +++ ...-enable-proper-endpoint-verification.patch | 99 +++ ...an-error-code-problem-in-ath10k_dbg_.patch | 43 ++ ...-service-ready-message-before-failin.patch | 81 +++ ...h10k-populate-board-data-for-wcn3990.patch | 65 ++ ...d-a-proper-sanity-check-for-endpoint.patch | 97 +++ ...x-the-order-of-arguments-for-trace-e.patch | 50 ++ ...i-mwl8k-initialize-cmd-addr-properly.patch | 38 ++ ...relocations-in-.notes-sections-in-wa.patch | 54 ++ ...h-instruction-in-x86-instruction-dec.patch | 98 +++ ...itch-to-the-position-independent-sma.patch | 81 +++ 80 files changed, 6207 insertions(+) create mode 100644 queue-4.19/acpi-disable-wstringop-truncation.patch create mode 100644 queue-4.19/af_packet-do-not-call-packet_read_pending-from-tpack.patch create mode 100644 queue-4.19/af_unix-fix-data-races-in-unix_release_sock-unix_str.patch create mode 100644 queue-4.19/asoc-da7219-aad-fix-usage-of-device_get_named_child_.patch create mode 100644 queue-4.19/asoc-dt-bindings-rt5645-add-cbj-sleeve-gpio-property.patch create mode 100644 queue-4.19/asoc-rt5645-fix-the-electric-noise-due-to-the-cbj-co.patch create mode 100644 queue-4.19/asoc-tracing-export-snd_soc_dapm_dir_out-to-its-valu.patch create mode 100644 queue-4.19/crypto-bcm-fix-pointer-arithmetic.patch create mode 100644 queue-4.19/crypto-ccp-drop-platform-ifdef-checks.patch create mode 100644 queue-4.19/crypto-ccp-remove-forward-declaration.patch create mode 100644 queue-4.19/drm-amd-display-fix-potential-index-out-of-bounds-in.patch create mode 100644 queue-4.19/drm-amd-display-set-color_mgmt_changed-to-true-on-un.patch create mode 100644 queue-4.19/drm-arm-malidp-fix-a-possible-null-pointer-dereferen.patch create mode 100644 queue-4.19/drm-mediatek-add-0-size-check-to-mtk_drm_gem_obj.patch create mode 100644 queue-4.19/ecryptfs-fix-buffer-size-for-tag-66-packet.patch create mode 100644 queue-4.19/ext4-avoid-excessive-credit-estimate-in-ext4_tmpfile.patch create mode 100644 queue-4.19/fbdev-sh7760fb-allow-modular-build.patch create mode 100644 queue-4.19/fbdev-shmobile-fix-snprintf-truncation.patch create mode 100644 queue-4.19/fbdev-sisfb-hide-unused-variables.patch create mode 100644 queue-4.19/firmware-raspberrypi-use-correct-device-for-dma-mapp.patch create mode 100644 queue-4.19/hsi-omap_ssi_core-convert-to-platform-remove-callbac.patch create mode 100644 queue-4.19/hsi-omap_ssi_port-convert-to-platform-remove-callbac.patch create mode 100644 queue-4.19/ipv6-sr-add-missing-seg6_local_exit.patch create mode 100644 queue-4.19/ipv6-sr-fix-incorrect-unregister-order.patch create mode 100644 queue-4.19/ipv6-sr-fix-invalid-unregister-error-path.patch create mode 100644 queue-4.19/irqchip-alpine-msi-fix-off-by-one-in-allocation-erro.patch create mode 100644 queue-4.19/jffs2-prevent-xattr-node-from-overflowing-the-eraseb.patch create mode 100644 queue-4.19/m68k-fix-spinlock-race-in-kernel-thread-creation.patch create mode 100644 queue-4.19/m68k-mac-fix-reboot-hang-on-mac-iici.patch create mode 100644 queue-4.19/m68k-mac-use-030-reset-method-on-se-30.patch create mode 100644 queue-4.19/macintosh-via-macii-fix-bug-sleeping-function-called.patch create mode 100644 queue-4.19/macintosh-via-macii-macintosh-adb-iop-clean-up-white.patch create mode 100644 queue-4.19/macintosh-via-macii-remove-bug_on-assertions.patch create mode 100644 queue-4.19/md-fix-resync-softlockup-when-bitmap-size-is-less-th.patch create mode 100644 queue-4.19/media-ngene-add-dvb_ca_en50221_init-return-value-che.patch create mode 100644 queue-4.19/media-radio-shark2-avoid-led_names-truncations.patch create mode 100644 queue-4.19/mtd-rawnand-hynix-fixed-typo.patch create mode 100644 queue-4.19/net-ethernet-cortina-locking-fixes.patch create mode 100644 queue-4.19/net-openvswitch-fix-overwriting-ct-original-tuple-fo.patch create mode 100644 queue-4.19/net-usb-qmi_wwan-add-telit-fn920c04-compositions.patch create mode 100644 queue-4.19/net-usb-smsc95xx-stop-lying-about-skb-truesize.patch create mode 100644 queue-4.19/net-usb-sr9700-stop-lying-about-skb-truesize.patch create mode 100644 queue-4.19/netrom-fix-possible-dead-lock-in-nr_rt_ioctl.patch create mode 100644 queue-4.19/nfsd-drop-st_mutex-before-calling-move_to_close_lru.patch create mode 100644 queue-4.19/nilfs2-fix-out-of-range-warning.patch create mode 100644 queue-4.19/null_blk-fix-missing-mutex_destroy-at-module-removal.patch create mode 100644 queue-4.19/parisc-add-missing-export-of-__cmpxchg_u8.patch create mode 100644 queue-4.19/power-supply-cros_usbpd-provide-id-table-for-avoidin.patch create mode 100644 queue-4.19/powerpc-fsl-soc-hide-unused-const-variable.patch create mode 100644 queue-4.19/qed-avoid-truncating-work-queue-length.patch create mode 100644 queue-4.19/rdma-hns-use-complete-parentheses-in-macros.patch create mode 100644 queue-4.19/rdma-ipoib-fix-format-truncation-compilation-errors.patch create mode 100644 queue-4.19/revert-sh-handle-calling-csum_partial-with-misaligne.patch create mode 100644 queue-4.19/s390-cio-fix-tracepoint-subchannel-type-field.patch create mode 100644 queue-4.19/sched-fair-allow-disabling-sched_balance_newidle-wit.patch create mode 100644 queue-4.19/sched-topology-don-t-set-sd_balance_wake-on-cpuset-d.patch create mode 100644 queue-4.19/scsi-bfa-ensure-the-copied-buf-is-nul-terminated.patch create mode 100644 queue-4.19/scsi-hpsa-fix-allocation-size-for-scsi_host-private-.patch create mode 100644 queue-4.19/scsi-libsas-fix-the-failure-of-adding-phy-with-zero-.patch create mode 100644 queue-4.19/scsi-qedf-ensure-the-copied-buf-is-nul-terminated.patch create mode 100644 queue-4.19/scsi-ufs-add-a-low-level-__ufshcd_issue_tm_cmd-helpe.patch create mode 100644 queue-4.19/scsi-ufs-cleanup-struct-utp_task_req_desc.patch create mode 100644 queue-4.19/scsi-ufs-core-perform-read-back-after-disabling-inte.patch create mode 100644 queue-4.19/scsi-ufs-core-perform-read-back-after-disabling-uic_.patch create mode 100644 queue-4.19/scsi-ufs-qcom-perform-read-back-after-writing-reset-.patch create mode 100644 queue-4.19/selftests-kcmp-make-the-test-output-consistent-and-c.patch create mode 100644 queue-4.19/selftests-kcmp-remove-unused-open-mode.patch create mode 100644 queue-4.19/sh-kprobes-merge-arch_copy_kprobe-into-arch_prepare_.patch create mode 100644 queue-4.19/sunrpc-fix-gss_free_in_token_pages.patch create mode 100644 queue-4.19/wifi-ar5523-enable-proper-endpoint-verification.patch create mode 100644 queue-4.19/wifi-ath10k-fix-an-error-code-problem-in-ath10k_dbg_.patch create mode 100644 queue-4.19/wifi-ath10k-poll-service-ready-message-before-failin.patch create mode 100644 queue-4.19/wifi-ath10k-populate-board-data-for-wcn3990.patch create mode 100644 queue-4.19/wifi-carl9170-add-a-proper-sanity-check-for-endpoint.patch create mode 100644 queue-4.19/wifi-cfg80211-fix-the-order-of-arguments-for-trace-e.patch create mode 100644 queue-4.19/wifi-mwl8k-initialize-cmd-addr-properly.patch create mode 100644 queue-4.19/x86-boot-ignore-relocations-in-.notes-sections-in-wa.patch create mode 100644 queue-4.19/x86-insn-fix-push-instruction-in-x86-instruction-dec.patch create mode 100644 queue-4.19/x86-purgatory-switch-to-the-position-independent-sma.patch diff --git a/queue-4.19/acpi-disable-wstringop-truncation.patch b/queue-4.19/acpi-disable-wstringop-truncation.patch new file mode 100644 index 00000000000..1c7db8e87b1 --- /dev/null +++ b/queue-4.19/acpi-disable-wstringop-truncation.patch @@ -0,0 +1,48 @@ +From df631b0586e5427a7faaa3d0c06992250a7f7b80 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Apr 2024 16:00:55 +0200 +Subject: ACPI: disable -Wstringop-truncation + +From: Arnd Bergmann + +[ Upstream commit a3403d304708f60565582d60af4316289d0316a0 ] + +gcc -Wstringop-truncation warns about copying a string that results in a +missing nul termination: + +drivers/acpi/acpica/tbfind.c: In function 'acpi_tb_find_table': +drivers/acpi/acpica/tbfind.c:60:9: error: 'strncpy' specified bound 6 equals destination size [-Werror=stringop-truncation] + 60 | strncpy(header.oem_id, oem_id, ACPI_OEM_ID_SIZE); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +drivers/acpi/acpica/tbfind.c:61:9: error: 'strncpy' specified bound 8 equals destination size [-Werror=stringop-truncation] + 61 | strncpy(header.oem_table_id, oem_table_id, ACPI_OEM_TABLE_ID_SIZE); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The code works as intended, and the warning could be addressed by using +a memcpy(), but turning the warning off for this file works equally well +and may be easier to merge. + +Fixes: 47c08729bf1c ("ACPICA: Fix for LoadTable operator, input strings") +Link: https://lore.kernel.org/lkml/CAJZ5v0hoUfv54KW7y4223Mn9E7D4xvR7whRFNLTBqCZMUxT50Q@mail.gmail.com/#t +Signed-off-by: Arnd Bergmann +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpica/Makefile | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/acpi/acpica/Makefile b/drivers/acpi/acpica/Makefile +index 8ce51f0f40ce5..dec40cb81cc42 100644 +--- a/drivers/acpi/acpica/Makefile ++++ b/drivers/acpi/acpica/Makefile +@@ -5,6 +5,7 @@ + + ccflags-y := -D_LINUX -DBUILDING_ACPICA + ccflags-$(CONFIG_ACPI_DEBUG) += -DACPI_DEBUG_OUTPUT ++CFLAGS_tbfind.o += $(call cc-disable-warning, stringop-truncation) + + # use acpi.o to put all files here into acpi.o modparam namespace + obj-y += acpi.o +-- +2.43.0 + diff --git a/queue-4.19/af_packet-do-not-call-packet_read_pending-from-tpack.patch b/queue-4.19/af_packet-do-not-call-packet_read_pending-from-tpack.patch new file mode 100644 index 00000000000..3389c2a63a7 --- /dev/null +++ b/queue-4.19/af_packet-do-not-call-packet_read_pending-from-tpack.patch @@ -0,0 +1,49 @@ +From 8a301e284547338e8bce1410d6a61b5899cd0ab6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 May 2024 16:33:58 +0000 +Subject: af_packet: do not call packet_read_pending() from + tpacket_destruct_skb() + +From: Eric Dumazet + +[ Upstream commit 581073f626e387d3e7eed55c48c8495584ead7ba ] + +trafgen performance considerably sank on hosts with many cores +after the blamed commit. + +packet_read_pending() is very expensive, and calling it +in af_packet fast path defeats Daniel intent in commit +b013840810c2 ("packet: use percpu mmap tx frame pending refcount") + +tpacket_destruct_skb() makes room for one packet, we can immediately +wakeup a producer, no need to completely drain the tx ring. + +Fixes: 89ed5b519004 ("af_packet: Block execution of tasks waiting for transmit to complete in AF_PACKET") +Signed-off-by: Eric Dumazet +Cc: Neil Horman +Cc: Daniel Borkmann +Reviewed-by: Willem de Bruijn +Link: https://lore.kernel.org/r/20240515163358.4105915-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/packet/af_packet.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index e8b05769d1c9a..4ddc60c7509fb 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -2441,8 +2441,7 @@ static void tpacket_destruct_skb(struct sk_buff *skb) + ts = __packet_set_timestamp(po, ph, skb); + __packet_set_status(po, ph, TP_STATUS_AVAILABLE | ts); + +- if (!packet_read_pending(&po->tx_ring)) +- complete(&po->skb_completion); ++ complete(&po->skb_completion); + } + + sock_wfree(skb); +-- +2.43.0 + diff --git a/queue-4.19/af_unix-fix-data-races-in-unix_release_sock-unix_str.patch b/queue-4.19/af_unix-fix-data-races-in-unix_release_sock-unix_str.patch new file mode 100644 index 00000000000..aab68a957d3 --- /dev/null +++ b/queue-4.19/af_unix-fix-data-races-in-unix_release_sock-unix_str.patch @@ -0,0 +1,76 @@ +From d2aba116e6fd284f879ffaa655e62dccd63868c2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 May 2024 01:14:46 -0700 +Subject: af_unix: Fix data races in unix_release_sock/unix_stream_sendmsg + +From: Breno Leitao + +[ Upstream commit 540bf24fba16b88c1b3b9353927204b4f1074e25 ] + +A data-race condition has been identified in af_unix. In one data path, +the write function unix_release_sock() atomically writes to +sk->sk_shutdown using WRITE_ONCE. However, on the reader side, +unix_stream_sendmsg() does not read it atomically. Consequently, this +issue is causing the following KCSAN splat to occur: + + BUG: KCSAN: data-race in unix_release_sock / unix_stream_sendmsg + + write (marked) to 0xffff88867256ddbb of 1 bytes by task 7270 on cpu 28: + unix_release_sock (net/unix/af_unix.c:640) + unix_release (net/unix/af_unix.c:1050) + sock_close (net/socket.c:659 net/socket.c:1421) + __fput (fs/file_table.c:422) + __fput_sync (fs/file_table.c:508) + __se_sys_close (fs/open.c:1559 fs/open.c:1541) + __x64_sys_close (fs/open.c:1541) + x64_sys_call (arch/x86/entry/syscall_64.c:33) + do_syscall_64 (arch/x86/entry/common.c:?) + entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) + + read to 0xffff88867256ddbb of 1 bytes by task 989 on cpu 14: + unix_stream_sendmsg (net/unix/af_unix.c:2273) + __sock_sendmsg (net/socket.c:730 net/socket.c:745) + ____sys_sendmsg (net/socket.c:2584) + __sys_sendmmsg (net/socket.c:2638 net/socket.c:2724) + __x64_sys_sendmmsg (net/socket.c:2753 net/socket.c:2750 net/socket.c:2750) + x64_sys_call (arch/x86/entry/syscall_64.c:33) + do_syscall_64 (arch/x86/entry/common.c:?) + entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) + + value changed: 0x01 -> 0x03 + +The line numbers are related to commit dd5a440a31fa ("Linux 6.9-rc7"). + +Commit e1d09c2c2f57 ("af_unix: Fix data races around sk->sk_shutdown.") +addressed a comparable issue in the past regarding sk->sk_shutdown. +However, it overlooked resolving this particular data path. +This patch only offending unix_stream_sendmsg() function, since the +other reads seem to be protected by unix_state_lock() as discussed in +Link: https://lore.kernel.org/all/20240508173324.53565-1-kuniyu@amazon.com/ + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Breno Leitao +Reviewed-by: Kuniyuki Iwashima +Link: https://lore.kernel.org/r/20240509081459.2807828-1-leitao@debian.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/unix/af_unix.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index 921b7e355b9b9..02100e62bf608 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -1895,7 +1895,7 @@ static int unix_stream_sendmsg(struct socket *sock, struct msghdr *msg, + goto out_err; + } + +- if (sk->sk_shutdown & SEND_SHUTDOWN) ++ if (READ_ONCE(sk->sk_shutdown) & SEND_SHUTDOWN) + goto pipe_err; + + while (sent < len) { +-- +2.43.0 + diff --git a/queue-4.19/asoc-da7219-aad-fix-usage-of-device_get_named_child_.patch b/queue-4.19/asoc-da7219-aad-fix-usage-of-device_get_named_child_.patch new file mode 100644 index 00000000000..9af0754da4f --- /dev/null +++ b/queue-4.19/asoc-da7219-aad-fix-usage-of-device_get_named_child_.patch @@ -0,0 +1,55 @@ +From 3f5afa1927bb4170c0b04b348e16c9ddba851a6b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Apr 2024 10:30:33 -0500 +Subject: ASoC: da7219-aad: fix usage of device_get_named_child_node() + +From: Pierre-Louis Bossart + +[ Upstream commit e8a6a5ad73acbafd98e8fd3f0cbf6e379771bb76 ] + +The documentation for device_get_named_child_node() mentions this +important point: + +" +The caller is responsible for calling fwnode_handle_put() on the +returned fwnode pointer. +" + +Add fwnode_handle_put() to avoid a leaked reference. + +Signed-off-by: Pierre-Louis Bossart +Link: https://lore.kernel.org/r/20240426153033.38500-1-pierre-louis.bossart@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/da7219-aad.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/codecs/da7219-aad.c b/sound/soc/codecs/da7219-aad.c +index e3515ac8b223f..c7c800f8133b6 100644 +--- a/sound/soc/codecs/da7219-aad.c ++++ b/sound/soc/codecs/da7219-aad.c +@@ -634,8 +634,10 @@ static struct da7219_aad_pdata *da7219_aad_fw_to_pdata(struct snd_soc_component + return NULL; + + aad_pdata = devm_kzalloc(dev, sizeof(*aad_pdata), GFP_KERNEL); +- if (!aad_pdata) ++ if (!aad_pdata) { ++ fwnode_handle_put(aad_np); + return NULL; ++ } + + aad_pdata->irq = i2c->irq; + +@@ -710,6 +712,8 @@ static struct da7219_aad_pdata *da7219_aad_fw_to_pdata(struct snd_soc_component + else + aad_pdata->adc_1bit_rpt = DA7219_AAD_ADC_1BIT_RPT_1; + ++ fwnode_handle_put(aad_np); ++ + return aad_pdata; + } + +-- +2.43.0 + diff --git a/queue-4.19/asoc-dt-bindings-rt5645-add-cbj-sleeve-gpio-property.patch b/queue-4.19/asoc-dt-bindings-rt5645-add-cbj-sleeve-gpio-property.patch new file mode 100644 index 00000000000..ff0998b0686 --- /dev/null +++ b/queue-4.19/asoc-dt-bindings-rt5645-add-cbj-sleeve-gpio-property.patch @@ -0,0 +1,48 @@ +From dd010aa1850464d466083bba3e2119a4e8e023fa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Apr 2024 17:10:57 +0800 +Subject: ASoC: dt-bindings: rt5645: add cbj sleeve gpio property + +From: Derek Fang + +[ Upstream commit 306b38e3fa727d22454a148a364123709e356600 ] + +Add an optional gpio property to control external CBJ circuits +to avoid some electric noise caused by sleeve/ring2 contacts floating. + +Signed-off-by: Derek Fang + +Link: https://msgid.link/r/20240408091057.14165-2-derek.fang@realtek.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + Documentation/devicetree/bindings/sound/rt5645.txt | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/Documentation/devicetree/bindings/sound/rt5645.txt b/Documentation/devicetree/bindings/sound/rt5645.txt +index a03f9a872a716..bfb2217a9a658 100644 +--- a/Documentation/devicetree/bindings/sound/rt5645.txt ++++ b/Documentation/devicetree/bindings/sound/rt5645.txt +@@ -16,6 +16,11 @@ Optional properties: + a GPIO spec for the external headphone detect pin. If jd-mode = 0, + we will get the JD status by getting the value of hp-detect-gpios. + ++- cbj-sleeve-gpios: ++ a GPIO spec to control the external combo jack circuit to tie the sleeve/ring2 ++ contacts to the ground or floating. It could avoid some electric noise from the ++ active speaker jacks. ++ + - realtek,in2-differential + Boolean. Indicate MIC2 input are differential, rather than single-ended. + +@@ -64,6 +69,7 @@ codec: rt5650@1a { + compatible = "realtek,rt5650"; + reg = <0x1a>; + hp-detect-gpios = <&gpio 19 0>; ++ cbj-sleeve-gpios = <&gpio 20 0>; + interrupt-parent = <&gpio>; + interrupts = <7 IRQ_TYPE_EDGE_FALLING>; + realtek,dmic-en = "true"; +-- +2.43.0 + diff --git a/queue-4.19/asoc-rt5645-fix-the-electric-noise-due-to-the-cbj-co.patch b/queue-4.19/asoc-rt5645-fix-the-electric-noise-due-to-the-cbj-co.patch new file mode 100644 index 00000000000..40ba2195b13 --- /dev/null +++ b/queue-4.19/asoc-rt5645-fix-the-electric-noise-due-to-the-cbj-co.patch @@ -0,0 +1,105 @@ +From 1d4ac4195f9b4e64b6c31f7a3a7ff249f6e1c282 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Apr 2024 17:10:56 +0800 +Subject: ASoC: rt5645: Fix the electric noise due to the CBJ contacts floating + +From: Derek Fang + +[ Upstream commit 103abab975087e1f01b76fcb54c91dbb65dbc249 ] + +The codec leaves tie combo jack's sleeve/ring2 to floating status +default. It would cause electric noise while connecting the active +speaker jack during boot or shutdown. +This patch requests a gpio to control the additional jack circuit +to tie the contacts to the ground or floating. + +Signed-off-by: Derek Fang + +Link: https://msgid.link/r/20240408091057.14165-1-derek.fang@realtek.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/rt5645.c | 25 +++++++++++++++++++++++++ + 1 file changed, 25 insertions(+) + +diff --git a/sound/soc/codecs/rt5645.c b/sound/soc/codecs/rt5645.c +index 5f23369d7ccad..fbb3fca59c8cb 100644 +--- a/sound/soc/codecs/rt5645.c ++++ b/sound/soc/codecs/rt5645.c +@@ -412,6 +412,7 @@ struct rt5645_priv { + struct regmap *regmap; + struct i2c_client *i2c; + struct gpio_desc *gpiod_hp_det; ++ struct gpio_desc *gpiod_cbj_sleeve; + struct snd_soc_jack *hp_jack; + struct snd_soc_jack *mic_jack; + struct snd_soc_jack *btn_jack; +@@ -3206,6 +3207,9 @@ static int rt5645_jack_detect(struct snd_soc_component *component, int jack_inse + regmap_update_bits(rt5645->regmap, RT5645_IN1_CTRL2, + RT5645_CBJ_MN_JD, 0); + ++ if (rt5645->gpiod_cbj_sleeve) ++ gpiod_set_value(rt5645->gpiod_cbj_sleeve, 1); ++ + msleep(600); + regmap_read(rt5645->regmap, RT5645_IN1_CTRL3, &val); + val &= 0x7; +@@ -3222,6 +3226,8 @@ static int rt5645_jack_detect(struct snd_soc_component *component, int jack_inse + snd_soc_dapm_disable_pin(dapm, "Mic Det Power"); + snd_soc_dapm_sync(dapm); + rt5645->jack_type = SND_JACK_HEADPHONE; ++ if (rt5645->gpiod_cbj_sleeve) ++ gpiod_set_value(rt5645->gpiod_cbj_sleeve, 0); + } + if (rt5645->pdata.level_trigger_irq) + regmap_update_bits(rt5645->regmap, RT5645_IRQ_CTRL2, +@@ -3247,6 +3253,9 @@ static int rt5645_jack_detect(struct snd_soc_component *component, int jack_inse + if (rt5645->pdata.level_trigger_irq) + regmap_update_bits(rt5645->regmap, RT5645_IRQ_CTRL2, + RT5645_JD_1_1_MASK, RT5645_JD_1_1_INV); ++ ++ if (rt5645->gpiod_cbj_sleeve) ++ gpiod_set_value(rt5645->gpiod_cbj_sleeve, 0); + } + + return rt5645->jack_type; +@@ -3892,6 +3901,16 @@ static int rt5645_i2c_probe(struct i2c_client *i2c, + return ret; + } + ++ rt5645->gpiod_cbj_sleeve = devm_gpiod_get_optional(&i2c->dev, "cbj-sleeve", ++ GPIOD_OUT_LOW); ++ ++ if (IS_ERR(rt5645->gpiod_cbj_sleeve)) { ++ ret = PTR_ERR(rt5645->gpiod_cbj_sleeve); ++ dev_info(&i2c->dev, "failed to initialize gpiod, ret=%d\n", ret); ++ if (ret != -ENOENT) ++ return ret; ++ } ++ + for (i = 0; i < ARRAY_SIZE(rt5645->supplies); i++) + rt5645->supplies[i].supply = rt5645_supply_names[i]; + +@@ -4135,6 +4154,9 @@ static int rt5645_i2c_remove(struct i2c_client *i2c) + cancel_delayed_work_sync(&rt5645->jack_detect_work); + cancel_delayed_work_sync(&rt5645->rcclock_work); + ++ if (rt5645->gpiod_cbj_sleeve) ++ gpiod_set_value(rt5645->gpiod_cbj_sleeve, 0); ++ + regulator_bulk_disable(ARRAY_SIZE(rt5645->supplies), rt5645->supplies); + + return 0; +@@ -4152,6 +4174,9 @@ static void rt5645_i2c_shutdown(struct i2c_client *i2c) + 0); + msleep(20); + regmap_write(rt5645->regmap, RT5645_RESET, 0); ++ ++ if (rt5645->gpiod_cbj_sleeve) ++ gpiod_set_value(rt5645->gpiod_cbj_sleeve, 0); + } + + static struct i2c_driver rt5645_i2c_driver = { +-- +2.43.0 + diff --git a/queue-4.19/asoc-tracing-export-snd_soc_dapm_dir_out-to-its-valu.patch b/queue-4.19/asoc-tracing-export-snd_soc_dapm_dir_out-to-its-valu.patch new file mode 100644 index 00000000000..ce937f4df40 --- /dev/null +++ b/queue-4.19/asoc-tracing-export-snd_soc_dapm_dir_out-to-its-valu.patch @@ -0,0 +1,48 @@ +From b40921428fd7efe33721725eb590735b86c784de Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Apr 2024 00:03:03 -0400 +Subject: ASoC: tracing: Export SND_SOC_DAPM_DIR_OUT to its value + +From: Steven Rostedt + +[ Upstream commit 58300f8d6a48e58d1843199be743f819e2791ea3 ] + +The string SND_SOC_DAPM_DIR_OUT is printed in the snd_soc_dapm_path trace +event instead of its value: + + (((REC->path_dir) == SND_SOC_DAPM_DIR_OUT) ? "->" : "<-") + +User space cannot parse this, as it has no idea what SND_SOC_DAPM_DIR_OUT +is. Use TRACE_DEFINE_ENUM() to convert it to its value: + + (((REC->path_dir) == 1) ? "->" : "<-") + +So that user space tools, such as perf and trace-cmd, can parse it +correctly. + +Reported-by: Luca Ceresoli +Fixes: 6e588a0d839b5 ("ASoC: dapm: Consolidate path trace events") +Signed-off-by: Steven Rostedt (Google) +Link: https://lore.kernel.org/r/20240416000303.04670cdf@rorschach.local.home +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + include/trace/events/asoc.h | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/include/trace/events/asoc.h b/include/trace/events/asoc.h +index 40c300fe704da..f62d5b7024261 100644 +--- a/include/trace/events/asoc.h ++++ b/include/trace/events/asoc.h +@@ -11,6 +11,8 @@ + #define DAPM_DIRECT "(direct)" + #define DAPM_ARROW(dir) (((dir) == SND_SOC_DAPM_DIR_OUT) ? "->" : "<-") + ++TRACE_DEFINE_ENUM(SND_SOC_DAPM_DIR_OUT); ++ + struct snd_soc_jack; + struct snd_soc_card; + struct snd_soc_dapm_widget; +-- +2.43.0 + diff --git a/queue-4.19/crypto-bcm-fix-pointer-arithmetic.patch b/queue-4.19/crypto-bcm-fix-pointer-arithmetic.patch new file mode 100644 index 00000000000..3d2c6af46c2 --- /dev/null +++ b/queue-4.19/crypto-bcm-fix-pointer-arithmetic.patch @@ -0,0 +1,40 @@ +From 4b686a6e08992068fa36c37e7baf29fab42c260d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Mar 2024 23:59:15 +0300 +Subject: crypto: bcm - Fix pointer arithmetic + +From: Aleksandr Mishin + +[ Upstream commit 2b3460cbf454c6b03d7429e9ffc4fe09322eb1a9 ] + +In spu2_dump_omd() value of ptr is increased by ciph_key_len +instead of hash_iv_len which could lead to going beyond the +buffer boundaries. +Fix this bug by changing ciph_key_len to hash_iv_len. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 9d12ba86f818 ("crypto: brcm - Add Broadcom SPU driver") +Signed-off-by: Aleksandr Mishin +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/bcm/spu2.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/crypto/bcm/spu2.c b/drivers/crypto/bcm/spu2.c +index bf7ac621c591d..0f6023347cc89 100644 +--- a/drivers/crypto/bcm/spu2.c ++++ b/drivers/crypto/bcm/spu2.c +@@ -506,7 +506,7 @@ static void spu2_dump_omd(u8 *omd, u16 hash_key_len, u16 ciph_key_len, + if (hash_iv_len) { + packet_log(" Hash IV Length %u bytes\n", hash_iv_len); + packet_dump(" hash IV: ", ptr, hash_iv_len); +- ptr += ciph_key_len; ++ ptr += hash_iv_len; + } + + if (ciph_iv_len) { +-- +2.43.0 + diff --git a/queue-4.19/crypto-ccp-drop-platform-ifdef-checks.patch b/queue-4.19/crypto-ccp-drop-platform-ifdef-checks.patch new file mode 100644 index 00000000000..d1dc4ca0cc4 --- /dev/null +++ b/queue-4.19/crypto-ccp-drop-platform-ifdef-checks.patch @@ -0,0 +1,94 @@ +From 305358e26c956ee005e0da24cf5085038106d8fb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Apr 2024 10:06:42 +0200 +Subject: crypto: ccp - drop platform ifdef checks + +From: Arnd Bergmann + +[ Upstream commit 42c2d7d02977ef09d434b1f5b354f5bc6c1027ab ] + +When both ACPI and OF are disabled, the dev_vdata variable is unused: + +drivers/crypto/ccp/sp-platform.c:33:34: error: unused variable 'dev_vdata' [-Werror,-Wunused-const-variable] + +This is not a useful configuration, and there is not much point in saving +a few bytes when only one of the two is enabled, so just remove all +these ifdef checks and rely on of_match_node() and acpi_match_device() +returning NULL when these subsystems are disabled. + +Fixes: 6c5063434098 ("crypto: ccp - Add ACPI support") +Signed-off-by: Arnd Bergmann +Acked-by: Tom Lendacky +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/ccp/sp-platform.c | 14 ++------------ + 1 file changed, 2 insertions(+), 12 deletions(-) + +diff --git a/drivers/crypto/ccp/sp-platform.c b/drivers/crypto/ccp/sp-platform.c +index b75dc7db2d4a1..8494f7d8912c3 100644 +--- a/drivers/crypto/ccp/sp-platform.c ++++ b/drivers/crypto/ccp/sp-platform.c +@@ -42,44 +42,38 @@ static const struct sp_dev_vdata dev_vdata[] = { + }, + }; + +-#ifdef CONFIG_ACPI + static const struct acpi_device_id sp_acpi_match[] = { + { "AMDI0C00", (kernel_ulong_t)&dev_vdata[0] }, + { }, + }; + MODULE_DEVICE_TABLE(acpi, sp_acpi_match); +-#endif + +-#ifdef CONFIG_OF + static const struct of_device_id sp_of_match[] = { + { .compatible = "amd,ccp-seattle-v1a", + .data = (const void *)&dev_vdata[0] }, + { }, + }; + MODULE_DEVICE_TABLE(of, sp_of_match); +-#endif + + static struct sp_dev_vdata *sp_get_of_version(struct platform_device *pdev) + { +-#ifdef CONFIG_OF + const struct of_device_id *match; + + match = of_match_node(sp_of_match, pdev->dev.of_node); + if (match && match->data) + return (struct sp_dev_vdata *)match->data; +-#endif ++ + return NULL; + } + + static struct sp_dev_vdata *sp_get_acpi_version(struct platform_device *pdev) + { +-#ifdef CONFIG_ACPI + const struct acpi_device_id *match; + + match = acpi_match_device(sp_acpi_match, &pdev->dev); + if (match && match->driver_data) + return (struct sp_dev_vdata *)match->driver_data; +-#endif ++ + return NULL; + } + +@@ -227,12 +221,8 @@ static int sp_platform_resume(struct platform_device *pdev) + static struct platform_driver sp_platform_driver = { + .driver = { + .name = "ccp", +-#ifdef CONFIG_ACPI + .acpi_match_table = sp_acpi_match, +-#endif +-#ifdef CONFIG_OF + .of_match_table = sp_of_match, +-#endif + }, + .probe = sp_platform_probe, + .remove = sp_platform_remove, +-- +2.43.0 + diff --git a/queue-4.19/crypto-ccp-remove-forward-declaration.patch b/queue-4.19/crypto-ccp-remove-forward-declaration.patch new file mode 100644 index 00000000000..fbbf005bd00 --- /dev/null +++ b/queue-4.19/crypto-ccp-remove-forward-declaration.patch @@ -0,0 +1,105 @@ +From 51d39dc8a564f6f43b0895073f6837b3eb288b9f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Sep 2018 10:26:15 -0700 +Subject: crypto: ccp - Remove forward declaration + +From: Nathan Chancellor + +[ Upstream commit 3512dcb4e6c64733871202c01f0ec6b5d84d32ac ] + +Clang emits a warning about this construct: + +drivers/crypto/ccp/sp-platform.c:36:36: warning: tentative array +definition assumed to have one element +static const struct acpi_device_id sp_acpi_match[]; + ^ +1 warning generated. + +Just remove the forward declarations and move the initializations up +so that they can be used in sp_get_of_version and sp_get_acpi_version. + +Reported-by: Nick Desaulniers +Signed-off-by: Nathan Chancellor +Reviewed-by: Nick Desaulniers +Acked-by: Gary R Hook +Signed-off-by: Herbert Xu +Stable-dep-of: 42c2d7d02977 ("crypto: ccp - drop platform ifdef checks") +Signed-off-by: Sasha Levin +--- + drivers/crypto/ccp/sp-platform.c | 53 +++++++++++++++----------------- + 1 file changed, 25 insertions(+), 28 deletions(-) + +diff --git a/drivers/crypto/ccp/sp-platform.c b/drivers/crypto/ccp/sp-platform.c +index 71734f254fd15..b75dc7db2d4a1 100644 +--- a/drivers/crypto/ccp/sp-platform.c ++++ b/drivers/crypto/ccp/sp-platform.c +@@ -33,8 +33,31 @@ struct sp_platform { + unsigned int irq_count; + }; + +-static const struct acpi_device_id sp_acpi_match[]; +-static const struct of_device_id sp_of_match[]; ++static const struct sp_dev_vdata dev_vdata[] = { ++ { ++ .bar = 0, ++#ifdef CONFIG_CRYPTO_DEV_SP_CCP ++ .ccp_vdata = &ccpv3_platform, ++#endif ++ }, ++}; ++ ++#ifdef CONFIG_ACPI ++static const struct acpi_device_id sp_acpi_match[] = { ++ { "AMDI0C00", (kernel_ulong_t)&dev_vdata[0] }, ++ { }, ++}; ++MODULE_DEVICE_TABLE(acpi, sp_acpi_match); ++#endif ++ ++#ifdef CONFIG_OF ++static const struct of_device_id sp_of_match[] = { ++ { .compatible = "amd,ccp-seattle-v1a", ++ .data = (const void *)&dev_vdata[0] }, ++ { }, ++}; ++MODULE_DEVICE_TABLE(of, sp_of_match); ++#endif + + static struct sp_dev_vdata *sp_get_of_version(struct platform_device *pdev) + { +@@ -201,32 +224,6 @@ static int sp_platform_resume(struct platform_device *pdev) + } + #endif + +-static const struct sp_dev_vdata dev_vdata[] = { +- { +- .bar = 0, +-#ifdef CONFIG_CRYPTO_DEV_SP_CCP +- .ccp_vdata = &ccpv3_platform, +-#endif +- }, +-}; +- +-#ifdef CONFIG_ACPI +-static const struct acpi_device_id sp_acpi_match[] = { +- { "AMDI0C00", (kernel_ulong_t)&dev_vdata[0] }, +- { }, +-}; +-MODULE_DEVICE_TABLE(acpi, sp_acpi_match); +-#endif +- +-#ifdef CONFIG_OF +-static const struct of_device_id sp_of_match[] = { +- { .compatible = "amd,ccp-seattle-v1a", +- .data = (const void *)&dev_vdata[0] }, +- { }, +-}; +-MODULE_DEVICE_TABLE(of, sp_of_match); +-#endif +- + static struct platform_driver sp_platform_driver = { + .driver = { + .name = "ccp", +-- +2.43.0 + diff --git a/queue-4.19/drm-amd-display-fix-potential-index-out-of-bounds-in.patch b/queue-4.19/drm-amd-display-fix-potential-index-out-of-bounds-in.patch new file mode 100644 index 00000000000..0d1f2cf9ff5 --- /dev/null +++ b/queue-4.19/drm-amd-display-fix-potential-index-out-of-bounds-in.patch @@ -0,0 +1,58 @@ +From d5a6524a84a63a64d5a93dbcb3c4e02512a6e96a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Feb 2024 18:38:08 +0530 +Subject: drm/amd/display: Fix potential index out of bounds in color + transformation function + +From: Srinivasan Shanmugam + +[ Upstream commit 63ae548f1054a0b71678d0349c7dc9628ddd42ca ] + +Fixes index out of bounds issue in the color transformation function. +The issue could occur when the index 'i' exceeds the number of transfer +function points (TRANSFER_FUNC_POINTS). + +The fix adds a check to ensure 'i' is within bounds before accessing the +transfer function points. If 'i' is out of bounds, an error message is +logged and the function returns false to indicate an error. + +Reported by smatch: +drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:405 cm_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.red' 1025 <= s32max +drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:406 cm_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.green' 1025 <= s32max +drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:407 cm_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.blue' 1025 <= s32max + +Fixes: b629596072e5 ("drm/amd/display: Build unity lut for shaper") +Cc: Vitaly Prosyak +Cc: Charlene Liu +Cc: Harry Wentland +Cc: Rodrigo Siqueira +Cc: Roman Li +Cc: Aurabindo Pillai +Cc: Tom Chung +Signed-off-by: Srinivasan Shanmugam +Reviewed-by: Tom Chung +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c +index f8904f73f57b0..67a3ba49234ee 100644 +--- a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c +@@ -315,6 +315,11 @@ bool cm_helper_translate_curve_to_hw_format( + i += increment) { + if (j == hw_points - 1) + break; ++ if (i >= TRANSFER_FUNC_POINTS) { ++ DC_LOG_ERROR("Index out of bounds: i=%d, TRANSFER_FUNC_POINTS=%d\n", ++ i, TRANSFER_FUNC_POINTS); ++ return false; ++ } + rgb_resulted[j].red = output_tf->tf_pts.red[i]; + rgb_resulted[j].green = output_tf->tf_pts.green[i]; + rgb_resulted[j].blue = output_tf->tf_pts.blue[i]; +-- +2.43.0 + diff --git a/queue-4.19/drm-amd-display-set-color_mgmt_changed-to-true-on-un.patch b/queue-4.19/drm-amd-display-set-color_mgmt_changed-to-true-on-un.patch new file mode 100644 index 00000000000..ca638b12160 --- /dev/null +++ b/queue-4.19/drm-amd-display-set-color_mgmt_changed-to-true-on-un.patch @@ -0,0 +1,37 @@ +From fdfa4374061c5aef7d92f3a6e4c79a80ca6b41db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Nov 2023 04:21:55 +0000 +Subject: drm/amd/display: Set color_mgmt_changed to true on unsuspend + +From: Joshua Ashton + +[ Upstream commit 2eb9dd497a698dc384c0dd3e0311d541eb2e13dd ] + +Otherwise we can end up with a frame on unsuspend where color management +is not applied when userspace has not committed themselves. + +Fixes re-applying color management on Steam Deck/Gamescope on S3 resume. + +Signed-off-by: Joshua Ashton +Reviewed-by: Harry Wentland +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +index 98d51bc204172..e4139723c473c 100644 +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -816,6 +816,7 @@ static int dm_resume(void *handle) + dc_stream_release(dm_new_crtc_state->stream); + dm_new_crtc_state->stream = NULL; + } ++ dm_new_crtc_state->base.color_mgmt_changed = true; + } + + for_each_new_plane_in_state(dm->cached_state, plane, new_plane_state, i) { +-- +2.43.0 + diff --git a/queue-4.19/drm-arm-malidp-fix-a-possible-null-pointer-dereferen.patch b/queue-4.19/drm-arm-malidp-fix-a-possible-null-pointer-dereferen.patch new file mode 100644 index 00000000000..13d23d38c81 --- /dev/null +++ b/queue-4.19/drm-arm-malidp-fix-a-possible-null-pointer-dereferen.patch @@ -0,0 +1,42 @@ +From 5c9987a3e04729271b5ceaeb93b88dad5b8f37c9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 7 Apr 2024 14:30:53 +0800 +Subject: drm/arm/malidp: fix a possible null pointer dereference + +From: Huai-Yuan Liu + +[ Upstream commit a1f95aede6285dba6dd036d907196f35ae3a11ea ] + +In malidp_mw_connector_reset, new memory is allocated with kzalloc, but +no check is performed. In order to prevent null pointer dereferencing, +ensure that mw_state is checked before calling +__drm_atomic_helper_connector_reset. + +Fixes: 8cbc5caf36ef ("drm: mali-dp: Add writeback connector") +Signed-off-by: Huai-Yuan Liu +Signed-off-by: Liviu Dudau +Link: https://patchwork.freedesktop.org/patch/msgid/20240407063053.5481-1-qq810974084@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/arm/malidp_mw.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/arm/malidp_mw.c b/drivers/gpu/drm/arm/malidp_mw.c +index 7266d3c8b8f41..420efbdea76c3 100644 +--- a/drivers/gpu/drm/arm/malidp_mw.c ++++ b/drivers/gpu/drm/arm/malidp_mw.c +@@ -69,7 +69,10 @@ static void malidp_mw_connector_reset(struct drm_connector *connector) + __drm_atomic_helper_connector_destroy_state(connector->state); + + kfree(connector->state); +- __drm_atomic_helper_connector_reset(connector, &mw_state->base); ++ connector->state = NULL; ++ ++ if (mw_state) ++ __drm_atomic_helper_connector_reset(connector, &mw_state->base); + } + + static enum drm_connector_status +-- +2.43.0 + diff --git a/queue-4.19/drm-mediatek-add-0-size-check-to-mtk_drm_gem_obj.patch b/queue-4.19/drm-mediatek-add-0-size-check-to-mtk_drm_gem_obj.patch new file mode 100644 index 00000000000..eb65b14e64d --- /dev/null +++ b/queue-4.19/drm-mediatek-add-0-size-check-to-mtk_drm_gem_obj.patch @@ -0,0 +1,44 @@ +From ac94087ab05762d61489b865384df2b43f0ca590 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Mar 2024 13:00:51 -0500 +Subject: drm/mediatek: Add 0 size check to mtk_drm_gem_obj + +From: Justin Green + +[ Upstream commit 1e4350095e8ab2577ee05f8c3b044e661b5af9a0 ] + +Add a check to mtk_drm_gem_init if we attempt to allocate a GEM object +of 0 bytes. Currently, no such check exists and the kernel will panic if +a userspace application attempts to allocate a 0x0 GBM buffer. + +Tested by attempting to allocate a 0x0 GBM buffer on an MT8188 and +verifying that we now return EINVAL. + +Fixes: 119f5173628a ("drm/mediatek: Add DRM Driver for Mediatek SoC MT8173.") +Signed-off-by: Justin Green +Reviewed-by: AngeloGioacchino Del Regno +Reviewed-by: CK Hu +Link: https://patchwork.kernel.org/project/dri-devel/patch/20240307180051.4104425-1-greenjustin@chromium.org/ +Signed-off-by: Chun-Kuang Hu +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/mediatek/mtk_drm_gem.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/gpu/drm/mediatek/mtk_drm_gem.c b/drivers/gpu/drm/mediatek/mtk_drm_gem.c +index b09a37a38e0ae..079df67892df5 100644 +--- a/drivers/gpu/drm/mediatek/mtk_drm_gem.c ++++ b/drivers/gpu/drm/mediatek/mtk_drm_gem.c +@@ -26,6 +26,9 @@ static struct mtk_drm_gem_obj *mtk_drm_gem_init(struct drm_device *dev, + + size = round_up(size, PAGE_SIZE); + ++ if (size == 0) ++ return ERR_PTR(-EINVAL); ++ + mtk_gem_obj = kzalloc(sizeof(*mtk_gem_obj), GFP_KERNEL); + if (!mtk_gem_obj) + return ERR_PTR(-ENOMEM); +-- +2.43.0 + diff --git a/queue-4.19/ecryptfs-fix-buffer-size-for-tag-66-packet.patch b/queue-4.19/ecryptfs-fix-buffer-size-for-tag-66-packet.patch new file mode 100644 index 00000000000..0ec6cb93c52 --- /dev/null +++ b/queue-4.19/ecryptfs-fix-buffer-size-for-tag-66-packet.patch @@ -0,0 +1,116 @@ +From 23fbaf96fe2d2fd4ccd8545192149c0bc306c9ad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 17 Mar 2024 07:46:00 -0700 +Subject: ecryptfs: Fix buffer size for tag 66 packet + +From: Brian Kubisiak + +[ Upstream commit 85a6a1aff08ec9f5b929d345d066e2830e8818e5 ] + +The 'TAG 66 Packet Format' description is missing the cipher code and +checksum fields that are packed into the message packet. As a result, +the buffer allocated for the packet is 3 bytes too small and +write_tag_66_packet() will write up to 3 bytes past the end of the +buffer. + +Fix this by increasing the size of the allocation so the whole packet +will always fit in the buffer. + +This fixes the below kasan slab-out-of-bounds bug: + + BUG: KASAN: slab-out-of-bounds in ecryptfs_generate_key_packet_set+0x7d6/0xde0 + Write of size 1 at addr ffff88800afbb2a5 by task touch/181 + + CPU: 0 PID: 181 Comm: touch Not tainted 6.6.13-gnu #1 4c9534092be820851bb687b82d1f92a426598dc6 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2/GNU Guix 04/01/2014 + Call Trace: + + dump_stack_lvl+0x4c/0x70 + print_report+0xc5/0x610 + ? ecryptfs_generate_key_packet_set+0x7d6/0xde0 + ? kasan_complete_mode_report_info+0x44/0x210 + ? ecryptfs_generate_key_packet_set+0x7d6/0xde0 + kasan_report+0xc2/0x110 + ? ecryptfs_generate_key_packet_set+0x7d6/0xde0 + __asan_store1+0x62/0x80 + ecryptfs_generate_key_packet_set+0x7d6/0xde0 + ? __pfx_ecryptfs_generate_key_packet_set+0x10/0x10 + ? __alloc_pages+0x2e2/0x540 + ? __pfx_ovl_open+0x10/0x10 [overlay 30837f11141636a8e1793533a02e6e2e885dad1d] + ? dentry_open+0x8f/0xd0 + ecryptfs_write_metadata+0x30a/0x550 + ? __pfx_ecryptfs_write_metadata+0x10/0x10 + ? ecryptfs_get_lower_file+0x6b/0x190 + ecryptfs_initialize_file+0x77/0x150 + ecryptfs_create+0x1c2/0x2f0 + path_openat+0x17cf/0x1ba0 + ? __pfx_path_openat+0x10/0x10 + do_filp_open+0x15e/0x290 + ? __pfx_do_filp_open+0x10/0x10 + ? __kasan_check_write+0x18/0x30 + ? _raw_spin_lock+0x86/0xf0 + ? __pfx__raw_spin_lock+0x10/0x10 + ? __kasan_check_write+0x18/0x30 + ? alloc_fd+0xf4/0x330 + do_sys_openat2+0x122/0x160 + ? __pfx_do_sys_openat2+0x10/0x10 + __x64_sys_openat+0xef/0x170 + ? __pfx___x64_sys_openat+0x10/0x10 + do_syscall_64+0x60/0xd0 + entry_SYSCALL_64_after_hwframe+0x6e/0xd8 + RIP: 0033:0x7f00a703fd67 + Code: 25 00 00 41 00 3d 00 00 41 00 74 37 64 8b 04 25 18 00 00 00 85 c0 75 5b 44 89 e2 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 85 00 00 00 48 83 c4 68 5d 41 5c c3 0f 1f + RSP: 002b:00007ffc088e30b0 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 + RAX: ffffffffffffffda RBX: 00007ffc088e3368 RCX: 00007f00a703fd67 + RDX: 0000000000000941 RSI: 00007ffc088e48d7 RDI: 00000000ffffff9c + RBP: 00007ffc088e48d7 R08: 0000000000000001 R09: 0000000000000000 + R10: 00000000000001b6 R11: 0000000000000246 R12: 0000000000000941 + R13: 0000000000000000 R14: 00007ffc088e48d7 R15: 00007f00a7180040 + + + Allocated by task 181: + kasan_save_stack+0x2f/0x60 + kasan_set_track+0x29/0x40 + kasan_save_alloc_info+0x25/0x40 + __kasan_kmalloc+0xc5/0xd0 + __kmalloc+0x66/0x160 + ecryptfs_generate_key_packet_set+0x6d2/0xde0 + ecryptfs_write_metadata+0x30a/0x550 + ecryptfs_initialize_file+0x77/0x150 + ecryptfs_create+0x1c2/0x2f0 + path_openat+0x17cf/0x1ba0 + do_filp_open+0x15e/0x290 + do_sys_openat2+0x122/0x160 + __x64_sys_openat+0xef/0x170 + do_syscall_64+0x60/0xd0 + entry_SYSCALL_64_after_hwframe+0x6e/0xd8 + +Fixes: dddfa461fc89 ("[PATCH] eCryptfs: Public key; packet management") +Signed-off-by: Brian Kubisiak +Link: https://lore.kernel.org/r/5j2q56p6qkhezva6b2yuqfrsurmvrrqtxxzrnp3wqu7xrz22i7@hoecdztoplbl +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/ecryptfs/keystore.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/fs/ecryptfs/keystore.c b/fs/ecryptfs/keystore.c +index 250cb23ae69f2..12a5ea9e3e35d 100644 +--- a/fs/ecryptfs/keystore.c ++++ b/fs/ecryptfs/keystore.c +@@ -314,9 +314,11 @@ write_tag_66_packet(char *signature, u8 cipher_code, + * | Key Identifier Size | 1 or 2 bytes | + * | Key Identifier | arbitrary | + * | File Encryption Key Size | 1 or 2 bytes | ++ * | Cipher Code | 1 byte | + * | File Encryption Key | arbitrary | ++ * | Checksum | 2 bytes | + */ +- data_len = (5 + ECRYPTFS_SIG_SIZE_HEX + crypt_stat->key_size); ++ data_len = (8 + ECRYPTFS_SIG_SIZE_HEX + crypt_stat->key_size); + *packet = kmalloc(data_len, GFP_KERNEL); + message = *packet; + if (!message) { +-- +2.43.0 + diff --git a/queue-4.19/ext4-avoid-excessive-credit-estimate-in-ext4_tmpfile.patch b/queue-4.19/ext4-avoid-excessive-credit-estimate-in-ext4_tmpfile.patch new file mode 100644 index 00000000000..887173506a2 --- /dev/null +++ b/queue-4.19/ext4-avoid-excessive-credit-estimate-in-ext4_tmpfile.patch @@ -0,0 +1,52 @@ +From 41c13d6eb59f82053867acbe146abcaddda27d3d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Mar 2024 12:53:20 +0100 +Subject: ext4: avoid excessive credit estimate in ext4_tmpfile() + +From: Jan Kara + +[ Upstream commit 35a1f12f0ca857fee1d7a04ef52cbd5f1f84de13 ] + +A user with minimum journal size (1024 blocks these days) complained +about the following error triggered by generic/697 test in +ext4_tmpfile(): + +run fstests generic/697 at 2024-02-28 05:34:46 +JBD2: vfstest wants too many credits credits:260 rsv_credits:0 max:256 +EXT4-fs error (device loop0) in __ext4_new_inode:1083: error 28 + +Indeed the credit estimate in ext4_tmpfile() is huge. +EXT4_MAXQUOTAS_INIT_BLOCKS() is 219, then 10 credits from ext4_tmpfile() +itself and then ext4_xattr_credits_for_new_inode() adds more credits +needed for security attributes and ACLs. Now the +EXT4_MAXQUOTAS_INIT_BLOCKS() is in fact unnecessary because we've +already initialized quotas with dquot_init() shortly before and so +EXT4_MAXQUOTAS_TRANS_BLOCKS() is enough (which boils down to 3 credits). + +Fixes: af51a2ac36d1 ("ext4: ->tmpfile() support") +Signed-off-by: Jan Kara +Tested-by: Luis Henriques +Tested-by: Disha Goel +Link: https://lore.kernel.org/r/20240307115320.28949-1-jack@suse.cz +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/namei.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c +index 93d392576c127..d4441e481642c 100644 +--- a/fs/ext4/namei.c ++++ b/fs/ext4/namei.c +@@ -2625,7 +2625,7 @@ static int ext4_tmpfile(struct inode *dir, struct dentry *dentry, umode_t mode) + inode = ext4_new_inode_start_handle(dir, mode, + NULL, 0, NULL, + EXT4_HT_DIR, +- EXT4_MAXQUOTAS_INIT_BLOCKS(dir->i_sb) + ++ EXT4_MAXQUOTAS_TRANS_BLOCKS(dir->i_sb) + + 4 + EXT4_XATTR_TRANS_BLOCKS); + handle = ext4_journal_current_handle(); + err = PTR_ERR(inode); +-- +2.43.0 + diff --git a/queue-4.19/fbdev-sh7760fb-allow-modular-build.patch b/queue-4.19/fbdev-sh7760fb-allow-modular-build.patch new file mode 100644 index 00000000000..9d69aeda3c7 --- /dev/null +++ b/queue-4.19/fbdev-sh7760fb-allow-modular-build.patch @@ -0,0 +1,50 @@ +From f73840826d0cc403b6cec272ed12e361ad8de39e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Feb 2024 21:39:38 -0800 +Subject: fbdev: sh7760fb: allow modular build + +From: Randy Dunlap + +[ Upstream commit 51084f89d687e14d96278241e5200cde4b0985c7 ] + +There is no reason to prohibit sh7760fb from being built as a +loadable module as suggested by Geert, so change the config symbol +from bool to tristate to allow that and change the FB dependency as +needed. + +Fixes: f75f71b2c418 ("fbdev/sh7760fb: Depend on FB=y") +Suggested-by: Geert Uytterhoeven +Signed-off-by: Randy Dunlap +Cc: Thomas Zimmermann +Cc: Javier Martinez Canillas +Cc: John Paul Adrian Glaubitz +Cc: Sam Ravnborg +Cc: Helge Deller +Cc: linux-fbdev@vger.kernel.org +Cc: dri-devel@lists.freedesktop.org +Acked-by: John Paul Adrian Glaubitz +Acked-by: Javier Martinez Canillas +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/Kconfig | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/video/fbdev/Kconfig b/drivers/video/fbdev/Kconfig +index 8e224ee27ade9..12846837f5de0 100644 +--- a/drivers/video/fbdev/Kconfig ++++ b/drivers/video/fbdev/Kconfig +@@ -2084,8 +2084,8 @@ config FB_COBALT + depends on FB && MIPS_COBALT + + config FB_SH7760 +- bool "SH7760/SH7763/SH7720/SH7721 LCDC support" +- depends on FB=y && (CPU_SUBTYPE_SH7760 || CPU_SUBTYPE_SH7763 \ ++ tristate "SH7760/SH7763/SH7720/SH7721 LCDC support" ++ depends on FB && (CPU_SUBTYPE_SH7760 || CPU_SUBTYPE_SH7763 \ + || CPU_SUBTYPE_SH7720 || CPU_SUBTYPE_SH7721) + select FB_CFB_FILLRECT + select FB_CFB_COPYAREA +-- +2.43.0 + diff --git a/queue-4.19/fbdev-shmobile-fix-snprintf-truncation.patch b/queue-4.19/fbdev-shmobile-fix-snprintf-truncation.patch new file mode 100644 index 00000000000..ca6d3de67dd --- /dev/null +++ b/queue-4.19/fbdev-shmobile-fix-snprintf-truncation.patch @@ -0,0 +1,40 @@ +From 5924c6052c0e4442135e4c7d09fbea206554dc08 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Mar 2024 23:38:00 +0100 +Subject: fbdev: shmobile: fix snprintf truncation + +From: Arnd Bergmann + +[ Upstream commit 26c8cfb9d1e4b252336d23dd5127a8cbed414a32 ] + +The name of the overlay does not fit into the fixed-length field: + +drivers/video/fbdev/sh_mobile_lcdcfb.c:1577:2: error: 'snprintf' will always be truncated; specified size is 16, but format string expands to at least 25 + +Make it short enough by changing the string. + +Fixes: c5deac3c9b22 ("fbdev: sh_mobile_lcdc: Implement overlays support") +Signed-off-by: Arnd Bergmann +Reviewed-by: Laurent Pinchart +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/sh_mobile_lcdcfb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/video/fbdev/sh_mobile_lcdcfb.c b/drivers/video/fbdev/sh_mobile_lcdcfb.c +index dc46be38c9706..4e97525346ed3 100644 +--- a/drivers/video/fbdev/sh_mobile_lcdcfb.c ++++ b/drivers/video/fbdev/sh_mobile_lcdcfb.c +@@ -1662,7 +1662,7 @@ sh_mobile_lcdc_overlay_fb_init(struct sh_mobile_lcdc_overlay *ovl) + */ + info->fix = sh_mobile_lcdc_overlay_fix; + snprintf(info->fix.id, sizeof(info->fix.id), +- "SH Mobile LCDC Overlay %u", ovl->index); ++ "SHMobile ovl %u", ovl->index); + info->fix.smem_start = ovl->dma_handle; + info->fix.smem_len = ovl->fb_size; + info->fix.line_length = ovl->pitch; +-- +2.43.0 + diff --git a/queue-4.19/fbdev-sisfb-hide-unused-variables.patch b/queue-4.19/fbdev-sisfb-hide-unused-variables.patch new file mode 100644 index 00000000000..906fa7e9d3c --- /dev/null +++ b/queue-4.19/fbdev-sisfb-hide-unused-variables.patch @@ -0,0 +1,68 @@ +From 2eecc3616af2954a521d8095749d433c667fa1d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Apr 2024 10:06:31 +0200 +Subject: fbdev: sisfb: hide unused variables + +From: Arnd Bergmann + +[ Upstream commit 688cf598665851b9e8cb5083ff1d208ce43d10ff ] + +Building with W=1 shows that a couple of variables in this driver are only +used in certain configurations: + +drivers/video/fbdev/sis/init301.c:239:28: error: 'SiS_Part2CLVX_6' defined but not used [-Werror=unused-const-variable=] + 239 | static const unsigned char SiS_Part2CLVX_6[] = { /* 1080i */ + | ^~~~~~~~~~~~~~~ +drivers/video/fbdev/sis/init301.c:230:28: error: 'SiS_Part2CLVX_5' defined but not used [-Werror=unused-const-variable=] + 230 | static const unsigned char SiS_Part2CLVX_5[] = { /* 750p */ + | ^~~~~~~~~~~~~~~ +drivers/video/fbdev/sis/init301.c:211:28: error: 'SiS_Part2CLVX_4' defined but not used [-Werror=unused-const-variable=] + 211 | static const unsigned char SiS_Part2CLVX_4[] = { /* PAL */ + | ^~~~~~~~~~~~~~~ +drivers/video/fbdev/sis/init301.c:192:28: error: 'SiS_Part2CLVX_3' defined but not used [-Werror=unused-const-variable=] + 192 | static const unsigned char SiS_Part2CLVX_3[] = { /* NTSC, 525i, 525p */ + | ^~~~~~~~~~~~~~~ +drivers/video/fbdev/sis/init301.c:184:28: error: 'SiS_Part2CLVX_2' defined but not used [-Werror=unused-const-variable=] + 184 | static const unsigned char SiS_Part2CLVX_2[] = { + | ^~~~~~~~~~~~~~~ +drivers/video/fbdev/sis/init301.c:176:28: error: 'SiS_Part2CLVX_1' defined but not used [-Werror=unused-const-variable=] + 176 | static const unsigned char SiS_Part2CLVX_1[] = { + | ^~~~~~~~~~~~~~~ + +This started showing up after the definitions were moved into the +source file from the header, which was not flagged by the compiler. +Move the definition into the appropriate #ifdef block that already +exists next to them. + +Fixes: 5908986ef348 ("video: fbdev: sis: avoid mismatched prototypes") +Signed-off-by: Arnd Bergmann +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/sis/init301.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/video/fbdev/sis/init301.c b/drivers/video/fbdev/sis/init301.c +index a8fb41f1a2580..09329072004f4 100644 +--- a/drivers/video/fbdev/sis/init301.c ++++ b/drivers/video/fbdev/sis/init301.c +@@ -172,7 +172,7 @@ static const unsigned char SiS_HiTVGroup3_2[] = { + }; + + /* 301C / 302ELV extended Part2 TV registers (4 tap scaler) */ +- ++#ifdef CONFIG_FB_SIS_315 + static const unsigned char SiS_Part2CLVX_1[] = { + 0x00,0x00, + 0x00,0x20,0x00,0x00,0x7F,0x20,0x02,0x7F,0x7D,0x20,0x04,0x7F,0x7D,0x1F,0x06,0x7E, +@@ -245,7 +245,6 @@ static const unsigned char SiS_Part2CLVX_6[] = { /* 1080i */ + 0xFF,0xFF, + }; + +-#ifdef CONFIG_FB_SIS_315 + /* 661 et al LCD data structure (2.03.00) */ + static const unsigned char SiS_LCDStruct661[] = { + /* 1024x768 */ +-- +2.43.0 + diff --git a/queue-4.19/firmware-raspberrypi-use-correct-device-for-dma-mapp.patch b/queue-4.19/firmware-raspberrypi-use-correct-device-for-dma-mapp.patch new file mode 100644 index 00000000000..65786d52bc4 --- /dev/null +++ b/queue-4.19/firmware-raspberrypi-use-correct-device-for-dma-mapp.patch @@ -0,0 +1,65 @@ +From 8f234e96dd5c9d97a197cf9e0d72a110694b5c11 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Mar 2024 21:58:06 +0200 +Subject: firmware: raspberrypi: Use correct device for DMA mappings + +From: Laurent Pinchart + +[ Upstream commit df518a0ae1b982a4dcf2235464016c0c4576a34d ] + +The buffer used to transfer data over the mailbox interface is mapped +using the client's device. This is incorrect, as the device performing +the DMA transfer is the mailbox itself. Fix it by using the mailbox +controller device instead. + +This requires including the mailbox_controller.h header to dereference +the mbox_chan and mbox_controller structures. The header is not meant to +be included by clients. This could be fixed by extending the client API +with a function to access the controller's device. + +Fixes: 4e3d60656a72 ("ARM: bcm2835: Add the Raspberry Pi firmware driver") +Signed-off-by: Laurent Pinchart +Reviewed-by: Stefan Wahren +Tested-by: Ivan T. Ivanov +Link: https://lore.kernel.org/r/20240326195807.15163-3-laurent.pinchart@ideasonboard.com +Signed-off-by: Florian Fainelli +Signed-off-by: Sasha Levin +--- + drivers/firmware/raspberrypi.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/firmware/raspberrypi.c b/drivers/firmware/raspberrypi.c +index 44eb99807e337..ea3975b94d6a1 100644 +--- a/drivers/firmware/raspberrypi.c ++++ b/drivers/firmware/raspberrypi.c +@@ -11,6 +11,7 @@ + + #include + #include ++#include + #include + #include + #include +@@ -91,8 +92,8 @@ int rpi_firmware_property_list(struct rpi_firmware *fw, + if (size & 3) + return -EINVAL; + +- buf = dma_alloc_coherent(fw->cl.dev, PAGE_ALIGN(size), &bus_addr, +- GFP_ATOMIC); ++ buf = dma_alloc_coherent(fw->chan->mbox->dev, PAGE_ALIGN(size), ++ &bus_addr, GFP_ATOMIC); + if (!buf) + return -ENOMEM; + +@@ -120,7 +121,7 @@ int rpi_firmware_property_list(struct rpi_firmware *fw, + ret = -EINVAL; + } + +- dma_free_coherent(fw->cl.dev, PAGE_ALIGN(size), buf, bus_addr); ++ dma_free_coherent(fw->chan->mbox->dev, PAGE_ALIGN(size), buf, bus_addr); + + return ret; + } +-- +2.43.0 + diff --git a/queue-4.19/hsi-omap_ssi_core-convert-to-platform-remove-callbac.patch b/queue-4.19/hsi-omap_ssi_core-convert-to-platform-remove-callbac.patch new file mode 100644 index 00000000000..a112bce35c1 --- /dev/null +++ b/queue-4.19/hsi-omap_ssi_core-convert-to-platform-remove-callbac.patch @@ -0,0 +1,68 @@ +From 0f7521231349911108210eccd3d6360be044a980 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Apr 2024 15:41:10 +0200 +Subject: HSI: omap_ssi_core: Convert to platform remove callback returning + void +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit 94eabddc24b3ec2d9e0ff77e17722a2afb092155 ] + +The .remove() callback for a platform driver returns an int which makes +many driver authors wrongly assume it's possible to do error handling by +returning an error code. However the value returned is ignored (apart +from emitting a warning) and this typically results in resource leaks. + +To improve here there is a quest to make the remove callback return +void. In the first step of this quest all drivers are converted to +.remove_new(), which already returns void. Eventually after all drivers +are converted, .remove_new() will be renamed to .remove(). + +Trivially convert this driver from always returning zero in the remove +callback to the void returning variant. + +Signed-off-by: Uwe Kleine-König +Link: https://lore.kernel.org/r/bc6b1caafa977346b33c1040d0f8e616bc0457bf.1712756364.git.u.kleine-koenig@pengutronix.de +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/hsi/controllers/omap_ssi_core.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/hsi/controllers/omap_ssi_core.c b/drivers/hsi/controllers/omap_ssi_core.c +index 6595f34e51aad..366117e51f418 100644 +--- a/drivers/hsi/controllers/omap_ssi_core.c ++++ b/drivers/hsi/controllers/omap_ssi_core.c +@@ -581,7 +581,7 @@ static int ssi_probe(struct platform_device *pd) + return err; + } + +-static int ssi_remove(struct platform_device *pd) ++static void ssi_remove(struct platform_device *pd) + { + struct hsi_controller *ssi = platform_get_drvdata(pd); + +@@ -595,8 +595,6 @@ static int ssi_remove(struct platform_device *pd) + platform_set_drvdata(pd, NULL); + + pm_runtime_disable(&pd->dev); +- +- return 0; + } + + #ifdef CONFIG_PM +@@ -652,7 +650,7 @@ MODULE_DEVICE_TABLE(of, omap_ssi_of_match); + + static struct platform_driver ssi_pdriver = { + .probe = ssi_probe, +- .remove = ssi_remove, ++ .remove_new = ssi_remove, + .driver = { + .name = "omap_ssi", + .pm = DEV_PM_OPS, +-- +2.43.0 + diff --git a/queue-4.19/hsi-omap_ssi_port-convert-to-platform-remove-callbac.patch b/queue-4.19/hsi-omap_ssi_port-convert-to-platform-remove-callbac.patch new file mode 100644 index 00000000000..f0aa0799b4b --- /dev/null +++ b/queue-4.19/hsi-omap_ssi_port-convert-to-platform-remove-callbac.patch @@ -0,0 +1,68 @@ +From c479dbc2c44d3dabeec1eb829e48813c6d0d3fc5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Apr 2024 15:41:11 +0200 +Subject: HSI: omap_ssi_port: Convert to platform remove callback returning + void +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit c076486b6a28aa584b3e86312442bac09279a015 ] + +The .remove() callback for a platform driver returns an int which makes +many driver authors wrongly assume it's possible to do error handling by +returning an error code. However the value returned is ignored (apart +from emitting a warning) and this typically results in resource leaks. + +To improve here there is a quest to make the remove callback return +void. In the first step of this quest all drivers are converted to +.remove_new(), which already returns void. Eventually after all drivers +are converted, .remove_new() will be renamed to .remove(). + +Trivially convert this driver from always returning zero in the remove +callback to the void returning variant. + +Signed-off-by: Uwe Kleine-König +Link: https://lore.kernel.org/r/11e06f4cce041436bd63fb24361f3cee06bd2d59.1712756364.git.u.kleine-koenig@pengutronix.de +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/hsi/controllers/omap_ssi_port.