From 80c9e4ce2aa9c090b063e340e20ab456c1a33050 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Wed, 12 Jun 2024 17:29:47 +0200 Subject: [PATCH] 6.9-stable patches added patches: acpi-resource-do-irq-override-on-tongfang-gxxhrxx-and-gmxhgxx.patch arm64-dts-qcom-qcs404-fix-bluetooth-device-address.patch arm64-tegra-correct-tegra132-i2c-alias.patch ata-pata_legacy-make-legacy_exit-work-again.patch bcache-fix-variable-length-array-abuse-in-btree_iter.patch btrfs-qgroup-fix-initialization-of-auto-inherit-array.patch crypto-starfive-do-not-free-stack-buffer.patch fsverity-use-register_sysctl_init-to-avoid-kmemleak-warning.patch md-raid5-fix-deadlock-that-raid5d-wait-for-itself-to-clear-md_sb_change_pending.patch platform-chrome-cros_ec-handle-events-during-suspend-after-resume-completion.patch proc-move-fdinfo-ptrace_mode_read-check-into-the-inode-.permission-operation.patch soc-qcom-rpmh-rsc-enhance-check-for-vrm-in-flight-request.patch thermal-drivers-qcom-lmh-check-for-scm-availability-at-probe.patch wifi-rtw89-correct-asifstime-for-6ghz-band.patch --- ...ride-on-tongfang-gxxhrxx-and-gmxhgxx.patch | 41 ++ ...-qcs404-fix-bluetooth-device-address.patch | 37 ++ ...m64-tegra-correct-tegra132-i2c-alias.patch | 50 +++ ...a_legacy-make-legacy_exit-work-again.patch | 52 +++ ...ble-length-array-abuse-in-btree_iter.patch | 409 ++++++++++++++++++ ...initialization-of-auto-inherit-array.patch | 38 ++ ...to-starfive-do-not-free-stack-buffer.patch | 30 ++ ...ysctl_init-to-avoid-kmemleak-warning.patch | 52 +++ ...itself-to-clear-md_sb_change_pending.patch | 86 ++++ ...ring-suspend-after-resume-completion.patch | 80 ++++ ...into-the-inode-.permission-operation.patch | 161 +++++++ queue-6.9/series | 14 + ...ance-check-for-vrm-in-flight-request.patch | 141 ++++++ ...-check-for-scm-availability-at-probe.patch | 39 ++ ...tw89-correct-asifstime-for-6ghz-band.patch | 32 ++ 15 files changed, 1262 insertions(+) create mode 100644 queue-6.9/acpi-resource-do-irq-override-on-tongfang-gxxhrxx-and-gmxhgxx.patch create mode 100644 queue-6.9/arm64-dts-qcom-qcs404-fix-bluetooth-device-address.patch create mode 100644 queue-6.9/arm64-tegra-correct-tegra132-i2c-alias.patch create mode 100644 queue-6.9/ata-pata_legacy-make-legacy_exit-work-again.patch create mode 100644 queue-6.9/bcache-fix-variable-length-array-abuse-in-btree_iter.patch create mode 100644 queue-6.9/btrfs-qgroup-fix-initialization-of-auto-inherit-array.patch create mode 100644 queue-6.9/crypto-starfive-do-not-free-stack-buffer.patch create mode 100644 queue-6.9/fsverity-use-register_sysctl_init-to-avoid-kmemleak-warning.patch create mode 100644 queue-6.9/md-raid5-fix-deadlock-that-raid5d-wait-for-itself-to-clear-md_sb_change_pending.patch create mode 100644 queue-6.9/platform-chrome-cros_ec-handle-events-during-suspend-after-resume-completion.patch create mode 100644 queue-6.9/proc-move-fdinfo-ptrace_mode_read-check-into-the-inode-.permission-operation.patch create mode 100644 queue-6.9/soc-qcom-rpmh-rsc-enhance-check-for-vrm-in-flight-request.patch create mode 100644 queue-6.9/thermal-drivers-qcom-lmh-check-for-scm-availability-at-probe.patch create mode 100644 queue-6.9/wifi-rtw89-correct-asifstime-for-6ghz-band.patch diff --git a/queue-6.9/acpi-resource-do-irq-override-on-tongfang-gxxhrxx-and-gmxhgxx.patch b/queue-6.9/acpi-resource-do-irq-override-on-tongfang-gxxhrxx-and-gmxhgxx.patch new file mode 100644 index 00000000000..35613a4809b --- /dev/null +++ b/queue-6.9/acpi-resource-do-irq-override-on-tongfang-gxxhrxx-and-gmxhgxx.patch @@ -0,0 +1,41 @@ +From c81bf14f9db68311c2e75428eea070d97d603975 Mon Sep 17 00:00:00 2001 +From: Christoffer Sandberg +Date: Mon, 22 Apr 2024 10:04:36 +0200 +Subject: ACPI: resource: Do IRQ override on TongFang GXxHRXx and GMxHGxx + +From: Christoffer Sandberg + +commit c81bf14f9db68311c2e75428eea070d97d603975 upstream. + +Listed devices need the override for the keyboard to work. + +Signed-off-by: Christoffer Sandberg +Signed-off-by: Werner Sembach +Cc: All applicable +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/resource.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/drivers/acpi/resource.c ++++ b/drivers/acpi/resource.c +@@ -630,6 +630,18 @@ static const struct dmi_system_id irq1_e + DMI_MATCH(DMI_BOARD_NAME, "X565"), + }, + }, ++ { ++ /* TongFang GXxHRXx/TUXEDO InfinityBook Pro Gen9 AMD */ ++ .matches = { ++ DMI_MATCH(DMI_BOARD_NAME, "GXxHRXx"), ++ }, ++ }, ++ { ++ /* TongFang GMxHGxx/TUXEDO Stellaris Slim Gen1 AMD */ ++ .matches = { ++ DMI_MATCH(DMI_BOARD_NAME, "GMxHGxx"), ++ }, ++ }, + { } + }; + diff --git a/queue-6.9/arm64-dts-qcom-qcs404-fix-bluetooth-device-address.patch b/queue-6.9/arm64-dts-qcom-qcs404-fix-bluetooth-device-address.patch new file mode 100644 index 00000000000..fe7b092d51d --- /dev/null +++ b/queue-6.9/arm64-dts-qcom-qcs404-fix-bluetooth-device-address.patch @@ -0,0 +1,37 @@ +From f5f390a77f18eaeb2c93211a1b7c5e66b5acd423 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 1 May 2024 09:52:01 +0200 +Subject: arm64: dts: qcom: qcs404: fix bluetooth device address + +From: Johan Hovold + +commit f5f390a77f18eaeb2c93211a1b7c5e66b5acd423 upstream. + +The 'local-bd-address' property is used to pass a unique Bluetooth +device address from the boot firmware to the kernel and should otherwise +be left unset so that the OS can prevent the controller from being used +until a valid address has been provided through some other means (e.g. +using btmgmt). + +Fixes: 60f77ae7d1c1 ("arm64: dts: qcom: qcs404-evb: Enable uart3 and add Bluetooth") +Cc: stable@vger.kernel.org # 5.10 +Signed-off-by: Johan Hovold +Reviewed-by: Bryan O'Donoghue +Link: https://lore.kernel.org/r/20240501075201.4732-1-johan+linaro@kernel.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/qcom/qcs404-evb.