From 484712281ccdcb79ef37caa9a361e2c18676760f Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sun, 11 Dec 2022 10:57:39 +0100 Subject: [PATCH] 5.10-stable patches added patches: bluetooth-btusb-add-debug-message-for-csr-controllers.patch bluetooth-fix-crash-when-replugging-csr-fake-controllers.patch drm-shmem-helper-avoid-vm_open-error-paths.patch drm-shmem-helper-remove-errant-put-in-error-path.patch drm-vmwgfx-don-t-use-screen-objects-when-sev-is-active.patch hid-core-fix-shift-out-of-bounds-in-hid_report_raw_event.patch hid-hid-lg4ff-add-check-for-empty-lbuf.patch hid-usbhid-add-always_poll-quirk-for-some-mice.patch kvm-s390-vsie-fix-the-initialization-of-the-epoch-extension-epdx-field.patch media-v4l2-dv-timings.c-fix-too-strict-blanking-sanity-checks.patch memcg-fix-possible-use-after-free-in-memcg_write_event_control.patch mm-gup-fix-gup_pud_range-for-dax.patch revert-arm-dts-imx7-fix-nand-controller-size-cells.patch --- ...dd-debug-message-for-csr-controllers.patch | 42 +++++++ ...when-replugging-csr-fake-controllers.patch | 82 +++++++++++++ ...mem-helper-avoid-vm_open-error-paths.patch | 54 +++++++++ ...lper-remove-errant-put-in-error-path.patch | 39 ++++++ ...se-screen-objects-when-sev-is-active.patch | 43 +++++++ ...ut-of-bounds-in-hid_report_raw_event.patch | 72 +++++++++++ ...d-hid-lg4ff-add-check-for-empty-lbuf.patch | 37 ++++++ ...-add-always_poll-quirk-for-some-mice.patch | 78 ++++++++++++ ...on-of-the-epoch-extension-epdx-field.patch | 48 ++++++++ ...ix-too-strict-blanking-sanity-checks.patch | 70 +++++++++++ ...er-free-in-memcg_write_event_control.patch | 112 ++++++++++++++++++ .../mm-gup-fix-gup_pud_range-for-dax.patch | 87 ++++++++++++++ ...-imx7-fix-nand-controller-size-cells.patch | 47 ++++++++ queue-5.10/series | 13 ++ 14 files changed, 824 insertions(+) create mode 100644 queue-5.10/bluetooth-btusb-add-debug-message-for-csr-controllers.patch create mode 100644 queue-5.10/bluetooth-fix-crash-when-replugging-csr-fake-controllers.patch create mode 100644 queue-5.10/drm-shmem-helper-avoid-vm_open-error-paths.patch create mode 100644 queue-5.10/drm-shmem-helper-remove-errant-put-in-error-path.patch create mode 100644 queue-5.10/drm-vmwgfx-don-t-use-screen-objects-when-sev-is-active.patch create mode 100644 queue-5.10/hid-core-fix-shift-out-of-bounds-in-hid_report_raw_event.patch create mode 100644 queue-5.10/hid-hid-lg4ff-add-check-for-empty-lbuf.patch create mode 100644 queue-5.10/hid-usbhid-add-always_poll-quirk-for-some-mice.patch create mode 100644 queue-5.10/kvm-s390-vsie-fix-the-initialization-of-the-epoch-extension-epdx-field.patch create mode 100644 queue-5.10/media-v4l2-dv-timings.c-fix-too-strict-blanking-sanity-checks.patch create mode 100644 queue-5.10/memcg-fix-possible-use-after-free-in-memcg_write_event_control.patch create mode 100644 queue-5.10/mm-gup-fix-gup_pud_range-for-dax.patch create mode 100644 queue-5.10/revert-arm-dts-imx7-fix-nand-controller-size-cells.patch diff --git a/queue-5.10/bluetooth-btusb-add-debug-message-for-csr-controllers.patch b/queue-5.10/bluetooth-btusb-add-debug-message-for-csr-controllers.patch new file mode 100644 index 00000000000..52244bccd11 --- /dev/null +++ b/queue-5.10/bluetooth-btusb-add-debug-message-for-csr-controllers.patch @@ -0,0 +1,42 @@ +From 955aebd445e2b49622f2184b7abb82b05c060549 Mon Sep 17 00:00:00 2001 +From: Ismael Ferreras Morezuelas +Date: Sat, 29 Oct 2022 22:24:53 +0200 +Subject: Bluetooth: btusb: Add debug message for CSR controllers + +From: Ismael Ferreras Morezuelas + +commit 955aebd445e2b49622f2184b7abb82b05c060549 upstream. + +The rationale of showing this is that it's potentially critical +information to diagnose and find more CSR compatibility bugs in the +future and it will save a lot of headaches. + +Given that clones come from a wide array of vendors (some are actually +Barrot, some are something else) and these numbers are what let us find +differences between actual and fake ones, it will be immensely helpful +to scour the Internet looking for this pattern and building an actual +database to find correlations and improve the checks. + +Cc: stable@vger.kernel.org +Cc: Hans de Goede +Signed-off-by: Ismael Ferreras Morezuelas +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bluetooth/btusb.