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/hsi/controllers/omap_ssi_port.c b/drivers/hsi/controllers/omap_ssi_port.c +index e6149fd43b628..2de7e54ddcca0 100644 +--- a/drivers/hsi/controllers/omap_ssi_port.c ++++ b/drivers/hsi/controllers/omap_ssi_port.c +@@ -1259,7 +1259,7 @@ static int ssi_port_probe(struct platform_device *pd) + return err; + } + +-static int ssi_port_remove(struct platform_device *pd) ++static void ssi_port_remove(struct platform_device *pd) + { + struct hsi_port *port = platform_get_drvdata(pd); + struct omap_ssi_port *omap_port = hsi_port_drvdata(port); +@@ -1286,8 +1286,6 @@ static int ssi_port_remove(struct platform_device *pd) + + pm_runtime_dont_use_autosuspend(&pd->dev); + pm_runtime_disable(&pd->dev); +- +- return 0; + } + + static int ssi_restore_divisor(struct omap_ssi_port *omap_port) +@@ -1422,7 +1420,7 @@ MODULE_DEVICE_TABLE(of, omap_ssi_port_of_match); + + struct platform_driver ssi_port_pdriver = { + .probe = ssi_port_probe, +- .remove = ssi_port_remove, ++ .remove_new = ssi_port_remove, + .driver = { + .name = "omap_ssi_port", + .of_match_table = omap_ssi_port_of_match, +-- +2.43.0 + diff --git a/queue-4.19/ipv6-sr-add-missing-seg6_local_exit.patch b/queue-4.19/ipv6-sr-add-missing-seg6_local_exit.patch new file mode 100644 index 00000000000..b8f56b88577 --- /dev/null +++ b/queue-4.19/ipv6-sr-add-missing-seg6_local_exit.patch @@ -0,0 +1,38 @@ +From e5eb689da77f8a30a7ec49f3e16d77fab3f57282 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 May 2024 21:18:10 +0800 +Subject: ipv6: sr: add missing seg6_local_exit + +From: Hangbin Liu + +[ Upstream commit 3321687e321307629c71b664225b861ebf3e5753 ] + +Currently, we only call seg6_local_exit() in seg6_init() if +seg6_local_init() failed. But forgot to call it in seg6_exit(). + +Fixes: d1df6fd8a1d2 ("ipv6: sr: define core operations for seg6local lightweight tunnel") +Signed-off-by: Hangbin Liu +Reviewed-by: Sabrina Dubroca +Reviewed-by: David Ahern +Link: https://lore.kernel.org/r/20240509131812.1662197-2-liuhangbin@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/seg6.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/ipv6/seg6.c b/net/ipv6/seg6.c +index 4bd601c964343..42ff4f421d42a 100644 +--- a/net/ipv6/seg6.c ++++ b/net/ipv6/seg6.c +@@ -497,6 +497,7 @@ void seg6_exit(void) + seg6_hmac_exit(); + #endif + #ifdef CONFIG_IPV6_SEG6_LWTUNNEL ++ seg6_local_exit(); + seg6_iptunnel_exit(); + #endif + unregister_pernet_subsys(&ip6_segments_ops); +-- +2.43.0 + diff --git a/queue-4.19/ipv6-sr-fix-incorrect-unregister-order.patch b/queue-4.19/ipv6-sr-fix-incorrect-unregister-order.patch new file mode 100644 index 00000000000..0edb3ea0101 --- /dev/null +++ b/queue-4.19/ipv6-sr-fix-incorrect-unregister-order.patch @@ -0,0 +1,39 @@ +From 76b049237553b398aeeecd50f202882079d67e08 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 May 2024 21:18:11 +0800 +Subject: ipv6: sr: fix incorrect unregister order + +From: Hangbin Liu + +[ Upstream commit 6e370a771d2985107e82d0f6174381c1acb49c20 ] + +Commit 5559cea2d5aa ("ipv6: sr: fix possible use-after-free and +null-ptr-deref") changed the register order in seg6_init(). But the +unregister order in seg6_exit() is not updated. + +Fixes: 5559cea2d5aa ("ipv6: sr: fix possible use-after-free and null-ptr-deref") +Signed-off-by: Hangbin Liu +Reviewed-by: Sabrina Dubroca +Reviewed-by: David Ahern +Link: https://lore.kernel.org/r/20240509131812.1662197-3-liuhangbin@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/seg6.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv6/seg6.c b/net/ipv6/seg6.c +index 42ff4f421d42a..9810ce81dee81 100644 +--- a/net/ipv6/seg6.c ++++ b/net/ipv6/seg6.c +@@ -500,6 +500,6 @@ void seg6_exit(void) + seg6_local_exit(); + seg6_iptunnel_exit(); + #endif +- unregister_pernet_subsys(&ip6_segments_ops); + genl_unregister_family(&seg6_genl_family); ++ unregister_pernet_subsys(&ip6_segments_ops); + } +-- +2.43.0 + diff --git a/queue-4.19/ipv6-sr-fix-invalid-unregister-error-path.patch b/queue-4.19/ipv6-sr-fix-invalid-unregister-error-path.patch new file mode 100644 index 00000000000..d861e698204 --- /dev/null +++ b/queue-4.19/ipv6-sr-fix-invalid-unregister-error-path.patch @@ -0,0 +1,46 @@ +From 567bc76e6cfad0755032e6ae953af7b058fba699 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 May 2024 21:18:12 +0800 +Subject: ipv6: sr: fix invalid unregister error path + +From: Hangbin Liu + +[ Upstream commit 160e9d2752181fcf18c662e74022d77d3164cd45 ] + +The error path of seg6_init() is wrong in case CONFIG_IPV6_SEG6_LWTUNNEL +is not defined. In that case if seg6_hmac_init() fails, the +genl_unregister_family() isn't called. + +This issue exist since commit 46738b1317e1 ("ipv6: sr: add option to control +lwtunnel support"), and commit 5559cea2d5aa ("ipv6: sr: fix possible +use-after-free and null-ptr-deref") replaced unregister_pernet_subsys() +with genl_unregister_family() in this error path. + +Fixes: 46738b1317e1 ("ipv6: sr: add option to control lwtunnel support") +Reported-by: Guillaume Nault +Signed-off-by: Hangbin Liu +Reviewed-by: Sabrina Dubroca +Reviewed-by: David Ahern +Link: https://lore.kernel.org/r/20240509131812.1662197-4-liuhangbin@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/seg6.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/ipv6/seg6.c b/net/ipv6/seg6.c +index 9810ce81dee81..605d270d8c109 100644 +--- a/net/ipv6/seg6.c ++++ b/net/ipv6/seg6.c +@@ -484,6 +484,8 @@ int __init seg6_init(void) + #endif + #ifdef CONFIG_IPV6_SEG6_LWTUNNEL + out_unregister_genl: ++#endif ++#if IS_ENABLED(CONFIG_IPV6_SEG6_LWTUNNEL) || IS_ENABLED(CONFIG_IPV6_SEG6_HMAC) + genl_unregister_family(&seg6_genl_family); + #endif + out_unregister_pernet: +-- +2.43.0 + diff --git a/queue-4.19/irqchip-alpine-msi-fix-off-by-one-in-allocation-erro.patch b/queue-4.19/irqchip-alpine-msi-fix-off-by-one-in-allocation-erro.patch new file mode 100644 index 00000000000..006f987b524 --- /dev/null +++ b/queue-4.19/irqchip-alpine-msi-fix-off-by-one-in-allocation-erro.patch @@ -0,0 +1,40 @@ +From 7e2b92f9ad2bf8aaf413b6aff22be6b8f135bd7a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Mar 2024 22:23:05 +0800 +Subject: irqchip/alpine-msi: Fix off-by-one in allocation error path + +From: Zenghui Yu + +[ Upstream commit ff3669a71afa06208de58d6bea1cc49d5e3fcbd1 ] + +When alpine_msix_gic_domain_alloc() fails, there is an off-by-one in the +number of interrupts to be freed. + +Fix it by passing the number of successfully allocated interrupts, instead +of the relative index of the last allocated one. + +Fixes: 3841245e8498 ("irqchip/alpine-msi: Fix freeing of interrupts on allocation error path") +Signed-off-by: Zenghui Yu +Signed-off-by: Thomas Gleixner +Link: https://lore.kernel.org/r/20240327142305.1048-1-yuzenghui@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-alpine-msi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/irqchip/irq-alpine-msi.c b/drivers/irqchip/irq-alpine-msi.c +index 1819bb1d27230..aedbc4befcdf0 100644 +--- a/drivers/irqchip/irq-alpine-msi.c ++++ b/drivers/irqchip/irq-alpine-msi.c +@@ -165,7 +165,7 @@ static int alpine_msix_middle_domain_alloc(struct irq_domain *domain, + return 0; + + err_sgi: +- irq_domain_free_irqs_parent(domain, virq, i - 1); ++ irq_domain_free_irqs_parent(domain, virq, i); + alpine_msix_free_sgi(priv, sgi, nr_irqs); + return err; + } +-- +2.43.0 + diff --git a/queue-4.19/jffs2-prevent-xattr-node-from-overflowing-the-eraseb.patch b/queue-4.19/jffs2-prevent-xattr-node-from-overflowing-the-eraseb.patch new file mode 100644 index 00000000000..942b5387f15 --- /dev/null +++ b/queue-4.19/jffs2-prevent-xattr-node-from-overflowing-the-eraseb.patch @@ -0,0 +1,81 @@ +From 4456fa1c87dc0447153d390266532604e20f16ec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Apr 2024 18:53:54 +0300 +Subject: jffs2: prevent xattr node from overflowing the eraseblock + +From: Ilya Denisyev + +[ Upstream commit c6854e5a267c28300ff045480b5a7ee7f6f1d913 ] + +Add a check to make sure that the requested xattr node size is no larger +than the eraseblock minus the cleanmarker. + +Unlike the usual inode nodes, the xattr nodes aren't split into parts +and spread across multiple eraseblocks, which means that a xattr node +must not occupy more than one eraseblock. If the requested xattr value is +too large, the xattr node can spill onto the next eraseblock, overwriting +the nodes and causing errors such as: + +jffs2: argh. node added in wrong place at 0x0000b050(2) +jffs2: nextblock 0x0000a000, expected at 0000b00c +jffs2: error: (823) do_verify_xattr_datum: node CRC failed at 0x01e050, +read=0xfc892c93, calc=0x000000 +jffs2: notice: (823) jffs2_get_inode_nodes: Node header CRC failed +at 0x01e00c. {848f,2fc4,0fef511f,59a3d171} +jffs2: Node at 0x0000000c with length 0x00001044 would run over the +end of the erase block +jffs2: Perhaps the file system was created with the wrong erase size? +jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found +at 0x00000010: 0x1044 instead + +This breaks the filesystem and can lead to KASAN crashes such as: + +BUG: KASAN: slab-out-of-bounds in jffs2_sum_add_kvec+0x125e/0x15d0 +Read of size 4 at addr ffff88802c31e914 by task repro/830 +CPU: 0 PID: 830 Comm: repro Not tainted 6.9.0-rc3+ #1 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), +BIOS Arch Linux 1.16.3-1-1 04/01/2014 +Call Trace: + + dump_stack_lvl+0xc6/0x120 + print_report+0xc4/0x620 + ? __virt_addr_valid+0x308/0x5b0 + kasan_report+0xc1/0xf0 + ? jffs2_sum_add_kvec+0x125e/0x15d0 + ? jffs2_sum_add_kvec+0x125e/0x15d0 + jffs2_sum_add_kvec+0x125e/0x15d0 + jffs2_flash_direct_writev+0xa8/0xd0 + jffs2_flash_writev+0x9c9/0xef0 + ? __x64_sys_setxattr+0xc4/0x160 + ? do_syscall_64+0x69/0x140 + ? entry_SYSCALL_64_after_hwframe+0x76/0x7e + [...] + +Found by Linux Verification Center (linuxtesting.org) with Syzkaller. + +Fixes: aa98d7cf59b5 ("[JFFS2][XATTR] XATTR support on JFFS2 (version. 5)") +Signed-off-by: Ilya Denisyev +Link: https://lore.kernel.org/r/20240412155357.237803-1-dev@elkcl.ru +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/jffs2/xattr.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/jffs2/xattr.c b/fs/jffs2/xattr.c +index acb4492f5970c..5a31220f96f5f 100644 +--- a/fs/jffs2/xattr.c ++++ b/fs/jffs2/xattr.c +@@ -1111,6 +1111,9 @@ int do_jffs2_setxattr(struct inode *inode, int xprefix, const char *xname, + return rc; + + request = PAD(sizeof(struct jffs2_raw_xattr) + strlen(xname) + 1 + size); ++ if (request > c->sector_size - c->cleanmarker_size) ++ return -ERANGE; ++ + rc = jffs2_reserve_space(c, request, &length, + ALLOC_NORMAL, JFFS2_SUMMARY_XATTR_SIZE); + if (rc) { +-- +2.43.0 + diff --git a/queue-4.19/m68k-fix-spinlock-race-in-kernel-thread-creation.patch b/queue-4.19/m68k-fix-spinlock-race-in-kernel-thread-creation.patch new file mode 100644 index 00000000000..01fa4b344c0 --- /dev/null +++ b/queue-4.19/m68k-fix-spinlock-race-in-kernel-thread-creation.patch @@ -0,0 +1,77 @@ +From 21d265ce13ca673129d4682c5e078ad9cbf25bfe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Apr 2024 15:36:31 +1200 +Subject: m68k: Fix spinlock race in kernel thread creation + +From: Michael Schmitz + +[ Upstream commit da89ce46f02470ef08f0f580755d14d547da59ed ] + +Context switching does take care to retain the correct lock owner across +the switch from 'prev' to 'next' tasks. This does rely on interrupts +remaining disabled for the entire duration of the switch. + +This condition is guaranteed for normal process creation and context +switching between already running processes, because both 'prev' and +'next' already have interrupts disabled in their saved copies of the +status register. + +The situation is different for newly created kernel threads. The status +register is set to PS_S in copy_thread(), which does leave the IPL at 0. +Upon restoring the 'next' thread's status register in switch_to() aka +resume(), interrupts then become enabled prematurely. resume() then +returns via ret_from_kernel_thread() and schedule_tail() where run queue +lock is released (see finish_task_switch() and finish_lock_switch()). + +A timer interrupt calling scheduler_tick() before the lock is released +in finish_task_switch() will find the lock already taken, with the +current task as lock owner. This causes a spinlock recursion warning as +reported by Guenter Roeck. + +As far as I can ascertain, this race has been opened in commit +533e6903bea0 ("m68k: split ret_from_fork(), simplify kernel_thread()") +but I haven't done a detailed study of kernel history so it may well +predate that commit. + +Interrupts cannot be disabled in the saved status register copy for +kernel threads (init will complain about interrupts disabled when +finally starting user space). Disable interrupts temporarily when +switching the tasks' register sets in resume(). + +Note that a simple oriw 0x700,%sr after restoring sr is not enough here +- this leaves enough of a race for the 'spinlock recursion' warning to +still be observed. + +Tested on ARAnyM and qemu (Quadra 800 emulation). + +Fixes: 533e6903bea0 ("m68k: split ret_from_fork(), simplify kernel_thread()") +Reported-by: Guenter Roeck +Closes: https://lore.kernel.org/all/07811b26-677c-4d05-aeb4-996cd880b789@roeck-us.net +Signed-off-by: Michael Schmitz +Tested-by: Guenter Roeck +Reviewed-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/20240411033631.16335-1-schmitzmic@gmail.com +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + arch/m68k/kernel/entry.S | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/arch/m68k/kernel/entry.S b/arch/m68k/kernel/entry.S +index 9a66657773beb..417d8f0e89627 100644 +--- a/arch/m68k/kernel/entry.S ++++ b/arch/m68k/kernel/entry.S +@@ -425,7 +425,9 @@ resume: + movec %a0,%dfc + + /* restore status register */ +- movew %a1@(TASK_THREAD+THREAD_SR),%sr ++ movew %a1@(TASK_THREAD+THREAD_SR),%d0 ++ oriw #0x0700,%d0 ++ movew %d0,%sr + + rts + +-- +2.43.0 + diff --git a/queue-4.19/m68k-mac-fix-reboot-hang-on-mac-iici.patch b/queue-4.19/m68k-mac-fix-reboot-hang-on-mac-iici.patch new file mode 100644 index 00000000000..1260d7ec97a --- /dev/null +++ b/queue-4.19/m68k-mac-fix-reboot-hang-on-mac-iici.patch @@ -0,0 +1,99 @@ +From dffdcbaf4ee3a58614ce1d1f1fb649a412fefc58 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 May 2024 14:31:12 +1000 +Subject: m68k: mac: Fix reboot hang on Mac IIci + +From: Finn Thain + +[ Upstream commit 265a3b322df9a973ff1fc63da70af456ab6ae1d6 ] + +Calling mac_reset() on a Mac IIci does reset the system, but what +follows is a POST failure that requires a manual reset to resolve. +Avoid that by using the 68030 asm implementation instead of the C +implementation. + +Apparently the SE/30 has a similar problem as it has used the asm +implementation since before git. This patch extends that solution to +other systems with a similar ROM. + +After this patch, the only systems still using the C implementation are +68040 systems where adb_type is either MAC_ADB_IOP or MAC_ADB_II. This +implies a 1 MiB Quadra ROM. + +This now includes the Quadra 900/950, which previously fell through to +the "should never get here" catch-all. + +Reported-and-tested-by: Stan Johnson +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Finn Thain +Reviewed-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/480ebd1249d229c6dc1f3f1c6d599b8505483fd8.1714797072.git.fthain@linux-m68k.org +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + arch/m68k/mac/misc.c | 36 ++++++++++++++++++------------------ + 1 file changed, 18 insertions(+), 18 deletions(-) + +diff --git a/arch/m68k/mac/misc.c b/arch/m68k/mac/misc.c +index 3848ff15c59f7..3d7b34504ab9c 100644 +--- a/arch/m68k/mac/misc.c ++++ b/arch/m68k/mac/misc.c +@@ -462,30 +462,18 @@ void mac_poweroff(void) + + void mac_reset(void) + { +- if (macintosh_config->adb_type == MAC_ADB_II && +- macintosh_config->ident != MAC_MODEL_SE30) { +- /* need ROMBASE in booter */ +- /* indeed, plus need to MAP THE ROM !! */ +- +- if (mac_bi_data.rombase == 0) +- mac_bi_data.rombase = 0x40800000; +- +- /* works on some */ +- rom_reset = (void *) (mac_bi_data.rombase + 0xa); +- +- local_irq_disable(); +- rom_reset(); + #ifdef CONFIG_ADB_CUDA +- } else if (macintosh_config->adb_type == MAC_ADB_EGRET || +- macintosh_config->adb_type == MAC_ADB_CUDA) { ++ if (macintosh_config->adb_type == MAC_ADB_EGRET || ++ macintosh_config->adb_type == MAC_ADB_CUDA) { + cuda_restart(); ++ } else + #endif + #ifdef CONFIG_ADB_PMU +- } else if (macintosh_config->adb_type == MAC_ADB_PB2) { ++ if (macintosh_config->adb_type == MAC_ADB_PB2) { + pmu_restart(); ++ } else + #endif +- } else if (CPU_IS_030) { +- ++ if (CPU_IS_030) { + /* 030-specific reset routine. The idea is general, but the + * specific registers to reset are '030-specific. Until I + * have a non-030 machine, I can't test anything else. +@@ -533,6 +521,18 @@ void mac_reset(void) + "jmp %/a0@\n\t" /* jump to the reset vector */ + ".chip 68k" + : : "r" (offset), "a" (rombase) : "a0"); ++ } else { ++ /* need ROMBASE in booter */ ++ /* indeed, plus need to MAP THE ROM !! */ ++ ++ if (mac_bi_data.rombase == 0) ++ mac_bi_data.rombase = 0x40800000; ++ ++ /* works on some */ ++ rom_reset = (void *)(mac_bi_data.rombase + 0xa); ++ ++ local_irq_disable(); ++ rom_reset(); + } + + /* should never get here */ +-- +2.43.0 + diff --git a/queue-4.19/m68k-mac-use-030-reset-method-on-se-30.patch b/queue-4.19/m68k-mac-use-030-reset-method-on-se-30.patch new file mode 100644 index 00000000000..64ffddd9abf --- /dev/null +++ b/queue-4.19/m68k-mac-use-030-reset-method-on-se-30.patch @@ -0,0 +1,60 @@ +From 15dbf3485adf9f93fdfc8cd955ab2c2f30296721 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 22 Dec 2018 13:18:01 +1100 +Subject: m68k/mac: Use '030 reset method on SE/30 + +From: Finn Thain + +[ Upstream commit 9c0e91f6b701dce6902408d50c4df9cebe4744f5 ] + +The comment says that calling the ROM routine doesn't work. But testing +shows that the 68030 fall-back reset method does work, so just use that. + +Tested-by: Stan Johnson +Signed-off-by: Finn Thain +Signed-off-by: Geert Uytterhoeven +Stable-dep-of: 265a3b322df9 ("m68k: mac: Fix reboot hang on Mac IIci") +Signed-off-by: Sasha Levin +--- + arch/m68k/mac/misc.c | 18 ++++-------------- + 1 file changed, 4 insertions(+), 14 deletions(-) + +diff --git a/arch/m68k/mac/misc.c b/arch/m68k/mac/misc.c +index 1b083c500b9a1..3848ff15c59f7 100644 +--- a/arch/m68k/mac/misc.c ++++ b/arch/m68k/mac/misc.c +@@ -462,9 +462,8 @@ void mac_poweroff(void) + + void mac_reset(void) + { +- if (macintosh_config->adb_type == MAC_ADB_II) { +- unsigned long flags; +- ++ if (macintosh_config->adb_type == MAC_ADB_II && ++ macintosh_config->ident != MAC_MODEL_SE30) { + /* need ROMBASE in booter */ + /* indeed, plus need to MAP THE ROM !! */ + +@@ -474,17 +473,8 @@ void mac_reset(void) + /* works on some */ + rom_reset = (void *) (mac_bi_data.rombase + 0xa); + +- if (macintosh_config->ident == MAC_MODEL_SE30) { +- /* +- * MSch: Machines known to crash on ROM reset ... +- */ +- } else { +- local_irq_save(flags); +- +- rom_reset(); +- +- local_irq_restore(flags); +- } ++ local_irq_disable(); ++ rom_reset(); + #ifdef CONFIG_ADB_CUDA + } else if (macintosh_config->adb_type == MAC_ADB_EGRET || + macintosh_config->adb_type == MAC_ADB_CUDA) { +-- +2.43.0 + diff --git a/queue-4.19/macintosh-via-macii-fix-bug-sleeping-function-called.patch b/queue-4.19/macintosh-via-macii-fix-bug-sleeping-function-called.patch new file mode 100644 index 00000000000..e502c912120 --- /dev/null +++ b/queue-4.19/macintosh-via-macii-fix-bug-sleeping-function-called.patch @@ -0,0 +1,59 @@ +From d2ae4213cf9ad9183ea1ea2220523373fb011c65 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Mar 2024 13:53:41 +1100 +Subject: macintosh/via-macii: Fix "BUG: sleeping function called from invalid + context" + +From: Finn Thain + +[ Upstream commit d301a71c76ee4c384b4e03cdc320a55f5cf1df05 ] + +The via-macii ADB driver calls request_irq() after disabling hard +interrupts. But disabling interrupts isn't necessary here because the +VIA shift register interrupt was masked during VIA1 initialization. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Finn Thain +Reviewed-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/419fcc09d0e563b425c419053d02236b044d86b0.1710298421.git.fthain@linux-m68k.org +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + drivers/macintosh/via-macii.c | 11 +++-------- + 1 file changed, 3 insertions(+), 8 deletions(-) + +diff --git a/drivers/macintosh/via-macii.c b/drivers/macintosh/via-macii.c +index 177c3ef59c875..107f529a8e466 100644 +--- a/drivers/macintosh/via-macii.c ++++ b/drivers/macintosh/via-macii.c +@@ -135,24 +135,19 @@ static int macii_probe(void) + /* Initialize the driver */ + int macii_init(void) + { +- unsigned long flags; + int err; + +- local_irq_save(flags); +- + err = macii_init_via(); + if (err) +- goto out; ++ return err; + + err = request_irq(IRQ_MAC_ADB, macii_interrupt, 0, "ADB", + macii_interrupt); + if (err) +- goto out; ++ return err; + + macii_state = idle; +-out: +- local_irq_restore(flags); +- return err; ++ return 0; + } + + /* initialize the hardware */ +-- +2.43.0 + diff --git a/queue-4.19/macintosh-via-macii-macintosh-adb-iop-clean-up-white.patch b/queue-4.19/macintosh-via-macii-macintosh-adb-iop-clean-up-white.patch new file mode 100644 index 00000000000..c544aa8a1f2 --- /dev/null +++ b/queue-4.19/macintosh-via-macii-macintosh-adb-iop-clean-up-white.patch @@ -0,0 +1,587 @@ +From b1e3790208d68278b99f11ffffdd6a96f01e4982 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Sep 2018 20:18:44 -0400 +Subject: macintosh/via-macii, macintosh/adb-iop: Clean up whitespace + +From: Finn Thain + +[ Upstream commit 47fd2060660e62b169990a6fcd9eb61bc1a85c5c ] + +Signed-off-by: Finn Thain +Signed-off-by: Michael Ellerman +Stable-dep-of: d301a71c76ee ("macintosh/via-macii: Fix "BUG: sleeping function called from invalid context"") +Signed-off-by: Sasha Levin +--- + drivers/macintosh/adb-iop.c | 48 +++--- + drivers/macintosh/via-macii.c | 288 +++++++++++++++++----------------- + 2 files changed, 175 insertions(+), 161 deletions(-) + +diff --git a/drivers/macintosh/adb-iop.c b/drivers/macintosh/adb-iop.c +index ca623e6446e4c..17280410e930a 100644 +--- a/drivers/macintosh/adb-iop.c ++++ b/drivers/macintosh/adb-iop.c +@@ -20,13 +20,13 @@ + #include + #include + +-#include +-#include ++#include ++#include + #include + #include + #include + +-#include ++#include + + /*#define DEBUG_ADB_IOP*/ + +@@ -38,9 +38,9 @@ static unsigned char *reply_ptr; + #endif + + static enum adb_iop_state { +- idle, +- sending, +- awaiting_reply ++ idle, ++ sending, ++ awaiting_reply + } adb_iop_state; + + static void adb_iop_start(void); +@@ -66,7 +66,8 @@ static void adb_iop_end_req(struct adb_request *req, int state) + { + req->complete = 1; + current_req = req->next; +- if (req->done) (*req->done)(req); ++ if (req->done) ++ (*req->done)(req); + adb_iop_state = state; + } + +@@ -100,7 +101,7 @@ static void adb_iop_complete(struct iop_msg *msg) + + static void adb_iop_listen(struct iop_msg *msg) + { +- struct adb_iopmsg *amsg = (struct adb_iopmsg *) msg->message; ++ struct adb_iopmsg *amsg = (struct adb_iopmsg *)msg->message; + struct adb_request *req; + unsigned long flags; + #ifdef DEBUG_ADB_IOP +@@ -113,9 +114,9 @@ static void adb_iop_listen(struct iop_msg *msg) + + #ifdef DEBUG_ADB_IOP + printk("adb_iop_listen %p: rcvd packet, %d bytes: %02X %02X", req, +- (uint) amsg->count + 2, (uint) amsg->flags, (uint) amsg->cmd); ++ (uint)amsg->count + 2, (uint)amsg->flags, (uint)amsg->cmd); + for (i = 0; i < amsg->count; i++) +- printk(" %02X", (uint) amsg->data[i]); ++ printk(" %02X", (uint)amsg->data[i]); + printk("\n"); + #endif + +@@ -168,14 +169,15 @@ static void adb_iop_start(void) + + /* get the packet to send */ + req = current_req; +- if (!req) return; ++ if (!req) ++ return; + + local_irq_save(flags); + + #ifdef DEBUG_ADB_IOP + printk("adb_iop_start %p: sending packet, %d bytes:", req, req->nbytes); +- for (i = 0 ; i < req->nbytes ; i++) +- printk(" %02X", (uint) req->data[i]); ++ for (i = 0; i < req->nbytes; i++) ++ printk(" %02X", (uint)req->data[i]); + printk("\n"); + #endif + +@@ -196,13 +198,14 @@ static void adb_iop_start(void) + /* Now send it. The IOP manager will call adb_iop_complete */ + /* when the packet has been sent. */ + +- iop_send_message(ADB_IOP, ADB_CHAN, req, +- sizeof(amsg), (__u8 *) &amsg, adb_iop_complete); ++ iop_send_message(ADB_IOP, ADB_CHAN, req, sizeof(amsg), (__u8 *)&amsg, ++ adb_iop_complete); + } + + int adb_iop_probe(void) + { +- if (!iop_ism_present) return -ENODEV; ++ if (!iop_ism_present) ++ return -ENODEV; + return 0; + } + +@@ -218,10 +221,12 @@ int adb_iop_send_request(struct adb_request *req, int sync) + int err; + + err = adb_iop_write(req); +- if (err) return err; ++ if (err) ++ return err; + + if (sync) { +- while (!req->complete) adb_iop_poll(); ++ while (!req->complete) ++ adb_iop_poll(); + } + return 0; + } +@@ -251,7 +256,9 @@ static int adb_iop_write(struct adb_request *req) + } + + local_irq_restore(flags); +- if (adb_iop_state == idle) adb_iop_start(); ++ ++ if (adb_iop_state == idle) ++ adb_iop_start(); + return 0; + } + +@@ -263,7 +270,8 @@ int adb_iop_autopoll(int devs) + + void adb_iop_poll(void) + { +- if (adb_iop_state == idle) adb_iop_start(); ++ if (adb_iop_state == idle) ++ adb_iop_start(); + iop_ism_irq_poll(ADB_IOP); + } + +diff --git a/drivers/macintosh/via-macii.c b/drivers/macintosh/via-macii.c +index fc6ad5bf1875a..177c3ef59c875 100644 +--- a/drivers/macintosh/via-macii.c ++++ b/drivers/macintosh/via-macii.c +@@ -12,7 +12,7 @@ + * + * 1999-08-02 (jmt) - Initial rewrite for Unified ADB. + * 2000-03-29 Tony Mantler +- * - Big overhaul, should actually work now. ++ * - Big overhaul, should actually work now. + * 2006-12-31 Finn Thain - Another overhaul. + * + * Suggested reading: +@@ -23,7 +23,7 @@ + * Apple's "ADB Analyzer" bus sniffer is invaluable: + * ftp://ftp.apple.com/developer/Tool_Chest/Devices_-_Hardware/Apple_Desktop_Bus/ + */ +- ++ + #include + #include + #include +@@ -77,7 +77,7 @@ static volatile unsigned char *via; + #define ST_ODD 0x20 /* ADB state: odd data byte */ + #define ST_IDLE 0x30 /* ADB state: idle, nothing to send */ + +-static int macii_init_via(void); ++static int macii_init_via(void); + static void macii_start(void); + static irqreturn_t macii_interrupt(int irq, void *arg); + static void macii_queue_poll(void); +@@ -123,7 +123,8 @@ static int autopoll_devs; /* bits set are device addresses to be polled */ + /* Check for MacII style ADB */ + static int macii_probe(void) + { +- if (macintosh_config->adb_type != MAC_ADB_II) return -ENODEV; ++ if (macintosh_config->adb_type != MAC_ADB_II) ++ return -ENODEV; + + via = via1; + +@@ -136,15 +137,17 @@ int macii_init(void) + { + unsigned long flags; + int err; +- ++ + local_irq_save(flags); +- ++ + err = macii_init_via(); +- if (err) goto out; ++ if (err) ++ goto out; + + err = request_irq(IRQ_MAC_ADB, macii_interrupt, 0, "ADB", + macii_interrupt); +- if (err) goto out; ++ if (err) ++ goto out; + + macii_state = idle; + out: +@@ -152,7 +155,7 @@ int macii_init(void) + return err; + } + +-/* initialize the hardware */ ++/* initialize the hardware */ + static int macii_init_via(void) + { + unsigned char x; +@@ -162,7 +165,7 @@ static int macii_init_via(void) + + /* Set up state: idle */ + via[B] |= ST_IDLE; +- last_status = via[B] & (ST_MASK|CTLR_IRQ); ++ last_status = via[B] & (ST_MASK | CTLR_IRQ); + + /* Shift register on input */ + via[ACR] = (via[ACR] & ~SR_CTRL) | SR_EXT; +@@ -188,7 +191,8 @@ static void macii_queue_poll(void) + int next_device; + static struct adb_request req; + +- if (!autopoll_devs) return; ++ if (!autopoll_devs) ++ return; + + device_mask = (1 << (((command_byte & 0xF0) >> 4) + 1)) - 1; + if (autopoll_devs & ~device_mask) +@@ -196,8 +200,7 @@ static void macii_queue_poll(void) + else + next_device = ffs(autopoll_devs) - 1; + +- adb_request(&req, NULL, ADBREQ_NOSEND, 1, +- ADB_READREG(next_device, 0)); ++ adb_request(&req, NULL, ADBREQ_NOSEND, 1, ADB_READREG(next_device, 0)); + + req.sent = 0; + req.complete = 0; +@@ -236,7 +239,7 @@ static int macii_write(struct adb_request *req) + req->complete = 1; + return -EINVAL; + } +- ++ + req->next = NULL; + req->sent = 0; + req->complete = 0; +@@ -248,7 +251,8 @@ static int macii_write(struct adb_request *req) + } else { + current_req = req; + last_req = req; +- if (macii_state == idle) macii_start(); ++ if (macii_state == idle) ++ macii_start(); + } + return 0; + } +@@ -263,7 +267,8 @@ static int macii_autopoll(int devs) + /* bit 1 == device 1, and so on. */ + autopoll_devs = devs & 0xFFFE; + +- if (!autopoll_devs) return 0; ++ if (!autopoll_devs) ++ return 0; + + local_irq_save(flags); + +@@ -280,7 +285,8 @@ static int macii_autopoll(int devs) + return err; + } + +-static inline int need_autopoll(void) { ++static inline int need_autopoll(void) ++{ + /* Was the last command Talk Reg 0 + * and is the target on the autopoll list? + */ +@@ -302,7 +308,7 @@ static void macii_poll(void) + static int macii_reset_bus(void) + { + static struct adb_request req; +- ++ + /* Command = 0, Address = ignored */ + adb_request(&req, NULL, 0, 1, ADB_BUSRESET); + +@@ -344,7 +350,7 @@ static void macii_start(void) + * to be activity on the ADB bus. The chip will poll to achieve this. + * + * The basic ADB state machine was left unchanged from the original MacII code +- * by Alan Cox, which was based on the CUDA driver for PowerMac. ++ * by Alan Cox, which was based on the CUDA driver for PowerMac. + * The syntax of the ADB status lines is totally different on MacII, + * though. MacII uses the states Command -> Even -> Odd -> Even ->...