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm64/boot/dts/qcom/qcs404-evb.dtsi ++++ b/arch/arm64/boot/dts/qcom/qcs404-evb.dtsi +@@ -62,7 +62,7 @@ + vddrf-supply = <&vreg_l1_1p3>; + vddch0-supply = <&vdd_ch0_3p3>; + +- local-bd-address = [ 02 00 00 00 5a ad ]; ++ local-bd-address = [ 00 00 00 00 00 00 ]; + + max-speed = <3200000>; + }; diff --git a/queue-6.9/arm64-tegra-correct-tegra132-i2c-alias.patch b/queue-6.9/arm64-tegra-correct-tegra132-i2c-alias.patch new file mode 100644 index 00000000000..d084ce8cb85 --- /dev/null +++ b/queue-6.9/arm64-tegra-correct-tegra132-i2c-alias.patch @@ -0,0 +1,50 @@ +From 2633c58e1354d7de2c8e7be8bdb6f68a0a01bad7 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Mon, 1 Apr 2024 16:08:54 +0200 +Subject: arm64: tegra: Correct Tegra132 I2C alias + +From: Krzysztof Kozlowski + +commit 2633c58e1354d7de2c8e7be8bdb6f68a0a01bad7 upstream. + +There is no such device as "as3722@40", because its name is "pmic". Use +phandles for aliases to fix relying on full node path. This corrects +aliases for RTC devices and also fixes dtc W=1 warning: + + tegra132-norrin.dts:12.3-36: Warning (alias_paths): /aliases:rtc0: aliases property is not a valid node (/i2c@7000d000/as3722@40) + +Fixes: 0f279ebdf3ce ("arm64: tegra: Add NVIDIA Tegra132 Norrin support") +Cc: stable@vger.kernel.org +Signed-off-by: Krzysztof Kozlowski +Reviewed-by: Jon Hunter +Signed-off-by: Thierry Reding +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/nvidia/tegra132-norrin.dts | 4 ++-- + arch/arm64/boot/dts/nvidia/tegra132.dtsi | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +--- a/arch/arm64/boot/dts/nvidia/tegra132-norrin.dts ++++ b/arch/arm64/boot/dts/nvidia/tegra132-norrin.dts +@@ -9,8 +9,8 @@ + compatible = "nvidia,norrin", "nvidia,tegra132", "nvidia,tegra124"; + + aliases { +- rtc0 = "/i2c@7000d000/as3722@40"; +- rtc1 = "/rtc@7000e000"; ++ rtc0 = &as3722; ++ rtc1 = &tegra_rtc; + serial0 = &uarta; + }; + +--- a/arch/arm64/boot/dts/nvidia/tegra132.dtsi ++++ b/arch/arm64/boot/dts/nvidia/tegra132.dtsi +@@ -572,7 +572,7 @@ + status = "disabled"; + }; + +- rtc@7000e000 { ++ tegra_rtc: rtc@7000e000 { + compatible = "nvidia,tegra124-rtc", "nvidia,tegra20-rtc"; + reg = <0x0 0x7000e000 0x0 0x100>; + interrupts = ; diff --git a/queue-6.9/ata-pata_legacy-make-legacy_exit-work-again.patch b/queue-6.9/ata-pata_legacy-make-legacy_exit-work-again.patch new file mode 100644 index 00000000000..69dfeb97031 --- /dev/null +++ b/queue-6.9/ata-pata_legacy-make-legacy_exit-work-again.patch @@ -0,0 +1,52 @@ +From d4a89339f17c87c4990070e9116462d16e75894f Mon Sep 17 00:00:00 2001 +From: Sergey Shtylyov +Date: Sat, 4 May 2024 23:27:25 +0300 +Subject: ata: pata_legacy: make legacy_exit() work again + +From: Sergey Shtylyov + +commit d4a89339f17c87c4990070e9116462d16e75894f upstream. + +Commit defc9cd826e4 ("pata_legacy: resychronize with upstream changes and +resubmit") missed to update legacy_exit(), so that it now fails to do any +cleanup -- the loop body there can never be entered. Fix that and finally +remove now useless nr_legacy_host variable... + +Found by Linux Verification Center (linuxtesting.org) with the Svace static +analysis tool. + +Fixes: defc9cd826e4 ("pata_legacy: resychronize with upstream changes and resubmit") +Cc: stable@vger.kernel.org +Signed-off-by: Sergey Shtylyov +Reviewed-by: Niklas Cassel +Signed-off-by: Damien Le Moal +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ata/pata_legacy.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/ata/pata_legacy.c ++++ b/drivers/ata/pata_legacy.c +@@ -173,8 +173,6 @@ static int legacy_port[NR_HOST] = { 0x1f + static struct legacy_probe probe_list[NR_HOST]; + static struct legacy_data legacy_data[NR_HOST]; + static struct ata_host *legacy_host[NR_HOST]; +-static int nr_legacy_host; +- + + /** + * legacy_probe_add - Add interface to probe list +@@ -1276,9 +1274,11 @@ static __exit void legacy_exit(void) + { + int i; + +- for (i = 0; i < nr_legacy_host; i++) { ++ for (i = 0; i < NR_HOST; i++) { + struct legacy_data *ld = &legacy_data[i]; +- ata_host_detach(legacy_host[i]); ++ ++ if (legacy_host[i]) ++ ata_host_detach(legacy_host[i]); + platform_device_unregister(ld->platform_dev); + } + } diff --git a/queue-6.9/bcache-fix-variable-length-array-abuse-in-btree_iter.patch b/queue-6.9/bcache-fix-variable-length-array-abuse-in-btree_iter.patch new file mode 100644 index 00000000000..015aa876664 --- /dev/null +++ b/queue-6.9/bcache-fix-variable-length-array-abuse-in-btree_iter.patch @@ -0,0 +1,409 @@ +From 3a861560ccb35f2a4f0a4b8207fa7c2a35fc7f31 Mon Sep 17 00:00:00 2001 +From: Matthew Mirvish +Date: Thu, 9 May 2024 09:11:17 +0800 +Subject: bcache: fix variable length array abuse in btree_iter + +From: Matthew Mirvish + +commit 3a861560ccb35f2a4f0a4b8207fa7c2a35fc7f31 upstream. + +btree_iter is used in two ways: either allocated on the stack with a +fixed size MAX_BSETS, or from a mempool with a dynamic size based on the +specific cache set. Previously, the struct had a fixed-length array of +size MAX_BSETS which was indexed out-of-bounds for the dynamically-sized +iterators, which causes UBSAN to complain. + +This patch uses the same approach as in bcachefs's sort_iter and splits +the iterator into a btree_iter with a flexible array member and a +btree_iter_stack which embeds a btree_iter as well as a fixed-length +data array. + +Cc: stable@vger.kernel.org +Closes: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2039368 +Signed-off-by: Matthew Mirvish +Signed-off-by: Coly Li +Link: https://lore.kernel.org/r/20240509011117.2697-3-colyli@suse.de +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/bcache/bset.c | 44 +++++++++++++++++++++--------------------- + drivers/md/bcache/bset.h | 30 ++++++++++++++++++---------- + drivers/md/bcache/btree.c | 40 ++++++++++++++++++++------------------ + drivers/md/bcache/super.c | 5 ++-- + drivers/md/bcache/sysfs.c | 2 - + drivers/md/bcache/writeback.c | 10 ++++----- + 6 files changed, 71 insertions(+), 60 deletions(-) + +--- a/drivers/md/bcache/bset.c ++++ b/drivers/md/bcache/bset.c +@@ -54,7 +54,7 @@ void bch_dump_bucket(struct btree_keys * + int __bch_count_data(struct btree_keys *b) + { + unsigned int ret = 0; +- struct btree_iter iter; ++ struct btree_iter_stack iter; + struct bkey *k; + + if (b->ops->is_extents) +@@ -67,7 +67,7 @@ void __bch_check_keys(struct btree_keys + { + va_list args; + struct bkey *k, *p = NULL; +- struct btree_iter iter; ++ struct btree_iter_stack iter; + const char *err; + + for_each_key(b, k, &iter) { +@@ -879,7 +879,7 @@ unsigned int bch_btree_insert_key(struct + unsigned int status = BTREE_INSERT_STATUS_NO_INSERT; + struct bset *i = bset_tree_last(b)->data; + struct bkey *m, *prev = NULL; +- struct btree_iter iter; ++ struct