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -1833,6 +1833,11 @@ static int btusb_setup_csr(struct hci_de + + rp = (struct hci_rp_read_local_version *)skb->data; + ++ bt_dev_info(hdev, "CSR: Setting up dongle with HCI ver=%u rev=%04x; LMP ver=%u subver=%04x; manufacturer=%u", ++ le16_to_cpu(rp->hci_ver), le16_to_cpu(rp->hci_rev), ++ le16_to_cpu(rp->lmp_ver), le16_to_cpu(rp->lmp_subver), ++ le16_to_cpu(rp->manufacturer)); ++ + /* Detect a wide host of Chinese controllers that aren't CSR. + * + * Known fake bcdDevices: 0x0100, 0x0134, 0x1915, 0x2520, 0x7558, 0x8891 diff --git a/queue-5.10/bluetooth-fix-crash-when-replugging-csr-fake-controllers.patch b/queue-5.10/bluetooth-fix-crash-when-replugging-csr-fake-controllers.patch new file mode 100644 index 00000000000..a18e5f32186 --- /dev/null +++ b/queue-5.10/bluetooth-fix-crash-when-replugging-csr-fake-controllers.patch @@ -0,0 +1,82 @@ +From b5ca338751ad4783ec8d37b5d99c3e37b7813e59 Mon Sep 17 00:00:00 2001 +From: Luiz Augusto von Dentz +Date: Tue, 29 Nov 2022 12:54:13 -0800 +Subject: Bluetooth: Fix crash when replugging CSR fake controllers +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Luiz Augusto von Dentz + +commit b5ca338751ad4783ec8d37b5d99c3e37b7813e59 upstream. + +It seems fake CSR 5.0 clones can cause the suspend notifier to be +registered twice causing the following kernel panic: + +[ 71.986122] Call Trace: +[ 71.986124] +[ 71.986125] blocking_notifier_chain_register+0x33/0x60 +[ 71.986130] hci_register_dev+0x316/0x3d0 [bluetooth 99b5497ea3d09708fa1366c1dc03288bf3cca8da] +[ 71.986154] btusb_probe+0x979/0xd85 [btusb e1e0605a4f4c01984a4b9c8ac58c3666ae287477] +[ 71.986159] ? __pm_runtime_set_status+0x1a9/0x300 +[ 71.986162] ? ktime_get_mono_fast_ns+0x3e/0x90 +[ 71.986167] usb_probe_interface+0xe3/0x2b0 +[ 71.986171] really_probe+0xdb/0x380 +[ 71.986174] ? pm_runtime_barrier+0x54/0x90 +[ 71.986177] __driver_probe_device+0x78/0x170 +[ 71.986180] driver_probe_device+0x1f/0x90 +[ 71.986183] __device_attach_driver+0x89/0x110 +[ 71.986186] ? driver_allows_async_probing+0x70/0x70 +[ 71.986189] bus_for_each_drv+0x8c/0xe0 +[ 71.986192] __device_attach+0xb2/0x1e0 +[ 71.986195] bus_probe_device+0x92/0xb0 +[ 71.986198] device_add+0x422/0x9a0 +[ 71.986201] ? sysfs_merge_group+0xd4/0x110 +[ 71.986205] usb_set_configuration+0x57a/0x820 +[ 71.986208] usb_generic_driver_probe+0x4f/0x70 +[ 71.986211] usb_probe_device+0x3a/0x110 +[ 71.986213] really_probe+0xdb/0x380 +[ 71.986216] ? pm_runtime_barrier+0x54/0x90 +[ 71.986219] __driver_probe_device+0x78/0x170 +[ 71.986221] driver_probe_device+0x1f/0x90 +[ 71.986224] __device_attach_driver+0x89/0x110 +[ 71.986227] ? driver_allows_async_probing+0x70/0x70 +[ 71.986230] bus_for_each_drv+0x8c/0xe0 +[ 71.986232] __device_attach+0xb2/0x1e0 +[ 71.986235] bus_probe_device+0x92/0xb0 +[ 71.986237] device_add+0x422/0x9a0 +[ 71.986239] ? _dev_info+0x7d/0x98 +[ 71.986242] ? blake2s_update+0x4c/0xc0 +[ 71.986246] usb_new_device.cold+0x148/0x36d +[ 71.986250] hub_event+0xa8a/0x1910 +[ 71.986255] process_one_work+0x1c4/0x380 +[ 71.986259] worker_thread+0x51/0x390 +[ 71.986262] ? rescuer_thread+0x3b0/0x3b0 +[ 71.986264] kthread+0xdb/0x110 +[ 71.986266] ? kthread_complete_and_exit+0x20/0x20 +[ 71.986268] ret_from_fork+0x1f/0x30 +[ 71.986273] +[ 71.986274] ---[ end trace 0000000000000000 ]--- +[ 71.986284] btusb: probe of 2-1.6:1.0 failed with error -17 + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=216683 +Cc: stable@vger.kernel.org +Signed-off-by: Luiz Augusto von Dentz +Tested-by: Leonardo Eugênio +Signed-off-by: Greg Kroah-Hartman +--- + net/bluetooth/hci_core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/bluetooth/hci_core.c ++++ b/net/bluetooth/hci_core.c +@@ -3799,7 +3799,8 @@ int hci_register_dev(struct hci_dev *hde + hci_sock_dev_event(hdev, HCI_DEV_REG); + hci_dev_hold(hdev); + +- if (!test_bit(HCI_QUIRK_NO_SUSPEND_NOTIFIER, &hdev->quirks)) { ++ if (!hdev->suspend_notifier.notifier_call && ++ !test_bit(HCI_QUIRK_NO_SUSPEND_NOTIFIER, &hdev->quirks)) { + hdev->suspend_notifier.notifier_call = hci_suspend_notifier; + error = register_pm_notifier(&hdev->suspend_notifier); + if (error) diff --git a/queue-5.10/drm-shmem-helper-avoid-vm_open-error-paths.patch b/queue-5.10/drm-shmem-helper-avoid-vm_open-error-paths.patch new file mode 100644 index 00000000000..631be57b26d --- /dev/null +++ b/queue-5.10/drm-shmem-helper-avoid-vm_open-error-paths.patch @@ -0,0 +1,54 @@ +From 09bf649a74573cb596e211418a4f8008f265c5a9 Mon Sep 17 00:00:00 2001 +From: Rob Clark +Date: Wed, 30 Nov 2022 10:57:48 -0800 +Subject: drm/shmem-helper: Avoid vm_open error paths + +From: Rob Clark + +commit 09bf649a74573cb596e211418a4f8008f265c5a9 upstream. + +vm_open() is not allowed to fail. Fortunately we are guaranteed that +the pages are already pinned, thanks to the initial mmap which is now +being cloned into a forked process, and only need to increment the +refcnt. So just increment it directly. Previously if a signal was +delivered at the wrong time to the forking process, the +mutex_lock_interruptible() could fail resulting in the pages_use_count +not being incremented. + +Fixes: 2194a63a818d ("drm: Add library for shmem backed GEM objects") +Cc: stable@vger.kernel.org +Signed-off-by: Rob Clark +Reviewed-by: Daniel Vetter +Signed-off-by: Javier Martinez Canillas +Link: https://patchwork.freedesktop.org/patch/msgid/20221130185748.357410-3-robdclark@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/drm_gem_shmem_helper.