-> Idle + * for sending and Idle -> Even -> Odd -> Even ->...-> Idle for receiving. +@@ -367,147 +373,147 @@ static irqreturn_t macii_interrupt(int irq, void *arg) + } + + last_status = status; +- status = via[B] & (ST_MASK|CTLR_IRQ); ++ status = via[B] & (ST_MASK | CTLR_IRQ); + + switch (macii_state) { +- case idle: +- if (reading_reply) { +- reply_ptr = current_req->reply; +- } else { +- WARN_ON(current_req); +- reply_ptr = reply_buf; +- } ++ case idle: ++ if (reading_reply) { ++ reply_ptr = current_req->reply; ++ } else { ++ WARN_ON(current_req); ++ reply_ptr = reply_buf; ++ } ++ ++ x = via[SR]; ++ ++ if ((status & CTLR_IRQ) && (x == 0xFF)) { ++ /* Bus timeout without SRQ sequence: ++ * data is "FF" while CTLR_IRQ is "H" ++ */ ++ reply_len = 0; ++ srq_asserted = 0; ++ macii_state = read_done; ++ } else { ++ macii_state = reading; ++ *reply_ptr = x; ++ reply_len = 1; ++ } ++ ++ /* set ADB state = even for first data byte */ ++ via[B] = (via[B] & ~ST_MASK) | ST_EVEN; ++ break; + +- x = via[SR]; ++ case sending: ++ req = current_req; ++ if (data_index >= req->nbytes) { ++ req->sent = 1; ++ macii_state = idle; + +- if ((status & CTLR_IRQ) && (x == 0xFF)) { +- /* Bus timeout without SRQ sequence: +- * data is "FF" while CTLR_IRQ is "H" +- */ +- reply_len = 0; +- srq_asserted = 0; +- macii_state = read_done; ++ if (req->reply_expected) { ++ reading_reply = 1; + } else { +- macii_state = reading; +- *reply_ptr = x; +- reply_len = 1; +- } ++ req->complete = 1; ++ current_req = req->next; ++ if (req->done) ++ (*req->done)(req); + +- /* set ADB state = even for first data byte */ +- via[B] = (via[B] & ~ST_MASK) | ST_EVEN; +- break; ++ if (current_req) ++ macii_start(); ++ else if (need_autopoll()) ++ macii_autopoll(autopoll_devs); ++ } + +- case sending: +- req = current_req; +- if (data_index >= req->nbytes) { +- req->sent = 1; +- macii_state = idle; +- +- if (req->reply_expected) { +- reading_reply = 1; +- } else { +- req->complete = 1; +- current_req = req->next; +- if (req->done) (*req->done)(req); +- +- if (current_req) +- macii_start(); +- else +- if (need_autopoll()) +- macii_autopoll(autopoll_devs); +- } ++ if (macii_state == idle) { ++ /* reset to shift in */ ++ via[ACR] &= ~SR_OUT; ++ x = via[SR]; ++ /* set ADB state idle - might get SRQ */ ++ via[B] = (via[B] & ~ST_MASK) | ST_IDLE; ++ } ++ } else { ++ via[SR] = req->data[data_index++]; + +- if (macii_state == idle) { +- /* reset to shift in */ +- via[ACR] &= ~SR_OUT; +- x = via[SR]; +- /* set ADB state idle - might get SRQ */ +- via[B] = (via[B] & ~ST_MASK) | ST_IDLE; +- } ++ if ((via[B] & ST_MASK) == ST_CMD) { ++ /* just sent the command byte, set to EVEN */ ++ via[B] = (via[B] & ~ST_MASK) | ST_EVEN; + } else { +- via[SR] = req->data[data_index++]; +- +- if ( (via[B] & ST_MASK) == ST_CMD ) { +- /* just sent the command byte, set to EVEN */ +- via[B] = (via[B] & ~ST_MASK) | ST_EVEN; +- } else { +- /* invert state bits, toggle ODD/EVEN */ +- via[B] ^= ST_MASK; +- } ++ /* invert state bits, toggle ODD/EVEN */ ++ via[B] ^= ST_MASK; + } +- break; +- +- case reading: +- x = via[SR]; +- WARN_ON((status & ST_MASK) == ST_CMD || +- (status & ST_MASK) == ST_IDLE); +- +- /* Bus timeout with SRQ sequence: +- * data is "XX FF" while CTLR_IRQ is "L L" +- * End of packet without SRQ sequence: +- * data is "XX...YY 00" while CTLR_IRQ is "L...H L" +- * End of packet SRQ sequence: +- * data is "XX...YY 00" while CTLR_IRQ is "L...L L" +- * (where XX is the first response byte and +- * YY is the last byte of valid response data.) +- */ ++ } ++ break; + +- srq_asserted = 0; +- if (!(status & CTLR_IRQ)) { +- if (x == 0xFF) { +- if (!(last_status & CTLR_IRQ)) { +- macii_state = read_done; +- reply_len = 0; +- srq_asserted = 1; +- } +- } else if (x == 0x00) { ++ case reading: ++ x = via[SR]; ++ WARN_ON((status & ST_MASK) == ST_CMD || ++ (status & ST_MASK) == ST_IDLE); ++ ++ /* Bus timeout with SRQ sequence: ++ * data is "XX FF" while CTLR_IRQ is "L L" ++ * End of packet without SRQ sequence: ++ * data is "XX...YY 00" while CTLR_IRQ is "L...H L" ++ * End of packet SRQ sequence: ++ * data is "XX...YY 00" while CTLR_IRQ is "L...L L" ++ * (where XX is the first response byte and ++ * YY is the last byte of valid response data.) ++ */ ++ ++ srq_asserted = 0; ++ if (!(status & CTLR_IRQ)) { ++ if (x == 0xFF) { ++ if (!(last_status & CTLR_IRQ)) { + macii_state = read_done; +- if (!(last_status & CTLR_IRQ)) +- srq_asserted = 1; ++ reply_len = 0; ++ srq_asserted = 1; + } ++ } else if (x == 0x00) { ++ macii_state = read_done; ++ if (!(last_status & CTLR_IRQ)) ++ srq_asserted = 1; + } ++ } + +- if (macii_state == reading && +- reply_len < ARRAY_SIZE(reply_buf)) { +- reply_ptr++; +- *reply_ptr = x; +- reply_len++; +- } +- +- /* invert state bits, toggle ODD/EVEN */ +- via[B] ^= ST_MASK; +- break; ++ if (macii_state == reading && ++ reply_len < ARRAY_SIZE(reply_buf)) { ++ reply_ptr++; ++ *reply_ptr = x; ++ reply_len++; ++ } + +- case read_done: +- x = via[SR]; +- +- if (reading_reply) { +- reading_reply = 0; +- req = current_req; +- req->reply_len = reply_len; +- req->complete = 1; +- current_req = req->next; +- if (req->done) (*req->done)(req); +- } else if (reply_len && autopoll_devs) +- adb_input(reply_buf, reply_len, 0); +- +- macii_state = idle; +- +- /* SRQ seen before, initiate poll now */ +- if (srq_asserted) +- macii_queue_poll(); ++ /* invert state bits, toggle ODD/EVEN */ ++ via[B] ^= ST_MASK; ++ break; + +- if (current_req) +- macii_start(); +- else +- if (need_autopoll()) +- macii_autopoll(autopoll_devs); ++ case read_done: ++ x = via[SR]; + +- if (macii_state == idle) +- via[B] = (via[B] & ~ST_MASK) | ST_IDLE; +- break; ++ if (reading_reply) { ++ reading_reply = 0; ++ req = current_req; ++ req->reply_len = reply_len; ++ req->complete = 1; ++ current_req = req->next; ++ if (req->done) ++ (*req->done)(req); ++ } else if (reply_len && autopoll_devs) ++ adb_input(reply_buf, reply_len, 0); ++ ++ macii_state = idle; ++ ++ /* SRQ seen before, initiate poll now */ ++ if (srq_asserted) ++ macii_queue_poll(); ++ ++ if (current_req) ++ macii_start(); ++ else if (need_autopoll()) ++ macii_autopoll(autopoll_devs); ++ ++ if (macii_state == idle) ++ via[B] = (via[B] & ~ST_MASK) | ST_IDLE; ++ break; + +- default: ++ default: + break; + } + +-- +2.43.0 + diff --git a/queue-4.19/macintosh-via-macii-remove-bug_on-assertions.patch b/queue-4.19/macintosh-via-macii-remove-bug_on-assertions.patch new file mode 100644 index 00000000000..68716a35659 --- /dev/null +++ b/queue-4.19/macintosh-via-macii-remove-bug_on-assertions.patch @@ -0,0 +1,161 @@ +From fbf78a5ebfb4a9780a9d7b781b373d0a277805e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Sep 2018 20:18:44 -0400 +Subject: macintosh/via-macii: Remove BUG_ON assertions + +From: Finn Thain + +[ Upstream commit 5f93d7081a47e1972031ccf57c4b2779eee162fb ] + +The BUG_ON assertions I added to the via-macii driver over a decade ago +haven't fired AFAIK. Some can never fire (by inspection). One assertion +checks for a NULL pointer, but that would merely substitute a BUG crash +for an Oops crash. Remove the pointless BUG_ON assertions and replace +the others with a WARN_ON and an array bounds check. + +Tested-by: Stan Johnson +Signed-off-by: Finn Thain +Signed-off-by: Michael Ellerman +Stable-dep-of: d301a71c76ee ("macintosh/via-macii: Fix "BUG: sleeping function called from invalid context"") +Signed-off-by: Sasha Levin +--- + drivers/macintosh/via-macii.c | 49 +++++------------------------------ + 1 file changed, 7 insertions(+), 42 deletions(-) + +diff --git a/drivers/macintosh/via-macii.c b/drivers/macintosh/via-macii.c +index cf6f7d52d6bee..fc6ad5bf1875a 100644 +--- a/drivers/macintosh/via-macii.c ++++ b/drivers/macintosh/via-macii.c +@@ -120,23 +120,6 @@ static int srq_asserted; /* have to poll for the device that asserted it */ + static int command_byte; /* the most recent command byte transmitted */ + static int autopoll_devs; /* bits set are device addresses to be polled */ + +-/* Sanity check for request queue. Doesn't check for cycles. */ +-static int request_is_queued(struct adb_request *req) { +- struct adb_request *cur; +- unsigned long flags; +- local_irq_save(flags); +- cur = current_req; +- while (cur) { +- if (cur == req) { +- local_irq_restore(flags); +- return 1; +- } +- cur = cur->next; +- } +- local_irq_restore(flags); +- return 0; +-} +- + /* Check for MacII style ADB */ + static int macii_probe(void) + { +@@ -213,8 +196,6 @@ static void macii_queue_poll(void) + else + next_device = ffs(autopoll_devs) - 1; + +- BUG_ON(request_is_queued(&req)); +- + adb_request(&req, NULL, ADBREQ_NOSEND, 1, + ADB_READREG(next_device, 0)); + +@@ -237,18 +218,13 @@ static int macii_send_request(struct adb_request *req, int sync) + int err; + unsigned long flags; + +- BUG_ON(request_is_queued(req)); +- + local_irq_save(flags); + err = macii_write(req); + local_irq_restore(flags); + +- if (!err && sync) { +- while (!req->complete) { ++ if (!err && sync) ++ while (!req->complete) + macii_poll(); +- } +- BUG_ON(request_is_queued(req)); +- } + + return err; + } +@@ -327,9 +303,6 @@ static int macii_reset_bus(void) + { + static struct adb_request req; + +- if (request_is_queued(&req)) +- return 0; +- + /* Command = 0, Address = ignored */ + adb_request(&req, NULL, 0, 1, ADB_BUSRESET); + +@@ -346,10 +319,6 @@ static void macii_start(void) + + req = current_req; + +- BUG_ON(req == NULL); +- +- BUG_ON(macii_state != idle); +- + /* Now send it. Be careful though, that first byte of the request + * is actually ADB_PACKET; the real data begins at index 1! + * And req->nbytes is the number of bytes of real data plus one. +@@ -387,7 +356,6 @@ static void macii_start(void) + static irqreturn_t macii_interrupt(int irq, void *arg) + { + int x; +- static int entered; + struct adb_request *req; + + if (!arg) { +@@ -398,8 +366,6 @@ static irqreturn_t macii_interrupt(int irq, void *arg) + return IRQ_NONE; + } + +- BUG_ON(entered++); +- + last_status = status; + status = via[B] & (ST_MASK|CTLR_IRQ); + +@@ -408,7 +374,7 @@ static irqreturn_t macii_interrupt(int irq, void *arg) + if (reading_reply) { + reply_ptr = current_req->reply; + } else { +- BUG_ON(current_req != NULL); ++ WARN_ON(current_req); + reply_ptr = reply_buf; + } + +@@ -473,8 +439,8 @@ static irqreturn_t macii_interrupt(int irq, void *arg) + + case reading: + x = via[SR]; +- BUG_ON((status & ST_MASK) == ST_CMD || +- (status & ST_MASK) == ST_IDLE); ++ WARN_ON((status & ST_MASK) == ST_CMD || ++ (status & ST_MASK) == ST_IDLE); + + /* Bus timeout with SRQ sequence: + * data is "XX FF" while CTLR_IRQ is "L L" +@@ -501,8 +467,8 @@ static irqreturn_t macii_interrupt(int irq, void *arg) + } + } + +- if (macii_state == reading) { +- BUG_ON(reply_len > 15); ++ if (macii_state == reading && ++ reply_len < ARRAY_SIZE(reply_buf)) { + reply_ptr++; + *reply_ptr = x; + reply_len++; +@@ -545,6 +511,5 @@ static irqreturn_t macii_interrupt(int irq, void *arg) + break; + } + +- entered--; + return IRQ_HANDLED; + } +-- +2.43.0 + diff --git a/queue-4.19/md-fix-resync-softlockup-when-bitmap-size-is-less-th.patch b/queue-4.19/md-fix-resync-softlockup-when-bitmap-size-is-less-th.patch new file mode 100644 index 00000000000..149a2e11ad3 --- /dev/null +++ b/queue-4.19/md-fix-resync-softlockup-when-bitmap-size-is-less-th.patch @@ -0,0 +1,93 @@ +From 0996b41c0db02116d0f7d0f99790270770a8a73a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Apr 2024 14:58:24 +0800 +Subject: md: fix resync softlockup when bitmap size is less than array size + +From: Yu Kuai + +[ Upstream commit f0e729af2eb6bee9eb58c4df1087f14ebaefe26b ] + +Is is reported that for dm-raid10, lvextend + lvchange --syncaction will +trigger following softlockup: + +kernel:watchdog: BUG: soft lockup - CPU#3 stuck for 26s! [mdX_resync:6976] +CPU: 7 PID: 3588 Comm: mdX_resync Kdump: loaded Not tainted 6.9.0-rc4-next-20240419 #1 +RIP: 0010:_raw_spin_unlock_irq+0x13/0x30 +Call Trace: + + md_bitmap_start_sync+0x6b/0xf0 + raid10_sync_request+0x25c/0x1b40 [raid10] + md_do_sync+0x64b/0x1020 + md_thread+0xa7/0x170 + kthread+0xcf/0x100 + ret_from_fork+0x30/0x50 + ret_from_fork_asm+0x1a/0x30 + +And the detailed process is as follows: + +md_do_sync + j = mddev->resync_min + while (j < max_sectors) + sectors = raid10_sync_request(mddev, j, &skipped) + if (!md_bitmap_start_sync(..., &sync_blocks)) + // md_bitmap_start_sync set sync_blocks to 0 + return sync_blocks + sectors_skippe; + // sectors = 0; + j += sectors; + // j never change + +Root cause is that commit 301867b1c168 ("md/raid10: check +slab-out-of-bounds in md_bitmap_get_counter") return early from +md_bitmap_get_counter(), without setting returned blocks. + +Fix this problem by always set returned blocks from +md_bitmap_get_counter"(), as it used to be. + +Noted that this patch just fix the softlockup problem in kernel, the +case that bitmap size doesn't match array size still need to be fixed. + +Fixes: 301867b1c168 ("md/raid10: check slab-out-of-bounds in md_bitmap_get_counter") +Reported-and-tested-by: Nigel Croxon +Closes: https://lore.kernel.org/all/71ba5272-ab07-43ba-8232-d2da642acb4e@redhat.com/ +Signed-off-by: Yu Kuai +Link: https://lore.kernel.org/r/20240422065824.2516-1-yukuai1@huaweicloud.com +Signed-off-by: Song Liu +Signed-off-by: Sasha Levin +--- + drivers/md/md-bitmap.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/md/md-bitmap.c b/drivers/md/md-bitmap.c +index 7ca81e917aef4..6cbf4a069652c 100644 +--- a/drivers/md/md-bitmap.c ++++ b/drivers/md/md-bitmap.c +@@ -1358,7 +1358,7 @@ __acquires(bitmap->lock) + sector_t chunk = offset >> bitmap->chunkshift; + unsigned long page = chunk >> PAGE_COUNTER_SHIFT; + unsigned long pageoff = (chunk & PAGE_COUNTER_MASK) << COUNTER_BYTE_SHIFT; +- sector_t csize; ++ sector_t csize = ((sector_t)1) << bitmap->chunkshift; + int err; + + if (page >= bitmap->pages) { +@@ -1367,6 +1367,7 @@ __acquires(bitmap->lock) + * End-of-device while looking for a whole page or + * user set a huge number to sysfs bitmap_set_bits. + */ ++ *blocks = csize - (offset & (csize - 1)); + return NULL; + } + err = md_bitmap_checkpage(bitmap, page, create, 0); +@@ -1375,8 +1376,7 @@ __acquires(bitmap->lock) + bitmap->bp[page].map == NULL) + csize = ((sector_t)1) << (bitmap->chunkshift + + PAGE_COUNTER_SHIFT); +- else +- csize = ((sector_t)1) << bitmap->chunkshift; ++ + *blocks = csize - (offset & (csize - 1)); + + if (err < 0) +-- +2.43.0 + diff --git a/queue-4.19/media-ngene-add-dvb_ca_en50221_init-return-value-che.patch b/queue-4.19/media-ngene-add-dvb_ca_en50221_init-return-value-che.patch new file mode 100644 index 00000000000..17e85c393fc --- /dev/null +++ b/queue-4.19/media-ngene-add-dvb_ca_en50221_init-return-value-che.patch @@ -0,0 +1,40 @@ +From 9bd398ebae4539e1bc6e69b07d67328e97d2901d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Mar 2024 14:15:53 +0300 +Subject: media: ngene: Add dvb_ca_en50221_init return value check + +From: Aleksandr Burakov + +[ Upstream commit 9bb1fd7eddcab2d28cfc11eb20f1029154dac718 ] + +The return value of dvb_ca_en50221_init() is not checked here that may +cause undefined behavior in case of nonzero value return. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 25aee3debe04 ("[media] Rename media/dvb as media/pci") +Signed-off-by: Aleksandr Burakov +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/pci/ngene/ngene-core.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/pci/ngene/ngene-core.c b/drivers/media/pci/ngene/ngene-core.c +index aa60559bbbb49..ee36beda54273 100644 +--- a/drivers/media/pci/ngene/ngene-core.c ++++ b/drivers/media/pci/ngene/ngene-core.c +@@ -1505,7 +1505,9 @@ static int init_channel(struct ngene_channel *chan) + } + + if (dev->ci.en && (io & NGENE_IO_TSOUT)) { +- dvb_ca_en50221_init(adapter, dev->ci.en, 0, 1); ++ ret = dvb_ca_en50221_init(adapter, dev->ci.en, 0, 1); ++ if (ret != 0) ++ goto err; + set_transfer(chan, 1); + chan->dev->channel[2].DataFormatFlags = DF_SWAP32; + set_transfer(&chan->dev->channel[2], 1); +-- +2.43.0 + diff --git a/queue-4.19/media-radio-shark2-avoid-led_names-truncations.patch b/queue-4.19/media-radio-shark2-avoid-led_names-truncations.patch new file mode 100644 index 00000000000..ec36537bf77 --- /dev/null +++ b/queue-4.19/media-radio-shark2-avoid-led_names-truncations.patch @@ -0,0 +1,40 @@ +From 48c22617cfee2a82a8eb93ac36cd2fcb35a90be6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Mar 2024 14:50:24 +0000 +Subject: media: radio-shark2: Avoid led_names truncations +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ricardo Ribalda + +[ Upstream commit 1820e16a3019b6258e6009d34432946a6ddd0a90 ] + +Increase the size of led_names so it can fit any valid v4l2 device name. + +Fixes: +drivers/media/radio/radio-shark2.c:197:17: warning: ‘%s’ directive output may be truncated writing up to 35 bytes into a region of size 32 [-Wformat-truncation=] + +Signed-off-by: Ricardo Ribalda +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/radio/radio-shark2.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/radio/radio-shark2.c b/drivers/media/radio/radio-shark2.c +index 5356941f54aef..fda988139fa46 100644 +--- a/drivers/media/radio/radio-shark2.c ++++ b/drivers/media/radio/radio-shark2.c +@@ -62,7 +62,7 @@ struct shark_device { + #ifdef SHARK_USE_LEDS + struct work_struct led_work; + struct led_classdev leds[NO_LEDS]; +- char led_names[NO_LEDS][32]; ++ char led_names[NO_LEDS][64]; + atomic_t brightness[NO_LEDS]; + unsigned long brightness_new; + #endif +-- +2.43.0 + diff --git a/queue-4.19/mtd-rawnand-hynix-fixed-typo.patch b/queue-4.19/mtd-rawnand-hynix-fixed-typo.patch new file mode 100644 index 00000000000..2145bcd095b --- /dev/null +++ b/queue-4.19/mtd-rawnand-hynix-fixed-typo.patch @@ -0,0 +1,43 @@ +From e6e1e5fa31d252f360be7442938f42de7b4e04bc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Mar 2024 13:27:20 +0300 +Subject: mtd: rawnand: hynix: fixed typo + +From: Maxim Korotkov + +[ Upstream commit 6819db94e1cd3ce24a432f3616cd563ed0c4eaba ] + +The function hynix_nand_rr_init() should probably return an error code. +Judging by the usage, it seems that the return code is passed up +the call stack. +Right now, it always returns 0 and the function hynix_nand_cleanup() +in hynix_nand_init() has never been called. + +Found by RASU JSC and Linux Verification Center (linuxtesting.org) + +Fixes: 626994e07480 ("mtd: nand: hynix: Add read-retry support for 1x nm MLC NANDs") + +Signed-off-by: Maxim Korotkov +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20240313102721.1991299-1-korotkov.maxim.s@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/mtd/nand/raw/nand_hynix.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/mtd/nand/raw/nand_hynix.c b/drivers/mtd/nand/raw/nand_hynix.c +index 4ffbb26e76d6d..6f595455a8c23 100644 +--- a/drivers/mtd/nand/raw/nand_hynix.c ++++ b/drivers/mtd/nand/raw/nand_hynix.c +@@ -414,7 +414,7 @@ static int hynix_nand_rr_init(struct nand_chip *chip) + if (ret) + pr_warn("failed to initialize read-retry infrastructure"); + +- return 0; ++ return ret; + } + + static void hynix_nand_extract_oobsize(struct nand_chip *chip, +-- +2.43.0 + diff --git a/queue-4.19/net-ethernet-cortina-locking-fixes.patch b/queue-4.19/net-ethernet-cortina-locking-fixes.patch new file mode 100644 index 00000000000..e2c3cb8aac5 --- /dev/null +++ b/queue-4.19/net-ethernet-cortina-locking-fixes.patch @@ -0,0 +1,86 @@ +From a6a7a505598bbb8d7b1d769d1b989d394862fa1f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 May 2024 09:44:54 +0200 +Subject: net: ethernet: cortina: Locking fixes + +From: Linus Walleij + +[ Upstream commit 812552808f7ff71133fc59768cdc253c5b8ca1bf ] + +This fixes a probably long standing problem in the Cortina +Gemini ethernet driver: there are some paths in the code +where the IRQ registers are written without taking the proper +locks. + +Fixes: 4d5ae32f5e1e ("net: ethernet: Add a driver for Gemini gigabit ethernet") +Signed-off-by: Linus Walleij +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20240509-gemini-ethernet-locking-v1-1-afd00a528b95@linaro.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cortina/gemini.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/cortina/gemini.c b/drivers/net/ethernet/cortina/gemini.c +index b7ebe5eb46f5a..d464dec9825ad 100644 +--- a/drivers/net/ethernet/cortina/gemini.c ++++ b/drivers/net/ethernet/cortina/gemini.c +@@ -1116,10 +1116,13 @@ static void gmac_tx_irq_enable(struct net_device *netdev, + { + struct gemini_ethernet_port *port = netdev_priv(netdev); + struct gemini_ethernet *geth = port->geth; ++ unsigned long flags; + u32 val, mask; + + netdev_dbg(netdev, "%s device %d\n", __func__, netdev->dev_id); + ++ spin_lock_irqsave(&geth->irq_lock, flags); ++ + mask = GMAC0_IRQ0_TXQ0_INTS << (6 * netdev->dev_id + txq); + + if (en) +@@ -1128,6 +1131,8 @@ static void gmac_tx_irq_enable(struct net_device *netdev, + val = readl(geth->base + GLOBAL_INTERRUPT_ENABLE_0_REG); + val = en ? val | mask : val & ~mask; + writel(val, geth->base + GLOBAL_INTERRUPT_ENABLE_0_REG); ++ ++ spin_unlock_irqrestore(&geth->irq_lock, flags); + } + + static void gmac_tx_irq(struct net_device *netdev, unsigned int txq_num) +@@ -1436,15 +1441,19 @@ static unsigned int gmac_rx(struct net_device *netdev, unsigned int budget) + union gmac_rxdesc_3 word3; + struct page *page = NULL; + unsigned int page_offs; ++ unsigned long flags; + unsigned short r, w; + union dma_rwptr rw; + dma_addr_t mapping; + int frag_nr = 0; + ++ spin_lock_irqsave(&geth->irq_lock, flags); + rw.bits32 = readl(ptr_reg); + /* Reset interrupt as all packages until here are taken into account */ + writel(DEFAULT_Q0_INT_BIT << netdev->dev_id, + geth->base + GLOBAL_INTERRUPT_STATUS_1_REG); ++ spin_unlock_irqrestore(&geth->irq_lock, flags); ++ + r = rw.bits.rptr; + w = rw.bits.wptr; + +@@ -1747,10 +1756,9 @@ static irqreturn_t gmac_irq(int irq, void *data) + gmac_update_hw_stats(netdev); + + if (val & (GMAC0_RX_OVERRUN_INT_BIT << (netdev->dev_id * 8))) { ++ spin_lock(&geth->irq_lock); + writel(GMAC0_RXDERR_INT_BIT << (netdev->dev_id * 8), + geth->base + GLOBAL_INTERRUPT_STATUS_4_REG); +- +- spin_lock(&geth->irq_lock); + u64_stats_update_begin(&port->ir_stats_syncp); + ++port->stats.rx_fifo_errors; + u64_stats_update_end(&port->ir_stats_syncp); +-- +2.43.0 + diff --git a/queue-4.19/net-openvswitch-fix-overwriting-ct-original-tuple-fo.patch b/queue-4.19/net-openvswitch-fix-overwriting-ct-original-tuple-fo.patch new file mode 100644 index 00000000000..759c5a51410 --- /dev/null +++ b/queue-4.19/net-openvswitch-fix-overwriting-ct-original-tuple-fo.patch @@ -0,0 +1,86 @@ +From 59f4076c7318096da4ef168d8cdcd6274040c82f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 May 2024 11:38:05 +0200 +Subject: net: openvswitch: fix overwriting ct original tuple for ICMPv6 + +From: Ilya Maximets + +[ Upstream commit 7c988176b6c16c516474f6fceebe0f055af5eb56 ] + +OVS_PACKET_CMD_EXECUTE has 3 main attributes: + - OVS_PACKET_ATTR_KEY - Packet metadata in a netlink format. + - OVS_PACKET_ATTR_PACKET - Binary packet content. + - OVS_PACKET_ATTR_ACTIONS - Actions to execute on the packet. + +OVS_PACKET_ATTR_KEY is parsed first to populate sw_flow_key structure +with the metadata like conntrack state, input port, recirculation id, +etc. Then the packet itself gets parsed to populate the rest of the +keys from the packet headers. + +Whenever the packet parsing code starts parsing the ICMPv6 header, it +first zeroes out fields in the key corresponding to Neighbor Discovery +information even if it is not an ND packet. + +It is an 'ipv6.nd' field. However, the 'ipv6' is a union that shares +the space between 'nd' and 'ct_orig' that holds the original tuple +conntrack metadata parsed from the OVS_PACKET_ATTR_KEY. + +ND packets should not normally have conntrack state, so it's fine to +share the space, but normal ICMPv6 Echo packets or maybe other types of +ICMPv6 can have the state attached and it should not be overwritten. + +The issue results in all but the last 4 bytes of the destination +address being wiped from the original conntrack tuple leading to +incorrect packet matching and potentially executing wrong actions +in case this packet recirculates within the datapath or goes back +to userspace. + +ND fields should not be accessed in non-ND packets, so not clearing +them should be fine. Executing memset() only for actual ND packets to +avoid the issue. + +Initializing the whole thing before parsing is needed because ND packet +may not contain all the options. + +The issue only affects the OVS_PACKET_CMD_EXECUTE path and doesn't +affect packets entering OVS datapath from network interfaces, because +in this case CT metadata is populated from skb after the packet is +already parsed. + +Fixes: 9dd7f8907c37 ("openvswitch: Add original direction conntrack tuple to sw_flow_key.") +Reported-by: Antonin Bas +Closes: https://github.com/openvswitch/ovs-issues/issues/327 +Signed-off-by: Ilya Maximets +Acked-by: Aaron Conole +Acked-by: Eelco Chaudron +Link: https://lore.kernel.org/r/20240509094228.1035477-1-i.maximets@ovn.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/openvswitch/flow.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/openvswitch/flow.c b/net/openvswitch/flow.c +index 56b8e7167790f..857b1ffe3d856 100644 +--- a/net/openvswitch/flow.c ++++ b/net/openvswitch/flow.c +@@ -427,7 +427,6 @@ static int parse_icmpv6(struct sk_buff *skb, struct sw_flow_key *key, + */ + key->tp.src = htons(icmp->icmp6_type); + key->tp.dst = htons(icmp->icmp6_code); +- memset(&key->ipv6.nd, 0, sizeof(key->ipv6.nd)); + + if (icmp->icmp6_code == 0 && + (icmp->icmp6_type == NDISC_NEIGHBOUR_SOLICITATION || +@@ -436,6 +435,8 @@ static int parse_icmpv6(struct sk_buff *skb, struct sw_flow_key *key, + struct nd_msg *nd; + int offset; + ++ memset(&key->ipv6.nd, 0, sizeof(key->ipv6.nd)); ++ + /* In order to process neighbor discovery options, we need the + * entire packet. + */ +-- +2.43.0 + diff --git a/queue-4.19/net-usb-qmi_wwan-add-telit-fn920c04-compositions.patch b/queue-4.19/net-usb-qmi_wwan-add-telit-fn920c04-compositions.patch new file mode 100644 index 00000000000..32f0a188c4a --- /dev/null +++ b/queue-4.19/net-usb-qmi_wwan-add-telit-fn920c04-compositions.patch @@ -0,0 +1,108 @@ +From d55ab87a7bfa083628ad9cb83524e434db1a0a36 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Apr 2024 13:12:07 +0200 +Subject: net: usb: qmi_wwan: add Telit FN920C04 compositions + +From: Daniele Palmas + +[ Upstream commit 0b8fe5bd73249dc20be2e88a12041f8920797b59 ] + +Add the following Telit FN920C04 compositions: + +0x10a0: rmnet + tty (AT/NMEA) + tty (AT) + tty (diag) +T: Bus=03 Lev=01 Prnt=03 Port=06 Cnt=01 Dev#= 5 Spd=480 MxCh= 0 +D: Ver= 2.01 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 +P: Vendor=1bc7 ProdID=10a0 Rev=05.15 +S: Manufacturer=Telit Cinterion +S: Product=FN920 +S: SerialNumber=92c4c4d8 +C: #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr=500mA +I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan +E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=82(I) Atr=03(Int.) MxPS= 8 Ivl=32ms +I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option +E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option +E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option +E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms + +0x10a4: rmnet + tty (AT) + tty (AT) + tty (diag) +T: Bus=03 Lev=01 Prnt=03 Port=06 Cnt=01 Dev#= 8 Spd=480 MxCh= 0 +D: Ver= 2.01 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 +P: Vendor=1bc7 ProdID=10a4 Rev=05.15 +S: Manufacturer=Telit Cinterion +S: Product=FN920 +S: SerialNumber=92c4c4d8 +C: #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr=500mA +I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan +E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=82(I) Atr=03(Int.) MxPS= 8 Ivl=32ms +I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option +E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option +E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option +E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms + +0x10a9: rmnet + tty (AT) + tty (diag) + DPL (data packet logging) + adb +T: Bus=03 Lev=01 Prnt=03 Port=06 Cnt=01 Dev#= 9 Spd=480 MxCh= 0 +D: Ver= 2.01 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 +P: Vendor=1bc7 ProdID=10a9 Rev=05.15 +S: Manufacturer=Telit Cinterion +S: Product=FN920 +S: SerialNumber=92c4c4d8 +C: #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA +I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan +E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=82(I) Atr=03(Int.) MxPS= 8 Ivl=32ms +I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option +E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option +E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I: If#= 3 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=80 Driver=(none) +E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I: If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none) +E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms + +Signed-off-by: Daniele Palmas +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/qmi_wwan.