btree_iter_stack iter; + struct bkey preceding_key_on_stack = ZERO_KEY; + struct bkey *preceding_key_p = &preceding_key_on_stack; + +@@ -895,9 +895,9 @@ unsigned int bch_btree_insert_key(struct + else + preceding_key(k, &preceding_key_p); + +- m = bch_btree_iter_init(b, &iter, preceding_key_p); ++ m = bch_btree_iter_stack_init(b, &iter, preceding_key_p); + +- if (b->ops->insert_fixup(b, k, &iter, replace_key)) ++ if (b->ops->insert_fixup(b, k, &iter.iter, replace_key)) + return status; + + status = BTREE_INSERT_STATUS_INSERT; +@@ -1100,33 +1100,33 @@ void bch_btree_iter_push(struct btree_it + btree_iter_cmp)); + } + +-static struct bkey *__bch_btree_iter_init(struct btree_keys *b, +- struct btree_iter *iter, +- struct bkey *search, +- struct bset_tree *start) ++static struct bkey *__bch_btree_iter_stack_init(struct btree_keys *b, ++ struct btree_iter_stack *iter, ++ struct bkey *search, ++ struct bset_tree *start) + { + struct bkey *ret = NULL; + +- iter->size = ARRAY_SIZE(iter->data); +- iter->used = 0; ++ iter->iter.size = ARRAY_SIZE(iter->stack_data); ++ iter->iter.used = 0; + + #ifdef CONFIG_BCACHE_DEBUG +- iter->b = b; ++ iter->iter.b = b; + #endif + + for (; start <= bset_tree_last(b); start++) { + ret = bch_bset_search(b, start, search); +- bch_btree_iter_push(iter, ret, bset_bkey_last(start->data)); ++ bch_btree_iter_push(&iter->iter, ret, bset_bkey_last(start->data)); + } + + return ret; + } + +-struct bkey *bch_btree_iter_init(struct btree_keys *b, +- struct btree_iter *iter, ++struct bkey *bch_btree_iter_stack_init(struct btree_keys *b, ++ struct btree_iter_stack *iter, + struct bkey *search) + { +- return __bch_btree_iter_init(b, iter, search, b->set); ++ return __bch_btree_iter_stack_init(b, iter, search, b->set); + } + + static inline struct bkey *__bch_btree_iter_next(struct btree_iter *iter, +@@ -1293,10 +1293,10 @@ void bch_btree_sort_partial(struct btree + struct bset_sort_state *state) + { + size_t order = b->page_order, keys = 0; +- struct btree_iter iter; ++ struct btree_iter_stack iter; + int oldsize = bch_count_data(b); + +- __bch_btree_iter_init(b, &iter, NULL, &b->set[start]); ++ __bch_btree_iter_stack_init(b, &iter, NULL, &b->set[start]); + + if (start) { + unsigned int i; +@@ -1307,7 +1307,7 @@ void bch_btree_sort_partial(struct btree + order = get_order(__set_bytes(b->set->data, keys)); + } + +- __btree_sort(b, &iter, start, order, false, state); ++ __btree_sort(b, &iter.iter, start, order, false, state); + + EBUG_ON(oldsize >= 0 && bch_count_data(b) != oldsize); + } +@@ -1323,11 +1323,11 @@ void bch_btree_sort_into(struct btree_ke + struct bset_sort_state *state) + { + uint64_t start_time = local_clock(); +- struct btree_iter iter; ++ struct btree_iter_stack iter; + +- bch_btree_iter_init(b, &iter, NULL); ++ bch_btree_iter_stack_init(b, &iter, NULL); + +- btree_mergesort(b, new->set->data, &iter, false, true); ++ btree_mergesort(b, new->set->data, &iter.iter, false, true); + + bch_time_stats_update(&state->time, start_time); + +--- a/drivers/md/bcache/bset.h ++++ b/drivers/md/bcache/bset.h +@@ -321,7 +321,14 @@ struct btree_iter { + #endif + struct btree_iter_set { + struct bkey *k, *end; +- } data[MAX_BSETS]; ++ } data[]; ++}; ++ ++/* Fixed-size btree_iter that can be allocated on the stack */ ++ ++struct btree_iter_stack { ++ struct btree_iter iter; ++ struct btree_iter_set stack_data[MAX_BSETS]; + }; + + typedef bool (*ptr_filter_fn)(struct btree_keys *b, const struct bkey *k); +@@ -333,9 +340,9 @@ struct bkey *bch_btree_iter_next_filter( + + void bch_btree_iter_push(struct btree_iter *iter, struct bkey *k, + struct bkey *end); +-struct bkey *bch_btree_iter_init(struct btree_keys *b, +- struct btree_iter *iter, +- struct bkey *search); ++struct bkey *bch_btree_iter_stack_init(struct btree_keys *b, ++ struct btree_iter_stack *iter, ++ struct bkey *search); + + struct bkey *__bch_bset_search(struct btree_keys *b, struct bset_tree *t, + const struct bkey *search); +@@ -350,13 +357,14 @@ static inline struct bkey *bch_bset_sear + return search ? __bch_bset_search(b, t, search) : t->data->start; + } + +-#define for_each_key_filter(b, k, iter, filter) \ +- for (bch_btree_iter_init((b), (iter), NULL); \ +- ((k) = bch_btree_iter_next_filter((iter), (b), filter));) +- +-#define for_each_key(b, k, iter) \ +- for (bch_btree_iter_init((b), (iter), NULL); \ +- ((k) = bch_btree_iter_next(iter));) ++#define for_each_key_filter(b, k, stack_iter, filter) \ ++ for (bch_btree_iter_stack_init((b), (stack_iter), NULL); \ ++ ((k) = bch_btree_iter_next_filter(&((stack_iter)->iter), (b), \ ++ filter));) ++ ++#define for_each_key(b, k, stack_iter) \ ++ for (bch_btree_iter_stack_init((b), (stack_iter), NULL); \ ++ ((k) = bch_btree_iter_next(&((stack_iter)->iter)));) + + /* Sorting */ + +--- a/drivers/md/bcache/btree.c ++++ b/drivers/md/bcache/btree.c +@@ -1309,7 +1309,7 @@ static bool btree_gc_mark_node(struct bt + uint8_t stale = 0; + unsigned int keys = 0, good_keys = 0; + struct bkey *k; +- struct btree_iter iter; ++ struct btree_iter_stack iter; + struct bset_tree *t; + + gc->nodes++; +@@ -1570,7 +1570,7 @@ static int btree_gc_rewrite_node(struct + static unsigned int btree_gc_count_keys(struct btree *b) + { + struct bkey *k; +- struct btree_iter iter; ++ struct btree_iter_stack iter; + unsigned int ret = 0; + + for_each_key_filter(&b->keys, k, &iter, bch_ptr_bad) +@@ -1611,17 +1611,18 @@ static int btree_gc_recurse(struct btree + int ret = 0; + bool should_rewrite; + struct bkey *k; +- struct btree_iter iter; ++ struct btree_iter_stack iter; + struct gc_merge_info r[GC_MERGE_NODES]; + struct gc_merge_info *i, *last = r + ARRAY_SIZE(r) - 1; + +- bch_btree_iter_init(&b->keys, &iter, &b->c->gc_done); ++ bch_btree_iter_stack_init(&b->keys, &iter, &b->c->gc_done); + + for (i = r; i < r + ARRAY_SIZE(r); i++) + i->b = ERR_PTR(-EINTR); + + while (1) { +- k = bch_btree_iter_next_filter(&iter, &b->keys, bch_ptr_bad); ++ k = bch_btree_iter_next_filter(&iter.iter, &b->keys, ++ bch_ptr_bad); + if (k) { + r->b = bch_btree_node_get(b->c, op, k, b->level - 1, + true, b); +@@ -1911,7 +1912,7 @@ static int bch_btree_check_recurse(struc + { + int ret = 0; + struct bkey *k, *p = NULL; +- struct btree_iter iter; ++ struct btree_iter_stack