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/drm/drm_gem_shmem_helper.c ++++ b/drivers/gpu/drm/drm_gem_shmem_helper.c +@@ -563,12 +563,20 @@ static void drm_gem_shmem_vm_open(struct + { + struct drm_gem_object *obj = vma->vm_private_data; + struct drm_gem_shmem_object *shmem = to_drm_gem_shmem_obj(obj); +- int ret; + + WARN_ON(shmem->base.import_attach); + +- ret = drm_gem_shmem_get_pages(shmem); +- WARN_ON_ONCE(ret != 0); ++ mutex_lock(&shmem->pages_lock); ++ ++ /* ++ * We should have already pinned the pages when the buffer was first ++ * mmap'd, vm_open() just grabs an additional reference for the new ++ * mm the vma is getting copied into (ie. on fork()). ++ */ ++ if (!WARN_ON_ONCE(!shmem->pages_use_count)) ++ shmem->pages_use_count++; ++ ++ mutex_unlock(&shmem->pages_lock); + + drm_gem_vm_open(vma); + } diff --git a/queue-5.10/drm-shmem-helper-remove-errant-put-in-error-path.patch b/queue-5.10/drm-shmem-helper-remove-errant-put-in-error-path.patch new file mode 100644 index 00000000000..fc9a86c220e --- /dev/null +++ b/queue-5.10/drm-shmem-helper-remove-errant-put-in-error-path.patch @@ -0,0 +1,39 @@ +From 24013314be6ee4ee456114a671e9fa3461323de8 Mon Sep 17 00:00:00 2001 +From: Rob Clark +Date: Wed, 30 Nov 2022 10:57:47 -0800 +Subject: drm/shmem-helper: Remove errant put in error path + +From: Rob Clark + +commit 24013314be6ee4ee456114a671e9fa3461323de8 upstream. + +drm_gem_shmem_mmap() doesn't own this reference, resulting in the GEM +object getting prematurely freed leading to a later use-after-free. + +Link: https://syzkaller.appspot.com/bug?extid=c8ae65286134dd1b800d +Reported-by: syzbot+c8ae65286134dd1b800d@syzkaller.appspotmail.com +Fixes: 2194a63a818d ("drm: Add library for shmem backed GEM objects") +Cc: stable@vger.kernel.org +Signed-off-by: Rob Clark +Reviewed-by: Daniel Vetter +Signed-off-by: Javier Martinez Canillas +Link: https://patchwork.freedesktop.org/patch/msgid/20221130185748.357410-2-robdclark@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/drm_gem_shmem_helper.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/drivers/gpu/drm/drm_gem_shmem_helper.c ++++ b/drivers/gpu/drm/drm_gem_shmem_helper.c +@@ -616,10 +616,8 @@ int drm_gem_shmem_mmap(struct drm_gem_ob + shmem = to_drm_gem_shmem_obj(obj); + + ret = drm_gem_shmem_get_pages(shmem); +- if (ret) { +- drm_gem_vm_close(vma); ++ if (ret) + return ret; +- } + + vma->vm_flags |= VM_MIXEDMAP | VM_DONTEXPAND; + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags); diff --git a/queue-5.10/drm-vmwgfx-don-t-use-screen-objects-when-sev-is-active.patch b/queue-5.10/drm-vmwgfx-don-t-use-screen-objects-when-sev-is-active.patch new file mode 100644 index 00000000000..e0624ee6e07 --- /dev/null +++ b/queue-5.10/drm-vmwgfx-don-t-use-screen-objects-when-sev-is-active.patch @@ -0,0 +1,43 @@ +From 6e90293618ed476d6b11f82ce724efbb9e9a071b Mon Sep 17 00:00:00 2001 +From: Zack Rusin +Date: Thu, 1 Dec 2022 12:53:41 -0500 +Subject: drm/vmwgfx: Don't use screen objects when SEV is active + +From: Zack Rusin + +commit 6e90293618ed476d6b11f82ce724efbb9e9a071b upstream. + +When SEV is enabled gmr's and mob's are explicitly disabled because +the encrypted system memory can not be used by the hypervisor. + +The driver was disabling GMR's but the presentation code, which depends +on GMR's, wasn't honoring it which lead to black screen on hosts +with SEV enabled. + +Make sure screen objects presentation is not used when guest memory +regions have been disabled to fix presentation on SEV enabled hosts. + +Fixes: 3b0d6458c705 ("drm/vmwgfx: Refuse DMA operation when SEV encryption is active") +Cc: # v5.7+ +Signed-off-by: Zack Rusin +Reported-by: Nicholas Hunt +Reviewed-by: Martin Krastev +Link: https://patchwork.freedesktop.org/patch/msgid/20221201175341.491884-1-zack@kde.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/vmwgfx/vmwgfx_scrn.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_scrn.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_scrn.c +@@ -949,6 +949,10 @@ int vmw_kms_sou_init_display(struct vmw_ + struct drm_device *dev = dev_priv->dev; + int i, ret; + ++ /* Screen objects won't work if GMR's aren't available */ ++ if (!dev_priv->has_gmr) ++ return -ENOSYS; ++ + if (!