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c +index b4d436f985cfb..3e59b63b838f6 100644 +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -1326,6 +1326,9 @@ static const struct usb_device_id products[] = { + {QMI_QUIRK_SET_DTR(0x1bc7, 0x1060, 2)}, /* Telit LN920 */ + {QMI_QUIRK_SET_DTR(0x1bc7, 0x1070, 2)}, /* Telit FN990 */ + {QMI_QUIRK_SET_DTR(0x1bc7, 0x1080, 2)}, /* Telit FE990 */ ++ {QMI_QUIRK_SET_DTR(0x1bc7, 0x10a0, 0)}, /* Telit FN920C04 */ ++ {QMI_QUIRK_SET_DTR(0x1bc7, 0x10a4, 0)}, /* Telit FN920C04 */ ++ {QMI_QUIRK_SET_DTR(0x1bc7, 0x10a9, 0)}, /* Telit FN920C04 */ + {QMI_FIXED_INTF(0x1bc7, 0x1100, 3)}, /* Telit ME910 */ + {QMI_FIXED_INTF(0x1bc7, 0x1101, 3)}, /* Telit ME910 dual modem */ + {QMI_FIXED_INTF(0x1bc7, 0x1200, 5)}, /* Telit LE920 */ +-- +2.43.0 + diff --git a/queue-4.19/net-usb-smsc95xx-stop-lying-about-skb-truesize.patch b/queue-4.19/net-usb-smsc95xx-stop-lying-about-skb-truesize.patch new file mode 100644 index 00000000000..b7f21caa8dc --- /dev/null +++ b/queue-4.19/net-usb-smsc95xx-stop-lying-about-skb-truesize.patch @@ -0,0 +1,87 @@ +From af5e46f3da21616414bc839268d5066f6c8f52ef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 May 2024 08:33:13 +0000 +Subject: net: usb: smsc95xx: stop lying about skb->truesize + +From: Eric Dumazet + +[ Upstream commit d50729f1d60bca822ef6d9c1a5fb28d486bd7593 ] + +Some usb drivers try to set small skb->truesize and break +core networking stacks. + +In this patch, I removed one of the skb->truesize override. + +I also replaced one skb_clone() by an allocation of a fresh +and small skb, to get minimally sized skbs, like we did +in commit 1e2c61172342 ("net: cdc_ncm: reduce skb truesize +in rx path") and 4ce62d5b2f7a ("net: usb: ax88179_178a: +stop lying about skb->truesize") + +v3: also fix a sparse error ( https://lore.kernel.org/oe-kbuild-all/202405091310.KvncIecx-lkp@intel.com/ ) +v2: leave the skb_trim() game because smsc95xx_rx_csum_offload() + needs the csum part. (Jakub) + While we are it, use get_unaligned() in smsc95xx_rx_csum_offload(). + +Fixes: 2f7ca802bdae ("net: Add SMSC LAN9500 USB2.0 10/100 ethernet adapter driver") +Signed-off-by: Eric Dumazet +Cc: Steve Glendinning +Cc: UNGLinuxDriver@microchip.com +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20240509083313.2113832-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/usb/smsc95xx.c | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/usb/smsc95xx.c b/drivers/net/usb/smsc95xx.c +index 37547ac72840f..be5543c71d069 100644 +--- a/drivers/net/usb/smsc95xx.c ++++ b/drivers/net/usb/smsc95xx.c +@@ -1924,9 +1924,11 @@ static int smsc95xx_reset_resume(struct usb_interface *intf) + + static void smsc95xx_rx_csum_offload(struct sk_buff *skb) + { +- skb->csum = *(u16 *)(skb_tail_pointer(skb) - 2); ++ u16 *csum_ptr = (u16 *)(skb_tail_pointer(skb) - 2); ++ ++ skb->csum = (__force __wsum)get_unaligned(csum_ptr); + skb->ip_summed = CHECKSUM_COMPLETE; +- skb_trim(skb, skb->len - 2); ++ skb_trim(skb, skb->len - 2); /* remove csum */ + } + + static int smsc95xx_rx_fixup(struct usbnet *dev, struct sk_buff *skb) +@@ -1985,25 +1987,22 @@ static int smsc95xx_rx_fixup(struct usbnet *dev, struct sk_buff *skb) + if (dev->net->features & NETIF_F_RXCSUM) + smsc95xx_rx_csum_offload(skb); + skb_trim(skb, skb->len - 4); /* remove fcs */ +- skb->truesize = size + sizeof(struct sk_buff); + + return 1; + } + +- ax_skb = skb_clone(skb, GFP_ATOMIC); ++ ax_skb = netdev_alloc_skb_ip_align(dev->net, size); + if (unlikely(!ax_skb)) { + netdev_warn(dev->net, "Error allocating skb\n"); + return 0; + } + +- ax_skb->len = size; +- ax_skb->data = packet; +- skb_set_tail_pointer(ax_skb, size); ++ skb_put(ax_skb, size); ++ memcpy(ax_skb->data, packet, size); + + if (dev->net->features & NETIF_F_RXCSUM) + smsc95xx_rx_csum_offload(ax_skb); + skb_trim(ax_skb, ax_skb->len - 4); /* remove fcs */ +- ax_skb->truesize = size + sizeof(struct sk_buff); + + usbnet_skb_return(dev, ax_skb); + } +-- +2.43.0 + diff --git a/queue-4.19/net-usb-sr9700-stop-lying-about-skb-truesize.patch b/queue-4.19/net-usb-sr9700-stop-lying-about-skb-truesize.patch new file mode 100644 index 00000000000..659d62b59e5 --- /dev/null +++ b/queue-4.19/net-usb-sr9700-stop-lying-about-skb-truesize.patch @@ -0,0 +1,59 @@ +From 01a89823824b90b4dbe63cf97a0969888907e6eb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 May 2024 14:39:39 +0000 +Subject: net: usb: sr9700: stop lying about skb->truesize + +From: Eric Dumazet + +[ Upstream commit 05417aa9c0c038da2464a0c504b9d4f99814a23b ] + +Some usb drivers set small skb->truesize and break +core networking stacks. + +In this patch, I removed one of the skb->truesize override. + +I also replaced one skb_clone() by an allocation of a fresh +and small skb, to get minimally sized skbs, like we did +in commit 1e2c61172342 ("net: cdc_ncm: reduce skb truesize +in rx path") and 4ce62d5b2f7a ("net: usb: ax88179_178a: +stop lying about skb->truesize") + +Fixes: c9b37458e956 ("USB2NET : SR9700 : One chip USB 1.1 USB2NET SR9700Device Driver Support") +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20240506143939.3673865-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/usb/sr9700.c | 10 +++------- + 1 file changed, 3 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/usb/sr9700.c b/drivers/net/usb/sr9700.c +index 8bee8286e41a1..a0e5d066ac455 100644 +--- a/drivers/net/usb/sr9700.c ++++ b/drivers/net/usb/sr9700.c +@@ -418,19 +418,15 @@ static int sr9700_rx_fixup(struct usbnet *dev, struct sk_buff *skb) + skb_pull(skb, 3); + skb->len = len; + skb_set_tail_pointer(skb, len); +- skb->truesize = len + sizeof(struct sk_buff); + return 2; + } + +- /* skb_clone is used for address align */ +- sr_skb = skb_clone(skb, GFP_ATOMIC); ++ sr_skb = netdev_alloc_skb_ip_align(dev->net, len); + if (!sr_skb) + return 0; + +- sr_skb->len = len; +- sr_skb->data = skb->data + 3; +- skb_set_tail_pointer(sr_skb, len); +- sr_skb->truesize = len + sizeof(struct sk_buff); ++ skb_put(sr_skb, len); ++ memcpy(sr_skb->data, skb->data + 3, len); + usbnet_skb_return(dev, sr_skb); + + skb_pull(skb, len + SR_RX_OVERHEAD); +-- +2.43.0 + diff --git a/queue-4.19/netrom-fix-possible-dead-lock-in-nr_rt_ioctl.patch b/queue-4.19/netrom-fix-possible-dead-lock-in-nr_rt_ioctl.patch new file mode 100644 index 00000000000..51ff27cb799 --- /dev/null +++ b/queue-4.19/netrom-fix-possible-dead-lock-in-nr_rt_ioctl.patch @@ -0,0 +1,192 @@ +From 770f7e6b4b70e3fd29270ab8b07aeed86f9268b3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 May 2024 14:29:34 +0000 +Subject: netrom: fix possible dead-lock in nr_rt_ioctl() + +From: Eric Dumazet + +[ Upstream commit e03e7f20ebf7e1611d40d1fdc1bde900fd3335f6 ] + +syzbot loves netrom, and found a possible deadlock in nr_rt_ioctl [1] + +Make sure we always acquire nr_node_list_lock before nr_node_lock(nr_node) + +[1] +WARNING: possible circular locking dependency detected +6.9.0-rc7-syzkaller-02147-g654de42f3fc6 #0 Not tainted +------------------------------------------------------ +syz-executor350/5129 is trying to acquire lock: + ffff8880186e2070 (&nr_node->node_lock){+...}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline] + ffff8880186e2070 (&nr_node->node_lock){+...}-{2:2}, at: nr_node_lock include/net/netrom.h:152 [inline] + ffff8880186e2070 (&nr_node->node_lock){+...}-{2:2}, at: nr_dec_obs net/netrom/nr_route.c:464 [inline] + ffff8880186e2070 (&nr_node->node_lock){+...}-{2:2}, at: nr_rt_ioctl+0x1bb/0x1090 net/netrom/nr_route.c:697 + +but task is already holding lock: + ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline] + ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: nr_dec_obs net/netrom/nr_route.c:462 [inline] + ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: nr_rt_ioctl+0x10a/0x1090 net/netrom/nr_route.c:697 + +which lock already depends on the new lock. + +the existing dependency chain (in reverse order) is: + +-> #1 (nr_node_list_lock){+...}-{2:2}: + lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754 + __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline] + _raw_spin_lock_bh+0x35/0x50 kernel/locking/spinlock.c:178 + spin_lock_bh include/linux/spinlock.h:356 [inline] + nr_remove_node net/netrom/nr_route.c:299 [inline] + nr_del_node+0x4b4/0x820 net/netrom/nr_route.c:355 + nr_rt_ioctl+0xa95/0x1090 net/netrom/nr_route.c:683 + sock_do_ioctl+0x158/0x460 net/socket.c:1222 + sock_ioctl+0x629/0x8e0 net/socket.c:1341 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:904 [inline] + __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:890 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +-> #0 (&nr_node->node_lock){+...}-{2:2}: + check_prev_add kernel/locking/lockdep.c:3134 [inline] + check_prevs_add kernel/locking/lockdep.c:3253 [inline] + validate_chain+0x18cb/0x58e0 kernel/locking/lockdep.c:3869 + __lock_acquire+0x1346/0x1fd0 kernel/locking/lockdep.c:5137 + lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754 + __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline] + _raw_spin_lock_bh+0x35/0x50 kernel/locking/spinlock.c:178 + spin_lock_bh include/linux/spinlock.h:356 [inline] + nr_node_lock include/net/netrom.h:152 [inline] + nr_dec_obs net/netrom/nr_route.c:464 [inline] + nr_rt_ioctl+0x1bb/0x1090 net/netrom/nr_route.c:697 + sock_do_ioctl+0x158/0x460 net/socket.c:1222 + sock_ioctl+0x629/0x8e0 net/socket.c:1341 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:904 [inline] + __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:890 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +other info that might help us debug this: + + Possible unsafe locking scenario: + + CPU0 CPU1 + ---- ---- + lock(nr_node_list_lock); + lock(&nr_node->node_lock); + lock(nr_node_list_lock); + lock(&nr_node->node_lock); + + *** DEADLOCK *** + +1 lock held by syz-executor350/5129: + #0: ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline] + #0: ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: nr_dec_obs net/netrom/nr_route.c:462 [inline] + #0: ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: nr_rt_ioctl+0x10a/0x1090 net/netrom/nr_route.c:697 + +stack backtrace: +CPU: 0 PID: 5129 Comm: syz-executor350 Not tainted 6.9.0-rc7-syzkaller-02147-g654de42f3fc6 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114 + check_noncircular+0x36a/0x4a0 kernel/locking/lockdep.c:2187 + check_prev_add kernel/locking/lockdep.c:3134 [inline] + check_prevs_add kernel/locking/lockdep.c:3253 [inline] + validate_chain+0x18cb/0x58e0 kernel/locking/lockdep.c:3869 + __lock_acquire+0x1346/0x1fd0 kernel/locking/lockdep.c:5137 + lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754 + __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline] + _raw_spin_lock_bh+0x35/0x50 kernel/locking/spinlock.c:178 + spin_lock_bh include/linux/spinlock.h:356 [inline] + nr_node_lock include/net/netrom.h:152 [inline] + nr_dec_obs net/netrom/nr_route.c:464 [inline] + nr_rt_ioctl+0x1bb/0x1090 net/netrom/nr_route.c:697 + sock_do_ioctl+0x158/0x460 net/socket.c:1222 + sock_ioctl+0x629/0x8e0 net/socket.c:1341 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:904 [inline] + __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:890 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20240515142934.3708038-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/netrom/nr_route.c | 19 +++++++------------ + 1 file changed, 7 insertions(+), 12 deletions(-) + +diff --git a/net/netrom/nr_route.c b/net/netrom/nr_route.c +index 744c19a7a469c..41c45b4d4b18c 100644 +--- a/net/netrom/nr_route.c ++++ b/net/netrom/nr_route.c +@@ -287,22 +287,14 @@ static int __must_check nr_add_node(ax25_address *nr, const char *mnemonic, + return 0; + } + +-static inline void __nr_remove_node(struct nr_node *nr_node) ++static void nr_remove_node_locked(struct nr_node *nr_node) + { ++ lockdep_assert_held(&nr_node_list_lock); ++ + hlist_del_init(&nr_node->node_node); + nr_node_put(nr_node); + } + +-#define nr_remove_node_locked(__node) \ +- __nr_remove_node(__node) +- +-static void nr_remove_node(struct nr_node *nr_node) +-{ +- spin_lock_bh(&nr_node_list_lock); +- __nr_remove_node(nr_node); +- spin_unlock_bh(&nr_node_list_lock); +-} +- + static inline void __nr_remove_neigh(struct nr_neigh *nr_neigh) + { + hlist_del_init(&nr_neigh->neigh_node); +@@ -341,6 +333,7 @@ static int nr_del_node(ax25_address *callsign, ax25_address *neighbour, struct n + return -EINVAL; + } + ++ spin_lock_bh(&nr_node_list_lock); + nr_node_lock(nr_node); + for (i = 0; i < nr_node->count; i++) { + if (nr_node->routes[i].neighbour == nr_neigh) { +@@ -354,7 +347,7 @@ static int nr_del_node(ax25_address *callsign, ax25_address *neighbour, struct n + nr_node->count--; + + if (nr_node->count == 0) { +- nr_remove_node(nr_node); ++ nr_remove_node_locked(nr_node); + } else { + switch (i) { + case 0: +@@ -368,12 +361,14 @@ static int nr_del_node(ax25_address *callsign, ax25_address *neighbour, struct n + nr_node_put(nr_node); + } + nr_node_unlock(nr_node); ++ spin_unlock_bh(&nr_node_list_lock); + + return 0; + } + } + nr_neigh_put(nr_neigh); + nr_node_unlock(nr_node); ++ spin_unlock_bh(&nr_node_list_lock); + nr_node_put(nr_node); + + return -EINVAL; +-- +2.43.0 + diff --git a/queue-4.19/nfsd-drop-st_mutex-before-calling-move_to_close_lru.patch b/queue-4.19/nfsd-drop-st_mutex-before-calling-move_to_close_lru.patch new file mode 100644 index 00000000000..4d243ca5363 --- /dev/null +++ b/queue-4.19/nfsd-drop-st_mutex-before-calling-move_to_close_lru.patch @@ -0,0 +1,82 @@ +From 1406976a3d6b8e61b2c824242d98eafd18b37721 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Apr 2024 12:09:18 +1000 +Subject: nfsd: drop st_mutex before calling move_to_close_lru() + +From: NeilBrown + +[ Upstream commit 56c35f43eef013579c76c007ba1f386d8c2cac14 ] + +move_to_close_lru() is currently called with ->st_mutex held. +This can lead to a deadlock as move_to_close_lru() waits for sc_count to +drop to 2, and some threads holding a reference might be waiting for the +mutex. These references will never be dropped so sc_count will never +reach 2. + +There can be no harm in dropping ->st_mutex before +move_to_close_lru() because the only place that takes the mutex is +nfsd4_lock_ol_stateid(), and it quickly aborts if sc_type is +NFS4_CLOSED_STID, which it will be before move_to_close_lru() is called. + +See also + https://lore.kernel.org/lkml/4dd1fe21e11344e5969bb112e954affb@jd.com/T/ +where this problem was raised but not successfully resolved. + +Reviewed-by: Jeff Layton +Signed-off-by: NeilBrown +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +--- + fs/nfsd/nfs4state.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c +index 5c241e510888d..7ac644d64ab1d 100644 +--- a/fs/nfsd/nfs4state.c ++++ b/fs/nfsd/nfs4state.c +@@ -5482,7 +5482,7 @@ nfsd4_open_downgrade(struct svc_rqst *rqstp, + return status; + } + +-static void nfsd4_close_open_stateid(struct nfs4_ol_stateid *s) ++static bool nfsd4_close_open_stateid(struct nfs4_ol_stateid *s) + { + struct nfs4_client *clp = s->st_stid.sc_client; + bool unhashed; +@@ -5496,11 +5496,11 @@ static void nfsd4_close_open_stateid(struct nfs4_ol_stateid *s) + put_ol_stateid_locked(s, &reaplist); + spin_unlock(&clp->cl_lock); + free_ol_stateid_reaplist(&reaplist); ++ return false; + } else { + spin_unlock(&clp->cl_lock); + free_ol_stateid_reaplist(&reaplist); +- if (unhashed) +- move_to_close_lru(s, clp->net); ++ return unhashed; + } + } + +@@ -5516,6 +5516,7 @@ nfsd4_close(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate, + struct nfs4_ol_stateid *stp; + struct net *net = SVC_NET(rqstp); + struct nfsd_net *nn = net_generic(net, nfsd_net_id); ++ bool need_move_to_close_list; + + dprintk("NFSD: nfsd4_close on file %pd\n", + cstate->current_fh.fh_dentry); +@@ -5538,8 +5539,10 @@ nfsd4_close(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate, + */ + nfs4_inc_and_copy_stateid(&close->cl_stateid, &stp->st_stid); + +- nfsd4_close_open_stateid(stp); ++ need_move_to_close_list = nfsd4_close_open_stateid(stp); + mutex_unlock(&stp->st_mutex); ++ if (need_move_to_close_list) ++ move_to_close_lru(stp, net); + + /* v4.1+ suggests that we send a special stateid in here, since the + * clients should just ignore this anyway. Since this is not useful +-- +2.43.0 + diff --git a/queue-4.19/nilfs2-fix-out-of-range-warning.patch b/queue-4.19/nilfs2-fix-out-of-range-warning.patch new file mode 100644 index 00000000000..e3df1f7e4f0 --- /dev/null +++ b/queue-4.19/nilfs2-fix-out-of-range-warning.patch @@ -0,0 +1,45 @@ +From b05eff17dde6aa5970c9c43ca43dec5991d392a2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Mar 2024 15:30:44 +0100 +Subject: nilfs2: fix out-of-range warning + +From: Arnd Bergmann + +[ Upstream commit c473bcdd80d4ab2ae79a7a509a6712818366e32a ] + +clang-14 points out that v_size is always smaller than a 64KB +page size if that is configured by the CPU architecture: + +fs/nilfs2/ioctl.c:63:19: error: result of comparison of constant 65536 with expression of type '__u16' (aka 'unsigned short') is always false [-Werror,-Wtautological-constant-out-of-range-compare] + if (argv->v_size > PAGE_SIZE) + ~~~~~~~~~~~~ ^ ~~~~~~~~~ + +This is ok, so just shut up that warning with a cast. + +Signed-off-by: Arnd Bergmann +Link: https://lore.kernel.org/r/20240328143051.1069575-7-arnd@kernel.org +Fixes: 3358b4aaa84f ("nilfs2: fix problems of memory allocation in ioctl") +Acked-by: Ryusuke Konishi +Reviewed-by: Justin Stitt +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/nilfs2/ioctl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/nilfs2/ioctl.c b/fs/nilfs2/ioctl.c +index ecb5e4cf058b5..369c55e1b9417 100644 +--- a/fs/nilfs2/ioctl.c ++++ b/fs/nilfs2/ioctl.c +@@ -59,7 +59,7 @@ static int nilfs_ioctl_wrap_copy(struct the_nilfs *nilfs, + if (argv->v_nmembs == 0) + return 0; + +- if (argv->v_size > PAGE_SIZE) ++ if ((size_t)argv->v_size > PAGE_SIZE) + return -EINVAL; + + /* +-- +2.43.0 + diff --git a/queue-4.19/null_blk-fix-missing-mutex_destroy-at-module-removal.patch b/queue-4.19/null_blk-fix-missing-mutex_destroy-at-module-removal.patch new file mode 100644 index 00000000000..00d1fcf7a91 --- /dev/null +++ b/queue-4.19/null_blk-fix-missing-mutex_destroy-at-module-removal.patch @@ -0,0 +1,37 @@ +From abf76f411fc663beacafdc68e630b41d452ddaf1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Apr 2024 19:16:35 +0200 +Subject: null_blk: Fix missing mutex_destroy() at module removal + +From: Zhu Yanjun + +[ Upstream commit 07d1b99825f40f9c0d93e6b99d79a08d0717bac1 ] + +When a mutex lock is not used any more, the function mutex_destroy +should be called to mark the mutex lock uninitialized. + +Fixes: f2298c0403b0 ("null_blk: multi queue aware block test driver") +Signed-off-by: Zhu Yanjun +Link: https://lore.kernel.org/r/20240425171635.4227-1-yanjun.zhu@linux.dev +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/null_blk_main.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/block/null_blk_main.c b/drivers/block/null_blk_main.c +index 5553df736c720..fb20ed1360f99 100644 +--- a/drivers/block/null_blk_main.c ++++ b/drivers/block/null_blk_main.c +@@ -1967,6 +1967,8 @@ static void __exit null_exit(void) + + if (g_queue_mode == NULL_Q_MQ && shared_tags) + blk_mq_free_tag_set(&tag_set); ++ ++ mutex_destroy(&lock); + } + + module_init(null_init); +-- +2.43.0 + diff --git a/queue-4.19/parisc-add-missing-export-of-__cmpxchg_u8.patch b/queue-4.19/parisc-add-missing-export-of-__cmpxchg_u8.patch new file mode 100644 index 00000000000..557c546ab08 --- /dev/null +++ b/queue-4.19/parisc-add-missing-export-of-__cmpxchg_u8.patch @@ -0,0 +1,36 @@ +From f774c012e8cb9d71508d0b36594554054ea49346 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Apr 2024 22:35:54 -0400 +Subject: parisc: add missing export of __cmpxchg_u8() + +From: Al Viro + +[ Upstream commit c57e5dccb06decf3cb6c272ab138c033727149b5 ] + +__cmpxchg_u8() had been added (initially) for the sake of +drivers/phy/ti/phy-tusb1210.c; the thing is, that drivers is +modular, so we need an export + +Fixes: b344d6a83d01 "parisc: add support for cmpxchg on u8 pointers" +Signed-off-by: Al Viro +Signed-off-by: Paul E. McKenney +Signed-off-by: Sasha Levin +--- + arch/parisc/kernel/parisc_ksyms.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/parisc/kernel/parisc_ksyms.c b/arch/parisc/kernel/parisc_ksyms.c +index 7baa2265d4392..e0d4b7d20f675 100644 +--- a/arch/parisc/kernel/parisc_ksyms.c ++++ b/arch/parisc/kernel/parisc_ksyms.c +@@ -34,6 +34,7 @@ EXPORT_SYMBOL(memset); + #include + EXPORT_SYMBOL(__xchg8); + EXPORT_SYMBOL(__xchg32); ++EXPORT_SYMBOL(__cmpxchg_u8); + EXPORT_SYMBOL(__cmpxchg_u32); + EXPORT_SYMBOL(__cmpxchg_u64); + #ifdef CONFIG_SMP +-- +2.43.0 + diff --git a/queue-4.19/power-supply-cros_usbpd-provide-id-table-for-avoidin.patch b/queue-4.19/power-supply-cros_usbpd-provide-id-table-for-avoidin.patch new file mode 100644 index 00000000000..fb3f1bec040 --- /dev/null +++ b/queue-4.19/power-supply-cros_usbpd-provide-id-table-for-avoidin.patch @@ -0,0 +1,66 @@ +From a6eddb16399ef4809d909d8b592302455b51a021 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Apr 2024 11:00:49 +0800 +Subject: power: supply: cros_usbpd: provide ID table for avoiding fallback + match + +From: Tzung-Bi Shih + +[ Upstream commit 0f8678c34cbfdc63569a9b0ede1fe235ec6ec693 ] + +Instead of using fallback driver name match, provide ID table[1] for the +primary match. + +[1]: https://elixir.bootlin.com/linux/v6.8/source/drivers/base/platform.c#L1353 + +Reviewed-by: Benson Leung +Reviewed-by: Prashant Malani +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: Tzung-Bi Shih +Link: https://lore.kernel.org/r/20240401030052.2887845-4-tzungbi@kernel.org +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/supply/cros_usbpd-charger.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/drivers/power/supply/cros_usbpd-charger.c b/drivers/power/supply/cros_usbpd-charger.c +index 74b5914abbf7e..123a5572fe5b1 100644 +--- a/drivers/power/supply/cros_usbpd-charger.c ++++ b/drivers/power/supply/cros_usbpd-charger.c +@@ -5,6 +5,7 @@ + * Copyright (c) 2014 - 2018 Google, Inc + */ + ++#include + #include + #include + #include +@@ -530,16 +531,22 @@ static int cros_usbpd_charger_resume(struct device *dev) + static SIMPLE_DEV_PM_OPS(cros_usbpd_charger_pm_ops, NULL, + cros_usbpd_charger_resume); + ++static const struct platform_device_id cros_usbpd_charger_id[] = { ++ { DRV_NAME, 0 }, ++ {} ++}; ++MODULE_DEVICE_TABLE(platform, cros_usbpd_charger_id); ++ + static struct platform_driver cros_usbpd_charger_driver = { + .driver = { + .name = DRV_NAME, + .pm = &cros_usbpd_charger_pm_ops, + }, +- .probe = cros_usbpd_charger_probe ++ .probe = cros_usbpd_charger_probe, ++ .id_table = cros_usbpd_charger_id, + }; + + module_platform_driver(cros_usbpd_charger_driver); + + MODULE_LICENSE("GPL"); + MODULE_DESCRIPTION("ChromeOS EC USBPD charger"); +-MODULE_ALIAS("platform:" DRV_NAME); +-- +2.43.0 + diff --git a/queue-4.19/powerpc-fsl-soc-hide-unused-const-variable.patch b/queue-4.19/powerpc-fsl-soc-hide-unused-const-variable.patch new file mode 100644 index 00000000000..617dc4c0793 --- /dev/null +++ b/queue-4.19/powerpc-fsl-soc-hide-unused-const-variable.patch @@ -0,0 +1,48 @@ +From 7b6b18e78b228cad7f53a0356790dc1c3d4eacea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Apr 2024 10:06:19 +0200 +Subject: powerpc/fsl-soc: hide unused const variable + +From: Arnd Bergmann + +[ Upstream commit 01acaf3aa75e1641442cc23d8fe0a7bb4226efb1 ] + +vmpic_msi_feature is only used conditionally, which triggers a rare +-Werror=unused-const-variable= warning with gcc: + +arch/powerpc/sysdev/fsl_msi.c:567:37: error: 'vmpic_msi_feature' defined but not used [-Werror=unused-const-variable=] + 567 | static const struct fsl_msi_feature vmpic_msi_feature = + +Hide this one in the same #ifdef as the reference so we can turn on +the warning by default. + +Fixes: 305bcf26128e ("powerpc/fsl-soc: use CONFIG_EPAPR_PARAVIRT for hcalls") +Signed-off-by: Arnd Bergmann +Reviewed-by: Christophe Leroy +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20240403080702.3509288-2-arnd@kernel.org +Signed-off-by: Sasha Levin +--- + arch/powerpc/sysdev/fsl_msi.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/powerpc/sysdev/fsl_msi.c b/arch/powerpc/sysdev/fsl_msi.c +index 44aedb6b9f556..4c1fd9d93e584 100644 +--- a/arch/powerpc/sysdev/fsl_msi.c ++++ b/arch/powerpc/sysdev/fsl_msi.c +@@ -578,10 +578,12 @@ static const struct fsl_msi_feature ipic_msi_feature = { + .msiir_offset = 0x38, + }; + ++#ifdef CONFIG_EPAPR_PARAVIRT + static const struct fsl_msi_feature vmpic_msi_feature = { + .fsl_pic_ip = FSL_PIC_IP_VMPIC, + .msiir_offset = 0, + }; ++#endif + + static const struct of_device_id fsl_of_msi_ids[] = { + { +-- +2.43.0 + diff --git a/queue-4.19/qed-avoid-truncating-work-queue-length.patch b/queue-4.19/qed-avoid-truncating-work-queue-length.patch new file mode 100644 index 00000000000..6991e32b9d3 --- /dev/null +++ b/queue-4.19/qed-avoid-truncating-work-queue-length.patch @@ -0,0 +1,58 @@ +From 9779b1d634b068a0a0f77cb44932410d9344e81f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Mar 2024 23:38:02 +0100 +Subject: qed: avoid truncating work queue length + +From: Arnd Bergmann + +[ Upstream commit 954fd908f177604d4cce77e2a88cc50b29bad5ff ] + +clang complains that the temporary string for the name passed into +alloc_workqueue() is too short for its contents: + +drivers/net/ethernet/qlogic/qed/qed_main.c:1218:3: error: 'snprintf' will always be truncated; specified size is 16, but format string expands to at least 18 [-Werror,-Wformat-truncation] + +There is no need for a temporary buffer, and the actual name of a workqueue +is 32 bytes (WQ_NAME_LEN), so just use the interface as intended to avoid +the truncation. + +Fixes: 59ccf86fe69a ("qed: Add driver infrastucture for handling mfw requests.") +Signed-off-by: Arnd Bergmann +Link: https://lore.kernel.org/r/20240326223825.4084412-4-arnd@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qed/qed_main.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/qlogic/qed/qed_main.c b/drivers/net/ethernet/qlogic/qed/qed_main.c +index 43c85e584b6fe..d0441bd1944a4 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_main.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_main.c +@@ -1007,7 +1007,6 @@ static void qed_slowpath_task(struct work_struct *work) + static int qed_slowpath_wq_start(struct qed_dev *cdev) + { + struct qed_hwfn *hwfn; +- char name[NAME_SIZE]; + int i; + + if (IS_VF(cdev)) +@@ -1016,11 +1015,11 @@ static int qed_slowpath_wq_start(struct qed_dev *cdev) + for_each_hwfn(cdev, i) { + hwfn = &cdev->hwfns[i]; + +- snprintf(name, NAME_SIZE, "slowpath-%02x:%02x.%02x", +- cdev->pdev->bus->number, +- PCI_SLOT(cdev->pdev->devfn), hwfn->abs_pf_id); ++ hwfn->slowpath_wq = alloc_workqueue("slowpath-%02x:%02x.%02x", ++ 0, 0, cdev->pdev->bus->number, ++ PCI_SLOT(cdev->pdev->devfn), ++ hwfn->abs_pf_id); + +- hwfn->slowpath_wq = alloc_workqueue(name, 0, 0); + if (!hwfn->slowpath_wq) { + DP_NOTICE(hwfn, "Cannot create slowpath workqueue\n"); + return -ENOMEM; +-- +2.43.0 + diff --git a/queue-4.19/rdma-hns-use-complete-parentheses-in-macros.patch b/queue-4.19/rdma-hns-use-complete-parentheses-in-macros.patch new file mode 100644 index 00000000000..5e6660d7430 --- /dev/null +++ b/queue-4.19/rdma-hns-use-complete-parentheses-in-macros.patch @@ -0,0 +1,52 @@ +From 66a70cdc4f1ac8dd8e81a3c8fd541ca71178f6ff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Apr 2024 17:16:15 +0800 +Subject: RDMA/hns: Use complete parentheses in macros + +From: Chengchang Tang + +[ Upstream commit 4125269bb9b22e1d8cdf4412c81be8074dbc61ca ] + +Use complete parentheses to ensure that macro expansion does +not produce unexpected results. + +Fixes: a25d13cbe816 ("RDMA/hns: Add the interfaces to support multi hop addressing for the contexts in hip08") +Signed-off-by: Chengchang Tang +Signed-off-by: Junxian Huang +Link: https://lore.kernel.org/r/20240412091616.370789-10-huangjunxian6@hisilicon.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hns/hns_roce_hem.h | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_hem.h b/drivers/infiniband/hw/hns/hns_roce_hem.h +index a94444db3045a..265706811f23a 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hem.h ++++ b/drivers/infiniband/hw/hns/hns_roce_hem.h +@@ -57,16 +57,16 @@ enum { + (sizeof(struct scatterlist) + sizeof(void *))) + + #define check_whether_bt_num_3(type, hop_num) \ +- (type < HEM_TYPE_MTT && hop_num == 2) ++ ((type) < HEM_TYPE_MTT && (hop_num) == 2) + + #define check_whether_bt_num_2(type, hop_num) \ +- ((type < HEM_TYPE_MTT && hop_num == 1) || \ +- (type >= HEM_TYPE_MTT && hop_num == 2)) ++ (((type) < HEM_TYPE_MTT && (hop_num) == 1) || \ ++ ((type) >= HEM_TYPE_MTT && (hop_num) == 2)) + + #define check_whether_bt_num_1(type, hop_num) \ +- ((type < HEM_TYPE_MTT && hop_num == HNS_ROCE_HOP_NUM_0) || \ +- (type >= HEM_TYPE_MTT && hop_num == 1) || \ +- (type >= HEM_TYPE_MTT && hop_num == HNS_ROCE_HOP_NUM_0)) ++ (((type) < HEM_TYPE_MTT && (hop_num) == HNS_ROCE_HOP_NUM_0) || \ ++ ((type) >= HEM_TYPE_MTT && (hop_num) == 1) || \ ++ ((type) >= HEM_TYPE_MTT && (hop_num) == HNS_ROCE_HOP_NUM_0)) + + enum { + HNS_ROCE_HEM_PAGE_SHIFT = 12, +-- +2.43.0 + diff --git a/queue-4.19/rdma-ipoib-fix-format-truncation-compilation-errors.patch b/queue-4.19/rdma-ipoib-fix-format-truncation-compilation-errors.patch new file mode 100644 index 00000000000..da0960a2fea --- /dev/null +++ b/queue-4.19/rdma-ipoib-fix-format-truncation-compilation-errors.patch @@ -0,0 +1,66 @@ +From 2fd189c3aedf823af72a96bac4273fc69cc9d562 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 May 2024 10:39:33 +0300 +Subject: RDMA/IPoIB: Fix format truncation compilation errors +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Leon Romanovsky + +[ Upstream commit 49ca2b2ef3d003402584c68ae7b3055ba72e750a ] + +Truncate the device name to store IPoIB VLAN name. + +[leonro@5b4e8fba4ddd kernel]$ make -s -j 20 allmodconfig +[leonro@5b4e8fba4ddd kernel]$ make -s -j 20 W=1 drivers/infiniband/ulp/ipoib/ +drivers/infiniband/ulp/ipoib/ipoib_vlan.c: In function ‘ipoib_vlan_add’: +drivers/infiniband/ulp/ipoib/ipoib_vlan.c:187:52: error: ‘%04x’ +directive output may be truncated writing 4 bytes into a region of size +between 0 and 15 [-Werror=format-truncation=] + 187 | snprintf(intf_name, sizeof(intf_name), "%s.