iter; + + for_each_key_filter(&b->keys, k, &iter, bch_ptr_invalid) + bch_initial_mark_key(b->c, b->level, k); +@@ -1919,10 +1920,10 @@ static int bch_btree_check_recurse(struc + bch_initial_mark_key(b->c, b->level + 1, &b->key); + + if (b->level) { +- bch_btree_iter_init(&b->keys, &iter, NULL); ++ bch_btree_iter_stack_init(&b->keys, &iter, NULL); + + do { +- k = bch_btree_iter_next_filter(&iter, &b->keys, ++ k = bch_btree_iter_next_filter(&iter.iter, &b->keys, + bch_ptr_bad); + if (k) { + btree_node_prefetch(b, k); +@@ -1950,7 +1951,7 @@ static int bch_btree_check_thread(void * + struct btree_check_info *info = arg; + struct btree_check_state *check_state = info->state; + struct cache_set *c = check_state->c; +- struct btree_iter iter; ++ struct btree_iter_stack iter; + struct bkey *k, *p; + int cur_idx, prev_idx, skip_nr; + +@@ -1959,8 +1960,8 @@ static int bch_btree_check_thread(void * + ret = 0; + + /* root node keys are checked before thread created */ +- bch_btree_iter_init(&c->root->keys, &iter, NULL); +- k = bch_btree_iter_next_filter(&iter, &c->root->keys, bch_ptr_bad); ++ bch_btree_iter_stack_init(&c->root->keys, &iter, NULL); ++ k = bch_btree_iter_next_filter(&iter.iter, &c->root->keys, bch_ptr_bad); + BUG_ON(!k); + + p = k; +@@ -1978,7 +1979,7 @@ static int bch_btree_check_thread(void * + skip_nr = cur_idx - prev_idx; + + while (skip_nr) { +- k = bch_btree_iter_next_filter(&iter, ++ k = bch_btree_iter_next_filter(&iter.iter, + &c->root->keys, + bch_ptr_bad); + if (k) +@@ -2051,7 +2052,7 @@ int bch_btree_check(struct cache_set *c) + int ret = 0; + int i; + struct bkey *k = NULL; +- struct btree_iter iter; ++ struct btree_iter_stack iter; + struct btree_check_state check_state; + + /* check and mark root node keys */ +@@ -2547,11 +2548,11 @@ static int bch_btree_map_nodes_recurse(s + + if (b->level) { + struct bkey *k; +- struct btree_iter iter; ++ struct btree_iter_stack iter; + +- bch_btree_iter_init(&b->keys, &iter, from); ++ bch_btree_iter_stack_init(&b->keys, &iter, from); + +- while ((k = bch_btree_iter_next_filter(&iter, &b->keys, ++ while ((k = bch_btree_iter_next_filter(&iter.iter, &b->keys, + bch_ptr_bad))) { + ret = bcache_btree(map_nodes_recurse, k, b, + op, from, fn, flags); +@@ -2580,11 +2581,12 @@ int bch_btree_map_keys_recurse(struct bt + { + int ret = MAP_CONTINUE; + struct bkey *k; +- struct btree_iter iter; ++ struct btree_iter_stack iter; + +- bch_btree_iter_init(&b->keys, &iter, from); ++ bch_btree_iter_stack_init(&b->keys, &iter, from); + +- while ((k = bch_btree_iter_next_filter(&iter, &b->keys, bch_ptr_bad))) { ++ while ((k = bch_btree_iter_next_filter(&iter.iter, &b->keys, ++ bch_ptr_bad))) { + ret = !b->level + ? fn(op, b, k) + : bcache_btree(map_keys_recurse, k, +--- a/drivers/md/bcache/super.c ++++ b/drivers/md/bcache/super.c +@@ -1914,8 +1914,9 @@ struct cache_set *bch_cache_set_alloc(st + INIT_LIST_HEAD(&c->btree_cache_freed); + INIT_LIST_HEAD(&c->data_buckets); + +- iter_size = ((meta_bucket_pages(sb) * PAGE_SECTORS) / sb->block_size + 1) * +- sizeof(struct btree_iter_set); ++ iter_size = sizeof(struct btree_iter) + ++ ((meta_bucket_pages(sb) * PAGE_SECTORS) / sb->block_size) * ++ sizeof(struct btree_iter_set); + + c->devices = kcalloc(c->nr_uuids, sizeof(void *), GFP_KERNEL); + if (!c->devices) +--- a/drivers/md/bcache/sysfs.c ++++ b/drivers/md/bcache/sysfs.c +@@ -660,7 +660,7 @@ static unsigned int bch_root_usage(struc + unsigned int bytes = 0; + struct bkey *k; + struct btree *b; +- struct btree_iter iter; ++ struct btree_iter_stack iter; + + goto lock_root; + +--- a/drivers/md/bcache/writeback.c ++++ b/drivers/md/bcache/writeback.c +@@ -908,15 +908,15 @@ static int bch_dirty_init_thread(void *a + struct dirty_init_thrd_info *info = arg; + struct bch_dirty_init_state *state = info->state; + struct cache_set *c = state->c; +- struct btree_iter iter; ++ struct btree_iter_stack iter; + struct bkey *k, *p; + int cur_idx, prev_idx, skip_nr; + + k = p = NULL; + prev_idx = 0; + +- bch_btree_iter_init(&c->root->keys, &iter, NULL); +- k = bch_btree_iter_next_filter(&iter, &c->root->keys, bch_ptr_bad); ++ bch_btree_iter_stack_init(&c->root->keys, &iter, NULL); ++ k = bch_btree_iter_next_filter(&iter.iter, &c->root->keys, bch_ptr_bad); + BUG_ON(!k); + + p = k; +@@ -930,7 +930,7 @@ static int bch_dirty_init_thread(void *a + skip_nr = cur_idx - prev_idx; + + while (skip_nr) { +- k = bch_btree_iter_next_filter(&iter, ++ k = bch_btree_iter_next_filter(&iter.iter, + &c->root->keys, + bch_ptr_bad); + if (k) +@@ -979,7 +979,7 @@ void bch_sectors_dirty_init(struct bcach + int i; + struct btree *b = NULL; + struct bkey *k = NULL; +- struct btree_iter iter; ++ struct btree_iter_stack iter; + struct sectors_dirty_init op; + struct cache_set *c = d->c; + struct bch_dirty_init_state state; diff --git a/queue-6.9/btrfs-qgroup-fix-initialization-of-auto-inherit-array.patch b/queue-6.9/btrfs-qgroup-fix-initialization-of-auto-inherit-array.patch new file mode 100644 index 00000000000..338e9022d72 --- /dev/null +++ b/queue-6.9/btrfs-qgroup-fix-initialization-of-auto-inherit-array.patch @@ -0,0 +1,38 @@ +From 0e39c9e524479b85c1b83134df0cfc6e3cb5353a Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Sat, 4 May 2024 14:38:41 +0300 +Subject: btrfs: qgroup: fix initialization of auto inherit array + +From: Dan Carpenter + +commit 0e39c9e524479b85c1b83134df0cfc6e3cb5353a upstream. + +The "i++" was accidentally left out so it just sets qgids[0] over and +over. + +This can lead to unexpected problems, as the groups[1:] would be all 0, +leading to later find_qgroup_rb() unable to find a qgroup and cause +snapshot creation failure. + +Fixes: 5343cd9364ea ("btrfs: qgroup: simple quota auto hierarchy for nested subvolumes") +CC: stable@vger.kernel.org # 6.7+ +Reviewed-by: Qu Wenruo +Signed-off-by: Dan Carpenter +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/qgroup.