(dev_priv->capabilities & SVGA_CAP_SCREEN_OBJECT_2)) { + DRM_INFO("Not using screen objects," + " missing cap SCREEN_OBJECT_2\n"); diff --git a/queue-5.10/hid-core-fix-shift-out-of-bounds-in-hid_report_raw_event.patch b/queue-5.10/hid-core-fix-shift-out-of-bounds-in-hid_report_raw_event.patch new file mode 100644 index 00000000000..9030ccff3f6 --- /dev/null +++ b/queue-5.10/hid-core-fix-shift-out-of-bounds-in-hid_report_raw_event.patch @@ -0,0 +1,72 @@ +From ec61b41918587be530398b0d1c9a0d16619397e5 Mon Sep 17 00:00:00 2001 +From: ZhangPeng +Date: Wed, 16 Nov 2022 07:14:28 +0000 +Subject: HID: core: fix shift-out-of-bounds in hid_report_raw_event + +From: ZhangPeng + +commit ec61b41918587be530398b0d1c9a0d16619397e5 upstream. + +Syzbot reported shift-out-of-bounds in hid_report_raw_event. + +microsoft 0003:045E:07DA.0001: hid_field_extract() called with n (128) > +32! (swapper/0) +====================================================================== +UBSAN: shift-out-of-bounds in drivers/hid/hid-core.c:1323:20 +shift exponent 127 is too large for 32-bit type 'int' +CPU: 0 PID: 0 Comm: swapper/0 Not tainted +6.1.0-rc4-syzkaller-00159-g4bbf3422df78 #0 +Hardware name: Google Compute Engine/Google Compute Engine, BIOS +Google 10/26/2022 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106 + ubsan_epilogue lib/ubsan.c:151 [inline] + __ubsan_handle_shift_out_of_bounds+0x3a6/0x420 lib/ubsan.c:322 + snto32 drivers/hid/hid-core.c:1323 [inline] + hid_input_fetch_field drivers/hid/hid-core.c:1572 [inline] + hid_process_report drivers/hid/hid-core.c:1665 [inline] + hid_report_raw_event+0xd56/0x18b0 drivers/hid/hid-core.c:1998 + hid_input_report+0x408/0x4f0 drivers/hid/hid-core.c:2066 + hid_irq_in+0x459/0x690 drivers/hid/usbhid/hid-core.c:284 + __usb_hcd_giveback_urb+0x369/0x530 drivers/usb/core/hcd.c:1671 + dummy_timer+0x86b/0x3110 drivers/usb/gadget/udc/dummy_hcd.c:1988 + call_timer_fn+0xf5/0x210 kernel/time/timer.c:1474 + expire_timers kernel/time/timer.c:1519 [inline] + __run_timers+0x76a/0x980 kernel/time/timer.c:1790 + run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1803 + __do_softirq+0x277/0x75b kernel/softirq.c:571 + __irq_exit_rcu+0xec/0x170 kernel/softirq.c:650 + irq_exit_rcu+0x5/0x20 kernel/softirq.c:662 + sysvec_apic_timer_interrupt+0x91/0xb0 arch/x86/kernel/apic/apic.c:1107 +====================================================================== + +If the size of the integer (unsigned n) is bigger than 32 in snto32(), +shift exponent will be too large for 32-bit type 'int', resulting in a +shift-out-of-bounds bug. +Fix this by adding a check on the size of the integer (unsigned n) in +snto32(). To add support for n greater than 32 bits, set n to 32, if n +is greater than 32. + +Reported-by: syzbot+8b1641d2f14732407e23@syzkaller.appspotmail.com +Fixes: dde5845a529f ("[PATCH] Generic HID layer - code split") +Signed-off-by: ZhangPeng +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/hid-core.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/hid/hid-core.c ++++ b/drivers/hid/hid-core.c +@@ -1310,6 +1310,9 @@ static s32 snto32(__u32 value, unsigned + if (!value || !n) + return 0; + ++ if (n > 32) ++ n = 32; ++ + switch (n) { + case 8: return ((__s8)value); + case 16: return ((__s16)value); diff --git a/queue-5.10/hid-hid-lg4ff-add-check-for-empty-lbuf.patch b/queue-5.10/hid-hid-lg4ff-add-check-for-empty-lbuf.patch new file mode 100644 index 00000000000..837eea2a7f0 --- /dev/null +++ b/queue-5.10/hid-hid-lg4ff-add-check-for-empty-lbuf.patch @@ -0,0 +1,37 @@ +From d180b6496143cd360c5d5f58ae4b9a8229c1f344 Mon Sep 17 00:00:00 2001 +From: Anastasia Belova +Date: Fri, 11 Nov 2022 15:55:11 +0300 +Subject: HID: hid-lg4ff: Add check for empty lbuf + +From: Anastasia Belova + +commit d180b6496143cd360c5d5f58ae4b9a8229c1f344 upstream. + +If an empty buf is received, lbuf is also empty. So lbuf is +accessed by index -1. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: f31a2de3fe36 ("HID: hid-lg4ff: Allow switching of Logitech gaming wheels between compatibility modes") +Signed-off-by: Anastasia Belova +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/hid-lg4ff.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/hid/hid-lg4ff.c ++++ b/drivers/hid/hid-lg4ff.c +@@ -872,6 +872,12 @@ static ssize_t lg4ff_alternate_modes_sto + return -ENOMEM; + + i = strlen(lbuf); ++ ++ if (i == 0) { ++ kfree(lbuf); ++ return -EINVAL; ++ } ++ + if (lbuf[i-1] == '\n') { + if (i == 1) { + kfree(lbuf); diff --git a/queue-5.10/hid-usbhid-add-always_poll-quirk-for-some-mice.patch b/queue-5.10/hid-usbhid-add-always_poll-quirk-for-some-mice.patch new file mode 100644 index 00000000000..c9efc6107e4 --- /dev/null +++ b/queue-5.10/hid-usbhid-add-always_poll-quirk-for-some-mice.patch @@ -0,0 +1,78 @@ +From f6d910a89a2391e5ce1f275d205023880a33d3f8 Mon Sep 17 00:00:00 2001 +From: Ankit Patel +Date: Tue, 22 Nov 2022 15:35:20 +0800 +Subject: HID: usbhid: Add ALWAYS_POLL quirk for some mice + +From: Ankit Patel + +commit f6d910a89a2391e5ce1f275d205023880a33d3f8 upstream. + +Some additional USB mouse devices are needing ALWAYS_POLL quirk without +which they disconnect and reconnect every 60s. + +Add below devices to the known quirk list. +CHERRY VID 0x046a, PID 0x000c +MICROSOFT VID 0x045e, PID 0x0783 +PRIMAX VID 0x0461, PID 0x4e2a + +Signed-off-by: Ankit Patel +Signed-off-by: Haotien Hsu +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/hid-ids.h | 3 +++ + drivers/hid/hid-quirks.c | 3 +++ + 2 files changed, 6 insertions(+) + +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -257,6 +257,7 @@ + #define USB_DEVICE_ID_CH_AXIS_295 0x001c + + #define USB_VENDOR_ID_CHERRY 0x046a ++#define USB_DEVICE_ID_CHERRY_MOUSE_000C 0x000c + #define USB_DEVICE_ID_CHERRY_CYMOTION 0x0023 + #define USB_DEVICE_ID_CHERRY_CYMOTION_SOLAR 0x0027 + +@@ -874,6 +875,7 @@ + #define USB_DEVICE_ID_MS_XBOX_ONE_S_CONTROLLER 0x02fd + #define USB_DEVICE_ID_MS_PIXART_MOUSE 0x00cb + #define USB_DEVICE_ID_8BITDO_SN30_PRO_PLUS 0x02e0 ++#define USB_DEVICE_ID_MS_MOUSE_0783 0x0783 + + #define USB_VENDOR_ID_MOJO 0x8282 + #define USB_DEVICE_ID_RETRO_ADAPTER 0x3201 +@@ -1302,6 +1304,7 @@ + + #define USB_VENDOR_ID_PRIMAX 0x0461 + #define USB_DEVICE_ID_PRIMAX_MOUSE_4D22 0x4d22 ++#define USB_DEVICE_ID_PRIMAX_MOUSE_4E2A 0x4e2a + #define USB_DEVICE_ID_PRIMAX_KEYBOARD 0x4e05 + #define USB_DEVICE_ID_PRIMAX_REZEL 0x4e72 + #define USB_DEVICE_ID_PRIMAX_PIXART_MOUSE_4D0F 0x4d0f +--- a/drivers/hid/hid-quirks.c ++++ b/drivers/hid/hid-quirks.c +@@ -54,6 +54,7 @@ static const struct hid_device_id hid_qu + { HID_USB_DEVICE(USB_VENDOR_ID_CH, USB_DEVICE_ID_CH_FLIGHT_SIM_YOKE), HID_QUIRK_NOGET }, + { HID_USB_DEVICE(USB_VENDOR_ID_CH, USB_DEVICE_ID_CH_PRO_PEDALS), HID_QUIRK_NOGET }, + { HID_USB_DEVICE(USB_VENDOR_ID_CH, USB_DEVICE_ID_CH_PRO_THROTTLE), HID_QUIRK_NOGET }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_CHERRY, USB_DEVICE_ID_CHERRY_MOUSE_000C), HID_QUIRK_ALWAYS_POLL }, + { HID_USB_DEVICE(USB_VENDOR_ID_CORSAIR, USB_DEVICE_ID_CORSAIR_K65RGB), HID_QUIRK_NO_INIT_REPORTS }, + { HID_USB_DEVICE(USB_VENDOR_ID_CORSAIR, USB_DEVICE_ID_CORSAIR_K65RGB_RAPIDFIRE), HID_QUIRK_NO_INIT_REPORTS | HID_QUIRK_ALWAYS_POLL }, + { HID_USB_DEVICE(USB_VENDOR_ID_CORSAIR, USB_DEVICE_ID_CORSAIR_K70RGB), HID_QUIRK_NO_INIT_REPORTS }, +@@ -122,6 +123,7 @@ static const struct hid_device_id hid_qu + { HID_USB_DEVICE(USB_VENDOR_ID_LOGITECH, USB_DEVICE_ID_LOGITECH_MOUSE_C05A), HID_QUIRK_ALWAYS_POLL }, + { HID_USB_DEVICE(USB_VENDOR_ID_LOGITECH, USB_DEVICE_ID_LOGITECH_MOUSE_C06A), HID_QUIRK_ALWAYS_POLL }, + { HID_USB_DEVICE(USB_VENDOR_ID_MCS, USB_DEVICE_ID_MCS_GAMEPADBLOCK), HID_QUIRK_MULTI_INPUT }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_MOUSE_0783), HID_QUIRK_ALWAYS_POLL }, + { HID_USB_DEVICE(USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_PIXART_MOUSE), HID_QUIRK_ALWAYS_POLL }, + { HID_USB_DEVICE(USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_POWER_COVER), HID_QUIRK_NO_INIT_REPORTS }, + { HID_USB_DEVICE(USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_SURFACE3_COVER), HID_QUIRK_NO_INIT_REPORTS }, +@@ -146,6 +148,7 @@ static const struct hid_device_id hid_qu + { HID_USB_DEVICE(USB_VENDOR_ID_PIXART, USB_DEVICE_ID_PIXART_OPTICAL_TOUCH_SCREEN), HID_QUIRK_NO_INIT_REPORTS }, + { HID_USB_DEVICE(USB_VENDOR_ID_PIXART, USB_DEVICE_ID_PIXART_USB_OPTICAL_MOUSE), HID_QUIRK_ALWAYS_POLL }, + { HID_USB_DEVICE(USB_VENDOR_ID_PRIMAX, USB_DEVICE_ID_PRIMAX_MOUSE_4D22), HID_QUIRK_ALWAYS_POLL }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_PRIMAX, USB_DEVICE_ID_PRIMAX_MOUSE_4E2A), HID_QUIRK_ALWAYS_POLL }, + { HID_USB_DEVICE(USB_VENDOR_ID_PRIMAX, USB_DEVICE_ID_PRIMAX_PIXART_MOUSE_4D0F), HID_QUIRK_ALWAYS_POLL }, + { HID_USB_DEVICE(USB_VENDOR_ID_PRIMAX, USB_DEVICE_ID_PRIMAX_PIXART_MOUSE_4D65), HID_QUIRK_ALWAYS_POLL }, + { HID_USB_DEVICE(USB_VENDOR_ID_PRIMAX, USB_DEVICE_ID_PRIMAX_PIXART_MOUSE_4E22), HID_QUIRK_ALWAYS_POLL }, diff --git a/queue-5.10/kvm-s390-vsie-fix-the-initialization-of-the-epoch-extension-epdx-field.patch b/queue-5.10/kvm-s390-vsie-fix-the-initialization-of-the-epoch-extension-epdx-field.patch new file mode 100644 index 00000000000..69e595c7b0e --- /dev/null +++ b/queue-5.10/kvm-s390-vsie-fix-the-initialization-of-the-epoch-extension-epdx-field.patch @@ -0,0 +1,48 @@ +From 0dd4cdccdab3d74bd86b868768a7dca216bcce7e Mon Sep 17 00:00:00 2001 +From: Thomas Huth +Date: Wed, 23 Nov 2022 10:08:33 +0100 +Subject: KVM: s390: vsie: Fix the initialization of the epoch extension (epdx) field + +From: Thomas Huth + +commit 0dd4cdccdab3d74bd86b868768a7dca216bcce7e upstream. + +We recently experienced some weird huge time jumps in nested guests when +rebooting them in certain cases. After adding some debug code to the epoch +handling in vsie.c (thanks to David Hildenbrand for the idea!), it was +obvious that the "epdx" field (the multi-epoch extension) did not get set +to 0xff in case the "epoch" field was negative. +Seems like the code misses to copy the value from the epdx field from +the guest to the shadow control block. By doing so, the weird time +jumps are gone in our scenarios. + +Link: https://bugzilla.redhat.com/show_bug.cgi?id=2140899 +Fixes: 8fa1696ea781 ("KVM: s390: Multiple Epoch Facility support") +Signed-off-by: Thomas Huth +Reviewed-by: Christian Borntraeger +Acked-by: David Hildenbrand +Reviewed-by: Claudio Imbrenda +Reviewed-by: Janosch Frank +Cc: stable@vger.kernel.org # 4.19+ +Link: https://lore.kernel.org/r/20221123090833.292938-1-thuth@redhat.com +Message-Id: <20221123090833.292938-1-thuth@redhat.com> +Signed-off-by: Janosch Frank +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/kvm/vsie.