%04x", + | ^~~~ +drivers/infiniband/ulp/ipoib/ipoib_vlan.c:187:48: note: directive +argument in the range [0, 65535] + 187 | snprintf(intf_name, sizeof(intf_name), "%s.%04x", + | ^~~~~~~~~ +drivers/infiniband/ulp/ipoib/ipoib_vlan.c:187:9: note: ‘snprintf’ output +between 6 and 21 bytes into a destination of size 16 + 187 | snprintf(intf_name, sizeof(intf_name), "%s.%04x", + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + 188 | ppriv->dev->name, pkey); + | ~~~~~~~~~~~~~~~~~~~~~~~ +cc1: all warnings being treated as errors +make[6]: *** [scripts/Makefile.build:244: drivers/infiniband/ulp/ipoib/ipoib_vlan.o] Error 1 +make[6]: *** Waiting for unfinished jobs.... + +Fixes: 9baa0b036410 ("IB/ipoib: Add rtnl_link_ops support") +Link: https://lore.kernel.org/r/e9d3e1fef69df4c9beaf402cc3ac342bad680791.1715240029.git.leon@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/ulp/ipoib/ipoib_vlan.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/ulp/ipoib/ipoib_vlan.c b/drivers/infiniband/ulp/ipoib/ipoib_vlan.c +index 341753fbda54d..fed44c01d65ed 100644 +--- a/drivers/infiniband/ulp/ipoib/ipoib_vlan.c ++++ b/drivers/infiniband/ulp/ipoib/ipoib_vlan.c +@@ -179,8 +179,12 @@ int ipoib_vlan_add(struct net_device *pdev, unsigned short pkey) + + ppriv = ipoib_priv(pdev); + +- snprintf(intf_name, sizeof(intf_name), "%s.%04x", +- ppriv->dev->name, pkey); ++ /* If you increase IFNAMSIZ, update snprintf below ++ * to allow longer names. ++ */ ++ BUILD_BUG_ON(IFNAMSIZ != 16); ++ snprintf(intf_name, sizeof(intf_name), "%.10s.%04x", ppriv->dev->name, ++ pkey); + + priv = ipoib_intf_alloc(ppriv->ca, ppriv->port, intf_name); + if (!priv) { +-- +2.43.0 + diff --git a/queue-4.19/revert-sh-handle-calling-csum_partial-with-misaligne.patch b/queue-4.19/revert-sh-handle-calling-csum_partial-with-misaligne.patch new file mode 100644 index 00000000000..6713ab824a0 --- /dev/null +++ b/queue-4.19/revert-sh-handle-calling-csum_partial-with-misaligne.patch @@ -0,0 +1,187 @@ +From eeed80cddeff344f51a88d480fc874e72aba3586 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 24 Mar 2024 16:18:04 -0700 +Subject: Revert "sh: Handle calling csum_partial with misaligned data" + +From: Guenter Roeck + +[ Upstream commit b5319c96292ff877f6b58d349acf0a9dc8d3b454 ] + +This reverts commit cadc4e1a2b4d20d0cc0e81f2c6ba0588775e54e5. + +Commit cadc4e1a2b4d ("sh: Handle calling csum_partial with misaligned +data") causes bad checksum calculations on unaligned data. Reverting +it fixes the problem. + + # Subtest: checksum + # module: checksum_kunit + 1..5 + # test_csum_fixed_random_inputs: ASSERTION FAILED at lib/checksum_kunit.c:500 + Expected ( u64)result == ( u64)expec, but + ( u64)result == 53378 (0xd082) + ( u64)expec == 33488 (0x82d0) + # test_csum_fixed_random_inputs: pass:0 fail:1 skip:0 total:1 + not ok 1 test_csum_fixed_random_inputs + # test_csum_all_carry_inputs: ASSERTION FAILED at lib/checksum_kunit.c:525 + Expected ( u64)result == ( u64)expec, but + ( u64)result == 65281 (0xff01) + ( u64)expec == 65280 (0xff00) + # test_csum_all_carry_inputs: pass:0 fail:1 skip:0 total:1 + not ok 2 test_csum_all_carry_inputs + # test_csum_no_carry_inputs: ASSERTION FAILED at lib/checksum_kunit.c:573 + Expected ( u64)result == ( u64)expec, but + ( u64)result == 65535 (0xffff) + ( u64)expec == 65534 (0xfffe) + # test_csum_no_carry_inputs: pass:0 fail:1 skip:0 total:1 + not ok 3 test_csum_no_carry_inputs + # test_ip_fast_csum: pass:1 fail:0 skip:0 total:1 + ok 4 test_ip_fast_csum + # test_csum_ipv6_magic: pass:1 fail:0 skip:0 total:1 + ok 5 test_csum_ipv6_magic + # checksum: pass:2 fail:3 skip:0 total:5 + # Totals: pass:2 fail:3 skip:0 total:5 +not ok 22 checksum + +Fixes: cadc4e1a2b4d ("sh: Handle calling csum_partial with misaligned data") +Signed-off-by: Guenter Roeck +Tested-by: Geert Uytterhoeven +Reviewed-by: John Paul Adrian Glaubitz +Link: https://lore.kernel.org/r/20240324231804.841099-1-linux@roeck-us.net +Signed-off-by: John Paul Adrian Glaubitz +Signed-off-by: Sasha Levin +--- + arch/sh/lib/checksum.S | 67 ++++++++++++------------------------------ + 1 file changed, 18 insertions(+), 49 deletions(-) + +diff --git a/arch/sh/lib/checksum.S b/arch/sh/lib/checksum.S +index 356c8ec928930..1fc361b641196 100644 +--- a/arch/sh/lib/checksum.S ++++ b/arch/sh/lib/checksum.S +@@ -36,7 +36,8 @@ + */ + + /* +- * asmlinkage __wsum csum_partial(const void *buf, int len, __wsum sum); ++ * unsigned int csum_partial(const unsigned char *buf, int len, ++ * unsigned int sum); + */ + + .text +@@ -48,31 +49,11 @@ ENTRY(csum_partial) + * Fortunately, it is easy to convert 2-byte alignment to 4-byte + * alignment for the unrolled loop. + */ ++ mov r5, r1 + mov r4, r0 +- tst #3, r0 ! Check alignment. +- bt/s 2f ! Jump if alignment is ok. +- mov r4, r7 ! Keep a copy to check for alignment ++ tst #2, r0 ! Check alignment. ++ bt 2f ! Jump if alignment is ok. + ! +- tst #1, r0 ! Check alignment. +- bt 21f ! Jump if alignment is boundary of 2bytes. +- +- ! buf is odd +- tst r5, r5 +- add #-1, r5 +- bt 9f +- mov.b @r4+, r0 +- extu.b r0, r0 +- addc r0, r6 ! t=0 from previous tst +- mov r6, r0 +- shll8 r6 +- shlr16 r0 +- shlr8 r0 +- or r0, r6 +- mov r4, r0 +- tst #2, r0 +- bt 2f +-21: +- ! buf is 2 byte aligned (len could be 0) + add #-2, r5 ! Alignment uses up two bytes. + cmp/pz r5 ! + bt/s 1f ! Jump if we had at least two bytes. +@@ -80,17 +61,16 @@ ENTRY(csum_partial) + bra 6f + add #2, r5 ! r5 was < 2. Deal with it. + 1: ++ mov r5, r1 ! Save new len for later use. + mov.w @r4+, r0 + extu.w r0, r0 + addc r0, r6 + bf 2f + add #1, r6 + 2: +- ! buf is 4 byte aligned (len could be 0) +- mov r5, r1 + mov #-5, r0 +- shld r0, r1 +- tst r1, r1 ++ shld r0, r5 ++ tst r5, r5 + bt/s 4f ! if it's =0, go to 4f + clrt + .align 2 +@@ -112,31 +92,30 @@ ENTRY(csum_partial) + addc r0, r6 + addc r2, r6 + movt r0 +- dt r1 ++ dt r5 + bf/s 3b + cmp/eq #1, r0 +- ! here, we know r1==0 +- addc r1, r6 ! add carry to r6 ++ ! here, we know r5==0 ++ addc r5, r6 ! add carry to r6 + 4: +- mov r5, r0 ++ mov r1, r0 + and #0x1c, r0 + tst r0, r0 +- bt 6f +- ! 4 bytes or more remaining +- mov r0, r1 +- shlr2 r1 ++ bt/s 6f ++ mov r0, r5 ++ shlr2 r5 + mov #0, r2 + 5: + addc r2, r6 + mov.l @r4+, r2 + movt r0 +- dt r1 ++ dt r5 + bf/s 5b + cmp/eq #1, r0 + addc r2, r6 +- addc r1, r6 ! r1==0 here, so it means add carry-bit ++ addc r5, r6 ! r5==0 here, so it means add carry-bit + 6: +- ! 3 bytes or less remaining ++ mov r1, r5 + mov #3, r0 + and r0, r5 + tst r5, r5 +@@ -162,16 +141,6 @@ ENTRY(csum_partial) + mov #0, r0 + addc r0, r6 + 9: +- ! Check if the buffer was misaligned, if so realign sum +- mov r7, r0 +- tst #1, r0 +- bt 10f +- mov r6, r0 +- shll8 r6 +- shlr16 r0 +- shlr8 r0 +- or r0, r6 +-10: + rts + mov r6, r0 + +-- +2.43.0 + diff --git a/queue-4.19/s390-cio-fix-tracepoint-subchannel-type-field.patch b/queue-4.19/s390-cio-fix-tracepoint-subchannel-type-field.patch new file mode 100644 index 00000000000..97bbd0efafc --- /dev/null +++ b/queue-4.19/s390-cio-fix-tracepoint-subchannel-type-field.patch @@ -0,0 +1,38 @@ +From 2caf20bf057a7ad8f9a013bb5198a01d32137a54 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Mar 2024 17:04:56 +0100 +Subject: s390/cio: fix tracepoint subchannel type field + +From: Peter Oberparleiter + +[ Upstream commit 8692a24d0fae19f674d51726d179ad04ba95d958 ] + +The subchannel-type field "st" of s390_cio_stsch and s390_cio_msch +tracepoints is incorrectly filled with the subchannel-enabled SCHIB +value "ena". Fix this by assigning the correct value. + +Fixes: d1de8633d96a ("s390 cio: Rewrite trace point class s390_class_schib") +Reviewed-by: Heiko Carstens +Signed-off-by: Peter Oberparleiter +Signed-off-by: Alexander Gordeev +Signed-off-by: Sasha Levin +--- + drivers/s390/cio/trace.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/s390/cio/trace.h b/drivers/s390/cio/trace.h +index 0ebb29b6fd6df..3a56f11d36e40 100644 +--- a/drivers/s390/cio/trace.h ++++ b/drivers/s390/cio/trace.h +@@ -50,7 +50,7 @@ DECLARE_EVENT_CLASS(s390_class_schib, + __entry->devno = schib->pmcw.dev; + __entry->schib = *schib; + __entry->pmcw_ena = schib->pmcw.ena; +- __entry->pmcw_st = schib->pmcw.ena; ++ __entry->pmcw_st = schib->pmcw.st; + __entry->pmcw_dnv = schib->pmcw.dnv; + __entry->pmcw_dev = schib->pmcw.dev; + __entry->pmcw_lpm = schib->pmcw.lpm; +-- +2.43.0 + diff --git a/queue-4.19/sched-fair-allow-disabling-sched_balance_newidle-wit.patch b/queue-4.19/sched-fair-allow-disabling-sched_balance_newidle-wit.patch new file mode 100644 index 00000000000..ea4dd587931 --- /dev/null +++ b/queue-4.19/sched-fair-allow-disabling-sched_balance_newidle-wit.patch @@ -0,0 +1,64 @@ +From 2d8b7714f98dd702523f813b87d6f19813c1c558 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Apr 2024 18:05:23 +0300 +Subject: sched/fair: Allow disabling sched_balance_newidle with + sched_relax_domain_level + +From: Vitalii Bursov + +[ Upstream commit a1fd0b9d751f840df23ef0e75b691fc00cfd4743 ] + +Change relax_domain_level checks so that it would be possible +to include or exclude all domains from newidle balancing. + +This matches the behavior described in the documentation: + + -1 no request. use system default or follow request of others. + 0 no search. + 1 search siblings (hyperthreads in a core). + +"2" enables levels 0 and 1, level_max excludes the last (level_max) +level, and level_max+1 includes all levels. + +Fixes: 1d3504fcf560 ("sched, cpuset: customize sched domains, core") +Signed-off-by: Vitalii Bursov +Signed-off-by: Ingo Molnar +Tested-by: Dietmar Eggemann +Reviewed-by: Vincent Guittot +Reviewed-by: Valentin Schneider +Link: https://lore.kernel.org/r/bd6de28e80073c79466ec6401cdeae78f0d4423d.1714488502.git.vitaly@bursov.com +Signed-off-by: Sasha Levin +--- + kernel/cgroup/cpuset.c | 2 +- + kernel/sched/topology.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/kernel/cgroup/cpuset.c b/kernel/cgroup/cpuset.c +index 3067d3e5a51d9..af749e265eadd 100644 +--- a/kernel/cgroup/cpuset.c ++++ b/kernel/cgroup/cpuset.c +@@ -1269,7 +1269,7 @@ bool current_cpuset_is_being_rebound(void) + static int update_relax_domain_level(struct cpuset *cs, s64 val) + { + #ifdef CONFIG_SMP +- if (val < -1 || val >= sched_domain_level_max) ++ if (val < -1 || val > sched_domain_level_max + 1) + return -EINVAL; + #endif + +diff --git a/kernel/sched/topology.c b/kernel/sched/topology.c +index c171783bda0cf..a00fb3b8a6aad 100644 +--- a/kernel/sched/topology.c ++++ b/kernel/sched/topology.c +@@ -969,7 +969,7 @@ static void set_domain_attribute(struct sched_domain *sd, + } else + request = attr->relax_domain_level; + +- if (sd->level > request) { ++ if (sd->level >= request) { + /* Turn off idle balance on this domain: */ + sd->flags &= ~(SD_BALANCE_WAKE|SD_BALANCE_NEWIDLE); + } +-- +2.43.0 + diff --git a/queue-4.19/sched-topology-don-t-set-sd_balance_wake-on-cpuset-d.patch b/queue-4.19/sched-topology-don-t-set-sd_balance_wake-on-cpuset-d.patch new file mode 100644 index 00000000000..b04a099d562 --- /dev/null +++ b/queue-4.19/sched-topology-don-t-set-sd_balance_wake-on-cpuset-d.patch @@ -0,0 +1,70 @@ +From f8efdf2ebec36947d92d9fe805db7cb159c82e48 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Oct 2019 17:44:08 +0100 +Subject: sched/topology: Don't set SD_BALANCE_WAKE on cpuset domain relax + +From: Valentin Schneider + +[ Upstream commit 9ae7ab20b4835dbea0e5fc6a5c70171dc354a72e ] + +As pointed out in commit + + 182a85f8a119 ("sched: Disable wakeup balancing") + +SD_BALANCE_WAKE is a tad too aggressive, and is usually left unset. + +However, it turns out cpuset domain relaxation will unconditionally set it +on domains below the relaxation level. This made sense back when +SD_BALANCE_WAKE was set unconditionally, but it no longer is the case. + +We can improve things slightly by noticing that set_domain_attribute() is +always called after sd_init(), so rather than setting flags we can rely on +whatever sd_init() is doing and only clear certain flags when above the +relaxation level. + +While at it, slightly clean up the function and flip the relax level +check to be more human readable. + +Signed-off-by: Valentin Schneider +Signed-off-by: Peter Zijlstra (Intel) +Cc: mingo@kernel.org +Cc: vincent.guittot@linaro.org +Cc: juri.lelli@redhat.com +Cc: seto.hidetoshi@jp.fujitsu.com +Cc: qperret@google.com +Cc: Dietmar.Eggemann@arm.com +Cc: morten.rasmussen@arm.com +Link: https://lkml.kernel.org/r/20191014164408.32596-1-valentin.schneider@arm.com +Stable-dep-of: a1fd0b9d751f ("sched/fair: Allow disabling sched_balance_newidle with sched_relax_domain_level") +Signed-off-by: Sasha Levin +--- + kernel/sched/topology.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +diff --git a/kernel/sched/topology.c b/kernel/sched/topology.c +index 02e85cd233d42..c171783bda0cf 100644 +--- a/kernel/sched/topology.c ++++ b/kernel/sched/topology.c +@@ -965,16 +965,13 @@ static void set_domain_attribute(struct sched_domain *sd, + if (!attr || attr->relax_domain_level < 0) { + if (default_relax_domain_level < 0) + return; +- else +- request = default_relax_domain_level; ++ request = default_relax_domain_level; + } else + request = attr->relax_domain_level; +- if (request < sd->level) { ++ ++ if (sd->level > request) { + /* Turn off idle balance on this domain: */ + sd->flags &= ~(SD_BALANCE_WAKE|SD_BALANCE_NEWIDLE); +- } else { +- /* Turn on idle balance on this domain: */ +- sd->flags |= (SD_BALANCE_WAKE|SD_BALANCE_NEWIDLE); + } + } + +-- +2.43.0 + diff --git a/queue-4.19/scsi-bfa-ensure-the-copied-buf-is-nul-terminated.patch b/queue-4.19/scsi-bfa-ensure-the-copied-buf-is-nul-terminated.patch new file mode 100644 index 00000000000..c6e89d8efbb --- /dev/null +++ b/queue-4.19/scsi-bfa-ensure-the-copied-buf-is-nul-terminated.patch @@ -0,0 +1,49 @@ +From 8af950a9051c5e8e7587700d896dfd6de0358262 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Apr 2024 21:44:20 +0700 +Subject: scsi: bfa: Ensure the copied buf is NUL terminated + +From: Bui Quang Minh + +[ Upstream commit 13d0cecb4626fae67c00c84d3c7851f6b62f7df3 ] + +Currently, we allocate a nbytes-sized kernel buffer and copy nbytes from +userspace to that buffer. Later, we use sscanf on this buffer but we don't +ensure that the string is terminated inside the buffer, this can lead to +OOB read when using sscanf. Fix this issue by using memdup_user_nul instead +of memdup_user. + +Fixes: 9f30b674759b ("bfa: replace 2 kzalloc/copy_from_user by memdup_user") +Signed-off-by: Bui Quang Minh +Link: https://lore.kernel.org/r/20240424-fix-oob-read-v2-3-f1f1b53a10f4@gmail.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/bfa/bfad_debugfs.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/bfa/bfad_debugfs.c b/drivers/scsi/bfa/bfad_debugfs.c +index 349cfe7d055eb..30c344322d531 100644 +--- a/drivers/scsi/bfa/bfad_debugfs.c ++++ b/drivers/scsi/bfa/bfad_debugfs.c +@@ -258,7 +258,7 @@ bfad_debugfs_write_regrd(struct file *file, const char __user *buf, + unsigned long flags; + void *kern_buf; + +- kern_buf = memdup_user(buf, nbytes); ++ kern_buf = memdup_user_nul(buf, nbytes); + if (IS_ERR(kern_buf)) + return PTR_ERR(kern_buf); + +@@ -325,7 +325,7 @@ bfad_debugfs_write_regwr(struct file *file, const char __user *buf, + unsigned long flags; + void *kern_buf; + +- kern_buf = memdup_user(buf, nbytes); ++ kern_buf = memdup_user_nul(buf, nbytes); + if (IS_ERR(kern_buf)) + return PTR_ERR(kern_buf); + +-- +2.43.0 + diff --git a/queue-4.19/scsi-hpsa-fix-allocation-size-for-scsi_host-private-.patch b/queue-4.19/scsi-hpsa-fix-allocation-size-for-scsi_host-private-.patch new file mode 100644 index 00000000000..b0002f0cc24 --- /dev/null +++ b/queue-4.19/scsi-hpsa-fix-allocation-size-for-scsi_host-private-.patch @@ -0,0 +1,41 @@ +From c040e452d10e232489c39ac73ff3f6e1a3ba284e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Mar 2024 20:04:47 +0300 +Subject: scsi: hpsa: Fix allocation size for Scsi_Host private data + +From: Yuri Karpov + +[ Upstream commit 504e2bed5d50610c1836046c0c195b0a6dba9c72 ] + +struct Scsi_Host private data contains pointer to struct ctlr_info. + +Restore allocation of only 8 bytes to store pointer in struct Scsi_Host +private data area. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: bbbd25499100 ("scsi: hpsa: Fix allocation size for scsi_host_alloc()") +Signed-off-by: Yuri Karpov +Link: https://lore.kernel.org/r/20240312170447.743709-1-YKarpov@ispras.ru +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/hpsa.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c +index 25d9bdd4bc698..d68d8a573ae31 100644 +--- a/drivers/scsi/hpsa.c ++++ b/drivers/scsi/hpsa.c +@@ -5771,7 +5771,7 @@ static int hpsa_scsi_host_alloc(struct ctlr_info *h) + { + struct Scsi_Host *sh; + +- sh = scsi_host_alloc(&hpsa_driver_template, sizeof(struct ctlr_info)); ++ sh = scsi_host_alloc(&hpsa_driver_template, sizeof(struct ctlr_info *)); + if (sh == NULL) { + dev_err(&h->pdev->dev, "scsi_host_alloc failed\n"); + return -ENOMEM; +-- +2.43.0 + diff --git a/queue-4.19/scsi-libsas-fix-the-failure-of-adding-phy-with-zero-.patch b/queue-4.19/scsi-libsas-fix-the-failure-of-adding-phy-with-zero-.patch new file mode 100644 index 00000000000..08fec3a2e82 --- /dev/null +++ b/queue-4.19/scsi-libsas-fix-the-failure-of-adding-phy-with-zero-.patch @@ -0,0 +1,55 @@ +From f2a7eabc426e3feae10800ca8b87df3f0e3f6e70 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Mar 2024 14:11:03 +0000 +Subject: scsi: libsas: Fix the failure of adding phy with zero-address to port + +From: Xingui Yang + +[ Upstream commit 06036a0a5db34642c5dbe22021a767141f010b7a ] + +As of commit 7d1d86518118 ("[SCSI] libsas: fix false positive 'device +attached' conditions"), reset the phy->entacted_sas_addr address to a +zero-address when the link rate is less than 1.5G. + +Currently we find that when a new device is attached, and the link rate is +less than 1.5G, but the device type is not NO_DEVICE, for example: the link +rate is SAS_PHY_RESET_IN_PROGRESS and the device type is stp. After setting +the phy->entacted_sas_addr address to the zero address, the port will +continue to be created for the phy with the zero-address, and other phys +with the zero-address will be tried to be added to the new port: + +[562240.051197] sas: ex 500e004aaaaaaa1f phy19:U:0 attached: 0000000000000000 (no device) +// phy19 is deleted but still on the parent port's phy_list +[562240.062536] sas: ex 500e004aaaaaaa1f phy0 new device attached +[562240.062616] sas: ex 500e004aaaaaaa1f phy00:U:5 attached: 0000000000000000 (stp) +[562240.062680] port-7:7:0: trying to add phy phy-7:7:19 fails: it's already part of another port + +Therefore, it should be the same as sas_get_phy_attached_dev(). Only when +device_type is SAS_PHY_UNUSED, sas_address is set to the 0 address. + +Fixes: 7d1d86518118 ("[SCSI] libsas: fix false positive 'device attached' conditions") +Signed-off-by: Xingui Yang +Link: https://lore.kernel.org/r/20240312141103.31358-5-yangxingui@huawei.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/libsas/sas_expander.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/scsi/libsas/sas_expander.c b/drivers/scsi/libsas/sas_expander.c +index 3e74fe9257617..601e06ad6a7b2 100644 +--- a/drivers/scsi/libsas/sas_expander.c ++++ b/drivers/scsi/libsas/sas_expander.c +@@ -269,8 +269,7 @@ static void sas_set_ex_phy(struct domain_device *dev, int phy_id, void *rsp) + /* help some expanders that fail to zero sas_address in the 'no + * device' case + */ +- if (phy->attached_dev_type == SAS_PHY_UNUSED || +- phy->linkrate < SAS_LINK_RATE_1_5_GBPS) ++ if (phy->attached_dev_type == SAS_PHY_UNUSED) + memset(phy->attached_sas_addr, 0, SAS_ADDR_SIZE); + else + memcpy(phy->attached_sas_addr, dr->attached_sas_addr, SAS_ADDR_SIZE); +-- +2.43.0 + diff --git a/queue-4.19/scsi-qedf-ensure-the-copied-buf-is-nul-terminated.patch b/queue-4.19/scsi-qedf-ensure-the-copied-buf-is-nul-terminated.patch new file mode 100644 index 00000000000..8317b305527 --- /dev/null +++ b/queue-4.19/scsi-qedf-ensure-the-copied-buf-is-nul-terminated.patch @@ -0,0 +1,40 @@ +From 062186e925e6fa15991817c527ce4b39da1e0016 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Apr 2024 21:44:21 +0700 +Subject: scsi: qedf: Ensure the copied buf is NUL terminated + +From: Bui Quang Minh + +[ Upstream commit d0184a375ee797eb657d74861ba0935b6e405c62 ] + +Currently, we allocate a count-sized kernel buffer and copy count from +userspace to that buffer. Later, we use kstrtouint on this buffer but we +don't ensure that the string is terminated inside the buffer, this can +lead to OOB read when using kstrtouint. Fix this issue by using +memdup_user_nul instead of memdup_user. + +Fixes: 61d8658b4a43 ("scsi: qedf: Add QLogic FastLinQ offload FCoE driver framework.") +Signed-off-by: Bui Quang Minh +Link: https://lore.kernel.org/r/20240424-fix-oob-read-v2-4-f1f1b53a10f4@gmail.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qedf/qedf_debugfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/qedf/qedf_debugfs.c b/drivers/scsi/qedf/qedf_debugfs.c +index 84f1ddcfbb218..4636c045e1e3e 100644 +--- a/drivers/scsi/qedf/qedf_debugfs.c ++++ b/drivers/scsi/qedf/qedf_debugfs.c +@@ -190,7 +190,7 @@ qedf_dbg_debug_cmd_write(struct file *filp, const char __user *buffer, + if (!count || *ppos) + return 0; + +- kern_buf = memdup_user(buffer, count); ++ kern_buf = memdup_user_nul(buffer, count); + if (IS_ERR(kern_buf)) + return PTR_ERR(kern_buf); + +-- +2.43.0 + diff --git a/queue-4.19/scsi-ufs-add-a-low-level-__ufshcd_issue_tm_cmd-helpe.patch b/queue-4.19/scsi-ufs-add-a-low-level-__ufshcd_issue_tm_cmd-helpe.patch new file mode 100644 index 00000000000..26f6f442f91 --- /dev/null +++ b/queue-4.19/scsi-ufs-add-a-low-level-__ufshcd_issue_tm_cmd-helpe.patch @@ -0,0 +1,217 @@ +From 664452934cffa7a2321852fd609f16bf6d6d27d2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 7 Oct 2018 17:30:33 +0300 +Subject: scsi: ufs: add a low-level __ufshcd_issue_tm_cmd helper + +From: Christoph Hellwig + +[ Upstream commit c6049cd98212dfe39f67fb411d18d53df0ad9436 ] + +Add a helper that takes a utp_task_req_desc and issues it, which will +be useful for UFS bsg support. Rewrite ufshcd_issue_tm_cmd0x to use +this new helper. + +Signed-off-by: Christoph Hellwig +Signed-off-by: Avri Altman +Signed-off-by: Martin K. Petersen +Stable-dep-of: e4a628877119 ("scsi: ufs: core: Perform read back after disabling interrupts") +Signed-off-by: Sasha Levin +--- + drivers/scsi/ufs/ufshcd.c | 141 +++++++++++++++++--------------------- + 1 file changed, 61 insertions(+), 80 deletions(-) + +diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c +index 2239dda35fd70..6e420aab18452 100644 +--- a/drivers/scsi/ufs/ufshcd.c ++++ b/drivers/scsi/ufs/ufshcd.c +@@ -648,19 +648,6 @@ static inline int ufshcd_get_tr_ocs(struct ufshcd_lrb *lrbp) + return le32_to_cpu(lrbp->utr_descriptor_ptr->header.dword_2) & MASK_OCS; + } + +-/** +- * ufshcd_get_tmr_ocs - Get the UTMRD Overall Command Status +- * @task_req_descp: pointer to utp_task_req_desc structure +- * +- * This function is used to get the OCS field from UTMRD +- * Returns the OCS field in the UTMRD +- */ +-static inline int +-ufshcd_get_tmr_ocs(struct utp_task_req_desc *task_req_descp) +-{ +- return le32_to_cpu(task_req_descp->header.dword_2) & MASK_OCS; +-} +- + /** + * ufshcd_get_tm_free_slot - get a free slot for task management request + * @hba: per adapter instance +@@ -4658,37 +4645,6 @@ static void ufshcd_slave_destroy(struct scsi_device *sdev) + } + } + +-/** +- * ufshcd_task_req_compl - handle task management request completion +- * @hba: per adapter instance +- * @index: index of the completed request +- * @resp: task management service response +- * +- * Returns non-zero value on error, zero on success +- */ +-static int ufshcd_task_req_compl(struct ufs_hba *hba, u32 index, u8 *resp) +-{ +- struct utp_task_req_desc *treq = hba->utmrdl_base_addr + index; +- unsigned long flags; +- int ocs_value; +- +- spin_lock_irqsave(hba->host->host_lock, flags); +- +- /* Clear completed tasks from outstanding_tasks */ +- __clear_bit(index, &hba->outstanding_tasks); +- +- ocs_value = ufshcd_get_tmr_ocs(treq); +- +- if (ocs_value != OCS_SUCCESS) +- dev_err(hba->dev, "%s: failed, ocs = 0x%x\n", +- __func__, ocs_value); +- else if (resp) +- *resp = be32_to_cpu(treq->output_param1) & MASK_TM_SERVICE_RESP; +- spin_unlock_irqrestore(hba->host->host_lock, flags); +- +- return ocs_value; +-} +- + /** + * ufshcd_scsi_cmd_status - Update SCSI command result based on SCSI status + * @lrbp: pointer to local reference block of completed command +@@ -5648,27 +5604,12 @@ static int ufshcd_clear_tm_cmd(struct ufs_hba *hba, int tag) + return err; + } + +-/** +- * ufshcd_issue_tm_cmd - issues task management commands to controller +- * @hba: per adapter instance +- * @lun_id: LUN ID to which TM command is sent +- * @task_id: task ID to which the TM command is applicable +- * @tm_function: task management function opcode +- * @tm_response: task management service response return value +- * +- * Returns non-zero value on error, zero on success. +- */ +-static int ufshcd_issue_tm_cmd(struct ufs_hba *hba, int lun_id, int task_id, +- u8 tm_function, u8 *tm_response) ++static int __ufshcd_issue_tm_cmd(struct ufs_hba *hba, ++ struct utp_task_req_desc *treq, u8 tm_function) + { +- struct utp_task_req_desc *treq; +- struct Scsi_Host *host; ++ struct Scsi_Host *host = hba->host; + unsigned long flags; +- int free_slot; +- int err; +- int task_tag; +- +- host = hba->host; ++ int free_slot, task_tag, err; + + /* + * Get free slot, sleep if slots are unavailable. +@@ -5679,24 +5620,11 @@ static int ufshcd_issue_tm_cmd(struct ufs_hba *hba, int lun_id, int task_id, + ufshcd_hold(hba, false); + + spin_lock_irqsave(host->host_lock, flags); +- treq = hba->utmrdl_base_addr + free_slot; +- +- /* Configure task request descriptor */ +- treq->header.dword_0 = cpu_to_le32(UTP_REQ_DESC_INT_CMD); +- treq->header.dword_2 = cpu_to_le32(OCS_INVALID_COMMAND_STATUS); +- +- /* Configure task request UPIU */ + task_tag = hba->nutrs + free_slot; +- treq->req_header.dword_0 = UPIU_HEADER_DWORD(UPIU_TRANSACTION_TASK_REQ, +- 0, lun_id, task_tag); +- treq->req_header.dword_1 = UPIU_HEADER_DWORD(0, tm_function, 0, 0); +- /* +- * The host shall provide the same value for LUN field in the basic +- * header and for Input Parameter. +- */ +- treq->input_param1 = cpu_to_be32(lun_id); +- treq->input_param2 = cpu_to_be32(task_id); + ++ treq->req_header.dword_0 |= cpu_to_be32(task_tag); ++ ++ memcpy(hba->utmrdl_base_addr + free_slot, treq, sizeof(*treq)); + ufshcd_vops_setup_task_mgmt(hba, free_slot, tm_function); + + /* send command to the controller */ +@@ -5726,8 +5654,15 @@ static int ufshcd_issue_tm_cmd(struct ufs_hba *hba, int lun_id, int task_id, + __func__, free_slot); + err = -ETIMEDOUT; + } else { +- err = ufshcd_task_req_compl(hba, free_slot, tm_response); ++ err = 0; ++ memcpy(treq, hba->utmrdl_base_addr + free_slot, sizeof(*treq)); ++ + ufshcd_add_tm_upiu_trace(hba, task_tag, "tm_complete"); ++ ++ spin_lock_irqsave(hba->host->host_lock, flags); ++ __clear_bit(free_slot, &hba->outstanding_tasks); ++ spin_unlock_irqrestore(hba->host->host_lock, flags); ++ + } + + clear_bit(free_slot, &hba->tm_condition); +@@ -5738,6 +5673,52 @@ static int ufshcd_issue_tm_cmd(struct ufs_hba *hba, int lun_id, int task_id, + return err; + } + ++/** ++ * ufshcd_issue_tm_cmd - issues task management commands to controller ++ * @hba: per adapter instance ++ * @lun_id: LUN ID to which TM command is sent ++ * @task_id: task ID to which the TM command is applicable ++ * @tm_function: task management function opcode ++ * @tm_response: task management service response return value ++ * ++ * Returns non-zero value on error, zero on success. ++ */ ++static int ufshcd_issue_tm_cmd(struct ufs_hba *hba, int lun_id, int task_id, ++ u8 tm_function, u8 *tm_response) ++{ ++ struct utp_task_req_desc treq = { { 0 }, }; ++ int ocs_value, err; ++ ++ /* Configure task request descriptor */ ++ treq.header.dword_0 = cpu_to_le32(UTP_REQ_DESC_INT_CMD); ++ treq.header.dword_2 = cpu_to_le32(OCS_INVALID_COMMAND_STATUS); ++ ++ /* Configure task request UPIU */ ++ treq.req_header.dword_0 = cpu_to_be32(lun_id << 8) | ++ cpu_to_be32(UPIU_TRANSACTION_TASK_REQ << 24); ++ treq.req_header.dword_1 = cpu_to_be32(tm_function << 16); ++ ++ /* ++ * The host shall provide the same value for LUN field in the basic ++ * header and for Input