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/btrfs/qgroup.c ++++ b/fs/btrfs/qgroup.c +@@ -3129,7 +3129,7 @@ static int qgroup_auto_inherit(struct bt + qgids = res->qgroups; + + list_for_each_entry(qg_list, &inode_qg->groups, next_group) +- qgids[i] = qg_list->group->qgroupid; ++ qgids[i++] = qg_list->group->qgroupid; + + *inherit = res; + return 0; diff --git a/queue-6.9/crypto-starfive-do-not-free-stack-buffer.patch b/queue-6.9/crypto-starfive-do-not-free-stack-buffer.patch new file mode 100644 index 00000000000..6e702ace2f5 --- /dev/null +++ b/queue-6.9/crypto-starfive-do-not-free-stack-buffer.patch @@ -0,0 +1,30 @@ +From d7f01649f4eaf1878472d3d3f480ae1e50d98f6c Mon Sep 17 00:00:00 2001 +From: Jia Jie Ho +Date: Mon, 29 Apr 2024 14:06:39 +0800 +Subject: crypto: starfive - Do not free stack buffer + +From: Jia Jie Ho + +commit d7f01649f4eaf1878472d3d3f480ae1e50d98f6c upstream. + +RSA text data uses variable length buffer allocated in software stack. +Calling kfree on it causes undefined behaviour in subsequent operations. + +Cc: #6.7+ +Signed-off-by: Jia Jie Ho +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/crypto/starfive/jh7110-rsa.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/crypto/starfive/jh7110-rsa.c ++++ b/drivers/crypto/starfive/jh7110-rsa.c +@@ -273,7 +273,6 @@ static int starfive_rsa_enc_core(struct + + err_rsa_crypt: + writel(STARFIVE_RSA_RESET, cryp->base + STARFIVE_PKA_CACR_OFFSET); +- kfree(rctx->rsa_data); + return ret; + } + diff --git a/queue-6.9/fsverity-use-register_sysctl_init-to-avoid-kmemleak-warning.patch b/queue-6.9/fsverity-use-register_sysctl_init-to-avoid-kmemleak-warning.patch new file mode 100644 index 00000000000..34e7bcca1d3 --- /dev/null +++ b/queue-6.9/fsverity-use-register_sysctl_init-to-avoid-kmemleak-warning.patch @@ -0,0 +1,52 @@ +From ee5814dddefbaa181cb247a75676dd5103775db1 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Tue, 30 Apr 2024 19:53:31 -0700 +Subject: fsverity: use register_sysctl_init() to avoid kmemleak warning + +From: Eric Biggers + +commit ee5814dddefbaa181cb247a75676dd5103775db1 upstream. + +Since the fsverity sysctl registration runs as a builtin initcall, there +is no corresponding sysctl deregistration and the resulting struct +ctl_table_header is not used. This can cause a kmemleak warning just +after the system boots up. (A pointer to the ctl_table_header is stored +in the fsverity_sysctl_header static variable, which kmemleak should +detect; however, the compiler can optimize out that variable.) Avoid +the kmemleak warning by using register_sysctl_init() which is intended +for use by builtin initcalls and uses kmemleak_not_leak(). + +Reported-by: Yi Zhang +Closes: https://lore.kernel.org/r/CAHj4cs8DTSvR698UE040rs_pX1k-WVe7aR6N2OoXXuhXJPDC-w@mail.gmail.com +Cc: stable@vger.kernel.org +Reviewed-by: Joel Granados +Link: https://lore.kernel.org/r/20240501025331.594183-1-ebiggers@kernel.org +Signed-off-by: Eric Biggers +Signed-off-by: Greg Kroah-Hartman +--- + fs/verity/init.c | 7 +------ + 1 file changed, 1 insertion(+), 6 deletions(-) + +--- a/fs/verity/init.c ++++ b/fs/verity/init.c +@@ -10,8 +10,6 @@ + #include + + #ifdef CONFIG_SYSCTL +-static struct ctl_table_header *fsverity_sysctl_header; +- + static struct ctl_table fsverity_sysctl_table[] = { + #ifdef CONFIG_FS_VERITY_BUILTIN_SIGNATURES + { +@@ -28,10 +26,7 @@ static struct ctl_table fsverity_sysctl_ + + static void __init fsverity_init_sysctl(void) + { +- fsverity_sysctl_header = register_sysctl("fs/verity", +- fsverity_sysctl_table); +- if (!fsverity_sysctl_header) +- panic("fsverity sysctl registration failed"); ++ register_sysctl_init("fs/verity", fsverity_sysctl_table); + } + #else /* CONFIG_SYSCTL */ + static inline void fsverity_init_sysctl(void) diff --git a/queue-6.9/md-raid5-fix-deadlock-that-raid5d-wait-for-itself-to-clear-md_sb_change_pending.patch b/queue-6.9/md-raid5-fix-deadlock-that-raid5d-wait-for-itself-to-clear-md_sb_change_pending.patch new file mode 100644 index 00000000000..b136c8b4344 --- /dev/null +++ b/queue-6.9/md-raid5-fix-deadlock-that-raid5d-wait-for-itself-to-clear-md_sb_change_pending.patch @@ -0,0 +1,86 @@ +From 151f66bb618d1fd0eeb84acb61b4a9fa5d8bb0fa Mon Sep 17 00:00:00 2001 +From: Yu Kuai +Date: Fri, 22 Mar 2024 16:10:05 +0800 +Subject: md/raid5: fix deadlock that raid5d() wait for itself to clear MD_SB_CHANGE_PENDING + +From: Yu Kuai + +commit 151f66bb618d1fd0eeb84acb61b4a9fa5d8bb0fa upstream. + +Xiao reported that lvm2 test lvconvert-raid-takeover.sh can hang with +small possibility, the root cause is exactly the same as commit +bed9e27baf52 ("Revert "md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d"") + +However, Dan reported another hang after that, and junxiao investigated +the problem and found out that this is caused by plugged bio can't issue +from raid5d(). + +Current implementation in raid5d() has a weird dependence: + +1) md_check_recovery() from raid5d() must hold 'reconfig_mutex' to clear + MD_SB_CHANGE_PENDING; +2) raid5d() handles IO in a deadloop, until all IO are issued; +3) IO from raid5d() must wait for MD_SB_CHANGE_PENDING to be cleared; + +This behaviour is introduce before v2.6, and for consequence, if other +context hold 'reconfig_mutex', and md_check_recovery() can't update +super_block, then raid5d() will waste one cpu 100% by the deadloop, until +'reconfig_mutex' is released. + +Refer to the implementation from raid1 and raid10, fix this problem by +skipping issue IO if MD_SB_CHANGE_PENDING is still set after +md_check_recovery(), daemon thread will be woken up when 'reconfig_mutex' +is released. Meanwhile, the hang problem will be fixed as well. + +Fixes: 5e2cf333b7bd ("md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d") +Cc: stable@vger.kernel.org # v5.19+ +Reported-and-tested-by: Dan Moulding +Closes: https://lore.kernel.org/all/20240123005700.9302-1-dan@danm.net/ +Investigated-by: Junxiao Bi +Signed-off-by: Yu Kuai +Link: https://lore.kernel.org/r/20240322081005.1112401-1-yukuai1@huaweicloud.com +Signed-off-by: Song Liu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/raid5.c | 15 +++------------ + 1 file changed, 3 insertions(+), 12 deletions(-) + +--- a/drivers/md/raid5.c ++++ b/drivers/md/raid5.c +@@ -36,7 +36,6 @@ + */ + + #include +-#include + #include + #include + #include +@@ -6734,6 +6733,9 @@ static void raid5d(struct md_thread *thr + int batch_size, released; + unsigned int offset; + ++ if (test_bit(MD_SB_CHANGE_PENDING, &mddev->sb_flags)) ++ break; ++ + released = release_stripe_list(conf, conf->temp_inactive_list); + if (released) + clear_bit(R5_DID_ALLOC, &conf->cache_state); +@@ -6770,18 +6772,7 @@ static void raid5d(struct md_thread *thr + spin_unlock_irq(&conf->device_lock); + md_check_recovery(mddev); + spin_lock_irq(&conf->device_lock); +- +- /* +- * Waiting on MD_SB_CHANGE_PENDING below may deadlock +- * seeing md_check_recovery() is needed to clear +- * the flag when using mdmon. +- */ +- continue; + } +- +- wait_event_lock_irq(mddev->sb_wait, +- !test_bit(MD_SB_CHANGE_PENDING, &mddev->sb_flags), +- conf->device_lock); + } + pr_debug("%d stripes handled\n", handled); + diff --git a/queue-6.9/platform-chrome-cros_ec-handle-events-during-suspend-after-resume-completion.patch b/queue-6.9/platform-chrome-cros_ec-handle-events-during-suspend-after-resume-completion.patch new file mode 100644 index 00000000000..13f1a22b759 --- /dev/null +++ b/queue-6.9/platform-chrome-cros_ec-handle-events-during-suspend-after-resume-completion.patch @@ -0,0 +1,80 @@ +From 2fbe479c0024e1c6b992184a799055e19932aa48 Mon Sep 17 00:00:00 2001 +From: Karthikeyan Ramasubramanian +Date: Mon, 29 Apr 2024 12:13:45 -0600 +Subject: platform/chrome: cros_ec: Handle events during suspend after resume completion + +From: Karthikeyan Ramasubramanian + +commit 2fbe479c0024e1c6b992184a799055e19932aa48 upstream. + +Commit 47ea0ddb1f56 ("platform/chrome: cros_ec_lpc: Separate host +command and irq disable") re-ordered the resume sequence. Before that +change, cros_ec resume sequence is: +1) Enable IRQ +2) Send resume event +3) Handle events during suspend + +After commit 47ea0ddb1f56 ("platform/chrome: cros_ec_lpc: Separate host +command and irq disable"), cros_ec resume sequence is: +1) Enable IRQ +2) Handle events during suspend +3) Send resume event. + +This re-ordering leads to delayed handling of any events queued between +items 2) and 3) with the updated sequence. Also in certain platforms, EC +skips triggering interrupt for certain events eg. mkbp events until the +resume event is received. Such events are stuck in the host event queue +indefinitely. This change puts back the original order to avoid any +delay in handling the pending events. + +Fixes: 47ea0ddb1f56 ("platform/chrome: cros_ec_lpc: Separate host command and irq disable") +Cc: +Cc: Lalith Rajendran +Cc: +Signed-off-by: Karthikeyan Ramasubramanian +Link: https://lore.kernel.org/r/20240429121343.v2.1.If2e0cef959f1f6df9f4d1ab53a97c54aa54208af@changeid +Signed-off-by: Tzung-Bi Shih +Signed-off-by: Greg Kroah-Hartman +--- + drivers/platform/chrome/cros_ec.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +--- a/drivers/platform/chrome/cros_ec.c ++++ b/drivers/platform/chrome/cros_ec.c +@@ -432,6 +432,12 @@ static void cros_ec_send_resume_event(st + void cros_ec_resume_complete(struct cros_ec_device *ec_dev) + { + cros_ec_send_resume_event(ec_dev); ++ ++ /* ++ * Let the mfd devices know about events that occur during ++ * suspend. This way the clients know what to do with them. ++ */ ++ cros_ec_report_events_during_suspend(ec_dev); + } + EXPORT_SYMBOL(cros_ec_resume_complete); + +@@ -442,12 +448,6 @@ static void cros_ec_enable_irq(struct cr + + if (ec_dev->wake_enabled) + disable_irq_wake(ec_dev->irq); +- +- /* +- * Let the mfd devices know about events that occur during +- * suspend. This way the clients know what to do with them. +- */ +- cros_ec_report_events_during_suspend(ec_dev); + } + + /** +@@ -475,8 +475,8 @@ EXPORT_SYMBOL(cros_ec_resume_early); + */ + int cros_ec_resume(struct cros_ec_device *ec_dev) + { +- cros_ec_enable_irq(ec_dev); +- cros_ec_send_resume_event(ec_dev); ++ cros_ec_resume_early(ec_dev); ++ cros_ec_resume_complete(ec_dev); + return 0; + } + EXPORT_SYMBOL(cros_ec_resume); diff --git a/queue-6.9/proc-move-fdinfo-ptrace_mode_read-check-into-the-inode-.permission-operation.patch b/queue-6.9/proc-move-fdinfo-ptrace_mode_read-check-into-the-inode-.permission-operation.patch new file mode 100644 index 00000000000..23aad88d32c --- /dev/null +++ b/queue-6.9/proc-move-fdinfo-ptrace_mode_read-check-into-the-inode-.permission-operation.patch @@ -0,0 +1,161 @@ +From 0a960ba49869ebe8ff859d000351504dd6b93b68 Mon Sep 17 00:00:00 2001 +From: "Tyler Hicks (Microsoft)" +Date: Tue, 30 Apr 2024 19:56:46 -0500 +Subject: proc: Move fdinfo PTRACE_MODE_READ check into the inode .permission operation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Tyler Hicks (Microsoft) + +commit 0a960ba49869ebe8ff859d000351504dd6b93b68 upstream. + +The following commits loosened the permissions of /proc//fdinfo/ +directory, as well as the files within it, from 0500 to 0555 while also +introducing a PTRACE_MODE_READ check between the current task and +'s task: + + - commit 7bc3fa0172a4 ("procfs: allow reading fdinfo with PTRACE_MODE_READ") + - commit 1927e498aee1 ("procfs: prevent unprivileged processes accessing fdinfo dir") + +Before those changes, inode based system calls like inotify_add_watch(2) +would fail when the current task didn't have sufficient read permissions: + + [...] + lstat("/proc/1/task/1/fdinfo", {st_mode=S_IFDIR|0500, st_size=0, ...}) = 0 + inotify_add_watch(64, "/proc/1/task/1/fdinfo", + IN_MODIFY|IN_ATTRIB|IN_MOVED_FROM|IN_MOVED_TO|IN_CREATE|IN_DELETE| + IN_ONLYDIR|IN_DONT_FOLLOW|IN_EXCL_UNLINK) = -1 EACCES (Permission denied) + [...] + +This matches the documented behavior in the inotify_add_watch(2) man +page: + + ERRORS + EACCES Read access to the given file is not permitted. + +After those changes, inotify_add_watch(2) started succeeding despite the +current task not having PTRACE_MODE_READ privileges on the target task: + + [...] + lstat("/proc/1/task/1/fdinfo", {st_mode=S_IFDIR|0555, st_size=0, ...}) = 0 + inotify_add_watch(64, "/proc/1/task/1/fdinfo", + IN_MODIFY|IN_ATTRIB|IN_MOVED_FROM|IN_MOVED_TO|IN_CREATE|IN_DELETE| + IN_ONLYDIR|IN_DONT_FOLLOW|IN_EXCL_UNLINK) = 1757 + openat(AT_FDCWD, "/proc/1/task/1/fdinfo", + O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = -1 EACCES (Permission denied) + [...] + +This change in behavior broke .NET prior to v7. See the github link +below for the v7 commit that inadvertently/quietly (?) fixed .NET after +the kernel changes mentioned above. + +Return to the old behavior by moving the PTRACE_MODE_READ check out of +the file .open operation and into the inode .permission operation: + + [...] + lstat("/proc/1/task/1/fdinfo", {st_mode=S_IFDIR|0555, st_size=0, ...