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/arch/s390/kvm/vsie.c ++++ b/arch/s390/kvm/vsie.c +@@ -535,8 +535,10 @@ static int shadow_scb(struct kvm_vcpu *v + if (test_kvm_cpu_feat(vcpu->kvm, KVM_S390_VM_CPU_FEAT_CEI)) + scb_s->eca |= scb_o->eca & ECA_CEI; + /* Epoch Extension */ +- if (test_kvm_facility(vcpu->kvm, 139)) ++ if (test_kvm_facility(vcpu->kvm, 139)) { + scb_s->ecd |= scb_o->ecd & ECD_MEF; ++ scb_s->epdx = scb_o->epdx; ++ } + + /* etoken */ + if (test_kvm_facility(vcpu->kvm, 156)) diff --git a/queue-5.10/media-v4l2-dv-timings.c-fix-too-strict-blanking-sanity-checks.patch b/queue-5.10/media-v4l2-dv-timings.c-fix-too-strict-blanking-sanity-checks.patch new file mode 100644 index 00000000000..22f3b1c3246 --- /dev/null +++ b/queue-5.10/media-v4l2-dv-timings.c-fix-too-strict-blanking-sanity-checks.patch @@ -0,0 +1,70 @@ +From 5eef2141776da02772c44ec406d6871a790761ee Mon Sep 17 00:00:00 2001 +From: Hans Verkuil +Date: Wed, 16 Nov 2022 15:07:22 +0000 +Subject: media: v4l2-dv-timings.c: fix too strict blanking sanity checks + +From: Hans Verkuil + +commit 5eef2141776da02772c44ec406d6871a790761ee upstream. + +Sanity checks were added to verify the v4l2_bt_timings blanking fields +in order to avoid integer overflows when userspace passes weird values. + +But that assumed that userspace would correctly fill in the front porch, +backporch and sync values, but sometimes all you know is the total +blanking, which is then assigned to just one of these fields. + +And that can fail with these checks. + +So instead set a maximum for the total horizontal and vertical +blanking and check that each field remains below that. + +That is still sufficient to avoid integer overflows, but it also +allows for more flexibility in how userspace fills in these fields. + +Signed-off-by: Hans Verkuil +Fixes: 4b6d66a45ed3 ("media: v4l2-dv-timings: add sanity checks for blanking values") +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/v4l2-core/v4l2-dv-timings.c | 20 ++++++++++++++------ + 1 file changed, 14 insertions(+), 6 deletions(-) + +--- a/drivers/media/v4l2-core/v4l2-dv-timings.c ++++ b/drivers/media/v4l2-core/v4l2-dv-timings.c +@@ -145,6 +145,8 @@ bool v4l2_valid_dv_timings(const struct + const struct v4l2_bt_timings *bt = &t->bt; + const struct v4l2_bt_timings_cap *cap = &dvcap->bt; + u32 caps = cap->capabilities; ++ const u32 max_vert = 10240; ++ u32 max_hor = 3 * bt->width; + + if (t->type != V4L2_DV_BT_656_1120) + return false; +@@ -166,14 +168,20 @@ bool v4l2_valid_dv_timings(const struct + if (!bt->interlaced && + (bt->il_vbackporch || bt->il_vsync || bt->il_vfrontporch)) + return false; +- if (bt->hfrontporch > 2 * bt->width || +- bt->hsync > 1024 || bt->hbackporch > 1024) ++ /* ++ * Some video receivers cannot properly separate the frontporch, ++ * backporch and sync values, and instead they only have the total ++ * blanking. That can be assigned to any of these three fields. ++ * So just check that none of these are way out of range. ++ */ ++ if (bt->hfrontporch > max_hor || ++ bt->hsync > max_hor || bt->hbackporch > max_hor) + return false; +- if (bt->vfrontporch > 4096 || +- bt->vsync > 128 || bt->vbackporch > 4096) ++ if (bt->vfrontporch > max_vert || ++ bt->vsync > max_vert || bt->vbackporch > max_vert) + return false; +- if (bt->interlaced && (bt->il_vfrontporch > 4096 || +- bt->il_vsync > 128 || bt->il_vbackporch > 4096)) ++ if (bt->interlaced && (bt->il_vfrontporch > max_vert || ++ bt->il_vsync > max_vert || bt->il_vbackporch > max_vert)) + return false; + return fnc == NULL || fnc(t, fnc_handle); + } diff --git a/queue-5.10/memcg-fix-possible-use-after-free-in-memcg_write_event_control.patch b/queue-5.10/memcg-fix-possible-use-after-free-in-memcg_write_event_control.patch new file mode 100644 index 00000000000..9b5e142adbf --- /dev/null +++ b/queue-5.10/memcg-fix-possible-use-after-free-in-memcg_write_event_control.patch @@ -0,0 +1,112 @@ +From 4a7ba45b1a435e7097ca0f79a847d0949d0eb088 Mon Sep 17 00:00:00 2001 +From: Tejun Heo +Date: Wed, 7 Dec 2022 16:53:15 -1000 +Subject: memcg: fix possible use-after-free in memcg_write_event_control() + +From: Tejun Heo + +commit 4a7ba45b1a435e7097ca0f79a847d0949d0eb088 upstream. + +memcg_write_event_control() accesses the dentry->d_name of the specified +control fd to route the write call. As a cgroup interface file can't be +renamed, it's safe to access d_name as long as the specified file is a +regular