Parameter. ++ */ ++ treq.input_param1 = cpu_to_be32(lun_id); ++ treq.input_param2 = cpu_to_be32(task_id); ++ ++ err = __ufshcd_issue_tm_cmd(hba, &treq, tm_function); ++ if (err == -ETIMEDOUT) ++ return err; ++ ++ ocs_value = le32_to_cpu(treq.header.dword_2) & MASK_OCS; ++ if (ocs_value != OCS_SUCCESS) ++ dev_err(hba->dev, "%s: failed, ocs = 0x%x\n", ++ __func__, ocs_value); ++ else if (tm_response) ++ *tm_response = be32_to_cpu(treq.output_param1) & ++ MASK_TM_SERVICE_RESP; ++ return err; ++} ++ + /** + * ufshcd_eh_device_reset_handler - device reset handler registered to + * scsi layer. +-- +2.43.0 + diff --git a/queue-4.19/scsi-ufs-cleanup-struct-utp_task_req_desc.patch b/queue-4.19/scsi-ufs-cleanup-struct-utp_task_req_desc.patch new file mode 100644 index 00000000000..3530ecabecb --- /dev/null +++ b/queue-4.19/scsi-ufs-cleanup-struct-utp_task_req_desc.patch @@ -0,0 +1,243 @@ +From 6e1889000d72e87995f06eb6bfadf63311484b5d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 7 Oct 2018 17:30:32 +0300 +Subject: scsi: ufs: cleanup struct utp_task_req_desc + +From: Christoph Hellwig + +[ Upstream commit 391e388f853dad5d1d7462a31bb50ff2446e37f0 ] + +Remove the pointless task_req_upiu and task_rsp_upiu indirections, +which are __le32 arrays always cast to given structures and just add +the members directly. Also clean up variables names in use in the +callers a bit to make the code more readable. + +Signed-off-by: Christoph Hellwig +Signed-off-by: Avri Altman +Signed-off-by: Martin K. Petersen +Stable-dep-of: e4a628877119 ("scsi: ufs: core: Perform read back after disabling interrupts") +Signed-off-by: Sasha Levin +--- + drivers/scsi/ufs/ufs.h | 30 ----------------- + drivers/scsi/ufs/ufshcd.c | 68 ++++++++++++--------------------------- + drivers/scsi/ufs/ufshci.h | 25 +++++++------- + 3 files changed, 34 insertions(+), 89 deletions(-) + +diff --git a/drivers/scsi/ufs/ufs.h b/drivers/scsi/ufs/ufs.h +index c3bcaaec0fc5c..58f8d6002d5a1 100644 +--- a/drivers/scsi/ufs/ufs.h ++++ b/drivers/scsi/ufs/ufs.h +@@ -519,36 +519,6 @@ struct utp_upiu_rsp { + }; + }; + +-/** +- * struct utp_upiu_task_req - Task request UPIU structure +- * @header - UPIU header structure DW0 to DW-2 +- * @input_param1: Input parameter 1 DW-3 +- * @input_param2: Input parameter 2 DW-4 +- * @input_param3: Input parameter 3 DW-5 +- * @reserved: Reserved double words DW-6 to DW-7 +- */ +-struct utp_upiu_task_req { +- struct utp_upiu_header header; +- __be32 input_param1; +- __be32 input_param2; +- __be32 input_param3; +- __be32 reserved[2]; +-}; +- +-/** +- * struct utp_upiu_task_rsp - Task Management Response UPIU structure +- * @header: UPIU header structure DW0-DW-2 +- * @output_param1: Ouput parameter 1 DW3 +- * @output_param2: Output parameter 2 DW4 +- * @reserved: Reserved double words DW-5 to DW-7 +- */ +-struct utp_upiu_task_rsp { +- struct utp_upiu_header header; +- __be32 output_param1; +- __be32 output_param2; +- __be32 reserved[3]; +-}; +- + /** + * struct ufs_query_req - parameters for building a query request + * @query_func: UPIU header query function +diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c +index b45cd6c98bad7..2239dda35fd70 100644 +--- a/drivers/scsi/ufs/ufshcd.c ++++ b/drivers/scsi/ufs/ufshcd.c +@@ -341,14 +341,11 @@ static void ufshcd_add_query_upiu_trace(struct ufs_hba *hba, unsigned int tag, + static void ufshcd_add_tm_upiu_trace(struct ufs_hba *hba, unsigned int tag, + const char *str) + { +- struct utp_task_req_desc *descp; +- struct utp_upiu_task_req *task_req; + int off = (int)tag - hba->nutrs; ++ struct utp_task_req_desc *descp = &hba->utmrdl_base_addr[off]; + +- descp = &hba->utmrdl_base_addr[off]; +- task_req = (struct utp_upiu_task_req *)descp->task_req_upiu; +- trace_ufshcd_upiu(dev_name(hba->dev), str, &task_req->header, +- &task_req->input_param1); ++ trace_ufshcd_upiu(dev_name(hba->dev), str, &descp->req_header, ++ &descp->input_param1); + } + + static void ufshcd_add_command_trace(struct ufs_hba *hba, +@@ -490,22 +487,13 @@ void ufshcd_print_trs(struct ufs_hba *hba, unsigned long bitmap, bool pr_prdt) + + static void ufshcd_print_tmrs(struct ufs_hba *hba, unsigned long bitmap) + { +- struct utp_task_req_desc *tmrdp; + int tag; + + for_each_set_bit(tag, &bitmap, hba->nutmrs) { +- tmrdp = &hba->utmrdl_base_addr[tag]; ++ struct utp_task_req_desc *tmrdp = &hba->utmrdl_base_addr[tag]; ++ + dev_err(hba->dev, "TM[%d] - Task Management Header\n", tag); +- ufshcd_hex_dump("TM TRD: ", &tmrdp->header, +- sizeof(struct request_desc_header)); +- dev_err(hba->dev, "TM[%d] - Task Management Request UPIU\n", +- tag); +- ufshcd_hex_dump("TM REQ: ", tmrdp->task_req_upiu, +- sizeof(struct utp_upiu_req)); +- dev_err(hba->dev, "TM[%d] - Task Management Response UPIU\n", +- tag); +- ufshcd_hex_dump("TM RSP: ", tmrdp->task_rsp_upiu, +- sizeof(struct utp_task_req_desc)); ++ ufshcd_hex_dump("", tmrdp, sizeof(*tmrdp)); + } + } + +@@ -4680,31 +4668,22 @@ static void ufshcd_slave_destroy(struct scsi_device *sdev) + */ + static int ufshcd_task_req_compl(struct ufs_hba *hba, u32 index, u8 *resp) + { +- struct utp_task_req_desc *task_req_descp; +- struct utp_upiu_task_rsp *task_rsp_upiup; ++ struct utp_task_req_desc *treq = hba->utmrdl_base_addr + index; + unsigned long flags; + int ocs_value; +- int task_result; + + spin_lock_irqsave(hba->host->host_lock, flags); + + /* Clear completed tasks from outstanding_tasks */ + __clear_bit(index, &hba->outstanding_tasks); + +- task_req_descp = hba->utmrdl_base_addr; +- ocs_value = ufshcd_get_tmr_ocs(&task_req_descp[index]); ++ ocs_value = ufshcd_get_tmr_ocs(treq); + +- if (ocs_value == OCS_SUCCESS) { +- task_rsp_upiup = (struct utp_upiu_task_rsp *) +- task_req_descp[index].task_rsp_upiu; +- task_result = be32_to_cpu(task_rsp_upiup->output_param1); +- task_result = task_result & MASK_TM_SERVICE_RESP; +- if (resp) +- *resp = (u8)task_result; +- } else { ++ if (ocs_value != OCS_SUCCESS) + dev_err(hba->dev, "%s: failed, ocs = 0x%x\n", + __func__, ocs_value); +- } ++ else if (resp) ++ *resp = be32_to_cpu(treq->output_param1) & MASK_TM_SERVICE_RESP; + spin_unlock_irqrestore(hba->host->host_lock, flags); + + return ocs_value; +@@ -5682,8 +5661,7 @@ static int ufshcd_clear_tm_cmd(struct ufs_hba *hba, int tag) + static int ufshcd_issue_tm_cmd(struct ufs_hba *hba, int lun_id, int task_id, + u8 tm_function, u8 *tm_response) + { +- struct utp_task_req_desc *task_req_descp; +- struct utp_upiu_task_req *task_req_upiup; ++ struct utp_task_req_desc *treq; + struct Scsi_Host *host; + unsigned long flags; + int free_slot; +@@ -5701,29 +5679,23 @@ static int ufshcd_issue_tm_cmd(struct ufs_hba *hba, int lun_id, int task_id, + ufshcd_hold(hba, false); + + spin_lock_irqsave(host->host_lock, flags); +- task_req_descp = hba->utmrdl_base_addr; +- task_req_descp += free_slot; ++ treq = hba->utmrdl_base_addr + free_slot; + + /* Configure task request descriptor */ +- task_req_descp->header.dword_0 = cpu_to_le32(UTP_REQ_DESC_INT_CMD); +- task_req_descp->header.dword_2 = +- cpu_to_le32(OCS_INVALID_COMMAND_STATUS); ++ treq->header.dword_0 = cpu_to_le32(UTP_REQ_DESC_INT_CMD); ++ treq->header.dword_2 = cpu_to_le32(OCS_INVALID_COMMAND_STATUS); + + /* Configure task request UPIU */ +- task_req_upiup = +- (struct utp_upiu_task_req *) task_req_descp->task_req_upiu; + task_tag = hba->nutrs + free_slot; +- task_req_upiup->header.dword_0 = +- UPIU_HEADER_DWORD(UPIU_TRANSACTION_TASK_REQ, 0, +- lun_id, task_tag); +- task_req_upiup->header.dword_1 = +- UPIU_HEADER_DWORD(0, tm_function, 0, 0); ++ treq->req_header.dword_0 = UPIU_HEADER_DWORD(UPIU_TRANSACTION_TASK_REQ, ++ 0, lun_id, task_tag); ++ treq->req_header.dword_1 = UPIU_HEADER_DWORD(0, tm_function, 0, 0); + /* + * The host shall provide the same value for LUN field in the basic + * header and for Input Parameter. + */ +- task_req_upiup->input_param1 = cpu_to_be32(lun_id); +- task_req_upiup->input_param2 = cpu_to_be32(task_id); ++ treq->input_param1 = cpu_to_be32(lun_id); ++ treq->input_param2 = cpu_to_be32(task_id); + + ufshcd_vops_setup_task_mgmt(hba, free_slot, tm_function); + +diff --git a/drivers/scsi/ufs/ufshci.h b/drivers/scsi/ufs/ufshci.h +index bb5d9c7f3353a..6fa889de5ee5e 100644 +--- a/drivers/scsi/ufs/ufshci.h ++++ b/drivers/scsi/ufs/ufshci.h +@@ -433,22 +433,25 @@ struct utp_transfer_req_desc { + __le16 prd_table_offset; + }; + +-/** +- * struct utp_task_req_desc - UTMRD structure +- * @header: UTMRD header DW-0 to DW-3 +- * @task_req_upiu: Pointer to task request UPIU DW-4 to DW-11 +- * @task_rsp_upiu: Pointer to task response UPIU DW12 to DW-19 ++/* ++ * UTMRD structure. + */ + struct utp_task_req_desc { +- + /* DW 0-3 */ + struct request_desc_header header; + +- /* DW 4-11 */ +- __le32 task_req_upiu[TASK_REQ_UPIU_SIZE_DWORDS]; +- +- /* DW 12-19 */ +- __le32 task_rsp_upiu[TASK_RSP_UPIU_SIZE_DWORDS]; ++ /* DW 4-11 - Task request UPIU structure */ ++ struct utp_upiu_header req_header; ++ __be32 input_param1; ++ __be32 input_param2; ++ __be32 input_param3; ++ __be32 __reserved1[2]; ++ ++ /* DW 12-19 - Task Management Response UPIU structure */ ++ struct utp_upiu_header rsp_header; ++ __be32 output_param1; ++ __be32 output_param2; ++ __be32 __reserved2[3]; + }; + + #endif /* End of Header */ +-- +2.43.0 + diff --git a/queue-4.19/scsi-ufs-core-perform-read-back-after-disabling-inte.patch b/queue-4.19/scsi-ufs-core-perform-read-back-after-disabling-inte.patch new file mode 100644 index 00000000000..d1fe301d149 --- /dev/null +++ b/queue-4.19/scsi-ufs-core-perform-read-back-after-disabling-inte.patch @@ -0,0 +1,53 @@ +From e03a077021d009b4413e01e68296ac01b4038ee8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Mar 2024 15:46:50 -0500 +Subject: scsi: ufs: core: Perform read back after disabling interrupts + +From: Andrew Halaney + +[ Upstream commit e4a628877119bd40164a651d20321247b6f94a8b ] + +Currently, interrupts are cleared and disabled prior to registering the +interrupt. An mb() is used to complete the clear/disable writes before the +interrupt is registered. + +mb() ensures that the write completes, but completion doesn't mean that it +isn't stored in a buffer somewhere. The recommendation for ensuring these +bits have taken effect on the device is to perform a read back to force it +to make it all the way to the device. This is documented in device-io.rst +and a talk by Will Deacon on this can be seen over here: + + https://youtu.be/i6DayghhA8Q?si=MiyxB5cKJXSaoc01&t=1678 + +Let's do that to ensure these bits hit the device. Because the mb()'s +purpose wasn't to add extra ordering (on top of the ordering guaranteed by +writel()/readl()), it can safely be removed. + +Fixes: 199ef13cac7d ("scsi: ufs: avoid spurious UFS host controller interrupts") +Reviewed-by: Manivannan Sadhasivam +Reviewed-by: Bart Van Assche +Reviewed-by: Can Guo +Signed-off-by: Andrew Halaney +Link: https://lore.kernel.org/r/20240329-ufs-reset-ensure-effect-before-delay-v5-8-181252004586@redhat.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/ufs/ufshcd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c +index 6e420aab18452..b6129b822ed18 100644 +--- a/drivers/scsi/ufs/ufshcd.c ++++ b/drivers/scsi/ufs/ufshcd.c +@@ -8105,7 +8105,7 @@ int ufshcd_init(struct ufs_hba *hba, void __iomem *mmio_base, unsigned int irq) + * Make sure that UFS interrupts are disabled and any pending interrupt + * status is cleared before registering UFS interrupt handler. + */ +- mb(); ++ ufshcd_readl(hba, REG_INTERRUPT_ENABLE); + + /* IRQ registration */ + err = devm_request_irq(dev, irq, ufshcd_intr, IRQF_SHARED, UFSHCD, hba); +-- +2.43.0 + diff --git a/queue-4.19/scsi-ufs-core-perform-read-back-after-disabling-uic_.patch b/queue-4.19/scsi-ufs-core-perform-read-back-after-disabling-uic_.patch new file mode 100644 index 00000000000..3bfb9cda80b --- /dev/null +++ b/queue-4.19/scsi-ufs-core-perform-read-back-after-disabling-uic_.patch @@ -0,0 +1,52 @@ +From 156191e36e82a79fbea603c1e00da2534bcf4b3b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Mar 2024 15:46:51 -0500 +Subject: scsi: ufs: core: Perform read back after disabling UIC_COMMAND_COMPL + +From: Andrew Halaney + +[ Upstream commit 4bf3855497b60765ca03b983d064b25e99b97657 ] + +Currently, the UIC_COMMAND_COMPL interrupt is disabled and a wmb() is used +to complete the register write before any following writes. + +wmb() ensures the writes complete in that order, but completion doesn't +mean that it isn't stored in a buffer somewhere. The recommendation for +ensuring this bit has taken effect on the device is to perform a read back +to force it to make it all the way to the device. This is documented in +device-io.rst and a talk by Will Deacon on this can be seen over here: + + https://youtu.be/i6DayghhA8Q?si=MiyxB5cKJXSaoc01&t=1678 + +Let's do that to ensure the bit hits the device. Because the wmb()'s +purpose wasn't to add extra ordering (on top of the ordering guaranteed by +writel()/readl()), it can safely be removed. + +Fixes: d75f7fe495cf ("scsi: ufs: reduce the interrupts for power mode change requests") +Reviewed-by: Bart Van Assche +Reviewed-by: Can Guo +Reviewed-by: Manivannan Sadhasivam +Signed-off-by: Andrew Halaney +Link: https://lore.kernel.org/r/20240329-ufs-reset-ensure-effect-before-delay-v5-9-181252004586@redhat.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/ufs/ufshcd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c +index b6129b822ed18..5426bfe522d2d 100644 +--- a/drivers/scsi/ufs/ufshcd.c ++++ b/drivers/scsi/ufs/ufshcd.c +@@ -3754,7 +3754,7 @@ static int ufshcd_uic_pwr_ctrl(struct ufs_hba *hba, struct uic_command *cmd) + * Make sure UIC command completion interrupt is disabled before + * issuing UIC command. + */ +- wmb(); ++ ufshcd_readl(hba, REG_INTERRUPT_ENABLE); + reenable_intr = true; + } + ret = __ufshcd_send_uic_cmd(hba, cmd, false); +-- +2.43.0 + diff --git a/queue-4.19/scsi-ufs-qcom-perform-read-back-after-writing-reset-.patch b/queue-4.19/scsi-ufs-qcom-perform-read-back-after-writing-reset-.patch new file mode 100644 index 00000000000..ac03c991d2e --- /dev/null +++ b/queue-4.19/scsi-ufs-qcom-perform-read-back-after-writing-reset-.patch @@ -0,0 +1,71 @@ +From 05d24fb95595e48b16e6d81dd2fcd9e7578c0e99 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Mar 2024 15:46:43 -0500 +Subject: scsi: ufs: qcom: Perform read back after writing reset bit + +From: Andrew Halaney + +[ Upstream commit c4d28e06b0c94636f6e35d003fa9ebac0a94e1ae ] + +Currently, the reset bit for the UFS provided reset controller (used by its +phy) is written to, and then a mb() happens to try and ensure that hit the +device. Immediately afterwards a usleep_range() occurs. + +mb() ensures that the write completes, but completion doesn't mean that it +isn't stored in a buffer somewhere. The recommendation for ensuring this +bit has taken effect on the device is to perform a read back to force it to +make it all the way to the device. This is documented in device-io.rst and +a talk by Will Deacon on this can be seen over here: + + https://youtu.be/i6DayghhA8Q?si=MiyxB5cKJXSaoc01&t=1678 + +Let's do that to ensure the bit hits the device. By doing so and +guaranteeing the ordering against the immediately following usleep_range(), +the mb() can safely be removed. + +Fixes: 81c0fc51b7a7 ("ufs-qcom: add support for Qualcomm Technologies Inc platforms") +Reviewed-by: Manivannan Sadhasivam +Reviewed-by: Can Guo +Signed-off-by: Andrew Halaney +Link: https://lore.kernel.org/r/20240329-ufs-reset-ensure-effect-before-delay-v5-1-181252004586@redhat.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/ufs/ufs-qcom.h | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/scsi/ufs/ufs-qcom.h b/drivers/scsi/ufs/ufs-qcom.h +index 295f4bef6a0e9..507ffaa868466 100644 +--- a/drivers/scsi/ufs/ufs-qcom.h ++++ b/drivers/scsi/ufs/ufs-qcom.h +@@ -167,10 +167,10 @@ static inline void ufs_qcom_assert_reset(struct ufs_hba *hba) + 1 << OFFSET_UFS_PHY_SOFT_RESET, REG_UFS_CFG1); + + /* +- * Make sure assertion of ufs phy reset is written to +- * register before returning ++ * Dummy read to ensure the write takes effect before doing any sort ++ * of delay + */ +- mb(); ++ ufshcd_readl(hba, REG_UFS_CFG1); + } + + static inline void ufs_qcom_deassert_reset(struct ufs_hba *hba) +@@ -179,10 +179,10 @@ static inline void ufs_qcom_deassert_reset(struct ufs_hba *hba) + 0 << OFFSET_UFS_PHY_SOFT_RESET, REG_UFS_CFG1); + + /* +- * Make sure de-assertion of ufs phy reset is written to +- * register before returning ++ * Dummy read to ensure the write takes effect before doing any sort ++ * of delay + */ +- mb(); ++ ufshcd_readl(hba, REG_UFS_CFG1); + } + + struct ufs_qcom_bus_vote { +-- +2.43.0 + diff --git a/queue-4.19/selftests-kcmp-make-the-test-output-consistent-and-c.patch b/queue-4.19/selftests-kcmp-make-the-test-output-consistent-and-c.patch new file mode 100644 index 00000000000..3a5cb61282b --- /dev/null +++ b/queue-4.19/selftests-kcmp-make-the-test-output-consistent-and-c.patch @@ -0,0 +1,82 @@ +From c1f3653dcfeda9304ad4c7aba04d23ce0bfe3c89 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Jun 2022 00:58:22 +0530 +Subject: selftests/kcmp: Make the test output consistent and clear + +From: Gautam Menghani + +[ Upstream commit ff682226a353d88ffa5db9c2a9b945066776311e ] + +Make the output format of this test consistent. Currently the output is +as follows: + ++TAP version 13 ++1..1 ++# selftests: kcmp: kcmp_test ++# pid1: 45814 pid2: 45815 FD: 1 FILES: 1 VM: 2 FS: 1 SIGHAND: 2 ++ IO: 0 SYSVSEM: 0 INV: -1 ++# PASS: 0 returned as expected ++# PASS: 0 returned as expected ++# PASS: 0 returned as expected ++# # Planned tests != run tests (0 != 3) ++# # Totals: pass:3 fail:0 xfail:0 xpass:0 skip:0 error:0 ++# # Planned tests != run tests (0 != 3) ++# # Totals: pass:3 fail:0 xfail:0 xpass:0 skip:0 error:0 ++# # Totals: pass:0 fail:0 xfail:0 xpass:0 skip:0 error:0 ++ok 1 selftests: kcmp: kcmp_test + +With this patch applied the output is as follows: + ++TAP version 13 ++1..1 ++# selftests: kcmp: kcmp_test ++# TAP version 13 ++# 1..3 ++# pid1: 46330 pid2: 46331 FD: 1 FILES: 2 VM: 2 FS: 2 SIGHAND: 1 ++ IO: 0 SYSVSEM: 0 INV: -1 ++# PASS: 0 returned as expected ++# PASS: 0 returned as expected ++# PASS: 0 returned as expected ++# # Totals: pass:3 fail:0 xfail:0 xpass:0 skip:0 error:0 ++ok 1 selftests: kcmp: kcmp_test + +Signed-off-by: Gautam Menghani +Signed-off-by: Shuah Khan +Stable-dep-of: eb59a5811371 ("selftests/kcmp: remove unused open mode") +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/kcmp/kcmp_test.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/tools/testing/selftests/kcmp/kcmp_test.c b/tools/testing/selftests/kcmp/kcmp_test.c +index 6ea7b9f37a411..25110c7c0b3ed 100644 +--- a/tools/testing/selftests/kcmp/kcmp_test.c ++++ b/tools/testing/selftests/kcmp/kcmp_test.c +@@ -88,6 +88,9 @@ int main(int argc, char **argv) + int pid2 = getpid(); + int ret; + ++ ksft_print_header(); ++ ksft_set_plan(3); ++ + fd2 = open(kpath, O_RDWR, 0644); + if (fd2 < 0) { + perror("Can't open file"); +@@ -152,7 +155,6 @@ int main(int argc, char **argv) + ksft_inc_pass_cnt(); + } + +- ksft_print_cnts(); + + if (ret) + ksft_exit_fail(); +@@ -162,5 +164,5 @@ int main(int argc, char **argv) + + waitpid(pid2, &status, P_ALL); + +- return ksft_exit_pass(); ++ return 0; + } +-- +2.43.0 + diff --git a/queue-4.19/selftests-kcmp-remove-unused-open-mode.patch b/queue-4.19/selftests-kcmp-remove-unused-open-mode.patch new file mode 100644 index 00000000000..c505e289a7c --- /dev/null +++ b/queue-4.19/selftests-kcmp-remove-unused-open-mode.patch @@ -0,0 +1,42 @@ +From 21c98daf5926f07538b39d9e825504258135b9bf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Apr 2024 23:46:09 +0000 +Subject: selftests/kcmp: remove unused open mode + +From: Edward Liaw + +[ Upstream commit eb59a58113717df04b8a8229befd8ab1e5dbf86e ] + +Android bionic warns that open modes are ignored if O_CREAT or O_TMPFILE +aren't specified. The permissions for the file are set above: + + fd1 = open(kpath, O_RDWR | O_CREAT | O_TRUNC, 0644); + +Link: https://lkml.kernel.org/r/20240429234610.191144-1-edliaw@google.com +Fixes: d97b46a64674 ("syscalls, x86: add __NR_kcmp syscall") +Signed-off-by: Edward Liaw +Reviewed-by: Cyrill Gorcunov +Cc: Eric Biederman +Cc: Shuah Khan +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/kcmp/kcmp_test.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/kcmp/kcmp_test.c b/tools/testing/selftests/kcmp/kcmp_test.c +index 25110c7c0b3ed..d7a8e321bb16b 100644 +--- a/tools/testing/selftests/kcmp/kcmp_test.c ++++ b/tools/testing/selftests/kcmp/kcmp_test.c +@@ -91,7 +91,7 @@ int main(int argc, char **argv) + ksft_print_header(); + ksft_set_plan(3); + +- fd2 = open(kpath, O_RDWR, 0644); ++ fd2 = open(kpath, O_RDWR); + if (fd2 < 0) { + perror("Can't open file"); + ksft_exit_fail(); +-- +2.43.0 + diff --git a/queue-4.19/series b/queue-4.19/series index 6bb32bcd7e3..7df9dcdb72a 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -4,3 +4,82 @@ net-smc91x-fix-m68k-kernel-compilation-for-coldfire-cpu.patch nilfs2-fix-unexpected-freezing-of-nilfs_segctor_sync.patch nilfs2-fix-potential-hang-in-nilfs_detach_log_writer.patch tty-n_gsm-fix-possible-out-of-bounds-in-gsm0_receive.patch +wifi-cfg80211-fix-the-order-of-arguments-for-trace-e.patch +net-usb-qmi_wwan-add-telit-fn920c04-compositions.patch +drm-amd-display-set-color_mgmt_changed-to-true-on-un.patch +asoc-rt5645-fix-the-electric-noise-due-to-the-cbj-co.patch +asoc-dt-bindings-rt5645-add-cbj-sleeve-gpio-property.patch +asoc-da7219-aad-fix-usage-of-device_get_named_child_.patch +crypto-bcm-fix-pointer-arithmetic.patch +firmware-raspberrypi-use-correct-device-for-dma-mapp.patch +ecryptfs-fix-buffer-size-for-tag-66-packet.patch +nilfs2-fix-out-of-range-warning.patch +parisc-add-missing-export-of-__cmpxchg_u8.patch +crypto-ccp-remove-forward-declaration.patch +crypto-ccp-drop-platform-ifdef-checks.patch +s390-cio-fix-tracepoint-subchannel-type-field.patch +jffs2-prevent-xattr-node-from-overflowing-the-eraseb.patch +null_blk-fix-missing-mutex_destroy-at-module-removal.patch +md-fix-resync-softlockup-when-bitmap-size-is-less-th.patch +power-supply-cros_usbpd-provide-id-table-for-avoidin.patch +hsi-omap_ssi_core-convert-to-platform-remove-callbac.patch +hsi-omap_ssi_port-convert-to-platform-remove-callbac.patch +nfsd-drop-st_mutex-before-calling-move_to_close_lru.patch +wifi-ath10k-poll-service-ready-message-before-failin.patch +x86-boot-ignore-relocations-in-.notes-sections-in-wa.patch +qed-avoid-truncating-work-queue-length.patch +scsi-ufs-qcom-perform-read-back-after-writing-reset-.patch +scsi-ufs-cleanup-struct-utp_task_req_desc.patch +scsi-ufs-add-a-low-level-__ufshcd_issue_tm_cmd-helpe.patch +scsi-ufs-core-perform-read-back-after-disabling-inte.patch +scsi-ufs-core-perform-read-back-after-disabling-uic_.patch +irqchip-alpine-msi-fix-off-by-one-in-allocation-erro.patch +acpi-disable-wstringop-truncation.patch +scsi-libsas-fix-the-failure-of-adding-phy-with-zero-.patch +scsi-hpsa-fix-allocation-size-for-scsi_host-private-.patch +x86-purgatory-switch-to-the-position-independent-sma.patch +wifi-ath10k-fix-an-error-code-problem-in-ath10k_dbg_.patch +wifi-ath10k-populate-board-data-for-wcn3990.patch +macintosh-via-macii-remove-bug_on-assertions.patch +macintosh-via-macii-macintosh-adb-iop-clean-up-white.patch +macintosh-via-macii-fix-bug-sleeping-function-called.patch +wifi-carl9170-add-a-proper-sanity-check-for-endpoint.patch +wifi-ar5523-enable-proper-endpoint-verification.patch +sh-kprobes-merge-arch_copy_kprobe-into-arch_prepare_.patch +revert-sh-handle-calling-csum_partial-with-misaligne.patch +scsi-bfa-ensure-the-copied-buf-is-nul-terminated.patch +scsi-qedf-ensure-the-copied-buf-is-nul-terminated.patch +wifi-mwl8k-initialize-cmd-addr-properly.patch +net-usb-sr9700-stop-lying-about-skb-truesize.patch +m68k-fix-spinlock-race-in-kernel-thread-creation.patch +m68k-mac-use-030-reset-method-on-se-30.patch +m68k-mac-fix-reboot-hang-on-mac-iici.patch +net-ethernet-cortina-locking-fixes.patch +af_unix-fix-data-races-in-unix_release_sock-unix_str.patch +net-usb-smsc95xx-stop-lying-about-skb-truesize.patch +net-openvswitch-fix-overwriting-ct-original-tuple-fo.patch +ipv6-sr-add-missing-seg6_local_exit.patch +ipv6-sr-fix-incorrect-unregister-order.patch +ipv6-sr-fix-invalid-unregister-error-path.patch +drm-amd-display-fix-potential-index-out-of-bounds-in.patch +mtd-rawnand-hynix-fixed-typo.patch +fbdev-shmobile-fix-snprintf-truncation.patch +drm-mediatek-add-0-size-check-to-mtk_drm_gem_obj.patch +powerpc-fsl-soc-hide-unused-const-variable.patch +fbdev-sisfb-hide-unused-variables.patch +media-ngene-add-dvb_ca_en50221_init-return-value-che.patch +media-radio-shark2-avoid-led_names-truncations.patch +fbdev-sh7760fb-allow-modular-build.patch +drm-arm-malidp-fix-a-possible-null-pointer-dereferen.patch +asoc-tracing-export-snd_soc_dapm_dir_out-to-its-valu.patch +rdma-hns-use-complete-parentheses-in-macros.patch +x86-insn-fix-push-instruction-in-x86-instruction-dec.patch +ext4-avoid-excessive-credit-estimate-in-ext4_tmpfile.patch +sunrpc-fix-gss_free_in_token_pages.patch +selftests-kcmp-make-the-test-output-consistent-and-c.patch +selftests-kcmp-remove-unused-open-mode.patch +rdma-ipoib-fix-format-truncation-compilation-errors.patch +netrom-fix-possible-dead-lock-in-nr_rt_ioctl.patch +af_packet-do-not-call-packet_read_pending-from-tpack.patch +sched-topology-don-t-set-sd_balance_wake-on-cpuset-d.patch +sched-fair-allow-disabling-sched_balance_newidle-wit.patch diff --git a/queue-4.19/sh-kprobes-merge-arch_copy_kprobe-into-arch_prepare_.patch b/queue-4.19/sh-kprobes-merge-arch_copy_kprobe-into-arch_prepare_.patch new file mode 100644 index 00000000000..35ad6f2c79f --- /dev/null +++ b/queue-4.19/sh-kprobes-merge-arch_copy_kprobe-into-arch_prepare_.patch @@ -0,0 +1,53 @@ +From 4727b7f6b88d964e4f29d6dd73c4204249f6f84a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Mar 2024 22:02:30 +0100 +Subject: sh: kprobes: Merge arch_copy_kprobe() into arch_prepare_kprobe() + +From: Geert Uytterhoeven + +[ Upstream commit 1422ae080b66134fe192082d9b721ab7bd93fcc5 ] + +arch/sh/kernel/kprobes.c:52:16: warning: no previous prototype for 'arch_copy_kprobe' [-Wmissing-prototypes] + +Although SH kprobes support was only merged in v2.6.28, it missed the +earlier removal of the arch_copy_kprobe() callback in v2.6.15. + +Based on the powerpc part of commit 49a2a1b83ba6fa40 ("[PATCH] kprobes: +changed from using spinlock to mutex"). + +Fixes: d39f5450146ff39f ("sh: Add kprobes support.") +Signed-off-by: Geert Uytterhoeven +Reviewed-by: John Paul Adrian Glaubitz +Link: https://lore.kernel.org/r/717d47a19689cc944fae6e981a1ad7cae1642c89.1709326528.git.geert+renesas@glider.be +Signed-off-by: John Paul Adrian Glaubitz +Signed-off-by: Sasha Levin +--- + arch/sh/kernel/kprobes.c | 7 +------ + 1 file changed, 1 insertion(+), 6 deletions(-) + +diff --git a/arch/sh/kernel/kprobes.c b/arch/sh/kernel/kprobes.c +index 241e903dd3ee2..89edac3f7c535 100644 +--- a/arch/sh/kernel/kprobes.c ++++ b/arch/sh/kernel/kprobes.c +@@ -47,17 +47,12 @@ int __kprobes arch_prepare_kprobe(struct kprobe *p) + if (OPCODE_RTE(opcode)) + return -EFAULT; /* Bad breakpoint */ + ++ memcpy(p->ainsn.insn, p->addr, MAX_INSN_SIZE * sizeof(kprobe_opcode_t)); + p->opcode = opcode; + + return 0; + } + +-void __kprobes arch_copy_kprobe(struct kprobe *p) +-{ +- memcpy(p->ainsn.insn, p->addr, MAX_INSN_SIZE * sizeof(kprobe_opcode_t)); +- p->opcode = *p->addr; +-} +- + void __kprobes arch_arm_kprobe(struct kprobe *p) + { + *p->addr = BREAKPOINT_INSTRUCTION; +-- +2.43.0 + diff --git a/queue-4.19/sunrpc-fix-gss_free_in_token_pages.patch b/queue-4.19/sunrpc-fix-gss_free_in_token_pages.patch new file mode 100644 index 00000000000..23dbb0c8871 --- /dev/null +++ b/queue-4.19/sunrpc-fix-gss_free_in_token_pages.patch @@ -0,0 +1,78 @@ +From 204dd5a3ada02ddb8c39cdce64d7fbaab70ea0aa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 May 2024 09:10:41 -0400 +Subject: SUNRPC: Fix gss_free_in_token_pages() + +From: Chuck Lever + +[ Upstream commit bafa6b4d95d97877baa61883ff90f7e374427fae ] + +Dan Carpenter says: +> Commit 5866efa8cbfb ("SUNRPC: Fix svcauth_gss_proxy_init()") from Oct +> 24, 2019 (linux-next), leads to the following Smatch static checker +> warning: +> +> net/sunrpc/auth_gss/svcauth_gss.c:1039 gss_free_in_token_pages() +> warn: iterator 'i' not incremented +> +> net/sunrpc/auth_gss/svcauth_gss.c +> 1034 static void gss_free_in_token_pages(struct gssp_in_token *in_token) +> 1035 { +> 1036 u32 inlen; +> 1037 int i; +> 1038 +> --> 1039 i = 0; +> 1040 inlen = in_token->page_len; +> 1041 while (inlen) { +> 1042 if (in_token->pages[i]) +> 1043 put_page(in_token->pages[i]); +> ^ +> This puts page zero over and over. +> +> 1044 inlen -= inlen > PAGE_SIZE ? PAGE_SIZE : inlen; +> 1045 } +> 1046 +> 1047 kfree(in_token->pages); +> 1048 in_token->pages = NULL; +> 1049 } + +Based on the way that the ->pages[] array is constructed in +gss_read_proxy_verf(), we know that once the loop encounters a NULL +page pointer, the remaining array elements must also be NULL. + +Reported-by: Dan Carpenter +Suggested-by: Trond Myklebust +Fixes: 5866efa8cbfb ("SUNRPC: Fix svcauth_gss_proxy_init()") +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +--- + net/sunrpc/auth_gss/svcauth_gss.c | 10 ++-------- + 1 file changed, 2 insertions(+), 8 deletions(-) + +diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c +index ed6b2a155f44b..76d8ff5d9e9a2 100644 +--- a/net/sunrpc/auth_gss/svcauth_gss.c ++++ b/net/sunrpc/auth_gss/svcauth_gss.c +@@ -1058,17 +1058,11 @@ gss_read_verf(struct rpc_gss_wire_cred *gc, + + static void gss_free_in_token_pages(struct gssp_in_token *in_token) + { +- u32 inlen; + int i; + + i = 0; +- inlen = in_token->page_len; +- while (inlen) { +- if (in_token->pages[i]) +- put_page(in_token->pages[i]); +- inlen -= inlen > PAGE_SIZE ? PAGE_SIZE : inlen; +- } +- ++ while (in_token->pages[i]) ++ put_page(in_token->pages[i++]); + kfree(in_token->pages); + in_token->pages = NULL; + } +-- +2.43.0 + diff --git a/queue-4.19/wifi-ar5523-enable-proper-endpoint-verification.patch b/queue-4.19/wifi-ar5523-enable-proper-endpoint-verification.patch new file mode 100644 index 00000000000..0f7ea9674f3 --- /dev/null +++ b/queue-4.19/wifi-ar5523-enable-proper-endpoint-verification.patch @@ -0,0 +1,99 @@ +From 85b20f2ba7de92768e6a66894dcb9af6acfe47a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Apr 2024 05:14:25 -0700 +Subject: wifi: ar5523: enable proper endpoint verification + +From: Nikita Zhandarovich + +[ Upstream commit e120b6388d7d88635d67dcae6483f39c37111850 ] + +Syzkaller reports [1] hitting a warning about an endpoint in use +not having an expected type to it. + +Fix the issue by checking for the existence of all proper +endpoints with their according types intact. + +Sadly, this patch has not been tested on real hardware. + +[1] Syzkaller report: +------------[ cut here ]------------ +usb 1-1: BOGUS urb xfer, pipe 3 != type 1 +WARNING: CPU: 0 PID: 3643 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504 +... +Call Trace: + + ar5523_cmd+0x41b/0x780 drivers/net/wireless/ath/ar5523/ar5523.c:275 + ar5523_cmd_read drivers/net/wireless/ath/ar5523/ar5523.c:302 [inline] + ar5523_host_available drivers/net/wireless/ath/ar5523/ar5523.c:1376 [inline] + ar5523_probe+0x14b0/0x1d10 drivers/net/wireless/ath/ar5523/ar5523.c:1655 + usb_probe_interface+0x30f/0x7f0 drivers/usb/core/driver.c:396 + call_driver_probe drivers/base/dd.c:560 [inline] + really_probe+0x249/0xb90 drivers/base/dd.c:639 + __driver_probe_device+0x1df/0x4d0 drivers/base/dd.c:778 + driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:808 + __device_attach_driver+0x1d4/0x2e0 drivers/base/dd.c:936 + bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:427 + __device_attach+0x1e4/0x530 drivers/base/dd.c:1008 + bus_probe_device+0x1e8/0x2a0 drivers/base/bus.c:487 + device_add+0xbd9/0x1e90 drivers/base/core.c:3517 + usb_set_configuration+0x101d/0x1900 drivers/usb/core/message.c:2170 + usb_generic_driver_probe+0xbe/0x100 drivers/usb/core/generic.c:238 + usb_probe_device+0xd8/0x2c0 drivers/usb/core/driver.c:293 + call_driver_probe drivers/base/dd.c:560 [inline] + really_probe+0x249/0xb90 drivers/base/dd.c:639 + __driver_probe_device+0x1df/0x4d0 drivers/base/dd.c:778 + driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:808 + __device_attach_driver+0x1d4/0x2e0 drivers/base/dd.c:936 + bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:427 + __device_attach+0x1e4/0x530 drivers/base/dd.c:1008 + bus_probe_device+0x1e8/0x2a0 drivers/base/bus.c:487 + device_add+0xbd9/0x1e90 drivers/base/core.c:3517 + usb_new_device.cold+0x685/0x10ad drivers/usb/core/hub.c:2573 + hub_port_connect drivers/usb/core/hub.c:5353 [inline] + hub_port_connect_change drivers/usb/core/hub.c:5497 [inline] + port_event drivers/usb/core/hub.c:5653 [inline] + hub_event+0x26cb/0x45d0 drivers/usb/core/hub.c:5735 + process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289 + worker_thread+0x669/0x1090 kernel/workqueue.c:2436 + kthread+0x2e8/0x3a0 kernel/kthread.c:376 + ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306 + + +Reported-and-tested-by: syzbot+1bc2c2afd44f820a669f@syzkaller.appspotmail.com +Fixes: b7d572e1871d ("ar5523: Add new driver") +Signed-off-by: Nikita Zhandarovich +Signed-off-by: Kalle Valo +Link: https://msgid.link/20240408121425.29392-1-n.zhandarovich@fintech.ru +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ar5523/ar5523.