}) = 0 + inotify_add_watch(64, "/proc/1/task/1/fdinfo", + IN_MODIFY|IN_ATTRIB|IN_MOVED_FROM|IN_MOVED_TO|IN_CREATE|IN_DELETE| + IN_ONLYDIR|IN_DONT_FOLLOW|IN_EXCL_UNLINK) = -1 EACCES (Permission denied) + [...] + +Reported-by: Kevin Parsons (Microsoft) +Link: https://github.com/dotnet/runtime/commit/89e5469ac591b82d38510fe7de98346cce74ad4f +Link: https://stackoverflow.com/questions/75379065/start-self-contained-net6-build-exe-as-service-on-raspbian-system-unauthorizeda +Fixes: 7bc3fa0172a4 ("procfs: allow reading fdinfo with PTRACE_MODE_READ") +Cc: stable@vger.kernel.org +Cc: Christian Brauner +Cc: Christian König +Cc: Jann Horn +Cc: Kalesh Singh +Cc: Hardik Garg +Cc: Allen Pais +Signed-off-by: Tyler Hicks (Microsoft) +Link: https://lore.kernel.org/r/20240501005646.745089-1-code@tyhicks.com +Signed-off-by: Christian Brauner +Signed-off-by: Greg Kroah-Hartman +--- + fs/proc/fd.c | 42 ++++++++++++++++++++---------------------- + 1 file changed, 20 insertions(+), 22 deletions(-) + +--- a/fs/proc/fd.c ++++ b/fs/proc/fd.c +@@ -74,7 +74,18 @@ out: + return 0; + } + +-static int proc_fdinfo_access_allowed(struct inode *inode) ++static int seq_fdinfo_open(struct inode *inode, struct file *file) ++{ ++ return single_open(file, seq_show, inode); ++} ++ ++/** ++ * Shared /proc/pid/fdinfo and /proc/pid/fdinfo/fd permission helper to ensure ++ * that the current task has PTRACE_MODE_READ in addition to the normal ++ * POSIX-like checks. ++ */ ++static int proc_fdinfo_permission(struct mnt_idmap *idmap, struct inode *inode, ++ int mask) + { + bool allowed = false; + struct task_struct *task = get_proc_task(inode); +@@ -88,18 +99,13 @@ static int proc_fdinfo_access_allowed(st + if (!allowed) + return -EACCES; + +- return 0; ++ return generic_permission(idmap, inode, mask); + } + +-static int seq_fdinfo_open(struct inode *inode, struct file *file) +-{ +- int ret = proc_fdinfo_access_allowed(inode); +- +- if (ret) +- return ret; +- +- return single_open(file, seq_show, inode); +-} ++static const struct inode_operations proc_fdinfo_file_inode_operations = { ++ .permission = proc_fdinfo_permission, ++ .setattr = proc_setattr, ++}; + + static const struct file_operations proc_fdinfo_file_operations = { + .open = seq_fdinfo_open, +@@ -388,6 +394,8 @@ static struct dentry *proc_fdinfo_instan + ei = PROC_I(inode); + ei->fd = data->fd; + ++ inode->i_op = &proc_fdinfo_file_inode_operations; ++ + inode->i_fop = &proc_fdinfo_file_operations; + tid_fd_update_inode(task, inode, 0); + +@@ -407,23 +415,13 @@ static int proc_readfdinfo(struct file * + proc_fdinfo_instantiate); + } + +-static int proc_open_fdinfo(struct inode *inode, struct file *file) +-{ +- int ret = proc_fdinfo_access_allowed(inode); +- +- if (ret) +- return ret; +- +- return 0; +-} +- + const struct inode_operations proc_fdinfo_inode_operations = { + .lookup = proc_lookupfdinfo, ++ .permission = proc_fdinfo_permission, + .setattr = proc_setattr, + }; + + const struct file_operations proc_fdinfo_operations = { +- .open = proc_open_fdinfo, + .read = generic_read_dir, + .iterate_shared = proc_readfdinfo, + .llseek = generic_file_llseek, diff --git a/queue-6.9/series b/queue-6.9/series index 577522ee584..72fe7eb7337 100644 --- a/queue-6.9/series +++ b/queue-6.9/series @@ -8,3 +8,17 @@ f2fs-fix-to-do-sanity-check-on-i_xattr_nid-in-sanity_check_inode.patch media-lgdt3306a-add-a-check-against-null-pointer-def.patch drm-amdgpu-add-error-handle-to-avoid-out-of-bounds.patch drm-xe-bb-assert-width-in-xe_bb_create_job.patch +bcache-fix-variable-length-array-abuse-in-btree_iter.patch +crypto-starfive-do-not-free-stack-buffer.patch +btrfs-qgroup-fix-initialization-of-auto-inherit-array.patch +wifi-rtw89-correct-asifstime-for-6ghz-band.patch +ata-pata_legacy-make-legacy_exit-work-again.patch +fsverity-use-register_sysctl_init-to-avoid-kmemleak-warning.patch +proc-move-fdinfo-ptrace_mode_read-check-into-the-inode-.permission-operation.patch +platform-chrome-cros_ec-handle-events-during-suspend-after-resume-completion.patch +thermal-drivers-qcom-lmh-check-for-scm-availability-at-probe.patch +soc-qcom-rpmh-rsc-enhance-check-for-vrm-in-flight-request.patch +acpi-resource-do-irq-override-on-tongfang-gxxhrxx-and-gmxhgxx.patch +arm64-tegra-correct-tegra132-i2c-alias.patch +arm64-dts-qcom-qcs404-fix-bluetooth-device-address.patch +md-raid5-fix-deadlock-that-raid5d-wait-for-itself-to-clear-md_sb_change_pending.patch diff --git a/queue-6.9/soc-qcom-rpmh-rsc-enhance-check-for-vrm-in-flight-request.patch b/queue-6.9/soc-qcom-rpmh-rsc-enhance-check-for-vrm-in-flight-request.patch new file mode 100644 index 00000000000..e10f29c7e0d --- /dev/null +++ b/queue-6.9/soc-qcom-rpmh-rsc-enhance-check-for-vrm-in-flight-request.patch @@ -0,0 +1,141 @@ +From f592cc5794747b81e53b53dd6e80219ee25f0611 Mon Sep 17 00:00:00 2001 +From: Maulik Shah +Date: Thu, 15 Feb 2024 10:55:44 +0530 +Subject: soc: qcom: rpmh-rsc: Enhance check for VRM in-flight request + +From: Maulik Shah + +commit f592cc5794747b81e53b53dd6e80219ee25f0611 upstream. + +Each RPMh VRM accelerator resource has 3 or 4 contiguous 4-byte aligned +addresses associated with it. These control voltage, enable state, mode, +and in legacy targets, voltage headroom. The current in-flight request +checking logic looks for exact address matches. Requests for different +addresses of the same RPMh resource as thus not detected as in-flight. + +Add new cmd-db API cmd_db_match_resource_addr() to enhance the in-flight +request check for VRM requests by ignoring the address offset. + +This ensures that only one request is allowed to be in-flight for a given +VRM resource. This is needed to avoid scenarios where request commands are +carried out by RPMh hardware out-of-order leading to LDO regulator +over-current protection triggering. + +Fixes: 658628e7ef78 ("drivers: qcom: rpmh-rsc: add RPMH controller for QCOM SoCs") +Cc: stable@vger.kernel.org +Reviewed-by: Konrad Dybcio +Tested-by: Elliot Berman # sm8650-qrd +Signed-off-by: Maulik Shah +Link: https://lore.kernel.org/r/20240215-rpmh-rsc-fixes-v4-1-9cbddfcba05b@quicinc.