cgroup file. Also, as these cgroup interface files can't be +removed before the directory, it's safe to access the parent too. + +Prior to 347c4a874710 ("memcg: remove cgroup_event->cft"), there was a +call to __file_cft() which verified that the specified file is a regular +cgroupfs file before further accesses. The cftype pointer returned from +__file_cft() was no longer necessary and the commit inadvertently dropped +the file type check with it allowing any file to slip through. With the +invarients broken, the d_name and parent accesses can now race against +renames and removals of arbitrary files and cause use-after-free's. + +Fix the bug by resurrecting the file type check in __file_cft(). Now that +cgroupfs is implemented through kernfs, checking the file operations needs +to go through a layer of indirection. Instead, let's check the superblock +and dentry type. + +Link: https://lkml.kernel.org/r/Y5FRm/cfcKPGzWwl@slm.duckdns.org +Fixes: 347c4a874710 ("memcg: remove cgroup_event->cft") +Signed-off-by: Tejun Heo +Reported-by: Jann Horn +Acked-by: Roman Gushchin +Acked-by: Johannes Weiner +Cc: Linus Torvalds +Cc: Michal Hocko +Cc: Muchun Song +Cc: Shakeel Butt +Cc: [3.14+] +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/cgroup.h | 1 + + kernel/cgroup/cgroup-internal.h | 1 - + mm/memcontrol.c | 15 +++++++++++++-- + 3 files changed, 14 insertions(+), 3 deletions(-) + +--- a/include/linux/cgroup.h ++++ b/include/linux/cgroup.h +@@ -68,6 +68,7 @@ struct css_task_iter { + struct list_head iters_node; /* css_set->task_iters */ + }; + ++extern struct file_system_type cgroup_fs_type; + extern struct cgroup_root cgrp_dfl_root; + extern struct css_set init_css_set; + +--- a/kernel/cgroup/cgroup-internal.h ++++ b/kernel/cgroup/cgroup-internal.h +@@ -169,7 +169,6 @@ extern struct mutex cgroup_mutex; + extern spinlock_t css_set_lock; + extern struct cgroup_subsys *cgroup_subsys[]; + extern struct list_head cgroup_roots; +-extern struct file_system_type cgroup_fs_type; + + /* iterate across the hierarchies */ + #define for_each_root(root) \ +--- a/mm/memcontrol.c ++++ b/mm/memcontrol.c +@@ -4866,6 +4866,7 @@ static ssize_t memcg_write_event_control + unsigned int efd, cfd; + struct fd efile; + struct fd cfile; ++ struct dentry *cdentry; + const char *name; + char *endp; + int ret; +@@ -4917,6 +4918,16 @@ static ssize_t memcg_write_event_control + goto out_put_cfile; + + /* ++ * The control file must be a regular cgroup1 file. As a regular cgroup ++ * file can't be renamed, it's safe to access its name afterwards. ++ */ ++ cdentry = cfile.file->f_path.dentry; ++ if (cdentry->d_sb->s_type != &cgroup_fs_type || !d_is_reg(cdentry)) { ++ ret = -EINVAL; ++ goto out_put_cfile; ++ } ++ ++ /* + * Determine the event callbacks and set them in @event. This used + * to be done via struct cftype but cgroup core no longer knows + * about these events. The following is crude but the whole thing +@@ -4924,7 +4935,7 @@ static ssize_t memcg_write_event_control + * + * DO NOT ADD NEW FILES. + */ +- name = cfile.file->f_path.dentry->d_name.name; ++ name = cdentry->d_name.name; + + if (!strcmp(name, "memory.usage_in_bytes")) { + event->register_event = mem_cgroup_usage_register_event; +@@ -4948,7 +4959,7 @@ static ssize_t memcg_write_event_control + * automatically removed on cgroup destruction but the removal is + * asynchronous, so take an extra ref on @css. + */ +- cfile_css = css_tryget_online_from_dir(cfile.file->f_path.dentry->d_parent, ++ cfile_css = css_tryget_online_from_dir(cdentry->d_parent, + &memory_cgrp_subsys); + ret = -EINVAL; + if (IS_ERR(cfile_css)) diff --git a/queue-5.10/mm-gup-fix-gup_pud_range-for-dax.patch b/queue-5.10/mm-gup-fix-gup_pud_range-for-dax.patch new file mode 100644 index 00000000000..0adce6d8ddd --- /dev/null +++ b/queue-5.10/mm-gup-fix-gup_pud_range-for-dax.patch @@ -0,0 +1,87 @@ +From fcd0ccd836ffad73d98a66f6fea7b16f735ea920 Mon Sep 17 00:00:00 2001 +From: John Starks +Date: Tue, 6 Dec 2022 22:00:53 -0800 +Subject: mm/gup: fix gup_pud_range() for dax + +From: John Starks + +commit fcd0ccd836ffad73d98a66f6fea7b16f735ea920 upstream. + +For dax pud, pud_huge() returns true on x86. So the function works as long +as hugetlb is configured. However, dax doesn't depend on hugetlb. +Commit 414fd080d125 ("mm/gup: fix gup_pmd_range() for dax") fixed +devmap-backed huge PMDs, but missed devmap-backed huge PUDs. Fix this as +well. + +This fixes the below kernel panic: + +general protection fault, probably for non-canonical address 0x69e7c000cc478: 0000 [#1] SMP + < snip > +Call Trace: + +get_user_pages_fast+0x1f/0x40 +iov_iter_get_pages+0xc6/0x3b0 +? mempool_alloc+0x5d/0x170 +bio_iov_iter_get_pages+0x82/0x4e0 +? bvec_alloc+0x91/0xc0 +? bio_alloc_bioset+0x19a/0x2a0 +blkdev_direct_IO+0x282/0x480 +? __io_complete_rw_common+0xc0/0xc0 +? filemap_range_has_page+0x82/0xc0 +generic_file_direct_write+0x9d/0x1a0 +? inode_update_time+0x24/0x30 +__generic_file_write_iter+0xbd/0x1e0 +blkdev_write_iter+0xb4/0x150 +? io_import_iovec+0x8d/0x340 +io_write+0xf9/0x300 +io_issue_sqe+0x3c3/0x1d30 +? sysvec_reschedule_ipi+0x6c/0x80 +__io_queue_sqe+0x33/0x240 +? fget+0x76/0xa0 +io_submit_sqes+0xe6a/0x18d0 +? __fget_light+0xd1/0x100 +__x64_sys_io_uring_enter+0x199/0x880 +? __context_tracking_enter+0x1f/0x70 +? irqentry_exit_to_user_mode+0x24/0x30 +? irqentry_exit+0x1d/0x30 +? __context_tracking_exit+0xe/0x70 +do_syscall_64+0x3b/0x90 +entry_SYSCALL_64_after_hwframe+0x61/0xcb +RIP: 0033:0x7fc97c11a7be + < snip > + +---[ end trace 48b2e0e67debcaeb ]--- +RIP: 0010:internal_get_user_pages_fast+0x340/0x990 + < snip > +Kernel panic - not syncing: Fatal exception +Kernel Offset: disabled + +Link: https://lkml.kernel.org/r/1670392853-28252-1-git-send-email-ssengar@linux.microsoft.com +Fixes: 414fd080d125 ("mm/gup: fix gup_pmd_range() for dax") +Signed-off-by: John Starks +Signed-off-by: Saurabh Sengar +Cc: Jan Kara +Cc: Yu Zhao +Cc: Jason Gunthorpe +Cc: John Hubbard +Cc: David Hildenbrand +Cc: Dan Williams +Cc: Alistair Popple +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/gup.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/gup.c ++++ b/mm/gup.c +@@ -2564,7 +2564,7 @@ static int gup_pud_range(p4d_t *p4dp, p4 + next = pud_addr_end(addr, end); + if (unlikely(!pud_present(pud))) + return 0; +- if (unlikely(pud_huge(pud))) { ++ if (unlikely(pud_huge(pud) || pud_devmap(pud))) { + if (!gup_huge_pud(pud, pudp, addr, next, flags, + pages, nr)) + return 0; diff --git a/queue-5.10/revert-arm-dts-imx7-fix-nand-controller-size-cells.patch b/queue-5.10/revert-arm-dts-imx7-fix-nand-controller-size-cells.patch new file mode 100644 index 00000000000..9ccf084ae21 --- /dev/null +++ b/queue-5.10/revert-arm-dts-imx7-fix-nand-controller-size-cells.patch @@ -0,0 +1,47 @@ +From ef19964da8a668c683f1d38274f6fb756e047945 Mon Sep 17 00:00:00 2001 +From: Francesco Dolcini +Date: Mon, 5 Dec 2022 16:23:27 +0100 +Subject: Revert "ARM: dts: imx7: Fix NAND controller size-cells" + +From: Francesco Dolcini + +commit ef19964da8a668c683f1d38274f6fb756e047945 upstream. + +This reverts commit 753395ea1e45c724150070b5785900b6a44bd5fb. + +It introduced a boot regression on colibri-imx7, and potentially any +other i.MX7 boards with MTD partition list generated into the fdt by +U-Boot. + +While the commit we are reverting here is not obviously wrong, it fixes +only a dt binding checker warning that is non-functional, while it +introduces a boot regression and there is no obvious fix ready. + +Fixes: 753395ea1e45 ("ARM: dts: imx7: Fix NAND controller size-cells") +Signed-off-by: Francesco Dolcini +Reviewed-by: Miquel Raynal +Acked-by: Marek Vasut +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/all/Y4dgBTGNWpM6SQXI@francesco-nb.int.toradex.com/ +Link: https://lore.kernel.org/all/20221205144917.6514168a@xps-13/ +Signed-off-by: Arnd Bergmann +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/imx7s.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm/boot/dts/imx7s.dtsi ++++ b/arch/arm/boot/dts/imx7s.dtsi +@@ -1221,10 +1221,10 @@ + clocks = <&clks IMX7D_NAND_USDHC_BUS_RAWNAND_CLK>; + }; + +- gpmi: nand-controller@33002000 { ++ gpmi: nand-controller@33002000{ + compatible = "fsl,imx7d-gpmi-nand"; + #address-cells = <1>; +- #size-cells = <0>; ++ #size-cells = <1>; + reg = <0x33002000 0x2000>, <0x33004000 0x4000>; + reg-names = "gpmi-nand", "bch"; + interrupts = ; diff --git a/queue-5.10/series b/queue-5.10/series index 9abf64a1429..f34392baca3 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -43,6 +43,19 @@ xen-netback-ensure-protocol-headers-don-t-fall-in-th.patch xen-netback-do-some-code-cleanup.patch xen-netback-don-t-call-kfree_skb-with-interrupts-dis.patch media-videobuf2-core-take-mmap_lock-in-vb2_get_unmap.patch +revert-arm-dts-imx7-fix-nand-controller-size-cells.patch +media-v4l2-dv-timings.c-fix-too-strict-blanking-sanity-checks.patch +memcg-fix-possible-use-after-free-in-memcg_write_event_control.patch +mm-gup-fix-gup_pud_range-for-dax.patch +bluetooth-btusb-add-debug-message-for-csr-controllers.patch +bluetooth-fix-crash-when-replugging-csr-fake-controllers.patch +kvm-s390-vsie-fix-the-initialization-of-the-epoch-extension-epdx-field.patch +drm-vmwgfx-don-t-use-screen-objects-when-sev-is-active.patch +drm-shmem-helper-remove-errant-put-in-error-path.patch +drm-shmem-helper-avoid-vm_open-error-paths.patch +hid-usbhid-add-always_poll-quirk-for-some-mice.patch +hid-hid-lg4ff-add-check-for-empty-lbuf.patch +hid-core-fix-shift-out-of-bounds-in-hid_report_raw_event.patch rtc-cmos-disable-irq-around-direct-invocation-of-cmo.patch rtc-mc146818-lib-fix-locking-in-mc146818_set_time.patch rtc-mc146818-lib-fix-signedness-bug-in-mc146818_get_.patch -- 2.47.3