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/drivers/net/wireless/ath/ar5523/ar5523.c b/drivers/net/wireless/ath/ar5523/ar5523.c +index 5d3cf354f6cb5..5ffd6f2152920 100644 +--- a/drivers/net/wireless/ath/ar5523/ar5523.c ++++ b/drivers/net/wireless/ath/ar5523/ar5523.c +@@ -1590,6 +1590,20 @@ static int ar5523_probe(struct usb_interface *intf, + struct ar5523 *ar; + int error = -ENOMEM; + ++ static const u8 bulk_ep_addr[] = { ++ AR5523_CMD_TX_PIPE | USB_DIR_OUT, ++ AR5523_DATA_TX_PIPE | USB_DIR_OUT, ++ AR5523_CMD_RX_PIPE | USB_DIR_IN, ++ AR5523_DATA_RX_PIPE | USB_DIR_IN, ++ 0}; ++ ++ if (!usb_check_bulk_endpoints(intf, bulk_ep_addr)) { ++ dev_err(&dev->dev, ++ "Could not find all expected endpoints\n"); ++ error = -ENODEV; ++ goto out; ++ } ++ + /* + * Load firmware if the device requires it. This will return + * -ENXIO on success and we'll get called back afer the usb +-- +2.43.0 + diff --git a/queue-4.19/wifi-ath10k-fix-an-error-code-problem-in-ath10k_dbg_.patch b/queue-4.19/wifi-ath10k-fix-an-error-code-problem-in-ath10k_dbg_.patch new file mode 100644 index 00000000000..63acc02cc9e --- /dev/null +++ b/queue-4.19/wifi-ath10k-fix-an-error-code-problem-in-ath10k_dbg_.patch @@ -0,0 +1,43 @@ +From dd9a6db44d71d08c4dfe1021c518de62183e89e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Apr 2024 11:42:44 +0800 +Subject: wifi: ath10k: Fix an error code problem in + ath10k_dbg_sta_write_peer_debug_trigger() + +From: Su Hui + +[ Upstream commit c511a9c12674d246916bb16c479d496b76983193 ] + +Clang Static Checker (scan-build) warns: + +drivers/net/wireless/ath/ath10k/debugfs_sta.c:line 429, column 3 +Value stored to 'ret' is never read. + +Return 'ret' rather than 'count' when 'ret' stores an error code. + +Fixes: ee8b08a1be82 ("ath10k: add debugfs support to get per peer tids log via tracing") +Signed-off-by: Su Hui +Acked-by: Jeff Johnson +Signed-off-by: Kalle Valo +Link: https://msgid.link/20240422034243.938962-1-suhui@nfschina.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath10k/debugfs_sta.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath10k/debugfs_sta.c b/drivers/net/wireless/ath/ath10k/debugfs_sta.c +index 6f10331e986bd..c7d7fe5d9375c 100644 +--- a/drivers/net/wireless/ath/ath10k/debugfs_sta.c ++++ b/drivers/net/wireless/ath/ath10k/debugfs_sta.c +@@ -449,7 +449,7 @@ ath10k_dbg_sta_write_peer_debug_trigger(struct file *file, + } + out: + mutex_unlock(&ar->conf_mutex); +- return count; ++ return ret ?: count; + } + + static const struct file_operations fops_peer_debug_trigger = { +-- +2.43.0 + diff --git a/queue-4.19/wifi-ath10k-poll-service-ready-message-before-failin.patch b/queue-4.19/wifi-ath10k-poll-service-ready-message-before-failin.patch new file mode 100644 index 00000000000..7719b058027 --- /dev/null +++ b/queue-4.19/wifi-ath10k-poll-service-ready-message-before-failin.patch @@ -0,0 +1,81 @@ +From a4a40a7b20adc6c39ba1a89267c1268dc34ee786 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Mar 2024 07:15:14 +0200 +Subject: wifi: ath10k: poll service ready message before failing + +From: Baochen Qiang + +[ Upstream commit e57b7d62a1b2f496caf0beba81cec3c90fad80d5 ] + +Currently host relies on CE interrupts to get notified that +the service ready message is ready. This results in timeout +issue if the interrupt is not fired, due to some unknown +reasons. See below logs: + +[76321.937866] ath10k_pci 0000:02:00.0: wmi service ready event not received +... +[76322.016738] ath10k_pci 0000:02:00.0: Could not init core: -110 + +And finally it causes WLAN interface bring up failure. + +Change to give it one more chance here by polling CE rings, +before failing directly. + +Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00157-QCARMSWPZ-1 + +Fixes: 5e3dd157d7e7 ("ath10k: mac80211 driver for Qualcomm Atheros 802.11ac CQA98xx devices") +Reported-by: James Prestwood +Tested-By: James Prestwood # on QCA6174 hw3.2 +Link: https://lore.kernel.org/linux-wireless/304ce305-fbe6-420e-ac2a-d61ae5e6ca1a@gmail.com/ +Signed-off-by: Baochen Qiang +Acked-by: Jeff Johnson +Signed-off-by: Kalle Valo +Link: https://msgid.link/20240227030409.89702-1-quic_bqiang@quicinc.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath10k/wmi.c | 26 +++++++++++++++++++++++--- + 1 file changed, 23 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath10k/wmi.c b/drivers/net/wireless/ath/ath10k/wmi.c +index 41eb57be92220..967a39304648e 100644 +--- a/drivers/net/wireless/ath/ath10k/wmi.c ++++ b/drivers/net/wireless/ath/ath10k/wmi.c +@@ -1697,12 +1697,32 @@ void ath10k_wmi_put_wmi_channel(struct wmi_channel *ch, + + int ath10k_wmi_wait_for_service_ready(struct ath10k *ar) + { +- unsigned long time_left; ++ unsigned long time_left, i; + + time_left = wait_for_completion_timeout(&ar->wmi.service_ready, + WMI_SERVICE_READY_TIMEOUT_HZ); +- if (!time_left) +- return -ETIMEDOUT; ++ if (!time_left) { ++ /* Sometimes the PCI HIF doesn't receive interrupt ++ * for the service ready message even if the buffer ++ * was completed. PCIe sniffer shows that it's ++ * because the corresponding CE ring doesn't fires ++ * it. Workaround here by polling CE rings once. ++ */ ++ ath10k_warn(ar, "failed to receive service ready completion, polling..\n"); ++ ++ for (i = 0; i < CE_COUNT; i++) ++ ath10k_hif_send_complete_check(ar, i, 1); ++ ++ time_left = wait_for_completion_timeout(&ar->wmi.service_ready, ++ WMI_SERVICE_READY_TIMEOUT_HZ); ++ if (!time_left) { ++ ath10k_warn(ar, "polling timed out\n"); ++ return -ETIMEDOUT; ++ } ++ ++ ath10k_warn(ar, "service ready completion received, continuing normally\n"); ++ } ++ + return 0; + } + +-- +2.43.0 + diff --git a/queue-4.19/wifi-ath10k-populate-board-data-for-wcn3990.patch b/queue-4.19/wifi-ath10k-populate-board-data-for-wcn3990.patch new file mode 100644 index 00000000000..aa70510d312 --- /dev/null +++ b/queue-4.19/wifi-ath10k-populate-board-data-for-wcn3990.patch @@ -0,0 +1,65 @@ +From 2ac5a5d082b9504227eb1079d5a942bf7142a5d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Jan 2024 08:47:06 +0200 +Subject: wifi: ath10k: populate board data for WCN3990 + +From: Dmitry Baryshkov + +[ Upstream commit f1f1b5b055c9f27a2f90fd0f0521f5920e9b3c18 ] + +Specify board data size (and board.bin filename) for the WCN3990 +platform. + +Reported-by: Yongqin Liu +Fixes: 03a72288c546 ("ath10k: wmi: add hw params entry for wcn3990") +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Kalle Valo +Link: https://msgid.link/20240130-wcn3990-board-fw-v1-1-738f7c19a8c8@linaro.org +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath10k/core.c | 3 +++ + drivers/net/wireless/ath/ath10k/hw.h | 1 + + drivers/net/wireless/ath/ath10k/targaddrs.h | 3 +++ + 3 files changed, 7 insertions(+) + +diff --git a/drivers/net/wireless/ath/ath10k/core.c b/drivers/net/wireless/ath/ath10k/core.c +index 7e43d449131dd..5683e0466a657 100644 +--- a/drivers/net/wireless/ath/ath10k/core.c ++++ b/drivers/net/wireless/ath/ath10k/core.c +@@ -540,6 +540,9 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = { + .max_spatial_stream = 4, + .fw = { + .dir = WCN3990_HW_1_0_FW_DIR, ++ .board = WCN3990_HW_1_0_BOARD_DATA_FILE, ++ .board_size = WCN3990_BOARD_DATA_SZ, ++ .board_ext_size = WCN3990_BOARD_EXT_DATA_SZ, + }, + .sw_decrypt_mcast_mgmt = true, + .hw_ops = &wcn3990_ops, +diff --git a/drivers/net/wireless/ath/ath10k/hw.h b/drivers/net/wireless/ath/ath10k/hw.h +index 3ff65a0a834a2..afc274a078da0 100644 +--- a/drivers/net/wireless/ath/ath10k/hw.h ++++ b/drivers/net/wireless/ath/ath10k/hw.h +@@ -133,6 +133,7 @@ enum qca9377_chip_id_rev { + /* WCN3990 1.0 definitions */ + #define WCN3990_HW_1_0_DEV_VERSION ATH10K_HW_WCN3990 + #define WCN3990_HW_1_0_FW_DIR ATH10K_FW_DIR "/WCN3990/hw1.0" ++#define WCN3990_HW_1_0_BOARD_DATA_FILE "board.bin" + + #define ATH10K_FW_FILE_BASE "firmware" + #define ATH10K_FW_API_MAX 6 +diff --git a/drivers/net/wireless/ath/ath10k/targaddrs.h b/drivers/net/wireless/ath/ath10k/targaddrs.h +index c2b5bad0459ba..dddf4853df589 100644 +--- a/drivers/net/wireless/ath/ath10k/targaddrs.h ++++ b/drivers/net/wireless/ath/ath10k/targaddrs.h +@@ -487,4 +487,7 @@ struct host_interest { + #define QCA4019_BOARD_DATA_SZ 12064 + #define QCA4019_BOARD_EXT_DATA_SZ 0 + ++#define WCN3990_BOARD_DATA_SZ 26328 ++#define WCN3990_BOARD_EXT_DATA_SZ 0 ++ + #endif /* __TARGADDRS_H__ */ +-- +2.43.0 + diff --git a/queue-4.19/wifi-carl9170-add-a-proper-sanity-check-for-endpoint.patch b/queue-4.19/wifi-carl9170-add-a-proper-sanity-check-for-endpoint.patch new file mode 100644 index 00000000000..ba6ee84f269 --- /dev/null +++ b/queue-4.19/wifi-carl9170-add-a-proper-sanity-check-for-endpoint.patch @@ -0,0 +1,97 @@ +From 0640de18175c317edb4142c82e5309db0b054d3a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Apr 2024 11:33:55 -0700 +Subject: wifi: carl9170: add a proper sanity check for endpoints + +From: Nikita Zhandarovich + +[ Upstream commit b6dd09b3dac89b45d1ea3e3bd035a3859c0369a0 ] + +Syzkaller reports [1] hitting a warning which is caused by presence +of a wrong endpoint type at the URB sumbitting stage. While there +was a check for a specific 4th endpoint, since it can switch types +between bulk and interrupt, other endpoints are trusted implicitly. +Similar warning is triggered in a couple of other syzbot issues [2]. + +Fix the issue by doing a comprehensive check of all endpoints +taking into account difference between high- and full-speed +configuration. + +[1] Syzkaller report: +... +WARNING: CPU: 0 PID: 4721 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504 +... +Call Trace: + + carl9170_usb_send_rx_irq_urb+0x273/0x340 drivers/net/wireless/ath/carl9170/usb.c:504 + carl9170_usb_init_device drivers/net/wireless/ath/carl9170/usb.c:939 [inline] + carl9170_usb_firmware_finish drivers/net/wireless/ath/carl9170/usb.c:999 [inline] + carl9170_usb_firmware_step2+0x175/0x240 drivers/net/wireless/ath/carl9170/usb.c:1028 + request_firmware_work_func+0x130/0x240 drivers/base/firmware_loader/main.c:1107 + process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289 + worker_thread+0x669/0x1090 kernel/workqueue.c:2436 + kthread+0x2e8/0x3a0 kernel/kthread.c:376 + ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308 + + +[2] Related syzkaller crashes: +Link: https://syzkaller.appspot.com/bug?extid=e394db78ae0b0032cb4d +Link: https://syzkaller.appspot.com/bug?extid=9468df99cb63a4a4c4e1 + +Reported-and-tested-by: syzbot+0ae4804973be759fa420@syzkaller.appspotmail.com +Fixes: a84fab3cbfdc ("carl9170: 802.11 rx/tx processing and usb backend") +Signed-off-by: Nikita Zhandarovich +Acked-By: Christian Lamparter +Signed-off-by: Kalle Valo +Link: https://msgid.link/20240422183355.3785-1-n.zhandarovich@fintech.ru +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/carl9170/usb.c | 32 +++++++++++++++++++++++++ + 1 file changed, 32 insertions(+) + +diff --git a/drivers/net/wireless/ath/carl9170/usb.c b/drivers/net/wireless/ath/carl9170/usb.c +index 99f1897a775dc..738f43b17e959 100644 +--- a/drivers/net/wireless/ath/carl9170/usb.c ++++ b/drivers/net/wireless/ath/carl9170/usb.c +@@ -1069,6 +1069,38 @@ static int carl9170_usb_probe(struct usb_interface *intf, + ar->usb_ep_cmd_is_bulk = true; + } + ++ /* Verify that all expected endpoints are present */ ++ if (ar->usb_ep_cmd_is_bulk) { ++ u8 bulk_ep_addr[] = { ++ AR9170_USB_EP_RX | USB_DIR_IN, ++ AR9170_USB_EP_TX | USB_DIR_OUT, ++ AR9170_USB_EP_CMD | USB_DIR_OUT, ++ 0}; ++ u8 int_ep_addr[] = { ++ AR9170_USB_EP_IRQ | USB_DIR_IN, ++ 0}; ++ if (!usb_check_bulk_endpoints(intf, bulk_ep_addr) || ++ !usb_check_int_endpoints(intf, int_ep_addr)) ++ err = -ENODEV; ++ } else { ++ u8 bulk_ep_addr[] = { ++ AR9170_USB_EP_RX | USB_DIR_IN, ++ AR9170_USB_EP_TX | USB_DIR_OUT, ++ 0}; ++ u8 int_ep_addr[] = { ++ AR9170_USB_EP_IRQ | USB_DIR_IN, ++ AR9170_USB_EP_CMD | USB_DIR_OUT, ++ 0}; ++ if (!usb_check_bulk_endpoints(intf, bulk_ep_addr) || ++ !usb_check_int_endpoints(intf, int_ep_addr)) ++ err = -ENODEV; ++ } ++ ++ if (err) { ++ carl9170_free(ar); ++ return err; ++ } ++ + usb_set_intfdata(intf, ar); + SET_IEEE80211_DEV(ar->hw, &intf->dev); + +-- +2.43.0 + diff --git a/queue-4.19/wifi-cfg80211-fix-the-order-of-arguments-for-trace-e.patch b/queue-4.19/wifi-cfg80211-fix-the-order-of-arguments-for-trace-e.patch new file mode 100644 index 00000000000..cb62cbfaa01 --- /dev/null +++ b/queue-4.19/wifi-cfg80211-fix-the-order-of-arguments-for-trace-e.patch @@ -0,0 +1,50 @@ +From 12dc702b854a3b5fb178c1bfbd200d8739eba2f2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Apr 2024 18:24:30 +0300 +Subject: wifi: cfg80211: fix the order of arguments for trace events of the + tx_rx_evt class + +From: Igor Artemiev + +[ Upstream commit 9ef369973cd2c97cce3388d2c0c7e3c056656e8a ] + +The declarations of the tx_rx_evt class and the rdev_set_antenna event +use the wrong order of arguments in the TP_ARGS macro. + +Fix the order of arguments in the TP_ARGS macro. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Signed-off-by: Igor Artemiev +Link: https://msgid.link/20240405152431.270267-1-Igor.A.Artemiev@mcst.ru +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/trace.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/wireless/trace.h b/net/wireless/trace.h +index 54b0bb344cf93..68d547a4a5a53 100644 +--- a/net/wireless/trace.h ++++ b/net/wireless/trace.h +@@ -1591,7 +1591,7 @@ TRACE_EVENT(rdev_return_void_tx_rx, + + DECLARE_EVENT_CLASS(tx_rx_evt, + TP_PROTO(struct wiphy *wiphy, u32 tx, u32 rx), +- TP_ARGS(wiphy, rx, tx), ++ TP_ARGS(wiphy, tx, rx), + TP_STRUCT__entry( + WIPHY_ENTRY + __field(u32, tx) +@@ -1608,7 +1608,7 @@ DECLARE_EVENT_CLASS(tx_rx_evt, + + DEFINE_EVENT(tx_rx_evt, rdev_set_antenna, + TP_PROTO(struct wiphy *wiphy, u32 tx, u32 rx), +- TP_ARGS(wiphy, rx, tx) ++ TP_ARGS(wiphy, tx, rx) + ); + + DECLARE_EVENT_CLASS(wiphy_netdev_id_evt, +-- +2.43.0 + diff --git a/queue-4.19/wifi-mwl8k-initialize-cmd-addr-properly.patch b/queue-4.19/wifi-mwl8k-initialize-cmd-addr-properly.patch new file mode 100644 index 00000000000..2027b4e3890 --- /dev/null +++ b/queue-4.19/wifi-mwl8k-initialize-cmd-addr-properly.patch @@ -0,0 +1,38 @@ +From 0f308fa27bbf84d93f7a4f964b3dc02c40f12932 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 May 2024 14:38:15 +0300 +Subject: wifi: mwl8k: initialize cmd->addr[] properly + +From: Dan Carpenter + +[ Upstream commit 1d60eabb82694e58543e2b6366dae3e7465892a5 ] + +This loop is supposed to copy the mac address to cmd->addr but the +i++ increment is missing so it copies everything to cmd->addr[0] and +only the last address is recorded. + +Fixes: 22bedad3ce11 ("net: convert multicast list to list_head") +Signed-off-by: Dan Carpenter +Signed-off-by: Kalle Valo +Link: https://msgid.link/b788be9a-15f5-4cca-a3fe-79df4c8ce7b2@moroto.mountain +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/mwl8k.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/marvell/mwl8k.c b/drivers/net/wireless/marvell/mwl8k.c +index ee842797570b7..55129bd36786f 100644 +--- a/drivers/net/wireless/marvell/mwl8k.c ++++ b/drivers/net/wireless/marvell/mwl8k.c +@@ -2711,7 +2711,7 @@ __mwl8k_cmd_mac_multicast_adr(struct ieee80211_hw *hw, int allmulti, + cmd->action |= cpu_to_le16(MWL8K_ENABLE_RX_MULTICAST); + cmd->numaddr = cpu_to_le16(mc_count); + netdev_hw_addr_list_for_each(ha, mc_list) { +- memcpy(cmd->addr[i], ha->addr, ETH_ALEN); ++ memcpy(cmd->addr[i++], ha->addr, ETH_ALEN); + } + } + +-- +2.43.0 + diff --git a/queue-4.19/x86-boot-ignore-relocations-in-.notes-sections-in-wa.patch b/queue-4.19/x86-boot-ignore-relocations-in-.notes-sections-in-wa.patch new file mode 100644 index 00000000000..c793b310318 --- /dev/null +++ b/queue-4.19/x86-boot-ignore-relocations-in-.notes-sections-in-wa.patch @@ -0,0 +1,54 @@ +From 42d48ab07dda733ab30f994e38d607cc65e5f4b0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 17 Mar 2024 23:05:47 +0800 +Subject: x86/boot: Ignore relocations in .notes sections in walk_relocs() too + +From: Guixiong Wei + +[ Upstream commit 76e9762d66373354b45c33b60e9a53ef2a3c5ff2 ] + +Commit: + + aaa8736370db ("x86, relocs: Ignore relocations in .notes section") + +... only started ignoring the .notes sections in print_absolute_relocs(), +but the same logic should also by applied in walk_relocs() to avoid +such relocations. + +[ mingo: Fixed various typos in the changelog, removed extra curly braces from the code. ] + +Fixes: aaa8736370db ("x86, relocs: Ignore relocations in .notes section") +Fixes: 5ead97c84fa7 ("xen: Core Xen implementation") +Fixes: da1a679cde9b ("Add /sys/kernel/notes") +Signed-off-by: Guixiong Wei +Signed-off-by: Ingo Molnar +Reviewed-by: Kees Cook +Link: https://lore.kernel.org/r/20240317150547.24910-1-weiguixiong@bytedance.com +Signed-off-by: Sasha Levin +--- + arch/x86/tools/relocs.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/arch/x86/tools/relocs.c b/arch/x86/tools/relocs.c +index c7f1d1759c855..7470d88ae6311 100644 +--- a/arch/x86/tools/relocs.c ++++ b/arch/x86/tools/relocs.c +@@ -672,6 +672,15 @@ static void walk_relocs(int (*process)(struct section *sec, Elf_Rel *rel, + if (!(sec_applies->shdr.sh_flags & SHF_ALLOC)) { + continue; + } ++ ++ /* ++ * Do not perform relocations in .notes sections; any ++ * values there are meant for pre-boot consumption (e.g. ++ * startup_xen). ++ */ ++ if (sec_applies->shdr.sh_type == SHT_NOTE) ++ continue; ++ + sh_symtab = sec_symtab->symtab; + sym_strtab = sec_symtab->link->strtab; + for (j = 0; j < sec->shdr.sh_size/sizeof(Elf_Rel); j++) { +-- +2.43.0 + diff --git a/queue-4.19/x86-insn-fix-push-instruction-in-x86-instruction-dec.patch b/queue-4.19/x86-insn-fix-push-instruction-in-x86-instruction-dec.patch new file mode 100644 index 00000000000..963a25408a1 --- /dev/null +++ b/queue-4.19/x86-insn-fix-push-instruction-in-x86-instruction-dec.patch @@ -0,0 +1,98 @@ +From 905d75c9d9a5e7c5b8671ee4a11a98eff4b468ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 May 2024 13:58:45 +0300 +Subject: x86/insn: Fix PUSH instruction in x86 instruction decoder opcode map + +From: Adrian Hunter + +[ Upstream commit 59162e0c11d7257cde15f907d19fefe26da66692 ] + +The x86 instruction decoder is used not only for decoding kernel +instructions. It is also used by perf uprobes (user space probes) and by +perf tools Intel Processor Trace decoding. Consequently, it needs to +support instructions executed by user space also. + +Opcode 0x68 PUSH instruction is currently defined as 64-bit operand size +only i.e. (d64). That was based on Intel SDM Opcode Map. However that is +contradicted by the Instruction Set Reference section for PUSH in the +same manual. + +Remove 64-bit operand size only annotation from opcode 0x68 PUSH +instruction. + +Example: + + $ cat pushw.s + .global _start + .text + _start: + pushw $0x1234 + mov $0x1,%eax # system call number (sys_exit) + int $0x80 + $ as -o pushw.o pushw.s + $ ld -s -o pushw pushw.o + $ objdump -d pushw | tail -4 + 0000000000401000 <.text>: + 401000: 66 68 34 12 pushw $0x1234 + 401004: b8 01 00 00 00 mov $0x1,%eax + 401009: cd 80 int $0x80 + $ perf record -e intel_pt//u ./pushw + [ perf record: Woken up 1 times to write data ] + [ perf record: Captured and wrote 0.014 MB perf.data ] + + Before: + + $ perf script --insn-trace=disasm + Warning: + 1 instruction trace errors + pushw 10349 [000] 10586.869237014: 401000 [unknown] (/home/ahunter/git/misc/rtit-tests/pushw) pushw $0x1234 + pushw 10349 [000] 10586.869237014: 401006 [unknown] (/home/ahunter/git/misc/rtit-tests/pushw) addb %al, (%rax) + pushw 10349 [000] 10586.869237014: 401008 [unknown] (/home/ahunter/git/misc/rtit-tests/pushw) addb %cl, %ch + pushw 10349 [000] 10586.869237014: 40100a [unknown] (/home/ahunter/git/misc/rtit-tests/pushw) addb $0x2e, (%rax) + instruction trace error type 1 time 10586.869237224 cpu 0 pid 10349 tid 10349 ip 0x40100d code 6: Trace doesn't match instruction + + After: + + $ perf script --insn-trace=disasm + pushw 10349 [000] 10586.869237014: 401000 [unknown] (./pushw) pushw $0x1234 + pushw 10349 [000] 10586.869237014: 401004 [unknown] (./pushw) movl $1, %eax + +Fixes: eb13296cfaf6 ("x86: Instruction decoder API") +Signed-off-by: Adrian Hunter +Signed-off-by: Ingo Molnar +Link: https://lore.kernel.org/r/20240502105853.5338-3-adrian.hunter@intel.com +Signed-off-by: Sasha Levin +--- + arch/x86/lib/x86-opcode-map.txt | 2 +- + tools/objtool/arch/x86/lib/x86-opcode-map.txt | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/lib/x86-opcode-map.txt b/arch/x86/lib/x86-opcode-map.txt +index 5cb9f009f2be3..996a3a250026b 100644 +--- a/arch/x86/lib/x86-opcode-map.txt ++++ b/arch/x86/lib/x86-opcode-map.txt +@@ -148,7 +148,7 @@ AVXcode: + 65: SEG=GS (Prefix) + 66: Operand-Size (Prefix) + 67: Address-Size (Prefix) +-68: PUSH Iz (d64) ++68: PUSH Iz + 69: IMUL Gv,Ev,Iz + 6a: PUSH Ib (d64) + 6b: IMUL Gv,Ev,Ib +diff --git a/tools/objtool/arch/x86/lib/x86-opcode-map.txt b/tools/objtool/arch/x86/lib/x86-opcode-map.txt +index 5cb9f009f2be3..996a3a250026b 100644 +--- a/tools/objtool/arch/x86/lib/x86-opcode-map.txt ++++ b/tools/objtool/arch/x86/lib/x86-opcode-map.txt +@@ -148,7 +148,7 @@ AVXcode: + 65: SEG=GS (Prefix) + 66: Operand-Size (Prefix) + 67: Address-Size (Prefix) +-68: PUSH Iz (d64) ++68: PUSH Iz + 69: IMUL Gv,Ev,Iz + 6a: PUSH Ib (d64) + 6b: IMUL Gv,Ev,Ib +-- +2.43.0 + diff --git a/queue-4.19/x86-purgatory-switch-to-the-position-independent-sma.patch b/queue-4.19/x86-purgatory-switch-to-the-position-independent-sma.patch new file mode 100644 index 00000000000..bca0820542e --- /dev/null +++ b/queue-4.19/x86-purgatory-switch-to-the-position-independent-sma.patch @@ -0,0 +1,81 @@ +From 44215ae36436b11cbceb347c0750d23ba36d3bbe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Apr 2024 22:17:06 +0200 +Subject: x86/purgatory: Switch to the position-independent small code model + +From: Ard Biesheuvel + +[ Upstream commit cba786af84a0f9716204e09f518ce3b7ada8555e ] + +On x86, the ordinary, position dependent small and kernel code models +only support placement of the executable in 32-bit addressable memory, +due to the use of 32-bit signed immediates to generate references to +global variables. For the kernel, this implies that all global variables +must reside in the top 2 GiB of the kernel virtual address space, where +the implicit address bits 63:32 are equal to sign bit 31. + +This means the kernel code model is not suitable for other bare metal +executables such as the kexec purgatory, which can be placed arbitrarily +in the physical address space, where its address may no longer be +representable as a sign extended 32-bit quantity. For this reason, +commit + + e16c2983fba0 ("x86/purgatory: Change compiler flags from -mcmodel=kernel to -mcmodel=large to fix kexec relocation errors") + +switched to the large code model, which uses 64-bit immediates for all +symbol references, including function calls, in order to avoid relying +on any assumptions regarding proximity of symbols in the final +executable. + +The large code model is rarely used, clunky and the least likely to +operate in a similar fashion when comparing GCC and Clang, so it is best +avoided. This is especially true now that Clang 18 has started to emit +executable code in two separate sections (.text and .ltext), which +triggers an issue in the kexec loading code at runtime. + +The SUSE bugzilla fixes tag points to gcc 13 having issues with the +large model too and that perhaps the large model should simply not be +used at all. + +Instead, use the position independent small code model, which makes no +assumptions about placement but only about proximity, where all +referenced symbols must be within -/+ 2 GiB, i.e., in range for a +RIP-relative reference. Use hidden visibility to suppress the use of a +GOT, which carries absolute addresses that are not covered by static ELF +relocations, and is therefore incompatible with the kexec loader's +relocation logic. + + [ bp: Massage commit message. ] + +Fixes: e16c2983fba0 ("x86/purgatory: Change compiler flags from -mcmodel=kernel to -mcmodel=large to fix kexec relocation errors") +Fixes: https://bugzilla.suse.com/show_bug.cgi?id=1211853 +Closes: https://github.com/ClangBuiltLinux/linux/issues/2016 +Signed-off-by: Ard Biesheuvel +Signed-off-by: Borislav Petkov (AMD) +Reviewed-by: Nathan Chancellor +Reviewed-by: Fangrui Song +Acked-by: Nick Desaulniers +Tested-by: Nathan Chancellor +Link: https://lore.kernel.org/all/20240417-x86-fix-kexec-with-llvm-18-v1-0-5383121e8fb7@kernel.org/ +Signed-off-by: Sasha Levin +--- + arch/x86/purgatory/Makefile | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/purgatory/Makefile b/arch/x86/purgatory/Makefile +index 00f104e341e57..e5138a7b580dc 100644 +--- a/arch/x86/purgatory/Makefile ++++ b/arch/x86/purgatory/Makefile +@@ -30,7 +30,8 @@ KCOV_INSTRUMENT := n + # make up the standalone purgatory.ro + + PURGATORY_CFLAGS_REMOVE := -mcmodel=kernel +-PURGATORY_CFLAGS := -mcmodel=large -ffreestanding -fno-zero-initialized-in-bss -g0 ++PURGATORY_CFLAGS := -mcmodel=small -ffreestanding -fno-zero-initialized-in-bss -g0 ++PURGATORY_CFLAGS += -fpic -fvisibility=hidden + PURGATORY_CFLAGS += $(DISABLE_STACKLEAK_PLUGIN) -DDISABLE_BRANCH_PROFILING + + # Default KBUILD_CFLAGS can have -pg option set when FTRACE is enabled. That +-- +2.43.0 + -- 2.47.3