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/soc/qcom/cmd-db.c | 32 +++++++++++++++++++++++++++++++- + drivers/soc/qcom/rpmh-rsc.c | 3 ++- + include/soc/qcom/cmd-db.h | 10 +++++++++- + 3 files changed, 42 insertions(+), 3 deletions(-) + +--- a/drivers/soc/qcom/cmd-db.c ++++ b/drivers/soc/qcom/cmd-db.c +@@ -1,6 +1,10 @@ + /* SPDX-License-Identifier: GPL-2.0 */ +-/* Copyright (c) 2016-2018, 2020, The Linux Foundation. All rights reserved. */ ++/* ++ * Copyright (c) 2016-2018, 2020, The Linux Foundation. All rights reserved. ++ * Copyright (c) 2024, Qualcomm Innovation Center, Inc. All rights reserved. ++ */ + ++#include + #include + #include + #include +@@ -17,6 +21,8 @@ + #define MAX_SLV_ID 8 + #define SLAVE_ID_MASK 0x7 + #define SLAVE_ID_SHIFT 16 ++#define SLAVE_ID(addr) FIELD_GET(GENMASK(19, 16), addr) ++#define VRM_ADDR(addr) FIELD_GET(GENMASK(19, 4), addr) + + /** + * struct entry_header: header for each entry in cmddb +@@ -221,6 +227,30 @@ const void *cmd_db_read_aux_data(const c + EXPORT_SYMBOL_GPL(cmd_db_read_aux_data); + + /** ++ * cmd_db_match_resource_addr() - Compare if both Resource addresses are same ++ * ++ * @addr1: Resource address to compare ++ * @addr2: Resource address to compare ++ * ++ * Return: true if two addresses refer to the same resource, false otherwise ++ */ ++bool cmd_db_match_resource_addr(u32 addr1, u32 addr2) ++{ ++ /* ++ * Each RPMh VRM accelerator resource has 3 or 4 contiguous 4-byte ++ * aligned addresses associated with it. Ignore the offset to check ++ * for VRM requests. ++ */ ++ if (addr1 == addr2) ++ return true; ++ else if (SLAVE_ID(addr1) == CMD_DB_HW_VRM && VRM_ADDR(addr1) == VRM_ADDR(addr2)) ++ return true; ++ ++ return false; ++} ++EXPORT_SYMBOL_GPL(cmd_db_match_resource_addr); ++ ++/** + * cmd_db_read_slave_id - Get the slave ID for a given resource address + * + * @id: Resource id to query the DB for version +--- a/drivers/soc/qcom/rpmh-rsc.c ++++ b/drivers/soc/qcom/rpmh-rsc.c +@@ -1,6 +1,7 @@ + // SPDX-License-Identifier: GPL-2.0 + /* + * Copyright (c) 2016-2018, The Linux Foundation. All rights reserved. ++ * Copyright (c) 2023-2024, Qualcomm Innovation Center, Inc. All rights reserved. + */ + + #define pr_fmt(fmt) "%s " fmt, KBUILD_MODNAME +@@ -557,7 +558,7 @@ static int check_for_req_inflight(struct + for_each_set_bit(j, &curr_enabled, MAX_CMDS_PER_TCS) { + addr = read_tcs_cmd(drv, drv->regs[RSC_DRV_CMD_ADDR], i, j); + for (k = 0; k < msg->num_cmds; k++) { +- if (addr == msg->cmds[k].addr) ++ if (cmd_db_match_resource_addr(msg->cmds[k].addr, addr)) + return -EBUSY; + } + } +--- a/include/soc/qcom/cmd-db.h ++++ b/include/soc/qcom/cmd-db.h +@@ -1,5 +1,8 @@ + /* SPDX-License-Identifier: GPL-2.0 */ +-/* Copyright (c) 2016-2018, The Linux Foundation. All rights reserved. */ ++/* ++ * Copyright (c) 2016-2018, The Linux Foundation. All rights reserved. ++ * Copyright (c) 2024, Qualcomm Innovation Center, Inc. All rights reserved. ++ */ + + #ifndef __QCOM_COMMAND_DB_H__ + #define __QCOM_COMMAND_DB_H__ +@@ -21,6 +24,8 @@ u32 cmd_db_read_addr(const char *resourc + + const void *cmd_db_read_aux_data(const char *resource_id, size_t *len); + ++bool cmd_db_match_resource_addr(u32 addr1, u32 addr2); ++ + enum cmd_db_hw_type cmd_db_read_slave_id(const char *resource_id); + + int cmd_db_ready(void); +@@ -31,6 +36,9 @@ static inline u32 cmd_db_read_addr(const + static inline const void *cmd_db_read_aux_data(const char *resource_id, size_t *len) + { return ERR_PTR(-ENODEV); } + ++static inline bool cmd_db_match_resource_addr(u32 addr1, u32 addr2) ++{ return false; } ++ + static inline enum cmd_db_hw_type cmd_db_read_slave_id(const char *resource_id) + { return -ENODEV; } + diff --git a/queue-6.9/thermal-drivers-qcom-lmh-check-for-scm-availability-at-probe.patch b/queue-6.9/thermal-drivers-qcom-lmh-check-for-scm-availability-at-probe.patch new file mode 100644 index 00000000000..a3d9ae5e34e --- /dev/null +++ b/queue-6.9/thermal-drivers-qcom-lmh-check-for-scm-availability-at-probe.patch @@ -0,0 +1,39 @@ +From d9d3490c48df572edefc0b64655259eefdcbb9be Mon Sep 17 00:00:00 2001 +From: Konrad Dybcio +Date: Sat, 9 Mar 2024 14:15:03 +0100 +Subject: thermal/drivers/qcom/lmh: Check for SCM availability at probe + +From: Konrad Dybcio + +commit d9d3490c48df572edefc0b64655259eefdcbb9be upstream. + +Up until now, the necessary scm availability check has not been +performed, leading to possible null pointer dereferences (which did +happen for me on RB1). + +Fix that. + +Fixes: 53bca371cdf7 ("thermal/drivers/qcom: Add support for LMh driver") +Cc: +Reviewed-by: Dmitry Baryshkov +Reviewed-by: Bjorn Andersson +Signed-off-by: Konrad Dybcio +Signed-off-by: Daniel Lezcano +Link: https://lore.kernel.org/r/20240308-topic-rb1_lmh-v2-2-bac3914b0fe3@linaro.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/thermal/qcom/lmh.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/thermal/qcom/lmh.c ++++ b/drivers/thermal/qcom/lmh.c +@@ -95,6 +95,9 @@ static int lmh_probe(struct platform_dev + unsigned int enable_alg; + u32 node_id; + ++ if (!qcom_scm_is_available()) ++ return -EPROBE_DEFER; ++ + lmh_data = devm_kzalloc(dev, sizeof(*lmh_data), GFP_KERNEL); + if (!lmh_data) + return -ENOMEM; diff --git a/queue-6.9/wifi-rtw89-correct-asifstime-for-6ghz-band.patch b/queue-6.9/wifi-rtw89-correct-asifstime-for-6ghz-band.patch new file mode 100644 index 00000000000..347af06c779 --- /dev/null +++ b/queue-6.9/wifi-rtw89-correct-asifstime-for-6ghz-band.patch @@ -0,0 +1,32 @@ +From f506e3ee547669cd96842e03c8a772aa7df721fa Mon Sep 17 00:00:00 2001 +From: Ping-Ke Shih +Date: Tue, 30 Apr 2024 10:05:15 +0800 +Subject: wifi: rtw89: correct aSIFSTime for 6GHz band + +From: Ping-Ke Shih + +commit f506e3ee547669cd96842e03c8a772aa7df721fa upstream. + +aSIFSTime is 10us for 2GHz band and 16us for 5GHz and 6GHz bands. +Originally, it doesn't consider 6GHz band and use wrong value, so correct +it accordingly. + +Cc: stable@vger.kernel.org +Signed-off-by: Ping-Ke Shih +Link: https://msgid.link/20240430020515.8399-1-pkshih@realtek.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/realtek/rtw89/mac80211.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/wireless/realtek/rtw89/mac80211.c ++++ b/drivers/net/wireless/realtek/rtw89/mac80211.c +@@ -318,7 +318,7 @@ static u8 rtw89_aifsn_to_aifs(struct rtw + u8 sifs; + + slot_time = vif->bss_conf.use_short_slot ? 9 : 20; +- sifs = chan->band_type == RTW89_BAND_5G ? 16 : 10; ++ sifs = chan->band_type == RTW89_BAND_2G ? 10 : 16; + + return aifsn * slot_time + sifs; + } -- 2.47.3